Description of problem: I have successfully enabled two-factor authentication using the Google Authenticator in SSH. However, I haven’t had the same luck with Cockpit: Dec 08 21:57:24 NUC cockpit(pam_google_authenticator)[11885]: Accepted google_authenticator for root Dec 08 21:57:24 NUC audit[11885]: AVC avc: denied { dac_override } for pid=11885 comm="cockpit-session" capability=1 scontext=system_u:system_r:cockpit_session_t:s0 tcontex t=system_u:system_r:cockpit_session_t:s0 tclass=capability permissive=0 Dec 08 21:57:24 NUC audit[11885]: USER_AUTH pid=11885 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/libexec/cockpit-session" hostname=192.168.1.82 addr=192.168.1.82 terminal=? res=failed' Dec 08 21:57:24 NUC cockpit(pam_google_authenticator)[11885]: Failed to update secret file "/root/.google_authenticator": Permission denied The /root directory has permissions 0550 and Cockpit, unlike SSH, doesn’t have the DAC_OVERRIDE capability. Version-Release number of selected component (if applicable): cockpit-183-1.fc29.x86_64 google-authenticator-1.04-3.fc29.x86_64 selinux-policy-3.14.2-42.fc29.noarch How reproducible: Always. Steps to Reproduce: 1. Enable two-factor authentication in the PAM configuration for Cockpit. 2. Try to log in as root. Actual results: Failed authentication. Expected results: Successful authentication. Additional info:
commit 73801b54e7549b557a5568a4a7b0afe77eaf60ed (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Wed Dec 12 13:54:20 2018 +0100 Add dac_override capability to cockpit_session_t domain BZ(1657489)
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.