Bug 1412696

Summary: PrivateDevices=true in systemd unit file prevents postfix from starting
Product: [Fedora] Fedora Reporter: Artur <arus>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 25CC: bobgus, dominick.grift, dwalsh, fvzwieten, jk, johannbg, jorti, jskarvad, knnthsrnsn, lnykryn, lvrabec, mgrepl, mike, msekleta, muadda, olysonek, pilux, pkotvan, plautrba, pmoore, ssahani, ssekidde, s, systemd-maint, zbyszek
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-225.20.fc25 selinux-policy-3.13.1-225.22.fc25 selinux-policy-3.13.1-225.23.fc25 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-01 16:38:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
Longer line version of journalctl -u lsdevnull.service none

Description Artur 2017-01-12 15:13:41 UTC 
Description of problem:

Postfix service does not start during boot or when running "systemctl start postfix" manually.

Version-Release number of selected component (if applicable):

postfix-3.1.4-1.fc25.x86_64

How reproducible:

Steps to Reproduce:
1. run "systemctl start postfix"

Actual results:

Job for postfix.service failed because the control process exited with error code.
See "systemctl status postfix.service" and "journalctl -xe" for details.

 postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/etc/systemd/system/postfix.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since czw 2017-01-12 16:08:21 CET; 2min 39s ago
  Process: 4556 ExecStart=/usr/sbin/postfix start (code=exited, status=1/FAILURE)
  Process: 4553 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 4549 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)

sty 12 16:08:20 san2 systemd[1]: Starting Postfix Mail Transport Agent...
sty 12 16:08:20 san2 postfix[4556]: /usr/libexec/postfix/postfix-script: line 122: /dev/null: Permission denied
sty 12 16:08:21 san2 systemd[1]: postfix.service: Control process exited, code=exited status=1
sty 12 16:08:21 san2 systemd[1]: Failed to start Postfix Mail Transport Agent.
sty 12 16:08:21 san2 systemd[1]: postfix.service: Unit entered failed state.
sty 12 16:08:21 san2 systemd[1]: postfix.service: Failed with result 'exit-code'.

Expected results:

Running postfix services.

Additional info:

SELinux blocks access to mislabeled private /dev:

type=AVC msg=audit(1484232859.994:277): avc:  denied  { search } for  pid=4040 comm="postfix" name="dev" dev="dm-0" ino=26 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484232859.998:278): avc:  denied  { search } for  pid=4040 comm="postfix-script" name="dev" dev="dm-0" ino=26 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484232860.035:283): avc:  denied  { search } for  pid=4047 comm="postlog" name="dev" dev="dm-0" ino=26 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

After changing PrivateDevices to false the problem disappears.
Comment 1 Jaroslav Škarvada 2017-01-13 09:26:31 UTC 
Hmm, postfix should have access to /dev/null. I think this should be either resolved in selinux or systemd, reassigning to selinux.
Comment 2 Daniel Walsh 2017-01-13 18:48:56 UTC 
Systemd has to label the devices it creates with privatedevices.

Simplest thing would be to restorecon -R -v /dev, or use internal Relabel or create the content with the correct SELinux labels,
Comment 3 Laurent Jacquot 2017-01-20 18:39:56 UTC 
see #1411942
Comment 4 Michal Sekletar 2017-02-22 08:53:30 UTC 
I believe this is already fixed. Please update systemd and selinux-policy, retest and reopen if necessary.
Comment 5 Artur 2017-02-27 10:20:42 UTC 
Sorry, it is not fixed, I get still the same avc messages.

selinux-policy-3.13.1-225.10.fc25.noarch
selinux-policy-targeted-3.13.1-225.10.fc25.noarch
systemd-231-14.fc25.x86_64
Comment 6 Laurent Jacquot 2017-03-01 19:51:20 UTC 
same here, I still have to disable the nice PrivateDevices feature for postfix in enforcing mode.
Comment 7 Bob Gustafson 2017-06-10 16:42:08 UTC 
I was putting together a new system and noticed that logwatch was not sending its usual daily report. Then figured out it was this bug.

As others have noted, I just changed PrivateDevices to false

[root@hoho6 system]# pwd
/usr/lib/systemd/system

[root@hoho6 system]# vim postfix.service << Change PrivateDevices to false

[root@hoho6 system]# systemctl start postfix.service
Warning: postfix.service changed on disk. Run 'systemctl daemon-reload' to reload units.

[root@hoho6 system]# systemctl daemon-reload
[root@hoho6 system]# systemctl start postfix.service
[root@hoho6 system]# systemctl status postfix.service
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-06-10 11:29:43 CDT; 20s ago
  Process: 3263 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 3260 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)

**** What are the downsides to changing PrivateDevices to false??
Comment 8 Bob Gustafson 2017-06-10 16:57:39 UTC 
However, I have another Fedora 25 system which is sending logwatch messages just fine.

The files in /etc/postfix don't look like they have been changed since Jan 2 11:20 (virgin update to F25 ?)

PrivateDevices = true  in /usr/lib/systemd/services/postfix.service

Looking at:
[root@hoho0 postfix]# ps ax | grep postfix
 1186 ?        Ss     0:02 /usr/libexec/postfix/master -w
 9181 pts/0    S+     0:00 grep --color=auto postfix
[root@hoho0 postfix]# 

Looks normal..

A puzzle.
Comment 9 Bob Gustafson 2017-06-10 17:22:27 UTC 
Also have yet another F25 system which has been sending logwatch messages daily.

It (hoho8) has PrivateDevices = true and has a running postfix/master

So, only one out of 3 F25 systems here needs the PrivateDevices = false
Comment 10 Zbigniew Jędrzejewski-Szmek 2017-06-10 17:24:35 UTC 
*** Bug 1411942 has been marked as a duplicate of this bug. ***
Comment 11 Zbigniew Jędrzejewski-Szmek 2017-06-10 17:51:44 UTC 
/dev/null seems to be labelled correctly here, both on F25 and F26.
Can anyone who gets the AVC run the following unit:

# /run/systemd/system/lsdevnull.service
[Service]
PrivateDevices=true
Type=oneshot
ExecStart=/bin/ls -lZ /dev/null
ExecStart=/bin/sleep 1

and say what it reports ("journalctl -u lsdevnull"). Thanks.
Comment 12 Bob Gustafson 2017-06-10 18:12:53 UTC 
[root@hoho6 system]# vim lsdevnull.service << create file

[root@hoho6 system]# /run/systemd/system/lsdevnull.service
bash: /run/systemd/system/lsdevnull.service: Permission denied

[root@hoho6 system]# chmod +x /run/systemd/system/lsdevnull.service
[root@hoho6 system]# /run/systemd/system/lsdevnull.service
/run/systemd/system/lsdevnull.service: line 1: [Service]: command not found
/run/systemd/system/lsdevnull.service: line 4: -lZ: command not found
/run/systemd/system/lsdevnull.service: line 5: 1: command not found
[root@hoho6 system]# ls -lZ  /run/systemd/system/lsdevnull.service
-rwxr-xr-x. 1 root root unconfined_u:object_r:systemd_unit_file_t:s0 99 Jun 10 13:06 /run/systemd/system/lsdevnull.service
[root@hoho6 system]# 

... Need a few more hints
Comment 13 Zbigniew Jędrzejewski-Szmek 2017-06-10 18:57:29 UTC 
One you have the file created, run as root 'systemctl start lsdevnull' and then 'journalctl -u lsdevnull'.
Comment 14 Bob Gustafson 2017-06-10 20:20:51 UTC 
[root@hoho6 system]# cat lsdevnull.service
[Service]
PrivateDevices=true
Type=oneshot
ExecStart=/bin/ls -lZ /dev/null
ExecStart=/bin/sleep 1

[root@hoho6 system]# systemctl start lsdevnull
Job for lsdevnull.service failed because the control process exited with error code.
See "systemctl status lsdevnull.service" and "journalctl -xe" for details.

[root@hoho6 system]# journalctl -xe
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: Starting lsdevnull.service...
-- Subject: Unit lsdevnull.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit lsdevnull.service has begun starting up.
Jun 10 15:16:29 hoho6.chidig.com ls[3937]: /bin/ls: cannot access '/dev/null': No such file or directory
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: lsdevnull.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: Failed to start lsdevnull.service.
-- Subject: Unit lsdevnull.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit lsdevnull.service has failed.
-- 
-- The result is failed.
Jun 10 15:16:29 hoho6.chidig.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lsd
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: lsdevnull.service: Unit entered failed state.
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: lsdevnull.service: Failed with result 'exit-code'.
lines 1911-1933/1933 (END)


[root@hoho6 system]# ls -l /dev/null
crw-rw-rw-. 1 root root 1, 3 Jun 10 10:25 /dev/null
[root@hoho6 system]#
Comment 15 Zbigniew Jędrzejewski-Szmek 2017-06-11 17:10:44 UTC 
PrivateDevices=true means that the unit sees a tmpfs mounted over /dev with just a few device node created to allows programs to work (/dev/null, /dev/zero, /dev/random, etc.). So the fact that you see /dev/null in the real system does not tell us anything about what happens in the namespace in which the unit is running.

It's very strange that ls does not find /dev/null at all. Can you rerun the test with the unit changed to:

[Service]
PrivateDevices=true
Type=oneshot
ExecStart=/bin/ls -lZ /dev/
ExecStart=/bin/sleep 1

(After editing the file, you need to do 'systemctl daemon-reload' and then 'systemctl start lsdevnull' and 'journalctl -u lsdevnull' again.)
Comment 16 Zbigniew Jędrzejewski-Szmek 2017-06-11 17:13:13 UTC 
Also 'rpm -q systemd selinux-policy-targeted' please.
Comment 17 Bob Gustafson 2017-06-11 20:40:30 UTC 
As you requested

[root@hoho6 system]# date
Sun Jun 11 15:34:15 CDT 2017

[root@hoho6 system]# rpm -q systemd selinux-policy-targeted
systemd-231-15.fc25.x86_64
selinux-policy-targeted-3.13.1-225.16.fc25.noarch
[root@hoho6 system]# 

[root@hoho6 system]# ls ls*
lsdevnull.service

[root@hoho6 system]# vim lsdevnull.service
[root@hoho6 system]# cat lsdevnull.service
[Service]
PrivateDevices=true
Type=oneshot
ExecStart=/bin/ls -lZ /dev/
ExecStart=/bin/sleep 1

[root@hoho6 system]# systemctl daemon-reload
[root@hoho6 system]# systemctl start lsdevnull
[root@hoho6 system]# journalctl -u lsdevnull
-- Logs begin at Fri 2017-02-17 04:46:01 CST, end at Sun 2017-06-11 15:38:16 CDT. --
Jun 10 15:10:40 hoho6.chidig.com systemd[1]: Starting lsdevnull.service...
Jun 10 15:10:40 hoho6.chidig.com ls[3884]: /bin/ls: cannot access '/dev/null': No such file or directory
Jun 10 15:10:40 hoho6.chidig.com systemd[1]: lsdevnull.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 10 15:10:40 hoho6.chidig.com systemd[1]: Failed to start lsdevnull.service.
Jun 10 15:10:40 hoho6.chidig.com systemd[1]: lsdevnull.service: Unit entered failed state.
Jun 10 15:10:40 hoho6.chidig.com systemd[1]: lsdevnull.service: Failed with result 'exit-code'.
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: Starting lsdevnull.service...
Jun 10 15:16:29 hoho6.chidig.com ls[3937]: /bin/ls: cannot access '/dev/null': No such file or directory
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: lsdevnull.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: Failed to start lsdevnull.service.
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: lsdevnull.service: Unit entered failed state.
Jun 10 15:16:29 hoho6.chidig.com systemd[1]: lsdevnull.service: Failed with result 'exit-code'.
Jun 11 15:38:14 hoho6.chidig.com systemd[1]: Starting lsdevnull.service...
Jun 11 15:38:15 hoho6.chidig.com ls[5974]: total 0
Jun 11 15:38:16 hoho6.chidig.com systemd[1]: Started lsdevnull.service.
[root@hoho6 system]#
Comment 18 Bob Gustafson 2017-06-11 20:45:13 UTC 
Instead of doing the /bin/ls -lZ within the daemon scope, here is the result when done directly from a terminal:

[root@hoho6 system]# /bin/ls -lZ /dev/
total 0
crw-------. 1 root  root    system_u:object_r:autofs_device_t:s0        10, 235 Jun 10 10:25 autofs
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                   320 Jun 10 10:25 block
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                   100 Jun 10 10:25 bsg
crw-------. 1 root  root    system_u:object_r:lvm_control_t:s0          10, 234 Jun 10 10:25 btrfs-control
drwxr-xr-x. 3 root  root    system_u:object_r:device_t:s0                    60 Jun 10 10:25 bus
lrwxrwxrwx. 1 root  root    system_u:object_r:device_t:s0                     3 Jun 10 10:25 cdrom -> sr0
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                  4120 Jun 10 10:26 char
crw-------. 1 root  root    system_u:object_r:console_device_t:s0        5,   1 Jun 10 10:25 console
lrwxrwxrwx. 1 root  root    system_u:object_r:device_t:s0                    11 Jun 10 10:25 core -> /proc/kcore
drwxr-xr-x. 6 root  root    system_u:object_r:device_t:s0                   140 Jun 10 10:25 cpu
crw-------. 1 root  root    system_u:object_r:netcontrol_device_t:s0    10,  62 Jun 10 10:25 cpu_dma_latency
crw-------. 1 root  root    system_u:object_r:tty_device_t:s0           10, 203 Jun 10 10:25 cuse
drwxr-xr-x. 7 root  root    system_u:object_r:device_t:s0                   140 Jun 10 10:25 disk
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0   253,   0 Jun 10 10:25 dm-0
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0   253,   1 Jun 10 10:25 dm-1
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0   253,   2 Jun 10 10:25 dm-2
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                    80 Jun 10 10:25 dri
crw-rw----. 1 root  video   system_u:object_r:framebuf_device_t:s0      29,   0 Jun 10 10:25 fb0
lrwxrwxrwx. 1 root  root    system_u:object_r:device_t:s0                    13 Jun 10 10:25 fd -> /proc/self/fd
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                   100 Jun 10 10:25 fedora_hoho6_01
crw-rw-rw-. 1 root  root    system_u:object_r:null_device_t:s0           1,   7 Jun 10 10:25 full
crw-rw-rw-. 1 root  root    system_u:object_r:fuse_device_t:s0          10, 229 Jun 10 10:26 fuse
crw-------. 1 root  root    system_u:object_r:usb_device_t:s0          246,   0 Jun 10 10:25 fw0
crw-------. 1 root  root    system_u:object_r:usb_device_t:s0          247,   0 Jun 10 10:25 hidraw0
crw-------. 1 root  root    system_u:object_r:usb_device_t:s0          247,   1 Jun 10 10:25 hidraw1
crw-------. 1 root  root    system_u:object_r:usb_device_t:s0          247,   2 Jun 10 10:25 hidraw2
crw-------. 1 root  root    system_u:object_r:clock_device_t:s0         10, 228 Jun 10 10:25 hpet
drwxr-xr-x. 3 root  root    system_u:object_r:hugetlbfs_t:s0                  0 Jun 10 10:25 hugepages
crw-------. 1 root  root    system_u:object_r:random_device_t:s0        10, 183 Jun 10 10:25 hwrng
lrwxrwxrwx. 1 root  root    system_u:object_r:device_t:s0                    25 Jun 10 10:25 initctl -> /run/systemd/initctl/fifo
drwxr-xr-x. 4 root  root    system_u:object_r:device_t:s0                   380 Jun 10 10:25 input
crw-r--r--. 1 root  root    system_u:object_r:kmsg_device_t:s0           1,  11 Jun 10 10:25 kmsg
crw-rw-rw-+ 1 root  kvm     system_u:object_r:kvm_device_t:s0           10, 232 Jun 10 10:25 kvm
lrwxrwxrwx. 1 root  root    system_u:object_r:devlog_t:s0                    28 Jun 10 10:25 log -> /run/systemd/journal/dev-log
crw-rw----. 1 root  disk    system_u:object_r:loop_control_device_t:s0  10, 237 Jun 10 10:25 loop-control
crw-rw----. 1 root  lp      system_u:object_r:printer_device_t:s0        6,   0 Jun 10 10:25 lp0
crw-rw----. 1 root  lp      system_u:object_r:printer_device_t:s0        6,   1 Jun 10 10:25 lp1
crw-rw----. 1 root  lp      system_u:object_r:printer_device_t:s0        6,   2 Jun 10 10:25 lp2
crw-rw----. 1 root  lp      system_u:object_r:printer_device_t:s0        6,   3 Jun 10 10:25 lp3
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                   120 Jun 10 10:25 mapper
crw-------. 1 root  root    system_u:object_r:kmsg_device_t:s0          10, 227 Jun 10 10:25 mcelog
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                    80 Jun 10 10:25 md
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     9,   0 Jun 10 10:25 md0
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     9,   1 Jun 10 10:25 md1
crw-r-----. 1 root  kmem    system_u:object_r:memory_device_t:s0         1,   1 Jun 10 10:25 mem
crw-------. 1 root  root    system_u:object_r:memory_device_t:s0        10,  59 Jun 10 10:25 memory_bandwidth
drwxrwxrwt. 2 root  root    system_u:object_r:tmpfs_t:s0                     40 Jun 10 10:25 mqueue
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                    60 Jun 10 10:25 net
crw-------. 1 root  root    system_u:object_r:netcontrol_device_t:s0    10,  61 Jun 10 10:25 network_latency
crw-------. 1 root  root    system_u:object_r:netcontrol_device_t:s0    10,  60 Jun 10 10:25 network_throughput
crw-rw-rw-. 1 root  root    system_u:object_r:null_device_t:s0           1,   3 Jun 10 10:25 null
crw-------. 1 root  root    system_u:object_r:nvram_device_t:s0         10, 144 Jun 10 10:25 nvram
crw-------. 1 root  root    system_u:object_r:ppp_device_t:s0          108,   0 Jun 10 10:25 ppp
crw-rw-rw-. 1 root  tty     system_u:object_r:ptmx_t:s0                  5,   2 Jun 11 15:42 ptmx
drwxr-xr-x. 2 root  root    system_u:object_r:devpts_t:s0                     0 Jun 10 10:25 pts
crw-rw-rw-. 1 root  root    system_u:object_r:random_device_t:s0         1,   8 Jun 10 10:25 random
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                    60 Jun 10 10:25 raw
lrwxrwxrwx. 1 root  root    system_u:object_r:device_t:s0                     4 Jun 10 10:25 rtc -> rtc0
crw-------. 1 root  root    system_u:object_r:clock_device_t:s0        251,   0 Jun 10 10:25 rtc0
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     8,   0 Jun 10 10:25 sda
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     8,   1 Jun 10 10:25 sda1
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     8,   2 Jun 10 10:25 sda2
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     8,   3 Jun 10 10:25 sda3
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     8,  16 Jun 10 10:25 sdb
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     8,  17 Jun 10 10:25 sdb1
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     8,  18 Jun 10 10:25 sdb2
brw-rw----. 1 root  disk    system_u:object_r:fixed_disk_device_t:s0     8,  19 Jun 10 10:25 sdb3
crw-rw----. 1 root  disk    system_u:object_r:scsi_generic_device_t:s0  21,   0 Jun 10 10:25 sg0
crw-rw----. 1 root  disk    system_u:object_r:scsi_generic_device_t:s0  21,   1 Jun 10 10:25 sg1
crw-rw----+ 1 root  cdrom   system_u:object_r:scsi_generic_device_t:s0  21,   2 Jun 10 10:25 sg2
drwxrwxrwt. 2 root  root    system_u:object_r:tmpfs_t:s0                     40 Jun 11 15:40 shm
crw-------. 1 root  root    system_u:object_r:apm_bios_t:s0             10, 231 Jun 10 10:25 snapshot
drwxr-xr-x. 3 root  root    system_u:object_r:device_t:s0                   200 Jun 10 10:25 snd
brw-rw----+ 1 root  cdrom   system_u:object_r:removable_device_t:s0     11,   0 Jun 10 10:25 sr0
lrwxrwxrwx. 1 root  root    system_u:object_r:device_t:s0                    15 Jun 10 10:25 stderr -> /proc/self/fd/2
lrwxrwxrwx. 1 root  root    system_u:object_r:device_t:s0                    15 Jun 10 10:25 stdin -> /proc/self/fd/0
lrwxrwxrwx. 1 root  root    system_u:object_r:device_t:s0                    15 Jun 10 10:25 stdout -> /proc/self/fd/1
crw-rw-rw-. 1 root  tty     system_u:object_r:devtty_t:s0                5,   0 Jun 10 11:47 tty
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,   0 Jun 10 10:25 tty0
crw--w----. 1 gdm   tty     system_u:object_r:tty_device_t:s0            4,   1 Jun 10 10:25 tty1
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  10 Jun 10 10:25 tty10
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  11 Jun 10 10:25 tty11
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  12 Jun 10 10:25 tty12
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  13 Jun 10 10:25 tty13
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  14 Jun 10 10:25 tty14
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  15 Jun 10 10:25 tty15
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  16 Jun 10 10:25 tty16
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  17 Jun 10 10:25 tty17
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  18 Jun 10 10:25 tty18
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  19 Jun 10 10:25 tty19
crw--w----. 1 user1 tty     unconfined_u:object_r:user_tty_device_t:s0   4,   2 Jun 10 10:25 tty2
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  20 Jun 10 10:25 tty20
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  21 Jun 10 10:25 tty21
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  22 Jun 10 10:25 tty22
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  23 Jun 10 10:25 tty23
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  24 Jun 10 10:25 tty24
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  25 Jun 10 10:25 tty25
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  26 Jun 10 10:25 tty26
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  27 Jun 10 10:25 tty27
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  28 Jun 10 10:25 tty28
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  29 Jun 10 10:25 tty29
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,   3 Jun 10 10:25 tty3
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  30 Jun 10 10:25 tty30
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  31 Jun 10 10:25 tty31
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  32 Jun 10 10:25 tty32
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  33 Jun 10 10:25 tty33
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  34 Jun 10 10:25 tty34
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  35 Jun 10 10:25 tty35
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  36 Jun 10 10:25 tty36
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  37 Jun 10 10:25 tty37
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  38 Jun 10 10:25 tty38
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  39 Jun 10 10:25 tty39
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,   4 Jun 10 10:25 tty4
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  40 Jun 10 10:25 tty40
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  41 Jun 10 10:25 tty41
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  42 Jun 10 10:25 tty42
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  43 Jun 10 10:25 tty43
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  44 Jun 10 10:25 tty44
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  45 Jun 10 10:25 tty45
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  46 Jun 10 10:25 tty46
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  47 Jun 10 10:25 tty47
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  48 Jun 10 10:25 tty48
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  49 Jun 10 10:25 tty49
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,   5 Jun 10 10:25 tty5
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  50 Jun 10 10:25 tty50
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  51 Jun 10 10:25 tty51
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  52 Jun 10 10:25 tty52
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  53 Jun 10 10:25 tty53
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  54 Jun 10 10:25 tty54
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  55 Jun 10 10:25 tty55
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  56 Jun 10 10:25 tty56
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  57 Jun 10 10:25 tty57
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  58 Jun 10 10:25 tty58
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  59 Jun 10 10:25 tty59
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,   6 Jun 10 10:25 tty6
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  60 Jun 10 10:25 tty60
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  61 Jun 10 10:25 tty61
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  62 Jun 10 10:25 tty62
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,  63 Jun 10 10:25 tty63
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,   7 Jun 10 10:25 tty7
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,   8 Jun 10 10:25 tty8
crw--w----. 1 root  tty     system_u:object_r:tty_device_t:s0            4,   9 Jun 10 10:25 tty9
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  64 Jun 10 10:25 ttyS0
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  65 Jun 10 10:25 ttyS1
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  74 Jun 10 10:25 ttyS10
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  75 Jun 10 10:25 ttyS11
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  76 Jun 10 10:25 ttyS12
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  77 Jun 10 10:25 ttyS13
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  78 Jun 10 10:25 ttyS14
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  79 Jun 10 10:25 ttyS15
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  80 Jun 10 10:25 ttyS16
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  81 Jun 10 10:25 ttyS17
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  82 Jun 10 10:25 ttyS18
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  83 Jun 10 10:25 ttyS19
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  66 Jun 10 10:25 ttyS2
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  84 Jun 10 10:25 ttyS20
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  85 Jun 10 10:25 ttyS21
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  86 Jun 10 10:25 ttyS22
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  87 Jun 10 10:25 ttyS23
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  88 Jun 10 10:25 ttyS24
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  89 Jun 10 10:25 ttyS25
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  90 Jun 10 10:25 ttyS26
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  91 Jun 10 10:25 ttyS27
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  92 Jun 10 10:25 ttyS28
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  93 Jun 10 10:25 ttyS29
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  67 Jun 10 10:25 ttyS3
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  94 Jun 10 10:25 ttyS30
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  95 Jun 10 10:25 ttyS31
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  68 Jun 10 10:25 ttyS4
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  69 Jun 10 10:25 ttyS5
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  70 Jun 10 10:25 ttyS6
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  71 Jun 10 10:25 ttyS7
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  72 Jun 10 10:25 ttyS8
crw-rw----. 1 root  dialout system_u:object_r:tty_device_t:s0            4,  73 Jun 10 10:25 ttyS9
crw-------. 1 root  root    system_u:object_r:uhid_device_t:s0          10, 239 Jun 10 10:25 uhid
crw-------. 1 root  root    system_u:object_r:event_device_t:s0         10, 223 Jun 10 10:25 uinput
crw-rw-rw-. 1 root  root    system_u:object_r:urandom_device_t:s0        1,   9 Jun 10 10:25 urandom
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                    60 Jun 10 10:25 usb
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   0 Jun 10 10:25 usbmon0
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   1 Jun 10 10:25 usbmon1
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   2 Jun 10 10:25 usbmon2
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   3 Jun 10 10:25 usbmon3
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   4 Jun 10 10:25 usbmon4
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   5 Jun 10 10:25 usbmon5
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   6 Jun 10 10:25 usbmon6
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   7 Jun 10 10:25 usbmon7
crw-------. 1 root  root    system_u:object_r:usbmon_device_t:s0       248,   8 Jun 10 10:25 usbmon8
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7,   0 Jun 10 10:25 vcs
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7,   1 Jun 10 10:25 vcs1
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7,   2 Jun 10 10:25 vcs2
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7,   3 Jun 10 10:25 vcs3
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7,   4 Jun 10 10:25 vcs4
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7,   5 Jun 10 10:25 vcs5
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7,   6 Jun 10 10:25 vcs6
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7, 128 Jun 10 10:25 vcsa
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7, 129 Jun 10 10:25 vcsa1
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7, 130 Jun 10 10:25 vcsa2
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7, 131 Jun 10 10:25 vcsa3
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7, 132 Jun 10 10:25 vcsa4
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7, 133 Jun 10 10:25 vcsa5
crw-rw----. 1 root  tty     system_u:object_r:tty_device_t:s0            7, 134 Jun 10 10:25 vcsa6
drwxr-xr-x. 2 root  root    system_u:object_r:device_t:s0                    60 Jun 10 10:25 vfio
crw-------. 1 root  root    system_u:object_r:xserver_misc_device_t:s0  10,  63 Jun 10 10:25 vga_arbiter
crw-------. 1 root  root    system_u:object_r:vhost_device_t:s0         10, 137 Jun 10 10:25 vhci
crw-------. 1 root  root    system_u:object_r:vhost_device_t:s0         10, 238 Jun 10 10:25 vhost-net
crw-------. 1 root  root    system_u:object_r:watchdog_device_t:s0      10, 130 Jun 10 10:25 watchdog
crw-------. 1 root  root    system_u:object_r:watchdog_device_t:s0     250,   0 Jun 10 10:25 watchdog0
crw-rw-rw-. 1 root  root    system_u:object_r:zero_device_t:s0           1,   5 Jun 10 10:25 zero
[root@hoho6 system]#
Comment 19 Zbigniew Jędrzejewski-Szmek 2017-06-12 00:27:19 UTC 
Hm, that's not useful — the logs you pasted are from the previous invocation, where /dev/null was the argument. So it's probably better to not use 'journalctl -u', but normal 'journalctl' without the filter, and find the relevant part that looks like ls output.

Running ls from the terminal is not useful, because that shows the main namespace, and you need the one from the unit with PrivateDevices=true.
Comment 20 Bob Gustafson 2017-06-12 01:09:21 UTC 
[root@hoho6 system]# cat ls*
[Service]
PrivateDevices=true
Type=oneshot
ExecStart=/bin/ls -lZ /dev/
ExecStart=/bin/sleep 1

[root@hoho6 system]# systemctl daemon-reload
[root@hoho6 system]# systemctl start lsdevnull

[root@hoho6 system]# journalctl -xe
Jun 11 20:02:33 hoho6.chidig.com gnome-software-service.desktop[1916]: 01:02:33:0260 Gs  no app for changed background-logo
Jun 11 20:02:57 hoho6.chidig.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fpri
Jun 11 20:03:21 hoho6.chidig.com systemd[1]: Reloading.
Jun 11 20:03:21 hoho6.chidig.com systemd[1]: [/usr/lib/systemd/system/fwupd.service:13] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Jun 11 20:03:21 hoho6.chidig.com systemd[1]: [/usr/lib/systemd/system/fwupd.service:15] Unknown lvalue 'ProtectKernelModules' in section 'Service'
Jun 11 20:03:32 hoho6.chidig.com systemd[1]: Configuration file /run/systemd/system/lsdevnull.service is marked executable. Please remove executab
Jun 11 20:03:32 hoho6.chidig.com systemd[1]: Starting lsdevnull.service...
-- Subject: Unit lsdevnull.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit lsdevnull.service has begun starting up.
Jun 11 20:03:32 hoho6.chidig.com ls[6419]: total 0
Jun 11 20:03:33 hoho6.chidig.com systemd[1]: Started lsdevnull.service.
-- Subject: Unit lsdevnull.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit lsdevnull.service has finished starting up.
-- 
-- The start-up result is done.
Jun 11 20:03:33 hoho6.chidig.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lsd
Jun 11 20:03:33 hoho6.chidig.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lsde
[root@hoho6 system]#
Comment 21 Bob Gustafson 2017-06-12 01:15:14 UTC 
[root@hoho6 system]# ls -l ls*
-rwxr-xr-x. 1 root root 95 Jun 11 15:37 lsdevnull.service
[root@hoho6 system]# chmod -x lsdev*
[root@hoho6 system]# 

[root@hoho6 system]# ls -l ls*
-rw-r--r--. 1 root root 95 Jun 11 15:37 lsdevnull.service
[root@hoho6 system]# 
[root@hoho6 system]# systemctl start lsdevnull
[root@hoho6 system]# journalctl -xe
-- Unit lsdevnull.service has finished starting up.
-- 
-- The start-up result is done.
Jun 11 20:03:33 hoho6.chidig.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lsd
Jun 11 20:03:33 hoho6.chidig.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lsde
Jun 11 20:06:10 hoho6.chidig.com kernel: nouveau 0000:01:00.0: therm: temperature (90 C) hit the 'fanboost' threshold
Jun 11 20:10:43 hoho6.chidig.com systemd[1]: Starting lsdevnull.service...
-- Subject: Unit lsdevnull.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit lsdevnull.service has begun starting up.
Jun 11 20:10:43 hoho6.chidig.com ls[6512]: total 0
Jun 11 20:10:44 hoho6.chidig.com systemd[1]: Started lsdevnull.service.
-- Subject: Unit lsdevnull.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit lsdevnull.service has finished starting up.
-- 
-- The start-up result is done.
Jun 11 20:10:44 hoho6.chidig.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lsd
Jun 11 20:10:44 hoho6.chidig.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lsde
Comment 22 Zbigniew Jędrzejewski-Szmek 2017-06-12 01:18:10 UTC 
OK, so your service runs with an empty /dev.

To rule out the simple things first: I assume that this is with selinux in enforcing mode. What does 'getenforce' say?. If you do 'setenforce 0', does this change the result?
Comment 23 Bob Gustafson 2017-06-12 01:23:43 UTC 
[root@hoho6 system]# getenforce
Enforcing
[root@hoho6 system]# 

[root@hoho6 system]# setenforce 0
[root@hoho6 system]# 
[root@hoho6 system]# getenforce
Permissive
[root@hoho6 system]# 

[root@hoho6 system]# systemctl start lsdevnull
[root@hoho6 system]# journalctl -u lsdevnull.service
-- Logs begin at Fri 2017-02-17 04:46:01 CST, end at Sun 2017-06-11 20:20:44 CDT. --

...
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            11 Jun 11 20:20 core -> /proc/kcore
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            13 Jun 11 20:20 fd -> /proc/self/fd
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0    1, 7 Jun 11 20:20 full
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: drwxr-xr-x. 3 root root system_u:object_r:hugetlbfs_t:s0         0 Jun 10 10:25 hugepages
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0           28 Jun 11 20:20 log -> /run/systemd/jou
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:s0            40 Jun 10 10:25 mqueue
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0    1, 3 Jun 11 20:20 null
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0             8 Jun 11 20:20 ptmx -> pts/ptmx
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: drwxr-xr-x. 2 root root system_u:object_r:devpts_t:s0            0 Jun 10 10:25 pts
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: crw-rw-rw-. 1 root root system_u:object_r:random_device_t:s0  1, 8 Jun 11 20:20 random
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:s0            40 Jun 11 20:19 shm
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            15 Jun 11 20:20 stderr -> /proc/self/fd
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            15 Jun 11 20:20 stdin -> /proc/self/fd/
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            15 Jun 11 20:20 stdout -> /proc/self/fd
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: crw-rw-rw-. 1 root root system_u:object_r:devtty_t:s0         5, 0 Jun 11 20:20 tty
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: crw-rw-rw-. 1 root root system_u:object_r:urandom_device_t:s0 1, 9 Jun 11 20:20 urandom
Jun 11 20:20:43 hoho6.chidig.com ls[6592]: crw-rw-rw-. 1 root root system_u:object_r:zero_device_t:s0    1, 5 Jun 11 20:20 zero
Jun 11 20:20:44 hoho6.chidig.com systemd[1]: Started lsdevnull.service.
[root@hoho6 system]# 

[root@hoho6 system]# setenforce 1
[root@hoho6 system]# getenforce
Enforcing
[root@hoho6 system]#
Comment 24 Bob Gustafson 2017-06-12 19:35:19 UTC 
This is on another system - the one where PrivateDevices=true in postfix.service

[root@hoho8 ~]# ls -lZ /dev/null
crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0 1, 3 Jun  6 09:46 /dev/null
[root@hoho8 ~]# cd /run/systemd/system
[root@hoho8 system]# vim lsdevnull.service << create new file on hoho8
[root@hoho8 system]# date
Mon Jun 12 14:14:36 CDT 2017

This is the postfix.service file - where PrivateDevices = false on hoho6

[root@hoho8 system]# cat /usr/lib/systemd/system/postfix.service
[Unit]
Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service

[Service]
Type=forking
PIDFile=/var/spool/postfix/pid/master.pid
EnvironmentFile=-/etc/sysconfig/network
PrivateTmp=true
CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
ProtectSystem=true
PrivateDevices=true
ExecStartPre=-/usr/libexec/postfix/aliasesdb
ExecStartPre=-/usr/libexec/postfix/chroot-update
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop

Running the diagnostic routine

(forgot to do systemctl daemon-reload
 but it didn't remind me..)

[root@hoho8 system]# systemctl start lsdevnull
[root@hoho8 system]# journalctl -u lsdevnull.service
-- Logs begin at Sun 2016-05-22 13:51:58 CDT, end at Mon 2017-06-12 14:18:04 CDT
Jun 12 14:18:03 hoho8.chidig.com systemd[1]: Starting lsdevnull.service...
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: total 0
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: drwxr-xr-x. 3 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: drwxrwxrwt. 2 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: drwxr-xr-x. 2 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: drwxrwxrwt. 2 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:obj
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:obj
Jun 12 14:18:04 hoho8.chidig.com systemd[1]: Started lsdevnull.service.
[root@hoho8 system]# journalctl -u lsdevnull.service
-- Logs begin at Sun 2016-05-22 13:51:58 CDT, end at Mon 2017-06-12 14:18:04 CDT. --
Jun 12 14:18:03 hoho8.chidig.com systemd[1]: Starting lsdevnull.service...
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: total 0
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            11 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            13 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0    1, 7 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: drwxr-xr-x. 3 root root system_u:object_r:hugetlbfs_t:s0         0 Jun  
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0           28 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:s0            40 Jun  
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0    1, 3 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0             8 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: drwxr-xr-x. 2 root root system_u:object_r:devpts_t:s0            0 Jun  
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:object_r:random_device_t:s0  1, 8 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:s0            60 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            15 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            15 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0            15 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:object_r:devtty_t:s0         5, 0 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:object_r:urandom_device_t:s0 1, 9 Jun 1
Jun 12 14:18:03 hoho8.chidig.com ls[32358]: crw-rw-rw-. 1 root root system_u:object_r:zero_device_t:s0    1, 5 Jun 1
Jun 12 14:18:04 hoho8.chidig.com systemd[1]: Started lsdevnull.service.

This keeps looping and generates more logs. I don't remember this behavior on hoho6.. At the moment hoho6# systemctl status lsdevnull shows inactive (dead)

[root@hoho8 system]# systemctl stop lsdevnull

[root@hoho8 system]# getenforce
Enforcing
[root@hoho8 system]# 

Double check - was doing ls on whole directory

[root@hoho8 system]# systemctl stop lsdevnull
[root@hoho8 system]# getenforce
Enforcing
[root@hoho8 system]# more lsdevnull.service
[Service]
PrivateDevices=true
Type=oneshot
ExecStart=/bin/ls -lZ /dev/
ExecStart=/bin/sleep 1
[root@hoho8 system]#
Comment 25 Bob Gustafson 2017-06-12 19:40:46 UTC 
Created attachment 1287099 [details]
Longer line version of journalctl -u lsdevnull.service

Copy paste into normal comments - lines were truncated.
Comment 26 Zbigniew Jędrzejewski-Szmek 2017-06-12 20:08:05 UTC 
So, the output on hoho8 is what I expect, and what I get locally. It seems that selinux is preventing systemd from creating the device nodes properly in the unit namespace on hoho6. Do you see any AVCs (either in enforcing or permissive mode) when lsdevnull.service is started?
Comment 27 Bob Gustafson 2017-06-13 15:10:23 UTC 
Here are a few (most recent)

[root@hoho6 system]# ausearch -m avc


...
time->Sat Jun 10 10:43:08 2017
type=AVC msg=audit(1497109388.440:267): avc:  denied  { search } for  pid=2502 comm="postfix" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
time->Sat Jun 10 10:43:08 2017
type=AVC msg=audit(1497109388.443:268): avc:  denied  { search } for  pid=2502 comm="postfix" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

time->Sat Jun 10 11:29:15 2017
type=AVC msg=audit(1497112155.473:296): avc:  denied  { search } for  pid=3171 comm="postfix" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
time->Sat Jun 10 11:29:15 2017
type=AVC msg=audit(1497112155.477:297): avc:  denied  { search } for  pid=3171 comm="postfix-script" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
time->Sat Jun 10 11:29:15 2017
type=AVC msg=audit(1497112155.496:298): avc:  denied  { search } for  pid=3178 comm="postfix-script" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
time->Sat Jun 10 11:29:15 2017
type=AVC msg=audit(1497112155.496:299): avc:  denied  { search } for  pid=3178 comm="postfix-script" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
time->Sat Jun 10 11:29:15 2017
type=AVC msg=audit(1497112155.501:300): avc:  denied  { search } for  pid=3179 comm="postlog" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
time->Sat Jun 10 11:29:15 2017
type=AVC msg=audit(1497112155.503:301): avc:  denied  { search } for  pid=3179 comm="postlog" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
time->Sat Jun 10 11:29:15 2017
type=AVC msg=audit(1497112155.503:302): avc:  denied  { search } for  pid=3179 comm="postlog" name="dev" dev="dm-0" ino=2752513 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
[root@hoho6 system]# 
[root@hoho6 system]# 
[root@hoho6 system]# 

I will be away for a week. I can check email, but doing tests will be more difficult.
Comment 28 Zbigniew Jędrzejewski-Szmek 2017-06-13 17:01:07 UTC 
Reassigning back to selinux. It seems that selinux is somehow putting a wrench in the spokes. I'd guess dontaudit rules are also involved, since there's no avc that would explain the issue. Please have a look, comments 24-27 are the most relevant.
Comment 29 Daniel Walsh 2017-06-14 14:59:36 UTC 
unlabeled_t would indicate that the /dev directory or some subcomponent is not being created with a label.  I believe this is an issue with systemd creating and mount the /dev directory, but not labeling it correctly  Running a relabel over /dev should fix this issue.
Comment 30 Zbigniew Jędrzejewski-Szmek 2017-06-14 15:35:56 UTC 
Indeed, unlabeled_t indicates that the postfix process sees /dev from the root filesystem (dm-0). systemd should mount a tmpfs over /dev in the private mount namespace, and if the postfix service is looking at the root filesystem, then it seems that this mount is not happening.

Bob, can you check how your /dev directory itself is labeled (on both working and non-working machines):

$ sudo mount -o x-mount.mkdir --bind / /tmp/foo
$ ls -lidZ /dev /tmp/foo/dev/

?

This should print something like:
   1025 drwxr-xr-x. 22 root root system_u:object_r:device_t:s0 4320 Jun 13 17:56 /dev/
1310721 drwxr-xr-x.  2 root root system_u:object_r:device_t:s0 4096 Apr  9  2013 /tmp/foo/dev//
Comment 31 Bob Gustafson 2017-06-14 18:13:38 UTC 
[user1@hoho8 ~]$ date    # <<<< Good system
Wed Jun 14 12:55:37 CDT 2017
[user1@hoho8 ~]$ sudo mount -o x-mount.mkdir --bind / /tmp/foo
[sudo] password for user1: 
[user1@hoho8 ~]$ ls -lidZ /dev /tmp/foo/dev/
   1025 drwxr-xr-x. 21 root root system_u:object_r:device_t:s0 4320 Jun  6 09:46 /dev
2228225 drwxr-xr-x.  2 root root system_u:object_r:root_t:s0   4096 May 22  2016 /tmp/foo/dev/
[user1@hoho8 ~]$ 

[user1@hoho6 ~]$ date    # <<<< Prob system
Wed Jun 14 12:58:18 CDT 2017
[user1@hoho6 ~]$ sudo mount -o x-mount.mkdir --bind / /tmp/foo
[sudo] password for user1: 
[user1@hoho6 ~]$ ls -lidZ /dev /tmp/foo/dev/
   1025 drwxr-xr-x. 22 root root system_u:object_r:device_t:s0        4200 Jun 10 10:25 /dev
2752513 drwxr-xr-x.  2 root root unconfined_u:object_r:unlabeled_t:s0 4096 May 24 11:58 /tmp/foo/dev/
[user1@hoho6 ~]$
Comment 32 Zbigniew Jędrzejewski-Szmek 2017-06-14 18:51:46 UTC 
OK, so it seems that your root filesystem is mislabelled.
...but, it's non-trivial to fix, because even if autorelabel is run, by the time relabelling is started, /dev is already mounted.

The one option that comes to mind is to do it by hand:
chcon --reference=/dev /tmp/foo/dev
Comment 33 Bob Gustafson 2017-06-15 11:47:38 UTC 
Can I just do the command? It won't blow up the system?

What diagnostic to you want afterwards? I can set the PrivateDevices=true in the postfix.service and do a logwatch. (anyway, the ultimate test)

I am a few miles away from the hoho6 system, so I may not be able to repeat the experiment if things go south.
Comment 34 Zbigniew Jędrzejewski-Szmek 2017-06-15 12:19:27 UTC 
It should be safe, after all it only touches the context of one directory. Just umount /tmp/foo afterwards.
Comment 35 Bob Gustafson 2017-06-15 16:35:56 UTC 
Looks good. Congratulations Zbigniew

(my copy/paste is not working.. below is hand typed from screen)

[root@hoho6 user1]# chcon -- reference=/dev /tmp/foo/dev

[root@hoho6 user1]# ls -lZ /dev/null
...
crw-rw-rw-. 1 root root   system_u:object_r:null_device_t:s0  1, 3 Jun 10 10:25 /dev/null
...

# Change PrivateDevices= from false to true
[root@hoho6 user1]# vim /usr/lib/systemd/system/postfix.service 

[root@hoho6 user1]# systemctl reload daemon
[root@hoho6 user1]# logwatch # << does send email through postfix

[root@hoho6 user1]# umount /tmp/foo

[root@hoho6 user1]# logwatch # << also successfule email send
Comment 36 Zbigniew Jędrzejewski-Szmek 2017-06-15 23:47:53 UTC 
OK, good! I'll close this then. I don't know how your filesystem got mislabelled, but in new installations it seems to be labelled OK, so this was probably caused by some event in the history of that machine.
Comment 37 Mike Goodwin 2017-06-29 16:21:01 UTC 
(In reply to Zbigniew Jędrzejewski-Szmek from comment #36)
> OK, good! I'll close this then. I don't know how your filesystem got
> mislabelled, but in new installations it seems to be labelled OK, so this
> was probably caused by some event in the history of that machine.

New person here. My filesystem got mislabeled because I untarr'd into a new filesystem (migrating to btrfs) without specifying --selinux (even though I had the forethought to tar it with --selinux). Anyway, after the fact I figure "what the heck, autorelabel will take care of the rest."

Very interesting detective work going on in this thread, and eventually led me to realizing _ANY_ mounted directory at the time of fixfiles running wouldn't be correct. 

Indeed boot, home, proc, run, sys, tmp, usr, var were all unlabeled_t:

ls -lZid * | grep unlabeled
  276 drwxr-xr-x. 1 root root unconfined_u:object_r:unlabeled_t:s0    0 Mar 26  2016 boot
14874 drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0        0 Jun 29 08:44 home
  275 drwxr-xr-x. 1 root root unconfined_u:object_r:unlabeled_t:s0    0 Mar 26  2016 proc
  420 drwxr-xr-x. 1 root root unconfined_u:object_r:unlabeled_t:s0   28 Apr 27  2016 run
 3873 drwxr-xr-x. 1 root root unconfined_u:object_r:unlabeled_t:s0    0 Mar 26  2016 sys
12100 drwxrwxrwt. 1 root root unconfined_u:object_r:unlabeled_t:s0    0 Jun 29 11:11 tmp
14872 drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0        0 Jun 29 08:44 usr
14873 drwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0        0 Jun 29 08:44 var


Can perhaps autorelabling account for this by bind mounting / like we've done here and comparing?

In the end I'm fixing this by doing:

ls -lZid /tmp/foo | grep unlabeled | awk '{ print $NF }' | while read -r dir; do chcon --reference=/${dir} ./${dir}; done
Comment 38 Bob Gustafson 2017-07-02 14:10:14 UTC 
(In reply to Zbigniew Jędrzejewski-Szmek from comment #36)

> OK, good! I'll close this then. I don't know how your filesystem got
> mislabelled, but in new installations it seems to be labelled OK, so this
> was probably caused by some event in the history of that machine.

The system with the problem (1 out of 3 systems) seems to have a problem starting up postfix after a reboot. It is enabled, but I need to manually start postfix after a boot. (discovered after a logwatch did not show up)

Also, this is the 1 system without a /var/log/messages file. Within that directory, there is a helpful README file which tells the story of the missing messages file - and to use journalctl instead.

My other 2 (all with dnf update this morning) systems still have /var/log/messages files..

Odd.
Comment 39 Zbigniew Jędrzejewski-Szmek 2017-07-02 21:15:59 UTC 
I opened #1467103 against policycoreutils to ask for restorecon to also fix mountpoints. (A new bug is better because this one has too much baggage and false alleys.)
Comment 40 Bob Gustafson 2017-07-17 16:20:13 UTC 
(In reply to Bob Gustafson from comment #38)
> (In reply to Zbigniew Jędrzejewski-Szmek from comment #36)
> 
> The system with the problem (1 out of 3 systems) seems to have a problem
> starting up postfix after a reboot. It is enabled, but I need to manually
> start postfix after a boot. (discovered after a logwatch did not show up)
> 
> Also, this is the 1 system without a /var/log/messages file. Within that
> directory, there is a helpful README file which tells the story of the
> missing messages file - and to use journalctl instead.
> 
> My other 2 (all with dnf update this morning) systems still have
> /var/log/messages files..
> 
> Odd.

All my 3 systems have been upgraded to F26 and also a couple of updates since the major upgrade last Wednesday.

The situation is the same - postfix fails on a reboot on the hoho6 system. All the other systems work fine. All systems have PrivateDevices=true in postfix.service.

I have not yet used the fix recommended at the end of Comment #37 (Mike Goodwin)
Comment 41 Fedora Update System 2017-08-14 15:21:26 UTC 
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
Comment 42 Fedora Update System 2017-08-15 03:50:46 UTC 
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
Comment 43 Fedora Update System 2017-08-27 06:21:49 UTC 
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 44 Fedora Update System 2017-09-01 09:34:21 UTC 
selinux-policy-3.13.1-225.22.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee
Comment 45 Fedora Update System 2017-09-03 06:24:35 UTC 
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee
Comment 46 Fedora Update System 2017-09-07 23:19:55 UTC 
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 47 Fred van Zwieten 2017-09-21 21:33:10 UTC 
This issue still exists on a fully up-to-date F26 in rpi3:

# ls -lidZ /dev /tmp/foo/dev/
1025 drwxr-xr-x. 17 root root system_u:object_r:device_t:s0    5800 Sep 18 20:07 /dev
7634 drwxr-xr-x.  4 root root system_u:object_r:unlabeled_t:s0 4096 Jul  5 23:56 /tmp/foo/dev/
Comment 48 Fedora Update System 2017-10-10 11:59:56 UTC 
selinux-policy-3.13.1-225.23.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a
Comment 49 Fedora Update System 2017-10-11 04:21:51 UTC 
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a
Comment 50 Fedora Update System 2017-11-01 16:38:58 UTC 
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.