The following procedure works all the time.
Procedure
At the beginning of the boot process, at the GRUB 2 menu, press the e key to edit the selected entry.
Then, go to the kernel line (the line starting with linux16) and add the following statements at the end:
rd.break enforcing=0
Caution: The keys to press are those of a US keyboard (qwerty).
Note: rd.break asks for a break at an early stage of the boot process. enforcing=0 puts the system into SELinux Permissive mode.
Press Ctrl+x to resume the boot process.
Then, mount the /sysroot partition as read/write:
switch_root:/# mount -o remount,rw /sysroot
Execute the chroot command on the /sysroot partition:
switch_root:/# chroot /sysroot
Change the root password:
sh-4.2# passwd root
Changing password for user root.
New password: mypassword
Retype new password: mypassword
passwd: all authentication tokens updated successfully.
sh-4.2# exit
exit
switch_root:/# exit
logout
Log in at the server console (don’t reboot now!) as the root user with the new password:
...
[ OK ] Started Network Manager Script Dispatcher Service.
[ OK ] Started Crash recovery kernel arming.
[ OK ] Reached target Multi-User System.
CentOS Linux 7 (Core)
Kernel 3.10.0-229.14.1.el7.x86_64 on an x86_64
vm login: root
Password: mypassword
Then type:
# restorecon /etc/shadow
# reboot
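If you strictly follow this procedure, you don’t need to force a SELinux relabel (# touch /.autorelabel) or load the SELinux policy (# /usr/sbin/load_policy -i). Booting with enforcing=0 lets the login succeed in Permissive mode, and restorecon then fixes the label on /etc/shadow, the file that passwd rewrote before any SELinux policy was loaded.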
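The script below is an added example, not part of the original procedure. It confirms that /etc/shadow carries the type the policy expects before you reboot into Enforcing mode, and reports whether the GRUB overrides are still on the kernel command line. The function names are hypothetical, and it assumes stat -c %C (coreutils) and matchpathcon -n (libselinux-utils) are available.

```sh
#!/bin/sh
# Added example: sanity checks to run after `restorecon /etc/shadow`.
# Function names are hypothetical, not from the original page.

# Print the SELinux type (third field) of a context string,
# e.g. system_u:object_r:shadow_t:s0 -> shadow_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the context found on /etc/shadow ($1) with the one the loaded
# policy expects ($2). An empty or mismatching type means a relabel is needed.
verdict() {
    if [ -n "$1" ] && [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]; then
        echo ok
    else
        echo relabel-needed
    fi
}

# Return 0 if a kernel command line ($1) still carries one of the
# overrides typed at the GRUB prompt (rd.break or enforcing=0).
cmdline_has_override() {
    case " $1 " in
        *" rd.break "*|*" rd.break="*|*" enforcing=0 "*) return 0 ;;
    esac
    return 1
}

# Live mode: inspect the running system.
if [ "${1:-}" = "--live" ]; then
    actual=$(stat -c %C /etc/shadow)
    expected=$(matchpathcon -n /etc/shadow)
    echo "/etc/shadow is $actual, policy expects $expected: $(verdict "$actual" "$expected")"
    if cmdline_has_override "$(cat /proc/cmdline)"; then
        echo "boot override present: normal for this boot, must be gone after reboot"
    fi
fi
```

Run it with --live once before the final reboot, and again afterwards to confirm that the overrides are gone and the label is still correct.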