I have to admit that I'm also confused by the patch for #786650:

On Wed, 2015-08-19 at 13:22 +0200, Guido Günther wrote:
+Subject: Allow access to libnl-3 config files [...] ++ /etc/libnl-3/classid r, ++ That seems to make sense... + # for hostdev + /sys/devices/ r, + /sys/devices/** r, ++ deny /dev/sd* r, ++ deny /dev/vd* r, ++ deny /dev/dm-* r, ++ deny /dev/mapper/ r, ++ deny /dev/mapper/* r, ... these not so much. Regards, Adam
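Review bot: The five deny rules added after the "# for hostdev" /sys/devices lines (/dev/sd*, /dev/vd*, /dev/dm-*, /dev/mapper/ and /dev/mapper/*) have nothing to do with the stated Subject, "Allow access to libnl-3 config files", and no comment says why they are there. In AppArmor a deny rule takes precedence over any matching allow rule and is not logged by default, so these lines both override any read access granted elsewhere in the profile and hide the resulting denials from the audit log. I would split them into their own patch with a description of the intent, or at least add a comment above them stating whether the goal is to block reads of host block devices or only to quiet denial messages. If the denials should stay visible, "audit deny" would keep them logged. The /etc/libnl-3/classid r, line matches the Subject and looks fine as it stands.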