Denied: qubes.UpdatesProxy After Whonix Template Fresh Install

User Support
#1

I kept getting strange unknown bootstrapped messgaes in Whonix and so I wanted to reinstall the whonix template from scratch

This took me to whonix page and I followed instructions.

Then I get Denied: qubes.UpdatesProxy whenever trying to update using any Qube.

4.1 + was regular updated until a week ago.

Tried to change etc/qubes-rpc/policy/ after error started in proxyVM policy before discovering in 4.1 this doesn’t matter.

After error happen, went into /etc/qubes/policy.d after to see if could make a change to default policy. Never been there before. Lot of things, don’t know what change.

After still no change, deleted qubes.UpdateProxy file and now don’t get error but also no download of update

#2

If you want all updatable vms to go through sys-whonix try settings below.

sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy

@type:TemplateVM @default allow,target=sys-whonix
@type:TemplateVM @anyvm deny

@tag:whonix-updatevm @default allow,target=sys-whonix
@tag:whonix-updatevm @anyvm deny

@type:StandaloneVM @default allow,target=sys-whonix
@type:StandaloneVM @anyvm deny

To update air-gapped StandaloneVM, add updates-proxy-setup in the vm’s settings from Services tap. Also, disable all updater checks and uncheck for dom0 updates and for qubes updates in Qubes Global Settings as far as I remember they do not go through whonix traffic.

Have a look at 90-default.policy and edit if any lines below are missing.

sudo nano /etc/qubes/policy.d/90-default.policy

# HTTP proxy for downloading updates
# Upgrade all TemplateVMs through sys-whonix.
#qubes.UpdatesProxy     *    @type:TemplateVM        @default    allow target=sys-whonix
# Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy      *   @tag:whonix-updatevm    @default    allow target=sys-whonix
# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
qubes.UpdatesProxy      *   @tag:whonix-updatevm    @anyvm      deny
# Default rule for all TemplateVMs - direct the connection to sys-whonix.
qubes.UpdatesProxy      *   @type:TemplateVM        @default    allow target=sys-whonix
qubes.UpdatesProxy	*   @type:TemplateVM	    @anyvm	deny
# rules for StandaloneVMs - direct the connection to sys-whonix.
qubes.UpdatesProxy	*   @type:StandaloneVM	    @default	allow target=sys-whonix
qubes.UpdatesProxy	*   @type:StandaloneVM	    @anyvm	deny

qubes.UpdatesProxy      *   @anyvm                  @anyvm      deny

In the official documents @ character is advised over $.

If fresh install files still have $ character in /etc/qubes-rpc/policy, then optionally you can try:

cd /etc/qubes-rpc/policy
for i in qubes* whonix*; do
sed -i 's/\$/\@/g' $i
done

This will replace every $ to @ in every files in /etc/qubes-rpc/policy.