- Bug
- Resolution: Done
- Normal
- rhel-8.10
- Low
- rhel-security-selinux
- SELINUX 260107: 16

With SELinux in enforcing mode, the user is able to log in to the Cockpit console, but this still generates the above AVCs. Even in limited access mode (i.e. non-admin mode), AVCs show up just from logging in:
~~~
type=USER_AVC msg=audit(08/27/2025 11:09:48.715:524) : pid=827 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=recommend_profile dest=com.redhat.tuned spid=10695 tpid=858 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
~~~
The wheel group is mapped to staff_u confined user:
~~~
$ sudo semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
%wheel               staff_u              s0                   *
__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
~~~
The sudo is configured to execute under sysadm_t and sysadm_r, as recommended in KB 4155461:
~~~
$ sudo grep '^%wheel' /etc/sudoers
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
~~~
User has admin access:
~~~
$ groups
arevalo wheel
$ id -Z
staff_u:staff_r:staff_t:s0
$ sudo id -Z
staff_u:sysadm_r:sysadm_t:s0
~~~
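
For triaging denials like the one reported above, the following added example (not part of the original report or of any Red Hat tooling) parses D-Bus `USER_AVC` records and counts denials by source type, target type, class, permission and D-Bus method. The function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# The USER_AVC record quoted in the report, plus one constructed non-AVC line.
REPORTED = (
    "type=USER_AVC msg=audit(08/27/2025 11:09:48.715:524) : pid=827 uid=dbus "
    "auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=com.redhat.tuned.control member=recommend_profile "
    "dest=com.redhat.tuned spid=10695 tpid=858 "
    "scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0 "
    "exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'"
)
CONSTRUCTED_OTHER = ("type=USER_START msg=audit(08/27/2025 11:09:48.700:523) : "
                     "pid=10690 uid=root res=success")

# The userspace AVC text sits inside the quoted inner msg='...' field.
AVC = re.compile(r"msg='avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)'")
KV = re.compile(r"(\w+)=(\S+)")

def parse_user_avc(record):
    """Return the AVC fields as a dict, or None if this is not a USER_AVC record."""
    if not record.startswith("type=USER_AVC"):
        return None
    m = AVC.search(record)
    if m is None:
        return None
    fields = dict(KV.findall(m.group(3)))
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    # A context is user:role:type:range, so the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields

def triage(records):
    """Count denials per (source type, target type, class, perms, interface, member)."""
    counts = Counter()
    for record in records:
        f = parse_user_avc(record)
        if f and f["result"] == "denied":
            counts[(f["scontext_type"], f["tcontext_type"], f.get("tclass"),
                    tuple(f["perms"]), f.get("interface"), f.get("member"))] += 1
    return counts
```
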
- is cloned by
  - RHEL-137495 AVC Denial on Login for staff_u User
  - Planning