Index: refpolicy-2.20180114/policy/modules/contrib/chronyd.fc
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/chronyd.fc
+++ refpolicy-2.20180114/policy/modules/contrib/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf			--	gen_context(system_u:object_r:chronyd_conf_t,s0)
 /etc/chrony\.keys			--	gen_context(system_u:object_r:chronyd_keys_t,s0)
 
 /etc/rc\.d/init\.d/chronyd		--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
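Review bot: The new `/etc/chrony\.conf` entry only labels the flat top-level path, so distributions that ship the configuration as `/etc/chrony/chrony.conf` (Debian does) would leave the file as plain etc_t and the new chronyd_read_config() / chronyd_rw_config() interfaces would never apply there. If those layouts are in scope, a second entry such as `/etc/chrony/chrony\.conf	--	gen_context(system_u:object_r:chronyd_conf_t,s0)` is the minimal addition; a directory-wide `(/.*)?` pattern would be wrong here because it would also relabel the keys file away from chronyd_keys_t. The existing keys entry above has the same single-path limitation, so whichever choice is made should be applied to both for consistency.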
@@ -8,6 +9,7 @@
 /usr/lib/systemd/system/[^/]*chrony-wait.* --	gen_context(system_u:object_r:chronyd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*chronyd.*	--	gen_context(system_u:object_r:chronyd_unit_t,s0)
 
+/usr/bin/chronyc			--	gen_context(system_u:object_r:chronyc_exec_t,s0)
 /usr/sbin/chronyd			--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 
 /var/lib/chrony(/.*)?				gen_context(system_u:object_r:chronyd_var_lib_t,s0)
Index: refpolicy-2.20180114/policy/modules/contrib/chronyd.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/chronyd.if
+++ refpolicy-2.20180114/policy/modules/contrib/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
 	domtrans_pattern($1, chronyd_exec_t, chronyd_t)
 ')
 
+#####################################
+## <summary>
+##	Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`chronyd_domtrans_cli',`
+	gen_require(`
+		type chronyc_t, chronyc_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
 	can_exec($1, chronyd_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute chronyc in the chronyc domain,
+##	and allow the specified roles the
+##	chronyc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_run_cli',`
+	gen_require(`
+		attribute_role chronyc_roles;
+	')
+
+	chronyd_domtrans_cli($1)
+	roleattribute $2 chronyc_roles;
+')
+
 #####################################
 ## <summary>
 ##	Read chronyd log files.
@@ -76,6 +122,44 @@ interface(`chronyd_read_log',`
 	read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
 ')
 
+#####################################
+## <summary>
+##	Read chronyd config file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+	gen_require(`
+		type chronyd_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+##	Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+	gen_require(`
+		type chronyd_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write chronyd shared memory.
@@ -157,6 +241,83 @@ interface(`chronyd_read_key_files',`
 	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
 ')
 
+########################################
+## <summary>
+##	Allow specified domain to enable and disable chronyd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_enabledisable',`
+	gen_require(`
+		type chronyd_unit_t;
+		class service { enable disable };
+	')
+
+	allow $1 chronyd_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to start and stop chronyd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_startstop',`
+	gen_require(`
+		type chronyd_unit_t;
+		class service { start stop };
+	')
+
+	allow $1 chronyd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to get status of chronyd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_status',`
+	gen_require(`
+		type chronyd_unit_t;
+		class service status;
+	')
+
+	allow $1 chronyd_unit_t:service status;
+')
+
+########################################
+## <summary>
+##	Send to chronyd command line interface using a unix domain
+##	datagram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_dgram_send_cli',`
+	gen_require(`
+		type chronyc_t, chronyd_var_run_t;
+	')
+
+	files_search_pids($1)
+	dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)
+')
+
 ####################################
 ## <summary>
 ##	All of the rules required to
Index: refpolicy-2.20180114/policy/modules/contrib/chronyd.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/chronyd.te
+++ refpolicy-2.20180114/policy/modules/contrib/chronyd.te
@@ -1,14 +1,25 @@
-policy_module(chronyd, 1.5.0)
+policy_module(chronyd, 1.5.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role chronyc_roles;
+
 type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
 
+type chronyc_t;
+type chronyc_exec_t;
+init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
+
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
 type chronyd_initrc_exec_t;
 init_script_file(chronyd_initrc_exec_t)
 
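Review bot: chronyc_t is declared with both init_daemon_domain() and application_domain() on the `type chronyc_t` block, which, if I read the two macros right, stacks daemon-style treatment (the daemon attribute and the init domain transition) on top of the application-domain rules and duplicates the domain_type/domain_entry_file declarations they share. If the only reason for init involvement is the chrony-wait unit labeled chronyd_unit_t in chronyd.fc, `init_system_domain(chronyc_t, chronyc_exec_t)` is the narrower fit for a client tool that also runs from a user shell. Either way a one-line comment above the block, e.g. `# chronyc is run interactively and by init via the chrony-wait unit`, would record why a command-line client needs an init entry at all.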
@@ -32,10 +43,10 @@ init_daemon_pid_file(chronyd_var_run_t,
 
 ########################################
 #
-# Local policy
+# chronyd local policy
 #
 
-allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time };
+allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time };
 allow chronyd_t self:process { getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
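Review bot: The `chown` capability added to the chronyd_t self:capability set carries no comment explaining what operation needs it, and a new capability on a network-facing daemon is the kind of change a later maintainer will want a reason for. Presumably it is for handing runtime files or the command socket directory to the unprivileged chrony user before privileges are dropped, but that should be confirmed from the actual denial rather than assumed. A short comment on the line such as `# chown: <reason taken from the denial that motivated it>` is enough.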
@@ -71,6 +82,7 @@ corenet_udp_sendrecv_generic_if(chronyd_
 corenet_udp_sendrecv_generic_node(chronyd_t)
 corenet_udp_bind_generic_node(chronyd_t)
 
+corenet_sendrecv_ntp_client_packets(chronyd_t)
 corenet_sendrecv_ntp_server_packets(chronyd_t)
 corenet_udp_bind_ntp_port(chronyd_t)
 corenet_udp_sendrecv_ntp_port(chronyd_t)
@@ -87,6 +99,9 @@ logging_send_syslog_msg(chronyd_t)
 
 miscfiles_read_localization(chronyd_t)
 
+chronyd_dgram_send_cli(chronyd_t)
+chronyd_read_config(chronyd_t)
+
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
 ')
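Review bot: `chronyd_dgram_send_cli(chronyd_t)` and `chronyd_read_config(chronyd_t)` call the module's own interfaces from inside chronyd.te, which refpolicy style discourages: a module writes its own rules directly and reserves interfaces for other modules. The direct forms here would be `allow chronyd_t chronyd_conf_t:file read_file_perms;` and `dgram_send_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)` (chronyd_t already reaches its pid directory, so the files_search_pids() step is not needed for it). The same applies to `chronyd_dgram_send(chronyc_t)` and `chronyd_read_config(chronyc_t)` at the end of the chronyc local policy hunk below.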
@@ -94,3 +109,44 @@ optional_policy(`
 optional_policy(`
 	mta_send_mail(chronyd_t)
 ')
+
+########################################
+#
+# chronyc local policy
+#
+
+allow chronyc_t self:capability { dac_override };
+allow chronyc_t self:process { signal };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })
+
+corenet_all_recvfrom_unlabeled(chronyc_t)
+corenet_all_recvfrom_netlabel(chronyc_t)
+corenet_udp_sendrecv_generic_if(chronyc_t)
+corenet_udp_sendrecv_generic_node(chronyc_t)
+
+corenet_sendrecv_chronyd_client_packets(chronyc_t)
+corenet_udp_sendrecv_chronyd_port(chronyc_t)
+
+files_read_etc_files(chronyc_t)
+files_read_usr_files(chronyc_t)
+
+locallogin_use_fds(chronyc_t)
+
+logging_send_syslog_msg(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+sysnet_dns_name_resolve(chronyc_t)
+
+miscfiles_read_localization(chronyc_t)
+
+userdom_use_user_ttys(chronyc_t)
+
+chronyd_dgram_send(chronyc_t)
+chronyd_read_config(chronyc_t)
+
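Review bot: `allow chronyc_t self:capability { dac_override };` hands the client tool a full DAC bypass with no comment saying what needs it; presumably it is binding the reply socket under a chronyd_var_run_t directory owned by the chrony user while chronyc runs as root, which should be confirmed from the denial and recorded as `# dac_override: create the client socket in the chrony-owned runtime directory`. In the same hunk, `manage_dirs_pattern` and `manage_files_pattern` on chronyd_var_run_t let chronyc delete or rewrite the daemon's own pid file and runtime directory, while the client appears to need only its own socket file; `manage_sock_files_pattern` already grants rw_dir_perms on the directory type, so unless chronyc is known to create directories or regular files there, dropping the first two patterns and trimming `files_pid_filetrans` to `sock_file` keeps the new domain to least privilege. The `chronyd_dgram_send(chronyc_t)` / `chronyd_read_config(chronyc_t)` self-calls at the end have the same style issue noted on the chronyd hunk above.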
Index: refpolicy-2.20180114/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20180114/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.17.0)
+policy_module(ntp, 1.17.1)
 
 ########################################
 #
@@ -58,7 +58,6 @@ allow ntpd_t self:process { signal_perms
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:socket create;
-allow ntpd_t self:tcp_socket { accept listen };
 allow ntpd_t self:unix_dgram_socket sendto;
 
 allow ntpd_t ntp_conf_t:file read_file_perms;
@@ -99,20 +98,15 @@ kernel_request_load_module(ntpd_t)
 
 corenet_all_recvfrom_unlabeled(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)
-corenet_tcp_sendrecv_generic_if(ntpd_t)
 corenet_udp_sendrecv_generic_if(ntpd_t)
-corenet_tcp_sendrecv_generic_node(ntpd_t)
 corenet_udp_sendrecv_generic_node(ntpd_t)
 corenet_udp_bind_generic_node(ntpd_t)
 
+corenet_sendrecv_ntp_client_packets(ntpd_t)
 corenet_sendrecv_ntp_server_packets(ntpd_t)
 corenet_udp_bind_ntp_port(ntpd_t)
 corenet_udp_sendrecv_ntp_port(ntpd_t)
 
-corenet_sendrecv_ntp_client_packets(ntpd_t)
-corenet_tcp_connect_ntp_port(ntpd_t)
-corenet_tcp_sendrecv_ntp_port(ntpd_t)
-
 corecmd_exec_bin(ntpd_t)
 corecmd_exec_shell(ntpd_t)
 
Index: refpolicy-2.20180114/policy/modules/system/iptables.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/iptables.te
+++ refpolicy-2.20180114/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.19.0)
+policy_module(iptables, 1.19.1)
 
 ########################################
 #
@@ -53,6 +53,7 @@ allow iptables_t iptables_tmp_t:dir mana
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
+kernel_getattr_proc(iptables_t)
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
