Thanks, this was really helpful. From /var/log/audit/audit.log:
type=AVC msg=audit(1666221117.868:118): avc: denied { sendto } for pid=1694 comm="chronyd" path="/run/chrony/chronyc.5240.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1666221117.868:118): arch=c000003e syscall=46 success=no exit=-13 a0=8 a1=7ffedddcf8f0 a2=0 a3=7f9380df1800 items=0 ppid=1 pid=1694 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
And piped through audit2allow:
============= chronyd_t ==============
#!!!! The file '/run/chrony/chronyc.2442.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/chrony/chronyc.2442.sock
allow chronyd_t cloud_init_t:unix_dgram_socket sendto;
I was able to work around it by adding the following to the User Data of the launch template:
% semanage permissive -a chronyd_t
Onto the next oddness.
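As an added example that is not part of the original thread: a small Python parser for AVC denial records like the one quoted above. It pulls the source type, target type, object class and permissions out of each line, groups them, and prints the same kind of narrow allow rule that audit2allow produced (the second AVC record in the sample is constructed to show how several permissions are grouped into one rule).

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records from the post, plus a
# hypothetical second denial with two permissions to exercise the grouping.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1666221117.868:118): avc: denied { sendto } for pid=1694 comm="chronyd" path="/run/chrony/chronyc.5240.sock" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1666221117.868:118): arch=c000003e syscall=46 success=no exit=-13 comm="chronyd" exe="/usr/sbin/chronyd"
type=AVC msg=audit(1666221120.001:119): avc: denied { read open } for pid=1700 comm="chronyd" path="/etc/chrony/keys" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# One AVC record per line: permissions in braces, then the security contexts
# (user:role:type:level), the object class, and whether the domain was enforcing.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'.*?permissive=(?P<permissive>[01])'
)

def parse_avc(line):
    """Return the denial's fields, or None for non-AVC records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source_type": m.group("scontext").split(":")[2],  # third field is the type
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "enforced": m.group("permissive") == "0",
    }

def allow_rules(log_text):
    """Group denials by (source, target, class) and emit one allow rule each."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            grouped[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Rules generated this way are scoped to one source/target/class triple, which is the granular alternative to marking the whole chronyd_t domain permissive.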