SYSTEMD UNIT FILES: removed unneeded capabilities

Justification for remaining caps:
 - CAP_DAC_OVERRIDE (@additional_caps@): access to /var/log/sssd,
   to /var/lib/sss/pipes/private/*, ...
 - CAP_CHOWN: `chown_debug_file()` in case of monitor activation,
   ...
 - CAP_KILL: terminate child process on timeout, ...
 - CAP_SET?ID: drop privs in case of monitor activation,
   sssd_kcm renewal exec(krb5_child), ...
 - CAP_FOWNER (probably can be avoided): chmod(mem-cache), ...

src/sysv/systemd/sssd-ifp.service.in

@@ -11,7 +11,7 @@ Type=dbus
 BusName=org.freedesktop.sssd.infopipe
 ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log
 ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+CapabilityBoundingSet= @additional_caps@
 Restart=on-failure
 User=@SSSD_USER@
 Group=@SSSD_USER@

src/sysv/systemd/sssd-kcm.service.in

@@ -11,4 +11,4 @@ Also=sssd-kcm.socket
 Environment=DEBUG_LOGGER=--logger=files
 ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
 ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+CapabilityBoundingSet= @additional_caps@ CAP_SETGID CAP_SETUID

src/sysv/systemd/sssd.service.in

@@ -14,7 +14,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 PIDFile=@pidpath@/sssd.pid
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
+CapabilityBoundingSet= @additional_caps@ CAP_CHOWN CAP_KILL CAP_FOWNER CAP_SETGID CAP_SETUID
 Restart=on-abnormal
 
 [Install]