1: <!-- This configuration file controls the systemwide message bus.
    2:      Add a system-local.conf and edit that rather than changing this 
    3:      file directly. -->
    4: 
    5: <!-- Note that there are any number of ways you can hose yourself
    6:      security-wise by screwing up this file; in particular, you
    7:      probably don't want to listen on any more addresses, add any more
    8:      auth mechanisms, run as a different user, etc. -->
    9: 
   10: <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
   11:  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
   12: <busconfig>
   13: 
   14:   <!-- Our well-known bus type, do not change this -->
   15:   <type>system</type>
   16: 
   17:   <!-- Run as special user -->
   18:   <user>@DBUS_USER@</user>
   19: 
   20:   <!-- Fork into daemon mode -->
   21:   <fork/>
   22: 
   23:   <!-- Write a pid file -->
   24:   <pidfile>@DBUS_SYSTEM_PID_FILE@</pidfile>
   25: 
   26:   <!-- Only allow socket-credentials-based authentication -->
   27:   <auth>EXTERNAL</auth>
   28: 
   29:   <!-- Only listen on a local socket. (abstract=/path/to/socket 
   30:        means use abstract namespace, don't really create filesystem 
   31:        file; only Linux supports this. Use path=/whatever on other 
   32:        systems.) -->
   33:   <listen>@DBUS_SYSTEM_BUS_DEFAULT_ADDRESS@</listen>
   34: 
   35:   <policy context="default">
   36:     <!-- Deny everything then punch holes -->
   37:     <deny send_interface="*"/>
   38:     <deny receive_interface="*"/>
   39:     <deny own="*"/>
   40:     <!-- But allow all users to connect -->
   41:     <allow user="*"/>
   42:     <!-- Allow anyone to talk to the message bus -->
   43:     <!-- FIXME I think currently these allow rules are always implicit 
   44:          even if they aren't in here -->
   45:     <allow send_destination="org.freedesktop.DBus"/>
   46:     <allow receive_sender="org.freedesktop.DBus"/>
   47:     <!-- valid replies are always allowed -->
   48:     <allow send_requested_reply="true"/>
   49:     <allow receive_requested_reply="true"/>
   50:   </policy>
   51: 
   52:   <!-- Config files are placed here that among other things, punch 
   53:        holes in the above policy for specific services. -->
   54:   <includedir>system.d</includedir>
   55: 
   56:   <!-- This is included last so local configuration can override what's 
   57:        in this standard file -->
   58:   <include ignore_missing="yes">system-local.conf</include>
   59: 
   60:   <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
   61: 
   62: </busconfig>