On Mon, 05 Jan 2009 at 23:32:50 +0100, Filippo Giunchedi wrote:
> On Mon, Jan 05, 2009 at 08:32:58PM +0000, Simon McVittie wrote:
> > > <allow send_interface="org.bluez.Agent"/>
> >
> > That will work but is not ideal; D-Bus upstream opinion seems to be that
> > a bare "send_interface" without a corresponding send_destination is
> > almost always an error (because it matches the corresponding interface on
> > completely unrelated processes). Do Agent implementations have a well-known
> > service name you can use?
> >
> > Failing that, maybe you could at least match on object path as well as
> > on interface?
>
> Unfortunately they don't have a well known service name nor object path, agents are
> user-registered

Never mind. We have a lot of these rules in the archive anyway
(http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-utopia-maintain...@lists.alioth.debian.org&tag=fdo-18961)
and as far as I can tell it's not a release-critical bug, particularly as an
<allow> rule... so leave it like that unless D-Bus upstream can explain
something better.

> > Debian packages usually have a dual at_console/group-based policy for device
> > accesses like this (e.g. members of powerdev and netdev can use various
> > interfaces on hal even if they are not at_console), by duplicating the
> > permissions of the at_console <policy> into a separate group policy. See
> > NetworkManager's configuration in Debian, for instance.
>
> Okay, given that using AF_BLUETOOTH sockets requires CAP_NET_ADMIN for some
> ioctls I'd go for netdev group, makes sense?

netdev sounds the most appropriate, yes. avahi-daemon has some suitable
postinst snippets to create the group if necessary, before telling D-Bus to
reload:

    case "$1" in
        configure)
            # ...
            # Add the netdev group unless it's already there
            if ! getent group netdev >/dev/null; then
                addgroup --quiet --system netdev || true
            fi
            # ...
            # Ask the bus to reload the config file
            if [ -x "/etc/init.d/dbus" ]; then
                invoke-rc.d dbus force-reload || true
            fi
            ;;
    esac

Apparently at_console works (or at least, can be made to work) if you have
ConsoleKit installed, so you should have two <policy> sections, one for
at_console and one for netdev, containing the same <allow> rules.

Please go ahead with the unstable upload, but also attach the resulting
bluetooth.conf to this bug so I can review it.

Thanks,
Simon
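
The two review points raised in the mail above (a bare send_interface with no send_destination, and at_console and netdev policies carrying the same rules) can be checked mechanically. The following is an added example, not part of the original message and not code from the bluez or D-Bus packages; the sample policy is constructed, and the org.example.* names and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the real bluetooth.conf); org.example.* names are made up.
SAMPLE = """<busconfig>
  <policy at_console="true">
    <allow send_destination="org.example.Daemon" send_interface="org.example.Daemon.Control"/>
    <allow send_interface="org.bluez.Agent"/>
  </policy>
  <policy group="netdev">
    <allow send_destination="org.example.Daemon" send_interface="org.example.Daemon.Control"/>
  </policy>
</busconfig>"""

def load(text):
    return ET.fromstring(text)

def _rules(policy):
    return [r for r in policy if r.tag in ("allow", "deny")]

def _label(policy):
    return " ".join(f'{k}="{v}"' for k, v in sorted(policy.attrib.items()))

def bare_send_interface(root):
    """Rules with send_interface but no send_destination, which therefore
    match that interface on unrelated processes on the bus.
    Returns (policy label, rule tag, interface, has_send_path) tuples."""
    return [(_label(p), r.tag, r.get("send_interface"), "send_path" in r.attrib)
            for p in root.iter("policy") for r in _rules(p)
            if "send_interface" in r.attrib and "send_destination" not in r.attrib]

def policy_mismatch(root, group):
    """Rules found in only one of the at_console="true" and group policies."""
    key = lambda r: (r.tag, tuple(sorted(r.attrib.items())))
    console, grp = set(), set()
    for p in root.iter("policy"):
        if p.get("at_console") == "true":
            console |= {key(r) for r in _rules(p)}
        elif p.get("group") == group:
            grp |= {key(r) for r in _rules(p)}
    return console - grp, grp - console

if __name__ == "__main__":
    root = load(SAMPLE)
    for label, tag, iface, has_path in bare_send_interface(root):
        print(f"<policy {label}>: <{tag}> on {iface} has no send_destination"
              + ("" if has_path else " and no send_path"))
    only_console, only_group = policy_mismatch(root, "netdev")
    print("only in at_console:", sorted(only_console))
    print("only in netdev:", sorted(only_group))
```

On the constructed sample this reports the org.bluez.Agent rule as bare and as missing from the netdev policy; a rule flagged as bare may still be an accepted exception, as it is in this thread.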