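<!-- This configuration file controls the systemwide message bus.
     Add a system-local.conf and edit that rather than changing this
     file directly. -->

<!-- Note that there are any number of ways you can hose yourself
     security-wise by screwing up this file; in particular, you
     probably don't want to listen on any more addresses, add any more
     auth mechanisms, run as a different user, etc. -->

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Our well-known bus type, do not change this -->
  <type>system</type>

  <!-- Run as a dedicated unprivileged user rather than the account that
       starts the daemon. -->
  <user>messagebus</user>

  <!-- Fork into daemon mode -->
  <fork/>

  <!-- Write a pid file. The directory should be writable only by trusted
       accounts, since tools that read the pid file act on its contents. -->
  <pidfile>/usr/local/var/run/messagebus.pid</pidfile>

  <!-- Only allow socket-credentials-based authentication. Do not add
       further mechanisms here. -->
  <auth>EXTERNAL</auth>

  <!-- Listen on a single loopback TCP port.
       NOTE(review): the comment that used to sit here said "Only listen
       on a local socket" and described abstract=/path/to/socket (abstract
       namespace, no filesystem file, Linux only) and path=/whatever
       (other systems), but the address below is TCP. EXTERNAL depends on
       the transport supplying peer credentials; whether this build does
       so for TCP is not visible in this file, so confirm it. Any local
       process that can reach localhost:12437 can attempt to connect.
       Where Unix-domain sockets are available, a unix:path=... address
       is the narrower choice. Never widen host= beyond localhost. -->
  <listen>tcp:host=localhost,port=12437</listen>

  <policy context="default">
    <!-- Deny everything then punch holes. When several rules in a policy
         match, the last matching rule wins, so the allow rules further
         down take effect despite these wildcard denies. -->
    <deny send_interface="*"/>
    <deny receive_interface="*"/>
    <deny own="*"/>
    <!-- But allow all users to connect. This only admits the connection;
         sending, receiving and name ownership stay subject to the rules
         in this policy and in the included files. -->
    <allow user="*"/>
    <!-- Allow anyone to talk to the message bus -->
    <!-- FIXME I think currently these allow rules are always implicit
         even if they aren't in here -->
    <allow send_destination="org.freedesktop.DBus"/>
    <allow receive_sender="org.freedesktop.DBus"/>
    <!-- valid replies are always allowed -->
    <allow send_requested_reply="true"/>
    <allow receive_requested_reply="true"/>
  </policy>

  <!-- Config files are placed here that, among other things, punch
       holes in the above policy for specific services. Every file in
       this directory can widen the policy, so the directory and its
       contents should be writable only by the administrator. -->
  <includedir>system.d</includedir>

  <!-- This is included last so local configuration can override what's
       in this standard file. That includes the deny rules above, so
       system-local.conf needs the same protection as this file. -->
  <include ignore_missing="yes">system-local.conf</include>

  <!-- Read only when SELinux is enabled; the path is taken relative to
       the SELinux root rather than to this file. -->
  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>

</busconfig>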