RHEL8 change root password now it hangs at boot

Latest response

Hi all

I am studying the RHCSA and practicing changing root password.

I got an RHEL8 VM on vmware workstation on win10.

So I reboot my vm, insert rd.break into grub, mounts the sysroot, chroot into sysroot, and passwd the new root password, and it all seems to be going fine. I got the successful password token updated message.

then I exit out the shell and reboot on the cmd line, and the VM seems to hang at the screenshot I have attached.

It is a brand new VM, I haven't done anything special to it, everything is the factory default. no selinux. and when I try to ssh into it with my user id (not the root one) it always says my password is wrong (though I think this might be more because my vm isn't fully started yet).

change root pwd and vm hangs

Even a reboot of the vm (from vmware) doesn't work, it just hangs at a different place.

change root pwd and now vm hangs 2

I don't understand why this is happening.

Responses

selinux is enabled by default when you install rhel7/8 . there isnt any option i could find that allows you to disable this. that being said, i tried to reproduce this on rhel8 but couldnt. my system came back up normally but the new root password did not take effect (because selinux is on by default). since this is a new vm, i would retry the break-in process again to see if it works, if not just reinstall the vm.

Hi, you are using Red Hat 7/8 then you can use the rd.break with space enforcing=0 for disable Linux security. after break password you can use restorecon -v /etc/shadow and then you can run stenforce 1 . I hope after that your system are not hanged.

... then you can run setenforce 1...

small error correction

you can also remove 'rhgb quiet' for a more verbose output on the screen

You need to perform:

touch /.autorelabel

after the password change, then restart the VM

Would be nice to know if the RHEL7 procedure works on RHEL8.

Changing and Resetting the Root Password in Red Hat Enterprise Linux 7 System Administrator's Guide.

Yes, it works on RHEL 8.

thank you

Another link (not RH) with what looks like a clear procedure to reset a lost root pass on rhel8

To the original poster Junzhe Zou, please re-read what ir. Jan Gerrit Kootstra wrote above.

Regards

RJ

Why does the the context get messed up on the /etc/shadow file?

I tried to boot with the rd.break then do a ls -lZ /sysroot/etc/shadow and received the following, ---------- 1 root root ? 925 Aug 1 02:20 /sysroot/etc/shadow

I am assuming the ? is because SELinux is disabled in this mode. Which brings up two questions, 1) why is the file context getting lost, is passwd creating a new file, then replacing the old one? 2) at what point in the boot process is SELinux enabled?

I found the answers to my questions here https://serverfault.com/questions/936174/selinux-reset-root-password

Hello, just FYI, the use case of Changing and resetting the root password is now covered in Red Hat documentation:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/managing-users-groups-permissions_configuring-basic-system-settings?lb_target=stage#changing-and-resetting-the-root-password_managing-users-groups-permissions

If your system got stuck after changing password without taking care of SELinux then you can try different approach - take care of SELinux and load policies before changing the password. The full procedure is descibed below:

First: Reboot. Before system starts - in bootloader - edit config. Change line starting with linux... you can (optionally) remove rhgb quiet at the end and you must add this at the end: rd.break then press Ctrl-X to boot. After emergency booting run following commands:

# 1. You are in initramfs filesystem so change to normal root partition which is under /sysroot
chroot /sysroot
# 2. Remount the partition as writeable. You also see options in 'man mount' , search for 'readonly'
mount -o remount,rw /
# 3. Load SELinux policies (otherwise /etc/shadow will lose SELinux security context and will be unusable on normal boot)
/usr/sbin/load_policy -i
# 4. Not really needed but it will actually show you next mount command to type
ps -Z
# 5. Mount proc filesystem - this command is shown by previous 'ps'
mount -t proc proc /proc
# 6. Finally you can change the password now
passwd
# 7. Next line is not mandatory but recommended in case you need to forcefully power-off or restart the machine later
sync; mount -o remount,ro /
# 8. Exit from chroot
exit
# 9. Reboot system to let it start normally. It may take a little while. You can also force restart with (remote) power-button if it takes too long.
reboot -f