freeipa-container: Attempt to run fedora-27 image in OpenShift fails

Attempt to create application in OpenShift on

docker-1.13.1-44.git584d391.fc26.x86_64
selinux-policy-3.13.1-260.18.fc26.noarch
container-selinux-2.40-1.fc26.noarch

OpenShift was started as all-on-one setup with oc cluster up, using oc 3.6.1 from https://github.com/openshift/origin/releases/download/v3.6.1/openshift-origin-client-tools-v3.6.1-008f2d5-linux-64bit.tar.gz

The ipaserver-install.log ends with:

2018-02-01T12:38:27Z DEBUG Starting external process
2018-02-01T12:38:27Z DEBUG args=/bin/systemctl start messagebus.service
2018-02-01T12:38:27Z DEBUG Process finished, return code=0
2018-02-01T12:38:27Z DEBUG stdout=
2018-02-01T12:38:27Z DEBUG stderr=
2018-02-01T12:38:27Z DEBUG Starting external process
2018-02-01T12:38:27Z DEBUG args=/bin/systemctl is-active messagebus.service
2018-02-01T12:38:27Z DEBUG Process finished, return code=0
2018-02-01T12:38:27Z DEBUG stdout=active

2018-02-01T12:38:27Z DEBUG stderr=
2018-02-01T12:38:27Z DEBUG Starting external process
2018-02-01T12:38:27Z DEBUG args=/bin/systemctl start certmonger.service
2018-02-01T12:38:27Z DEBUG Process finished, return code=0
2018-02-01T12:38:27Z DEBUG stdout=
2018-02-01T12:38:27Z DEBUG stderr=
2018-02-01T12:38:27Z DEBUG Starting external process
2018-02-01T12:38:27Z DEBUG args=/bin/systemctl is-active certmonger.service
2018-02-01T12:38:27Z DEBUG Process finished, return code=0
2018-02-01T12:38:27Z DEBUG stdout=active

2018-02-01T12:38:27Z DEBUG stderr=
2018-02-01T12:38:52Z ERROR Introspect error on :1.1:/org/fedorahosted/certmonger: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2018-02-01T12:38:52Z DEBUG Executing introspect queue due to error
2018-02-01T12:39:17Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 506, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 496, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 259, in configure_certmonger_renewal
    path = iface.find_ca_by_nickname(name)
  File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python3.6/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

2018-02-01T12:39:17Z DEBUG   [error] DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2018-02-01T12:39:17Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 336, in run
    cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 364, in run
    self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 388, in execute
    for _nothing in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 514, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 66, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 578, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 250, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 797, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 289, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 448, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 506, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 496, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 259, in configure_certmonger_renewal
    path = iface.find_ca_by_nickname(name)
  File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python3.6/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)

2018-02-01T12:39:17Z DEBUG The ipa-server-install command failed, exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
2018-02-01T12:39:17Z ERROR org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

In the audit.log, I only see AVC denials

type=AVC msg=audit(1517488935.631:817): avc:  denied  { write } for  pid=12573 comm="ipa-server-conf" name="fd" dev="proc" ino=248798 scontext=system_u:system_r:container_t:s0:c4,c7 tcontext=system_u:system_r:container_t:s0:c4,c7 tclass=dir permissive=0

which seems to be https://bugzilla.redhat.com/show_bug.cgi?id=1540963 and hopefully not directly related.