Re: securelevel 2
On Mon, 23 Apr 2001, Theo de Raadt wrote:
> > If you are running an X server, setting your securelevel to 2
> > will give you problems because X server needs to open /dev/mem
> > and /dev/kmem for writing, and securelevel of 2 prevents doing so.
> This is wrong. See xf86(4).

I have already set up the machine with a new kernel, which included
XSERVER and APERTURE options. I also set machdep.allowaperture to 1 in
/etc/sysctl.conf.

Is this a question of where X should be started? From what I have learned
so far, xdm will get started by rc, and then X will be started (by rc,
knowing that xdm has been asked for?). The problem is that xdm and X
(specifically X, but that depends on xdm) need to be started before
raising the securelevel to 2.

The next question is, what happens if I start X, raise the securelevel to
2, then log out of X. IIRC, the X server gets restarted, which would lead
to the same problem as I am already facing. (Although I'm happy to admit
not being sure about this).

In answer to the first reply I received, saying something like "why would
you want to run in securelevel 2 and have a gui". Well, why the heck
not? Surely I'm not the first fool to try this. A slightly more sensible
answer would be to tell you about LIDS, the Linux Intrusion Detection
System, and tell you that that is on my desktop machine. I would also go
on at length about mandatory access control, limiting what damage can be
done if a root compromise occurred, and so on. I'm also trying to see how
secure a system can be while still being usable.

As an aside, are there any plans for MAC for OpenBSD, or is the plan just
to never need them?

thanks again,
rik