Fix Bluetooth permission error with AmbientCapabilities and enhanced postinst

- Add AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN to systemd service files
- Add sensorpajen user to bluetooth group in postinst
- Improve setcap error handling in postinst with clearer messaging
- Add comprehensive troubleshooting section for Bluetooth permission errors

This fixes the 'Operation not permitted' error when the service tries to
access Bluetooth hardware. The fix uses two layers of protection:
1. systemd AmbientCapabilities (modern, robust)
2. File capabilities via setcap (traditional, wider compatibility)
2026-02-20 08:57:28 +01:00
parent a6029456fa
commit 773453bd51
4 changed files with 58 additions and 22 deletions

debian/postinst

@@ -8,6 +8,12 @@ case "$1" in
useradd --system --no-create-home --shell /usr/sbin/nologin sensorpajen
echo "Created system user: sensorpajen"
fi
# Add sensorpajen user to bluetooth group if it exists (for BLE access)
if getent group bluetooth > /dev/null; then
usermod -aG bluetooth sensorpajen || true
echo "Added sensorpajen user to bluetooth group"
fi
# Create config directory with proper permissions
mkdir -p /etc/sensorpajen
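Review bot: The "Added sensorpajen user to bluetooth group" message is printed unconditionally, so it also appears when `usermod -aG bluetooth sensorpajen || true` has failed and the failure was swallowed. Make the echo depend on the result, for example `if usermod -aG bluetooth sensorpajen; then echo "Added ..."; else echo "Warning: could not add sensorpajen to bluetooth group"; fi`, so the install log reflects what actually happened. It would also help to note in the comment that a new supplementary group only applies to processes started after the change, so an already running service needs a restart before the membership has any effect.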
@@ -77,14 +83,20 @@ case "$1" in
chown -R sensorpajen:sensorpajen /opt/sensorpajen
# Set Bluetooth capabilities on Python executable (after ownership change)
# Note: The systemd service also uses AmbientCapabilities as a fallback
PYTHON_PATH=$(readlink -f /opt/sensorpajen/venv/bin/python3)
if command -v setcap >/dev/null 2>&1; then
setcap cap_net_raw,cap_net_admin+eip "$PYTHON_PATH" || {
echo "Warning: setcap failed. You may need to run Bluetooth operations as root."
echo "Try: sudo setcap cap_net_raw,cap_net_admin+eip $PYTHON_PATH"
}
if setcap cap_net_raw,cap_net_admin+eip "$PYTHON_PATH" 2>/dev/null; then
echo "Bluetooth capabilities set on $PYTHON_PATH"
getcap "$PYTHON_PATH" || true
else
echo "Warning: setcap failed. Relying on systemd AmbientCapabilities instead."
echo "If Bluetooth access fails, manually run:"
echo " sudo setcap cap_net_raw,cap_net_admin+eip $PYTHON_PATH"
fi
else
echo "Warning: setcap not found (install libcap2-bin package)"
echo "Relying on systemd AmbientCapabilities for Bluetooth access"
fi
# v2 installed a unit into /etc/systemd/system/, which overrides packaged units
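Review bot: `setcap cap_net_raw,cap_net_admin+eip "$PYTHON_PATH"` is applied to the target of `readlink -f /opt/sensorpajen/venv/bin/python3`, and in a venv created with the default symlink mode that target is the system interpreter, not a file under /opt/sensorpajen. In that case the file capability grants CAP_NET_RAW and CAP_NET_ADMIN to every local user who can run that Python binary, which is much wider than the sensorpajen service. Since the unit files now carry AmbientCapabilities, consider dropping the setcap step on systemd hosts, or only running it when `$PYTHON_PATH` resolves to a path inside /opt/sensorpajen (for example a venv built with `--copies`), and log a warning otherwise. Separately, the new `2>/dev/null` discards setcap's own error text, so the "setcap failed" warning no longer tells the admin why; keep stderr or capture it and print it in the else branch. The comment calling AmbientCapabilities "a fallback" also contradicts the else branches, which treat it as the mechanism being relied on; reword one of them so the intended primary layer is clear.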