diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 97d8edea..6dcf7513 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1353,6 +1353,9 @@
 - macro: user_known_write_below_root_activities
   condition: (never_true)
 
+- macro: runc_writing_exec_fifo
+  condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo)
+
 - rule: Write below root
   desc: an attempt to write to any file directly below / or /root
   condition: >
@@ -1372,6 +1375,7 @@
     and not galley_writing_state
     and not calico_writing_state
     and not rancher_writing_root
+    and not runc_writing_exec_fifo
     and not known_root_conditions
     and not user_known_write_root_conditions
     and not user_known_write_below_root_activities
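Review bot: The exception in runc_writing_exec_fifo is keyed on proc.cmdline, a string the process itself sets, so any process that rewrites its own argv to `runc:[1:CHILD] init` and writes a file named /exec.fifo is silently excluded from Write below root; a cmdline match is an identity claim, not a verified identity. Consider narrowing the macro with a field the process cannot freely choose, for example its parent process name or executable path (`and proc.pname=runc` or similar, to be confirmed against the runc version in use), and documenting the intent with a comment such as `# runc's init child writes /exec.fifo to signal readiness to runc start; exclude it from Write below root`. The second hunk only wires the macro into the exception list of Write below root, whose folded condition block starts at the end of the first hunk and continues outside the diff.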