/rc/config/rc.local
in all my app VMs contains the following:
rm -rf /home/user/QubesIncoming
install -d -o user -g user -m 770 /tmp/QubesIncoming
ln -s /tmp/QubesIncoming /home/user/QubesIncoming
chown -h user:user /home/user/QubesIncoming
what this means is that on starting the AppVM, /home/user/QubesIncoming
is replaced with a softlink to /tmp/QubesIncoming
, ensuring that everything that has been transfered to that VM during a session will be lost along with other content of /tmp
when the VM is shut down - less crud is accumulating.
Following a recent upgrade to fedora-39
as a default base template (in anticipation of the imminent deprecation of fedora-38
), this setup is breaking.
While I can e.g. qvm-copy
fine to debian-12
based AppVMs, doing so to VMs based on fedora-39
results in this:
$ qvm-copy test.txt
EOFt 0/0 KB
qfile-unpacker: Fatal error: Error chdir to /home/user/QubesIncoming/disp4011 (error type: Permission denied)
A bit of investigative work leads shows that while on debian-12
based AppVMs the relevant paths look like this:
$ ls -lad /home/user/QubesIncoming
lrwxrwxrwx 1 user user 18 Feb 26 09:25 /home/user/QubesIncoming -> /tmp/QubesIncoming
$ ls -lad /tmp/QubesIncoming
drwxrwx--- 3 user user 4096 Feb 26 10:00 /tmp/QubesIncoming
the equivalent on fedora-39
based machines gives
$ ls -lad /home/user/QubesIncoming
lrwxrwxrwx. 1 user user 18 Feb 26 10:01 /home/user/QubesIncoming -> /tmp/QubesIncoming
$ ls -lad /tmp/QubesIncoming
drwxrwx---. 2 user user 40 Feb 26 10:01 /tmp/QubesIncoming
Note the diverging .
(dot) following the access right indicator, which after some reading leads me to believe that SeLinux
or its attributes are interfering with the setup.
I have no experience with this at all and am asking for advise on how to tackle this most conservatively without having to forego security benefits from SeLinux
usage.