From 25411d57c69fdebbf85c4cc4d6bb375e1e2a614a Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Mon, 26 Jan 2026 12:05:01 -0500
Subject: [PATCH] qa: allowlist bpf podman denials on Rocky 10

Rocky Linux 10 logs SELinux AVCs for systemd BPF operations during container startup due to incomplete SELinux policy coverage. These AVCs occur in permissive mode, are reproducible without Ceph, and do not indicate functional failure. Tests should ignore this specific AVC class while continuing to fail on enforced denials.

Signed-off-by: David Galloway
---
 qa/distros/all/rocky_10.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/qa/distros/all/rocky_10.yaml b/qa/distros/all/rocky_10.yaml
index 3fd574be2c89..f68cce1a29dd 100644
--- a/qa/distros/all/rocky_10.yaml
+++ b/qa/distros/all/rocky_10.yaml
@@ -1,2 +1,6 @@
 os_type: rocky
 os_version: "10.1"
+overrides:
+ selinux:
+ allowlist:
+ - 'comm="systemd".*denied.*\{ prog_run \}.*tclass=bpf.*permissive=1'
--
2.47.3
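Review bot: The allowlist pattern puts `comm="systemd"` ahead of `denied`, but a kernel AVC record is written as `avc:  denied  { prog_run } for  pid=… comm="systemd" … tclass=bpf permissive=1`, so if the entry is matched against raw audit.log lines it would never match and these denials would still fail the run. The `\{` and `\}` escapes are also dialect-dependent: they are literal braces in ERE or Python regex but open an interval expression in POSIX BRE, and how the selinux task evaluates the entry is not visible in this patch. An order- and dialect-safe form would be `- 'denied.*[{] prog_run [}].*comm="systemd".*tclass=bpf.*permissive=1'`. Because `comm` is only the task name, also matching the `scontext=` value from the logged AVC would keep the exemption from covering any other process that happens to be named systemd.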