[systemd-devel] PrivateDevices with more than basic set of devices?

Topi Miettinen toiwoton at gmail.com
Tue Jan 27 14:01:28 PST 2015

On 01/27/15 21:40, Lennart Poettering wrote:
> On Tue, 27.01.15 21:38, Topi Miettinen (toiwoton at gmail.com) wrote:
>>>> CAP_SYS_RAWIO, yes. Only read access is needed otherwise:
>>>> DevicePolicy=closed
>>>> DeviceAllow=block-sd r
>>>> DeviceAllow=/dev/sda r
>>>> DeviceAllow=/dev/sdb r
>>>> works fine here.
>>> You should be able to reduce this to simply:
>>>     DeviceAllow=block-sd r
>>> This should suffic since DevicePolicy=closed is implied if there's at
>>> least one DeviceAllow= specified. And "DeviceAllow=block-sd r" enables
>>> access to all /dev/sd* access, which includes /dev/sda and /dev/sdb,
>>> of course.
>> In general yes, but I didn't want to allow SMART requests to /dev/sdc,
>> it's a DVD-ROM drive and there are useless errors if accessed with
> Well, don't you just get a different error then?

Embarrassingly it looks like I actually fixed the error by editing
smartd.conf and not with the unit file...


> That said, if this is really what you want, then you should really
> remove the "DeviceAllow=block-sd r" line, since that opens up access
> to /dev/sdc, too...
> Lennart

More information about the systemd-devel mailing list