linuxserver · aptalca · Sep 19, 2025 · Sep 19, 2025 · Sep 19, 2025
diff --git a/.editorconfig b/.editorconfig
diff --git a/.github/ISSUE_TEMPLATE/issue.bug.yml b/.github/ISSUE_TEMPLATE/issue.bug.yml
diff --git a/.github/ISSUE_TEMPLATE/issue.feature.yml b/.github/ISSUE_TEMPLATE/issue.feature.yml
diff --git a/.github/workflows/permissions.yml b/.github/workflows/permissions.yml
diff --git a/README.md b/README.md
@@ -77,7 +77,7 @@ In order to provide HA with access to the host's Bluetooth device, one needs to
 
 #### Docker Cli:
 ```bash
---cap-add=NET_ADMIN --cap-add=NET_RAW -v /var/run/dbus:/var/run/dbus:ro
+--cap-add=NET_ADMIN --cap-add=NET_RAW -v /run/dbus:/run/dbus:ro
 ```
 
 #### Docker Compose:
@@ -86,9 +86,11 @@ In order to provide HA with access to the host's Bluetooth device, one needs to
       - NET_ADMIN
       - NET_RAW
     volumes:
-      - /var/run/dbus:/var/run/dbus:ro
+      - /run/dbus:/run/dbus:ro
 ```
 
+If the dbus path on host differs, such as `/var/run/dbus`, then you can map it as `/var/run/dbus:/run/dbus:ro`.
+
 ### Using the Ping integration
 
 For the [Ping][ping0] integration to work, the capability `NET_RAW` must be added to the container. See above for instructions.
@@ -316,6 +318,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **19.09.25:** - Add the necessary capabilities in the container to allow the unprivileged user access to bluetooth stack.
 * **03.01.25:** - Rebase to alpine 3.21.
 * **04.12.24:** - Make setcap target dynamic.
 * **07.11.24:** - Add go2rtc binary.

diff --git a/readme-vars.yml b/readme-vars.yml
@@ -51,7 +51,7 @@ app_setup_block: |
 
   #### Docker Cli:
   ```bash
-  --cap-add=NET_ADMIN --cap-add=NET_RAW -v /var/run/dbus:/var/run/dbus:ro
+  --cap-add=NET_ADMIN --cap-add=NET_RAW -v /run/dbus:/run/dbus:ro
   ```
 
   #### Docker Compose:
@@ -60,9 +60,11 @@ app_setup_block: |
         - NET_ADMIN
         - NET_RAW
       volumes:
-        - /var/run/dbus:/var/run/dbus:ro
+        - /run/dbus:/run/dbus:ro
   ```
 
+  If the dbus path on host differs, such as `/var/run/dbus`, then you can map it as `/var/run/dbus:/run/dbus:ro`.
+
   ### Using the Ping integration
 
   For the [Ping][ping0] integration to work, the capability `NET_RAW` must be added to the container. See above for instructions.
@@ -114,6 +116,7 @@ init_diagram: |
   "homeassistant:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "19.09.25:", desc: "Add the necessary capabilities in the container to allow the unprivileged user access to bluetooth stack."}
   - {date: "03.01.25:", desc: "Rebase to alpine 3.21."}
   - {date: "04.12.24:", desc: "Make setcap target dynamic."}
   - {date: "07.11.24:", desc: "Add go2rtc binary."}

diff --git a/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run b/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
@@ -3,7 +3,12 @@
 
 PY_LOCAL_PATH=$(find /usr/local/lib -maxdepth 1 -name python* -type d)
 PY_LOCAL_BIN=$(basename "${PY_LOCAL_PATH}")
-setcap 'cap_net_bind_service=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+if capsh --has-p=cap_net_admin 2>/dev/null && capsh --has-p=cap_net_raw 2>/dev/null; then
+  echo "Adding cap_net_admin and cap_net_raw to python binary for bt access"
+  setcap 'cap_net_bind_service,cap_net_raw,cap_net_admin=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+else
+  setcap 'cap_net_bind_service=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+fi
 
 if [[ -z "${DISABLE_JEMALLOC+x}" ]]; then
   export LD_PRELOAD="/usr/local/lib/libjemalloc.so.2"