Kicksecure inside Debian Template sdwdate qrexec Denied message #7447
Comments
|
Status of Kicksecure inside Qubes: Related Qubes qrexec source code file: qrexec policy line which is causing this: Kicksecure uses sdwdate: qrexec polcy line which is preventing this for Qubes-Whonix: It's prevented in Qubes-Whonix becuase these VMs have qrexec tag How should Kicksecure-Qubes sdwdate support be fixed in Qubes dom0 qrexec policy? In absence of a Kicksecure-Qubes template and Qubes dom0 package qubes-core-admin-addon-kicksecure that seems difficult. For sure we shouldn't re-use the tag Telling users to manually add any tags seems cumbersome. Changing the default Should Qubes dom0 package qubes-core-admin-addon-kicksecure be invented? As long as there's no KIcksecure-Qubes template maintainer that I guess wouldn't work anyhow. For tracking purposes: |
|
Why is a non-Whonix VM calling |
|
This is primarily a Qubes dom0 issue. Suggested ticket tags:
Kicksecure uses sdwdate. |
DemiMarie
added
T: bug
Is renaming the service an option? |
Yes, sure. However, that file is still part of Qubes dom0 package Even if renamed, I still don't see how we can fix the issue reported here without changing the sdwdate qrexed default from deny to allow or without a Kicksecure-Qubes template maintainer. |
andrewdavidwong
added
the
diagnosed
|
Lets first try to figure out what should be the final goal, and only then - how.
Ok, so the user did just this: took Debian template and morphed it into Kicksecure. No Whonix is involved or even installed. What should happen? |
|
Kicksecure VMs are primarily used non-torified, i.e. over clearnet (or VPN). That's the main use case. Some users might torify them for some reason but that would be the corner case. Torified Kicksecure makes little sense - because in that case using Whonix would be better.
Good question. I guess... The Kicksecure VM should be allowed to qrexec send It's non-ideal since the Tor inside For Kicksecure outside of Qubes none of this is an issue. It has its own desktop environment so using its own sdwdate-gui is appropriate. How to best implement this in Qubes is a good question. Then also the That is until a cleaner solution https://phabricator.whonix.org/T930 is implemented which would abolish the need for a two-way qrexec calls. |
|
What's the purpose of this service? Is it only reporting status to be displayed in a single place (instead of separate icon for each qube)? Or is it also assisting with the actual time synchronization? If the former, maybe the solution for the case without Whonix is to run sdwdate-gui locally in the Kicksecure VM? May not be optimal if there are many of them, though... |
Yes, "mostly" only reporting the status and [...]
[...] "Not directly." Except for usability. It offers a few handy buttons buttons
sdwdate-gui homepage: screenshot of that menu:
Yes, that would of course work.
Indeed. It's non-ideal. |
|
Thoughts? |
|
Not sure |
|
Greetings. Any update on this issue, or maybe any clues on how to deal with it while the fix is not in place? Thanks in advance. |
andrewdavidwong
added
the
eol-4.1
This comment was marked as outdated.
This comment was marked as outdated.
|
I dont think this behavior fixed yes? |
andrewdavidwong
added
affects-4.2
Installing Kicksecure inside Debian Template (Following distro-morphing instructions) the Appvm which is based on kicksecure template will give tons of the same error reported above: (The Appvm called I2P)
Any operation using the terminal/command line like e.g remove or install something it will regenerate similar messages.
(This can be reproduced in StandaloneVM based on Debian then changed to Kicksecure)
Originally posted by @TNTBOMBOM in #7013 (comment)
The text was updated successfully, but these errors were encountered: