Hello, I am working with selinux sandbox " http://danwalsh.livejournal.com/28545.html";. Blog clearing mentions that the sandbox "Can not Open or Create any files on the system " except the the shared libraries. But current sandbox allow to read dir stuff which i think should not be allowed: currently i can successfully ran: *"sandbox ls /usr"* ls -Z for my /usr is: *drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr* Now i used sesearch based policy analysis tool to find the allow rules and i have listed few which i can understand and think should not be there: [1] *allow sandbox_domain default_t : file { ioctl read write getattr lock append } ; * # sandbox_t is allow to read write to file having type as default_t, but it doesnt allow to open it..so whats the significance of {read write} [2] *allow domain usr_t : dir { ioctl read getattr lock search open } * Added my system details and here is the list of allowed rules " https://docs.google.com/document/d/1fwNXcaKUuYthiK_qEYuaZHuTzAnCTlMnWF713... " I have started with selinux about 1 week back so there might be problem with my thinking model. *Does the above stuff make sense from logical point of view and should fixed ?* Initially i thought that i will just disallow what i dont want...but know i have realised that selinux is denial by default model and we can only allow stuff. libselinux.x86_64 2.2.2-6.el7 libselinux-python.x86_64 2.2.2-6.el7 libselinux-utils.x86_64 2.2.2-6.el7 selinux-policy.noarch 3.12.1-153.el7_0.13 selinux-policy-devel.noarch 3.12.1-153.el7_0.13 selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13 selinux-policy-targeted.noarch 3.12.1-153.el7_0.13 selinux-policy-sandbox.noarch 3.12.1-153.el7_0.13 Thanks Thanks On Tue, Jan 20, 2015 at 2:36 AM, Daniel J Walsh <dwalsh(a)redhat.com&gt; wrote: