Meta adminVM question

App qube

For the creation of app qubes within an adminvm (other than dom0),
you will need to install qubes-core-admin-client inside that qube.

As @unman said, you also will need to set the correct permissions.
This topic may help you:
https://forum.qubes-os.org/t/how-to-create-an-adminvm-in-r4-1/1941

I guess you already read them, but here is some related documentation:
https://www.qubes-os.org/doc/qrexec/
https://www.qubes-os.org/doc/admin-api/

RPC policies

The tool isn’t qvm-policy, it’s qubes-policy.
And it’s part of qubes-core-qrexec which should already be installed in your template.

The closest thing to documentation is:
https://www.qubes-os.org/doc/admin-api/#policy-admin-api

and

qubes-policy -h
usage: qubes-policy {[-l]|-g|-r|-d} [include/][RPCNAME[+ARGUMENT]]

positional arguments:
  [include/][name]  specify qubes RPC name or filename to operate on; with
                    "include/", operate on files in include subdirectory

options:
  -h, --help        show this help message and exit
  -l, --list        list present policy files
  -g, --get         fetch the content of the policy file
  -r, --replace     replace given policy with the one provided on standard
                    input
  -d, --remove      remove a policy file

For the latter, forget the [RPCNAME[+ARGUMENT]] and the "specify qubes RPC name".
It only works with policy filename (according to my test, I may be wrong, but I don’t think so).
I guess it’s a relic of the old policy format.

It should be something like:
usage: qubes-policy {[-l]|-g|-r|-d} [include/][name]

You have two options:

  • qrexec-client-vm
  • qubes-policy

qrexec-client-vm

With the admin API (qrexec-client-vm) (see the doc link just above):
The usage is: e.g.

[user@some_qube ~]$ echo -e 'new\nqubes.foobar * src dest ask' | qrexec-client-vm dom0 policy.Replace+30-custom-rules

The argument of policy.Replace (i.e. +30-custom-rules) is the name of your policy file.
If you forget to define an argument (qrexec-client-vm dom0 policy.Replace), the created file will be .policy.
Therefore it will be a hidden file.

[user@dom0 ~]$ cat /etc/qubes/policy.d/30-custom-rules.policy 
qubes.foobar * src dest ask

With the token new, if the file exists, it will raise an error: you can’t override the file.

[user@some_qube ~]$ echo -e 'new\nqubes.foobar * xxx xxx ask' | qrexec-client-vm dom0 policy.Replace+30-custom-rules
Internal error. See /var/log/qubes/policy-admin.log in dom0 for details.

[user@dom0 ~]$ cat /var/log/qubes/policy-admin.log
[...]
qrexec.policy.admin.PolicyAdminTokenException: File exists but token is 'new'

To override an existing file, use the any token: 'any\nqubes.foobar * xxx xxx ask'

qubes-policy

The second option is the tool qubes-policy.
The code doesn’t mention any token, so the policy file will always be erased, existing or not.
https://github.com/QubesOS/qubes-core-qrexec/blob/main/qrexec/tools/qubes_policy.py

The usage is: e.g.

[user@some_qube ~]$ echo 'qubes.foobar * src dest ask' | qubes-policy -r 30-custom-rules

As with qrexec-client-vm, 30-custom-rules is the name of your policy file.

Both tools will replace the entire file.
If you have several rules to add, it would be better to use a file and cat:

[user@some_qube ~]$ cat "some_file.policy" | qubes-policy -r 30-custom-rules

Permissions

For both tools, you will need to create the correct permissions.
For example, to make the creation of RPC policy rules possible:

[user@dom0 ~]$ cat /etc/qubes/policy.d/30-admin-policy.policy
policy.Replace * some_qube dom0 ask default_target=dom0

Remarks

If you don’t have a fresh installation, check if the log file /var/log/qubes/policy-admin.log
can be written by its group (qubes).

log permission error
[user@dom0 ~]$ ll /var/log/qubes/policy-admin.log
-rw-r--r-- 1 root qubes 59K Sep  9 21:30 /var/log/qubes/policy-admin.log

[user@some_qube ~]$ echo 'qubes.Filecopy * src dst ask' | qubes-policy -r 30-custom-rules
Command failed

[user@dom0 ~]$ sudo journalctl
Sep 09 xx:xx:xx dom0 policy.Replace+30-custom-rules-some-qube[12704]: PermissionError: [Errno 13] Permission denied: '/var/log/qubes/policy-admin.log'

If you don’t have the correct permissions for this log file, fix them:
sudo chmod 664 /var/log/qubes/policy-admin.log

According to this:
https://github.com/QubesOS/qubes-issues/issues/8014#issuecomment-1417649920

I think it has been fixed for a while, but my system and this file were probably created before the fix.
I mention it just in case.

Have fun.

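As an added example (not part of the post above and not code from the Qubes project), a small Python helper that builds the stdin payload for policy.Replace exactly as the post describes it (token line, then the policy file content) and refuses the two mistakes the post shows: a missing or unsafe file name (which would produce the hidden ".policy" file) and a token other than new or any. The function names and the conservative file-name charset are assumptions; the rule check only covers the simple "service argument source destination action [params]" shape.

```python
import re
import shlex

# Assumed (not from the post): a conservative file-name charset, so the
# result can never be a hidden ".policy" file or contain a path separator.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")
TOKENS = {"new", "any"}        # "new": fail if the file exists; "any": overwrite
ACTIONS = {"allow", "deny", "ask"}

def check_rule(line):
    """Return None if a rule line looks well-formed, else an error string.
    Expected shape: service argument source destination action [key=value...]
    Blank lines and '#' comments are accepted as-is."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 5:
        return f"too few fields in {line!r}"
    if fields[4] not in ACTIONS:
        return f"unknown action {fields[4]!r} in {line!r}"
    for param in fields[5:]:
        if "=" not in param:
            return f"parameter {param!r} is not key=value in {line!r}"
    return None

def build_policy_replace_payload(name, token, rules):
    """Build what is piped into 'qrexec-client-vm dom0 policy.Replace+<name>':
    the first line is the token, the remaining lines are the policy file."""
    if not NAME_RE.match(name):
        raise ValueError(f"refusing policy file name {name!r}")
    if token not in TOKENS:
        raise ValueError(f"token must be one of {sorted(TOKENS)}, got {token!r}")
    for rule in rules:
        err = check_rule(rule)
        if err:
            raise ValueError(err)
    return token + "\n" + "".join(rule + "\n" for rule in rules)

def qrexec_command(name, token, rules):
    """Return a shell command line equivalent to the post's qrexec-client-vm example."""
    payload = build_policy_replace_payload(name, token, rules)
    return (f"printf %s {shlex.quote(payload)} | "
            f"qrexec-client-vm dom0 policy.Replace+{name}")

if __name__ == "__main__":
    print(qrexec_command("30-custom-rules", "new", ["qubes.foobar * src dest ask"]))
```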