From: Darrel
To: Chuck Swiger
Cc: questions@freebsd.org
Date: Sun, 19 Nov 2006 17:00:52 -0500 (EST)
Subject: Re: system updates, as affected by securelevel

On Sun, 19 Nov 2006, Chuck Swiger wrote:

> Darrel wrote:
>> With OpenBSD securelevel=2 I can install a kernel, make build, and
>> install programs which are compiled using Systrace.
>>
>> What is the highest securelevel that I can configure on RELENG_6_2
>> which will not affect compiling and installing; e.g., perhaps not
>> much local difference but having to reboot for a firewall change?
>> This installation is new and the AUDIT option will be in the kernel.
>
> securelevel = 0.
>
> Because the kernel is installed using the schg flag: if you have securelevel
> set to 1 or higher, you will not be able to over-write the kernel without
> rebooting into single-user mode.  See "man init" for details.
>
> [ Of course, reinstalling the kernel and/or world is something which you are
> encouraged to do under single-user mode... ]
>

Thanks, Chuck.

Excepting my amd64 the computers are servers at work, so I will use
'securelevel = 0' to facilitate system upgrades while "up"- only
shutting down now for install world.

6.2 rc1 'install world' failed on my amd64. I can csup next month and
try out 'securelevel = 3' on that. Probably build the world, etc.,
installkernel, mergemaster and installworld could all be run from
single user then.

Darrel
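
The check described in the thread, as an added example that is not part of the original messages: a pre-flight script that reports whether the schg flag on the kernel can still be cleared at the current securelevel. The function names, the /boot/kernel/kernel path and the sample `ls -lo` lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before installing a kernel on FreeBSD.
# Function names are hypothetical; the sample lines below are constructed.

# Print the file-flags column (field 5) of one `ls -lo` output line.
flags_from_ls() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Return 0 if FLAGS (comma-separated) contains the system-immutable flag.
has_schg() {
    case ",$1," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print a verdict for a securelevel and an `ls -lo` line for the kernel.
verdict() {
    level=$1
    flags=$(flags_from_ls "$2")
    if ! has_schg "$flags"; then
        echo "ok: kernel file is not schg"
    elif [ "$level" -ge 1 ]; then
        echo "blocked: schg cannot be cleared at securelevel $level"
    else
        echo "ok: schg can be cleared at securelevel $level"
    fi
}

# Constructed samples (not taken from a real host).
SAMPLE_SCHG='-r-xr-xr-x  1 root  wheel  schg 5939296 Nov 19 17:00 /boot/kernel/kernel'
SAMPLE_NONE='-r-xr-xr-x  1 root  wheel  - 5939296 Nov 19 17:00 /boot/kernel/kernel'

# On a FreeBSD host, check the live values (path is an assumption).
if [ "$(uname -s)" = "FreeBSD" ]; then
    verdict "$(sysctl -n kern.securelevel)" "$(ls -lo /boot/kernel/kernel)"
fi
```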