Hello, I need urgent help please.
I was planning to set up qubes-remote-desktop (GitHub - QubesOS-contrib/qubes-remote-desktop ).
To do this I first created
sudo qubes-dom0-update qubes-remote-desktop
vncpasswd
qvm-service --enable dom0 qubes-x0vncserver
systemctl start qubes-x0vncserver@user
executed. I executed the command from this post (Remote Qubes User Testing (Running Qubes in the Browser) )
echo "qubes.ConnectTCP +5901 remote-admin @default allow target=dom0" | sudo tee - /etc/qubes/policy.d/30-remote-admin.policy
This did not work and I tried ConnectTCP via
Understanding firewalling in Qubes Every qube in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default FirewallVM, but the user is free to create more, if needed. For more...
This did not work either and now the service qubes-qrexec-policy-daemon is not running.
[user@dom0 Desktop] systemctl status qubes-qrexec-policy-daemon
...
...(code=exited, status=1/FAILURE)
...
Sep 29 09:56:12 dom0 qrexec-policy-daemon[8378]: qrexec.exc.PolicySyntaxError: /etc/qubes-rpc/policy/-:1: invalid action: remote-admin
What I have tried so far: Deleting the files /etc/qubes/policy.d/30-remote-admin.policy as well as /etc/qubes-rpc/policy/qubes.ConnectTCP and rebooting the computer and restarting services. Without success.
I do not find any other reference to remote-admin and I’m afraid of doing more damage.
Maybe there is a cache which I need to delete?
deeplow
September 29, 2022, 8:17am
2
From the status message I see:
invalid action: remote-admin
Can you try running in the dom0 terminal the following:
grep -r 'remote-admin' /etc/qubes/policy.d/
It should show in which file you still have a remote-admin action that is messing up your configuration
Thanks for the fast response. No, there is no output.
deeplow
September 29, 2022, 8:21am
4
Do you have a qube called remote-admin? (step 1 of the guide)
Yes. I followed the steps and created a debian based qube remote-admin
deeplow
September 29, 2022, 8:22am
6
Then let me check the commands I ran. It could be that I mistyped something.
Sure. If you need more logs or further information, just let me know.
One thing I noticed was that there was no command called vncpassword after installation. Just vncpasswd. But I think it’s not related to this issue.
deeplow
September 29, 2022, 8:27am
9
Yes. That was a typo which I just fixed. Thanks!
deeplow
September 29, 2022, 8:29am
10
Rnd3sB3g13rng:
/etc/qubes-rpc/policy/
Ah. I see what the problem might be. Did you perhaps forget to type the .d? It was supposed to be /policy.d/ and not /policy/. And it’s not just this but also /etc/qubes/policy.d/ and not /etc/qubes-rpc/policy/.
Notice the command:
I did not forget it and executed exactly your provided command.
I have deleted the files /etc/qubes/policy.d/30-remote-admin.policy and /etc/qubes-rpc/policy/qubes.ConnectTCP so I don’t know why there is still a reference to remote-admin
Also this command
grep -r 'remote-admin' /etc/qubes/
yields no result.
deeplow
September 29, 2022, 8:33am
12
And now I noticed another issue with the guide. It should have been 5900 and not 5901
deeplow
September 29, 2022, 8:34am
13
Try
grep -r 'remote-admin' /etc/qubes-rpc/
Ahh I did find a difference:
# your command
echo "qubes.ConnectTCP +5901 remote-admin @default allow target=dom0" | sudo tee - /etc/qubes/policy.d/30-remote-admin.policy
# my command
echo "qubes.ConnectTCP +5901 remote-admin @default allow target dom0" | sudo tee - /etc/qubes/policy.d/30-remote-admin.policy
deeplow
September 29, 2022, 8:35am
15
Ah. That was it, then! But don’t forget to change +5901 to +5900 in this and the following command
Ahh yes
grep -r 'remote-admin' /etc/qubes-rpc/
/etc/qubes-rpc/policy/-:qubes.ConnectTCP +5901 remote-admin @default allow target dom0
deeplow
September 29, 2022, 8:37am
17
OK. That’s my fault. The tee command shouldn’t have the - dash. I have fixed it in the guide now.
I get
[user@dom0 policy] ll
-rw-r--r-- 1 root root 63 Sep 28 22:58 -
...
So can I safely delete this file?
deeplow
September 29, 2022, 8:40am
19
Yes. You were the one creating with my wrong tee command. And I don’t have it on my Qubes system. So you’re good to go.
It has those permissions because you created it with sudo.
That did it. So the correct command is
echo "qubes.ConnectTCP +5900 remote-admin @default allow target=dom0" | sudo tee /etc/qubes/policy.d/30-remote-admin.policy
?
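An added example, not part of the thread or of the Qubes project's code: a dom0 shell check for the situation resolved above, where a stale rule survived in a file literally named - under /etc/qubes-rpc/policy/ and was missed by a grep limited to /etc/qubes/. The function names and the POLICY_DIRS variable are assumptions made for this example; the two directories are the ones named in the thread.

```shell
#!/bin/sh
# Added example: audit the qrexec policy directories for leftover rules.
# The default directories are the two paths named in the thread; the
# function and variable names are made up for this example.
POLICY_DIRS="${POLICY_DIRS:-/etc/qubes/policy.d /etc/qubes-rpc/policy}"

# Print every regular file under the given directories that contains TOKEN.
# find hands grep "dir/name" paths, so a file literally named "-" is read
# as a file and not taken for stdin or an option.
policy_refs() {
    token=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # grep exits 1 when nothing matches; that is not an error here.
        find "$dir" -type f -exec grep -lF -e "$token" {} + || :
    done
    return 0
}

# Print files whose names begin with "-": the usual residue of a command
# that treated a stray "-" argument as an output file name.
dash_named_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '-*'
    done
    return 0
}

# Report both findings; succeed only when no dash-named file exists.
audit_policy() {
    token=$1; shift
    refs=$(policy_refs "$token" "$@")
    odd=$(dash_named_files "$@")
    if [ -n "$refs" ]; then printf 'files mentioning %s:\n%s\n' "$token" "$refs"; fi
    if [ -n "$odd" ]; then printf 'dash-named files:\n%s\n' "$odd"; fi
    [ -z "$odd" ]
}

# Usage in dom0 (as root):  audit_policy remote-admin $POLICY_DIRS
```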