There are multiple methods of changing root’s password. Some of us old timers just boot a bootable system disk, fsck the root file system, mount it, and edit etc/shadow. This may not work correctly with a system configured using SELinux.
In this quickie, I’m talking about Red Hat 7.
Boot the system. At the grub2 menu, hit e to go into edit mode.
On the kernel line, remove the rhgb and quiet keywords. You should do this anyway on a server so you can see the system messages as it boots. Helps to know that a system is running fsck or some crazy DBA has set up an Oracle script to prompt for an answer (ask me how I know).
At the end of the line (Ctrl + e), add rd.break enforcing=0.
Press Ctrl + x to continue booting.
Once it’s done, you’ll be at a prompt. Remount the root file system as read-write. mount -o remount,rw /sysroot
Change the mounted root file system to be a jail. chroot /sysroot. You’ll have a normal prompt.
Run the passwd command to set root’s password.
You’ll need to rescan the drive for SELinux. touch /.autorelabel.
Remount the file system as read only. This flushes any memory to ensure all writes have completed. mount -o remount,ro /
Exit out of the chroot jail. exit
Exit out of emergency mode and continue booting. Depending on the size of the system it can take several minutes. exit
You’ll need restore the context of the /etc/shadow file. restorecon /etc/shadow
Check the current SELinux status. getenforce
If you’re out of enforcing mode, set it. setenforce 1
Check the status once again. getenforce
And done. Reset root’s password once the system is back up and ready to use.