diff --git a/.cirrus.yml b/.cirrus.yml
index db5ceffc5d..b26568939a 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -33,7 +33,7 @@ env:
 DEBIAN_NAME: "debian-13"
 # Image identifiers
- IMAGE_SUFFIX: "c20240201t143038z-f39f38d13"
+ IMAGE_SUFFIX: "c20240212t122113z-f39f38d13"
 # EC2 images
@@ -1010,8 +1010,8 @@ upgrade_test_task:
 - build
 - local_system_test
 matrix:
- - env:
- PODMAN_UPGRADE_FROM: v4.1.0
+# - env:
+# PODMAN_UPGRADE_FROM: v4.1.0
 - env:
 PODMAN_UPGRADE_FROM: v4.8.0
 gce_instance: *standardvm
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index efa61a9794..35f12a3b42 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -1248,7 +1248,7 @@ var (
 defaultConfigMapName = "testConfigMap"
 defaultSecretName = "testSecret"
 defaultPVCName = "testPVC"
- seccompPwdEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+ seccompLinkEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
 // CPU Period in ms
 defaultCPUPeriod = 100
 // Default secret in JSON. Note that the values ("foo" and "bar") are base64 encoded.
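Review bot: The v4.1.0 entry of the upgrade_test_task matrix is commented out with no reason recorded, so nothing in .cirrus.yml explains why the oldest upgrade path is no longer exercised or when it is meant to return. Add a comment above the commented-out lines, e.g. `# FIXME: v4.1.0 upgrade test disabled — <reason>; re-enable when <condition>` (or a link to the tracking issue), so the dropped coverage stays visible instead of silently disappearing from CI.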
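Review bot: The new seccompLinkEPERM profile denies only `link`, but whether `ln` reaches the kernel via `link` or `linkat` depends on the libc and architecture (aarch64 exposes no legacy `link` syscall, so the libc wrapper issues `linkat`), and in that case the profile would never fire and the EPERM assertions would fail rather than demonstrate that the profile was applied. Listing both syscalls makes the test robust to that: `{"name":"link","action":"SCMP_ACT_ERRNO"},{"name":"linkat","action":"SCMP_ACT_ERRNO"}`. The same profile text is duplicated in run_test.go's forbidLinkSeccompProfile closure (hunk @@ -361), so whichever syscall list is chosen should be applied there as well, ideally from one shared helper. A short comment on the variable naming the syscall `ln` exercises and why it replaced `getcwd` would help the next reader.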
@@ -3016,14 +3016,14 @@ var _ = Describe("Podman kube play", func() {
 It("seccomp container level", func() {
 SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
 // expect kube play is expected to set a seccomp label if it's applied as an annotation
- jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM)
+ jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
 if err != nil {
 GinkgoWriter.Println(err)
 Skip("Failed to prepare seccomp.json for test.")
 }
 ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName
- ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil))
+ ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noneShallPass"}))
 pod := getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost/"+filepath.Base(jsonFile)))
 err = generateKubeYaml("pod", pod, kubeYaml)
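Review bot: The container-level test still never removes the seccomp profile it writes, while the pod-level sibling has `defer os.Remove(jsonFile)` directly after the error check; add the same `defer os.Remove(jsonFile)` here so each run does not leave a profile behind in the profile root. The new command also assumes `/etc/motd` exists in the image getCtr uses — presumably true for the default test image, but worth a comment such as `// /etc/motd exists in the test image; ln must fail only because link() is denied` so a future image change does not turn the expected EPERM into a confusing ENOENT failure. The It body continues past the end of the hunk.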
@@ -3042,20 +3042,20 @@ var _ = Describe("Podman kube play", func() {
 logs := podmanTest.Podman([]string{"logs", ctrName})
 logs.WaitWithDefaultTimeout()
 Expect(logs).Should(Exit(0), "podman logs %s", ctrName)
- Expect(logs.ErrorToString()).To(ContainSubstring("getcwd: Operation not permitted"))
+ Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noneShallPass: Operation not permitted"))
 })
 It("seccomp pod level", func() {
 SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
 // expect kube play is expected to set a seccomp label if it's applied as an annotation
- jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM)
+ jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
 if err != nil {
 GinkgoWriter.Println(err)
 Skip("Failed to prepare seccomp.json for test.")
 }
 defer os.Remove(jsonFile)
- ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil))
+ ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noPodsShallPass"}))
 pod := getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost/"+filepath.Base(jsonFile)))
 err = generateKubeYaml("pod", pod, kubeYaml)
@@ -3074,7 +3074,7 @@ var _ = Describe("Podman kube play", func() {
 logs := podmanTest.Podman([]string{"logs", podName})
 logs.WaitWithDefaultTimeout()
 Expect(logs).Should(Exit(0))
- Expect(logs.ErrorToString()).To(ContainSubstring("Operation not permitted"))
+ Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noPodsShallPass: Operation not permitted"))
 })
 It("with pull policy of never should be 125", func() {
diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
index 42b25e80b2..b854e76010 100644
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
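Review bot: The expected message `ln: /noneShallPass: Operation not permitted` (and `ln: /noPodsShallPass: Operation not permitted` in hunk @@ -3074) is the wording of busybox's ln; GNU coreutils phrases the same EPERM as `failed to create hard link '...' => '...'`, so the assertion is implicitly tied to the ln implementation in the image getCtr uses. Matching the path is what proves the denial came from the link attempt rather than from something unrelated, which is a good tightening, but that reasoning and the image dependency belong in a comment, e.g. `// busybox ln wording; the path pins the EPERM to the denied link() call`. Both enclosing It bodies extend beyond the hunk.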
@@ -24,7 +24,6 @@ var _ = Describe("Podman run networking", func() {
 hostname, _ := os.Hostname()
 It("podman verify network scoped DNS server and also verify updating network dns server", func() {
- Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02")
 // Following test is only functional with netavark and aardvark
 SkipIfCNI(podmanTest)
 net := createNetworkName("IntTest")
@@ -72,8 +71,6 @@ var _ = Describe("Podman run networking", func() {
 })
 It("podman network dns multiple servers", func() {
- Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02")
-
 // Following test is only functional with netavark and aardvark
 SkipIfCNI(podmanTest)
 net := createNetworkName("IntTest")
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 2ca307c0b6..ef7fc1bd8b 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -361,8 +361,8 @@ var _ = Describe("Podman run", func() {
 Expect(conData[0].Config.Annotations).To(Not(HaveKey("io.podman.annotations.init")))
 })
- forbidGetCWDSeccompProfile := func() string {
- in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+ forbidLinkSeccompProfile := func() string {
+ in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
 jsonFile, err := podmanTest.CreateSeccompJSON(in)
 if err != nil {
 GinkgoWriter.Println(err)
@@ -517,17 +517,27 @@ var _ = Describe("Podman run", func() {
 })
 It("podman run seccomp test", func() {
- session := podmanTest.Podman([]string{"run", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
- session.WaitWithDefaultTimeout()
- Expect(session).To(ExitWithError())
- Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
- })
+ secOpts := []string{"--security-opt", strings.Join([]string{"seccomp=", forbidLinkSeccompProfile()}, "")}
+ cmd := []string{ALPINE, "ln", "/etc/motd", "/linkNotAllowed"}
- It("podman run seccomp test --privileged", func() {
- session := podmanTest.Podman([]string{"run", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
+ // Without seccomp, this should succeed
+ session := podmanTest.Podman(append([]string{"run"}, cmd...))
 session.WaitWithDefaultTimeout()
- Expect(session).To(ExitWithError())
- Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
+ Expect(session).To(ExitCleanly())
+
+ // With link syscall blocked, should fail
+ cmd = append(secOpts, cmd...)
+ session = podmanTest.Podman(append([]string{"run"}, cmd...))
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(Exit(1))
+ Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
+
+ // ...even with --privileged
+ cmd = append([]string{"--privileged"}, cmd...)
+ session = podmanTest.Podman(append([]string{"run"}, cmd...))
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(Exit(1))
+ Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
 })
 It("podman run seccomp test --privileged no profile should be unconfined", func() {
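Review bot: The denial message `ln: /linkNotAllowed: Operation not permitted` is spelled out twice in the new body; hoist it into one `denied := "ln: /linkNotAllowed: Operation not permitted"` next to `cmd` and assert `ContainSubstring(denied)` in both failing cases so the two assertions cannot drift apart. The `--privileged` case is the security-relevant one and deserves a why-comment rather than `// ...even with --privileged`, e.g. `// --privileged must not override an explicitly requested seccomp profile`, so the invariant under test survives future edits. The unconfined first run is a good positive control; it relies on `/etc/motd` existing in ALPINE and on a writable rootfs, which holds for the stock image but is worth stating in the comment above `cmd`.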