On Mon, March 12, 2012 15:03, James B. Byrne wrote:
CentOS-6.2
We moved a cron job from a CentOS-5.7 host to a CentOS-6.2 host. The MAILTO variable is set to support@harte-lyne.ca in both instances. On the CentOS-6 host instead of receiving the mail with the output we see this in /var/log/cron instead:
Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE (support@harte-lyne.ca )
This seemed to be cured by running restorecon -rvF /var as was suggested here. However, I still have not been able to identify any avc entries relating to the problem. Thus I cannot be certain that this is in fact the case.
The permissions of the files in /var/spool/cron are: # ll /var/spool/cron total 12 -rw-------. 1 root root 34 Mar 9 16:41 root -rw-------. 1 root root 4245 Mar 12 14:53 theheart
According to the man page the crond daemon requires that root own everything in /var/spool/cron (unless run with the -p option) and that no one else may have write access to the files therein. The file names also must match a user id in passwd to be loaded and used by crond. Thus there was no issue with either the permissions or ownership.
The other difficulties that arose had to do with PostFix configuration. Since on this host there is no local mail delivery the aliases map is simply not used by PostFix. Therefore entries in that map have no effect whatsoever. The virtual map is used by PostFix in this case however. Thus entries made in the virtual map can be used to route locally generated mail sent to local userids even with local delivery disabled.