SELinux reset root password

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












Disclaimer: This question is not to solve the problem of changing root password while SELinux is active because there are a lot of guides to solve that already. This is more of how SELinux does that internally.



I'm a recent user of SELinux but lately I've been more in touch with it. There was a moment when someone asked me how I could reset root password in case of forgetting it.
So I booted my CentOS, edited grub entry to something like

....
linux16 <kernel_location> root=/dev/mapper/centos-root rw init=/bin/bash
...

I ran passwd and afterwards ran sync and forced reboot.
After reboot, logging in with the new password was rejected as well as with the old of course.
Rebooted again and passed the kernel the parameter to disable SELinux (selinux=0). Tried logging in with the new password and it worked.
Afterwards I forced a fs auto relabel (via the file .autorelabel) and with SELinux active it was now possible to log in.



My question is: why does happen? Why does relabeling affect log in when there was merely a change of password and not of users or objects?



Thank you for your attention.



TL;DR: Usual root password reset doesn't work in SELinux. Why?



Edit: This was tested on a virtual machine running CentOS7 with KVM as hypervisor.






redhat selinux






share



















  • 1




    Are you sure it doesn't work? Try it again. It probably will work fine. I suspect that you simply had wrong file contexts on some files, causing all logins to fail. Thus the autorelabel was what really fixed the problem.
    – Michael Hampton♦
    1 hour ago











  • @MichaelHampton I just retraced all my steps doing it again and couldn't log in again with SELinux active. After disabling it I could log in without a problem. Correct me if I'm wrong but changing a password shouldn't change file contexts right?
    – Jorge Heleno
    1 hour ago






  • 1




    No it shouldn't. You seem to have discovered something strange and unexpected.
    – Michael Hampton♦
    1 hour ago














up vote
2
down vote

favorite












Disclaimer: This question is not to solve the problem of changing root password while SELinux is active because there are a lot of guides to solve that already. This is more of how SELinux does that internally.



I'm a recent user of SELinux but lately I've been more in touch with it. There was a moment when someone asked me how I could reset root password in case of forgetting it.
So I booted my CentOS, edited grub entry to something like

....
linux16 <kernel_location> root=/dev/mapper/centos-root rw init=/bin/bash
...

I ran passwd and afterwards ran sync and forced reboot.
After reboot, logging in with the new password was rejected as well as with the old of course.
Rebooted again and passed the kernel the parameter to disable SELinux (selinux=0). Tried logging in with the new password and it worked.
Afterwards I forced a fs auto relabel (via the file .autorelabel) and with SELinux active it was now possible to log in.



My question is: why does happen? Why does relabeling affect log in when there was merely a change of password and not of users or objects?



Thank you for your attention.



TL;DR: Usual root password reset doesn't work in SELinux. Why?



Edit: This was tested on a virtual machine running CentOS7 with KVM as hypervisor.






redhat selinux






share



















  • 1




    Are you sure it doesn't work? Try it again. It probably will work fine. I suspect that you simply had wrong file contexts on some files, causing all logins to fail. Thus the autorelabel was what really fixed the problem.
    – Michael Hampton♦
    1 hour ago











  • @MichaelHampton I just retraced all my steps doing it again and couldn't log in again with SELinux active. After disabling it I could log in without a problem. Correct me if I'm wrong but changing a password shouldn't change file contexts right?
    – Jorge Heleno
    1 hour ago






  • 1




    No it shouldn't. You seem to have discovered something strange and unexpected.
    – Michael Hampton♦
    1 hour ago












up vote
2
down vote

favorite









up vote
2
down vote

favorite











Disclaimer: This question is not to solve the problem of changing root password while SELinux is active because there are a lot of guides to solve that already. This is more of how SELinux does that internally.



I'm a recent user of SELinux but lately I've been more in touch with it. There was a moment when someone asked me how I could reset root password in case of forgetting it.
So I booted my CentOS, edited grub entry to something like

....
linux16 <kernel_location> root=/dev/mapper/centos-root rw init=/bin/bash
...

I ran passwd and afterwards ran sync and forced reboot.
After reboot, logging in with the new password was rejected as well as with the old of course.
Rebooted again and passed the kernel the parameter to disable SELinux (selinux=0). Tried logging in with the new password and it worked.
Afterwards I forced a fs auto relabel (via the file .autorelabel) and with SELinux active it was now possible to log in.



My question is: why does happen? Why does relabeling affect log in when there was merely a change of password and not of users or objects?



Thank you for your attention.



TL;DR: Usual root password reset doesn't work in SELinux. Why?



Edit: This was tested on a virtual machine running CentOS7 with KVM as hypervisor.






redhat selinux






share















Disclaimer: This question is not to solve the problem of changing root password while SELinux is active because there are a lot of guides to solve that already. This is more of how SELinux does that internally.



I'm a recent user of SELinux but lately I've been more in touch with it. There was a moment when someone asked me how I could reset root password in case of forgetting it.
So I booted my CentOS, edited grub entry to something like

....
linux16 <kernel_location> root=/dev/mapper/centos-root rw init=/bin/bash
...

I ran passwd and afterwards ran sync and forced reboot.
After reboot, logging in with the new password was rejected as well as with the old of course.
Rebooted again and passed the kernel the parameter to disable SELinux (selinux=0). Tried logging in with the new password and it worked.
Afterwards I forced a fs auto relabel (via the file .autorelabel) and with SELinux active it was now possible to log in.



My question is: why does happen? Why does relabeling affect log in when there was merely a change of password and not of users or objects?



Thank you for your attention.



TL;DR: Usual root password reset doesn't work in SELinux. Why?



Edit: This was tested on a virtual machine running CentOS7 with KVM as hypervisor.






redhat selinux




redhat selinux





share














share












share



share








edited 1 hour ago

























asked 1 hour ago









Jorge Heleno

607




607







  • 1




    Are you sure it doesn't work? Try it again. It probably will work fine. I suspect that you simply had wrong file contexts on some files, causing all logins to fail. Thus the autorelabel was what really fixed the problem.
    – Michael Hampton♦
    1 hour ago











  • @MichaelHampton I just retraced all my steps doing it again and couldn't log in again with SELinux active. After disabling it I could log in without a problem. Correct me if I'm wrong but changing a password shouldn't change file contexts right?
    – Jorge Heleno
    1 hour ago






  • 1




    No it shouldn't. You seem to have discovered something strange and unexpected.
    – Michael Hampton♦
    1 hour ago












  • 1




    Are you sure it doesn't work? Try it again. It probably will work fine. I suspect that you simply had wrong file contexts on some files, causing all logins to fail. Thus the autorelabel was what really fixed the problem.
    – Michael Hampton♦
    1 hour ago











  • @MichaelHampton I just retraced all my steps doing it again and couldn't log in again with SELinux active. After disabling it I could log in without a problem. Correct me if I'm wrong but changing a password shouldn't change file contexts right?
    – Jorge Heleno
    1 hour ago






  • 1




    No it shouldn't. You seem to have discovered something strange and unexpected.
    – Michael Hampton♦
    1 hour ago







1




1




Are you sure it doesn't work? Try it again. It probably will work fine. I suspect that you simply had wrong file contexts on some files, causing all logins to fail. Thus the autorelabel was what really fixed the problem.
– Michael Hampton♦
1 hour ago





Are you sure it doesn't work? Try it again. It probably will work fine. I suspect that you simply had wrong file contexts on some files, causing all logins to fail. Thus the autorelabel was what really fixed the problem.
– Michael Hampton♦
1 hour ago













@MichaelHampton I just retraced all my steps doing it again and couldn't log in again with SELinux active. After disabling it I could log in without a problem. Correct me if I'm wrong but changing a password shouldn't change file contexts right?
– Jorge Heleno
1 hour ago




@MichaelHampton I just retraced all my steps doing it again and couldn't log in again with SELinux active. After disabling it I could log in without a problem. Correct me if I'm wrong but changing a password shouldn't change file contexts right?
– Jorge Heleno
1 hour ago




1




1




No it shouldn't. You seem to have discovered something strange and unexpected.
– Michael Hampton♦
1 hour ago




No it shouldn't. You seem to have discovered something strange and unexpected.
– Michael Hampton♦
1 hour ago










1 Answer
1






active

oldest

votes

















up vote
4
down vote



accepted










I was able to duplicate this issue in a freshly installed CentOS 7.5 system.



Here is what is happening:



When you boot with init=/bin/bash there are two issues you may run into:



  • The root filesystem may be mounted readonly. In this case passwd will complain of an Authentication token manipulation error.

  • The SELinux policy may not be loaded. In this case passwd will appear to succeed, but nothing will happen, and you will have the problem described in the original question above.

To change the root password on RHEL/CentOS 7, you therefore need to follow this process:



  1. Add init=/bin/bash to the end of the kernel command line in grub, as you previously did.

  2. At the bash prompt, load the SELinux policy with /usr/sbin/load_policy -i.

  3. Mount the root filesystem read-write with mount -o remount,rw /.

  4. Now change the password, and it will succeed. passwd root

  5. Remount the filesystem readonly to commit changes and have a clean filesystem on next boot with mount -o remount,ro /.

  6. Exit the shell or restart the system with exec /sbin/init 6.

Now you can log in with the changed root password.



A longer explanation of this procedure is available from Red Hat (subscription required).






share|improve this answer




















  • The problem was on the policies which weren't loaded. Why don't they get loaded? SELinux should operate at kernel level so init system shouldn't be required.
    – Jorge Heleno
    52 mins ago






  • 1




    @JorgeHeleno SELinux is indeed on or off by default when the kernel starts, but the userland is responsible for deciding which policies are loaded. The kernel could not decide this, because some installations may want different policies (e.g. targeted, strict, mls). This happens early in the boot process, but you bypass that when you run init=/bin/bash.
    – Michael Hampton♦
    46 mins ago











  • Excellent explanation, thank you very much!
    – Jorge Heleno
    41 mins ago











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f936174%2fselinux-reset-root-password%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
4
down vote



accepted










I was able to duplicate this issue in a freshly installed CentOS 7.5 system.



Here is what is happening:



When you boot with init=/bin/bash there are two issues you may run into:



  • The root filesystem may be mounted readonly. In this case passwd will complain of an Authentication token manipulation error.

  • The SELinux policy may not be loaded. In this case passwd will appear to succeed, but nothing will happen, and you will have the problem described in the original question above.

To change the root password on RHEL/CentOS 7, you therefore need to follow this process:



  1. Add init=/bin/bash to the end of the kernel command line in grub, as you previously did.

  2. At the bash prompt, load the SELinux policy with /usr/sbin/load_policy -i.

  3. Mount the root filesystem read-write with mount -o remount,rw /.

  4. Now change the password, and it will succeed. passwd root

  5. Remount the filesystem readonly to commit changes and have a clean filesystem on next boot with mount -o remount,ro /.

  6. Exit the shell or restart the system with exec /sbin/init 6.

Now you can log in with the changed root password.



A longer explanation of this procedure is available from Red Hat (subscription required).






share|improve this answer




















  • The problem was on the policies which weren't loaded. Why don't they get loaded? SELinux should operate at kernel level so init system shouldn't be required.
    – Jorge Heleno
    52 mins ago






  • 1




    @JorgeHeleno SELinux is indeed on or off by default when the kernel starts, but the userland is responsible for deciding which policies are loaded. The kernel could not decide this, because some installations may want different policies (e.g. targeted, strict, mls). This happens early in the boot process, but you bypass that when you run init=/bin/bash.
    – Michael Hampton♦
    46 mins ago











  • Excellent explanation, thank you very much!
    – Jorge Heleno
    41 mins ago















up vote
4
down vote



accepted










I was able to duplicate this issue in a freshly installed CentOS 7.5 system.



Here is what is happening:



When you boot with init=/bin/bash there are two issues you may run into:



  • The root filesystem may be mounted readonly. In this case passwd will complain of an Authentication token manipulation error.

  • The SELinux policy may not be loaded. In this case passwd will appear to succeed, but nothing will happen, and you will have the problem described in the original question above.

To change the root password on RHEL/CentOS 7, you therefore need to follow this process:



  1. Add init=/bin/bash to the end of the kernel command line in grub, as you previously did.

  2. At the bash prompt, load the SELinux policy with /usr/sbin/load_policy -i.

  3. Mount the root filesystem read-write with mount -o remount,rw /.

  4. Now change the password, and it will succeed. passwd root

  5. Remount the filesystem readonly to commit changes and have a clean filesystem on next boot with mount -o remount,ro /.

  6. Exit the shell or restart the system with exec /sbin/init 6.

Now you can log in with the changed root password.



A longer explanation of this procedure is available from Red Hat (subscription required).






share|improve this answer




















  • The problem was on the policies which weren't loaded. Why don't they get loaded? SELinux should operate at kernel level so init system shouldn't be required.
    – Jorge Heleno
    52 mins ago






  • 1




    @JorgeHeleno SELinux is indeed on or off by default when the kernel starts, but the userland is responsible for deciding which policies are loaded. The kernel could not decide this, because some installations may want different policies (e.g. targeted, strict, mls). This happens early in the boot process, but you bypass that when you run init=/bin/bash.
    – Michael Hampton♦
    46 mins ago











  • Excellent explanation, thank you very much!
    – Jorge Heleno
    41 mins ago













up vote
4
down vote



accepted







up vote
4
down vote



accepted






I was able to duplicate this issue in a freshly installed CentOS 7.5 system.



Here is what is happening:



When you boot with init=/bin/bash there are two issues you may run into:



  • The root filesystem may be mounted readonly. In this case passwd will complain of an Authentication token manipulation error.

  • The SELinux policy may not be loaded. In this case passwd will appear to succeed, but nothing will happen, and you will have the problem described in the original question above.

To change the root password on RHEL/CentOS 7, you therefore need to follow this process:



  1. Add init=/bin/bash to the end of the kernel command line in grub, as you previously did.

  2. At the bash prompt, load the SELinux policy with /usr/sbin/load_policy -i.

  3. Mount the root filesystem read-write with mount -o remount,rw /.

  4. Now change the password, and it will succeed. passwd root

  5. Remount the filesystem readonly to commit changes and have a clean filesystem on next boot with mount -o remount,ro /.

  6. Exit the shell or restart the system with exec /sbin/init 6.

Now you can log in with the changed root password.



A longer explanation of this procedure is available from Red Hat (subscription required).






share|improve this answer












I was able to duplicate this issue in a freshly installed CentOS 7.5 system.



Here is what is happening:



When you boot with init=/bin/bash there are two issues you may run into:



  • The root filesystem may be mounted readonly. In this case passwd will complain of an Authentication token manipulation error.

  • The SELinux policy may not be loaded. In this case passwd will appear to succeed, but nothing will happen, and you will have the problem described in the original question above.

To change the root password on RHEL/CentOS 7, you therefore need to follow this process:



  1. Add init=/bin/bash to the end of the kernel command line in grub, as you previously did.

  2. At the bash prompt, load the SELinux policy with /usr/sbin/load_policy -i.

  3. Mount the root filesystem read-write with mount -o remount,rw /.

  4. Now change the password, and it will succeed. passwd root

  5. Remount the filesystem readonly to commit changes and have a clean filesystem on next boot with mount -o remount,ro /.

  6. Exit the shell or restart the system with exec /sbin/init 6.

Now you can log in with the changed root password.



A longer explanation of this procedure is available from Red Hat (subscription required).







share|improve this answer












share|improve this answer



share|improve this answer










answered 1 hour ago









Michael Hampton♦

158k26293596




158k26293596











  • The problem was on the policies which weren't loaded. Why don't they get loaded? SELinux should operate at kernel level so init system shouldn't be required.
    – Jorge Heleno
    52 mins ago






  • 1




    @JorgeHeleno SELinux is indeed on or off by default when the kernel starts, but the userland is responsible for deciding which policies are loaded. The kernel could not decide this, because some installations may want different policies (e.g. targeted, strict, mls). This happens early in the boot process, but you bypass that when you run init=/bin/bash.
    – Michael Hampton♦
    46 mins ago











  • Excellent explanation, thank you very much!
    – Jorge Heleno
    41 mins ago

















  • The problem was on the policies which weren't loaded. Why don't they get loaded? SELinux should operate at kernel level so init system shouldn't be required.
    – Jorge Heleno
    52 mins ago






  • 1




    @JorgeHeleno SELinux is indeed on or off by default when the kernel starts, but the userland is responsible for deciding which policies are loaded. The kernel could not decide this, because some installations may want different policies (e.g. targeted, strict, mls). This happens early in the boot process, but you bypass that when you run init=/bin/bash.
    – Michael Hampton♦
    46 mins ago











  • Excellent explanation, thank you very much!
    – Jorge Heleno
    41 mins ago
















The problem was on the policies which weren't loaded. Why don't they get loaded? SELinux should operate at kernel level so init system shouldn't be required.
– Jorge Heleno
52 mins ago




The problem was on the policies which weren't loaded. Why don't they get loaded? SELinux should operate at kernel level so init system shouldn't be required.
– Jorge Heleno
52 mins ago




1




1




@JorgeHeleno SELinux is indeed on or off by default when the kernel starts, but the userland is responsible for deciding which policies are loaded. The kernel could not decide this, because some installations may want different policies (e.g. targeted, strict, mls). This happens early in the boot process, but you bypass that when you run init=/bin/bash.
– Michael Hampton♦
46 mins ago





@JorgeHeleno SELinux is indeed on or off by default when the kernel starts, but the userland is responsible for deciding which policies are loaded. The kernel could not decide this, because some installations may want different policies (e.g. targeted, strict, mls). This happens early in the boot process, but you bypass that when you run init=/bin/bash.
– Michael Hampton♦
46 mins ago













Excellent explanation, thank you very much!
– Jorge Heleno
41 mins ago





Excellent explanation, thank you very much!
– Jorge Heleno
41 mins ago


















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f936174%2fselinux-reset-root-password%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

Long meetings (6-7 hours a day): Being “babysat” by supervisor

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
Read more

Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

Image
Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
Read more

Confectionery

Image
Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
Read more