I have recently been thinking about the trade-offs involved in running servers at securelevel 2. In securelevel 2, it is possible to mount an MFS over an arbitrary disk directory and create arbitrary files in it, including ones that have the system immutable flag set in the original (disk) filesystem. This would essentially allow an attacker to circumvent the system immutable flag until reboot.

My question is then this: what is the rationale, if any, for allowing mount_mfs in securelevel 2? Not that it is a big deal (as MFS can be disabled in the kernel, IIRC); I am just wondering whether I am perhaps misunderstanding the concept of securelevel and the protections it provides. I searched both the mailing list archives and Google, but couldn't find anything relevant. Feel free to point me to earlier discussions on the subject, if there were any.

Thanks,
Roman Rodyakin
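A detection-side check for the shadowing described in the mail, added here as an example and not part of the original post: it takes the line format of OpenBSD's `mount` output (assumed) and a list of schg-flagged paths, both constructed inline, and reports every immutable file that now sits underneath an mfs mount point.

```shell
#!/bin/sh
# Added example, not from the original mail. Detects immutable (schg)
# files on the disk filesystem that are hidden by a memory filesystem
# mounted over their directory. Sample inputs below are constructed; on
# a real host you would feed it `mount` and `find / -flags schg` output.

# Constructed `mount` output (OpenBSD format assumed): two mfs mounts.
MOUNTS='/dev/sd0a on / type ffs (local)
mfs:12345 on /etc type mfs (asynchronous, local, nodev, nosuid)
/dev/sd0d on /usr type ffs (local, nodev)
mfs:12346 on /tmp type mfs (asynchronous, local, nodev, nosuid)'

# Constructed list of paths carrying the schg flag on the disk filesystem.
IMMUTABLE='/etc/rc.securelevel
/etc/ssh/sshd_config
/usr/bin/login
/bin/sh'

# Print the mount point of every mfs mount, one per line.
# Field 5 of each `mount` line is the filesystem type.
mfs_mountpoints() {
    printf '%s\n' "$1" | awk '$5 == "mfs" { print $3 }'
}

# Print each immutable path that lies under an mfs mount point, i.e.
# a path whose on-disk schg protection is no longer what processes see.
shadowed_immutables() {
    mounts="$1"; files="$2"
    mfs_mountpoints "$mounts" | while IFS= read -r mp; do
        printf '%s\n' "$files" | while IFS= read -r f; do
            # Strip a trailing slash so an mfs on "/" still matches "/x".
            case "$f" in
                "${mp%/}"/*) printf '%s shadowed by mfs on %s\n' "$f" "$mp" ;;
            esac
        done
    done
}

shadowed_immutables "$MOUNTS" "$IMMUTABLE"
```

Run it from cron or an integrity check; a non-empty result means a reboot (or unmount, where securelevel permits) is needed before the on-disk immutable copies are what the system actually uses.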