I’m getting a massive amount of ‘Denied: sdwdate-gui.ConnectCheck’ notifications when using Kicksecure. Following the instructions at https://www.kicksecure.com/wiki/Qubes#Qubes_Persistence didn’t help. Is anyone else actually using Kicksecure?
or
That is your issue?
The second post was from a time where the new versions were not officially released.
This happens when your VM doesn’t have the sdwdate-gui-client tag. It should be added automatically, but it’s a known issue it doesn’t happen in some cases:
Add it by running this in dom0:
qvm-tags <vm-name> add sdwdate-gui-client
If sys-whonix is not running, your dom0 syslog will silently be flooded with messages. I don’t know how to change this other than disabling sdwdate-gui, which, to my knowledge, is only used for reporting the state and doesn’t have any meaningful impact.
That’s documented here: sdwdate-gui: Secure Distributed Web Date Graphical User Interface
Second Scenario
Qubes OS R4.3: repeated Denied: sdwdate-gui.ConnectCheck notifications
- Issue: On Qubes OS R4.3, it is possible a deluge of notifications will appear any time a Kicksecure 18 template or AppVM is running. These notifications will say
Denied: sdwdate-gui.ConnectCheck. - Cause: This will result if
qubes-core-admin-addon-kicksecureis not installed and set up in dom0. - Resolution: If this occurs, follow the steps below.
1 In dom0, install qubes-core-admin-addon-kicksecure.
sudo qubes-dom0-update --action=install qubes-core-admin-addon-kicksecure
2 Restart qubesd.
sudo systemctl restart qubesd.service
3 Launch Qterminal in the kicksecure-18 template
4 Switch to bash
- Command: In the terminal, run
bash. - Note: The default shell (
zsh) will not work here.
bash
5 Run the post-install scripts
cd /etc/qubes/post-install.d || exit 1 for i in *.sh; do source "$i"; done
6 Shut down template and AppVMs
- Action: Shut down the
kicksecure-18template and all AppVMs based on it.
7 In dom0, verify Kicksecure features
qvm-features kicksecure-18 | grep '^kicksecure'
8 Confirm expected output.
- Expected: Verify that you see a line that looks like
kicksecure 1.
9 Done.
hi linuxuser1. I did exactly that, but I posted because it kept spitting out a large number of “Denied: sdwdate-gui.ConnectCheck” messages and wouldn’t stop.
Then it’s most certainly this:
I have the package linuxuser1 mentioned installed, but the tag is still missing. Does your VM have the tag?
Also note the syslog spam when sys-whonix is not running.
thank you
qvm-tags sys-net add sdwdate-gui-client
qvm-tags sys-firewall add sdwdate-gui-client
qvm-tags sys-usb add sdwdate-gui-client
For now, those commands have stopped the spam. Thank you!!
By the way, what is tag?
Happy it helped. You can mark the answer as the solution if you like so others see it at the bottom of your original post if anyone else runs in to the issue.
I would compare tags to user groups in this context. Qubes has policies in which way different qubes are allowed to communicate with each other. sdwdate-gui reports the VMs sdwdate status to sys-whonix by default. This is allowed with a policy that says that the VM sending the information must have the tag (or be in the “group” of VMs if you will) named in my previous reply.
As the tag wasn’t present, it sent the data but the policy didn’t allow that, hence the notification you’ve been flooded with.
2 Likes
I see. so that’s how it works. I understand. 