13

I know that this has been asked many times before, but I believe my situation is different.

I am trying to add a pre-revprop-change hook to our SVN repository to enable changes to be made to log messages.

Before I added the pre-revprop-change file I was getting this error:

```
$ svn propset -r 557 --revprop svn:log "New message!" https://myserver/repos/myrepo
svn: DAV request failed; it's possible that the repository's pre-revprop-change hook either failed or is non-existent
svn: At least one property change failed; repository is unchanged
svn: Error setting property 'log': 
Repository has not been enabled to accept revision propchanges;
ask the administrator to create a pre-revprop-change hook
```

No problem, I thought. I'll add it:

```
$ cd /var/www/svn/myrepo/hooks

$ # Create the simplest hook possible
$ echo '#!/bin/sh' > pre-revprop-change
$ echo 'exit 0' >> pre-revprop-change

$ # Check that it looks correct
$ cat pre-revprop-change
#!/bin/sh
exit 0

$ # Looks good, now make it executable
$ chmod a+x pre-revprop-change

$ # Check the permissions
$ ls -al pre-revprop-change
-rwxr-xr-x 1 apache apache 17 2012-05-24 12:05 pre-revprop-change

$ # Run it, to make sure it runs, and check the error code
$ ./pre-revprop-change 
$ echo $?
0
```

So, according to everything else I've read on SO, that should be all I need to make it work. But, when I try to edit the log message again, I still get an error (a different one this time):

```
$ svn propset -r 557 --revprop svn:log "New message!" https://myserver/repos/myrepo
svn: DAV request failed; it's possible that the repository's pre-revprop-change hook either failed or is non-existent
svn: At least one property change failed; repository is unchanged
svn: Error setting property 'log': 
Revprop change blocked by pre-revprop-change hook (exit code 255) with no output.
```

There are a few points to note:

1) The repository is hosted on an SELinux server (Fedora core 10). Perhaps there is something that I need to do with regards to those permissions? Here are the SE permissions of the hook:

```
$ ls -alZ pre-revprop-change
-rwxr-xr-x  apache apache unconfined_u:object_r:httpd_sys_content_rw_t:s0 pre-revprop-change
```

2) The repository is being accessed via WebDAV (note the https:// in the repository name). Is there something that I need to set up on the WebDAV side to allow pre-revprop-change changes?

Lee Netherton

2 Answers

11

After several hours of trying, I've found the answer. And, as it doesn't seem to exist anywhere else on the internet, I'll post it here...

The problem was caused by SELinux (no great surprise there). It seems that apache (/usr/sbin/httpd) did not have the necessary permissions to run the hook script with the aforementioned SE permissions. To get it to execute, the SELinux permissions needed to be changed with

```
$ chcon -t httpd_exec_t pre-revprop-change
```

(I first tried changing it to httpd_sys_script_exec_t, but this was not enough to get the script to execute. But with the httpd_exec_t type it worked.)

Final question: is this a secure thing to be doing?

Lee Netherton
  • 1
    Whether this is secure depends on your standards of "secure" :) ... but yes, SELinux can cause some subtle problems, which can be diagnosed by enabling logging, though. – 0xC0000022L May 24 '12 at 13:35
  • Thanks. Yeah, I don't think our server is going to be hack-central, but I just wanted to make sure I haven't just opened up a massive security hole! Do you know why using the `httpd_sys_script_exec_t` didn't work? It seems from the documentation that it should have... – Lee Netherton May 24 '12 at 13:41
  • I would have thought also that this should have worked. No idea why it has to be `httpd_exec_t` instead of `httpd_sys_script_exec_t`. But it's possible that SELinux is somehow able to distinguish scripts whose output goes to Apache from those where it goes elsewhere. You were using Apache and not `svnserve` (even though Apache may proxy it), right? – 0xC0000022L May 24 '12 at 13:47
  • Yep, definitely going through apache. The svn WebDAV url is configured in the `/etc/httpd/conf.d/` directory. And I was accessing it via the `https://` url. – Lee Netherton May 25 '12 at 09:07
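
Added example, not part of the original posts: the question's test hook is just `exit 0`, which accepts any revision-property change from any user, so a hook that only lets listed accounts modify `svn:log` could look like the sketch below. The account names in `ALLOWED_USERS` and the function name `allow_revprop_change` are assumptions made for illustration.

```shell
#!/bin/sh
# Subversion runs: pre-revprop-change REPOS REV USER PROPNAME ACTION
# ACTION is A (add), M (modify) or D (delete); the new value arrives on stdin.
# Exit 0 allows the change; non-zero blocks it and stderr goes to the client.

# Assumption: constructed allowlist of accounts that may rewrite log messages.
ALLOWED_USERS="alice bob"

allow_revprop_change() {
    if [ "$#" -ne 5 ]; then
        echo "pre-revprop-change: expected 5 arguments, got $#" >&2
        return 1
    fi
    user=$3 propname=$4 action=$5

    # Revision properties are unversioned, so an overwritten value is lost.
    # Permit only in-place edits of svn:log, never svn:author or svn:date.
    if [ "$propname" != "svn:log" ] || [ "$action" != "M" ]; then
        echo "Only modifying svn:log is allowed (got $action on $propname)" >&2
        return 1
    fi

    # USER is empty for unauthenticated access; require a listed account.
    case $user in
        ""|*" "*) echo "Unauthenticated or malformed user name" >&2; return 1 ;;
    esac
    case " $ALLOWED_USERS " in
        *" $user "*) ;;
        *) echo "User '$user' may not change log messages" >&2; return 1 ;;
    esac

    # The replacement text is on stdin; refuse to blank out a log message.
    has_text=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] || has_text=1
    done
    if [ "$has_text" -ne 1 ]; then
        echo "Refusing to replace the log message with an empty one" >&2
        return 1
    fi
    return 0
}

# Act as the hook only when installed under its real name; the function's
# status becomes the exit code, so every rejection fails closed.
case $0 in
    */pre-revprop-change|pre-revprop-change) allow_revprop_change "$@"; exit $? ;;
esac
```

Installed as `hooks/pre-revprop-change`, it needs the same executable bit and SELinux label as the hook discussed above.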
1

Had a similar thing on CentOS. The problem was probably somewhere in caching as when I edited the file and then changed it back it started to work.

So if anyone has a similar problem simply try:

```
touch hooks/pre-revprop-change
```
Nux