Upgrade to 4.1 denies VMRootShell to mgmt VM when updating Whonix WS #7486

Closed
tetrahedras opened this issue May 4, 2022 · 8 comments · Fixed by QubesOS/qubes-mgmt-salt#32
Labels
P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. R: duplicate Resolution: Another issue exists that is very similar to or subsumes this one. r4.1-bookworm-stable r4.1-bullseye-stable r4.1-buster-stable r4.1-centos-stream8-stable r4.1-dom0-stable r4.1-fc34-stable r4.1-fc35-stable r4.1-fc36-stable

tetrahedras commented May 4, 2022

Qubes OS release

4.1

Brief summary

When attempting to update the Whonix WS template (via QubesUpdater or $ sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm) the update fails with the user notification pop-up:

Denied qubes.VMRootShell from disp-mgmt-whonix-ws-16 to whonix-ws-16

and the console log entry

whonix-ws-16:
      ----------
      _error:
          Failed to return clean data
      retcode:
          126
      stderr:
          Request refused
      stdout:

If I run apt update and apt upgrade on the template manually, it works fine.

Updates of non-Whonix templates also work fine.

It looks like there is a qrexec configuration issue specific to this one template, but I'm not sure where to go looking for it.

@tetrahedras tetrahedras added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug labels May 4, 2022
marmarek added a commit to marmarek/qubes-mgmt-salt that referenced this issue May 4, 2022
Legacy policy leftover could contain `@anyvm @AnyVM deny` rule (which is
expected in R4.0, but not appropriate in R4.1 anymore). To avoid
conflict, place dynamic rule earlier - at order "30".
If user wants, it's still possible to override this by earlier policy
files.

Fixes QubesOS/qubes-issues#7486
@marmarek
Member

marmarek commented May 4, 2022

Duplicate of #7122

@marmarek marmarek marked this as a duplicate of #7122 May 4, 2022
@marmarek marmarek closed this as completed May 4, 2022
marmarek added a commit to marmarek/qubes-mgmt-salt that referenced this issue May 4, 2022
Legacy policy leftover could contain `@anyvm @AnyVM deny` rule (which is
expected in R4.0, but not appropriate in R4.1 anymore). To avoid
conflict, place dynamic rule earlier - at order "30".
If user wants, it's still possible to override this by earlier policy
files.

Fixes QubesOS/qubes-issues#7486
Fixes QubesOS/qubes-issues#7122
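
The ordering conflict described in the commit message above, as an added example that is not part of this thread or of qubes-mgmt-salt: a simplified resolver showing why a leftover `@anyvm @anyvm deny` rule shadows a later allow rule, and why moving the dynamic rule to order "30" resolves it. Assumptions: policy files are evaluated in lexical filename order with the first matching rule winning, the leftover rule is written in the same five-field form as the new rule, and the file names and the pre-fix order "40" are constructed.

```python
# Simplified model of qrexec policy resolution (added example, not Qubes code).
# Assumption: files are read in lexical filename order and the first rule that
# matches a request decides it. Only exact names, "*" and "@anyvm" are modeled;
# the service-argument field is parsed but ignored.

def matches(pattern, value):
    """Match one policy field against the corresponding request field."""
    if pattern in ("*", value):
        return True
    return pattern == "@anyvm" and value != "dom0"

def rules(files):
    """Yield (file, lineno, fields) for each rule line, in evaluation order."""
    for name in sorted(files):
        for lineno, line in enumerate(files[name].splitlines(), 1):
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split()
            if len(fields) < 5:
                raise ValueError(f"{name}:{lineno}: expected at least 5 fields")
            yield name, lineno, fields

def resolve(files, service, source, target):
    """Return (action, file, lineno) for the first matching rule, else deny."""
    for name, lineno, (svc, _arg, src, dst, action, *_params) in rules(files):
        if matches(svc, service) and matches(src, source) and matches(dst, target):
            return action, name, lineno
    return "deny", None, None

# Constructed sample data: file names and the pre-fix order "40" are made up.
REQUEST = ("qubes.VMRootShell", "disp-mgmt-whonix-ws-16", "whonix-ws-16")
LEGACY_DENY = "qubes.VMRootShell * @anyvm @anyvm deny\n"
DYNAMIC_ALLOW = "qubes.VMRootShell * disp-mgmt-whonix-ws-16 whonix-ws-16 allow\n"
BEFORE = {"35-legacy-leftover.policy": LEGACY_DENY,
          "40-mgmt-dynamic.policy": DYNAMIC_ALLOW}
AFTER = {"35-legacy-leftover.policy": LEGACY_DENY,
         "30-mgmt-dynamic.policy": DYNAMIC_ALLOW}

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        action, name, lineno = resolve(files, *REQUEST)
        print(f"{label}: {action} (decided by {name}:{lineno})")
```

In the "after" layout the leftover deny still decides every other `qubes.VMRootShell` request, so only the management DisposableVM's call to its target is opened up.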
@andrewdavidwong
Member

This appears to be a duplicate of an existing issue. If so, please comment on the appropriate existing issue instead. If anyone believes this is not really a duplicate, please leave a comment briefly explaining why. We'll be happy to take another look and, if appropriate, reopen this issue. Thank you.

@andrewdavidwong andrewdavidwong added the R: duplicate Resolution: Another issue exists that is very similar to or subsumes this one. label May 4, 2022
@qubesos-bot

Automated announcement from builder-github

The package mgmt-salt has been pushed to the r4.1 testing repository for the CentOS centos-stream8 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.1-current-testing

@qubesos-bot

Automated announcement from builder-github

The component mgmt-salt (including package qubes-mgmt-salt-4.1.14-1.fc32) has been pushed to the r4.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

@qubesos-bot

Automated announcement from builder-github

The package mgmt-salt has been pushed to the r4.1 stable repository for the CentOS centos-stream8 template.
To install this update, please use the standard update command:

sudo yum update

@qubesos-bot

Automated announcement from builder-github

The component mgmt-salt (including package qubes-mgmt-salt-4.1.14-1.fc32) has been pushed to the r4.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

@qubesos-bot

Automated announcement from builder-github

The package qubes-mgmt-salt_4.1.14-1 has been pushed to the r4.1 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing buster-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

@qubesos-bot

Automated announcement from builder-github

The package qubes-mgmt-salt_4.1.16-1+deb10u1 has been pushed to the r4.1 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade
