Comment 12 for bug 1815452

I'm not entirely sure if the pathing for the XDG things is correct in libvirt.
The usual rule from mesa [1] would be:
  owner @{HOME}/.cache/ w, # if user clears all caches

But that does not work as user is libvirt-qemu which has a home in /var/lib/libvirt
  libvirt-qemu:x:108:135:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

But the rule above does not fix the following issue:
apparmor="DENIED" operation="mkdir" profile="libvirt-2f6bde7c-1d3d-498a-b96c-8920f165fa4c" name="/var/lib/libvirt/.cache/" pid=12056 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=108 ouid=108

fsuid == ouid == 108 matches the user id.
The path matches what I'd expect

And the file for the guest has the rule rendered:
  owner "@{HOME}/.cache/" w

Why does this still fail?!

[1]: https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/mesa