# PPS initialization. These rules are only a fragment: the enclosing profile
# header and the rest of its file rules are not shown here.
# dac_read_search lets the confined process bypass DAC read/search checks on
# any path this profile's file rules already permit, and sys_time lets it
# change the system clock; both are broad capabilities, so keep the rest of
# the profile's file rules tight.
# NOTE(review): presumably the PPS ioctls need CAP_SYS_TIME — confirm against
# the kernel pps driver before removing either capability.
capability dac_read_search,
capability sys_time,
# Directory listing only; nothing here grants the entries beneath it.
/sys/devices/virtual/pps/ r,
# To submit data to chrony. 'ptrace read' only allows reading chronyd's
# /proc state; it does not allow attaching to or controlling chronyd.
ptrace read peer=/usr/sbin/chronyd,
# For libusb device enumeration; read-only.
/sys/devices/**/usb[0-9]*/** r,
# Triggered on fusercount (presumably a /proc walk — verify in gpsd); not
# strictly required and unsafe to allow, since 'ptrace read' against
# unconfined peers would let this process read the /proc state of every
# unconfined process on the host. An explicit deny takes precedence over any
# allow rule elsewhere in the profile and is not logged, which is what
# silences the warnings; it also keeps a later broad ptrace grant from
# reopening this.
deny ptrace read peer=unconfined,
Overall, the rules to go with seem to be:
# required for pps initialization
capability dac_read_search,
capability sys_time,
/sys/devices/virtual/pps/ r,
# to submit data to chrony
ptrace read peer=/usr/sbin/chronyd,
# for libusb
/sys/devices/**/usb[0-9]*/** r,
# triggered on fusercount, not strictly required and unsafe to allow
# adding a denial rule silences the warnings
deny ptrace read peer=unconfined,