Hello,
I have restored an AppVM with the debian-11 template, which was originally created in 4.0.4. Now when I start the AppVM I get an error in the notification: Denied Qubes.GetDate.
Has anyone experienced this?
Thanks,
Kate
Perhaps there is more info in journalctl -f in dom0?
Thanks for your reply @fsflover
Don’t know now. I have reinstalled 4.0.4, as I found that some other things did not work in 4.1 in my tests…
I reproduced this too.
VMs call the qubes.GetDate qrexec action via the qubes-time-sync service on start-up, which calls /usr/lib/qubes/qubes-sync-clock
The Qubes RPC policy in 4.1 (located at /etc/qubes-rpc/policy/qubes.GetDate in the dom0) has a statement that denies any requests to call qubes.GetDate if the request came from a VM that has the tag ‘anon-vm’ associated with it.
For some reason, some Qubes VMs that are restored from a 4.0 system onto a 4.1 system get this ‘anon-vm’ tag associated with them, apparently erroneously.
You can view them with qvm-ls --tags anon-vm in the dom0.
You can remove such a tag from a VM by running qvm-tags VMNAME rm anon-vm in the dom0.
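Added illustration, not part of the posts above and not Qubes code: a simplified evaluator for the legacy first-match qrexec policy format, showing why a stray anon-vm tag turns the qubes.GetDate call into a denial. The sample policy text, the qube name restored-vm and the function names are constructed assumptions; only the deny-for-anon-vm rule is taken from the description above.

```python
# Constructed stand-in for /etc/qubes-rpc/policy/qubes.GetDate (not copied from dom0).
# Legacy format: SOURCE TARGET ACTION[,params]; the first matching rule wins.
SAMPLE_POLICY = """\
# deny rule as described in the post; the allow rule below is an assumption
@tag:anon-vm  @anyvm  deny
@anyvm        @anyvm  allow
"""

def parse_policy(text):
    """Return [(source, target, action)], accepting the older '$' keyword prefix."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        source, target = (f.replace("$", "@", 1) if f.startswith("$") else f
                          for f in fields[:2])
        rules.append((source, target, fields[2]))
    return rules

def token_matches(token, name, tags):
    """Simplified matcher: @anyvm, @default, @tag:NAME and literal qube names only."""
    if token == "@anyvm":
        return name != "dom0"
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in tags
    return token == name

def evaluate(rules, source, source_tags, target="@default", target_tags=()):
    """Return (action, rule) for the first matching rule; no match means deny."""
    for rule in rules:
        if (token_matches(rule[0], source, source_tags)
                and token_matches(rule[1], target, target_tags)):
            return rule[2].split(",")[0], rule
    return "deny", None

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    # Same qube, with and without the tag picked up during restore.
    for tags in ({"anon-vm"}, set()):
        action, rule = evaluate(rules, "restored-vm", tags)
        print(sorted(tags), "->", action, "via", rule)
```

The tagged qube never reaches the allow rule because the deny rule is listed first, which is why removing the tag is enough to restore time sync.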