Thank you very much for those explanations! I now understand why all opening on non-existent files are not caught by Tomoyo But now, I wonder why some syscalls seems not to be caught by Tomoyo. Like sysinfo, getcwd, sigaltstack. In fact, I have to study what is monitored and what is not in details. I give another example: At the moment where vim tries to read the file /home/user1 for exemple (file read /home/user1), strace stays locked on the syscalls open(".",O_READONLY | O_LARGEFIL) = 3. Up to there no problem. But just after I allow Tomoyo to add this authorization to the policy I see others syscalls on strace: Fchdir(3) = 0, chdir("/usr/share/vim") = 0, getcwd("/usr/share/vim", 4096) = 15, close or brk. I have read the documentation but I do not find enought details on those questions. I imagine that my request is hard to satisfy, but if you can help my to get more details, it would be very interesting. Florian -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.osdn.me/mailman/archives/tomoyo-users-en/attachments/20120720/8eb1e3e3/attachment.html>