Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: rhel-10.1
Affects Version/s: None
Component/s: rhel-system-roles
Labels:

Fixed in Build:
rhel-system-roles-1.99.1-0.1.el10
Regression:
No
Severity:
Low
Epic Link:
[Epic]: fix: add default seccomp filters for el9/10

AssignedTeam:
rhel-system-roles

Story Points:
0
ACKs Check:

QE ack, Dev ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
None

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/148879
Test Coverage:

Automated

Release Note Type:
Bug Fix
Release Note Text:

Hide
.The `timesync` RHEL system role no longer removes the `OPTIONS="-F 2"` default setting from `/etc/sysconfig/chronyd`

Before this update, the `timesync` system role replaced the default `OPTIONS=` setting for the `chronyd` service with `""`. As a consequence, this removed the default `OPTIONS="-F 2"` setting which weakened the security of `chronyd`. With this release, `-F 2` is added as the default setting for `OPTIONS`, and the user can override or extend this setting. As a result, the `timesync` role now applies the correct security settings while still allowing user customization.

Show
.The `timesync` RHEL system role no longer removes the `OPTIONS="-F 2"` default setting from `/etc/sysconfig/chronyd` Before this update, the `timesync` system role replaced the default `OPTIONS=` setting for the `chronyd` service with `""`. As a consequence, this removed the default `OPTIONS="-F 2"` setting which weakened the security of `chronyd`. With this release, `-F 2` is added as the default setting for `OPTIONS`, and the user can override or extend this setting. As a result, the `timesync` role now applies the correct security settings while still allowing user customization.
Release Note Status:
Done
ProdDocsReview-CCS:
Done
ProdDocsReview-Dev:
Done
ProdDocsReview-QE:
Not Required

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Cause: The timesync role is replacing the default `OPTIONS=` setting for chronyd with `""` upon every role run.

Consequence: This removes the default `OPTIONS="-F 2"` setting on EL9 and EL10 which weakens the security of chronyd.

Fix: Add `-F 2` as the default setting for `OPTIONS` in EL9 and EL10. Ensure that the user can override this setting if necessary, and ensure that this setting can co-exist with other `OPTIONS` settings that may be set by the user.

Result: The timesync role applies the correct security settings on every platform and allows the user to override/extend these settings.

Fixes #278

links to

link to github issue

RHEA-2025:148879 rhel-system-roles bug fix and enhancement update

Assignee:: Richard Megginson

Reporter:: Richard Megginson

Developer:: Richard Megginson

QA Contact:: David Jez

Doc Contact:: Valentina Ashirova

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2025/04/23 10:26 PM

Updated:: 2025/09/02 10:05 AM

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide