diff --git a/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch b/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
new file mode 100644
index 0000000..a95c32b
--- /dev/null
+++ b/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
@@ -0,0 +1,117 @@
+Adapted version of d1c860e59b52. to make it apply without commits
+
+34b4d9bce5 - ipatests: Test ipa user login with wrong password
+ab36d79adc - ipatests: Test for ipa-nis-manage CLI tool.
+
+From d1c860e59b5237178066ed963cc2fa50d99cd690 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Wed, 16 Sep 2020 17:07:21 +0200
+Subject: [PATCH] ipatests: check that pkispawn log is not empty
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since commits:
+https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
+https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
+pkispawn will not honor the pki_log_level configuration item.
+All 10.9 Dogtag versions have these commits.
+This affects FreeIPA in that it makes debugging Dogtag installation issues next
+to impossible.
+Adding --debug to the pkispawn CLI is required to revert to the previous
+behavior.
+Therefore check that the log is not empty and contains DEBUG+INFO lines.
+
+Fixes: https://pagure.io/freeipa/issue/8503
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_integration/test_commands.py | 23 ++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index fa6abd81e..3a12bcde2 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -1295,3 +1295,26 @@ class TestIPACommand(IntegrationTest):
+             assert msg2 not in result.stderr_text
+         finally:
+             bashrc_backup.restore()
++
++    def test_pkispawn_log_is_present(self):
++        """
++        This testcase checks if pkispawn logged properly.
++        It is a candidate from being moved out of test_commands.
++        """
++        result = self.master.run_command(
++            ["ls", "/var/log/pki/"]
++        )
++        pkispawnlogfile = None
++        for file in result.stdout_text.splitlines():
++            if file.startswith("pki-ca-spawn"):
++                pkispawnlogfile = file
++                break
++        assert pkispawnlogfile is not None
++        pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
++        pkispawnlog = self.master.get_file_contents(
++            pkispawnlogfile, encoding='utf-8'
++        )
++        # Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
++        assert len(pkispawnlog) > 1024
++        assert "DEBUG" in pkispawnlog
++        assert "INFO" in pkispawnlog
+-- 
+2.26.2
+
+From 97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Thu, 17 Sep 2020 07:31:59 +0200
+Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since commits:
+https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
+https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
+pkispawn will not honor the pki_log_level configuration item.
+All 10.9 Dogtag versions have these commits.
+This affects FreeIPA in that it makes debugging Dogtag installation issues next
+to impossible.
+Adding --debug to the pkispawn CLI is required to revert to the previous
+behavior.
+
+Fixes: https://pagure.io/freeipa/issue/8503
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/install/dogtaginstance.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
+index 524262ad7..03fdd7c0b 100644
+--- a/ipaserver/install/dogtaginstance.py
++++ b/ipaserver/install/dogtaginstance.py
+@@ -183,7 +183,8 @@ class DogtagInstance(service.Service):
+         subsystem = self.subsystem
+         args = [paths.PKISPAWN,
+                 "-s", subsystem,
+-                "-f", cfg_file]
++                "-f", cfg_file,
++                "--debug"]
+ 
+         with open(cfg_file) as f:
+             logger.debug(
+-- 
+2.26.2
+
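Review bot: `test_pkispawn_log_is_present` takes the first `pki-ca-spawn*` entry that `ls /var/log/pki/` prints, so on a host where pkispawn has run more than once it inspects whichever log sorts first, which is not necessarily the one written by this installation; collecting all matches, `candidates = [f for f in result.stdout_text.splitlines() if f.startswith("pki-ca-spawn")]`, and asserting on `candidates[-1]` would follow the newest run if the file names carry a timestamp (confirm the naming before relying on that). The 1024-byte threshold is acknowledged as arbitrary in the comment; the `"DEBUG" in pkispawnlog` check is the one that actually verifies `--debug` took effect, so the size assertion could carry a comment saying it only guards against an empty or truncated file. On the `--debug` change itself, the commit message explains it restores the previous verbosity, but since the surrounding code already logs `cfg_file` at debug level it is worth confirming that the pkispawn log does not echo the secrets contained in that configuration and that its mode stays root-only. The enclosing `TestIPACommand` class and the `DogtagInstance` method start outside the hunk.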
diff --git a/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch b/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
new file mode 100644
index 0000000..d271d98
--- /dev/null
+++ b/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
@@ -0,0 +1,549 @@
+From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Thu, 17 Sep 2020 11:30:45 +0200
+Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+enhance the test suite so that it covers:
+- deleting subCAs (disabling them first)
+- checking what happens when creating a dozen+ subCAs at a time
+- adding a subCA that already exists and expect failure
+
+Related: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ .../test_replica_promotion.py                 | 52 +++++++++++++++++--
+ 1 file changed, 47 insertions(+), 5 deletions(-)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index 82117054f..f0b72e1f8 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
++++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
+         SERVER_CERT_NICK: 'u,u,u',
+     }
+ 
+-    def add_subca(self, host, name, subject):
++    def add_subca(self, host, name, subject, raiseonerr=True):
+         result = host.run_command([
+             'ipa', 'ca-add', name,
+             '--subject', subject,
+-            '--desc', self.SUBCA_DESC,
++            '--desc', self.SUBCA_DESC],
++            raiseonerr=raiseonerr
++        )
++        if raiseonerr:
++            assert "ipa: ERROR:" not in result.stderr_text
++            auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
++            return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
++        else:
++            assert "ipa: ERROR:" in result.stderr_text
++            assert result.returncode != 0
++            return result
++
++    def del_subca(self, host, name):
++        host.run_command([
++            'ipa', 'ca-disable', name
+         ])
+-        auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
+-        return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
++        result = host.run_command([
++            'ipa', 'ca-del', name
++        ])
++        assert "Deleted CA \"{}\"".format(name) in result.stdout_text
+ 
+     def check_subca(self, host, name, cert_nick):
+-        host.run_command(['ipa', 'ca-show', name])
++        result = host.run_command(['ipa', 'ca-show', name])
++        # ipa ca-show returns 0 even if the cert cannot be found locally.
++        assert "ipa: ERROR:" not in result.stderr_text
+         tasks.run_certutil(
+             host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
+         )
+@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
+         ssl = replica.run_command(ssl_cmd)
+         assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
+ 
++    def test_del_subca_master_on_replica(self):
++        self.del_subca(self.replicas[0], self.SUBCA_MASTER)
++
++    def test_del_subca_replica(self):
++        self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
++
++    def test_scale_add_subca(self):
++        master = self.master
++        replica = self.replicas[0]
++
++        subcas = {}
++        for i in range(0, 16):
++            name = "_".join((self.SUBCA_MASTER, str(i)))
++            cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
++            subcas[name] = self.add_subca(master, name, cn)
++            self.add_subca(master, name, cn, raiseonerr=False)
++
++        # give replication some time
++        time.sleep(15)
++
++        for name in subcas:
++            self.check_subca(replica, name, subcas[name])
++            self.del_subca(replica, name)
++
+ 
+ class TestReplicaInstallCustodia(IntegrationTest):
+     """
+-- 
+2.26.2
+
+From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Fri, 18 Sep 2020 11:55:37 +0200
+Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add proper labeling, transition and policy for ipa-pki-retrieve-key.
+Make sure tomcat_t can execute ipa-pki-retrieve-key.
+
+Fixes: https://pagure.io/freeipa/issue/8488
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ selinux/ipa.fc |  1 +
+ selinux/ipa.te | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/selinux/ipa.fc b/selinux/ipa.fc
+index a98cc4665..1176f383c 100644
+--- a/selinux/ipa.fc
++++ b/selinux/ipa.fc
+@@ -30,5 +30,6 @@
+ /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat		--	gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
+ /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped	--	gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
+ /usr/libexec/ipa/custodia/ipa-custodia-ra-agent		--	gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
++/usr/libexec/ipa/ipa-pki-retrieve-key				--	gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
+ 
+ /var/log/ipa-custodia.audit.log(/.*)?				--	gen_context(system_u:object_r:ipa_custodia_log_t,s0)
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 3fa4ba980..26daed293 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
+ type pki_tomcat_cert_t;
+ type node_t;
+ 
++type ipa_pki_retrieve_key_exec_t;
++init_script_file(ipa_pki_retrieve_key_exec_t)
++
+ ########################################
+ #
+ # ipa_otpd local policy
+@@ -412,3 +415,28 @@ optional_policy(`
+ optional_policy(`
+        systemd_private_tmp(ipa_custodia_tmp_t)
+ ')
++
++optional_policy(`
++    gen_require(`
++        type tomcat_t;
++    ')
++    can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
++    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
++')
++
++optional_policy(`
++    gen_require(`
++        type devlog_t;
++    ')
++
++    dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
++')
++
++optional_policy(`
++    java_exec(ipa_custodia_pki_tomcat_exec_t)
++    # allow Java to read system status and RNG
++    dev_read_urand(ipa_custodia_t)
++    dev_read_rand(ipa_custodia_t)
++    kernel_read_network_state(ipa_custodia_t)
++    dev_read_sysfs(ipa_custodia_t)
++')
+-- 
+2.26.2
+
+From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Fri, 18 Sep 2020 17:45:39 +0200
+Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is used by the JVM perf counters.
+
+Related: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ selinux/ipa.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 26daed293..0a9ccaf83 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
+ 
+ manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
+ manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
++mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
+ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
+ 
+ kernel_dgram_send(ipa_custodia_t)
+-- 
+2.26.2
+
+From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Mon, 21 Sep 2020 11:32:52 +0200
+Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t =>
+ ipa_pki_retrieve_key_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
+ipa_pki_retrieve_key_exec_t.
+As suggested by Ondrej Mosnáček.
+
+Fixes: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ selinux/ipa.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 0a9ccaf83..92a3b2359 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -78,6 +78,8 @@ type node_t;
+ type ipa_pki_retrieve_key_exec_t;
+ init_script_file(ipa_pki_retrieve_key_exec_t)
+ 
++type ipa_pki_retrieve_key_t;
++
+ ########################################
+ #
+ # ipa_otpd local policy
+@@ -422,7 +424,7 @@ optional_policy(`
+         type tomcat_t;
+     ')
+     can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
+-    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
++    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
+ ')
+ 
+ optional_policy(`
+-- 
+2.26.2
+
+From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Mon, 21 Sep 2020 11:37:12 +0200
+Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t =>
+ ipa_custodia_pki_tomcat_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
+ipa_custodia_pki_tomcat_t.
+As suggested by Ondrej Mosnáček.
+
+Fixes: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ selinux/ipa.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 92a3b2359..b2c618a53 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t)
+ type ipa_custodia_pki_tomcat_exec_t;
+ init_script_file(ipa_custodia_pki_tomcat_exec_t)
+ 
++type ipa_custodia_pki_tomcat_t;
++
+ type ipa_custodia_ra_agent_exec_t;
+ init_script_file(ipa_custodia_ra_agent_exec_t)
+ 
+@@ -436,7 +438,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-    java_exec(ipa_custodia_pki_tomcat_exec_t)
++    java_exec(ipa_custodia_pki_tomcat_t)
+     # allow Java to read system status and RNG
+     dev_read_urand(ipa_custodia_t)
+     dev_read_rand(ipa_custodia_t)
+-- 
+2.26.2
+
+From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Tue, 22 Sep 2020 11:36:13 +0200
+Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as
+ domain_type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ selinux/ipa.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index b2c618a53..42b010133 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -78,6 +78,7 @@ type pki_tomcat_cert_t;
+ type node_t;
+ 
+ type ipa_pki_retrieve_key_exec_t;
++domain_type(ipa_pki_retrieve_key_exec_t)
+ init_script_file(ipa_pki_retrieve_key_exec_t)
+ 
+ type ipa_pki_retrieve_key_t;
+-- 
+2.26.2
+
+From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Tue, 22 Sep 2020 13:12:05 +0200
+Subject: [PATCH] SELinux Policy: make interfaces for kernel modules
+ non-optional
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Interfaces for kernel modules do not need to be in an optional module.
+Also make sure ipa_custodia_t can log.
+Suggested by Lukas Vrabec.
+
+Fixes: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ selinux/ipa.te | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 42b010133..f984a0f94 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
+ type node_t;
+ 
+ type ipa_pki_retrieve_key_exec_t;
+-domain_type(ipa_pki_retrieve_key_exec_t)
+-init_script_file(ipa_pki_retrieve_key_exec_t)
+-
+ type ipa_pki_retrieve_key_t;
++domain_type(ipa_pki_retrieve_key_t)
++init_script_file(ipa_pki_retrieve_key_exec_t)
+ 
+ ########################################
+ #
+@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
+ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
+ 
+ kernel_dgram_send(ipa_custodia_t)
++kernel_read_network_state(ipa_custodia_t)
+ 
+ auth_read_passwd(ipa_custodia_t)
+ 
+@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
+ corecmd_exec_bin(ipa_custodia_t)
+ corecmd_mmap_bin_files(ipa_custodia_t)
+ 
++dev_read_urand(ipa_custodia_t)
++dev_read_rand(ipa_custodia_t)
++dev_read_sysfs(ipa_custodia_t)
++
+ domain_use_interactive_fds(ipa_custodia_t)
+ 
+ files_mmap_usr_files(ipa_custodia_t)
+@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
+ libs_exec_ldconfig(ipa_custodia_t)
+ libs_ldconfig_exec_entry_type(ipa_custodia_t)
+ 
++logging_send_syslog_msg(ipa_custodia_t)
++
+ miscfiles_read_generic_certs(ipa_custodia_t)
+ miscfiles_read_localization(ipa_custodia_t)
+ 
+@@ -441,8 +447,4 @@ optional_policy(`
+ optional_policy(`
+     java_exec(ipa_custodia_pki_tomcat_t)
+     # allow Java to read system status and RNG
+-    dev_read_urand(ipa_custodia_t)
+-    dev_read_rand(ipa_custodia_t)
+-    kernel_read_network_state(ipa_custodia_t)
+-    dev_read_sysfs(ipa_custodia_t)
+ ')
+-- 
+2.26.2
+
+From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Tue, 22 Sep 2020 13:34:40 +0200
+Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is required to fix:
+avc: denied  { search } for  pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
+
+Macros suggested by: Ondrej Mosnacek
+
+Fixes: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
+Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ selinux/ipa.te | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index f984a0f94..fa577191c 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -448,3 +448,11 @@ optional_policy(`
+     java_exec(ipa_custodia_pki_tomcat_t)
+     # allow Java to read system status and RNG
+ ')
++
++optional_policy(`
++    gen_require(`
++        type tomcat_t;
++    ')
++    kerberos_read_config(tomcat_t)
++    kerberos_read_keytab(tomcat_t)
++')
+-- 
+2.26.2
+
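Review bot: The new `ipa_pki_retrieve_key_t` domain is declared with `domain_type` and paired with `ipa_pki_retrieve_key_exec_t`, but nothing ever enters it: tomcat_t only receives `can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)`, and there is neither `domain_entry_file(ipa_pki_retrieve_key_t, ipa_pki_retrieve_key_exec_t)` nor `domtrans_pattern(tomcat_t, ipa_pki_retrieve_key_exec_t, ipa_pki_retrieve_key_t)`, so the helper keeps running as tomcat_t. The AVC quoted in the last commit message (`comm="ipa-pki-retriev"` with `scontext=system_u:system_r:tomcat_t:s0`) shows exactly that, and it is why `kerberos_read_config`/`kerberos_read_keytab` end up granted to tomcat_t while `pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)` is dead policy. The net effect is that the whole Tomcat/Dogtag domain gains keytab and krb5 config read access, which is wider than the subject "dedicated policy for ipa-pki-retrieve-key" suggests; if least privilege is the goal, add the entry-point and transition rules and move the kerberos and pki grants onto ipa_pki_retrieve_key_t, and if running in tomcat_t is the accepted design, a comment next to the `can_exec` line stating that would spare the next reader the same question. `init_script_file` on a libexec helper also looks inherited from the custodia types above rather than chosen deliberately; presumably harmless, but confirm it is the labeling intended.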
diff --git a/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch b/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
new file mode 100644
index 0000000..6ec25a7
--- /dev/null
+++ b/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
@@ -0,0 +1,68 @@
+From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Wed, 23 Sep 2020 09:17:53 +0200
+Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+node_t and pki_tomcat_cert_t are defined in other modules.
+Do not double-define them.
+
+Fixes: https://pagure.io/freeipa/issue/8513
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ selinux/ipa.te | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index fa577191c..d80e64a0b 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
+ type ipa_custodia_tmp_t;
+ files_tmp_file(ipa_custodia_tmp_t)
+ 
+-type pki_tomcat_cert_t;
+-type node_t;
+-
+ type ipa_pki_retrieve_key_exec_t;
+ type ipa_pki_retrieve_key_t;
+ domain_type(ipa_pki_retrieve_key_t)
+@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
+ allow ipa_custodia_t self:tcp_socket { bind create };
+ allow ipa_custodia_t self:udp_socket create_socket_perms;
+ 
+-allow ipa_custodia_t node_t:tcp_socket node_bind;
+-
+-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
+-allow ipa_custodia_t pki_tomcat_cert_t:file create;
+-allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
+-
+ manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
+ manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
+ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
+@@ -456,3 +447,19 @@ optional_policy(`
+     kerberos_read_config(tomcat_t)
+     kerberos_read_keytab(tomcat_t)
+ ')
++
++optional_policy(`
++    gen_require(`
++        type node_t;
++    ')
++    allow ipa_custodia_t node_t:tcp_socket node_bind;
++')
++
++optional_policy(`
++    gen_require(`
++        type pki_tomcat_cert_t;
++    ')
++    allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
++    allow ipa_custodia_t pki_tomcat_cert_t:file create;
++    allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
++')
+-- 
+2.26.2
+
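Review bot: `allow ipa_custodia_t node_t:tcp_socket node_bind;` wrapped in `optional_policy` with a hand-written `gen_require(type node_t)` is the raw form of what refpolicy exposes as `corenet_tcp_bind_generic_node(ipa_custodia_t)`; the interface brings node_t into scope itself and matches the interface-based style of the neighbouring custodia rules such as `kernel_dgram_send` and `logging_send_syslog_msg`. node_t presumably comes from the base corenetwork module, so the `optional_policy` wrapper is likely unnecessary for it, unlike the pki_tomcat_cert_t block, where the optional wrapper is appropriate because the type is provided by the pki module. The three pki_tomcat_cert_t rules are an unchanged move and need no re-review.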
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 0e66609..c1ea27a 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -149,7 +149,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        11%{?dist}
+Release:        12%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -181,6 +181,9 @@ Patch0014:      0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
 Patch0015:      0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch
 Patch0016:      0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
 Patch0017:      0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
+Patch0018:      0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
+Patch0019:      0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
+Patch0020:      0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-4.8.0-Remove-csrgen.patch
 Patch1003:      1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
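Review bot: The Patch0019 and Patch0020 file names carry `rhbz#1870202`, while the changelog entries added for those same two patches in this commit cite `Related: RHBZ#1868432`; one of the two references is wrong, and the mismatch makes it harder to trace which Bugzilla a given rebuild addresses. Pick one ticket per patch and use it consistently in the file name and the changelog line.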
@@ -745,7 +748,7 @@ Conflicts: %{alt_name}-python < %{version}
 # This ensures that the *-selinux package and all it’s dependencies are not
 # pulled into containers and other systems that do not use SELinux. The
 # policy defines types and file contexts for client and server.
-Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+Requires:       (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
 %endif
 
 %description common
@@ -860,8 +863,7 @@ export PYTHON=%{__python3}
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 
 # run build in default dir
 # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
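Review bot: Dropping `--with-ipaplatform=rhel` from `%configure` changes how the build selects its platform module, yet the 4.8.7-12 changelog entry lists only the four patch-related items and says nothing about it. Presumably configure now autodetects the platform (confirm against a build log that the rhel platform is still chosen), but a changelog line such as `- Rely on ipaplatform autodetection instead of --with-ipaplatform=rhel` together with the reason for the change would keep the spec history complete.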
@@ -1532,6 +1534,16 @@ fi
 
 
 %changelog
+* Wed Sep 23 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-12
+- Require selinux sub package in the proper version
+  Related: RHBZ#1868432
+- SELinux: do not double-define node_t and pki_tomcat_cert_t
+  Related: RHBZ#1868432
+- SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests
+  Related: RHBZ#1868432
+- dogtaginstance.py: add --debug to pkispawn
+  Resolves: RHBZ#1879604
+
 * Thu Sep 10 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-11
 - SELinux Policy: let custodia replicate keys
   Resolves: RHBZ#1868432