And now 2fa works. So as the bug report states selinux is preventing this from working.
I wouldn’t recommend disbaling selinux permanently, so with wait for the bug to be resolved or use ssh 2fa as I’ve already suggested.
I’ve found a couple of work arounds (what can I say, stuff like this bugs me when it don’t work as expected). First is just to set selinux to permissive for just for the cockpit session:
semanage permissive -a cockpit_session_t
Its the easiest way to do it and its better than turning of selinux altogether, but I don’t really like it as cockpit doesn’t need a free rein; it just needs to able to access
A better option is local policy to allow cockpit to access
These instructions are for a different issue with selinux, but they can used to sort this out. You only need to follow steps 1 & 2, but you will need to repeat them about 4 times to create all the required polices; you can use
journalctl -t setroubleshoot to get the timestamps (take note of the timestamp format on the webpage, as this is one you will need to use). Make sure to name each policy different, so for example:
ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -a -M cockpit1
ausearch -m AVC --start 04/05/2016 19:52:00 --end 04/05/2016 19:52:59 | audit2allow -a -M cockpit2
You need to enable policies to survive a reboot:
semodule -e cockpit1