diff --git a/data/meson.build b/data/meson.build
index e3776fb8..14fa0e4f 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -60,8 +60,11 @@ if not get_option('libs-only')
 install_dir: pk_datadir / 'polkit-1'
 )
- install_data(
- 'polkit-tmpfiles.conf',
- install_dir: tmpfiles_dir
+ configure_file(
+ input: 'polkit-tmpfiles.conf.in',
+ output: '@BASENAME@',
+ configuration: service_conf,
+ install: true,
+ install_dir: tmpfiles_dir,
 )
 endif
diff --git a/data/polkit-tmpfiles.conf b/data/polkit-tmpfiles.conf
deleted file mode 100644
index 936f514e..00000000
--- a/data/polkit-tmpfiles.conf
+++ /dev/null
@@ -1 +0,0 @@
-d /etc/polkit-1/rules.d 0750 root polkitd - -
diff --git a/data/polkit-tmpfiles.conf.in b/data/polkit-tmpfiles.conf.in
new file mode 100644
index 00000000..82db4bea
--- /dev/null
+++ b/data/polkit-tmpfiles.conf.in
@@ -0,0 +1,3 @@
+# Pre-create the subdirectory so that administrator cannot forget to set appropriate mode and ownership.
+# It should have as minimal privileges as possible to ensure polkitd cannot change .rules files if it gets hijacked.
+d /etc/polkit-1/rules.d 0750 root @polkitd_user@ - -
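Review bot: `configuration: service_conf` in the new `configure_file()` call in data/meson.build only works if `service_conf` defines `polkitd_user`, and that object is created outside this hunk, so the dependency cannot be checked here. As far as I know Meson only warns when a placeholder is missing from the configuration data and substitutes an empty string, which would install a tmpfiles.d entry with a malformed group field and leave /etc/polkit-1/rules.d without the intended ownership. I would add a comment directly above the call, `# service_conf must define polkitd_user; it becomes the group of /etc/polkit-1/rules.d`, so the link is visible where the template is rendered.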
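Review bot: The fifth field of the `d` line in data/polkit-tmpfiles.conf.in is the group, yet it is filled from `@polkitd_user@`, so the entry is only correct when the configured polkitd account has a group of the same name; the comments above it do not say so. Mode 0750 with owner root gives that group read and search access and no write access, which matches the stated aim, and I would spell it out with `# Group field: @polkitd_user@ must also be a valid group name; 0750 root:<group> lets polkitd read but not modify.` The entry governs only the directory itself, so the .rules files inside still need to be root-owned and not writable by that group for the hardening described in the comment to hold.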