only the home directory is backed up. Therefore, if there are files outside of the home directory you wish to save, you should copy them into the home directory prior to creating a backup.
Now I have some edits to the policy files for various tools such as split-ssh, split-gpg, along with possible other edits. QubesOS backup tool not backing these up is a bummer, because such policy files are scattered around various directories and files.
Are there any strategies for locating the user edited policy files and migrating them to the new machine that other users have?
Symlinks on Linux are one of the most powerful underestimated tools in the hand of users to facilitate transfer of individual files to user’s home directory. Some use cases:
Actual custom policy files could be within user’s home directory. Symlinks to those files could be created at /etc/qubes/policy.d
User’s custom salt formulas could be within user’s home directory. Symlinks to them could be created at /srv/sat/...
Actual config files at /etc/* could be stored in user’s home directory. Symlinks to them could be created there.
Interesting answer. How would symlinks work with files that has to be owned by the root user and group? the files in my home dir would have root as their owner and groups?
Yes. root could create and modify files everywhere including users directories. With any ownership & permission. In many cases the original software will not care about ownership and permissions (e.g. the policy files). In some cases it is sensitive (e.g. salt files).
That’s a cool workflow for making changes to policy files and still keeping them in your home dir (so that the qubesOS backup tools grab them). I will consider migrating to this setup with my QubesOS. Thanks for the idea.
@alimirjamali the breadth of the changes to my dom0 /etc/ directory that I would like to migrate to a new physcial machine’s dom0, that I was able to recognize, so far, are the following files:
/etc/qubes/policy.d/30-user.policy
/etc/qubes/policy.d/50-config-splitgpg.policy
/etc/qubes/policy.d/50-ssh.policy
These are the files that I’ve manually modified on the commandline fitted to my workflow and usecases. However, upon closer look, I realize that the 50-config-splitgpg.policy and the 50-ssh.policy files’ contents might as well be included in the 30-user.policy file. Because the aforementioned 50-* files just contain lines such as:
These two kinds of lines that I have inserted via sudo vim command are very similar to what I have inserted to the 30-user.policy file, via simply vim command, making the 30-user.policy file belonging to my user’s, and thus possibly simplifying the symlinking a file from my user’s home directory to the /etc/qubes/policy.d directory.
Did such a thing occur to you in your symlinking workflow: that, you can collect ALL your customizations to the qubes-os policies into your 30-user.policy file?
I have more than one custom policy file. For example one for sys-audio, one for personal qube, …
One side note that the Qubes OS Policy Editor (GUI) can not edit symlinked policy files (I just recognized it). You will be have to use vim or other text editors for modifying symlinked policy files (at this moment). This is the disadvantage of the symlink strategy at this moment. I will have to work for a fix for this.
I am more than OK with editing the policy files in my home directory (which then get symlinked to the /etc/qubes/policy.d/ dir) with vim (or jove, if it was included by default in dom0 haha).
So, you have 30-sys-audio.policy, 30-personal-qube.policy, etc. files? I am interested in the number preceding the file names of your custom policy files – they are all a low number, am I rightly guessing?
I believe policies are evaluated sequentially (this type of numbering scheme is usually like this). Lower or higher numbers are usually relevant only if there is a conflict. I can check this up for you if you like.
If this doesn’t offend your privacy, I would be interested in seeing a tree command output of your /etc/qubes/policy.d/ directory, OR, only the names of your custom user policy files.
Yep. I have just symlinked my /home/user/30-user.policy file to the /etc/qubes/policy.d/30-user.policy file as well. In contrast to your setup, I will be collecting ALL my mods to the policies in this single file (I will be using comments in that file to structure it). I will also move the contents of the split-ssh and split-gpg configs into my 30-user.policy file. This should make migrating my dom0 to a new physical machine a breeze.
