New Fedora 38 templates are now available! We provide fresh Fedora 38 template packages (standard, minimal , and Xfce ) through the official Qubes repositories, which you can install in dom0 by following the standard installation instructions . Alternatively, we also provide step-by-step instructions for performing an in-place upgrade of an existing Fedora template. After upgrading your templates, please remember to switch all qubes that were using the old template to use the new one .
As a reminder, Fedora 36 has reached EOL . If you have not already done so, we strongly recommend that you upgrade all Fedora 36
templates and standalones to a supported template release immediately.
Please note that no user action is required regarding the OS version in dom0 (see our note on dom0 and EOL ).
This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2023/05/26/fedora-38-templates-available/
2 Likes
Download failed. In brief . . .
Error canonicalizing file: failed to fill whole buffer
3 Likes
Download working fine now.
1 Like
trouble installing; how does the installation differ from previous?
adw
May 28, 2023, 11:40am
6
The installation process shouldn’t be any different than the previous Fedora template release.
1 Like
Are there plans to update sys-gui and sys-gui-gpu to a fedora more recent than fedora-36-xfce?
Shouldn’t this have SELinux enabled by default as the issue was closed as completed in February?
opened 11:46AM - 16 Jan 23 UTC
closed 04:04PM - 26 Feb 23 UTC
T: enhancement
release notes
C: Fedora
P: default
[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/)
#… ## The problem you're addressing (if any)
Currently Fedora templates have SELinux disabled, which diverges from upstream. SELinux support has been implemented as part of https://github.com/QubesOS/qubes-issues/issues/4239 but it still needs to be installed manually (and then relabeling root fs takes significant amount of time).
### The solution you'd like
Ship template with SELinux labels set, and SELinux enabled by default (with unconfined default user - same as upstream).
This requires:
1. Advertise SELinux support via [standard feature-advertisement API](https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-features.html), similar to how AppArmor is handled (https://github.com/QubesOS/qubes-core-agent-linux/pull/246, although it isn't exactly service here, IMO it's more consistent to treat it as such, especially as we have "apparmor" service already).
2. Enable SELinux by default if template supports it (again similar how it's [done for AppArmor](https://github.com/QubesOS/qubes-core-admin/pull/368))
3. Add relabeling to the template build process (builder-rpm repo). Probably should be guarded with some template "option", so it's possible to build template without selinux too (template for R4.1 won't have it, and maybe minimal templates shouldn't have it too?). And also advertise SELinux support in template.conf (that will be first actual use of this file, so builder-rpm doesn't know about it yet - see [here](https://github.com/QubesOS/qubes-linux-template-builder/commit/fc3452694aff76573425a8fa696b6c8ff2134561) for hints where to place it), so it can be detected before starting the template for the first time. See [documentation about template.conf](https://www.qubes-os.org/doc/template-manager/#package-format)
3. Extend qvm-template-postprocess to mark selinux as supported (and have it enabled, before starting the template for the first time) if template package advertise its support in template.conf.
### The value to a user, and who that user might be
Template by default more consistent with upstream features. No need for slow relabeling when enabling SELinux manually.
adw
May 29, 2023, 8:08pm
9
Qubes OS 4.2.0 will feature SELinux support in Fedora templates.
opened 11:35PM - 23 Aug 18 UTC
closed 11:38PM - 06 Feb 23 UTC
T: enhancement
C: core
C: gui-virtualization
C: other
release notes
P: default
diagnosed
### Qubes OS version:
4.0 utilizing default Fedora 28 templates that are fully … updated
### Steps to reproduce the behavior:
1. Edit /etc/selinux/config and enable selinux in the TemplateVM and restart the TemplateVM:
SELINUX=enforcing
SELINUXTYPE=targeted
2. Add the following kernel params to the AppVM domain where SELinux should be enabled:
qvm-prefs --set <appvm> kernelopts "nopat security=selinux selinux=1"
3. Start the AppVM
qvm-start <appvm>
### Expected behavior:
Expected that the AppVM can boot with SELinux enabled especially because SELinux is enabled by default in fedora.
### Actual behavior:
The VM does not start and eventually will need to be killed.
* Note: the behavior is the same even if SELINUX=permissive is set
2 Likes
Hi. A minimal template based on Fedora 38 does not exist yet, right?
solene
August 7, 2023, 9:08am
12
qvm-template list shows this, so it available in the official repository.
fedora-38-minimal 0:4.0.6-202305201231 qubes-templates-itl
fedora-38-xfce 0:4.0.6-202305200036 qubes-templates-itl
fedora-38 0:4.0.6-202305200036 qubes-templates-itl
4 Likes
Ohh great. Then I must have missed it. Thank you!
4 Likes
adw
August 8, 2023, 6:01am
14
Updated announcement to specify all three available Fedora template versions.
2 Likes
At this time, are the current Fedora 38 templates in the repository shipping with SElinux profiles and SElinux enabled by default? I have upgraded my system to 4.2, but I’m still using my old fedora-38 templates and want to know when I should switch over my profiles to the “new” fedora 38 templates.
adw
September 7, 2023, 8:34am
16
They should be. @Demi , can you confirm?
1 Like
solene
September 7, 2023, 9:01am
17
On my migrated from 4.1 to 4.2-RC3 Fedora-38 template, the command getenforce says Disabled.
It seems selinux isn’t enabled.
On a fedora-38 template installed with 4.2-RC3, getenforce returns Enforcing.
1 Like