From owner-freebsd-stable@FreeBSD.ORG  Tue Mar  9 09:37:31 2004
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EE15416A4CE
	for <freebsd-stable@freebsd.org>;
	Tue,  9 Mar 2004 09:37:31 -0800 (PST)
Received: from falcon.midgard.homeip.net (h201n1fls24o1048.bredband.comhem.se
	[212.181.162.201])
	by mx1.FreeBSD.org (Postfix) with SMTP id 14A7143D41
	for <freebsd-stable@freebsd.org>;
	Tue,  9 Mar 2004 09:37:30 -0800 (PST)
	(envelope-from ertr1013@student.uu.se)
Received: (qmail 37308 invoked by uid 1001); 9 Mar 2004 17:37:28 -0000
Date: Tue, 9 Mar 2004 18:37:28 +0100
From: Erik Trulsson <ertr1013@student.uu.se>
To: Jacob Tracey <jacobt2003@westnet.com.au>
Message-ID: <20040309173728.GA37221@falcon.midgard.homeip.net>
Mail-Followup-To: Jacob Tracey <jacobt2003@westnet.com.au>,
	freebsd-stable@freebsd.org
References: <20040309171050.118E85FD55@bettong.westnet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040309171050.118E85FD55@bettong.westnet.com.au>
User-Agent: Mutt/1.5.6i
cc: freebsd-stable@freebsd.org
Subject: Re: init: kernel security level changed from 0 to 1
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2004 17:37:32 -0000

On Wed, Mar 10, 2004 at 04:10:45AM +1100, Jacob Tracey wrote:
> i can't for the life of me understand why this box won't go into securelevel
> 0. i've messed with everything i could think of yet at bootime after
> everything i get this message: init: kernel security level changed from 0 to
> 1.
> 
> any ideas? thanks,
> jacob
> 
> [relevant files]
> 
> police# cat /etc/sysctl.conf
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> kern.ps_showallprocs=0
> kern.securelevel=0
> 
> police# cat /etc/rc.conf
> # network init
> hostname="police.rv5.net"
> ifconfig_fxp0="inet 192.168.1.50 netmask 255.255.255.0"
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> gateway_enable="YES"
> 
> kern_securelevel_enable="NO"
> kern_securelevel="0" 

You didn't read the manpage for init(8) which states quite clearly that

   If the security level is initially nonzero, then init leaves it
   unchanged.  Otherwise, init raises the level to 1 before going
   multi-user for the first time.  Since the level cannot be reduced,
   it will be at least 1 for subsequent operation, even on return to
   single-user.

if you actually want to run at securelevel 0 you will have to leave the
securelevel at its default value of -1 during the boot process, and
then change the securelevel to 0 after entering multiuser mode.

Note that there is no difference between securelevels -1 and 0 in terms
of what operations are allowed, so you could probably just as well
leave the securelevel alone at -1 and run like that, unless you have
some specific reason to use level 0 exactly.

If you want to run at a securelevel greater than 0 then you should put
  kern_securelevel_enable=YES 
  kern_securelevel=2  (or whatever)
into /etc/rc.conf, otherwise just leave the securelevel alone (i.e.
don't set it in /etc/sysctl.)

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se