diff --git a/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch b/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
new file mode 100644
index 0000000..2e1c708
--- /dev/null
+++ b/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
@@ -0,0 +1,62 @@
+From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Mon, 7 Sep 2020 11:07:21 +0200
+Subject: [PATCH] SELinux Policy: let custodia replicate keys
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Enhance the SELinux policy so that custodia can replicate sub-CA keys
+and certificates:
+allow ipa_custodia_t self:tcp_socket { bind create };
+allow ipa_custodia_t node_t:tcp_socket node_bind;
+allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
+allow ipa_custodia_t pki_tomcat_cert_t:file create;
+allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
+allow ipa_custodia_t self:process execmem;
+
+Found by: test_replica_promotion::TestSubCAkeyReplication
+
+Fixes: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ selinux/ipa.te | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index c4c3fa805..3fa4ba980 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t)
+ type ipa_custodia_tmp_t;
+ files_tmp_file(ipa_custodia_tmp_t)
+ 
++type pki_tomcat_cert_t;
++type node_t;
++
+ ########################################
+ #
+ # ipa_otpd local policy
+@@ -323,10 +326,18 @@ optional_policy(`
+ allow ipa_custodia_t self:capability { setgid setuid };
+ allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
+ allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow ipa_custodia_t self:process execmem;
+ allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
+ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
++allow ipa_custodia_t self:tcp_socket { bind create };
+ allow ipa_custodia_t self:udp_socket create_socket_perms;
+ 
++allow ipa_custodia_t node_t:tcp_socket node_bind;
++
++allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
++allow ipa_custodia_t pki_tomcat_cert_t:file create;
++allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
++
+ manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
+ manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
+ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
+-- 
+2.26.2
+
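Review bot: `allow ipa_custodia_t self:process execmem;` (inner hunk, line `+allow ipa_custodia_t self:process execmem;`) grants the custodia process the right to map anonymous memory writable and executable, i.e. it switches off the W^X restriction that SELinux otherwise enforces for this domain, and neither the commit message nor the policy file records which component of the sub-CA key replication path actually needs it. A why-comment directly above the rule, such as `# execmem: required during sub-CA key/cert replication (rhbz#1868432) — TODO: name the library that triggers it`, would let a later reviewer re-evaluate or drop the grant. Separately, `pki_tomcat_cert_t:file create` needs `add_name` (plus `write`/`search`) on the `pki_tomcat_cert_t` directory, while the hunk only adds `dir remove_name`; unless that is granted elsewhere in ipa.te outside this hunk, file creation will still be denied. The bare `type pki_tomcat_cert_t;` / `type node_t;` declarations name types owned by other modules; the conventional reference-policy form is a `gen_require(` block, and a redeclaration may be reported as a duplicate at link time depending on the toolchain — worth confirming against the build.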
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index de07724..fa3e993 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -149,7 +149,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        10%{?dist}
+Release:        11%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -180,6 +180,7 @@ Patch0013:      0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1
 Patch0014:      0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
 Patch0015:      0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch
 Patch0016:      0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
+Patch0017:      0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-4.8.0-Remove-csrgen.patch
 Patch1003:      1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
@@ -859,8 +860,7 @@ export PYTHON=%{__python3}
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 
 # run build in default dir
 # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
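Review bot: Dropping `--with-ipaplatform=rhel` from the `%configure` invocation is not recorded in the 4.8.7-11 changelog entry, which lists only the SELinux change, so this build-behaviour change has no rationale in the package. If configure presumably falls back to detecting the platform on the build host, a build on a non-RHEL builder could silently select a different ipaplatform than before; a one-line comment above `%configure` (e.g. `# ipaplatform no longer forced to rhel as of 4.8.7-11; relies on configure detection`) or a changelog bullet would capture the intent. The `%build` section continues outside the hunk.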
@@ -1531,6 +1531,10 @@ fi
 
 
 %changelog
+* Thu Sep 10 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-11
+- SELinux Policy: let custodia replicate keys
+  Resolves: RHBZ#1868432
+
 * Wed Aug 19 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-10
 - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
   Resolves: RHBZ#1870202