The latest development code of chrony has support for dropping root privileges in the chronyc command-line utility to minimize the impact of potential bugs. The setgroups()/setgid() and setuid() calls are blocked by the current selinux policy. This is what I see in the permissive mode: type=AVC msg=audit(1754571339.039:1605): avc: denied { setgid } for pid=647878 comm="chronyc" capability=6 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tclass=capability permissive=1 type=AVC msg=audit(1754571339.039:1606): avc: denied { setuid } for pid=647878 comm="chronyc" capability=7 scontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chronyc_t:s0-s0:c0.c1023 tclass=capability permissive=1 Reproducible: Always Steps to Reproduce: 1. install chrony from https://copr.fedorainfracloud.org/coprs/mlichvar/chrony/build/9386351/ 2. systemctl start chronyd 3. (as root) chronyc -u chrony ntpdata Actual Results: setgroups() failed : Operation not permitted Expected Results: No errors reported by chronyc and the audit log. Additional Information: selinux-policy-42.4-1.fc42.noarch
FEDORA-2025-3ed36829c6 (selinux-policy-42.8-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-3ed36829c6
FEDORA-2025-3ed36829c6 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-3ed36829c6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-3ed36829c6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-3ed36829c6 (selinux-policy-42.8-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
It works, thanks!