Remove securelevel-related text from init(8) man-page as they're now in

secmodel_bsd44(9). I'm not sure I agree with the BUGS section, but for now move it to secmodel_bsd44(9) as well.
2006-09-15 20:20:06 +00:00 · 2006-09-15 20:20:06 +00:00 · 172a3fa471
commit 172a3fa471
parent 324633bc37
2 changed files with 16 additions and 106 deletions
--- a/sbin/init/init.8
+++ b/sbin/init/init.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: init.8,v 1.41 2006/09/15 20:11:13 wiz Exp $
+.\"	$NetBSD: init.8,v 1.42 2006/09/15 20:20:06 elad Exp $
 .\"
 .\" Copyright (c) 1980, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -167,98 +167,6 @@ Type of the node is string capable of holding full pathname, and
 is only accessible by the superuser (unless explicitly destroyed
 and re-created with different specification).
 .Pp
-The kernel runs with four different levels of security.
-Any superuser process can raise the security level, but only
-.Nm
-can lower it.
-.Pp
-The security level mechanism is intended to allow the administrator
-to protect the persistent code and data on the system, or a subset
-thereof, from modification, even by the superuser.
-In order for this protection to be effective, the administrator
-must ensure that no program that is run while the security level
-is 0 or lower, nor any data or configuration file used by any such
-program, can be modified while the security level is greater than
-0.
-This may be achieved through the careful use of the
-.Dq immutable
-file flag to define and protect a Trusted Computing Base (TCB)
-consisting of all such programs and data, or by ensuring that all
-such programs and data are on filesystems that are mounted read-only
-and running at security level 2 or higher.
-.Em Particular care must be taken to ensure, if relying upon
-.Em security level 1 and the use of file flags, that the integrity of the
-.Em TCB cannot be compromised through the use of modifications to the
-.Em disklabel or access to overlapping disk partitions, including the
-.Em raw partition .
-.Pp
-Do not overlook the fact that shell scripts (or anything else fed to an
-interpreter, through any mechanism) and the kernel itself are "programs
-that run while the security level is 0" and must be considered part of
-the TCB.
-.Pp
-Security levels are defined as follows:
-.Bl -tag -width flag
-.It Ic -1
-Permanently insecure mode \- always run system in level 0 mode.
-.It Ic 0
-Insecure mode \- immutable and append-only flags may be changed.
-All devices may be read or written subject to their permissions.
-.It Ic 1
-Secure mode \- system immutable and system append-only flags may not
-be turned off; disks for mounted filesystems,
-.Pa /dev/mem ,
-and
-.Pa /dev/kmem
-are read-only.
-.It Ic 2
-Highly secure mode \- same as secure mode, plus disks are always
-read-only whether mounted or not, new disks may not be mounted,
-and existing mounts may only be downgraded from read-write to read-only.
-This level precludes tampering with filesystems by unmounting them,
-but also inhibits running
-.Xr newfs 8
-while the system is multi-user.
-.Pp
-The
-.Xr settimeofday 2
-system call can only advance the time.
-.Pp
-The state of
-.Xr ipf 8
-(the in-kernel IP filtering facility) may not be changed.
-.Pp
-Users may not change the per-process core name template format, only the
-default can be changed.
-.Pp
-Downgrading from highly secure mode to insecure mode (that is, to single-user
-mode) always requires the root password to be entered on the console, whether
-the console is marked as
-.Dq secure
-in
-.Pa /etc/ttys
-or not.
-.El
-.Pp
-Normally, the system runs in level 0 mode while single user
-and in level 1 mode while multi-user.
-If the level 2 mode is desired while running multi-user,
-it can be set in the startup script
-.Pa /etc/rc
-using
-.Xr sysctl 8 .
-If it is desired to run the system in level 0 mode while multi-user,
-the administrator must build a kernel with
-.Sy options INSECURE
-in the kernel configuration file, which initializes the kernel's
-.Va securelevel
-variable to -1.
-See
-.Xr config 1
-and
-.Xr options 4
-for details.
-.Pp
 In multi-user operation,
 .Nm
 maintains
@ -441,20 +349,10 @@ device driver because of a persistent device error condition.
 .Xr rc 8 ,
 .Xr reboot 8 ,
 .Xr shutdown 8 ,
-.Xr sysctl 8
+.Xr sysctl 8 ,
+.Xr secmodel_bsd44 9
 .Sh HISTORY
 A
 .Nm
 command appeared in
 .At v6 .
-.Sh BUGS
-Systems without
-.Xr sysctl 8
-behave as though they have security level \-1.
-.Pp
-The security level 2 restrictions relating to TCB integrity protection
-should be enforced at security level 1.
-Restrictions dependent upon security level but not relating to TCB
-integrity protection should be selected by
-.Xr sysctl 8
-settings available only at security level 0 or lower.
--- a/share/man/man9/secmodel_bsd44.9
+++ b/share/man/man9/secmodel_bsd44.9
@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel_bsd44.9,v 1.2 2006/09/15 20:15:33 wiz Exp $
+.\" $NetBSD: secmodel_bsd44.9,v 1.3 2006/09/15 20:20:06 elad Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 .\" All rights reserved.
@ -184,5 +184,17 @@ the TCB.
 .Sh SEE ALSO
 .Xr kauth 9 ,
 .Xr secmodel 9
+.SH BUGS
+.Sh BUGS
+Systems without
+.Xr sysctl 8
+behave as though they have security level \-1.
+.Pp
+The security level 2 restrictions relating to TCB integrity protection
+should be enforced at security level 1.
+Restrictions dependent upon security level but not relating to TCB
+integrity protection should be selected by
+.Xr sysctl 8
+settings available only at security level 0 or lower.
 .Sh AUTHORS
 .An Elad Efrat Aq elad@NetBSD.org