With my thread I refer to the following link, and to the following, now solved, topic:
and here to the elaborated policy in qubes.UpdateProxy, which makes it possible to run the original Whonix system and a matching clone alternatively and independently.
For this, please see
Nevertheless, an important problem occurs:
Only removing the last line
$anyvm $anyvm deny
allows updating Fedora and Debian via the Qubes updater and via the menu. Otherwise I get an error message that the connection to qubes.Updates.Proxy is denied.
I have tested it several times with Fedora and Debian, and it is always the same negative result.
Since this rule is very important for security and omitting it creates a risk, the question arises as to the cause of the update problem.
I ask for reproduction of the process and opinions on it. Thank you very much.
Yes, I have checked the file and everything seems correct.
But currently, as far as I remember, the qubes.UpdatesProxy file overwrites what is defined in the rewritten policy guidelines. So I was under the impression that the updates must be working. For the Whonix systems it does, but just not for Fedora and Debian.
# Upgrade all Templates through sys-whonix.
#$type:Template $default allow,target=sys-whonix
# Upgrade whonix-gw-16-clone-1 through sys-whonix-cloned.
whonix-gw-16-clone-1 $default allow,target=sys-whonix-cloned
# Upgrade whonix-ws-16-clone-1 through sys-whonix-cloned.
whonix-ws-16-clone-1 $default allow,target=sys-whonix-cloned
# Upgrade Whonix ™ Templates through sys-whonix.
$tag:whonix-updatevm $default allow,target=sys-whonix
# Deny Whonix ™ Templates using UpdatesProxy of any other VM.
$tag:whonix-updatevm $anyvm deny
# Default rule for all Templates - direct the connection to sys-net
$type:Template $default allow,target=sys-net
$anyvm $anyvm deny
And this is the content of 90-policy.d; I have posted only the parts relevant to the problem in the 90-default.policy (… means omitted):
## Do not modify this file, create a new policy file with lower number in the
## filename instead. For example `30-user.policy`.
###
### Default qrexec policy
###
## File format:
## service-name|* +argument|* source destination action [options]
## Note that policy parsing stops at the first match.
# policy.RegisterArgument should be allowed only for specific arguments.
policy.RegisterArgument * @anyvm dom0 deny
# WARNING: The qubes.ConnectTCP service is dangerous and allows any
# qube to access any other qube TCP port. It should be restricted
# only to restricted qubes. This is why the default policy is 'deny'
# Example of policy: qubes.ConnectTCP +22 mytcp-client @default allow target=mytcp-server
qubes.ConnectTCP * @anyvm @anyvm deny
# VM advertise its supported features
qubes.FeaturesRequest * @anyvm dom0 allow
# Windows VM advertise installed Qubes Windows Tools
qubes.NotifyTools * @anyvm dom0 allow
# File copy/move
qubes.Filecopy * @anyvm @anyvm ask
# Get current date/time
qubes.GetDate * @tag:anon-vm @anyvm deny
qubes.GetDate * @anyvm @anyvm allow target=dom0
......
# Notify about available updates
qubes.NotifyUpdates * @anyvm dom0 allow
......
# HTTP proxy for downloading updates
# Upgrade all TemplateVMs through sys-whonix
#qubes.UpdatesProxy * type:TemplateVM @default allow target=sys-whonix
# Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
# Deny Whonix TemplateVMs using UpdatesProxy of another VM.
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
# Default rule for all TemplateVMs - direct the connection to sys-net
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-net
qubes.UpdatesProxy * @anyvm @anyvm deny
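As an added example (not part of the thread and not Qubes' own parser), a small Python evaluator that applies the "policy parsing stops at the first match" rule from the 90-default.policy header to the qubes.UpdatesProxy lines quoted above, and shows how a catch-all deny that happens to be evaluated earlier shadows every later allow rule. The VM names, classes and tags are constructed sample data; only the token kinds that appear on this page (@anyvm, @default, @type:, @tag: and literal names) are handled, and the argument column is ignored.

```python
from dataclasses import dataclass, field

@dataclass
class VM:                      # constructed sample VM metadata, not real qubes
    name: str
    klass: str = ""            # e.g. "TemplateVM"
    tags: set = field(default_factory=set)

# '@default' as destination means the caller did not name a target qube.
DEFAULT = VM("@default")

def _match(token, vm, is_dest):
    """Match one source/destination token against a VM (page's token kinds only)."""
    if token == "@anyvm":                 # catch-all, also matches @default
        return True
    if token == "@default":
        return is_dest and vm.name == "@default"
    if token.startswith("@type:"):
        return vm.klass == token[len("@type:"):]
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in vm.tags
    return vm.name == token               # literal VM name

def evaluate(policy, service, src, dest):
    """Return (action, target) of the first matching rule; no match -> deny."""
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        svc, _arg, s, d, action, *opts = line.split()   # argument column ignored
        if svc not in ("*", service):
            continue
        if _match(s, src, False) and _match(d, dest, True):
            target = next((o[len("target="):] for o in opts if o.startswith("target=")), None)
            return action, target
    return "deny", None

# The qubes.UpdatesProxy rules quoted from 90-default.policy above.
POLICY = """
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-net
qubes.UpdatesProxy * @anyvm @anyvm deny
"""
# Same rules with a catch-all deny evaluated first (as a rule from an earlier-loaded
# file would be): the later allow rules are never reached.
SHADOWED = "qubes.UpdatesProxy * @anyvm @anyvm deny\n" + POLICY

FEDORA = VM("fedora-36", "TemplateVM")                             # constructed
WHONIX_GW = VM("whonix-gw-16", "TemplateVM", {"whonix-updatevm"})  # constructed
```

The real qrexec parser supports more token kinds and options than this; the point shown is only the effect of rule ordering, which is why an early `@anyvm @anyvm deny` produces exactly the "connection denied" symptom for Fedora and Debian while a later one is harmless.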