Date:      Tue, 9 Mar 2004 18:37:28 +0100
From:      Erik Trulsson <ertr1013@student.uu.se>
To:        Jacob Tracey <jacobt2003@westnet.com.au>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: init: kernel security level changed from 0 to 1
Message-ID:  <20040309173728.GA37221@falcon.midgard.homeip.net>
In-Reply-To: <20040309171050.118E85FD55@bettong.westnet.com.au>
References:  <20040309171050.118E85FD55@bettong.westnet.com.au>

On Wed, Mar 10, 2004 at 04:10:45AM +1100, Jacob Tracey wrote:
> i can't for the life of me understand why this box won't go into securelevel
> 0. i've messed with everything i could think of yet at boot time after
> everything i get this message: init: kernel security level changed from 0 to
> 1.
> 
> any ideas? thanks,
> jacob
> 
> [relevant files]
> 
> police# cat /etc/sysctl.conf
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> kern.ps_showallprocs=0
> kern.securelevel=0
> 
> police# cat /etc/rc.conf
> # network init
> hostname="police.rv5.net"
> ifconfig_fxp0="inet 192.168.1.50 netmask 255.255.255.0"
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> gateway_enable="YES"
> 
> kern_securelevel_enable="NO"
> kern_securelevel="0" 

You didn't read the manpage for init(8) which states quite clearly that

   If the security level is initially nonzero, then init leaves it
   unchanged.  Otherwise, init raises the level to 1 before going
   multi-user for the first time.  Since the level cannot be reduced,
   it will be at least 1 for subsequent operation, even on return to
   single-user.

If you actually want to run at securelevel 0 you will have to leave the
securelevel at its default value of -1 during the boot process, and
then change the securelevel to 0 after entering multiuser mode.

Note that there is no difference between securelevels -1 and 0 in terms
of what operations are allowed, so you could probably just as well
leave the securelevel alone at -1 and run like that, unless you have
some specific reason to use level 0 exactly.

If you want to run at a securelevel greater than 0 then you should put
  kern_securelevel_enable=YES 
  kern_securelevel=2  (or whatever)
into /etc/rc.conf, otherwise just leave the securelevel alone (i.e.
don't set it in /etc/sysctl.)

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
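
Added example, not part of the original message or of FreeBSD's own scripts: a small sh model of the behaviour described in the reply, predicting the securelevel a box ends up at from its rc.conf and sysctl.conf. The function names and the simplified boot order are assumptions made for illustration.

```shell
#!/bin/sh
# Simplified model (assumption): boot starts at securelevel -1, rc applies
# /etc/sysctl.conf and then the rc.conf setting, the level can only be raised,
# and init(8) raises a level of 0 to 1 before going multi-user.

# last_value FILE KEY: value of the last uncommented KEY=... line, unquoted
last_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "\"' \t"
}

# raise CURRENT REQUESTED: print the higher level; ignore non-numeric requests
raise() {
    case "$2" in
        -1|[0-9]) ;;
        *) echo "$1"; return ;;
    esac
    if [ "$2" -gt "$1" ]; then echo "$2"; else echo "$1"; fi
}

# predict_securelevel RC_CONF SYSCTL_CONF: print the level after boot
predict_securelevel() {
    level=-1
    level=$(raise "$level" "$(last_value "$2" 'kern\.securelevel')")
    case "$(last_value "$1" kern_securelevel_enable)" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
            level=$(raise "$level" "$(last_value "$1" kern_securelevel)") ;;
    esac
    if [ "$level" -eq 0 ]; then level=1; fi   # the init(8) rule quoted above
    echo "$level"
}

# Constructed sample input reproducing the configuration posted in the thread.
demo_dir=$(mktemp -d)
printf 'kern.ps_showallprocs=0\nkern.securelevel=0\n' > "$demo_dir/sysctl.conf"
printf 'kern_securelevel_enable="NO"\nkern_securelevel="0"\n' > "$demo_dir/rc.conf"
echo "predicted level: $(predict_securelevel "$demo_dir/rc.conf" "$demo_dir/sysctl.conf")"
rm -rf "$demo_dir"
```

Removing the `kern.securelevel=0` line from the sample sysctl.conf makes the prediction -1, the case the reply recommends when no level above 0 is wanted.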