How do you use qvm-backup-restore --paranoid-mode?

Hi there,

Before the paranoid backup restore gets documented, can you please share how use it and what configuration is required for it to work?

On my first attempt with Qubes 4.1, I ran the following command:
qvm-backup-restore --paranoid-mode --ignore-missing -d disp1234 /home/user/qubes-backup-2022
and received this message:

qvm-backup-restore: error: qvm-backup-restore tool missing in fedora-35 template, install qubes-core-admin-client package there

After installing the requested package and trying again, I was presented with:

qvm-backup-restore: error: Service call error: Request refused

Executing journalctl -b -u qubes-qrexec-policy-daemon revealed the absence of an appropriate RPC policy:

qrexec: admin.vm.tag.Get+created-by-dom0: disp-backup-restore → untrusted: denied: no matching rule found

Unless I messed up with something I shouldn’t have, it seems default policies are not behaving as expected. A workaround is to add the following line in /etc/qubes/policy.d/85-admin-backup-restore.policy:
admin.vm.tag.Get * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0

Tweaking default policies like this feels wrong though. There’s a rule for admin.vm.tag.Get in 90-admin-default.policy, but I don’t really understand the logic behind include/admin-local-ro. Should a bug report be filed or am I missing something?