der Mouse wrote:

> Rather, I read it as having knobs for x, y, and z in the kernel;
> additionally, kern.securelevel, a set-only variable, would, when set,
> raise the knobs for x, y, and z.  There would be no single kernel
> variable corresponding to kern.securelevel; it would not exist in any
> form that could be checked against.

exactly.

> If we want to continue to support reading kern.securelevel, the read
> routine for it would have to take the minimum of all the relevant
> variables.  I don't see that as a big deal.

that's exactly the bit i'm still trying to figure out -- it's obvious
that we keep it for keeping things as they are, and it's obvious we
get rid of it for having only the per-setting knobs.

however, if we choose to implement the hybrid scheme i described, how
should kern.securelevel be represented? can it?

-e.

-- 
Elad Efrat