Qubes OS 4.2.0-rc1 is available for testing

oijawyuh · June 3, 2023, 7:12pm

Is SELinux also supported in Fedora minimal templates?
Would SELinux make Fedora significantly more secure than Debian?

quantum · June 3, 2023, 10:21pm

Unable to use WiFi with R4.2.0-rc1 (as with previous R4.2 weekly release).

[sys-net] Connection Failure

Failed to add/activate connection

failure adding connection: error writing to file ‘/etc/NetworkManager/system-connections/{wireless name}.nmconnection’: failed to create file /etc/NetworkManager/system-connections/{wireless name}.nmconnection.46E551: Permission denied

Don’t have access to a LAN connection, so unable to test anything else.

disp6252 · June 4, 2023, 4:01am

You can open an issue on github so devs will know about this problem and try to fix it:

whoareyou · June 4, 2023, 2:21pm

Is SELinux also supported in Fedora minimal templates?

I think not, I’ve just download fedora-38-minimal and it doesn’t have packages like sestatus or setenforce. But fedora-38-xfce support
SELinux.(Although the disk usage between xfce and og is only about 6MB)

Would SELinux make Fedora significantly more secure than Debian?

I don’t know is Debian template enable Apparmor by default but whether or not SELinux is better than Apparmor in security, but you also may lose some ease of use.
But to be honest I don’t know will it be significantly more secure or not.
For me, I’m more curious on the security between Fedora and Kicksecure. Looking for answer.

quantum · June 4, 2023, 2:44pm

Thank you.

oijawyuh · June 5, 2023, 2:15pm

Thank you for your reply. I still have a question, one that may not be easy to answer. Is fedora-38 with SELinux more secure than debian minimal or fedora minimal - both of which have smaller attack surface?

On a related topic, does the SecureDrop Workstation use Fedora or Debian templates?

ng0177 · June 6, 2023, 5:47pm

Is it likely that a new installation of the final Qubes 4.2.0 is not necessary, if -rc1 keeps being updated?

deeplow · June 6, 2023, 9:08pm

A post was split to a new topic: What distro is the SecureDrop workstation based on?

ng0177 · June 7, 2023, 8:03pm

It looks as if we are on the master branch, if I understand correctly, therefore it should be OK to go with -rc1.

unman · June 8, 2023, 12:54pm

Likely, but not definitely.
There could be changes to the installer or organisation that cannot be
resolved by simply updating an installed system.
The same could apply to people updating from an existing 4.1 installation.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

51lieal · June 8, 2023, 2:37pm

i assume it was only for partition layout? any example?
in your free time, please do things for 4.2 so i can test and other gain benefit

ng0177 · June 14, 2023, 6:57pm

good job; works flawless for me

ymy · June 16, 2023, 8:53pm

for 4.2: i noticed that whonix 17 template > is waiting for debian bookworm template > is waiting for salt being available in bookworm

“use more bandwith!” - Said the Qubes User uprading to 4.2 and installing debian12 & whonix17 templates afterwards

Bonus Edit:
[FEATURE REQUEST] Add Salt support for Debian 12 · Issue #64223 · saltstack/salt · GitHub Salt themselfs dont offer debian 12 support yet

oijawyuh · June 24, 2023, 6:58am

I use a ProxyVM as a VPN gateway using iptables and CLI scripts.

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

In Qubes OS 4.2, DomU firewalls have switched to nftables. I have not installed 4.2 yet.

Do the ProxyVM scripts need an update?

gonzalo-bulnes · June 28, 2023, 9:51am

2 posts were split to a new topic: Error when opening KDE application menu

throwaway11 · June 28, 2023, 8:50am

Any easy fixes for this error?

KDE installed → Application launcher key →
file:///usr/share/plasma/plasmoids/org.kde.plasma.kickoff/contents/ui/Kickoff.qml:157:34: Type FullRepresentation unavailable file:///usr/share/plasma/plasmoids/org.kde.plasma.kickoff/contents/ui/FullRepresentation.qml:43:5: KickoffButton is not a type

gonzalo-bulnes · June 28, 2023, 10:02am

Oops @throwaway11, it looks like I made a mistake! I thought I was reading your post in a different context. I assume you’re testing R4.2 RC1, and your question seems perfectly on-topic. Please disregard my previous post and accept my apologies!

throwaway11 · June 28, 2023, 11:14am

When using KDE Wayland, apps don’t show when launched. KDE X11 works as expected.

solene · June 28, 2023, 11:52am

Qubes OS display protocol uses X and isn’t compatible with wayland.

rrn · July 3, 2023, 9:54pm

I have been using 4.2.0-rc1 for a few hours. Looks great. The UI improvements appear to be more user friendly, such as the new dialogs when creating a new qube. The Qubes menu is nice but the qube name could be larger (the small font is not immediately readable). I think device handling is better as I have tried using conferencing software with an external USB webcam, which was quickly connected, I felt it was faster than 4.1 version.
The installer went with usb enabled on dom0 then I run the salt to enable sys-usb but it failed at the grub usb hiding step. nevertheless after reboot the sys-usb was there and rejecting usb input devices and after adding policy it was working fine.
My existing templates worked fine before upgrading their repository to qubes 4.2, so I used them and upgraded them in place. So far no problems.