One last comment, if I apply this patch then cron works even with unconfined disabled/removed.
--- password-auth-local 2014-02-16 13:27:46.805584897 -0500
+++ password-auth-local.cron 2014-02-15 21:03:42.100619845 -0500
@@ -24,7 +24,7 @@ password required pam_cracklib.s
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
password required pam_deny.so
-session required pam_lastlog.so showfailed
+session optional pam_lastlog.so showfailed
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
Perhaps the SSG can be updated to utilize this line. I believe changing required to optional is an acceptable action because it is only used for displaying failed logins. If a user were to fail to access the lastlog file they would fail during a previous service type like auth or account.