Why is SIP keeping me from using `dtruss` on an executable outside its protected folders?

I'm trying to run the following command on OS X El Capitan (10.11.4): sudo dtruss /usr/local/bin/mix phoenix.server It fails, saying: > dtrace: failed to execute /usr/local/bin/mix: dtrace cannot control executables signed with restricted entitlements mix is an executable I installed with Homebrew. /usr/local/bin/mix is actually a symlink, but it points to a file nested under /usr/local/Cellar. The [official statement on SIP](https://support.apple.com/en-us/HT204899) says that /usr/local is writable for installers (unlike /usr/ generally). It doesn't say whether SIP allows tracing programs there, but given that I installed this myself, it seems reasonable to be able to trace it. Is there something I can do to allow tracing this program? Ideas I have: - Disable SIP entirely (seems heavy-handed) - Update: I read that one can [disable parts of SIP selectively](http://internals.exposed/blog/dtrace-vs-sip.html) , but as a first step, I [completely disabled it](http://www.macworld.com/article/2986118/security/how-to-modify-system-integrity-protection-in-el-capitan.html) . csrutil status now reports System Integrity Protection status: disabled.. But my original command still fails with the same error. :( - Make Homebrew install everything to a folder under ~ (seems messy) - Update: pretty sure this [would be a bad idea](https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/FAQ.md#why-does-homebrew-prefer-i-install-to-usrlocal) - Ignore Homebrew and compile mix from source into ~, then dtruss the new executable - Update: same failure. **This one really makes no sense to me**. SIP is turned off, the executable isn't "signed" since I compiled it myself, and it's not in a restricted location. :P - Install Linux in a VM. (seriously? do I have to do this?)