qubes-qrexec-policy-daemon rule matching breaks/works by seemingly unrelated filesystem actions #9190
Labels: affects-4.2, C: core, needs diagnosis, P: default, T: bug
Qubes OS release
4.2.1
Brief summary
Weird/counterintuitive behavior of qubes-qrexec-policy-daemon, inability to find matching rules until a service restart or seemingly-unrelated filesystem manipulations take place.
Steps to reproduce
Install Qubes OS 4.2.1, preferably inside a virtual machine as described here, to help with debugging the issue by rewinding time to the "last known bad/good condition". As part of such a virtualized installation, sys-usb may be disabled and full control of USB devices handed to dom0.
Then attempt to configure the installed system to work with qubes-builderv2 with the following commands:
Try to build the fedora-39 template - qubes-qrexec-policy-daemon should fail to find an appropriate rule:
Further proof of the inability to find the appropriate rule:
Change the policy file's filesystem owner, group and permissions as suggested here:
however, the same exception should be thrown (if that's reproducible, the aforementioned PR may be closed - however, please read further). Take a live snapshot of the virtual machine hosting Qubes OS right here and now to rewind time in case of unsuccessful experiments.
From this point, each of the actions described below happens from that snapshot being restored.
Restarting qubes-qrexec-policy-daemon (or rebooting Qubes OS - same thing) should fix the problem:
These commands should also fix the problem:
Or these:
What does not work:
or
Expected behavior
Consistent and intuitive behavior of qubes-qrexec-policy-daemon, rather than relying on unknown/random/undocumented behavior to make it work as intended. Alternatively, a clear mention in the documentation that it is preferable to restart the service that handles policies each time a policy is to be applied.
Actual behavior
Seemingly random/unrelated actions (moving or copying the policy file, or changing its filesystem attributes) make qubes-qrexec-policy-daemon work after it has failed to handle policies that were added to that file in the expected way.
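To make the reported symptom concrete while the cause is still undiagnosed, the following is an added toy model, not qrexec's own code or parser: a simplified policy file is loaded into a cache that is refreshed only when a chosen "signature" of the file changes. With a signature built from inode, mode, owner and group (the kind of metadata that rename, chown or chmod alter), an in-place edit that adds a rule is not noticed until permissions change, exactly the pattern described above; with a content-based signature the new rule is seen immediately. The policy syntax, the qube names (work-builder, @dispvm) and the file name are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

# Constructed, simplified policy line: "service argument source target action".
# "*" matches any service or argument, "@anyvm" matches any source or target.
# This is a toy for illustration, not qrexec's real parser or matching rules.


def parse_policy(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append(tuple(parts[:5]))
    return rules


def _matches(pattern, value):
    return pattern in ("*", "@anyvm") or pattern == value


def find_action(rules, service, argument, source, target):
    """First matching rule wins; None models the daemon's 'no rule matched' error."""
    for r_service, r_arg, r_source, r_target, action in rules:
        pairs = ((r_service, service), (r_arg, argument),
                 (r_source, source), (r_target, target))
        if all(_matches(p, v) for p, v in pairs):
            return action
    return None


def attribute_signature(path):
    """Hypothetical reload key that only sees rename/copy/chown/chmod, not edits."""
    st = os.stat(path)
    return (st.st_ino, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def content_signature(path):
    """Reload key that changes whenever the file's bytes change."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class CachedPolicy:
    """Keeps parsed rules in memory and re-reads the file only when the signature changes."""

    def __init__(self, path, signature_fn):
        self.path = path
        self.signature_fn = signature_fn
        self._signature = None
        self._rules = []

    def rules(self):
        sig = self.signature_fn(self.path)
        if sig != self._signature:
            with open(self.path) as f:
                self._rules = parse_policy(f.read())
            self._signature = sig
        return self._rules

    def lookup(self, service, argument, source, target):
        return find_action(self.rules(), service, argument, source, target)


def demo(signature_fn):
    """Returns the actions seen initially, after an in-place edit, and after chmod."""
    query = ("qubes.VMShell", "+", "work-builder", "@dispvm")  # constructed names
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "30-builder.policy")  # constructed file name
        with open(path, "w") as f:
            f.write("qubes.VMShell * @anyvm @anyvm deny\n")
        os.chmod(path, 0o644)
        cache = CachedPolicy(path, signature_fn)
        initial = cache.lookup(*query)
        # Add the allow rule "the expected way": edit the file in place.
        with open(path, "w") as f:
            f.write("qubes.VMShell * work-builder @dispvm allow\n"
                    "qubes.VMShell * @anyvm @anyvm deny\n")
        after_edit = cache.lookup(*query)
        # The seemingly unrelated filesystem action from the report: change permissions.
        os.chmod(path, 0o640)
        after_chmod = cache.lookup(*query)
    return initial, after_edit, after_chmod


if __name__ == "__main__":
    print("attribute-keyed cache:", demo(attribute_signature))
    print("content-keyed cache:  ", demo(content_signature))
```

Running it prints ("deny", "deny", "allow") for the attribute-keyed cache and ("deny", "allow", "allow") for the content-keyed one. Whether the real daemon's reload path resembles either model is precisely what the diagnosis has to establish; the toy only shows that a metadata-driven refresh would reproduce the observations without any randomness.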