I wrote a dbus service and have it listening on the system bus, under the bus name "org.jfhbrook.plusdeck" and the path "/". That seems to be working fine. I have a corresponding dbus client that I'd like to use to interact with that system bus service, either if I'm the root user (called with sudo) or if I'm in a particular group (in this case, the "plusdeck" group).
I currently have this policy file, based on the dbus-daemon docs and cribbing from whatever examples I could find:

    <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
    <!DOCTYPE busconfig PUBLIC
      "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
      "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
    <busconfig>
      <!-- Root user can own the plusdeck service -->
      <policy user="root">
        <allow own="org.jfhbrook.plusdeck"/>
        <allow send_destination="org.jfhbrook.plusdeck"/>
      </policy>

      <!-- Allow access for the "plusdeck" group -->
      <policy group="plusdeck">
        <allow send_destination="org.jfhbrook.plusdeck"/>
      </policy>
    </busconfig>

This works when I use sudo. However, when I use the same client with my user, which is a member of the plusdeck group, I get an error:

    ERROR:plusdeck.dbus.client:org.freedesktop.DBus.Error.AccessDenied: Access to org.jfhbrook.plusdeck.Eject() not permitted.

Note that this is a different error than I'd get if I didn't have access to the bus - that would be:

    ERROR:plusdeck.dbus.client:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message.

It seems I'm authorized to send messages, but not to call that method.
I've tried combinations of everything I can think of, including setting send_member="*" in the allow tag, as well as <allow send_type="method_call"/>. I'm at my wit's end. Any help or guidance would be appreciated.
For what it's worth, I'm using Fedora 41. I mention this because I'm aware that my issue could be outside this configuration, for instance with SELinux. Though, I believe seeing nothing in /var/log/audit/audit.log rules that out.
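
An added example, not part of the original post: a simplified evaluator for the send_destination rules in the policy file above, applying policy sections in the order documented for dbus-daemon (default, group, user, mandatory; the last matching rule wins). The user name alice, the helper names and the deny-by-default baseline for method calls on the system bus are assumptions, and rules carrying other attributes are skipped.

```python
import xml.etree.ElementTree as ET

# The policy from the post (comments dropped), embedded so the example runs offline.
POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.jfhbrook.plusdeck"/>
    <allow send_destination="org.jfhbrook.plusdeck"/>
  </policy>
  <policy group="plusdeck">
    <allow send_destination="org.jfhbrook.plusdeck"/>
  </policy>
</busconfig>"""


def applicable_policies(root, user, groups):
    """Policy sections that apply to this caller, in documented evaluation order."""
    sections = root.findall("policy")
    ordered = [p for p in sections if p.get("context") == "default"]
    ordered += [p for p in sections if p.get("group") in groups]
    ordered += [p for p in sections if p.get("user") == user]
    ordered += [p for p in sections if p.get("context") == "mandatory"]
    return ordered


def may_send(policy_xml, user, groups, destination, baseline=False):
    """True if the last matching send_destination rule is an <allow>.

    baseline=False is an assumption standing in for the system bus default
    of denying method calls. Only rules whose sole attribute is
    send_destination are evaluated; anything else is skipped.
    """
    root = ET.fromstring(policy_xml)
    verdict = baseline
    for section in applicable_policies(root, user, groups):
        for rule in section:
            if rule.tag in ("allow", "deny") and set(rule.attrib) == {"send_destination"}:
                if rule.get("send_destination") == destination:
                    verdict = rule.tag == "allow"
    return verdict


if __name__ == "__main__":
    dest = "org.jfhbrook.plusdeck"
    # Constructed callers: root, a plusdeck group member, and a non-member.
    for user, groups in [("root", {"root"}), ("alice", {"alice", "plusdeck"}), ("alice", {"alice"})]:
        print(user, sorted(groups), may_send(POLICY, user, groups, dest))
```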