[CentOS] Cron marks mailto value as UNSAFE

Mon Mar 12 19:32:09 UTC 2012
Craig White <craig.white at ttiltd.com>

On Mar 12, 2012, at 12:03 PM, James B. Byrne wrote:

> CentOS-6.2
> We moved a cron job from a CentOS-5.7 host to a CentOS-6.2
> host.  The MAILTO variable is set to support at harte-lyne.ca
> in  both instances.  On the CentOS-6 host instead of
> receiving the mail with the output we see this in
> /var/log/cron instead:
> Mar 12 14:49:01 inet09 CROND[6639]: (cron theheart) UNSAFE
> (support at harte-lyne.ca )
> The CentOS-5 host uses Sendmail as the MTA, the CentOS-6
> uses Postfix. We can send mail to support at harte-lyne.ca
> from the command line on both hosts.
> The permissions of the files in /var/spool/cron are:
> # ll /var/spool/cron
> total 12
> -rw-------. 1 root root   34 Mar  9 16:41 root
> -rw-------. 1 root root 4245 Mar 12 14:53 theheart
> Selinux is set to Permissive (for the time being):
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted
> What is causing cron to complain. What is unsafe and how
> do I rectify this?
the surest way I know to make selinux complain is to copy a file created on one computer or an unrelated directory and copy/move it to another as it will fail to get the correct security contexts whereas generally using the tools for the purpose will avoid that. In other words, if you 'su - theheart' and then 'crontab -e' you should get the correct selinux file contexts.

To remedy, I would suspect that you need to do 'restorecon -v /var/spool/cron'