The multilabel flag does not stay enabled on my root (/) partition!

The following steps may resolve this transient error:

After establishing a secure environment with MAC, I am no longer able to start Xorg!

This could be caused by the MAC partition policy or by a mislabeling in one of the MAC labeling policies. To debug, try the following:

The error: _secure_path: unable to stat .login_conf shows up.

When a user attempts to switch from the root user to another user in the system, the error message _secure_path: unable to stat .login_conf appears.

This message is usually shown when the user has a higher label setting than that of the user they are attempting to become. For instance, joe has a default label of biba/low. The root user, who has a label of biba/high, cannot view joe's home directory. This will happen whether or not root has used su to become joe as the Biba integrity model will not permit root to view objects set at a lower integrity level.

The system no longer recognizes the root user.

In normal or even single user mode, the root is not recognized, whoami returns 0 (zero), and su returns who are you?.

This can happen if a labeling policy has been disabled, either by a sysctl(8) or the policy module was unloaded. If the policy is disabled, the login capabilities database needs to be reconfigured with label removed. Double check login.conf to ensure that all label options have been removed and rebuild the database with cap_mkdb.

This may also happen if a policy restricts access to master.passwd. This is usually caused by an administrator altering the file under a label which conflicts with the general policy being used by the system. In these cases, the user information would be read by the system and access would be blocked as the file has inherited the new label. Disable the policy using sysctl(8) and everything should return to normal.