On Wednesday, February 5th, 2025 at 4:01 PM, Stefano Brivio <sbrivio(a)redhat.com> wrote:

> But the libvirt profile is not associated to the process, oops.

Oh, so this is what is being worked upon: that AppArmor is not making the association, whereas SELinux is doing its thing as it's supposed to.

> We're just trying to make things as strict as possible, and depending on specific paths.

I see. I'm glad this approach of as-strict-as-possible is being taken.

> We'll probably need to make them a bit looser for the moment being and perhaps just allow passt, no matter who starts it, to write to /var/run/**.

I believe user-mode virtual machines only need access to /run/user/$USER and not /var/run. Not even /run/*, but only /run/user/$USER. So if that work-around is to be implemented, that would be the strictest version of it: each user-started passt process gets access to $XDG_RUNTIME_DIR of its owner (and not outside of it).

It also seems that more and more of us use $XDG_RUNTIME_DIR in lieu of /tmp in our personal shell scripts, because it kinda feels like a more private /tmp.

Also, the `passt` update fixing the DNS issue hasn't made it to Debian Trixie yet. I figure it's going to take some time (?) Perhaps I should venture to Debian Sid myself.
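Added example, not taken from the thread and not passt's or libvirt's shipped profile: a hypothetical AppArmor profile fragment that puts the loose rule discussed above (any passt instance may write anywhere under the runtime directory) next to the stricter owner-scoped alternative limited to the invoking user's own /run/user/<uid> tree, which is the directory $XDG_RUNTIME_DIR points at under systemd-logind. The profile name, the attachment path, and the included abstraction are assumptions; `@{run}` is the standard tunable that expands to both /run/ and /var/run/.

```apparmor
# Hypothetical AppArmor profile fragment (added example, not passt's real profile).
# Assumes the standard tunables/global, which defines @{run}=/run/ /var/run/.
#include <tunables/global>

# Attachment path /usr/bin/passt is an assumption for illustration.
profile passt-example /usr/bin/passt {
  #include <abstractions/base>

  # Loose rule as described in the thread: whoever starts passt may write
  # anywhere under the runtime directory. Left commented out so the stricter
  # rule below is the one that applies.
  # @{run}/** w,

  # Stricter alternative: writes only under a per-user runtime directory,
  # and only to files owned by the same uid as the passt process itself
  # (the `owner` qualifier makes AppArmor compare file owner and fsuid).
  owner @{run}/user/[0-9]*/** rw,
}
```

Whichever rule is chosen only matters once the profile is actually attached to the passt process, which is the missing piece the thread mentions; the quick check on an AppArmor system is `cat /proc/<pid>/attr/current` for the running passt, which prints the confining profile name and mode, or `unconfined` if no profile was applied.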