4.1-1

2021-05-13 17:09:26 +02:00
11 changed files with 74 additions and 495 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
-1
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
-/chrony-4.8-tar-gz-asc.txt
-/chrony-4.8.tar.gz
-/clknetsim-6ee99f50dec8.tar.gz
+/chrony-4.1.tar.gz
+/chrony-4.1-tar-gz-asc.txt
+/clknetsim-f89702.tar.gz
--- a/chrony-nm-dispatcher-dhcp.patch
+++ b/chrony-nm-dispatcher-dhcp.patch
@ -11,29 +11,33 @@ diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.
 index 6ea4c37..a6ad35a 100644
 --- a/examples/chrony.nm-dispatcher.dhcp
 +++ b/examples/chrony.nm-dispatcher.dhcp
-@@ -8,15 +8,23 @@ export LC_ALL=C
- interface=$1
- action=$2
+@@ -6,16 +6,24 @@
+ 
+ chronyc=/usr/bin/chronyc
+ default_server_options=iburst
+-server_dir=/var/run/chrony-dhcp
+server_dir=/run/chrony-dhcp
+ 
+ dhcp_server_file=$server_dir/$interface.sources
+ # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
+ nm_dhcp_servers=$DHCP4_NTP_SERVERS
 
 +[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
 +[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
 +    . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
 +
- chronyc=/usr/bin/chronyc
-server_options=iburst
-server_dir=/var/run/chrony-dhcp
-+server_options=${NTPSERVERARGS:-iburst}
-+server_dir=/run/chrony-dhcp
- 
- dhcp_server_file=$server_dir/$interface.sources
- dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
- 
 add_servers_from_dhcp() {
     rm -f "$dhcp_server_file"
 +
 +    # Don't add NTP servers if PEERNTP=no specified; return early.
 +    [ "$PEERNTP" = "no" ] && return
 +
-     for server in $dhcp_ntp_servers; do
-         # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
-         len1=$(printf '%s' "$server" | wc -c)
+     for server in $nm_dhcp_servers; do
+-        echo "server $server $default_server_options" >> "$dhcp_server_file"
+        echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file"
+     done
+     $chronyc reload sources > /dev/null 2>&1 || :
+ }
+-- 
+2.29.2
+
--- a/chrony-seccomp.patch
+++ b/chrony-seccomp.patch
@ -1,194 +0,0 @@
-commit 03875f1ea5c4c0eeeb30a7d1fc5fdd53236f4ac2
-Author: Miroslav Lichvar <mlichvar@redhat.com>
-Date:   Tue Oct 21 14:06:38 2025 +0200
-
-    sys_linux: allow ioctl(TCGETS2) in seccomp filter
-    
-    Add TCGETS2 to the list of allowed ioctls. It seems to be called by the
-    latest glibc version from isatty(), which is called from libpcsclite
-    used by gnutls in an NTS-KE session.
-    
-    Include the linux termios header instead of glibc header to get a usable
-    definition of TCGETS2.
-
-diff --git a/sys_linux.c b/sys_linux.c
-index ca5540f2..e20e459d 100644
--- a/sys_linux.c
-+++ b/sys_linux.c
-@@ -48,7 +48,7 @@
- #ifdef FEAT_SCFILTER
- #include <sys/prctl.h>
- #include <seccomp.h>
-#include <termios.h>
-+#include <linux/termios.h>
- #ifdef FEAT_PPS
- #include <linux/pps.h>
- #endif
-@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
-   const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
- 
-   const static unsigned long ioctls[] = {
-    FIONREAD, TCGETS, TIOCGWINSZ,
-+    FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
- #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
-     PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
- #ifdef PTP_PIN_SETFUNC
-commit 3c39afa13c769452d4c340bfc987e229b7c9caeb
-Author: Miroslav Lichvar <mlichvar@redhat.com>
-Date:   Wed Oct 22 10:53:11 2025 +0200
-
-    sys_linux: fix building with older compilers and some archs
-    
-    The recent replacement of <termios.h> with <linux/termios.h> to get
-    TCGETS2 seems to work only with compilers (or C standards) that allow
-    the same structure to be defined multiple times. There is a conflict
-    between <sys/ioctl.h> and <linux/termios.h>.
-    
-    Another problem is that TCGETS2 is not used on some archs like ppc64.
-    
-    Switch back to <termios.h> and move TCGETS2 to a list in a separate
-    file where it can be compiled without <sys/ioctl.h>.
-    
-    Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter")
-
-diff --git a/configure b/configure
-index 195b1ed7..ca64475d 100755
--- a/configure
-+++ b/configure
-@@ -808,6 +808,7 @@ then
-   # a time and the async resolver would block the main thread
-   priv_ops="NAME2IPADDRESS RELOADDNS"
-   EXTRA_LIBS="$EXTRA_LIBS -lseccomp"
-+  EXTRA_OBJECTS="$EXTRA_OBJECTS sys_linux_scmp.o"
- fi
- 
- if [ "x$priv_ops" != "x" ]; then
-diff --git a/sys_linux.c b/sys_linux.c
-index e20e459d..89eec950 100644
--- a/sys_linux.c
-+++ b/sys_linux.c
-@@ -48,7 +48,7 @@
- #ifdef FEAT_SCFILTER
- #include <sys/prctl.h>
- #include <seccomp.h>
-#include <linux/termios.h>
-+#include <termios.h>
- #ifdef FEAT_PPS
- #include <linux/pps.h>
- #endif
-@@ -63,6 +63,7 @@
- #endif
- 
- #include "sys_linux.h"
-+#include "sys_linux_scmp.h"
- #include "sys_timex.h"
- #include "conf.h"
- #include "local.h"
-@@ -615,7 +616,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
-   const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
- 
-   const static unsigned long ioctls[] = {
-    FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
-+    FIONREAD, TCGETS, TIOCGWINSZ,
- #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
-     PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
- #ifdef PTP_PIN_SETFUNC
-@@ -728,6 +729,14 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
-                            SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0)
-         goto add_failed;
-     }
-+
-+    /* Allow selected ioctls that need to be specified in a separate
-+       file to avoid conflicting headers (e.g. TCGETS2) */
-+    for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++) {
-+      if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
-+                           SCMP_A1(SCMP_CMP_EQ, SYS_Linux_GetExtraScmpIoctl(i))) < 0)
-+        goto add_failed;
-+    }
-   }
- 
-   if (seccomp_load(ctx) < 0)
-diff --git a/sys_linux_scmp.c b/sys_linux_scmp.c
-new file mode 100644
-index 00000000..a907a97d
--- /dev/null
-+++ b/sys_linux_scmp.c
-@@ -0,0 +1,44 @@
-+/*
-+  chronyd/chronyc - Programs for keeping computer clocks accurate.
-+
-+ **********************************************************************
-+ * Copyright (C) Miroslav Lichvar  2025
-+ * 
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of version 2 of the GNU General Public License as
-+ * published by the Free Software Foundation.
-+ * 
-+ * This program is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * General Public License for more details.
-+ * 
-+ * You should have received a copy of the GNU General Public License along
-+ * with this program; if not, write to the Free Software Foundation, Inc.,
-+ * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-+ * 
-+ **********************************************************************
-+
-+  =======================================================================
-+
-+  Lists of values that are needed in seccomp filters but need to
-+  be compiled separately from sys_linux.c due to conflicting headers.
-+  */
-+
-+#include <linux/termios.h>
-+
-+#include "sys_linux_scmp.h"
-+
-+unsigned long
-+SYS_Linux_GetExtraScmpIoctl(int index)
-+{
-+  const unsigned long ioctls[] = {
-+#ifdef TCGETS2
-+    /* Conflict between <linux/termios.h> and <sys/ioctl.h> */
-+    TCGETS2,
-+#endif
-+    0
-+  };
-+
-+  return ioctls[index];
-+}
-diff --git a/sys_linux_scmp.h b/sys_linux_scmp.h
-new file mode 100644
-index 00000000..62a9d548
--- /dev/null
-+++ b/sys_linux_scmp.h
-@@ -0,0 +1,28 @@
-+/*
-+  chronyd/chronyc - Programs for keeping computer clocks accurate.
-+
-+ **********************************************************************
-+ * Copyright (C) Miroslav Lichvar  2025
-+ * 
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of version 2 of the GNU General Public License as
-+ * published by the Free Software Foundation.
-+ * 
-+ * This program is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * General Public License for more details.
-+ * 
-+ * You should have received a copy of the GNU General Public License along
-+ * with this program; if not, write to the Free Software Foundation, Inc.,
-+ * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-+ * 
-+ **********************************************************************
-+
-+  =======================================================================
-+
-+  Header file for lists that are needed in seccomp filters but need to
-+  be compiled separately from sys_linux.c due to conflicting headers.
-+  */
-+
-+extern unsigned long SYS_Linux_GetExtraScmpIoctl(int index);
--- a/chrony-servicedirs.patch
+++ b/chrony-servicedirs.patch
@ -1,18 +0,0 @@
-diff -up chrony-4.7/examples/chronyd.service.servicedirs chrony-4.7/examples/chronyd.service
--- chrony-4.7/examples/chronyd.service.servicedirs	2025-06-11 15:06:19.000000000 +0200
-+++ chrony-4.7/examples/chronyd.service	2025-07-10 12:06:57.354215498 +0200
-@@ -10,7 +10,13 @@ Type=notify
- PIDFile=/run/chrony/chronyd.pid
- Environment="OPTIONS="
- EnvironmentFile=-/etc/sysconfig/chronyd
-ExecStart=/usr/sbin/chronyd -n $OPTIONS
-+ExecStart=!/usr/sbin/chronyd -n $OPTIONS
-+
-+User=chrony
-+LogsDirectory=chrony
-+LogsDirectoryMode=0750
-+StateDirectory=chrony
-+StateDirectoryMode=0750
- 
- CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
- CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
--- a/chrony.spec
+++ b/chrony.spec
@ -1,45 +1,39 @@
 %global _hardened_build 1
-%global clknetsim_ver 6ee99f50dec8
+%global clknetsim_ver f89702
 %bcond_without debug
 %bcond_without nts

-%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x
-%bcond_without seccomp
-%endif
-
 Name:           chrony
-Version:        4.8
-Release:        3%{?dist}
+Version:        4.1
+Release:        1%{?dist}
 Summary:        An NTP client/server

-License:        GPL-2.0-only
-URL:            https://chrony-project.org
-Source0:        https://chrony-project.org/releases/chrony-%{version}%{?prerelease}.tar.gz
-Source1:        https://chrony-project.org/releases/chrony-%{version}%{?prerelease}-tar-gz-asc.txt
-Source2:        https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
+License:        GPLv2
+URL:            https://chrony.tuxfamily.org
+Source0:        https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz
+Source1:        https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt
+Source2:        https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
 Source3:        chrony.dhclient
-Source4:        chrony.sysusers
 # simulator for test suite
-Source10:       https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz
+Source10:       https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
 %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}

-# add distribution-specific bits to DHCP dispatcher
+# add Fedora/RHEL-specific bits to DHCP dispatcher, including
+# deferring to dhclient if installled, and using /etc/sysconfig
 Patch1:         chrony-nm-dispatcher-dhcp.patch
-# let systemd create /var/lib/chrony and /var/log/chrony
-Patch2:         chrony-servicedirs.patch
-# update seccomp filter for new glibc
-Patch3:         chrony-seccomp.patch

 BuildRequires:  libcap-devel libedit-devel nettle-devel pps-tools-devel
-BuildRequires:  gcc gcc-c++ make bison systemd gnupg2
+%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x
+BuildRequires:  libseccomp-devel
+%endif
+BuildRequires:  gcc gcc-c++ make bison systemd gnupg2 net-tools
 %{?with_nts:BuildRequires: gnutls-devel gnutls-utils}
-%{?with_seccomp:BuildRequires: libseccomp-devel}

+Requires(pre):  shadow-utils
 %{?systemd_requires}
-%{?sysusers_requires_compat}

-# Needed by the leapseclist directive in default chrony.conf
-Requires:       tzdata
+# Old NetworkManager expects the dispatcher scripts in a different place
+Conflicts:      NetworkManager < 1.20

 # suggest drivers for hardware reference clocks
 Suggests:       ntp-refclock
@ -58,22 +52,20 @@ service to other computers in the network.
 %prep
 %{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
-%{?gitpatch:%patch -P 0 -p1}
-%patch -P 1 -p1 -b .nm-dispatcher-dhcp
-%patch -P 2 -p1 -b .servicedirs
-%patch -P 3 -p1 -b .seccomp
+%{?gitpatch:%patch0 -p1}
+%patch1 -p1 -b .nm-dispatcher-dhcp

 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}

 # review changes in packaged configuration files and scripts
 md5sum -c <<-EOF | (! grep -v 'OK$')
-        5530d6e60f84b76c27495485d2510bac  examples/chrony-wait.service
-        3f2ddca6065c3e8f4565d7422739795a  examples/chrony.conf.example2
+        bc563c1bcf67b2da774bd8c2aef55a06  examples/chrony-wait.service
+        2d01b94bc1a7b7fb70cbee831488d121  examples/chrony.conf.example2
+        96999221eeef476bd49fe97b97503126  examples/chrony.keys.example
        6a3178c4670de7de393d9365e2793740  examples/chrony.logrotate
-        c3992e2f985550739cd1cd95f98c9548  examples/chrony.nm-dispatcher.dhcp
-        4e85d36595727318535af3387411070c  examples/chrony.nm-dispatcher.onoffline
-        607c82f56639486f52c31105632909eb  examples/chronyd.service
-        5ddbb8a8055f587cb6b0b462ca73ea46  examples/chronyd-restricted.service
+        a7054c9352c07384bd7ea0477e6e8a8c  examples/chrony.nm-dispatcher.dhcp
+        8f5a98fcb400a482d355b929d04b5518  examples/chrony.nm-dispatcher.onoffline
+        32c34c995c59fd1c3ad1616d063ae4a0  examples/chronyd.service
 EOF

 # don't allow packaging without vendor zone
@ -81,34 +73,31 @@ test -n "%{vendorzone}"

 # use example chrony.conf as the default config with some modifications:
 # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses)
-# - enable leapseclist to get TAI-UTC offset and leap seconds
+# - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata
+# - enable keyfile
 # - use NTP servers from DHCP
 sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \
-    -e 's|#\(leapseclist\)|\1|' \
+    -e 's|#\(leapsectz\)|\1|' \
+    -e 's|#\(keyfile\)|\1|' \
    -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \
        < examples/chrony.conf.example2 > chrony.conf

 touch -r examples/chrony.conf.example2 chrony.conf

-# set selinux context in chronyd-restricted service
-sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' \
-	examples/chronyd-restricted.service
-
 # regenerate the file from getdate.y
 rm -f getdate.c

-mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim
+mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim

 %build
 %configure \
 %{?with_debug: --enable-debug} \
        --enable-ntp-signd \
-%{?with_seccomp: --enable-scfilter} \
+        --enable-scfilter \
 %{!?with_nts: --disable-nts} \
        --chronyrundir=/run/chrony \
        --docdir=%{_docdir} \
        --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \
-        --with-chronyc-user=chrony \
        --with-user=chrony \
        --with-hwclockfile=%{_sysconfdir}/adjtime \
        --with-pidfile=/run/chrony/chronyd.pid \
@ -124,12 +113,13 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d}
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d
 mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
-mkdir -p $RPM_BUILD_ROOT%{_sysusersdir}
 mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d
 mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d}

 install -m 644 -p chrony.conf $RPM_BUILD_ROOT%{_sysconfdir}/chrony.conf

+install -m 640 -p examples/chrony.keys.example \
+        $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys
 install -m 755 -p %{SOURCE3} \
        $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d/chrony.sh
 install -m 644 -p examples/chrony.logrotate \
@ -137,23 +127,18 @@ install -m 644 -p examples/chrony.logrotate \

 install -m 644 -p examples/chronyd.service \
        $RPM_BUILD_ROOT%{_unitdir}/chronyd.service
-install -m 644 -p examples/chronyd-restricted.service \
-        $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service
 install -m 755 -p examples/chrony.nm-dispatcher.onoffline \
        $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
 install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
        $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
 install -m 644 -p examples/chrony-wait.service \
        $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service
-install -m 644 -p %{SOURCE4} \
-        $RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf

 cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd <<EOF
 # Command-line options for chronyd
-OPTIONS="%{?with_seccomp:-F 2}"
+OPTIONS=""
 EOF

-touch $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys
 touch $RPM_BUILD_ROOT%{_localstatedir}/lib/chrony/{drift,rtc}

 echo 'chronyd.service' > \
@ -161,14 +146,19 @@ echo 'chronyd.service' > \

 %check
 # set random seed to get deterministic results
-export CLKNETSIM_RANDOM_SEED=24508
+export CLKNETSIM_RANDOM_SEED=24505
 %make_build -C test/simulation/clknetsim
 make quickcheck

 %pre
-%sysusers_create_compat %{SOURCE4}
+getent group chrony > /dev/null || /usr/sbin/groupadd -r chrony
+getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
+       -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony
+:

 %post
+# workaround for late reload of unit file (#1614751)
+%{_bindir}/systemctl daemon-reload
 # migrate from chrony-helper to sourcedir directive
 if test -a %{_libexecdir}/chrony-helper; then
        grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \
@ -179,20 +169,20 @@ if test -a %{_libexecdir}/chrony-helper; then
                sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources"
        done 2> /dev/null
 fi
-%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service
+%systemd_post chronyd.service chrony-wait.service

 %preun
-%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service
+%systemd_preun chronyd.service chrony-wait.service

 %postun
-%systemd_postun_with_restart chronyd.service chronyd-restricted.service
+%systemd_postun_with_restart chronyd.service

 %files
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%doc FAQ NEWS README examples/chrony.keys.example
+%doc FAQ NEWS README
 %config(noreplace) %{_sysconfdir}/chrony.conf
-%ghost %config %attr(640,root,chrony) %{_sysconfdir}/chrony.keys
+%config(noreplace) %verify(not md5 size mtime) %attr(640,root,chrony) %{_sysconfdir}/chrony.keys
 %config(noreplace) %{_sysconfdir}/logrotate.d/chrony
 %config(noreplace) %{_sysconfdir}/sysconfig/chronyd
 %{_sysconfdir}/dhcp/dhclient.d/chrony.sh
@ -201,142 +191,15 @@ fi
 %{_prefix}/lib/NetworkManager
 %{_prefix}/lib/systemd/ntp-units.d/*.list
 %{_unitdir}/chrony*.service
-%{_sysusersdir}/chrony.conf
 %{_mandir}/man[158]/%{name}*.[158]*
-%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
+%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
 %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift
 %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc
-%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
+%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony

 %changelog
-* Tue Oct 21 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-3
- update seccomp filter for new glibc (#2405310)
-
-* Mon Sep 08 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-2
- drop root privileges in chronyc by default
-
-* Wed Aug 27 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-1
- update to 4.8
-
-* Thu Aug 14 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-0.1.pre1
- update to 4.8-pre1
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 4.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Thu Jul 10 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-2
- let systemd create /var/lib/chrony and /var/log/chrony (#2372944)
- drop workaround for broken build on aarch64
- drop old conflict with NetworkManager
-
-* Wed Jun 11 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-1
- update to 4.7
-
-* Thu May 22 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-0.2.pre1
- add workaround for broken build on aarch64
-
-* Wed May 21 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-0.1.pre1
- update to 4.7-pre1
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Tue Oct 08 2024 Miroslav Lichvar <mlichvar@redhat.com> 4.6.1-1
- update to 4.6.1
-
-* Mon Sep 02 2024 Miroslav Lichvar <mlichvar@redhat.com> 4.6-1
- update to 4.6
-
-* Tue Jul 30 2024 Miroslav Lichvar <mlichvar@redhat.com> 4.6-0.1.pre1
- update to 4.6-pre1
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Tue Dec 05 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.5-1
- update to 4.5
-
-* Wed Nov 22 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.5-0.1.pre1
- update to 4.5-pre1
-
-* Wed Aug 09 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.4-1
- update to 4.4
- require tzdata (#2218368)
-
-* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.4-0.4.pre2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Wed Jun 21 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.4-0.3.pre2
- update to 4.4-pre2
- set selinux context in chronyd-restricted service (#2169949)
-
-* Tue Jun 06 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.4-0.2.pre1
- rebuild for AES-GCM-SIV in new nettle
-
-* Wed May 10 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.4-0.1.pre1
- update to 4.4-pre1
- switch from patchX to patch -P X
-
-* Wed Jan 25 2023 Miroslav Lichvar <mlichvar@redhat.com> 4.3-3
- drop default chrony.keys config (#2104918)
- add chronyd-restricted service for minimal NTP client configurations
- convert license tag to SPDX
-
-* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Wed Aug 31 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.3-1
- update to 4.3
-
-* Thu Aug 11 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.3-0.1.pre1
- update to 4.3-pre1
-
-* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Tue May 24 2022 Luca BRUNO <lucab@lucabruno.net> - 4.2-6
- Add a sysusers.d fragment for chrony user/group
-
-* Wed Feb 16 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 4.2-5
- Drop obsolete workaround in scriptlet
-
-* Wed Feb 09 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-4
- update seccomp filter for latest glibc
-
-* Tue Feb 08 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-3
- use NTP servers passed by NetworkManager from DHCPv6 NTP server option
-
-* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Thu Dec 16 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.2-1
- update to 4.2
-
-* Thu Dec 02 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.2-0.1.pre1
- update to 4.2-pre1
-
-* Tue Nov 16 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-5
- fix hardened chronyd service to allow writing log files
-
-* Wed Sep 29 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-4
- harden chronyd and chrony-wait services
-
-* Mon Aug 09 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-3
- update seccomp filter for new glibc
- remove unnecessary build requirement
-
-* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
 * Thu May 13 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-1
 - update to 4.1
- enable seccomp filter by default (incompatible with mailonchange directive)

 * Thu Apr 22 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-0.1.pre1
 - update to 4.1-pre1
--- a/chrony.sysusers
+++ b/chrony.sysusers
@ -1,2 +0,0 @@
-#Type Name   ID    GECOS                Home directory  Shell
-u     chrony -     "chrony system user" /var/lib/chrony /sbin/nologin
--- a/ci.fmf
+++ b/ci.fmf
@ -1 +0,0 @@
-resultsdb-testcase: separate
--- a/gating.yaml
+++ b/gating.yaml
@ -1,25 +0,0 @@
--- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
- 
-#Rawhide
--- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
- 
-#gating rhel
--- !Policy
-product_versions:
-  - rhel-*
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
--- a/plans.fmf
+++ b/plans.fmf
@ -1,47 +0,0 @@
-/tier1-internal:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
-      name: /plans/tier1/internal
-  adjust:
-    enabled: false
-    when: distro == centos-stream, fedora
-    because: They don't have access to internal repos.
-
-/tier1-public:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
-      name: /plans/tier1/public
-
-/tier2-tier3-internal:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
-      name: /plans/tier2-tier3/internal
-  adjust:
-    enabled: false
-    when: distro == centos-stream, fedora
-    because: They don't have access to internal repos.
-
-/tier2-tier3-public:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
-      name: /plans/tier2-tier3/public
-
-/others-internal:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
-      name: /plans/others/internal
-  adjust:
-    enabled: false
-    when: distro == centos-stream, fedora
-    because: They don't have access to internal repos.
-
-/others-public:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
-      name: /plans/others/public
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-SHA512 (chrony-4.8-tar-gz-asc.txt) = df7f4e06f74a4b8c9a49e8fe57ea02e0324c5683d036412c32192a09f08e08f33537609cef8df0b4302bfcd63332b3092f33f40c8d02857c93ecea13822b5b47
-SHA512 (chrony-4.8.tar.gz) = 949b796bb34db32a5c1b9e6b53be6a22e51c59f24a316d585b8a52a52ab1f61bdf0378dc58b282bb0ba4fac1f05e1e99fbe37cb4259aa2b359e7bf679c176aab
-SHA512 (clknetsim-6ee99f50dec8.tar.gz) = 2621d1c44b84b42fcdf644f236ff90dab9f8a8407a138c8719c53dd9c4f21480db3b4ba598116aa1b9d6bd1fa02fc410d85a43baf55ddf8ad47fc09aba4c4477
+SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f
+SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a
+SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65