From owner-freebsd-questions  Sun Apr 22  8:16:22 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-26-235-186.mmcable.com [65.26.235.186])
	by hub.freebsd.org (Postfix) with SMTP id 436D137B423
	for <questions@freebsd.org>; Sun, 22 Apr 2001 08:16:18 -0700 (PDT)
	(envelope-from mwm@mired.org)
Received: (qmail 54386 invoked by uid 100); 22 Apr 2001 15:16:16 -0000
From: Mike Meyer <mwm@mired.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15074.62912.928381.243674@guru.mired.org>
Date: Sun, 22 Apr 2001 10:16:16 -0500
To: "J. Seth Henry" <jshenry@net-noise.com>
Cc: questions@freebsd.org
Subject: Re: FBSD 4.2 security settings
In-Reply-To: <67112722@toto.iv>
X-Mailer: VM 6.90 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG%
 *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

J. Seth Henry <jshenry@net-noise.com> types:
> Hello all,
> I recently upgraded to 4.2-RELEASE, and I accepted the default "medium"
> security. All was well until I tried loading a kernel module, and running X.
> I discovered that medium security implies a kernel security level of 1,
> instead of 0. Does anyone know where this is stored? I changed the value in
> rc.conf from 1 to 0, and now I get two messages (almost sequentially)
> Changing kern.securelevel from -1 -> 0
> Changing kern.securelevel from 0 -> 1

FWIW, the installtion security profiles are described at <URL:
http://www.freebsd.org/doc/en_US.ISO_8859-1/books/faq/install.html#AEN1151
>.

> If I turn the setting off, it stays at -1. I thought about just leaving it
> disabled and writing a script that runs from rc.d that sets it explicitly,
> but I would like to know how to fix it the "right" way.

According to the rc.conf man page, you should set
kern_securelevel_enable to enable it, and kern_securelevel to the
value it should be set to. If that's what you did, possibly something
else set the secure level elsewhere. You might try grepping for
securelevel in /etc/rc* to see if you can find it.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message