Fixes of systemd security capabilities. Remove isc-dhcp-client user.

ROSA-NEWS

@@ -11,7 +11,6 @@ https://www.freedesktop.org/wiki/Software/systemd/syslog/ says:
 * dhcpd user was added on package installation (dhcp-server), but dhcpd was actually ran from root, not dhcpd
 * use sysusers.d(5) (config isc-dhcpd.conf) instaed of manually created dhcpd user
 * migration: delete dhcpd user on package uninstallation
-* the same for dhclient (isc-dhcp-client.conf) (will it work from not root?)
 
 * /etc/sysconfig/dhcp6 called in dhcpd6.service did not exist (dhcpd6.service was broken);
 let's use copy /etc/sysconfig/dhcpd to /etc/sysconfig/dhcpd6 

dhclient@.service

@@ -6,12 +6,15 @@ Before=network.target
 [Service]
 ExecStart=/usr/sbin/dhclient -lf /var/lib/dhclient/dhclient.leases -pf /run/dhclient@%i/dhclient.pid -d %I
 RuntimeDirectory=dhclient@%i
-User=isc-dhcp-client
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
-ProtectSystem=yes
+# /var is not read-only
-ProtectHome=yes
+ProtectSystem=true
-ReadWritePaths=/var/lib/dhclient/
+ProtectHome=true
 RestartSec=2s
 Restart=on-failure
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 
 [Install]
-WantedBy=multi-user.target 
+WantedBy=multi-user.target

dhcp.spec

@@ -28,7 +28,7 @@ Source18:	dhclient.tmpfiles
 Source19:	dhcrelay.tmpfiles
 # sysusers.d(5) (systemd-sysusers)
 Source20:	isc-dhcpd.conf
-Source21:	isc-dhcp-client.conf
+#Source21:	isc-dhcp-client.conf
 # Per-interface dhclient service from Arch Linux (modified)
 Source22:	dhclient@.service
 Source100:	ROSA-NEWS
@@ -209,7 +209,7 @@ install -D -p -m 644 %{SOURCE19} %{buildroot}%{_tmpfilesdir}/dhcrelay.conf
 
 install -d %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE20} %{buildroot}%{_sysusersdir}/
-install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/
+#install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/
 
 install -m 755 %{SOURCE7} %{SOURCE8} %{buildroot}%{_sbindir}
 install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}
@@ -313,10 +313,10 @@ EOF
 %post client
 # migrate from root:root as it was before ROSA package v4.4.1
 # create this directory if it does not esist and then chmod it to allow dhcpd to work properly
-%sysusers_create isc-dhcp-client.conf
+#%sysusers_create isc-dhcp-client.conf
 [ ! -d %{var_dhclient}/ ] && mkdir -p %{var_dhclient}/
 touch %{var_dhclient}/dhclient.leases || true
-[ -d %{var_dhclient} ] && chown -R isc-dhcp-client:isc-dhcp-client %{var_dhclient}/
+#[ -d %{var_dhclient} ] && chown -R isc-dhcp-client:isc-dhcp-client %{var_dhclient}/
 %tmpfiles_create dhclient.conf
 
 %postun client

dhcpd.service

@@ -14,7 +14,7 @@ PIDFile=/run/dhcpd/dhcpd.pid
 User=isc-dhcpd
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
 ProtectSystem=full
-ProtectHome=on
+ProtectHome=true
 KillSignal=SIGINT
 # We pull in network-online.target for a configured network connection.
 # However this is not guaranteed to be the network connection our