During the investigation to upgrade AGL to Yocto Project 3.1/dunfell, applications failing to start was tracked down to a SMACK access denial on a Weston owned memfd node.  Digging a bit with mvlad's assistance, it was determined that Weston 8.0.0 now hard-codes using memfd if the C library has support.  With that build time logic worked around, things start up as expected.  The bigger issue this Jira issue is being opened for is what to do about SMACK configuration to allow this memfd usage.  For PipeWire, the current workaround is that every installed application has access to a PipeWire label that all PipeWire objects inherit.  Do we  do the same for Weston, or address the issue more comprehensively somehow (e.g. with security-manager changes)?  For the short-term, jsmoeller has recommended patching Weston to work as before, but it would be good to have a plan for how to address this in a more futureproof fashion.