cancel
Showing results for 
Search instead for 
Did you mean: 
74razor
Flight Engineer
Flight Engineer
  • 12.2K Views

Unable to reset the root password when disabling SELinux

Jump to solution

I found a few other threads about resetting the root password but none that is specific to my issue. So here goes. 

I am on Virtualbox version 6.130 and running RHEL8.4. I am going through a certification guide that wants me to reset the root password while disabling SELinux. These are the steps I follow:

Edit the kernel entry by deleting 'rhgb quiet' to 'rd.break enforcing=0'. 

chroot /sysroot

mount -o remount, rw /

whoami

passwd

exit

reboot

My VM then reboots, but sits at a blank, black screen with a flashing cursor. I've let it sit for over 20 minutes. If I follow the procedure without the 'enforcing=0', and add 'touch .autorelabel' to my process, then everything boots up fine. I can log in and use root with the updated password. The book I am using is 'RHCSA Red Hat Enterprise Linux 8: Training and Exam Preparation Guide' by Asghar Ghori. There is a lab in the book about resetting the root password while disabling SELinux. However, the steps in the chapter don't mention how to disable it. So I am following the instructions in the book, and found the 'enforcing=0' info from the RHEL documentation on the web site. What am I missing?

1 Solution

Accepted Solutions
UWillC
Mission Specialist
Mission Specialist
  • 12K Views

I done similar procedure to reset root password and followed these steps to make this successfull, maybe it was not stated in the book clearly that context must be restored for password file, try following...

  1. hit E in GRUB boot
  2. go to the line with boot option and remove everything up to rhgb and put rd.break enforcing=0
  3. Ctrl+X
  4. # mount -o remount,rw /sysroot
  5. # chroot /sysroot
  6. # passwd
  7. provide new password for root user
  8. # exit
  9. # mount -o remount,ro /sysroot
  10. # exit
  11. Restore the context of the file /etc/shadow
    1. # restorecon -v /etc/shadow
    2. # setenforce 1
  12. Reboot

This procedure worked for me but I am using the one with .autorelabel - it is faster and has fewer steps to complete the root reset.

View solution in original post

9 Replies
UWillC
Mission Specialist
Mission Specialist
  • 12K Views

I done similar procedure to reset root password and followed these steps to make this successfull, maybe it was not stated in the book clearly that context must be restored for password file, try following...

  1. hit E in GRUB boot
  2. go to the line with boot option and remove everything up to rhgb and put rd.break enforcing=0
  3. Ctrl+X
  4. # mount -o remount,rw /sysroot
  5. # chroot /sysroot
  6. # passwd
  7. provide new password for root user
  8. # exit
  9. # mount -o remount,ro /sysroot
  10. # exit
  11. Restore the context of the file /etc/shadow
    1. # restorecon -v /etc/shadow
    2. # setenforce 1
  12. Reboot

This procedure worked for me but I am using the one with .autorelabel - it is faster and has fewer steps to complete the root reset.

74razor
Flight Engineer
Flight Engineer
  • 12K Views

Thank you @UWillC , your process seems to work for me! I am just nervous about the exam and want to make sure I have this process down. 

Tracy_Baker
Starfighter Starfighter
Starfighter
  • 12K Views

@74razor 

It doesn't reboot because the system cannot read the /etc/shadow file (which contains the users passwords) -- it has no SELinux context on it.

When you break the grub boot process, SELinux does not load. When you run the passwd command in emergency mode, the /etc/shadow file gets clobbered and recreated and, because SELinux is not loaded, no SELinux context is applied to the file.

To fix this, you have to create the /.autorelabel file before you reboot the system. (The are other ways, but I find this to be the easiest.)

-----------

Here's the concise intructions I give my students. I just did it on my own system - to verify it works under the latest release.

1. Stop the boot process by pressing any key during the grub bootloader. I like to use cursor up / down. Select the kernel you want to load / edit (usually the first one listed).

2. Press e to edit

3. Cursor down to the line that begins with linux (linux16 before RHEL 8)

4. Press the End key on the keyboard to go to the end of the line. Enter in this text: rd.break

NOTE: There may be information that needs to be removed, such as console and / or vconsole directives (i.e.: console=tty or console=ttyS0,115200n8) -- this would be mostly true under certain virtual machine installations.

5. Press Ctrl-x

6. At the switch_root:/# prompt enter: mount -oremount,rw /sysroot

7: At the switch_root:/# prompt enter: chroot /sysroot

8: At the sh-4.4# prompt enter: passwd root

9: At the sh-4.4# prompt enter: touch /.autorelabel

10: At the sh-4.4# prompt enter: exit

11: At the switch_root:/# prompt enter: exit

At this point the system will reboot and relabel the SELinux contexts on files as neded (including on /etc/shadow). It may reboot a second time.

Once finished, use the new root password to log in.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
74razor
Flight Engineer
Flight Engineer
  • 12K Views

Thank you for the reply! In my lab book, it says to change the root password while disabling SELinux. However, the guide doesn't specifically say how to do that. When going through the RHEL8 documentation, I found that the 'enforcing=0' kernel parameter disableds SELinux.

You mention that when you break the GRUB process, that SELinux does not load. So is 'enforcing=0' even needed in this case? Your process works perfectly, I just want to make sure I have this down for the exam.

UWillC
Mission Specialist
Mission Specialist
  • 12K Views

There is no need to disable SELinux, this is just another way to password reset the root and I am using this one, in case you will forget which file should be crerated use...

man selinux

while in the manual use search option / and jus type the .auto and you will jump to the section where it is clearly stated that...

The best way to relabel the file system is to create the flag file /.autorelabel and reboot.

Process of relabelling the file system take the while so do not panic and just wait for the process completion.

Tracy_Baker
Starfighter Starfighter
Starfighter
  • 11.9K Views

@74razor 

Since SELinux is not loaded, enforcing=0 doesn't do anything. SELinux isn't loaded because you broke the boot process using rd.break

Now, enforcing=0 would disable SELinux if you did not use rd.break. There may be times when you want to boot the system without SELinux loaded. It probably shouldn't be used unless required - perhaps for troubleshooting purposes.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
74razor
Flight Engineer
Flight Engineer
  • 11.9K Views

Great, thanks for clearing that up @Tracy_Baker . Appreciate the knowledge share as always. 

unixrab
Cadet
Cadet
  • 2,536 Views

There's now a password prompt as soon as I hit "e" to edit ...any ideas how I reset that or get around it?   I can't add rd.break to the end of the vmlinuz line because as soon as I hit "e" I get prompted for a login (root?) and password   Maybe the iLO password?  I can't get past it.

JustinP
Flight Engineer
Flight Engineer
  • 11.6K Views

BTW: A step-by-step method is taught in RH134 & RH199 :)

--
Sr. Solution Architect
Join the discussion
You must log in to join this conversation.