diff --git a/en/getting-started/install-self-hosted/README.md b/en/getting-started/install-self-hosted/README.md index a48b661..3e0ec8c 100644 --- a/en/getting-started/install-self-hosted/README.md +++ b/en/getting-started/install-self-hosted/README.md @@ -68,11 +68,6 @@ The Dify Self hosted Edition, which is the open-source on [GitHub](https://githu ![](<../../.gitbook/assets/image (33).png>) -* **Why is SYS_ADMIN permission needed?** - The sandbox service is based on `Seccomp` for sandbox isolation, but also, Docker is based on `Seccomp` for resource isolation. In Docker, Linux Seccomp BPF is disabled by default, which prevents the use of `Seccomp` in containers, so SYS_ADMIN permission is required to enable `Seccomp`. - - As for the security of the sandbox service, we disabled all `file system`, `network`, `IPC`, `PID`, `user`, `mount`, `UTS`, and system access capabilities of all processes in the sandbox to ensure that malicious code is not executed. At the same time, we also isolate the files and network in the container to ensure that even if the code is executed, it cannot harm the system. - ### Contributing To ensure proper review, all code contributions - including those from contributors with direct commit access - must be submitted via pull requests and approved by the core development team prior to being merged. diff --git a/en/getting-started/install-self-hosted/install-faq.md b/en/getting-started/install-self-hosted/install-faq.md index b7136b9..0d5f485 100644 --- a/en/getting-started/install-self-hosted/install-faq.md +++ b/en/getting-started/install-self-hosted/install-faq.md 
@@ -201,4 +201,13 @@ VECTOR_STORE: weaviate ``` flask vdb-migrarte # or docker exec -it docker-api-1 flask vdb-migrarte -``` \ No newline at end of file +``` + +### 16. Why is SYS_ADMIN permission needed?** + +#### **Why does the sandbox service need SYS_ADMIN permission?** + +The sandbox service is based on `Seccomp` for sandbox isolation, but also, Docker is based on `Seccomp` for resource isolation. In Docker, Linux Seccomp BPF is disabled by default, which prevents the use of `Seccomp` in containers, so SYS_ADMIN permission is required to enable `Seccomp`. + +#### **How does the sandbox service ensure security?** +As for the security of the sandbox service, we disabled all `file system`, `network`, `IPC`, `PID`, `user`, `mount`, `UTS`, and system access capabilities of all processes in the sandbox to ensure that malicious code is not executed. At the same time, we also isolate the files and network in the container to ensure that even if the code is executed, it cannot harm the system.
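Review bot: The explanation in the first added paragraph ("In Docker, Linux Seccomp BPF is disabled by default, which prevents the use of `Seccomp` in containers") is not accurate: Docker applies a default seccomp profile to every container unless it is started with `--security-opt seccomp=unconfined`, so seccomp is enabled, not disabled, by default. The real reason is that Docker's default profile and capability set block some operations the sandbox performs (the text itself points at namespace-style isolation: `IPC`, `PID`, `user`, `mount`, `UTS`), and those are what `CAP_SYS_ADMIN` unlocks; the paragraph should say which sandbox operations are blocked without it rather than claim seccomp is off. Since `SYS_ADMIN` is one of the broadest capabilities, the FAQ should also state that it is granted only to the sandbox container and note the isolation trade-off. In the second paragraph, "to ensure that malicious code is not executed" contradicts the following sentence ("even if the code is executed"); the sandbox confines code, it does not prevent execution, so "cannot reach the host file system or network" would be the honest claim, and the list mixes Linux namespaces with "capabilities". Formatting: the heading `### 16. Why is SYS_ADMIN permission needed?**` has a stray trailing `**` with no opening marker, and the `####` sub-heading immediately repeats the same question, so one of the two should go.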
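Review bot: Removing the whole `SYS_ADMIN` bullet from the self-hosted README leaves readers of the install guide with no pointer to where the answer now lives; after the `![](<../../.gitbook/assets/image (33).png>)` line, a one-line cross-reference to the new FAQ entry in `install-faq.md` would keep the explanation discoverable from the page where the permission is actually configured. Also check the blank-line count left between the image and `### Contributing` once the bullet and its trailing empty line are gone.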