virnetdevmacvlan: Wait for udev to settle after creating macvtap

When a macvtap interface is created (e.g. during domain startup
or on device hotplug) libvirt then open corresponding /dev/tapNN
in order to pass FDs to the hypervisor. These FDs are labelled
before passing, but if creating the interface and open() happen
in quick succession, i.e. when udev did not had chance to run,
then the /dev/tapNN node might have default SELinux label
(device_t) instead of correct one (tun_tap_device_t). This then
leads to AVC messages, like the following:

  type=AVC msg=audit(1774535384.365:1238): avc:  denied  { open } for  pid=6765
  comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=805
  scontext=system_u:system_r:virtqemud_t:s0
  tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1

Therefore, allow udev to settle down after macvtap is created (by
calling virWaitForDevices()).

Resolves: https://gitlab.com/libvirt/libvirt/-/work_items/866
Tested-by: Johannes Segitz <jsegitz@suse.de>
Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/util/virnetdevmacvlan.c b/src/util/virnetdevmacvlan.c
index cde9d70eefd047dc5c16056f6697cf4d05bc0795..e7e27b57fd7f6a8aa4730a718b1718cc4710b02a 100644 (file)
--- a/src/util/virnetdevmacvlan.c
+++ b/src/util/virnetdevmacvlan.c
@@ -24,6 +24,7 @@
 #include "virnetdevmacvlan.h"
 #include "virmacaddr.h"
 #include "virerror.h"
+#include "virutil.h"
 
 #define VIR_FROM_THIS VIR_FROM_NET
 
@@ -119,6 +120,11 @@ virNetDevMacVLanCreate(const char *ifname,
         return -1;
     }
 
+    if (flags & VIR_NETDEV_MACVLAN_CREATE_WITH_TAP) {
+        /* Allow udev to process newly created macvtap. */
+        virWaitForDevices();
+    }
+
     VIR_INFO("created device: '%s'", ifname);
     return 0;
 }