I changed the name of sys-net and then installing apps on template failed.
I rememberd that on 4.0 in updateproxy policy there was a something like @type:TemplateVM @default allow,target=sys-net
but in 4.1 wasn’t there by default.
After added it I was able to install apps on templates but the question is, is it the flow different on 4.1 or why that statement was missing from 4.1?
I changed the name of sys-net and then installing apps on template failed.
4.1 has a different mechanism.
There is a default policy file in /etc/qubes/policy.d/90-default.policy
Read the head of the default file.
To override that file you create a new higher-numbered file in the same
directory, with the setting you want.
Have changed as follows and saved the file as 120-default.policy:
Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=update-vpn
Default rule for all TemplateVMs - direct the connection to sys-net
qubes.UpdatesProxy * @type:TemplateVM @default allow target=update-vpn
Now I get the following error despite file permission and group being identical to the original:
You didn’t read the head of the default file as I suggested, and you
followed what I said instead of what I meant.
To override the default file you need a lower numbered file. I don’t
know what I was thinking.
Apologies.