
RPC policy documentation: clarify/emphasize `30-user.policy` rule precedence mechanics

Open 92VV3M42d3v8 opened this issue 3 years ago • 1 comment


Qubes OS release

Qubes OS 4.1.1, security-testing updated

Brief summary

Set `30-user.policy` in the new format with the last rule as

    • `@anyvm @anyvm deny`

Create multiple Whonix gateways and workstations. Try to connect a new WS with a new GW, and run Tor Browser in the new WS. A new "Status denied" message appears, and no connection gets established, as the WS is not showing any sdwdate in the tray icon.

Steps to reproduce

Expected behavior

It should work as it does without the qrexec rule.

Actual behavior

It doesn't work.

Workaround

Copy the `80-whonix.policy` rules into `30-user.policy` before

    • `@anyvm @anyvm deny`

It works as expected.

It makes me wonder if I need to add all rules from the other files in the policy.d folder to the `30-user.policy` file before adding the last rule.

92VV3M42d3v8 avatar Sep 13 '22 05:09 92VV3M42d3v8

You have set a default rule that denies all services except those mentioned above this rule in 30-user.policy. This file is parsed before any other file and parsing stops at the first rule that matches. So you are blocking everything. (Including qvm-copy, etc etc)

This is why copying the Whonix rules into the file makes it work.

In sum, don't add a rule like this. It's almost certainly not what you want.

This isn't a bug - it's user error. Probably docs need to make it clearer.

unman avatar Sep 13 '22 14:09 unman
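A small model of the precedence mechanics unman describes (files in policy.d read in lexical filename order, first matching rule wins), added here as an illustration and not code from the Qubes project. The policy file contents, VM names, tags and service/argument values are constructed stand-ins, not the real `80-whonix.policy`; the evaluator ignores real-world details such as `@default` targets and `!include` directives.

```python
"""Simplified model of Qubes RPC policy evaluation (added example)."""

# Constructed stand-ins for two files in /etc/qubes/policy.d.
WHONIX_RULES = """
whonix.SdwdateGui * @tag:anon-vm @tag:anon-gateway allow
qubes.ConnectTCP +9050 @tag:anon-vm @tag:anon-gateway allow
"""
USER_RULES_BAD = """
qubes.ClipboardPaste * @anyvm @anyvm ask
* * @anyvm @anyvm deny
"""
# The workaround from the issue: Whonix rules placed before the catch-all deny.
USER_RULES_FIXED = WHONIX_RULES + USER_RULES_BAD

# Constructed VM -> tag mapping for a second gateway/workstation pair.
TAGS = {"sys-whonix-2": {"anon-gateway"}, "anon-ws-2": {"anon-vm"}}


def parse(text):
    """Return (service, argument, source, destination, action) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(tuple(line.split()[:5]))
    return rules


def vm_matches(pattern, vm):
    if pattern in ("@anyvm", vm):
        return True
    if pattern.startswith("@tag:"):
        return pattern[5:] in TAGS.get(vm, set())
    return False


def evaluate(policy_d, service, arg, src, dst):
    """policy_d: {filename: text}. Returns (file that decided, action)."""
    for fname in sorted(policy_d):          # lexical order: 30-... before 80-...
        for svc, a, s, d, action in parse(policy_d[fname]):
            if (svc in ("*", service) and a in ("*", arg)
                    and vm_matches(s, src) and vm_matches(d, dst)):
                return fname, action        # first match wins; parsing stops
    return None, "deny"                     # nothing matched: denied


if __name__ == "__main__":
    bad = {"30-user.policy": USER_RULES_BAD, "80-whonix.policy": WHONIX_RULES}
    fixed = {"30-user.policy": USER_RULES_FIXED, "80-whonix.policy": WHONIX_RULES}
    for name, pol in (("bad", bad), ("fixed", fixed)):
        print(name, evaluate(pol, "whonix.SdwdateGui", "+", "anon-ws-2", "sys-whonix-2"))
```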