Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 19 Nov 2006 17:00:52 -0500 (EST)
From:      Darrel <levitch@iglou.com>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        questions@freebsd.org
Subject:   Re: system updates, as affected by securelevel
Message-ID:  <Pine.GSO.4.61.0611191658530.5075@shell1>
In-Reply-To: <455FEC87.6030007@mac.com>
References:  <Pine.GSO.4.61.0611181618200.1912@shell1> <455FEC87.6030007@mac.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Sun, 19 Nov 2006, Chuck Swiger wrote:

> Darrel wrote:
>> With OpenBSD securelevel=2 I can install a kernel, make build, and
>> install programs which are compiled using Systrace.
>> 
>> What is the highest securelevel that I can configure on RELENG_6_2
>> which will not affect compiling and installing; e.g., perhaps not
>> much local difference but having to reboot for a firewall change?
>> This installation is new and the AUDIT option will be in the kernel.
>
> securelevel = 0.
>
> Because the kernel is installed using the schg flag: if you have securelevel 
> set to 1 or higher, you will not be able to over-write the kernel without 
> rebooting into single-user mode.  See "man init" for details.
>
> [ Of course, reinstalling the kernel and/or world is something which you are 
> encouraged to do under single-user mode... ]
>

Thanks, Chuck.

Excepting my amd64 the computers are servers at work, so I will use
'securelevel = 0' to facilitate system upgrades while "up"- only shutting 
down now for install world.

6.2 rc1 'install world' failed on my amd64.  I can csup next month
and try out 'securelevel = 3' on that.  Probably build the world,
etc., installkernel, mergemaster and installworld could all be run
from single user then.

Darrel



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.61.0611191658530.5075>