[evoke] r1253 committed - * Add config files for dbus.
codesite...@google.com
Author: heliocentric
Date: Mon Oct 12 14:55:17 2009
Log: * Add config files for dbus.
http://code.google.com/p/evoke/source/detail?r=1253
Added:
/trunk/share/lib/dbus
/trunk/share/lib/dbus/system.conf
/trunk/share/lib/dbus/system.d
/trunk/share/lib/dbus/system.d/hal.conf
Modified:
/trunk/builder/portlist
/trunk/share/bin/systart
=======================================
--- /dev/null
+++ /trunk/share/lib/dbus/system.conf Mon Oct 12 14:55:17 2009
@@ -0,0 +1,68 @@
+<!-- This configuration file controls the systemwide message bus.
+ Add a system-local.conf and edit that rather than changing this
+ file directly. -->
+
+<!-- Note that there are any number of ways you can hose yourself
+ security-wise by screwing up this file; in particular, you
+ probably don't want to listen on any more addresses, add any more
+ auth mechanisms, run as a different user, etc. -->
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration
1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+ <!-- Our well-known bus type, do not change this -->
+ <type>system</type>
+
+ <!-- Run as special user -->
+ <user>messagebus</user>
+
+ <!-- Fork into daemon mode -->
+ <fork/>
+
+ <!-- We use system service launching using a helper -->
+ <standard_system_servicedirs/>
+
+ <!-- This is a setuid helper that is used to launch system services -->
+ <servicehelper>/bin/dbus-daemon-launch-helper</servicehelper>
+
+ <!-- Write a pid file -->
+ <pidfile>/mem/pid/dbus.pid</pidfile>
+
+ <!-- Only allow socket-credentials-based authentication -->
+ <auth>EXTERNAL</auth>
+
+ <!-- Only listen on a local socket. (abstract=/path/to/socket
+ means use abstract namespace, don't really create filesystem
+ file; only Linux supports this. Use path=/whatever on other
+ systems.) -->
+ <listen>unix:path=/mem/run/dbus/system_bus_socket</listen>
+
+ <policy context="default">
+ <!-- Deny everything then punch holes -->
+ <deny send_interface="*"/>
+ <deny receive_interface="*"/>
+ <deny own="*"/>
+ <!-- But allow all users to connect -->
+ <allow user="*"/>
+ <!-- Allow anyone to talk to the message bus -->
+ <!-- FIXME I think currently these allow rules are always implicit
+ even if they aren't in here -->
+ <allow send_destination="org.freedesktop.DBus"/>
+ <allow receive_sender="org.freedesktop.DBus"/>
+ <!-- valid replies are always allowed -->
+ <allow send_requested_reply="true"/>
+ <allow receive_requested_reply="true"/>
+ </policy>
+
+ <!-- Config files are placed here that among other things, punch
+ holes in the above policy for specific services. -->
+ <includedir>system.d</includedir>
+
+ <!-- This is included last so local configuration can override what's
+ in this standard file -->
+ <include ignore_missing="yes">system-local.conf</include>
+
+ <include if_selinux_enabled="yes"
selinux_root_relative="yes">contexts/dbus_contexts</include>
+
+</busconfig>
=======================================
--- /dev/null
+++ /trunk/share/lib/dbus/system.d/hal.conf Mon Oct 12 14:55:17 2009
@@ -0,0 +1,51 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+ <!-- This configuration file specifies the required security policies
+ for the HAL to work. -->
+
+ <!-- Only root or user haldaemon can own the HAL service -->
+ <policy user="haldaemon">
+ <allow own="org.freedesktop.Hal"/>
+ </policy>
+ <policy user="root">
+ <allow own="org.freedesktop.Hal"/>
+ </policy>
+
+ <!-- Allow anyone to invoke methods on the Manager and Device interfaces
-->
+ <policy context="default">
+ <allow send_interface="org.freedesktop.Hal.Manager"/>
+ <allow send_interface="org.freedesktop.Hal.Device"/>
+ <allow receive_interface="org.freedesktop.Hal.Manager"
+ receive_sender="org.freedesktop.Hal"/>
+ <allow receive_interface="org.freedesktop.Hal.Device"
+ receive_sender="org.freedesktop.Hal"/>
+
+ <allow
send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
+ <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
+ <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
+ <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
+ <allow
receive_interface="org.freedesktop.Hal.Device.SystemPowerManagement"
+ receive_sender="org.freedesktop.Hal"/>
+ <allow receive_interface="org.freedesktop.Hal.Device.LaptopPanel"
+ receive_sender="org.freedesktop.Hal"/>
+ <allow receive_interface="org.freedesktop.Hal.Device.Volume"
+ receive_sender="org.freedesktop.Hal"/>
+ <allow receive_interface="org.freedesktop.Hal.Device.Volume.Crypto"
+ receive_sender="org.freedesktop.Hal"/>
+ </policy>
+
+ <!-- Default policy for the exported interfaces; if PolicyKit is not used
+ for access control you will need to modify this -->
+ <policy context="default">
+ <allow
send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
+ <allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/>
+ <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
+ <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
+ <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
+ </policy>
+
+</busconfig>
+
=======================================
--- /trunk/builder/portlist Fri Oct 9 17:42:39 2009
+++ /trunk/builder/portlist Mon Oct 12 14:55:17 2009
@@ -43,3 +43,4 @@
B:dhcpd:net/isc-dhcp31-server:::
B:dbus-daemon:devel/dbus:::
B:hald:sysutils/hal:::
+B:dbus-daemon-launch-helper:devel/dbus:::
=======================================
--- /trunk/share/bin/systart Sat Sep 5 12:14:26 2009
+++ /trunk/share/bin/systart Mon Oct 12 14:55:17 2009
@@ -151,6 +151,7 @@
# 'Running' files. mainly lockfiles
export EVOKE_RUNDIR=${EVOKE_MEMDIR}/run
mkdir -p ${EVOKE_RUNDIR}
+mkdir -p ${EVOKE_RUNDIR}/dbus
# PID files, format is logicalname.pid
export EVOKE_PIDDIR=${EVOKE_MEMDIR}/pid