With PrivateDevices=false all the devices are available in /dev, but only access to the ones specified with DeviceAllow= works. For example, I tried with:

    PrivateDevices=false
    DevicePolicy=closed
    DeviceAllow=/dev/sda rw

In this case, ipmitool didn't work although /dev/ipmi0 did exist.
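
The difference between a device node being visible in /dev and being usable can be checked against a unit's settings. The sketch below is an added example, not part of the original post and not systemd's own code: it models the DevicePolicy=/DeviceAllow= decision as documented in systemd.resource-control(5) for exact device paths. The function names, the sample unit text and the variant that lists /dev/ipmi0 are constructed for illustration.

```python
# Added illustration, not systemd code: models the DevicePolicy=/DeviceAllow=
# decision for exact /dev paths only (char-*/block-* group specifiers are skipped).
# Pseudo devices that the man page lists for DevicePolicy=closed.
CLOSED_DEFAULTS = {"/dev/null", "/dev/zero", "/dev/full", "/dev/random", "/dev/urandom"}

def parse_unit(text):
    """Return (policy, {device: perms}) from unit-file text."""
    policy, allow = "auto", {}           # auto is the documented default
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "DevicePolicy":
            policy = value
        elif key == "DeviceAllow":
            fields = value.split()
            if not fields:               # empty assignment resets the list
                allow = {}
            elif fields[0].startswith("/dev/"):
                # Assumption: omitted permissions mean "rwm".
                allow[fields[0]] = fields[1] if len(fields) > 1 else "rwm"
    return policy, allow

def access_allowed(policy, allow, device, mode):
    """True if every access type in mode (r, w, m) is granted for device."""
    if policy == "auto" and not allow:
        return True                      # no allow-list: nothing is filtered
    granted = allow.get(device, "")
    if policy in ("closed", "auto") and device in CLOSED_DEFAULTS:
        granted += "rwm"
    return all(ch in granted for ch in mode)

# Constructed sample: the settings quoted in the post, then a hypothetical
# variant that also lists /dev/ipmi0.
POST_UNIT = "[Service]\nPrivateDevices=false\nDevicePolicy=closed\nDeviceAllow=/dev/sda rw\n"
WITH_IPMI = POST_UNIT + "DeviceAllow=/dev/ipmi0 rw\n"

if __name__ == "__main__":
    for name, unit in (("post", POST_UNIT), ("with ipmi0", WITH_IPMI)):
        policy, allow = parse_unit(unit)
        for dev in ("/dev/sda", "/dev/ipmi0", "/dev/null"):
            print(name, dev, access_allowed(policy, allow, dev, "rw"))
```

On a running system, `systemctl show -p DevicePolicy -p DeviceAllow <unit>` reports the values systemd actually applied to the unit.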