Current Path : /usr/share/dbus-1/ |
Current File : //usr/share/dbus-1/system.conf |
<!-- This configuration file controls the systemwide message bus. Add a system-local.conf and edit that rather than changing this file directly. --> <!-- Note that there are any number of ways you can hose yourself security-wise by screwing up this file; in particular, you probably don't want to listen on any more addresses, add any more auth mechanisms, run as a different user, etc. --> <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <!-- Our well-known bus type, do not change this --> <type>system</type> <!-- Run as special user --> <user>dbus</user> <!-- Fork into daemon mode --> <fork/> <!-- We use system service launching using a helper --> <standard_system_servicedirs/> <!-- This is a setuid helper that is used to launch system services --> <servicehelper>//usr/libexec/dbus-1/dbus-daemon-launch-helper</servicehelper> <!-- Write a pid file --> <pidfile>/run/dbus/messagebus.pid</pidfile> <!-- Enable logging to syslog --> <syslog/> <!-- Only allow socket-credentials-based authentication --> <auth>EXTERNAL</auth> <!-- Only listen on a local socket. (abstract=/path/to/socket means use abstract namespace, don't really create filesystem file; only Linux supports this. Use path=/whatever on other systems.) --> <listen>unix:path=/run/dbus/system_bus_socket</listen> <policy context="default"> <!-- All users can connect to system bus --> <allow user="*"/> <!-- Holes must be punched in service configuration files for name ownership and sending method calls --> <deny own="*"/> <deny send_type="method_call"/> <!-- Signals and reply messages (method returns, errors) are allowed by default --> <allow send_type="signal"/> <allow send_requested_reply="true" send_type="method_return"/> <allow send_requested_reply="true" send_type="error"/> <!-- All messages may be received by default --> <allow receive_type="method_call"/> <allow receive_type="method_return"/> <allow receive_type="error"/> <allow receive_type="signal"/> <!-- Allow anyone to talk to the message bus --> <allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus" /> <allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus.Introspectable"/> <!-- But disallow some specific bus services --> <deny send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus" send_member="UpdateActivationEnvironment"/> <deny send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus.Debug.Stats"/> <deny send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.systemd1.Activator"/> </policy> <!-- Only systemd, which runs as root, may report activation failures. --> <policy user="root"> <allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.systemd1.Activator"/> </policy> <!-- root may monitor the system bus. --> <policy user="root"> <allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus.Monitoring"/> </policy> <!-- If the Stats interface was enabled at compile-time, root may use it. Copy this into system.local.conf or system.d/*.conf if you want to enable other privileged users to view statistics and debug info --> <policy user="root"> <allow send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus.Debug.Stats"/> </policy> <!-- Include legacy configuration location --> <include ignore_missing="yes">/etc/dbus-1/system.conf</include> <!-- Config files are placed here that among other things, punch holes in the above policy for specific services. --> <includedir>system.d</includedir> <includedir>/etc/dbus-1/system.d</includedir> <!-- This is included last so local configuration can override what's in this standard file --> <include ignore_missing="yes">/etc/dbus-1/system-local.conf</include> <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> </busconfig>