On Wed, Mar 10, 2004 at 04:10:45AM +1100, Jacob Tracey wrote:
> i can't for the life of me understand why this box won't go into securelevel
> 0. i've messed with everything i could think of yet at boot time after
> everything i get this message: init: kernel security level changed from 0 to
> 1.
>
> any ideas? thanks,
> jacob
>
> [relevant files]
>
> police# cat /etc/sysctl.conf
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> kern.ps_showallprocs=0
> kern.securelevel=0
>
> police# cat /etc/rc.conf
> # network init
> hostname="police.rv5.net"
> ifconfig_fxp0="inet 192.168.1.50 netmask 255.255.255.0"
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> gateway_enable="YES"
>
> kern_securelevel_enable="NO"
> kern_securelevel="0"

You didn't read the manpage for init(8) which states quite clearly that

    If the security level is initially nonzero, then init leaves it
    unchanged. Otherwise, init raises the level to 1 before going
    multi-user for the first time. Since the level cannot be reduced,
    it will be at least 1 for subsequent operation, even on return to
    single-user.

If you actually want to run at securelevel 0 you will have to leave the
securelevel at its default value of -1 during the boot process, and
then change the securelevel to 0 after entering multiuser mode.

Note that there is no difference between securelevels -1 and 0 in terms
of what operations are allowed, so you could probably just as well
leave the securelevel alone at -1 and run like that, unless you have
some specific reason to use level 0 exactly.

If you want to run at a securelevel greater than 0 then you should put

    kern_securelevel_enable=YES
    kern_securelevel=2 (or whatever)

into /etc/rc.conf, otherwise just leave the securelevel alone (i.e.
don't set it in /etc/sysctl.)

--
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
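
The behaviour discussed in this thread, as an added example that is not part of either message or of FreeBSD's own scripts: a shell sketch that reads a sysctl.conf and an rc.conf and predicts the securelevel the box reaches once multi-user. The function names, the scratch files and the boot model stated in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: predict the securelevel a box ends up at after boot.
# Assumed model: the kernel starts at -1, rc applies kern.securelevel from
# sysctl.conf and (if enabled) kern_securelevel from rc.conf, a level can
# only be raised, and init then applies the init(8) rule quoted above.

# last_value FILE KEY: value of the last KEY=... line, quotes and comments stripped
last_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'" |
        sed -e 's/#.*$//' -e 's/[[:space:]]*$//'
}

# raise CURRENT WANTED: the higher of the two, since levels never go down
raise() {
    if [ "$2" -gt "$1" ]; then echo "$2"; else echo "$1"; fi
}

# predict_securelevel SYSCTL_CONF RC_CONF: level once the system is multi-user
predict_securelevel() {
    level=-1
    v=$(last_value "$1" 'kern\.securelevel')
    if [ -n "$v" ]; then level=$(raise "$level" "$v"); fi
    case $(last_value "$2" kern_securelevel_enable) in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
            v=$(last_value "$2" kern_securelevel)
            if [ -n "$v" ]; then level=$(raise "$level" "$v"); fi ;;
    esac
    # init(8): 0 is raised to 1 before going multi-user; nonzero is left unchanged
    if [ "$level" -eq 0 ]; then level=1; fi
    echo "$level"
}

# demo: the securelevel settings from the original post, written to scratch files
demo() {
    d=$(mktemp -d) || return 1
    printf 'kern.securelevel=0\n' > "$d/sysctl.conf"
    printf 'kern_securelevel_enable="NO"\nkern_securelevel="0"\n' > "$d/rc.conf"
    predict_securelevel "$d/sysctl.conf" "$d/rc.conf"
    rm -rf "$d"
}

echo "predicted securelevel for the posted config: $(demo)"
```

On a running system, `sysctl kern.securelevel` shows the actual value to compare against.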