From: David Galloway Date: Mon, 26 Jan 2026 17:05:01 +0000 (-0500) Subject: qa: allowlist bpf podman denials on Rocky 10 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=854b223d5e0749bf4a4144a4b8df29fb95e84d44;p=ceph-ci.git qa: allowlist bpf podman denials on Rocky 10 Rocky Linux 10 logs SELinux AVCs for systemd BPF operations during container startup due to incomplete SELinux policy coverage. These AVCs occur in permissive mode, are reproducible without Ceph, and do not indicate functional failure. Tests should ignore this specific AVC class while continuing to fail on enforced denials. Signed-off-by: David Galloway (cherry picked from commit 93718d5f9a544471f73be974e30de00ac58c746f)
---
diff --git a/qa/distros/podman/rocky_10.yaml b/qa/distros/podman/rocky_10.yaml
new file mode 100644
index 00000000000..f68cce1a29d
--- /dev/null
+++ b/qa/distros/podman/rocky_10.yaml
@@ -0,0 +1,6 @@
+os_type: rocky
+os_version: "10.1"
+overrides:
+ selinux:
+ allowlist:
+ - 'comm="systemd".*denied.*\{ prog_run \}.*tclass=bpf.*permissive=1'
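Review bot: The allowlist pattern on the last added line requires `comm="systemd"` to appear before `denied`, but in the usual audit AVC record layout the `denied { ... }` part comes first and `comm=` follows it, so as written the entry may never match; confirm against a captured line and, if so, reorder to `'denied.*\{ prog_run \}.*comm="systemd".*tclass=bpf.*permissive=1'`. Whether `\{` and `\}` mean literal braces depends on the regex dialect of the code that consumes this list, which is not visible here (in POSIX basic regex they open an interval expression), so that should be checked as well. `comm` is only the task name, so adding the expected `scontext=` value to the pattern would keep the exemption from hiding unrelated bpf denials logged in permissive mode. A YAML comment above the entry such as `# Rocky 10 selinux-policy gap for systemd bpf prog_run; drop once the policy is fixed` would record why it exists and when it can go.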