This section discusses common configuration errors and how to resolve them.
multilabel flag does not stay enabled on the root (
The following steps may resolve this transient error:
/etc/fstab and set the root partition to
Reboot into single user mode.
Reboot the system.
/ and change the
/etc/fstab and reboot the system again.
Double-check the output from
mount to ensure that
multilabel has been properly set on the root file system.
- After establishing a secure environment with MAC, Xorg no longer starts:
This could be caused by the MAC
partition policy or by a mislabeling in one of the MAC labeling policies. To debug, try the following:
Check the error message. If the user is in the
partition policy may be the culprit. Try setting the user's class back to the
default class and rebuild the database with
cap_mkdb. If this does not alleviate the problem, go to step two.
Double-check that the label policies are set correctly for the user, Xorg, and the
If neither of these resolves the problem, send the error message and a description of the environment to the FreeBSD general questions mailing list.
- The _secure_path: unable to stat .login_conf error appears:
This error can appear when a user attempts to switch from the
root user to another user in the system. This message usually occurs when the user has a higher label setting than that of the user they are attempting to become. For instance, if
joe has a default label of
root has a label of
joe's home directory. This will happen whether or not
joe as the Biba integrity model will not permit
root to view objects set at a lower integrity level.
- The system no longer recognizes
When this occurs,
su returns who are you?.
This can happen if a labeling policy has been disabled by sysctl(8) or the policy module was unloaded. If the policy is disabled, the login capabilities database needs to be reconfigured. Double-check
/etc/login.conf to ensure that all
label options have been removed and rebuild the database with
This may also happen if a policy restricts access to
master.passwd. This is usually caused by an administrator altering the file under a label which conflicts with the general policy being used by the system. In these cases, the user information would be read by the system and access would be blocked as the file has inherited the new label. Disable the policy using sysctl(8) and everything should return to normal.
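The two manual checks described in this section (confirming multilabel on the root file system in the mount output, and confirming that no label options remain in /etc/login.conf) can be scripted. The following is an added example, not part of the original text; the function names and the sample input are constructed for illustration.

```shell
# Added example. All sample input below is constructed.
# Reads `mount` output on stdin. Succeeds only if the file system
# mounted on / lists "multilabel" among its options.
root_has_multilabel() {
    awk '
        $2 == "on" && $3 == "/" {
            opts = $0
            sub(/^[^(]*\(/, "", opts)      # drop everything up to "("
            sub(/\).*$/, "", opts)         # drop ")" and what follows
            n = split(opts, o, /, */)
            for (i = 1; i <= n; i++) if (o[i] == "multilabel") ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}
# Reads login.conf text on stdin. Prints "N: text" for each uncommented
# line that still carries a label capability; succeeds only if none do.
login_conf_label_free() {
    awk '
        /^[ \t]*#/ { next }
        /:label=/  { sub(/^[ \t]+/, ""); print NR ": " $0; hits++ }
        END { exit (hits ? 1 : 0) }
    '
}
# Constructed samples (not from a real host).
sample_mount() {
    cat <<'EOF'
/dev/ada0p2 on / (ufs, local, soft-updates)
devfs on /dev (devfs)
/dev/ada0p4 on /usr (ufs, local, multilabel, soft-updates)
EOF
}
sample_login_conf() {
    cat <<'EOF'
default:\
    :welcome=/etc/motd:\
    :label=biba/high:
#   :label=mls/equal:
insecure:\
    :label=biba/low:\
    :tc=default:
EOF
}
sample_mount | root_has_multilabel || echo "root: multilabel NOT set"
sample_login_conf | login_conf_label_free || echo "label options remain"
```

On a live system the same functions can be fed with `mount | root_has_multilabel` and `login_conf_label_free < /etc/login.conf`.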