Qvm-move fails at 'Request refused'

LmaoPls · March 8, 2024, 7:44pm

Problem
File downloaded to personal qube, based on fedora-38-xfce (created by installer) is not possible to move using qvm-move nor gvm-copy to a different qube. Commands fail with Request refused.

[user@personal Downloads]$ qvm-move package.deb
Request refused
[user@personal Downloads]$ qvm-copy package.deb
Request refused

Workaround
File is possible to move through dom0:

[johndoe@dom0 Downloads]$ qvm-run -p personal 'cat ~user/Downloads/package.deb' > package.deb
[johndoe@dom0 Downloads]$ qvm-move-to-vm d12m-usb package.deb

Target Machine Info
System: Qubes 4.2.0 (R4.2)
Xfce: 4.16
CPU: AMD Ryzen 3 4300G
SSD: M.2

Troubleshooting Passed

Reboot
Global Config set to Default policy (no change, just verification)
Tried to check /etc/qubes-rpc/policy/qubes.Filecopy but qubes.Filecopy doesn’t exist
No updates available for dom0

What could be the cause?

DVM · March 8, 2024, 7:55pm

Qubes 4.2 now handles the policy files in /etc/qubes/policy.d/, that’s why you couldn’t find it.

Open Qubes Global Config, go to File Access and check the policy you are currently using.

LmaoPls · March 8, 2024, 8:15pm

Section Moving and Copying Files is set to Default policy as I mention in passed troubleshooting.

DVM · March 8, 2024, 8:21pm

Perhaps you have a custom file in the policy directory that changes the default behavior?

What does this give you in dom0:

sudo grep -r qubes.Filecopy /etc/qubes/policy.d/

LmaoPls · March 8, 2024, 8:24pm

sudo grep -r qubes.Filecopy /etc/qubes/policy.d/ returns:

/etc/qubes/policy.d/90-default.policy:qubes.Filecopy         *      @anyvm      @anyvm     ask

I have also found an error in /var/log/qubes/qrexec.personal.log:

Where does it lead to?

DVM · March 8, 2024, 8:31pm

The policy looks ok to me.

About the screenshot, I see another policy file at the bottom that has a syntax error (/etc/qubes-rpc/policy/trezord-service).

Did you do a fresh install with backup restoration or is this an in-place upgraded Qubes 4.2 system?

LmaoPls · March 8, 2024, 8:56pm

This is the fresh 4.2 installation. I have no backup of dom0. I’m trying to run Trezor Suite and trezord-service is part of it. I will confirm the validity of the file and let you know. Thank you for your time.

LmaoPls · March 12, 2024, 1:19pm

The problem was caused by trezord-service file.

LmaoPls · March 18, 2024, 11:19am

This is a follow-up proposed solution. The problem was caused by command "$anyvm $anyvm allow,user=trezord,target=sys-usb" > /etc/qubes-rpc/policy/trezord-service causing system to take anyvm as a variable. The author of tutorial has released a newer version addresing this syntax error, accessible here: smrtak: updated version with fixed issues: # TrezorSuite ...

The solution is to use '@anyvm @anyvm allow,user=trezord,target=sys-usb' > /etc/qubes-rpc/policy/trezord-service instead or edit file manually.