[CentOS] [SOLVED] Cron marks mailto value as UNSAFE

Tue Mar 13 19:20:08 UTC 2012
James B. Byrne <byrnejb at harte-lyne.ca>

On Mon, March 12, 2012 15:03, James B. Byrne wrote:
> CentOS-6.2
>
> We moved a cron job from a CentOS-5.7 host to a CentOS-6.2
> host.  The MAILTO variable is set to support at harte-lyne.ca
> in both instances.  On the CentOS-6 host instead of
> receiving the mail with the output we see this in
> /var/log/cron instead:
>
> Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE
> (support at harte-lyne.ca )
>

This seemed to be cured by running restorecon -rvF /var as
was suggested here.  However, I still have not been able
to identify any avc entries relating to the problem.  Thus
I cannot be certain that this is in fact the case.

>
> The permissions of the files in /var/spool/cron are:
> # ll /var/spool/cron
> total 12
> -rw-------. 1 root root   34 Mar  9 16:41 root
> -rw-------. 1 root root 4245 Mar 12 14:53 theheart
>

According to the man page the crond daemon requires that
root own everything in /var/spool/cron (unless run with
the -p option) and that no one else may have write access
to the files therein.  The file names also must match a
user id in passwd to be loaded and used by crond.  Thus
there was no issue with either the permissions or
ownership.

The other difficulties that arose had to do with Postfix
configuration.  Since on this host there is no local mail
delivery, the aliases map is simply not used by Postfix.
Therefore entries in that map have no effect whatsoever.
The virtual map is used by Postfix in this case, however.
Thus entries made in the virtual map can be used to route
locally generated mail sent to local userids even with
local delivery disabled.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
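
Added example, not part of the original message: a shell function that checks a crontab spool directory against the three conditions the message cites from the crond man page (root ownership, no write access for anyone else, file name matching a passwd entry). The function name, its arguments and the passwd-file and owner-uid overrides are assumptions made for illustration, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: audit_cron_spool [DIR] [PASSWD_FILE] [OWNER_UID]
# Defaults (assumed for a stock CentOS host): /var/spool/cron, /etc/passwd, uid 0.
# Prints one line per finding; returns 0 only when every crontab passes.
audit_cron_spool() {
    dir=${1:-/var/spool/cron}
    passwd=${2:-/etc/passwd}
    want_uid=${3:-0}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and an empty glob
        name=${f##*/}
        uid=$(stat -c %u "$f")           # numeric owner
        mode=$(stat -c %a "$f")          # octal permission bits, e.g. 600

        # 1. The crontab must be owned by root (or the uid given as $3).
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER  $f: uid $uid, expected $want_uid"
            bad=$((bad + 1))
        fi

        # 2. Nobody but the owner may write: group/other write bits must be clear.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITE  $f: mode $mode is group/other writable"
            bad=$((bad + 1))
        fi

        # 3. The file name must be a user name present in the passwd file.
        #    awk compares the first field literally, so odd names are safe.
        if ! awk -F: -v u="$name" '$1 == u { ok = 1 } END { exit !ok }' "$passwd"
        then
            echo "NOUSER $f: no passwd entry named $name"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
```

Run `audit_cron_spool` as root with no arguments to check the live spool; the listing in the quoted message (mode 600, owner root, names root and theheart) would pass all three checks if both users exist in passwd.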