Hi everyone!
Context
I am trying to allow an AppVM (called `sd-dev`) to clone another one (called `existing-vm`).
I created two policies for that purpose:

```
# dom0
# /etc/qubes-rpc/policy/include/admin-global-rwx
sd-dev @sdadmin allow,target=@adminvm
sd-dev @tag:creatd-by-sd-dev allow,target=@adminvm
```

```
# dom0
# /etc/qubes-rpc/policy/include/admin-local-rwx
sd-dev @tag:created-by-sd-dev allow,target-@adminvm
```
I made sure, and verified, that `existing-vm` is tagged with `created-by-sd-dev`:

```
# dom0
qvm-tag existing-vm list
# audiovm-dom0
# created-by-dom0
# created-by-sd-dev
# guivm-dom0
```
But when I run `qvm-clone existing-vm new-vm`, I keep hitting:

```
qubesadmin.exc.QubesDaemonAccessError: Service call error: Request refused
```
That’s the context.
I read through the New Qrexec Policy System introduction and got that in R4.1 the policies written in the “old format” (R4.0) should still be applied. (source)
I’ve verified that `/etc/qubes/policy.d/35-compat.policy` exists, and that it contains the `!compat-4.0` include directive.
I noticed in the docs, however, that:

> Now that the policy is a single entity, it is parsed as a whole. If there are any syntax errors, the parser will refuse to load anything (in order to prevent any unintended permission grants). The system is designed to “failed closed”: An empty policy results in all qrexec calls being denied. [emphasis mine]
I wouldn’t exclude that I made a mistake that I’m not seeing, and I was wondering if there was a way to list the policies that are currently active in a given system for troubleshooting purposes. If I know that the policies I wrote are being applied, I can focus on why they’re not sufficient to what I want to achieve.
Beyond that, I’d welcome any tips on troubleshooting RPC policies!
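Added example (not part of the post above, and not the qrexec project's parser): the fail-closed behaviour quoted from the docs means that one malformed line anywhere in the policy set denies every call, which is exactly the situation worth ruling out first. The script below is a simplified, stand-alone checker for the three-field R4.0 "compat" grammar (`source target action[,key=value...]`). It catches the usual slips that make the real parser refuse the whole policy: an option written without `=`, a misspelled action, a missing field, or a source/target token that is neither a VM name nor a recognised `@`/`$` keyword. The VM name `dev-vm`, the tag `created-by-dev-vm` and the sample policy text are constructed for illustration; the accepted keyword and option sets are a subset of what qrexec knows, so treat a "parses" result as "no obvious typo", not as proof the policy is valid.

```python
"""Simplified syntax checker for Qubes R4.0-style ("compat") qrexec policy lines.

Illustrative code, not the qrexec parser. It mirrors the old three-field
grammar closely enough to flag the classic mistakes that make the real parser
reject the whole policy set (which fails closed): a malformed option such as
`target-@adminvm` instead of `target=@adminvm`, an unknown action, a missing
field, or a source/target token that is neither a VM name nor a known keyword.
"""
import re

ACTIONS = {"allow", "deny", "ask"}
OPTIONS = {"target", "user", "default_target"}
# Source/target tokens: a VM name, or a keyword with an @ (R4.1) or $ (R4.0) prefix.
# This keyword list is a subset of what qrexec accepts (assumption: enough for typo hunting).
_KEYWORD = re.compile(
    r"^[@$](anyvm|adminvm|dispvm|default|tag:[A-Za-z0-9_-]+|type:[A-Za-z]+|dispvm:[A-Za-z0-9_.-]+)$"
)
_VMNAME = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*$")


def _valid_subject(tok):
    """True if tok looks like a VM name or a known @/$ keyword."""
    return bool(_KEYWORD.match(tok) or _VMNAME.match(tok))


def check_line(line):
    """Return None if the line parses, otherwise a short error message."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None  # blank or comment-only line
    if stripped.startswith(("$include:", "@include:")):
        return None  # include directive; the included path is not validated here
    fields = stripped.split()
    if len(fields) != 3:
        return f"expected 3 fields (source target action), got {len(fields)}"
    src, dst, action_spec = fields
    if not _valid_subject(src):
        return f"bad source token {src!r}"
    if not _valid_subject(dst):
        return f"bad target token {dst!r}"
    action, *params = action_spec.split(",")
    if action not in ACTIONS:
        return f"unknown action {action!r}"
    for param in params:
        if "=" not in param:
            return f"malformed option {param!r} (expected key=value)"
        key, value = param.split("=", 1)
        if key not in OPTIONS:
            return f"unknown option {key!r}"
        if not value:
            return f"empty value for option {key!r}"
        if key == "default_target" and action != "ask":
            return "default_target is only meaningful with ask"
    return None


def check_policy(text):
    """Return a list of (line_number, message) for every line that does not parse."""
    errors = []
    for number, line in enumerate(text.splitlines(), 1):
        msg = check_line(line)
        if msg:
            errors.append((number, msg))
    return errors


# Constructed sample in the style of an old-format include file (not a real Qubes file).
# Line 3 carries the "-" instead of "=" slip, line 4 a misspelled action, line 5 a missing field.
SAMPLE_POLICY = """\
# example include file (constructed)
dev-vm @tag:created-by-dev-vm allow,target=@adminvm
dev-vm @tag:created-by-dev-vm allow,target-@adminvm
dev-vm @anyvm alow
dev-vm @tag:created-by-dev-vm
"""

if __name__ == "__main__":
    for number, msg in check_policy(SAMPLE_POLICY):
        print(f"line {number}: {msg}")
```

Run it as a plain script to see the three flagged lines, or call `check_policy()` on the text of each file under `/etc/qubes-rpc/policy/` and its `include/` directory. Because a single bad line denies everything, it pays to check every file, not just the two that were edited for the clone use case.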