From: Michal Privoznik <mprivozn@redhat.com> When a macvtap interface is created (e.g. during domain startup or on device hotplug) libvirt then opens the corresponding /dev/tapNN in order to pass FDs to the hypervisor. These FDs are labelled before passing, but if creating the interface and open() happen in quick succession, i.e. when udev did not have a chance to run, then the /dev/tapNN node might have the default SELinux label (device_t) instead of the correct one (tun_tap_device_t). This then leads to AVC messages, like the following: type=AVC msg=audit(1774535384.365:1238): avc: denied { open } for pid=6765 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=805 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 Therefore, allow udev to settle down after macvtap is created (by calling virWaitForDevices()). Resolves: https://gitlab.com/libvirt/libvirt/-/work_items/866 Tested-by: Johannes Segitz <jsegitz@suse.de> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/util/virnetdevmacvlan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/util/virnetdevmacvlan.c b/src/util/virnetdevmacvlan.c index cde9d70eef..436f8479a9 100644 --- a/src/util/virnetdevmacvlan.c +++ b/src/util/virnetdevmacvlan.c @@ -119,6 +119,11 @@ virNetDevMacVLanCreate(const char *ifname, return -1; } + if (flags & VIR_NETDEV_MACVLAN_CREATE_WITH_TAP) { + /* Allow udev to process newly created macvtap. */ + virWaitForDevices(); + } + VIR_INFO("created device: '%s'", ifname); return 0; } -- 2.52.0
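Review bot: the virWaitForDevices() call in the new block is used as a bare statement with no result checked, so if udev settling is unavailable, fails or times out the caller will still go on to open /dev/tapNN and can hit the same device_t vs. tun_tap_device_t race described in the commit message; the comment should make the best-effort nature and the reason explicit so the wait is not removed later as dead latency, e.g. `/* Best effort: let udev finish processing (and relabelling) the new macvtap node before it is opened. */`. It is also worth stating in the commit message that this adds a synchronous settle to every VIR_NETDEV_MACVLAN_CREATE_WITH_TAP creation, including on hosts without SELinux, since that cost is paid on each hotplug.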