diff --git a/cache_images/fedora-netavark_packaging.sh b/cache_images/fedora-netavark_packaging.sh
index 2d310189..cf36f4c6 100644
--- a/cache_images/fedora-netavark_packaging.sh
+++ b/cache_images/fedora-netavark_packaging.sh
@@ -61,16 +61,26 @@ INSTALL_PACKAGES=(\
     zip
 )
 
-EXARG="--exclude=netavark --exclude=aardvark-dns --exclude=cargo --exclude=rust"
+EXARG="--exclude=cargo --exclude=rust"
 
 msg "Installing general build/test dependencies"
 bigto $SUDO dnf install -y $EXARG "${INSTALL_PACKAGES[@]}"
 
-# It was observed in F33, dnf install doesn't always get you the latest/greatest
-lilto $SUDO dnf update -y
+# It was observed in F33, dnf install doesn't always get you the latest/greatest.
+lilto $SUDO dnf update -y $EXARG
 
 msg "Initializing upstream rust environment."
 export CARGO_HOME="/var/cache/cargo"  # must match .cirrus.yml in netavark repo
 $SUDO mkdir -p $CARGO_HOME
 # CI Runtime takes care of recovering $CARGO_HOME/env
 curl https://sh.rustup.rs -sSf | $SUDO env CARGO_HOME=$CARGO_HOME sh -s -- -y
+
+# Downstream users of this image are specifically testing netavark & aardvark-dns
+# code changes.  We want to start with using the RPMs because they deal with any
+# dependency issues.  However, we don't actually want the binaries present on
+# the system, because:
+# 1) They will be compiled from source at runtime
+# 2) The file locations may change
+# 3) We never want testing ambiguity WRT which binary is under test.
+msg "Clobbering netavark & aardvark RPM files"
+remove_netavark_aardvark_files
diff --git a/get_ci_vm/test.sh b/get_ci_vm/test.sh
index 0fecdfa6..46460bc9 100755
--- a/get_ci_vm/test.sh
+++ b/get_ci_vm/test.sh
@@ -231,6 +231,8 @@ mock_gcevm_workflow() {
 }
 # Don't confuse the actual repo. by nesting another repo inside
 tar -xzf "$GOOD_TEST_REPO/dot_git.tar.gz" -C "$GOOD_TEST_REPO" .git
+# Ignore ownership security checks
+git config --system --add safe.directory $GOOD_TEST_REPO
 # Setup should tarball new files in the repo.
 echo "testing" > "$GOOD_TEST_REPO/uncommited_file"
 # Setup should tarball changed files in the repo.
diff --git a/lib.sh b/lib.sh
index 92dcc9fa..29cb3c52 100644
--- a/lib.sh
+++ b/lib.sh
@@ -217,6 +217,26 @@ get_pr_labels() {
     echo -n "$labels"
 }
 
+remove_netavark_aardvark_files() {
+    req_env_vars OS_RELEASE_ID
+    # OS_RELEASE_ID is defined by automation-library
+    # shellcheck disable=SC2154
+    if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]]
+    then
+        die "Ubuntu netavark/aardvark-dns testing is not supported"
+    fi
+
+        LISTING_CMD="rpm -ql podman"
+
+    # yum/dnf/dpkg may list system directories, only remove files
+    rpm -ql netavark aardvark-dns | while read fullpath
+    do
+        # Sub-directories may contain unrelated/valuable stuff
+        if [[ -d "$fullpath" ]]; then continue; fi
+        sudo rm -vf "$fullpath"
+    done
+}
+
 # Warning: DO NOT USE the following functions willy-nilly!
 # They are only intended to be called by other setup scripts, as the very
 # last step during the build process.  They're purpose is to "reset" the