I wrote:
 > > Yes!  Securelevel can be patched with a trivial program even when
 > > originally in bss.  The kernel needs to be immutable to avoid this.

 Matthieu wrote:
 > And so need the 'rc' scripts. If you can modify them, you can load a
 > LKM that patches securelevel or otherwise defeats it (like the i386
 > XFree86 aperture driver that I wrote...). 

Ah.  It follows then that _every_ binary and script run in single user mode
must be immutable, or there's little point to having securelevel 1.

Gack.
Jaime