Security: Important policy rule blocks fedora/debian updates

Hello Users, hello Qubes-Team,

With this thread I refer to the following link and to the following, now solved topic:

and here to the elaborated policy in qubes.UpdateProxy, which makes it possible to run the original Whonix system and a matching clone alternatively and independently.

For this, please see

Nevertheless, an important problem occurs:

Only removing the last line

$anyvm $anyvm deny

allows updating fedora and debian via the Qubes updater and via the menu. Otherwise I get an error message that the connection to qubes.Updates.Proxy is denied.

I have tested it several times with fedora and debian and it is always the same negative result.

Since this rule is very important for security and omitting it creates a risk, the question arises as to the cause of the update problem.

I ask for reproduction of the process and opinions on it. Thank you very much.

Which version of Qubes, and if 4.1.x, did you check 90-default.policy?

Version 4.1.1.

Yes, I have checked the file and everything seems correct.
But currently, as far as I remember, the qubes.UpdatesProxy file overwrites what is defined in the rewritten policy guidelines. So I was under the impression that the updates must be working. For the whonix systems it does, but just not for fedora and debian.

It would be helpful if you could paste here content of both files.

This is the content of qubes.UpdatesProxy:

# Upgrade all Templates through sys-whonix.
#$type:Template $default allow,target=sys-whonix

# Upgrade whonix-gw-16-clone-1 through sys-whonix-cloned.
whonix-gw-16-clone-1 $default allow,target=sys-whonix-cloned

# Upgrade whonix-ws-16-clone-1 through sys-whonix-cloned.
whonix-ws-16-clone-1 $default allow,target=sys-whonix-cloned

# Upgrade Whonix ™ Templates through sys-whonix.
$tag:whonix-updatevm $default allow,target=sys-whonix

# Deny Whonix ™ Templates using UpdatesProxy of any other VM.
$tag:whonix-updatevm $anyvm deny

# Default rule for all Templates - direct the connection to sys-net
$type:Template $default allow,target=sys-net

$anyvm $anyvm deny

And this is the content of 90-policy.d; I have posted only the parts of 90-default.policy relevant to the problem (… means omitted):

## Do not modify this file, create a new policy file with lower number in the
## filename instead. For example `30-user.policy`.

###
### Default qrexec policy
###

## File format:
## service-name|*       +argument|* source          destination action  [options]

## Note that policy parsing stops at the first match.

# policy.RegisterArgument should be allowed only for specific arguments.
policy.RegisterArgument *           @anyvm          dom0        deny

# WARNING: The qubes.ConnectTCP service is dangerous and allows any
# qube to access any other qube TCP port. It should be restricted
# only to restricted qubes. This is why the default policy is 'deny'

# Example of policy: qubes.ConnectTCP +22 mytcp-client @default allow target=mytcp-server
qubes.ConnectTCP        *           @anyvm          @anyvm      deny

# VM advertise its supported features
qubes.FeaturesRequest   *           @anyvm          dom0        allow

# Windows VM advertise installed Qubes Windows Tools
qubes.NotifyTools       *           @anyvm          dom0        allow

# File copy/move
qubes.Filecopy          *           @anyvm          @anyvm      ask

# Get current date/time
qubes.GetDate           *           @tag:anon-vm    @anyvm      deny
qubes.GetDate           *           @anyvm          @anyvm      allow target=dom0

......

# Notify about available updates
qubes.NotifyUpdates  *           @anyvm         dom0           allow

......
# HTTP proxy for downloading updates
# Upgrade all TemplateVMs through sys-whonix
#qubes.UpdatesProxy  *        type:TemplateVM    @default    allow target=sys-whonix
# Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy    *   @tag:whonix-updatevm  @default  allow target=sys-whonix
# Deny Whonix TemplateVMs using UpdatesProxy of another VM.
qubes.UpdatesProxy    *    @tag:whonix-updatevm  @anyvm    deny
# Default rule for all TemplateVMs - direct the connection to sys-net
qubes.UpdatesProxy    *     @type:TemplateVM       @default   allow target=sys-net
qubes.UpdatesProxy    *      @anyvm                        @anyvm    deny

It should be

$type:TemplateVM $default allow,target=sys-net

Also, whole file should be

whonix-gw-16-clone-1 $default allow,target=sys-whonix-cloned
$tag:whonix-updatevm $default allow,target=sys-whonix
$type:TemplateVM $default allow,target=sys-net
$tag:whonix-updatevm $anyvm deny
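To make the first-match behaviour behind this reply concrete, here is a small evaluator for the legacy policy format (added example, not Qubes code); the VM inventory and the restriction to the tokens used in this thread are assumptions.

```python
# Added example (not Qubes code): first-match evaluator for the legacy qrexec
# policy format of /etc/qubes-rpc/policy/qubes.UpdatesProxy.  It models only the
# $anyvm, $type:, $tag: and $default tokens seen in this thread; VMS is constructed.
VMS = {  # VM name -> (qubes class, tags)
    "fedora-36":            ("TemplateVM", set()),
    "whonix-gw-16":         ("TemplateVM", {"whonix-updatevm"}),
    "whonix-gw-16-clone-1": ("TemplateVM", {"whonix-updatevm"}),
}

def _matches(token, vm):
    klass, tags = VMS.get(vm, ("", set()))
    if token == "$anyvm":
        return True
    if token == "$default":            # only a call with no explicit target
        return vm == "$default"
    if token.startswith("$type:"):
        return klass == token[len("$type:"):]
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in tags
    return token == vm

def evaluate(policy_text, source, destination="$default"):
    """Return (action, target) from the first matching line; deny if none."""
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, spec = line.split(None, 2)
        if not (_matches(src, source) and _matches(dst, destination)):
            continue
        action, *opts = spec.split(",")
        if action == "deny":
            return "deny", None
        return action, dict(o.split("=", 1) for o in opts).get("target", destination)
    return "deny", None  # nothing matched: qrexec denies by default

# OP's file: "$type:Template" matches no TemplateVM, so Fedora falls through
# to the final "$anyvm $anyvm deny" and the updater reports the connection denied.
BROKEN = """$tag:whonix-updatevm $default allow,target=sys-whonix
$type:Template $default allow,target=sys-net
$anyvm $anyvm deny"""

# Corrected file from the reply, with the final deny line kept as the OP did.
FIXED = """whonix-gw-16-clone-1 $default allow,target=sys-whonix-cloned
$tag:whonix-updatevm $default allow,target=sys-whonix
$type:TemplateVM $default allow,target=sys-net
$tag:whonix-updatevm $anyvm deny
$anyvm $anyvm deny"""
```

Keeping the trailing `$anyvm $anyvm deny` is harmless once the `$type:TemplateVM` line matches first; it only ever catches calls no earlier line accepted.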

Here are the results:

  1. Changing only the name “Template” to “TemplateVM” does not change anything.

  2. Otherwise I have adopted the file as given, with a successful result. Fedora and Debian were updated.

I kept the following line:

$anyvm $anyvm deny

Whether the Whonix clone and the original still work like this, I still have to test.

Addition: I have tested Whonix and the clone and it works. Only the update function of both is still pending.