Fedora 38 templates available

system · May 26, 2023, 7:43pm

New Fedora 38 templates are now available! We provide fresh Fedora 38 template packages through the official Qubes repositories, which you can install in dom0 by following the standard installation instructions. Alternatively, we also provide step-by-step instructions for performing an in-place upgrade of an existing Fedora template. After upgrading your templates, please remember to switch all qubes that were using the old template to use the new one.

As a reminder, Fedora 36 has reached EOL. If you have not already done so, we strongly recommend that you upgrade all Fedora 36 templates and standalones to a supported template release immediately.

Please note that no user action is required regarding the OS version in dom0 (see our note on dom0 and EOL).

This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2023/05/26/fedora-38-templates-available/

quantum · May 26, 2023, 8:41pm

Download failed. In brief . . .

Error canonicalizing file: failed to fill whole buffer

arkenoi · May 26, 2023, 9:26pm

same issue for me

quantum · May 26, 2023, 11:53pm

Download working fine now.

ng0177 · May 27, 2023, 7:59pm

trouble installing; how does the installation differ from previous?

adw · May 28, 2023, 11:40am

The installation process shouldn’t be any different than the previous Fedora template release.

solene · May 28, 2023, 4:02pm

Are there plans to update sys-gui and sys-gui-gpu to a fedora more recent than fedora-36-xfce?

Scumbag · May 29, 2023, 1:24pm

Shouldn’t this have SELinux enabled by default as the issue was closed as completed in February?

github.com/QubesOS/qubes-issues

Build Fedora templates with SELinux enabled from the start

opened 11:46AM - 16 Jan 23 UTC

closed 04:04PM - 26 Feb 23 UTC

marmarek

T: enhancement release notes C: Fedora P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) #…## The problem you're addressing (if any) Currently Fedora templates have SELinux disabled, which diverges from upstream. SELinux support has been implemented as part of https://github.com/QubesOS/qubes-issues/issues/4239 but it still needs to be installed manually (and then relabeling root fs takes significant amount of time). ### The solution you'd like Ship template with SELinux labels set, and SELinux enabled by default (with unconfined default user - same as upstream). This requires: 1. Advertise SELinux support via [standard feature-advertisement API](https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-features.html), similar to how AppArmor is handled (https://github.com/QubesOS/qubes-core-agent-linux/pull/246, although it isn't exactly service here, IMO it's more consistent to treat it as such, especially as we have "apparmor" service already). 2. Enable SELinux by default if template supports it (again similar how it's [done for AppArmor](https://github.com/QubesOS/qubes-core-admin/pull/368)) 3. Add relabeling to the template build process (builder-rpm repo). Probably should be guarded with some template "option", so it's possible to build template without selinux too (template for R4.1 won't have it, and maybe minimal templates shouldn't have it too?). And also advertise SELinux support in template.conf (that will be first actual use of this file, so builder-rpm doesn't know about it yet - see [here](https://github.com/QubesOS/qubes-linux-template-builder/commit/fc3452694aff76573425a8fa696b6c8ff2134561) for hints where to place it), so it can be detected before starting the template for the first time. See [documentation about template.conf](https://www.qubes-os.org/doc/template-manager/#package-format) 3. Extend qvm-template-postprocess to mark selinux as supported (and have it enabled, before starting the template for the first time) if template package advertise its support in template.conf. ### The value to a user, and who that user might be Template by default more consistent with upstream features. No need for slow relabeling when enabling SELinux manually.

adw · May 29, 2023, 8:08pm

Qubes OS 4.2.0 will feature SELinux support in Fedora templates.

github.com/QubesOS/qubes-issues

SELinux support in Fedora qubes

opened 11:35PM - 23 Aug 18 UTC

closed 11:38PM - 06 Feb 23 UTC

t4777sd

T: enhancement C: core C: gui-virtualization C: other release notes P: default diagnosed

### Qubes OS version: 4.0 utilizing default Fedora 28 templates that are fully …updated ### Steps to reproduce the behavior: 1. Edit /etc/selinux/config and enable selinux in the TemplateVM and restart the TemplateVM: SELINUX=enforcing SELINUXTYPE=targeted 2. Add the following kernel params to the AppVM domain where SELinux should be enabled: qvm-prefs --set <appvm> kernelopts "nopat security=selinux selinux=1" 3. Start the AppVM qvm-start <appvm> ### Expected behavior: Expected that the AppVM can boot with SELinux enabled especially because SELinux is enabled by default in fedora. ### Actual behavior: The VM does not start and eventually will need to be killed. * Note: the behavior is the same even if SELINUX=permissive is set

Scumbag · May 30, 2023, 7:26am

Thanks! I missed that.