From: Michal Privoznik
Date: Fri, 10 Apr 2026 11:33:41 +0000 (+0200)
Subject: virnetdevmacvlan: Wait for udev to settle after creating macvtap
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44bcb77ef4459d0f6798615a76010d6b5279f2c1;p=thirdparty%2Flibvirt.git

virnetdevmacvlan: Wait for udev to settle after creating macvtap

When a macvtap interface is created (e.g. during domain startup or on device hotplug) libvirt then opens the corresponding /dev/tapNN in order to pass FDs to the hypervisor. These FDs are labelled before passing, but if creating the interface and open() happen in quick succession, i.e. when udev did not have a chance to run, then the /dev/tapNN node might have the default SELinux label (device_t) instead of the correct one (tun_tap_device_t). This then leads to AVC messages, like the following:

type=AVC msg=audit(1774535384.365:1238): avc: denied { open } for pid=6765 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=805 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1

Therefore, allow udev to settle down after macvtap is created (by calling virWaitForDevices()).

Resolves: https://gitlab.com/libvirt/libvirt/-/work_items/866
Tested-by: Johannes Segitz
Reviewed-by: Laine Stump
Signed-off-by: Michal Privoznik
---
diff --git a/src/util/virnetdevmacvlan.c b/src/util/virnetdevmacvlan.c index cde9d70eef..e7e27b57fd 100644 --- a/src/util/virnetdevmacvlan.c +++ b/src/util/virnetdevmacvlan.c @@ -24,6 +24,7 @@ #include "virnetdevmacvlan.h" #include "virmacaddr.h" #include "virerror.h" +#include "virutil.h" #define VIR_FROM_THIS VIR_FROM_NET @@ -119,6 +120,11 @@ virNetDevMacVLanCreate(const char *ifname, return -1; } + if (flags & VIR_NETDEV_MACVLAN_CREATE_WITH_TAP) { + /* Allow udev to process newly created macvtap. */ + virWaitForDevices(); + } + VIR_INFO("created device: '%s'", ifname); return 0; }
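
Review bot: in the second hunk (virNetDevMacVLanCreate), virWaitForDevices() is called as a bare statement immediately before VIR_INFO and return 0, so nothing in this path reacts if udev has not finished with the new node by the time the call returns; the function still reports success and the caller's open() on /dev/tapNN can meet the same device_t label the commit message describes. The code comment should state that the wait is best-effort and give the actual reason for it (the node must carry tun_tap_device_t before it is opened and its FD passed on), since "Allow udev to process newly created macvtap." alone does not tell a later reader that removing the call reintroduces the AVC denial. It would also help to note in the comment that the wait is limited to VIR_NETDEV_MACVLAN_CREATE_WITH_TAP because only that case creates a /dev/tapNN node, so plain macvlan creation is deliberately left without the delay.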