From: "Ian P. Thomas"
To: neil@darlow.co.uk (Neil Darlow)
Cc: freebsd-questions@freebsd.org
Subject: Re: Disabling kern.securelevel?
Date: Wed, 6 Jun 2001 07:38:20 -0400 (EDT)
Message-Id: <200106061138.HAA00505@scarlet.my.domain>
In-Reply-To: <20010606.11174600@ideal.darlow.co.uk>

I ran into the same issue. It's good that a higher secure level makes changing certain files (for example, the kernel) impossible, but if it is your own box, then this can really get in the way if you recompile your kernel often.

Two solutions, possibly (for kernels, that is). Boot into single user and then back into the system after commenting out the appropriate comments in rc.conf. This is much faster than a full reboot. Move the new kernel you compiled into the / directory by hand and give it another descriptive name. You would have to reboot to use it anyway, but at least you should be able to leave the secure level alone. I haven't tried the last one but it seems plausible.

Good luck.
Ian

In the last episode, Neil Darlow stated...

> Hi,
>
> I understand the benefits of running with kern.securelevel > 0 but
> I am finding that it gets in the way when applying patches.
>
> Is there any way, other than reboot, to change kern.securelevel back
> to 0?
>
> I've been doing some security updates recently and I've had to do
> the following:
>
> 1) Disable securelevel in /etc/rc.conf
> 2) Reboot
> 3) Install patches (for files with schg set)
> 4) Enable securelevel in /etc/rc.conf
> 5) Reboot
>
> Two reboots seems excessive. I can understand the need to do one if
> libc or the kernel has been updated.
>
> Is there another way?
>
> Regards,
> Neil Darlow.
>
> --
> 1024D/531F9048 1999-09-11 Neil Darlow
> Key fingerprint = 359D B8FF 6273 6C32 BEAA 43F9 E579 E24A 531F 9048
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
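Whether the reboot cycle described in this thread is needed depends on whether the patch touches a file that carries schg while kern.securelevel is above 0. The following sh pre-flight check is an added example, not part of the original thread: it reads `ls -lo` output and lists the files a patch could not replace. The listing is constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Pre-flight check before patching a host that runs with kern.securelevel > 0.
# At securelevel 1 and above the schg flag cannot be cleared, so a patch
# that replaces an schg file fails until the level is back at 0 or below.

# Constructed sample of `ls -lo` output; the file flags are the 5th column.
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg       3145728 Jun  6 07:00 /kernel
-r-xr-xr-x  1 root  wheel  schg,uarch  450560 Jun  6 07:00 /usr/lib/libc.so.4
-rw-r--r--  1 root  wheel  -             1024 Jun  6 07:00 /etc/rc.conf
-r-xr-xr-x  1 root  wheel  uchg         20480 Jun  6 07:00 /usr/local/bin/tool
EOF
}

# blocked_files LEVEL: read `ls -lo` lines on stdin and print the paths
# that cannot be replaced at that securelevel (schg set and LEVEL > 0).
blocked_files() {
    awk -v level="$1" '
        level > 0 && NF >= 10 {
            n = split($5, flags, ",")
            for (i = 1; i <= n; i++)
                if (flags[i] == "schg") {
                    path = $10
                    for (j = 11; j <= NF; j++) path = path " " $j
                    print path
                    break
                }
        }'
}

# patch_plan LEVEL: say whether the securelevel stands in the way of the patch.
patch_plan() {
    blocked=$(blocked_files "$1")
    if [ -z "$blocked" ]; then
        echo "not-blocked"
    else
        echo "securelevel-blocks:"
        echo "$blocked"
    fi
}

# Demo on the constructed listing. On a live system, feed real data instead:
#   ls -lo <files the patch replaces> | patch_plan "$(sysctl -n kern.securelevel)"
sample_listing | patch_plan 1
```

Files flagged only with uchg are not reported, because user flags can still be cleared by root at any securelevel.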