Comment 2 for bug 1186662

The problem is how dhcpd's implements privilege seperation. It doesn't work well with AppArmor and kernel (hard)link protection.

dhcpd expects to be able to write the leases file and create new files in /var/lib/dhcp when rotating the leases file hourly.
As dhcpd is run as user dhcpd, the directory and the files there belonged to dhcpd:dhcpd in the past till it caused a problem with AppArmor (see bug #1028526). As a fix for this the directory and the files belong now root:root and dhcpd can start but not rotate the leases file as user dhcpd anymore (current bug).

Trying to just set dhcpd as owner for /var/lib/dhcp doesn't work as then the kernel hardlink protection triggers when dhcpd tries to hardlink dhcpd.leases (owned by root) to dhcpd.leases~ when rotating the leases file as user dhcpd. Setting dhcpd as the owner of the leases file too, doesn't work either [1] as we are then back where we started.

1: It doesn't work when it belongs dhcpd:dhcpd when the dhcpd get started, but it works when the leases file belongs root when dhcpd gets started and *after* dhcpd got started chowned manually back to dhcpd.

The proper fix is to have dhcpd open the leases file as user dhcpd during start and not root and having /var/lib/dhcp/ and the leases file belong to dhcpd:dhcpd.