Restricting service ownership
Applications that register themselves on the bus own a service name. The uk.org.thekelleys.dnsmasq service name is an example of this. The D-Bus policy, declared in the busconfig XML file at /etc/dbus-1/system.d/ (or session.d/ if the service is for the session bus instead of the system bus), provides information for D-Bus to decide when taking ownership of a particular service is allowed.
Thanks to D-Bus' SELinux integration, additional constraints can be added to ensure that only authorized applications can take ownership of a particular service.
How to do it…
To restrict service ownership through the SELinux policy, follow the ensuing set of steps:
Inside the D-Bus configuration file of the service, make sure that the own permission is properly protected. For instance, make sure only the root Linux user can own the service:
    <policy user="root">
      <allow own="uk.org.thekelleys.dnsmasq" />
    </policy>
If the runtime service account can differ, it is possible...
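One way to check the own permission described in the first step is the following added example, which is not from the original text: it parses a busconfig file and lists every own or own_prefix grant that sits outside a policy block for an allowed user. The function name audit_own_rules, the allowed_users parameter and both sample files are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample busconfig files, not taken from a real system.
GOOD = """<busconfig>
  <policy user="root">
    <allow own="uk.org.thekelleys.dnsmasq"/>
  </policy>
  <policy context="default">
    <allow send_destination="uk.org.thekelleys.dnsmasq"/>
  </policy>
</busconfig>"""

WEAK = """<busconfig>
  <policy context="default">
    <allow own="uk.org.thekelleys.dnsmasq"/>
  </policy>
  <policy group="netdev">
    <allow own_prefix="uk.org.thekelleys"/>
  </policy>
</busconfig>"""


def audit_own_rules(xml_text, allowed_users=("root",)):
    """Return (name, policy scope) pairs for every own/own_prefix grant that
    sits outside a <policy user="..."> block for an allowed user.
    Assumption: later <deny own=...> rules are not evaluated; this only
    lists grants that deserve a manual look."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("user") in allowed_users:
            continue
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            for attr in ("own", "own_prefix"):
                if rule.get(attr) is not None:
                    findings.append((rule.get(attr), scope or "(unscoped)"))
    return findings


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_own_rules(text))
```

When the service runs under a dedicated account rather than root, pass that account name in allowed_users so its policy block is not reported.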