Hi.

When running chronyd-restricted.service, it works fine but it results in a bunch of SELinux service denials like this one:

```
type=AVC msg=audit(1720332788.481:210): avc: denied { sendto } for pid=4457 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:system_r:chronyd_restricted_t:s0 tclass=unix_dgram_socket permissive=0
```

This happens on a fully updated Fedora 40 Workstation and latest Fedora CoreOS from testing stream.

The AVC denials are not from me running `chronyc`, but something on the system running `chronyc`. It seems to be:

`/usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline`

I think even for a restricted chronyd, presumably we do want NetworkManager to be able to check that chronyd is online.

Reproducible: Always

Steps to Reproduce:
1. Disable and stop chronyd.service
2. Enable and start chronyd-restricted.service
3. Might need to reboot.
4. See AVC denials.

selinux-policy-40.23-1.fc40
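A triage sketch for the denial quoted in the report above, added here as an example; it is not code from the reporter or from selinux-policy. It parses AVC records, groups repeats by source type, target type and object class, and prints the type-enforcement rule each denial shows to be missing, which is a reading of the log and not necessarily the change shipped in the update. The second sample record is constructed.

```python
import re
from collections import defaultdict

# First record is the one from the report; the second is constructed (a repeat).
SAMPLE = '''\
type=AVC msg=audit(1720332788.481:210): avc: denied { sendto } for pid=4457 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:system_r:chronyd_restricted_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1720332848.112:233): avc: denied { sendto } for pid=4502 comm="chronyc" path="/run/chrony/chronyd.sock" scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:system_r:chronyd_restricted_t:s0 tclass=unix_dgram_socket permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line) if 'type=AVC' in line else None
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # Context is user:role:type:level; the level may contain colons, so split 3 times.
    for key in ('scontext', 'tcontext'):
        rec[key + '_type'] = rec[key].split(':', 3)[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'comm': set(), 'count': 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['scontext_type'], rec['tcontext_type'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['comm'].add(rec.get('comm', '?'))
        g['count'] += 1
    return dict(groups)

def missing_rules(text):
    """Render each group as the allow rule the loaded policy lacks."""
    out = []
    for (src, tgt, cls), g in sorted(summarize(text).items()):
        perms = ' '.join(sorted(g['perms']))
        out.append(f'allow {src} {tgt}:{cls} {{ {perms} }};')
    return out

if __name__ == '__main__':
    print('\n'.join(missing_rules(SAMPLE)))
```
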
FEDORA-2024-75212378ea (selinux-policy-40.28-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-75212378ea
FEDORA-2024-75212378ea has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-75212378ea` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-75212378ea See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-75212378ea (selinux-policy-40.28-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.