diff --git a/sbin/init/init.8 b/sbin/init/init.8 index 374f2a4b8030..0fed890d29b9 100644 --- a/sbin/init/init.8 +++ b/sbin/init/init.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: init.8,v 1.28 2003/08/07 10:04:25 agc Exp $ +.\" $NetBSD: init.8,v 1.29 2003/10/12 04:14:56 tls Exp $ .\" .\" Copyright (c) 1980, 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -131,6 +131,29 @@ The kernel runs with four different levels of security. Any superuser process can raise the security level, but only .Nm can lower it. +.Pp +The security level mechanism is intended to allow the administrator to +protect the persistent code and data on the system, or a subset thereof, +from modification, even by the superuser. In order for this protection +to be effective, the administrator must ensure that no program that is +run while the security level is 0 or lower, nor any data or configuration +file used by any such program, can be modified while the security level +is greater than 0. This may be achieved through the careful use of the +"immutable" file flag to define and protect a Trusted Computing Base +(TCB) consisting of all such programs and data, or by ensuring that all +such programs and data are on filesystems that are mounted read-only +and running at security level 2 or higher. +.Sy Particular care must be taken to ensure, if relying upon +.Sy security level 1 and the use of file flags, that the integrity of the +.Sy TCB cannot be compromised through the use of modifications to the +.Sy disklabel or access to overlapping disk partitions, including the +.Sy raw partition. +.Pp +Do not overlook the fact that shell scripts (or anything else fed to an +interpreter, through any mechanism) and the kernel itself are "programs +that run while the security level is 0" and must be considered part of +the TCB. +.Pp Security levels are defined as follows: .Bl -tag -width flag .It Ic -1 
@@ -355,3 +378,10 @@ command appeared in Systems without .Xr sysctl 8 behave as though they have security level \-1. +.Pp +The security level 2 restrictions relating to TCB integrity protection +should be enforced at security level 1. Restrictions dependent upon +security level but not relating to TCB integrity protection should be +selected by +.Xr sysctl 8 +settings available only at security level 0 or lower.
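Review bot: in the hunk at -131,6 the scope of the TCB is stated two different ways: the first new paragraph covers programs "run while the security level is 0 or lower", while the closing paragraph says "programs that run while the security level is 0"; make both read "0 or lower" so that the kernel and anything started at level -1 are unambiguously included. Style points in the same hunk: the literal double quotes around "immutable" and around "programs that run while the security level is 0" should use the mdoc .Dq macro rather than ASCII quotes, and the five consecutive .Sy lines (".Sy Particular care must be taken to ensure, if relying upon" through ".Sy raw partition.") turn one whole sentence bold and are awkward to maintain; emphasise a single phrase, or drop .Sy and set the warning off with .Pp instead. Since the paragraph tells the administrator to rely on the immutable flag, the disklabel and the raw partition, add cross-references such as ".Xr chflags 1" and ".Xr disklabel 8" so the reader can find the tools that set and inspect those.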
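Review bot: the hunk at -355,3 is written as a recommendation ("should be enforced at security level 1", "should be selected by .Xr sysctl 8 settings") rather than as a description of what the system does, and it never names which security level 2 restrictions it regards as "relating to TCB integrity protection"; a reader cannot tell whether this describes current behaviour or a known shortcoming. State explicitly whether the current implementation does this, and list or cross-reference the specific level 2 restrictions meant, so the reader can connect this paragraph to the earlier advice that level 1 with file flags needs "particular care" while read-only filesystems at "security level 2 or higher" do not.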