RHEL-119651

audit qemu cfg->user usage


    • Bug
    • Resolution: Unresolved
    • rhel-10.0
    • libvirt / General
    • rhel-virt-core-libvirt-1

      By default, qemu:///system runs VMs as user=qemu, configured via qemu.conf or at compile time.

      However this can be overridden for individual VMs, say for uid=1000 gid=1000 like:

        <seclabel type='static' model='dac' relabel='yes'>
          <label>+1000:+1000</label>
        </seclabel>
      

      qemu driver code doesn't handle this consistently though. For example, `/run/libvirt/qemu/passt` is shared with all VMs, and is chown'd qemu.qemu at driver startup. Any UID override request will fail with passt config because passt, running as non-qemu UID, won't be able to write to that dir (root _should_ work but it then hits issues with passt's own sandboxing).

      You can check for code users of the qemu.conf config by grepping for `cfg->user`. Any usage should be audited IMO, either the pattern should be changed, or it should also take into account any DAC override, like is done in qemuDomainOpenFile. The shared state dir pattern that external processes like passt, slirp, dbus etc. use is suspect here. `priv->libDir`, the per-domain dir in /var/lib/libvirt/qemu/domain-$ID-$NAME, should probably be used more, but be warned that it has different selinux labels, which causes issues with passt as well, so it's all a bit tricky.

      Note, this isn't just a theoretical issue. libguestfs is planning to move to using that `<seclabel>` override, but for user=root. Because it's user=root, it papers over a lot of these problems. But existing code should be fixed so the bad pattern doesn't continue to spread IMO.
       

              virt-maint virt-maint
              rhn-engineering-colerobinson Cole Robinson
              virt-maint virt-maint
              virt-bugs virt-bugs
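The mismatch described in the report, as an added example that is not libvirt code and not part of the original issue: it reads the per-domain DAC `<seclabel>` override and checks whether a helper running under that UID/GID could create files in a shared state directory owned by the default qemu user. Assumptions: the qemu UID/GID of 107 and the directory mode 0755 are constructed sample values, only numeric labels are handled, and supplementary groups, ACLs and SELinux are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample values (assumptions, not taken from libvirt's source).
QEMU_UID, QEMU_GID = 107, 107  # stand-in for the qemu.conf user/group
SHARED_DIR = {"path": "/run/libvirt/qemu/passt",
              "uid": QEMU_UID, "gid": QEMU_GID, "mode": 0o755}

# Constructed domain XML carrying the override quoted in the report.
DOMAIN_XML = """
<domain type='kvm'>
  <name>demo</name>
  <seclabel type='static' model='dac' relabel='yes'>
    <label>+1000:+1000</label>
  </seclabel>
</domain>
"""

def _numeric(field):
    """Parse one half of a DAC label; a leading '+' marks a numeric ID."""
    value = field[1:] if field.startswith("+") else field
    if not value.isdigit():
        raise ValueError(f"name lookup not handled in this example: {field!r}")
    return int(value)

def effective_ids(domain_xml, default=(QEMU_UID, QEMU_GID)):
    """Return the (uid, gid) the domain's processes run as: the DAC
    seclabel override if present, otherwise the driver-wide default."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall("seclabel"):
        label = sec.findtext("label")
        if sec.get("model") == "dac" and label:
            user, _, group = label.strip().partition(":")
            return _numeric(user), _numeric(group)
    return default

def can_create_in(uid, gid, directory):
    """Classic Unix DAC check for creating a file in a directory
    (needs write + search). Root bypasses DAC entirely."""
    if uid == 0:
        return True
    if uid == directory["uid"]:
        bits = directory["mode"] >> 6
    elif gid == directory["gid"]:
        bits = directory["mode"] >> 3
    else:
        bits = directory["mode"]
    return bits & 0o3 == 0o3

if __name__ == "__main__":
    uid, gid = effective_ids(DOMAIN_XML)
    ok = can_create_in(uid, gid, SHARED_DIR)
    print(f"{SHARED_DIR['path']}: uid={uid} gid={gid} writable={ok}")
```

The root case passes this DAC check only; the sandboxing problem the report mentions for root is outside what the check models.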