Any tips to troubleshoot RPC Policies?

Hi everyone!

Context

I am trying to allow an AppVM (called sd-dev) to clone another one (called existing-vm).

I created two policies for that purpose:

# dom0
# /etc/qubes-rpc/policy/include/admin-global-rwx

sd-dev @sdadmin allow,target=@adminvm
sd-dev @tag:creatd-by-sd-dev allow,target=@adminvm

# dom0
# /etc/qubes-rpc/policy/include/admin-local-rwx

sd-dev @tag:created-by-sd-dev allow,target-@adminvm

I made sure and verified that existing-vm is tagged with created-by-sd-dev:

# dom0

qvm-tag existing-vm list
# audiovm-dom0
# created-by-dom0
# created-by-sd-dev
# guivm-dom0

But when I run qvm-clone existing-vm new-vm, I keep hitting:

qubesadmin.exc.QubesDaemonAccessError: Service call error: Request refused

That’s the context.

I read through the New Qrexec Policy System introduction and got that in R4.1 the policies written in the “old format” (R4.0) should still be applied. (source)

I’ve verified that /etc/qubes/policy.d/35-compat.policy exists, and that it contains the !compat-4.0 include directive.

I noticed in the docs, however, that:

Now that the policy is a single entity, it is parsed as a whole. If there are any syntax errors, the parser will refuse to load anything (in order to prevent any unintended permission grants). The system is designed to “failed closed”: An empty policy results in all qrexec calls being denied. [emphasis mine]

I wouldn’t exclude that I made a mistake that I’m not seeing, and I was wondering if there was a way to list the policies that are currently active in a given system for troubleshooting purposes. If I know that the policies I wrote are being applied, I can focus on why they’re not sufficient to what I want to achieve.

Beyond that, I’d welcome any tips on troubleshooting RPC policies! 🙂

If you read the context in the post above, you may find it useful to know that I’ve also tried creating the following policy with no visible effect:

# /etc/qubes/policy.d/20-sd-dev.policy

# service-name|* +argument|* source destination action [options]
* * sd-dev * * ask
* * sd-dev @adminvm * ask
* * sd-dev @tag:created-by-sd-dev * ask
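Because the new policy system fails closed, a single malformed line stops the whole policy from loading, so a quick shape check of each line is the first thing to run. The linter below is an added example, not a Qubes OS tool: it checks the `service +arg source destination action [options]` layout of a new-format file over a constructed sample built from the lines in this thread (the `target-@adminvm` typo, the six-field `* * sd-dev * * ask` line, and an old-format `source dest action,options` line dropped into a new-format file). The set of accepted option keys is an assumption.

```python
import re

ACTIONS = {"allow", "deny", "ask"}
# Assumption: only the common option keys are accepted by this linter.
OPTION_KEYS = {"target", "default_target", "user"}
# A field is '*', an '@'-token such as @adminvm or @tag:x, or a plain name.
TOKEN = re.compile(r"^(\*|@[A-Za-z0-9_:.-]+|[A-Za-z0-9_.-]+)$")

# Constructed sample: new-format policy with the thread's lines mixed in.
SAMPLE_POLICY = """\
# service +arg source destination action [options]
!compat-4.0
admin.vm.List * sd-dev @adminvm allow target=@adminvm
admin.vm.List * sd-dev @tag:created-by-sd-dev allow target-@adminvm
* * sd-dev * * ask
sd-dev @tag:created-by-sd-dev allow,target=@adminvm
"""


def lint_policy(text):
    """Return [(line_no, message), ...]; an empty list means every line parsed.

    Any non-empty result means the real parser would reject the whole file.
    """
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("!"):     # directives (!compat-4.0, !include) pass through
            continue
        fields = line.split()
        if len(fields) < 5:
            problems.append((n, "expected service +arg source dest action, got %d fields" % len(fields)))
            continue
        service, arg, src, dst, action = fields[:5]
        for name, tok in (("service", service), ("source", src), ("destination", dst)):
            if not TOKEN.match(tok):
                problems.append((n, "bad %s token %r" % (name, tok)))
        if not (arg == "*" or arg.startswith("+")):
            problems.append((n, "argument must be '*' or start with '+': %r" % arg))
        if action not in ACTIONS:
            problems.append((n, "unknown action %r" % action))
        for opt in fields[5:]:                   # options are key=value tokens
            key, sep, value = opt.partition("=")
            if not sep or key not in OPTION_KEYS or not value:
                problems.append((n, "malformed option %r (expected key=value)" % opt))
    return problems
```

Running `lint_policy(SAMPLE_POLICY)` flags lines 4, 5 and 6 of the sample; an empty list is the only result under which the file would load.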

The system log may give you some hints.

  • Qubes 4.0 - journalctl /usr/bin/qrexec-policy
  • Qubes 4.1 - journalctl -u qubes-qrexec-policy-daemon