diff --git a/Changelog b/Changelog
index 64584b0..e1bf08d 100644
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,6 @@
- X object manager revisions from Eamon Walsh.
- Added modules:
+ chronyd (Miroslav Grepl)
cobbler (Dominick Grift)
dbadm (KaiGai Kohei)
nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index e29bde8..91e0b1c 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -81,6 +81,7 @@ network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
+network_port(chronyd, udp,323,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
new file mode 100644
index 0000000..af4fa00
--- /dev/null
+++ b/policy/modules/services/chronyd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
+/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
new file mode 100644
index 0000000..5bda4f9
--- /dev/null
+++ b/policy/modules/services/chronyd.if
@@ -0,0 +1,102 @@
+## Chrony NTP background daemon
+
+#####################################
+##
+## Execute chronyd in the chronyd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`chronyd_domtrans',`
+ gen_require(`
+ type chronyd_t, chronyd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+')
+
+####################################
+##
+## Execute chronyd
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`chronyd_exec',`
+ gen_require(`
+ type chronyd_exec_t;
+ ')
+
+ can_exec($1, chronyd_exec_t)
+')
+
+#####################################
+##
+## Read chronyd logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_read_log',`
+ gen_require(`
+ type chronyd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
+')
+
+####################################
+##
+## All of the rules required to administrate
+## an chronyd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the chronyd domain.
+##
+##
+##
+#
+interface(`chronyd_admin',`
+ gen_require(`
+ type chronyd_t, chronyd_var_log_t;
+ type chronyd_var_run_t, chronyd_var_lib_t;
+ type chronyd_initrc_exec_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, chronyd_t)
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, chronyd_tmp_t)
+')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
new file mode 100644
index 0000000..15234c7
--- /dev/null
+++ b/policy/modules/services/chronyd.te
@@ -0,0 +1,58 @@
+
+policy_module(chronyd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chronyd_t;
+type chronyd_exec_t;
+init_daemon_domain(chronyd_t, chronyd_exec_t)
+
+type chronyd_initrc_exec_t;
+init_script_file(chronyd_initrc_exec_t)
+
+type chronyd_var_lib_t;
+files_type(chronyd_var_lib_t)
+
+type chronyd_var_log_t;
+logging_log_file(chronyd_var_log_t)
+
+type chronyd_var_run_t;
+files_pid_file(chronyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow chronyd_t self:capability { setuid setgid sys_time };
+allow chronyd_t self:process { getcap setcap };
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+
+manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, { file })
+
+corenet_udp_bind_ntp_port(chronyd_t)
+# bind to udp/323
+corenet_udp_bind_chronyd_port(chronyd_t)
+
+# real time clock option
+dev_rw_realtime_clock(chronyd_t)
+
+auth_use_nsswitch(chronyd_t)
+
+logging_send_syslog_msg(chronyd_t)
+
+miscfiles_read_localization(chronyd_t)