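<!-- This configuration file controls the systemwide message bus.
     Add a system-local.conf and edit that rather than changing this
     file directly. -->

<!-- Note that there are any number of ways you can hose yourself
     security-wise by screwing up this file; in particular, you
     probably don't want to listen on any more addresses, add any more
     auth mechanisms, run as a different user, etc.
     Every process that can reach the listening socket talks to this
     daemon, so each setting below is part of the system's local
     privilege boundary. -->

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Our well-known bus type, do not change this -->
  <type>system</type>

  <!-- Run as special user: the daemon runs as this dedicated
       unprivileged account rather than as root. -->
  <user>dbus</user>

  <!-- Fork into daemon mode -->
  <fork/>

  <!-- We use system service launching using a helper -->
  <standard_system_servicedirs/>

  <!-- This is a setuid helper that is used to launch system services.
       Because it is setuid, check the ownership and mode of this
       binary when auditing: it should be owned by root and executable
       only by the bus user's group, not by everyone. -->
  <servicehelper>/lib64/dbus-1/dbus-daemon-launch-helper</servicehelper>

  <!-- Write a pid file -->
  <pidfile>/var/run/messagebus.pid</pidfile>

  <!-- Enable logging to syslog -->
  <syslog/>

  <!-- Only allow socket-credentials-based authentication.
       EXTERNAL takes the peer identity from the kernel's socket
       credentials; adding another mechanism here (for example
       ANONYMOUS) weakens the user-based policy rules below. -->
  <auth>EXTERNAL</auth>

  <!-- Only listen on a local socket. (abstract=/path/to/socket
       means use abstract namespace, don't really create filesystem
       file; only Linux supports this. Use path=/whatever on other
       systems.)
       Adding a tcp: address would expose the system bus beyond this
       host, where EXTERNAL socket credentials are not available. -->
  <listen>unix:path=/var/run/dbus/system_bus_socket</listen>

  <!-- Default policy: deny by default for name ownership and method
       calls. Rules in a policy are evaluated in order and a later
       matching rule overrides an earlier one, so the order of the
       allow/deny pairs below matters. -->
  <policy context="default">
    <!-- All users can connect to system bus -->
    <allow user="*"/>

    <!-- Holes must be punched in service configuration files for
         name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call"/>

    <!-- Signals and reply messages (method returns, errors) are allowed
         by default. Replies are limited to requested ones
         (send_requested_reply="true"), so a peer cannot send
         unsolicited replies. -->
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>

    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>

    <!-- Allow anyone to talk to the message bus -->
    <allow send_destination="org.freedesktop.DBus"/>
    <!-- But disallow some specific bus services.
         UpdateActivationEnvironment changes the environment given to
         activated services, so it stays denied for ordinary senders.
         This deny must remain after the allow above to take effect. -->
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
  </policy>

  <!-- Config files are placed here that among other things, punch
       holes in the above policy for specific services.
       Any file in this directory can loosen the default-deny rules,
       so keep the directory and its files writable only by root and
       review new files installed there by packages. -->
  <includedir>system.d</includedir>

  <!-- This is included last so local configuration can override what's
       in this standard file. The same applies in the other direction:
       a permissive rule in system-local.conf overrides the defaults
       above, so treat that file as security-sensitive too. -->
  <include ignore_missing="yes">system-local.conf</include>

  <!-- Included only when SELinux is enabled; the path is resolved
       relative to the SELinux root. -->
  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>

</busconfig>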