Bug 1411942

Summary: PrivateDevices=true gives unlabeled /dev/null
Product: [Fedora] Fedora
Reporter: Laurent Jacquot <jk>
Component: systemd
Assignee: systemd-maint
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 25
CC: johannbg, knnthsrnsn, lnykryn, mail, msekleta, muadda, rhel, ssahani, s, systemd-maint, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Last Closed: 2017-06-10 17:24:35 UTC
Type: Bug

Description Laurent Jacquot 2017-01-10 19:35:20 UTC
Upgraded from f24 to f25, and then postfix cannot access /dev/null anymore when setenforce = 1.

[root@jack selinux]# systemctl start postfix.service 
Job for postfix.service failed because the control process exited with error code.
[root@jack selinux]# journalctl -xe
AVCs...
janv. 10 20:14:19 jack postfix[11894]: /usr/libexec/postfix/postfix-script: line 122: /dev/null: Permission denied
AVCs...
janv. 10 20:14:20 jack systemd[1]: postfix.service: Control process exited, code=exited status=1
janv. 10 20:14:20 jack systemd[1]: Failed to start Postfix Mail Transport Agent.


[root@jack selinux]# cat /etc/fedora-release 
Fedora release 25 (Twenty Five)
[root@jack selinux]# uname -r
4.8.15-300.fc25.x86_64

[root@jack selinux]# rpm -qa |grep selinux-policy
selinux-policy-devel-3.13.1-225.3.fc25.noarch
selinux-policy-targeted-3.13.1-225.3.fc25.noarch
selinux-policy-3.13.1-225.3.fc25.noarch

[root@jack selinux]# ls -lZ /dev/null
crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0 1, 3  8 janv. 22:14 /dev/null

but postfix is convinced that /dev/null is unlabeled, and wants me to insert the following semodule 

To my understanding, the PrivateDevices=true directive in /usr/lib/systemd/system/postfix.service is to blame. If it is set to false or commented out, postfix starts.

see #1389863 and #1398007 for more context
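
Added example, not part of the original report: a small triage script that separates AVC denials against an unlabeled device node (the symptom described above, where the host's /dev/null is labeled null_device_t but the service sees an unlabeled one) from ordinary policy denials. The audit lines, PIDs, inode numbers and the helper names parse_avc and unlabeled_device_denials are constructed for illustration; the report itself elides its AVCs.

```python
import re

# Constructed sample audit records (not from the bug report): one denial on an
# unlabeled /dev/null as a service with a private /dev might log it, and one
# ordinary policy denial for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1484075659.101:501): avc:  denied  { read write } for  pid=11894 comm="postfix-script" name="null" dev="tmpfs" ino=40211 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1484075660.300:502): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1484075659.101:501): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may contain ':' itself,
    # so take the third field rather than splitting from the right.
    rec["stype"] = rec.get("scontext", ":::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", ":::").split(":")[2]
    return rec


def unlabeled_device_denials(log_text):
    """Denials whose target is an unlabeled device node. These point at a
    labeling problem on the node rather than at a missing allow rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == "unlabeled_t" and rec.get("tclass") in ("chr_file", "blk_file"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in unlabeled_device_denials(SAMPLE_AUDIT_LOG):
        print(f'{r["comm"]} ({r["stype"]}) denied {r["perms"]} on unlabeled '
              f'{r["tclass"]} name={r["name"]} dev={r["dev"]}')
```
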

Comment 1 Laurent Jacquot 2017-01-20 18:40:52 UTC
same bug at #1412696

Comment 2 Zbigniew Jędrzejewski-Szmek 2017-06-10 17:24:35 UTC

*** This bug has been marked as a duplicate of bug 1412696 ***