add chronyd-restricted service (RHEL-9972)

Resolves: RHEL-9972

chrony.spec

@@ -77,6 +77,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$')
         c3992e2f985550739cd1cd95f98c9548  examples/chrony.nm-dispatcher.dhcp
         4e85d36595727318535af3387411070c  examples/chrony.nm-dispatcher.onoffline
         60447a26dce93b3a61f488a364ac46cd  examples/chronyd.service
+        46fa3e2d42c8eb9c42e71095686c90ed  examples/chronyd-restricted.service
 EOF
 
 # don't allow packaging without vendor zone
@@ -95,6 +96,10 @@ sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \
 
 touch -r examples/chrony.conf.example2 chrony.conf
 
+# set selinux context in chronyd-restricted service
+sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' \
+	examples/chronyd-restricted.service
+
 # regenerate the file from getdate.y
 rm -f getdate.c
 
@@ -140,6 +145,8 @@ install -m 644 -p examples/chrony.logrotate \
 
 install -m 644 -p examples/chronyd.service \
         $RPM_BUILD_ROOT%{_unitdir}/chronyd.service
+install -m 644 -p examples/chronyd-restricted.service \
+        $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service
 install -m 755 -p examples/chrony.nm-dispatcher.onoffline \
         $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
 install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
@@ -180,13 +187,13 @@ if test -a %{_libexecdir}/chrony-helper; then
                 sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources"
         done 2> /dev/null
 fi
-%systemd_post chronyd.service chrony-wait.service
+%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service
 
 %preun
-%systemd_preun chronyd.service chrony-wait.service
+%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service
 
 %postun
-%systemd_postun_with_restart chronyd.service
+%systemd_postun_with_restart chronyd.service chronyd-restricted.service
 
 %files
 %{!?_licensedir:%global license %%doc}