From Application Definition .adef - Legato Docs
Note
Even though the file system object appears in the app’s sandbox it still needs permissions settings on the file. File permissions (both DAC and MAC) and ownership (group and user) on the original file in the target system remain in effect inside the sandbox.
Each sandboxed application runs as a separate user. You’ll have to set the permission so that your sand boxed application can write to the file. In my case, the app names is “HelloWorld”. You can get the app name from “app list”
root@swi-mdm9x28-wp:~# echo 2 > hello.txt
root@swi-mdm9x28-wp:~# chmod o+w hello.txt
root@swi-mdm9x28-wp:~# xattr set ‘security.SMACK64’ ‘app.HelloWorldrwx’ hello.txt
root@swi-mdm9x28-wp:~# xattr get hello.txt
name=security.SMACK64; value=app.HelloWorldrwx
root@swi-mdm9x28-wp:~#
Run your sand boxed application
root@swi-mdm9x28-wp:~# cat hello.txt
HELLO