Loading...

VONDS ©

Lab 54: Recover Root Password

Back to Lab Index

Recover access when the root password is unknown by using a controlled GRUB edit to boot into a minimal rescue shell. Load SELinux policy, remount the root filesystem read-write, reset the password, trigger a relabel, and return to normal boot.

boot security troubleshooting

Scenario

The root password is unknown. You have console access and must regain root by editing the GRUB boot entry. Boot into a rescue shell, ensure SELinux policy is loaded before making changes, reset the root password, trigger an SELinux relabel, and boot back into normal mode.

Operator context

This workflow is standard for RHEL-like systems. Console and boot loader access are privileged capabilities and must be treated as a security boundary.

Objective

  • Interrupt GRUB and enter edit mode.
  • Append a kernel argument to boot into a minimal shell.
  • Boot the modified entry.
  • Load SELinux policy in the rescue shell.
  • Remount / read-write.
  • Reset the root password.
  • Create /.autorelabel to relabel on next boot.
  • Continue booting into normal mode.

Concepts

  • One-time GRUB edits for recovery without permanently changing boot loader configuration.
  • Init override for minimal rescue access (init=/bin/sh).
  • SELinux policy handling in rescue mode to keep labeling and authentication consistent.
  • Controlled write access by remounting / read-write (mount -o remount,rw /).
  • Password reset workflow (passwd) and post-change relabel signaling (/.autorelabel).
  • Returning to normal boot by replacing the rescue shell with init (exec /sbin/init).

Walkthrough

Step 1 : Interrupt GRUB and edit the selected boot entry.
Command 
e

This edit is in-memory for the current boot only. Use it for recovery without modifying persistent GRUB configuration. 

(GRUB edit screen opens)
Step 2 : Append a kernel argument to boot into a minimal shell.
Command 
init=/bin/sh

Appending init=/bin/sh replaces the init process for this boot and drops you into a minimal shell. This is a controlled recovery mode when authentication is blocked.

Step 3 : Boot the modified entry.
Commands 
Ctrl+x
# OR
F10

The system should boot directly into a shell prompt without a normal login sequence. 

[  OK  ] Started dracut pre-pivot and cleanup hook.
[  OK  ] Reached target Switch Root.
Switching root.
/bin/sh: can't access tty; job control turned off
sh-5.1#
Step 4 : Load SELinux policy before making changes.
Safety note

If SELinux is enforcing, load policy before modifying authentication state. This reduces the chance of booting back into a mislabeled system.

Command 
/usr/sbin/load_policy -i

Loading policy ensures SELinux permission checks behave predictably in the rescue environment. 

/usr/sbin/load_policy:  done
Step 5 : Remount the root filesystem read-write.
Command 
mount -o remount,rw /

In rescue mode, / is typically mounted read-only. Remount it read-write before updating account data.

Step 6 : Reset the root password.
Command 
passwd

This updates the root password in-place so normal authentication can succeed after reboot. 

New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Step 7 : Trigger SELinux relabel on next boot.
Command 
touch /.autorelabel

Creating /.autorelabel forces a relabel on the next boot. This is a standard recovery step after modifying authentication state from a rescue shell.

Step 8 : Continue booting into normal mode.
Command 
exec /sbin/init

exec /sbin/init replaces the rescue shell with the normal init process so the system can complete boot. If relabeling runs, allow it to finish. 

system is rebooting...
SELinux relabel may take several minutes.

Common breakpoints

No GRUB menu appears

The boot may be too fast or the menu may be hidden. Use the console and reboot again, then press the appropriate key to interrupt boot at the GRUB stage.

Root filesystem remains read-only

If passwd fails to write updates, confirm mount -o remount,rw / succeeded and retry the command.

SELinux blocks login after reset

If authentication fails after reboot, the system may have labeling issues. Ensure /.autorelabel was created and allow the relabel to complete.

init override persists unexpectedly

The init=/bin/sh edit is one-time unless you modified persistent GRUB config. Reboot and confirm you are booting the normal entry without the override.

Cleanup checklist

This recovery is designed to leave the system in a normal boot state. Confirm the relabel completed and remove the relabel trigger file if it still exists.

Commands 
ls -l /.autorelabel
rm -f /.autorelabel
Success signal

The system boots normally, root authentication works, and relabeling completes without repeated AVC failures.

Reference

  • e : Enters GRUB edit mode for the selected boot entry.
  • init=/bin/sh : Overrides the init process for a single boot and drops to a minimal shell for recovery.
  • Ctrl+x / F10 : Boots the modified GRUB entry.
  • /usr/sbin/load_policy -i : Loads SELinux policy in rescue mode.
    • -i : Initializes the policy load for the current runtime.
  • mount -o remount,rw / : Remounts the root filesystem read-write.
    • -o : Specifies mount options.
    • remount : Changes mount options without unmounting.
    • rw : Enables read-write access.
  • passwd : Resets the password for the current user (root in this context).
  • touch /.autorelabel : Triggers SELinux relabel on the next boot.
  • exec /sbin/init : Starts the normal init process to resume standard boot.
    • exec : Replaces the current shell with the specified process.
  • ls -l /.autorelabel : Confirms whether the relabel trigger file exists.
    • -l : Shows long listing output including permissions and timestamps.
  • rm -f /.autorelabel : Removes the relabel trigger file if it remains after boot.
    • -f : Removes without prompting and ignores missing files.