[solved] messed up qrexec policies

ckN6QwSZ · May 30, 2022, 11:18am

My Qubes Updater returns (regardless which template I want to update):

----------
_error:
    Failed to return clean data
retcode:
    126
stderr:
    Request refused
stdout:

In dom0-cli the same mistake can be reproduced with sudo qubesctl --skip-dom0 --target= and so forth.

Can anybody lend me a hand where and what to look out for? Or a quick fix, a revert of the qrexec-framework for instance?

Recent changes I made:

installed (and updated) fedora-35 template
changed templates for AppVMs and SysVMs to fedora-template
installed (and updated) fedora-34-xfce while giving sys-gui and sys-gui-gpu a try
deactivated autostart of both sys-guis, since sys-gui gave me a more or less empty xfce-desktop and sys-gui-gpu crashes the system

I suspect a flaw or a misconfiguration in qrexec-policies.

tzwcfq · May 30, 2022, 11:26am

tzwcfq · May 30, 2022, 11:32am

Maybe try to change default-mgmt-dvm to fedora-35 template as well.

ckN6QwSZ · May 30, 2022, 11:32am

Could be, a more specfic error message of the updater would be nice, i.e. can't reach https://https.fedora.net, ssl-certificate expired or something like this.

tzwcfq · May 30, 2022, 11:34am

You can try to run dnf check-update in template terminal to check if there are some errors.

ckN6QwSZ · May 30, 2022, 11:37am

In sys-firewall? That does not give an error (Last metadata expiration check…).

tzwcfq · May 30, 2022, 11:39am

In fedora-35 (or 34) template.

ckN6QwSZ · May 30, 2022, 11:46am

Thanks, yes, their error messages are more specific.

Although I get errors for ALL mirrors (debian, kali, fedora, whonix).

Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.1 8082]

tzwcfq · May 30, 2022, 11:49am

There is a problem with your updatevm.
What qube do you use as updatevm?
What did you change in it? Only changed template?
Or maybe you changed policy file in dom0?
cat /etc/qubes-rpc/policy/qubes.UpdatesProxy

ckN6QwSZ · May 30, 2022, 11:52am

Tinyproxy is running and listening (0.0.0.0:8082) in sys-net.

Can’t find the setting for updatevm at the moment. dom0 update vm according to “Qubes Global Settings” is sys-firewall…

tzwcfq · May 30, 2022, 11:53am

Run this command in dom0:
cat /etc/qubes-rpc/policy/qubes.UpdatesProxy

ckN6QwSZ · May 30, 2022, 11:57am

$tag: whonix-updatevm $default allow,target=sys-whonix
$tag: whonix-updatevm $anyvm deny

I do not recall switching update-vms.

ckN6QwSZ · May 30, 2022, 11:59am

As I mentioned in the other thread ctrl+shift+v doesn’t work either, that’s why I suspect some qrexec f…up.

tzwcfq · May 30, 2022, 12:00pm

What do you have here?
cat /etc/qubes/policy.d/90-default.policy | grep -i update
Also I have this in /etc/qubes-rpc/policy/qubes.UpdatesProxy:

$ cat /etc/qubes-rpc/policy/qubes.UpdatesProxy 
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
$type:TemplateVM $default allow,target=sys-whonix

tzwcfq · May 30, 2022, 12:01pm

Seems like you’ve somehow messed up policies in dom0.

ckN6QwSZ · May 30, 2022, 12:02pm

The 3rd line is missing…

Do I have to reload policies after adding the third line?

ckN6QwSZ · May 30, 2022, 12:06pm

Could the inter-VM copy&paste issue be a messed up qubes.ClipboardPaste?

Could you give me your qubes.ClipboardPaste?

tzwcfq · May 30, 2022, 12:18pm

No, just add the line and it’ll be applied.

Yes.

$ cat /etc/qubes-rpc/policy/qubes.ClipboardPaste 
## Note that policy parsing stops at the first match,
## so adding anything below "@anyvm @anyvm action" line will have no effect
##
## Clipboard paste (Ctrl-Shift-V) will treat "ask" as "allow" but only when
## called by this keyboard shortcut. "deny" always denies the operation.

## Please use a single # to start your custom comments

dom0	@anyvm	ask
@anyvm	@anyvm	ask

Also check this file:
cat /etc/qubes/policy.d/90-default.policy
It’s a policy file with new Qubes 4.1 format and these rules are applied as well as rules in old Qubes 4.0 format from /etc/qubes-rpc/policy.

ckN6QwSZ · May 30, 2022, 12:24pm

My qubes.ClipboardPaste is identical to yours.

I got the feeling that experimenting with sys-gui and sys-gui-gpu messed up my

/etc/qubes/policy.d/*

Let me check the official qubes-documentation about (completely) reverting sys-gui-experiments.

Thank you very much for your help!

ckN6QwSZ · May 30, 2022, 12:42pm

I checked 90-default.policy with md5sum against qubes-core-admin/qubes-rpc-policy at master · QubesOS/qubes-core-admin · GitHub and they are identical.

Then I renamed 50-gui-sys-gui-gpu.policy to 50-gui-sys-gui-gpu.policy.backup and 50-gui-sys-gui.policy to 50-gui-sys-gui.policy.backup.

Although getting those two files out of the way might make sense… is renaming to foobar.policy.backup enough? Would you recommend to remove them entirely? I’m not sure if they still get parsed… since shift+ctrl+v and updating templates still don’t work.