Bluetooth docker container - getting AccessDenied error for integration

I’ve recently upgraded from Ubuntu 22.04 LTS to 23.10.

the bluetooth integration was running perfectly before the upgrade. now i’m seeing an access denied error. See the below screenshot when i hover over the integration in the UI.

hassbluetooth-integrationhover-accessdenied

Additionally I’m seeing this error in the hass logs:

2023-11-30 20:47:44.537 ERROR (MainThread) [homeassistant] Error doing job: Future exception was never retrieved
Traceback (most recent call last):…
File “/lsiopy/lib/python3.11/site-packages/bluetooth_adapters/dbus.py”, line 137, in _get_dbus_managed_objects
reply = await bus.call(msg)…
^^^^^^^^^^^^^^^^^^^…
File “/lsiopy/lib/python3.11/site-packages/dbus_fast/aio/message_bus.py”, line 399, in call
await future
File “/lsiopy/lib/python3.11/site-packages/dbus_fast/aio/message_reader.py”, line 22, in _message_reader…
message = unmarshaller._unmarshall()
^^^^^^^^^^^^^^^^^^^^^^^^^^…
File “/lsiopy/lib/python3.11/site-packages/dbus_fast/_private/unmarshaller.py”, line 777, in _unmarshall
self._read_header()…
File “/lsiopy/lib/python3.11/site-packages/dbus_fast/_private/unmarshaller.py”, line 638, in _read_header
self._read_to_pos(HEADER_SIGNATURE_SIZE)
File “/lsiopy/lib/python3.11/site-packages/dbus_fast/_private/unmarshaller.py”, line 376, in _read_to_pos
self._read_sock_without_fds(pos)…
File “/lsiopy/lib/python3.11/site-packages/dbus_fast/_private/unmarshaller.py”, line 339, in _read_sock_without_fds
raise EOFError()…
EOFError…

I’m running a docker container, HASS version 2023.11.2
I’m using the ASUS USB-BT500 dongle, a supported device
I’m using dbus-broker (verified this is what systemd is running)
I’ve got BlueZ installed as a lib for sure

Any idea what might have gone wrong?

Looks like ubuntu 23.10 has apparmor enforcing and is denying my home assistant container from making the dbus calls to access the bluetooth controller.

dmesg has these messages:

        [Fri Oct 18 15:17:52 2024] audit: type=1107 audit(1729282653.488:225754): pid=1527 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="Hello" mask="send" label="docker-default" peer_label="unconfined" exe="/usr/bin/dbus-broker" sauid=103 hostname=? addr=? terminal=?'
        [Fri Oct 18 15:17:52 2024] audit: type=1107 audit(1729282653.489:225755): pid=1527 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="AddMatch" mask="send" label="docker-default" peer_label="unconfined" exe="/usr/bin/dbus-broker" sauid=103 hostname=? addr=? terminal=?'

Looks like docker-default profile doesnt have the privs, anyone dealt with fixing this?

in case anyone is interested, this had the fix:

i created a new app armor profile per the comment and applied it to the docker image using the security opt