FreeBSD kernel doesn't allow any process to decrease securelevel. So,

init(8) cannot decrease securelevel.  The manual page explains this
and single_user() doesn't try to downgrade kernel to insecure mode.

Reviewed by:	bde (manual page)

2 files changed, 1 insertions, 8 deletions

diff --git a/sbin/init/init.8 b/sbin/init/init.8
index e7aa9ac..d779c0e 100644
--- a/sbin/init/init.8
+++ b/sbin/init/init.8
@@ -92,8 +92,7 @@ is marked as
 .Dq secure .
 .Pp
 The kernel runs with four different levels of security.
-Any super-user process can raise the security level, but only 
-.Nm
+Any super-user process can raise the security level, but no process
 can lower it.
 The security levels are:
 .Bl -tag -width flag
diff --git a/sbin/init/init.c b/sbin/init/init.c
index 0e87093..75287b5 100644
--- a/sbin/init/init.c
+++ b/sbin/init/init.c
@@ -623,12 +623,6 @@ single_user()
 	char altshell[128];
 #endif
 
-	/*
-	 * If the kernel is in secure mode, downgrade it to insecure mode.
-	 */
-	if (getsecuritylevel() > 0)
-		setsecuritylevel(0);
-
 	if (Reboot) {
 		/* Instead of going single user, let's reboot the machine */
 		sync();