diff --git a/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch b/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch new file mode 100644 index 0000000..2e1c708 --- /dev/null +++ b/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch 
@@ -0,0 +1,62 @@ +From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Mon, 7 Sep 2020 11:07:21 +0200 +Subject: [PATCH] SELinux Policy: let custodia replicate keys +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Enhance the SELinux policy so that custodia can replicate sub-CA keys +and certificates: +allow ipa_custodia_t self:tcp_socket { bind create }; +allow ipa_custodia_t node_t:tcp_socket node_bind; +allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; +allow ipa_custodia_t pki_tomcat_cert_t:file create; +allow ipa_custodia_t pki_tomcat_cert_t:file unlink; +allow ipa_custodia_t self:process execmem; + +Found by: test_replica_promotion::TestSubCAkeyReplication + +Fixes: https://pagure.io/freeipa/issue/8488 +Signed-off-by: François Cami +Reviewed-By: Rob Crittenden +--- + selinux/ipa.te | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index c4c3fa805..3fa4ba980 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t) + type ipa_custodia_tmp_t; + files_tmp_file(ipa_custodia_tmp_t) + ++type pki_tomcat_cert_t; ++type node_t; ++ + ######################################## + # + # ipa_otpd local policy +@@ -323,10 +326,18 @@ optional_policy(` + allow ipa_custodia_t self:capability { setgid setuid }; + allow ipa_custodia_t self:fifo_file rw_fifo_file_perms; + allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read }; ++allow ipa_custodia_t self:process execmem; + allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms; + allow ipa_custodia_t self:unix_dgram_socket create_socket_perms; ++allow ipa_custodia_t self:tcp_socket { bind create }; + allow ipa_custodia_t self:udp_socket create_socket_perms; + ++allow ipa_custodia_t node_t:tcp_socket node_bind; ++ ++allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; 
++allow ipa_custodia_t pki_tomcat_cert_t:file create; ++allow ipa_custodia_t pki_tomcat_cert_t:file unlink; ++ + manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t) + manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t) + logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file }) +-- +2.26.2 + diff --git a/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch b/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch new file mode 100644 index 0000000..a95c32b --- /dev/null +++ b/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch 
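Review bot: The new `allow ipa_custodia_t self:process execmem;` rule has no comment naming the component that needs it, and execmem lets the custodia domain, which handles sub-CA key material, map memory that is both writable and executable, so the rationale belongs next to the rule rather than only in the rule list of the commit message. A later patch in this series attributes mmap-exec needs to the JVM, so presumably this is for the Java-based key retrieval helper, but that is not stated here. Suggest `# execmem: required by the JVM started for pki-tomcat key retrieval -- confirm, and remove if the JIT is not needed` above the rule, and if the only consumer is that helper, granting the permission to a dedicated domain instead of all of ipa_custodia_t.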
@@ -0,0 +1,117 @@ +Adapted version of d1c860e59b52. to make it apply without commits + +34b4d9bce5 - ipatests: Test ipa user login with wrong password +ab36d79adc - ipatests: Test for ipa-nis-manage CLI tool. + +From d1c860e59b5237178066ed963cc2fa50d99cd690 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 16 Sep 2020 17:07:21 +0200 +Subject: [PATCH] ipatests: check that pkispawn log is not empty +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since commits: +https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6 +https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e +pkispawn will not honor the pki_log_level configuration item. +All 10.9 Dogtag versions have these commits. +This affects FreeIPA in that it makes debugging Dogtag installation issues next +to impossible. +Adding --debug to the pkispawn CLI is required to revert to the previous +behavior. +Therefore check that the log is not empty and contains DEBUG+INFO lines. + +Fixes: https://pagure.io/freeipa/issue/8503 +Signed-off-by: François Cami +Reviewed-By: Thomas Woerner +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Thomas Woerner +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_commands.py | 23 ++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py +index fa6abd81e..3a12bcde2 100644 +--- a/ipatests/test_integration/test_commands.py ++++ b/ipatests/test_integration/test_commands.py +@@ -1295,3 +1295,26 @@ class TestIPACommand(IntegrationTest): + assert msg2 not in result.stderr_text + finally: + bashrc_backup.restore() ++ ++ def test_pkispawn_log_is_present(self): ++ """ ++ This testcase checks if pkispawn logged properly. ++ It is a candidate from being moved out of test_commands. 
++ """ ++ result = self.master.run_command( ++ ["ls", "/var/log/pki/"] ++ ) ++ pkispawnlogfile = None ++ for file in result.stdout_text.splitlines(): ++ if file.startswith("pki-ca-spawn"): ++ pkispawnlogfile = file ++ break ++ assert pkispawnlogfile is not None ++ pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile)) ++ pkispawnlog = self.master.get_file_contents( ++ pkispawnlogfile, encoding='utf-8' ++ ) ++ # Totally arbitrary. pkispawn debug logs tend to be > 10KiB. ++ assert len(pkispawnlog) > 1024 ++ assert "DEBUG" in pkispawnlog ++ assert "INFO" in pkispawnlog +-- +2.26.2 + +From 97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Thu, 17 Sep 2020 07:31:59 +0200 +Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since commits: +https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6 +https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e +pkispawn will not honor the pki_log_level configuration item. +All 10.9 Dogtag versions have these commits. +This affects FreeIPA in that it makes debugging Dogtag installation issues next +to impossible. +Adding --debug to the pkispawn CLI is required to revert to the previous +behavior. 
+ +Fixes: https://pagure.io/freeipa/issue/8503 +Signed-off-by: François Cami +Reviewed-By: Thomas Woerner +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Thomas Woerner +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +--- + ipaserver/install/dogtaginstance.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py +index 524262ad7..03fdd7c0b 100644 +--- a/ipaserver/install/dogtaginstance.py ++++ b/ipaserver/install/dogtaginstance.py +@@ -183,7 +183,8 @@ class DogtagInstance(service.Service): + subsystem = self.subsystem + args = [paths.PKISPAWN, + "-s", subsystem, +- "-f", cfg_file] ++ "-f", cfg_file, ++ "--debug"] + + with open(cfg_file) as f: + logger.debug( +-- +2.26.2 + diff --git a/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch b/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch new file mode 100644 index 0000000..d271d98 --- /dev/null +++ b/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch 
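Review bot: `test_pkispawn_log_is_present` only checks that the pkispawn log is non-empty and contains DEBUG and INFO lines, while the companion change in dogtaginstance.py adds `--debug` to pkispawn, which makes it more likely that values from the pkispawn configuration are written to `/var/log/pki/pki-ca-spawn*`; a negative assertion that known secrets are absent would catch such a regression. If the harness exposes them (e.g. `self.master.config.dirman_password` and `self.master.config.admin_password` -- confirm the attribute names), add `assert self.master.config.dirman_password not in pkispawnlog`. Two style nits in the same hunk: `os.path.sep.join(("/var/log/pki", pkispawnlogfile))` is simply `os.path.join("/var/log/pki", pkispawnlogfile)`, and the loop variable `file` shadows a well-known name, so `for name in result.stdout_text.splitlines():` reads better. The test also takes the first `pki-ca-spawn*` entry returned by `ls`, which on a host with several spawn logs may not be the one written by this installation.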
@@ -0,0 +1,549 @@ +From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Thu, 17 Sep 2020 11:30:45 +0200 +Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +enhance the test suite so that it covers: +- deleting subCAs (disabling them first) +- checking what happens when creating a dozen+ subCAs at a time +- adding a subCA that already exists and expect failure + +Related: https://pagure.io/freeipa/issue/8488 +Signed-off-by: François Cami +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +--- + .../test_replica_promotion.py | 52 +++++++++++++++++-- + 1 file changed, 47 insertions(+), 5 deletions(-) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index 82117054f..f0b72e1f8 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest): + SERVER_CERT_NICK: 'u,u,u', + } + +- def add_subca(self, host, name, subject): ++ def add_subca(self, host, name, subject, raiseonerr=True): + result = host.run_command([ + 'ipa', 'ca-add', name, + '--subject', subject, +- '--desc', self.SUBCA_DESC, ++ '--desc', self.SUBCA_DESC], ++ raiseonerr=raiseonerr ++ ) ++ if raiseonerr: ++ assert "ipa: ERROR:" not in result.stderr_text ++ auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) ++ return '{} {}'.format(IPA_CA_NICKNAME, auth_id) ++ else: ++ assert 
"ipa: ERROR:" in result.stderr_text ++ assert result.returncode != 0 ++ return result ++ ++ def del_subca(self, host, name): ++ host.run_command([ ++ 'ipa', 'ca-disable', name + ]) +- auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) +- return '{} {}'.format(IPA_CA_NICKNAME, auth_id) ++ result = host.run_command([ ++ 'ipa', 'ca-del', name ++ ]) ++ assert "Deleted CA \"{}\"".format(name) in result.stdout_text + + def check_subca(self, host, name, cert_nick): +- host.run_command(['ipa', 'ca-show', name]) ++ result = host.run_command(['ipa', 'ca-show', name]) ++ # ipa ca-show returns 0 even if the cert cannot be found locally. ++ assert "ipa: ERROR:" not in result.stderr_text + tasks.run_certutil( + host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR + ) +@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest): + ssl = replica.run_command(ssl_cmd) + assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text + ++ def test_del_subca_master_on_replica(self): ++ self.del_subca(self.replicas[0], self.SUBCA_MASTER) ++ ++ def test_del_subca_replica(self): ++ self.del_subca(self.replicas[0], self.SUBCA_REPLICA) ++ ++ def test_scale_add_subca(self): ++ master = self.master ++ replica = self.replicas[0] ++ ++ subcas = {} ++ for i in range(0, 16): ++ name = "_".join((self.SUBCA_MASTER, str(i))) ++ cn = "_".join((self.SUBCA_MASTER_CN, str(i))) ++ subcas[name] = self.add_subca(master, name, cn) ++ self.add_subca(master, name, cn, raiseonerr=False) ++ ++ # give replication some time ++ time.sleep(15) ++ ++ for name in subcas: ++ self.check_subca(replica, name, subcas[name]) ++ self.del_subca(replica, name) ++ + + class TestReplicaInstallCustodia(IntegrationTest): + """ +-- +2.26.2 + +From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Fri, 18 Sep 2020 11:55:37 +0200 +Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key +MIME-Version: 1.0 +Content-Type: 
text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add proper labeling, transition and policy for ipa-pki-retrieve-key. +Make sure tomcat_t can execute ipa-pki-retrieve-key. + +Fixes: https://pagure.io/freeipa/issue/8488 +Signed-off-by: Christian Heimes +Signed-off-by: François Cami +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +--- + selinux/ipa.fc | 1 + + selinux/ipa.te | 28 ++++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/selinux/ipa.fc b/selinux/ipa.fc +index a98cc4665..1176f383c 100644 +--- a/selinux/ipa.fc ++++ b/selinux/ipa.fc +@@ -30,5 +30,6 @@ + /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0) + /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0) + /usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0) ++/usr/libexec/ipa/ipa-pki-retrieve-key -- gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0) + + /var/log/ipa-custodia.audit.log(/.*)? 
-- gen_context(system_u:object_r:ipa_custodia_log_t,s0) +diff --git a/selinux/ipa.te b/selinux/ipa.te +index 3fa4ba980..26daed293 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t) + type pki_tomcat_cert_t; + type node_t; + ++type ipa_pki_retrieve_key_exec_t; ++init_script_file(ipa_pki_retrieve_key_exec_t) ++ + ######################################## + # + # ipa_otpd local policy +@@ -412,3 +415,28 @@ optional_policy(` + optional_policy(` + systemd_private_tmp(ipa_custodia_tmp_t) + ') ++ ++optional_policy(` ++ gen_require(` ++ type tomcat_t; ++ ') ++ can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t) ++ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t) ++') ++ ++optional_policy(` ++ gen_require(` ++ type devlog_t; ++ ') ++ ++ dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms; ++') ++ ++optional_policy(` ++ java_exec(ipa_custodia_pki_tomcat_exec_t) ++ # allow Java to read system status and RNG ++ dev_read_urand(ipa_custodia_t) ++ dev_read_rand(ipa_custodia_t) ++ kernel_read_network_state(ipa_custodia_t) ++ dev_read_sysfs(ipa_custodia_t) ++') +-- +2.26.2 + +From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Fri, 18 Sep 2020 17:45:39 +0200 +Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is used by the JVM perf counters. 
+ +Related: https://pagure.io/freeipa/issue/8488 +Signed-off-by: François Cami +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +--- + selinux/ipa.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index 26daed293..0a9ccaf83 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file }) + + manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t) + manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t) ++mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t) + files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file }) + + kernel_dgram_send(ipa_custodia_t) +-- +2.26.2 + +From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Mon, 21 Sep 2020 11:32:52 +0200 +Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t => + ipa_pki_retrieve_key_t +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of +ipa_pki_retrieve_key_exec_t. +As suggested by Ondrej Mosnáček. 
+ +Fixes: https://pagure.io/freeipa/issue/8488 +Signed-off-by: François Cami +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +--- + selinux/ipa.te | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index 0a9ccaf83..92a3b2359 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -78,6 +78,8 @@ type node_t; + type ipa_pki_retrieve_key_exec_t; + init_script_file(ipa_pki_retrieve_key_exec_t) + ++type ipa_pki_retrieve_key_t; ++ + ######################################## + # + # ipa_otpd local policy +@@ -422,7 +424,7 @@ optional_policy(` + type tomcat_t; + ') + can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t) +- pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t) ++ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t) + ') + + optional_policy(` +-- +2.26.2 + +From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Mon, 21 Sep 2020 11:37:12 +0200 +Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t => + ipa_custodia_pki_tomcat_t +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by +ipa_custodia_pki_tomcat_t. +As suggested by Ondrej Mosnáček. 
+ +Fixes: https://pagure.io/freeipa/issue/8488 +Signed-off-by: François Cami +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +--- + selinux/ipa.te | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index 92a3b2359..b2c618a53 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t) + type ipa_custodia_pki_tomcat_exec_t; + init_script_file(ipa_custodia_pki_tomcat_exec_t) + ++type ipa_custodia_pki_tomcat_t; ++ + type ipa_custodia_ra_agent_exec_t; + init_script_file(ipa_custodia_ra_agent_exec_t) + +@@ -436,7 +438,7 @@ optional_policy(` + ') + + optional_policy(` +- java_exec(ipa_custodia_pki_tomcat_exec_t) ++ java_exec(ipa_custodia_pki_tomcat_t) + # allow Java to read system status and RNG + dev_read_urand(ipa_custodia_t) + dev_read_rand(ipa_custodia_t) +-- +2.26.2 + +From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 22 Sep 2020 11:36:13 +0200 +Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as + domain_type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: https://pagure.io/freeipa/issue/8488 +Signed-off-by: François Cami +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: 
Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +--- + selinux/ipa.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index b2c618a53..42b010133 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -78,6 +78,7 @@ type pki_tomcat_cert_t; + type node_t; + + type ipa_pki_retrieve_key_exec_t; ++domain_type(ipa_pki_retrieve_key_exec_t) + init_script_file(ipa_pki_retrieve_key_exec_t) + + type ipa_pki_retrieve_key_t; +-- +2.26.2 + +From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 22 Sep 2020 13:12:05 +0200 +Subject: [PATCH] SELinux Policy: make interfaces for kernel modules + non-optional +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Interfaces for kernel modules do not need to be in an optional module. +Also make sure ipa_custodia_t can log. +Suggested by Lukas Vrabec. + +Fixes: https://pagure.io/freeipa/issue/8488 +Signed-off-by: François Cami +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +--- + selinux/ipa.te | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index 42b010133..f984a0f94 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -78,10 +78,9 @@ type pki_tomcat_cert_t; + type node_t; + + type ipa_pki_retrieve_key_exec_t; +-domain_type(ipa_pki_retrieve_key_exec_t) +-init_script_file(ipa_pki_retrieve_key_exec_t) +- + type ipa_pki_retrieve_key_t; ++domain_type(ipa_pki_retrieve_key_t) ++init_script_file(ipa_pki_retrieve_key_exec_t) + + 
######################################## + # +@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t) + files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file }) + + kernel_dgram_send(ipa_custodia_t) ++kernel_read_network_state(ipa_custodia_t) + + auth_read_passwd(ipa_custodia_t) + +@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t) + corecmd_exec_bin(ipa_custodia_t) + corecmd_mmap_bin_files(ipa_custodia_t) + ++dev_read_urand(ipa_custodia_t) ++dev_read_rand(ipa_custodia_t) ++dev_read_sysfs(ipa_custodia_t) ++ + domain_use_interactive_fds(ipa_custodia_t) + + files_mmap_usr_files(ipa_custodia_t) +@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t) + libs_exec_ldconfig(ipa_custodia_t) + libs_ldconfig_exec_entry_type(ipa_custodia_t) + ++logging_send_syslog_msg(ipa_custodia_t) ++ + miscfiles_read_generic_certs(ipa_custodia_t) + miscfiles_read_localization(ipa_custodia_t) + +@@ -441,8 +447,4 @@ optional_policy(` + optional_policy(` + java_exec(ipa_custodia_pki_tomcat_t) + # allow Java to read system status and RNG +- dev_read_urand(ipa_custodia_t) +- dev_read_rand(ipa_custodia_t) +- kernel_read_network_state(ipa_custodia_t) +- dev_read_sysfs(ipa_custodia_t) + ') +-- +2.26.2 + +From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 22 Sep 2020 13:34:40 +0200 +Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is required to fix: +avc: denied { search } for pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0 + +Macros suggested by: Ondrej Mosnacek + +Fixes: https://pagure.io/freeipa/issue/8488 +Signed-off-by: François Cami +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian 
Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +Reviewed-By: Rob Crittenden +Reviewed-By: Ondrej Mosnacek +Reviewed-By: Lukas Vrabec +Reviewed-By: Zdenek Pytela +Reviewed-By: Thomas Woerner +--- + selinux/ipa.te | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index f984a0f94..fa577191c 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -448,3 +448,11 @@ optional_policy(` + java_exec(ipa_custodia_pki_tomcat_t) + # allow Java to read system status and RNG + ') ++ ++optional_policy(` ++ gen_require(` ++ type tomcat_t; ++ ') ++ kerberos_read_config(tomcat_t) ++ kerberos_read_keytab(tomcat_t) ++') +-- +2.26.2 + diff --git a/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch b/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch new file mode 100644 index 0000000..6ec25a7 --- /dev/null +++ b/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch 
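Review bot: The commit message promises a "transition" for ipa-pki-retrieve-key, but the policy only adds `can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)`, which executes the helper without a domain transition, so it keeps running as tomcat_t -- the AVC quoted in the last patch of this file (comm="ipa-pki-retriev", scontext tomcat_t) shows exactly that. As a consequence `ipa_pki_retrieve_key_t` (declared with domain_type and granted pki_manage_tomcat_etc_rw) is never entered, and the `kerberos_read_config`/`kerberos_read_keytab` access added in the final patch is granted to the whole tomcat_t domain, i.e. every Dogtag webapp, instead of to the helper alone. Suggest replacing the can_exec line with `domtrans_pattern(tomcat_t, ipa_pki_retrieve_key_exec_t, ipa_pki_retrieve_key_t)` and granting `kerberos_read_config(ipa_pki_retrieve_key_t)` and `kerberos_read_keytab(ipa_pki_retrieve_key_t)` instead, or, if the transition was deliberately avoided, documenting why next to the can_exec rule. In that case the unused `ipa_pki_retrieve_key_t` declaration and its pki_manage_tomcat_etc_rw grant should be dropped so the policy does not suggest a confinement that is not in effect.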
@@ -0,0 +1,68 @@ +From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 23 Sep 2020 09:17:53 +0200 +Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +node_t and pki_tomcat_cert_t are defined in other modules. +Do not double-define them. + +Fixes: https://pagure.io/freeipa/issue/8513 +Signed-off-by: François Cami +Reviewed-By: Christian Heimes +--- + selinux/ipa.te | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index fa577191c..d80e64a0b 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t) + type ipa_custodia_tmp_t; + files_tmp_file(ipa_custodia_tmp_t) + +-type pki_tomcat_cert_t; +-type node_t; +- + type ipa_pki_retrieve_key_exec_t; + type ipa_pki_retrieve_key_t; + domain_type(ipa_pki_retrieve_key_t) +@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms; + allow ipa_custodia_t self:tcp_socket { bind create }; + allow ipa_custodia_t self:udp_socket create_socket_perms; + +-allow ipa_custodia_t node_t:tcp_socket node_bind; +- +-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; +-allow ipa_custodia_t pki_tomcat_cert_t:file create; +-allow ipa_custodia_t pki_tomcat_cert_t:file unlink; +- + manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t) + manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t) + logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file }) +@@ -456,3 +447,19 @@ optional_policy(` + kerberos_read_config(tomcat_t) + kerberos_read_keytab(tomcat_t) + ') ++ ++optional_policy(` ++ gen_require(` ++ type node_t; ++ ') ++ allow ipa_custodia_t node_t:tcp_socket node_bind; ++') ++ ++optional_policy(` ++ gen_require(` ++ type pki_tomcat_cert_t; ++ ') 
++ allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; ++ allow ipa_custodia_t pki_tomcat_cert_t:file create; ++ allow ipa_custodia_t pki_tomcat_cert_t:file unlink; ++') +-- +2.26.2 + diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index ef6b018..c1ea27a 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -149,7 +149,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 10%{?dist} +Release: 12%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -180,6 +180,10 @@ Patch0013: 0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1 Patch0014: 0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch Patch0015: 0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch Patch0016: 0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch +Patch0017: 0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch +Patch0018: 0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch +Patch0019: 0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch +Patch0020: 0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-4.8.0-Remove-csrgen.patch Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch @@ -744,7 +748,7 @@ Conflicts: %{alt_name}-python < %{version} # This ensures that the *-selinux package and all it’s dependencies are not # pulled into containers and other systems that do not use SELinux. The # policy defines types and file contexts for client and server. -Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) %endif %description common 
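Review bot: The node_bind rule is now wrapped in a `gen_require(` block for `node_t`, but refpolicy already exports an interface for this, so `corenet_tcp_bind_generic_node(ipa_custodia_t)` in place of the raw `allow ipa_custodia_t node_t:tcp_socket node_bind;` avoids requiring a type owned by another module and matches the interface style the rest of ipa.te uses (`corecmd_exec_bin`, `dev_read_urand`, ...). node_t is a base-module type, so that block does not need to be inside optional_policy either, where a missing type would silently drop the rule. The pki_tomcat_cert_t block has no equivalent interface visible here, so keeping gen_require is reasonable, but a comment such as `# custodia replaces sub-CA certificates in the Tomcat NSS database during key replication` would record why custodia may create and unlink files in the PKI certificate directory.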
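Review bot: The new `Patch0019` and `Patch0020` file names end in `rhbz#1870202`, which elsewhere on this page is the bug for the 0016 ca.crt permission fix (see the 4.8.7-10 changelog entry), while the %changelog entries for these two SELinux patches cite `RHBZ#1868432`; one of the two references looks wrong and the names should be aligned with the changelog so the SELinux fixes stay traceable to their bug. The tightened `Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})` is consistent with the policy changes, which are only meaningful together with the matching package build.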
@@ -1530,6 +1534,20 @@ fi %changelog +* Wed Sep 23 2020 Thomas Woerner - 4.8.7-12 +- Require selinux sub package in the proper version + Related: RHBZ#1868432 +- SELinux: do not double-define node_t and pki_tomcat_cert_t + Related: RHBZ#1868432 +- SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests + Related: RHBZ#1868432 +- dogtaginstance.py: add --debug to pkispawn + Resolves: RHBZ#1879604 + +* Thu Sep 10 2020 Thomas Woerner - 4.8.7-11 +- SELinux Policy: let custodia replicate keys + Resolves: RHBZ#1868432 + * Wed Aug 19 2020 Thomas Woerner - 4.8.7-10 - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations Resolves: RHBZ#1870202