Comment 20 for bug 1872175

Jamie Strandboge (jdstrand) wrote :

> # required for pps initialization
> capability dac_read_search,
> capability sys_time,
> /sys/devices/virtual/pps/ r,
> # to submit data to chrony
> ptrace read peer=/usr/sbin/chronyd,
> # for libusb
> /sys/devices/**/usb[0-9]*/** r,
> # triggered on fusercount, not strictly required and unsafe to allow
> # adding a denial rule silences the warnings
> deny ptrace read peer=unconfined,

I believe you said that dac_read_search was due to the /proc accesses that also trigger the ptrace rule. Perhaps it can also be suppressed?

Either way, thanks for all the investigation! +1 for the rules as is. If you aren't blocking dac_read_search, can you add what in the pps initialization needs it? E.g.:

# required for pps initialization (foo() from bar.c traverses /proc)

or something?
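The quoted rules were worked out from AppArmor denial messages in the kernel log. As an added example (not code from this bug report, gpsd or the AppArmor project), the script below parses audit lines of the shape the kernel emits and turns each one into the candidate profile rule it implies, roughly what aa-logprof does interactively. It treats a ptrace request against peer=unconfined the way the quoted profile does: emit an explicit `deny` rule rather than an allow, because deny rules are quiet by default and so stop the log noise without granting the access. The audit lines, pids, timestamps and the usb sysfs path are constructed for the example; the helper names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample AppArmor audit lines in the shape the kernel emits
# (on a real system read them from journalctl -k or /var/log/audit/audit.log).
# pids, timestamps and the usb path are made up for this example.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1586000000.101:201): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/gpsd" pid=4242 comm="gpsd" capability=2  capname="dac_read_search"',
    'type=AVC msg=audit(1586000000.102:202): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/gpsd" pid=4242 comm="gpsd" capability=25  capname="sys_time"',
    'type=AVC msg=audit(1586000000.103:203): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/gpsd" name="/sys/devices/virtual/pps/" pid=4242 comm="gpsd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1586000000.104:204): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/gpsd" pid=4242 comm="gpsd" requested_mask="read" denied_mask="read" '
    'peer="/usr/sbin/chronyd"',
    'type=AVC msg=audit(1586000000.105:205): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/gpsd" pid=4242 comm="gpsd" requested_mask="read" denied_mask="read" '
    'peer="unconfined"',
    # complain-mode messages say ALLOWED but describe the same access
    'type=AVC msg=audit(1586000000.106:206): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/gpsd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/descriptors" '
    'pid=4242 comm="gpsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # a profile load event: carries no access request and must be skipped
    'type=AVC msg=audit(1586000000.107:207): apparmor="STATUS" operation="profile_replace" '
    'profile="unconfined" name="/usr/sbin/gpsd" pid=4300 comm="apparmor_parser"',
]

# operations whose event carries a path in name= and a mode in denied_mask=
FILE_OPERATIONS = {
    "open", "getattr", "mknod", "unlink", "rename_src", "rename_dest", "exec",
    "file_perm", "file_inherit", "link", "truncate", "chmod", "chown", "mkdir",
    "rmdir", "symlink", "file_mmap", "file_lock",
}

# peers we never want to hand ptrace out to: an explicit deny is safer than an
# allow and, because deny rules are quiet by default, also silences the log
NEVER_ALLOW_PTRACE_PEERS = {"unconfined"}

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one AppArmor audit message into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def rule_for(event):
    """Return the candidate profile rule implied by one DENIED/ALLOWED event, else None."""
    if event.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None  # STATUS and similar events describe no access
    op = event.get("operation")
    mask = event.get("denied_mask") or event.get("requested_mask")
    if op == "capable":
        # note: a capable event names the capability but carries no path,
        # so *which* access needed it has to come from the source or strace
        return f"capability {event['capname']},"
    if op == "ptrace":
        peer = event["peer"]
        prefix = "deny " if peer in NEVER_ALLOW_PTRACE_PEERS else ""
        return f"{prefix}ptrace {mask} peer={peer},"
    if op in FILE_OPERATIONS:
        # exact path as logged; widening to globs like /sys/devices/**/usb[0-9]*/**
        # is a judgement call left to the profile author
        return f"{event['name']} {mask},"
    return None


def rules_from_log(lines):
    """Group candidate rules by confined profile, deduplicated, in first-seen order."""
    by_profile = defaultdict(list)
    for line in lines:
        event = parse_audit_line(line)
        rule = rule_for(event)
        if rule and rule not in by_profile[event["profile"]]:
            by_profile[event["profile"]].append(rule)
    return dict(by_profile)


def render_profile_fragment(rules):
    """Indent the rules the way they would sit inside a profile block."""
    return "\n".join(f"  {rule}" for rule in rules)


if __name__ == "__main__":
    for profile, rules in rules_from_log(SAMPLE_AUDIT_LINES).items():
        print(f"{profile} {{")
        print(render_profile_fragment(rules))
        print("}")
```

Running it on the constructed lines yields the capability, pps, chronyd and usb rules from the quoted profile plus `deny ptrace read peer=unconfined,` for the fusercount noise. The `capable` event for dac_read_search has no `name=` field, which is exactly why the comment above asks for a source reference: the log alone cannot say which /proc traversal needed the capability.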