Alternative method to restore root access on a RHEL 7.x system with a large RAID or SAN

Environment

  • Red Hat Enterprise Linux 7.

Issue

  • SUMMARY/EXAMPLE: If you have a huge RAID or SAN, it might not be good to relabel your entire system using the traditional method of touch /.autorelabel when recovering a root password. This method is intended to provide an alternative that avoids that. For example, I have a system with a 500TB RAID; it's best not to relabel the entire system when all I did was recover the root password and change /etc/shadow.
  • The traditional method of restoring root access works, but does a relabel of the entire Linux file system. It might be good to avoid a total filesystem relabel, particularly if you have a system with a large amount of storage attached. That method works fine if you do not have a large amount of storage; here is the link in the RHEL 7 documentation.
  • This method may be for you if you have a large RAID or SAN attached and wish to avert a total system relabel. This method only relabels /etc/shadow
  • This is not a Red Hat solution. This is a post in the Red Hat discussion forum.

Resolution

  • At the beginning of the boot process, at the GRUB 2 menu (Kernel list), type the e key to edit the kernel. (Be prepared with the grub password if required, or use the DVD restore method).
  • Move down to the kernel line (the line starting with linux16)
  • NOTE: EFI systems will show linuxefi instead of linux16. Thank you, Christian Labisch.
  • Remove rhgb quiet using the backspace key.
  • You can change "ro" to "rw" in this grub line to avoid having to do a remount (shown below).
  • IMPORTANT Add to the kernel line: rd.break enforcing=0
    NOTE: you might have to make "console=tty0" above as well depending if it's virtual or not.
  • Press Ctrl x to resume the boot process.
    NOTE: If you did not change "ro" to "rw" above, make sure to remount the /sysroot partition as shown below.
  • # mount -o remount,rw /sysroot
  • # chroot /sysroot
  • # passwd root
  • Type the password correctly two times in a row.
  • Type exit twice to continue the boot process
  • Log in, open a terminal and enter the root account.
  • # restorecon -v /etc/shadow
  • # setenforce 1 ; getenforce

References:

Red Hat Enterprise Linux 7 Installation Guide - Basic System Recovery.

Additional Credits...

  • This is not a Red Hat solution. This is a post in the Red Hat discussion forum.
  • I did not originally create this method. A Red-Hatter created this, the original link is no longer available.

Please post in the comments if you have questions or have recommendations, or if I can clarify it further.

RJ
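
The following is an added example, not part of the original post: a check for the state this procedure leaves behind, namely the label on /etc/shadow, the SELinux mode, and whether a /.autorelabel flag would trigger the full relabel the method is meant to avoid. The function names, the script name `check.sh` and the sample contexts are hypothetical, and `shadow_t` is assumed to be the type the targeted policy assigns to /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the original post): verify the state left behind
# by the rd.break / enforcing=0 password reset described above.

EXPECTED_TYPE="shadow_t"   # assumption: targeted policy's type for /etc/shadow

# Print the type field (3rd) of a context such as system_u:object_r:shadow_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# assess CONTEXT MODE AUTORELABEL
#   CONTEXT     SELinux context of /etc/shadow
#   MODE        output of getenforce
#   AUTORELABEL "yes" if /.autorelabel exists, otherwise "no"
# Prints one line per finding; returns 0 only when nothing needs attention.
assess() {
    rc=0
    t=$(context_type "$1")
    if [ "$t" != "$EXPECTED_TYPE" ]; then
        echo "LABEL: /etc/shadow is '$t', expected '$EXPECTED_TYPE'; run restorecon -v /etc/shadow"
        rc=1
    fi
    if [ "$2" != "Enforcing" ]; then
        echo "MODE: SELinux is '$2'; run setenforce 1 once the label is fixed"
        rc=1
    fi
    if [ "$3" = "yes" ]; then
        echo "RELABEL: /.autorelabel exists; the next boot will relabel every filesystem"
        rc=1
    fi
    return $rc
}

# Live use on the recovered host, as root: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    flag=no
    [ -e /.autorelabel ] && flag=yes
    assess "$(stat -c %C /etc/shadow)" "$(getenforce)" "$flag"
fi
```

Run it once before `restorecon -v /etc/shadow` and once after `setenforce 1`; the second run should print nothing and exit 0.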

Responses

Hi RJ,

Thanks for the useful article ! Two things I'd like to suggest : Firstly, on EFI based setups, which mostly are in use these days, the linux line starts with linuxefi instead of linux16. Secondly, I recommend to run sudo touch /.autorelabel and sudo reboot afterwards nevertheless - just to be on the safe side ... :)

Regards,
Christian

Christian,

I'll certainly add linuxefi. However, the entire point of this particular method (which I borrowed from another Red-Hatter) is to avoid using touch /.autorelabel because, as I mention, this discussion is intended to avoid relabeling an entire SAN or huge RAID array (which is why I re-presented this method a Red-Hatter provided).

Thanks

RJ

Yes RJ, that is indeed a point of course ... /.autorelabel might take a very long time.
I know, it's not explicitly necessary, that's why I said : just to be on the safe side ... :)

Regards,
Christian

I added the bit on linuxefi - thank you Christian (and gave you credit)

Thank you, RJ - glad I could add something useful. :)

Regards,
Christian