74razor
Flight Engineer

Unable to reset the root password when disabling SELinux

I found a few other threads about resetting the root password but none that is specific to my issue. So here goes. 

I am on Virtualbox version 6.130 and running RHEL8.4. I am going through a certification guide that wants me to reset the root password while disabling SELinux. These are the steps I follow:

Edit the kernel entry by deleting 'rhgb quiet' and adding 'rd.break enforcing=0'.

chroot /sysroot

mount -o remount, rw /

whoami

passwd

exit

reboot

My VM then reboots, but sits at a blank, black screen with a flashing cursor. I've let it sit for over 20 minutes. If I follow the procedure without the 'enforcing=0', and add 'touch .autorelabel' to my process, then everything boots up fine. I can log in and use root with the updated password. The book I am using is 'RHCSA Red Hat Enterprise Linux 8: Training and Exam Preparation Guide' by Asghar Ghori. There is a lab in the book about resetting the root password while disabling SELinux. However, the steps in the chapter don't mention how to disable it. So I am following the instructions in the book, and found the 'enforcing=0' info from the RHEL documentation on the web site. What am I missing?

Accepted Solutions
UWillC
Mission Specialist

I did a similar procedure to reset the root password and followed these steps to make it successful. Maybe it was not stated clearly in the book that the context must be restored for the password file. Try the following...

  1. hit E in GRUB boot
  2. go to the line with boot option and remove everything up to rhgb and put rd.break enforcing=0
  3. Ctrl+X
  4. # mount -o remount,rw /sysroot
  5. # chroot /sysroot
  6. # passwd
  7. provide new password for root user
  8. # exit
  9. # mount -o remount,ro /sysroot
  10. # exit
  11. Restore the context of the file /etc/shadow
    1. # restorecon -v /etc/shadow
    2. # setenforce 1
  12. Reboot

This procedure worked for me but I am using the one with .autorelabel - it is faster and has fewer steps to complete the root reset.

74razor
Flight Engineer

Thank you @UWillC, your process seems to work for me! I am just nervous about the exam and want to make sure I have this process down.

Tracy_Baker
Starfighter

@74razor 

It doesn't reboot because the system cannot read the /etc/shadow file (which contains the users' passwords) -- it has no SELinux context on it.

When you break the grub boot process, SELinux does not load. When you run the passwd command in emergency mode, the /etc/shadow file gets clobbered and recreated and, because SELinux is not loaded, no SELinux context is applied to the file.

To fix this, you have to create the /.autorelabel file before you reboot the system. (There are other ways, but I find this to be the easiest.)

-----------

Here are the concise instructions I give my students. I just did it on my own system - to verify it works under the latest release.

1. Stop the boot process by pressing any key during the grub bootloader. I like to use cursor up / down. Select the kernel you want to load / edit (usually the first one listed).

2. Press e to edit

3. Cursor down to the line that begins with linux (linux16 before RHEL 8)

4. Press the End key on the keyboard to go to the end of the line. Enter in this text: rd.break

NOTE: There may be information that needs to be removed, such as console and / or vconsole directives (i.e.: console=tty or console=ttyS0,115200n8) -- this would be mostly true under certain virtual machine installations.

5. Press Ctrl-x

6. At the switch_root:/# prompt enter: mount -oremount,rw /sysroot

7. At the switch_root:/# prompt enter: chroot /sysroot

8. At the sh-4.4# prompt enter: passwd root

9. At the sh-4.4# prompt enter: touch /.autorelabel

10. At the sh-4.4# prompt enter: exit

11. At the switch_root:/# prompt enter: exit

At this point the system will reboot and relabel the SELinux contexts on files as needed (including on /etc/shadow). It may reboot a second time.

Once finished, use the new root password to log in.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
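
A post-reset check for the condition described in this thread, added here as an example (not posted by any participant): it classifies the SELinux context of /etc/shadow and flags temporary boot parameters still on the kernel command line. The function names, the `--live` switch and the sample values are assumptions made for the example; `selinux=0` is checked alongside the thread's `rd.break` and `enforcing=0`.

```shell
#!/bin/sh
# Constructed sample values (not captured from a real host).
SAMPLE_GOOD='system_u:object_r:shadow_t:s0'
SAMPLE_BAD='system_u:object_r:unlabeled_t:s0'
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,msdos1)/vmlinuz root=/dev/mapper/rhel-root ro rd.break enforcing=0'

# Classify a context string as printed by `stat -c %C /etc/shadow`.
# shadow_t is the type the targeted policy assigns to /etc/shadow.
# Prints: ok | unlabeled | wrong:<type>
classify_shadow_context() (
    # A context is user:role:type:level; anything else means no label.
    if ! printf '%s\n' "$1" | grep -Eq '^[^:]+:[^:]+:[^:]+:.+$'; then
        echo unlabeled; return 0
    fi
    type=$(printf '%s\n' "$1" | cut -d: -f3)
    case $type in
        shadow_t)    echo ok ;;
        unlabeled_t) echo unlabeled ;;
        *)           echo "wrong:$type" ;;
    esac
)

# Print the boot parameters that should not survive into a normal boot.
risky_boot_params() (
    set -f; found=""   # set -f: split the line into words without globbing
    for p in $1; do
        case $p in
            rd.break|enforcing=0|selinux=0) found="$found${found:+ }$p" ;;
        esac
    done
    echo "$found"
)

# Args: context, kernel command line, "yes" if /.autorelabel exists.
# Returns 0 for a clean post-reset state, 1 if something needs fixing.
audit_reset() (
    state=$(classify_shadow_context "$1"); params=$(risky_boot_params "$2"); rc=0
    if [ "$state" = ok ]; then echo "shadow: ok"
    elif [ "$3" = yes ]; then echo "shadow: $state, relabel pending on next boot"
    else echo "shadow: $state and no /.autorelabel, restore the context"; rc=1
    fi
    [ -z "$params" ] || { echo "boot: temporary parameters present: $params"; rc=1; }
    return $rc
)

if [ "${1:-}" = "--live" ]; then   # run against this host instead of the samples
    [ -e /.autorelabel ] && pending=yes || pending=no
    audit_reset "$(stat -c %C /etc/shadow 2>/dev/null)" "$(cat /proc/cmdline)" "$pending"
fi
```

Run with `--live` as root after the first normal boot; a non-zero exit status means /etc/shadow is still unlabelled or the boot line was not restored.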
74razor
Flight Engineer

Thank you for the reply! In my lab book, it says to change the root password while disabling SELinux. However, the guide doesn't specifically say how to do that. When going through the RHEL8 documentation, I found that the 'enforcing=0' kernel parameter disables SELinux.

You mention that when you break the GRUB process, that SELinux does not load. So is 'enforcing=0' even needed in this case? Your process works perfectly, I just want to make sure I have this down for the exam.

UWillC
Mission Specialist

There is no need to disable SELinux; this is just another way to reset the root password, and I am using this one. In case you forget which file should be created, use...

man selinux

While in the manual, use the search option / and just type .auto, and you will jump to the section where it is clearly stated that...

The best way to relabel the file system is to create the flag file /.autorelabel and reboot.

The process of relabelling the file system takes a while, so do not panic and just wait for the process to complete.

Tracy_Baker
Starfighter

@74razor 

Since SELinux is not loaded, enforcing=0 doesn't do anything. SELinux isn't loaded because you broke the boot process using rd.break.

Now, enforcing=0 would disable SELinux if you did not use rd.break. There may be times when you want to boot the system without SELinux loaded. It probably shouldn't be used unless required - perhaps for troubleshooting purposes.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
74razor
Flight Engineer

Great, thanks for clearing that up @Tracy_Baker. Appreciate the knowledge share as always.

JustinP
Flight Engineer

BTW: A step-by-step method is taught in RH134 & RH199 :)

--
Sr. Solution Architect
Red Hat - NA - ISVs