git-server-git.apps.pok.os.sepia.ceph.com Git - teuthology.git/commitdiff
selinux: allowlist bpf podman denials wip-74553 2140/head
author: David Galloway <david.galloway@ibm.com>
Wed, 4 Feb 2026 14:29:48 +0000 (09:29 -0500)
committer: David Galloway <david.galloway@ibm.com>
Wed, 4 Feb 2026 14:29:48 +0000 (09:29 -0500)
Rocky Linux 10 logs SELinux AVCs for systemd BPF operations during container startup due to incomplete SELinux policy coverage. These AVCs occur in permissive mode, are reproducible without Ceph, and do not indicate functional failure. Tests should ignore this specific AVC class while continuing to fail on enforced denials.

Signed-off-by: David Galloway <david.galloway@ibm.com>
teuthology/task/selinux.py

index 7b33b11b3c0b60643bb53ac7cd2052da2b580d55..8dc4fca9b964186e1deaa70d1db2915bd1ce4fc4 100644 (file)
@@ -138,6 +138,7 @@ class SELinux(Task):
             'comm="sss_cache"',
             'context=system_u:system_r:NetworkManager_dispatcher_t:s0',
             'context=system_u:system_r:getty_t:s0',
+            'comm="systemd".*denied.*\{ prog_run \}.*tclass=bpf.*permissive=1',
         ]
         se_allowlist = self.config.get('allowlist', [])
         if se_allowlist:
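Review bot: the new entry on the `+` line contains `\{` and `\}` inside a normal (non-raw) Python string literal; `\{` is not a recognized escape, so the backslash survives by accident and recent Python versions emit a SyntaxWarning for it. Since this is the first regex-style entry in a list that otherwise holds literal substrings, make it a raw string, e.g. `r'comm="systemd".*denied.*\{ prog_run \}.*tclass=bpf.*permissive=1'`, and add a short comment above it citing the Rocky Linux 10 BPF case from the commit message (and the tracker issue the branch name refers to) so the next reader knows why it is scoped to `permissive=1`. Because none of the existing entries pin field order, please also confirm against a captured AVC line that `comm="systemd"` really precedes `denied` in the log format this task scans; if it does not, the pattern will silently never match and the denial will keep failing tests.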