Bug 2232162

Summary: avc denial when importing templates to a local directory using API
Product: Red Hat Satellite
Reporter: Peter Ondrejka <pondrejk>
Component: Templates Plugin
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high
Priority: unspecified
Version: 6.14.0
Keywords: Regression
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Peter Ondrejka 2023-08-15 16:25:26 UTC
Description of problem:

Importing templates to a local directory fails due to an AVC denial, even though the file has httpd_sys_rw_content_t assigned.

Version-Release number of selected component (if applicable):
6.14

How reproducible:
always

Steps to Reproduce:
- To reproduce manually, prepare a local file and import templates as described in https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html/managing_hosts/synchronizing_templates_repositories_managing-hosts#Synchronizing_Templates_with_a_Local_Directory_Using_the_API_managing-hosts
- reproducible using Robottelo automation too

Actual results:

API call fails with:
500 Server Error: Internal Server Error for url: https://<satellite_hostname>:443/api/v2/templates/import

automation logs say:

"error": {"message":"Using file-based synchronization, but couldn't access /usr/share/foreman_templates/vTioyEjTKn. Please check the access permissions/SELinux and make sure it is readable/writable for the web application user account, typically 'foreman'."}

aureport -a on the Satellite says:
8/15/2023 12:03:29 puma srv tp 002 system_u:system_r:foreman_rails_t:s0 4 dir getattr unconfined_u:object_r:httpd_sys_rw_content_t:s0 denied 368

audit2allow -a

#============= foreman_rails_t ==============
allow foreman_rails_t httpd_sys_rw_content_t:dir getattr;


Expected results:
Success

Additional info:
- Reproducer available, not occurring in 6.13
- works with setenforce 0
- hit by Robottelo tests (e.g. tests/foreman/api/test_templatesync.py::TestTemplateSyncTestCase::test_positive_export_and_import_with_metadata)
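Added example, not part of the bug report and not Red Hat's or Foreman's code: a POSIX shell script that turns raw AVC records of the kind behind the aureport line above into audit2allow-style rules, and then into a narrowly scoped local policy module, as an interim alternative to setenforce 0 while the regression is open. Assumptions not stated in the report: the two audit records are constructed to match the reported denial (pid, inode, device and timestamps are made up, and comm is shortened to "puma"); the module name foreman_templates_local is chosen here; and the script makes no claim about what the proper policy fix is, only how to confine a temporary allow rule to the denial actually observed.

```shell
#!/bin/sh
# Added example (not from the bug report, not Red Hat's or Foreman's code):
# triage the AVC denial described in the report and, if the import must work
# before a fixed foreman-selinux package is available, turn the observed denial
# into a narrowly scoped local policy module instead of running setenforce 0.
#
# Assumptions: the raw audit records below are constructed to match the
# aureport line in the report (pid, inode, device and timestamps are made up,
# comm is shortened to "puma"); the module name "foreman_templates_local" is
# chosen here. Whether foreman_rails_t *should* get this access is for the
# real fix to decide; a local module is an interim workaround and hides the
# regression while it is loaded.
set -eu

# Two constructed AVC records in `ausearch -m avc --raw` format. The second is
# the same denial from a later request, to show that duplicates collapse.
SAMPLE_AVC_1='type=AVC msg=audit(1692100989.000:368): avc:  denied  { getattr } for  pid=4242 comm="puma" path="/usr/share/foreman_templates/vTioyEjTKn" dev="dm-0" ino=1234 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0'
SAMPLE_AVC_2='type=AVC msg=audit(1692101011.000:369): avc:  denied  { getattr } for  pid=4242 comm="puma" path="/usr/share/foreman_templates/vTioyEjTKn" dev="dm-0" ino=1234 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0'

# avc_to_rules: read raw AVC records on stdin, print one audit2allow-style
# "allow <source_type> <target_type>:<class> <perms>;" line per distinct denial.
avc_to_rules() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' \
    | awk '{
        perms = ""
        for (i = 4; i <= NF; i++) perms = perms (i > 4 ? " " : "") $i
        key = $1 " " $2 " " $3 " " perms
        if (key in seen) next
        seen[key] = 1
        if (NF == 4) printf "allow %s %s:%s %s;\n", $1, $2, $3, perms
        else printf "allow %s %s:%s { %s };\n", $1, $2, $3, perms
    }'
}

# rules_to_te: read allow rules on stdin, print a complete policy source (.te)
# for a local module named "$1"; the require block is derived from the rules
# so the module declares exactly the types and permissions it uses.
rules_to_te() {
    awk -v name="${1:-foreman_templates_local}" '
        $1 == "allow" {
            rules[++n] = $0
            types[$2] = 1
            split($3, tc, ":")
            types[tc[1]] = 1
            perms = $0
            sub(/^allow [^ ]+ [^ ]+:[^ ]+ /, "", perms)
            sub(/;$/, "", perms)
            gsub(/[{}]/, "", perms)
            np = split(perms, p, " ")
            for (i = 1; i <= np; i++)
                if (!((tc[2], p[i]) in seen)) {
                    seen[tc[2], p[i]] = 1
                    classperms[tc[2]] = classperms[tc[2]] " " p[i]
                }
        }
        END {
            printf "module %s 1.0;\n\nrequire {\n", name
            for (t in types) printf "\ttype %s;\n", t
            for (c in classperms) printf "\tclass %s {%s };\n", c, classperms[c]
            printf "}\n\n"
            for (i = 1; i <= n; i++) print rules[i]
        }'
}

# Offline demonstration on the constructed records.
demo() {
    printf '%s\n%s\n' "$SAMPLE_AVC_1" "$SAMPLE_AVC_2" | avc_to_rules | rules_to_te foreman_templates_local
}
demo

# Live use on the Satellite host (as root, with audit and policycoreutils
# tools installed):  sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    ls -dZ /usr/share/foreman_templates          # confirm the label the report describes
    ausearch -m avc -ts today --raw | avc_to_rules \
        | rules_to_te foreman_templates_local > foreman_templates_local.te
    checkmodule -M -m -o foreman_templates_local.mod foreman_templates_local.te
    semodule_package -o foreman_templates_local.pp -m foreman_templates_local.mod
    semodule -i foreman_templates_local.pp
    # Remove it again once the fixed policy package is installed:
    #   semodule -r foreman_templates_local
fi
```

Run without arguments to see the rule and the generated .te source for the constructed records; with --live it reads today's AVC records on the host and installs the module, which is the same thing audit2allow -M does but with the rule set visible for review before loading. Keep the module only until the corrected policy package is installed and then remove it with semodule -r, and do not leave it on a system used for verification: while loaded it makes the import succeed and so hides the regression from tests such as the Robottelo case named above.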