It seems that Fedora is trying to move incus sockets from /var/lib/incus to /run/incus (https://github.com/lxc/incus/pull/800).  In order for non-root users to access these sockets, the permission/mode of /run/incus should be at least 0711.  And this is what is set in the tempfiles.d config included in Fedora's RPM.

However, incus itself rewrites the mode to 700 upon initialization.  For example, after a reboot, the first command of incus may change the folder mode:

# ll /run/incus -d
drwx--x--x 2 root root 40 Jun 12 10:28 /run/incus

# incus list
+-------+---------+------+------+-----------+-----------+
| NAME  |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-------+---------+------+------+-----------+-----------+
| test1 | STOPPED |      |      | CONTAINER | 0         |
+-------+---------+------+------+-----------+-----------+
| test2 | STOPPED |      |      | CONTAINER | 0         |
+-------+---------+------+------+-----------+-----------+

# ll /run/incus -d
drwx------ 2 root root 60 Jun 12 10:29 /run/incus

I digged a bit and so far it seems that the mode change happens in incus source "internal/server/sys/fs.go", function initDirs().  I'm not sure if this one-liner change is approriate:

diff -ru a/internal/server/sys/fs.go b/internal/server/sys/fs.go
--- a/internal/server/sys/fs.go 2024-05-30 20:14:21.000000000 -0700
+++ b/internal/server/sys/fs.go 2024-06-12 18:21:30.100094484 -0700
@@ -49,7 +49,7 @@
                {filepath.Join(s.VarDir, "images"), 0700},
                {s.LogDir, 0700},
                {filepath.Join(s.VarDir, "networks"), 0711},
-               {s.RunDir, 0700},
+               {s.RunDir, 0711},
                {filepath.Join(s.VarDir, "security"), 0700},
                {filepath.Join(s.VarDir, "security", "apparmor"), 0700},
                {filepath.Join(s.VarDir, "security", "apparmor", "cache"), 0700},


Reproducible: Always