4.8-3

Use the new configure option added in chrony-4.8 to change the default
chronyc user to chrony. If chronyc is started under root, it will switch
to the chrony user automatically to minimize impact of potential
security issues. This shouldn't be visible to the user, but if for some
reason the original behavior is required, "-u root" can be added to the
chronyc command line.

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,2 +1,3 @@
-/chrony-3.5.tar.gz
-/clknetsim-3f5ef9.tar.gz
+/chrony-4.8-tar-gz-asc.txt
+/chrony-4.8.tar.gz
+/clknetsim-6ee99f50dec8.tar.gz

chrony-dnssrv@.service

@@ -1,8 +0,0 @@
-[Unit]
-Description=DNS SRV lookup of %I for chrony
-After=chronyd.service network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/libexec/chrony-helper update-dnssrv-servers %I

chrony-dnssrv@.timer

@@ -1,9 +0,0 @@
-[Unit]
-Description=Periodic DNS SRV lookup of %I for chrony
-
-[Timer]
-OnActiveSec=0
-OnUnitInactiveSec=1h
-
-[Install]
-WantedBy=timers.target

chrony-nm-dispatcher-dhcp.patch

@@ -0,0 +1,39 @@
+From: Robert Fairley <rfairley@redhat.com>
+Date: Wed, 17 Jun 2020 10:14:19 -0400
+Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig
+
+Use the PEERNTP and NTPSERVERARGS environment variables from
+/etc/sysconfig/network{-scripts}.
+
+Co-Authored-By: Christian Glombek <cglombek@redhat.com>
+
+diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
+index 6ea4c37..a6ad35a 100644
+--- a/examples/chrony.nm-dispatcher.dhcp
++++ b/examples/chrony.nm-dispatcher.dhcp
+@@ -8,15 +8,23 @@ export LC_ALL=C
+ interface=$1
+ action=$2
+ 
++[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
++[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
++    . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
++
+ chronyc=/usr/bin/chronyc
+-server_options=iburst
+-server_dir=/var/run/chrony-dhcp
++server_options=${NTPSERVERARGS:-iburst}
++server_dir=/run/chrony-dhcp
+ 
+ dhcp_server_file=$server_dir/$interface.sources
+ dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
+ 
+ add_servers_from_dhcp() {
+     rm -f "$dhcp_server_file"
++
++    # Don't add NTP servers if PEERNTP=no specified; return early.
++    [ "$PEERNTP" = "no" ] && return
++
+     for server in $dhcp_ntp_servers; do
+         # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
+         len1=$(printf '%s' "$server" | wc -c)

chrony-seccomp.patch

@@ -0,0 +1,194 @@
+commit 03875f1ea5c4c0eeeb30a7d1fc5fdd53236f4ac2
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date:   Tue Oct 21 14:06:38 2025 +0200
+
+    sys_linux: allow ioctl(TCGETS2) in seccomp filter
+    
+    Add TCGETS2 to the list of allowed ioctls. It seems to be called by the
+    latest glibc version from isatty(), which is called from libpcsclite
+    used by gnutls in an NTS-KE session.
+    
+    Include the linux termios header instead of glibc header to get a usable
+    definition of TCGETS2.
+
+diff --git a/sys_linux.c b/sys_linux.c
+index ca5540f2..e20e459d 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -48,7 +48,7 @@
+ #ifdef FEAT_SCFILTER
+ #include <sys/prctl.h>
+ #include <seccomp.h>
+-#include <termios.h>
++#include <linux/termios.h>
+ #ifdef FEAT_PPS
+ #include <linux/pps.h>
+ #endif
+@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+   const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
+ 
+   const static unsigned long ioctls[] = {
+-    FIONREAD, TCGETS, TIOCGWINSZ,
++    FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
+ #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
+     PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
+ #ifdef PTP_PIN_SETFUNC
+commit 3c39afa13c769452d4c340bfc987e229b7c9caeb
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date:   Wed Oct 22 10:53:11 2025 +0200
+
+    sys_linux: fix building with older compilers and some archs
+    
+    The recent replacement of <termios.h> with <linux/termios.h> to get
+    TCGETS2 seems to work only with compilers (or C standards) that allow
+    the same structure to be defined multiple times. There is a conflict
+    between <sys/ioctl.h> and <linux/termios.h>.
+    
+    Another problem is that TCGETS2 is not used on some archs like ppc64.
+    
+    Switch back to <termios.h> and move TCGETS2 to a list in a separate
+    file where it can be compiled without <sys/ioctl.h>.
+    
+    Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter")
+
+diff --git a/configure b/configure
+index 195b1ed7..ca64475d 100755
+--- a/configure
++++ b/configure
+@@ -808,6 +808,7 @@ then
+   # a time and the async resolver would block the main thread
+   priv_ops="NAME2IPADDRESS RELOADDNS"
+   EXTRA_LIBS="$EXTRA_LIBS -lseccomp"
++  EXTRA_OBJECTS="$EXTRA_OBJECTS sys_linux_scmp.o"
+ fi
+ 
+ if [ "x$priv_ops" != "x" ]; then
+diff --git a/sys_linux.c b/sys_linux.c
+index e20e459d..89eec950 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -48,7 +48,7 @@
+ #ifdef FEAT_SCFILTER
+ #include <sys/prctl.h>
+ #include <seccomp.h>
+-#include <linux/termios.h>
++#include <termios.h>
+ #ifdef FEAT_PPS
+ #include <linux/pps.h>
+ #endif
+@@ -63,6 +63,7 @@
+ #endif
+ 
+ #include "sys_linux.h"
++#include "sys_linux_scmp.h"
+ #include "sys_timex.h"
+ #include "conf.h"
+ #include "local.h"
+@@ -615,7 +616,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+   const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
+ 
+   const static unsigned long ioctls[] = {
+-    FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
++    FIONREAD, TCGETS, TIOCGWINSZ,
+ #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
+     PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
+ #ifdef PTP_PIN_SETFUNC
+@@ -728,6 +729,14 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+                            SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0)
+         goto add_failed;
+     }
++
++    /* Allow selected ioctls that need to be specified in a separate
++       file to avoid conflicting headers (e.g. TCGETS2) */
++    for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++) {
++      if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
++                           SCMP_A1(SCMP_CMP_EQ, SYS_Linux_GetExtraScmpIoctl(i))) < 0)
++        goto add_failed;
++    }
+   }
+ 
+   if (seccomp_load(ctx) < 0)
+diff --git a/sys_linux_scmp.c b/sys_linux_scmp.c
+new file mode 100644
+index 00000000..a907a97d
+--- /dev/null
++++ b/sys_linux_scmp.c
+@@ -0,0 +1,44 @@
++/*
++  chronyd/chronyc - Programs for keeping computer clocks accurate.
++
++ **********************************************************************
++ * Copyright (C) Miroslav Lichvar  2025
++ * 
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
++ * 
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ * 
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
++ * 
++ **********************************************************************
++
++  =======================================================================
++
++  Lists of values that are needed in seccomp filters but need to
++  be compiled separately from sys_linux.c due to conflicting headers.
++  */
++
++#include <linux/termios.h>
++
++#include "sys_linux_scmp.h"
++
++unsigned long
++SYS_Linux_GetExtraScmpIoctl(int index)
++{
++  const unsigned long ioctls[] = {
++#ifdef TCGETS2
++    /* Conflict between <linux/termios.h> and <sys/ioctl.h> */
++    TCGETS2,
++#endif
++    0
++  };
++
++  return ioctls[index];
++}
+diff --git a/sys_linux_scmp.h b/sys_linux_scmp.h
+new file mode 100644
+index 00000000..62a9d548
+--- /dev/null
++++ b/sys_linux_scmp.h
+@@ -0,0 +1,28 @@
++/*
++  chronyd/chronyc - Programs for keeping computer clocks accurate.
++
++ **********************************************************************
++ * Copyright (C) Miroslav Lichvar  2025
++ * 
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
++ * 
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ * 
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
++ * 
++ **********************************************************************
++
++  =======================================================================
++
++  Header file for lists that are needed in seccomp filters but need to
++  be compiled separately from sys_linux.c due to conflicting headers.
++  */
++
++extern unsigned long SYS_Linux_GetExtraScmpIoctl(int index);

chrony-service-helper.patch

@@ -1,11 +0,0 @@
-diff -up chrony-3.5/examples/chronyd.service.service-helper chrony-3.5/examples/chronyd.service
---- chrony-3.5/examples/chronyd.service.service-helper	2019-05-10 12:22:57.000000000 +0200
-+++ chrony-3.5/examples/chronyd.service	2019-05-14 13:42:38.069516800 +0200
-@@ -10,6 +10,7 @@ Type=forking
- PIDFile=/run/chrony/chronyd.pid
- EnvironmentFile=-/etc/sysconfig/chronyd
- ExecStart=/usr/sbin/chronyd $OPTIONS
-+ExecStartPost=/usr/libexec/chrony-helper update-daemon
- PrivateTmp=yes
- ProtectHome=yes
- ProtectSystem=full

chrony-servicedirs.patch

@@ -0,0 +1,18 @@
+diff -up chrony-4.7/examples/chronyd.service.servicedirs chrony-4.7/examples/chronyd.service
+--- chrony-4.7/examples/chronyd.service.servicedirs	2025-06-11 15:06:19.000000000 +0200
++++ chrony-4.7/examples/chronyd.service	2025-07-10 12:06:57.354215498 +0200
+@@ -10,7 +10,13 @@ Type=notify
+ PIDFile=/run/chrony/chronyd.pid
+ Environment="OPTIONS="
+ EnvironmentFile=-/etc/sysconfig/chronyd
+-ExecStart=/usr/sbin/chronyd -n $OPTIONS
++ExecStart=!/usr/sbin/chronyd -n $OPTIONS
++
++User=chrony
++LogsDirectory=chrony
++LogsDirectoryMode=0750
++StateDirectory=chrony
++StateDirectoryMode=0750
+ 
+ CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE

chrony.dhclient

@@ -1,20 +1,27 @@
 #!/bin/bash
 
-SERVERFILE=$SAVEDIR/chrony.servers.$interface
+CHRONY_SOURCEDIR=/run/chrony-dhcp
+SERVERFILE=$CHRONY_SOURCEDIR/$interface.sources
 
 chrony_config() {
-	rm -f $SERVERFILE
+	# Disable modifications if called from a NM dispatcher script
+	[ -n "$NM_DISPATCHER_ACTION" ] && return 0
+
+	rm -f "$SERVERFILE"
 	if [ "$PEERNTP" != "no" ]; then
+		mkdir -p $CHRONY_SOURCEDIR
 		for server in $new_ntp_servers; do
-			echo "$server ${NTPSERVERARGS:-iburst}" >> $SERVERFILE
+			echo "server $server ${NTPSERVERARGS:-iburst}" >> "$SERVERFILE"
 		done
-		/usr/libexec/chrony-helper update-daemon || :
+		/usr/bin/chronyc reload sources > /dev/null 2>&1 || :
 	fi
 }
 
 chrony_restore() {
-	if [ -f $SERVERFILE ]; then
-		rm -f $SERVERFILE
-		/usr/libexec/chrony-helper update-daemon || :
+	[ -n "$NM_DISPATCHER_ACTION" ] && return 0
+
+	if [ -f "$SERVERFILE" ]; then
+		rm -f "$SERVERFILE"
+		/usr/bin/chronyc reload sources > /dev/null 2>&1 || :
 	fi
 }

chrony.helper

@@ -1,252 +0,0 @@
-#!/bin/bash
-# This script configures running chronyd to use NTP servers obtained from
-# DHCP and _ntp._udp DNS SRV records. Files with servers from DHCP are managed
-# externally (e.g. by a dhclient script). Files with servers from DNS SRV
-# records are updated here using the dig utility. The script can also list
-# and set static sources in the chronyd configuration file.
-
-chronyc=/usr/bin/chronyc
-chrony_conf=/etc/chrony.conf
-chrony_service=chronyd.service
-helper_dir=/var/run/chrony-helper
-added_servers_file=$helper_dir/added_servers
-
-network_sysconfig_file=/etc/sysconfig/network
-dhclient_servers_files=/var/lib/dhclient/chrony.servers.*
-dnssrv_servers_files=$helper_dir/dnssrv@*
-dnssrv_timer_prefix=chrony-dnssrv@
-
-. $network_sysconfig_file &> /dev/null
-
-chrony_command() {
-    $chronyc -a -n -m "$1"
-}
-
-is_running() {
-    chrony_command "tracking" &> /dev/null
-}
-
-get_servers_files() {
-    [ "$PEERNTP" != "no" ] && echo "$dhclient_servers_files"
-    echo "$dnssrv_servers_files"
-}
-
-is_update_needed() {
-    for file in $(get_servers_files) $added_servers_file; do
-        [ -e "$file" ] && return 0
-    done
-    return 1
-}
-
-update_daemon() {
-    local all_servers_with_args all_servers added_servers
-
-    if ! is_running; then
-        rm -f $added_servers_file
-        return 0
-    fi
-
-    all_servers_with_args=$(cat $(get_servers_files) 2> /dev/null)
-
-    all_servers=$(
-        echo "$all_servers_with_args" |
-            while read server serverargs; do
-                echo "$server"
-            done | sort -u)
-    added_servers=$( (
-        cat $added_servers_file 2> /dev/null
-        echo "$all_servers_with_args" |
-            while read server serverargs; do
-                [ -z "$server" ] && continue
-                chrony_command "add server $server $serverargs" &> /dev/null &&
-                    echo "$server"
-            done) | sort -u)
-
-    comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") |
-        while read server; do
-            chrony_command "delete $server" &> /dev/null
-        done
-
-    added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers"))
-
-    [ -n "$added_servers" ] && echo "$added_servers" > $added_servers_file ||
-        rm -f $added_servers_file
-}
-
-get_dnssrv_servers() {
-    local name=$1 output
-
-    if ! command -v dig &> /dev/null; then
-        echo "Missing dig (DNS lookup utility)" >&2
-        return 1
-    fi
-
-    output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null)
-    [ $? -ne 0 ] && return 0
-
-    echo "$output" | while read prio weight port target; do
-        server=${target%.}
-        [ -z "$server" ] && continue
-        echo "$server port $port ${NTPSERVERARGS:-iburst}"
-    done
-}
-
-check_dnssrv_name() {
-    local name=$1
-
-    if [ -z "$name" ]; then
-        echo "No DNS SRV name specified" >&2
-        return 1
-    fi
-
-    if [ "${name:0:9}" != _ntp._udp ]; then
-        echo "DNS SRV name $name doesn't start with _ntp._udp" >&2
-        return 1
-    fi
-}
-
-update_dnssrv_servers() {
-    local name=$1
-    local srv_file=$helper_dir/dnssrv@$name servers
-
-    check_dnssrv_name "$name" || return 1
-
-    servers=$(get_dnssrv_servers "$name")
-    [ -n "$servers" ] && echo "$servers" > "$srv_file" || rm -f "$srv_file"
-}
-
-set_dnssrv_timer() {
-    local state=$1 name=$2
-    local srv_file=$helper_dir/dnssrv@$name servers
-    local timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer
-
-    check_dnssrv_name "$name" || return 1
-
-    if [ "$state" = enable ]; then
-        systemctl enable "$timer"
-        systemctl start "$timer"
-    elif [ "$state" = disable ]; then
-        systemctl stop "$timer"
-        systemctl disable "$timer"
-        rm -f "$srv_file"
-    fi
-}
-
-list_dnssrv_timers() {
-    systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \
-            sed "s|^$dnssrv_timer_prefix\(.*\)\.timer.*|\1|" |
-        while read -r name; do
-            systemd-escape --unescape "$name"
-        done
-}
-
-prepare_helper_dir() {
-    mkdir -p $helper_dir
-    exec 100> $helper_dir/lock
-    if ! flock -w 20 100; then
-        echo "Failed to lock $helper_dir" >&2
-        return 1
-    fi
-}
-
-is_source_line() {
-    local pattern="^[ \t]*(server|pool|peer|refclock)[ \t]+[^ \t]+"
-    [[ "$1" =~ $pattern ]]
-}
-
-list_static_sources() {
-    while read line; do
-        is_source_line "$line" && echo "$line" || :
-    done < $chrony_conf
-}
-
-set_static_sources() {
-    local new_config tmp_conf
-
-    new_config=$(
-        sources=$(
-            while read line; do
-                is_source_line "$line" && echo "$line"
-            done)
-
-        while read line; do
-            if ! is_source_line "$line"; then
-                echo "$line"
-                continue
-            fi
-
-            tmp_sources=$(
-                local removed=0
-
-                echo "$sources" | while read line2; do
-                    [ "$removed" -ne 0 -o "$line" != "$line2" ] && \
-                        echo "$line2" || removed=1
-                done)
-
-            [ "$sources" == "$tmp_sources" ] && continue
-            sources=$tmp_sources
-            echo "$line"
-        done < $chrony_conf
-
-        echo "$sources"
-    )
-
-    tmp_conf=${chrony_conf}.tmp
-
-    cp -a $chrony_conf $tmp_conf &&
-        echo "$new_config" > $tmp_conf &&
-        mv $tmp_conf $chrony_conf || return 1
-
-    systemctl try-restart $chrony_service
-}
-
-print_help() {
-    echo "Usage: $0 COMMAND"
-    echo
-    echo "Commands:"
-    echo "	update-daemon"
-    echo "	update-dnssrv-servers NAME"
-    echo "	enable-dnssrv NAME"
-    echo "	disable-dnssrv NAME"
-    echo "	list-dnssrv"
-    echo "	list-static-sources"
-    echo "	set-static-sources < sources.list"
-    echo "	is-running"
-    echo "	command CHRONYC-COMMAND"
-}
-
-case "$1" in
-    update-daemon|add-dhclient-servers|remove-dhclient-servers)
-        is_update_needed || exit 0
-        prepare_helper_dir && update_daemon
-        ;;
-    update-dnssrv-servers)
-        prepare_helper_dir && update_dnssrv_servers "$2" && update_daemon
-        ;;
-    enable-dnssrv)
-        set_dnssrv_timer enable "$2"
-        ;;
-    disable-dnssrv)
-        set_dnssrv_timer disable "$2" && prepare_helper_dir && update_daemon
-        ;;
-    list-dnssrv)
-        list_dnssrv_timers
-        ;;
-    list-static-sources)
-        list_static_sources
-        ;;
-    set-static-sources)
-        set_static_sources
-        ;;
-    is-running)
-        is_running
-        ;;
-    command|forced-command)
-        chrony_command "$2"
-        ;;
-    *)
-        print_help
-        exit 2
-esac
-
-exit $?

chrony.spec

@@ -1,37 +1,45 @@
 %global _hardened_build 1
-%global clknetsim_ver 3f5ef9
+%global clknetsim_ver 6ee99f50dec8
 %bcond_without debug
+%bcond_without nts
+
+%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x
+%bcond_without seccomp
+%endif
 
 Name:           chrony
-Version:        3.5
-Release:        1%{?dist}
+Version:        4.8
+Release:        3%{?dist}
 Summary:        An NTP client/server
 
-License:        GPLv2
-URL:            https://chrony.tuxfamily.org
-Source0:        https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz
-Source1:        chrony.dhclient
-Source2:        chrony.helper
-Source3:        chrony-dnssrv@.service
-Source4:        chrony-dnssrv@.timer
+License:        GPL-2.0-only
+URL:            https://chrony-project.org
+Source0:        https://chrony-project.org/releases/chrony-%{version}%{?prerelease}.tar.gz
+Source1:        https://chrony-project.org/releases/chrony-%{version}%{?prerelease}-tar-gz-asc.txt
+Source2:        https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
+Source3:        chrony.dhclient
+Source4:        chrony.sysusers
 # simulator for test suite
-Source10:       https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
+Source10:       https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz
 %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
 
-# add NTP servers from DHCP when starting service
-Patch2:         chrony-service-helper.patch
+# add distribution-specific bits to DHCP dispatcher
+Patch1:         chrony-nm-dispatcher-dhcp.patch
+# let systemd create /var/lib/chrony and /var/log/chrony
+Patch2:         chrony-servicedirs.patch
+# update seccomp filter for new glibc
+Patch3:         chrony-seccomp.patch
 
 BuildRequires:  libcap-devel libedit-devel nettle-devel pps-tools-devel
-%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x
-BuildRequires:  libseccomp-devel
-%endif
-BuildRequires:  gcc gcc-c++ bison systemd
+BuildRequires:  gcc gcc-c++ make bison systemd gnupg2
+%{?with_nts:BuildRequires: gnutls-devel gnutls-utils}
+%{?with_seccomp:BuildRequires: libseccomp-devel}
 
-Requires(pre):  shadow-utils
 %{?systemd_requires}
+%{?sysusers_requires_compat}
 
-# install timedated implementation that can control chronyd service
-Recommends:     timedatex
+# Needed by the leapseclist directive in default chrony.conf
+Requires:       tzdata
 
 # suggest drivers for hardware reference clocks
 Suggests:       ntp-refclock
@@ -48,20 +56,24 @@ service to other computers in the network.
 %endif
 
 %prep
+%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
-%{?gitpatch:%patch0 -p1}
-%patch2 -p1 -b .service-helper
+%{?gitpatch:%patch -P 0 -p1}
+%patch -P 1 -p1 -b .nm-dispatcher-dhcp
+%patch -P 2 -p1 -b .servicedirs
+%patch -P 3 -p1 -b .seccomp
 
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
 
 # review changes in packaged configuration files and scripts
 md5sum -c <<-EOF | (! grep -v 'OK$')
-        47ad7eccc410b981d2f2101cf5682616  examples/chrony-wait.service
-        e473a9fab7fe200cacce3dca8b66290b  examples/chrony.conf.example2
-        96999221eeef476bd49fe97b97503126  examples/chrony.keys.example
+        5530d6e60f84b76c27495485d2510bac  examples/chrony-wait.service
+        3f2ddca6065c3e8f4565d7422739795a  examples/chrony.conf.example2
         6a3178c4670de7de393d9365e2793740  examples/chrony.logrotate
-        8748a663f0b1943ea491858f414a6b26  examples/chrony.nm-dispatcher
-        b23bcc3bd78e195ca2849459e459f3ed  examples/chronyd.service
+        c3992e2f985550739cd1cd95f98c9548  examples/chrony.nm-dispatcher.dhcp
+        4e85d36595727318535af3387411070c  examples/chrony.nm-dispatcher.onoffline
+        607c82f56639486f52c31105632909eb  examples/chronyd.service
+        5ddbb8a8055f587cb6b0b462ca73ea46  examples/chronyd-restricted.service
 EOF
 
 # don't allow packaging without vendor zone
@@ -69,69 +81,79 @@ test -n "%{vendorzone}"
 
 # use example chrony.conf as the default config with some modifications:
 # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses)
-# - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata
-# - enable keyfile
+# - enable leapseclist to get TAI-UTC offset and leap seconds
+# - use NTP servers from DHCP
 sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \
-    -e 's|#\(leapsectz\)|\1|' \
-    -e 's|#\(keyfile\)|\1|' \
+    -e 's|#\(leapseclist\)|\1|' \
+    -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \
         < examples/chrony.conf.example2 > chrony.conf
 
 touch -r examples/chrony.conf.example2 chrony.conf
 
+# set selinux context in chronyd-restricted service
+sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' \
+	examples/chronyd-restricted.service
+
 # regenerate the file from getdate.y
 rm -f getdate.c
 
-mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim
+mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim
 
 %build
 %configure \
 %{?with_debug: --enable-debug} \
         --enable-ntp-signd \
-        --enable-scfilter \
+%{?with_seccomp: --enable-scfilter} \
+%{!?with_nts: --disable-nts} \
+        --chronyrundir=/run/chrony \
         --docdir=%{_docdir} \
         --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \
+        --with-chronyc-user=chrony \
         --with-user=chrony \
         --with-hwclockfile=%{_sysconfdir}/adjtime \
+        --with-pidfile=/run/chrony/chronyd.pid \
         --with-sendmail=%{_sbindir}/sendmail
-make %{?_smp_mflags}
+%make_build
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
 
 rm -rf $RPM_BUILD_ROOT%{_docdir}
 
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d}
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d
 mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
+mkdir -p $RPM_BUILD_ROOT%{_sysusersdir}
+mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d
 mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d}
 
 install -m 644 -p chrony.conf $RPM_BUILD_ROOT%{_sysconfdir}/chrony.conf
 
-install -m 640 -p examples/chrony.keys.example \
-        $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys
-install -m 755 -p examples/chrony.nm-dispatcher \
-        $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-chrony
-install -m 755 -p %{SOURCE1} \
+install -m 755 -p %{SOURCE3} \
         $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d/chrony.sh
 install -m 644 -p examples/chrony.logrotate \
         $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/chrony
 
 install -m 644 -p examples/chronyd.service \
         $RPM_BUILD_ROOT%{_unitdir}/chronyd.service
+install -m 644 -p examples/chronyd-restricted.service \
+        $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service
+install -m 755 -p examples/chrony.nm-dispatcher.onoffline \
+        $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
+install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
+        $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
 install -m 644 -p examples/chrony-wait.service \
         $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service
-install -m 644 -p %{SOURCE3} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.service
-install -m 644 -p %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/chrony-dnssrv@.timer
-
-install -m 755 -p %{SOURCE2} $RPM_BUILD_ROOT%{_libexecdir}/chrony-helper
+install -m 644 -p %{SOURCE4} \
+        $RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf
 
 cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd <<EOF
 # Command-line options for chronyd
-OPTIONS=""
+OPTIONS="%{?with_seccomp:-F 2}"
 EOF
 
+touch $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys
 touch $RPM_BUILD_ROOT%{_localstatedir}/lib/chrony/{drift,rtc}
 
 echo 'chronyd.service' > \
@@ -139,58 +161,261 @@ echo 'chronyd.service' > \
 
 %check
 # set random seed to get deterministic results
-export CLKNETSIM_RANDOM_SEED=24502
-make %{?_smp_mflags} -C test/simulation/clknetsim
+export CLKNETSIM_RANDOM_SEED=24508
+%make_build -C test/simulation/clknetsim
 make quickcheck
 
 %pre
-getent group chrony > /dev/null || /usr/sbin/groupadd -r chrony
-getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
-       -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony
-:
+%sysusers_create_compat %{SOURCE4}
 
 %post
-# fix PIDFile in local chronyd.service on upgrades from chrony < 3.3-2
-if grep -q 'PIDFile=%{_localstatedir}/run/chronyd.pid' \
-                %{_sysconfdir}/systemd/system/chronyd.service 2> /dev/null && \
-        ! grep -qi '^[ '$'\t'']*pidfile' %{_sysconfdir}/chrony.conf 2> /dev/null
-then
-        sed -i '/PIDFile=/s|/run/|/run/chrony/|' \
-                %{_sysconfdir}/systemd/system/chronyd.service
+# migrate from chrony-helper to sourcedir directive
+if test -a %{_libexecdir}/chrony-helper; then
+        grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \
+                echo -e '\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp' >> \
+                        %{_sysconfdir}/chrony.conf
+        mkdir -p /run/chrony-dhcp
+        for f in %{_localstatedir}/lib/dhclient/chrony.servers.*; do
+                sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources"
+        done 2> /dev/null
 fi
-# workaround for late reload of unit file (#1614751)
-%{_bindir}/systemctl daemon-reload
-%systemd_post chronyd.service chrony-wait.service
+%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service
 
 %preun
-%systemd_preun chronyd.service chrony-wait.service
+%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service
 
 %postun
-%systemd_postun_with_restart chronyd.service
+%systemd_postun_with_restart chronyd.service chronyd-restricted.service
 
 %files
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%doc FAQ NEWS README
+%doc FAQ NEWS README examples/chrony.keys.example
 %config(noreplace) %{_sysconfdir}/chrony.conf
-%config(noreplace) %verify(not md5 size mtime) %attr(640,root,chrony) %{_sysconfdir}/chrony.keys
+%ghost %config %attr(640,root,chrony) %{_sysconfdir}/chrony.keys
 %config(noreplace) %{_sysconfdir}/logrotate.d/chrony
 %config(noreplace) %{_sysconfdir}/sysconfig/chronyd
-%{_sysconfdir}/NetworkManager/dispatcher.d/20-chrony
 %{_sysconfdir}/dhcp/dhclient.d/chrony.sh
 %{_bindir}/chronyc
 %{_sbindir}/chronyd
-%{_libexecdir}/chrony-helper
+%{_prefix}/lib/NetworkManager
 %{_prefix}/lib/systemd/ntp-units.d/*.list
 %{_unitdir}/chrony*.service
-%{_unitdir}/chrony*.timer
+%{_sysusersdir}/chrony.conf
 %{_mandir}/man[158]/%{name}*.[158]*
-%dir %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony
+%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
 %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift
 %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc
-%dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony
+%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
 
 %changelog
+* Tue Oct 21 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-3
+- update seccomp filter for new glibc (#2405310)
+
+* Mon Sep 08 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-2
+- drop root privileges in chronyc by default
+
+* Wed Aug 27 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-1
+- update to 4.8
+
+* Thu Aug 14 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-0.1.pre1
+- update to 4.8-pre1
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 4.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Thu Jul 10 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-2
+- let systemd create /var/lib/chrony and /var/log/chrony (#2372944)
+- drop workaround for broken build on aarch64
+- drop old conflict with NetworkManager
+
+* Wed Jun 11 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-1
+- update to 4.7
+
+* Thu May 22 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-0.2.pre1
+- add workaround for broken build on aarch64
+
+* Wed May 21 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-0.1.pre1
+- update to 4.7-pre1
+
+* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Tue Oct 08 2024 Miroslav Lichvar <mlichvar@redhat.com> 4.6.1-1
+- update to 4.6.1
+
+* Mon Sep 02 2024 Miroslav Lichvar <mlichvar@redhat.com> 4.6-1
+- update to 4.6
+
+* Tue Jul 30 2024 Miroslav Lichvar <mlichvar@redhat.com> 4.6-0.1.pre1
+- update to 4.6-pre1
+
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Tue Dec 05 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.5-1
+- update to 4.5
+
+* Wed Nov 22 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.5-0.1.pre1
+- update to 4.5-pre1
+
+* Wed Aug 09 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.4-1
+- update to 4.4
+- require tzdata (#2218368)
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.4-0.4.pre2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jun 21 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.4-0.3.pre2
+- update to 4.4-pre2
+- set selinux context in chronyd-restricted service (#2169949)
+
+* Tue Jun 06 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.4-0.2.pre1
+- rebuild for AES-GCM-SIV in new nettle
+
+* Wed May 10 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.4-0.1.pre1
+- update to 4.4-pre1
+- switch from patchX to patch -P X
+
+* Wed Jan 25 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.3-3
+- drop default chrony.keys config (#2104918)
+- add chronyd-restricted service for minimal NTP client configurations
+- convert license tag to SPDX
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Aug 31 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.3-1
+- update to 4.3
+
+* Thu Aug 11 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.3-0.1.pre1
+- update to 4.3-pre1
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 24 2022 Luca BRUNO <lucab@lucabruno.net> - 4.2-6
+- Add a sysusers.d fragment for chrony user/group
+
+* Wed Feb 16 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 4.2-5
+- Drop obsolete workaround in scriptlet
+
+* Wed Feb 09 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-4
+- update seccomp filter for latest glibc
+
+* Tue Feb 08 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-3
+- use NTP servers passed by NetworkManager from DHCPv6 NTP server option
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.2-1
+- update to 4.2
+
+* Thu Dec 02 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.2-0.1.pre1
+- update to 4.2-pre1
+
+* Tue Nov 16 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-5
+- fix hardened chronyd service to allow writing log files
+
+* Wed Sep 29 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-4
+- harden chronyd and chrony-wait services
+
+* Mon Aug 09 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-3
+- update seccomp filter for new glibc
+- remove unnecessary build requirement
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu May 13 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-1
+- update to 4.1
+- enable seccomp filter by default (incompatible with mailonchange directive)
+
+* Thu Apr 22 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-0.1.pre1
+- update to 4.1-pre1
+- rework NM-dispatcher/dhclient detection
+- enable LTO on s390x
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 4.0-4
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Tue Feb 02 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.0-3
+- update NM DHCP dispatcher script
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+- Add BuildRequires: make
+- drop dnssrv service and timer
+
+* Wed Oct 07 2020 Miroslav Lichvar <mlichvar@redhat.com> 4.0-1
+- update to 4.0
+- update directory permissions to follow upstream
+
+* Wed Sep 16 2020 Miroslav Lichvar <mlichvar@redhat.com> 4.0-0.9.pre4
+- update to 4.0-pre4
+
+* Wed Aug 26 2020 Miroslav Lichvar <mlichvar@redhat.com> 4.0-0.8.pre3
+- update to 4.0-pre3
+- switch to sourcedir directive for loading servers from DHCP
+- add NetworkManager dispatcher script to save servers from DHCP when
+  dhclient is not installed (Robert Fairley)
+- drop old migration code from scriptlet
+- move default paths in /var/run to /run
+
+* Mon Aug 10 2020 Jeff Law <law@redhat.com> - 4.0-0.7.pre2
+- Disable LTO on s390x
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-0.6.pre2
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-0.5.pre2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> 4.0-0.4.pre2
+- use make macros
+
+* Mon May 04 2020 Miroslav Lichvar <mlichvar@redhat.com> 4.0-0.3.pre2
+- rebuild for new nettle
+
+* Mon Apr 20 2020 Miroslav Lichvar <mlichvar@redhat.com> 4.0-0.2.pre2
+- update to 4.0-pre2
+
+* Tue Mar 17 2020 Miroslav Lichvar <mlichvar@redhat.com> 4.0-0.1.pre1
+- update to 4.0-pre1
+- add net-tools to build requirements for testing
+- add missing dependency on coreutils
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 20 2020 Miroslav Lichvar <mlichvar@redhat.com> 3.5-7
+- fix testing with new glibc (#1792854)
+
+* Wed Oct 09 2019 Miroslav Lichvar <mlichvar@redhat.com> 3.5-6
+- drop timedatex recommendation
+- verify upstream signatures
+
+* Thu Aug 22 2019 Lubomir Rintel <lkundrak@v3.sk> - 3.5-5
+- Move the NetworkManager dispatcher script out of /etc
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 16 2019 Miroslav Lichvar <mlichvar@redhat.com> 3.5-3
+- rebuild for new nettle
+
+* Thu May 23 2019 Miroslav Lichvar <mlichvar@redhat.com> 3.5-2
+- fix shellcheck warnings in helper scripts
+
 * Tue May 14 2019 Miroslav Lichvar <mlichvar@redhat.com> 3.5-1
 - update to 3.5
 

chrony.sysusers

@@ -0,0 +1,2 @@
+#Type Name   ID    GECOS                Home directory  Shell
+u     chrony -     "chrony system user" /var/lib/chrony /sbin/nologin

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -0,0 +1,25 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+ 
+#Rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+ 
+#gating rhel
+--- !Policy
+product_versions:
+  - rhel-*
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc

@@ -0,0 +1,54 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGCc9dwBEADLydyZIqgarshQeCtIlWAgP3coy0mdJwxet1CvXwF1xpq18Qi1
+Tt9RZL64SkbQ8sKryBqnPjKZdOfVT5FwUucjp9L+/j7Bhk0tqv30EIQ57rnDLJ9T
+c4LG1leO+Tc5Ym/0tvv4uMjkxr4KAKHPYrweHk6EAw06bbJ02mfy9xhlITSfyyFl
+QRoRTEjy8N2IDutA4QzbZm0T5kvI7k7s/ILG5vyNo53X5PI/rWrSqmPZ5qs0lvDv
+tA+rxOJp+FvlvOyBuv3ftIX0kAwRU+x/ET2Yd9qQWnXRx9d9D2UpFXm9DHfCDJYR
+F56D0O3hf+rrCa/uSutIqmR33j5Wz4bYjWdmg4wbRQaoVxJl5AUrWuYEFwcCuY2B
+FFgttLPb0qHpeBwuWaWJ9U6HM7qY3WEI2C/OWM0XFM8ERezedNEf7O2GTsoVVcm+
+LRg31R3eJzipKMAGZWScSDSRAXhh6oZhflMRjYKGvwRfgeos/Sl2bdYL80hqyjGV
+jMhEYDC9sfLXRyLU+9FexruIzSLR8Vornma3zjzu9pRkbfTHb8FfBMt9MZEWraF2
+7riRq/zJE9QPWnBL/C8rdaXXxflBmGctn7RDKGOvxZ7SxPzzHbl5tV/Fizhkeph/
+v8YLVuCOk0pIpX65mFun3Xw5IF01x1GMzU1xYezExti9yBNiv9HVqf1DWwARAQAB
+tCZNaXJvc2xhdiBMaWNodmFyIDxtbGljaHZhckByZWRoYXQuY29tPokCVAQTAQgA
+PhYhBI83XH6NDuElo9O9UVN+K3b3aA2sBQJgnPXcAhsDBQkSzAMABQsJCAcCBhUK
+CQgLAgQWAgMBAh4BAheAAAoJEFN+K3b3aA2sl8IQAJ9AMppV6cdxzt8g2Ypz0hw1
+6+9T5DjbYE/s0lozFQhCoYfo+SZyc3+yyKzlxI3ryHwFk9NjXGZZ8QjzT7FLj7/s
+nKDjv5hUCOAi9Q+k217xwlBueeMyheeVaGGGa+Hv5CF1fZx/MtxiShUqu8oSqUyP
+nW8lPGz73MfGAPT7kijVnz73pbht0vrZ9I+r8dnQGiweGBohexfCvmncrTyhjM8r
+nvecycYBNnXhupzpmSMZgIA1s2v7oVmTnV0bntxE/gr7+SPk7KozhD12K8OU8deJ
+cDD8F7NKa9Oe5NtuGVN4IPqp5cgj7GAyIj0sYss9Jknu4jX0imR5kwH6GbgFa7c/
+kU+fKTz57Rs1OGr3glYpMnNftXSWbC2V/OJxHVEcMk8HwKLgnQjtmKLVGeCo5iS6
+LFQuWaxpfjvxVjGSpnNu19cHVUhDM9cTP1DhUd4LdnltHQ+/xjwgzTgE4GJ1ZB0W
+vhvxcdb69Sf50bGd4/WuURRoYSE7M6UKRwfXmMpyTiNhZz+3XjAoScA9AS7q9xfS
+y3OddQEle/+qNFdABB12WmCgRhWemHzTZDXydIJuw+ucLO7U5RrDdqdaHkRVXJ9G
+4mdk+3FgUlYgB9GY4pHQdqGdE60838R2zY9x0gK8cHU+FaRPAiTU8SJL0wb/Rko7
+qbZUY/6bgrDoXp4otAP2iF0EExECAB0WIQSLH0qa2nPUAeMIWgtf8G8puh4BOwUC
+YJ0C3AAKCRBf8G8puh4BO9k2AJ4ohgz/p49IBfjf22sEL1FvYM/DhwCfTyCkbogO
+uagIg5qwuEGwHMgn19G5Ag0EYJz13AEQAMrLXgl5u6vAakSF9n+xCP2WOiMHzzrR
+OxHnWzsX6PTXpJt14LSZOZ5wjdyR3gLJWGLdkfHoxHpQYp7PLgNS29SuAc4HQ+Br
+O5F4g9EmwDJ0ueUYxU1FcySRXfXR+gLabpQCc2s9bW6RaMwLuQNxZwkfXClkPQms
+ImTFA0KntWpHc+uEr1J2i6LQS7D/BK6m72l9x8z9k9gqAabXw+xHsis+ffPMG5Jm
+HOqeHYtsq+2JW1VvBnA4Qh3DKH9OQaD9hZbEiUC3nMmlLkPF/r29tWTPa7luBHBn
+X556JTXVm+vDUDwZ2srLfaKyQCxbNLwvQ2Pn5SOyyCnuIWR2xZs/+KPDMhtKUBAV
+HcboVu6iPCTU42CVMPaJvYD2iUEncZNeUGJOSuG240LSLNGEFFsD7YgXb1XHjQD5
+ci3Ki7P/hHi3AG53IsQTiaE5VgBdDje3zYCf5WaZ6c3DQQB9lab2RMz+5Fdr7Z6Y
+mFRUbmxSnsMe0mwwcqVe3ofV0fKvE7Ep0T8bBg53dCqyU8hIbD5wUe99JmhMFnzs
+5elwkv/Hb3Eg92dgu1zWb5kMzuvGEHtCIukIy1B+pzQOfT+iOC+lbmRHhPslJ9S0
+1vENJE+nEEsGxPy9pRHrmWSKI4Zh+ysjb/vW/vOwAd1RsvxTfgBeOOawmlz+n0pJ
+T018ZnUgmc35ABEBAAGJAjwEGAEIACYWIQSPN1x+jQ7hJaPTvVFTfit292gNrAUC
+YJz13AIbDAUJEswDAAAKCRBTfit292gNrPuRD/43kM0P71gxfJQj6PBpPtjIVVfm
+4TIPWKmV+F4/9eCwAPC/o44Yw+nxGr77Rk2DsaSn0V51j2egRCXKuZBZx/v6JXP7
+qpDk3Uecml7IfxTd+N+gkI3viUsrt4ykUgyUH/wy/edMG3h9qhBQP0RxiDge18P6
+YUpQSnq3uP72ycTPLBJlqp/Y9+GXUapvcyDqBFnvs96ieDmSbjSf6tris1cuLv6f
+eld4HNUY/LmI5MlYbywbgWGpSOyKUlTtyF33LqPnWd7UuTN7QNsYyjGnlJbkkGi/
+KwuNbIo5Gs4avaUSTc7SBLdCYneEIt7mt7hg0StKHQC6s/ak/w8yl1yFy5gRusO4
+QCFT2ZMQ6jZUAuaQGx0rhWQr9akNNJEDsHTBQR8pxpFp3LcDXcUXSSeySRSFZLt+
+hExvDQxXuhdbZHYGL1E6g5gtJQKnobNu2jMOziBcDivhAsqNw2Poq6fJVLavjBI5
+BI1xAqmymIExJFSlHdLuZq09cVzY3EOj3x23YTzPKNOI/qu4jTUT4Byi8Oy3PN1B
+B0n5SqORWJ0KfAyVEewshSAqJ7zrZ5sJXWnKeVQqBOg5EwkOB8rz/M3mqgrnBRiq
+hLiiiG5tKETA1YIQGXIbP8t1vqoQrpvYaJfkk3kQlktxfFkDRt8dKIxpFk8uPiNb
+bcAu2uXfRrQxpaqcOg==
+=/wbD
+-----END PGP PUBLIC KEY BLOCK-----

plans.fmf

@@ -0,0 +1,47 @@
+/tier1-internal:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
+      name: /plans/tier1/internal
+  adjust:
+    enabled: false
+    when: distro == centos-stream, fedora
+    because: They don't have access to internal repos.
+
+/tier1-public:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
+      name: /plans/tier1/public
+
+/tier2-tier3-internal:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
+      name: /plans/tier2-tier3/internal
+  adjust:
+    enabled: false
+    when: distro == centos-stream, fedora
+    because: They don't have access to internal repos.
+
+/tier2-tier3-public:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
+      name: /plans/tier2-tier3/public
+
+/others-internal:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
+      name: /plans/others/internal
+  adjust:
+    enabled: false
+    when: distro == centos-stream, fedora
+    because: They don't have access to internal repos.
+
+/others-public:
+  plan:
+    import:
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
+      name: /plans/others/public

sources

@@ -1,2 +1,3 @@
-SHA512 (chrony-3.5.tar.gz) = c4f6376a44d71b6ac2b6d86e3d6fb4348642faeef7f3f3a4d6431627b5645efcc868b005cc398c8292bc3b63a1161fbd1a042c6ac2a0595843f908fe32eed90c
-SHA512 (clknetsim-3f5ef9.tar.gz) = 01eea027ec8289d1053236fcc9ee09a8411e5f68cb3279077e50d330169a1ba1284798a50786dbd94382444aeaa652e276b94668c7adf5be66e910f937a9e55d
+SHA512 (chrony-4.8-tar-gz-asc.txt) = df7f4e06f74a4b8c9a49e8fe57ea02e0324c5683d036412c32192a09f08e08f33537609cef8df0b4302bfcd63332b3092f33f40c8d02857c93ecea13822b5b47
+SHA512 (chrony-4.8.tar.gz) = 949b796bb34db32a5c1b9e6b53be6a22e51c59f24a316d585b8a52a52ab1f61bdf0378dc58b282bb0ba4fac1f05e1e99fbe37cb4259aa2b359e7bf679c176aab
+SHA512 (clknetsim-6ee99f50dec8.tar.gz) = 2621d1c44b84b42fcdf644f236ff90dab9f8a8407a138c8719c53dd9c4f21480db3b4ba598116aa1b9d6bd1fa02fc410d85a43baf55ddf8ad47fc09aba4c4477