git-server-git.apps.pok.os.sepia.ceph.com Git - ceph-ci.git/commitdiff
qa: allowlist bpf podman denials on Rocky 10
author David Galloway <david.galloway@ibm.com>
Mon, 26 Jan 2026 17:05:01 +0000 (12:05 -0500)
committer Casey Bodley <cbodley@redhat.com>
Wed, 4 Feb 2026 15:57:37 +0000 (10:57 -0500)
Rocky Linux 10 logs SELinux AVCs for systemd BPF operations during container startup due to incomplete SELinux policy coverage. These AVCs occur in permissive mode, are reproducible without Ceph, and do not indicate functional failure. Tests should ignore this specific AVC class while continuing to fail on enforced denials.

Signed-off-by: David Galloway <david.galloway@ibm.com>
qa/distros/all/rocky_10.yaml

index 3fd574be2c890a808fff93a69877a865f3494095..f68cce1a29dd696f9a74ccfc95d3ee4b4b7d3c23 100644 (file)
@@ -1,2 +1,6 @@
 os_type: rocky
 os_version: "10.1"
+overrides:
+  selinux:
+    allowlist:
+      - 'comm="systemd".*denied.*\{ prog_run \}.*tclass=bpf.*permissive=1'
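
Review bot: the allowlist pattern on the last added line identifies the source only by comm="systemd", and comm is a task name that a process can set for itself, so a permissive bpf prog_run denial from any other domain carrying that name would be ignored as well; consider also matching the scontext shown in the logged AVC. Separately, `\{ prog_run \}` matches only when prog_run is the sole permission inside the braces, while the commit message speaks of "BPF operations" in general, so an AVC listing prog_run together with other bpf permissions would still fail the run. If that narrowness is intended, a short YAML comment above the entry saying so, and noting that permissive=1 is what keeps enforced denials failing, would help the next reader.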