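<!-- This configuration file controls the systemwide message bus.
     Add a system-local.conf and edit that rather than changing this
     file directly. -->

<!-- Note that there are any number of ways you can hose yourself
     security-wise by screwing up this file; in particular, you
     probably don't want to listen on any more addresses, add any more
     auth mechanisms, run as a different user, etc. -->

<!-- The @NAME@ tokens below are placeholders; presumably they are
     filled in when the file is generated at build time (TODO confirm
     against the build system). Review the substituted values in the
     installed file, not only this template. -->

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Our well-known bus type, do not change this -->
  <type>system</type>

  <!-- Run as special user.
       NOTE(review): confirm the substituted account is a dedicated,
       unprivileged one and not root. -->
  <user>@DBUS_USER@</user>

  <!-- Fork into daemon mode -->
  <fork/>

  <!-- We use system service launching using a helper -->
  <standard_system_servicedirs/>

  <!-- This is a setuid helper that is used to launch system services.
       NOTE(review): because it is setuid, verify that the installed
       binary is owned by root and is not executable by arbitrary
       users. -->
  <servicehelper>@DBUS_LIBEXECDIR@/dbus-daemon-launch-helper</servicehelper>

  <!-- Write a pid file -->
  <pidfile>@DBUS_SYSTEM_PID_FILE@</pidfile>

  <!-- Enable logging to syslog -->
  <syslog/>

  <!-- Only allow socket-credentials-based authentication.
       Each additional <auth> mechanism is another way for a peer to
       authenticate; keep this as the only one unless there is a
       reviewed reason. -->
  <auth>EXTERNAL</auth>

  <!-- Only listen on a local socket. (abstract=/path/to/socket
       means use abstract namespace, don't really create filesystem
       file; only Linux supports this. Use path=/whatever on other
       systems.)
       Each additional <listen> address is another entry point to the
       system bus; a non-local address would make it reachable from
       outside this host. -->
  <listen>@DBUS_SYSTEM_BUS_DEFAULT_ADDRESS@</listen>

  <!-- Default policy: deny by default, then open specific paths.
       Rule order matters: when several rules match a message, the
       later one takes effect, which is why the specific allow and
       deny rules for org.freedesktop.DBus come after the blanket
       deny of method calls. -->
  <policy context="default">
    <!-- All users can connect to system bus -->
    <allow user="*"/>

    <!-- Holes must be punched in service configuration files for
         name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call"/>

    <!-- Signals and reply messages (method returns, errors) are allowed
         by default. send_requested_reply="true" limits the reply rules
         to replies that answer a request; unsolicited replies are not
         covered by them. -->
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>

    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>

    <!-- Allow anyone to talk to the message bus -->
    <allow send_destination="org.freedesktop.DBus"/>
    <!-- But disallow some specific bus services.
         UpdateActivationEnvironment changes the environment handed to
         activated services, so it stays closed to ordinary callers. -->
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
  </policy>

  <!-- Config files are placed here that among other things, punch
       holes in the above policy for specific services.
       Every file in this directory can widen the policy above, so
       keep the directory writable by root only and review new files
       for broad allow rules (for example an allow on send_destination
       with no interface or member restriction). -->
  <includedir>system.d</includedir>

  <!-- This is included last so local configuration can override what's
       in this standard file. That includes loosening it: treat
       system-local.conf with the same care as this file.
       ignore_missing="yes" means a missing file is not an error. -->
  <include ignore_missing="yes">system-local.conf</include>

  <!-- Included only when SELinux is enabled; the path is taken
       relative to the SELinux root. -->
  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>

</busconfig>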