Recover access when the root password is unknown by using a controlled GRUB edit to boot into a minimal rescue shell. Load SELinux policy, remount the root filesystem read-write, reset the password, trigger a relabel, and return to normal boot.
The root password is forgotten. You have console access and must regain root by editing the GRUB boot entry. Your goal is to boot into a rescue shell, ensure SELinux policy is loaded before making changes, reset the root password safely, trigger an SELinux relabel, and reboot back into normal mode.
This workflow is a standard recovery procedure for RHEL-like systems. In production, access to the console and the boot loader is a privileged capability and must be treated as a security boundary.
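Remount / read-write.
Create /.autorelabel to relabel on next boot.
Boot into a minimal shell (init=/bin/sh).
Load SELinux policy (load_policy).
Remount the root filesystem read-write (mount -o remount,rw /).
Reset the root password with passwd.
Create /.autorelabel.
Resume normal boot with exec /sbin/init.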
e
On reboot, interrupt the boot loader and edit the current boot entry. This provides a one-time, in-memory change for recovery without permanently modifying the GRUB configuration.
(GRUB edit screen opens)
init=/bin/sh
Appending init=/bin/sh changes the init process
for this boot so the system drops directly into a minimal
shell. This is a controlled recovery mode used to regain
access when authentication is blocked.
Ctrl+x
# OR
F10
Booting the edited entry applies the changes for this session only. Once the system starts, you should land in a shell prompt without a standard login sequence.
[ OK ] Started dracut pre-pivot and cleanup hook.
[ OK ] Reached target Switch Root.
Switching root.
/bin/sh: can't access tty; job control turned off
sh-5.1#
/usr/sbin/load_policy -i
Loading policy ensures SELinux permission checks behave predictably for recovery actions. It also reduces the chance of booting back into a system with mislabeled or blocked authentication state.
/usr/sbin/load_policy: done
mount -o remount,rw /
In this recovery mode, the root filesystem is typically mounted read-only. You must remount it read-write before changing account data.
passwd
Running passwd updates the root password. In a
rescue environment, this is the direct mechanism to regain
login capability.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
touch /.autorelabel
Creating /.autorelabel instructs the system to
relabel files on the next boot. This is a standard safety
step after making sensitive changes from a rescue shell.
exec /sbin/init
exec /sbin/init replaces the current rescue
shell with the normal init process so the system can
complete boot. If /.autorelabel is present,
relabeling may take time and should be allowed to finish.
system is rebooting...
SELinux relabel may take several minutes.
e
: Enters GRUB edit mode for the selected boot entry.
init=/bin/sh
: Overrides the init process for a single boot and drops to
a minimal shell for recovery.
Ctrl+x / F10
: Boots the modified GRUB entry.
/usr/sbin/load_policy -i
: Loads SELinux policy in rescue mode so permission checks
behave consistently.
-i
: Initializes the policy load for the current runtime.
mount -o remount,rw /
: Remounts the root filesystem read-write to allow changes.
remount
: Changes mount options without unmounting.
rw
: Enables read-write access.
passwd
: Resets the password for the current user (root in this
context).
touch /.autorelabel
: Triggers SELinux relabel on the next boot.
exec /sbin/init
: Starts the normal init process to resume standard boot.
exec
: Replaces the current shell with the specified process.
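
Because the boot loader is a security boundary, it helps to know when this path was used. The init=/bin/sh override stays in the kernel command line for that boot, so it can be checked in /proc/cmdline and in kernel log records. The script below is an added example, not part of the original procedure; the function names, the list of shell names (which goes beyond the single /bin/sh case above) and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): detect boots where the kernel
# command line replaced init with a shell, as init=/bin/sh does above.

# check_cmdline "<cmdline>": print each init= target that is a shell and
# return 0 if any was found, 1 otherwise. Runs in a subshell so set -f
# (no glob expansion during word splitting) does not leak to the caller.
check_cmdline() (
    set -f
    status=1
    for tok in $1; do
        case "$tok" in
            init=*)
                target=${tok#init=}
                # Assumption: this shell list is illustrative, not exhaustive.
                case "${target##*/}" in
                    sh|bash|dash|ash|ksh|zsh)
                        printf 'shell-as-init: %s\n' "$target"
                        status=0 ;;
                esac ;;
        esac
    done
    exit "$status"
)

# scan_kernel_log: read kernel log text on stdin (dmesg or journalctl -k
# format) and print how many "Kernel command line:" records are flagged.
scan_kernel_log() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            *"Kernel command line: "*)
                if check_cmdline "${line#*Kernel command line: }" >/dev/null
                then hits=$((hits + 1)); fi ;;
        esac
    done
    printf '%s\n' "$hits"
}

# Constructed sample: two boots, the second one edited at the GRUB menu.
SAMPLE_LOG='[    0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz-EXAMPLE root=/dev/mapper/rhel-root ro rhgb quiet
[    0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz-EXAMPLE root=/dev/mapper/rhel-root ro rhgb quiet init=/bin/sh'

printf 'flagged boots in sample: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | scan_kernel_log)"

# Live check of the running boot (Linux only).
if [ -r /proc/cmdline ]; then
    check_cmdline "$(cat /proc/cmdline)" || echo "current boot: init not overridden with a shell"
fi
```

Assuming the host keeps a persistent journal, piping journalctl -k -b -1 into scan_kernel_log applies the same check to the previous boot.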