Once upon a time, Bill Nottingham <notting@redhat.com> said:
> However, this changes behavior that has existed since the dawn of time in Red Hat/Fedora systems; with this change, single-user mode would now require the root password. This is both when booting with 'linux single/linux S', or going to runlevel 1 with 'telinit 1'.
Well, that would make changing an unknown root password more annoying. At a minimum, you should add the -e option (so if the files are corrupted you can still get in).
How about moving /usr/bin/runcon to /bin and using that to call bash instead?
In any case, the same method should be used for fsck failures, which right now is sulogin, without the -e (but SELinux is disabled for that shell, which doesn't seem like a good idea to me).
I have some old (ancient?) Cobalt RaQs that use sulogin instead of just calling bash, and it is just an annoyance; it doesn't really secure anything (physical access trumps all). If you are trying to secure a system, you need to password-protect the boot loader anyway.