CentOS-6.2
We moved a cron job from a CentOS-5.7 host to a CentOS-6.2 host. The MAILTO variable is set to support@harte-lyne.ca in both instances. On the CentOS-6 host instead of receiving the mail with the output we see this in /var/log/cron instead:
Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE (support@harte-lyne.ca )
The CentOS-5 host uses Sendmail as the MTA, the CentOS-6 uses Postfix. We can send mail to support@harte-lyne.ca from the command line on both hosts.
The permissions of the files in /var/spool/cron are: # ll /var/spool/cron total 12 -rw-------. 1 root root 34 Mar 9 16:41 root -rw-------. 1 root root 4245 Mar 12 14:53 theheart
Selinux is set to Permissive (for the time being):
# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: targeted
What is causing cron to complain. What is unsafe and how do I rectify this?
On Mar 12, 2012, at 12:03 PM, James B. Byrne wrote:
CentOS-6.2
We moved a cron job from a CentOS-5.7 host to a CentOS-6.2 host. The MAILTO variable is set to support@harte-lyne.ca in both instances. On the CentOS-6 host instead of receiving the mail with the output we see this in /var/log/cron instead:
Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE (support@harte-lyne.ca )
The CentOS-5 host uses Sendmail as the MTA, the CentOS-6 uses Postfix. We can send mail to support@harte-lyne.ca from the command line on both hosts.
The permissions of the files in /var/spool/cron are: # ll /var/spool/cron total 12 -rw-------. 1 root root 34 Mar 9 16:41 root -rw-------. 1 root root 4245 Mar 12 14:53 theheart
Selinux is set to Permissive (for the time being):
# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: targeted
What is causing cron to complain. What is unsafe and how do I rectify this?
---- the surest way I know to make selinux complain is to copy a file created on one computer or an unrelated directory and copy/move it to another as it will fail to get the correct security contexts whereas generally using the tools for the purpose will avoid that. In other words, if you 'su - theheart' and then 'crontab -e' you should get the correct selinux file contexts.
To remedy, I would suspect that you need to do 'restorecon -v /var/spool/cron'
Craig
Am 12.03.2012 20:03, schrieb James B. Byrne:
CentOS-6.2
We moved a cron job from a CentOS-5.7 host to a CentOS-6.2 host. The MAILTO variable is set to support@harte-lyne.ca in both instances. On the CentOS-6 host instead of receiving the mail with the output we see this in /var/log/cron instead:
Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE (support@harte-lyne.ca )
Check which non-printable character you have there in the MAILTO line (probably after the mail address). Use od or hexdump to see which illegal (from cron's point of view) character(s) you have in there.
The CentOS-5 host uses Sendmail as the MTA, the CentOS-6 uses Postfix. We can send mail to support@harte-lyne.ca from the command line on both hosts.
The permissions of the files in /var/spool/cron are: # ll /var/spool/cron total 12 -rw-------. 1 root root 34 Mar 9 16:41 root -rw-------. 1 root root 4245 Mar 12 14:53 theheart
Care for usership by user theheart for his own cronjob?
Selinux is set to Permissive (for the time being):
# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 24 Policy from config file: targeted
What is causing cron to complain. What is unsafe and how do I rectify this?
Alexander
On Mar 12, 2012, at 12:03 PM, James B. Byrne wrote:
/ CentOS-6.2
/>/ />/ We moved a cron job from a CentOS-5.7 host to a CentOS-6.2 />/ host. The MAILTO variable is set tosupport at harte-lyne.ca http://lists.centos.org/mailman/listinfo/centos />/ in both instances. On the CentOS-6 host instead of />/ receiving the mail with the output we see this in />/ /var/log/cron instead: />/ />/ Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE />/ (support at harte-lyne.ca http://lists.centos.org/mailman/listinfo/centos ) />/ />/ The CentOS-5 host uses Sendmail as the MTA, the CentOS-6 />/ uses Postfix. We can send mail tosupport at harte-lyne.ca http://lists.centos.org/mailman/listinfo/centos />/ from the command line on both hosts. />/ />/ The permissions of the files in /var/spool/cron are: />/ # ll /var/spool/cron />/ total 12 />/ -rw-------. 1 root root 34 Mar 9 16:41 root />/ -rw-------. 1 root root 4245 Mar 12 14:53 theheart />/ />/ Selinux is set to Permissive (for the time being): />/ />/ # sestatus />/ SELinux status: enabled />/ SELinuxfs mount: /selinux />/ Current mode: permissive />/ Mode from config file: permissive />/ Policy version: 24 />/ Policy from config file: targeted />/ />/ What is causing cron to complain. What is unsafe and how />/ do I rectify this? /----
Not sure if you are just trying to use root or using an alias, but I found several instances in the manual that said I MUST send root mail to an alias when using certian aspects of postifx/procmail, etc... something to do with the delivery.
Not sure if this has anything to do with it, but I would try adding root:<some other user> in the /etc/aliases file then run 'newaliases' then try something.
hope this helps.
On Mon, March 12, 2012 15:03, James B. Byrne wrote:
CentOS-6.2
We moved a cron job from a CentOS-5.7 host to a CentOS-6.2 host. The MAILTO variable is set to support@harte-lyne.ca in both instances. On the CentOS-6 host instead of receiving the mail with the output we see this in /var/log/cron instead:
Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE (support@harte-lyne.ca )
This seemed to be cured by running restorecon -rvF /var as was suggested here. However, I still have not been able to identify any avc entries relating to the problem. Thus I cannot be certain that this is in fact the case.
The permissions of the files in /var/spool/cron are: # ll /var/spool/cron total 12 -rw-------. 1 root root 34 Mar 9 16:41 root -rw-------. 1 root root 4245 Mar 12 14:53 theheart
According to the man page the crond daemon requires that root own everything in /var/spool/cron (unless run with the -p option) and that no one else may have write access to the files therein. The file names also must match a user id in passwd to be loaded and used by crond. Thus there was no issue with either the permissions or ownership.
The other difficulties that arose had to do with PostFix configuration. Since on this host there is no local mail delivery the aliases map is simply not used by PostFix. Therefore entries in that map have no effect whatsoever. The virtual map is used by PostFix in this case however. Thus entries made in the virtual map can be used to route locally generated mail sent to local userids even with local delivery disabled.
-
Alexander Dalloz -
Bob Hoffman -
Craig White -
James B. Byrne