Bug 1411942 - PrivateDevices=true gives unlabeled /dev/null
Summary: PrivateDevices=true gives unlabeled /dev/null
Keywords:
Status: CLOSED DUPLICATE of bug 1412696
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 25
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-01-10 19:35 UTC by Laurent Jacquot
Modified: 2017-06-10 17:24 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-06-10 17:24:35 UTC
Type: Bug
Embargoed:



Description Laurent Jacquot 2017-01-10 19:35:20 UTC
Upgraded from f24 to f25 and then postfix cannot access /dev/null anymore when setenforce = 1.

[root@jack selinux]# systemctl start postfix.service 
Job for postfix.service failed because the control process exited with error code.
[root@jack selinux]# journalctl -xe
AVCs...
janv. 10 20:14:19 jack postfix[11894]: /usr/libexec/postfix/postfix-script: line 122: /dev/null: Permission denied
AVCs...
janv. 10 20:14:20 jack systemd[1]: postfix.service: Control process exited, code=exited status=1
janv. 10 20:14:20 jack systemd[1]: Failed to start Postfix Mail Transport Agent.


[root@jack selinux]# cat /etc/fedora-release 
Fedora release 25 (Twenty Five)
[root@jack selinux]# uname -r
4.8.15-300.fc25.x86_64

[root@jack selinux]# rpm -qa |grep selinux-policy
selinux-policy-devel-3.13.1-225.3.fc25.noarch
selinux-policy-targeted-3.13.1-225.3.fc25.noarch
selinux-policy-3.13.1-225.3.fc25.noarch

[root@jack selinux]# ls -lZ /dev/null
crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0 1, 3  8 janv. 22:14 /dev/null

but postfix is convinced that /dev/null is unlabeled, and wants me to insert the following semodule 

To my understanding, the PrivateDevices=true directive in /usr/lib/systemd/system/postfix.service is to blame. If it is set to false or commented out, postfix starts.

See #1389863 and #1398007 for more context.
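
One way to check the hypothesis in the description, as an added example that is not part of the original report: compare the SELinux type of /dev/null on the host with the type seen inside a transient unit started with PrivateDevices=true. The function names and the `--live` switch are hypothetical, and the second sample line in the offline demo is constructed.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the bug report): compare the SELinux type
# of /dev/null on the host with the type seen under PrivateDevices=true.

# Print the SELinux type (third field of user:role:type:level) found in one
# line of `ls -lZ` output; print nothing when no context is present.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, part, ":")
            if (n >= 4 && part[2] ~ /_r$/) { print part[3]; exit }
        }
    }'
}

# Classify the node seen inside the unit ($2) against the host node ($1):
#   ok        same type as on the host
#   unlabeled private /dev node carries unlabeled_t (the symptom reported here)
#   mismatch  some other type
#   unknown   no context could be parsed from one of the lines
classify_dev_null() {
    host_type=$(selinux_type "$1")
    unit_type=$(selinux_type "$2")
    if [ -z "$host_type" ] || [ -z "$unit_type" ]; then
        echo unknown
    elif [ "$unit_type" = "unlabeled_t" ]; then
        echo unlabeled
    elif [ "$unit_type" = "$host_type" ]; then
        echo ok
    else
        echo mismatch
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Needs root on an SELinux-enabled systemd host: the transient unit gets
    # its own private /dev, like postfix.service does.
    host_line=$(ls -lZ /dev/null)
    unit_line=$(systemd-run --quiet --pty -p PrivateDevices=true ls -lZ /dev/null)
else
    # Offline demo: host line as posted in the report, unit line constructed.
    host_line='crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0 1, 3  8 janv. 22:14 /dev/null'
    unit_line='crw-rw-rw-. 1 root root system_u:object_r:unlabeled_t:s0 1, 3 Jan 10 20:14 /dev/null'
fi
echo "/dev/null inside the unit: $(classify_dev_null "$host_line" "$unit_line")"
```

A result of `unlabeled` with the host line showing `null_device_t` matches the behaviour reported here; `ok` points away from the private /dev as the cause.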

Comment 1 Laurent Jacquot 2017-01-20 18:40:52 UTC
Same bug at #1412696.

Comment 2 Zbigniew Jędrzejewski-Szmek 2017-06-10 17:24:35 UTC

*** This bug has been marked as a duplicate of bug 1412696 ***

