| 1 | <!-- This configuration file controls the systemwide message bus. |
|---|
| 2 | Add a system-local.conf and edit that rather than changing this |
|---|
| 3 | file directly. --> |
|---|
| 4 | |
|---|
| 5 | <!-- Note that there are any number of ways you can hose yourself |
|---|
| 6 | security-wise by screwing up this file; in particular, you |
|---|
| 7 | probably don't want to listen on any more addresses, add any more |
|---|
| 8 | auth mechanisms, run as a different user, etc. --> |
|---|
| 9 | |
|---|
| 10 | <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN" |
|---|
| 11 | "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> |
|---|
| 12 | <busconfig> |
|---|
| 13 | |
|---|
| 14 | <!-- Our well-known bus type, do not change this --> |
|---|
| 15 | <type>system</type> |
|---|
| 16 | |
|---|
| 17 | <!-- Run as special user --> |
|---|
| 18 | <user>messagebus</user> |
|---|
| 19 | |
|---|
| 20 | <!-- Fork into daemon mode --> |
|---|
| 21 | <fork/> |
|---|
| 22 | |
|---|
| 23 | <!-- We use system service launching using a helper --> |
|---|
| 24 | <standard_system_servicedirs/> |
|---|
| 25 | |
|---|
| 26 | <!-- This is a setuid helper that is used to launch system services --> |
|---|
| 27 | <servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper> |
|---|
| 28 | |
|---|
| 29 | <!-- Write a pid file --> |
|---|
| 30 | <pidfile>/var/run/dbus/pid</pidfile> |
|---|
| 31 | |
|---|
| 32 | <!-- Only allow socket-credentials-based authentication --> |
|---|
| 33 | <auth>EXTERNAL</auth> |
|---|
| 34 | |
|---|
| 35 | <!-- Only listen on a local socket. (abstract=/path/to/socket |
|---|
| 36 | means use abstract namespace, don't really create filesystem |
|---|
| 37 | file; only Linux supports this. Use path=/whatever on other |
|---|
| 38 | systems.) --> |
|---|
| 39 | <listen>unix:path=/var/run/dbus/system_bus_socket</listen> |
|---|
| 40 | |
|---|
| 41 | <policy context="default"> |
|---|
| 42 | <!-- Deny everything then punch holes --> |
|---|
| 43 | <deny send_interface="*"/> |
|---|
| 44 | <deny receive_interface="*"/> |
|---|
| 45 | <deny own="*"/> |
|---|
| 46 | <!-- But allow all users to connect --> |
|---|
| 47 | <allow user="*"/> |
|---|
| 48 | <!-- Allow anyone to talk to the message bus --> |
|---|
| 49 | <!-- FIXME I think currently these allow rules are always implicit |
|---|
| 50 | even if they aren't in here --> |
|---|
| 51 | <allow send_destination="org.freedesktop.DBus"/> |
|---|
| 52 | <allow receive_sender="org.freedesktop.DBus"/> |
|---|
| 53 | <!-- valid replies are always allowed --> |
|---|
| 54 | <allow send_requested_reply="true"/> |
|---|
| 55 | <allow receive_requested_reply="true"/> |
|---|
| 56 | </policy> |
|---|
| 57 | |
|---|
| 58 | <!-- Config files are placed here that among other things, punch |
|---|
| 59 | holes in the above policy for specific services. --> |
|---|
| 60 | <includedir>system.d</includedir> |
|---|
| 61 | |
|---|
| 62 | <!-- This is included last so local configuration can override what's |
|---|
| 63 | in this standard file --> |
|---|
| 64 | <include ignore_missing="yes">system-local.conf</include> |
|---|
| 65 | |
|---|
| 66 | <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> |
|---|
| 67 | |
|---|
| 68 | </busconfig> |
|---|
