I am trying to allow an AppVM (called sd-dev) to clone another one (called
I created two policies for that purpose:
    # dom0
    # /etc/qubes-rpc/policy/include/admin-global-rwx
    sd-dev @sdadmin allow,target=@adminvm
    sd-dev @tag:creatd-by-sd-dev allow,target=@adminvm

    # dom0
    # /etc/qubes-rpc/policy/include/admin-local-rwx
    sd-dev @tag:created-by-sd-dev allow,target-@adminvm
I made sure, and verified that existing-vm is tagged with created-by-sd-dev:

    # dom0
    qvm-tag existing-vm list
    # audiovm-dom0
    # created-by-dom0
    # created-by-sd-dev
    # guivm-dom0
But when I run qvm-clone existing-vm new-vm, I keep hitting:
qubesadmin.exc.QubesDaemonAccessError: Service call error: Request refused
That’s the context.
I’ve verified that /etc/qubes/policy.d/35-compat.policy exists, and that it contains the !compat-4.0 include directive.
I noticed in the docs, however, that:
Now that the policy is a single entity, it is parsed as a whole. If there are any syntax errors, the parser will refuse to load anything (in order to prevent any unintended permission grants). The system is designed to “failed closed”: An empty policy results in all qrexec calls being denied. [emphasis mine]
I wouldn’t exclude that I made a mistake that I’m not seeing, and I was wondering if there was a way to list the policies that are currently active in a given system for troubleshooting purposes. If I know that the policies I wrote are being applied, I can focus on why they’re not sufficient for what I want to achieve.
Beyond that, I’d welcome any tips on troubleshooting RPC policies!
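Because a single malformed line makes the parser refuse the whole policy, a structural pre-check of the include files can narrow things down before looking at the daemon. The sketch below is an added example, not part of the original post and not Qubes code. It assumes the legacy line format `source target action[,key=value...]` with the parameter keys `target`, `user` and `default_target`, and compares `@tag:` references against the `qvm-tag` output for one VM. `lint_policy` and the constant names are hypothetical.

```python
ACTIONS = {"allow", "deny", "ask"}
PARAM_KEYS = {"target", "user", "default_target"}  # assumed legacy parameter keys
SKIP_PREFIXES = ("#", "!", "@include:", "$include:")  # comments and directives

def lint_policy(text, known_tags):
    """Return (line_no, message) findings for legacy-format policy lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        fields = line.split()
        if len(fields) != 3:
            findings.append((no, f"expected 3 fields, got {len(fields)}"))
            continue
        source, target, action_spec = fields
        action, *params = action_spec.split(",")
        if action not in ACTIONS:
            findings.append((no, f"unknown action {action!r}"))
        for param in params:
            key, sep, value = param.partition("=")
            if not sep or not value or key not in PARAM_KEYS:
                findings.append((no, f"malformed parameter {param!r}"))
        # Not a syntax error: a tag no VM carries just means the rule never matches.
        for endpoint in (source, target):
            if endpoint.startswith("@tag:") and endpoint[5:] not in known_tags:
                findings.append((no, f"tag {endpoint[5:]!r} not in known tags"))
    return findings

# Rule lines and tag list copied from the post above.
GLOBAL_RWX = (
    "sd-dev @sdadmin allow,target=@adminvm\n"
    "sd-dev @tag:creatd-by-sd-dev allow,target=@adminvm\n"
)
LOCAL_RWX = "sd-dev @tag:created-by-sd-dev allow,target-@adminvm\n"
EXISTING_VM_TAGS = {"audiovm-dom0", "created-by-dom0", "created-by-sd-dev", "guivm-dom0"}

if __name__ == "__main__":
    for name, text in (("admin-global-rwx", GLOBAL_RWX), ("admin-local-rwx", LOCAL_RWX)):
        for no, message in lint_policy(text, EXISTING_VM_TAGS):
            print(f"{name}:{no}: {message}")
```

The check covers line structure and tag spelling only; it does not validate `@`-keywords such as `@sdadmin` and does not show which policy the daemon has actually loaded.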