Resetting the Root Password Using rd.break for RHEL7

• Start the system and, on the GRUB 2 boot screen, press the e key for edit.
• Remove the rhgb and quiet parameters from the end, or near the end, of the linux16 line, or linuxefi on UEFI systems.

  Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.

IMPORTANT

The rhgb and quiet parameters must be removed in order to enable system messages.

• Add the following parameters at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:

rd.break enforcing=0

Adding the enforcing=0 option enables omitting the time consuming SELinux relabeling process.

The initramfs will stop before passing control to the Linux kernel, enabling you to work with the root file system.

Note that the initramfs prompt will appear on the last console specified on the Linux line

• Press Ctrl+x to boot the system with the changed parameters.

  With an encrypted file system, a password is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

  The initramfs switch_root prompt appears.

• The file system is mounted read-only on /sysroot/. You will not be allowed to change the password if the file system is not writable.

  Remount the file system as writable:

  switch_root:/# mount –o remount,rw /sysroot

• The file system is remounted with write enabled. Change the file system's root as follows:

switch_root:/# chroot /sysroot

The prompt changes to sh-4.2#.

• Enter the passwd command and follow the instructions displayed on the command line to change the root password.

  Note that if the system is not writable, the passwd tool fails with the following error:

  Authentication token manipulation error

• Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:

  sh-4.2# touch /.autorelabel

  Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the enforcing=0 option in step 3.

• Remount the file system as read only:

  sh-4.2# mount –o remount,ro /

• Enter the exit command to exit the chroot environment
• Enter the exit command again to resume the initialization and finish the system boot.s

  With an encrypted file system, a password or phrase is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press and hold the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

NOTE

Note that the SELinux relabeling process can take a long time. A system reboot will occur automatically when the process is complete.

• If you added the enforcing=0 option in step 3 and omitted the touch /.autorelabel command in step 8, enter the following command to restore the /etc/shadow file's SELinux security context:

  # restorecon /etc/shadow

  Enter the following commands to turn SELinux policy enforcement back on and verify that it is on:

  # setenforce 1

  # getenforce

  Enforcing