[qubes-users] Qubes 4.1 qrexec issue?

I have an issue with Split GPG as well as with opening files in the disposable VMs and with the qrexec in the guide How to use Monero CLI/daemon with Qubes + Whonix too.

Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

I have to as well make every gpg action confirm in the Dom0 Operation Execution with Target GPG backend.

Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within the normal AppVM, I get an error popuplike :

Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

Any advice appreciated!

taran1s:

I have an issue with Split GPG as well as with opening files in the disposable VMs and with the qrexec in the guide How to use Monero CLI/daemon with Qubes + Whonix too.

CLI Wallet/Daemon Isolation with Qubes + Whonix | Monero - secure, private, untraceable

Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

I have to as well make every gpg action confirm in the Dom0 Operation Execution with Target GPG backend.

Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within the normal AppVM, I get an error popuplike :

Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

Any advice appreciated!

Is this mailing list still active or one needs to better go to a different place?

Still active, but the Forum has more traffic, although it's often low
grade and noisy.

On your questions, the first looks like a Whonix issue - Patrick has
asked that Qubes-Whonix questions be put in the Whonix forums, where
they will get better oversight.
The second looks like permissions - look in the policy file at
/etc/qubes-rpc/policy/qubes.PdfConvert

'taran1s' via qubes-users:

taran1s:

I have an issue with Split GPG as well as with opening files in the disposable VMs and with the qrexec in the guide How to use Monero CLI/daemon with Qubes + Whonix too.

Is this mailing list still active or one needs to better go to a different place?

Think many users are over on the forum (https://forum.qubes-os.org/). Your question is a bit niche, though, so possibly not many in general have experienced a similar issue or know how to fix it?

I have an issue with Split GPG as well as with opening files in the
disposable VMs and with the qrexec in the guide How to use Monero CLI/daemon
with Qubes + Whonix too.

CLI Wallet/Daemon Isolation with Qubes + Whonix | Monero - secure, private, untraceable

Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

This is a Whonix problem I am not familiar with.

I have to as well make every gpg action confirm in the Dom0 Operation
Execution with Target GPG backend.

You can solve this problem by adding a line such as:

    qubes.Gpg + work-email <yourtarget> allow

to `/etc/qubes/policy.d/30-user.policy`. Be sure to replace <yourtarget>
with the name of the backend qube.

Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within the
normal AppVM, I get an error popuplike :

Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

What is work-email’s default DisposableVM template? It’s in the
“Default DispVM” column in Qubes Manager. If it is “None” or “default
(None)” you will get this error. Setting it to a valid DisposableVM
Template (such as whonix-ws-16-dvm) should solve the problem.

Any advice appreciated!

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3c5f45cb-0e56-5bb5-a4ea-f68d001e2856%40mailbox.org.

- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Wouldn't reading the list answer the question? :wink:

unman:

taran1s:

I have an issue with Split GPG as well as with opening files in the
disposable VMs and with the qrexec in the guide How to use Monero
CLI/daemon with Qubes + Whonix too.

CLI Wallet/Daemon Isolation with Qubes + Whonix | Monero - secure, private, untraceable

Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

I have to as well make every gpg action confirm in the Dom0 Operation
Execution with Target GPG backend.

Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within
the normal AppVM, I get an error popuplike :

Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

Any advice appreciated!

Is this mailing list still active or one needs to better go to a different
place?

Still active, but the Forum has more traffic, although it's often low
grade and noisy.

On your questions, the first looks like a Whonix issue - Patrick has
asked that Qubes-Whonix questions be put in the Whonix forums, where
they will get better oversight.
The second looks like permissions - look in the policy file at
/etc/qubes-rpc/policy/qubes.PdfConvert

The /etc/qubes-rpc/policy/qubes.PdfConvert has allowed anyvm to run PdfConvert
$anyvm $dispvm allow

I already asked on the whonix forum and followed the improved version of the guide for Split Monero on Whonix website, but got another error that seems like the monero-wallet-ws AppVM doesnt see the monerod-ws AppVM. Monero GUI cannot connect and monero-wallet-cli returns this error:

Error: wallet failed to connect to daemon: http://localhost:18081. Daemon either is not started or wrong port was passed. Please make sure daemon is running or change the daemon address using the ‘set_daemon’ command.
Background refresh thread started

The monerod-ws is syncing albeit it gets quite a lot Socks errors here and there and sometimes freezes

Also in connection with the error related to the PdfConvert, I am not sure if the issue wiht the Split Monero is whonix specific or it is linked to the general qubes qrexcec setup and permissions of my Qubes.

Qubes 4.1 I use is vanilla and whonix-ws-16 is full vanilla too.

It would be really helpful if someone more experienced could have a look into it and provide help. I am cut off from the monero usage now if I don't want to use the remote node which I would like to avoid. Tried to find an answer on the net but didn't succeed.

Thanks in advance to anyone that can help us solve the issue!

Demi Marie Obenour:

unman:

taran1s:

I have an issue with Split GPG as well as with opening files in the
disposable VMs and with the qrexec in the guide How to use Monero
CLI/daemon with Qubes + Whonix too.

CLI Wallet/Daemon Isolation with Qubes + Whonix | Monero - secure, private, untraceable

Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

I have to as well make every gpg action confirm in the Dom0 Operation
Execution with Target GPG backend.

Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within
the normal AppVM, I get an error popuplike :

Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

Any advice appreciated!

Is this mailing list still active or one needs to better go to a different
place?

Still active, but the Forum has more traffic, although it's often low
grade and noisy.

On your questions, the first looks like a Whonix issue - Patrick has
asked that Qubes-Whonix questions be put in the Whonix forums, where
they will get better oversight.
The second looks like permissions - look in the policy file at
/etc/qubes-rpc/policy/qubes.PdfConvert

The /etc/qubes-rpc/policy/qubes.PdfConvert has allowed anyvm to run
PdfConvert
$anyvm $dispvm allow

What do the files under “/etc/qubes/policy.d” contain? R4.1 has a new
policy syntax and the files are located in a different directory. That
could easily cause denials.

Dear Demi-Marie, thank you for your reaction. Patrick on whonix forum mentioned that this is an issue (the communication in between qubes) with the Qubes qrexec rules, not whonix specific.

To your question regarding, the files under /etc/qubes/policy.d. The Qubes 4.1 is a fresh installation and I didn't make any changes except the Split Gpg and the Monero guide here http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Monero_Wallet_Isolation

I believe that there are no changes whatsoever in the files under /etc/qubes/policy.d and should be in default vanilla state.

Thank you in advance for your support!

What do the files under “/etc/qubes/policy.d” contain? R4.1 has a new
policy syntax and the files are located in a different directory. That
could easily cause denials.

- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab