Hi Diederik,

> Looking into possible solutions, I found 2 very similar commits, but in
> different projects, bluez and system-config-printer:
> https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3ef0ce954b66fdf45538a6cdc629f3dac6642832
> https://github.com/OpenPrinting/system-config-printer/commit/19df47d2630b637d1802efe2c3cd5a00f2e40c3b
>
> They both link to https://www.spinics.net/lists/linux-bluetooth/msg75267.html
> While I lack the knowledge to fully understand what it says I did notice this:
> "The intent is clear: As long as you are logged in to a local machine, and you
> are the foreground/active console, you are allowed to control bluetooth.
> However, the behavior of 'at_console' does *not* match this intent."
>
> In other places I saw the 'at_console' stanza just plainly removed without
> any replacement, but it could have undesirable consequences for iwd.

I think the solution chosen in BlueZ which gives blanket permission to access iwd D-Bus APIs to any local user is probably just fine. Particularly given that at_console effectively allowed any user to use iwd in the past. This effectively negates the need to provide a separate policy for wheel/netdev and so these can be removed.

Alternatively we can limit the policy only to wheel/netdev groups.

Care to send a patch?

Regards,
-Denis
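
An added example, not part of the original message and not iwd's own code: a small Python audit of a D-Bus policy file that reports any `at_console` stanza and shows when the wheel/netdev grants become redundant because the default context already allows access. The sample policy and the bus name `net.example.Daemon` are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; net.example.Daemon is a placeholder bus name,
# not the content of any project's shipped configuration file.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="net.example.Daemon"/>
    <allow send_destination="net.example.Daemon"/>
  </policy>
  <policy at_console="true">
    <allow send_destination="net.example.Daemon"/>
  </policy>
  <policy group="wheel">
    <allow send_destination="net.example.Daemon"/>
  </policy>
  <policy group="netdev">
    <allow send_destination="net.example.Daemon"/>
  </policy>
  <policy context="default">
    <deny send_destination="net.example.Daemon"/>
  </policy>
</busconfig>"""


def audit_policy(xml_text):
    """Summarise who may send to which destination in a busconfig document."""
    root = ET.fromstring(xml_text)
    at_console, default_allows, groups = [], [], {}
    for policy in root.iter("policy"):
        # Destinations this stanza explicitly allows sending to.
        dests = [a.get("send_destination") for a in policy.findall("allow")
                 if a.get("send_destination")]
        if policy.get("at_console") is not None:
            at_console.extend(dests)          # stanza the thread wants replaced
        elif policy.get("group"):
            groups[policy.get("group")] = dests
        elif policy.get("context") == "default":
            default_allows.extend(dests)      # applies to every local user
    # A group grant adds nothing if the default context already allows it.
    redundant = sorted(g for g, d in groups.items()
                       if d and set(d) <= set(default_allows))
    return {"at_console": at_console, "default_allows": default_allows,
            "redundant_groups": redundant}


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```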