[main] Doc issue in file modules/ROOT/pages/reset-root-password.adoc #790

Closed
opened 2024-12-09 21:03:41 +00:00 by veteranporter · 4 comments

The instructions for changing the password (root or otherwise) on the console no longer work in Fedora 41, and probably in earlier versions of Fedora.

After you have booted into maintenance and changed the password using `passwd` (which works, as can be seen by dumping `/etc/shadow`), you are told to reset the SELinux permissions, i.e. perform a relabeling.

However, a `touch /.autorelabel` (or else issuing the command `fixfiles onboot`, which apparently does the same thing) is not enough to start relabeling!

We find that after boot, "logging in" still does not work. Not because of a bad password but because of SELinux. There are AVC warnings in `/var/log/message` (`unix_chkpwd` is not allowed to access the `shadow` file, apparently) and the file `/.autorelabel` is still present. And indeed, no messages concerning relabeling were seen during the boot process.

Apparently, the relabeling itself is interdicted by SELinux. See this discussion:

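[FEDORA 38 SELINUX .autorelabel without function](https://discussion.fedoraproject.org/t/fedora-38-selinux-autorelabel-without-function/81282)

See also:

[Red Hat Docs: Changing SELinux states and modes](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#changing-selinux-modes_changing-selinux-states-and-modes)

where we read:

> Before rebooting the system for relabeling, make sure the system will boot in permissive mode, for example by using the `enforcing=0` kernel option. This prevents the system from failing to boot in case the system contains unlabeled files required by systemd before launching the selinux-autorelabel service. For more information, see [RHBZ#2021835](https://bugzilla.redhat.com/show_bug.cgi?id=2021835)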

The latter bug report has the title ".autorelabel does not work anymore in RHEL8.4 if a file required by systemd is unlabelled (/etc/localtime)"

Indeed, to make the process successful, one has to boot with a modified kernel line with an additional `enforcing=0`.

This will show relabeling progress on boot.

And then the modified password or passwords allow you to log in. Also, the file `/.autorelabel` is gone and SELinux is in enforcing mode (as shown by `sestatus`).

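A check for the symptoms described in this report, as an added example that is not part of the original issue or of the Fedora documentation: it classifies whether the requested relabel ran by looking at the `/.autorelabel` marker and the kernel command line, and counts `unix_chkpwd` denials on `shadow` in a log file. The function names, the state names and the sample AVC line are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: did the SELinux relabel requested via /.autorelabel run?
# All paths are parameters so the check also works on a mounted root or a test tree.

# Constructed sample of the kind of denial the report describes (not a real log line).
SAMPLE_AVC='audit[812]: AVC avc:  denied  { read } for  pid=812 comm="unix_chkpwd" name="shadow" tclass=file permissive=0'

# has_enforcing0 CMDLINE_FILE
# Succeeds if the kernel command line carries the exact token enforcing=0.
has_enforcing0() {
    tr ' ' '\n' < "$1" | grep -qx 'enforcing=0'
}

# shadow_denials LOGFILE
# Prints the number of AVC denials where unix_chkpwd was refused access to "shadow".
shadow_denials() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'avc: *denied.*comm="unix_chkpwd".*name="shadow"' "$1" || true
}

# relabel_state [ROOT] [CMDLINE_FILE]
# Prints one of:
#   done     marker is gone, the relabel has completed
#   pending  marker present and this boot has enforcing=0, so the relabel can run
#   blocked  marker present after an enforcing boot: the failure in this report
relabel_state() {
    root=${1:-/}
    cmdline=${2:-/proc/cmdline}
    if [ ! -e "$root/.autorelabel" ]; then
        echo done
    elif has_enforcing0 "$cmdline"; then
        echo pending
    else
        echo blocked
    fi
}

# Typical use on the affected machine (as root):
#   relabel_state                      # -> blocked means: reboot with enforcing=0
#   shadow_denials /var/log/messages   # -> non-zero matches the login failure
```

A `blocked` result together with a non-zero denial count corresponds to the state the report describes before rebooting with `enforcing=0`; `done` should be confirmed with `sestatus` showing enforcing mode.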
Contributor

Metadata Update from @pbokoc:

  • Issue assigned to pbokoc
Contributor

Metadata Update from @pbokoc:

  • Issue priority set to: waiting on assignee (was: awaiting triage)
Contributor

Fixed in #801.
Contributor

Metadata Update from @pbokoc:

  • Issue close_status updated to: complete
  • Issue status updated to: Closed (was: Open)
Reference: Docs/quick-docs#790