Qubes Qrexec Policy File

I am creating policy files in /etc/qubes/policy.d/. I wanted to create a policy with an extremely locked-down system in mind, which can have as its last rule:

    @anyvm @anyvm deny

Does anybody know how to do that?

The main hindrance is VMRootShell. I don’t know how to write rules for it so that it can be used in a useful way without jeopardizing the whole system's security. AFAIK it is required for template updates, so it cannot always be denied.

AFAIK, the default for qubes.VMRootShell is @anyvm @anyvm deny, and leaving it this way causes no problems for template updates.

The comment in qubes.VMRootShell nicely explains it.

Recently, user policy files in /etc/qubes/policy.d/ do not work properly. (If you have a USB mouse, the mouse is not assigned to dom0 even when no blocking rules are present in the user policy and qubes-rpc/policy is set to do so.)
It used to work perfectly about 20 days ago.

Yes, that’s true. I also have the same kind of problems while testing sys-gui in 4.1. Maybe a redirection in code from dom0 to sys-gui is causing these issues.

I don’t have that directory in dom0. Instead, my policy files are in /etc/qubes-rpc/policy/. I’m on 4.0.