From 42506abdd1fc3794d8a539a1a84d77f329fc0030 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Wed, 4 Feb 2026 09:29:48 -0500
Subject: [PATCH] selinux: allowlist bpf podman denials

Rocky Linux 10 logs SELinux AVCs for systemd BPF operations during container startup due to incomplete SELinux policy coverage. These AVCs occur in permissive mode, are reproducible without Ceph, and do not indicate functional failure. Tests should ignore this specific AVC class while continuing to fail on enforced denials.

Signed-off-by: David Galloway
---
 teuthology/task/selinux.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/teuthology/task/selinux.py b/teuthology/task/selinux.py
index 7b33b11b3..8dc4fca9b 100644
--- a/teuthology/task/selinux.py
+++ b/teuthology/task/selinux.py
@@ -138,6 +138,7 @@ class SELinux(Task):
 'comm="sss_cache"',
 'context=system_u:system_r:NetworkManager_dispatcher_t:s0',
 'context=system_u:system_r:getty_t:s0',
+ 'comm="systemd".*denied.*\{ prog_run \}.*tclass=bpf.*permissive=1',
 ]
 se_allowlist = self.config.get('allowlist', [])
 if se_allowlist:
-- 
2.47.3
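Review bot: The added allowlist entry is a regex written as a plain string literal, so `\{` and `\}` are invalid escape sequences that newer Python versions report as a SyntaxWarning; it should be a raw string, `r'comm="systemd".*denied.*\{ prog_run \}.*tclass=bpf.*permissive=1',`. Separately, if the lines being matched are in the kernel's standard AVC format, the `denied  { prog_run }` fields appear before `comm="systemd"`, in which case this field order would never match and the denial would keep failing the test — worth confirming against a captured line from the Rocky 10 host and reordering the pattern if so. Keeping the trailing `permissive=1` is what preserves the commit's intent of still failing on enforced denials, so any reordering should retain it. The list is consumed by code after `if se_allowlist:`, which is outside the hunk, so whether these entries are applied as regexes or as plain substrings cannot be verified here.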