<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>SELinux Information Commands</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
You should by now have an SELinux-enabled system (running in permissive mode,
so it does not yet enforce its policy rules). Before we introduce you to the
world of SELinux and show how you can add more rules to make sure your system
remains functional when you switch to enforcing mode, we first give a quick
overview of the various SELinux-related commands.
</p>
<p>
We start off with the state commands, which give you global information on the
SELinux state (whether it is running in enforcing mode or not, versions, etc.).
</p>
<p class="secthead"><a name="doc_chap1_sect1">Getting SELinux Status</a></p>
<p>
The first command we will talk about is <span class="code" dir="ltr">sestatus</span>.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.1: Running sestatus</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">sestatus</span>
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict
</pre></td></tr>
</table>
<p>
The output of this command shows you that SELinux is enabled and is currently in
<span class="emphasis">permissive</span> mode. It also tells you that the system is configured to
run the <span class="emphasis">strict</span> policy, so there is no unconfined_t domain here.
</p>
<p>
The <span class="code" dir="ltr">sestatus</span> command also has an extended output if you run it with the
<span class="code" dir="ltr">-v</span> option. When this is done, the command returns the contexts of
important processes and files:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.2: Running sestatus -v</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">sestatus -v</span>
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        strict

Process contexts:
Current context:                staff_u:sysadm_r:sysadm_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               staff_u:object_r:user_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:rc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -&gt; system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -&gt; system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -&gt; system_u:object_r:ld_so_t
</pre></td></tr>
</table>
<p>
Another general SELinux status command is <span class="code" dir="ltr">getenforce</span>, which allows you to
quickly see if your SELinux is running in enforcing mode (SELinux policies are
enforced), permissive (SELinux policies are checked and logged, but not
enforced) or disabled (SELinux policy is not loaded and thus not checked).
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.3: Using the getenforce command</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">getenforce</span>
Enforcing
</pre></td></tr>
</table>
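<p>
The state commands above are easy to read by eye, but on a fleet you want the same check scripted: the one thing a defender cares about is whether the running mode still matches the configured one (a box that was switched to permissive with <span class="code" dir="ltr">setenforce 0</span> and never switched back is silent drift). The following script is an added example, not part of the handbook; the function names are our own and the two sample outputs are constructed from the listing above (the second one with the configured mode changed to enforcing).
</p>

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): parse `sestatus` output read
# from stdin and flag a mismatch between the running mode and the configured
# one. Function names are our own; the sample outputs below are constructed.

# selinux_field LABEL: print the value of one "LABEL: value" line of sestatus output.
selinux_field() {
    awk -F':' -v key="$1" '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# selinux_mode_drift: reads sestatus output on stdin and prints one word:
#   consistent  - the running mode equals the mode from the config file
#   drift       - they differ (e.g. setenforce 0 was run on an enforcing system)
#   disabled    - SELinux is not enabled at all, so there is nothing to compare
selinux_mode_drift() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | selinux_field "SELinux status")
    if [ "$status" != "enabled" ]; then
        echo disabled
        return 0
    fi
    current=$(printf '%s\n' "$out" | selinux_field "Current mode")
    configured=$(printf '%s\n' "$out" | selinux_field "Mode from config file")
    if [ "$current" = "$configured" ]; then
        echo consistent
    else
        echo drift
    fi
}

# Constructed sample: the permissive system from the handbook listing.
SAMPLE_PERMISSIVE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict'

# Constructed sample: configured for enforcing, but currently running permissive.
SAMPLE_DRIFT='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        strict'

# On a real system:  sestatus | selinux_mode_drift
printf '%s\n' "$SAMPLE_PERMISSIVE" | selinux_mode_drift
printf '%s\n' "$SAMPLE_DRIFT" | selinux_mode_drift
```

<p>
Feeding <span class="code" dir="ltr">sestatus | selinux_mode_drift</span> into a monitoring check that alerts on <span class="code" dir="ltr">drift</span> (or on <span class="code" dir="ltr">disabled</span>) catches the case <span class="code" dir="ltr">getenforce</span> alone cannot: a system that reports <span class="code" dir="ltr">Permissive</span> is only a problem when its configuration says it should be enforcing.
</p>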
<p class="secthead"><a name="doc_chap1_sect1">Getting SELinux Object Information</a></p>
<p>
Next on the table is the <span class="code" dir="ltr">seinfo</span> command. This command allows you to query
the running policy for all objects (types, roles, attributes, users, booleans
...) defined.
</p>
<p>
Common usages are:
</p>
<ul>
  <li>
    checking if a specific domain is defined on your system (in case you're
    wondering if you need to load an additional SELinux policy module or not) 
  </li>
  <li>
    checking which domains a particular role can be in (in case you're wondering
    if your regular users are allowed by SELinux policies to even be
    transitioned towards a specific domain)
  </li>
  <li>
    checking which attributes are assigned to a specific domain (or vice versa,
    which domains have a specific attribute set) as some SELinux policy rules
    work on attributes rather than domains
  </li>
</ul>
<p>
As an example, we query if the crontab_t domain is known, if the user_r role can
use the crontab_t domain and finally which domains have the cron_spool_type
attribute set.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.4: Using seinfo</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">seinfo -tcrontab_t</span>
  crontab_t
# <span class="code-input">seinfo -ruser_r -x</span>
  user_r
    Dominated Roles:
      user_r
    Types:
      [...]
      crontab_t
      [...]
# <span class="code-input">seinfo -acron_spool_type -x</span>
  cron_spool_type
    user_cron_spool_t
    system_cron_spool_t
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap1_sect1">Querying SELinux Policy Rules</a></p>
<p>
A command which you will often use is <span class="code" dir="ltr">sesearch</span>. This command allows you
to query the current policy allow rules and is a huge help when trying to find
out if something is allowed (or why something isn't allowed).
</p>
<p>
The <span class="code" dir="ltr">sesearch</span> command is most often used with a source domain (<span class="code" dir="ltr">-s</span>),
a target domain (<span class="code" dir="ltr">-t</span>) or both, the class for which you want to query allow
rules (file, dir, socket, process ...) and the privilege you want to query
for (read, write, open, transition, execute ...).
</p>
<p>
For instance, to find out which domains can write to files labeled with the
shadow_t type:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.5: Querying allow rules with sesearch</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">sesearch -t shadow_t -c file -p write -A</span>
Found 8 semantic av rules:
  [...]
  allow portage_t shadow_t : file { ioctl read write ... };
  allow useradd_t shadow_t : file { ioctl read write ... };
  ...
</pre></td></tr>
</table>
<p>
You will notice that there are sometimes results based on attributes rather than
domains:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.6: Allow rule based on attribute</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
  allow portage_t file_type : file { ioctl read write ... };
</pre></td></tr>
</table>
<p>
In this case, the source domain (portage_t) is allowed to write to files whose
type has the file_type attribute set. Once you get a feel for these things,
you'll wonder whether the above rule is not a flagrant security issue, as almost
all file types have the file_type attribute set. Yes and no: if we take a look at
which domains have file write privileges to file_type types, you'll notice
that this is only portage:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.7: Querying domains with file-write privileges to file_type domains</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">sesearch -t file_type -c file -p write -A -d</span>
Found 1 semantic av rules:
  allow portage_t file_type : file { ioctl read write ... };
</pre></td></tr>
</table>
<p>
Note that we had one command without the <span class="code" dir="ltr">-d</span> option and one with. When
<span class="code" dir="ltr">-d</span> is given, the search will perform an exact search without resolving
the attributes. When <span class="code" dir="ltr">-d</span> is not given, it will resolve the attribute. In
the last command example, dropping <span class="code" dir="ltr">-d</span> would result in hundreds of allow
rules: for each domain that has file_type set, the search tries to find rules
that allow file-write access to that particular domain.
</p>
<p>
Another interesting functionality of the <span class="code" dir="ltr">sesearch</span> command is to show you
the rules that are applicable depending on the state of a boolean. If you want
to query on a particular boolean, use <span class="code" dir="ltr">-b</span>. If you want to see the logic
that the policy uses, use <span class="code" dir="ltr">-C</span> (and yes, both can be combined).
</p>
<p>
As an example, we'll check what we allow (or deny) when the <span class="code" dir="ltr">global_ssp</span>
boolean is set:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.8: Checking the policy regarding the global_ssp boolean</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">sesearch -b global_ssp -A -C -d</span>
Found 2 semantic av rules:
ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
</pre></td></tr>
</table>
<p>
The prefix you see shows two letters, relating to two important definitions:
</p>
<ul>
  <li>
    Is the rule currently <b>E</b>nabled or <b>D</b>isabled?
  </li>
  <li>
    Does the boolean need to be set to <b>T</b>rue or <b>F</b>alse to enable the rule?
  </li>
</ul>
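<p>
Reading those two-letter prefixes by hand works for two rules but not for the hundreds a busy boolean can guard. The script below is an added example, not part of the handbook: it decodes the <span class="code" dir="ltr">sesearch -A -C</span> prefix into an explicit state ("enabled"/"disabled") and the boolean value the rule needs ("true"/"false"), and then lists the access that flipping a given boolean would newly grant, which is the question to answer before running <span class="code" dir="ltr">setsebool</span>. The function names are our own; the sample input reuses the two global_ssp lines from the listing above plus one constructed line with hypothetical names (<span class="code" dir="ltr">example_exec_t</span>, <span class="code" dir="ltr">example_bool</span>).
</p>

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): decode the E/D and T/F prefix
# that `sesearch -A -C` puts in front of conditional allow rules. Function
# names are our own; the third sample line below is constructed.

# decode_conditional_rules: reads `sesearch -A -C` output on stdin and prints,
# one per conditional rule: "<state> <needs> <source> <target> <boolean>"
#   state = enabled|disabled   (first letter: is the rule active right now?)
#   needs = true|false         (second letter: boolean value that activates it)
decode_conditional_rules() {
    awk '
        /^[EDTF][EDTF] allow / {
            state = (substr($1, 1, 1) == "E") ? "enabled" : "disabled"
            needs = (substr($1, 2, 1) == "T") ? "true" : "false"
            # the boolean expression is the text between the trailing "[" and "]"
            expr = $0
            sub(/^.*\[ */, "", expr)
            sub(/ *\].*$/, "", expr)
            print state, needs, $3, $4, expr
        }'
}

# rules_unlocked_by_toggle BOOLEAN: reads the same sesearch output on stdin and
# prints "<source> <target>" for every rule on BOOLEAN that is currently
# disabled, i.e. the extra access a setsebool on it would grant.
rules_unlocked_by_toggle() {
    decode_conditional_rules | awk -v b="$1" '$1 == "disabled" && $5 == b { print $3, $4 }'
}

# Constructed sample: the two global_ssp rules from the handbook listing, plus
# one disabled rule on a hypothetical boolean to show the "disabled" path.
SAMPLE_COND='Found 3 semantic av rules:
ET allow domain device_t : dir { getattr search open } ; [ global_ssp ]
ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
DT allow user_t example_exec_t : file { read execute } ; [ example_bool ]'

# On a real system:  sesearch -A -C -b some_bool | decode_conditional_rules
printf '%s\n' "$SAMPLE_COND" | decode_conditional_rules
echo "--- access granted by enabling example_bool:"
printf '%s\n' "$SAMPLE_COND" | rules_unlocked_by_toggle example_bool
```

<p>
Note that the second awk only matches rules whose expression is the bare boolean name; rules guarded by a compound expression (several booleans, or a negated one) show up in the decoded listing with the full expression in the last column and have to be judged by hand.
</p>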
<p class="secthead"><a name="doc_chap1_sect1">Getting Security Context Information</a></p>
<p>
During administrative tasks, and especially when you are checking whether an
SELinux denial could occur, it is important to find out what the security context
of a particular resource is. Luckily, Gentoo Hardened (if properly installed)
has already patched some tools so that you can get this information using your
standard tools.
</p>
<p>
To get the security context of a file, use <span class="code" dir="ltr">ls -Z</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.9: Getting a file security context</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~$ <span class="code-input">ls -Z /etc/make.conf</span>
system_u:object_r:portage_conf_t /etc/make.conf
</pre></td></tr>
</table>
<p>
To get the security context of a process, use <span class="code" dir="ltr">ps -Z</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.10: Getting a process security context</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">ps -Z $(pidof init)</span>
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t            1 ?        Ss     0:00 init [3]  
</pre></td></tr>
</table>
<p>
To get the security context of the current user, use <span class="code" dir="ltr">id -Z</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.11: Getting a user security context</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~$ <span class="code-input">id -Z</span>
staff_u:staff_r:staff_t
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">2.
            </span>Managing SELinux</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
Managing SELinux objects (booleans, users, ports, contexts ...) is most often
done using <span class="code" dir="ltr">semanage</span>. As this application offers the interface to the
various SELinux configurations, we dedicate an entire section to it, but we will
also cover the commands that offer similar functionality (and are sometimes
easier to remember).
</p>
<p class="secthead"><a name="doc_chap1_sect1">Booleans</a></p>
<p>
We have already covered SELinux booleans earlier in this book, as well as the
<span class="code" dir="ltr">getsebool</span> and <span class="code" dir="ltr">setsebool</span> commands. With <span class="code" dir="ltr">semanage</span> you can
manage the booleans too and, as an added bonus, listing the booleans will also show
the description of each boolean (even though there is still work to be done in
this area).
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.1: Listing the available SELinux booleans</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semanage boolean -l</span>
SELinux boolean                 Description

allow_ptrace            -&gt; off  allow_ptrace
rsync_export_all_ro     -&gt; off  rsync_export_all_ro
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
As you will notice, most descriptions are just the boolean name, but you will
find more and more booleans with a better description as you get acquainted with
- and install more - SELinux policy modules.
</p></td></tr></table>
<p>
You can set a boolean with both <span class="code" dir="ltr">setsebool</span> and <span class="code" dir="ltr">semanage</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.2: Setting SELinux boolean values</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semanage boolean -m --on -F user_dmesg</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="users"></a><a name="doc_chap1_sect1">SELinux Users and Logins</a></p>
<p>
SELinux users and logins are different from Unix accounts. SELinux logins allow
you to map a Unix account to a SELinux user:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.3: Listing the SELinux logins</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semanage login -l</span>
Login Name          SELinux User

__default__         user_u
root                root
swift               staff_u
system_u            system_u
</pre></td></tr>
</table>
<p>
The default behavior is that users are logged on as the <span class="emphasis">user_u</span> SELinux
user. This SELinux user is a non-administrator user: it has no specific
privileges and should be used for every account that never requires elevated
privileges (so no <span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span> rights for anything).
</p>
<p>
The account you use to administer your system should be mapped to the
<span class="code" dir="ltr">staff_u</span> SELinux user (or its own user with the appropriate roles). This
can be accomplished as follows (example with the Unix account <span class="emphasis">anna</span>):
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.4: Letting 'anna' log on as 'staff_u'</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semanage login -a -s staff_u anna</span>
</pre></td></tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
Make sure that whatever account you use to administer your system is mapped to
the <span class="code" dir="ltr">staff_u</span> user, or has the ability to switch to the <span class="code" dir="ltr">sysadm_r</span>
role. Portage only works from within the <span class="code" dir="ltr">sysadm_r</span> role.
</p></td></tr></table>
<p>
As mentioned, SELinux users are configured to be able to take on one or more
roles. To list which roles each SELinux user may use, run <span class="code" dir="ltr">semanage user -l</span>:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.5: Listing SELinux user / role mappings</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semanage user -l</span>
SELinux User        SELinux Roles

root                staff_r sysadm_r
staff_u             staff_r sysadm_r
[...]
</pre></td></tr>
</table>
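<p>
The login mapping is where the privilege boundary between "ordinary account" and "can reach sysadm_r" is drawn, so it is worth auditing rather than only setting. The script below is an added example, not part of the handbook: given <span class="code" dir="ltr">semanage login -l</span> output, it resolves the effective SELinux user for any Unix account (falling back to the <span class="code" dir="ltr">__default__</span> entry when the account has no explicit mapping, which is exactly the behaviour described above) and lists every explicit mapping that is not the unprivileged <span class="code" dir="ltr">user_u</span>. The function names are our own; the sample input is the handbook listing above, and the account name <span class="code" dir="ltr">anna</span> is the hypothetical one the handbook uses.
</p>

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): audit `semanage login -l`
# output read from stdin. Function names are our own; the sample is the
# handbook's own listing, reproduced here as constructed input.

# selinux_user_for ACCOUNT: print the SELinux user ACCOUNT maps to. Accounts
# without an explicit entry get the __default__ mapping, just like login does.
selinux_user_for() {
    awk -v acct="$1" '
        NF >= 2 && $1 == "__default__" { dflt = $2 }
        NF >= 2 && $1 == acct          { print $2; found = 1; exit }
        END { if (!found) print dflt }'
}

# privileged_logins: print "<login> <selinux user>" for every explicit mapping
# that is not user_u. The header line and the system_u pseudo-login are
# skipped; a __default__ entry that is not user_u is deliberately reported,
# since it would hand every unlisted account a privileged SELinux user.
privileged_logins() {
    awk 'NF >= 2 && $1 != "Login" && $1 != "system_u" && $2 != "user_u" { print $1, $2 }'
}

# Constructed sample: the handbook listing (swift is mapped to staff_u).
SAMPLE_LOGINS='Login Name          SELinux User

__default__         user_u
root                root
swift               staff_u
system_u            system_u'

# On a real system:  semanage login -l | privileged_logins
echo "anna  -> $(printf '%s\n' "$SAMPLE_LOGINS" | selinux_user_for anna)"
echo "swift -> $(printf '%s\n' "$SAMPLE_LOGINS" | selinux_user_for swift)"
echo "--- logins with a privileged SELinux user:"
printf '%s\n' "$SAMPLE_LOGINS" | privileged_logins
```

<p>
Running <span class="code" dir="ltr">privileged_logins</span> after each <span class="code" dir="ltr">semanage login -a</span> gives a short list to compare against the set of people who are actually meant to administer the system; any account on that list that is not an administrator should be remapped (or removed with <span class="code" dir="ltr">semanage login -d</span>) so that it falls back to <span class="code" dir="ltr">user_u</span>.
</p>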
<p class="secthead"><a name="doc_chap1_sect1">Managing Ports</a></p>
<p>
Even network ports (like port 22 for SSH) are 'protected' by SELinux. To get an
overview of which domains are assigned to which ports (or port ranges) use
<span class="code" dir="ltr">semanage port -l</span>.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 2.6: Listing SELinux managed ports</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">semanage port -l | grep '22$'</span>
ssh_port_t             tcp     22
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">3.
            </span>Using SELinux</p>
<p class="secthead"><a name="doc_chap1_sect1">Introduction</a></p>
<p>
Up until now we've covered getting SELinux related information as well as
managing SELinux settings. However, users on a SELinux hardened system will also
need to know a few things about working with SELinux, including (but not limited
to) roles and role transitions.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Switching Roles</a></p>
<p>
As a type enforcement access control system, SELinux allows particular roles to
be within a set of domains. If you are using a role which is not allowed within
a particular domain, you will not be successful in using that domain and will be
denied the actions assigned to that domain.
</p>
<p>
If your standard users are all mapped to the SELinux user_u user (whose only
supported role is user_r), then those users will never need to switch roles (nor
are they allowed to). But users mapped to staff_u (or to other SELinux users that
have multiple roles) need to be told how to switch between roles. We have
already covered how to map such users to the correct SELinux user (see <a href="#users">SELinux Users and Logins</a>).
</p>
<p>
The command that accomplishes switching roles is called <span class="code" dir="ltr">newrole</span>. Its
use is pretty straightforward.
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 3.1: Using newrole</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~$ <span class="code-input">newrole -r sysadm_r</span>
Password: <span class="code-comment">(Enter the user's own password - not root's!)</span>
</pre></td></tr>
</table>
<p>
When performing a role transition, SELinux will ask the user to re-authenticate
with the user's own password. If you are logged on as a regular user and used
<span class="code" dir="ltr">su</span> or <span class="code" dir="ltr">sudo</span> to become the root user, then <span class="code" dir="ltr">newrole</span> will still
require you to enter the regular user's password.
</p>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Page updated October 15, 2011</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>