Clarify the handling of the securelevel.

PR:		20974

1 files changed, 13 insertions, 8 deletions

diff --git a/sbin/init/init.8 b/sbin/init/init.8
index 7c2fc1e..9604f7b 100644
--- a/sbin/init/init.8
+++ b/sbin/init/init.8
@@ -93,6 +93,8 @@ is marked as
 .Pp
 The kernel runs with four different levels of security.
 Any super-user process can raise the security level, but no process
+(including
+.Nm Ns )
 can lower it.
 The security levels are:
 .Bl -tag -width flag
@@ -134,21 +136,24 @@ cannot be changed and
 configuration cannot be adjusted.
 .El
 .Pp
-If the security level is initially -1, then
+If the security level is initially nonzero, then
 .Nm
 leaves it unchanged.
 Otherwise,
 .Nm
-arranges to run the system in level 0 mode while single-user
-and in level 1 mode while multi-user.
-If level 2 mode is desired while running multi-user,
-it can be set while single-user, e.g., in the startup script
-.Pa /etc/rc ,
+raises the level to 1 before going multi-user for the first time.
+No process, including
+.Nm
+itself,
+can reduce the level, even on return to single-user.
+If a level higher than 1 is desired while running multi-user,
+it can be set before going multi-user, e.g., by the startup script
+.Xr rc 8 ,
 using
-.Xr sysctl 8 
+.Xr sysctl 8
 to set the 
 .Dq kern.securelevel
-variable to the required security level.  
+variable to the required security level.
 .Pp
 In multi-user operation, 
 .Nm