diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
index 4e8c0742..ae005646 100644
--- a/doc/dbus-specification.xml
+++ b/doc/dbus-specification.xml
@@ -5201,6 +5201,83 @@
service is started by systemd during boot.
+
+
+ Mediating Activation with AppArmor
+
+
+ Please refer to
+ AppArmor documentation
+ for general information on AppArmor, and how it mediates D-Bus
+ messages when used in conjunction with a kernel and
+ dbus-daemon that support this.
+
+
+
+ In recent versions of the reference dbus-daemon,
+ AppArmor policy rules of type dbus send
+ are also used to control auto-starting: if a message is sent to
+ the well-known name of an activatable service, the
+ dbus-daemon will attempt to determine whether
+ it would deliver the message to that service
+ beforeauto-starting it, by making some
+ assumptions about the resulting process's credentials.
+
+
+
+ If it does proceed with auto-starting, when the service appears, the
+ dbus-daemon repeats the policy check (with
+ the service's true credentials, which might not be identical)
+ before delivering the message. In practice, this second check will
+ usually be more strict than the first; the first check would only
+ be more strict if there are "blacklist"-style rules like
+ deny dbus send peer=(label=/usr/bin/protected)
+ that match on the peer's specific credentials, but AppArmor is
+ normally used in a "whitelist" style where this does not apply.
+
+
+
+ To support this process, service description files may contain a
+ AssumedAppArmorLabel key. Its value is the name
+ of an AppArmor label, for example
+ /usr/sbin/mydaemon.
+ If present, AppArmor mediation of messages that auto-start a
+ service will decide whether to allow auto-starting to occur based
+ on the assumption that the activated service will be confined
+ under the specified label; in particular, rules of the form
+ dbus send peer=(label=/usr/sbin/mydaemon) or
+ deny dbus send peer=(label=/usr/sbin/mydaemon)
+ will match it, allowing or denying as appropriate
+ (even if there is in fact no profile of that name loaded).
+
+
+
+ Otherwise, AppArmor mediation of messages that auto-start a
+ service will decide whether to allow auto-starting to occur
+ without specifying any particular label. In particular, any rule of
+ the form dbus send peer=(label=X) or
+ deny dbus send peer=(label=X)
+ (for any value of X, including the special label
+ unconfined) will not influence whether the
+ auto-start is allowed.
+
+
+
+ Rules of type dbus receive are not checked
+ when deciding whether to allow auto-starting; they are only checked
+ against the service's profile after the service has started, when
+ deciding whether to deliver the message that caused the auto-starting
+ operation.
+
+
+
+ Explicit activation via
+ is not currently
+ affected by this mediation: if a confined process is to be prevented
+ from starting arbitrary services, then it must not be allowed to call
+ that method.
+
+