init: kernel security level changed from 0 to 1

Erik Trulsson ertr1013 at student.uu.se
Tue Mar 9 09:37:32 PST 2004


On Wed, Mar 10, 2004 at 04:10:45AM +1100, Jacob Tracey wrote:
> I can't for the life of me understand why this box won't go into securelevel
> 0. I've messed with everything I could think of, yet at boot time after
> everything I get this message: init: kernel security level changed from 0 to
> 1.
> 
> any ideas? thanks,
> jacob
> 
> [relevant files]
> 
> police# cat /etc/sysctl.conf
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> kern.ps_showallprocs=0
> kern.securelevel=0
> 
> police# cat /etc/rc.conf
> # network init
> hostname="police.rv5.net"
> ifconfig_fxp0="inet 192.168.1.50 netmask 255.255.255.0"
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> gateway_enable="YES"
> 
> kern_securelevel_enable="NO"
> kern_securelevel="0" 

You didn't read the manpage for init(8) which states quite clearly that

   If the security level is initially nonzero, then init leaves it
   unchanged.  Otherwise, init raises the level to 1 before going
   multi-user for the first time.  Since the level cannot be reduced,
   it will be at least 1 for subsequent operation, even on return to
   single-user.

if you actually want to run at securelevel 0 you will have to leave the
securelevel at its default value of -1 during the boot process, and
then change the securelevel to 0 after entering multiuser mode.

Note that there is no difference between securelevels -1 and 0 in terms
of what operations are allowed, so you could probably just as well
leave the securelevel alone at -1 and run like that, unless you have
some specific reason to use level 0 exactly.

If you want to run at a securelevel greater than 0 then you should put
  kern_securelevel_enable=YES 
  kern_securelevel=2  (or whatever)
into /etc/rc.conf, otherwise just leave the securelevel alone (i.e.
don't set it in /etc/sysctl.)

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013 at student.uu.se
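
The init(8) rule quoted in the reply above, as an added example that is not part of the original thread: a shell function that predicts the securelevel a box ends up at after boot from the contents of sysctl.conf and rc.conf. The function names (conf_value, predict_securelevel) are hypothetical, the sample files are constructed, and it assumes both files are applied during boot, before init checks the level.

```shell
#!/bin/sh
# Added example (not from the original thread): predict the securelevel
# reached after boot from sysctl.conf and rc.conf contents.

# Print the last value assigned to key $1 in file $2, unquoted.
conf_value() {
    awk -F= -v k="$1" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "", $1) }
        $1 == k { v = $2 }
        END { gsub(/[" \t]/, "", v); print v }' "$2"
}

# $1 = sysctl.conf path, $2 = rc.conf path. Assumption: both files are
# applied during boot, before init checks the level on going multi-user.
predict_securelevel() {
    level=-1    # default value, per the reply above
    from_sysctl=$(conf_value kern.securelevel "$1")
    rc_enable=$(conf_value kern_securelevel_enable "$2")
    rc_level=$(conf_value kern_securelevel "$2")
    # The level cannot be reduced, so a setting only applies if it is higher.
    if [ -n "$from_sysctl" ] && [ "$from_sysctl" -gt "$level" ]; then
        level=$from_sysctl
    fi
    case "$rc_enable" in
        [Yy][Ee][Ss])
            if [ -n "$rc_level" ] && [ "$rc_level" -gt "$level" ]; then
                level=$rc_level
            fi ;;
    esac
    # init(8): a level of exactly 0 is raised to 1 before going multi-user.
    if [ "$level" -eq 0 ]; then level=1; fi
    echo "$level"
}

# Constructed sample input modelled on the files quoted in the thread.
demo_dir=$(mktemp -d)
printf 'net.inet.tcp.blackhole=2\nkern.securelevel=0\n' > "$demo_dir/sysctl.conf"
printf 'kern_securelevel_enable="NO"\nkern_securelevel="0" \n' > "$demo_dir/rc.conf"
echo "predicted securelevel: $(predict_securelevel "$demo_dir/sysctl.conf" "$demo_dir/rc.conf")"
rm -rf "$demo_dir"
```

With kern.securelevel=0 in sysctl.conf the prediction is 1, matching the boot message in the subject line; with that line removed it stays at -1.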

