I'm not entirely sure if the pathing for the XDG things is correct in libvirt.
The usual rule from mesa [1] would be:
owner @{HOME}/.cache/ w, # if user clears all caches
But that does not work as user is libvirt-qemu which has a home in /var/lib/libvirt
libvirt-qemu:x:108:135:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
But the rule above does not fix the following issue:
apparmor="DENIED" operation="mkdir" profile="libvirt-2f6bde7c-1d3d-498a-b96c-8920f165fa4c" name="/var/lib/libvirt/.cache/" pid=12056 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
fsuid == ouid == 108 matches the user id.
The path matches what I'd expect
And the file for the guest has the rule rendered:
owner "@{HOME}/.cache/" w
Why does this still fail?!
[1]: https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/mesa
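
One way to check what the rendered rule actually expands to, as an added example that is not part of the original post or of libvirt: it parses the denial quoted above, expands @{HOME}, and tests the denied path against each resulting pattern. The TUNABLES values are assumed to be the stock tunables/home defaults (compare them with the local /etc/apparmor.d/tunables/home), and the function names are hypothetical.

```python
import re

# Assumption: stock values from /etc/apparmor.d/tunables/home; verify locally.
TUNABLES = {"HOMEDIRS": ["/home/"], "HOME": ["@{HOMEDIRS}/*/", "/root/"]}

# Constructed from the denial quoted in the post.
DENIAL = ('apparmor="DENIED" operation="mkdir" '
          'profile="libvirt-2f6bde7c-1d3d-498a-b96c-8920f165fa4c" '
          'name="/var/lib/libvirt/.cache/" pid=12056 comm="qemu-system-x86" '
          'requested_mask="c" denied_mask="c" fsuid=108 ouid=108')

def parse_denial(line):
    """Split the key=value / key="value" pairs of an AppArmor audit message."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def expand(path, tunables):
    """Return every concrete pattern a path with @{VAR} references expands to."""
    m = re.search(r'@\{(\w+)\}', path)
    if not m:
        return [re.sub(r'/{2,}', '/', path)]  # repeated slashes are collapsed
    out = []
    for value in tunables[m.group(1)]:
        out += expand(path[:m.start()] + value + path[m.end():], tunables)
    return out

def glob_to_regex(pattern):
    """Translate AppArmor globbing: '**' crosses '/', '*' does not."""
    parts = re.split(r'(\*\*|\*)', pattern)
    body = ''.join('.*' if p == '**' else '[^/]*' if p == '*' else re.escape(p)
                   for p in parts)
    return re.compile('^' + body + '$')

def explain(line, rule_path, tunables=TUNABLES):
    """Report whether the owner condition holds and which expansions match."""
    ev = parse_denial(line)
    patterns = expand(rule_path, tunables)
    return {
        "owner_ok": ev["fsuid"] == ev["ouid"],
        "patterns": patterns,
        "matches": [p for p in patterns if glob_to_regex(p).match(ev["name"])],
    }

if __name__ == "__main__":
    print(explain(DENIAL, "@{HOME}/.cache/"))
```

Under the assumed defaults the rule expands to /home/*/.cache/ and /root/.cache/, so the owner condition holds but no pattern covers /var/lib/libvirt/.cache/.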