Comment 17 for bug 1872175

Christian Ehrhardt  (paelzer) wrote :

Overall, the rules to go with seem to be:

 # required for pps initialization
 capability dac_read_search,
 capability sys_time,
 /sys/devices/virtual/pps/ r,
 # to submit data to chrony
 ptrace read peer=/usr/sbin/chronyd,
 # for libusb
 /sys/devices/**/usb[0-9]*/** r,
 # triggered on fusercount, not strictly required and unsafe to allow
 # adding a denial rule silences the warnings
 deny ptrace read peer=unconfined,