TemplateVM is not defined on qubes-rpc policy by default

dallas87 · September 14, 2021, 6:38am

I changed the name of sys-net and then installing apps on template failed.
I rememberd that on 4.0 in updateproxy policy there was a something like @type:TemplateVM @default allow,target=sys-net but in 4.1 wasn’t there by default.
After added it I was able to install apps on templates but the question is, is it the flow different on 4.1 or why that statement was missing from 4.1?

unman · September 14, 2021, 11:14am

I changed the name of sys-net and then installing apps on template failed.

4.1 has a different mechanism.
There is a default policy file in /etc/qubes/policy.d/90-default.policy

Read the head of the default file.
To override that file you create a new higher-numbered file in the same
directory, with the setting you want.

MSQLI · February 23, 2022, 8:43pm

Have changed as follows and saved the file as 120-default.policy:

Upgrade Whonix TemplateVMs through sys-whonix.

qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=update-vpn

Default rule for all TemplateVMs - direct the connection to sys-net

qubes.UpdatesProxy * @type:TemplateVM @default allow target=update-vpn

Now I get the following error despite file permission and group being identical to the original:

MSQLI · February 27, 2022, 11:55am

@unman

Any idea what I’ve missed or done wrong?

unman · February 27, 2022, 1:31pm

You didn’t read the head of the default file as I suggested, and you
followed what I said instead of what I meant.
To override the default file you need a lower numbered file. I don’t
know what I was thinking.
Apologies.

MSQLI · February 27, 2022, 9:15pm

@unman

I get the exact same error with a lower numbered file name.