selinux-policy-minimum-3.13.1-166.el7_4.9$>g\טRػ;6RwZu>E ? d  , Hx|  % 2 ? Z   w.X   HLS(T)[*+,-8 B93B:5VB=k>sD{GτHI X hY t\ ] $^ Ob d Re Wf Zl \t tu v w `x y  Cselinux-policy-minimum3.13.1166.el7_4.9SELinux minimum base policySELinux Reference policy minimum base module.Zx86-01.bsys.centos.orgCentOSGPLv2+CentOS BuildSystem System Environment/Basehttp://oss.tresys.com/repos/refpolicy/linuxnoarch if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then . /etc/selinux/config; FILE_CONTEXT=/etc/selinux/minimum/contexts/files/file_contexts; if [ "${SELINUXTYPE}" = minimum -a -f ${FILE_CONTEXT} ]; then [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; fi; touch /etc/selinux/minimum/.rebuild; if [ -e /etc/selinux/minimum/.policy.sha512 ]; then POLICY_FILE=`ls /etc/selinux/minimum/policy/policy.* | sort | head -1` sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; checksha512=`cat /etc/selinux/minimum/.policy.sha512`; if [ "$sha512" == "$checksha512" ] ; then rm /etc/selinux/minimum/.rebuild; fi; fi; fi; if [ $1 -ne 1 ]; then /usr/sbin/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > /usr/share/selinux/minimum/instmodules.lst fiif [ -e /etc/selinux/minimum/modules/active/base.pp ]; then DONT_REBUILD=1 /usr/libexec/selinux/selinux-policy-migrate-local-changes.sh minimum touch /etc/selinux/minimum/.rebuild systemctl daemon-reexec fi contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` #TODO: (cd /etc/selinux/minimum/modules/active/modules; rm -f pkcsslotd.pp) if [ ! -d /etc/selinux/minimum/active/modules/disabled ]; then mkdir /etc/selinux/minimum/active/modules/disabled fi if [ $1 -eq 1 ]; then for p in $contribpackages; do touch /etc/selinux/minimum/active/modules/disabled/$p done for p in $basepackages apache dbus inetd kerberos mta nis; do rm -f /etc/selinux/minimum/active/modules/disabled/$p done /usr/sbin/semodule -B -s minimum /usr/sbin/semanage import -S minimum -f - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof /sbin/restorecon -R /root /var/log 2> /dev/null else instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` for p in $contribpackages; do touch /etc/selinux/minimum/active/modules/disabled/$p done for p in $instpackages apache dbus inetd kerberos mta nis; do rm -f /etc/selinux/minimum/active/modules/disabled/$p done /usr/sbin/semodule -B -s minimum . /etc/selinux/config; FILE_CONTEXT=/etc/selinux/minimum/contexts/files/file_contexts; /usr/sbin/selinuxenabled; if [ $? = 0 -a "${SELINUXTYPE}" = minimum -a -f ${FILE_CONTEXT}.pre ]; then /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; rm -f ${FILE_CONTEXT}.pre; fi; if /sbin/restorecon -e /run/media -R /root /var/log /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then continue; fi; fi exit 0 .0?#g" y*-X#v!- (B" M(kd-*.8b-w-M/(" )3$U[?H (@%%f1a >/lB%4%s0d/ ._2#,$F#f !z!!#%`:!!?2 !$Sb"E2'%a0C"{!= {3X  , -Y ( '2 !6 )S/i;" ({"q}!.&J '? + & ("- [2% @'%$W=S%E!?.02  k'+%_5 >$ (F2!9. r' & (S$ 'Y%,"^#J174 0:&N|%^A% '= ("0K q,o4p!#%82<%$q  )"2G8zT% ` +;-> (% $p r(ku-l!U.Y% (z1yr[.$ C$@!(! A&c Y'22W#W#r &.t!@1Y"M<:2 *Rk,# #t9 *.# 5!q"q!5 ~ &P"1x)mn *!:3YE% %D : F ( -9n&243>c0"x!Bc P 'Y (8O + ( I)1O$_ &# ,'+ -&]#! [> 1>e6z &N '!h!"$h$.%"aCK1L! ,5$I$/#F# ($@ :$0]..AD" |({9"0"|14wc-w% *!%1 u-5 +"! +=L/ K^#?" S*%J!Q0 'Xq  )[8.n$</e$!0A H,# C( (g"^-On$T:0$ ,N  O)6!9%i%$E4EOt!6 )*Q f4F$@\! " (} &# # * (%qn2#F8l 0%Lu.uS}#^%-#s$$"#xv%"v8"#Dn"!>/ 1&K&$Hf"P"K (<H$R '.#D,X '!GC"#&X$g"F^D&zC% 2\;f<#M>$ (P#%"`a#Giq ='s+; r%Mg#(.z* , y' ( )=21 +wTF[w1: * y&= )9;9Bje ?e3qM!J59#Ba3>G h9B_j0 0fs vA큤AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA큤A큤A큤AA큤A큤ZtZtZtZtZsZsZtZtZeZeZuZuZeZeZuZuZeZeZuZuZeZeZvZuZeZeZvZvZeZeZvZvZeZeZwZvZeZeZwZwZeZeZwZwZeZeZxZxZeZeZxZxZeZeZyZxZeZeZyZyZeZeZzZyZeZeZzZzZeZeZ{ZzZeZeZ{Z{ZeZeZ|Z{ZeZeZ|Z|ZeZeZ}Z}ZeZeZ~Z}ZeZeZ~Z~ZeZeZZZeZeZZZeZeZZZeZfZuZtZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZfZfZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZgZZZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZZZgZgZ ZZgZgZ Z ZgZgZZ ZhZhZZZhZhZZZhZhZZZhZhZZZhZhZZZhZhZZZhZhZZZhZhZ!Z ZhZhZ$Z"ZhZhZ&Z%ZhZhZ)Z'ZhZhZ+Z)ZhZhZ.Z,ZhZhZ0Z/ZhZhZ3Z1ZhZhZ6Z4ZhZhZ8Z7ZhZhZ;Z9ZhZhZ>ZZaT6xT6xT@S@SSDSg}@SB@S>S;S:@S9XS5d@S4S2@S0@S,)S*@S)S)S&S&S"@S!S L@SSS@SSc@SSnS @S SK@RRR@RRJ@Ra@RRR&R&RRR=RʚRR@R@R@Rv@Rv@R@RR@R R@R@R|@Rz/@Rz/@RsRpRnQRi RfhR_@R_@R[R[RSRNRNRL RIgRB@RB@R:@R1R-@R-@R(r@R' R%@R7RRNRR@Q@QQdQQ@QQޞ@Q@QکQکQ@QzQQ4Q@@Q@QKQQ@Q@Q@Q@QQ@QQQQ@Q@QQQ@Qzl@Qw@QvwQo@Qo@QnQm=@QkQfQb@Q`@Q^QZ@QQQIQGQ@j@Q9Q8@Q4Q0@Q-@Q& @Q$QQ@QQ@Q @Qh@QsPP@P@PP@P[PP!@P8@PO@P @Pf@PPqP @PP7@P@PPPYP@P@PPPM@PPd@P@PoP{@P{@P@PP5@P@P~P}L@Px@PvPvPuc@Puc@Pr@Pmz@Pmz@Pmz@Pj@Pd?Pd?Pb@PaPaP[@PXb@PWPS@PQPO'PM@PIP@@P>@P8@P7lP2&P2&P,P,P*=P(@P#@P#@P!@P!@P@PkPw@Pw@PP

@NNU@NNl@N@N@NåN@NNNN@NNN@N@NGNGNGN@N@NNS@NS@N^N^N @N @NNj@Nj@NN$@NN@N/N@N@NFNFN@NNN@N@N@N]Ni@Ni@Ni@N|tNyNx@Ns:@NoENoENiNf @N^"@N\N[@NTNS@NS@NC@NBrN:N98@N7N6@N2N.@N*N)f@N(N%qN$ @N@N7@N e@NpNpM@M@Md@Md@MM{@M@M۝M@M@M‘@M@M@M@My@My@M3@M@M@MMM@MMMMTMx@Mx@Mv@MlMbSM[@MRMQ0@MQ0@MJMGMGMA^@M>@M9u@M6@M5M4/@M4/@M0:M,F@M$]@M@M9MMMMM\@M M M@L!L!L@LL@L@L@LOLOL[@L@L@Lr@L L,@L,@Lډ@L7LLLNL@LΫLeL|L@LB@LB@LB@L@LMLL@LdLL{L*@L@L5LLA@LLLL@LcL@L@L@LzL)@L|L|L|L{@LvW@LvW@Ls@Ls@LrbLrbLmLk@LjyLe3Lc@La?@LZLYV@LXLN@LN@LMxLMxLI@LH2LF@LEL=L=L=L;L7@L LT@L@LL@L@L0LLGL@K^K^KKKj@K$@KKK@K@KK@K]K޺K@KtK#@KKՀ@K:@KK͗@KŮ@K\K\K @KKKKK9@KK@KK@K@KKKKrKK~@K,K,K,K@KK8@KKK@KK@KqKqK}+K{@K{@KuBKs@KqN@KjKie@Kf@Ka|@K`*K]KXAKTM@KPXKEKEKEKD{@KC)KA@K;@K2@K0K/c@K+nK*@K(K"4@KK>K>K>JJęJH@JH@JJJ_@J@JjJjJ@Jv@Jv@Jv@Jv@J$J@JJ0@J@J@JG@JG@J@JJ@J@J@JJJ#J@JJJ@J:J@JJQJ@J J J|@JzJyt@Jyt@Jx"JrJrJq@Jn@Jn@JmJhPJeJ\s@JW-@JT@JS8JKOJI@JCfJCfJB@J@J@J?r@J<@J;}J:,@J7@J67J2C@J0J/@J,@J%@JJB@JJMJ J dJ@J@JJ@J*@J*@II@IIA@IIII@I@IIIX@IX@IX@II@I@IcIIo@Io@IzI)@I@IܑI@@II@I@I@IԨIд@I̿In@I3I3I@II@I@IV@IIaIIm@I@I'@II2III@IIIIIIII@III@I1I@III~@I}Iy@Ix_Iw@IuItk@Itk@Io%@Ik0IeIcGIa@I`IVIO@IJ;@IHIAI>]I= @I7@I6tI3I-I@III9@I9@II IP@I@IIg@Ig@HHH@HrH~@H,H@HCHHH @H @Hf@Hf@H@H+H@H׈H׈H7@HBH@HǶH@HH|@HHH@H{@H)HHL@H@H@H@HnH}H|@Ht@HsVHr@Hl@HkmHgy@HcH`H_@H^>HRa@HQHQHO@HFHFH$@DX@DU@DN@DN@DLDH@DGwDGwDDD@@D?D?D;@D;@D:HD:HD2_D1@D1@D-D+@D+@D'D!<@D!<@D!<@DDD@D@D@DDDDDD@D@D@D@D uD $@D D @D @DDDFC@C@C@C@CCCCCR@CCCCC@Ci@CC@C@CtC@C@CC:@CECCC @C @CعCعCعCعCC@C-C-C-C@C@CCǖ@C@CáCáCP@CP@C[C @C @CCg@Cg@CCC!@C~@C,C@CCCCC@CC@C@C@CZCZC @C @CCCf@Cf@Cf@CC@CqCqC @C @C @CCC}@C7@C7@C7@CBCBCYC@C@CC}@CqCqLukas Vrabec - 3.13.1-166.9Lukas Vrabec - 3.13.1-166.8Lukas Vrabec - 3.13.1-166.7Lukas Vrabec - 3.13.1-166.6Lukas Vrabec - 3.13.1-166.5Lukas Vrabec - 3.13.1-166.4Lukas Vrabec - 3.13.1-166.3Lukas Vrabec - 3.13.1-166.2Lukas Vrabec - 3.13.1-166.1Lukas Vrabec - 3.13.1-166Lukas Vrabec - 3.13.1-165Lukas Vrabec - 3.13.1-164Lukas Vrabec - 3.13.1-163Lukas Vrabec - 3.13.1-162Lukas Vrabec - 3.13.1-161Lukas Vrabec - 3.13.1-160Lukas Vrabec - 3.13.1-159Lukas Vrabec - 3.13.1-158Lukas Vrabec - 3.13.1-157Lukas Vrabec - 3.13.1-156Lukas Vrabec - 3.13.1-155Lukas Vrabec - 3.13.1-154Lukas Vrabec - 3.13.1-153Lukas Vrabec - 3.13.1-152Lukas Vrabec - 3.13.1-151Lukas Vrabec - 3.13.1-150Lukas Vrabec - 3.13.1-149Lukas Vrabec - 3.13.1-148Lukas Vrabec - 3.13.1-147Lukas Vrabec - 3.13.1-146Lukas Vrabec - 3.13.1-145Lukas Vrabec - 3.13.1-144Lukas Vrabec - 3.13.1-143Lukas Vrabec - 3.13.1-142Lukas Vrabec - 3.13.1-141Lukas Vrabec - 3.13.1-140Lukas Vrabec - 3.13.1-139Lukas Vrabec - 3.13.1-138Lukas Vrabec - 3.13.1-137Lukas Vrabec - 3.13.1-136Lukas Vrabec - 3.13.1-135Lukas Vrabec - 3.13.1-134Lukas Vrabec - 3.13.1-133Lukas Vrabec - 3.13.1-132Lukas Vrabec - 3.13.1-131Lukas Vrabec - 3.13.1-130Lukas Vrabec - 3.13.1-129Lukas Vrabec - 3.13.1-128Lukas Vrabec - 3.13.1-127Lukas Vrabec - 3.13.1-126Lukas Vrabec - 3.13.1-125Lukas Vrabec - 3.13.1-124Lukas Vrabec - 3.13.1-123Lukas Vrabec - 3.13.1-122Lukas Vrabec - 3.13.1-120Lukas Vrabec - 3.13.1-119Lukas Vrabec - 3.13.1-118Lukas Vrabec - 3.13.1-117Lukas Vrabec - 3.13.1-116Lukas Vrabec - 3.13.1-115Lukas Vrabec - 3.13.1-114Lukas Vrabec - 3.13.1-113Lukas Vrabec - 3.13.1-112Lukas Vrabec - 3.13.1-111Lukas Vrabec - 3.13.1-110Lukas Vrabec - 3.13.1-109Lukas Vrabec - 3.13.1-108Lukas Vrabec - 3.13.1-107Lukas Vrabec - 3.13.1-106Miroslav Grepl - 3.13.1-105Lukas Vrabec - 3.13.1-104Lukas Vrabec - 3.13.1-103Dan Walsh - 3.13.1-102Lukas Vrabec - 3.13.1-101Lukas Vrabec - 3.13.1-100Lukas Vrabec - 3.13.1-99Lukas Vrabec - 3.13.1-98Lukas Vrabec - 3.13.1-97Lukas Vrabec - 3.13.1-96Lukas Vrabec - 3.13.1-95Lukas Vrabec - 3.13.1-94Lukas Vrabec - 3.13.1-93Lukas Vrabec - 3.13.1-92Lukas Vrabec - 3.13.1-91Lukas Vrabec - 3.13.1-90Lukas Vrabec - 3.13.1-89Lukas Vrabec - 3.13.1-88Lukas Vrabec - 3.13.1-87Lukas Vrabec - 3.13.1-86Lukas Vrabec - 3.13.1-85Lukas Vrabec - 3.13.1-84Lukas Vrabec - 3.13.1-83Lukas Vrabec - 3.13.1-82Lukas Vrabec - 3.13.1-81Lukas Vrabec - 3.13.1-80Petr Lautrbach - 3.13.1-79Lukas Vrabec - 3.13.1-78Lukas Vrabec - 3.13.1-77Lukas Vrabec - 3.13.1-76Lukas Vrabec - 3.13.1-75Lukas Vrabec - 3.13.1-74Lukas Vrabec - 3.13.1-73Lukas Vrabec - 3.13.1-72Lukas Vrabec - 3.13.1-71Lukas Vrabec - 3.13.1-70Lukas Vrabec - 3.13.1-69Lukas Vrabec - 3.13.1-68Lukas Vrabec - 3.13.1-67Petr Lautrbach - 3.13.1-66Lukas Vrabec 3.13.1-65Lukas Vrabec 3.13.1-64Lukas Vrabec 3.13.1-63Lukas Vrabec 3.13.1-62Lukas Vrabec 3.13.1-61Miroslav Grepl 3.13.1-60Miroslav Grepl 3.13.1-59Lukas Vrabec 3.13.1-58Lukas Vrabec 3.13.1-57Miroslav Grepl 3.13.1-56Lukas Vrabec 3.13.1-55Lukas Vrabec 3.13.1-54Lukas Vrabec 3.13.1-53Lukas Vrabec 3.13.1-52Miroslav Grepl 3.13.1-51Lukas Vrabec 3.13.1-50Lukas Vrabec 3.13.1-49Lukas Vrabec 3.13.1-48Lukas Vrabec 3.13.1-47Lukas Vrabec 3.13.1-46Lukas Vrabec 3.13.1-45Lukas Vrabec 3.13.1-44Lukas Vrabec 3.13.1-43Lukas Vrabec 3.13.1-42Lukas Vrabec 3.13.1-41Lukas Vrabec 3.13.1-40Miroslav Grepl 3.13.1-39Lukas Vrabec 3.13.1-38Lukas Vrabec 3.13.1-37Lukas Vrabec 3.13.1-36Lukas Vrabec 3.13.1-35Lukas Vrabec 3.13.1-34Lukas Vrabec 3.13.1-33Lukas Vrabec 3.13.1-32Miroslav Grepl 3.13.1-31Miroslav Grepl 3.13.1-30Miroslav Grepl 3.13.1-29Miroslav Grepl 3.13.1-28Miroslav Grepl 3.13.1-27Miroslav Grepl 3.13.1-26Miroslav Grepl 3.13.1-25Miroslav Grepl 3.13.1-24Miroslav Grepl 3.13.1-23Miroslav Grepl 3.13.1-22Miroslav Grepl 3.13.1-21Miroslav Grepl 3.13.1-20Miroslav Grepl 3.13.1-19Miroslav Grepl 3.13.1-18Miroslav Grepl 3.13.1-17Miroslav Grepl 3.13.1-16Miroslav Grepl 3.13.1-15Miroslav Grepl 3.13.1-14Miroslav Grepl 3.13.1-13Miroslav Grepl 3.13.1-12Miroslav Grepl 3.13.1-11Miroslav Grepl 3.13.1-10Miroslav Grepl 3.13.1-9Miroslav Grepl 3.13.1-8Miroslav Grepl 3.13.1-7Miroslav Grepl 3.13.1-6Miroslav Grepl 3.13.1-5Miroslav Grepl 3.13.1-4Miroslav Grepl 3.13.1-3Miroslav Grepl 3.13.1-2Miroslav Grepl 3.13.1-1Miroslav Grepl 3.12.1-156Miroslav Grepl 3.12.1-155Miroslav Grepl 3.12.1-154Miroslav Grepl 3.12.1-153Miroslav Grepl 3.12.1-152Miroslav Grepl 3.12.1-151Miroslav Grepl 3.12.1-149Miroslav Grepl 3.12.1-149Miroslav Grepl 3.12.1-148Miroslav Grepl 3.12.1-147Miroslav Grepl 3.12.1-146Miroslav Grepl 3.12.1-145Miroslav Grepl 3.12.1-144Lukas Vrabec 3.12.1-143Miroslav Grepl 3.12.1-142Miroslav Grepl 3.12.1-141Miroslav Grepl 3.12.1-140Miroslav Grepl 3.12.1-139Lukas Vrabec 3.12.1-138Miroslav Grepl 3.12.1-137Miroslav Grepl 3.12.1-136Miroslav Grepl 3.12.1-135Miroslav Grepl 3.12.1-134Miroslav Grepl 3.12.1-133Miroslav Grepl 3.12.1-132Miroslav Grepl 3.12.1-131Miroslav Grepl 3.12.1-130Miroslav Grepl 3.12.1-129Miroslav Grepl 3.12.1-128Miroslav Grepl 3.12.1-127Miroslav Grepl 3.12.1-126Miroslav Grepl 3.12.1-125Miroslav Grepl 3.12.1-124Miroslav Grepl 3.12.1-123Miroslav Grepl 3.12.1-122Miroslav Grepl 3.12.1-121Miroslav Grepl 3.12.1-120Miroslav Grepl 3.12.1-119Miroslav Grepl 3.12.1-118Miroslav Grepl 3.12.1-117Miroslav Grepl 3.12.1-116Miroslav Grepl 3.12.1-115Miroslav Grepl 3.12.1-114Miroslav Grepl 3.12.1-113Miroslav Grepl 3.12.1-112Miroslav Grepl 3.12.1-111Miroslav Grepl 3.12.1-110Miroslav Grepl 3.12.1-109Miroslav Grepl 3.12.1-108Miroslav Grepl 3.12.1-107Dan Walsh 3.12.1-106Miroslav Grepl 3.12.1-105Miroslav Grepl 3.12.1-104Miroslav Grepl 3.12.1-103Miroslav Grepl 3.12.1-102Miroslav Grepl 3.12.1-101Miroslav Grepl 3.12.1-100Miroslav Grepl 3.12.1-99Miroslav Grepl 3.12.1-98Miroslav Grepl 3.12.1-97Miroslav Grepl 3.12.1-96Miroslav Grepl 3.12.1-95Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-93Miroslav Grepl 3.12.1-92Miroslav Grepl 3.12.1-91Miroslav Grepl 3.12.1-90Miroslav Grepl 3.12.1-89Miroslav Grepl 3.12.1-88Miroslav Grepl 3.12.1-87Miroslav Grepl 3.12.1-86Miroslav Grepl 3.12.1-85Miroslav Grepl 3.12.1-84Miroslav Grepl 3.12.1-83Miroslav Grepl 3.12.1-82Miroslav Grepl 3.12.1-81Miroslav Grepl 3.12.1-80Miroslav Grepl 3.12.1-79Miroslav Grepl 3.12.1-78Miroslav Grepl 3.12.1-77Miroslav Grepl 3.12.1-76Miroslav Grepl 3.12.1-75Miroslav Grepl 3.12.1-74Miroslav Grepl 3.12.1-73Miroslav Grepl 3.12.1-72Miroslav Grepl 3.12.1-71Miroslav Grepl 3.12.1-70Miroslav Grepl 3.12.1-69Miroslav Grepl 3.12.1-68Miroslav Grepl 3.12.1-67Miroslav Grepl 3.12.1-66Miroslav Grepl 3.12.1-65Miroslav Grepl 3.12.1-64Miroslav Grepl 3.12.1-63Miroslav Grepl 3.12.1-62Miroslav Grepl 3.12.1-61Miroslav Grepl 3.12.1-60Miroslav Grepl 3.12.1-59Miroslav Grepl 3.12.1-58Miroslav Grepl 3.12.1-57Miroslav Grepl 3.12.1-56Miroslav Grepl 3.12.1-55Miroslav Grepl 3.12.1-54Miroslav Grepl 3.12.1-53Miroslav Grepl 3.12.1-52Miroslav Grepl 3.12.1-51Miroslav Grepl 3.12.1-50Miroslav Grepl 3.12.1-49Miroslav Grepl 3.12.1-48Miroslav Grepl 3.12.1-47Miroslav Grepl 3.12.1-46Miroslav Grepl 3.12.1-45Miroslav Grepl 3.12.1-44Miroslav Grepl 3.12.1-43Miroslav Grepl 3.12.1-42Miroslav Grepl 3.12.1-41Miroslav Grepl 3.12.1-40Miroslav Grepl 3.12.1-39Miroslav Grepl 3.12.1-38Miroslav Grepl 3.12.1-37Miroslav Grepl 3.12.1-36Miroslav Grepl 3.12.1-35Miroslav Grepl 3.12.1-34Miroslav Grepl 3.12.1-33Miroslav Grepl 3.12.1-32Miroslav Grepl 3.12.1-31Miroslav Grepl 3.12.1-30Miroslav Grepl 3.12.1-29Dan Walsh 3.12.1-28Dan Walsh 3.12.1-27Miroslav Grepl 3.12.1-26Miroslav Grepl 3.12.1-25Miroslav Grepl 3.12.1-24Miroslav Grepl 3.12.1-23Miroslav Grepl 3.12.1-22Miroslav Grepl 3.12.1-21Miroslav Grepl 3.12.1-20Miroslav Grepl 3.12.1-19Miroslav Grepl 3.12.1-18Miroslav Grepl 3.12.1-17Miroslav Grepl 3.12.1-16Miroslav Grepl 3.12.1-15Miroslav Grepl 3.12.1-14Miroslav Grepl 3.12.1-13Miroslav Grepl 3.12.1-12Miroslav Grepl 3.12.1-11Miroslav Grepl 3.12.1-10Miroslav Grepl 3.12.1-9Miroslav Grepl 3.12.1-8Miroslav Grepl 3.12.1-7Miroslav Grepl 3.12.1-6Miroslav Grepl 3.12.1-5Miroslav Grepl 3.12.1-4Miroslav Grepl 3.12.1-3Miroslav Grepl 3.12.1-2Miroslav Grepl 3.12.1-1Dan Walsh 3.11.1-69.1Miroslav Grepl 3.11.1-69Miroslav Grepl 3.11.1-68Miroslav Grepl 3.11.1-67Miroslav Grepl 3.11.1-66Miroslav Grepl 3.11.1-65Miroslav Grepl 3.11.1-64Miroslav Grepl 3.11.1-63Miroslav Grepl 3.11.1-62Miroslav Grepl 3.11.1-61Miroslav Grepl 3.11.1-60Miroslav Grepl 3.11.1-59Miroslav Grepl 3.11.1-58Miroslav Grepl 3.11.1-57Miroslav Grepl 3.11.1-56Miroslav Grepl 3.11.1-55Miroslav Grepl 3.11.1-54Miroslav Grepl 3.11.1-53Miroslav Grepl 3.11.1-52Miroslav Grepl 3.11.1-51Miroslav Grepl 3.11.1-50Miroslav Grepl 3.11.1-49Miroslav Grepl 3.11.1-48Miroslav Grepl 3.11.1-47Miroslav Grepl 3.11.1-46Miroslav Grepl 3.11.1-45Miroslav Grepl 3.11.1-44Miroslav Grepl 3.11.1-43Miroslav Grepl 3.11.1-42Miroslav Grepl 3.11.1-41Miroslav Grepl 3.11.1-40Miroslav Grepl 3.11.1-39Miroslav Grepl 3.11.1-38Miroslav Grepl 3.11.1-37Miroslav Grepl 3.11.1-36Miroslav Grepl 3.11.1-35Miroslav Grepl 3.11.1-34Miroslav Grepl 3.11.1-33Miroslav Grepl 3.11.1-32Miroslav Grepl 3.11.1-31Miroslav Grepl 3.11.1-30Miroslav Grepl 3.11.1-29Miroslav Grepl 3.11.1-28Miroslav Grepl 3.11.1-27Miroslav Grepl 3.11.1-26Miroslav Grepl 3.11.1-25Miroslav Grepl 3.11.1-24Miroslav Grepl 3.11.1-23Miroslav Grepl 3.11.1-22Miroslav Grepl 3.11.1-21Miroslav Grepl 3.11.1-20Miroslav Grepl 3.11.1-19Miroslav Grepl 3.11.1-18Miroslav Grepl 3.11.1-17Miroslav Grepl 3.11.1-16Dan Walsh 3.11.1-15Miroslav Grepl 3.11.1-14Dan Walsh 3.11.1-13Miroslav Grepl 3.11.1-12Miroslav Grepl 3.11.1-11Miroslav Grepl 3.11.1-10Dan Walsh 3.11.1-9Dan Walsh 3.11.1-8Dan Walsh 3.11.1-7Dan Walsh 3.11.1-6Miroslav Grepl 3.11.1-5Miroslav Grepl 3.11.1-4Miroslav Grepl 3.11.1-3Miroslav Grepl 3.11.1-2Miroslav Grepl 3.11.1-1Miroslav Grepl 3.11.1-0Miroslav Grepl 3.11.0-15Miroslav Grepl 3.11.0-14Miroslav Grepl 3.11.0-13Miroslav Grepl 3.11.0-12Fedora Release Engineering - 3.11.0-11Miroslav Grepl 3.11.0-10Miroslav Grepl 3.11.0-9Miroslav Grepl 3.11.0-8Miroslav Grepl 3.11.0-7Miroslav Grepl 3.11.0-6Miroslav Grepl 3.11.0-5Miroslav Grepl 3.11.0-4Miroslav Grepl 3.11.0-3Miroslav Grepl 3.11.0-2Miroslav Grepl 3.11.0-1Miroslav Grepl 3.10.0-128Miroslav Grepl 3.10.0-127Miroslav Grepl 3.10.0-126Miroslav Grepl 3.10.0-125Miroslav Grepl 3.10.0-124Miroslav Grepl 3.10.0-123Miroslav Grepl 3.10.0-122Miroslav Grepl 3.10.0-121Miroslav Grepl 3.10.0-120Miroslav Grepl 3.10.0-119Miroslav Grepl 3.10.0-118Miroslav Grepl 3.10.0-117Miroslav Grepl 3.10.0-116Miroslav Grepl 3.10.0-115Miroslav Grepl 3.10.0-114Miroslav Grepl 3.10.0-113Miroslav Grepl 3.10.0-112Miroslav Grepl 3.10.0-111Miroslav Grepl 3.10.0-110Miroslav Grepl 3.10.0-109Miroslav Grepl 3.10.0-108Miroslav Grepl 3.10.0-107Miroslav Grepl 3.10.0-106Miroslav Grepl 3.10.0-105Miroslav Grepl 3.10.0-104Miroslav Grepl 3.10.0-103Miroslav Grepl 3.10.0-102Miroslav Grepl 3.10.0-101Miroslav Grepl 3.10.0-100Miroslav Grepl 3.10.0-99Miroslav Grepl 3.10.0-98Miroslav Grepl 3.10.0-97Miroslav Grepl 3.10.0-96Miroslav Grepl 3.10.0-95Miroslav Grepl 3.10.0-94Miroslav Grepl 3.10.0-93Miroslav Grepl 3.10.0-92Miroslav Grepl 3.10.0-91Miroslav Grepl 3.10.0-90Miroslav Grepl 3.10.0-89Miroslav Grepl 3.10.0-88Miroslav Grepl 3.10.0-87Miroslav Grepl 3.10.0-86Miroslav Grepl 3.10.0-85Miroslav Grepl 3.10.0-84Miroslav Grepl 3.10.0-83Miroslav Grepl 3.10.0-82Dan Walsh 3.10.0-81.2Miroslav Grepl 3.10.0-81Miroslav Grepl 3.10.0-80Miroslav Grepl 3.10.0-79Miroslav Grepl 3.10.0-78Miroslav Grepl 3.10.0-77Miroslav Grepl 3.10.0-76Miroslav Grepl 3.10.0-75Dan Walsh 3.10.0-74.2Miroslav Grepl 3.10.0-74Miroslav Grepl 3.10.0-73Miroslav Grepl 3.10.0-72Miroslav Grepl 3.10.0-71Miroslav Grepl 3.10.0-70Miroslav Grepl 3.10.0-69Miroslav Grepl 3.10.0-68Miroslav Grepl 3.10.0-67Miroslav Grepl 3.10.0-66Miroslav Grepl 3.10.0-65Miroslav Grepl 3.10.0-64Miroslav Grepl 3.10.0-63Miroslav Grepl 3.10.0-59Miroslav Grepl 3.10.0-58Dan Walsh 3.10.0-57Dan Walsh 3.10.0-56Dan Walsh 3.10.0-55.2Dan Walsh 3.10.0-55.1Miroslav Grepl 3.10.0-55Dan Walsh 3.10.0-54.1Miroslav Grepl 3.10.0-54Dan Walsh 3.10.0-53.1Miroslav Grepl 3.10.0-53Miroslav Grepl 3.10.0-52Miroslav Grepl 3.10.0-51Dan Walsh 3.10.0-50.2Dan Walsh 3.10.0-50.1Miroslav Grepl 3.10.0-50Miroslav Grepl 3.10.0-49Miroslav Grepl 3.10.0-48Miroslav Grepl 3.10.0-47Dan Walsh 3.10.0-46.1Miroslav Grepl 3.10.0-46Dan Walsh 3.10.0-45.1Miroslav Grepl 3.10.0-45Miroslav Grepl 3.10.0-43Miroslav Grepl 3.10.0-42Miroslav Grepl 3.10.0-41Dan Walsh 3.10.0-40.2Miroslav Grepl 3.10.0-40Dan Walsh 3.10.0-39.3Dan Walsh 3.10.0-39.2Dan Walsh 3.10.0-39.1Miroslav Grepl 3.10.0-39Dan Walsh 3.10.0-38.1Miroslav Grepl 3.10.0-38Miroslav Grepl 3.10.0-37Dan Walsh 3.10.0-36.1Miroslav Grepl 3.10.0-36Dan Walsh 3.10.0-35Dan Walsh 3.10.0-34.7Dan Walsh 3.10.0-34.6Dan Walsh 3.10.0-34.4Miroslav Grepl 3.10.0-34.3Dan Walsh 3.10.0-34.2Dan Walsh 3.10.0-34.1Miroslav Grepl 3.10.0-34Miroslav Grepl 3.10.0-33Dan Walsh 3.10.0-31.1Miroslav Grepl 3.10.0-31Miroslav Grepl 3.10.0-29Miroslav Grepl 3.10.0-28Miroslav Grepl 3.10.0-27Miroslav Grepl 3.10.0-26Miroslav Grepl 3.10.0-25Miroslav Grepl 3.10.0-24Miroslav Grepl 3.10.0-23Miroslav Grepl 3.10.0-22Miroslav Grepl 3.10.0-21Dan Walsh 3.10.0-20Miroslav Grepl 3.10.0-19Miroslav Grepl 3.10.0-18Miroslav Grepl 3.10.0-17Miroslav Grepl 3.10.0-16Miroslav Grepl 3.10.0-14Miroslav Grepl 3.10.0-13Miroslav Grepl 3.10.0-12Miroslav Grepl 3.10.0-11Miroslav Grepl 3.10.0-10Miroslav Grepl 3.10.0-9Miroslav Grepl 3.10.0-8Miroslav Grepl 3.10.0-7Miroslav Grepl 3.10.0-6Miroslav Grepl 3.10.0-5Miroslav Grepl 3.10.0-4Miroslav Grepl 3.10.0-3Miroslav Grepl 3.10.0-2Miroslav Grepl 3.10.0-1Miroslav Grepl 3.9.16-30Dan Walsh 3.9.16-29.1Miroslav Grepl 3.9.16-29Dan Walsh 3.9.16-28.1Miroslav Grepl 3.9.16-27Miroslav Grepl 3.9.16-26Miroslav Grepl 3.9.16-25Miroslav Grepl 3.9.16-24Miroslav Grepl 3.9.16-23Miroslav Grepl 3.9.16-22Miroslav Grepl 3.9.16-21Miroslav Grepl 3.9.16-20Miroslav Grepl 3.9.16-19Miroslav Grepl 3.9.16-18Miroslav Grepl 3.9.16-17Dan Walsh 3.9.16-16.1Miroslav Grepl 3.9.16-16Miroslav Grepl 3.9.16-15Miroslav Grepl 3.9.16-14Miroslav Grepl 3.9.16-13Miroslav Grepl 3.9.16-12Miroslav Grepl 3.9.16-11Miroslav Grepl 3.9.16-10Miroslav Grepl 3.9.16-7Miroslav Grepl 3.9.16-6Miroslav Grepl 3.9.16-5Miroslav Grepl 3.9.16-4Miroslav Grepl 3.9.16-3Miroslav Grepl 3.9.16-2Miroslav Grepl 3.9.16-1Miroslav Grepl 3.9.15-5Miroslav Grepl 3.9.15-2Miroslav Grepl 3.9.15-1Fedora Release Engineering - 3.9.14-2Dan Walsh 3.9.14-1Miroslav Grepl 3.9.13-10Miroslav Grepl 3.9.13-9Dan Walsh 3.9.13-8Miroslav Grepl 3.9.13-7Miroslav Grepl 3.9.13-6Miroslav Grepl 3.9.13-5Miroslav Grepl 3.9.13-4Miroslav Grepl 3.9.13-3Miroslav Grepl 3.9.13-2Miroslav Grepl 3.9.13-1Miroslav Grepl 3.9.12-8Miroslav Grepl 3.9.12-7Miroslav Grepl 3.9.12-6Miroslav Grepl 3.9.12-5Dan Walsh 3.9.12-4Dan Walsh 3.9.12-3Dan Walsh 3.9.12-2Miroslav Grepl 3.9.12-1Dan Walsh 3.9.11-2Miroslav Grepl 3.9.11-1Miroslav Grepl 3.9.10-13Dan Walsh 3.9.10-12Miroslav Grepl 3.9.10-11Miroslav Grepl 3.9.10-10Miroslav Grepl 3.9.10-9Miroslav Grepl 3.9.10-8Miroslav Grepl 3.9.10-7Miroslav Grepl 3.9.10-6Miroslav Grepl 3.9.10-5Dan Walsh 3.9.10-4Miroslav Grepl 3.9.10-3Miroslav Grepl 3.9.10-2Miroslav Grepl 3.9.10-1Miroslav Grepl 3.9.9-4Dan Walsh 3.9.9-3Miroslav Grepl 3.9.9-2Miroslav Grepl 3.9.9-1Miroslav Grepl 3.9.8-7Dan Walsh 3.9.8-6Miroslav Grepl 3.9.8-5Miroslav Grepl 3.9.8-4Dan Walsh 3.9.8-3Dan Walsh 3.9.8-2Dan Walsh 3.9.8-1Dan Walsh 3.9.7-10Dan Walsh 3.9.7-9Dan Walsh 3.9.7-8Dan Walsh 3.9.7-7Dan Walsh 3.9.7-6Dan Walsh 3.9.7-5Dan Walsh 3.9.7-4Dan Walsh 3.9.7-3Dan Walsh 3.9.7-2Dan Walsh 3.9.7-1Dan Walsh 3.9.6-3Dan Walsh 3.9.6-2Dan Walsh 3.9.6-1Dan Walsh 3.9.5-11Dan Walsh 3.9.5-10Dan Walsh 3.9.5-9Dan Walsh 3.9.5-8Dan Walsh 3.9.5-7Dan Walsh 3.9.5-6Dan Walsh 3.9.5-5Dan Walsh 3.9.5-4Dan Walsh 3.9.5-3Dan Walsh 3.9.5-2Dan Walsh 3.9.5-1Dan Walsh 3.9.4-3Dan Walsh 3.9.4-2Dan Walsh 3.9.4-1Dan Walsh 3.9.3-4Dan Walsh 3.9.3-3Dan Walsh 3.9.3-2Dan Walsh 3.9.3-1Dan Walsh 3.9.2-1Dan Walsh 3.9.1-3Dan Walsh 3.9.1-2Dan Walsh 3.9.1-1Dan Walsh 3.9.0-2Dan Walsh 3.9.0-1Dan Walsh 3.8.8-21Dan Walsh 3.8.8-20Dan Walsh 3.8.8-19Dan Walsh 3.8.8-18Dan Walsh 3.8.8-17Dan Walsh 3.8.8-16Dan Walsh 3.8.8-15Dan Walsh 3.8.8-14Dan Walsh 3.8.8-13Dan Walsh 3.8.8-12Dan Walsh 3.8.8-11Dan Walsh 3.8.8-10Dan Walsh 3.8.8-9Dan Walsh 3.8.8-8Dan Walsh 3.8.8-7Dan Walsh 3.8.8-6Dan Walsh 3.8.8-5Dan Walsh 3.8.8-4Dan Walsh 3.8.8-3Dan Walsh 3.8.8-2Dan Walsh 3.8.8-1Dan Walsh 3.8.7-3Dan Walsh 3.8.7-2Dan Walsh 3.8.7-1Dan Walsh 3.8.6-3Miroslav Grepl 3.8.6-2Dan Walsh 3.8.6-1Dan Walsh 3.8.5-1Dan Walsh 3.8.4-1Dan Walsh 3.8.3-4Dan Walsh 3.8.3-3Dan Walsh 3.8.3-2Dan Walsh 3.8.3-1Dan Walsh 3.8.2-1Dan Walsh 3.8.1-5Dan Walsh 3.8.1-4Dan Walsh 3.8.1-3Dan Walsh 3.8.1-2Dan Walsh 3.8.1-1Dan Walsh 3.7.19-22Dan Walsh 3.7.19-21Dan Walsh 3.7.19-20Dan Walsh 3.7.19-19Dan Walsh 3.7.19-17Dan Walsh 3.7.19-16Dan Walsh 3.7.19-15Dan Walsh 3.7.19-14Dan Walsh 3.7.19-13Dan Walsh 3.7.19-12Dan Walsh 3.7.19-11Dan Walsh 3.7.19-10Dan Walsh 3.7.19-9Dan Walsh 3.7.19-8Dan Walsh 3.7.19-7Dan Walsh 3.7.19-6Dan Walsh 3.7.19-5Dan Walsh 3.7.19-4Dan Walsh 3.7.19-3Dan Walsh 3.7.19-2Dan Walsh 3.7.19-1Dan Walsh 3.7.18-3Dan Walsh 3.7.18-2Dan Walsh 3.7.18-1Dan Walsh 3.7.17-6Dan Walsh 3.7.17-5Dan Walsh 3.7.17-4Dan Walsh 3.7.17-3Dan Walsh 3.7.17-2Dan Walsh 3.7.17-1Dan Walsh 3.7.16-2Dan Walsh 3.7.16-1Dan Walsh 3.7.15-4Dan Walsh 3.7.15-3Dan Walsh 3.7.15-2Dan Walsh 3.7.15-1Dan Walsh 3.7.14-5Dan Walsh 3.7.14-4Dan Walsh 3.7.14-3Dan Walsh 3.7.14-2Dan Walsh 3.7.14-1Dan Walsh 3.7.13-4Dan Walsh 3.7.13-3Dan Walsh 3.7.13-2Dan Walsh 3.7.13-1Dan Walsh 3.7.12-1Dan Walsh 3.7.11-1Dan Walsh 3.7.10-5Dan Walsh 3.7.10-4Dan Walsh 3.7.10-3Dan Walsh 3.7.10-2Dan Walsh 3.7.10-1Dan Walsh 3.7.9-4Dan Walsh 3.7.9-3Dan Walsh 3.7.9-2Dan Walsh 3.7.9-1Dan Walsh 3.7.8-11Dan Walsh 3.7.8-9Dan Walsh 3.7.8-8Dan Walsh 3.7.8-7Dan Walsh 3.7.8-6Dan Walsh 3.7.8-5Dan Walsh 3.7.8-4Dan Walsh 3.7.8-3Dan Walsh 3.7.8-2Dan Walsh 3.7.8-1Dan Walsh 3.7.7-3Dan Walsh 3.7.7-2Dan Walsh 3.7.7-1Dan Walsh 3.7.6-1Dan Walsh 3.7.5-8Dan Walsh 3.7.5-7Dan Walsh 3.7.5-6Dan Walsh 3.7.5-5Dan Walsh 3.7.5-4Dan Walsh 3.7.5-3Dan Walsh 3.7.5-2Dan Walsh 3.7.5-1Dan Walsh 3.7.4-4Dan Walsh 3.7.4-3Dan Walsh 3.7.4-2Dan Walsh 3.7.4-1Dan Walsh 3.7.3-1Dan Walsh 3.7.1-1Dan Walsh 3.6.33-2Dan Walsh 3.6.33-1Dan Walsh 3.6.32-17Dan Walsh 3.6.32-16Dan Walsh 3.6.32-15Dan Walsh 3.6.32-13Dan Walsh 3.6.32-12Dan Walsh 3.6.32-11Dan Walsh 3.6.32-10Dan Walsh 3.6.32-9Dan Walsh 3.6.32-8Dan Walsh 3.6.32-7Dan Walsh 3.6.32-6Dan Walsh 3.6.32-5Dan Walsh 3.6.32-4Dan Walsh 3.6.32-3Dan Walsh 3.6.32-2Dan Walsh 3.6.32-1Dan Walsh 3.6.31-5Dan Walsh 3.6.31-4Dan Walsh 3.6.31-3Dan Walsh 3.6.31-2Dan Walsh 3.6.30-6Dan Walsh 3.6.30-5Dan Walsh 3.6.30-4Dan Walsh 3.6.30-3Dan Walsh 3.6.30-2Dan Walsh 3.6.30-1Dan Walsh 3.6.29-2Dan Walsh 3.6.29-1Dan Walsh 3.6.28-9Dan Walsh 3.6.28-8Dan Walsh 3.6.28-7Dan Walsh 3.6.28-6Dan Walsh 3.6.28-5Dan Walsh 3.6.28-4Dan Walsh 3.6.28-3Dan Walsh 3.6.28-2Dan Walsh 3.6.28-1Dan Walsh 3.6.27-1Dan Walsh 3.6.26-11Dan Walsh 3.6.26-10Dan Walsh 3.6.26-9Bill Nottingham 3.6.26-8Dan Walsh 3.6.26-7Dan Walsh 3.6.26-6Dan Walsh 3.6.26-5Dan Walsh 3.6.26-4Dan Walsh 3.6.26-3Dan Walsh 3.6.26-2Dan Walsh 3.6.26-1Dan Walsh 3.6.25-1Dan Walsh 3.6.24-1Dan Walsh 3.6.23-2Dan Walsh 3.6.23-1Dan Walsh 3.6.22-3Dan Walsh 3.6.22-1Dan Walsh 3.6.21-4Dan Walsh 3.6.21-3Tom "spot" Callaway 3.6.21-2Dan Walsh 3.6.21-1Dan Walsh 3.6.20-2Dan Walsh 3.6.20-1Dan Walsh 3.6.19-5Dan Walsh 3.6.19-4Dan Walsh 3.6.19-3Dan Walsh 3.6.19-2Dan Walsh 3.6.19-1Dan Walsh 3.6.18-1Dan Walsh 3.6.17-1Dan Walsh 3.6.16-4Dan Walsh 3.6.16-3Dan Walsh 3.6.16-2Dan Walsh 3.6.16-1Dan Walsh 3.6.14-3Dan Walsh 3.6.14-2Dan Walsh 3.6.14-1Dan Walsh 3.6.13-3Dan Walsh 3.6.13-2Dan Walsh 3.6.13-1Dan Walsh 3.6.12-39Dan Walsh 3.6.12-38Dan Walsh 3.6.12-37Dan Walsh 3.6.12-36Dan Walsh 3.6.12-35Dan Walsh 3.6.12-34Dan Walsh 3.6.12-33Dan Walsh 3.6.12-31Dan Walsh 3.6.12-30Dan Walsh 3.6.12-29Dan Walsh 3.6.12-28Dan Walsh 3.6.12-27Dan Walsh 3.6.12-26Dan Walsh 3.6.12-25Dan Walsh 3.6.12-24Dan Walsh 3.6.12-23Dan Walsh 3.6.12-22Dan Walsh 3.6.12-21Dan Walsh 3.6.12-20Dan Walsh 3.6.12-19Dan Walsh 3.6.12-16Dan Walsh 3.6.12-15Dan Walsh 3.6.12-14Dan Walsh 3.6.12-13Dan Walsh 3.6.12-12Dan Walsh 3.6.12-11Dan Walsh 3.6.12-10Dan Walsh 3.6.12-9Dan Walsh 3.6.12-8Dan Walsh 3.6.12-7Dan Walsh 3.6.12-6Dan Walsh 3.6.12-5Dan Walsh 3.6.12-4Dan Walsh 3.6.12-3Dan Walsh 3.6.12-2Dan Walsh 3.6.12-1Dan Walsh 3.6.11-1Dan Walsh 3.6.10-9Dan Walsh 3.6.10-8Dan Walsh 3.6.10-7Dan Walsh 3.6.10-6Dan Walsh 3.6.10-5Dan Walsh 3.6.10-4Dan Walsh 3.6.10-3Dan Walsh 3.6.10-2Dan Walsh 3.6.10-1Dan Walsh 3.6.9-4Dan Walsh 3.6.9-3Dan Walsh 3.6.9-2Dan Walsh 3.6.9-1Dan Walsh 3.6.8-4Dan Walsh 3.6.8-3Dan Walsh 3.6.8-2Dan Walsh 3.6.8-1Dan Walsh 3.6.7-2Dan Walsh 3.6.7-1Dan Walsh 3.6.6-9Dan Walsh 3.6.6-8Fedora Release Engineering - 3.6.6-7Dan Walsh 3.6.6-6Dan Walsh 3.6.6-5Dan Walsh 3.6.6-4Dan Walsh 3.6.6-3Dan Walsh 3.6.6-2Dan Walsh 3.6.6-1Dan Walsh 3.6.5-3Dan Walsh 3.6.5-1Dan Walsh 3.6.4-6Dan Walsh 3.6.4-5Dan Walsh 3.6.4-4Dan Walsh 3.6.4-3Dan Walsh 3.6.4-2Dan Walsh 3.6.4-1Dan Walsh 3.6.3-13Dan Walsh 3.6.3-12Dan Walsh 3.6.3-11Dan Walsh 3.6.3-10Dan Walsh 3.6.3-9Dan Walsh 3.6.3-8Dan Walsh 3.6.3-7Dan Walsh 3.6.3-6Dan Walsh 3.6.3-3Dan Walsh 3.6.3-2Dan Walsh 3.6.3-1Dan Walsh 3.6.2-5Dan Walsh 3.6.2-4Dan Walsh 3.6.2-3Dan Walsh 3.6.2-2Dan Walsh 3.6.2-1Dan Walsh 3.6.1-15Dan Walsh 3.6.1-14Dan Walsh 3.6.1-13Dan Walsh 3.6.1-12Dan Walsh 3.6.1-11Dan Walsh 3.6.1-10Dan Walsh 3.6.1-9Dan Walsh 3.6.1-8Dan Walsh 3.6.1-7Dan Walsh 3.6.1-4Ignacio Vazquez-Abrams - 3.6.1-2Dan Walsh 3.5.13-19Dan Walsh 3.5.13-18Dan Walsh 3.5.13-17Dan Walsh 3.5.13-16Dan Walsh 3.5.13-15Dan Walsh 3.5.13-14Dan Walsh 3.5.13-13Dan Walsh 3.5.13-12Dan Walsh 3.5.13-11Dan Walsh 3.5.13-9Dan Walsh 3.5.13-8Dan Walsh 3.5.13-7Dan Walsh 3.5.13-6Dan Walsh 3.5.13-5Dan Walsh 3.5.13-4Dan Walsh 3.5.13-3Dan Walsh 3.5.13-2Dan Walsh 3.5.13-1Dan Walsh 3.5.12-3Dan Walsh 3.5.12-2Dan Walsh 3.5.12-1Dan Walsh 3.5.11-1Dan Walsh 3.5.10-3Dan Walsh 3.5.10-2Dan Walsh 3.5.10-1Dan Walsh 3.5.9-4Dan Walsh 3.5.9-3Dan Walsh 3.5.9-2Dan Walsh 3.5.9-1Dan Walsh 3.5.8-7Dan Walsh 3.5.8-6Dan Walsh 3.5.8-5Dan Walsh 3.5.8-4Dan Walsh 3.5.8-3Dan Walsh 3.5.8-1Dan Walsh 3.5.7-2Dan Walsh 3.5.7-1Dan Walsh 3.5.6-2Dan Walsh 3.5.6-1Dan Walsh 3.5.5-4Dan Walsh 3.5.5-3Dan Walsh 3.5.5-2Dan Walsh 3.5.4-2Dan Walsh 3.5.4-1Dan Walsh 3.5.3-1Dan Walsh 3.5.2-2Dan Walsh 3.5.1-5Dan Walsh 3.5.1-4Dan Walsh 3.5.1-3Dan Walsh 3.5.1-2Dan Walsh 3.5.1-1Dan Walsh 3.5.0-1Dan Walsh 3.4.2-14Dan Walsh 3.4.2-13Dan Walsh 3.4.2-12Dan Walsh 3.4.2-11Dan Walsh 3.4.2-10Dan Walsh 3.4.2-9Dan Walsh 3.4.2-8Dan Walsh 3.4.2-7Dan Walsh 3.4.2-6Dan Walsh 3.4.2-5Dan Walsh 3.4.2-4Dan Walsh 3.4.2-3Dan Walsh 3.4.2-2Dan Walsh 3.4.2-1Dan Walsh 3.4.1-5Dan Walsh 3.4.1-3Dan Walsh 3.4.1-2Dan Walsh 3.4.1-1Dan Walsh 3.3.1-48Dan Walsh 3.3.1-47Dan Walsh 3.3.1-46Dan Walsh 3.3.1-45Dan Walsh 3.3.1-44Dan Walsh 3.3.1-43Dan Walsh 3.3.1-42Dan Walsh 3.3.1-41Dan Walsh 3.3.1-39Dan Walsh 3.3.1-37Dan Walsh 3.3.1-36Dan Walsh 3.3.1-33Dan Walsh 3.3.1-32Dan Walsh 3.3.1-31Dan Walsh 3.3.1-30Dan Walsh 3.3.1-29Dan Walsh 3.3.1-28Dan Walsh 3.3.1-27Dan Walsh 3.3.1-26Dan Walsh 3.3.1-25Dan Walsh 3.3.1-24Dan Walsh 3.3.1-23Dan Walsh 3.3.1-22Dan Walsh 3.3.1-21Dan Walsh 3.3.1-20Dan Walsh 3.3.1-19Dan Walsh 3.3.1-18Dan Walsh 3.3.1-17Dan Walsh 3.3.1-16Dan Walsh 3.3.1-15Bill Nottingham 3.3.1-14Dan Walsh 3.3.1-13Dan Walsh 3.3.1-12Dan Walsh 3.3.1-11Dan Walsh 3.3.1-10Dan Walsh 3.3.1-9Dan Walsh 3.3.1-8Dan Walsh 3.3.1-6Dan Walsh 3.3.1-5Dan Walsh 3.3.1-4Dan Walsh 3.3.1-2Dan Walsh 3.3.1-1Dan Walsh 3.3.0-2Dan Walsh 3.3.0-1Dan Walsh 3.2.9-2Dan Walsh 3.2.9-1Dan Walsh 3.2.8-2Dan Walsh 3.2.8-1Dan Walsh 3.2.7-6Dan Walsh 3.2.7-5Dan Walsh 3.2.7-3Dan Walsh 3.2.7-2Dan Walsh 3.2.7-1Dan Walsh 3.2.6-7Dan Walsh 3.2.6-6Dan Walsh 3.2.6-5Dan Walsh 3.2.6-4Dan Walsh 3.2.6-3Dan Walsh 3.2.6-2Dan Walsh 3.2.6-1Dan Walsh 3.2.5-25Dan Walsh 3.2.5-24Dan Walsh 3.2.5-22Dan Walsh 3.2.5-21Dan Walsh 3.2.5-20Dan Walsh 3.2.5-19Dan Walsh 3.2.5-18Dan Walsh 3.2.5-17Dan Walsh 3.2.5-16Dan Walsh 3.2.5-15Dan Walsh 3.2.5-14Dan Walsh 3.2.5-13Dan Walsh 3.2.5-12Dan Walsh 3.2.5-11Dan Walsh 3.2.5-10Dan Walsh 3.2.5-9Dan Walsh 3.2.5-8Dan Walsh 3.2.5-7Dan Walsh 3.2.5-6Dan Walsh 3.2.5-5Dan Walsh 3.2.5-4Dan Walsh 3.2.5-3Dan Walsh 3.2.5-2Dan Walsh 3.2.5-1Dan Walsh 3.2.4-5Dan Walsh 3.2.4-4Dan Walsh 3.2.4-3Dan Walsh 3.2.4-1Dan Walsh 3.2.4-1Dan Walsh 3.2.3-2Dan Walsh 3.2.3-1Dan Walsh 3.2.2-1Dan Walsh 3.2.1-3Dan Walsh 3.2.1-1Dan Walsh 3.1.2-2Dan Walsh 3.1.2-1Dan Walsh 3.1.1-1Dan Walsh 3.1.0-1Dan Walsh 3.0.8-30Dan Walsh 3.0.8-28Dan Walsh 3.0.8-27Dan Walsh 3.0.8-26Dan Walsh 3.0.8-25Dan Walsh 3.0.8-24Dan Walsh 3.0.8-23Dan Walsh 3.0.8-22Dan Walsh 3.0.8-21Dan Walsh 3.0.8-20Dan Walsh 3.0.8-19Dan Walsh 3.0.8-18Dan Walsh 3.0.8-17Dan Walsh 3.0.8-16Dan Walsh 3.0.8-15Dan Walsh 3.0.8-14Dan Walsh 3.0.8-13Dan Walsh 3.0.8-12Dan Walsh 3.0.8-11Dan Walsh 3.0.8-10Dan Walsh 3.0.8-9Dan Walsh 3.0.8-8Dan Walsh 3.0.8-7Dan Walsh 3.0.8-5Dan Walsh 3.0.8-4Dan Walsh 3.0.8-3Dan Walsh 3.0.8-2Dan Walsh 3.0.8-1Dan Walsh 3.0.7-10Dan Walsh 3.0.7-9Dan Walsh 3.0.7-8Dan Walsh 3.0.7-7Dan Walsh 3.0.7-6Dan Walsh 3.0.7-5Dan Walsh 3.0.7-4Dan Walsh 3.0.7-3Dan Walsh 3.0.7-2Dan Walsh 3.0.7-1Dan Walsh 3.0.6-3Dan Walsh 3.0.6-2Dan Walsh 3.0.6-1Dan Walsh 3.0.5-11Dan Walsh 3.0.5-10Dan Walsh 3.0.5-9Dan Walsh 3.0.5-8Dan Walsh 3.0.5-7Dan Walsh 3.0.5-6Dan Walsh 3.0.5-5Dan Walsh 3.0.5-4Dan Walsh 3.0.5-3Dan Walsh 3.0.5-2Dan Walsh 3.0.5-1Dan Walsh 3.0.4-6Dan Walsh 3.0.4-5Dan Walsh 3.0.4-4Dan Walsh 3.0.4-3Dan Walsh 3.0.4-2Dan Walsh 3.0.4-1Dan Walsh 3.0.3-6Dan Walsh 3.0.3-5Dan Walsh 3.0.3-4Dan Walsh 3.0.3-3Dan Walsh 3.0.3-2Dan Walsh 3.0.3-1Dan Walsh 3.0.2-9Dan Walsh 3.0.2-8Dan Walsh 3.0.2-7Dan Walsh 3.0.2-5Dan Walsh 3.0.2-4Dan Walsh 3.0.2-3Dan Walsh 3.0.2-2Dan Walsh 3.0.1-5Dan Walsh 3.0.1-4Dan Walsh 3.0.1-3Dan Walsh 3.0.1-2Dan Walsh 3.0.1-1Dan Walsh 2.6.5-3Dan Walsh 2.6.5-2Dan Walsh 2.6.4-7Dan Walsh 2.6.4-6Dan Walsh 2.6.4-5Dan Walsh 2.6.4-2Dan Walsh 2.6.4-1Dan Walsh 2.6.3-1Dan Walsh 2.6.2-1Dan Walsh 2.6.1-4Dan Walsh 2.6.1-2Dan Walsh 2.6.1-1Dan Walsh 2.5.12-12Dan Walsh 2.5.12-11Dan Walsh 2.5.12-10Dan Walsh 2.5.12-8Dan Walsh 2.5.12-5Dan Walsh 2.5.12-4Dan Walsh 2.5.12-3Dan Walsh 2.5.12-2Dan Walsh 2.5.12-1Dan Walsh 2.5.11-8Dan Walsh 2.5.11-7Dan Walsh 2.5.11-6Dan Walsh 2.5.11-5Dan Walsh 2.5.11-4Dan Walsh 2.5.11-3Dan Walsh 2.5.11-2Dan Walsh 2.5.11-1Dan Walsh 2.5.10-2Dan Walsh 2.5.10-1Dan Walsh 2.5.9-6Dan Walsh 2.5.9-5Dan Walsh 2.5.9-4Dan Walsh 2.5.9-3Dan Walsh 2.5.9-2Dan Walsh 2.5.8-8Dan Walsh 2.5.8-7Dan Walsh 2.5.8-6Dan Walsh 2.5.8-5Dan Walsh 2.5.8-4Dan Walsh 2.5.8-3Dan Walsh 2.5.8-2Dan Walsh 2.5.8-1Dan Walsh 2.5.7-1Dan Walsh 2.5.6-1Dan Walsh 2.5.5-2Dan Walsh 2.5.5-1Dan Walsh 2.5.4-2Dan Walsh 2.5.4-1Dan Walsh 2.5.3-3Dan Walsh 2.5.3-2Dan Walsh 2.5.3-1Dan Walsh 2.5.2-6Dan Walsh 2.5.2-5Dan Walsh 2.5.2-4Dan Walsh 2.5.2-3Dan Walsh 2.5.2-2Dan Walsh 2.5.2-1Dan Walsh 2.5.1-5Dan Walsh 2.5.1-4Dan Walsh 2.5.1-2Dan Walsh 2.5.1-1Dan Walsh 2.4.6-20Dan Walsh 2.4.6-19Dan Walsh 2.4.6-18Dan Walsh 2.4.6-17Dan Walsh 2.4.6-16Dan Walsh 2.4.6-15Dan Walsh 2.4.6-14Dan Walsh 2.4.6-13Dan Walsh 2.4.6-12Dan Walsh 2.4.6-11Dan Walsh 2.4.6-10Dan Walsh 2.4.6-9Dan Walsh 2.4.6-8Dan Walsh 2.4.6-7Dan Walsh 2.4.6-6Dan Walsh 2.4.6-5Dan Walsh 2.4.6-4Dan Walsh 2.4.6-3Dan Walsh 2.4.6-1Dan Walsh 2.4.5-4Dan Walsh 2.4.5-3Dan Walsh 2.4.5-2Dan Walsh 2.4.5-1Dan Walsh 2.4.4-2Dan Walsh 2.4.4-2Dan Walsh 2.4.4-1Dan Walsh 2.4.3-13Dan Walsh 2.4.3-12Dan Walsh 2.4.3-11Dan Walsh 2.4.3-10Dan Walsh 2.4.3-9Dan Walsh 2.4.3-8Dan Walsh 2.4.3-7Dan Walsh 2.4.3-6Dan Walsh 2.4.3-5Dan Walsh 2.4.3-4Dan Walsh 2.4.3-3Dan Walsh 2.4.3-2Dan Walsh 2.4.3-1Dan Walsh 2.4.2-8Dan Walsh 2.4.2-7James Antill 2.4.2-6Dan Walsh 2.4.2-5Dan Walsh 2.4.2-4Dan Walsh 2.4.2-3Dan Walsh 2.4.2-2Dan Walsh 2.4.2-1Dan Walsh 2.4.1-5Dan Walsh 2.4.1-4Dan Walsh 2.4.1-3Dan Walsh 2.4.1-2Dan Walsh 2.4-4Dan Walsh 2.4-3Dan Walsh 2.4-2Dan Walsh 2.4-1Dan Walsh 2.3.19-4Dan Walsh 2.3.19-3Dan Walsh 2.3.19-2Dan Walsh 2.3.19-1James Antill 2.3.18-10James Antill 2.3.18-9Dan Walsh 2.3.18-8Dan Walsh 2.3.18-7Dan Walsh 2.3.18-6Dan Walsh 2.3.18-5Dan Walsh 2.3.18-4Dan Walsh 2.3.18-3Dan Walsh 2.3.18-2Dan Walsh 2.3.18-1Dan Walsh 2.3.17-2Dan Walsh 2.3.17-1Dan Walsh 2.3.16-9Dan Walsh 2.3.16-8Dan Walsh 2.3.16-7Dan Walsh 2.3.16-6Dan Walsh 2.3.16-5Dan Walsh 2.3.16-4Dan Walsh 2.3.16-2Dan Walsh 2.3.16-1Dan Walsh 2.3.15-2Dan Walsh 2.3.15-1Dan Walsh 2.3.14-8Dan Walsh 2.3.14-7Dan Walsh 2.3.14-6Dan Walsh 2.3.14-4Dan Walsh 2.3.14-3Dan Walsh 2.3.14-2Dan Walsh 2.3.14-1Dan Walsh 2.3.13-6Dan Walsh 2.3.13-5Dan Walsh 2.3.13-4Dan Walsh 2.3.13-3Dan Walsh 2.3.13-2Dan Walsh 2.3.13-1Dan Walsh 2.3.12-2Dan Walsh 2.3.12-1Dan Walsh 2.3.11-1Dan Walsh 2.3.10-7Dan Walsh 2.3.10-6Dan Walsh 2.3.10-3Dan Walsh 2.3.10-1Dan Walsh 2.3.9-6Dan Walsh 2.3.9-5Dan Walsh 2.3.9-4Dan Walsh 2.3.9-3Dan Walsh 2.3.9-2Dan Walsh 2.3.9-1Dan Walsh 2.3.8-2Dan Walsh 2.3.7-1Dan Walsh 2.3.6-4Dan Walsh 2.3.6-3Dan Walsh 2.3.6-2Dan Walsh 2.3.6-1Dan Walsh 2.3.5-1Dan Walsh 2.3.4-1Dan Walsh 2.3.3-20Dan Walsh 2.3.3-19Dan Walsh 2.3.3-18Dan Walsh 2.3.3-17Dan Walsh 2.3.3-16Dan Walsh 2.3.3-15Dan Walsh 2.3.3-14Dan Walsh 2.3.3-13Dan Walsh 2.3.3-12Dan Walsh 2.3.3-11Dan Walsh 2.3.3-10Dan Walsh 2.3.3-9Dan Walsh 2.3.3-8Dan Walsh 2.3.3-7Dan Walsh 2.3.3-6Dan Walsh 2.3.3-5Dan Walsh 2.3.3-4Dan Walsh 2.3.3-3Dan Walsh 2.3.3-2Dan Walsh 2.3.3-1Dan Walsh 2.3.2-4Dan Walsh 2.3.2-3Dan Walsh 2.3.2-2Dan Walsh 2.3.2-1Dan Walsh 2.3.1-1Dan Walsh 2.2.49-1Dan Walsh 2.2.48-1Dan Walsh 2.2.47-5Dan Walsh 2.2.47-4Dan Walsh 2.2.47-3Dan Walsh 2.2.47-1Dan Walsh 2.2.46-2Dan Walsh 2.2.46-1Dan Walsh 2.2.45-3Dan Walsh 2.2.45-2Dan Walsh 2.2.45-1Dan Walsh 2.2.44-1Dan Walsh 2.2.43-4Dan Walsh 2.2.43-3Dan Walsh 2.2.43-2Dan Walsh 2.2.43-1Dan Walsh 2.2.42-4Dan Walsh 2.2.42-3Dan Walsh 2.2.42-2Dan Walsh 2.2.42-1Dan Walsh 2.2.41-1Dan Walsh 2.2.40-2Dan Walsh 2.2.40-1Dan Walsh 2.2.39-2Dan Walsh 2.2.39-1Dan Walsh 2.2.38-6Dan Walsh 2.2.38-5Dan Walsh 2.2.38-4Dan Walsh 2.2.38-3Dan Walsh 2.2.38-2Dan Walsh 2.2.38-1Dan Walsh 2.2.37-1Dan Walsh 2.2.36-2Dan Walsh 2.2.36-1James Antill 2.2.35-2Dan Walsh 2.2.35-1Dan Walsh 2.2.34-3Dan Walsh 2.2.34-2Dan Walsh 2.2.34-1Dan Walsh 2.2.33-1Dan Walsh 2.2.32-2Dan Walsh 2.2.32-1Dan Walsh 2.2.31-1Dan Walsh 2.2.30-2Dan Walsh 2.2.30-1Dan Walsh 2.2.29-6Russell Coker 2.2.29-5Dan Walsh 2.2.29-4Dan Walsh 2.2.29-3Dan Walsh 2.2.29-2Dan Walsh 2.2.29-1Dan Walsh 2.2.28-3Dan Walsh 2.2.28-2Dan Walsh 2.2.28-1Dan Walsh 2.2.27-1Dan Walsh 2.2.25-3Dan Walsh 2.2.25-2Dan Walsh 2.2.24-1Dan Walsh 2.2.23-19Dan Walsh 2.2.23-18Dan Walsh 2.2.23-17Karsten Hopp 2.2.23-16Dan Walsh 2.2.23-15Dan Walsh 2.2.23-14Dan Walsh 2.2.23-13Dan Walsh 2.2.23-12Jeremy Katz - 2.2.23-11Jeremy Katz - 2.2.23-10Dan Walsh 2.2.23-9Dan Walsh 2.2.23-8Dan Walsh 2.2.23-7Dan Walsh 2.2.23-5Dan Walsh 2.2.23-4Dan Walsh 2.2.23-3Dan Walsh 2.2.23-2Dan Walsh 2.2.23-1Dan Walsh 2.2.22-2Dan Walsh 2.2.22-1Dan Walsh 2.2.21-9Dan Walsh 2.2.21-8Dan Walsh 2.2.21-7Dan Walsh 2.2.21-6Dan Walsh 2.2.21-5Dan Walsh 2.2.21-4Dan Walsh 2.2.21-3Dan Walsh 2.2.21-2Dan Walsh 2.2.21-1Dan Walsh 2.2.20-1Dan Walsh 2.2.19-2Dan Walsh 2.2.19-1Dan Walsh 2.2.18-2Dan Walsh 2.2.18-1Dan Walsh 2.2.17-2Dan Walsh 2.2.16-1Dan Walsh 2.2.15-4Dan Walsh 2.2.15-3Dan Walsh 2.2.15-1Dan Walsh 2.2.14-2Dan Walsh 2.2.14-1Dan Walsh 2.2.13-1Dan Walsh 2.2.12-1Dan Walsh 2.2.11-2Dan Walsh 2.2.11-1Dan Walsh 2.2.10-1Dan Walsh 2.2.9-2Dan Walsh 2.2.9-1Dan Walsh 2.2.8-2Dan Walsh 2.2.7-1Dan Walsh 2.2.6-3Dan Walsh 2.2.6-2Dan Walsh 2.2.6-1Dan Walsh 2.2.5-1Dan Walsh 2.2.4-1Dan Walsh 2.2.3-1Dan Walsh 2.2.2-1Dan Walsh 2.2.1-1Dan Walsh 2.1.13-1Dan Walsh 2.1.12-3Dan Walsh 2.1.11-1Dan Walsh 2.1.10-1Jeremy Katz - 2.1.9-2Dan Walsh 2.1.9-1Dan Walsh 2.1.8-3Dan Walsh 2.1.8-2Dan Walsh 2.1.8-1Dan Walsh 2.1.7-4Dan Walsh 2.1.7-3Dan Walsh 2.1.7-2Dan Walsh 2.1.7-1Dan Walsh 2.1.6-24Dan Walsh 2.1.6-23Dan Walsh 2.1.6-22Dan Walsh 2.1.6-21Dan Walsh 2.1.6-20Dan Walsh 2.1.6-18Dan Walsh 2.1.6-17Dan Walsh 2.1.6-16Dan Walsh 2.1.6-15Dan Walsh 2.1.6-14Dan Walsh 2.1.6-13Dan Walsh 2.1.6-11Dan Walsh 2.1.6-10Dan Walsh 2.1.6-9Dan Walsh 2.1.6-8Dan Walsh 2.1.6-5Dan Walsh 2.1.6-4Dan Walsh 2.1.6-3Dan Walsh 2.1.6-2Dan Walsh 2.1.6-1Dan Walsh 2.1.4-2Dan Walsh 2.1.4-1Dan Walsh 2.1.3-1Jeremy Katz - 2.1.2-3Dan Walsh 2.1.2-2Dan Walsh 2.1.2-1Dan Walsh 2.1.1-3Dan Walsh 2.1.1-2Dan Walsh 2.1.1-1Dan Walsh 2.1.0-3Dan Walsh 2.1.0-2.Dan Walsh 2.1.0-1.Dan Walsh 2.0.11-2.Dan Walsh 2.0.11-1.Dan Walsh 2.0.9-1.Dan Walsh 2.0.8-1.Dan Walsh 2.0.7-3Dan Walsh 2.0.7-2Dan Walsh 2.0.6-2Dan Walsh 2.0.5-4Dan Walsh 2.0.5-1Dan Walsh 2.0.4-1Dan Walsh 2.0.2-2Dan Walsh 2.0.2-1Dan Walsh 2.0.1-2Dan Walsh 2.0.1-1- Update openvswitch policy from Fedora Resolves: rhbz#1538936- Update openvswitch SELinux module Resolves: rhbz#1538936- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t Resolves: rhbz:#1513075- Allow tomcat domain to connect to mssql port Resolves: rhbz#1500697 - Add keepalived domain setpgid capability Resolves: rhbz#1500813- Allow certmonger using systemctl on pki_tomcat unit files Resolves: rhbz#1486552- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc Resolves: rhbz#1485308- Fixing wrong NVR Resolves: rhbz#1479767- Increase NVR Resolves: rhbz#1479767- Allow llpdad send dgram to libvirt Resolves: rhbz#1479767- Add new boolean gluster_use_execmem Resolves: rhbz#1469027 - Allow cluster_t and glusterd_t domains to dbus chat with ganesha service Resolves: rhbz#1468581- Dontaudit staff_t user read admin_home_t files. Resolves: rhbz#1290633- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode Resolves: rhbz#1424621 - Add interface lvm_manage_metadata Resolves: rhbz#1424621- Allow sssd_t to read realmd lib files. Resolves: rhbz#1436689 - Add permission open to files_read_inherited_tmp_files() interface Resolves: rhbz#1290633 Resolves: rhbz#1457106- Allow unconfined_t user all user namespace capabilties. Resolves: rhbz#1461488- Allow httpd_t to read realmd_var_lib_t files Resolves: rhbz#1436689- Allow named_t to bind on udp 4321 port Resolves: rhbz#1312972 - Allow systemd-sysctl cap. sys_ptrace Resolves: rhbz#1458999- Allow pki_tomcat_t execute ldconfig. Resolves: rhbz#1436689- Allow iscsi domain load kernel module. Resolves: rhbz#1457874 - Allow keepalived domain connect to squid tcp port Resolves: rhbz#1457455 - Allow krb5kdc_t domain read realmd lib files. Resolves: rhbz#1436689 - xdm_t should view kernel keys Resolves: rhbz#1432645- Allow tomcat to connect on all unreserved ports - Allow ganesha to connect to all rpc ports Resolves: rhbz#1448090 - Update ganesha with another fixes. Resolves: rhbz#1448090 - Update rpc_read_nfs_state_data() interface to allow read also lnk_files. Resolves: rhbz#1448090 - virt_use_glusterd boolean should be in optional block Update ganesha module to allow create tmp files Resolves: rhbz#1448090 - Hide broken symptoms when machine is configured with network bounding.- Add new boolean virt_use_glusterd Resolves: rhbz#1455994 - Add capability sys_boot for sbd_t domain - Allow sbd_t domain to create rpc sysctls. Resolves: rhbz#1455631 - Allow ganesha_t domain to manage glusterd_var_run_t pid files. Resolves: rhbz#1448090- Create new interface: glusterd_read_lib_files() - Allow ganesha read glusterd lib files. - Allow ganesha read network sysctls Resolves: rhbz#1448090- Add few allow rules to ganesha module Resolves: rhbz#1448090 - Allow condor_master_t to read sysctls. Resolves: rhbz#1277506 - Add dac_override cap to ctdbd_t domain Resolves: rhbz#1435708 - Label 8750 tcp/udp port as dey_keyneg_port_t Resolves: rhbz#1448090- Add ganesha_use_fusefs boolean. Resolves: rhbz#1448090- Allow httpd_t reading kerberos kdc config files Resolves: rhbz#1452215 - Allow tomcat_t domain connect to ibm_dt_2 tcp port. Resolves: rhbz#1447436 - Allow stream connect to initrc_t domains Resolves: rhbz#1447436 - Allow dnsmasq_t domain to read systemd-resolved pid files. Resolves: rhbz#1453114 - Allow tomcat domain name_bind on tcp bctp_port_t Resolves: rhbz#1451757 - Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process. Resolves: rhbz#1447669 - Allow condor_master_t write to sysctl_net_t Resolves: rhbz#1277506 - Allow nagios check disk plugin read /sys/kernel/config/ Resolves: rhbz#1277718 - Allow pcp_pmie_t domain execute systemctl binary Resolves: rhbz#1271998 - Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl Resolves: rhbz#1247635 - Label tcp/udp port 1792 as ibm_dt_2_port_t Resolves: rhbz#1447436 - Add interface fs_read_configfs_dirs() - Add interface fs_read_configfs_files() - Fix systemd_resolved_read_pid interface - Add interface systemd_resolved_read_pid() Resolves: rhbz#1453114 - Allow sshd_net_t domain read/write into crypto devices Resolves: rhbz#1452759 - Label 8999 tcp/udp as bctp_port_t Resolves: rhbz#1451757- nmbd_t needs net_admin capability like smbd Resolves: rhbz#1431859 - Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t Resolves: rhbz#1431859 - Allow rngd domain read sysfs_t Resolves: rhbz#1451735 - Add interface pki_manage_common_files() Resolves: rhbz#1447436 - Allow tomcat_t domain to manage pki_common_t files and dirs Resolves: rhbz#1447436 - Use stricter fc rules for sssd sockets in /var/run Resolves: rhbz#1448060 - Allow certmonger reads httpd_config_t files Resolves: rhbz#1436689 - Allow keepalived_t domain creating netlink_netfilter_socket. Resolves: rhbz#1451684 - Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. Resolves: rhbz#1451318 - Make able deply overcloud via neutron_t to label nsfs as fs_t Resolves: rhbz#1373321- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. Resolves: rhbz#1451318 - Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/ Resolves: rhbz#1448056 Resolves: rhbz#1448060 - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls Resolves: rhbz#1450819 - Make able deply overcloud via neutron_t to label nsfs as fs_t Resolves: rhbz#1373321 - Allow netutils setpcap capability Resolves:1444438- Update targetd policy to accommodate changes in the service Resolves: rhbz#1424621 - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls Resolves: rhbz#1450819 - Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options. Resolves: rhbz#1415841 - Allow radius domain stream connec to postgresql Resolves: rhbz#1446145 - Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit Resolves: rhbz#1449977 - Allow glusterd_t domain start ganesha service Resolves: rhbz#1448090 - Made few cosmetic changes in sssd SELinux module Resolves: rhbz#1448060 - sssd-kcm should not run as unconfined_service_t BZ(1447411) Resolves: rhbz#1448060 - Add sssd_secrets labeling Also add named_filetrans interface to make sure all labels are correct Resolves: rhbz#1448056 - Allow keepalived_t domain read usermodehelper_t Resolves: rhbz#1449769 - Allow tomcat_t domain read pki_common_t files Resolves: rhbz#1447436 - Add interface pki_read_common_files() Resolves: rhbz#1447436- Allow hypervkvp_t domain execute hostname Resolves: rhbz#1449064 - Dontaudit sssd_selinux_manager_t use of net_admin capability Resolves: rhbz#1444955 - Allow tomcat_t stream connect to pki_common_t Resolves: rhbz#1447436 - Dontaudit xguest_t's attempts to listen to its tcp_socket - Allow sssd_selinux_manager_t to ioctl init_t sockets Resolves: rhbz#1436689 - Allow _su_t to create netlink_selinux_socket Resolves rhbz#1146987 - Allow unconfined_t to module_load any file Resolves rhbz#1442994- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type. Resolves: rhbz#1436689- Allow pki_tomcat_t domain read /etc/passwd. Resolves: rhbz#1436689 - Allow tomcat_t domain read ipa_tmp_t files Resolves: rhbz#1436689 - Label new path for ipa-otpd Resolves: rhbz#1446353 - Allow radiusd_t domain stream connect to postgresql_t Resolves: rhbz#1446145 - Allow rhsmcertd_t to execute hostname_exec_t binaries. Resolves: rhbz#1445494 - Allow virtlogd to append nfs_t files when virt_use_nfs=1 Resolves: rhbz#1402561- Update tomcat policy to adjust for removing unconfined_domain attr. Resolves: rhbz#1432083 - Allow httpd_t domain read also httpd_user_content_type lnk_files. Resolves: rhbz#1383621 - Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t Resolves: rhbz#1436689 - Dontaudit _gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t Resolves: rhbz#1425530 - Add interface ipa_filetrans_named_content() Resolves: rhbz#1432115 - Allow tomcat use nsswitch Resolves: rhbz#1436689 - Allow certmonger_t start/status generic services Resolves: rhbz#1436689 - Allow dirsrv read cgroup files. Resolves: rhbz#1436689 - Allow ganesha_t domain read/write infiniband devices. Resolves: rhbz#1383784 - Allow sendmail_t domain sysctl_net_t files Resolves: rhbz#1369376 - Allow targetd_t domain read network state and getattr on loop_control_device_t Resolves: rhbz#1373860 - Allow condor_schedd_t domain send mails. Resolves: rhbz#1277506 - Alow certmonger to create own systemd unit files. Resolves: rhbz#1436689 - Allow staff to systemctl virt server when staff_use_svirt=1 Resolves: rhbz#1415841 - Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context Resolves: rhbz#1432115 - Label /sysroot/ostree/deploy/rhel-atomic-host/* as root_t Resolves: rhbz#1428112- Alow certmonger to create own systemd unit files. Resolves: rhbz#1436689- Hide broken symptoms when using kernel 3.10.0-514+ with network bonding. Postfix_picup_t domain requires NET_ADMIN capability which is not really needed. Resolves: rhbz#1431859 - Fix policy to reflect all changes in new IPA release Resolves: rhbz#1432115 Resolves: rhbz#1436689- Allow sbd_t to read/write fixed disk devices Resolves: rhbz#1440165 - Add sys_ptrace capability to radiusd_t domain Resolves: rhbz#1426641 - Allow cockpit_session_t domain connects to ssh tcp ports. Resolves: rhbz#1413509- Update tomcat policy to make working ipa install process Resolves: rhbz#1436689- Allow pcp_pmcd_t net_admin capability. - Allow pcp_pmcd_t read net sysctls - Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t Resolves: rhbz#1336211- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383 - Update pki interfaces and tomcat module Resolves: rhbz#1436689- Update pki interfaces and tomcat module Resolves: rhbz#1436689- Dontaudit firewalld wants write to /root Resolves: rhbz#1438708 - Dontaudit firewalld to create dirs in /root/ Resolves: rhbz#1438708 - Allow sendmail to search network sysctls Resolves: rhbz#1369376 - Add interface gssd_noatsecure() Resolves: rhbz#1438036 - Add interface gssproxy_noatsecure() Resolves: rhbz#1438036 - Dontaudit pcp_pmlogger_t search for xserver logs. Allow pcp_pmlogger_t to send signals to unconfined doamins Allow pcp_pmlogger_t to send logs to journals Resolves: rhbz#1379371 - Allow chronyd_t net_admin capability to allow support HW timestamping. Resolves: rhbz#1416015 - Update tomcat policy Resolves: rhbz#1436689 Resolves: rhbz#1436383 - Allow certmonger to start haproxy service Resolves: rhbz#1349394 - Allow init noatsecure for gssd and gssproxy Resolves: rhbz#1438036- geoclue wants to dbus chat with avahi Resolves: rhbz#1434286 - Allow iptables get list of kernel modules Resolves: rhbz#1367520 - Allow unconfined_domain_type to enable/disable transient unit Resolves: rhbz#1337041 - Add interfaces init_enable_transient_unit() and init_disable_transient_unit - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" Resolves: rhbz#1435264 - Label sysroot dir under ostree as root_t Resolves: rhbz#1428112- Remove ganesha_t domain from permissive domains. Resolves: rhbz#1436988- Allow named_t domain bind on several udp ports Resolves: rhbz#1312972 - Update nscd_use() interface Resolves: rhbz#1281716 - Allow radius_t domain ptrace Resolves: rhbz#1426641 - Update nagios to allos exec systemctl Resolves: rhbz#1247635 - Update pcp SELinux module to reflect all pcp changes Resolves: rhbz#1271998 - Label /var/lib/ssl_db as squid_cache_t Label /etc/squid/ssl_db as squid_cache_t Resolves: rhbz#1325527 - Allow pcp_pmcd_t domain search for network sysctl Allow pcp_pmcd_t domain sys_ptrace capability Resolves: rhbz#1336211- Allow drbd load modules Resolves: rhbz#1134883 - Revert "Add sys_module capability for drbd Resolves: rhbz#1134883" - Allow stapserver list kernel modules Resolves: rhbz#1325976 - Update targetd policy Resolves: rhbz#1373860 - Add sys_admin capability to amanda Resolves: rhbz#1371561 - Allow hypervvssd_t to read all dirs. Resolves: rhbz#1331309 - Label /run/haproxy.sock socket as haproxy_var_run_t Resolves: rhbz#1386233 - Allow oddjob_mkhomedir_t to mamange autofs_t dirs. Resolves: rhbz#1408819 - Allow tomcat to connect on http_cache_port_t Resolves: rhbz#1432083 - Allow geoclue to send msgs to syslog. Resolves: rhbz#1434286 - Allow condor_master_t domain capability chown. Resolves: rhbz#1277506 - Update mta_filetrans_named_content() interface to allow calling domain create files labeled as etc_aliases_t in dir labeled as etc_mail_t. Resolves: rhbz#1167468 - Allow nova domain search for httpd configuration. Resolves: rhbz#1190761 - Add sys_module capability for drbd Resolves: rhbz#1134883 - Allow user_u users stream connect to dirsrv, Allow sysadm_u and staff_u users to manage dirsrv files Resolves: rhbz#1286474 - Allow systemd_networkd_t communicate with systemd_networkd_t via dbus Resolves: rhbz#1278010- Add haproxy_t domain fowner capability Resolves: rhbz#1386233 - Allow domain transition from ntpd_t to hwclock_t domains Resolves: rhbz#1375624 - Allow cockpit_session_t setrlimit and sys_resource Resolves: rhbz#1402316 - Dontaudit svirt_t read state of libvirtd domain Resolves: rhbz#1426106 - Update httpd and gssproxy modules to reflects latest changes in freeipa Resolves: rhbz#1432115 - Allow iptables read modules_conf_t Resolves: rhbz#1367520- Remove tomcat_t domain from unconfined domains Resolves: rhbz#1432083 - Create new boolean: sanlock_enable_home_dirs() Resolves: rhbz#1432783 - Allow mdadm_t domain to read/write nvme_device_t Resolves: rhbz#1431617 - Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content Resolves: rhbz#1383621 - Dontaudit domain to create any file in /proc. This is kernel bug. Resolves: rhbz#1412679 - Add interface dev_rw_nvme Resolves: rhbz#1431617- Allow gssproxy to get attributes on all filesystem object types. Resolves: rhbz#1430295 - Allow ganesha to chat with unconfined domains via dbus Resolves: rhbz#1426554 - add the policy required for nextcloud Resolves: rhbz#1425530 - Add nmbd_t capability2 block_suspend Resolves: rhbz#1425357 - Label /var/run/chrony as chronyd_var_run_t Resolves: rhbz#1416015 - Add domain transition from sosreport_t to iptables_t Resolves: rhbz#1359789 - Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd Resolves: rhbz:#1332803- Update rpm macros Resolves: rhbz#1380854- Add handling booleans via selinux-policy macros in custom policy spec files. Resolves: rhbz#1380854- Allow openvswitch to load kernel modules Resolves: rhbz#1405479- Allow openvswitch read script state. Resolves: rhbz#1405479- Update ganesha policy Resolves: rhbz#1426554 Resolves: rhbz#1383784 - Allow chronyd to read adjtime Resolves: rhbz#1416015 - Fixes for chrony version 2.2 Resolves: rhbz#1416015 - Add interface virt_rw_stream_sockets_svirt() Resolves: rhbz#1415841 - Label /dev/ss0 as gpfs_device_t Resolves: rhbz#1383784 - Allow staff to rw svirt unix stream sockets. Resolves: rhbz#1415841 - Label /rhev/data-center/mnt as mnt_t Resolves: rhbz#1408275 - Associate sysctl_rpc_t with proc filesystems Resolves: rhbz#1350927 - Add new boolean: domain_can_write_kmsg Resolves: rhbz#1415715- Allow rhsmcertd_t dbus chat with system_cronjob_t Resolves: rhbz#1405341 - Allow openvswitch exec hostname and readinitrc_t files Resolves: rhbz#1405479 - Improve SELinux context for mysql_db_t objects. Resolves: rhbz#1391521 - Allow postfix_postdrop to communicate with postfix_master via pipe. Resolves: rhbz#1379736 - Add radius_use_jit boolean Resolves: rhbz#1426205 - Label /var/lock/subsys/iptables as iptables_lock_t Resolves: rhbz#1405441 - Label /usr/lib64/erlang/erts-5.10.4/bin/epmd as lib_t Resolves: rhbz#1332803 - Allow can_load_kernmodule to load kernel modules. Resolves: rhbz#1423427 Resolves: rhbz#1424621- Allow nfsd_t domain to create sysctls_rpc_t files Resolves: rhbz#1405304 - Allow openvswitch to create netlink generic sockets. Resolves: rhbz#1397974 - Create kernel_create_rpc_sysctls() interface Resolves: rhbz#1405304- Allow nfsd_t domain rw sysctl_rpc_t dirs Resolves: rhbz#1405304 - Allow cgdcbxd_t to manage cgroup files. Resolves: rhbz#1358493 - Allow cmirrord_t domain to create netlink_connector sockets Resolves: rhbz#1412670 - Allow fcoemon to create netlink scsitransport sockets Resolves: rhbz#1362496 - Allow quota_nld_t create netlink_generic sockets Resolves: rhbz#1358679 - Allow cgred_t create netlink_connector sockets Resolves: rhbz#1376357 - Add dhcpd_t domain fowner capability Resolves: rhbz#1358485 - Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. Resolves: rhbz#1358478 - Rename docker module to container module Resolves: rhbz#1386916 - Allow setflies to mount tracefs Resolves: rhbz#1376357 - Allow iptables to read nsfs files. Resolves: rhbz#1411316 - Allow systemd_bootchart_t domain create dgram sockets. Resolves: rhbz#1365953 - Rename docker interfaces to container Resolves: rhbz#1386916- Allow initrc_t domain to run rhel-autorelabel script properly during boot process Resolves: rhbz#1379722 - Allow systemd_initctl_t to create and connect unix_dgram sockets Resolves: rhbz#1365947 - Allow ifconfig_t to mount/unmount nsfs_t filesystem Resolves: rhbz#1349814 - Add interfaces allowing mount/unmount nsfs_t filesystem Resolves: rhbz#1349814- Add interface init_stream_connectto() Resolves:rhbz#1365947 - Allow rhsmcertd domain signull kernel. Resolves: rhbz#1379781 - Allow kdumpgui domain to read nvme device - Allow insmod_t to load kernel modules Resolves: rhbz#1421598 - Add interface files_load_kernel_modules() Resolves: rhbz#1421598 - Add SELinux support for systemd-initctl daemon Resolves:rhbz#1365947 - Add SELinux support for systemd-bootchart Resolves: rhbz#1365953- Allow firewalld to getattr open search read modules_object_t:dir Resolves: rhbz#1418391 - Fix label for nagios plugins in nagios file conxtext file Resolves: rhbz#1277718 - Add sys_ptrace capability to pegasus domain Resolves: rhbz#1381238 - Allow sssd_t domain setpgid Resolves:rhbz#1416780 - After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. Resolves: rhbz#1350927 - Allow kdumpgui domain to read nvme device Resolves: rhbz#1415084 - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add user namespace capability object classes. Resolves: rhbz#1368057 - Add module_load permission to class system Resolves:rhbz#1368057 - Add the validate_trans access vector to the security class Resolves: rhbz#1368057 - Add "binder" security class and access vectors Resolves: rhbz#1368057 - Allow ifconfig_t domain read nsfs_t Resolves: rhbz#1349814 - Allow ping_t domain to load kernel modules. Resolves: rhbz#1388363- Allow systemd container to read/write usermodehelperstate Resolves: rhbz#1403254 - Label udp ports in range 24007-24027 as gluster_port_t Resolves: rhbz#1404152- Allow glusterd_t to bind on glusterd_port_t udp ports. Resolves: rhbz#1404152 - Revert: Allow glusterd_t to bind on med_tlp port.- Allow glusterd_t to bind on med_tlp port. Resolves: rhbz#1404152 - Update ctdbd_t policy to reflect all changes. Resolves: rhbz#1402451 - Label tcp port 24009 as med_tlp_port_t Resolves: rhbz#1404152 - Issue appears during update directly from RHEL-7.0 to RHEL-7.3 or above. Modules pkcsslotd and vbetools missing in selinux-policy package for RHEL-7.3 which causing warnings during SELinux policy store migration process. Following patch fixes issue by skipping pkcsslotd and vbetools modules migration.- Allow ctdbd_t domain transition to rpcd_t Resolves:rhbz#1402451- Fixes for containers Allow containers to attempt to write to unix_sysctls. Allow cotainers to use the FD's leaked to them from parent processes. Resolves: rhbz#1403254- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t Resolves: rhbz#1404152 - Allow systemd to stop glusterd_t domains. Resolves: rhbz#1400493- Make working CTDB:NFS: CTDB failover from selinux-policy POV Resolves: rhbz#1402451- Add kdump_t domain sys_admin capability Resolves: rhbz#1375963- Allow puppetagent_t to access timedated dbus. Use the systemd_dbus_chat_timedated interface to allow puppetagent_t the access. Resolves: rhbz#1399250- Update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients Resolves: rhbz#1393505- Allow cluster_t communicate to fprintd_t via dbus Resolves: rhbz#1349798- Fix error message during update from RHEL-7.2 to RHEL-7.3, when /usr/sbin/semanage command is not installed and selinux-policy-migrate-local-changes.sh script is executed in %post install phase of selinux-policy package Resolves: rhbz#1392010- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. Resolves: rhbz#1384488 - Allow glusterd to get attributes on /sys/kernel/config directory. Resolves: rhbz#1384483- Use selinux-policy-migrate-local-changes.sh instead of migrateStore* macros - Add selinux-policy-migrate-local-changes service Resolves: rhbz#1381588- Allow sssd_selinux_manager_t to manage also dir class. Resolves: rhbz#1368097 - Add interface seutil_manage_default_contexts_dirs() Resolves: rhbz#1368097- Add virt_sandbox_use_nfs -> virt_use_nfs boolean substitution. Resolves: rhbz#1355783- Allow pcp_pmcd_t domain transition to lvm_t Add capability kill and sys_ptrace to pcp_pmlogger_t Resolves: rhbz#1309883- Allow ftp daemon to manage apache_user_content Resolves: rhbz#1097775 - Label /etc/sysconfig/oracleasm as oracleasm_conf_t Resolves: rhbz#1331383 - Allow oracleasm to rw inherited fixed disk device Resolves: rhbz#1331383 - Allow collectd to connect on unix_stream_socket Resolves: rhbz#1377259- Allow iscsid create netlink iscsid sockets. Resolves: rhbz#1358266 - Improve regexp for power_unit_file_t files. To catch just systemd power unit files. Resolves: rhbz#1375462- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain. Resolves: rhbz#1331383 - Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service Resolves: rhbz#1206525- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm Resolves: rhbz#1331383 - Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t Resolves: rhbz#1206525 - Allow mdadm_t to getattr all device nodes Resolves: rhbz#1365171 - Add interface dbus_dontaudit_stream_connect_system_dbusd() Resolves:rhbz#1052880 - Add virt_stub_* interfaces for docker policy which is no longer a part of our base policy. Resolves: rhbz#1372705 - Allow guest-set-user-passwd to set users password. Resolves: rhbz#1369693 - Allow samdbox domains to use msg class Resolves: rhbz#1372677 - Allow domains using kerberos to read also kerberos config dirs Resolves: rhbz#1368492 - Allow svirt_sandbox_domains to r/w onload sockets Resolves: rhbz#1342930 - Add interface fs_manage_oracleasm() Resolves: rhbz#1331383 - Label /dev/kfd as hsa_device_t Resolves: rhbz#1373488 - Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs Resolves: rhbz#1368097 - Add interface to write to nsfs inodes Resolves: rhbz#1372705 - Allow systemd services to use PrivateNetwork feature Resolves: rhbz#1372705 - Add a type and genfscon for nsfs. Resolves: rhbz#1372705 - Allow run sulogin_t in range mls_systemlow-mls_systemhigh. Resolves: rhbz#1290400- Allow arpwatch to create netlink netfilter sockets. Resolves: rhbz#1358261 - Fix file context for /etc/pki/pki-tomcat/ca/ - new interface oddjob_mkhomedir_entrypoint() - Move label for /var/lib/docker/vfs/ to proper SELinux module - Allow mdadm to get attributes from all devices. - Label /etc/puppetlabs as puppet_etc_t. - Allow systemd-machined to communicate to lxc container using dbus - Allow systemd_resolved to send dbus msgs to userdomains Resolves: rhbz#1236579 - Allow systemd-resolved to read network sysctls Resolves: rhbz#1236579 - Allow systemd_resolved to connect on system bus. Resolves: rhbz#1236579 - Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t - Label all files in /dev/oracleasmfs/ as oracleasmfs_t Resolves: rhbz#1331383- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t Resolves:rhbz#1366915 - Allow certmonger to manage all systemd unit files Resolves:rhbz#1366915 - Grant certmonger "chown" capability Resolves:rhbz#1366915 - Allow ipa_helper_t stream connect to dirsrv_t domain Resolves: rhbz#1368418 - Update oracleasm SELinux module Resolves: rhbz#1331383 - label /var/lib/kubelet as svirt_sandbox_file_t Resolves: rhbz#1369159 - Add few interfaces to cloudform.if file Resolves: rhbz#1367834 - Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module Resolves: rhbz#1347514 - Allow krb5kdc_t to read krb4kdc_conf_t dirs. Resolves: rhbz#1368492 - Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run. Resolves: rhbz#1365653 - Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. Resolves: rhbz#1365653 - Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type Resolves: rhbz#1331383 - A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init. Resolves: rhbz#1367834 - Allow iptables to creating netlink generic sockets. Resolves: rhbz#1364359- Allow ipmievd domain to create lock files in /var/lock/subsys/ Resolves:rhbz#1349058 - Update policy for ipmievd daemon. Resolves:rhbz#1349058 - Dontaudit hyperkvp to getattr on non security files. Resolves: rhbz#1349356 - Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t Resolves: rhbz#1347514 - Fixed lsm SELinux module - Add sys_admin capability to sbd domain Resolves: rhbz#1322725 - Allow vdagent to comunnicate with systemd-logind via dbus Resolves: rhbz#1366731 - Allow lsmd_plugin_t domain to create fixed_disk device. Resolves: rhbz#1238066 - Allow opendnssec domain to create and manage own tmp dirs/files Resolves: rhbz#1366649 - Allow opendnssec domain to read system state Resolves: rhbz#1366649 - Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs Resolves: rhbz#1366649 - Allow rasdaemon to mount/unmount tracefs filesystem. Resolves: rhbz#1364380 - Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/ Resolves: rhbz#1367520 - Modify interface den_read_nvme() to allow also read nvme_device_t block files. Resolves: rhbz#1362564 - Label /var/run/storaged as lvm_var_run_t. Resolves: rhbz#1264390 - Allow unconfineduser to run ipa_helper_t. Resolves: rhbz#1361636- Dontaudit mock to write to generic certs. Resolves: rhbz#1271209 - Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t Resolves: rhbz#1347514 - Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain" - Allow modemmanager to write to systemd inhibit pipes Resolves: rhbz#1365214 - Label corosync-qnetd and corosync-qdevice as corosync_t domain Resolves: rhbz#1347514 - Allow ipa_helper to read network state Resolves: rhbz#1361636 - Label oddjob_reqiest as oddjob_exec_t Resolves: rhbz#1361636 - Add interface oddjob_run() Resolves: rhbz#1361636 - Allow modemmanager chat with systemd_logind via dbus Resolves: rhbz#1362273 - Allow NetworkManager chat with puppetagent via dbus Resolves: rhbz#1363989 - Allow NetworkManager chat with kdumpctl via dbus Resolves: rhbz#1363977 - Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls. Resolves: rhbz#1322725 - Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t Resolves: rhbz#1349058 - Allow rasdaemon to use tracefs filesystem. Resolves: rhbz#1364380 - Fix typo bug in dirsrv policy - Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd. Resolves: rhbz#1283134 - Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t Resolves: rhbz#1362688 - Allow dirsrv to read dirsrv_share_t content Resolves: rhbz#1363662 - Allow virtlogd_t to append svirt_image_t files. Resolves: rhbz#1358140 - Allow hypervkvp domain to read hugetlbfs dir/files. Resolves: rhbz#1349356 - Allow mdadm daemon to read nvme_device_t blk files Resolves: rhbz#1362564 - Allow selinuxusers and unconfineduser to run oddjob_request Resolves: rhbz#1361636 - Allow sshd server to acces to Crypto Express 4 (CEX4) devices. Resolves: rhbz#1362539 - Fix labeling issue in init.fc file. Path /usr/lib/systemd/fedora-* changed to /usr/lib/systemd/rhel-*. Resolves: rhbz#1363769 - Fix typo in device interfaces Resolves: rhbz#1349058 - Add interfaces for managing ipmi devices Resolves: rhbz#1349058 - Add interfaces to allow mounting/umounting tracefs filesystem Resolves: rhbz#1364380 - Add interfaces to allow rw tracefs filesystem Resolves: rhbz#1364380 - Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices. Resolves: rhbz#1362564 - Label /sys/kernel/debug/tracing filesystem Resolves: rhbz#1364380 - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1357857- Dontaudit mock_build_t can list all ptys. Resolves: rhbz#1271209 - Allow ftpd_t to mamange userhome data without any boolean. Resolves: rhbz#1097775 - Add logrotate permissions for creating netlink selinux sockets. Resolves: rhbz#1283134 - Allow lsmd_plugin_t to exec ldconfig. Resolves: rhbz#1238066 - Allow vnstatd domain to read /sys/class/net/ files Resolves: rhbz#1358243 - Remove duplicate allow rules in spamassassin SELinux module Resolves:rhbz#1358175 - Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs Resolves:rhbz#1358175 - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1357857 - Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. Resolves: rhbz#1330464 - Allow gnome-keyring also manage user_tmp_t sockets. Resolves: rhbz#1257057 - corecmd: Remove fcontext for /etc/sysconfig/libvirtd Resolves:rhbz#1351382- Allow ipa_dnskey domain to search cache dirs Resolves: rhbz#1350957- Allow ipa-dnskey read system state. Reasolves: rhbz#1350957 - Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file Resolves: rhbz#1350957- Allow firewalld to manage net_conf_t files. Resolves:rhbz#1304723 - Allow logrotate read logs inside containers. Resolves: rhbz#1303514 - Allow sssd to getattr on fs_t Resolves: rhbz#1356082 - Allow opendnssec domain to manage bind chace files Resolves: rhbz#1350957 - Fix typo in rhsmcertd policy module Resolves: rhbz#1329475 - Allow systemd to get status of systemd-logind daemon Resolves: rhbz#1356141 - Label more ndctl devices not just ndctl0 Resolves: rhbz#1355809- Allow rhsmcertd to copy certs into /etc/docker/cert.d - Add interface docker_rw_config() Resolves: rhbz#1344500 - Fix logrotate fc file to label also /var/lib/logrotate/ dir as logrotate_var_lib_t Resolves: rhbz#1355632 - Allow rhsmcertd to read network sysctls Resolves: rhbz#1329475 - Label /var/log/graphite-web dir as httpd_log_t Resolves: rhbz#1310898 - Allow mock to use generic ptys Resolves: rhbz#1271209 - Allow adcli running as sssd_t to write krb5.keytab file. Resolves: rhbz#1356082 - Allow openvswitch connect to openvswitch_port_t type. Resolves: rhbz#1335024 - Add SELinux policy for opendnssec service. Resolves: rhbz#1350957 - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd Resolves: rhbz#1350957 - label /dev/ndctl0 device as nvram_device_t Resolves: rhbz#1355809- Allow lttng tools to block suspending Resolves: rhbz#1256374 - Allow creation of vpnaas in openstack Resolves: rhbz#1352710 - virt: add strict policy for virtlogd daemon Resolves:rhbz#1311606 - Update makefile to support snapperd_contexts file Resolves: rhbz#1352681- Allow udev to manage systemd-hwdb files - Add interface systemd_hwdb_manage_config() Resolves: rhbz#1350756 - Fix paths to infiniband devices. This allows use more then two infiniband interfaces. Resolves: rhbz#1210263- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263 - Allow opensm daemon to rw infiniband_mgmt_device_t Resolves: rhbz#1210263 - Allow systemd_hwdb_t to relabel /etc/udev/hwdb.bin file. Resolves: rhbz#1350756 - Make label for new infiniband_mgmt deivices Resolves: rhbz#1210263- Fix typo in brltty SELinux module - Add new SELinux module sbd Resolves: rhbz#1322725 - Allow pcp dmcache metrics collection Resolves: rhbz#1309883 - Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t Resolves: rhbz#1350782 - Allow openvpn to create sock files labeled as openvpn_var_run_t Resolves: rhbz#1328246 - Allow hypervkvp daemon to getattr on all filesystem types. Resolves: rhbz#1349356 - Allow firewalld to create net_conf_t files Resolves: rhbz#1304723 - Allow mock to use lvm Resolves: rhbz#1271209 - Allow keepalived to create netlink generic sockets. Resolves: rhbz#1349809 - Allow mirromanager creating log files in /tmp Resolves:rhbz#1328818 - Rename few modules to make it consistent with source files Resolves: rhbz#1351445 - Allow vmtools_t to transition to rpm_script domain Resolves: rhbz#1342119 - Allow nsd daemon to manage nsd_conf_t dirs and files Resolves: rhbz#1349791 - Allow cluster to create dirs in /var/run labeled as cluster_var_run_t Resolves: rhbz#1346900 - Allow sssd read also sssd_conf_t dirs Resolves: rhbz#1350535 - Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl Resolves: rhbz#1086240 - Add interface lvm_getattr_exec_files() Resolves: rhbz#1271209 - Fix typo Compliling vs. Compiling Resolves: rhbz#1351445- Allow krb5kdc_t to communicate with sssd Resolves: rhbz#1319933 - Allow prosody to bind on prosody ports Resolves: rhbz#1304664 - Add dac_override caps for fail2ban-client Resolves: rhbz#1316678 - dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637 - Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726 - Add label for brltty log file Resolves: rhbz#1328818 - Allow dspam to read the passwd file Resolves: rhbz#1286020 - Allow snort_t to communicate with sssd Resolves: rhbz#1284908 - svirt_sandbox_domains need to be able to execmod for badly built libraries. Resolves: rhbz#1206339 - Add policy for lttng-tools package. Resolves: rhbz#1256374 - Make mirrormanager as application domain. Resolves: rhbz#1328234 - Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon. - Add prosody ports Resolves: rhbz#1304664 - Allow sssd read also sssd_conf_t dirs Resolves: rhbz#1350535- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. Resolves:rhbz#1331315 - Label named-pkcs11 binary as named_exec_t. Resolves: rhbz#1331315 - Allow glusterd daemon to get systemd status Resolves: rhbz#1321785 - Allow logrotate dbus-chat with system_logind daemon Resolves: rhbz#1283134 - Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files Resolves: rhbz#1336211 - Add interface cron_read_pid_files() Resolves: rhbz#1336211 - Allow pcp_pmlogger to create unix dgram sockets Resolves: rhbz#1336211 - Add hwloc-dump-hwdata SELinux policy Resolves: rhbz#1344054 - Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t. Resolves: rhbz#1121171 - Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd() Resolves: rhbz#1259764 - Create label for openhpid log files. esolves: rhbz#1259764 - Label /var/lib/ganglia as httpd_var_lib_t Resolves: rhbz#1260536 - Allow firewalld_t to create entries in net_conf_t dirs. Resolves: rhbz#1304723 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals Resolves: rhbz#1288255 - Include patch from distgit repo: policy-RHEL-7.1-flask.patch. Resolves: rhbz#1329560 - Update refpolicy to handle hwloc Resolves: rhbz#1344054 - Label /etc/dhcp/scripts dir as bin_t - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. Resolves: rhbz#1288255- Allow firewalld_t to create entries in net_conf_t dirs. Resolves: rhbz#1304723 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals Resolves: rhbz#1288255 - Allow mongod log to syslog. Resolves: rhbz#1306995 - Allow rhsmcertd connect to port tcp 9090 Resolves: rhbz#1337319 - Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. Resolves: rhbz#1262483 Resolves: rhbz#1277506 - Label /usr/libexec/mimedefang-wrapper as spamd_exec_t. Resolves: rhbz#1301516 - Add new boolean spamd_update_can_network. Resolves: rhbz#1305469 - Allow rhsmcertd connect to tcp netport_port_t Resolves: rhbz#1329475 - Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t. Resolves: rhbz#1328234 - Allow prosody to bind to fac_restore tcp port. Resolves: rhbz#1321787 - Allow ninfod to read raw packets Resolves: rhbz#1317964 - Allow pegasus get attributes from qemu binary files. Resolves: rhbz#1260835 - Allow pegasus get attributes from qemu binary files. Resolves: rhbz#1271159 - Allow tuned to use policykit. This change is required by cockpit. Resolves: rhbz#1346464 - Allow conman_t to read dir with conman_unconfined_script_t binary files. Resolves: rhbz#1297323 - Allow pegasus to read /proc/sysinfo. Resolves: rhbz#1265883 - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. Resolves: rhbz#1288255 - Label tcp ports:16379, 26379 as redis_port_t Resolves: rhbz#1348471 - Allow systemd to relabel /var and /var/lib directories during boot. - Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces. - Add files_relabelto_var_lib_dirs() interface. - Label tcp port 2004 as mailbox_port_t. Resolves: rhbz#1332843 - Label tcp and udp port 5582 as fac_restore_port_t Resolves: rhbz#1321787 - Allow sysadm_t user to run postgresql-setup. Resolves: rhbz#1282543 - Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script. Resolves: rhbz#1297480 - Update netlink socket classes.- Allow conman to kill conman_unconfined_script. Resolves: rhbz#1297323 - Make conman_unconfined_script_t as init_system_domain. Resolves:rhbz#1297323 - Allow init dbus chat with apmd. Resolves:rhbz#995898 - Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t. Resolves: rhbz#1233252 - Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Add mediawiki rules to proper scope Resolves: rhbz#1301186 - Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Allow mysqld_safe to inherit rlimit information from mysqld Resolves: rhbz#1323673 - Allow collectd_t to stream connect to postgresql. Resolves: rhbz#1344056 - Allow mediawiki-script to read /etc/passwd file. Resolves: rhbz#1301186 - Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc. Resolves: rhbz#1344505 - Add labels for mediawiki123 Resolves: rhbz#1293872 - Fix label for all fence_scsi_check scripts - Allow ip netns to mounton root fs and unmount proc_t fs. Resolves: rhbz#1343776 Resolves: rhbz#1286851 - Allow sysadm_t to run newaliases command. Resolves: rhbz#1344828 - Add interface sysnet_filetrans_named_net_conf() Resolves: rhbz#1344505- Fix several issues related to the SELinux Userspace changes- Allow glusterd domain read krb5_keytab_t files. Resolves: rhbz#1343929 - Fix typo in files_setattr_non_security_dirs. Resolves: rhbz#1115987- Allow tmpreaper_t to read/setattr all non_security_file_type dirs Resolves: rhbz#1115987 - Allow firewalld to create firewalld_var_run_t directory. Resolves: rhbz#1304723 - Add interface firewalld_read_pid_files() Resolves: rhbz#1304723 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. Resolves: rhbz#1340542 - Allow sanlock service to read/write cephfs_t files. Resolves: rhbz#1315332 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added missing docker interfaces: - docker_typebounds - docker_entrypoint Resolves: rhbz#1236580 - Add interface files_setattr_non_security_dirs() Resolves: rhbz#1115987 - Add support for onloadfs - Allow iptables to read firewalld pid files. Resolves: rhbz#1304723 - Add SELinux support for ceph filesystem. Resolves: rhbz#1315332 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) Resolves: rhbz#1236580- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added missing docker interfaces: - docker_typebounds - docker_entrypoint Resolves: rhbz#1236580 - New interfaces needed for systemd-machinectl Resolves: rhbz#1236580 - New interfaces needed by systemd-machine Resolves: rhbz#1236580 - Add interface allowing sending and receiving messages from virt over dbus. Resolves: rhbz#1236580 - Backport docker policy from Fedora. Related: #1303123 Resolves: #1341257 - Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. Resolves: rhbz#1236580 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added interfaces needed by new docker policy. Related: rhbz#1303123 - Add support for systemd-machined daemon Resolves: rhbz#1236580 - Allow rpm-ostree domain transition to install_t domain from init_t. Resolves: rhbz#1340542- dnsmasq: allow NetworkManager to control dnsmasq via D-Bus Resolves: rhbz#1336722 - Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te Resolves: rhbz#1333198 - sftpd_* booleans are functionless these days. Resolves: rhbz#1335656 - Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. Resolves: rhbz#1335828 - Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. Resolves: rhbz#1336760 - Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. Resolves: rhbz#1336737 - Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. Resolves: rhbz#1264390 - Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t. Resolves: rhbz#1337061 - Revert "Allow all domains some process flags." Resolves: rhbz#1303644 - Revert "Remove setrlimit to all domains." Resolves: rhbz#1303644 - Label /usr/sbin/xrdp* files as bin_t Resolves: rhbz#1276777 - Add mls support for some db classes Resolves: rhbz#1303651 - Allow systemd_resolved_t to check if ipv6 is disabled. Resolves: rhbz#1236579 - Allow systemd_resolved to read systemd_networkd run files. Resolves: rhbz#1236579- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. Resolves: rhbz#1336760 - Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. Resolves: rhbz#1336737- Allow logwatch to domtrans to postqueue Resolves: rhbz#1331542 - Label /var/log/ganesha.log as gluster_log_t - Allow glusterd_t domain to create glusterd_log_t files. - Label /var/run/ganesha.pid as gluster_var_run_t. Resolves: rhbz#1335828 - Allow zabbix to connect to postgresql port Resolves: rhbz#1330479 - Add userdom_destroy_unpriv_user_shared_mem() interface. Related: rhbz#1306403 - systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. Resolves: rhbz#1306403- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. Resolves: rhbz#1333952- Add interface glusterd_dontaudit_read_lib_dirs() Resolves: rhbz#1295680 - Dontaudit Occasionally observing AVC's while running geo-rep automation Resolves: rhbz#1295680 - Allow glusterd to manage socket files labeled as glusterd_brick_t. Resolves: rhbz#1331561 - Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1246522 - Allow stunnel create log files. Resolves: rhbz#1296851 - Label tcp port 8181 as intermapper_port_t. Resolves: rhbz#1334783 - Label tcp/udp port 2024 as xinuexpansion4_port_t Resolves: rhbz#1334783 - Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t Resolves: rhbz#1334783 - Dontaudit ldconfig read gluster lib files. Resolves: rhbz#1295680 - Add interface auth_use_nsswitch() to systemd_domain_template. Resolves: rhbz#1236579- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. Resolves: rhbz#1312809 Resolves: rhbz#1323947 - Allow dbus chat between httpd_t and oddjob_t. Resolves: rhbz#1324144 - Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. Resolves: rhbz#1324144 - Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. Resolves: rhbz#1324144 - Allow prosody to listen on port 5000 for mod_proxy65. Resolves: rhbz#1316918 - Allow pcp_pmcd_t domain to manage docker lib files. This rule is needed to allow pcp to collect container information when SELinux is enabled. Resolves: rhbz#1309454- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs. Resolves: rhbz#1319442 - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. Resolves: rhbz#1296640 - Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. Resolves: rhbz#1097775 - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. Resolves: rhbz#1262483 - Allow nsd daemon to create log file in /var/log as nsd_log_t Resolves: rhbz#1293140 - Sanlock policy update. - New sub-domain for sanlk-reset daemon Resolves: rhbz#1212324 - Label all run tgtd files, not just socket files Resolves: rhbz#1280280 - Label all run tgtd files, not just socket files. Resolves: rhbz#1280280 - Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. Resolves: rhbz#1321049 - unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. Resolves: rhbz#1318224 - Allow prosody to listen on port 5000 for mod_proxy65. Resolves: rhbz#1316918 - Allow targetd to read/write to /dev/mapper/control device. Resolves: rhbz#1063714 - Allow KDM to get status about power services. This change allow kdm to be able do shutdown. Resolves: rhbz#1316724 - Allow systemd-resolved daemon creating netlink_route sockets. Resolves:rhbz#1236579 - Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used Resolves: rhbz#1065362 - Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t Resolves: rhbz#1321943 - Label all nvidia binaries as xserver_exec_t Resolves: rhbz#1322283- Create new permissivedomains CIL module and make it active. Resolves: rhbz#1320451 - Add support for new mock location - /usr/libexec/mock/mock. Resolves: rhbz#1271209 - Allow bitlee to create bitlee_var_t dirs. Resolves: rhbz#1268651 - Allow CIM provider to read sssd public files. Resolves: rhbz#1263339 - Fix some broken interfaces in distro policy. Resolves: rhbz#1121171 - Allow power button to shutdown the laptop. Resolves: rhbz#995898 - Allow lsm plugins to create named fixed disks. Resolves: rhbz#1238066 - Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.confResolves: rhbz#1278777 - Allow hyperv domains to rw hyperv devices. Resolves: rhbz#1309361 - Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.Resolves: rhbz#1246780 - Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/ Resolves: rhbz#1297323 - Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib. - Add support for /dev/mptctl device used to check RAID status. Resolves: rhbz#1258029 - Create hyperv* devices and create rw interfaces for this devices. Resolves: rhbz#1309361 - Add fixes for selinux userspace moving the policy store to /var/lib/selinux. - Remove optional else block for dhcp ping- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks. Resolves: rhbz#1263770 - Fix context of "/usr/share/nginx/html". Resolves: rhbz#1261857 - Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics Resolves: rhbz#1270344 - Allow pmlogger to create pmlogger.primary.socket link file. Resolves: rhbz#1270344 - Label nagios scripts as httpd_sys_script_exec_t. Resolves: rhbz#1260306 - Add dontaudit interface for kdumpctl_tmp_t Resolves: rhbz#1156442 - Allow mdadm read files in EFI partition. Resolves: rhbz#1291801 - Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid. Resolves: rhbz#1293140 - Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs Resolves: rhbz#1293140 - Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface. Resolves: rhbz#1265102 - Add missing labeling for /usr/libexec/abrt-hook-ccpp. Resolves: rhbz#1213409 - Allow pcp_pmie and pcp_pmlogger to read all domains state. Resolves: rhbz#1206525 - Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port. Resolves: rhbz#1275246 - cockpit has grown content in /var/run directory Resolves: rhbz#1279429 - Allow collectd setgid capability Resolves:#1310898 - Remove declaration of empty booleans in virt policy. Resolves: rhbz#1103153 - Fix typo in drbd policy - Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. Allow drbd_t create drbd_tmp_t files in /tmp. Resolves: rhbz#1134883 - Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files. Resolves: rhbz#1293788 - Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. Resolves: rhbz#1254188 - Allow abrt_t to read sysctl_net_t files. Resolves: rhbz#1254188 - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. - Allow abrt-hook-ccpp to getattr on all executables. - Allow setuid/setgid capabilities for abrt-hook-ccpp. Resolves: rhbz#1254188 - abrt-hook-ccpp needs to have setfscreate access because it is SELinux aware and compute a target labeling. Resolves: rhbz#1254188 - Allow abrt-hook-ccpp to change SELinux user identity for created objects. Resolves: rhbz#1254188 - Dontaudit write access to inherited kdumpctl tmp files. Resolves: rbhz#1156442 - Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) Resolves: rhbz#1291801 - Label 8952 tcp port as nsd_control. Resolves: rhbz#1293140 - Allow ipsec to use pam. Resolves: rhbz#1315700 - Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020 - Allow setrans daemon to read /proc/meminfo. Resolves: rhbz#1316804 - Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg Resolves: rhbz#1298151 - Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution Resolves: rhbz#1236579 - Add new selinux policy for systemd-resolved dawmon. Resolves: rhbz#1236579 - Add interface ssh_getattr_server_keys() interface. Resolves: rhbz#1306197 - Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 Resolves: rhbz#1306197 - Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used. Resolves: rhbz#1309417 - Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t. Resolves: rhbz#1293788- Prepare selinux-policy package for userspace release 2016-02-23. Resolves: rhbz#1305982- Allow sending dbus msgs between firewalld and system_cronjob domains. Resolves: rhbz#1284902 - Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. Resolves: rhbz#1242506 - Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. Resolves: rhbz#1284972 - Add support for systemd-hwdb daemon. Resolves: rhbz#1257940 - Add interface fs_setattr_cifs_dirs(). Resolves: rhbz#1284972- Add new SELinux policy fo targetd daemon. Resolves: rhbz#1063714 - Add new SELinux policy fo ipmievd daemon. Resolves: rhbz#1083031 - Add new SELinux policy fo hsqldb daemon. Resolves: rhbz#1083171 - Add new SELinux policy for blkmapd daemon. Resolves: rhbz#1072997 - Allow p11-child to connect to apache ports. - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. Resolves: rhbz#1278028 - Add interface "lvm_manage_lock" to lvm policy. Resolves: rhbz#1063714- Allow openvswitch domain capability sys_rawio. Resolves: rhbz#1278495- Allow openvswitch to manage hugetlfs files and dirs. Resolves: rhbz#1278495 - Add fs_manage_hugetlbfs_files() interface. Resolves: rhbz#1278495- Allow smbcontrol domain to send sigchld to ctdbd domain. Resolves: #1293784 - Allow openvswitch read/write hugetlb filesystem. Resolves: #1278495Allow hypervvssd to list all mountpoints to have VSS live backup working correctly. Resolves:#1247880- Revert Add missing labeling for /usr/libexec/abrt-hook-ccpp patch Resolves: #1254188- Allow search dirs in sysfs types in kernel_read_security_state. Resolves: #1254188 - Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs. Resolves: #1254188- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs Resolves: #1254188 - We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes. Resolves:#1261938- Remove labeling for modules_dep_t file contexts to have labeled them as modules_object_t. - Update files_read_kernel_modules() to contain modutils_read_module_deps_files() calling because module deps labeling could remain and it allows to avoid regressions. Resolves:#1266928- We need to require sandbox_web_type attribute in sandbox_x_domain_template(). Resolves: #1261938 - ipsec: The NM helper needs to read the SAs Resolves: #1259786 - ipsec: Allow ipsec management to create ptys Resolves: #1259786- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type. Resolves:#1261938 - Allow abrt_t domain to write to kernel msg device. Resolves: #1257828 - Allow rpcbind_t domain to change file owner and group Resolves: #1265266- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind. Resolves: #1256459- Allow dirsrv-admin script to read passwd file. Allow dirsrv-admin script to read httpd pid files. Label dirsrv-admin unit file and allow dirsrv-admin domains to use it. Resolves: #1230300 - Allow qpid daemon to connect on amqp tcp port. Resolves: #1261805- Label /etc/ipa/nssdb dir as cert_t Resolves:#1262718 - Do not provide docker policy files which is shipped by docker-selinux.rpm Resolves:#1262812- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager Resolves: #1192338 - Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem. Resolves: #1238079 - Allow rhsmcertd_t send signull to unconfined_service_t domains. Resolves: #1176078 - Remove file transition from snmp_manage_var_lib_dirs() interface which created snmp_var_lib_t dirs in var_lib_t. - Allow openhpid_t daemon to manage snmp files and dirs. Resolves: #1243902 - Allow mdadm_t domain read/write to general ptys and unallocated ttys. Resolves: #1073314 - Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t Resolves: #1176078- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. Resolves:#1250456- Fix labeling for fence_scsi_check script Resolves: #1255020 - Allow openhpid to read system state Allow openhpid to connect to tcp http port. Resolves: #1244248 - Allow openhpid to read snmp var lib files. Resolves: #1243902 - Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe - Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t Resolves: #1243403 - Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl Resolves: #1255020- Fix regexp in chronyd.fc file Resolves: #1243764 - Allow passenger to getattr filesystem xattr Resolves: #1196555 - Label mdadm.conf.anackbak as mdadm_conf_t file. Resolves: #1088904 - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." - Allow watchdog execute fenced python script. Resolves: #1255020 - Added inferface watchdog_unconfined_exec_read_lnk_files() - Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t. Resolves: #1230877- Allow watchdog execute fenced python script. Resolves: #1255020 - Added inferface watchdog_unconfined_exec_read_lnk_files() - Label /var/run/chrony-helper dir as chronyd_var_run_t. Resolves: #1243764 - Allow dhcpc_t domain transition to chronyd_t Resolves: #1243764- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. Resolves: #1252442- Allow exec pidof under hypervkvp domain. Resolves: #1254870 - Allow hypervkvp daemon create connection to the system DBUS Resolves: #1254870- Allow openhpid_t to read system state. Resolves: #1244248 - Added labels for files provided by rh-nginx18 collection Resolves: #1249945 - Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db. Resolves: #1252968 - Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution. Resolves: #1243431 - Allow abrt_dump_oops_t to read proc_security_t files. - Allow abrt_dump_oops to signull all domains Allow abrt_dump_oops to read all domains state Allow abrt_dump_oops to ptrace all domains - Add interface abrt_dump_oops_domtrans() - Add mountpoint dontaudit access check in rhsmcertd policy. Resolves: #1243431 - Allow samba_net_t to manage samba_var_t sock files. Resolves: #1252937 - Allow chrome setcap to itself. Resolves: #1251996 - Allow httpd daemon to manage httpd_var_lib_t lnk_files. Resolves: #1253706 - Allow chronyd exec systemctl Resolves: #1243764 - Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t. Resolves: #1243764 - Added interface fs_dontaudit_write_configfs_dirs - Add label for kernel module dep files in /usr/lib/modules Resolves:#916635 - Allow kernel_t domtrans to abrt_dump_oops_t - Added to files_dontaudit_write_all_mountpoints intefface new dontaudit rule, that domain included this interface dontaudit capability dac_override. - Allow systemd-networkd to send logs to systemd-journald. Resolves: #1236616- Fix label on /var/tmp/kiprop_0 Resolves:#1220763 - Allow lldpad_t to getattr tmpfs_t. Resolves: #1246220 - Label /dev/shm/lldpad.* as lldapd_tmpfs_t Resolves: #1246220 - Allow audisp client to read system state.- Allow pcp_domain to manage pcp_var_lib_t lnk_files. Resolves: #1252341 - Label /var/run/xtables.* as iptables_var_run_t Resolves: #1243403- Add interface to read/write watchdog device - Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde Resolves:#1210237 - Allow apcupsd_t to read /sys/devices Resolves:#1189185 - Allow logrotate to reload services. Resolves: #1242453 - Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) Resolves: #1244260 - Allow openhpid liboa_soap plugin to read generic certs. Resolves: #1244248 - Allow openhpid liboa_soap plugin to read resolv.conf file. Resolves: #1244248 - Label /usr/libexec/chrony-helper as chronyd_exec_t - Allow chronyd_t to read dhcpc state. - Allow chronyd to execute mkdir command.- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t. Resolves:#1073314 - Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS. - Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users. - Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode. - Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling. Resolves:#1183503 - Add support for /etc/sanlock which is writable by sanlock daemon. Resolves:#1231377 - Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet. Resolves:#1243775 - Allow snapperd to pass data (one way only) via pipe negotiated over dbus Resolves:#1250550 - Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files). Resolves: #1243902 - Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device Resolves: #1238079 - Allow lsm_plugin_t to rw raw_fixed_disk. Resolves:#1238079 - Allow rhsmcertd to send signull to unconfined_service.- Allow httpd_suexec_t to read and write Apache stream sockets Resolves: #1243569 - Allow qpid to create lnk_files in qpid_var_lib_t Resolves: #1247279- Allow drbd to get attributes from filesystems. - Allow redis to read kernel parameters. Resolves: #1209518 - Allow virt_qemu_ga_t domtrans to passwd_t - Allow audisp_remote_t to start power unit files domain to allow halt system. Resolves: #1186780 - Allow audisp_remote_t to read/write user domain pty. Resolves: #1186780 - Label /usr/sbin/chpasswd as passwd_exec_t. - Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds). Resolves:#1221121- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te - Allow pcp_pmcd daemon to read postfix config files. - Allow pcp_pmcd daemon to search postfix spool dirs. Resolves: #1213740 - Added Booleans: pcp_read_generic_logs. Resolves: #1213740 - Allow drbd to read configuration options used when loading modules. Resolves: #1134883 - Allow glusterd to manage nfsd and rpcd services. - Allow glusterd to communicate with cluster domains over stream socket. - glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.- Allow glusterd to manage nfsd and rpcd services. - Allow networkmanager to communicate via dbus with systemd_hostanmed. Resolves: #1234954 - Allow stream connect logrotate to prosody. - Add prosody_stream_connect() interface. - httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t. - Allow prosody to create own tmp files/dirs. Resolves:#1212498- Allow networkmanager read rfcomm port. Resolves:#1212498 - Remove non exists label. - Fix *_admin intefaces where body is not consistent with header. - Label /usr/afs/ as afs_files_t, Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t, Allow afs_bosserver_t read kerberos config - Remove non exits nfsd_ro_t label. - Make all interfaces related to openshift_cache_t as deprecated. - Add rpm_var_run_t label to rpm_admin header - Add jabberd_lock_t label to jabberd_admin header. - Add samba_unconfined_script_exec_t to samba_admin header. - inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - Fix ctdb policy - Add samba_signull_winbind() - Add samba_signull_unconfined_net() - Allow ctdbd_t send signull to samba_unconfined_net_t. - Allow openshift_initrc_t to communicate with firewalld over dbus Resolves:#1221326- Allow gluster to connect to all ports. It is required by random services executed by gluster. - Add interfaces winbind_signull(), samba_unconfined_net_signull(). - Dontaudit smbd_t block_suspend capability. This is kernel bug. - Allow ctdbd sending signull to process winbind, samba_unconfined_net, to checking if processes exists. - Add tmpreaper booleans to use nfs_t and samba_share_t. - Fix path from /usr/sbin/redis-server to /usr/bin/redis-server - Allow connect ypserv to portmap_port_t - Fix paths in inn policy, Allow innd read innd_log_t dirs, Allow innd execute innd_etc_t files - Add support for openstack-nova-* packages - Allow NetworkManager_t send signull to dnssec_trigger_t. - Allow glusterd to execute showmount in the showmount domain. - Label swift-container-reconciler binary as swift_t. - Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files. - Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?" Resolves:#1213540 - Merge all nova_* labels under one nova_t.- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins Resolves:#1233550 - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ - Add support for oddjob based helper in FreeIPA. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add nagios_domtrans_unconfined_plugins() interface. - Update mta_filetrans_named_content() interface to cover more db files. Resolves:#1167468 - Add back ftpd_use_passive_mode boolean with fixed description. - Allow pmcd daemon stream connect to mysqld. - Allow pcp domains to connect to own process using unix_stream_socket. Resolves:#1213709 - Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add support for oddjob based helper in FreeIPA. - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/- Allow iptables to read ctdbd lib files. Resolves:#1224879 - Add systemd_networkd_t to nsswitch domains. - Allow drbd_t write to fixed_disk_device. Reason: drbdmeta needs write to fixed_disk_device during initialization. Resolves:#1130675 - Allow NetworkManager write to sysfs. - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. - Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types. - Allow NetworkManager write to sysfs. - Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. - Dontaudit apache to manage snmpd_var_lib_t files/dirs. - Add interface snmp_dontaudit_manage_snmp_var_lib_files(). - Dontaudit mozilla_plugin_t cap. sys_ptrace. - Rename xodbc-connect port to xodbc_connect - Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. - Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. - Dontaudit chrome to read passwd file. - nrpe needs kill capability to make gluster moniterd nodes working. Resolves:#1235587- We allow can_exec() on ssh_keygen on gluster. But there is a transition defined by init_initrc_domain() because we need to allow execute unconfined services by glusterd. So ssh-keygen ends up with ssh_keygen_t and we need to allow to manage /var/lib/glusterd/geo-replication/secret.pem. - Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so. - Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password. - Label gluster python hooks also as bin_t. - Allow glusterd to interact with gluster tools running in a user domain - Add glusterd_manage_lib_files() interface. - ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. - Allow samba_t net_admin capability to make CIFS mount working. - S30samba-start gluster hooks wants to search audit logs. Dontaudit it. Resolves:#1224879- Allow glusterd to send generic signals to systemd_passwd_agent processes. - Allow glusterd to access init scripts/units without defined policy - Allow glusterd to run init scripts. - Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain. Resolves:#1224879- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block. - Allow samba-net to access /var/lib/ctdbd dirs/files. - Allow glusterd to send a signal to smbd. - Make ctdbd as home manager to access also FUSE. - Allow glusterd to use geo-replication gluster tool. - Allow glusterd to execute ssh-keygen. - Allow glusterd to interact with cluster services. - Allow glusterd to connect to the system DBUS for service (acquire_svc). - Label /dev/log correctly. Resolves:#1230932- Back port the latest F22 changes to RHEL7. It should fix most of RHEL7.2 bugs - Add cgdcbxd policy Resolves:#1072493 - Fix ftp_homedir boolean Resolve:#1097775 - Dontaudit ifconfig writing inhertited /var/log/pluto.log. - Allow cluster domain to dbus chat with systemd-logind. Resolves:#1145215 - Dontaudit write access to inherited kdumpctl tmp files Resolves:#1156442 - Allow isnsd_t to communicate with sssd Resolves:#1167702 - Allow rwho_t to communicate with sssd Resolves:#1167718 - Allow sblim_gatherd_t to communicate with sssd Resolves:#1167732 - Allow pkcs_slotd_t to communicate with sssd Resolves:#1167737 - Allow openvswitch_t to communicate with sssd Resolves:#1167816 - Allow mysqld_safe_t to communicate with sssd Resolves:#1167832 - Allow sshd_keygen_t to communicate with sssd Resolves:#1167840 - Add support for iprdbg logging files in /var/log. Resolves:#1174363 - Allow tmpreaper_t to manage ntp log content Resolves:#1176965 - Allow gssd_t to manage ssh keyring Resolves:#1184791 - Allow httpd_sys_script_t to send system log messages Resolves:#1185231 - Allow apcupsd_t to read /sys/devices Resolves:#1189185 - Allow dovecot_t sys_resource capability Resolves:#1191143 - Add support for mongod/mongos systemd unit files. Resolves:#1197038 - Add bacula fixes - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. Resolves:#1203991- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. - Add more restriction on entrypoint for unconfined domains. - Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface - Allow all domains to read /dev/urandom. It is needed by all apps/services linked to libgcrypt. There is no harm to allow it by default. - Update policy/mls for sockets related to access perm. Rules were contradictory. - Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow r un sudo from NRPE utils scripts and allow run nagios in conjunction w ith PNP4Nagios. Resolves:#1201054 - Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead. - Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type - Label /var/lib/tftpboot/aarch64(/.*)? and /var/lib/tftpboot/images2(/.*)? - Add support for iprdbg logging files in /var/log. - Add fixes to rhsmcertd_t - Allow puppetagent_t to transfer firewalld messages over dbus - Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. - Add support for mongod/mongos systemd unit files. - cloudinit and rhsmcertd need to communicate with dbus - Allow dovecot_t sys_resource capability- ALlow mongod execmem by default. - Update policy/mls for sockets. Rules were contradictory. Resolves:#1207133 - Allow a user to login with different security level via ssh.- Update seutil_manage_config() interface. Resolves:#1185962 - Allow pki-tomcat relabel pki_tomcat_etc_rw_t. - Turn on docker_transition_unconfined by default- Allow virtd to list all mountpoints. Resolves:#1180713- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t. - Allow fowner capability for sssd because of selinux_child handling. - ALlow bind to read/write inherited ipsec pipes - Allow hypervkvp to read /dev/urandom and read addition states/config files. - Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd. - Add glusterd_filetrans_named_pid() interface - Allow radiusd to connect to radsec ports. - Allow setuid/setgid for selinux_child - Allow lsmd plugin to connect to tcp/5988 by default. - Allow lsmd plugin to connect to tcp/5989 by default. - Update ipsec_manage_pid() interface. Resolves:#1184978- Update ipsec_manage_pid() interface. Resolves:#1184978- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.- Add auditing support for ipsec. Resolves:#1182524 - Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t - Allow netutils chown capability to make tcpdump working with -w- Allow ipsec to execute _updown.netkey script to run unbound-control. - Allow neutron to read rpm DB. - Add additional fixes for hyperkvp * creates new ifcfg-{name} file * Runs hv_set_ifconfig.sh, which does the following * Copies ifcfg-{name} to /etc/sysconfig/network-scripts - Allow svirt to read symbolic links in /sys/fs/cgroups labeled as tmpfs_t - Add labeling for pacemaker.log. - Allow radius to connect/bind radsec ports. - Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log - Allow virt_qemu_ga to dbus chat with rpm. - Update virt_read_content() interface to allow read also char devices. - Allow glance-registry to connect to keystone port. Resolves:#1181818- Allow sssd to send dbus all user domains. Resolves:#1172291 - Allow lsm plugin to read certificates. - Fix labeling for keystone CGI scripts. - Make snapperd back as unconfined domain.- Fix bugs in interfaces discovered by sepolicy. - Allow slapd to read /usr/share/cracklib/pw_dict.hwm. - Allow lsm plugins to connect to tcp/18700 by default. - Allow brltty mknod capability to allow create /var/run/brltty/vcsa. - Fix pcp_domain_template() interface. - Fix conman.te. - Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc - Allow glance-scrubber to connect tcp/9191. - Add missing setuid capability for sblim-sfcbd. - Allow pegasus ioctl() on providers. - Add conman_can_network. - Allow chronyd to read chrony conf files located in /run/timemaster/. - Allow radius to bind on tcp/1813 port. - dontaudit block suspend access for openvpn_t - Allow conman to create files/dirs in /tmp. - Update xserver_rw_xdm_keys() interface to have 'setattr'. Resolves:#1172291 - Allow sulogin to read /dev/urandom and /dev/random. - Update radius port definition to have also tcp/18121 - Label prandom as random_device_t. - Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t.- Allow virt_qemu_ga_t to execute kmod. - Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean. - Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs. Resolves:#1113725 - Enable OpenStack cinder policy - Add support for /usr/share/vdsm/daemonAdapter - Add support for /var/run/gluster- Remove old pkcsslotd.pp from minimum package - Allow rlogind to use also rlogin ports. - Add support for /usr/libexec/ntpdate-wrapper. Label it as ntpdate_exec_t. - Allow bacula to connect also to postgresql. - Label /usr/libexec/tomcat/server as tomcat_exec_t - Add support for /usr/sbin/ctdbd_wrapper - Add support for /usr/libexec/ppc64-diag/rtas_errd - Allow rpm_script_roles to access system_mail_t - Allow brltty to create /var/run/brltty - Allow lsmd plugin to access netlink_route_socket - Allow smbcontrol to read passwd - Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for it Resolves:#1140106 - Allow osad to execute rhn_check - Allow load_policy to rw inherited sssd pipes because of selinux_child - Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS - Add additional fixes for su_restricted_domain_template to make moving to sysadm_r and trying to su working correctly - Add additional booleans substitions- Add seutil_dontaudit_access_check_semanage_module_store() interface Resolves:#1140106 - Update to have all _systemctl() interface also init_reload_services(). - Dontaudit access check on SELinux module store for sssd. - Add labeling for /sbin/iw. - Allow named_filetrans_domain to create ibus directory with correct labeling.- Allow radius to bind tcp/1812 radius port. - Dontaudit list user_tmp files for system_mail_t. - Label virt-who as virtd_exec_t. - Allow rhsmcertd to send a null signal to virt-who running as virtd_t. - Add missing alias for _content_rw_t. Resolves:#1089177 - Allow spamd to access razor-agent.log. - Add fixes for sfcb from libvirt-cim TestOnly bug. - Allow NetworkManager stream connect on openvpn. - Make /usr/bin/vncserver running as unconfined_service_t. - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain. - Label /etc/docker/certs.d as cert_t.- Label /etc/strongimcv as ipsec_conf_file_t. - Add support for /usr/bin/start-puppet-ca helper script Resolves:#1160727 - Allow rpm scripts to enable/disable transient systemd units. Resolves:#1154613 - Make kpropdas nsswitch domain Resolves:#1153561 - Make all glance domain as nsswitch domains Resolves:#1113281 - Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active - Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t Resolves:#1140106- Dontaudit access check on setfiles/load_policy for sssd_t. Resolves:#1140106 - Add kdump_rw_inherited_kdumpctl_tmp_pipes() Resolves:#1156442 - Make linuxptp services as unconfined. - Added new policy linuxptp. Resolves:#1149693 - Label keystone cgi files as keystone_cgi_script_exec_t. Resolves:#1138424 - Make tuned as unconfined domain- Allow guest to connect to libvirt using unix_stream_socket. - Allow all bus client domains to dbus chat with unconfined_service_t. - Allow inetd service without own policy to run in inetd_child_t which is unconfined domain. - Make opensm as nsswitch domain to make it working with sssd. - Allow brctl to read meminfo. - Allow winbind-helper to execute ntlm_auth in the caller domain. Resolves:#1160339 - Make plymouthd as nsswitch domain to make it working with sssd. Resolves:#1160196 - Make drbd as nsswitch domain to make it working with sssd. - Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working. - Add support for /var/lib/sntp directory. - Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc - Allow winbind to read usermodehelper - Allow telepathy domains to execute shells and bin_t - Allow gpgdomains to create netlink_kobject_uevent_sockets - Allow mongodb to bind to the mongo port and mongos to run as mongod_t - Allow abrt to read software raid state. - Allow nslcd to execute netstat. - Allow dovecot to create user's home directory when they log into IMAP. - Allow login domains to create kernel keyring with different level.- Allow modemmanger to connectto itself Resolves:#1120152 - Allow pki_tomcat to create link files in /var/lib/pki-ca. Resolves:#1121744 - varnishd needs to have fsetid capability Resolves:#1125165 - Allow snapperd to dbus chat with system cron jobs. Resolves:#1152447 - Allow dovecot to create user's home directory when they log into IMAP Resolves:#1152773 - Add labeling for /usr/sbin/haproxy-systemd-wrapper wrapper to make haproxy running haproxy_t. - ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. - Allow nslcd to execute netstat. - Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. - Allow nslcd to read /dev/urandom.- Add back kill permisiion for system class Resolves:#1150011- Add back kill permisiion for service class Resolves:#1150011 - Make rhsmcertd_t also as dbus domain. - Allow named to create DNS_25 with correct labeling. - Add cloudform_dontaudit_write_cloud_log() - Call auth_use_nsswitch to apache to read/write cloud-init keys. - Allow cloud-init to dbus chat with certmonger. - Fix path to mon_statd_initrc_t script. - Allow all RHCS services to read system state. - Allow dnssec_trigger_t to execute unbound-control in own domain. - kernel_read_system_state needs to be called with type. Moved it to antivirus.if. - Added policy for mon_statd and mon_procd services. BZ (1077821) - Allow opensm_t to read/write /dev/infiniband/umad1. - Allow mongodb to manage own log files. - Allow neutron connections to system dbus. - Add support for /var/lib/swiftdirectory. - Allow nova-scheduler to read certs. - Allow openvpn to access /sys/fs/cgroup dir. - Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd. - Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files. - Add auth_use_nsswitch for portreserve to make it working with sssd. - automount policy is non-base module so it needs to be called in optional block. - ALlow sensord to getattr on sysfs. - Label /usr/share/corosync/corosync as cluster_exec_t. - Allow lmsd_plugin to read passwd file. BZ(1093733) - Allow read antivirus domain all kernel sysctls. - Allow mandb to getattr on file systems - Allow nova-console to connect to mem_cache port. - Make sosreport as unconfined domain. - Allow mondogdb to 'accept' accesses on the tcp_socket port. - ALlow sanlock to send a signal to virtd_t.- Build also MLS policy Resolves:#1138424- Add back kill permisiion for system class - Allow iptables read fail2ban logs. - Fix radius labeled ports - Add userdom_manage_user_tmpfs_files interface - Allow libreswan to connect to VPN via NM-libreswan. - Label 4101 tcp port as brlp port - fix dev_getattr_generic_usb_dev interface - Allow all domains to read fonts - Make sure /run/systemd/generator and system is labeled correctly on creation. - Dontaudit aicuu to search home config dir. - Make keystone_cgi_script_t domain. Resolves:#1138424 - Fix bug in drbd policy, - Added support for cpuplug. - ALlow sanlock_t to read sysfs_t. - Added sendmail_domtrans_unconfined interface - Fix broken interfaces - radiusd wants to write own log files. - Label /usr/libexec/rhsmd as rhsmcertd_exec_t - Allow rhsmcertd send signull to setroubleshoot. - Allow rhsmcertd manage rpm db. - Added policy for blrtty. - Fix keepalived policy - Allow rhev-agentd dbus chat with systemd-logind. - Allow keepalived manage snmp var lib sock files. - Add support for /var/lib/graphite-web - Allow NetworkManager to create Bluetooth SDP sockets - It's going to do the the discovery for DUN service for modems with Bluez 5. - Allow swift to connect to all ephemeral ports by default. - Allow sssd to read selinux config to add SELinux user mapping. - Allow lsmd to search own plguins. - Allow abrt to read /dev/memto generate an unique machine_id and uses sosuploader's algorithm based off dmidecode[1] fields. - ALlow zebra for user/group look-ups. - Allow nova domains to getattr on all filesystems. - Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes. - Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket. - Allow rhnsd_t to manage also rhnsd config symlinks. - ALlow user mail domains to create dead.letter. - Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. - Allow pki-tomcat to change SELinux object identity. - Allow radious to connect to apache ports to do OCSP check - Allow git cgi scripts to create content in /tmp - Allow cockpit-session to do GSSAPI logins. - Allow sensord read in /proc - Additional access required by usbmuxd- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems - Label /usr/lib/erlang/erts.*/bin files as bin_t - Add files_dontaudit_access_check_home_dir() inteface. - Allow udev_t mounton udev_var_run_t dirs #(1128618) - Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it. - Add init_dontaudit_read_state() interface. - Add label for ~/.local/share/fonts - Allow unconfined_r to access unconfined_service_t. - Allow init to read all config files - Add new interface to allow creation of file with lib_t type - Assign rabbitmq port. - Allow unconfined_service_t to dbus chat with all dbus domains - Add new interfaces to access users keys. - Allow domains to are allowed to mounton proc to mount on files as well as dirs - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. - Add a port definition for shellinaboxd - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Allow userdomains to stream connect to pcscd for smart cards - Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix) - Update to rawhide-contrib changes Resolves:#1123844- Rebase to 3.13.1 which we have in Fedora21 Resolves:#1128284- Back port fixes from Fedora. Mainly OpenStack and Docker fixes- Add policy-rhel-7.1-{base,contrib} patches- Add support for us_cli ports - Fix labeling for /var/run/user//gvfs - add support for tcp/9697 - Additional rules required by openstack, needs backport to F20 and RHEL7 - Additional access required by docker - ALlow motion to use tcp/8082 port - Allow init_t to setattr/relabelfrom dhcp state files - Dontaudit antivirus domains read access on all security files by default - Add missing alias for old amavis_etc_t type - Allow block_suspend cap for haproxy - Additional fixes for instack overcloud - Allow OpenStack to read mysqld_db links and connect to MySQL - Remove dup filename rules in gnome.te - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t - Allow iscsid to handle own unit files - Add iscsi_systemctl() - Allow mongod to create also sock_files in /run with correct labeling - Allow httpd to send signull to apache script domains and don't audit leaks - Allow rabbitmq_beam to connect to httpd port - Allow aiccu stream connect to pcscd - Allow dmesg to read hwdata and memory dev - Allow all freeipmi domains to read/write ipmi devices - Allow sblim_sfcbd to use also pegasus-https port - Allow rabbitmq_epmd to manage rabbit_var_log_t files - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input - Allow docker to status any unit file and allow it to start generic unit files- Change hsperfdata_root to have as user_tmp_t Resolves:#1076523- Fix Multiple same specifications for /var/named/chroot/dev/zero - Add labels for /var/named/chroot_sdb/dev devices - Add support for strongimcv - Use kerberos_keytab_domains in auth_use_nsswitch - Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to - Allow net_raw cap for neutron_t and send sigkill to dnsmasq - Fix ntp_filetrans_named_content for sntp-kod file - Add httpd_dbus_sssd boolean - Dontaudit exec insmod in boinc policy - Rename kerberos_keytab_domain to kerberos_keytab_domains - Add kerberos_keytab_domain() - Fix kerberos_keytab_template() - Make all domains which use kerberos as kerberos_keytab_domain Resolves:#1083670 - Allow kill capability to winbind_t- varnishd wants chown capability - update ntp_filetrans_named_content() interface - Add additional fixes for neutron_t. #1083335 - Dontaudit getattr on proc_kcore_t - Allow pki_tomcat_t to read ipa lib files - Allow named_filetrans_domain to create /var/cache/ibus with correct labelign - Allow init_t run /sbin/augenrules - Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces - Allow unpriv SELinux user to use sandbox - Add default label for /tmp/hsperfdata_root- Add file subs also for /var/home- Allow xauth_t to read user_home_dir_t lnk_file - Add labeling for lightdm-data - Allow certmonger to manage ipa lib files - Add support for /var/lib/ipa - Allow pegasus to getattr virt_content - Added some new rules to pcp policy - Allow chrome_sandbox to execute config_home_t - Add support for ABRT FAF- Allow kdm to send signull to remote_login_t process - Add gear policy - Turn on gear_port_t - Allow cgit to read gitosis lib files by default - Allow vdagent to read xdm state - Allow NM and fcoeadm to talk together over unix_dgram_socket- Back port fixes for pegasus_openlmi_admin_t from rawhide Resolves:#1080973 - Add labels for ostree - Add SELinux awareness for NM - Label /usr/sbin/pwhistory_helper as updpwd_exec_t- add gnome_append_home_config() - Allow thumb to append GNOME config home files - Allow rasdaemon to rw /dev/cpu//msr - fix /var/log/pki file spec - make bacula_t as auth_nsswitch domain - Identify pki_tomcat_cert_t as a cert_type - Define speech-dispater_exec_t as an application executable - Add a new file context for /var/named/chroot/run directory - update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removeable devices - Allow nsswitch_domains to stream connect to nmbd - Allow unprivusers to connect to memcached - label /var/lib/dirsrv/scripts-INSTANCE as bin_t- Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo Resolves:#1079250 - Add booleans to allow docker processes to use nfs and samba - Add mdadm_tmpfs support - Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t - Allow vmware-user-sui to use user ttys - Allow talk 2 users logged via console too - Allow ftp services to manage xferlog_t - Make all pcp domanis as unconfined for RHEL7.0 beucause of new policies - allow anaconda to dbus chat with systemd-localed- allow anaconda to dbus chat with systemd-localed - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - Add userdom_tmp_role for secadm_t- Add additional fixes for rtas_errd - Fix transitions for tmp/tmpfs in rtas.te - Allow rtas_errd to readl all sysctls- Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves- Allow docker containers to manage /var/lib/docker content- Allow docker to read tmpfs_t symlinks - Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets- Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets - Dontaudit leaks of sockets into chrome_sandbox_t - If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t - Run vmtools as unconfined domains - Allow snort to manage its log files - Allow systemd_cronjob_t to be entered via bin_t - Allow procman to list doveconf_etc_t - allow keyring daemon to create content in tmpfs directories - Add proper labelling for icedtea-web - vpnc is creating content in networkmanager var run directory - Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. - Allow net_admin cap for fence_virtd running as fenced_t - Make abrt-java-connector working - Make cimtest script 03_defineVS.py of ComputerSystem group working - Fix git_system_enable_homedirs boolean - Allow munin mail plugins to read network systcl- Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla - /var/lib/containers should be labeled as openshift content for now - Allow docker domains to talk to the login programs, to allow a process to login into the container - Allow install_t do dbus chat with NM - Fix interface names in anaconda.if - Add install_t for anaconda. A new type is a part of anaconda policy - sshd to read network sysctls- Allow zabbix to send system log msgs - Allow init_t to stream connect to ipsec Resolves:#1060775- Add docker_connect_any boolean- Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Allow pegasus_openlmi_storage_t to write lvm metadata - Add hide_broken_symptoms for kdumpgui because of systemd bug - Make kdumpgui_t as unconfined domain Resolves:#1044299 - Allow docker to connect to tcp/5000- Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Fix label on irclogs in the homedir - Allow kerberos_keytab_domain domains to manage keys until we get sssd fix - Allow postgresql to use ldap - Add missing syslog-conn port - Add support for /dev/vmcp and /dev/sclp Resolves:#1069310- Modify xdm_write_home to allow create files/links in /root with xdm_home_ - Allow virt domains to read network state Resolves:#1072019- Added pcp rules - dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6 - clean up ctdb.te - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow certmonger to list home dirs- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask - Add sysnet_filetrans_named_content_ifconfig() interface - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow kerberos keytab domains to manage sssd/userdomain keys" - Allow to run ip cmd in neutron_t domain- Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service - Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working - Add xserver_rw_xdm_keys() - Allow rpm_script_t to dbus chat also with systemd-located - Fix ipa_stream_connect_otpd() - update lpd_manage_spool() interface - Allow krb5kdc to stream connect to ipa-otpd - Add ipa_stream_connect_otpd() interface - Allow vpnc to unlink NM pids - Add networkmanager_delete_pid_files() - Allow munin plugins to access unconfined plugins - update abrt_filetrans_named_content to cover /var/spool/debug - Label /var/spool/debug as abrt_var_cache_t - Allow rhsmcertd to connect to squid port - Make docker_transition_unconfined as optional boolean - Allow certmonger to list home dirs- Make snapperd as unconfined domain and add additional fixes for it - Remove nsplugin.pp module on upgrade- Add snapperd_home_t for HOME_DIR/.snapshots directory - Make sosreport as unconfined domain - Allow sosreport to execute grub2-probe - Allow NM to manage hostname config file - Allow systemd_timedated_t to dbus chat with rpm_script_t - Allow lsmd plugins to connect to http/ssh/http_cache ports by default - Add lsmd_plugin_connect_any boolean - Allow mozilla_plugin to attempt to set capabilities - Allow lsdm_plugins to use tcp_socket - Dontaudit mozilla plugin from getattr on /proc or /sys - Dontaudit use of the keyring by the services in a sandbox - Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t - Allow rabbitmq_beam to connect to jabber_interserver_port - Allow logwatch_mail_t to transition to qmail_inject and queueu - Added new rules to pcp policy - Allow vmtools_helper_t to change role to system_r - Allow NM to dbus chat with vmtools - Fix couchdb_manage_files() to allow manage couchdb conf files - Add support for /var/run/redis.sock - dontaudit gpg trying to use audit - Allow consolekit to create log directories and files - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow pkcsslotd to read users state - Add ioctl to init_dontaudit_rw_stream_socket - Add systemd_hostnamed_manage_config() interface - Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - sddm-greater is a xdm type program- Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() interface - Allow confined users to run vmtools helpers - Fix userdom_common_user_template() - Generic systemd unit scripts do write check on / - Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files - Add additional fixes needed for init_t and setup script running in generic unit files - Allow general users to create packet_sockets - added connlcli port - Add init_manage_transient_unit() interface - Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t - Fix userdomain.te to require passwd class - devicekit_power sends out a signal to all processes on the message bus when power is going down - Dontaudit rendom domains listing /proc and hittping system_map_t - Dontauit leaks of var_t into ifconfig_t - Allow domains that transition to ssh_t to manipulate its keyring - Define oracleasm_t as a device node - Change to handle /root as a symbolic link for os-tree - Allow sysadm_t to create packet_socket, also move some rules to attributes - Add label for openvswitch port - Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. - Allow postfix_local to read .forward in pcp lib files - Allow pegasus_openlmi_storage_t to read lvm metadata - Add additional fixes for pegasus_openlmi_storage_t - Allow bumblebee to manage debugfs - Make bumblebee as unconfined domain - Allow snmp to read etc_aliases_t - Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem - Allow pegasus_openlmi_storage_t to read /proc/1/environ - Dontaudit read gconf files for cupsd_config_t - make vmtools as unconfined domain - Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. - Allow collectd_t to use a mysql database - Allow ipa-otpd to perform DNS name resolution - Added new policy for keepalived - Allow openlmi-service provider to manage transitient units and allow stream connect to sssd - Add additional fixes new pscs-lite+polkit support - Add labeling for /run/krb5kdc - Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 - Allow pcscd to read users proc info - Dontaudit smbd_t sending out random signuls - Add boolean to allow openshift domains to use nfs - Allow w3c_validator to create content in /tmp - zabbix_agent uses nsswitch - Allow procmail and dovecot to work together to deliver mail - Allow spamd to execute files in homedir if boolean turned on - Allow openvswitch to listen on port 6634 - Add net_admin capability in collectd policy - Fixed snapperd policy - Fixed bugsfor pcp policy - Allow dbus_system_domains to be started by init - Fixed some interfaces - Add kerberos_keytab_domain attribute - Fix snapperd_conf_t def- Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage /etc/sysconf/rhn director - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Make tuned_t as unconfined domain for RHEL7.0 - Allow ABRT to read puppet certs - Add sys_time capability for virt-ga - Allow gemu-ga to domtrans to hwclock_t - Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages - Fix some AVCs in pcp policy - Add to bacula capability setgid and setuid and allow to bind to bacula ports - Changed label from rhnsd_rw_conf_t to rhnsd_conf_t - Add access rhnsd and osad to /etc/sysconfig/rhn - drbdadm executes drbdmeta - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true - Allow init_t to manage pluto.ctl because of init_t instead of initrc_t - Allow systemd_tmpfiles_t to manage all non security files on the system - Added labels for bacula ports - Fix label on /dev/vfio/vfio - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi- Added osad policy - Allow postfix to deliver to procmail - Allow bumblebee to seng kill signal to xserver - Allow vmtools to execute /usr/bin/lsb_release - Allow docker to write system net ctrls - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix pcp.te - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl- Turn on bacula, rhnsd policy - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl - Fixes for *_admin interfaces - Add pegasus_openlmi_storage_var_run_t type def - Add support for /var/run/openlmi-storage - Allow tuned to create syslog.conf with correct labeling - Add httpd_dontaudit_search_dirs boolean - Add support for winbind.service - ALlow also fail2ban-client to read apache logs - Allow vmtools to getattr on all fs - Add support for dey_sapi port - Add logging_filetrans_named_conf() - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring- Update snapper policy - Allow domains to append rkhunter lib files - Allow snapperd to getattr on all fs - Allow xdm to create /var/gdm with correct labeling - Add label for snapper.log - Allow fail2ban-client to read apache log files - Allow thumb_t to execute dbus-daemon in thumb_t- Allow gdm to create /var/gdm with correct labeling - Allow domains to append rkhunterl lib files. #1057982 - Allow systemd_tmpfiles_t net_admin to communicate with journald - Add interface to getattr on an isid_type for any type of file - Update libs_filetrans_named_content() to have support for /usr/lib/debug directory - Allow initrc_t domtrans to authconfig if unconfined is enabled - Allow docker and mount on devpts chr_file - Allow docker to transition to unconfined_t if boolean set - init calling needs to be optional in domain.te - Allow uncofined domain types to handle transient unit files - Fix labeling for vfio devices - Allow net_admin capability and send system log msgs - Allow lldpad send dgram to NM - Add networkmanager_dgram_send() - rkhunter_var_lib_t is correct type - Back port pcp policy from rawhide - Allow openlmi-storage to read removable devices - Allow system cron jobs to manage rkhunter lib files - Add rkhunter_manage_lib_files() - Fix ftpd_use_fusefs boolean to allow manage also symlinks - Allow smbcontrob block_suspend cap2 - Allow slpd to read network and system state info - Allow NM domtrans to iscsid_t if iscsiadm is executed - Allow slapd to send a signal itself - Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA. - Fix plymouthd_create_log() interface - Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package - Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container - Allow postfix and cyrus-imapd to work out of box - Allow fcoemon to talk with unpriv user domain using unix_stream_socket - Dontaudit domains that are calling into journald to net_admin - Add rules to allow vmtools to do what it does - snapperd is D-Bus service - Allow OpenLMI PowerManagement to call 'systemctl --force reboot' - Add haproxy_connect_any boolean - Allow haproxy also to use http cache port by default Resolves:#1058248- Allow apache to write to the owncloud data directory in /var/www/html... - Allow consolekit to create log dir - Add support for icinga CGI scripts - Add support for icinga - Allow kdumpctl_t to create kdump lock file Resolves:#1055634 - Allow kdump to create lnk lock file - Allow nscd_t block_suspen capability - Allow unconfined domain types to manage own transient unit file - Allow systemd domains to handle transient init unit files - Add interfaces to handle transient- Add cron unconfined role support for uncofined SELinux user - Call corenet_udp_bind_all_ports() in milter.te - Allow fence_virtd to connect to zented port - Fix header for mirrormanager_admin() - Allow dkim-milter to bind udp ports - Allow milter domains to send signull itself - Allow block_suspend for yum running as mock_t - Allow beam.smp to manage couchdb files - Add couchdb_manage_files() - Add labeling for /var/log/php_errors.log - Allow bumblebee to stream connect to xserver - Allow bumblebee to send a signal to xserver - gnome-thumbnail to stream connect to bumblebee - Allow xkbcomp running as bumblebee_t to execute bin_t - Allow logrotate to read squid.conf - Additional rules to get docker and lxc to play well with SELinux - Allow bumbleed to connect to xserver port - Allow pegasus_openlmi_storage_t to read hwdata- Allow init_t to work on transitient and snapshot unit files - Add logging_manage_syslog_config() - Update sysnet_dns_name_resolve() to allow connect to dnssec por - Allow pegasus_openlmi_storage_t to read hwdata Resolves:#1031721 - Fix rhcs_rw_cluster_tmpfs() - Allow fenced_t to bind on zented udp port - Added policy for vmtools - Fix mirrormanager_read_lib_files() - Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files - Allow ctdb to create sock files in /var/run/ctdb - Add sblim_filetrans_named_content() interface - Allow rpm scritplets to create /run/gather with correct labeling - Allow gnome keyring domains to create gnome config dirs - Dontaudit read/write to init stream socket for lsmd_plugin_t - Allow automount to read nfs link files - Allow lsm plugins to read/write lsmd stream socket - Allow certmonger to connect ldap port to make IPA CA certificate renewal working. - Add also labeling for /var/run/ctdb - Add missing labeling for /var/lib/ctdb - ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446 - Dontaudit hypervkvp to search homedirs - Dontaudit hypervkvp to search admin homedirs - Allow hypervkvp to execute bin_t and ifconfig in the caller domain - Dontaudit xguest_t to read ABRT conf files - Add abrt_dontaudit_read_config() - Allow namespace-init to getattr on fs - Add thumb_role() also for xguest - Add filename transitions to create .spamassassin with correct labeling - Allow apache domain to read mirrormanager pid files - Allow domains to read/write shm and sem owned by mozilla_plugin_t - Allow alsactl to send a generic signal to kernel_t- Add back rpm_run() for unconfined user- Add missing files_create_var_lib_dirs() - Fix typo in ipsec.te - Allow passwd to create directory in /var/lib - Add filename trans also for event21 - Allow iptables command to read /dev/rand - Add sigkill capabilityfor ipsec_t - Add filename transitions for bcache devices - Add additional rules to create /var/log/cron by syslogd_t with correct labeling - Add give everyone full access to all key rings - Add default lvm_var_run_t label for /var/run/multipathd - Fix log labeling to have correct default label for them after logrotate - Labeled ~/.nv/GLCache as being gstreamer output - Allow nagios_system_plugin to read mrtg lib files - Add mrtg_read_lib_files() - Call rhcs_rw_cluster_tmpfs for dlm_controld - Make authconfing as named_filetrans domain - Allow virsh to connect to user process using stream socket - Allow rtas_errd to read rand/urand devices and add chown capability - Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp Resolves:#1051497 - Add also chown cap for abrt_upload_watch_t. It already has dac_override - Allow sosreport to manage rhsmcertd pid files - Add rhsmcertd_manage_pid_files() - Allow also setgid cap for rpc.gssd - Dontaudit access check for abrt on cert_t - Allow pegasus_openlmi_system providers to dbus chat with systemd-logind- Fix semanage import handling in spec file- Add default lvm_var_run_t label for /var/run/multipathd Resolves:#1051430 - Fix log labeling to have correct default label for them after logrotate - Add files_write_root_dirs - Add new openflow port label for 6653/tcp and 6633/tcp - Add xserver_manage_xkb_libs() - Label tcp/8891 as milter por - Allow gnome_manage_generic_cache_files also create cache_home_t files - Fix aide.log labeling - Fix log labeling to have correct default label for them after logrotate - Allow mysqld-safe write access on /root to make mysqld working - Allow sosreport domtrans to prelikn - Allow OpenvSwitch to connec to openflow ports - Allow NM send dgram to lldpad - Allow hyperv domains to execute shell - Allow lsmd plugins stream connect to lsmd/init - Allow sblim domains to create /run/gather with correct labeling - Allow httpd to read ldap certs - Allow cupsd to send dbus msgs to process with different MLS level - Allow bumblebee to stream connect to apmd - Allow bumblebee to run xkbcomp - Additional allow rules to get libvirt-lxc containers working with docker - Additional allow rules to get libvirt-lxc containers working with docker - Allow docker to getattr on itself - Additional rules needed for sandbox apps - Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled - httpd should be able to send signal/signull to httpd_suexec_t - Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain.- Add neutron fixes- Allow sshd to write to all process levels in order to change passwd when running at a level - Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range - Allow apcuspd_t to status and start the power unit file - Allow udev to manage kdump unit file - Added new interface modutils_dontaudit_exec_insmod - Allow cobbler to search dhcp_etc_t directory - systemd_systemctl needs sys_admin capability - Allow sytemd_tmpfiles_t to delete all directories - passwd to create gnome-keyring passwd socket - Add missing zabbix_var_lib_t type - Fix filename trans for zabbixsrv in zabbix.te - Allow fprintd_t to send syslog messages - Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port - Allow mozilla plugin to chat with policykit, needed for spice - Allow gssprozy to change user and gid, as well as read user keyrings - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly - Allow polipo to connect to http_cache_ports - Allow cron jobs to manage apache var lib content - Allow yppassword to manage the passwd_file_t - Allow showall_t to send itself signals - Allow cobbler to restart dhcpc, dnsmasq and bind services - Allow certmonger to manage home cert files - Add userdom filename trans for user mail domains - Allow apcuspd_t to status and start the power unit file - Allow cgroupdrulesengd to create content in cgoups directories - Allow smbd_t to signull cluster - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t - Add label for /var/spool/cron.aquota.user - Allow sandbox_x domains to use work with the mozilla plugin semaphore - Added new policy for speech-dispatcher - Added dontaudit rule for insmod_exec_t in rasdaemon policy - Updated rasdaemon policy - Allow system_mail_t to transition to postfix_postdrop_t - Clean up mirrormanager policy - Allow virt_domains to read cert files, needs backport to RHEL7 - Allow sssd to read systemd_login_var_run_t - Allow irc_t to execute shell and bin-t files: - Add new access for mythtv - Allow rsync_t to manage all non auth files - allow modemmanger to read /dev/urand - Allow sandbox apps to attempt to set and get capabilties- Add labeling for /var/lib/servicelog/servicelog.db-journal - Add support for freeipmi port - Add sysadm_u_default_contexts - Make new type to texlive files in homedir - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Additional fixes for docker.te - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libivrt - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Fix typo in docker.te - Allow amanda to do backups over UDP - Allow bumblebee to read /etc/group and clean up bumblebee.te - type transitions with a filename not allowed inside conditionals - Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 - Make new type to texlive files in homedir- Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template() - Allow journalctl running as ABRT to read /run/log/journal - Allow NM to read dispatcher.d directory - Update freeipmi policy - Type transitions with a filename not allowed inside conditionals - Allow tor to bind to hplip port - Make new type to texlive files in homedir - Allow zabbix_agent to transition to dmidecode - Add rules for docker - Allow sosreport to send signull to unconfined_t - Add virt_noatsecure and virt_rlimitinh interfaces - Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port - Add sysadm_u_default_contexts - Add logging_read_syslog_pid() - Fix userdom_manage_home_texlive() interface - Make new type to texlive files in homedir - Add filename transitions for /run and /lock links - Allow virtd to inherit rlimit information Resolves:#975358- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t Resolves:#1039879 - Add labeling for /usr/lib/systemd/system/mariadb.service - Allow hyperv_domain to read sysfs - Fix ldap_read_certs() interface to allow acess also link files - Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt - Allow tuned to run modprobe - Allow portreserve to search /var/lib/sss dir - Add SELinux support for the teamd package contains team network device control daemon. - Dontaudit access check on /proc for bumblebee - Bumblebee wants to load nvidia modules - Fix rpm_named_filetrans_log_files and wine.te - Add conman policy for rawhide - DRM master and input event devices are used by the TakeDevice API - Clean up bumblebee policy - Update pegasus_openlmi_storage_t policy - Add freeipmi_stream_connect() interface - Allow logwatch read madm.conf to support RAID setup - Add raid_read_conf_files() interface - Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling - add rpm_named_filetrans_log_files() interface - Allow dkim-milter to create files/dirs in /tmp - update freeipmi policy - Add policy for freeipmi services - Added rdisc_admin and rdisc_systemctl interfaces - opensm policy clean up - openwsman policy clean up - ninfod policy clean up - Added new policy for ninfod - Added new policy for openwsman - Added rdisc_admin and rdisc_systemctl interfaces - Fix kernel_dontaudit_access_check_proc() - Add support for /dev/uhid - Allow sulogin to get the attributes of initctl and sys_admin cap - Add kernel_dontaudit_access_check_proc() - Fix dev_rw_ipmi_dev() - Fix new interface in devices.if - DRM master and input event devices are used by the TakeDevice API - add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() - Added support for default conman port - Add interfaces for ipmi devices- Allow sosreport to send a signal to ABRT - Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t - Label /usr/sbin/htcacheclean as httpd_exec_t Resolves:#1037529 - Added support for rdisc unit file - Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs - Allow runuser running as logrotate connections to system DBUS - Label bcache devices as fixed_disk_device_t - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service - Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t- Add back setpgid/setsched for sosreport_t- Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com)- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel. - Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on - Add lsmd_plugin_t for lsm plugins - Allow dovecot-deliver to search mountpoints - Add labeling for /etc/mdadm.conf - Allow opelmi admin providers to dbus chat with init_t - Allow sblim domain to read /dev/urandom and /dev/random - Allow apmd to request the kernel load modules - Add glusterd_brick_t type - label mate-keyring-daemon with gkeyringd_exec_t - Add plymouthd_create_log() - Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 - Allow sssd to request the kernel loads modules - Allow gpg_agent to use ssh-add - Allow gpg_agent to use ssh-add - Dontaudit access check on /root for myslqd_safe_t - Allow ctdb to getattr on al filesystems - Allow abrt to stream connect to syslog - Allow dnsmasq to list dnsmasq.d directory - Watchdog opens the raw socket - Allow watchdog to read network state info - Dontaudit access check on lvm lock dir - Allow sosreport to send signull to setroubleshootd - Add setroubleshoot_signull() interface - Fix ldap_read_certs() interface - Allow sosreport all signal perms - Allow sosreport to run systemctl - Allow sosreport to dbus chat with rpm - Add glusterd_brick_t files type - Allow zabbix_agentd to read all domain state - Clean up rtas.if - Allow smoltclient to execute ldconfig - Allow sosreport to request the kernel to load a module - Fix userdom_confined_admin_template() - Add back exec_content boolean for secadm, logadm, auditadm - Fix files_filetrans_system_db_named_files() interface - Allow sulogin to getattr on /proc/kcore - Add filename transition also for servicelog.db-journal - Add files_dontaudit_access_check_root() - Add lvm_dontaudit_access_check_lock() interface- Allow watchdog to read /etc/passwd - Allow browser plugins to connect to bumblebee - New policy for bumblebee and freqset - Add new policy for mip6d daemon - Add new policy for opensm daemon - Allow condor domains to read/write condor_master udp_socket - Allow openshift_cron_t to append to openshift log files, label /var/log/openshift - Add back file_pid_filetrans for /var/run/dlm_controld - Allow smbd_t to use inherited tmpfs content - Allow mcelog to use the /dev/cpu device - sosreport runs rpcinfo - sosreport runs subscription-manager - Allow staff_t to run frequency command - Allow systemd_tmpfiles to relabel log directories - Allow staff_t to read xserver_log file - Label hsperfdata_root as tmp_t- More sosreport fixes to make ABRT working- Fix files_dontaudit_unmount_all_mountpoints() - Add support for 2608-2609 tcp/udp ports - Should allow domains to lock the terminal device - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - We need to require passwd rootok - Fix zebra.fc - Fix dnsmasq_filetrans_named_content() interface - Allow all sandbox domains create content in svirt_home_t - Allow zebra domains also create zebra_tmp_t files in /tmp - Add support for new zebra services:isisd,babeld. Add systemd support for zebra services. - Fix labeling on neutron and remove transition to iconfig_t - abrt needs to read mcelog log file - Fix labeling on dnsmasq content - Fix labeling on /etc/dnsmasq.d - Allow glusterd to relabel own lib files - Allow sandbox domains to use pam_rootok, and dontaudit attempts to unmount file systems, this is caused by a bug in systemd - Allow ipc_lock for abrt to run journalctl- Fix config.tgz- Fix passenger_stream_connect interface - setroubleshoot_fixit wants to read network state - Allow procmail_t to connect to dovecot stream sockets - Allow cimprovagt service providers to read network states - Add labeling for /var/run/mariadb - pwauth uses lastlog() to update system's lastlog - Allow account provider to read login records - Add support for texlive2013 - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - Allow passwd_t to connect to gnome keyring to change password - Update mls config files to have cronjobs in the user domains - Remove access checks that systemd does not actually do- Add support for yubikey in homedir - Add support for upd/3052 port - Allow apcupsd to use PowerChute Network Shutdown - Allow lsmd to execute various lsmplugins - Add labeling also for /etc/watchdog\.d where are watchdog scripts located too - Update gluster_export_all_rw boolean to allow relabel all base file types - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling- Add files_relabel_base_file_types() interface - Allow netlabel-config to read passwd - update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr() - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling - Allow pegasus to domtrans to mount_t - Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts - Add support for unconfined watchdog scripts - Allow watchdog to manage own log files- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory. - Label /etc/yum.repos.d as system_conf_t - Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t - Allow dac_override for sysadm_screen_t - Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. - Allow netlabel-config to read meminfo - Add interface to allow docker to mounton file_t - Add new interface to exec unlabeled files - Allow lvm to use docker semaphores - Setup transitons for .xsessions-errors.old - Change labels of files in /var/lib/*/.ssh to transition properly - Allow staff_t and user_t to look at logs using journalctl - pluto wants to manage own log file - Allow pluto running as ipsec_t to create pluto.log - Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Allow dmidecode to read/write /run/lock/subsys/rhsmcertd - Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. - Additional access for docker - Added more rules to sblim policy - Fix kdumpgui_run_bootloader boolean - Allow dspam to connect to lmtp port - Included sfcbd service into sblim policy - rhsmcertd wants to manaage /etc/pki/consumer dir - Add kdumpgui_run_bootloader boolean - Add support for /var/cache/watchdog - Remove virt_domain attribute for virt_qemu_ga_unconfined_t - Fixes for handling libvirt containes - Dontaudit attempts by mysql_safe to write content into / - Dontaudit attempts by system_mail to modify network config - Allow dspam to bind to lmtp ports - Add new policy to allow staff_t and user_t to look at logs using journalctl - Allow apache cgi scripts to list sysfs - Dontaudit attempts to write/delete user_tmp_t files - Allow all antivirus domains to manage also own log dirs - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Add missing permission checks for nscd- Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Add file transition rules for content created by f5link - Rename quantum_port information to neutron - Allow all antivirus domains to manage also own log dirs - Rename quantum_port information to neutron - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Allow sysadm_t to read login information - Allow systemd_tmpfiles to setattr on var_log_t directories - Udpdate Makefile to include systemd_contexts - Add systemd_contexts - Add fs_exec_hugetlbfs_files() interface - Add daemons_enable_cluster_mode boolean - Fix rsync_filetrans_named_content() - Add rhcs_read_cluster_pid_files() interface - Update rhcs.if with additional interfaces from RHEL6 - Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t - Allow glusterd_t to mounton glusterd_tmp_t - Allow glusterd to unmout al filesystems - Allow xenstored to read virt config - Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label - Allow mozilla_plugin_t to mmap hugepages as an executable- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp- Allow sshd_t to read openshift content, needs backport to RHEL6.5 - Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t - Make sur kdump lock is created with correct label if kdumpctl is executed - gnome interface calls should always be made within an optional_block - Allow syslogd_t to connect to the syslog_tls port - Add labeling for /var/run/charon.ctl socket - Add kdump_filetrans_named_content() - Allo setpgid for fenced_t - Allow setpgid and r/w cluster tmpfs for fenced_t - gnome calls should always be within optional blocks - wicd.pid should be labeled as networkmanager_var_run_t - Allow sys_resource for lldpad- Add rtas policy- Allow mailserver_domains to manage and transition to mailman data - Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands - Allow mailserver_domains to manage and transition to mailman data - Allow svirt_domains to read sysctl_net_t - Allow thumb_t to use tmpfs inherited from the user - Allow mozilla_plugin to bind to the vnc port if running with spice - Add new attribute to discover confined_admins and assign confined admin to it - Fix zabbix to handle attributes in interfaces - Fix zabbix to read system states for all zabbix domains - Fix piranha_domain_template() - Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. - Allow lldpad sys_rouserce cap due to #986870 - Allow dovecot-auth to read nologin - Allow openlmi-networking to read /proc/net/dev - Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t - Add zabbix_domain attribute for zabbix domains to treat them together - Add labels for zabbix-poxy-* (#1018221) - Update openlmi-storage policy to reflect #1015067 - Back port piranha tmpfs fixes from RHEL6 - Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop - Add postfix_rw_spool_maildrop_files interface - Call new userdom_admin_user_templat() also for sysadm_secadm.pp - Fix typo in userdom_admin_user_template() - Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey - Add new attribute to discover confined_admins - Fix labeling for /etc/strongswan/ipsec.d - systemd_logind seems to pass fd to anyone who dbus communicates with it - Dontaudit leaked write descriptor to dmesg- Activate motion policy- Fix gnome_read_generic_data_home_files() - allow openshift_cgroup_t to read/write inherited openshift file types - Remove httpd_cobbler_content * from cobbler_admin interface - Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container - Allow httpd_t to read also git sys content symlinks - Allow init_t to read gnome home data - Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it. - Allow virsh to execute systemctl - Fix for nagios_services plugins - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - Fix hypervkvp.te - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Fix logging policy - Allow syslog to bind to tls ports - Update labeling for /dev/cdc-wdm - Allow to su_domain to read init states - Allow init_t to read gnome home data - Make sure if systemd_logind creates nologin file with the correct label - Clean up ipsec.te- Add auth_exec_chkpwd interface - Fix port definition for ctdb ports - Allow systemd domains to read /dev/urand - Dontaudit attempts for mozilla_plugin to append to /dev/random - Add label for /var/run/charon.* - Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service - Fix for nagios_services plugins - Fix some bugs in zoneminder policy - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - glusterd binds to random unreserved ports - Additional allow rules found by testing glusterfs - apcupsd needs to send a message to all users on the system so needs to look them up - Fix the label on ~/.juniper_networks - Dontaudit attempts for mozilla_plugin to append to /dev/random - Allow polipo_daemon to connect to flash ports - Allow gssproxy_t to create replay caches - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type- init reload from systemd_localed_t - Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd - Allow systemd_localed_t to ask systemd to reload the locale. - Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory - Allow readahead to read /dev/urand - Fix lots of avcs about tuned - Any file names xenstored in /var/log should be treated as xenstored_var_log_t - Allow tuned to inderact with hugepages - Allow condor domains to list etc rw dirs- Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Add additional fixes forpegasus_openlmi_account_t - Allow mdadm to read /dev/urand - Allow pegasus_openlmi_storage_t to create mdadm.conf and write it - Add label/rules for /etc/mdadm.conf - Allow pegasus_openlmi_storage_t to transition to fsadm_t - Fixes for interface definition problems - Dontaudit dovecot-deliver to gettatr on all fs dirs - Allow domains to search data_home_t directories - Allow cobblerd to connect to mysql - Allow mdadm to r/w kdump lock files - Add support for kdump lock files - Label zarafa-search as zarafa-indexer - Openshift cgroup wants to read /etc/passwd - Add new sandbox domains for kvm - Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on - Fix labeling for /usr/lib/systemd/system/lvm2.* - Add labeling for /usr/lib/systemd/system/lvm2.* - Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules - Add sshd_keygen_t policy for sshd-keygen - Fix alsa_home_filetrans interface name and definition - Allow chown for ssh_keygen_t - Add fs_dontaudit_getattr_all_dirs() - Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys - Fix up patch to allow systemd to manage home content - Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled - Allow getty to exec hostname to get info - Add systemd_home_t for ~/.local/share/systemd directory- Fix lxc labels in config.tgz- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper - Allow tuned to search all file system directories - Allow alsa_t to sys_nice, to get top performance for sound management - Add support for MySQL/PostgreSQL for amavis - Allow openvpn_t to manage openvpn_var_log_t files. - Allow dirsrv_t to create tmpfs_t directories - Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label - Dontaudit leaked unix_stream_sockets into gnome keyring - Allow telepathy domains to inhibit pipes on telepathy domains - Allow cloud-init to domtrans to rpm - Allow abrt daemon to manage abrt-watch tmp files - Allow abrt-upload-watcher to search /var/spool directory - Allow nsswitch domains to manage own process key - Fix labeling for mgetty.* logs - Allow systemd to dbus chat with upower - Allow ipsec to send signull to itself - Allow setgid cap for ipsec_t - Match upstream labeling- Do not build sanbox pkg on MLS- wine_tmp is no longer needed - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind - Fix handling of fifo files of rpm - Allow mozilla_plugin to transition to itself - Allow certwatch to write to cert_t directories - New abrt application - Allow NetworkManager to set the kernel scheduler - Make wine_domain shared by all wine domains - Allow mdadm_t to read images labeled svirt_image_t - Allow amanda to read /dev/urand - ALlow my_print_default to read /dev/urand - Allow mdadm to write to kdumpctl fifo files - Allow nslcd to send signull to itself - Allow yppasswd to read /dev/urandom - Fix zarafa_setrlimit - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add additional alias for user_tmp_t because wine_tmp_t is no longer used - More handling of ther kernel keyring required by kerberos - New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed- Dontaudit attempts by sosreport to read shadow_t - Allow browser sandbox plugins to connect to cups to print - Add new label mpd_home_t - Label /srv/www/logs as httpd_log_t - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add labels for apache logs under miq package - Allow irc_t to use tcp sockets - fix labels in puppet.if - Allow tcsd to read utmp file - Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys - Define svirt_socket_t as a domain_type - Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t - Fix label on pam_krb5 helper apps- Allow ldconfig to write to kdumpctl fifo files - allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks- Allow block_suspend cap for samba-net - Allow t-mission-control to manage gabble cache files - Allow nslcd to read /sys/devices/system/cpu - Allow selinux_store to use symlinks- Allow xdm_t to transition to itself - Call neutron interfaces instead of quantum - Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t - Make sure directories in /run get created with the correct label - Make sure /root/.pki gets created with the right label - try to remove labeling for motion from zoneminder_exec_t to bin_t - Allow inetd_t to execute shell scripts - Allow cloud-init to read all domainstate - Fix to use quantum port - Add interface netowrkmanager_initrc_domtrans - Fix boinc_execmem - Allow t-mission-control to read gabble cache home - Add labeling for ~/.cache/telepathy/avatars/gabble - Allow memcache to read sysfs data - Cleanup antivirus policy and add additional fixes - Add boolean boinc_enable_execstack - Add support for couchdb in rabbitmq policy - Add interface couchdb_search_pid_dirs - Allow firewalld to read NM state - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files()- Split out rlogin ports from inetd - Treat files labeld as usr_t like bin_t when it comes to transitions - Allow staff_t to read login config - Allow ipsec_t to read .google authenticator data - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files() - Call the correct interface - corenet_udp_bind_ktalkd_port() - Allow all domains that can read gnome_config to read kde config - Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work - Allow mdadm to getattr any file system - Allow a confined domain to executes mozilla_exec_t via dbus - Allow cupsd_lpd_t to bind to the printer port - Dontaudit attempts to bind to ports < 1024 when nis is turned on - Allow apache domain to connect to gssproxy socket - Allow rlogind to bind to the rlogin_port - Allow telnetd to bind to the telnetd_port - Allow ktalkd to bind to the ktalkd_port - Allow cvs to bind to the cvs_port- Cleanup related to init_domain()+inetd_domain fixes - Use just init_domain instead of init_daemon_domain in inetd_core_service_domain - svirt domains neeed to create kobject_uevint_sockets - Lots of new access required for sosreport - Allow tgtd_t to connect to isns ports - Allow init_t to transition to all inetd domains: - openct needs to be able to create netlink_object_uevent_sockets - Dontaudit leaks into ldconfig_t - Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls - Move kernel_stream_connect into all Xwindow using users - Dontaudit inherited lock files in ifconfig o dhcpc_t- Also sock_file trans rule is needed in lsm - Fix labeling for fetchmail pid files/dirs - Add additional fixes for abrt-upload-watch - Fix polipo.te - Fix transition rules in asterisk policy - Add fowner capability to networkmanager policy - Allow polipo to connect to tor ports - Cleanup lsmd.if - Cleanup openhpid policy - Fix kdump_read_crash() interface - Make more domains as init domain - Fix cupsd.te - Fix requires in rpm_rw_script_inherited_pipes - Fix interfaces in lsm.if - Allow munin service plugins to manage own tmpfs files/dirs - Allow virtd_t also relabel unix stream sockets for virt_image_type - Make ktalk as init domain - Fix to define ktalkd_unit_file_t correctly - Fix ktalk.fc - Add systemd support for talk-server - Allow glusterd to create sock_file in /run - Allow xdm_t to delete gkeyringd_tmp_t files on logout - Add fixes for hypervkvp policy - Add logwatch_can_sendmail boolean - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb - Allow xdm_t to delete gkeyringd_tmp_t files on logout- Add selinux-policy-sandbox pkg0 - Allow rhsmcertd to read init state - Allow fsetid for pkcsslotd - Fix labeling for /usr/lib/systemd/system/pkcsslotd.service - Allow fetchmail to create own pid with correct labeling - Fix rhcs_domain_template() - Allow roles which can run mock to read mock lib files to view results - Allow rpcbind to use nsswitch - Fix lsm.if summary - Fix collectd_t can read /etc/passwd file - Label systemd unit files under dracut correctly - Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh - Add support for .Xauthority-n - Label umount.crypt as lvm_exec_t - Allow syslogd to search psad lib files - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files- Add policy for lsmd - Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory - Update condor_master rules to allow read system state info and allow logging - Add labeling for /etc/condor and allow condor domain to write it (bug) - Allow condor domains to manage own logs - Allow glusterd to read domains state - Fix initial hypervkvp policy - Add policy for hypervkvpd - Fix redis.if summary- Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984 - Allow named to manage own log files - Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t - Add virt_transition_userdomain boolean decl - Allow httpd_t to sendto unix_dgram sockets on its children - Allow nova domains to execute ifconfig - bluetooth wants to create fifo_files in /tmp - exim needs to be able to manage mailman data - Allow sysstat to getattr on all file systems - Looks like bluetoothd has moved - Allow collectd to send ping packets - Allow svirt_lxc domains to getpgid - Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff - Allow frpintd_t to read /dev/urandom - Allow asterisk_t to create sock_file in /var/run - Allow usbmuxd to use netlink_kobject - sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket - More cleanup of svirt_lxc policy - virtd_lxc_t now talks to dbus - Dontaudit leaked ptmx_t - Allow processes to use inherited fifo files - Allow openvpn_t to connect to squid ports - Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files - Allow user roles to connect to the journal socket- selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak - Allow xdm_t to create symlinks in log direcotries - Allow login programs to read afs config - Label 10933 as a pop port, for dovecot - New policy to allow selinux_server.py to run as semanage_t as a dbus service - Add fixes to make netlabelctl working on MLS - AVCs required for running sepolicy gui as staff_t - Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC - New dbus server to be used with new gui - After modifying some files in /etc/mail, I saw this needed on the next boot - Loading a vm from /usr/tmp with virt-manager - Clean up oracleasm policy for Fedora - Add oracleasm policy written by rlopez@redhat.com - Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache - Add label for /var/crash - Allow fenced to domtrans to sanclok_t - Allow nagios to manage nagios spool files - Make tfptd as home_manager - Allow kdump to read kcore on MLS system - Allow mysqld-safe sys_nice/sys_resource caps - Allow apache to search automount tmp dirs if http_use_nfs is enabled - Allow crond to transition to named_t, for use with unbound - Allow crond to look at named_conf_t, for unbound - Allow mozilla_plugin_t to transition its home content - Allow dovecot_domain to read all system and network state - Allow httpd_user_script_t to call getpw - Allow semanage to read pid files - Dontaudit leaked file descriptors from user domain into thumb - Make PAM authentication working if it is enabled in ejabberd - Add fixes for rabbit to fix ##992920,#992931 - Allow glusterd to mount filesystems - Loading a vm from /usr/tmp with virt-manager - Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device - Add fix for pand service - shorewall touches own log - Allow nrpe to list /var - Mozilla_plugin_roles can not be passed into lpd_run_lpr - Allow afs domains to read afs_config files - Allow login programs to read afs config - Allow virt_domain to read virt_var_run_t symlinks - Allow smokeping to send its process signals - Allow fetchmail to setuid - Add kdump_manage_crash() interface - Allow abrt domain to write abrt.socket- Add more aliases in pegasus.te - Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi provides. Fix naming and support for additionals - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec- Allow xdm_t to act as a dbus client to itsel - Allow fetchmail to resolve host names - Allow gnupg apps to write to pcscd socket - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te -httpd_t does access_check on certs- Add support for cmpiLMI_Service-cimprovagt - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t - Label pycmpiLMI_Software-cimprovagt as rpm_exec_t - Add support for pycmpiLMI_Storage-cimprovagt - Add support for cmpiLMI_Networking-cimprovagt - Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working - Allow virtual machines and containers to run as user doains, needed for virt-sandbox - Allow buglist.cgi to read cpu info- Allow systemd-tmpfile to handle tmp content in print spool dir - Allow systemd-sysctl to send system log messages - Add support for RTP media ports and fmpro-internal - Make auditd working if audit is configured to perform SINGLE action on disk error - Add interfaces to handle systemd units - Make systemd-notify working if pcsd is used - Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t - Instead of having all unconfined domains get all of the named transition rules, - Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. - Add definition for the salt ports - Allow xdm_t to create link files in xdm_var_run_t - Dontaudit reads of blk files or chr files leaked into ldconfig_t - Allow sys_chroot for useradd_t - Allow net_raw cap for ipsec_t - Allow sysadm_t to reload services - Add additional fixes to make strongswan working with a simple conf - Allow sysadm_t to enable/disable init_t services - Add additional glusterd perms - Allow apache to read lnk files in the /mnt directory - Allow glusterd to ask the kernel to load a module - Fix description of ftpd_use_fusefs boolean - Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t - Allow glusterds to request load a kernel module - Allow boinc to stream connect to xserver_t - Allow sblim domains to read /etc/passwd - Allow mdadm to read usb devices - Allow collectd to use ping plugin - Make foghorn working with SNMP - Allow sssd to read ldap certs - Allow haproxy to connect to RTP media ports - Add additional trans rules for aide_db - Add labeling for /usr/lib/pcsd/pcsd - Add labeling for /var/log/pcsd - Add support for pcs which is a corosync and pacemaker configuration tool- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1 - Allow all domains that can domtrans to shutdown, to start the power services script to shutdown - consolekit needs to be able to shut down system - Move around interfaces - Remove nfsd_rw_t and nfsd_ro_t, they don't do anything - Add additional fixes for rabbitmq_beam to allow getattr on mountpoints - Allow gconf-defaults-m to read /etc/passwd - Fix pki_rw_tomcat_cert() interface to support lnk_files- Add support for gluster ports - Make sure that all keys located in /etc/ssh/ are labeled correctly - Make sure apcuspd lock files get created with the correct label - Use getcap in gluster.te - Fix gluster policy - add additional fixes to allow beam.smp to interact with couchdb files - Additional fix for #974149 - Allow gluster to user gluster ports - Allow glusterd to transition to rpcd_t and add additional fixes for #980683 - Allow tgtd working when accessing to the passthrough device - Fix labeling for mdadm unit files- Add mdadm fixes- Fix definition of sandbox.disabled to sandbox.pp.disabled- Allow mdamd to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd pid content- Allow nsd_t to read /dev/urand - Allow mdadm_t to read framebuffer - Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t - Allow mozilla_plugin_config_t to create tmp files - Cleanup openvswitch policy - Allow mozilla plugin to getattr on all executables - Allow l2tpd_t to create fifo_files in /var/run - Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory - Allow mdadm to connecto its own unix_stream_socket - FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now. - Allow apache to access smokeping pid files - Allow rabbitmq_beam_t to getattr on all filesystems - Add systemd support for iodined - Allow nup_upsdrvctl_t to execute its entrypoint - Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch - add labeling for ~/.cache/libvirt-sandbox - Add interface to allow domains transitioned to by confined users to send sigchld to screen program - Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab - Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service - Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs. - Allow staff to getsched all domains, required to run htop - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Add prosody policy written by Michael Scherer - Allow nagios plugins to read /sys info - ntpd needs to manage own log files - Add support for HOME_DIR/.IBMERS - Allow iptables commands to read firewalld config - Allow consolekit_t to read utmp - Fix filename transitions on .razor directory - Add additional fixes to make DSPAM with LDA working - Allow snort to read /etc/passwd - Allow fail2ban to communicate with firewalld over dbus - Dontaudit openshift_cgreoup_file_t read/write leaked dev - Allow nfsd to use mountd port - Call th proper interface - Allow openvswitch to read sys and execute plymouth - Allow tmpwatch to read /var/spool/cups/tmp - Add support for /usr/libexec/telepathy-rakia - Add systemd support for zoneminder - Allow mysql to create files/directories under /var/log/mysql - Allow zoneminder apache scripts to rw zoneminder tmpfs - Allow httpd to manage zoneminder lib files - Add zoneminder_run_sudo boolean to allow to start zoneminder - Allow zoneminder to send mails - gssproxy_t sock_file can be under /var/lib - Allow web domains to connect to whois port. - Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. - We really need to add an interface to corenet to define what a web_client_domain is and - then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain. - Add labeling for cmpiLMI_LogicalFile-cimprovagt - Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules - Update policy rules for pegasus_openlmi_logicalfile_t - Add initial types for logicalfile/unconfined OpenLMI providers - mailmanctl needs to read own log - Allow logwatch manage own lock files - Allow nrpe to read meminfo - Allow httpd to read certs located in pki-ca - Add pki_read_tomcat_cert() interface - Add support for nagios openshift plugins - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. - Allow bootloader to manage generic log files - Allow ftp to bind to port 989 - Fix label of new gear directory - Add support for new directory /var/lib/openshift/gears/ - Add openshift_manage_lib_dirs() - allow virtd domains to manage setrans_var_run_t - Allow useradd to manage all openshift content - Add support so that mozilla_plugin_t can use dri devices - Allow chronyd to change the scheduler - Allow apmd to shut downthe system - Devicekit_disk_t needs to manage /etc/fstab- Make DSPAM to act as a LDA working - Allow ntop to create netlink socket - Allow policykit to send a signal to policykit-auth - Allow stapserver to dbus chat with avahi/systemd-logind - Fix labeling on haproxy unit file - Clean up haproxy policy - A new policy for haproxy and placed it to rhcs.te - Add support for ldirectord and treat it with cluster_t - Make sure anaconda log dir is created with var_log_t- Allow lvm_t to create default targets for filesystem handling - Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys for example) - Allow cobbler to execute apache with domain transition- condor_collector uses tcp/9000 - Label /usr/sbin/virtlockd as virtd_exec_t for now - Allow cobbler to execute ldconfig - Allow NM to execute ssh - Allow mdadm to read /dev/crash - Allow antivirus domains to connect to snmp port - Make amavisd-snmp working correctly - Allow nfsd_t to mounton nfsd_fs_t - Add initial snapper policy - We still need to have consolekit policy - Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow dirsrv to read network state - Fix pki_read_tomcat_lib_files - Add labeling for /usr/libexec/nm-ssh-service - Add label cert_t for /var/lib/ipa/pki-ca/publish - Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant - Allow nfsd_t to mounton nfsd_fs_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow passwd_t to change role to system_r from unconfined_r- Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices - Add labeling for new polcykit authorizor - Dontaudit access checks from fail2ban_client - Don't audit access checks by sandbox xserver on xdb var_lib - Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream - Fix labeling for all /usr/bim/razor-lightdm-* binaries - Add filename trans for /dev/md126p1- Make vdagent able to request loading kernel module - Add support for cloud-init make it as unconfined domain - Allow snmpd to run smartctl in fsadm_t domain - remove duplicate openshift_search_lib() interface - Allow mysqld to search openshift lib files - Allow openshift cgroup to interact with passedin file descriptors - Allow colord to list directories inthe users homedir - aide executes prelink to check files - Make sure cupsd_t creates content in /etc/cups with the correct label - Lest dontaudit apache read all domains, so passenger will not cause this avc - Allow gssd to connect to gssproxy - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS - Allow systemd-tmpfiles to relabel also lock files - Allow useradd to add homdir in /var/lib/openshift - Allow setfiles and semanage to write output to /run/files- Add labeling for /dev/tgt - Dontaudit leak fd from firewalld for modprobe - Allow runuser running as rpm_script_t to create netlink_audit socket - Allow mdadm to read BIOS non-volatile RAM- accountservice watches when accounts come and go in wtmp - /usr/java/jre1.7.0_21/bin/java needs to create netlink socket - Add httpd_use_sasl boolean - Allow net_admin for tuned_t - iscsid needs sys_module to auto-load kernel modules - Allow blueman to read bluetooth conf - Add nova_manage_lib_files() interface - Fix mplayer_filetrans_home_content() - Add mplayer_filetrans_home_content() - mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t - Revert "Allow thumb_t to append inherited xdm stream socket" - Add iscsi_filetrans_named_content() interface - Allow to create .mplayer with the correct labeling for unconfined - Allow iscsiadmin to create lock file with the correct labeling- Allow wine to manage wine home content - Make amanda working with socket actiovation - Add labeling for /usr/sbin/iscsiadm - Add support for /var/run/gssproxy.sock - dnsmasq_t needs to read sysctl_net_t- Fix courier_domain_template() interface - Allow blueman to write ip_forward - Allow mongodb to connect to mongodb port - Allow mongodb to connect to mongodb port - Allow java to bind jobss_debug port - Fixes for *_admin interfaces - Allow iscsid auto-load kernel modules needed for proper iSCSI functionality - Need to assign attribute for courier_domain to all courier_domains - Fail2ban reads /etc/passwd - postfix_virtual will create new files in postfix_spool_t - abrt triggers sys_ptrace by running pidof - Label ~/abc as mozilla_home_t, since java apps as plugin want to create it - Add passenger fixes needed by foreman - Remove dup interfaces - Add additional interfaces for quantum - Add new interfaces for dnsmasq - Allow passenger to read localization and send signull to itself - Allow dnsmasq to stream connect to quantum - Add quantum_stream_connect() - Make sure that mcollective starts the service with the correct labeling - Add labels for ~/.manpath - Dontaudit attempts by svirt_t to getpw* calls - sandbox domains are trying to look at parent process data - Allow courior auth to create its pid file in /var/spool/courier subdir - Add fixes for beam to have it working with couchdb - Add labeling for /run/nm-xl2tpd.con - Allow apache to stream connect to thin - Add systemd support for amand - Make public types usable for fs mount points - Call correct mandb interface in domain.te - Allow iptables to r/w quantum inherited pipes and send sigchld - Allow ifconfig domtrans to iptables and execute ldconfig - Add labels for ~/.manpath - Allow systemd to read iscsi lib files - seunshare is trying to look at parent process data- Fix openshift_search_lib - Add support for abrt-uefioops-oops - Allow colord to getattr any file system - Allow chrome processes to look at each other - Allow sys_ptrace for abrt_t - Add new policy for gssproxy - Dontaudit leaked file descriptor writes from firewalld - openshift_net_type is interface not template - Dontaudit pppd to search gnome config - Update openshift_search_lib() interface - Add fs_list_pstorefs() - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 - Better labels for raspberry pi devices - Allow init to create devpts_t directory - Temporarily label rasbery pi devices as memory_device_t, needs back port to f18 - Allow sysadm_t to build kernels - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 - Allow userdomains to stream connect to gssproxy - Dontaudit leaked file descriptor writes from firewalld - Allow xserver to read /dev/urandom - Add additional fixes for ipsec-mgmt - Make SSHing into an Openshift Enterprise Node working- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime - with the proper label. - Update files_filetrans_named_content() interface to get right labeling for pam.d conf files - Allow systemd-timedated to create adjtime - Add clock_create_adjtime() - Additional fix ifconfing for #966106 - Allow kernel_t to create boot.log with correct labeling - Remove unconfined_mplayer for which we don't have rules - Rename interfaces - Add userdom_manage_user_home_files/dirs interfaces - Fix files_dontaudit_read_all_non_security_files - Fix ipsec_manage_key_file() - Fix ipsec_filetrans_key_file() - Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t - Fix labeling for ipse.secrets - Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid - Add files_dontaudit_read_all_non_security_files() interface - /var/log/syslog-ng should be labeled var_log_t - Make ifconfig_var_run_t a mountpoint - Add transition from ifconfig to dnsmasq - Allow ifconfig to execute bin_t/shell_exec_t - We want to have hwdb.bin labeled as etc_t - update logging_filetrans_named_content() interface - Allow systemd_timedate_t to manage /etc/adjtime - Allow NM to send signals to l2tpd - Update antivirus_can_scan_system boolean - Allow devicekit_disk_t to sys_config_tty - Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories - Make printing from vmware working - Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes - Add virt_qemu_ga_data_t for qemu-ga - Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both - Fix typo in virt.te - Add virt_qemu_ga_unconfined_t for hook scripts - Make sure NetworkManager files get created with the correct label - Add mozilla_plugin_use_gps boolean - Fix cyrus to have support for net-snmp - Additional fixes for dnsmasq and quantum for #966106 - Add plymouthd_create_log() - remove httpd_use_oddjob for which we don't have rules - Add missing rules for httpd_can_network_connect_cobbler - Add missing cluster_use_execmem boolean - Call userdom_manage_all_user_home_type_files/dirs - Additional fix for ftp_home_dir - Fix ftp_home_dir boolean - Allow squit to recv/send client squid packet - Fix nut.te to have nut_domain attribute - Add support for ejabberd; TODO: revisit jabberd and rabbit policy - Fix amanda policy - Add more fixes for domains which use libusb - Make domains which use libusb working correctly - Allow l2tpd to create ipsec key files with correct labeling and manage them - Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files - Allow rabbitmq-beam to bind generic node - Allow l2tpd to read ipse-mgmt pid files - more fixes for l2tpd, NM and pppd from #967072- Dontaudit to getattr on dirs for dovecot-deliver - Allow raiudusd server connect to postgresql socket - Add kerberos support for radiusd - Allow saslauthd to connect to ldap port - Allow postfix to manage postfix_private_t files - Add chronyd support for #965457 - Fix labeling for HOME_DIR/\.icedtea - CHange squid and snmpd to be allowed also write own logs - Fix labeling for /usr/libexec/qemu-ga - Allow virtd_t to use virt_lock_t - Allow also sealert to read the policy from the kernel - qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content - Dontaudit listing of users homedir by sendmail Seems like a leak - Allow passenger to transition to puppet master - Allow apache to connect to mythtv - Add definition for mythtv ports- Add additional fixes for #948073 bug - Allow sge_execd_t to also connect to sge ports - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files - Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files - Add networkmanager_stream_connect() - Make gnome-abrt wokring with staff_t - Fix openshift_manage_lib_files() interface - mdadm runs ps command which seems to getattr on random log files - Allow mozilla_plugin_t to create pulseaudit_home_t directories - Allow qemu-ga to shutdown virtual hosts - Add labelling for cupsd-browsed - Add web browser plugins to connect to aol ports - Allow nm-dhcp-helper to stream connect to NM - Add port definition for sge ports- Make sure users and unconfined domains create .hushlogin with the correct label - Allow pegaus to chat with realmd over DBus - Allow cobblerd to read network state - Allow boicn-client to stat on /dev/input/mice - Allow certwatch to read net_config_t when it executes apache - Allow readahead to create /run/systemd and then create its own directory with the correct label- Transition directories and files when in a user_tmp_t directory - Change certwatch to domtrans to apache instead of just execute - Allow virsh_t to read xen lib files - update policy rules for pegasus_openlmi_account_t - Add support for svnserve_tmp_t - Activate account openlmi policy - pegasus_openlmi_domain_template needs also require pegasus_t - One more fix for policykit.te - Call fs_list_cgroups_dirs() in policykit.te - Allow nagios service plugin to read mysql config files - Add labeling for /var/svn - Fix chrome.te - Fix pegasus_openlmi_domain_template() interfaces - Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks - Fix location of google-chrome data - Add support for chome_sandbox to store content in the homedir - Allow policykit to watch for changes in cgroups file system - Add boolean to allow mozilla_plugin_t to use spice - Allow collectd to bind to udp port - Allow collected_t to read all of /proc - Should use netlink socket_perms - Should use netlink socket_perms - Allow glance domains to connect to apache ports - Allow apcupsd_t to manage its log files - Allow chrome objects to rw_inherited unix_stream_socket from callers - Allow staff_t to execute virtd_exec_t for running vms - nfsd_t needs to bind mountd port to make nfs-mountd.service working - Allow unbound net_admin capability because of setsockopt syscall - Fix fs_list_cgroup_dirs() - Label /usr/lib/nagios/plugins/utils.pm as bin_t - Remove uplicate definition of fs_read_cgroup_files() - Remove duplicate definition of fs_read_cgroup_files() - Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd - Additional interfaces needed to list and read cgroups config - Add port definition for collectd port - Add labels for /dev/ptp* - Allow staff_t to execute virtd_exec_t for running vms- Allow samba-net to also read realmd tmp files - Allow NUT to use serial ports - realmd can be started by systemctl now- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly - Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t - Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid - Allow virsh to read xen lock file - Allow qemu-ga to create files in /run with proper labeling - Allow glusterd to connect to own socket in /tmp - Allow glance-api to connect to http port to make glance image-create working - Allow keystonte_t to execute rpm- Fix realmd cache interfaces- Allow tcpd to execute leafnode - Allow samba-net to read realmd cache files - Dontaudit sys_tty_config for alsactl - Fix allow rules for postfix_var_run - Allow cobblerd to read /etc/passwd - Allow pegasus to read exports - Allow systemd-timedate to read xdm state - Allow mout to stream connect to rpcbind - Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki- Allow thumbnails to share memory with apps which run thumbnails - Allow postfix-postqueue block_suspend - Add lib interfaces for smsd - Add support for nginx - Allow s2s running as jabberd_t to connect to jabber_interserver_port_t - Allow pki apache domain to create own tmp files and execute httpd_suexec - Allow procmail to manger user tmp files/dirs/lnk_files - Add virt_stream_connect_svirt() interface - Allow dovecot-auth to execute bin_t - Allow iscsid to request that kernel load a kernel module - Add labeling support for /var/lib/mod_security - Allow iw running as tuned_t to create netlink socket - Dontaudit sys_tty_config for thumb_t - Add labeling for nm-l2tp-service - Allow httpd running as certwatch_t to open tcp socket - Allow useradd to manager smsd lib files - Allow useradd_t to add homedirs in /var/lib - Fix typo in userdomain.te - Cleanup userdom_read_home_certs - Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t - Allow staff to stream connect to svirt_t to make gnome-boxes working- Allow lvm to create its own unit files - Label /var/lib/sepolgen as selinux_config_t - Add filetrans rules for tw devices - Add transition from cupsd_config_t to cupsd_t- Add filetrans rules for tw devices - Cleanup bad transition lines- Fix lockdev_manage_files() - Allow setroubleshootd to read var_lib_t to make email_alert working - Add lockdev_manage_files() - Call proper interface in virt.te - Allow gkeyring_domain to create /var/run/UID/config/dbus file - system dbus seems to be blocking suspend - Dontaudit attemps to sys_ptrace, which I believe gpsd does not need - When you enter a container from root, you generate avcs with a leaked file descriptor - Allow mpd getattr on file system directories - Make sure realmd creates content with the correct label - Allow systemd-tty-ask to write kmsg - Allow mgetty to use lockdev library for device locking - Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music - When you enter a container from root, you generate avcs with a leaked file descriptor - Make sure init.fc files are labeled correctly at creation - File name trans vconsole.conf - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow certmonger to dbus communicate with realmd - Make realmd working- Fix mozilla specification of homedir content - Allow certmonger to read network state - Allow tmpwatch to read tmp in /var/spool/{cups,lpd} - Label all nagios plugin as unconfined by default - Add httpd_serve_cobbler_files() - Allow mdadm to read /dev/sr0 and create tmp files - Allow certwatch to send mails - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow realmd to run ipa, really needs to be an unconfined_domain - Allow sandbox domains to use inherted terminals - Allow pscd to use devices labeled svirt_image_t in order to use cat cards. - Add label for new alsa pid - Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition - Add support for sshd_unit_file_t - Add oracleasmfs_t - Allow unlabeled_t files to be stored on unlabeled_t filesystems- Fix description of deny_ptrace boolean - Remove allow for execmod lib_t for now - Allow quantum to connect to keystone port - Allow nova-console to talk with mysql over unix stream socket - Allow dirsrv to stream connect to uuidd - thumb_t needs to be able to create ~/.cache if it does not exist - virtd needs to be able to sys_ptrace when starting and stoping containers- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms... - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets - Fix deny_ptrace boolean, certain ptrace leaked into the system - Allow winbind to manage kerberos_rcache_host - Allow spamd to create spamd_var_lib_t directories - Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs - Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs - Fix vmware_role() interface - Fix cobbler_manage_lib_files() interface - Allow nagios check disk plugins to execute bin_t - Allow quantum to transition to openvswitch_t - Allow postdrop to stream connect to postfix-master - Allow quantum to stream connect to openvswitch - Add xserver_dontaudit_xdm_rw_stream_sockets() interface - Allow daemon to send dgrams to initrc_t - Allow kdm to start the power service to initiate a reboot or poweroff- Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Don't audit attempts to write to stream socket of nscld by thumbnailers - Allow git_system_t to read network state - Allow pegasas to execute mount command - Fix desc for drdb_admin - Fix condor_amin() - Interface fixes for uptime, vdagent, vnstatd - Fix labeling for moodle in /var/www/moodle/data - Add interface fixes - Allow bugzilla to read certs - /var/www/moodle needs to be writable by apache - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Fix namespace_init_t to create content with proper labels, and allow it to manage all user content - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Fix sys_nice for cups_domain - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Kernel_t needs mac_admin in order to support labeled NFS - Fix systemd_dontaudit_dbus_chat() interface - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Allow consolehelper domain to write Xauth files in /root - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Allow consolehelper more access discovered by Tom London - Allow fsdaemon to send signull to all domain - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Fix file_contexts.subs to label /run/lock correctly- Try to label on controlC devices up to 30 correctly - Add mount_rw_pid_files() interface - Add additional mount/umount interfaces needed by mock - fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk - Fix tabs - Allow initrc_domain to search rgmanager lib files - Add more fixes which make mock working together with confined users * Allow mock_t to manage rpm files * Allow mock_t to read rpm log files * Allow mock to setattr on tmpfs, devpts * Allow mount/umount filesystems - Add rpm_read_log() interface - yum-cron runs rpm from within it. - Allow tuned to transition to dmidecode - Allow firewalld to do net_admin - Allow mock to unmont tmpfs_t - Fix virt_sigkill() interface - Add additional fixes for mock. Mainly caused by mount running in mock_t - Allow mock to write sysfs_t and mount pid files - Add mailman_domain to mailman_template() - Allow openvswitch to execute shell - Allow qpidd to use kerberos - Allow mailman to use fusefs, needs back port to RHEL6 - Allow apache and its scripts to use anon_inodefs - Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 - Realmd needs to connect to samba ports, needs back port to F18 also - Allow colord to read /run/initial-setup- - Allow sanlock-helper to send sigkill to virtd which is registred to sanlock - Add virt_kill() interface - Add rgmanager_search_lib() interface - Allow wdmd to getattr on all filesystems. Back ported from RHEL6- Allow realmd to create tmp files - FIx ircssi_home_t type to irssi_home_t - Allow adcli running as realmd_t to connect to ldap port - Allow NetworkManager to transition to ipsec_t, for running strongswan - Make openshift_initrc_t an lxc_domain - Allow gssd to manage user_tmp_t files - Fix handling of irclogs in users homedir - Fix labeling for drupal an wp-content in subdirs of /var/www/html - Allow abrt to read utmp_t file - Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6 - fix labeling for (oo|rhc)-restorer-wrapper.sh - firewalld needs to be able to write to network sysctls - Fix mozilla_plugin_dontaudit_rw_sem() interface - Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains - Add mozilla_plugin_dontaudit_rw_sem() interface - Allow svirt_lxc_t to transition to openshift domains - Allow condor domains block_suspend and dac_override caps - Allow condor_master to read passd - Allow condor_master to read system state - Allow NetworkManager to transition to ipsec_t, for running strongswan - Lots of access required by lvm_t to created encrypted usb device - Allow xdm_t to dbus communicate with systemd_localed_t - Label strongswan content as ipsec_exec_mgmt_t for now - Allow users to dbus chat with systemd_localed - Fix handling of .xsession-errors in xserver.if, so kde will work - Might be a bug but we are seeing avc's about people status on init_t:service - Make sure we label content under /var/run/lock as <> - Allow daemon and systemprocesses to search init_var_run_t directory - Add boolean to allow xdm to write xauth data to the home directory - Allow mount to write keys for the unconfined domain - Add unconfined_write_keys() interface- Add labeling for /usr/share/pki - Allow programs that read var_run_t symlinks also read var_t symlinks - Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports - Fix labeling for /etc/dhcp directory - add missing systemd_stub_unit_file() interface - Add files_stub_var() interface - Add lables for cert_t directories - Make localectl set-x11-keymap working at all - Allow abrt to manage mock build environments to catch build problems. - Allow virt_domains to setsched for running gdb on itself - Allow thumb_t to execute user home content - Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 - Allow certwatch to execut /usr/bin/httpd - Allow cgred to send signal perms to itself, needs back port to RHEL6 - Allow openshift_cron_t to look at quota - Allow cups_t to read inhered tmpfs_t from the kernel - Allow yppasswdd to use NIS - Tuned wants sys_rawio capability - Add ftpd_use_fusefs boolean - Allow dirsrvadmin_t to signal itself- Allow localectl to read /etc/X11/xorg.conf.d directory - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" - Allow mount to transition to systemd_passwd_agent - Make sure abrt directories are labeled correctly - Allow commands that are going to read mount pid files to search mount_var_run_t - label /usr/bin/repoquery as rpm_exec_t - Allow automount to block suspend - Add abrt_filetrans_named_content so that abrt directories get labeled correctly - Allow virt domains to setrlimit and read file_context- Allow nagios to manage nagios spool files - /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6 - Add swift_alias.* policy files which contain typealiases for swift types - Add support for /run/lock/opencryptoki - Allow pkcsslotd chown capability - Allow pkcsslotd to read passwd - Add rsync_stub() interface - Allow systemd_timedate also manage gnome config homedirs - Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t - Fix filetrans rules for kdm creates .xsession-errors - Allow sytemd_tmpfiles to create wtmp file - Really should not label content under /var/lock, since it could have labels on it different from var_lock_t - Allow systemd to list all file system directories - Add some basic stub interfaces which will be used in PRODUCT policies- Fix log transition rule for cluster domains - Start to group all cluster log together - Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update - cups uses usbtty_device_t devices - These fixes were all required to build a MLS virtual Machine with single level desktops - Allow domains to transiton using httpd_exec_t - Allow svirt domains to manage kernel key rings - Allow setroubleshoot to execute ldconfig - Allow firewalld to read generate gnome data - Allow bluetooth to read machine-info - Allow boinc domain to send signal to itself - Fix gnome_filetrans_home_content() interface - Allow mozilla_plugins to list apache modules, for use with gxine - Fix labels for POkemon in the users homedir - Allow xguest to read mdstat - Dontaudit virt_domains getattr on /dev/* - These fixes were all required to build a MLS virtual Machine with single level desktops - Need to back port this to RHEL6 for openshift - Add tcp/8891 as milter port - Allow nsswitch domains to read sssd_var_lib_t files - Allow ping to read network state. - Fix typo - Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them- Adopt swift changes from lhh@redhat.com - Add rhcs_manage_cluster_pid_files() interface - Allow screen domains to configure tty and setup sock_file in ~/.screen directory - ALlow setroubleshoot to read default_context_t, needed to backport to F18 - Label /etc/owncloud as being an apache writable directory - Allow sshd to stream connect to an lxc domain- Allow postgresql to manage rgmanager pid files - Allow postgresql to read ccs data - Allow systemd_domain to send dbus messages to policykit - Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them - All systemd domains that create content are reading the file_context file and setfscreate - Systemd domains need to search through init_var_run_t - Allow sshd to communicate with libvirt to set containers labels - Add interface to manage pid files - Allow NetworkManger_t to read /etc/hostname - Dontaudit leaked locked files into openshift_domains - Add fixes for oo-cgroup-read - it nows creates tmp files - Allow gluster to manage all directories as well as files - Dontaudit chrome_sandbox_nacl_t using user terminals - Allow sysstat to manage its own log files - Allow virtual machines to setrlimit and send itself signals. - Add labeling for /var/run/hplip- Fix POSTIN scriptlet- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp- Fix authconfig.py labeling - Make any domains that write homedir content do it correctly - Allow glusterd to read/write anyhwere on the file system by default - Be a little more liberal with the rsync log files - Fix iscsi_admin interface - Allow iscsid_t to read /dev/urand - Fix up iscsi domain for use with unit files - Add filename transition support for spamassassin policy - Allow web plugins to use badly formated libraries - Allow nmbd_t to create samba_var_t directories - Add filename transition support for spamassassin policy - Add filename transition support for tvtime - Fix alsa_home_filetrans_alsa_home() interface - Move all userdom_filetrans_home_content() calling out of booleans - Allow logrotote to getattr on all file sytems - Remove duplicate userdom_filetrans_home_content() calling - Allow kadmind to read /etc/passwd - Dontaudit append .xsession-errors file on ecryptfs for policykit-auth - Allow antivirus domain to manage antivirus db links - Allow logrotate to read /sys - Allow mandb to setattr on man dirs - Remove mozilla_plugin_enable_homedirs boolean - Fix ftp_home_dir boolean - homedir mozilla filetrans has been moved to userdom_home_manager - homedir telepathy filetrans has been moved to userdom_home_manager - Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd() - Might want to eventually write a daemon on fusefsd. - Add policy fixes for sshd [net] child from plautrba@redhat.com - Tor uses a new port - Remove bin_t for authconfig.py - Fix so only one call to userdom_home_file_trans - Allow home_manager_types to create content with the correctl label - Fix all domains that write data into the homedir to do it with the correct label - Change the postgresql to use proper boolean names, which is causing httpd_t to - not get access to postgresql_var_run_t - Hostname needs to send syslog messages - Localectl needs to be able to send dbus signals to users - Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default - Allow user_home_manger domains to create spam* homedir content with correct labeling - Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling - Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working - Declare userdom_filetrans_type attribute - userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute - fusefsd is mounding a fuse file system on /run/user/UID/gvfs- Man pages are now generated in the build process - Allow cgred to list inotifyfs filesystem- Allow gluster to get attrs on all fs - New access required for virt-sandbox - Allow dnsmasq to execute bin_t - Allow dnsmasq to create content in /var/run/NetworkManager - Fix openshift_initrc_signal() interface - Dontaudit openshift domains doing getattr on other domains - Allow consolehelper domain to communicate with session bus - Mock should not be transitioning to any other domains, we should keep mock_t as mock_t - Update virt_qemu_ga_t policy - Allow authconfig running from realmd to restart oddjob service - Add systemd support for oddjob - Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd - Add labeling for gnashpluginrc - Allow chrome_nacl to execute /dev/zero - Allow condor domains to read /proc - mozilla_plugin_t will getattr on /core if firefox crashes - Allow condor domains to read /etc/passwd - Allow dnsmasq to execute shell scripts, openstack requires this access - Fix glusterd labeling - Allow virtd_t to interact with the socket type - Allow nmbd_t to override dac if you turned on sharing all files - Allow tuned to created kobject_uevent socket - Allow guest user to run fusermount - Allow openshift to read /proc and locale - Allow realmd to dbus chat with rpm - Add new interface for virt - Remove depracated interfaces - Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket - /usr/share/munin/plugins/plugin.sh should be labeled as bin_t - Remove some more unconfined_t process transitions, that I don't believe are necessary - Stop transitioning uncofnined_t to checkpc - dmraid creates /var/lock/dmraid - Allow systemd_localed to creatre unix_dgram_sockets - Allow systemd_localed to write kernel messages. - Also cleanup systemd definition a little. - Fix userdom_restricted_xwindows_user_template() interface - Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t - User accounts need to dbus chat with accountsd daemon - Gnome requires all users to be able to read /proc/1/- virsh now does a setexeccon call - Additional rules required by openshift domains - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work - Allow spamd_update_t to search spamc_home_t - Avcs discovered by mounting an isci device under /mnt - Allow lspci running as logrotate to read pci.ids - Additional fix for networkmanager_read_pid_files() - Fix networkmanager_read_pid_files() interface - Allow all svirt domains to connect to svirt_socket_t - Allow virsh to set SELinux context for a process. - Allow tuned to create netlink_kobject_uevent_socket - Allow systemd-timestamp to set SELinux context - Add support for /var/lib/systemd/linger - Fix ssh_sysadm_login to be working on MLS as expected- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file - Add missing files_rw_inherited_tmp_files interface - Add additional interface for ecryptfs - ALlow nova-cert to connect to postgresql - Allow keystone to connect to postgresql - Allow all cups domains to getattr on filesystems - Allow pppd to send signull - Allow tuned to execute ldconfig - Allow gpg to read fips_enabled - Add additional fixes for ecryptfs - Allow httpd to work with posgresql - Allow keystone getsched and setsched- Allow gpg to read fips_enabled - Add support for /var/cache/realmd - Add support for /usr/sbin/blazer_usb and systemd support for nut - Add labeling for fenced_sanlock and allow sanclok transition to fenced_t - bitlbee wants to read own log file - Allow glance domain to send a signal itself - Allow xend_t to request that the kernel load a kernel module - Allow pacemaker to execute heartbeat lib files - cleanup new swift policy- Fix smartmontools - Fix userdom_restricted_xwindows_user_template() interface - Add xserver_xdm_ioctl_log() interface - Allow Xusers to ioctl lxdm.log to make lxdm working - Add MLS fixes to make MLS boot/log-in working - Add mls_socket_write_all_levels() also for syslogd - fsck.xfs needs to read passwd - Fix ntp_filetrans_named_content calling in init.te - Allow postgresql to create pg_log dir - Allow sshd to read rsync_data_t to make rsync working - Change ntp.conf to be labeled net_conf_t - Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it - Allow xdm_t to execute gstreamer home content - Allod initrc_t and unconfined domains, and sysadm_t to manage ntp - New policy for openstack swift domains - More access required for openshift_cron_t - Use cupsd_log_t instead of cupsd_var_log_t - rpm_script_roles should be used in rpm_run - Fix rpm_run() interface - Fix openshift_initrc_run() - Fix sssd_dontaudit_stream_connect() interface - Fix sssd_dontaudit_stream_connect() interface - Allow LDA's job to deliver mail to the mailbox - dontaudit block_suspend for mozilla_plugin_t - Allow l2tpd_t to all signal perms - Allow uuidgen to read /dev/random - Allow mozilla-plugin-config to read power_supply info - Implement cups_domain attribute for cups domains - We now need access to user terminals since we start by executing a command outside the tty - We now need access to user terminals since we start by executing a command outside the tty - svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen - Add containment of openshift cron jobs - Allow system cron jobs to create tmp directories - Make userhelp_conf_t a config file - Change rpm to use rpm_script_roles - More fixes for rsync to make rsync wokring - Allow logwatch to domtrans to mdadm - Allow pacemaker to domtrans to ifconfig - Allow pacemaker to setattr on corosync.log - Add pacemaker_use_execmem for memcheck-amd64 command - Allow block_suspend capability - Allow create fifo_file in /tmp with pacemaker_tmp_t - Allow systat to getattr on fixed disk - Relabel /etc/ntp.conf to be net_conf_t - ntp_admin should create files in /etc with the correct label - Add interface to create ntp_conf_t files in /etc - Add additional labeling for quantum - Allow quantum to execute dnsmasq with transition- boinc_cliean wants also execmem as boinc projecs have - Allow sa-update to search admin home for /root/.spamassassin - Allow sa-update to search admin home for /root/.spamassassin - Allow antivirus domain to read net sysctl - Dontaudit attempts from thumb_t to connect to ssd - Dontaudit attempts by readahead to read sock_files - Dontaudit attempts by readahead to read sock_files - Create tmpfs file while running as wine as user_tmpfs_t - Dontaudit attempts by readahead to read sock_files - libmpg ships badly created librarie- Change ssh_use_pts to use macro and only inherited sshd_devpts_t - Allow confined users to read systemd_logind seat information - libmpg ships badly created libraries - Add support for strongswan.service - Add labeling for strongswan - Allow l2tpd_t to read network manager content in /run directory - Allow rsync to getattr any file in rsync_data_t - Add labeling and filename transition for .grl-podcasts- mount.glusterfs executes glusterfsd binary - Allow systemd_hostnamed_t to stream connect to systemd - Dontaudit any user doing a access check - Allow obex-data-server to request the kernel to load a module - Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info) - Allow gpg-agent to read /proc/sys/crypto/fips_enabled - Add new types for antivirus.pp policy module - Allow gnomesystemmm_t caps because of ioprio_set - Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t - Allow gnomesystemmm_t caps because of ioprio_set - Allow NM rawip socket - files_relabel_non_security_files can not be used with boolean - Add interface to thumb_t dbus_chat to allow it to read remote process state - ALlow logrotate to domtrans to mdadm_t - kde gnomeclock wants to write content to /tmp- kde gnomeclock wants to write content to /tmp - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde - Allow blueman_t to rwx zero_device_t, for some kind of jre - Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre - Ftp full access should be allowed to create directories as well as files - Add boolean to allow rsync_full_acces, so that an rsync server can write all - over the local machine - logrotate needs to rotate logs in openshift directories, needs back port to RHEL6 - Add missing vpnc_roles type line - Allow stapserver to write content in /tmp - Allow gnome keyring to create keyrings dir in ~/.local/share - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Add interface to colord_t dbus_chat to allow it to read remote process state - Allow colord_t to read cupsd_t state - Add mate-thumbnail-font as thumnailer - Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data. - Allow qpidd to list /tmp. Needed by ssl - Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18 - - Added systemd support for ksmtuned - Added booleans ksmtuned_use_nfs ksmtuned_use_cifs - firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow - Looks like qpidd_t needs to read /dev/random - Lots of probing avc's caused by execugting gpg from staff_t - Dontaudit senmail triggering a net_admin avc - Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port - Logwatch does access check on mdadm binary - Add raid_access_check_mdadm() iterface- Fix systemd_manage_unit_symlinks() interface - Call systemd_manage_unit_symlinks(() which is correct interface - Add filename transition for opasswd - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow sytstemd-timedated to get status of init_t - Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t - colord needs to communicate with systemd and systemd_logind, also remove duplicate rules - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow gpg_t to manage all gnome files - Stop using pcscd_read_pub_files - New rules for xguest, dontaudit attempts to dbus chat - Allow firewalld to create its mmap files in tmpfs and tmp directories - Allow firewalld to create its mmap files in tmpfs and tmp directories - run unbound-chkconf as named_t, so it can read dnssec - Colord is reading xdm process state, probably reads state of any apps that sends dbus message - Allow mdadm_t to change the kernel scheduler - mythtv policy - Update mandb_admin() interface - Allow dsspam to listen on own tpc_socket - seutil_filetrans_named_content needs to be optional - Allow sysadm_t to execute content in his homedir - Add attach_queue to tun_socket, new patch from Paul Moore - Change most of selinux configuration types to security_file_type. - Add filename transition rules for selinux configuration - ssh into a box with -X -Y requires ssh_use_ptys - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Allow all unpriv userdomains to send dbus messages to hostnamed and timedated - New allow rules found by Tom London for systemd_hostnamed- Allow systemd-tmpfiles to relabel lpd spool files - Ad labeling for texlive bash scripts - Add xserver_filetrans_fonts_cache_home_content() interface - Remove duplicate rules from *.te - Add support for /var/lock/man-db.lock - Add support for /var/tmp/abrt(/.*)? - Add additional labeling for munin cgi scripts - Allow httpd_t to read munin conf files - Allow certwatch to read meminfo - Fix nscd_dontaudit_write_sock_file() interfac - Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t - llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling- Allow gnomeclock to talk to puppet over dbus - Allow numad access discovered by Dominic - Add support for HOME_DIR/.maildir - Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain - Allow udev to relabel udev_var_run_t lnk_files - New bin_t file in mcelog- Remove all mcs overrides and replace with t1 != mcs_constrained_types - Add attribute_role for iptables - mcs_process_set_categories needs to be called for type - Implement additional role_attribute statements - Sodo domain is attempting to get the additributes of proc_kcore_t - Unbound uses port 8953 - Allow svirt_t images to compromise_kernel when using pci-passthrough - Add label for dns lib files - Bluetooth aquires a dbus name - Remove redundant files_read_usr_file calling - Remove redundant files_read_etc_file calling - Fix mozilla_run_plugin() - Add role_attribute support for more domains- Mass merge with upstream- Bump the policy version to 28 to match selinux userspace - Rebuild versus latest libsepol- Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Add labeling for /var/named/chroot/etc/localtim- Allow setroubleshoot_fixit to execute rpm - zoneminder needs to connect to httpd ports where remote cameras are listening - Allow firewalld to execute content created in /run directory - Allow svirt_t to read generic certs - Dontaudit leaked ps content to mozilla plugin - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - init scripts are creating systemd_unit_file_t directories- systemd_logind_t is looking at all files under /run/user/apache - Allow systemd to manage all user tmp files - Add labeling for /var/named/chroot/etc/localtime - Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6 - Keystone is now using a differnt port - Allow xdm_t to use usbmuxd daemon to control sound - Allow passwd daemon to execute gnome_exec_keyringd - Fix chrome_sandbox policy - Add labeling for /var/run/checkquorum-timer - More fixes for the dspam domain, needs back port to RHEL6 - More fixes for the dspam domain, needs back port to RHEL6 - sssd needs to connect to kerberos password port if a user changes his password - Lots of fixes from RHEL testing of dspam web - Allow chrome and mozilla_plugin to create msgq and semaphores - Fixes for dspam cgi scripts - Fixes for dspam cgi scripts - Allow confine users to ptrace screen - Backport virt_qemu_ga_t changes from RHEL - Fix labeling for dspam.cgi needed for RHEL6 - We need to back port this policy to RHEL6, for lxc domains - Dontaudit attempts to set sys_resource of logrotate - Allow corosync to read/write wdmd's tmpfs files - I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set - Allow cron jobs to read bind config for unbound - libvirt needs to inhibit systemd - kdumpctl needs to delete boot_t files - Fix duplicate gnome_config_filetrans - virtd_lxc_t is using /dev/fuse - Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift - apcupsd can be setup to listen to snmp trafic - Allow transition from kdumpgui to kdumpctl - Add fixes for munin CGI scripts - Allow deltacloud to connect to openstack at the keystone port - Allow domains that transition to svirt domains to be able to signal them - Fix file context of gstreamer in .cache directory - libvirt is communicating with logind - NetworkManager writes to the systemd inhibit pipe- Allow munin disk plugins to get attributes of all directories - Allow munin disk plugins to get attributes of all directorie - Allow logwatch to get attributes of all directories - Fix networkmanager_manage_lib() interface - Fix gnome_manage_config() to allow to manage sock_file - Fix virtual_domain_context - Add support for dynamic DNS for DHCPv6- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch - Add additional labeling for /var/www/openshift/broker - Fix rhev policy - Allow openshift_initrc domain to dbus chat with systemd_logind - Allow httpd to getattr passenger log file if run_stickshift - Allow consolehelper-gtk to connect to xserver - Add labeling for the tmp-inst directory defined in pam_namespace.conf - Add lvm_metadata_t labeling for /etc/multipath- consoletype is no longer used- Add label for efivarfs - Allow certmonger to send signal to itself - Allow plugin-config to read own process status - Add more fixes for pacemaker - apache/drupal can run clamscan on uploaded content - Allow chrome_sandbox_nacl_t to read pid 1 content- Fix MCS Constraints to control ingres and egres controls on the network. - Change name of svirt_nokvm_t to svirt_tcg_t - Allow tuned to request the kernel to load kernel modules- Label /var/lib/pgsql/.ssh as ssh_home_t - Add labeling for /usr/bin/pg_ctl - Allow systemd-logind to manage keyring user tmp dirs - Add support for 7389/tcp port - gems seems to be placed in lots of places - Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus - Add back tcp/8123 port as http_cache port - Add ovirt-guest-agent\.pid labeling - Allow xend to run scsi_id - Allow rhsmcertd-worker to read "physical_package_id" - Allow pki_tomcat to connect to ldap port - Allow lpr to read /usr/share/fonts - Allow open file from CD/DVD drive on domU - Allow munin services plugins to talk to SSSD - Allow all samba domains to create samba directory in var_t directories - Take away svirt_t ability to use nsswitch - Dontaudit attempts by openshift to read apache logs - Allow apache to create as well as append _ra_content_t - Dontaudit sendmail_t reading a leaked file descriptor - Add interface to have admin transition /etc/prelink.cache to the proper label - Add sntp support to ntp policy - Allow firewalld to dbus chat with devicekit_power - Allow tuned to call lsblk - Allow tor to read /proc/sys/kernel/random/uuid - Add tor_can_network_relay boolean- Add openshift_initrc_signal() interface - Fix typos - dspam port is treat as spamd_port_t - Allow setroubleshoot to getattr on all executables - Allow tuned to execute profiles scripts in /etc/tuned - Allow apache to create directories to store its log files - Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t - Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6 - Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM - Add filename transition for /etc/tuned/active_profile - Allow condor_master to send mails - Allow condor_master to read submit.cf - Allow condor_master to create /tmp files/dirs - Allow condor_mater to send sigkill to other condor domains - Allow condor_procd sigkill capability - tuned-adm wants to talk with tuned daemon - Allow kadmind and krb5kdc to also list sssd_public_t - Allow accountsd to dbus chat with init - Fix git_read_generic_system_content_files() interface - pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" - Fix mozilla_plugin_can_network_connect to allow to connect to all ports - Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t - dspam wants to search /var/spool for opendkim data - Revert "Add support for tcp/10026 port as dspam_port_t" - Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6 - Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain - Allow systemd_tmpfiles_t to setattr on mandb_cache_t- consolekit.pp was not removed from the postinstall script- Add back consolekit policy - Silence bootloader trying to use inherited tty - Silence xdm_dbusd_t trying to execute telepathy apps - Fix shutdown avcs when machine has unconfined.pp disabled - The host and a virtual machine can share the same printer on a usb device - Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob - Allow abrt_watch_log_t to execute bin_t - Allow chrome sandbox to write content in ~/.config/chromium - Dontaudit setattr on fontconfig dir for thumb_t - Allow lircd to request the kernel to load module - Make rsync as userdom_home_manager - Allow rsync to search automount filesystem - Add fixes for pacemaker- Add support for 4567/tcp port - Random fixes from Tuomo Soini - xdm wants to get init status - Allow programs to run in fips_mode - Add interface to allow the reading of all blk device nodes - Allow init to relabel rpcbind sock_file - Fix labeling for lastlog and faillog related to logrotate - ALlow aeolus_configserver to use TRAM port - Add fixes for aeolus_configserver - Allow snmpd to connect to snmp port - Allow spamd_update to create spamd_var_lib_t directories - Allow domains that can read sssd_public_t files to also list the directory - Remove miscfiles_read_localization, this is defined for all domains- Allow syslogd to request the kernel to load a module - Allow syslogd_t to read the network state information - Allow xdm_dbusd_t connect to the system DBUS - Add support for 7389/tcp port - Allow domains to read/write all inherited sockets - Allow staff_t to read kmsg - Add awstats_purge_apache_log boolean - Allow ksysguardproces to read /.config/Trolltech.conf - Allow passenger to create and append puppet log files - Add puppet_append_log and puppet_create_log interfaces - Add puppet_manage_log() interface - Allow tomcat domain to search tomcat_var_lib_t - Allow pki_tomcat_t to connect to pki_ca ports - Allow pegasus_t to have net_admin capability - Allow pegasus_t to write /sys/class/net//flags - Allow mailserver_delivery to manage mail_home_rw_t lnk_files - Allow fetchmail to create log files - Allow gnomeclock to manage home config in .kde - Allow bittlebee to read kernel sysctls - Allow logrotate to list /root- Fix userhelper_console_role_template() - Allow enabling Network Access Point service using blueman - Make vmware_host_t as unconfined domain - Allow authenticate users in webaccess via squid, using mysql as backend - Allow gathers to get various metrics on mounted file systems - Allow firewalld to read /etc/hosts - Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t - Allow kdumpgui to read/write to zipl.conf - Commands needed to get mock to build from staff_t in enforcing mode - Allow mdadm_t to manage cgroup files - Allow all daemons and systemprocesses to use inherited initrc_tmp_t files - dontaudit ifconfig_t looking at fifo_files that are leaked to it - Add lableing for Quest Authentication System- Fix filetrans interface definitions - Dontaudit xdm_t to getattr on BOINC lib files - Add systemd_reload_all_services() interface - Dontaudit write access on /var/lib/net-snmp/mib_indexes - Only stop mcsuntrustedproc from relableing files - Allow accountsd to dbus chat with gdm - Allow realmd to getattr on all fs - Allow logrotate to reload all services - Add systemd unit file for radiusd - Allow winbind to create samba pid dir - Add labeling for /var/nmbd/unexpected - Allow chrome and mozilla plugin to connect to msnp ports- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file - Dontaudit setfiles reading /dev/random - On initial boot gnomeclock is going to need to be set buy gdm - Fix tftp_read_content() interface - Random apps looking at kernel file systems - Testing virt with lxc requiers additional access for virsh_t - New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container - Allow MPD to read /dev/radnom - Allow sandbox_web_type to read logind files which needs to read pulseaudio - Allow mozilla plugins to read /dev/hpet - Add labeling for /var/lib/zarafa-webap - Allow BOINC client to use an HTTP proxy for all connections - Allow rhsmertd to domain transition to dmidecod - Allow setroubleshootd to send D-Bus msg to ABRT- Define usbtty_device_t as a term_tty - Allow svnserve to accept a connection - Allow xend manage default virt_image_t type - Allow prelink_cron_system_t to overide user componant when executing cp - Add labeling for z-push - Gnomeclock sets the realtime clock - Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd - Allow lxc domains to use /dev/random and /dev/urandom- Add port defintion for tcp/9000 - Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd - Add rules and labeling for $HOME/cache/\.gstreamer-.* directory - Add support for CIM provider openlmi-networking which uses NetworkManager dbus API - Allow shorewall_t to create netlink_socket - Allow krb5admind to block suspend - Fix labels on /var/run/dlm_controld /var/log/dlm_controld - Allow krb5kdc to block suspend - gnomessytemmm_t needs to read /etc/passwd - Allow cgred to read all sysctls- Allow all domains to read /proc/sys/vm/overcommit_memory - Make proc_numa_t an MLS Trusted Object - Add /proc/numactl support for confined users - Allow ssh_t to connect to any port > 1023 - Add openvswitch domain - Pulseaudio tries to create directories in gnome_home_t directories - New ypbind pkg wants to search /var/run which is caused by sd_notify - Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans - Allow sanlock to read /dev/random - Treat php-fpm with httpd_t - Allow domains that can read named_conf_t to be able to list the directories - Allow winbind to create sock files in /var/run/samba- Add smsd policy - Add support for OpenShift sbin labelin - Add boolean to allow virt to use rawip - Allow mozilla_plugin to read all file systems with noxattrs support - Allow kerberos to write on anon_inodefs fs - Additional access required by fenced - Add filename transitions for passwd.lock/group.lock - UPdate man pages - Create coolkey directory in /var/cache with the correct label- Fix label on /etc/group.lock - Allow gnomeclock to create lnk_file in /etc - label /root/.pki as a home_cert_t - Add interface to make sure rpcbind.sock is created with the correct label - Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules - opendkim should be a part of milter - Allow libvirt to set the kernel sched algorythm - Allow mongod to read sysfs_t - Add authconfig policy - Remove calls to miscfiles_read_localization all domains get this - Allow virsh_t to read /root/.pki/ content - Add label for log directory under /var/www/stickshift- Allow getty to setattr on usb ttys - Allow sshd to search all directories for sshd_home_t content - Allow staff domains to send dbus messages to kdumpgui - Fix labels on /etc/.pwd.lock and friends to be passwd_file_t - Dontaudit setfiles reading urand - Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched - Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir - Allow systemd-timedated to read /dev/urandom - Allow entropyd_t to read proc_t (meminfo) - Add unconfined munin plugin - Fix networkmanager_read_conf() interface - Allow blueman to list /tmp which is needed by sys_nic/setsched - Fix label of /etc/mail/aliasesdb-stamp - numad is searching cgroups - realmd is communicating with networkmanager using dbus - Lots of fixes to try to get kdump to work- Allow loging programs to dbus chat with realmd - Make apache_content_template calling as optional - realmd is using policy kit- Add new selinuxuser_use_ssh_chroot boolean - dbus needs to be able to read/write inherited fixed disk device_t passed through it - Cleanup netutils process allow rule - Dontaudit leaked fifo files from openshift to ping - sanlock needs to read mnt_t lnk files - Fail2ban needs to setsched and sys_nice- Change default label of all files in /var/run/rpcbind - Allow sandbox domains (java) to read hugetlbfs_t - Allow awstats cgi content to create tmp files and read apache log files - Allow setuid/setgid for cupsd-config - Allow setsched/sys_nice pro cupsd-config - Fix /etc/localtime sym link to be labeled locale_t - Allow sshd to search postgresql db t since this is a homedir - Allow xwindows users to chat with realmd - Allow unconfined domains to configure all files and null_device_t service- Adopt pki-selinux policy- pki is leaking which we dontaudit until a pki code fix - Allow setcap for arping - Update man pages - Add labeling for /usr/sbin/mcollectived - pki fixes - Allow smokeping to execute fping in the netutils_t domain- Allow mount to relabelfrom unlabeled file systems - systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working - Add label to get bin files under libreoffice labeled correctly - Fix interface to allow executing of base_ro_file_type - Add fixes for realmd - Update pki policy - Add tftp_homedir boolean - Allow blueman sched_setscheduler - openshift user domains wants to r/w ssh tcp sockets- Additional requirements for disable unconfined module when booting - Fix label of systemd script files - semanage can use -F /dev/stdin to get input - syslog now uses kerberos keytabs - Allow xserver to compromise_kernel access - Allow nfsd to write to mount_var_run_t when running the mount command - Add filename transition rule for bin_t directories - Allow files to read usr_t lnk_files - dhcpc wants chown - Add support for new openshift labeling - Clean up for tunable+optional statements - Add labeling for /usr/sbin/mkhomedir_helper - Allow antivirus domain to managa amavis spool files - Allow rpcbind_t to read passwd - Allow pyzor running as spamc to manage amavis spool- Add interfaces to read kernel_t proc info - Missed this version of exec_all - Allow anyone who can load a kernel module to compromise kernel - Add oddjob_dbus_chat to openshift apache policy - Allow chrome_sandbox_nacl_t to send signals to itself - Add unit file support to usbmuxd_t - Allow all openshift domains to read sysfs info - Allow openshift domains to getattr on all domains- MLS fixes from Dan - Fix name of capability2 secure_firmware->compromise_kerne- Allow xdm to search all file systems - Add interface to allow the config of all files - Add rngd policy - Remove kgpg as a gpg_exec_t type - Allow plymouthd to block suspend - Allow systemd_dbus to config any file - Allow system_dbus_t to configure all services - Allow freshclam_t to read usr_files - varnishd requires execmem to load modules- Allow semanage to verify types - Allow sudo domain to execute user home files - Allow session_bus_type to transition to user_tmpfs_t - Add dontaudit caused by yum updates - Implement pki policy but not activated- tuned wants to getattr on all filesystems - tuned needs also setsched. The build is needed for test day- Add policy for qemu-qa - Allow razor to write own config files - Add an initial antivirus policy to collect all antivirus program - Allow qdisk to read usr_t - Add additional caps for vmware_host - Allow tmpfiles_t to setattr on mandb_cache_t - Dontaudit leaked files into mozilla_plugin_config_t - Allow wdmd to getattr on tmpfs - Allow realmd to use /dev/random - allow containers to send audit messages - Allow root mount any file via loop device with enforcing mls policy - Allow tmpfiles_t to setattr on mandb_cache_t - Allow tmpfiles_t to setattr on mandb_cache_t - Make userdom_dontaudit_write_all_ not allow open - Allow init scripts to read all unit files - Add support for saphostctrl ports- Add kernel_read_system_state to sandbox_client_t - Add some of the missing access to kdumpgui - Allow systemd_dbusd_t to status the init system - Allow vmnet-natd to request the kernel to load a module - Allow gsf-office-thum to append .cache/gdm/session.log - realmd wants to read .config/dconf/user - Firewalld wants sys_nice/setsched - Allow tmpreaper to delete mandb cache files - Firewalld wants sys_nice/setsched - Allow firewalld to perform a DNS name resolution - Allown winbind to read /usr/share/samba/codepages/lowcase.dat - Add support for HTTPProxy* in /etc/freshclam.conf - Fix authlogin_yubike boolean - Extend smbd_selinux man page to include samba booleans - Allow dhcpc to execute consoletype - Allow ping to use inherited tmp files created in init scripts - On full relabel with unconfined domain disabled, initrc was running some chcon's - Allow people who delete man pages to delete mandb cache files- Add missing permissive domains- Add new mandb policy - ALlow systemd-tmpfiles_t to relabel mandb_cache_t - Allow logrotate to start all unit files- Add fixes for ctbd - Allow nmbd to stream connect to ctbd - Make cglear_t as nsswitch_domain - Fix bogus in interfaces - Allow openshift to read/write postfix public pipe - Add postfix_manage_spool_maildrop_files() interface - stickshift paths have been renamed to openshift - gnome-settings-daemon wants to write to /run/systemd/inhibit/ pipes - Update man pages, adding ENTRYPOINTS- Add mei_device_t - Make sure gpg content in homedir created with correct label - Allow dmesg to write to abrt cache files - automount wants to search virtual memory sysctls - Add support for hplip logs stored in /var/log/hp/tmp - Add labeling for /etc/owncloud/config.php - Allow setroubleshoot to send analysys to syslogd-journal - Allow virsh_t to interact with new fenced daemon - Allow gpg to write to /etc/mail/spamassassiin directories - Make dovecot_deliver_t a mail server delivery type - Add label for /var/tmp/DNS25- Fixes for tomcat_domain template interface- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes - Add attribute to all base os types. Allow all domains to read all ro base OS types- Additional unit files to be defined as power unit files - Fix more boolean names- Fix boolean name so subs will continue to work- dbus needs to start getty unit files - Add interface to allow system_dbusd_t to start the poweroff service - xdm wants to exec telepathy apps - Allow users to send messages to systemdlogind - Additional rules needed for systemd and other boot apps - systemd wants to list /home and /boot - Allow gkeyringd to write dbus/conf file - realmd needs to read /dev/urand - Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded- Fixes to safe more rules - Re-write tomcat_domain_template() - Fix passenger labeling - Allow all domains to read man pages - Add ephemeral_port_t to the 'generic' port interfaces - Fix the names of postgresql booleans- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer - Move netlable_peer check out of booleans - Remove call to recvfrom_netlabel for kerberos call - Remove use of attributes when calling syslog call - Move -miscfiles_read_localization to domain.te to save hundreds of allow rules - Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface - Allow rndc to block suspend - tuned needs to modify the schedule of the kernel - Allow svirt_t domains to read alsa configuration files - ighten security on irc domains and make sure they label content in homedir correctly - Add filetrans_home_content for irc files - Dontaudit all getattr access for devices and filesystems for sandbox domains - Allow stapserver to search cgroups directories - Allow all postfix domains to talk to spamd- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check - Change pam_t to pam_timestamp_t - Add dovecot_domain attribute and allow this attribute block_suspend capability2 - Add sanlock_use_fusefs boolean - numad wants send/recieve msg - Allow rhnsd to send syslog msgs - Make piranha-pulse as initrc domain - Update openshift instances to dontaudit setattr until the kernel is fixed.- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd - Remove pam_selinux.8 which conflicts with man page owned by the pam package - Allow glance-api to talk to mysql - ABRT wants to read Xorg.0.log if if it detects problem with Xorg - Fix gstreamer filename trans. interface- Man page fixes by Dan Walsh- Allow postalias to read postfix config files - Allow man2html to read man pages - Allow rhev-agentd to search all mountpoints - Allow rhsmcertd to read /dev/random - Add tgtd_stream_connect() interface - Add cyrus_write_data() interface - Dontaudit attempts by sandboxX clients connectiing to the xserver_port_t - Add port definition for tcp/81 as http_port_t - Fix /dev/twa labeling - Allow systemd to read modules config- Merge openshift policy - Allow xauth to read /dev/urandom - systemd needs to relabel content in /run/systemd directories - Files unconfined should be able to perform all services on all files - Puppet tmp file can be leaked to all domains - Dontaudit rhsmcertd-worker to search /root/.local - Allow chown capability for zarafa domains - Allow system cronjobs to runcon into openshift domains - Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories- nmbd wants to create /var/nmbd - Stop transitioning out of anaconda and firstboot, just causes AVC messages - Allow clamscan to read /etc files - Allow bcfg2 to bind cyphesis port - heartbeat should be run as rgmanager_t instead of corosync_t - Add labeling for /etc/openldap/certs - Add labeling for /opt/sartest directory - Make crontab_t as userdom home reader - Allow tmpreaper to list admin_home dir - Add defition for imap_0 replay cache file - Add support for gitolite3 - Allow virsh_t to send syslog messages - allow domains that can read samba content to be able to list the directories also - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd - Separate out sandbox from sandboxX policy so we can disable it by default - Run dmeventd as lvm_t - Mounting on any directory requires setattr and write permissions - Fix use_nfs_home_dirs() boolean - New labels for pam_krb5 - Allow init and initrc domains to sys_ptrace since this is needed to look at processes not owned by uid 0 - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs - Allow domains that can read etc_t to read etc_runtime_t - Allow all domains to use inherited tmpfiles- Allow realmd to read resolv.conf - Add pegasus_cache_t type - Label /usr/sbin/fence_virtd as virsh_exec_t - Add policy for pkcsslotd - Add support for cpglockd - Allow polkit-agent-helper to read system-auth-ac - telepathy-idle wants to read gschemas.compiled - Allow plymouthd to getattr on fs_t - Add slpd policy - Allow ksysguardproces to read/write config_usr_t- Fix labeling substitution so rpm will label /lib/systemd content correctly- Add file name transitions for ttyACM0 - spice-vdagent(d)'s are going to log over to syslog - Add sensord policy - Add more fixes for passenger policy related to puppet - Allow wdmd to create wdmd_tmpfs_t - Fix labeling for /var/run/cachefilesd\.pid - Add thumb_tmpfs_t files type- Allow svirt domains to manage the network since this is containerized - Allow svirt_lxc_net_t to send audit messages- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working - Allow dlm_controld to execute dlm_stonith labeled as bin_t - Allow GFS2 working on F17 - Abrt needs to execute dmesg - Allow jockey to list the contents of modeprobe.d - Add policy for lightsquid as squid_cron_t - Mailscanner is creating files and directories in /tmp - dmesg is now reading /dev/kmsg - Allow xserver to communicate with secure_firmware - Allow fsadm tools (fsck) to read /run/mount contnet - Allow sysadm types to read /dev/kmsg -- Allow postfix, sssd, rpcd to block_suspend - udev seems to need secure_firmware capability - Allow virtd to send dbus messages to firewalld so it can configure the firewall- Fix labeling of content in /run created by virsh_t - Allow condor domains to read kernel sysctls - Allow condor_master to connect to amqp - Allow thumb drives to create shared memory and semaphores - Allow abrt to read mozilla_plugin config files - Add labels for lightsquid - Default files in /opt and /usr that end in .cgi as httpd_sys_script_t, allow - dovecot_auth_t uses ldap for user auth - Allow domains that can read dhcp_etc_t to read lnk_files - Add more then one watchdog device - Allow useradd_t to manage etc_t files so it can rename it and edit them - Fix invalid class dir should be fifo_file - Move /run/blkid to fsadm and make sure labeling is correct- Fix bogus regex found by eparis - Fix manage run interface since lvm needs more access - syslogd is searching cgroups directory - Fixes to allow virt-sandbox-service to manage lxc var run content- Fix Boolean settings - Add new libjavascriptcoregtk as textrel_shlib_t - Allow xdm_t to create xdm_home_t directories - Additional access required for systemd - Dontaudit mozilla_plugin attempts to ipc_lock - Allow tmpreaper to delete unlabeled files - Eliminate screen_tmp_t and allow it to manage user_tmp_t - Dontaudit mozilla_plugin_config_t to append to leaked file descriptors - Allow web plugins to connect to the asterisk ports - Condor will recreate the lock directory if it does not exist - Oddjob mkhomedir needs to connectto user processes - Make oddjob_mkhomedir_t a userdom home manager- Put placeholder back in place for proper numbering of capabilities - Systemd also configures init scripts- Fix ecryptfs interfaces - Bootloader seems to be trolling around /dev/shm and /dev - init wants to create /etc/systemd/system-update.target.wants - Fix systemd_filetrans call to move it out of tunable - Fix up policy to work with systemd userspace manager - Add secure_firmware capability and remove bogus epolwakeup - Call seutil_*_login_config interfaces where should be needed - Allow rhsmcertd to send signal to itself - Allow thin domains to send signal to itself - Allow Chrome_ChildIO to read dosfs_t- Add role rules for realmd, sambagui- Add new type selinux_login_config_t for /etc/selinux//logins/ - Additional fixes for seutil_manage_module_store() - dbus_system_domain() should be used with optional_policy - Fix svirt to be allowed to use fusefs file system - Allow login programs to read /run/ data created by systemd_login - sssd wants to write /etc/selinux//logins/ for SELinux PAM module - Fix svirt to be allowed to use fusefs file system - Allow piranha domain to use nsswitch - Sanlock needs to send Kill Signals to non root processes - Pulseaudio wants to execute /run/user/PID/.orc- Fix saslauthd when it tries to read /etc/shadow - Label gnome-boxes as a virt homedir - Need to allow svirt_t ability to getattr on nfs_t file systems - Update sanlock policy to solve all AVC's - Change confined users can optionally manage virt content - Handle new directories under ~/.cache - Add block suspend to appropriate domains - More rules required for containers - Allow login programs to read /run/ data created by systemd_logind - Allow staff users to run svirt_t processes- Update to upstream- More fixes for systemd to make rawhide booting from Dan Walsh- Add systemd fixes to make rawhide booting- Add systemd_logind_inhibit_var_run_t attribute - Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type - Add interface for mysqld to dontaudit signull to all processes - Label new /var/run/journal directory correctly - Allow users to inhibit suspend via systemd - Add new type for the /var/run/inhibit directory - Add interface to send signull to systemd_login so avahi can send them - Allow systemd_passwd to send syslog messages - Remove corenet_all_recvfrom_unlabeled() calling fro policy files - Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group - Allow smbd to read cluster config - Add additional labeling for passenger - Allow dbus to inhibit suspend via systemd - Allow avahi to send signull to systemd_login- Add interface to dontaudit getattr access on sysctls - Allow sshd to execute /bin/login - Looks like xdm is recreating the xdm directory in ~/.cache/ on login - Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald - Fix semanage to work with unconfined domain disabled on F18 - Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls - Virt seems to be using lock files - Dovecot seems to be searching directories of every mountpoint - Allow jockey to read random/urandom, execute shell and install third-party drivers - Add aditional params to allow cachedfiles to manage its content - gpg agent needs to read /dev/random - The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write - Add a bunch of dontaudit rules to quiet svirt_lxc domains - Additional perms needed to run svirt_lxc domains - Allow cgclear to read cgconfig - Allow sys_ptrace capability for snmp - Allow freshclam to read /proc - Allow procmail to manage /home/user/Maildir content - Allow NM to execute wpa_cli - Allow amavis to read clamd system state - Regenerate man pages- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- Add realmd and stapserver policies - Allow useradd to manage stap-server lib files - Tighten up capabilities for confined users - Label /etc/security/opasswd as shadow_t - Add label for /dev/ecryptfs - Allow condor_startd_t to start sshd with the ranged - Allow lpstat.cups to read fips_enabled file - Allow pyzor running as spamc_t to create /root/.pyzor directory - Add labelinf for amavisd-snmp init script - Add support for amavisd-snmp - Allow fprintd sigkill self - Allow xend (w/o libvirt) to start virtual machines - Allow aiccu to read /etc/passwd - Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes - Add condor_startd_ranged_domtrans_to() interface - Add ssd_conf_t for /etc/sssd - accountsd needs to fchown some files/directories - Add ICACLient and zibrauserdata as mozilla_filetrans_home_content - SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit - Allow xend_t to read the /etc/passwd file- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t - Add init_access_check() interface - Fix label on /usr/bin/pingus to not be labeled as ping_exec_t - Allow tcpdump to create a netlink_socket - Label newusers like useradd - Change xdm log files to be labeled xdm_log_t - Allow sshd_t with privsep to work in MLS - Allow freshclam to update databases thru HTTP proxy - Allow s-m-config to access check on systemd - Allow abrt to read public files by default - Fix amavis_create_pid_files() interface - Add labeling and filename transition for dbomatic.log - Allow system_dbusd_t to stream connect to bluetooth, and use its socket - Allow amavisd to execute fsav - Allow tuned to use sys_admin and sys_nice capabilities - Add php-fpm policy from Bryan - Add labeling for aeolus-configserver-thinwrapper - Allow thin domains to execute shell - Fix gnome_role_gkeyringd() interface description - Lot of interface fixes - Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files - Allow OpenMPI job to use kerberos - Make deltacloudd_t as nsswitch_domain - Allow xend_t to run lsscsi - Allow qemu-dm running as xend_t to create tun_socket - Add labeling for /opt/brother/Printers(.*/)?inf - Allow jockey-backend to read pyconfig-64.h labeled as usr_t - Fix clamscan_can_scan_system boolean - Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11- initrc is calling exportfs which is not confined so it attempts to read nfsd_files - Fixes for passenger running within openshift. - Add labeling for all tomcat6 dirs - Add support for tomcat6 - Allow cobblerd to read /etc/passwd - Allow jockey to read sysfs and and execute binaries with bin_t - Allow thum to use user terminals - Allow cgclear to read cgconfig config files - Fix bcf2g.fc - Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains - Allow dbomatic to execute ruby - abrt_watch_log should be abrt_domain - Allow mozilla_plugin to connect to gatekeeper port- add ptrace_child access to process - remove files_read_etc_files() calling from all policies which have auth_use_nsswith() - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - Add support for boinc.log - Allow mozilla_plugin execmod on mozilla home files if allow_ex - Allow dovecot_deliver_t to read dovecot_var_run_t - Allow ldconfig and insmod to manage kdumpctl tmp files - Move thin policy out from cloudform.pp and add a new thin poli - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_c - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users hom - rhsmcertd reads the rpm database - Add support for lightdm- Add tomcat policy - Remove pyzor/razor policy - rhsmcertd reads the rpm database - Dontaudit thumb to setattr on xdm_tmp dir - Allow wicd to execute ldconfig in the networkmanager_t domain - Add /var/run/cherokee\.pid labeling - Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too - Allow postfix-master to r/w pipes other postfix domains - Allow snort to create netlink_socket - Add kdumpctl policy - Allow firstboot to create tmp_t files/directories - /usr/bin/paster should not be labeled as piranha_exec_t - remove initrc_domain from tomcat - Allow ddclient to read /etc/passwd - Allow useradd to delete all file types stored in the users homedir - Allow ldconfig and insmod to manage kdumpctl tmp files - Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those - Transition xauth files within firstboot_tmp_t - Fix labeling of /run/media to match /media - Label all lxdm.log as xserver_log_t - Add port definition for mxi port - Allow local_login_t to execute tmux- apcupsd needs to read /etc/passwd - Sanlock allso sends sigkill - Allow glance_registry to connect to the mysqld port - Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl - Allow firefox plugins/flash to connect to port 1234 - Allow mozilla plugins to delete user_tmp_t files - Add transition name rule for printers.conf.O - Allow virt_lxc_t to read urand - Allow systemd_loigind to list gstreamer_home_dirs - Fix labeling for /usr/bin - Fixes for cloudform services * support FIPS - Allow polipo to work as web caching - Allow chfn to execute tmux- Add support for ecryptfs * ecryptfs does not support xattr * we need labeling for HOMEDIR - Add policy for (u)mount.ecryptfs* - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache - Allow dovecot to manage Maildir content, fix transitions to Maildir - Allow postfix_local to transition to dovecot_deliver - Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code - Cleanup interface definitions - Allow apmd to change with the logind daemon - Changes required for sanlock in rhel6 - Label /run/user/apache as httpd_tmp_t - Allow thumb to use lib_t as execmod if boolean turned on - Allow squid to create the squid directory in /var with the correct labe - Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com) - Allow virtd to exec xend_exec_t without transition - Allow virtd_lxc_t to unmount all file systems- PolicyKit path has changed - Allow httpd connect to dirsrv socket - Allow tuned to write generic kernel sysctls - Dontaudit logwatch to gettr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Make condor_startd and rgmanager as initrc domain - Allow virsh to read /etc/passwd - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm - Fix files_filetrans_named_content() interface - Add new attribute - initrc_domain - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files- Rename boolean names to remove allow_- Mass merge with upstream * new policy topology to include contrib policy modules * we have now two base policy patches- Fix description of authlogin_nsswitch_use_ldap - Fix transition rule for rhsmcertd_t needed for RHEL7 - Allow useradd to list nfs state data - Allow openvpn to manage its log file and directory - We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly - Allow thumb to use nvidia devices - Allow local_login to create user_tmp_t files for kerberos - Pulseaudio needs to read systemd_login /var/run content - virt should only transition named system_conf_t config files - Allow munin to execute its plugins - Allow nagios system plugin to read /etc/passwd - Allow plugin to connect to soundd port - Fix httpd_passwd to be able to ask passwords - Radius servers can use ldap for backing store - Seems to need to mount on /var/lib for xguest polyinstatiation to work. - Allow systemd_logind to list the contents of gnome keyring - VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL - Add policy for isns-utils- Add policy for subversion daemon - Allow boinc to read passwd - Allow pads to read kernel network state - Fix man2html interface for sepolgen-ifgen - Remove extra /usr/lib/systemd/system/smb - Remove all /lib/systemd and replace with /usr/lib/systemd - Add policy for man2html - Fix the label of kerberos_home_t to krb5_home_t - Allow mozilla plugins to use Citrix - Allow tuned to read /proc/sys/kernel/nmi_watchdog - Allow tune /sys options via systemd's tmpfiles.d "w" type- Dontaudit lpr_t to read/write leaked mozilla tmp files - Add file name transition for .grl-podcasts directory - Allow corosync to read user tmp files - Allow fenced to create snmp lib dirs/files - More fixes for sge policy - Allow mozilla_plugin_t to execute any application - Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain - Allow mongod to read system state information - Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t - Allow polipo to manage polipo_cache dirs - Add jabbar_client port to mozilla_plugin_t - Cleanup procmail policy - system bus will pass around open file descriptors on files that do not have labels on them - Allow l2tpd_t to read system state - Allow tuned to run ls /dev - Allow sudo domains to read usr_t files - Add label to machine-id - Fix corecmd_read_bin_symlinks cut and paste error- Fix pulseaudio port definition - Add labeling for condor_starter - Allow chfn_t to creat user_tmp_files - Allow chfn_t to execute bin_t - Allow prelink_cron_system_t to getpw calls - Allow sudo domains to manage kerberos rcache files - Allow user_mail_domains to work with courie - Port definitions necessary for running jboss apps within openshift - Add support for openstack-nova-metadata-api - Add support for nova-console* - Add support for openstack-nova-xvpvncproxy - Fixes to make privsep+SELinux working if we try to use chage to change passwd - Fix auth_role() interface - Allow numad to read sysfs - Allow matahari-rpcd to execute shell - Add label for ~/.spicec - xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it - Devicekit_disk wants to read the logind sessions file when writing a cd - Add fixes for condor to make condor jobs working correctly - Change label of /var/log/rpmpkgs to cron_log_t - Access requires to allow systemd-tmpfiles --create to work. - Fix obex to be a user application started by the session bus. - Add additional filename trans rules for kerberos - Fix /var/run/heartbeat labeling - Allow apps that are managing rcache to file trans correctly - Allow openvpn to authenticate against ldap server - Containers need to listen to network starting and stopping events- Make systemd unit files less specific- Fix zarafa labeling - Allow guest_t to fix labeling - corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean - add lxc_contexts - Allow accountsd to read /proc - Allow restorecond to getattr on all file sytems - tmpwatch now calls getpw - Allow apache daemon to transition to pwauth domain - Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t - The obex socket seems to be a stream socket - dd label for /var/run/nologin- Allow jetty running as httpd_t to read hugetlbfs files - Allow sys_nice and setsched for rhsmcertd - Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports - Allow setfiles to append to xdm_tmp_t - Add labeling for /export as a usr_t directory - Add labels for .grl files created by gstreamer- Add labeling for /usr/share/jetty/bin/jetty.sh - Add jetty policy which contains file type definitios - Allow jockey to use its own fifo_file and make this the default for all domains - Allow mozilla_plugins to use spice (vnc_port/couchdb) - asterisk wants to read the network state - Blueman now uses /var/lib/blueman- Add label for nodejs_debug - Allow mozilla_plugin_t to create ~/.pki directory and content- Add clamscan_can_scan_system boolean - Allow mysqld to read kernel network state - Allow sshd to read/write condor lib files - Allow sshd to read/write condor-startd tcp socket - Fix description on httpd_graceful_shutdown - Allow glance_registry to communicate with mysql - dbus_system_domain is using systemd to lauch applications - add interfaces to allow domains to send kill signals to user mail agents - Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t - Lots of new access required for secure containers - Corosync needs sys_admin capability - ALlow colord to create shm - .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific - Add boolean to control whether or not mozilla plugins can create random content in the users homedir - Add new interface to allow domains to list msyql_db directories, needed for libra - shutdown has to be allowed to delete etc_runtime_t - Fail2ban needs to read /etc/passwd - Allow ldconfig to create /var/cache/ldconfig - Allow tgtd to read hardware state information - Allow collectd to create packet socket - Allow chronyd to send signal to itself - Allow collectd to read /dev/random - Allow collectd to send signal to itself - firewalld needs to execute restorecon - Allow restorecon and other login domains to execute restorecon- Allow logrotate to getattr on systemd unit files - Add support for tor systemd unit file - Allow apmd to create /var/run/pm-utils with the correct label - Allow l2tpd to send sigkill to pppd - Allow pppd to stream connect to l2tpd - Add label for scripts in /etc/gdm/ - Allow systemd_logind_t to ignore mcs constraints on sigkill - Fix files_filetrans_system_conf_named_files() interface - Add labels for /usr/share/wordpress/wp-includes/*.php - Allow cobbler to get SELinux mode and booleans- Add unconfined_execmem_exec_t as an alias to bin_t - Allow fenced to read snmp var lib files, also allow it to read usr_t - ontaudit access checks on all executables from mozilla_plugin - Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode - Allow systemd_tmpfiles_t to getattr all pipes and sockets - Allow glance-registry to send system log messages - semanage needs to manage mock lib files/dirs- Add policy for abrt-watch-log - Add definitions for jboss_messaging ports - Allow systemd_tmpfiles to manage printer devices - Allow oddjob to use nsswitch - Fix labeling of log files for postgresql - Allow mozilla_plugin_t to execmem and execstack by default - Allow firewalld to execute shell - Fix /etc/wicd content files to get created with the correct label - Allow mcelog to exec shell - Add ~/.orc as a gstreamer_home_t - /var/spool/postfix/lib64 should be labeled lib_t - mpreaper should be able to list all file system labeled directories - Add support for apache to use openstack - Add labeling for /etc/zipl.conf and zipl binary - Turn on allow_execstack and turn off telepathy transition for final release- More access required for virt_qmf_t - Additional assess required for systemd-logind to support multi-seat - Allow mozilla_plugin to setrlimit - Revert changes to fuse file system to stop deadlock- Allow condor domains to connect to ephemeral ports - More fixes for condor policy - Allow keystone to stream connect to mysqld - Allow mozilla_plugin_t to read generic USB device to support GPS devices - Allow thum to file name transition gstreamer home content - Allow thum to read all non security files - Allow glance_api_t to connect to ephemeral ports - Allow nagios plugins to read /dev/urandom - Allow syslogd to search postfix spool to support postfix chroot env - Fix labeling for /var/spool/postfix/dev - Allow wdmd chown - Label .esd_auth as pulseaudio_home_t - Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now- Add support for clamd+systemd - Allow fresclam to execute systemctl to handle clamd - Change labeling for /usr/sbin/rpc.ypasswd.env - Allow yppaswd_t to execute yppaswd_exec_t - Allow yppaswd_t to read /etc/passwd - Gnomekeyring socket has been moved to /run/user/USER/ - Allow samba-net to connect to ldap port - Allow signal for vhostmd - allow mozilla_plugin_t to read user_home_t socket - New access required for secure Linux Containers - zfs now supports xattrs - Allow quantum to execute sudo and list sysfs - Allow init to dbus chat with the firewalld - Allow zebra to read /etc/passwd- Allow svirt_t to create content in the users homedir under ~/.libvirt - Fix label on /var/lib/heartbeat - Allow systemd_logind_t to send kill signals to all processes started by a user - Fuse now supports Xattr Support- upowered needs to setsched on the kernel - Allow mpd_t to manage log files - Allow xdm_t to create /var/run/systemd/multi-session-x - Add rules for missedfont.log to be used by thumb.fc - Additional access required for virt_qmf_t - Allow dhclient to dbus chat with the firewalld - Add label for lvmetad - Allow systemd_logind_t to remove userdomain sock_files - Allow cups to execute usr_t files - Fix labeling on nvidia shared libraries - wdmd_t needs access to sssd and /etc/passwd - Add boolean to allow ftp servers to run in passive mode - Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with - Fix using httpd_use_fusefs - Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox- Rename rdate port to time port, and allow gnomeclock to connect to it - We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda - /etc/auto.* should be labeled bin_t - Add httpd_use_fusefs boolean - Add fixes for heartbeat - Allow sshd_t to signal processes that it transitions to - Add condor policy - Allow svirt to create monitors in ~/.libvirt - Allow dovecot to domtrans sendmail to handle sieve scripts - Lot of fixes for cfengine- /var/run/postmaster.* labeling is no longer needed - Alllow drbdadmin to read /dev/urandom - l2tpd_t seems to use ptmx - group+ and passwd+ should be labeled as /etc/passwd - Zarafa-indexer is a socket- Ensure lastlog is labeled correctly - Allow accountsd to read /proc data about gdm - Add fixes for tuned - Add bcfg2 fixes which were discovered during RHEL6 testing - More fixes for gnome-keyring socket being moved - Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown - Fix description for files_dontaudit_read_security_files() interface- Add new policy and man page for bcfg2 - cgconfig needs to use getpw calls - Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt - gnome-keyring wants to create a directory in cache_home_t - sanlock calls getpw- Add numad policy and numad man page - Add fixes for interface bugs discovered by SEWatch - Add /tmp support for squid - Add fix for #799102 * change default labeling for /var/run/slapd.* sockets - Make thumb_t as userdom_home_reader - label /var/lib/sss/mc same as pubconf, so getpw domains can read it - Allow smbspool running as cups_t to stream connect to nmbd - accounts needs to be able to execute passwd on behalf of users - Allow systemd_tmpfiles_t to delete boot flags - Allow dnssec_trigger to connect to apache ports - Allow gnome keyring to create sock_files in ~/.cache - google_authenticator is using .google_authenticator - sandbox running from within firefox is exposing more leaks - Dontaudit thumb to read/write /dev/card0 - Dontaudit getattr on init_exec_t for gnomeclock_t - Allow certmonger to do a transition to certmonger_unconfined_t - Allow dhcpc setsched which is caused by nmcli - Add rpm_exec_t for /usr/sbin/bcfg2 - system cronjobs are sending dbus messages to systemd_logind - Thumnailers read /dev/urand- Allow auditctl getcap - Allow vdagent to use libsystemd-login - Allow abrt-dump-oops to search /etc/abrt - Got these avc's while trying to print a boarding pass from firefox - Devicekit is now putting the media directory under /run/media - Allow thumbnailers to create content in ~/.thumbails directory - Add support for proL2TPd by Dominick Grift - Allow all domains to call getcap - wdmd seems to get a random chown capability check that it does not need - Allow vhostmd to read kernel sysctls- Allow chronyd to read unix - Allow hpfax to read /etc/passwd - Add support matahari vios-proxy-* apps and add virtd_exec_t label for them - Allow rpcd to read quota_db_t - Update to man pages to match latest policy - Fix bug in jockey interface for sepolgen-ifgen - Add initial svirt_prot_exec_t policy- More fixes for systemd from Dan Walsh- Add a new type for /etc/firewalld and allow firewalld to write to this directory - Add definition for ~/Maildir, and allow mail deliver domains to write there - Allow polipo to run from a cron job - Allow rtkit to schedule wine processes - Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label - Allow users domains to send signals to consolehelper domains- More fixes for boinc policy - Allow polipo domain to create its own cache dir and pid file - Add systemctl support to httpd domain - Add systemctl support to polipo, allow NetworkManager to manage the service - Add policy for jockey-backend - Add support for motion daemon which is now covered by zoneminder policy - Allow colord to read/write motion tmpfs - Allow vnstat to search through var_lib_t directories - Stop transitioning to quota_t, from init an sysadm_t- Add svirt_lxc_file_t as a customizable type- Add additional fixes for icmp nagios plugin - Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin - Add certmonger_unconfined_exec_t - Make sure tap22 device is created with the correct label - Allow staff users to read systemd unit files - Merge in previously built policy - Arpwatch needs to be able to start netlink sockets in order to start - Allow cgred_t to sys_ptrace to look at other DAC Processes- Back port some of the access that was allowed in nsplugin_t - Add definitiona for couchdb ports - Allow nagios to use inherited users ttys - Add git support for mock - Allow inetd to use rdate port - Add own type for rdate port - Allow samba to act as a portmapper - Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev - New fixes needed for samba4 - Allow apps that use lib_t to read lib_t symlinks- Add policy for nove-cert - Add labeling for nova-openstack systemd unit files - Add policy for keystoke- Fix man pages fro domains - Add man pages for SELinux users and roles - Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon - Add policy for matahari-rpcd - nfsd executes mount command on restart - Matahari domains execute renice and setsched - Dontaudit leaked tty in mozilla_plugin_config - mailman is changing to a per instance naming - Add 7600 and 4447 as jboss_management ports - Add fixes for nagios event handlers - Label httpd.event as httpd_exec_t, it is an apache daemon- Add labeling for /var/spool/postfix/dev/log - NM reads sysctl.conf - Iscsi log file context specification fix - Allow mozilla plugins to send dbus messages to user domains that transition to it - Allow mysql to read the passwd file - Allow mozilla_plugin_t to create mozilla home dirs in user homedir - Allow deltacloud to read kernel sysctl - Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself - Allow postgresql_t to connectto itself - Add login_userdomain attribute for users which can log in using terminal- Allow sysadm_u to reach system_r by default #784011 - Allow nagios plugins to use inherited user terminals - Razor labeling is not used no longer - Add systemd support for matahari - Add port_types to man page, move booleans to the top, fix some english - Add support for matahari-sysconfig-console - Clean up matahari.fc - Fix matahari_admin() interfac - Add labels for/etc/ssh/ssh_host_*.pub keys- Allow ksysguardproces to send system log msgs - Allow boinc setpgid and signull - Allow xdm_t to sys_ptrace to run pidof command - Allow smtpd_t to manage spool files/directories and symbolic links - Add labeling for jetty - Needed changes to get unbound/dnssec to work with openswan- Add user_fonts_t alias xfs_tmp_t - Since depmod now runs as insmod_t we need to write to kernel_object_t - Allow firewalld to dbus chat with networkmanager - Allow qpidd to connect to matahari ports - policykit needs to read /proc for uses not owned by it - Allow systemctl apps to connecto the init stream- Turn on deny_ptrace boolean- Remove pam_selinux.8 man page. There was a conflict.- Add proxy class and read access for gssd_proxy - Separate out the sharing public content booleans - Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate - Add label transition for gstream-0.10 and 12 - Add booleans to allow rsync to share nfs and cifs file sytems - chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it - Fix filename transitions for cups files - Allow denyhosts to read "unix" - Add file name transition for locale.conf.new - Allow boinc projects to gconf config files - sssd needs to be able to increase the socket limit under certain loads - sge_execd needs to read /etc/passwd - Allow denyhost to check network state - NetworkManager needs to read sessions data - Allow denyhost to check network state - Allow xen to search virt images directories - Add label for /dev/megaraid_sas_ioctl_node - Add autogenerated man pages- Allow boinc project to getattr on fs - Allow init to execute initrc_state_t - rhev-agent package was rename to ovirt-guest-agent - If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly - sytemd writes content to /run/initramfs and executes it on shutdown - kdump_t needs to read /etc/mtab, should be back ported to F16 - udev needs to load kernel modules in early system boot- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses - Add additional systemd interfaces which are needed fro *_admin interfaces - Fix bind_admin() interface- Allow firewalld to read urand - Alias java, execmem_mono to bin_t to allow third parties - Add label for kmod - /etc/redhat-lsb contains binaries - Add boolean to allow gitosis to send mail - Add filename transition also for "event20" - Allow systemd_tmpfiles_t to delete all file types - Allow collectd to ipc_lock- make consoletype_exec optional, so we can remove consoletype policy - remove unconfined_permisive.patch - Allow openvpn_t to inherit user home content and tmp content - Fix dnssec-trigger labeling - Turn on obex policy for staff_t - Pem files should not be secret - Add lots of rules to fix AVC's when playing with containers - Fix policy for dnssec - Label ask-passwd directories correctly for systemd- sshd fixes seem to be causing unconfined domains to dyntrans to themselves - fuse file system is now being mounted in /run/user - systemd_logind is sending signals to processes that are dbus messaging with it - Add support for winshadow port and allow iscsid to connect to this port - httpd should be allowed to bind to the http_port_t udp socket - zarafa_var_lib_t can be a lnk_file - A couple of new .xsession-errors files - Seems like user space and login programs need to read logind_sessions_files - Devicekit disk seems to be being launched by systemd - Cleanup handling of setfiles so most of rules in te file - Correct port number for dnssec - logcheck has the home dir set to its cache- Add policy for grindengine MPI jobs- Add new sysadm_secadm.pp module * contains secadm definition for sysadm_t - Move user_mail_domain access out of the interface into the te file - Allow httpd_t to create httpd_var_lib_t directories as well as files - Allow snmpd to connect to the ricci_modcluster stream - Allow firewalld to read /etc/passwd - Add auth_use_nsswitch for colord - Allow smartd to read network state - smartdnotify needs to read /etc/group- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory - lxdm startup scripts should be labeled bin_t, so confined users will work - mcstransd now creates a pid, needs back port to F16 - qpidd should be allowed to connect to the amqp port - Label devices 010-029 as usb devices - ypserv packager says ypserv does not use tmp_t so removing selinux policy types - Remove all ptrace commands that I believe are caused by the kernel/ps avcs - Add initial Obex policy - Add logging_syslogd_use_tty boolean - Add polipo_connect_all_unreserved bolean - Allow zabbix to connect to ftp port - Allow systemd-logind to be able to switch VTs - Allow apache to communicate with memcached through a sock_file- Fix file_context.subs_dist for now to work with pre usrmove- More /usr move fixes- Add zabbix_can_network boolean - Add httpd_can_connect_zabbix boolean - Prepare file context labeling for usrmove functions - Allow system cronjobs to read kernel network state - Add support for selinux_avcstat munin plugin - Treat hearbeat with corosync policy - Allow corosync to read and write to qpidd shared mem - mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users context - Turn off dontaudit rules when turning on allow_ypbind - udev now reads /etc/modules.d directory- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out - Cups exchanges dbus messages with init - udisk2 needs to send syslog messages - certwatch needs to read /etc/passwd- Add labeling for udisks2 - Allow fsadmin to communicate with the systemd process- Treat Bip with bitlbee policy * Bip is an IRC proxy - Add port definition for interwise port - Add support for ipa_memcached socket - systemd_jounald needs to getattr on all processes - mdadmin fixes * uses getpw - amavisd calls getpwnam() - denyhosts calls getpwall()- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there - bluetooth says they do not use /tmp and want to remove the type - Allow init to transition to colord - Mongod needs to read /proc/sys/vm/zone_reclaim_mode - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmain to write to inherited dovecot tmp files - setroubleshoot needs to be able to execute rpm to see what version of packages- Merge systemd patch - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nfs_home_dirs boolean for ssh-keygen- Fixes to make rawhide boot in enforcing mode with latest systemd changes- Add labeling for /var/run/systemd/journal/syslog - libvirt sends signals to ifconfig - Allow domains that read logind session files to list them- Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read sympolicy links in this filesystem - Add ubac_constrained rules for chrome_sandbox - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra - Allow postgresql to be executed by the caller - Standardize interfaces of daemons - Add new labeling for mm-handler - Allow all matahari domains to read network state and etc_runtime_t files- New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo - Allow rpc.svcgssd to read supported_krb5_enctype - Allow zarafa domains to read /dev/random and /dev/urandom - Allow snmpd to read dev_snmp6 - Allow procmail to talk with cyrus - Add fixes for check_disk and check_nagios plugins- default trans rules for Rawhide policy - Make sure sound_devices controlC* are labeled correctly on creation - sssd now needs sys_admin - Allow snmp to read all proc_type - Allow to setup users homedir with quota.group- Add httpd_can_connect_ldap() interface - apcupsd_t needs to use seriel ports connected to usb devices - Kde puts procmail mail directory under ~/.local/share - nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now - Add labeling for /sbin/iscsiuio- Add label for /var/lib/iscan/interpreter - Dont audit writes to leaked file descriptors or redirected output for nacl - NetworkManager needs to write to /sys/class/net/ib*/mode- Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute - Allow munin services plugins to use NSCD services- Allow mozilla_plugin_t to manage mozilla_home_t - Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain - Add label for tumblerd- Fixes for xguest package- Fixes related to /bin, /sbin - Allow abrt to getattr on blk files - Add type for rhev-agent log file - Fix labeling for /dev/dmfm - Dontaudit wicd leaking - Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it - Label /etc/locale.conf correctly - Allow user_mail_t to read /dev/random - Allow postfix-smtpd to read MIMEDefang - Add label for /var/log/suphp.log - Allow swat_t to connect and read/write nmbd_t sock_file - Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf - Allow systemd-tmpfiles to change user identity in object contexts - More fixes for rhev_agentd_t consolehelper policy- Use fs_use_xattr for squashf - Fix procs_type interface - Dovecot has a new fifo_file /var/run/dovecot/stats-mail - Dovecot has a new fifo_file /var/run/stats-mail - Colord does not need to connect to network - Allow system_cronjob to dbus chat with NetworkManager - Puppet manages content, want to make sure it labels everything correctly- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it - Allow all postfix domains to use the fifo_file - Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t - Allow apmd_t to read grub.cfg - Let firewallgui read the selinux config - Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp - Fix devicekit_manage_pid_files() interface - Allow squid to check the network state - Dontaudit colord getattr on file systems - Allow ping domains to read zabbix_tmp_t files- Allow mcelog_t to create dir and file in /var/run and label it correctly - Allow dbus to manage fusefs - Mount needs to read process state when mounting gluster file systems - Allow collectd-web to read collectd lib files - Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr - Allow colord to get the attributes of tmpfs filesystem - Add sanlock_use_nfs and sanlock_use_samba booleans - Add bin_t label for /usr/lib/virtualbox/VBoxManage- Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work - Add interface to allow exec of mongod, add port definition for mongod port, 27017 - Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t - Allow spamd and clamd to steam connect to each other - Add policy label for passwd.OLD - More fixes for postfix and postfix maildro - Add ftp support for mozilla plugins - Useradd now needs to manage policy since it calls libsemanage - Fix devicekit_manage_log_files() interface - Allow colord to execute ifconfig - Allow accountsd to read /sys - Allow mysqld-safe to execute shell - Allow openct to stream connect to pcscd - Add label for /var/run/nm-dns-dnsmasq\.conf - Allow networkmanager to chat with virtd_t- Pulseaudio changes - Merge patches- Merge patches back into git repository.- Remove allow_execmem boolean and replace with deny_execmem boolean- Turn back on allow_execmem boolean- Add more MCS fixes to make sandbox working - Make faillog MLS trusted to make sudo_$1_t working - Allow sandbox_web_client_t to read passwd_file_t - Add .mailrc file context - Remove execheap from openoffice domain - Allow chrome_sandbox_nacl_t to read cpu_info - Allow virtd to relabel generic usb which is need if USB device - Fixes for virt.if interfaces to consider chr_file as image file type- Remove Open Office policy - Remove execmem policy- MCS fixes - quota fixes- Remove transitions to consoletype- Make nvidia* to be labeled correctly - Fix abrt_manage_cache() interface - Make filetrans rules optional so base policy will build - Dontaudit chkpwd_t access to inherited TTYS - Make sure postfix content gets created with the correct label - Allow gnomeclock to read cgroup - Fixes for cloudform policy- Check in fixed for Chrome nacl support- Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY's - Allow svirt_lxc domains to send kill signals within their container- Remove qemu.pp again without causing a crash- Remove qemu.pp, everything should use svirt_t or stay in its current domain- Allow policykit to talk to the systemd via dbus - Move chrome_sandbox_nacl_t to permissive domains - Additional rules for chrome_sandbox_nacl- Change bootstrap name to nacl - Chrome still needs execmem - Missing role for chrome_sandbox_bootstrap - Add boolean to remove execmem and execstack from virtual machines - Dontaudit xdm_t doing an access_check on etc_t directories- Allow named to connect to dirsrv by default - add ldapmap1_0 as a krb5_host_rcache_t file - Google chrome developers asked me to add bootstrap policy for nacl stuff - Allow rhev_agentd_t to getattr on mountpoints - Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets- Fixes for cloudform policies which need to connect to random ports - Make sure if an admin creates modules content it creates them with the correct label - Add port 8953 as a dns port used by unbound - Fix file name transition for alsa and confined users- Turn on mock_t and thumb_t for unconfined domains- Policy update should not modify local contexts- Remove ada policy- Remove tzdata policy - Add labeling for udev - Add cloudform policy - Fixes for bootloader policy- Add policies for nova openstack- Add fixes for nova-stack policy- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain - Allow init process to setrlimit on itself - Take away transition rules for users executing ssh-keygen - Allow setroubleshoot_fixit_t to read /dev/urand - Allow sshd to relbale tunnel sockets - Allow fail2ban domtrans to shorewall in the same way as with iptables - Add support for lnk files in the /var/lib/sssd directory - Allow system mail to connect to courier-authdaemon over an unix stream socket- Add passwd_file_t for /etc/ptmptmp- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) - Make corosync to be able to relabelto cluster lib fies - Allow samba domains to search /var/run/nmbd - Allow dirsrv to use pam - Allow thumb to call getuid - chrome less likely to get mmap_zero bug so removing dontaudit - gimp help-browser has built in javascript - Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t - Re-write glance policy- Move dontaudit sys_ptrace line from permissive.te to domain.te - Remove policy for hal, it no longer exists- Don't check md5 size or mtime on certain config files- Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system - Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;- Fixes for bootloader policy - $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore - Allow nsplugin to read /usr/share/config - Allow sa-update to update rules - Add use_fusefs_home_dirs for chroot ssh option - Fixes for grub2 - Update systemd_exec_systemctl() interface - Allow gpg to read the mail spool - More fixes for sa-update running out of cron job - Allow ipsec_mgmt_t to read hardware state information - Allow pptp_t to connect to unreserved_port_t - Dontaudit getattr on initctl in /dev from chfn - Dontaudit getattr on kernel_core from chfn - Add systemd_list_unit_dirs to systemd_exec_systemctl call - Fixes for collectd policy - CHange sysadm_t to create content as user_tmp_t under /tmp- Shrink size of policy through use of attributes for userdomain and apache- Allow virsh to read xenstored pid file - Backport corenetwork fixes from upstream - Do not audit attempts by thumb to search config_home_t dirs (~/.config) - label ~/.cache/telepathy/logger telepathy_logger_cache_home_t - allow thumb to read generic data home files (mime.type)- Allow nmbd to manage sock file in /var/run/nmbd - ricci_modservice send syslog msgs - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user- Fix missing patch from F16- Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by grift - Add new nfsd ports - Added fix to allow confined apps to execmod on chrome - Add labeling for additional vdsm directories - Allow Exim and Dovecot SASL - Add label for /var/run/nmbd - Add fixes to make virsh and xen working together - Colord executes ls - /var/spool/cron is now labeled as user_cron_spool_t- Stop complaining about leaked file descriptors during install- Remove java and mono module and merge into execmem- Fixes for thumb policy and passwd_file_t- Fixes caused by the labeling of /etc/passwd - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide- Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs - move permissive virt_qmf_t from virt.te to permissivedomains.te - Allow ssh_t to use kernel keyrings - Add policy for libvirt-qmf and more fixes for linux containers - Initial Polipo - Sanlock needs to run ranged in order to kill svirt processes - Allow smbcontrol to stream connect to ctdbd- Add label for /etc/passwd- Change unconfined_domains to permissive for Rawhide - Add definition for the ephemeral_ports- Make mta_role() active - Allow asterisk to connect to jabber client port - Allow procmail to read utmp - Add NIS support for systemd_logind_t - Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t - Fix systemd_manage_unit_dirs() interface - Allow ssh_t to manage directories passed into it - init needs to be able to create and delete unit file directories - Fix typo in apache_exec_sys_script - Add ability for logrotate to transition to awstat domain- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state - Add SELinux support for ssh pre-auth net process in F17 - Add logging_syslogd_can_sendmail boolean- Add definition for ephemeral ports - Define user_tty_device_t as a customizable_type- Needs to require a new version of checkpolicy - Interface fixes- Allow sanlock to manage virt lib files - Add virt_use_sanlock booelan - ksmtuned is trying to resolve uids - Make sure .gvfs is labeled user_home_t in the users home directory - Sanlock sends kill signals and needs the kill capability - Allow mockbuild to work on nfs homedirs - Fix kerberos_manage_host_rcache() interface - Allow exim to read system state- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t- Allow collectd to read hardware state information - Add loop_control_device_t - Allow mdadm to request kernel to load module - Allow domains that start other domains via systemctl to search unit dir - systemd_tmpfilses, needs to list any file systems mounted on /tmp - No one can explain why radius is listing the contents of /tmp, so we will dontaudit - If I can manage etc_runtime files, I should be able to read the links - Dontaudit hostname writing to mock library chr_files - Have gdm_t setup labeling correctly in users home dir - Label content unde /var/run/user/NAME/dconf as config_home_t - Allow sa-update to execute shell - Make ssh-keygen working with fips_enabled - Make mock work for staff_t user - Tighten security on mock_t- removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and secure_mode_policyload - Remove unconfined_mount_t- Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy - sssd need to search /var/cache/krb5rcache directory - Allow corosync to relabel own tmp files - Allow zarafa domains to send system log messages - Allow ssh to do tunneling - Allow initrc scripts to sendto init_t unix_stream_socket - Changes to make sure dmsmasq and virt directories are labeled correctly - Changes needed to allow sysadm_t to manage systemd unit files - init is passing file descriptors to dbus and on to system daemons - Allow sulogin additional access Reported by dgrift and Jeremy Miller - Steve Grubb believes that wireshark does not need this access - Fix /var/run/initramfs to stop restorecon from looking at - pki needs another port - Add more labels for cluster scripts - Allow apps that manage cgroup_files to manage cgroup link files - Fix label on nfs-utils scripts directories - Allow gatherd to read /dev/rand and /dev/urand- pki needs another port - Add more labels for cluster scripts - Fix label on nfs-utils scripts directories - Fixes for cluster - Allow gatherd to read /dev/rand and /dev/urand - abrt leaks fifo files- Add glance policy - Allow mdadm setsched - /var/run/initramfs should not be relabeled with a restorecon run - memcache can be setup to override sys_resource - Allow httpd_t to read tetex data - Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.- Allow Postfix to deliver to Dovecot LMTP socket - Ignore bogus sys_module for lldpad - Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock - systemd_logind_t sets the attributes on usb devices - Allow hddtemp_t to read etc_t files - Add permissivedomains module - Move all permissive domains calls to permissivedomain.te - Allow pegasis to send kill signals to other UIDs- Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t unix_stream_sockets - Change sysctl unit file interfaces to use systemctl - Add support for chronyd unit file - Allow mozilla_plugin to read gnome_usr_config - Add policy for new gpsd - Allow cups to create kerberos rhost cache files - Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten- Add policy for sa-update being run out of cron jobs - Add create perms to postgresql_manage_db - ntpd using a gps has to be able to read/write generic tty_device_t - If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev - fix spec file - Remove qemu_domtrans_unconfined() interface - Make passenger working together with puppet - Add init_dontaudit_rw_stream_socket interface - Fixes for wordpress- Turn on allow_domain_fd_use boolean on F16 - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Add abrt_handle_event_t domain for ABRT event scripts - Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change - Allow httpd_git_script_t to read passwd data - Allow openvpn to set its process priority when the nice parameter is used- livecd fixes - spec file fixes- fetchmail can use kerberos - ksmtuned reads in shell programs - gnome_systemctl_t reads the process state of ntp - dnsmasq_t asks the kernel to load multiple kernel modules - Add rules for domains executing systemctl - Bogus text within fc file- Add cfengine policy- Add abrt_domain attribute - Allow corosync to manage cluster lib files - Allow corosync to connect to the system DBUS- Add sblim, uuidd policies - Allow kernel_t dyntrasition to init_t- init_t need setexec - More fixes of rules which cause an explosion in rules by Dan Walsh- Allow rcsmcertd to perform DNS name resolution - Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts - Allow tmux to run as screen - New policy for collectd - Allow gkeyring_t to interact with all user apps - Add rules to allow firstboot to run on machines with the unconfined.pp module removed- Allow systemd_logind to send dbus messages with users - allow accountsd to read wtmp file - Allow dhcpd to get and set capabilities- Fix oracledb_port definition - Allow mount to mounton the selinux file system - Allow users to list /var directories- systemd fixes- Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltclient is connecting to abrt - Dontaudit leaked file descriptors to postdrop - Allow abrt_dump_oops to look at kernel sysctls - Abrt_dump_oops_t reads kernel ring buffer - Allow mysqld to request the kernel to load modules - systemd-login needs fowner - Allow postfix_cleanup_t to searh maildrop- Initial systemd_logind policy - Add policy for systemd_logger and additional proivs for systemd_logind - More fixes for systemd policies- Allow setsched for virsh - Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories - iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-multi- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit - Allow colord to interact with the users through the tmpfs file system - Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files - Add label for /var/log/mcelog - Allow asterisk to read /dev/random if it uses TLS - Allow colord to read ini files which are labeled as bin_t - Allow dirsrvadmin sys_resource and setrlimit to use ulimit - Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. - Also lists /var and /var/spool directories - Add openl2tpd to l2tpd policy - qpidd is reading the sysfs file- Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains - Allow pppd to search /var/lock dir - Add rhsmcertd policy- Update to upstream- More fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git- Fix spec file to not report Verify errors- Add dspam policy - Add lldpad policy - dovecot auth wants to search statfs #713555 - Allow systemd passwd apps to read init fifo_file - Allow prelink to use inherited terminals - Run cherokee in the httpd_t domain - Allow mcs constraints on node connections - Implement pyicqt policy - Fixes for zarafa policy - Allow cobblerd to send syslog messages- Add policy.26 to the payload - Remove olpc stuff - Remove policygentool- Fixes for zabbix - init script needs to be able to manage sanlock_var_run_... - Allow sandlock and wdmd to create /var/run directories... - mixclip.so has been compiled correctly - Fix passenger policy module name- Add mailscanner policy from dgrift - Allow chrome to optionally be transitioned to - Zabbix needs these rules when starting the zabbix_server_mysql - Implement a type for freedesktop openicc standard (~/.local/share/icc) - Allow system_dbusd_t to read inherited icc_data_home_t files. - Allow colord_t to read icc_data_home_t content. #706975 - Label stuff under /usr/lib/debug as if it was labeled under /- Fixes for sanlock policy - Fixes for colord policy - Other fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Add rhev policy module to modules-targeted.conf- Lot of fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Allow logrotate to execute systemctl - Allow nsplugin_t to getattr on gpmctl - Fix dev_getattr_all_chr_files() interface - Allow shorewall to use inherited terms - Allow userhelper to getattr all chr_file devices - sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t - Fix labeling for ABRT Retrace Server- Dontaudit sys_module for ifconfig - Make telepathy and gkeyringd daemon working with confined users - colord wants to read files in users homedir - Remote login should be creating user_tmp_t not its own tmp files- Fix label for /usr/share/munin/plugins/munin_* plugins - Add support for zarafa-indexer - Fix boolean description - Allow colord to getattr on /proc/scsi/scsi - Add label for /lib/upstart/init - Colord needs to list /mnt- Forard port changes from F15 for telepathy - NetworkManager should be allowed to use /dev/rfkill - Fix dontaudit messages to say Domain to not audit - Allow telepathy domains to read/write gnome_cache files - Allow telepathy domains to call getpw - Fixes for colord and vnstatd policy- Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute corosync - colord tries to read files off noxattr file systems - Allow init_t getcap and setcap- Add support for ABRT retrace server - Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners - Allow telepath_msn_t to read /proc/PARENT/cmdline - ftpd needs kill capability - Allow telepath_msn_t to connect to sip port - keyring daemon does not work on nfs homedirs - Allow $1_sudo_t to read default SELinux context - Add label for tgtd sock file in /var/run/ - Add apache_exec_rotatelogs interface - allow all zaraha domains to signal themselves, server writes to /tmp - Allow syslog to read the process state - Add label for /usr/lib/chromium-browser/chrome - Remove the telepathy transition from unconfined_t - Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts - Allow initrc_t domain to manage abrt pid files - Add support for AEOLUS project - Virt_admin should be allowed to manage images and processes - Allow plymountd to send signals to init - Change labeling of fping6- Add filename transitions- Fixes for zarafa policy - Add support for AEOLUS project - Change labeling of fping6 - Allow plymountd to send signals to init - Allow initrc_t domain to manage abrt pid files - Virt_admin should be allowed to manage images and processes- xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl - Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy- Add Dan's patch to remove 64 bit variants - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch - Add labeling for systemd unit files - Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pid - Fixes for matahari policy - Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir - Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on- Fix typo- Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc files - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow sysadm_t to set attributes on fixed disks - allow user domains to execute lsof and look at application sockets - prelink_cron job calls telinit -u if init is rewritten - Fixes to run qemu_t from staff_t- Fix label for /var/run/udev to udev_var_run_t - Mock needs to be able to read network state- Add file_contexts.subs to handle /run and /run/lock - Add other fixes relating to /run changes from F15 policy- Allow $1_sudo_t and $1_su_t open access to user terminals - Allow initrc_t to use generic terminals - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs -systemd is going to be useing /run and /run/lock for early bootup files. - Fix some comments in rlogin.if - Add policy for KDE backlighthelper - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - setroubleshoot reads executables to see if they have TEXTREL - Add /var/spool/audit support for new version of audit - Remove kerberos_connect_524() interface calling - Combine kerberos_master_port_t and kerberos_port_t - systemd has setup /dev/kmsg as stderr for apps it executes - Need these access so that init can impersonate sockets on unix_dgram_socket- Remove some unconfined domains - Remove permissive domains - Add policy-term.patch from Dan- Fix multiple specification for boot.log - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if to generic_if - Should not use deprecated interface - Switch from using all_nodes to generic_node and from all_if to generic_if - Add support for xfce4-notifyd - Fix file context to show several labels as SystemHigh - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs - Add etc_runtime_t label for /etc/securetty - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly - login.krb needs to be able to write user_tmp_t - dirsrv needs to bind to port 7390 for dogtag - Fix a bug in gpg policy - gpg sends audit messages - Allow qpid to manage matahari files- Initial policy for matahari - Add dev_read_watchdog - Allow clamd to connect clamd port - Add support for kcmdatetimehelper - Allow shutdown to setrlimit and sys_nice - Allow systemd_passwd to talk to /dev/log before udev or syslog is running - Purge chr_file and blk files on /tmp - Fixes for pads - Fixes for piranha-pulse - gpg_t needs to be able to encyprt anything owned by the user- mozilla_plugin_tmp_t needs to be treated as user tmp files - More dontaudits of writes from readahead - Dontaudit readahead_t file_type:dir write, to cover up kernel bug - systemd_tmpfiles needs to relabel faillog directory as well as the file - Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost- Add policykit fixes from Tim Waugh - dontaudit sandbox domains sandbox_file_t:dir mounton - Add new dontaudit rules for sysadm_dbusd_t - Change label for /var/run/faillock * other fixes which relate with this change- Update to upstream - Fixes for telepathy - Add port defition for ssdp port - add policy for /bin/systemd-notify from Dan - Mount command requires users read mount_var_run_t - colord needs to read konject_uevent_socket - User domains connect to the gkeyring socket - Add colord policy and allow user_t and staff_t to dbus chat with it - Add lvm_exec_t label for kpartx - Dontaudit reading the mail_spool_t link from sandbox -X - systemd is creating sockets in avahi_var_run and system_dbusd_var_run- gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd - enforce MCS labeling on nodes - Allow arpwatch to read meminfo - Allow gnomeclock to send itself signals - init relabels /dev/.udev files on boot - gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t - nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t - dnsmasq can run as a dbus service, needs acquire service - mysql_admin should be allowed to connect to mysql service - virt creates monitor sockets in the users home dir- Allow usbhid-ups to read hardware state information - systemd-tmpfiles has moved - Allo cgroup to sys_tty_config - For some reason prelink is attempting to read gconf settings - Add allow_daemons_use_tcp_wrapper boolean - Add label for ~/.cache/wocky to make telepathy work in enforcing mode - Add label for char devices /dev/dasd* - Fix for apache_role - Allow amavis to talk to nslcd - allow all sandbox to read selinux poilcy config files - Allow cluster domains to use the system bus and send each other dbus messages- Update to upstream- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Update to ref policy - cgred needs chown capability - Add /dev/crash crash_dev_t - systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability- New labeling for postfmulti #675654 - dontaudit xdm_t listing noxattr file systems - dovecot-auth needs to be able to connect to mysqld via the network as well as locally - shutdown is passed stdout to a xdm_log_t file - smartd creates a fixed disk device - dovecot_etc_t contains a lnk_file that domains need to read - mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot- syslog_t needs syslog capability - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv - Fix for dirsrv policy missing manage_dirs_pattern - corosync needs to delete clvm_tmpfs_t files - qdiskd needs to list hugetlbfs - Move setsched to sandbox_x_domain, so firefox can run without network access - Allow hddtemp to read removable devices - Adding syslog and read_policy permissions to policy * syslog Allow unconfined, sysadm_t, secadm_t, logadm_t * read_policy allow unconfined, sysadm_t, secadm_t, staff_t on Targeted allow sysadm_t (optionally), secadm_t on MLS - mdadm application will write into /sys/.../uevent whenever arrays are assembled or disassembled.- Add tcsd policy- ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resoueces - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory- Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs- Allow nagios plugin to read /proc/meminfo - Fix for mozilla_plugin - Allow samba_net_t to create /etc/keytab - pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t - nslcd can read user credentials - Allow nsplugin to delete mozilla_plugin_tmpfs_t - abrt tries to create dir in rpm_var_lib_t - virt relabels fifo_files - sshd needs to manage content in fusefs homedir - mock manages link files in cache dir- nslcd needs setsched and to read /usr/tmp - Invalid call in likewise policy ends up creating a bogus role - Cannon puts content into /var/lib/bjlib that cups needs to be able to write - Allow screen to create screen_home_t in /root - dirsrv sends syslog messages - pinentry reads stuff in .kde directory - Add labels for .kde directory in homedir - Treat irpinit, iprupdate, iprdump services with raid policy- NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead - Remove permissive domains - Allow newrole to run namespace_init- Add sepgsql_contexts file- Update to upstream- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - Add puppetmaster_use_db boolean - Fixes for zarafa policy - Fixes for gnomeclock poliy - Fix systemd-tmpfiles to use auth_use_nsswitch- gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyinstatiated homedir - Fixes for namespace policy and other fixes related to polyinstantiation - Add namespace policy - Allow dovecot-deliver transition to sendmail which is needed by sieve scripts - Fixes for init, psad policy which relate with confined users - Do not audit bootloader attempts to read devicekit pid files - Allow nagios service plugins to read /proc- Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix duplicate grub def in cobbler - Chrony sends mail, executes shell, uses fifo_file and reads /proc - devicekitdisk getattr all file systems - sambd daemon writes wtmp file - libvirt transitions to dmidecode- Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config- Gnome apps list config_home_t - mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk- Allow xdm and syslog to use /var/log/boot.log - Allow users to communicate with mozilla_plugin and kill it - Add labeling for ipv6 and dhcp- New labels for ghc http content - nsplugin_config needs to read urand, lvm now calls setfscreate to create dev - pm-suspend now creates log file for append access so we remove devicekit_wri - Change authlogin_use_sssd to authlogin_nsswitch_use_ldap - Fixes for greylist_milter policy- Update to upstream - Fixes for systemd policy - Fixes for passenger policy - Allow staff users to run mysqld in the staff_t domain, akonadi needs this - Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py - auth_use_nsswitch does not need avahi to read passwords,needed for resolving data - Dontaudit (xdm_t) gok attempting to list contents of /var/account - Telepathy domains need to read urand - Need interface to getattr all file classes in a mock library for setroubleshoot- Update selinux policy to handle new /usr/share/sandbox/start script- Update to upstream - Fix version of policy in spec file- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs - remove per sandbox domains devpts types - Allow dkim-milter sending signal to itself- Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t - Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup- Turn on systemd policy - mozilla_plugin needs to read certs in the homedir. - Dontaudit leaked file descriptors from devicekit - Fix ircssi to use auth_use_nsswitch - Change to use interface without param in corenet to disable unlabelednet packets - Allow init to relabel sockets and fifo files in /dev - certmonger needs dac* capabilities to manage cert files not owned by root - dovecot needs fsetid to change group membership on mail - plymouthd removes /var/log/boot.log - systemd is creating symlinks in /dev - Change label on /etc/httpd/alias to be all cert_t- Fixes for clamscan and boinc policy - Add boinc_project_t setpgid - Allow alsa to create tmp files in /tmp- Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy- Fixes for lvm to work with systemd- Fix the label for wicd log - plymouthd creates force-display-on-active-vt file - Allow avahi to request the kernel to load a module - Dontaudit hal leaks - Fix gnome_manage_data interface - Add new interface corenet_packet to define a type as being an packet_type. - Removed general access to packet_type from icecast and squid. - Allow mpd to read alsa config - Fix the label for wicd log - Add systemd policy- Fix gnome_manage_data interface - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy- Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools - Allow init to setattr on logfile directories - Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t- Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolean by default - Allow sysadmin to dbus chat with rpm - Add interface for rw_tpm_dev - Allow cron to execute bin - fsadm needs to write sysfs - Dontaudit consoletype reading /var/run/pm-utils - Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin - certmonger needs to manage dirsrv data - /var/run/pm-utils should be labeled as devicekit_var_run_t- fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Allow dovecot to listem on lmtp and sieve ports - Allov ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell- Remove duplicate declaration- Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types- Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0- Put back in lircd_etc_t so policy will install- Turn on allow_postfix_local_write_mail_spool - Allow initrc_t to transition to shutdown_t - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Login programs have to read /etc/samba - New programs under /lib/systemd - Abrt needs to read config files- Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs- Allow nagios plugins to read usr files - Allow mysqld-safe to send system log messages - Fixes fpr ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp - Fix xserver interface - Fix definition of /var/run/lxdm- Turn on mediawiki policy - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap- Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow mpd to be able to read samba/nfs files- Fix up corecommands.fc to match upstream - Make sure /lib/systemd/* is labeled init_exec_t - mount wants to setattr on all mountpoints - dovecot auth wants to read dovecot etc files - nscd daemon looks at the exe file of the comunicating daemon - openvpn wants to read utmp file - postfix apps now set sys_nice and lower limits - remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly - Also resolves nsswitch - Fix labels on /etc/hosts.* - Cleanup to make upsteam patch work - allow abrt to read etc_runtime_t- Add conflicts for dirsrv package- Update to upstream - Add vlock policy- Fix sandbox to work on nfs homedirs - Allow cdrecord to setrlimit - Allow mozilla_plugin to read xauth - Change label on systemd-logger to syslogd_exec_t - Install dirsrv policy from dirsrv package- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it - Udev needs to stream connect to init and kernel - Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory- Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon- Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/*- Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot- Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. - Allow devicekit_power to domtrans to mount - Allow dhcp to bind to udp ports > 1024 to do named stuff - Allow ssh_t to exec ssh_exec_t - Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used - Fix clamav_append_log() intefaces - Fix 'psad_rw_fifo_file' interface- Allow cobblerd to list cobler appache content- Fixup for the latest version of upowed - Dontaudit sandbox sending SIGNULL to desktop apps- Update to upstream-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access - dovecot-auth_t needs ipc_lock - gpm needs to use the user terminal - Allow system_mail_t to append ~/dead.letter - Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf - Add pid file to vnstatd - Allow mount to communicate with gfs_controld - Dontaudit hal leaks in setfiles- Lots of fixes for systemd - systemd now executes readahead and tmpwatch type scripts - Needs to manage random seed- Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream- Fix fusefs handling - Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to connecto its parent - Allow init_t to connect to plymouthd running as kernel_t - Add mediawiki policy - dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. - Disable transition from dbus_session_domain to telepathy for F14 - Allow boinc_project to use shm - Allow certmonger to search through directories that contain certs - Allow fail2ban the DAC Override so it can read log files owned by non root users- Start adding support for use_fusefs_home_dirs - Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanger and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeld samba_share_t- Dontaudit attempts by xdm_t to write to bin_t for kdm - Allow initrc_t to manage system_conf_t- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory. - Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets - Allow confined users to read xdm_etc_t files - Allow xdm_t to transition to xauth_t for lxdm program- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home - Allow clamd to send signals to itself - Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm. - Allow haze to connect to yahoo chat and messenger port tcp:5050. Bz #637339 - Allow guest to run ps command on its processes by allowing it to read /proc - Allow firewallgui to sys_rawio which seems to be required to setup masqerading - Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba. - Add label for /var/log/slim.log- Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota to do quotamod- Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files - Lots of fixes for consolehelper- Fix up Xguest policy- Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t- Update to upstream- Add the ability to send audit messages to confined admin policies - Remove permissive domain from cmirrord and dontaudit sys_tty_config - Split out unconfined_domain() calls from other unconfined_ calls so we can d - virt needs to be able to read processes to clearance for MLS- Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages- Update to upstream- Allow mdadm_t to create files and sock files in /dev/md/- Add policy for ajaxterm- Handle /var/db/sudo - Allow pulseaudio to read alsa config - Allow init to send initrc_t dbus messagesAllow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr intd label vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chat Allow telepath_msn to execute ldconfig and its own tmp files Fix labels on hugepages Allow mdadm to read files on /dev Remove permissive domains and change back to unconfined Allow freshclam to execute shell and bin_t Allow devicekit_power to transition to dhcpc Add boolean to allow icecast to connect to any port- Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs - Allow certmaster to read usr_t files - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm- Allow mdadm_t to read/write hugetlbfs- Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and prelink- Merge with upstream- More access needed for devicekit - Add dbadm policy- Merge with upstream- Allow seunshare to fowner- Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs- Update policy for mozilla_plugin_t- Allow clamscan to read proc_t - Allow mount_t to write to debufs_t dir - Dontaudit mount_t trying to write to security_t dir- Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container- Fix /root/.forward definition- label dead.letter as mail_home_t- Allow login programs to search /cgroups- Fix cert handling- Fix devicekit_power bug - Allow policykit_auth_t more access.- Fix nis calls to allow bind to ports 512-1024 - Fix smartmon- Allow pcscd to read sysfs - systemd fixes - Fix wine_mmap_zero_ignore boolean- Apply Miroslav munin patch - Turn back on allow_execmem and allow_execmod booleans- Merge in fixes from dgrift repository- Update boinc policy - Fix sysstat policy to allow sys_admin - Change failsafe_context to unconfined_r:unconfined_t:s0- New paths for upstart- New permissions for syslog - New labels for /lib/upstart- Add mojomojo policy- Allow systemd to setsockcon on sockets to immitate other services- Remove debugfs label- Update to latest policy- Fix eclipse labeling from IBMSupportAssasstant packageing- Make boot with systemd in enforcing mode- Update to upstream- Add boolean to turn off port forwarding in sshd.- Add support for ebtables - Fixes for rhcs and corosync policy-Update to upstream-Update to upstream-Update to upstream- Add Zarafa policy- Cleanup of aiccu policy - initial mock policy- Lots of random fixes- Update to upstream- Update to upstream - Allow prelink script to signal itself - Cobbler fixes- Add xdm_var_run_t to xserver_stream_connect_xdm - Add cmorrord and mpd policy from Miroslav Grepl- Fix sshd creation of krb cc files for users to be user_tmp_t- Fixes for accountsdialog - Fixes for boinc- Fix label on /var/lib/dokwiki - Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls- Update to upstream- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t - Fix /var/run/abrtd.lock label- Allow login programs to read krb5_home_t Resolves: 594833 - Add obsoletes for cachefilesfd-selinux package Resolves: #575084- Allow mount to r/w abrt fifo file - Allow svirt_t to getattr on hugetlbfs - Allow abrt to create a directory under /var/spool- Add labels for /sys - Allow sshd to getattr on shutdown - Fixes for munin - Allow sssd to use the kernel key ring - Allow tor to send syslog messages - Allow iptabels to read usr files - allow policykit to read all domains state- Fix path for /var/spool/abrt - Allow nfs_t as an entrypoint for http_sys_script_t - Add policy for piranha - Lots of fixes for sosreport- Allow xm_t to read network state and get and set capabilities - Allow policykit to getattr all processes - Allow denyhosts to connect to tcp port 9911 - Allow pyranha to use raw ip sockets and ptrace itself - Allow unconfined_execmem_t and gconfsd mechanism to dbus - Allow staff to kill ping process - Add additional MLS rules- Allow gdm to edit ~/.gconf dir Resolves: #590677 - Allow dovecot to create directories in /var/lib/dovecot Partially resolves 590224 - Allow avahi to dbus chat with NetworkManager - Fix cobbler labels - Dontaudit iceauth_t leaks - fix /var/lib/lxdm file context - Allow aiccu to use tun tap devices - Dontaudit shutdown using xserver.log- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory - Add dontaudit interface for bluetooth dbus - Add chronyd_read_keys, append_keys for initrc_t - Add log support for ksmtuned Resolves: #586663- Allow boinc to send mail- Allow initrc_t to remove dhcpc_state_t - Fix label on sa-update.cron - Allow dhcpc to restart chrony initrc - Don't allow sandbox to send signals to its parent processes - Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t Resolves: #589136- Fix location of oddjob_mkhomedir Resolves: #587385 - fix labeling on /root/.shosts and ~/.shosts - Allow ipsec_mgmt_t to manage net_conf_t Resolves: #586760- Dontaudit sandbox trying to connect to netlink sockets Resolves: #587609 - Add policy for piranha- Fixups for xguest policy - Fixes for running sandbox firefox- Allow ksmtuned to use terminals Resolves: #586663 - Allow lircd to write to generic usb devices- Allow sandbox_xserver to connectto unconfined stream Resolves: #585171- Allow initrc_t to read slapd_db_t Resolves: #585476 - Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf Resolves: #585963- Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t - Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work- Allow virtd_t to manage firewall/iptables config Resolves: #573585- Fix label on /root/.rhosts Resolves: #582760 - Add labels for Picasa - Allow openvpn to read home certs - Allow plymouthd_t to use tty_device_t - Run ncftool as iptables_t - Allow mount to unmount unlabeled_t - Dontaudit hal leaks- Allow livecd to transition to mount- Update to upstream - Allow abrt to delete sosreport Resolves: #579998 - Allow snmp to setuid and gid Resolves: #582155 - Allow smartd to use generic scsi devices Resolves: #582145- Allow ipsec_t to create /etc/resolv.conf with the correct label - Fix reserved port destination - Allow autofs to transition to showmount - Stop crashing tuned- Add telepathysofiasip policy- Update to upstream - Fix label for /opt/google/chrome/chrome-sandbox - Allow modemmanager to dbus with policykit- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) - Allow accountsd to read shadow file - Allow apache to send audit messages when using pam - Allow asterisk to bind and connect to sip tcp ports - Fixes for dovecot 2.0 - Allow initrc_t to setattr on milter directories - Add procmail_home_t for .procmailrc file- Fixes for labels during install from livecd- Fix /cgroup file context - Fix broken afs use of unlabled_t - Allow getty to use the console for s390- Fix cgroup handling adding policy for /cgroup - Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set- Merge patches from dgrift- Update upstream - Allow abrt to write to the /proc under any process- Fix ~/.fontconfig label - Add /root/.cert label - Allow reading of the fixed_file_disk_t:lnk_file if you can read file - Allow qemu_exec_t as an entrypoint to svirt_t- Update to upstream - Allow tmpreaper to delete sandbox sock files - Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems - Fixes for gitosis - No transition on livecd to passwd or chfn - Fixes for denyhosts- Add label for /var/lib/upower - Allow logrotate to run sssd - dontaudit readahead on tmpfs blk files - Allow tmpreaper to setattr on sandbox files - Allow confined users to execute dos files - Allow sysadm_t to kill processes running within its clearance - Add accountsd policy - Fixes for corosync policy - Fixes from crontab policy - Allow svirt to manage svirt_image_t chr files - Fixes for qdisk policy - Fixes for sssd policy - Fixes for newrole policy- make libvirt work on an MLS platform- Add qpidd policy- Update to upstream- Allow boinc to read kernel sysctl - Fix snmp port definitions - Allow apache to read anon_inodefs- Allow shutdown dac_override- Add device_t as a file system - Fix sysfs association- Dontaudit ipsec_mgmt sys_ptrace - Allow at to mail its spool files - Allow nsplugin to search in .pulse directory- Update to upstream- Allow users to dbus chat with xdm - Allow users to r/w wireless_device_t - Dontaudit reading of process states by ipsec_mgmt- Fix openoffice from unconfined_t- Add shutdown policy so consolekit can shutdown system- Update to upstream- Update to upstream- Update to upstream - These are merges of my patches - Remove 389 labeling conflicts - Add MLS fixes found in RHEL6 testing - Allow pulseaudio to run as a service - Add label for mssql and allow apache to connect to this database port if boolean set - Dontaudit searches of debugfs mount point - Allow policykit_auth to send signals to itself - Allow modcluster to call getpwnam - Allow swat to signal winbind - Allow usbmux to run as a system role - Allow svirt to create and use devpts- Add MLS fixes found in RHEL6 testing - Allow domains to append to rpm_tmp_t - Add cachefilesfd policy - Dontaudit leaks when transitioning- Change allow_execstack and allow_execmem booleans to on - dontaudit acct using console - Add label for fping - Allow tmpreaper to delete sandbox_file_t - Fix wine dontaudit mmap_zero - Allow abrt to read var_t symlinks- Additional policy for rgmanager- Allow sshd to setattr on pseudo terms- Update to upstream- Allow policykit to send itself signals- Fix duplicate cobbler definition- Fix file context of /var/lib/avahi-autoipd- Merge with upstream- Allow sandbox to work with MLS- Make Chrome work with staff user- Add icecast policy - Cleanup spec file- Add mcelog policy- Lots of fixes found in F12- Fix rpm_dontaudit_leaks- Add getsched to hald_t - Add file context for Fedora/Redhat Directory Server- Allow abrt_helper to getattr on all filesystems - Add label for /opt/real/RealPlayer/plugins/oggfformat\.so- Add gstreamer_home_t for ~/.gstreamer- Update to upstream- Fix git- Turn on puppet policy - Update to dgrift git policy- Move users file to selection by spec file. - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t- Update to upstream- Remove most of the permissive domains from F12.- Add cobbler policy from dgrift- add usbmon device - Add allow rulse for devicekit_disk- Lots of fixes found in F12, fixes from Tom London- Cleanups from dgrift- Add back xserver_manage_home_fonts- Dontaudit sandbox trying to read nscd and sssd- Update to upstream- Rename udisks-daemon back to devicekit_disk_t policy- Fixes for abrt calls- Add tgtd policy- Update to upstream release- Add asterisk policy back in - Update to upstream release 2.20091117- Update to upstream release 2.20091117- Fixup nut policy- Update to upstream- Allow vpnc request the kernel to load modules- Fix minimum policy installs - Allow udev and rpcbind to request the kernel to load modules- Add plymouth policy - Allow local_login to sys_admin- Allow cupsd_config to read user tmp - Allow snmpd_t to signal itself - Allow sysstat_t to makedir in sysstat_log_t- Update rhcs policy- Allow users to exec restorecond- Allow sendmail to request kernel modules load- Fix all kernel_request_load_module domains- Fix all kernel_request_load_module domains- Remove allow_exec* booleans for confined users. Only available for unconfined_t- More fixes for sandbox_web_t- Allow sshd to create .ssh directory and content- Fix request_module line to module_request- Fix sandbox policy to allow it to run under firefox. - Dont audit leaks.- Fixes for sandbox- Update to upstream - Dontaudit nsplugin search /root - Dontaudit nsplugin sys_nice- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service - Remove policycoreutils-python requirement except for minimum- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files - Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)- Add wordpress/wp-content/uploads label - Fixes for sandbox when run from staff_t- Update to upstream - Fixes for devicekit_disk- More fixes- Lots of fixes for initrc and other unconfined domains- Allow xserver to use netlink_kobject_uevent_socket- Fixes for sandbox- Dontaudit setroubleshootfix looking at /root directory- Update to upsteam- Allow gssd to send signals to users - Fix duplicate label for apache content- Update to upstream- Remove polkit_auth on upgrades- Add back in unconfined.pp and unconfineduser.pp - Add Sandbox unshare- Fixes for cdrecord, mdadm, and others- Add capability setting to dhcpc and gpm- Allow cronjobs to read exim_spool_t- Add ABRT policy- Fix system-config-services policy- Allow libvirt to change user componant of virt_domain- Allow cupsd_config_t to be started by dbus - Add smoltclient policy- Add policycoreutils-python to pre install- Make all unconfined_domains permissive so we can see what AVC's happen- Add pt_chown policy- Add kdump policy for Miroslav Grepl - Turn off execstack boolean- Turn on execstack on a temporary basis (#512845)- Allow nsplugin to connecto the session bus - Allow samba_net to write to coolkey data- Allow devicekit_disk to list inotify- Allow svirt images to create sock_file in svirt_var_run_t- Allow exim to getattr on mountpoints - Fixes for pulseaudio- Allow svirt_t to stream_connect to virtd_t- Allod hald_dccm_t to create sock_files in /tmp- More fixes from upstream- Fix polkit label - Remove hidebrokensymptoms for nss_ldap fix - Add modemmanager policy - Lots of merges from upstream - Begin removing textrel_shlib_t labels, from fixed libraries- Update to upstream- Allow certmaster to override dac permissions- Update to upstream- Fix context for VirtualBox- Update to upstream- Allow clamscan read amavis spool files- Fixes for xguest- fix multiple directory ownership of mandirs- Update to upstream- Add rules for rtkit-daemon- Update to upstream - Fix nlscd_stream_connect- Add rtkit policy- Allow rpcd_t to stream connect to rpcbind- Allow kpropd to create tmp files- Fix last duplicate /var/log/rpmpkgs- Update to upstream * add sssd- Update to upstream * cleanup- Update to upstream - Additional mail ports - Add virt_use_usb boolean for svirt- Fix mcs rules to include chr_file and blk_file- Add label for udev-acl- Additional rules for consolekit/udev, privoxy and various other fixes- New version for upstream- Allow NetworkManager to read inotifyfs- Allow setroubleshoot to run mlocate- Update to upstream- Add fish as a shell - Allow fprintd to list usbfs_t - Allow consolekit to search mountpoints - Add proper labeling for shorewall- New log file for vmware - Allow xdm to setattr on user_tmp_t- Upgrade to upstream- Allow fprintd to access sys_ptrace - Add sandbox policy- Add varnishd policy- Fixes for kpropd- Allow brctl to r/w tun_tap_device_t- Add /usr/share/selinux/packages- Allow rpcd_t to send signals to kernel threads- Fix upgrade for F10 to F11- Add policy for /var/lib/fprint-Remove duplicate line- Allow svirt to manage pci and other sysfs device data- Fix package selection handling- Fix /sbin/ip6tables-save context - Allod udev to transition to mount - Fix loading of mls policy file- Add shorewall policy- Additional rules for fprintd and sssd- Allow nsplugin to unix_read unix_write sem for unconfined_java- Fix uml files to be owned by users- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less- Allow confined users to manage virt_content_t, since this is home dir content - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection- Fix labeling on /var/lib/misc/prelink* - Allow xserver to rw_shm_perms with all x_clients - Allow prelink to execute files in the users home directory- Allow initrc_t to delete dev_null - Allow readahead to configure auditing - Fix milter policy - Add /var/lib/readahead- Update to latest milter code from Paul Howarth- Additional perms for readahead- Allow pulseaudio to acquire_svc on session bus - Fix readahead labeling- Allow sysadm_t to run rpm directly - libvirt needs fowner- Allow sshd to read var_lib symlinks for freenx- Allow nsplugin unix_read and write on users shm and sem - Allow sysadm_t to execute su- Dontaudit attempts to getattr user_tmpfs_t by lvm - Allow nfs to share removable media- Add ability to run postdrop from confined users- Fixes for podsleuth- Turn off nsplugin transition - Remove Konsole leaked file descriptors for release- Allow cupsd_t to create link files in print_spool_t - Fix iscsi_stream_connect typo - Fix labeling on /etc/acpi/actions - Don't reinstall unconfine and unconfineuser on upgrade if they are not installed- Allow audioentroy to read etc files- Add fail2ban_var_lib_t - Fixes for devicekit_power_t- Separate out the ucnonfined user from the unconfined.pp package- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.- Upgrade to latest upstream - Allow devicekit_disk sys_rawio- Dontaudit binds to ports < 1024 for named - Upgrade to latest upstream- Allow podsleuth to use tmpfs files- Add customizable_types for svirt- Allow setroubelshoot exec* privs to prevent crash from bad libraries - add cpufreqselector- Dontaudit listing of /root directory for cron system jobs- Fix missing ld.so.cache label- Add label for ~/.forward and /root/.forward- Fixes for svirt- Fixes to allow svirt read iso files in homedir- Add xenner and wine fixes from mgrepl- Allow mdadm to read/write mls override- Change to svirt to only access svirt_image_t- Fix libvirt policy- Upgrade to latest upstream- Fixes for iscsid and sssd - More cleanups for upgrade from F10 to Rawhide.- Add pulseaudio, sssd policy - Allow networkmanager to exec udevadm- Add pulseaudio context- Upgrade to latest patches- Fixes for libvirt- Update to Latest upstream- Fix setrans.conf to show SystemLow for s0- Further confinement of qemu images via svirt- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild- Allow NetworkManager to manage /etc/NetworkManager/system-connections- add virtual_image_context and virtual_domain_context files- Allow rpcd_t to send signal to mount_t - Allow libvirtd to run ranged- Fix sysnet/net_conf_t- Fix squidGuard labeling- Re-add corenet_in_generic_if(unlabeled_t)* Tue Feb 10 2009 Dan Walsh 3.6.5-2 - Add git web policy- Add setrans contains from upstream- Do transitions outside of the booleans- Allow xdm to create user_tmp_t sockets for switch user to work- Fix staff_t domain- Grab remainder of network_peer_controls patch- More fixes for devicekit- Upgrade to latest upstream- Add boolean to disallow unconfined_t login- Add back transition from xguest to mozilla- Add virt_content_ro_t and labeling for isos directory- Fixes for wicd daemon- More mls/rpm fixes- Add policy to make dbus/nm-applet work- Remove polgen-ifgen from post and add trigger to policycoreutils-python- Add wm policy - Make mls work in graphics mode- Fixed for DeviceKit- Add devicekit policy- Update to upstream- Define openoffice as an x_domain- Fixes for reading xserver_tmp_t- Allow cups_pdf_t write to nfs_t- Remove audio_entropy policy- Update to upstream- Allow hal_acl_t to getattr/setattr fixed_disk- Change userdom_read_all_users_state to include reading symbolic links in /proc- Fix dbus reading /proc information- Add missing alias for home directory content- Fixes for IBM java location- Allow unconfined_r unconfined_java_t- Add cron_role back to user domains- Fix sudo setting of user keys- Allow iptables to talk to terminals - Fixes for policy kit - lots of fixes for booting.- Cleanup policy- Rebuild for Python 2.6- Fix labeling on /var/spool/rsyslog- Allow postgresl to bind to udp nodes- Allow lvm to dbus chat with hal - Allow rlogind to read nfs_t- Fix cyphesis file context- Allow hal/pm-utils to look at /var/run/video.rom - Add ulogd policy- Additional fixes for cyphesis - Fix certmaster file context - Add policy for system-config-samba - Allow hal to read /var/run/video.rom- Allow dhcpc to restart ypbind - Fixup labeling in /var/run- Add certmaster policy- Fix confined users - Allow xguest to read/write xguest_dbusd_t- Allow openoffice execstack/execmem privs- Allow mozilla to run with unconfined_execmem_t- Dontaudit domains trying to write to .xsession-errors- Allow nsplugin to look at autofs_t directory- Allow kerneloops to create tmp files- More alias for fastcgi- Remove mod_fcgid-selinux package- Fix dovecot access- Policy cleanup- Remove Multiple spec - Add include - Fix makefile to not call per_role_expansion- Fix labeling of libGL- Update to upstream- Update to upstream policy- Fixes for confined xwindows and xdm_t- Allow confined users and xdm to exec wm - Allow nsplugin to talk to fifo files on nfs- Allow NetworkManager to transition to avahi and iptables - Allow domains to search other domains keys, coverup kernel bug- Fix labeling for oracle- Allow nsplugin to comminicate with xdm_tmp_t sock_file- Change all user tmpfs_t files to be labeled user_tmpfs_t - Allow radiusd to create sock_files- Upgrade to upstream- Allow confined users to login with dbus- Fix transition to nsplugin- Add file context for /dev/mspblk.*- Fix transition to nsplugin '- Fix labeling on new pm*log - Allow ssh to bind to all nodes- Merge upstream changes - Add Xavier Toth patches- Add qemu_cache_t for /var/cache/libvirt- Remove gamin policy- Add tinyxs-max file system support- Update to upstream - New handling of init scripts- Allow pcsd to dbus - Add memcache policy- Allow audit dispatcher to kill his children- Update to upstream - Fix crontab use by unconfined user- Allow ifconfig_t to read dhcpc_state_t- Update to upstream- Update to upstream- Allow system-config-selinux to work with policykit- Fix novel labeling- Consolodate pyzor,spamassassin, razor into one security domain - Fix xdm requiring additional perms.- Fixes for logrotate, alsa- Eliminate vbetool duplicate entry- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t - Change dhclient to be able to red networkmanager_var_run- Update to latest refpolicy - Fix libsemanage initial install bug- Add inotify support to nscd- Allow unconfined_t to setfcap- Allow amanda to read tape - Allow prewikka cgi to use syslog, allow audisp_t to signal cgi - Add support for netware file systems- Allow ypbind apps to net_bind_service- Allow all system domains and application domains to append to any log file- Allow gdm to read rpm database - Allow nsplugin to read mplayer config files- Allow vpnc to run ifconfig- Allow confined users to use postgres - Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server- Apply unconfined_execmem_exec_t to haskell programs- Fix prelude file context- allow hplip to talk dbus - Fix context on ~/.local dir- Prevent applications from reading x_device- Add /var/lib/selinux context- Update to upstream- Add livecd policy- Dontaudit search of admin_home for init_system_domain - Rewrite of xace interfaces - Lots of new fs_list_inotify - Allow livecd to transition to setfiles_mac- Begin XAce integration- Merge Upstream- Allow amanada to create data files- Fix initial install, semanage setup- Allow system_r for httpd_unconfined_script_t- Remove dmesg boolean - Allow user domains to read/write game data- Change unconfined_t to transition to unconfined_mono_t when running mono - Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work- Remove old booleans from targeted-booleans.conf file- Add boolean to mmap_zero - allow tor setgid - Allow gnomeclock to set clock- Don't run crontab from unconfined_t- Change etc files to config files to allow users to read them- Lots of fixes for confined domains on NFS_t homedir- dontaudit mrtg reading /proc - Allow iscsi to signal itself - Allow gnomeclock sys_ptrace- Allow dhcpd to read kernel network state- Label /var/run/gdm correctly - Fix unconfined_u user creation- Allow transition from initrc_t to getty_t- Allow passwd to communicate with user sockets to change gnome-keyring- Fix initial install- Allow radvd to use fifo_file - dontaudit setfiles reading links - allow semanage sys_resource - add allow_httpd_mod_auth_ntlm_winbind boolean - Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set- Allow nsplugin to read /etc/mozpluggerrc, user_fonts - Allow syslog to manage innd logs. - Allow procmail to ioctl spamd_exec_t- Allow initrc_t to dbus chat with consolekit.- Additional access for nsplugin - Allow xdm setcap/getcap until pulseaudio is fixed- Allow mount to mkdir on tmpfs - Allow ifconfig to search debugfs- Fix file context for MATLAB - Fixes for xace- Allow stunnel to transition to inetd children domains - Make unconfined_dbusd_t an unconfined domain- Fixes for qemu/virtd- Fix bug in mozilla policy to allow xguest transition - This will fix the libsemanage.dbase_llist_query: could not find record value libsemanage.dbase_llist_query: could not query record value (No such file or directory) bug in xguest- Allow nsplugin to run acroread- Add cups_pdf policy - Add openoffice policy to run in xguest- prewika needs to contact mysql - Allow syslog to read system_map files- Change init_t to an unconfined_domain- Allow init to transition to initrc_t on shell exec. - Fix init to be able to sendto init_t. - Allow syslog to connect to mysql - Allow lvm to manage its own fifo_files - Allow bugzilla to use ldap - More mls fixes- fixes for init policy (#436988) - fix build- Additional changes for MLS policy- Fix initrc_context generation for MLS- Fixes for libvirt- Allow bitlebee to read locale_t- More xselinux rules- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t- Prepare policy for beta release - Change some of the system domains back to unconfined - Turn on some of the booleans- Allow nsplugin_config execstack/execmem - Allow nsplugin_t to read alsa config - Change apache to use user content- Add cyphesis policy- Fix Makefile.devel to build mls modules - Fix qemu to be more specific on labeling- Update to upstream fixes- Allow staff to mounton user_home_t- Add xace support- Add fusectl file system- Fixes from yum-cron - Update to latest upstream- Fix userdom_list_user_files- Merge with upstream- Allow udev to send audit messages- Add additional login users interfaces - userdom_admin_login_user_template(staff)- More fixes for polkit- Eliminate transition from unconfined_t to qemu by default - Fixes for gpg- Update to upstream- Fixes for staff_t- Add policy for kerneloops - Add policy for gnomeclock- Fixes for libvirt- Fixes for nsplugin- More fixes for qemu- Additional ports for vnc and allow qemu and libvirt to search all directories- Update to upstream - Add libvirt policy - add qemu policy- Allow fail2ban to create a socket in /var/run- Allow allow_httpd_mod_auth_pam to work- Add audisp policy and prelude- Allow all user roles to executae samba net command- Allow usertypes to read/write noxattr file systems- Fix nsplugin to allow flashplugin to work in enforcing mode- Allow pam_selinux_permit to kill all processes- Allow ptrace or user processes by users of same type - Add boolean for transition to nsplugin- Allow nsplugin sys_nice, getsched, setsched- Allow login programs to talk dbus to oddjob- Add procmail_log support - Lots of fixes for munin- Allow setroubleshoot to read policy config and send audit messages- Allow users to execute all files in homedir, if boolean set - Allow mount to read samba config- Fixes for xguest to run java plugin- dontaudit pam_t and dbusd writing to user_home_t- Update gpg to allow reading of inotify- Change user and staff roles to work correctly with varied perms- Fix munin log, - Eliminate duplicate mozilla file context - fix wpa_supplicant spec- Fix role transition from unconfined_r to system_r when running rpm - Allow unconfined_domains to communicate with user dbus instances- Fixes for xguest- Let all uncofined domains communicate with dbus unconfined- Run rpm in system_r- Zero out customizable types- Fix definiton of admin_home_t- Fix munin file context- Allow cron to run unconfined apps- Modify default login to unconfined_u- Dontaudit dbus user client search of /root- Update to upstream- Fixes for polkit - Allow xserver to ptrace- Add polkit policy - Symplify userdom context, remove automatic per_role changes- Update to upstream - Allow httpd_sys_script_t to search users homedirs- Allow rpm_script to transition to unconfined_execmem_t- Remove user based home directory separation- Remove user specific crond_t- Merge with upstream - Allow xsever to read hwdata_t - Allow login programs to setkeycreate- Update to upstream- Update to upstream- Allow XServer to read /proc/self/cmdline - Fix unconfined cron jobs - Allow fetchmail to transition to procmail - Fixes for hald_mac - Allow system_mail to transition to exim - Allow tftpd to upload files - Allow xdm to manage unconfined_tmp - Allow udef to read alsa config - Fix xguest to be able to connect to sound port- Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir - dontaudit rhgb writes to fonts and root- Fix dnsmasq - Allow rshd full login privs- Allow rshd to connect to ports > 1023- Fix vpn to bind to port 4500 - Allow ssh to create shm - Add Kismet policy- Allow rpm to chat with networkmanager- Fixes for ipsec and exim mail - Change default to unconfined user- Pass the UNK_PERMS param to makefile - Fix gdm location- Make alsa work- Fixes for consolekit and startx sessions- Dontaudit consoletype talking to unconfined_t- Remove homedir_template- Check asound.state- Fix exim policy- Allow tmpreadper to read man_t - Allow racoon to bind to all nodes - Fixes for finger print reader- Allow xdm to talk to input device (fingerprint reader) - Allow octave to run as java- Allow login programs to set ioctl on /proc- Allow nsswitch apps to read samba_var_t- Fix maxima- Eliminate rpm_t:fifo_file avcs - Fix dbus path for helper app- Fix service start stop terminal avc's- Allow also to search var_lib - New context for dbus launcher- Allow cupsd_config_t to read/write usb_device_t - Support for finger print reader, - Many fixes for clvmd - dbus starting networkmanager- Fix java and mono to run in xguest account- Fix to add xguest account when inititial install - Allow mono, java, wine to run in userdomains- Allow xserver to search devpts_t - Dontaudit ldconfig output to homedir- Remove hplip_etc_t change back to etc_t.- Allow cron to search nfs and samba homedirs- Allow NetworkManager to dbus chat with yum-updated- Allow xfs to bind to port 7100- Allow newalias/sendmail dac_override - Allow bind to bind to all udp ports- Turn off direct transition- Allow wine to run in system role- Fix java labeling- Define user_home_type as home_type- Allow sendmail to create etc_aliases_t- Allow login programs to read symlinks on homedirs- Update an readd modules- Cleanup spec file- Allow xserver to be started by unconfined process and talk to tty- Upgrade to upstream to grab postgressql changes- Add setransd for mls policy- Add ldconfig_cache_t- Allow sshd to write to proc_t for afs login- Allow xserver access to urand- allow dovecot to search mountpoints- Fix Makefile for building policy modules- Fix dhcpc startup of service- Fix dbus chat to not happen for xguest and guest users- Fix nagios cgi - allow squid to communicate with winbind- Fixes for ldconfig- Update from upstream- Add nasd support- Fix new usb devices and dmfm- Eliminate mount_ntfs_t policy, merge into mount_t- Allow xserver to write to ramfs mounted by rhgb- Add context for dbus machine id- Update with latest changes from upstream- Fix prelink to handle execmod- Add ntpd_key_t to handle secret data- Add anon_inodefs - Allow unpriv user exec pam_exec_t - Fix trigger- Allow cups to use generic usb - fix inetd to be able to run random apps (git)- Add proper contexts for rsyslogd- Fixes for xguest policy- Allow execution of gconf- Fix moilscanner update problem- Begin adding policy to separate setsebool from semanage - Fix xserver.if definition to not break sepolgen.if- Add new devices- Add brctl policy- Fix root login to include system_r- Allow prelink to read kernel sysctls- Default to user_u:system_r:unconfined_t- fix squid - Fix rpm running as uid- Fix syslog declaration- Allow avahi to access inotify - Remove a lot of bogus security_t:filesystem avcs- Remove ifdef strict policy from upstream- Remove ifdef strict to allow user_u to login- Fix for amands - Allow semanage to read pp files - Allow rhgb to read xdm_xserver_tmp- Allow kerberos servers to use ldap for backing store- allow alsactl to read kernel state- More fixes for alsactl - Transition from hal and modutils - Fixes for suspend resume. - insmod domtrans to alsactl - insmod writes to hal log- Allow unconfined_t to transition to NetworkManager_t - Fix netlabel policy- Update to latest from upstream- Update to latest from upstream- Update to latest from upstream- Allow pcscd_t to send itself signals- Fixes for unix_update - Fix logwatch to be able to search all dirs- Upstream bumped the version- Allow consolekit to syslog - Allow ntfs to work with hal- Allow iptables to read etc_runtime_t- MLS Fixes- Fix path of /etc/lvm/cache directory - Fixes for alsactl and pppd_t - Fixes for consolekit- Allow insmod_t to mount kvmfs_t filesystems- Rwho policy - Fixes for consolekit- fixes for fusefs- Fix samba_net to allow it to view samba_var_t- Update to upstream- Fix Sonypic backlight - Allow snmp to look at squid_conf_t- Fixes for pyzor, cyrus, consoletype on everything installs- Fix hald_acl_t to be able to getattr/setattr on usb devices - Dontaudit write to unconfined_pipes for load_policy- Allow bluetooth to read inotifyfs- Fixes for samba domain controller. - Allow ConsoleKit to look at ttys- Fix interface call- Allow syslog-ng to read /var - Allow locate to getattr on all filesystems - nscd needs setcap- Update to upstream- Allow samba to run groupadd- Update to upstream- Allow mdadm to access generic scsi devices- Fix labeling on udev.tbl dirs- Fixes for logwatch- Add fusermount and mount_ntfs policy- Update to upstream - Allow saslauthd to use kerberos keytabs- Fixes for samba_var_t- Allow networkmanager to setpgid - Fixes for hal_acl_t- Remove disable_trans booleans - hald_acl_t needs to talk to nscd- Fix prelink to be able to manage usr dirs.- Allow insmod to launch init scripts- Remove setsebool policy- Fix handling of unlabled_t packets- More of my patches from upstream- Update to latest from upstream - Add fail2ban policy- Update to remove security_t:filesystem getattr problems- Policy for consolekit- Update to latest from upstream- Revert Nemiver change - Set sudo as a corecmd so prelink will work, remove sudoedit mapping, since this will not work, it does not transition. - Allow samba to execute useradd- Upgrade to the latest from upstream- Add sepolgen support - Add bugzilla policy- Fix file context for nemiver- Remove include sym link- Allow mozilla, evolution and thunderbird to read dev_random. Resolves: #227002 - Allow spamd to connect to smtp port Resolves: #227184 - Fixes to make ypxfr work Resolves: #227237- Fix ssh_agent to be marked as an executable - Allow Hal to rw sound device- Fix spamassisin so crond can update spam files - Fixes to allow kpasswd to work - Fixes for bluetooth- Remove some targeted diffs in file context file- Fix squid cachemgr labeling- Add ability to generate webadm_t policy - Lots of new interfaces for httpd - Allow sshd to login as unconfined_t- Continue fixing, additional user domains- Begin adding user confinement to targeted policy- Fixes for prelink, ktalkd, netlabel- Allow prelink when run from rpm to create tmp files Resolves: #221865 - Remove file_context for exportfs Resolves: #221181 - Allow spamassassin to create ~/.spamassissin Resolves: #203290 - Allow ssh access to the krb tickets - Allow sshd to change passwd - Stop newrole -l from working on non securetty Resolves: #200110 - Fixes to run prelink in MLS machine Resolves: #221233 - Allow spamassassin to read var_lib_t dir Resolves: #219234- fix mplayer to work under strict policy - Allow iptables to use nscd Resolves: #220794- Add gconf policy and make it work with strict- Many fixes for strict policy and by extension mls.- Fix to allow ftp to bind to ports > 1024 Resolves: #219349- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t Resolves: #219421 - Allow sysadm_lpr_t to manage other print spool jobs Resolves: #220080- allow automount to setgid Resolves: #219999- Allow cron to polyinstatiate - Fix creation of boot flags Resolves: #207433- Fixes for irqbalance Resolves: #219606- Fix vixie-cron to work on mls Resolves: #207433Resolves: #218978- Allow initrc to create files in /var directories Resolves: #219227- More fixes for MLS Resolves: #181566- More Fixes polyinstatiation Resolves: #216184- More Fixes polyinstatiation - Fix handling of keyrings Resolves: #216184- Fix polyinstatiation - Fix pcscd handling of terminal Resolves: #218149 Resolves: #218350- More fixes for quota Resolves: #212957- ncsd needs to use avahi sockets Resolves: #217640 Resolves: #218014- Allow login programs to polyinstatiate homedirs Resolves: #216184 - Allow quotacheck to create database files Resolves: #212957- Dontaudit appending hal_var_lib files Resolves: #217452 Resolves: #217571 Resolves: #217611 Resolves: #217640 Resolves: #217725- Fix context for helix players file_context #216942- Fix load_policy to be able to mls_write_down so it can talk to the terminal- Fixes for hwclock, clamav, ftp- Move to upstream version which accepted my patches- Fixes for nvidia driver- Allow semanage to signal mcstrans- Update to upstream- Allow modstorage to edit /etc/fstab file- Fix for qemu, /dev/- Fix path to realplayer.bin- Allow xen to connect to xen port- Allow cups to search samba_etc_t directory - Allow xend_t to list auto_mountpoints- Allow xen to search automount- Fix spec of jre files- Fix unconfined access to shadow file- Allow xend to create files in xen_image_t directories- Fixes for /var/lib/hal- Remove ability for sysadm_t to look at audit.log- Fix rpc_port_types - Add aide policy for mls- Merge with upstream- Lots of fixes for ricci- Allow xen to read/write fixed devices with a boolean - Allow apache to search /var/log- Fix policygentool specfile problem. - Allow apache to send signals to it's logging helpers. - Resolves: rhbz#212731- Add perms for swat- Add perms for swat- Allow daemons to dump core files to /- Fixes for ricci- Allow mount.nfs to work- Allow ricci-modstorage to look at lvm_etc_t- Fixes for ricci using saslauthd- Allow mountpoint on home_dir_t and home_t- Update xen to read nfs files- Allow noxattrfs to associate with other noxattrfs- Allow hal to use power_device_t- Allow procemail to look at autofs_t - Allow xen_image_t to work as a fixed device- Refupdate from upstream- Add lots of fixes for mls cups- Lots of fixes for ricci- Fix number of cats- Update to upstream- More iSCSI changes for #209854- Test ISCSI fixes for #209854- allow semodule to rmdir selinux_config_t dir- Fix boot_runtime_t problem on ppc. Should not be creating these files.- Fix context mounts on reboot - Fix ccs creation of directory in /var/log- Update for tallylog- Allow xend to rewrite dhcp conf files - Allow mgetty sys_admin capability- Make xentapctrl work- Don't transition unconfined_t to bootloader_t - Fix label in /dev/xen/blktap- Patch for labeled networking- Fix crond handling for mls- Update to upstream- Remove bluetooth-helper transition - Add selinux_validate for semanage - Require new version of libsemanage- Fix prelink- Fix rhgb- Fix setrans handling on MLS and useradd- Support for fuse - fix vigr- Fix dovecot, amanda - Fix mls- Allow java execheap for itanium- Update with upstream- mls fixes- Update from upstream- More fixes for mls - Revert change on automount transition to mount- Fix cron jobs to run under the correct context- Fixes to make pppd work- Multiple policy fixes - Change max categories to 1023- Fix transition on mcstransd- Add /dev/em8300 defs- Upgrade to upstream- Fix ppp connections from network manager- Add tty access to all domains boolean - Fix gnome-pty-helper context for ia64- Fixed typealias of firstboot_rw_t- Fix location of xel log files - Fix handling of sysadm_r -> rpm_exec_t- Fixes for autofs, lp- Update from upstream- Fixup for test6- Update to upstream- Update to upstream- Fix suspend to disk problems- Lots of fixes for restarting daemons at the console.- Fix audit line - Fix requires line- Upgrade to upstream- Fix install problems- Allow setroubleshoot to getattr on all dirs to gather RPM data- Set /usr/lib/ia32el/ia32x_loader to unconfined_execmem_exec_t for ia32 platform - Fix spec for /dev/adsp- Fix xen tty devices- Fixes for setroubleshoot- Update to upstream- Fixes for stunnel and postgresql - Update from upstream- Update from upstream - More java fixes- Change allow_execstack to default to on, for RHEL5 Beta. This is required because of a Java compiler problem. Hope to turn off for next beta- Misc fixes- More fixes for strict policy- Quiet down anaconda audit messages- Fix setroubleshootd- Update to the latest from upstream- More fixes for xen- Fix anaconda transitions- yet more xen rules- more xen rules- Fixes for Samba- Fixes for xen- Allow setroubleshootd to send mail- Add nagios policy- fixes for setroubleshoot- Added Paul Howarth patch to only load policy packages shipped with this package - Allow pidof from initrc to ptrace higher level domains - Allow firstboot to communicate with hal via dbus- Add policy for /var/run/ldapi- Fix setroubleshoot policy- Fixes for mls use of ssh - named has a new conf file- Fixes to make setroubleshoot work- Cups needs to be able to read domain state off of printer client- add boolean to allow zebra to write config files- setroubleshootd fixes- Allow prelink to read bin_t symlink - allow xfs to read random devices - Change gfs to support xattr- Remove spamassassin_can_network boolean- Update to upstream - Fix lpr domain for mls- Add setroubleshoot policy- Turn off auditallow on setting booleans- Multiple fixes- Update to upstream- Update to upstream - Add new class for kernel key ring- Update to upstream- Update to upstream- Break out selinux-devel package- Add ibmasmfs- Fix policygentool gen_requires- Update from Upstream- Fix spec of realplay- Update to upstream- Fix semanage- Allow useradd to create_home_dir in MLS environment- Update from upstream- Update from upstream- Add oprofilefs- Fix for hplip and Picasus- Update to upstream- Update to upstream- fixes for spamd- fixes for java, openldap and webalizer- Xen fixes- Upgrade to upstream- allow hal to read boot_t files - Upgrade to upstream- allow hal to read boot_t files- Update from upstream- Fixes for amavis- Update from upstream- Allow auditctl to search all directories- Add acquire service for mono.- Turn off allow_execmem boolean - Allow ftp dac_override when allowed to access users homedirs- Clean up spec file - Transition from unconfined_t to prelink_t- Allow execution of cvs command- Update to upstream- Update to upstream- Fix libjvm spec- Update to upstream- Add xm policy - Fix policygentool- Update to upstream - Fix postun to only disable selinux on full removal of the packages- Allow mono to chat with unconfined- Allow procmail to sendmail - Allow nfs to share dosfs- Update to latest from upstream - Allow selinux-policy to be removed and kernel not to crash- Update to latest from upstream - Add James Antill patch for xen - Many fixes for pegasus- Add unconfined_mount_t - Allow privoxy to connect to httpd_cache - fix cups labeleing on /var/cache/cups- Update to latest from upstream- Update to latest from upstream - Allow mono and unconfined to talk to initrc_t dbus objects- Change libraries.fc to stop shlib_t form overriding texrel_shlib_t- Fix samba creating dirs in homedir - Fix NFS so its booleans would work- Allow secadm_t ability to relabel all files - Allow ftp to search xferlog_t directories - Allow mysql to communicate with ldap - Allow rsync to bind to rsync_port_t- Fixed mailman with Postfix #183928 - Allowed semanage to create file_context files. - Allowed amanda_t to access inetd_t TCP sockets and allowed amanda_recover_t to bind to reserved ports. #149030 - Don't allow devpts_t to be associated with tmp_t. - Allow hald_t to stat all mountpoints. - Added boolean samba_share_nfs to allow smbd_t full access to NFS mounts. - Make mount run in mount_t domain from unconfined_t to prevent mislabeling of /etc/mtab. - Changed the file_contexts to not have a regex before the first ^/[a-z]/ whenever possible, makes restorecon slightly faster. - Correct the label of /etc/named.caching-nameserver.conf - Now label /usr/src/kernels/.+/lib(/.*)? as usr_t instead of /usr/src(/.*)?/lib(/.*)? - I don't think we need anything else under /usr/src hit by this. - Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed xenstored_t rw access to the xen device node.- More textrel_shlib_t file path fixes - Add ada support- Get auditctl working in MLS policy- Add mono dbus support - Lots of file_context fixes for textrel_shlib_t in FC5 - Turn off execmem auditallow since they are filling log files- Update to upstream- Allow automount and dbus to read cert files- Fix ftp policy - Fix secadm running of auditctl- Update to upstream- Update to upstream- Fix policyhelp- Fix pam_console handling of usb_device - dontaudit logwatch reading /mnt dir- Update to upstream- Get transition rules to create policy.20 at SystemHigh- Allow secadmin to shutdown system - Allow sendmail to exec newalias- MLS Fixes dmidecode needs mls_file_read_up - add ypxfr_t - run init needs access to nscd - udev needs setuid - another xen log file - Dontaudit mount getattr proc_kcore_t- fix buildroot usage (#185391)- Get rid of mount/fsdisk scan of /dev messages - Additional fixes for suspend/resume- Fake make to rebuild enableaudit.pp- Get xen networking running.- Fixes for Xen - enableaudit should not be the same as base.pp - Allow ps to work for all process- more xen policy fixups- more xen fixage (#184393)- Fix blkid specification - Allow postfix to execute mailman_que- Blkid changes - Allow udev access to usb_device_t - Fix post script to create targeted policy config file- Allow lvm tools to create drevice dir- Add Xen support- Fixes for cups - Make cryptosetup work with hal- Load Policy needs translock- Fix cups html interface- Add hal changes suggested by Jeremy - add policyhelp to point at policy html pages- Additional fixes for nvidia and cups- Update to upstream - Merged my latest fixes - Fix cups policy to handle unix domain sockets- NSCD socket is in nscd_var_run_t needs to be able to search dir- Fixes Apache interface file- Fixes for new version of cups- Turn off polyinstatiate util after FC5- Fix problem with privoxy talking to Tor- Turn on polyinstatiation- Don't transition from unconfined_t to fsadm_t- Fix policy update model.- Update to upstream- Fix load_policy to work on MLS - Fix cron_rw_system_pipes for postfix_postdrop_t - Allow audotmount to run showmount- Fix swapon - allow httpd_sys_script_t to be entered via a shell - Allow httpd_sys_script_t to read eventpolfs- Update from upstream- allow cron to read apache files- Fix vpnc policy to work from NetworkManager- Update to upstream - Fix semoudle polcy- Update to upstream - fix sysconfig/selinux link- Add router port for zebra - Add imaze port for spamd - Fixes for amanda and java- Fix bluetooth handling of usb devices - Fix spamd reading of ~/ - fix nvidia spec- Update to upsteam- Add users_extra files- Update to upstream- Add semodule policy- Update from upstream- Fix for spamd to use razor port- Fixes for mcs - Turn on mount and fsadm for unconfined_t- Fixes for the -devel package- Fix for spamd to use ldap- Update to upstream- Update to upstream - Fix rhgb, and other Xorg startups- Update to upstream- Separate out role of secadm for mls- Add inotifyfs handling- Update to upstream - Put back in changes for pup/zen- Many changes for MLS - Turn on strict policy- Update to upstream- Update to upstream - Fixes for booting and logging in on MLS machine- Update to upstream - Turn off execheap execstack for unconfined users - Add mono/wine policy to allow execheap and execstack for them - Add execheap for Xdm policy- Update to upstream - Fixes to fetchmail,- Update to upstream- Fix for procmail/spamassasin - Update to upstream - Add rules to allow rpcd to work with unlabeled_networks.- Update to upstream - Fix ftp Man page- Update to upstream- fix pup transitions (#177262) - fix xen disks (#177599)- Update to upstream- More Fixes for hal and readahead- Fixes for hal and readahead- Update to upstream - Apply- Add wine and fix hal problems- Handle new location of hal scripts- Allow su to read /etc/mtab- Update to upstream- Fix "libsemanage.parse_module_headers: Data did not represent a module." problem- Allow load_policy to read /etc/mtab- Fix dovecot to allow dovecot_auth to look at /tmp- Allow restorecon to read unlabeled_t directories in order to fix labeling.- Add Logwatch policy- Fix /dev/ub[a-z] file context- Fix library specification - Give kudzu execmem privs- Fix hostname in targeted policy- Fix passwd command on mls- Lots of fixes to make mls policy work- Add dri libs to textrel_shlib_t - Add system_r role for java - Add unconfined_exec_t for vncserver - Allow slapd to use kerberos- Add man pages- Add enableaudit.pp- Fix mls policy- Update mls file from old version- Add sids back in - Rebuild with update checkpolicy- Fixes to allow automount to use portmap - Fixes to start kernel in s0-s15:c0.c255- Add java unconfined/execmem policy- Add file context for /var/cvs - Dontaudit webalizer search of homedir- Update from upstream- Clean up spec - range_transition crond to SystemHigh- Fixes for hal - Update to upstream- Turn back on execmem since we need it for java, firefox, ooffice - Allow gpm to stream socket to itself- fix requirements to be on the actual packages so that policy can get created properly at install time- Allow unconfined_t to execmod texrel_shlib_t- Update to upstream - Turn off allow_execmem and allow_execmod booleans - Add tcpd and automount policies- Add two new httpd booleans, turned off by default * httpd_can_network_relay * httpd_can_network_connect_db- Add ghost for policy.20- Update to upstream - Turn off boolean allow_execstack- Change setrans-mls to use new libsetrans - Add default_context rule for xdm- Change Requires to PreReg for requiring of policycoreutils on install- New upstream releaseAdd xdm policyUpdate from upstreamUpdate from upstreamUpdate from upstream- Also trigger to rebuild policy for versions up to 2.0.7.- No longer installing policy.20 file, anaconda handles the building of the app.- Fixes for dovecot and saslauthd- Cleanup pegasus and named - Fix spec file - Fix up passwd changing applications-Update to latest from upstream- Add rules for pegasus and avahi- Start building MLS Policy- Update to upstream- Turn on bash- Initial version/bin/sh/bin/sh/bin/sh  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~3.13.1-166.el7_4.93.13.1-166.el7_4.93.13.1-166.el7_4.9      !!!"""###$$$%%%&&&'''((()))***+++,,,---...///000111222333444555666777888999:::;;;<<<===>>>???@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZ[[[\\\]]]^^^___```aaabbbcccdddeeefffggghhhiiijjjkkklllmmmnnnooopppqqqrrrssstttuuuvvvwwwxxxyyyzzz{{{|||}}}~~~                  !!!"""###$$$%%%&&&'''((()))***+++,,,---...///000111222333444555666777888999:::;;;<<<===>>>???@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZ[[[\\\]]]^^^___```aaabbbcccdddeeefffggghhhiiijjjkkklllmmmnnnooopppqqqrrrssstttuuuvvvwwwxxxyyyzzz{{{|||}}}~~~minimum.policy.sha512activecommit_numfile_contextshomedir_templatemodules100abrtcilhlllang_extaccountsdcilhlllang_extacctcilhlllang_extafscilhlllang_extaiccucilhlllang_extaidecilhlllang_extajaxtermcilhlllang_extalsacilhlllang_extamandacilhlllang_extamtucilhlllang_extanacondacilhlllang_extantiviruscilhlllang_extapachecilhlllang_extapcupsdcilhlllang_extapmcilhlllang_extapplicationcilhlllang_extarpwatchcilhlllang_extasteriskcilhlllang_extauditadmcilhlllang_extauthconfigcilhlllang_extauthlogincilhlllang_extautomountcilhlllang_extavahicilhlllang_extawstatscilhlllang_extbaculacilhlllang_extbasecilhlllang_extbcfg2cilhlllang_extbindcilhlllang_extbitlbeecilhlllang_extblkmapdcilhlllang_extbluemancilhlllang_extbluetoothcilhlllang_extboinccilhlllang_extbootloadercilhlllang_extbrctlcilhlllang_extbrlttycilhlllang_extbugzillacilhlllang_extbumblebeecilhlllang_extcachefilesdcilhlllang_extcalamariscilhlllang_extcallweavercilhlllang_extcannacilhlllang_extccscilhlllang_extcdrecordcilhlllang_extcertmastercilhlllang_extcertmongercilhlllang_extcertwatchcilhlllang_extcfenginecilhlllang_extcgdcbxdcilhlllang_extcgroupcilhlllang_extchromecilhlllang_extchronydcilhlllang_extcindercilhlllang_extcipecilhlllang_extclockcilhlllang_extclogdcilhlllang_extcloudformcilhlllang_extcmirrordcilhlllang_extcobblercilhlllang_extcockpitcilhlllang_extcollectdcilhlllang_extcolordcilhlllang_extcomsatcilhlllang_extcondorcilhlllang_extconmancilhlllang_extconsolekitcilhlllang_extcontainercilhlllang_extcouchdbcilhlllang_extcouriercilhlllang_extcpucontrolcilhlllang_extcpufreqselectorcilhlllang_extcpuplugcilhlllang_extcroncilhlllang_extctdbcilhlllang_extcupscilhlllang_extcvscilhlllang_extcyphesiscilhlllang_extcyruscilhlllang_extdaemontoolscilhlllang_extdbadmcilhlllang_extdbskkcilhlllang_extdbuscilhlllang_extdcccilhlllang_extddclientcilhlllang_extdenyhostscilhlllang_extdevicekitcilhlllang_extdhcpcilhlllang_extdictdcilhlllang_extdirsrvdirsrv-admincilhlllang_extcilhlllang_extdmesgcilhlllang_extdmidecodecilhlllang_extdnsmasqcilhlllang_extdnsseccilhlllang_extdovecotcilhlllang_extdrbdcilhlllang_extdspamcilhlllang_extentropydcilhlllang_exteximcilhlllang_extfail2bancilhlllang_extfcoecilhlllang_extfetchmailcilhlllang_extfingercilhlllang_extfirewalldcilhlllang_extfirewallguicilhlllang_extfirstbootcilhlllang_extfprintdcilhlllang_extfreeipmicilhlllang_extfreqsetcilhlllang_extfstoolscilhlllang_extftpcilhlllang_extgamescilhlllang_extganeshacilhlllang_extgdomapcilhlllang_extgeocluecilhlllang_extgettycilhlllang_extgitcilhlllang_extgitosiscilhlllang_extglancecilhlllang_extglusterdcilhlllang_extgnomecilhlllang_extgpgcilhlllang_extgpmcilhlllang_extgpsdcilhlllang_extgssproxycilhlllang_extguestcilhlllang_exthddtempcilhlllang_exthostnamecilhlllang_exthsqldbcilhlllang_exthwloccilhlllang_exthypervkvpcilhlllang_exticecastcilhlllang_extinetdcilhlllang_extinitcilhlllang_extinncilhlllang_extiodinecilhlllang_extiotopcilhlllang_extipacilhlllang_extipmievdcilhlllang_extipseccilhlllang_extiptablescilhlllang_extirccilhlllang_extirqbalancecilhlllang_extiscsicilhlllang_extisnscilhlllang_extjabbercilhlllang_extjettycilhlllang_extjockeycilhlllang_extjournalctlcilhlllang_extkdumpcilhlllang_extkdumpguicilhlllang_extkeepalivedcilhlllang_extkerberoscilhlllang_extkeyboarddcilhlllang_extkeystonecilhlllang_extkismetcilhlllang_extkmsconcilhlllang_extksmtunedcilhlllang_extktalkcilhlllang_extl2tpcilhlllang_extldapcilhlllang_extlibrariescilhlllang_extlikewisecilhlllang_extlinuxptpcilhlllang_extlircdcilhlllang_extlivecdcilhlllang_extlldpadcilhlllang_extloadkeyscilhlllang_extlocallogincilhlllang_extlockdevcilhlllang_extlogadmcilhlllang_extloggingcilhlllang_extlogrotatecilhlllang_extlogwatchcilhlllang_extlpdcilhlllang_extlsmcilhlllang_extlttng-toolscilhlllang_extlvmcilhlllang_extmailmancilhlllang_extmailscannercilhlllang_extman2htmlcilhlllang_extmandbcilhlllang_extmcelogcilhlllang_extmediawikicilhlllang_extmemcachedcilhlllang_extmiltercilhlllang_extminidlnacilhlllang_extminissdpdcilhlllang_extmip6dcilhlllang_extmirrormanagercilhlllang_extmiscfilescilhlllang_extmockcilhlllang_extmodemmanagercilhlllang_extmodutilscilhlllang_extmojomojocilhlllang_extmon_statdcilhlllang_extmongodbcilhlllang_extmotioncilhlllang_extmountcilhlllang_extmozillacilhlllang_extmpdcilhlllang_extmplayercilhlllang_extmrtgcilhlllang_extmtacilhlllang_extmunincilhlllang_extmysqlcilhlllang_extmythtvcilhlllang_extnagioscilhlllang_extnamespacecilhlllang_extncftoolcilhlllang_extnetlabelcilhlllang_extnetutilscilhlllang_extnetworkmanagercilhlllang_extninfodcilhlllang_extniscilhlllang_extnovacilhlllang_extnscdcilhlllang_extnsdcilhlllang_extnslcdcilhlllang_extntopcilhlllang_extntpcilhlllang_extnumadcilhlllang_extnutcilhlllang_extnxcilhlllang_extobexcilhlllang_extoddjobcilhlllang_extopenctcilhlllang_extopendnsseccilhlllang_extopenhpidcilhlllang_extopenshiftopenshift-origincilhlllang_extcilhlllang_extopensmcilhlllang_extopenvpncilhlllang_extopenvswitchcilhlllang_extopenwsmancilhlllang_extoracleasmcilhlllang_extosadcilhlllang_extpadscilhlllang_extpassengercilhlllang_extpcmciacilhlllang_extpcpcilhlllang_extpcscdcilhlllang_extpegasuscilhlllang_extpesigncilhlllang_extpingdcilhlllang_extpiranhacilhlllang_extpkcscilhlllang_extpkicilhlllang_extplymouthdcilhlllang_extpodsleuthcilhlllang_extpolicykitcilhlllang_extpolipocilhlllang_extportmapcilhlllang_extportreservecilhlllang_extpostfixcilhlllang_extpostgresqlcilhlllang_extpostgreycilhlllang_extpppcilhlllang_extprelinkcilhlllang_extpreludecilhlllang_extprivoxycilhlllang_extprocmailcilhlllang_extprosodycilhlllang_extpsadcilhlllang_extptchowncilhlllang_extpublicfilecilhlllang_extpulseaudiocilhlllang_extpuppetcilhlllang_extpwauthcilhlllang_extqmailcilhlllang_extqpidcilhlllang_extquantumcilhlllang_extquotacilhlllang_extrabbitmqcilhlllang_extradiuscilhlllang_extradvdcilhlllang_extraidcilhlllang_extrasdaemoncilhlllang_extrdisccilhlllang_extreadaheadcilhlllang_extrealmdcilhlllang_extrediscilhlllang_extremotelogincilhlllang_extrhcscilhlllang_extrhevcilhlllang_extrhgbcilhlllang_extrhnsdcilhlllang_extrhsmcertdcilhlllang_extriccicilhlllang_extrkhuntercilhlllang_extrlogincilhlllang_extrngdcilhlllang_extroundupcilhlllang_extrpccilhlllang_extrpcbindcilhlllang_extrpmcilhlllang_extrshdcilhlllang_extrsshcilhlllang_extrsynccilhlllang_extrtascilhlllang_extrtkitcilhlllang_extrwhocilhlllang_extsambacilhlllang_extsambaguicilhlllang_extsandboxXcilhlllang_extsanlockcilhlllang_extsaslcilhlllang_extsbdcilhlllang_extsblimcilhlllang_extscreencilhlllang_extsecadmcilhlllang_extsectoolmcilhlllang_extselinuxutilcilhlllang_extsendmailcilhlllang_extsensordcilhlllang_extsetranscilhlllang_extsetroubleshootcilhlllang_extseunsharecilhlllang_extsgecilhlllang_extshorewallcilhlllang_extslocatecilhlllang_extslpdcilhlllang_extsmartmoncilhlllang_extsmokepingcilhlllang_extsmoltclientcilhlllang_extsmsdcilhlllang_extsnappercilhlllang_extsnmpcilhlllang_extsnortcilhlllang_extsosreportcilhlllang_extsoundservercilhlllang_extspamassassincilhlllang_extspeech-dispatchercilhlllang_extsquidcilhlllang_extsshcilhlllang_extsssdcilhlllang_extstaffcilhlllang_extstapservercilhlllang_extstunnelcilhlllang_extsucilhlllang_extsudocilhlllang_extsvnservecilhlllang_extswiftcilhlllang_extsysadmcilhlllang_extsysadm_secadmcilhlllang_extsysnetworkcilhlllang_extsysstatcilhlllang_extsystemdcilhlllang_exttargetdcilhlllang_exttcpdcilhlllang_exttcsdcilhlllang_exttelepathycilhlllang_exttelnetcilhlllang_exttftpcilhlllang_exttgtdcilhlllang_extthincilhlllang_extthumbcilhlllang_exttmpreapercilhlllang_exttomcatcilhlllang_exttorcilhlllang_exttunedcilhlllang_exttvtimecilhlllang_extudevcilhlllang_extulogdcilhlllang_extumlcilhlllang_extunconfinedcilhlllang_extunconfinedusercilhlllang_extunlabelednetcilhlllang_extunprivusercilhlllang_extupdfstabcilhlllang_extusbmodulescilhlllang_extusbmuxdcilhlllang_extuserdomaincilhlllang_extuserhelpercilhlllang_extusermanagecilhlllang_extusernetctlcilhlllang_extuucpcilhlllang_extuuiddcilhlllang_extvarnishdcilhlllang_extvdagentcilhlllang_extvhostmdcilhlllang_extvirtcilhlllang_extvlockcilhlllang_extvmtoolscilhlllang_extvmwarecilhlllang_extvnstatdcilhlllang_extvpncilhlllang_extw3ccilhlllang_extwatchdogcilhlllang_extwdmdcilhlllang_extwebadmcilhlllang_extwebalizercilhlllang_extwinecilhlllang_extwiresharkcilhlllang_extxencilhlllang_extxguestcilhlllang_extxservercilhlllang_extzabbixcilhlllang_extzarafacilhlllang_extzebracilhlllang_extzonemindercilhlllang_extzosremotecilhlllang_extdisabledpolicy.kernpolicy.linkedseusersseusers.linkedusers_extrausers_extra.linkedbooleans.subs_distcontextscustomizable_typesdbus_contextsdefault_contextsdefault_typefailsafe_contextfilesfile_contextsfile_contexts.binfile_contexts.homedirsfile_contexts.homedirs.binfile_contexts.localfile_contexts.local.binfile_contexts.subsfile_contexts.subs_distmediainitrc_contextlxc_contextsremovable_contextsecuretty_typessepgsql_contextssnapperd_contextssystemd_contextsuserhelper_contextusersguest_urootstaff_usysadm_uunconfined_uuser_uxguest_uvirtual_domain_contextvirtual_image_contextx_contextsloginsdocker.pppolicypolicy.30semanage.read.LOCKsemanage.trans.LOCKsetrans.confseusersselinux-policy-migrate-local-changes@minimum.serviceselinux-policy-migrate-local-changes@.serviceselinux-policy-migrate-local-changes.shminimumbase.lstmodules-base.lstmodules-contrib.lstnonbasemodules.lst/etc/selinux//etc/selinux/minimum//etc/selinux/minimum/active//etc/selinux/minimum/active/modules//etc/selinux/minimum/active/modules/100//etc/selinux/minimum/active/modules/100/abrt//etc/selinux/minimum/active/modules/100/accountsd//etc/selinux/minimum/active/modules/100/acct//etc/selinux/minimum/active/modules/100/afs//etc/selinux/minimum/active/modules/100/aiccu//etc/selinux/minimum/active/modules/100/aide//etc/selinux/minimum/active/modules/100/ajaxterm//etc/selinux/minimum/active/modules/100/alsa//etc/selinux/minimum/active/modules/100/amanda//etc/selinux/minimum/active/modules/100/amtu//etc/selinux/minimum/active/modules/100/anaconda//etc/selinux/minimum/active/modules/100/antivirus//etc/selinux/minimum/active/modules/100/apache//etc/selinux/minimum/active/modules/100/apcupsd//etc/selinux/minimum/active/modules/100/apm//etc/selinux/minimum/active/modules/100/application//etc/selinux/minimum/active/modules/100/arpwatch//etc/selinux/minimum/active/modules/100/asterisk//etc/selinux/minimum/active/modules/100/auditadm//etc/selinux/minimum/active/modules/100/authconfig//etc/selinux/minimum/active/modules/100/authlogin//etc/selinux/minimum/active/modules/100/automount//etc/selinux/minimum/active/modules/100/avahi//etc/selinux/minimum/active/modules/100/awstats//etc/selinux/minimum/active/modules/100/bacula//etc/selinux/minimum/active/modules/100/base//etc/selinux/minimum/active/modules/100/bcfg2//etc/selinux/minimum/active/modules/100/bind//etc/selinux/minimum/active/modules/100/bitlbee//etc/selinux/minimum/active/modules/100/blkmapd//etc/selinux/minimum/active/modules/100/blueman//etc/selinux/minimum/active/modules/100/bluetooth//etc/selinux/minimum/active/modules/100/boinc//etc/selinux/minimum/active/modules/100/bootloader//etc/selinux/minimum/active/modules/100/brctl//etc/selinux/minimum/active/modules/100/brltty//etc/selinux/minimum/active/modules/100/bugzilla//etc/selinux/minimum/active/modules/100/bumblebee//etc/selinux/minimum/active/modules/100/cachefilesd//etc/selinux/minimum/active/modules/100/calamaris//etc/selinux/minimum/active/modules/100/callweaver//etc/selinux/minimum/active/modules/100/canna//etc/selinux/minimum/active/modules/100/ccs//etc/selinux/minimum/active/modules/100/cdrecord//etc/selinux/minimum/active/modules/100/certmaster//etc/selinux/minimum/active/modules/100/certmonger//etc/selinux/minimum/active/modules/100/certwatch//etc/selinux/minimum/active/modules/100/cfengine//etc/selinux/minimum/active/modules/100/cgdcbxd//etc/selinux/minimum/active/modules/100/cgroup//etc/selinux/minimum/active/modules/100/chrome//etc/selinux/minimum/active/modules/100/chronyd//etc/selinux/minimum/active/modules/100/cinder//etc/selinux/minimum/active/modules/100/cipe//etc/selinux/minimum/active/modules/100/clock//etc/selinux/minimum/active/modules/100/clogd//etc/selinux/minimum/active/modules/100/cloudform//etc/selinux/minimum/active/modules/100/cmirrord//etc/selinux/minimum/active/modules/100/cobbler//etc/selinux/minimum/active/modules/100/cockpit//etc/selinux/minimum/active/modules/100/collectd//etc/selinux/minimum/active/modules/100/colord//etc/selinux/minimum/active/modules/100/comsat//etc/selinux/minimum/active/modules/100/condor//etc/selinux/minimum/active/modules/100/conman//etc/selinux/minimum/active/modules/100/consolekit//etc/selinux/minimum/active/modules/100/container//etc/selinux/minimum/active/modules/100/couchdb//etc/selinux/minimum/active/modules/100/courier//etc/selinux/minimum/active/modules/100/cpucontrol//etc/selinux/minimum/active/modules/100/cpufreqselector//etc/selinux/minimum/active/modules/100/cpuplug//etc/selinux/minimum/active/modules/100/cron//etc/selinux/minimum/active/modules/100/ctdb//etc/selinux/minimum/active/modules/100/cups//etc/selinux/minimum/active/modules/100/cvs//etc/selinux/minimum/active/modules/100/cyphesis//etc/selinux/minimum/active/modules/100/cyrus//etc/selinux/minimum/active/modules/100/daemontools//etc/selinux/minimum/active/modules/100/dbadm//etc/selinux/minimum/active/modules/100/dbskk//etc/selinux/minimum/active/modules/100/dbus//etc/selinux/minimum/active/modules/100/dcc//etc/selinux/minimum/active/modules/100/ddclient//etc/selinux/minimum/active/modules/100/denyhosts//etc/selinux/minimum/active/modules/100/devicekit//etc/selinux/minimum/active/modules/100/dhcp//etc/selinux/minimum/active/modules/100/dictd//etc/selinux/minimum/active/modules/100/dirsrv-admin//etc/selinux/minimum/active/modules/100/dirsrv//etc/selinux/minimum/active/modules/100/dmesg//etc/selinux/minimum/active/modules/100/dmidecode//etc/selinux/minimum/active/modules/100/dnsmasq//etc/selinux/minimum/active/modules/100/dnssec//etc/selinux/minimum/active/modules/100/dovecot//etc/selinux/minimum/active/modules/100/drbd//etc/selinux/minimum/active/modules/100/dspam//etc/selinux/minimum/active/modules/100/entropyd//etc/selinux/minimum/active/modules/100/exim//etc/selinux/minimum/active/modules/100/fail2ban//etc/selinux/minimum/active/modules/100/fcoe//etc/selinux/minimum/active/modules/100/fetchmail//etc/selinux/minimum/active/modules/100/finger//etc/selinux/minimum/active/modules/100/firewalld//etc/selinux/minimum/active/modules/100/firewallgui//etc/selinux/minimum/active/modules/100/firstboot//etc/selinux/minimum/active/modules/100/fprintd//etc/selinux/minimum/active/modules/100/freeipmi//etc/selinux/minimum/active/modules/100/freqset//etc/selinux/minimum/active/modules/100/fstools//etc/selinux/minimum/active/modules/100/ftp//etc/selinux/minimum/active/modules/100/games//etc/selinux/minimum/active/modules/100/ganesha//etc/selinux/minimum/active/modules/100/gdomap//etc/selinux/minimum/active/modules/100/geoclue//etc/selinux/minimum/active/modules/100/getty//etc/selinux/minimum/active/modules/100/git//etc/selinux/minimum/active/modules/100/gitosis//etc/selinux/minimum/active/modules/100/glance//etc/selinux/minimum/active/modules/100/glusterd//etc/selinux/minimum/active/modules/100/gnome//etc/selinux/minimum/active/modules/100/gpg//etc/selinux/minimum/active/modules/100/gpm//etc/selinux/minimum/active/modules/100/gpsd//etc/selinux/minimum/active/modules/100/gssproxy//etc/selinux/minimum/active/modules/100/guest//etc/selinux/minimum/active/modules/100/hddtemp//etc/selinux/minimum/active/modules/100/hostname//etc/selinux/minimum/active/modules/100/hsqldb//etc/selinux/minimum/active/modules/100/hwloc//etc/selinux/minimum/active/modules/100/hypervkvp//etc/selinux/minimum/active/modules/100/icecast//etc/selinux/minimum/active/modules/100/inetd//etc/selinux/minimum/active/modules/100/init//etc/selinux/minimum/active/modules/100/inn//etc/selinux/minimum/active/modules/100/iodine//etc/selinux/minimum/active/modules/100/iotop//etc/selinux/minimum/active/modules/100/ipa//etc/selinux/minimum/active/modules/100/ipmievd//etc/selinux/minimum/active/modules/100/ipsec//etc/selinux/minimum/active/modules/100/iptables//etc/selinux/minimum/active/modules/100/irc//etc/selinux/minimum/active/modules/100/irqbalance//etc/selinux/minimum/active/modules/100/iscsi//etc/selinux/minimum/active/modules/100/isns//etc/selinux/minimum/active/modules/100/jabber//etc/selinux/minimum/active/modules/100/jetty//etc/selinux/minimum/active/modules/100/jockey//etc/selinux/minimum/active/modules/100/journalctl//etc/selinux/minimum/active/modules/100/kdump//etc/selinux/minimum/active/modules/100/kdumpgui//etc/selinux/minimum/active/modules/100/keepalived//etc/selinux/minimum/active/modules/100/kerberos//etc/selinux/minimum/active/modules/100/keyboardd//etc/selinux/minimum/active/modules/100/keystone//etc/selinux/minimum/active/modules/100/kismet//etc/selinux/minimum/active/modules/100/kmscon//etc/selinux/minimum/active/modules/100/ksmtuned//etc/selinux/minimum/active/modules/100/ktalk//etc/selinux/minimum/active/modules/100/l2tp//etc/selinux/minimum/active/modules/100/ldap//etc/selinux/minimum/active/modules/100/libraries//etc/selinux/minimum/active/modules/100/likewise//etc/selinux/minimum/active/modules/100/linuxptp//etc/selinux/minimum/active/modules/100/lircd//etc/selinux/minimum/active/modules/100/livecd//etc/selinux/minimum/active/modules/100/lldpad//etc/selinux/minimum/active/modules/100/loadkeys//etc/selinux/minimum/active/modules/100/locallogin//etc/selinux/minimum/active/modules/100/lockdev//etc/selinux/minimum/active/modules/100/logadm//etc/selinux/minimum/active/modules/100/logging//etc/selinux/minimum/active/modules/100/logrotate//etc/selinux/minimum/active/modules/100/logwatch//etc/selinux/minimum/active/modules/100/lpd//etc/selinux/minimum/active/modules/100/lsm//etc/selinux/minimum/active/modules/100/lttng-tools//etc/selinux/minimum/active/modules/100/lvm//etc/selinux/minimum/active/modules/100/mailman//etc/selinux/minimum/active/modules/100/mailscanner//etc/selinux/minimum/active/modules/100/man2html//etc/selinux/minimum/active/modules/100/mandb//etc/selinux/minimum/active/modules/100/mcelog//etc/selinux/minimum/active/modules/100/mediawiki//etc/selinux/minimum/active/modules/100/memcached//etc/selinux/minimum/active/modules/100/milter//etc/selinux/minimum/active/modules/100/minidlna//etc/selinux/minimum/active/modules/100/minissdpd//etc/selinux/minimum/active/modules/100/mip6d//etc/selinux/minimum/active/modules/100/mirrormanager//etc/selinux/minimum/active/modules/100/miscfiles//etc/selinux/minimum/active/modules/100/mock//etc/selinux/minimum/active/modules/100/modemmanager//etc/selinux/minimum/active/modules/100/modutils//etc/selinux/minimum/active/modules/100/mojomojo//etc/selinux/minimum/active/modules/100/mon_statd//etc/selinux/minimum/active/modules/100/mongodb//etc/selinux/minimum/active/modules/100/motion//etc/selinux/minimum/active/modules/100/mount//etc/selinux/minimum/active/modules/100/mozilla//etc/selinux/minimum/active/modules/100/mpd//etc/selinux/minimum/active/modules/100/mplayer//etc/selinux/minimum/active/modules/100/mrtg//etc/selinux/minimum/active/modules/100/mta//etc/selinux/minimum/active/modules/100/munin//etc/selinux/minimum/active/modules/100/mysql//etc/selinux/minimum/active/modules/100/mythtv//etc/selinux/minimum/active/modules/100/nagios//etc/selinux/minimum/active/modules/100/namespace//etc/selinux/minimum/active/modules/100/ncftool//etc/selinux/minimum/active/modules/100/netlabel//etc/selinux/minimum/active/modules/100/netutils//etc/selinux/minimum/active/modules/100/networkmanager//etc/selinux/minimum/active/modules/100/ninfod//etc/selinux/minimum/active/modules/100/nis//etc/selinux/minimum/active/modules/100/nova//etc/selinux/minimum/active/modules/100/nscd//etc/selinux/minimum/active/modules/100/nsd//etc/selinux/minimum/active/modules/100/nslcd//etc/selinux/minimum/active/modules/100/ntop//etc/selinux/minimum/active/modules/100/ntp//etc/selinux/minimum/active/modules/100/numad//etc/selinux/minimum/active/modules/100/nut//etc/selinux/minimum/active/modules/100/nx//etc/selinux/minimum/active/modules/100/obex//etc/selinux/minimum/active/modules/100/oddjob//etc/selinux/minimum/active/modules/100/openct//etc/selinux/minimum/active/modules/100/opendnssec//etc/selinux/minimum/active/modules/100/openhpid//etc/selinux/minimum/active/modules/100/openshift-origin//etc/selinux/minimum/active/modules/100/openshift//etc/selinux/minimum/active/modules/100/opensm//etc/selinux/minimum/active/modules/100/openvpn//etc/selinux/minimum/active/modules/100/openvswitch//etc/selinux/minimum/active/modules/100/openwsman//etc/selinux/minimum/active/modules/100/oracleasm//etc/selinux/minimum/active/modules/100/osad//etc/selinux/minimum/active/modules/100/pads//etc/selinux/minimum/active/modules/100/passenger//etc/selinux/minimum/active/modules/100/pcmcia//etc/selinux/minimum/active/modules/100/pcp//etc/selinux/minimum/active/modules/100/pcscd//etc/selinux/minimum/active/modules/100/pegasus//etc/selinux/minimum/active/modules/100/pesign//etc/selinux/minimum/active/modules/100/pingd//etc/selinux/minimum/active/modules/100/piranha//etc/selinux/minimum/active/modules/100/pkcs//etc/selinux/minimum/active/modules/100/pki//etc/selinux/minimum/active/modules/100/plymouthd//etc/selinux/minimum/active/modules/100/podsleuth//etc/selinux/minimum/active/modules/100/policykit//etc/selinux/minimum/active/modules/100/polipo//etc/selinux/minimum/active/modules/100/portmap//etc/selinux/minimum/active/modules/100/portreserve//etc/selinux/minimum/active/modules/100/postfix//etc/selinux/minimum/active/modules/100/postgresql//etc/selinux/minimum/active/modules/100/postgrey//etc/selinux/minimum/active/modules/100/ppp//etc/selinux/minimum/active/modules/100/prelink//etc/selinux/minimum/active/modules/100/prelude//etc/selinux/minimum/active/modules/100/privoxy//etc/selinux/minimum/active/modules/100/procmail//etc/selinux/minimum/active/modules/100/prosody//etc/selinux/minimum/active/modules/100/psad//etc/selinux/minimum/active/modules/100/ptchown//etc/selinux/minimum/active/modules/100/publicfile//etc/selinux/minimum/active/modules/100/pulseaudio//etc/selinux/minimum/active/modules/100/puppet//etc/selinux/minimum/active/modules/100/pwauth//etc/selinux/minimum/active/modules/100/qmail//etc/selinux/minimum/active/modules/100/qpid//etc/selinux/minimum/active/modules/100/quantum//etc/selinux/minimum/active/modules/100/quota//etc/selinux/minimum/active/modules/100/rabbitmq//etc/selinux/minimum/active/modules/100/radius//etc/selinux/minimum/active/modules/100/radvd//etc/selinux/minimum/active/modules/100/raid//etc/selinux/minimum/active/modules/100/rasdaemon//etc/selinux/minimum/active/modules/100/rdisc//etc/selinux/minimum/active/modules/100/readahead//etc/selinux/minimum/active/modules/100/realmd//etc/selinux/minimum/active/modules/100/redis//etc/selinux/minimum/active/modules/100/remotelogin//etc/selinux/minimum/active/modules/100/rhcs//etc/selinux/minimum/active/modules/100/rhev//etc/selinux/minimum/active/modules/100/rhgb//etc/selinux/minimum/active/modules/100/rhnsd//etc/selinux/minimum/active/modules/100/rhsmcertd//etc/selinux/minimum/active/modules/100/ricci//etc/selinux/minimum/active/modules/100/rkhunter//etc/selinux/minimum/active/modules/100/rlogin//etc/selinux/minimum/active/modules/100/rngd//etc/selinux/minimum/active/modules/100/roundup//etc/selinux/minimum/active/modules/100/rpc//etc/selinux/minimum/active/modules/100/rpcbind//etc/selinux/minimum/active/modules/100/rpm//etc/selinux/minimum/active/modules/100/rshd//etc/selinux/minimum/active/modules/100/rssh//etc/selinux/minimum/active/modules/100/rsync//etc/selinux/minimum/active/modules/100/rtas//etc/selinux/minimum/active/modules/100/rtkit//etc/selinux/minimum/active/modules/100/rwho//etc/selinux/minimum/active/modules/100/samba//etc/selinux/minimum/active/modules/100/sambagui//etc/selinux/minimum/active/modules/100/sandboxX//etc/selinux/minimum/active/modules/100/sanlock//etc/selinux/minimum/active/modules/100/sasl//etc/selinux/minimum/active/modules/100/sbd//etc/selinux/minimum/active/modules/100/sblim//etc/selinux/minimum/active/modules/100/screen//etc/selinux/minimum/active/modules/100/secadm//etc/selinux/minimum/active/modules/100/sectoolm//etc/selinux/minimum/active/modules/100/selinuxutil//etc/selinux/minimum/active/modules/100/sendmail//etc/selinux/minimum/active/modules/100/sensord//etc/selinux/minimum/active/modules/100/setrans//etc/selinux/minimum/active/modules/100/setroubleshoot//etc/selinux/minimum/active/modules/100/seunshare//etc/selinux/minimum/active/modules/100/sge//etc/selinux/minimum/active/modules/100/shorewall//etc/selinux/minimum/active/modules/100/slocate//etc/selinux/minimum/active/modules/100/slpd//etc/selinux/minimum/active/modules/100/smartmon//etc/selinux/minimum/active/modules/100/smokeping//etc/selinux/minimum/active/modules/100/smoltclient//etc/selinux/minimum/active/modules/100/smsd//etc/selinux/minimum/active/modules/100/snapper//etc/selinux/minimum/active/modules/100/snmp//etc/selinux/minimum/active/modules/100/snort//etc/selinux/minimum/active/modules/100/sosreport//etc/selinux/minimum/active/modules/100/soundserver//etc/selinux/minimum/active/modules/100/spamassassin//etc/selinux/minimum/active/modules/100/speech-dispatcher//etc/selinux/minimum/active/modules/100/squid//etc/selinux/minimum/active/modules/100/ssh//etc/selinux/minimum/active/modules/100/sssd//etc/selinux/minimum/active/modules/100/staff//etc/selinux/minimum/active/modules/100/stapserver//etc/selinux/minimum/active/modules/100/stunnel//etc/selinux/minimum/active/modules/100/su//etc/selinux/minimum/active/modules/100/sudo//etc/selinux/minimum/active/modules/100/svnserve//etc/selinux/minimum/active/modules/100/swift//etc/selinux/minimum/active/modules/100/sysadm//etc/selinux/minimum/active/modules/100/sysadm_secadm//etc/selinux/minimum/active/modules/100/sysnetwork//etc/selinux/minimum/active/modules/100/sysstat//etc/selinux/minimum/active/modules/100/systemd//etc/selinux/minimum/active/modules/100/targetd//etc/selinux/minimum/active/modules/100/tcpd//etc/selinux/minimum/active/modules/100/tcsd//etc/selinux/minimum/active/modules/100/telepathy//etc/selinux/minimum/active/modules/100/telnet//etc/selinux/minimum/active/modules/100/tftp//etc/selinux/minimum/active/modules/100/tgtd//etc/selinux/minimum/active/modules/100/thin//etc/selinux/minimum/active/modules/100/thumb//etc/selinux/minimum/active/modules/100/tmpreaper//etc/selinux/minimum/active/modules/100/tomcat//etc/selinux/minimum/active/modules/100/tor//etc/selinux/minimum/active/modules/100/tuned//etc/selinux/minimum/active/modules/100/tvtime//etc/selinux/minimum/active/modules/100/udev//etc/selinux/minimum/active/modules/100/ulogd//etc/selinux/minimum/active/modules/100/uml//etc/selinux/minimum/active/modules/100/unconfined//etc/selinux/minimum/active/modules/100/unconfineduser//etc/selinux/minimum/active/modules/100/unlabelednet//etc/selinux/minimum/active/modules/100/unprivuser//etc/selinux/minimum/active/modules/100/updfstab//etc/selinux/minimum/active/modules/100/usbmodules//etc/selinux/minimum/active/modules/100/usbmuxd//etc/selinux/minimum/active/modules/100/userdomain//etc/selinux/minimum/active/modules/100/userhelper//etc/selinux/minimum/active/modules/100/usermanage//etc/selinux/minimum/active/modules/100/usernetctl//etc/selinux/minimum/active/modules/100/uucp//etc/selinux/minimum/active/modules/100/uuidd//etc/selinux/minimum/active/modules/100/varnishd//etc/selinux/minimum/active/modules/100/vdagent//etc/selinux/minimum/active/modules/100/vhostmd//etc/selinux/minimum/active/modules/100/virt//etc/selinux/minimum/active/modules/100/vlock//etc/selinux/minimum/active/modules/100/vmtools//etc/selinux/minimum/active/modules/100/vmware//etc/selinux/minimum/active/modules/100/vnstatd//etc/selinux/minimum/active/modules/100/vpn//etc/selinux/minimum/active/modules/100/w3c//etc/selinux/minimum/active/modules/100/watchdog//etc/selinux/minimum/active/modules/100/wdmd//etc/selinux/minimum/active/modules/100/webadm//etc/selinux/minimum/active/modules/100/webalizer//etc/selinux/minimum/active/modules/100/wine//etc/selinux/minimum/active/modules/100/wireshark//etc/selinux/minimum/active/modules/100/xen//etc/selinux/minimum/active/modules/100/xguest//etc/selinux/minimum/active/modules/100/xserver//etc/selinux/minimum/active/modules/100/zabbix//etc/selinux/minimum/active/modules/100/zarafa//etc/selinux/minimum/active/modules/100/zebra//etc/selinux/minimum/active/modules/100/zoneminder//etc/selinux/minimum/active/modules/100/zosremote//etc/selinux/minimum/contexts//etc/selinux/minimum/contexts/files//etc/selinux/minimum/contexts/users//etc/selinux/minimum/modules/active/modules//etc/selinux/minimum/policy//usr/lib/systemd/system/basic.target.wants//usr/lib/systemd/system//usr/libexec/selinux//usr/share/selinux//usr/share/selinux/minimum/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=genericdrpmxz2noarch-redhat-linux-gnu   directoryASCII textASCII text, with very long lines (bzip2 compressed data, block size = 500k)ASCII text, with no line terminatorsASCII text (bzip2 compressed data, block size = 500k)cannot open (No such file or directory)exported SGML document, ASCII textemptyHTML document, ASCII textBourne-Again shell script, ASCII text executableASCII text, with very long lines, with no line terminatorsR?7zXZ !#, ]"k%Qkhu}މ0Ӣ!b 2MɢobJHPA5)g oĵ#Jo(*[u^LΤ=^[_gԚ[l\̬ 2 'bFoxtIqk2BdjAejSR:`/1n*GAQSO9o} yJAjHYNj* 4rpoۋ'DQ$> .&H|ι[R50?;M$>&_- j%?ӰEXu D ̼u2g# ~?\EO00)9DjֽWF$yleyod`{ӥ5Ӯ@\'6&gM# XM"GThiOnP77sx`leAW {mziN{ۛu#mhO5H"!-u 5uw½47mί$Eu7>;' +`UVgݵ˴~/}Z=?SUck7\Ҁ`^^0W;_`ᔊ2)Pz(AIn'EkB:91ҍ-w>zBmϼ *=*[ȝvJv)3ç{.Yξku {wwP|a1ȢxQFԈU;22-W(*1G7#z(ƴ霣!CI[QSds}#*d"ҙ)E9ܮgn>Nqÿ5JEWR2ScGT-x -|_H{PA!I BbFZ4|K^B>ƒS)2!IH I2Y^mW`F_`z3HRQX^+)bsW r'wR.MH2깝#&)ɐw;G4ʛ>>6/O̢.'xMHαh*y+&CBhƕϿNV",RhQ`| Z}Dl=| CL4~Z0:X@OWB O0A6{n_3򌭓ʖͺZd^?A 䋅3MޥPXƭ襌{D8>&d1/*`/R Xښ?)sIĚcwH#*أ.Qk}y!}ԾHFڼFߔ~5T.!'i9AVjjK+~ҢݨgM :wˁeڝ&?pևM7Ҹ4wAoԡc'5d7Km>!tߕP, +p+&XEJon3氅%6)*<DڽK:]9kSy`ZK0a P̷4xo)[(A'}Up=cgA  [XԌjGsy af]v{Cic7HM 5K|R3=Ȫ&!l`j fkW75bN)x|qߟrz>a5r8 8!+wP/91ήRk prpp|N;@+KmT߄\xmJUxC2:tgNz"4{{q;`Z@2O3~G^yxgعn!Z?8}Izz#VG&2Tf5͓Y~}3ȴmrUQ_cAJʉ8S-:' VS)cÊΖąnRFi4ċLFaݮ_S47HB!w?Df&B~2 EJ7/x (f$U+z2xƲOoAt~<'d%M2oN8P_UekQ֓۔*б}f>QGY%YquCMʩˠڍOHirBqvG6*8Tؼ\"ǮIs.'s\ Fh+XBPC '~W=kJ`5IC#(Tqvc* T(a1LO#ƣԦeoѪ{K.$B0#S&V.zLu/W7[& w|34AZǨP`($M&N*ԞHvԁf6lZD 㳁P :=R}iY}&ߕB 7Ö^@:j[<^- Z/-Zbjn]yc"}%[2g|ci?I]xV*N W8 &6 >T)JɐP}Ҭv*A0L$*B$*mE~Sքv'_yZ(n VKi혙q@Pх`o ;\)Zؾϒ ~Mq)Jw8)t&״b$j 6s՟vne=!1T߮V@ sa82~研EK!|L|+XM$K7kxF>M"#TYsYnUx ŁeCn+?l*ޭ 4X GfdtaSo 6֣,lUGq~Ď!-K׷[+R >3K`QREEJث# Qe7 P"bma?,6n`@nDt)5!̺օqAh2mZ 41x!ߒ- D""f`l.V Jet' ҝ[sa""u&Eh&fF|U_&_\whm1E.tQ(vJb5ɺ0 yPa~"SnNEƞ"Bm o#Hg2wsM0ƻ|>w64D _Ge'c18Ń|tzUml}kMEpօ*NXJ%w.Qzcy@qGk*P%i=U֪ڼ' F@luGZTx4$6ƠRz>28~iꚖ>[n;'*aYH7Nw7xO>J f9t+͛;"E2Z$}0?)/^xҨ av|:]PYHͬTү_fɴ1ꇪ=@:r>)SD+\Br12T$*a3C+;W ,EB}f^>L< nU׍X("Jv\#r@ fĮQMIarLO2U!'LS;qHM2|X]Mj^hTxᴞ.ry{i'g^Ӕ ' ur24LJjD_Xz/&& 8O`_3\%(߶Ia(|BҺ %? 2mPDTVĸ8%!u+'pQn0$x%r/ -@bډ71 G)i,& b}/nBaXl!-{cp 2&PăzkUۀj9 KNzNW3dC]R:b3Ru0{N4h{>z0v)8Ƹu urY?{Nܘ2|WK *!ؙ-ORa}@> }"2[.ϩQ4Dh7KGM1n^mJ|̉' Z5W;ly/X2y 3Cs=ROFz;N߂!ԃȕP̑v  5vC I3z*YBp N12J?T'7} ,A cXYpJQ!c-|>JAf UAcAli-ɇEMDdUu4 P+V=Zw u?!.ڤ2u=+mlGKM)yYX܌K)}h6r?µ#ڬY Eʎ#$qWjůԩ@2=x,XIRMe>c LAwuG᩟:t)mIObaW q8&J#JC/e16d}ḟMCVԏ8T RT{02r)}t @D]aL$lsIPw{UK|;1N QM4٥R G[';*T,HQHScHۏ!ie2ˊpCfePacAZ9r\.'[Q[o1,­!ۯ24SCSr{W s h D\@3 (@Ҏߌ/J\j+iG"4 )oAaA> 5(i:  JOF$[[ 1rRM9ij_nM= I<-N5($N);q! Dw8ֻqxw˹Pr4d>µ+fʈ VcזL/7@Plv6V8Ǯ0~z?cWK)Ҿ|# $-ZtvKZ9D`XBK[٩8Fc|pGn@wkݣy56!b55Қb! kOFi Liz$ɿZAPsd Cl*H,WT"W(sAYu`du]evZBZx3L0Oyf**i:_J !eշ&~lғJFdwX#Ź(a *yRTܿ@2$xʫ`5 t\R,Z2jlǼ;vQE⯚G10Ox'bݲfD=WD-9C4y*b37FD ̑TxzF{<ᾘ"#?]gWkjAL@d,.\A#-XV\ :Ox 7_PT]VXΧZ. $WMF/|Ռ kr=N5w`A#`RX/{O|My~.ěwX m4UٞՖkn.XS ?V 3 z>1ڰDl;AΝr75`F_:ғz$9NӃ+1/q.8sIl -1AǍTF]Aڿ6m{Uل*or%`L/.N[bMp$H5'7 z4;MZ0 iEZF ?Wf_*9Eg1ׂ+=Ÿm%^4d"KQ2V!TbpG`3]A/gv\ha̙[ x?IT7^+{i Pum(6>TAd}$Rb/^x$Rn&:~4%iofb5SW mnػ^& O uv@wMPa|HU&n ̌'0b滧5O 5|4p#TlA>@cWrd8^yqE\HE_h5[)JRު愗7$,G*giCL#0"RTQ a` %6o*L0>p8Nv/2eJt|@$& e9qyd=QH;i˺,>Y~q qU !) +HU#ֶAĄ-/fB,'UP%:̋L`ut*,F?O/P<~-2C)-eovnn;XwM"fpƲ׬~W$%}E״P$R_%"'kU-PPBor .zŝmJhB{WcQY3:\.A6E[7oEs(jþc'R+H\P5ơ䯷craXME@ek@S*KQg )Mi(Y͉fGeL.W16~L{@GĐԡEB׽oz(;v&:=V?6uool) bP\$xk&-AZ]i}׌ ecZيԙcYASigrdlGm &$7PAyXbZ 9X'{n6}fB\;g9p\RU6jn@d0)!ƒ(x@K&2վMsz^!Q?s+e| Vfֱ>Ǐk,]DAS.F(M"U}&ŗcJyWBL=+׶جC>i\Mhg䏻~'Yt [gta>1kxi%86yiR.R4Є ?w&bQf%/yқ\OKIDk[*%nn WtB%c]׋0 *Cq1_]"%`I8Tkٺ;ք.|擖#LI'P02(๷CI@ Fڐz5,`Ǟ[‚%7R*oU Gx~. $%U7.`/߆9ޚO{x3}8lB pv1*a^qgxEKږg- N-%fA[:PРco=!ekk۔2g*11Ie^=[6F'4}{gjA67^Z)^Ў]l5y2O}]rcrs!u+H̵cre8.NæI1YH< Sl)E0sidy|s-0F}~9upع(0J%݂$ŷkAP{ n%@m80`Q(Ȱ˙e&ң3?Q{2f?p35){GZf<ɚRq5y,bk&1X~RhmJ6~Úzrh|EW7n DB>^o^S|#i©ʤq,?7M~L.uzC_)?ukiiB&rȣqTYz!Bgɩic3p4q"]FglWn8TNffT,&aϝߙ (MQ[kֽR"4}I͂.Gר3ĬI2[? 9Frٔ24"(VP/W2\au>* /oNݍſiKr=|)jij,4x0z eM~Sdi/aO{m6|$3rк̳FQ( U/h6}4u"2MWii;{x#L #GqTĢPn&+Jb*v`Qn} 3Exh`i q=ܮhM/ғO>׮n&8)q30\DVqz kdJ@9^jei<) U9«fÔ&KpW@͞ỲN9]U*:^jT?65C-Sao+BnĴOyax)%$!Y`'?n$dI3݀*g̵SG`D<)(Z"=1ᚄbmn<a?X$%]u{%>4ogezGX݁hYD\b֚dg`QcSE^%5|MKuwJ/AQ!:M%wQyCE >rdڊ.+hٜQkäTiw|C}sT6(?;v.]cTT[Cee!IN /r~u)tuI9\5scsYa)tVڃxޔT`vKچT ׆H #T6jZg_3oRCO~Qn+(D6W k>tb.Q UTuPK{YaV胇0}) 3z<:Ī>$@`ڼF+qP;Epov-)*;,0}2dPo~B^F HD*MzUt uJX{Jw:gRVX3# 5*F KX$_iDYIgbY s^sC0DnN湵,XP06JgxEHZڨL'dc~ҩb^';P|nJGq9>eP|,5LGIs`D.e..CpHjeE˶77Ӫv6- ry] !5magp/qCD&:}}YR(hTB~AFãHvxr>J<l(0uljFSX Ї@ՏЌԐKw UlfV;ϳ#Wn'폍7? +R?2]NY!<rqF׾WJL"v{~wз&<ИK|aۉ┞bMaRF FA7LF8h/%%~ƋaZݫDS#yc)wL7)ÕXбOjBgLJ?TI5_\rH<98)Ǥ͞JRFme)2qw.(EƉ}:̖t.40Cּ|GVOl>\E$4cpa^?Nt]%k8Ix t&q-bg@Ӑ8( {3Ty6Ĺ`<>j:/S ҐDA rmDrc'Lߢ, 0.x˱cl $Lr}UMEiMtJ)W@eA=!V ^7 SzvT:z  =|eQqνkmtLR0h3#jKwg,'APs_z@x"+fRBI?ۗfdT[ Xr4~LL*ξ3cRƷAmiS9ZuؙYH ))VKFN 8\wą7iJu͂lNXC\ƃ&[ Okd8} bdF>)yG  Kh(XǂoLۓ/ ]C}n=6+{?w\+@Ex͜idhD;/=](Sd uh"I.Jܲ&"]GMٳka.ݛ~3F #ۄ9zY9pӥq;*ŐX7yNFI>JEH{i&G\P{ScM 5"$hoڳ[(x~oE* zO4Y ӣ&YheGʜI#@0'ź}GDOqX iÄwE'=LW{=83["MmBY#nX\‡ 0y ޔrQaqe9LK`b2LǩaUdUQ%,,/m)f>[_3殣A;06nkJy~ajy<%=^"XYe(V4`GM9՛iz?5 XTix jE"dNnwxz뇩,itp#^Sɷ/X/D2}e~uc1 IWI%Kh.JmZu~-Э#YPIrr<]8aZRH+'l'FaV#% QaqLXچr!+wd+V*T% [p\<q8DJ-q"B~$j?>sivС^TJ3-n'M:ճ(Htfp _E07^P hѥJu!!%B(]e9X F=63}J,g'G 29.IYF;[,bAB’SeӋfa7 gUaZ#!z7r6HVu J~lZn*T(c>m{1W șs?R)V׬YM2q973?!M3aVro:R E/so:9USJ9%}q % tD^D+zQ癬ND ,b6 9Z{u%otWQV;w85G1Ufΐâe⾯ko#Xg٪ V'6q!sFlNV`X3$/\h--߼"ɉd_3H@q-@߰@;EYAY/{;KL2'?>ucCbxV 5[[Gr ~\hHĒ+ĩjrpR+!cSCt02mkc_D"[\ԓ.#W[5wmtL2wLsHE~,.BΑN,yŹbqcFQſ-Ԩ!fdvQbk,&:XOo]%ͦ*36H2UQ$G+jlb=-`@-AWkRn0L#uP=t3#SKƪ ξ6!"9Dܽ 9\ jXkU8p*W󄭧s/ Ǭ1D,cr#D"?ЫVc?趗UwCc?eA*=e-ZHYFޓ&/y Ă':&G&PqAjPh:_NҖʻ(7\F'k}q>MFbJ+wAGSKP'F]YNEPNd^9w #ӄpr{E~6qUo 1LAQl-7jFJ#K3|=_J >p^yi^ lč,ċV ΔTm^ȟzkm>(Do%L諻+JĮ̏*ݠCeɔ:6IuKQZk9՜ t_cdT򏍬f.rIv \ajétz3r-g/MT3X[ ^hM/,7-%O 鶫1")tc]b "]MR'29}S o{o~D-jxY(ﶲ\=,P v'0+tp a/k"n҃7+~-bHhlWMeiTDo%u]7.IP,wNJd7F$ڏYf׻+(!SܹBg%LB=F ׷D96u~c=d t_H*kK`BHa`R2P_]`V/Vꫢi}иwdA~|TʵYuj|:~Q BiSzUu9[\]wFB:jx=w?wg89:X+1q-Rζ'o XSQ}8n'0'͛K)e[O;y2+~qZlsCl@9GQ:<  Hq-60kݽHH(~*P25z $֨xAt:*0 Wub2SLMǹdN K,>W`sS43 ;,B{ٖkx1 C?EIGQ8CӼv(*E(T;GK^2o4wWvtM!YbAeri |jjJt*l.`BG_$* ^=Ȟ)UǟBWA&cP_Y/g-. Ӿng8WSd.SvkfKgТ++,hm,#֍Tq J9Y'S9o^`a7"vjM( c MB!8tճ)rӲRK@~.8(Tڅ4B"X^IA`r~En-bG$B`G52Co ?B[)UKˁRV s&^ gRlf.?c7Ha]@[%Jg$T `h EahXqązϼ6㟚ODCz')s}eЌ^*N9$mzqěۄ,coFʑ6:ݥN q9+HԈ͞Io»3(Qj`6m .|U؋m4c"c2!Kȡx$mv%flKǑ$ ?KjTJ[8C8pjLg¯N}ؤmIazAϋ@w)}VmP!C^S֪N +'?疾.JڋA:k^n:L5rKPK%˔F2[ܤ~-;\ٳZS UbGQž4vI 'RǤ#q*** 7VR9^|_0?C%͛t"1QC_j!}5G'[C{-kߘ|&c %U,ajsÎ^.ӒxJ-#{ز \<) ~hJh$BFp{N`n_h:6>kfڹSdkJ[FTvZ*XhlE9'E&mFN-]54x0oOk4L)uE\]_Qhm{I*N^ H(> 1m+8;/ɐ*31lp%^OlLzz=c\W!f3U£(=æLC)vh‚h|V֍l׮viH9u(' 2 Eԧ}koQ߉]=VPɡTrݙ*eĀ`{)xB{$'88˺>ɕ3l>̟e`CʤfmQ_C tAB wUrF cit %n(Lk?Cl>$O98%WD|dk/8bAKLbTVYa{tWe 1F,Je~_F5C I>OCW=H'>oǰGYIhRꋪgӲ8J23uOGB> ʠ!#vknꭩsV 5OP_dkEjsVHRT \,r(R9%m= d55fFĂ\u\sV9d2<5Af.r/i?%=A>tFUSHb!wzzmɁ(~fa6bi*xO{+]0T-œf#^ 4LR9L䆞pQU\ u(-$iA2gTT[da)M;ɔVwXe3 =FI7U4єD=NOٻ;-GfIk;pA~b8w٪R6K^bG41ڂ.mM|t ! \y/7RxqQC6kF6jAd:̶*.\Y ݴUVo!*Gy?䗏ٝX 1C/znҫF#TxM)0F6$'Xō. pDhtJ%K9-*-9 _þ}L蟎He{PTHheL\iM2X>d׀)s a &_dqW Rn=n M%(<qɏU+D6@4^w&K~ËV8ic+G:z^mnӄC/S <*GX6'ώȄ-1? AwJn#<AzϰF'fʣ[Lh^Tm^3݆pt]o0BF/RzLm`m@6wM"0n𣚧 ?;9lVc}E'b!XOwntPܭ5_ΠD/UB*t?MuLgW"QJ_*c,(F+?1lUjm;9~r͛z?cnl$qP6BnxsW\xh &Á3x6[}iq+VΉ:&s[ ( ~|ՠr:[TbqQ"Ȳ3@SYqmjpbL^q+b 1r7j0r^sucz~jhfsQL\z=j|q?ydNJVn_k1wXF?z{#q^h䍪mj@x+ -5"Qnx*Y|KXe+ 9\lÐNcXX 0')^eN^YҊ֐s<ų b7%Q1qUAJ!9&qSu-2 |+,@vjR PyI1.Kra;|>e4È">1:H.Ӫwe HZ¬lY0@sSIMTtZ xV z"mFWGϺࢰEm:`cU, ~m1rͱ1زãJK(H͠xsa%s e"VP3}\8࢒,q|E2%x!GT[Mrf::zQ_U@s@]%0Ns),`av-2ez<?UHV=<Zj(}KOP=@*6H.^啣QC@s @%'O`\$ j'InECGݵ!;ګ`XaiMfy|[v."-*rIVQǘ{zGYhA/֣ssx*R>&1R&0ψddzJ6 iYy~uF!9x:/?qޑ;;֘m!aݬ RHD{uMd~ս]ᛥAx>Txyͱաhi&Y=1J`7iQR71 S<4%N6FoP1]#iۤq yp2u\8thC?/J* n IJޘtv P۬!ČNZW2UGZo&8ڦ ZV.A{yq]vT0J)–m? w?"^aܻb%ڇxkr"q8P$;j.eyUȱiGJ{.Kh,zA*:i*y[֡ꨍq@}Ojy]MfPdvemg'uz`>"̢GK=e( //L>qeեp/]'b+^|Ykm6,?cAxaj)~/KMv~I$-.r OT]B< 4S}KgL9 '|Q5r`S$E*/QN!6W-pfJU} da0_vK@"nC[%fDb.F_ݺE\n(GZ ܔz|@j~]\%3wҰ˿,d!]5%BTFGsK/I'y$VV`S"##qe(/\I 9E+^*D*422 (gB5$P↯i qMФ*Hiu#kM^a7̽ˏȗ^!M^$"e-w{j6&  ܖ cV':}=Y' ]yȼDOZ`3DpL6}(;>w {xdп3+._fD'6#eOh 7x;'"}тh)iME~28HȨHKs_WZ%+$ '@|jQQ->S;fC9#Ǭ~N#if+I!Xf-BNBG2ʁ+CTFW- |J&C&^ Es ;!fn fRٚ}"%*}Ǐܒ#?)}dgƊ'5%ffQ❵n*n$%o T)zHd Vp쑦6vODׂ2(.i[]{{Urx?fe'Ug*M΂s 3goJUTrD%7py5:Ej*ތ@, :lixc(f@˄ܜ0jIT͗ hXRcޏx<ABO6y㍈6~ F5fMk,UzcˠPE(<_^A~g9 P@ɩ lH"32CT6e •?JšUWYdϾ2j䢐FOZmޮin`U ;IH\ϱP?F:B “9qϧ|\+Bi^f%a]M`8,5 s*Se~H:br^Un] '%5fD\9y>oant6!]^99 7pԹmcp%:#.y"Gݯ 2HVuhBo <իbc `ɰaխ^Ä́HikA#De^=~MuON ;qPk@|aѥS&--A; IؖLDIKj/dCX<˨(Ɖ›L.ymzǦ݉X0}N~@ ¼C's * 'cC'agBxC@n[u˳NRilɥ^i^Wd4rȗ9Jٙf_}IYTM!"n.'q'X:@Nu9QǬT'߾Ӟw&rDϤݰ|'+1J.?fyHYLgD^>o\61;Ou"Jim'6RuN$q=UYRgv=TT).?m->ȩT.\יɤlǪ&A[k-fՐkgU}P!8T*Qǯ}'fOXfA9aEs Tźv_Xᅲn2HĨ&'K ٨=6ߓ֭^^=:&ӲV'=k omS ]9xޱPq J&֥_];FGbg7dG a9q~ueaT j^dxU8FVWLs"7up5ۯPʨ'oë`1Tkv0kCFO%4V0_O$ʙ qJ)2%;8*Y|6ŷ|i>U&k/kVYݠY}, ׸v*-/g5YkPx8AGľxMRD3=sDÌfh9}b ÓW+NW~1i(DS௬gqd?pO4B:wE%BhEkM\!aݨߞ!o+~$g<]U 3ևӺdWYخuxdc)x5f̊[0d^G=m䁍c{jN@:M|jv?etJaϔrx,I0Ps$[EDtdPXOyP(){- L12S6gXpЩ'*N])OizGe fAg@H9dc)9ͅmYfĆRio&- WLCO`̛}NG:Dry AXf )P:gF`E 43 wæ~xo4昹ihU 3e+L ~ԼcY1gvږ3#P z T8Ir$d8VL3J [<~1(whATGjB4#PmdcT"&`?|K_,dhS#ިJ 44~~ݡ~. CΎqaJ YYs7Sz TQ5,`(5l[$2N3Qb뺼!;ESe0-Bdb}fT!rqި7y#*`]jp mօZ,N~vx8*^I/f 1%p9À 4aRLhyP;bfvgfJӗ=yp0v<4w2$@!)^sZ0*v8LT/ ="-_WU'{bK`oGւue yYg jfGeWwSj%R1Q Λ8 pN~XDzXĊگ HdvEajGo:L/>a`7>|n7+.sLI zt6!is&m ޞID5F4mܽuS?yıx#pkFK "b z沓LQ0xDHwk;@cH$wޡIK(s\˯=/3c8 Bs1ٿ Ge9d8pr'əm%vӎJNT`BvZ>WT D@ +%eҭĺo!emh=V°Z(\OFqQjIe6P6سOU睆M]GkθJVo M<NYőU?76ۅ0"%E{4Nٚ %6f'CZY a 9B%4$㪍L1d@ѽ~^P_p9eCE1~ 'kEJIӡX X]j]:rB2v~]B:HQa?2$j2̉ tqa : - D C?bv{]독8#4p\xvxod9u" iHۿ_D=U wIrh[p8w?\QHvRTpD䆵AJh6Pa rjq]f˘pwx) ';.E4;&XT d:6pN1&݇m^g>ӹfF%'8DEsmѺwrǰ y \ k[d8= v8`kO]nʿ/581WZA ׯYlճRU~^Pf[+92T єGs~/%FEyt爘 J_#&wZ^+bɻjIط>IT UIYe ]d4*޴-&&<R2(Ƶ>_hB8ǐ `#w6X{{! 3b'*sS8KW 53`֬܅˒J+p=䅛;]Tɾ9oi [F\n|Tє1GxQMlt-V*d1t.=/T~;rGLҙK{$ʦra2=U,v'r&a>YhSY /JOƿ:/BKPQoh I+~ƔZKuNIUe(cJ qs8>L=m˰<Ì5`[2?K];N7mIZ(C2˳N ?0;pHg\S`3N% nV| Z"L@ق95fZ4JZccKxeu?lx@OHU4|Ϫd-X&qPXp'rE4fzanj<q$m8ɳ"\ZtkG4QP uoT5ǖ]XBBѫWvɠ}AS`:` #8C阕G t:o꠳X0jy]|zn h|Ҁ+73c ;b?+{)'0V=W!y|T`PO3#B3p p[?]3 <%Z5hh!`<4}2mwO|.#)V{Z-"Xʱ+YV2˓gbK\2۔ %by[1ۯvzLXcml|oӵVe["dOn꘱Zn:HZUL |_Tw$wiO'F} GJ!2qȞIV*s8נmr67 TϦ l}T莫ՙOx!RJm0"8WW=-^WtGى G3GGN5Rؿ7eԘhuv{V@^bTN$r_nnjsW/Cl-j='&a/p[u MSkJ.Ȗٴ^.*y=Sц! {Rld!>WqԓmUPXTiPbfח*-Ճg'jߝ;}Nα?Q>:QN>`>咼R.ǹ8ɜ\?ّl^lg//uIJ*OV&&$wz8g>_Q"Z-ZLPҶ&KUtNSQ]!$:JV_S^ԧP{x`Z7:J7 ց\r\ HM>de@MVǨiUu'@ CL`O!$`_d"F3goJ@י3<82]Ey1@N'"265u 8dOP>[p1` _>ϵ4^r࡜ozACqvYFv@ R>B+K3T $bWN>Yzq0B<{zJ ܕ a1]0I^ZqTl}BoRX'euXkřnThb-;JGjٱnʏ{e!@B/0˚l{J!";j–o9,VaNIbx ›=70P%m&D4]l;"~/_ âۗÖ>p t5#<\x pz&S\ŞΉ(Ȯbu` Wc*%Hr;Pi1`cЬ(13ZPh Ɋ;R\[6I5GM"z `zz' $ޒ"wU{s<)u̎$p82Mÿ< dυ WȽN xk w5^OU8D:<>%!'ld LgcN5=PUF?^ Ys14_Ț+C؜) ^|M !u~}kɢj0=XQuDib)(,m3~U%B"XU\F4:c/ }i~`͇r?e]I۵IoM ̸3X ?&{;KJ1Vx(<ڦчSa{,h(i>0֘W7r/&C5ޱ^}(a`0(c(>J05bM0 kT}7y箭IŊf#i7ORȭׄzݍ9p)E_c1[m% GYL p>a 1,#SKE)=j Q\>kYwiP$<}b,1lWn7[2*Y jU|+{QkÔ*2;3Ni 0^5p a|uteg|`awW&VƼ /ˑ_|VE[ !z/F:vRH "ѺVz%D YKP r{ʮ`drF>1zoa~WƂ6i2 |N6 3: K%|>X=./4x꾢d9Da DRm(9\I^ д(v'ȱI])1ޠl¿Ӭ`mܥ \+RbAn64]lP礌~PD{ AR]zDŽZ P .]w=8-jb99FL)T;V5QNUS[Z1N> :2a}Zo+:3;06 ʶH ˝}$y:Oh~^8Y NK'p:QʊgU;WIm8$q M!j<f& [@(D|F7bo#c3@5 N q]jֱ{qĽ+ZĞC*kȮ b!u9Rr.tJ7q ꯊve&fTˁ߯dXQD5!3[R68؏Ծ0ݼ!7㟉/xNBc;'X6#niWxd6d$DL͖в="l\ =(nnJ kq?V%z`qoye~Aj^%(W-=kOvgZ@G8BM J4U9y-#^tv׊Ssfo~֜sŒ#Cq(X3̅-\-`Әy( D<l ޮh>:vS -_N F$Gt$2*2VH^!n!1ռ 꾙iԇ[4-'@;Orq@J(!<2τ8sTDS5\U)S?Ad& º\ZɳY%Ӡ&PzTn\ePVXDo)A<#gV!*R4Lѫ΋[Hbw崂A%UH]=BH0NuYtx#V¯:\aD߼φQu1~1zF׫$* lX&1tK%m0imuy3 pdZ Ȇ]"T[//sa=a|~_1VAE8uDהvcFלFk^/Ό$ ia'Nw8NFL*O51ipKtky=ޚ^BUXmOʑኳrNOIx~A lQBY eVap)d6Fa?2*]i:\7)' h ӱgrtwQiaZT6:nS}ၲb( 19ù/Xcmz1@[tI. _}/ߌ÷V=YU  _܉rr=~c^m2s+vp#wMxsf܊:KF붔NH~8x3I`y*eƁ5|٢D8j=Ñ)fہ-?4+}"koCtwό"Sմ9m;AkђgjwEl9|$kz JK~tQJ7Dd4(8̬I‘Ld~4"W# [Vxn :m$l"jAQY\nt6"p~Guա7gs,2F |4 fP䮇 {Pb CXhxףegϴrt؃!#j~ IϏg7.ʁx#WfD5r?B GtE%3ip!)y*8a:V* #XQ[2co)_ 5/3:>]5mns@b 0jտacr|p\̱Ιu;Rvш֩Ƭ&7f'tSQ2I'#/ubc  k: 6.|ϣU3kM[D?68 nZ˽H՚eIސ=?9ο_ H}TK[YczAKT!k^&><>-CC&Hٯ8"}X/X^+@:a1#,) DRD#Ѥ2OJܩ`+SOP_bR#ę;b?eM.]X 0$+h. KQC߀M'6Tjo~JvImNnS _J>;Zȩ$E-~B`s /1&9OC\OQCD] ˣY94GfO5zr_{ani3pOϒ`@]>PT*D+b*)=5ɾKI JPDo̐@uLXuL/gBc"X]dhT!Li8pGIåf0F5QAyb琠4MV]bA4tCc%W2ԦgQ /;vn#VaiM(4Pz(\e(ASJK4_[ r'gzR\BYj@@пgϥ3E*Gw}KJZo?ь>ONL$Ȫ:gU֤,6wiM<7-zJozezmԀxzē"v' 9EVIKF37} \[)ʞl=zwǟ nZ %)sJ`o.f队$ԡ $Q:q0!&aYGŴt^0RML& _6EjFt Sr1VHde݃K 3Y-B{Lv( (IMM}5[/#a{3>9i6[^Os 1L=n,OeˬjWAY`ʶ7_LGruvK&R_nL+9넩{]mRVoɍ5/4Nz4Eه䁝] Ԃha.Te^$lĦgW(˟:MѰޛq(y9T$"2Q Զ&Ҟ8PUe}77nQyKMgMəL?l^buL[qZK13 !4ԳVKyJs*,4zG}@,ofc_M'iߓ|DY%Gz`2T!P=mGhvkY1fхuӼ~}z&6oسzV>#/]iTja0.]!C̬/{|%!?Qx ;w$a-ꢽ{E؀MvVb% 41;ly&uQi"y#r[A!ޓD%֘|Fք:XjOͩsl{ ]0vٙ2WZ;~ePrP~^~;sϖe~j{2p~7'?)Ekkb`[|uF} n*v?RS$vg_FV7WY, 8uI_?xq5vhWdthIu/+ҁP8|OhV%ɠbal  ބ+hMt[K=>o'+)O:OH4ke^ºn[$/Jт#)[/G{3ц_VMYi$$B_򕟬\|%=8dAptXϺ z VLIK ld)'׳;э* Ġ*0KQ /୆{}qd|"@vL[ 8d9W]gbg|6H"zUfL{e@A1V풴(b%گ}:WW䥓8Nc( 5ޕ 29V2aeT2YxO8 )K[^" ZkѼIcpM:96/ )JT3qv!ˡG $Ƽ"I@ǨhІjz3Ȱi KO* Mr./?-ult[IA,¼x cXN.6gXw~VIx|ʒ AFK+8Y6[J_^>Y9-o2TRLn,LYf2M, _;NI0"%.9K?z,~,ϊKGB7!Pp}nE\L?.jDϳU?[1v/()͉̒3qþ3a:em?st=d!|Z>dO- .26-U)BK#zMn^4KC'гs/C~xFV |,+sYm6+Fwbn͐d+Ę| B+Húbx 'ahϧ"6v*{N==d">ecӣL#JhZFWX4dJJuPۨY[|9_TI,֯m/ߡ=?_H|eW)/eF#{כԗ@)NWԹFb)%3'QbVp\_?,2e Y Y74bU&G.,wX] sֶKd0>s_Χ=fQ)94~㷃kPvbHźѷ?mѸL|f%D6n?@^~ ( P[,ٖ)QD}p Rnf7IO26EXxA"vy9SȹOAwنb0o$#䃆Y-:ei_ʗgxF2sL7E;=p 7M`Q~|ɮ@ixw|gx(Z-R}r3&1(?YLQq-ūh! >vce{׏x[VNrR*HqDuܨUWV%aaTC˿].r|N^]!@I԰x"}6k T`,`/:x6\"EA%]xhM\j!{yoem6?;MM31KϢCI:TH2wQf根dt7٭Х:}_rs ;ZhFu-9djKrp0|o~jlxVΖK|(ϫ㌎vb<_ 7pi)]('@+7hsvG(?{Cu6-d7gaG.NTI46 :&GE4wKoH"mmL._q59 |"gUE 3ӱ*rn _\eЛ @KC~჌ˇrq߅M~SV2{sv^6µcİnZ:8bDF ^`Zmc1fģl)B T2[Px-@2'S5R~-`Vנ"nn'eL"2jvC@^iCNՅLw.qLJ*`SY*Wt iIl^1.iV µh:*L!tM9+ BLd%2$fiQ/h@&G7#aEEA_oo ђClMq1W:w rS^+V6g4ރs'u[و!gEJ'9Pp] ȹh=]JRJX-έ:lv+?GF6ef(硠ƣOj)OEM s ;@mwϓ䤰Oo08˷jԍOQiۆ3a?ܽ5d\?{M|}M&G=`W3KMRat9*ArgQ" 6K@c*c.R93`#J ,*Tm;&r,=ZY:)"o |8n?MpDŀݪ|PGm|X"XlbTQ8^4 Qϲ{FFoL.wg) W3UX{.H A_LXejj_zKt4x/6jeLd( fN\>3Em>mw)J}f''ٚA^t62eH{eGr( R>ONcKgw)eiveo)c0‚gcuaM{+Sܕy`]𿡼8 n @g)ډQRa d D 7128Ev@J _vȘ%HrΎH=Mg%<A]oNxd-U&& ѳI(fFIc_e:G~Z4:%M-6w8僒$)ۥ:26>l o]Ȁh+.9( {uQ{;tYv|1(-~TN"ID9Ɏ| S6pQOr{im6c g.1,azr]VUHI;"HY) 7lW[ i\XU#@:{ o~Z߱y0ShlM;8~x<"/Tt[^*0F<`YSΕ˾4L.(0YQjM6ʠ^\NB-]K(D_쪶pS#36 D;Nm(B()ie/giɰ:Rp^L[^y׭ OMB)F8i &XfR8 sdSK/.%":S<֗5ca+T#r8~acc?\8}=&F49&x OjI4UuzBߴ'Sl-qJlOdTB5]VOGWoxH^5Im{v7X̾Qؽps(bdy9t:|ȸ ̸xO$FG:%vs>:0tMUkz 6JAfS ⇦H;IX Vm/6)\l:]c,A'*D\Neລ3>pZH2}=ߝh.eȇ1BhjpB|5{ȄaeF^xA"A"|-]do6jS!GLvQF0Wp $N oxj*.\|iY\}U uA9?>S l9o6J Gⷺ )pɻEiItUNЙIfe{LJ,^". w O y)! !#U$%tb=Q(`8v^/0gm@JǢ1)ꌆAd|7= ]]sC\iSʼn%v* {vg^(p7OG29Nª<@ŵXrqV%sY+ -"4=Pwh& :Š}k6^h !sէ+%N@b@ Dpx4ϝPfʠg ͔WXτ 噒98^=T͖} AC0`Is)~qpU~ ?Tv3`KIxHXLڒ;6R#ٹ=8dK`ʅW])c?| tƃ1V?k>Wa kOLɠ?@/ ֖OlcLa3:APfc5uvJW@f<'.`zc)CY|zOv*Teo,Fe@JFR?Ʊ m=A|(=5c>6Qdɒ+5e oY'PkE$z(3KOJgؐAМ6$uP&d1!*] 3x4{ka-ԦhO W"F@-]UawzTUY сXRE wKdL{Z=x"p:eg mP-I'u1ЙrsN,dOw' W)0=AIOfu@ҥ 0IzA!#. unNH<_{Eqk(Ϩz<hk(/2,TS{ѣxL#W&wlVV=F.t0ՠ`=IPQM[Wk 9| kA aOaڏfr$(EF~I"G0'"]O0#lS'REE26.v8yx i&fὨC 5g0b ɒH*{Q84-AmKUWf ɑZq9T8k`6G6iAFF_^j? {Y˻ l OH)ȣT?8lp>vDMxrְV=l+ض}Vpt[-m-TXooQ 蠌/\fuUSݰ 'z=qv$П95"BmZ|dƧ1`W\vT޿m^lcC]Ϡꎖ zP4M_4T7M+YÏI"v4WW|j[ø碅ٜ);T6 6]XE{l9o'dGU(2w/2u dj_uӓ`< c8ĈG;0瓵)W(5X@.ksֿ!&W$N+)وC"*qD!P  S^Sb2/@n~b !8ztbY1MIねpgj#II@[UtyGD&FkzJ f z^=jgv<_nՄΘo}0|FhT==/[ P ƃ9 jgX;dݥt\^ },gLXM Hѿp+byF9YsGW-vЧ:P=o׺?zfD#uC|kA)VFk[^]w~u#쨞nO0u ?Vl/Ɏ/^TF"a\i!UO'Mr; DmRz`Vprk,\v gDw_!+X+AURo+ #M<|~9gz3\~/t2qGV\yRԖR Pk{4oi_㡍 {-""XxUvq=8OHB5n6?1! F> c.P2.PF7]MEnOھ֫ĥbġXTx84O7 jG:˅"mSmGNGTC$T+ړ:TƁ{C4V$.+e 6[Pfƫ(#Fʥ:>0 (l'qxälqQ 2UC^3A@"э{e7T(oI+T1p>b<$X,݇ ']3. >F>l]1eC׉x( IxHAmN@Y%@P)J%=X*R5 "c7ʙ3{83LtB0< sJ,!D?5aYq'!0l!l,_u-T/ zj_ml_)g*ʜ=pf??_@Z^B =[~y/^ EvY.FP?}3a4ێyps1j7K+y nL-i) HTca%,=Բĸ >KX‘"ߓ!߳˶8/Qem>O!KLXO}/" =W{p?( w)Nb;=za`h`?1 YKT \ӝTM a f|pPj>ئj a}l*N23vjkx l|Lf0Z5U:x\N\I+}tr9z^T²]P)9MDqldw<؞!7n'EX[Cbr 0Ž{шlٴFm-([Mtp: |otH9oL P"9=_ŏ2OU8Mͷ|g9J!_sI-%X`/Ҝ@^ EȤ"&qߢGQ8xEAYWW{b.9|vGD[*oo 凇sr`5 RdوWw݊ \=TޜAɃ[B_׺ah׼cit-ڮy:mJY=Z C7& BW~fo'g>Ma xּYv"}Zs:-VE, ==fQG r1R vtzKy~,Ѐ=+Ut><~cmX3ov”[qj|Yx Ο)*Ie2XgޭgHxcReR7{DRꙁ$ZLDpd&W\@+8ܚwcV?*(} {ޫOSnaRtMSHe&|okZ1=/o:[j8hZ4A@}F d"s$uidLQ񮰪BX~Tq $E5gm~ }c)%9H\cAγGh*u8aa2gEMRJ+'HGUŲDo,H=*}y/3|=cbɳϭ_7\F+ο ŀr muP}˸0@(¤o?i*MܣoK?`sVpuc}Y9as ae!$?u #jlEH?PGM{tȚz)ޞ[̠'~M&+'4v:˦EJ`@ :E0UR4/:3}bgO]w6ahCS&Y^N,G &M"gϡ&yãPr&Bj/ف{dCv0̿;tU5@).A 닸ņ>LV nj0#=t"LN}S+;( (U}u5s!?UΏ! ^7Y:K*1sAr/f"9{KU_ƤL1:@vN&B3݈|, j!xT:DԔcFQ?P;?o_09O6k:G.,;gODv€lsY ].\p&NSՒT%rrrDź?ggƢ/I&~86<66$ʊ )x5uDpkL,ZtPLjV $& %[O>wiw?5$r@ЗvX6PF3fwDs(u$V-5Wސ'ْwIYl֛w6H[. ZO0NAEV)w4KoCh*] Z.uY?J#(3tbª;&e\T*ȣ͖1IӇOgK\9{}]WNJsa" ng<٣$b;@0 }md%6ƦT ʻ[7ɮάU뙚_^WZ7Ke%H)Nsh?n]9 lSH0[Y}E*}n$?JU|@Ke^$#RⅺEe^_|*KCGU17?Aȇy5rSB "5;(HISfGrWa2ˤjU׏,̿* BI7D:%4yGsLgr+D}>CB[N;5&*(?e9S%v_sz/Mu\,R[*1B Q\&Pɳv͵EIEsf3< W?Ӄ.hj"yӅ1߮sBE unB`` C oG>lTI.n$Xj+P^ |Vܲ!DWVFN(lMC.QF?/pGiǘWaJ!P{jtWO'ң*IuuINՇ:3j-uMˁW+5GK3 ޟ!N\Br  |6)Y;tBouoR YU;ktt.Qq<8>ۄcxQ'VmPc7w%aZefݖ@Xk= ՁQ9)G.\@ ~ċM>LY[78=n@o O&&$īz =6@4ּCz_NsʸR lz!;W B=Dzou*{_f%bʲYd~f&Y!Â,|װ1 Vuw)ޠ(Jp5dRD!QbPTF8I84Hh|lz:TuS{tC5@nџ<,6];x 5ߐ2B{S%╬ fc0wIC{`{YPQlY3j[ tA"<0{Čϋqph"peIПHR>qW\hIHq/|Rqixg{$ gĠwa?EiQͯsxHd\'ӓK :6 blǶ@5Hm)a}I'qP{؆ XorILIō̿v <@yF^~m <ґeVA:!gJb"x|59FO}4|љF>(౫P#FEZ[I閨QX}xPY|Q!L3qSvPl]TZn ""yN9U\:I^0VPIB|^m*)C7G+ *qk:8E EU=?>A|bԁ72iV l{7@e)\ ~_:. csBW+;=a^:8l5\2g(Gh:#M|mS_v'/ Γ kOhe@7us `Z' 6}I'/6˗U90.=vO YF!R@3ޛ2o=߀}GUɆ-p(>@UT[JL+1ňrF!dwh'_M2йc 攓Q~I ]䛍p!w.MEB̹}b8 mCeWc=E>L ݸ;Յ/AYCin_‡w 61Ɲ@Id/ZZD4*{lMNpn= [$_!’s\@ICC(;8MVM"bYo=v0n>оY(woOՒAx=ϡ3jq ϙOрAFg.d߄ k} xj"#˟ҝ Zv)g 5?)hV $_ʄٶJ[̙ߧ{WJw3ċU cr* G$-b)Ci᣾ xfB} wxjjZuPd\!6$g)u+i|5-8= J = rg. sUB%RTOG_2xy:i01c`Xn },}W.'+e(Bj_l20b)\.?ֹ^nH A Y&2i}8+F›V:a r&. J)Q2~%iZ;_X_UevC =BܽC1 y_/^ Њ U7ٖvts<Zћ~Nۅ~@OS(&*N:Fx?i$b[+(mv6|2[Q5ߨ'0mjweFPc\]#Zvzx^9n~PK7t0+ĠC"X ׶z[ŸTkփz FAL\EX>m!g}fXpU#+=0Y+'0 )~{JYk  k(.-Sl~*/`NQw4/Ap#Θ2Za?ʷɟ\es2D =fRڶ־ h?@cbo3䉶I(MInEe%15T 'K0XvH:^ &<=)`3p$ݽ]_,A\Ix6>?w8S`VG@OfMn6m(- ڻn#Ғi;cWime[ᵲ%`}_eņYUʥGSsOLfasE3 Juiډ+\||.Tt§#!i\fFj6!$m%dƎs&Jcc%LPE_ ^0oJOxZvwijPN擗6xQ%t>8i8 q79By$9J-qI֣s[M6uO(WvU o1Uf~]S_NҥYHЗwǾjnݙ![shW55ŕѨ2ƁC*JXPh[7bv:ꠕ/pQ|7b2 o U_m 2hiu%Hm* R`Z')kL0J9۬LD}'03m\j0N)JZ N&&1PLsFECy*PotP@΀2(L58qq.w= =Z9$]h矮0_exk$Jxͅ0SKtUi`5Pיў3tcJtV38Z5;kfkC'KG¸- _uiDn,CCG9tdS.6c^JT PF='rA%FǮobf߆34Rmda 4߲!! Г4&hD'2:@PHWuxp\D~/BSv8A*v #\7a ֚ ,5U$!$͟*:b,|}@Hzg#hDU%qd;>KO,}#SQlj^Ȧg͉rb#&3{|tԲޥQt&(UKa2ƎdDf!wO7k5+3|i>j";?gw#o[nc$ BmI9RGbL^ko7n0.e@}bNZaPDM@Q0Q 0bSLů(L; UkVp*7[m%37EO!1N "խsrK]n~6> L?Q,ޚ'}jw^cKwMhvZ_萦;"Yͧfޤ $ɸZ{Zl]ج%rMC۹s^c˫I )εP {U;Uy:Rh@q"6)c |ty=^~6Ă.cc%o}S^ GRc,ة~%2K4$S6( 'a9Stkؠ CWIg!9 | G`|dd*XDy`[?W5dwTOT%Oeb. x %G8.-)8ȣVA܇ɑ7,jbo>`s m*:TjNg=$q:xM$!eLKqQ/*YFx (ԻW1w*K/r/G %ebDy7D| >9z՜MS]3rcؽU6@q¨Z9W]?rU= Ȱ'0C IY*elyȀ"nZ&=QԜ4M$ `5p_N?[|Yv-2"iI9V/%܁ /U'AFP-fbNUj8=|j{ ':̃kU/79,YUҫ!TmWÅ=*O$1{$BD (xG^#?(cDUK< |V\N6a pɳN+e'0*iݠl@azcjQȣH/ARڕKan'Nq}_l˵Jx 9XXeP0& *a؛7ƆPom,\7Hf6l!RFS)eI֏Xss{z1ݚKYm6X0K z0d)T(krwt2R:уXeN>5~:C#M 5OjSЮfأަ#NSY5Wo-eWog|"QUHpxTެz?E4$|zH/upbBG,Ad6#`Z_ME_3D¤B}<HN'"ET ɬ1vC1-uXB'(ZQ;#Di qwy?]塾!Kba&  k;Ȭ\V7m(tqwCȡX{i@sǍ ]͂,n'\^=_7*`^lgfap8UҒSepLuw ;meOP"*LJ'=\\Ab"aZF)+l֯K=tT\2CX -3o4ʘAî>Iv>a1>gRN]7E\Zc}fI2:w&<Ӱ%& "[}( eFdO.$k DCZ0c*!3kϽ.nЄp/EAAOYПQ%68{*#UUu'sո!<-I^B+`z2ar9WHod~e6ryD(";%V$Ղ EV˜]e;j5 g ̪TsX'#>i) bgHږ &geJQjll օCn֒Cd[-[O~V yIAB @YS!zie[DA2#HD?0!t.{9ѻ)2N6r A{,mV"8G{v ݈\U` U'c^iH*ǭ6X,2EpnQTbAnQcha[pޠVFcNc$uNܡ31 dۍ6ݛFę15ӕHt1UwWY#G9q$ ]$t*B/(SvEzat\P4$v1 T$GNćȰV4lI&ɹ_vc y"¤Kgrs=kϱJ7iO3#՗J: EԹ8L\R4뗰G0qC׽6gygYүGA9w;TʞEu] "qu]^wu͊>7)D1xH6 8:zyōʬ;_a[75( 3 {>|;o# b.49ͅճT:?d v 8*5e6wdwp(`Jw\;U$u, ^ҬoWwt$j"/@:$E(xP{:tB{_)H՘OxnS!wXsD'Xg v@I_DCzF":l\`[/ZȋtVŝ鸪+VK@X!%P7Axx=\wSn'0?:I^MߓvR0^^Q:}Nen4_'ՒD>[[rd(M3Npǘ@DrVu@ybH@ 1 }]Ɋ}X U;cTc9L2 Z 4-?>D,V%@0mcWVz,> _nrK HZyJnˠ:оwV6D@ktkۯNS:;78dm%xϴaKH˚ <1xgׂp!8"\uDsev+XﷸAjɺU{oRX[M0w2/IKx!*Qng 奷d E#092JM˂CU%V ͚` K̂F6X[b&6M9!+Mta5X6p*<uZ?Pm5}#7Val O֥y #SzBnMy50yԨ$s; #VʱUM>(]ga5!/X.A98ދ{Ps#$x6KΛL@zm.=Q:%Mi@vQ,1(k" D[,E/n":=2ǎɥGmB} zىTltS9kk/8AX <ЬG.^m{?.or4m`G#*/ȝ_ZyMz_7' nT'b~n<%/(_9m̳ U[JM 29sk"BfЌC;A 9\13ԭ,?5YWtc \M!B2QYodpd[` ]M ^^Уj H[/C[! B:BRlh'Vd$Dv-sJn[(P+hr;J1t:!+k#8oۈ{u1_N>msh4Q쏔nϚPx=|V&L2P5'jR&{m!9[Ĝ[$s`zX}>s oxAy TQuU:w^ ?.SϦp#ne G1o"u7aQfuurԼ0=!9-@foUYd =udKJAa\h(Ĺ1~-9z HrDwᗰK9?>dy^ MJ4һJUcVsD6rњbOM;ڱy< =};'*'b3LG5u Q+ mA4:) s9JFͣd!G]Zy^P,8+p=MEi\n?IxYhVLA5|!e*(AxFuzW- j׉j%Zy;7=! y9I6)P&fM0zb:$-(hnw7S25+Řn4M4^|g-)"ѠBrww2yE<PLVgcɳixEΤе~睲B{):.γeH[އ漌]֚dSxsgo[g⿶M˜f+1½xU~q!ZH[&"¿~W,W/aMg/r$4s6cO_EN/2ͻDoUqNu{$0Ihv\dC i{! N&zlwan9RfQFBO^Bݐ ą4զ0EWgenGegVd)_+ / 2IʈR`ք!{hDL wB|NΕqd~+.س4Urٮ>eޕ.08mW`eaHV!OB9 NjR"4|k_'~jnfpIqCO ;8&Y.NVt1W>sJqkdldN.;z?x&k;}H{XPD 'VܢCl| `‚hNq˛q̹ގ7 HNJw@&8A>tѪɣun#ᆹϷ.L_Qpq6Zj6Gqv -,YT*38dS1hι$]?4H6I:R"`4XS&)N7zk.$35kw"A A-~eC=}A-|;jK yŶ$L_.!N/\Wrt̴ZߛS}e!Ƥ?N44s?Ɂ-G=##5OU^K ovb4ܫhQXEً*[F,JRX@ݖ훩Jm1ny{ BY ??+s58Ire9XxBǰ)KfV `ʩk.@U?w·(6dA0Z.nâB7A$'޷2'C("qr\ p9 T)T^B3Tsf ͤZuFC>hpфwZ@@c"nm2jqLiѴ6Ba@e7>pFn88%e!(3`dgPe|U=7Y`SӫR|tgX"5|@g4KT3@ҝ }KU}6No'Tq۳йZ>^wɑ1@Mz,0Z{iCBIYlбk]n󤳕AZ,NYiiz-p6ÿ褾4v7(#șj YL/y}b oqt rwNfƖ"!ƙgsi%Y3GP ;[6""kubR+[#Ϳa>LxX`wRpܻR.ߵ9#TT%'LknhxE+xWa!uQ+qpiS,>h]^P3 Mo<>`(vCD<jIpM .{J89ҍ1C6I> ~ГAY#F2E)74 Zqj͐&ִ;{Up~jwD#7dQTc8N zᥨ}ubadk#Ex$&+lצ\}joswMyt(6 mz t/&}:J0 [pQE9/HMX.G/cL}BX@ۊ>qCG 7nX$4w%>r#{j@~٫5*HnV-@(xmn*(:d%gCE}R.%l&g, Q|ڥ^q=u@^,:7 kƸh?& :w(vl]QKLj!!?R7\$V]qT4oOyRgT鄵y;cqWfFЌy`n)V*AJ͊7(J'Y\%?"%m( r e `M]Jk1[)亸T&#vU`'/ 1O6~PhFaUA[V"q>%dE)u/i~͇V(.߆m~M˦jZش'eW͘vuEJk%|Vp{,=ohCی2ava=CMG'??BHߏ[`'Sa!*>bGo> &R_`5EG< x. 0^9*U'bҦq}1=H:ڍ]'UZ]l'`XTps|=zܓ/W}w]n@^[ҡ__,.}$''7,{h\" 6^h%̛"(HTKLµ#1s|}922a[/ Oƒ}`2=L9t@WP L%,NH}Uhexgl#6d9)XnFgBtP5˟EI-'(^ş,io?Uaa7gg[c0()3FWՑh,fxO!QAP&%錎ܒ3})+<)N%~`^Ϳ"#bw>0h%^ʟ$/nyKfHGIGR?GŅBNzB=)٘ uf$:Rk{ FQD]NR3& H$0͒}!oFTTN\L5  т|OLQ=n4@-Ir=,!?^Zz1x~QS ppК&f |-$$3҆˺OU'HwZ("gM$g~,@RPl="IF@E< . ZZ 5եjf{ŹLq^ h?+K7X@򾋊,#(gER׃$˂dgU: t:ᮔLCa_ѭ3 k SYXpؑڐDh0(#Sz (QD[#hiI q޸4:G45f!o[bSC^$$fwMqTf(O=zOe7D}UZ2p=CC^Ubj=^ZABA|kL* Byˍ8TSrrs,Y]@^neٙ+&1 0gf3Uű#=/D}=Rɞ0,WQڋx!ZԦ'IuT\am|w~^\O F֠  ̒I2m_1fs[8a .r8Jݬl&IdC 'ZL>_ُ*&l( '7@s.kBDDθk'1`@J:濒:K~mꩈpD WAbrKt6%*R3УIcI燳NTx]PWOY3dX2ԈHsHSܔZXv1@Z 'V994QTq{_Qo#;R{٬ P$>|U[se'i >runԂ :OK|i'3T rZ' FsK:Uķ}T;(1lWkas8ѣxS BL8ԍˆ #lm,B2: Ǟ~`Wٯnr| r}SUH_6tb _p;0փ:.{' b2{ y=LعC'9 ж~N2] 0nRwnPi0T+h‚ˉoq\&>~4M#wyJnu6 Fߌ>iOB)R؁Bl[PgJ9,--  C<5| &:zD Xo,o(z,[᭖3r{γ>"Kd gKcJ96LwH+bʬ~Twټ%k50r3KN?Ip9N#$TQKN`.}Kb'C 1 r ,wض[)`M'(6I|ŏ-`aOwَ~Yb.nMŒ$rL!"]%{4+1R'^vJw%3T,Eqg{F[]`!\= ]q[P#N"־a"3_O zsR[%ȗ^/'u<34l; >ٝAp:NiuOZn)5Q8m_&IAgʿt:ՇQJwu] 3Tyg~v^ HUx,'O~1KHC]fqJi RڤQR$r| M3J'b r2H,8} '@)cigglr>e[f9 w,7tKYYv_ {LfRH2g' q<'-֊\ Qtaj+՚i!io7č́۰݈ v{ :荔 (uKF@fBu9QQ9hU10ZZGkTm`2jHI/^ٹ: Vv qR0bpį-Q*:L]qvJ,l:wLk5[9 ?yÃi`ݷ#YB@Id!=N xl(9YFmUx%I3;[el=дs슴}X~h4c~>J\5΂YZ vN^Ox>ZA^N$ɔ5>FT (pֳ)jV=_AH *$w_v_/WpB.(fOV\B\'Ao&GtUp\.Umo؍Ksi{fuv-SG^|sdq7O$|dJ>z,GBZ U(e>0^;frhI qLL,$^[|P|@/ƒxpD(r9dmRI 4Uwn c)1WS%F[-OEWhp 9G'cNف]Z%,gin91),[Cd]NE@Zޖ Lo2)S[ⱱ]i[7̬I)BMHI y#ݐT lbAJZ'qKe\/mQTiKN#s$L{KݟZ߹)KMV}2yߋa"ePu5&ˌi *Ё(,-@Zի*i[kA $ܨ)i$:vBTXE\pƳ=:N$ȩ2dxK"cSR_Z;@3E.x1X gD2 ᑏ ~G, ~1h%y<n%2>Böy. *iZ\|̯vnin7_@nW;P;^ 澺=Tޅ 5.<~7rac~ve\{!,=O=, vJO#SSzc8.^e9F5`2B{N¢mT<{Q5^ P!!!AiM 5|: #j*Hr> _=QT+/4_ʁ ̹pH&+QhIzJ #(c1)h1~gr(>.wHJ{;Y;|够hyDk<1b ~vwX81H,5J*}2:I‚#7׈_y=qrl@G.$t|~˗,S[a nҖG0'Wcڥ!d wqF)B'GU(ؗ˭gYigxlWr8I6}x9h\?k=ahC*w9o'kH- 0U[ 'p;7ZC3=ns~[ uok@Xͷ^;JYu 96". ]0±:4?'G'GxZh٤HNf{\Zބk\:b[n0p'Yt9"B:-1Z3d Pip EXg]75p&[P /#zJlY^NlnGYrvXFU_8wcxǜp]%A:ÒB8{Gj]#U(g32^Te93jj m~F4dLK =a=?͚1AZJS?dD%5 >(Q^?TԹ-c u nS{19[ (!d ǣ6 ^|iylX@4N)L5ܖ) /tGՈ! eh'MΕibu~>z0ntn"\&XXaBjtezxNu /|Ux 9jɝו:<"L~,+ $-a2LP >tA˿$4^Sk w kUؾOS\ͺH  KJةjT^&CQF\$5PjM{ĀӸ{֗@jbQ$<$k '-[C%LF`;*9#%>,ڄyumtE[J?]gvh_ Ť`jʁTSu#Z_.D9ky`H+!6'S#M˥ࢶYbHG'ӛٍ4ap(ڕAD2NW9Pzfb繣3fY\sGB$b״G̗usY%X4cgL&bs}m}:ZmD/ iH@ wbFA-02WJCE6ͨ^R@yt[r5sM EL[V -7Fhۈ㍄B)L ֒opp2V K6G\;P= @r-$l9.CPNJ("Z}b9!xؖ*ciS*1?@w')1+ p s97cY4pf$0jV⊶4\ Ք>-2ox~2.,:Ī~vʣV9dN>;E?q:m#rRՇ:eDovhIKyTHYt߼Ӌ]mG@W3iM}g!NhӣtOdcpV y`?]={[YKu{P6w0$ eɵ9M`FS^;wL@McYkK 21]M7sJ|\XtT?AAPb5i{s:gFD,QjWGa!aH ]'YgZj^uщpLB&G߹DEI[_?SegD.ߕŰ5P,1@ߍ:p\u@ phT4l,\4y^ce %-$ dDǻ 9C1[F_n bM#dY킼p G(NNL \bi<|w=$$b+*3DSFD@HV,9GY,?2`C(zB. G9ZP HaD9ZP9) D}?aT G KÞז*JSdə Q:VIӯ#lׇȃʙN .=i%'@14=)ZNXܸ Fm"m62Kmdx@}L\|$m_M,g-bKzW` rr|u%6;^q1=3å3(n4A?}/'dizvL(aT=XUrM.cFd=TN` X!g#4,!&/гR0Z ׇb^ʥ%v,D"w4q?T7}HҒ{j+,ҢJ(elM1 CCkptB}%#+-;A:JtUFrQ9%7EE`r'|t3)F0V A Fa /gVX KCwK،ԭJ(@fYPѨU $ OzX`e+v'\RcAhB$iF[x>TLFdPjr2uދH`[ tﻛEM,2D<z"X. T}zr7bC$ƕNک3_PYW(r*"!(AWX[h!snӟ6\GTA_t#QHOfre֭fL >.[bٶitI1H/ċb3ulaذ-K{`ߨ턁0x/-qfURst\,#2IV*-tU&s<Ԡ7H^w=Om=1r5-[>:z#tmBIqZ"B Jl̙qh^aXH XQhsnR]2%rkϗ(y$벝Y@/U?\$-u\.eTc- U,n 9fZ-elx | ?D ӮJ1Oax,]cxEBC 8dѧ$4ZD1 :IBI1;[p{dk# uVBEZECGǯ% &7P`h`UDE_[hđ p~Un{%T?̌n q1J$Jwv+x`"IS7d~e5[BOskZc90-)i@;ǭ.vbJW-kK#k4C h=qf+{Qgx=3Eof!Yp80wUό)ۊ;RV~@5x4 EUU793yI SFR擼ό8#>ެC5F?mAj-> @(ZC;Y-_A=};(!? r }`Q8Af*"]?.vFO-![V4`,3ucb]5;/2d0/;$$^OzQeP+[M*ИiRkY2egHtv[YY]!(.,Gym{sGg⚒$ƍ3hi%E .>xx/#Ҹ]y5 ߧX8-?~#ŋGls+W}+)Qbȯ$6D;kJj2z{SGt_i řs$@+V5 ..9eA 8j}rZyyŹ%1-^ow2jB]b( Y>Eokr'\,ݻBhY2IԔa]bqMqPp^tHJTTZi/ᤗ^_Ad dU ,{u[ѨRyW>fZ3#@ 4֟,,N _UPlDˢ`E!޹=5a.cYW`#9яDaIZݖĥ1N uR9@E,\ S^W~nĸ1!7Bؕb_a_P!+7]7fY1"sł9xsY/ s yc##ah $cZ]tA/Nr{#(w:nOcR]2Jb@yBȠZSf#ioW -(?ZTՃTmk9#9)1CM+xݏo%l/ºeF}/G um/4Wu^˭428G ::N~'g܄'uW 6,(_;GoU/dڳc ao/4Gqw 9CƬ6V $ gC Ar5$Q>lC˽' ;OxU7[>]"0J`bf鲏>>4 ޫnl#e*⾾ЗI,=7XӼ>~|gx{)r t񭓐3Iŧ^yhLώP}dR4}[нz.c#A4\Rnŋh=gB$KgNlt44Q?? 4l$d"n7{4i1**?{Ȣ?*nß:RfO8ø!Y& WPM1Й'LHn0XZ[6Kڵ, 6VUQD:)pXF&GQ40HSPq%bHG-7![A%Z~Ώ_/ Oᒥ6ةP]A폧ľWoB`*~+cK UiֹZ}<^tbێt"c%KΝcXKE#33ܫzNvjB."eY 2p㑢c=APS4b .CqE[z7T.Ckj]:4C30/ѪAdÍ&(Z欇7;#/V#W~7xA+ qadX=:0K+KMBM{-#sy}7vKsCO1bēF};|gRdZP=NH{.bUҋ8*@= ] k+LwW? !bΊȽu/1[ʩWi6e Cq!9<6ײE dm4C<qK̄`ޯEeɷ4IpN9q3CW%,qu$O]<҂@;z8/=j*F2A# ;0))۠;l8YH0t $Pv\Ű's/ę>{p6^޷M]|$}SB,d8IΫgDgAtk?ğAG}HcQb+'Ҭ%:PIm$%@g'k@PQ2nȓ|PoŎEvxqXN;f[iG~^3o_Ex#p[pr`ć^ 0~⢂fGw/dF%5ҡ@'cfs*6Kǫ X`S5 5HԘ`.x$#9kE@b\PZ[0A >7Q0Li1XlpL!k6NT=[22 b#i7⊡Uq%d #0WL$ɠr  .#(N2NzF0@C}*#@;N(W Kl_4E-zU>Y4R.vB>8U9=I!NIϐz@X{e0l'W)\j0:9&aN=VwFnjRa7]-9Lnͼx)N~w%m q,LmFyZ_& ?L~c#tsfK>Jb(4z'b(jhP`>!:(\ Z`@8tOŭ_a&~2u̼sC8j~ݟfK=0وqMR\uXCZA[~ed ύjUb~*{bV C1ڗTz'AnjgC :҇y$3ݦ:jU- } b{" yዲj]b4C/dn%>J2>QmCzX x1 S`fXǒZǘQ3oB-ӋU}IJuԥs-1 ~&N!Md x߽A3~n^-Y XaƔtоTt-3G{Ab0ŒqeL^Jp`]_n+n;34-:yTcHi]@aBJDnϒ+Zb^ܦ޾`ZBqp BZ-y5cPBlD7}|"M eH7b_",a:#z)pռu -U-ȴBH^ჼ3?|egi _ m)+aPsRĪ5eFzj#/<-N 67:VfɊ]xI FY1 )'1;EinV$EM)sCl}j݊1(e/N H暚iwwġf1b*FqUޒWv-B,],U/M@$f #funTqZSu 7b[-P܃"Zw7d͙PP?$`P1ڞK{-|i@ 䣽R`l30v aⷽe)ƛUijFuaNfFL_:Ɍ䯣~حypd݆s?B~2{Da!dm0  u;;O|6m%zWf)DKQ)ҞyY'EnثSI*whM GШh<2k!5?ѽM2p9{swcJ'a@' .q.Bo eErV#3.jHT\8qG4E F?Y( lH  '>n&5X;|?zj*W6C)IF'1x?B) tm q<h$/U'M 0)WO ?wuپPP1eUڐQȜFxCMVWo b+_ 22~V/CPD [N]LA3rpcb" u\[TzZmB!z*u浈<2e(u58# cZ0#ro~Rڦ?\$>E}qC˿L<.kJ׋;4ttXüHoñv]ӛ)Lk(ZfI`fNpzo"n(N,ornGټH>"?[.VPZ9Bp+Үp4j7pn++7U ܽ^Z [h3˹v\TTʧ&/Cqԣ}:Q蠿rP mEJ~+l#[p ^ 7I(\(,5qh9bDƙwP&8F/ihmcD E3X|{Y tQ@}!ssTYA|n &"Vf$S4-;89X9y~`e&JaFt$3ߪgzDҮn$w?ډ&gz<g5 hh mb7v'hwlŠ~,M<[^r^vZh+}djG->yЏvH%41r52 V:6faL_~nKw\tDc]d=7Q5x?ԝ=})a|~TH h1_lk6k߬DB[n >tZ8Kg~&(:o(&6+.tycG1YfJ+{Xm9.ϘyN[{~PjrV2rn|ICi p"rաsE%&Y9JW;i!VR‡BP3OތZD r;Br HE;#dJ)m[Mزō2DZV=4\h<:\Ǎкs +<>QL  m = V'֗wIRHwl[; :Z5'S:L{@s.>hkw$e^%iS}jwq.j)o坲Aۨ"_z$$$e+4y&(F.hΛ(Th{1ϓ)?mςnlQK{s}$qOPkTq䪝QL":fE\ԃeymuHYe@Hf `*MZwfr\b-0]MȆ [ke V= xذ{G}qxy2NC `H"!/ (\.n;F[htfCy$ ]L4OQe0VӻAzT3TauY/9G5TkU%`]1,軲]o"|4@ٿ>dPk w|z%ѐ5;ڗ+X-κ|tcoʣ啁:5D9MK|3wRMzz|}R+ZfE-~_ab/5`)s2d.2.2Ĭ1LJypFz|%> -k-'2!<\qoWS]S sy/b(Kt=Mf]r-x[{ \E ҼEȬyZmmMHnYSZx0Iւf٢nDBbL$XoC[W7Xz^8B@%wpeQ] 3MM] R7tKYh:MPw%^K82Gv?rBrC(JrܛfTq:)[" ˟Y ͑|e=īamˮ.+"N~>ߒ-Όܥ ƧrIEǹQ)w B臟C7o5-/S 5aO9 h4%|DTJk۲&TQx,GQVBVQh*ԉׇ* +gfCCS-R\Km~]|Qڈ?ÇSl^zڡZ[ƸZȍʼni*Y畯TE0ܶɈ+lk* ,(Оo+Ǖ<"| C9]IcUj5ECnwǯ%"ͨ|-yʛjgWL8{\.+`pvkԩnR1Y=%Y˱M@R|;e vl%k_LېvrAD7W'6KrEdzxz%GL(9WXz$mi*!I9kb83s~Gs홭Նklw1y!̾~0v!SRyT| o~ cbVE20bFz]{dpKx[ rn=ݛ4mNME$\U:l=2ewJ*Ԭj);\e2u0UJ9y֔$ țY@#D$1M?ua%Cs,AN j'XN-p bn̋뿠„3`c7*6aRqfBB>>hKQv$I0ip#Ў8kQ ![cl+A$C _ V?]c] G9wF(1x]6Ī!'=l8}t??.qB,{rvؙIҐs`|XPv0WuNRh*@/o?wRmx`sɅh1OZ=x9X<7 Bƹ|?M]עN|UQhpitc-Csy[iGrwf4D6`[OHrꂺnX֔Nv ܼ& 7KbeӔ mFlm 61S2:|wr!F =uRkU{ld}GFj2P^Vy٬Ov Y LRԊKwfٞ`Dp:9`Eg?^%>G?9pDdx3?#d#Rݻ cmWM~4l;cGyBpL96u9B:\1NGRdd&Z/0EVB4}6jw~Ul{SWZGC{V5B0Y*\!&]\?-o) m׹Jψ{ ΍J~h*pimMB(m"+0s$;]Jql-Et;i{3|Ivd`X[?j<:;kv /UE~$d[)gSgQggRR P%\̊QЋ7xXu϶qBm~^Xل jFM݄&n s|)? *lc?Eb]5+^sEty+p|['NaWc5?I1H ┸27놶p~"0xߨ 1lqMIq4OJ745:\-2^:lY6 ĀnZ-)-#FXaxm舠<.:~E2c]c|e"g72yw+>Hj78rtHLAVOK?,`ǹ[B1't=H!/)Η xѷ̗V^Q;Htp3ފTE0|N~yc55mw|f٦H'q3+sLӏ beG"~O*Ҧ.@dۅ%+MT! >8u_RlE9bi'뮾9SQXgʉRWg"7Or.=Z|I^suʼ>qCJ1.g|mdj<Z^/h˖aNB$ ˣ+xV\^_wT.P| =rP0On!(创~Vvg:bꝤ8㧛QQh<[[W=ŋWdf'4͏Cn5xwR"!@jj505Y`Fr{bOk)fsaM[>!--I<`$t܍T Rf]ٱbִClPQvN bJf!`=i%6Uͣ>gfi0ÐpROz֬-7">UOSh$Sjkc㾈6Б-U&BD'[f \w=#t[08,~wˢHkhzM׼\6Ow $9,qŧN4a32emo;,z}?I"FX ?>$YFtX]۞(~r"&fpW!W{t?Q(DUۺ6 ^_rz`!XL!ek LpjL.l!:hDng 5eSf'08dž;\[ZxM6"'Y8!b[ۖZ4ZוڔVN m|QT B_jWi6/[H)u T#~8RpM4ŗ: 8"2-w-$qw3lk@N'egDΡeg};T3O\Rd"oCZ* o}|y$hn3I/Hި#~_uVV"ҲuJfMB8T XfXyg ROZZiۦ@&a( $_ M9_,C5$ Ju4ERLֹ<-Z[{{OXe ?27d'm~1N0U޸evp`RK&AƿQOQXTf>Y""FwƌZuywVYPYN;>-]:;ZGG,\&1t}j<]IB.y;nKz]YD/+J, s=,=Uwh?F L%:a_wy]ޤp5?/MqܸUqU̢ӫ-$t $ys3gJP>1aO$ce9}Pf jkh ^b w!P]\- y?y(T\Psr=_Earm,),^6;p(vtTkR -lyZ֎< Y%^wpLxO}:{lՐ  Xa٭n-LU!F<)_du_g/Qgv#Ǟo5j'kυ ,lE(o-ɵ FȩӆDrd(OCBoR057z80Źp#> ; M?EQ?^IS6**6SIIr橥F8icDt= R]oOA/H]X5{i `mK차XXe+Ķ:Ó3n}%3 F)MR 8N1CT8k,pQgZ /Yli@Ǜ &!bU³ "߹ zܽK( 2|Xo;h_!Kت5wsׂ@qk>纸j:6:P& cTU4Ij5`̉n=et PI uK^WHJ][Ӥpҋ F [jkU@ 2S. V5Dj4ZJ'm:.>|(rs ^>`4%f(e]T>7ג7~ʱ] tBW"5a{Pep%^{a^C᫦C\;^F(w{VijMǪڤBcb䷅ @ \xnT蘉U-@GM -rE+1cUtf"VQ0HmEYў*c.&r4cĪ=Nn $H/y;7+˃ J&Tn!+?F <60J n2B16vR8 ɄImPɎm=!b%Ƴ{6OJ3v܇q|,Owω{40 c(GJXgbjȕ&d d]#d$}{*_fy>Ǹ)]98Wt%.ԯo\DffX85S\t!9;BElWBD:|DF-%:43^(ل2D 8UjSU_&VFY_A2h;ks%G7;V( i<~Uw_$3M$}LҝK]Ȩr\UZRo?xलpCkKƍJ'XEc4~Z$( fLg g䵖B:~=Е(ty7.X:62M!EVqu};TTCRJ:q{:Q֝r^|]7 OJpѣ%K+w\j1{Y& ~F[XY|-1n;nZ%1 1SO:Zw猥Nm 9O^Q N%%2c^얬9Wq]ܜcծ2Ё5ZaŢO<*SB(5 ZT@NZ`åb?UFáAMl?6jDeą* #mZL%|ϷI/Rj&rX{')Hׁ@O&.[ņjc%w-.B(py;&=Ɋ7e@s fT9h\#Kat`+%(5cM@44.ffqմx*zQ%<.Vģ_=ֹ,X)iMFk<.\oߑ]"hdGdi%fOG5^3,A2yK1rwRk)7NqTԯv/Ds&54KGUu l.iLKq.Z1iJ4XS5Otos{ i);vXZ! xl*{#`%!; V;5͗b 8|>TI[ 2UGo1С@c[L{kLfq4`Hk;R%roҳsip‘y\Yȭ5LT00}kK0x;>h¥օ ^)y؃iD d #͚(C5Y5@5>w4!(4hmrѕE]лz% 7c=oAIWNa0*LXgY٦u=G+Ng =@'qq7նʼpBBʶ+QtH!&%``wP@m Rb^S}?[xwC_!`D/ `q*Y=IU<<XHs%vTCHyBeB%Zb*xԸ=k%3 ˠh5x~ElNьӈ֊ɩW!2lfWzZx70#ɐ\=u3[txdQ [FqvӐڅm&Yͭ??+$mm-bdr6JML!V>c:E=f{%9E9.4iN|gt!;nlE?wA"}u(¼+K˧z*6(vڜ}]kwۻ2pŮy3--7ėR:ܬD~KAL;qZz?^0yJmZI&۳a`'ʊ6@g@fi D}mZ |QExX[&6}Gr;EMxUD#tY0 hM/Mm&g|OLH}n*phprfeM6! NڋFnV}r\Ǜ+DȄr"a`Vw,c]Xpg/"8IU׃*Q(sRv+iDЭBV%?[l28 I, Ow|.o)zAdzڂޱ",ZAP͑}BYVZAL(홐M`4Ds{zs( ԀTxc! IDGƟ>N.1Id{oz[wbgy{WSΛ(վR>߿f[tբ2hz#BCb2ec` 9O\a;K|~5&㩣TcF;urW~6H: >aTϽi:om;aחD¨$r)uO}H9)ܔ%-7saj/,5m`ޠ4Lf4cQYUu-⮧Fb vZƘ"j1B;%~ǽqrɜ=Bl @jS+ۓiC8{cotܵ|š˧ABF&];w)4%T X|2)SVAQk |ԤM(|S#y?p%c[jd -N-!7ӑ8W**|cC[B0g*YT7gjfe2uyNA1>}t %ˮw6(z$D" X<^-lu Yvb<梉wBzzB57 0{r&NqjQʌ .T.Z#pB0'ŐVMP$F.0n엖L<rO&j`uF]f!多u=& @{ÞP(vUֽ`9uȱ5?cGS3 {-𵏾YS},̋XC5$&Zco ٙ&TBk_n؛M]&D :~9+z [ekҦ@MZנ;*3I1>[;*\@-3H诿w=tXԟ ,pvI.ӂv`_5|r;8k ;mB_WX[>J!lqy-]0߰1'lmҦj,V1 2 =#y8a`Q[* SD}?~L`<{eL3)! wli$66^-q^k 1"X" l~%>v-jDэ3n JJ6־aꞁM1(gk-VΙ8ntaEJ6YF>Gڊ li^r XR[諑FN8_QW(#>`k{dѯb\#/1R"Z-Q}ˏrP*v9 ;^:)YlY]8@.ꢲXMط(PVM/?s,⒅{OIƾ9D8(x W~;Ni/ssy9uL-HG׾1SN~/3{嵍'5F)cJM\qN-=)LfIwu\먐Xo>7x`jWF3&$aߠw kގbS:EIO . tPSoKp`N_tvŮUUH N{X[z?Ű}3Olv\T3[N[VVߋjpoiK}̾WZ?Ns\0ϝ6[\t <0ʐ$P%RtbLM7CkW[n %G$ûPKE%#/ah˸TIQ~Ɓ3Xa+yy4(ꍌj3Jrf:#1}1?8.F۫d=@8o&Se'B>R+RQgt,#[qP44``oh,'ہeԶR] Y.XN k`rp %2QF*z"IznzJ"}4xt1s9 ."}7~`ki~m76uNHfpE܅f p2 l-%FQ@!m9^RAG컗imB/*̼kS@ 媠? ̰,W#tFQh0Cx +c|y9shiSzFR&dp9ݷOZ[L%o[ }hCR7ZKUMaF]|fPՃܤgo?Y ύ__͗ffzRyM6L60[~[6La0sIH0MH o&ԳF"(+m={E`:6Z,w td18?C 3xY~͑8?F.VrO1~L޴Y`%ABO3u9^Vo.42[X'jJG6r8Lu=n&$Qnݧ$NM+ra* c?UEk \e9Ypbg'ڗ|f/vp f[3/=sD7Fu6R^qG4r#'+'U ̛[N6"bI3čjs.D}vIG/#Bz!/U4*+ǁ$N8ևΒ#մ@tVWZ~69u\~!w4b%.Q"Hݤ qBϧִ+p偈C~c 2<ה/uQZ㹼 2qX0= 5z,0em:G;No3UzyQpWH%Ԁ?[ҏjxz^hM,l65<8}\a8[hqQ!q,J/>kg^SmA٭嶾}Z ^'zvSq 7-3kEmx9ʏ9HΌ+@6&^DyIlnj7NN5c*uN&XHB4Fɝ?C]k178|c8>UC"$tB$ݢN$>'Ö@ŕA6k8NθYG?f[Z;v1DG%wg16n63C]CSsSfw2ofoxrO:)*YJ0N!k\mao&15M Z3ȺG;"'6ZKP[]JM`|D#p4E;YR&֨SeNI?u}vT39R|wʙhT_pmr+Cqî%I0Lf)1ZjNTF 7Wnqd>ga 9F#P(ke;)9Dk([[XE#Adgo;#?:!aD,.諀_,] Fiyy&0r$a87"2i%bk\OEƈ\C)}x#pD2S7F]]Ow7V ͩ/ƢѪߑa.c|nq;ӗ6Ia;p J] v#9-i 3¹HqGs0]\csҴ;lOك:n Nw70b1ފ_͟87([qNa\4Rn4/X@M`#"=w7v6Ya̲wPB3ho!͔=@!. l ዞ̷2(&)נr,үs ֘WѾTiljJ K]шE5R\ۅSH%–o1NnZ3<۷fxq A+R:(U3%xqu2^T No@mU4Tw=P+hn|D*rYhr 0~Cv `cFMdŢa7 ɂ1;W,"g}`:CdL^h@Z%x|'pGb6޿&YDFΡWbcORi˥DvJq|̮AKu{a/l.r`B26-K?ML+9!MK]S~lY[C1%Oi"llKv ["pvk8{#=DYԟ # iNML95ua 5vc ! wn+IYeS%@:2e?v֩*eWMx2[xі޹\E>1XHihHm,]tb߻ !Y}21um3-[,{(Q]Ջ[Ga aҨZ TuETxdgd gB4bٍtx"Npk)DGp%~_]/@َ>V%{VVuLhF)5<ܒE`٠S㵥mb)R8h iGۗuİ<`|YѼyZ8WˑH;^"i,FwlqIfښU&4HWS#H\z: KMaPSmcݢHJDx>. 6j +  ň)@QBVꌴV/)ע#fr@+) |=Ok#!IX{V3X()J3ULhʪ>:eE Gq֭s B^|"`I7n:e¸+$2j#yhuR." 09JLvSh:=Kvt`#T Ak7_6/*^U{pުGk}E5L1ͭat0(~Uȵocl6ؖ%,{lJzNM"_ -Ma rjt,}Dy/1@Oݽ^!t`)PYXh8 R6!djH]=H.-~f,Ko̥Ti>\i2H?jh{?jfqCdP=J̐OëL@KDqB~U`b A   BWt1,i9)56m]Ճ0~ܮ !UpX*b9 A7 vl(4:&.+>wJW]cL\ڇ|AaQWZ -!d|*.ף냔 8((FZ'T':rNnUb֏xݚugSl` S/\ ݤ1L~ Q ^F8!崒,}2깭N[PQ d6E!UD Z^*K!MF8YFjKUH=Fw-e֫\R5j x4=$u҃՝Maa2ѪGLꟻ?Ԏ %Mُ=PLcl*Ugb}'~OS,[k&GhW} 3W^ .Ӕb MmYF[U4b'st{͠b 3Lp{vJ")i[:_C*J'-b &S-/yj>Sőy(C+$ňX<}]ZK7?OdKwCFuܧLj^ cyG?44%~8{ΝJ?Y] (ms-xs7*A pg\]WqVw$R6A9ӑQUakja%AVzIh( ~%$sVZ`Tn[{F׎eBRgH 6; Ce@Oi@yJa! W O}*b>fDI5I +O5Wp}}4Uhx-gM8mI!!)D5N[@$736}ݞwln8֡fgxs F2-lLe@rӐ)OWN l4kVQ0"R+мu"&S :Pij`Hߣ́Fqɑ7NiB(/TE"9U)Ic =HSa`*RG/2Ih5=ژc<+|t Qi܆+&"hs<2FwޫNLb|7A|s X=nŎ uT$=3 |B!,/G4kܦgd@R(%_!84Kyq#0-}m,_Ǥ#[W{'H`kaT:ߟ d釃rQU Z֥9oSLglcc;$=G8nۡ>yv\G 4(K~7Q=xH/YPZ4 fDŽ_a~-WC\|c]6n6$X 6{ݏ]j,237ʥ@~/pK(x5fɘ;6=ut%d2' m3}VR F0**_&d4ןR3ӯɉ`) +[4H0ͧ5D0T=Su͟S䊉gU{?W")pgKA")ȶKd 2ҍHσ G&dt{S4݅l$}az= 3۵h!D"|F-/<^3,ؖ:8$a9>CtQpdj}eRdezTilQ0hi_k9(&_rA (aWMTO$fn70qFK:u=ݗbuCF?Pq20FCj\˽Ǥ-U7kߙQ"t"Pp(-CG.q5#vM|SO d:QN5]#6x/z^;g@ߺn sjΪѥ-Hx2[K2/nW$#X|:^?HE+Pe,jD `\.J})wmh((vH@E18=y)@N&FP(/CwBwgx Ćsf\0DI;h*U,r3.K☧MH[s}HզꧦBkѻ8a%`)fCZбMsⲨb2[{`Ѳ2c`~mg10p}{~bsNqeو UUWo@pEWqu|_?N":}Ɏtv- Xq]t2MN[[_4-_?/ _ϽnI2UNyD%{"{@"FٴMTPi VX3J1#J=յ/B ڜ pTx0`b{yV1(4HoRow@>*LZ19kj z&‰7j$ۖ 3"&]=r Q4g :RvֿW6<BOY$ET10J0]^S̙ 4փ4bhZ);QWn37}F47;M4ÑGzE}y= -ODX0 Ɓ"UѾe jʛGiX)4Lڎ8{+0]5[g\S=A@!W'Lvb䘓 D6S~ʳn+dq U_`r]ËIl݃fcm;_x A^Ix|s >]:1w}ɖamb/@Ӗu0hlF1 !:@}iӤ+Vx63~8w$Dt;zzӆj[}F+eC'=H@N$=@r#z`pJWz(a=SEh-<l US2D/$y+?ٛ>vvsvń쯳qH`{QЋ0JtϛqxQp83k_p di$Wz@5Η/05RN$[[3`27G{x}B!nk|NX$@-j1{ݸq-#ꪯH㾕Ah;(zZzAUp֐ljItwx\"GjKuY]= û='d $S u[rUOSR-Poo*CQoq\6.հ`a!f.0K0i幏8(F_L +Hw|[,S4r1KG'No&/|b^(P&Ql̯+b@h/\j!9B}/A:Y/T'-zz]ΎZ'xAJxdvf@U~mG)S #"ޠ?GFh^+ aCOYД#Q}!:W`BW'5t9/gJPuM)J4}nhh_9]p~‹vCNiwÍMl9fVԃW DC"Os `ClR:IxApqn+_[+t$UK$Ѕ8dUw@)S2Hg< z|Vݑa (Vl/M-"Z -kGO2V674@-){1Kf6:I QT%B W>ȭ³ad\;V=]Rrw^Aܴ]v5*7z̕Hcƹ|+H::{Zכ $Yȁ &6-Y„((`'frT ,Yif& v򙻼 I(j>Of3Q7t9#Y iښWs}95ЖELjB@wgBp}]B;\9 VV*U*6V^׮@xkI wtpozWJNlT ``@B0@z,x_5= U`BMʖWB?8::ܿxMY徿4qgT2O@hH\/U$ox %<^I>ucrs CG~XRvhZ bWbm[lt #EJ[ODZAL,$"k}'4-.1M'E{~1XO &)WM#%oD:"#X--h̙?HNܳ5z@t笝:|+y a5 ե w 9gQ!&se5XÓ_-4(!sT~9L^LQٍ\D5ԽEKw7XA(I멯D~V$"I[ewd5e$$Xw'HV̔-oz^R?;ˊ=}HFJSۓZ՝I24, j>g-= /fW%o,kA:?NUԽ[Bt6Xro0 u:/ `今pg ӝl[R\ekoԼo[:X4E&@XeD11W@!`z5Ʉc`PSD;lx@|69^Lc:Na;dLM*"*XP?PԥQ `Cd QF|=vB6N eV{a랫[MV Y-ܹs|LrJhe9 ðth鹐K jq1& :u&v/)~Lrj7\BiȕCVIƸC=]7h9w7Ll4Ҏut1!:0 L$.!!ǫ4_B]h=RY "c\Ef|K ^de9A ?2NJ(bP*0JT5|f|` >aYqntۭ6TxؕMhtxJi e5-+a2'3Z>nN^\&i>T'rJ&~ٻQ(u#Nk tB^l ^8<4$bLVҩhדV;ʱxeTu}01!]J\;h?n04nkKNMaK/dmUnd%VuqMsJ IG`)/Y;H[aQ2yeOEH7xZ,8] Um4PJ4F2iOyijjDI2McY;7d_ȵjcU\{YmQS6CQ7]wi3Q B4O-rRr c=آ6[fӆXuVLR{ ﶃA==pzrwnk_kuS1,?wA"W8$My[DخGLN?͐A/Y.XZ=Pd!3jz_n>;?Zb H܁R^lWYx9:=ALEa3B5%PPl, g&k^C3aZb S!3- ަsKU2OsG]ulMvEwp`KbգuLyP}dNN,2OCYR͠Zbk3!2r/qbtqCt\Wt|Y ƱiN/KJ,{Zkh 2h ؟ BFlA 3xK1P ޘ76M`K&byw`qB6v|@һv526hBtA~VSb֜Ifۿn*A6z?bnέG5r%"2R]5dH(c/؛3+jiIf]a-2m"MdsgXbdGp<^RfCH~FT-ՠrٰw8q>eF4vF5Y/ Zi$16݀Tx~A[Tz=Os UN[槒tr#NX#kiv {)A4a4|4K*ؔOo.&Ȧi 1Cю X+qr =ôww39:i"~xr.L{ogRLN5h8+u ZHy./u3m+ _䜮Hd* >^ Q>Z hWD|IyDbZuWw2M 8+e9$(bIߨE^wLG|`5zDa| ׳>􌎼 81Ҏ\ob \!@Av.[Ľe9x(urXIm#A`$<@b)ln4w0qd~}ޑM~ReBZ >塘ˮ ~.W1_ fT{D0Cj~DKNc!އUUD6:f2oe+ 3#^w)A¿Ɏb<3ߘ+.Ar8[^uޙdʸ=È]uqz>P)u%m=SPîą<8&X˹F<樇GOan8ia @8Yc]h;I.*0.ѧ: twT8^?vL\\\#fМoP7$4(f=`-ʬc0<ص%s?u`$o:nM;6fk4 U#^QU @yercWa}tKSK={T݇0{[C;ϊ&@H@~0\k0J!yjGOsǒUpyũ :"m3{LM4#r1Ae2Aa;f mms/'2YKE-X}mxoPDNC_V gӹI>L%'h wU-%0j"lTX.;Ԍ:?\C9$3vS>id磉Rw`Y WlkGIMw?RQ; >ަnIpEGEDŽ\&x7buYGLm3;n~1koU10oLoԉ[%Bi˧ 5䡅g>nyؗ$6[UZ4%,T /# )YW3GM †xvG[i:xMYl5pНɺSτ1[ jn5@ثǠD7tR%z4\a bmRʿq#,_湒=+,-گj@uv hGj !m7^׽0QgT~%V8ۋa#7+.́ zxFF;S˜%ʲ k`=枊{1Zⓗ}~,V F}x,<; .!J4K~_k7p!5kSb18mTjs/ʦQ;]װܷ>so7x;FIDX:RH1\c8"XRf ԟKsX S(A| Q!'gsA)e&t({MRՄM!*f_tPCz4_Gc,#-:b29z]P+1R؉ekq)7(`ZHiΠw* Txl'>z\K칿!k{^%rGѐgv|FnZޙ|zla2j\(eH)v9IDBMfFRWȳ M "M9/EBj?-xhg+3Lnum2LU`/l#~hBIfn#Ybb?fɳ_25 I$FS@ADC DG~(a"iMgD9Ř1[a`c:/ebA2vԈEUJ[˼Ь ȢQqMC#9&WӉaX&3'L#y) K?1>~ #ٳR/95LKڙ_~$j#0=!ORE|MuR-3T.kP%`?tLkyNv$_|>!^A oqyNra5āXY}v> h,$[B>redr&]z|c88# hnrW1ɚ 2ì,t ʼn) ̲=+MP{gXU:?$h{:)pXPp`"-\8qɛ|}6อ/pনU#ݗ^.Ojeڇ֤)QJ#^G? +:nQJB0w ߾5~Zbb˥m(xN\/%.k:͘RLiJQtj|n#aX?P߭v` 7a&c+k<>6 Jf4 1rJ9zɋcT36*#򫊨uʉ@4 Z%ljLJڢ,NGcI(j$8lߴ+2(Vpx-;.}B=h´lf.j8`gnqwor>5#듫霉KN4ڸ9h9]AD&t^>2#BHR"ޑr7.rd ƕJ.IEߏ+L ?*|VfRHx?ˆ'52+~>6\i^㜀eC%HmsTR9HL%\*0@з5: Ws|zDfCFgɆFW+aTWAnZw[Q)t9x׃-ϰC1rظE%h/Q-Ib,XkI/2sB{W qt=Ta˂բ"n~W(豹;~4*1rX/'kF1}x9+0ө) 8+#h?݁ $F\˃R%ۨJs$WH_|ř*wGĻVVSٝls\(f^sp~ɻP}$Wإa_o 7,À'2MNH\:]Cu4*˙x-U$!nԭk7vjImT~k:6Co5J풥Rw$CE ;H#A@PL;X)(dDb dOx{3Kͣz+z~bQ8ޡk'R"f+[&%_}*InR-|MmD P܈VG\Mn 24lVҗdbA޾e]aT!LlGosҴ 15k&6c$njNO)Bݑ&l\+5 t1+dFq=m޾$8P2 #WXJLkC0qFyM +f z; ] PݳBWWsXDH"t~CCl?F+'+C=|/Vt/V4a") ڿ#8" 9duYppjݟinn~oI&L[C4h "A ºZ$kS#׮oNw6h|u3Ѫy80*"x#muwqn]boQ!>(A%S2`:l@yNV12rmcکJU/S2!H8_OI.Υ|ѤeQظaꗥS?Qdq^%Ih!)6H Bԙv*࿞E}𮮱2O`!p _{1m)=L=͂IJUSq+ }ʀakdiYUuj>^v2(邫p`h~F5s4 gZnF_;E #jJ>ߗ3T]*il|53px]pn $+W+~4LHQ8Hd'da~ՓwGp[jY>?"IsUbf<r^"pQ}.&n&!uOxwn)jF#^NSx+(Z,ZI#s[pqLvvo!@x=Tdg_fϴriC󜐬,wz`.=Az 5D4|^X(?R%;}pv\1:lZx />la@fKߚ3T z$ޖ?֒w~uC,Z@Vfpk0T͆t[V!Na)߰̽wJ0h^܋bop ?u( b}&0|//QdY7Po5sZ`JP6>pjՔpMJ;bkoِ0r= 9(pP(HS,JMpSOV]4w6+9Mk Ɵql|VwX`8rHEzK*GcSb;keޮ`&Ǐ㿘n_*w4VH*ѹ AMp~+٣u,@",5 ddđEپI3L`"=?Bn^.]4(1喿aT,zicKfS8TRNm܃=~Ϫ>.X bnb(ܺ]) AD)uNP8$Ie2$< # T0OD(d\0;abFőNƷNZPxEp*z|7Rh"ɤ3@Q-VJڏYbAÑs8hsW+9Bi3X#]=(dyU+Kϣ/)ɣOeyi#9>دBs1ꛬTǒAĭIݷlS X'CTdp\,cDPQ;B m$Qehc_{9եKHGe:Y`Bz&+h8ƿGvCø$ʜDBu5/|}?(ltNRvw4c[[lEڏ:,moOz2aJhnlEOI W;&cٛ#[ꍍW=>RSiD_jM yiN"RW#x݅ϼEmI=J6ڻ8PUwTD\7uPTx^Mz>Sv8֊m<ˈ6&cC?̏/ HQ+)Ҧ:W<TۋZCnww8|&`UX<݌%ApGZDm4uWyˇ gVhNWAg_;%b{c^o}3oWQhv%Mn= ̒/smBJ]; U{wՓ}hߟ˜.1|r)ck)Q"Si n%fʵWf0H)m첻+fN{tGAiQQ?"\\5'WF՛SAKv'ۨ-3OzŬk͘tIy{ٵfUQ--xE"f1jq V;I겷zq˸?Cn]_Cbol'Sn~oaBuθ O4wyVjL d}7"M<ƱJ)R"ռ,KYMZYE߹8 P?ޓLw@Fz}e=.٠Jζ{Mm6T@odΞr~ĐoDMPfzU85&1C `P 7|Q/Mt0WnL?؇sI>';pU5 G꼖q{|W,(I_hl$K]qޱ |\-Xem'5)vR 7cnJBqn)/Lmɦ M"4xĜ!ZXb#2&sW~9aqb+<Qmqi{mwHӎ6ތٰw(Х׎|e n%.U*(ֱ ̘yГɡ,=QIԔ@zrקF\Sx .loTq{EHPR "p3V{3RJvFs]כ?E 75nP;5$3j#Ҁ?ǧ5d { \:g1EzmFy1<{\sU4Qaۧ7A>b0yO"D?oz (9aC3Sp:@]1H%zRn~`M\ERQqL5T <&[V(Itfӿ=,KCv$sožޟF&2 MjAfNG (J~4iuD0U,S;J$ɉ 6o"a츰<*Phƶ <$AN$͇uB &9ϭ53AUtlLxqDcf5+LE:68˗ωDJo~S|q :Ϟ/+N_V bb3~;h  <MQN p\V(ˑq r=J#܎=OB̞l'>$QkȈyVDⵆ{>?t$U 3Wօ\1V_R&ѰLP-eۿcHį#m"o\-sck,)B a4R"͕VGqb!c'-Z0`_FF!=z $KkD>lU#=!(y7 3JI]_уQ|hgH͹XLb_ǻtx񳴌85>a\ ϖr(W*jG}R'FQ11! gqlt/0Y׎̟u ϜcOsp+V%FuPmϓ;+@!Ф* Zy a ,-{̈́R)AI@C X]ך* ǀ2&tCJ+m'iR٨HCH[.$/NKѶ`0hF[3c ;P6Y(+I R&zr6p:+䶕`Ä ͌ܮ2-i'NZ(|.mMǭQʶa "<(Xvo"=m}uj8ګAegՏ>GÁ>Rn2*nS @N>gĊhZEu5Mj+19,F%$b:T_A})pUتģ-x M|`8ꁢŤJu κ)Uǰ@s!ƒ~iks3rqFL2Ҩ>1eR`Wuc3?ȗ@yjdhx\o@x>PGG#wւ%7wMI}<+++PWDGαla&j٨k)71#sw b{*"_u:}bݽMW{IүGS; -ӽhVDa>IQ2g]8Z|Bsz`͍Cy5g[x##~Rx,z$ Hk_ {1@ *!zG&~ K#l*) 85YYe4ũNj̿}pstHD^XcOPId1 Ķ#vbp=>Z;?@#I; I#93 48?q ,eJi5RW`H)"2 |NvJ@d C𖧟B-p.8HշdK<L﷨>A  &<JP7ud42acK;RX n=3-Ao| $R61p++8b{{3/ǵ"W,9Ualh97?ZV1kwUt*(@x.H8:$Og%X2~8?+vkNFNkgQgf [sJ~$j躜 !a63Ce~NssFuI|wfdb.fNU,-'#BdT.`f#Jhh7l/HR_R" y!+1ۋKD;4sH:)K_@}$ZxB|.Q7`M#vxX*^K_sm&D&Z & B=&GdE1ͭ&}P"0.ҦvےC'd,6\"|c89|8 !~EM*ކ:YVVxeAOc^{[6jVL_okG ָ'{n 5@@a [7Uc\&:-:㉏YmLRNv~s7_@ ߾6w/Zl@j P/c荱$WB/|[6e\PHc:a#&ҍwՍ#t# T]bҳ#ɰ8킖3+)N~ie@[]Rś‰I7giVb!yq/q zh;2̗j#,F<#v!.qAg2]\tc\Sƒ&gDYXO & KJ⣎nb@4ZēQD)2Q{4pLRіzR]$\NLVZw(hQ, { هUBuPT9lo Hkf^vqðdG]x&L3bXO:'9$ZJP% VJ5n8GU*W Ha~%ry, y/Nq]d:cױ/5.vHcw;S%R3w)S{ҋV->̔f]u*|ឦD5>7L`kR!hkU&L{~ME$)Q{ .\vcލ5kkMrరe6%3sҰء2V||[[ݼ `6p $G\|j36M (ֺ%&Q*ՙ;/)b!#K#)qdhL?ONK}[MŌZԂ`JG{tMh_wW5( PBe)df c\\ U\Y߹;%27eH$f$uV>fhaԹe7Zk~aT9~#})+ӰzQ#bF}'߻7gI~#6~﨧7ڵ4w(uȎ1 ')im epbDJ`TmM9 \rkyXQcQ(o1pƿ<5iUb\~fFVO64_-ORLɋ$XtMsFE|pG8?Un a+y8bӳ9*~K_;6ث;r{t[N8I> fMiO$U)ϼo{]qQVN5w1v_:O>Z:}@,bz>X Tę`tqËIhLaia[(kO;0V#NtKْzF[0f ^fzE7(h܏ (WƤ8GN-]#aP DmSDd:O~RqBB6 Ϛ4P;l]W΁42to*Bo6$wB7hɴ#Z0l R`= oee@MNb°t<-)'09[lIZه(ռmMMpm*1ZK!}֓U)t /InYQ^~ IuV X=4φp%Dp?_z 877ݯFnƲQCX龤58q#>QPW*Eq8G`k0.gFޛ{ QɿL2ّ/Of49z> bK,o;q$)U-۶)zbi;jg%([(Gj6pbXtWu={bu_?=mdetHeVD4Fa⺂)w#Vy{[ݹBOgh YdA|um*}j d".ŀnB;D:\k.rMJ,"jA.5o&wE^|=/^a߁D#`C МHMˠ.J?sȈ's&jLWtm2qty}%!^+8?{&pxPH;bM@{gk JlUHꨈ?et-I;r! IfR(X%S2T DxErԒr0ⷧ3W7e5E-@doDj^ #(ME'd 3Agm3)4R]18/zcR0?1cn?g8>}VPi* 1%KW"MU<(f_\!j鑔WP:5yW6Qnݳݟ=g FVZc)mS3V$ɶPӕBd{Z!N NFߙ=nV0SsA)a S /LTHU}v͘UنlH8˻ƫUp^oD WF\ c>X9.1/Hi]H`=IT[~CI7@(řLjrnz[Q-ڇ@ZL6`SrM(Rbl=cpOnU_(9.Lv‚sE&H?uUh+-6?oFMk~R=c&)_CFZ?`N M)`)}nh=DF EbpKO0΍cՍ!ѻM'YjΤ(&~|߬}"Ay1PP&lVko$zߡزZЁf+A$QƩ2@mXrqH =[vVFj|T&I&HM粏3eq:v@¶"OoPEն,/t7#YS;,^ҡo '!1*%^ug   QJeOI/%O[ #8I&\7&\Q 4A۝$5D^p <ᩎqeG82s*,ٲ2cĀEtgOa lB?;WaЅsК(e2䌇F7zҔ:Vp v7IA=GntV"0=mErYDcəw ";!>8\a WJ$6< `)K[i=,{ krġ{q6(cMO͢Nr7o?&(ܑ)06/ݮeF ?Ɔ54}) %W~xf? 9B[X%RTK/[rR̈Âd  p]7 n*^FĆpuXDS+ӯ}B=2!Vzy@&C12h' 7 oq c˘\FR2 |:h62/5=#E>(HUZN/%;IQCO҉ʄ8Myi0ԕ?uĚ`4(ouA@u$0@IWDQRgEĝ - ){ SH8|>J_Lw{QA˴L=L`rCsݨ~4Ia0+Ķ)L$KZ==|*Vad1>+زl]ɢ6 rਲ Υg; 0dp4 ЁO"{$apdZ#.þ$Fز,Ԧ+YFjC_5Ъ3h1ߖfn84?=RJ1z'{ғ7:6}"ifśPQ\Gl>%@ J37pG*!δ٠3fnh1ߩ|ǣ o(RRur \RzI:X⤘r[ ßijɟ=Bm[ayU#2aEH#3R W`J3 ¢j} lZԈ+BU*uꭌJ)ۭ^ _-n^ze5Vd|KsV= i_%C'å4J).&*>Ydۿ"-$z=[9g9gJ<;yx 7߮T-zY"N:1  0 k)9ed,uJe.;N'75\S 4F6>11A0,׺=jn/2XzA - ޣHD^)Xw0\l 5YqO@}?'?y0TaAT- ߀‡8E׀ڻPb&D4 -I&8 r)pʠičY>SGy+but5#k+h$+S9{^i_zcm,(TeUn, UiݨQ6VsW{WhlRh4:FFib0o2xB]o9F ,:)c8bUfԋӝF'.L=g=QKPAOLcܤN\zŤN{!;c-m۫p^a5J\xJb6}qg,G&eFмLE@ 8qE,n2v?nXj;̛nӣO|RJ|mZ,UMދ+_Vyt7_x^iK֌jBOh,`$RJʳ#==!FɤD!ILwD#pdTf#m}yZ^>eɲ}/T\\Y0\](ޟSCx(]ip'ӽG;m^e1 pqa=RO^ DJ?{:0{ `BsTHЬޱ74cwp: Gxs̳u+N =%ey=Fy/,b13@>';XXffZli7Aؤ%6iǕRCRi [w U2q,TWA<,E GAQEҠ%\H dލxFRF4U/{f{~J7~2&14l8=+Q"PC6ܫCxGj^njqVFVF߸xtInv^-E 6K b&VnGAD22=q֖|KXT33_@` \syORC W "V?p<U. }e}Fc, B`HjrGp%¢23l!9yb ?U}r. ;RG9a8*,QsjݜC̦EQ}X)<)d0i[!j"ĥ:}كX{6B7_&~KA)=/y05Xalj @K=p7 oC6{¤8IFl<+e8S(ZUHW t7:zOj)p Z~3DP:!|b#ZʡOR'I!^N (o0x#U QkDePXF9R0SªD25h[k82BN*6ُRJOrc :\NΘ}C2mfܜʉS@xXhHK>}}uhdJtRl%UqG!D̵l.~>):F?\{СB/#ˤ#QcDTn:t's[4`50}YxybӦ  }+U%6 Rj\@3*-sJIɻO"LbCrXv{OQwjuzFu!=ʟTwoZY\&vek'lwkw\$ޠyg{lloMRm45ܼHuAPaoЛve $T*J* Oa C!,~@A8;aqϦWAҹ#k쓷PCUwIw>cfQz_yF̸i̤u峐f7,DxYq).u2RmE\輗销=gYR83W6֠2F䅄:@-Uy ;3o")7>\!A39dmuvtt4Gy Ң+}!6 >_fH jÔ^2r7ȣ(2YLθ" (HQF>Ӿ:o/Q10'%U|jWb-*aV{f26꼑g $>6:+򈥂 Ӻ?j0;3m+)1 ,RˤO,胶#"_b if@4 H~y(/=j|yfEqzӼ'-5=f8|8w\EoA΋r(Ex}}D{<ƇF&Ӝ7 T{,EQ=*1((Q.M@)}7R ¾׊Na"jmaXLi󥪅&8T{ l \jB:pMvlrKOQF5nܩ]ՇG?Oq$ٛS/XFvHC!˽ @=: zǟWgM9I=^D.#Ojn$tcZ&hXK9J͇tX\t ?I,Dv-ak06A\0f(8h# \8Ze|ELPTBxx ˛ ˢn3zM ~+|VsxnINe,?'y.Iƌ߉|rɘSPkn!lt=WdrQgG% MlqɄNo4'M|/]ۓaa|Н!(F20A|mL]b-(h4Wp7mތ'< OF%zT5o>eIH[S,%3m gt$ej ~S ]~X<ں_φ4&xm.OX,9hzŔ(މKEp,N~ !1^kfAt )ۻ{siwzCfnflAh@ ]d_8#uҪHyR-yKP&ƚsG;6@l j_g訒>W8cSݜf"I'3;ik%2(wZXxU"~^IXp?qSF)>kzsu[!$ݝ<1x H{4BI֛DA K!b+?%6 hjނDeJmBהvЧY>-]3KגVJδ́s{v{;{9܂*`\ӧ/pg:k@{XW౥CbH-ބ'4Q*3w5RW|G  y9gGn?7@]'ّ'WPDmWDZ-@OE~uB#@C`: Ig4J<Omd7/ 7b#V B;t&x.Qa!xzlMh/2)<MbcrBBb 5w(iIUxrTUc[{L01B@>f4]֟]GƮbMl>Z,t2h$JVu<C;EDb2OFPHEB[{y[ڨWC7P<: D02uy $wo.+"Ai!%1HBY("!5#y!&pWr̹C^|xPMP;KJ6H 58/HO 5lU~o:py[fq"`V.d- cB2w?Ii]U ,PJ1Kuh;3}>/0%jwfX`{6 9hX˃ѷ"qr>?I NL'vCgc+/FstT?IV̑@ `$.LC{KzX cchq? X!EgZf8{֐0`9,yd{|F$=W @3$"wr,Q7>bHUL%E5QLG-%-;A:K%NH|^A8蠥}h&>pxO+dǜ]A\L<8* ߮h6Me\ PÃ40kMy Q+FbX9I֮nR bat>]ܐb* 2 =舞ŝS0rw_-H)(J~5mʟ*;3T<ƌ{F Uh砦T|C;jaLDy9鶲D}bX)ަ1jlrLWۧݨFF \E _ @'CHJ?fp\6έ#ǪGT]2|]vQҟWEΚaf+5s}@y#Vl]/_ ڟT[Z]eoam2c>TeCm klY3By.7X=  [ǒVyT7U S)KO W(e5R5.~yb '_'W@(>'+[iONv+xKwp+I~!C'k'l4RL}wz;EV%h;S3ߖ O Q1^Zcn1֍8A&΍dϚ߼v}DG\-Đ@;jǓ~bR_94%+=K~eZizt7 O0|dbo8aM⑶b^eZ>C`dMN`pc#SMEWjWn6٢S휽X|\؁> ~v m0/ͺZh]Pyݍ018JIϭRv"48!.]P; )؃.`s1Y]HNֆ%x0"ji?,W#AuWA! eiԉN:zM@R)r7ţ|u"rHz%Yq E q=97y` 9WMqiTgN*Y?/ X#w_}Bŝ"~u 3gqotk!0fwس-Dl|+-5_qh4IĎu Gja! (8js 0NzbEXhYT0gfL;d-ĴcvYVvkX.> B ISd*)V2oQsQ+U^F6\k0I4(Ik"Y; 7GʜYf\a]Chߺl*MʰL{ i~1{58ɹکDεǽD󁦶_3 [L 1c*"$ܿGVqJo=Z% ؖ[h"fm+ ~$ /J,Jkk%R8z;>Is21ZmCZPɱIq5 b6-7LGlMf`gwʍ׌\bϹI} % \8L4o?FX@뇢hgu'Us}U6ؚ5ϛa%u>leHsonY+RڟM{DCۯ hYTRapjMVJ d/.mn݉Yb)#_'tF~z^N~޶=K_2"pӶ`:26ѫV`ھ+隑pSnẌ%M{yG/JƷ#^@,{O %8o, @{ȞVm6f^.xSUXGsUB2TEZƜ3:NQ3Tڲ)uˤpհѰ-%M X_zra&m\r0C5TwBKB1o"wVGNp5ÆFFT"-38Ԛ $) q1Q3DzO4VL i5݈؋䝘ciq.ޗ&2nd)":hFO|R97iU҄cס!oރ ムI<5? #+osPXJ[ۧ|ϻKs{c&4f'.L=B"N0R 9E߻ %kp4% ng]ʬO-LsBƩD3u݆Y왾4SPof^~Wޔ] )UNj\"Kdm+E1BO7F̵xT"SV9e|_nų!8!m ZϹ]+]J/ Jns%b|;1R~<1 uFg˦*YۧFlQ.= $^/'& ݒ—юJ2L!gTtiG*;[$aJ ૸ys?Jۮl);~>$UE7cs=?vaUjۜ݇2Jڳ_v٬!\ٙf lk>Vcٿ#xs^ q^s6c|@W 8>/SM>_ȷ‘Vf_A*j5YZIBXwb}ZkA6jT]%Vq該 p4)ԔdQ+35٣ W)9F7s9րH(lmYK;ڰ-n`w,b$@wb4w0@#w5b8AEX @`g!`,=~vm_Dh[U>r݈C)H\Is{J4 mnG)|. Q ,5ty͞9!my+k$ f7'd>-`|P+ghu4@}sգqK TA4XdƈylxPr1v&.ب΃ >r͜uF:↰,a(_|ZOcF| e$6ĸJ1o/p'Tcǃ-wҵ-KJ' B/ "V%,WuO5doyyUK'hOrTC]%nfgͨ"aR wSv)S,rj@a.xdDid̮Y&!:5dHb;469Z;%:f?d,5AfYQptrA`A` J g?Ŵ^}lDe$tw`(+"n1, b$£ꟍϞ"U4 LRi@~ƪ enOXf3!ߐIXK!c|Ji>a Uf'Ns5rTvDNZ~њW#ʚ wm)r(%b R Bi?lte6'SJofl=?zQ>kR,hʧl |~AC\l[CQ DX:ԏ]}1`9m y7 y1idTg#j L[\!bB*5 2a,Z34[Ϟ2ic*0|SDѭ,o\Vn(hV}j1(;̙acz]g3a;<=*Zq-]50}W>0`sQ<sYFnvVSc ?#n\H:9(+;2BHUOFh]C7') ~}u);7Cc1ĴMGP6 1]nsNm&/z +-bE5K&Jw2i:݅m]1%<, Qv)1K= 6Ϛ/ JDbB=9䦸 &7EFHQ#M$ 乄S~OU߭c!νU%7 GfLwM)f!M'0nn ebV]"m{TM ()t^D4֤D/v.y&&Uc3]. w8 fZsg ;_<Eº] B AQ>Zc?? 0Rܳ$Z=tzߎս1e)X-˵ېOGy•LՏd_G7,m:N0o,.//t?K vGM|]\4{v9b˙!OA%w0e!k$_܎ᏖfoS揵}= 9ɕWDwѦaA+ݽǕq8N1Ed -htV8/z5RIحΖ3AlsقHzSZ;WZFLiߥG SǕ"v֠LE{^){41 kDgI"x ~=s]c"VUđo–j/ rQdV[_NjW't6EYiP?J<\jϬ=Сղ~yI47xX݄%px8| VYlE Zwg 2|3N>C{7nMsj-=ҏXoh-J9e W : Jhu74rO{{?_=;fZNu3"BuxN23lQb/=N:f~r 5g&EDgaqqZGj[#ܣ^]-DsdZi N 4% Ilqu1ž-j`Nq"C"a)IODp?CB"͝X q2KՎ`vV0*I"6[xu /!yfU%dF;?&=yGQ,͛$Z(ϘfqcDfmśpWfIP-a#-4"/Ծ7)V/^&,JOn,S{hY\6aKyH?4r5޶+P`3&UsKCS@l{69yQBHj^JRɨ;Ic1Kh91p<ǎoi_:I1~(']mGB4r.clC i.HUg0+q\oaB3B"8 A+cDMABj! r,1gavS`R=.~72+w.C SB>!:%a.8֗/^m ~'`wę"8i!ͽXVMrOHPT0em|_ 'X7) jg}?}:ov)8lS eLhv;88莨Y㱦DuOBWʼn$6.z $Id oM賿ߺeyz9ꏣ#ܪ^(LI:&i te@=u* p: VKZ0vǾL/lVq㑍BH4)c )"$x`Nd]w/FN<@945aHB6ehr!n{~9yp嶡sݸEGxHyD |^ ~2nlva+%{Vh∲/h"7\%%U%s i;{ .B2K<% GD*[: _ 8gt*E?c'MZ^*NY;XSXN8䇑Dz1/фJ,n瑍8oKMǓc]YTLNFϪjxFnW]`6L#&5-"}RP;Yky!KAZ<.FրY~ ּ&AE;BAT [X'&"NEK=RZmάEarM]3k#z=\WtqW~LXO FiZ@{ӹXj|隵F*,Z:3CJI@o`(i>EEܐZWO6?q{]I[Q܌[.H%njP:M$ORe8}_|E<Scg%o}Uմ6і~-_b$>?Uh$ЉXM!KK^&QXG$@/>M'0Zy~4 =4vJD{˜0$}0e=E_@:>+!9܎ ZQm?sNdLf@-)8 QVXGAl3b4lѤGVǡhՠm w:Oha2"?swFuE|j%'c QRpxu[vPvڡ(#2aogoa{ 9Ƕ!xR34N+)ӺB6y>bI.LA:vikr8A }{j3\@}7/|ͦxm!74'[3:xZ)K}( E",G׻h ^ &L3T TP٥χM[$Ы#dn6iĒ$ME%*].=o~kuwqWz9:_k&/ŋD3 YGPy;63?t\E=fkUt n!Ysod9ӏi$ ;/"׈ hRY VO$& ۫ ~.LRLiuVg㚢@1(2Z`d hτ\1;\ t / j(bۢHE! ;ռ<<*',SxX/x[AXβWIoU m߮Cyd-dFm:iX`*!@/?4 m9C޾&.b4&-]^?HR~ X&ZXbMaO'9(br`#wJpb,xKEHR؍>z"%j_]z!D0ٺZ旭 o]P6ălܮމqh/싌1}۫zp(u,'=Tַ6`3y):~)53MRóԉ[^vO nف%1Gͦo`֪F7uHȇ(pֳt{:L} "]>4Q|y]ÀJ~ ,uƪ|4.7=dۨurofH/tSH2 UZ=E],V:V`f5őg* rϱ}#a#u]u=6ϙ̒\!3Bgc&ky%*[o^}ι;Ue7E?):/ +ajQd 20<"|\mWЄNMc˓lҡ`KB4l:MīI R]&d*APYgt}9tIc. "2 {23ֵH Fc90ޖ"?IvK> >KȬ)G}` pR_s0Cv l_K>?GnhKF8P;?̋T 5֎(02pBc=XM|Cew"f]Ķ|p%mM-gӠDOx%n}ʒycTP$ZqCΟ2%L?29½c[bwU~\GCS >R?] Β(PIn&^y,PXș(0$!y\C"/*\Wo&Ej]m ۞R75ּ j: $J}|k]Z?^>ی4= ݄4MiKv-Y#NUYVnG*g"MwUL1k24{kl"TMjO©1+ #I@ԥe3dM`2K z'亓~Y#W l71H-2eM4P8 9l ķmf/6䐼tSΠb̳{/yյj^S #)NQk e3( lIZv[N%Y,.yA8ᠫ/M6T-?[s^^k9 @vU67(]|a3<<,B0y3mOkUVLwOS1cm8e$cLMO>N LR]n;]7YoxhƠ-{ &#k폘+,AT͚~+Gq7ݺBE:v$oZŒ(! ] ~ }ܿ@]p]4CR@'n4)y֭H׾euwr1%3:.JnۙkcիuY"$stMc&F [N#~yٖ* }l x]y_XFqD.]$^l% qȓS26ʄHj9H8*W,p{&93z~iۛ=b,_sCGM`:@8RCiO^$LhrB1Y!x&`l$d1 ~^FG"\+`$EFA e!MI]3MaԊZJ;mUcЍ>QVQf@f={T Y$RB2ÏR;B*\OM[sp loȂ-*¥[&Bz8ntxtbWiL͑z<46a{X;OE=VEG{'uŸ<*$~~W}PxX-< ^蓋pc?ԭ\iULxB*b\B}nLCv8aej nvQN6vVWNb`a_lrv<#[BݵJ|VlȂʸ3XLZ3nX-cK|QaJ&nCuiHG IeNY8E9Mժ )SSa3DOFg@1K<'g%]H2DcpEb 4 Sㇾkcm]T(`?'h 3_;QhyVRlZJ䉴;GluGؓ# H:Gji_n"—/Sې0̡I[tt)] N~0}Y>1 tpRRMSЖ-mGhrLCtbc;3Y&S9~AQ~\]RG1 |( :|"ËA-ݳΣ܏1.͖Ju623۽*˴ X6o`[QCoRl[[ZI [{j@¹\֭v8[ѱ\ô,|{l,TGzW92uhn!G_ɀKZ$JN^-$Hk v=x[xk0 LI\g\9.<1%Z,<GwEl$M"b $f* fW`y1(]{)5'yuۇOeW\M S*aC{mӁ|$Ϣd'za"ILZzΒ;Y%=q3ԐT/\'O*s:EK6jՂ%VB"3nQDNEA\ۃ{_^TCȍZJ?H0;PuiL&csߣxODKksSuB^< ̪USST_A I j(@6R7ci׍}Rb [5xY>4ZNJD+䌦&eXO|LpylfFpg~Wr1nKs ML͎B eP8tM52'őATR<ƟdQ6~/ wxI f8"jy2- kmE4IK?L2$ R SNdukG} zzǶ^.`uNww\;biFoP3XF$ /!g$Oh)wʺB8n\{Ydc呉.=W.K ŴK)|0^|!^ks/1ݣRi?hbrz;Wn0YW ^N)1Y aoFMWY%eѡq&(G;n˺i3#a(aþk dAߢTGC7ZMuUP=U r@vyYڱs` >p7ɵ>t]"ǾŠ1 RL(>DA5ƽ "L)إ,-Ѕ@q~M[EvsHDA8xh"7=zmۦV=(&uVm7*"y>>в:It ~r4r+|cS.QMk S%(OQ/qx5nLjajSEj01:fg-%:8~c bqDjԗŁ*5uٳC4/8sG /46 '1{'J$H@}0I>Ffu@[5#p |?҆M0V<?R@XR$ML3P@ǃ2p.vO zg47VZtC3RPl#N0x8VE(ܱN$q.u.䌆}*3ED܀3gXŽG dd _|PGhH"N8 71C9wk3I%ǹHl9z7I-ֹ~,]L_Fu?zNoOUt ǹL6(/3DzP5il!=q?f\]mk !V73V" I35AtzX%z ^(DG°$2&1sn|2Q ]+](g"8ِ(=ݎrm|.[cbPcU\z}\7`C_e{l!N ^wo588R jb8fSuEa(q=O6}e,‼ ?$H˷q 0h׽rtz>=M+H?Dac!UW*0׸Cs_7U0P­'v 7}$܈, j=.*9g8w2_^#paLYӳՀ Jg^\[/%\Xb2Qr]T:󸗰t!M]Jx'APeVT-g.תoS t|y(v[b`Uun Z k1HE1Dl(۶džO {7 ,mP_-2^y+/&nO"p(/aqjo =]^<_,cɥM?Ə { ?>/g_o|œƑKUkct/g`H77,p*BfLNx= "18$i2@ Յ L-@&;-&X 8ou\MyWRt:} ]2 c{7LF@BYW%e7o$eScЎJ2<lHKw}2]&J7,)&6̚7bQ -sV e`M*9= C pQsAP0wGo?Cu[c.FQ{< -wij`37S-IXO*I;fJt-t!{NTZnmJѾ#l:lv}=JkwVV 3T"զ6 :` 1w#L*1K ߿i2DODdG=hS} v[NU'FQ HghcMFZ 6zV]?RP,;^>(BNҁ C^4twRIHCj'\n \KIqlQiMJ[GpVǀ-(zroN$ɗrj> Ì:3F9ʊ}(/c ep4{1Pr1 |3yӡDLZ~&JFX$v̉޽78M|"Ab3L XqsˌmZ?xu*[+Tt&ҙU+\O ,/fe>N8JCJtؚ_}&ζ0?>sylYh)@I 6!kΣm>{EPfA[DX-a L21%%QKԤx=^Xs{ǰoh}@Ws1xDwn+mJqQM@ʧ|7J+diit ݔhH0AFC5Fk>5@J4v)ȗWßiiekVCaɐ2U= 'Zn>z&<^ ^̯߰Wvۺ?͞=hBa^0lj tOb-GrUٔFv* qZA Fj9nzu6fy5E,1JZbMzM' Y# B w!峷`/M\!)U(N~/ZV-)-%k#3w[uk- (Mqn0]}h6)jpaZ(p7鈢KWRM I1hC5JtK8>\R-K7w3&(LcFki*KgHWXW}H8>d0q s䊗FKUn/->LEy"'˧:L忾f2Y˧}>2ҞB<=?%Da+ ^^=+ɭ'8C\ Ҳ<"-Ɉ\_nOo1U p *Ҟ#_,%Bo %C9ͣ®`Kޤ\%؃+<4BЧ] 1!R#e*vJ5"3*_q?eK>^Ydžf\ ;%fq}0@% @=̞/ؠ{Qxm-+hk :l q;jv=MZoС/FD=6r9Jr4fWkDh]+[̺!QvX&&]y Exa2}1Yi|BDZF }=~S=3id| Khb#qPV#ӄ8X/ر[^W0@ǽ+uGCħ1}B0\GAKL\a fs&p)3  m%$=7.B}͞HGyͱ!Ei 4l,g`2|9\";+C~B,%VY9ۂe1XPc,G)K<>!*,f*!a~ϼ1]#y6@Jb ٓ#`ш,z#r,;, T'+T8,g4A'9beP:F; ඨ@dZB{'7IVXᎍN+-sz b =/緂1oe#oZAgSx߁4t򎇘P8>ş1$uf@:Pp>+ۖǷWWۿFiV) s[zzkJRMf *\kFlTWVzuTH~9;g&ol7nBfR.ߠ罸ϗw yZ w1au.r@o{ֹ yyJc<mT_7W?%b.VpaCg-qȞ@G>^F'tHLsr/ ^[}֜4y1-OL1-ntSق`-a]6REkb<,&e1@~ R YM"tfd [&o(e>me7]9̟&eE}棿tc!Zt$Q eЬ%esԤlߙPw߳!ˡ^#E{4" pP<3MA" )C 5+lz(ytEjwOרf]٣K`i-p8 4[NuErmn+`K8c˹y_EͿdexdS BL9fh5k]YBΗoHbN`:ν4>KhW#c@ WS~-i7l!3Nش)Pe)D\}W1Ԗz^(A|eTCibpO#*bN'@$Y"y8\ÔyZtѐE #Mc/ C=-_  .8ow3ϫ_V"1"y? :0SB,/L"^Ipl5MfO-Hc]B%A0| 9nEn* g/ &=n-RN4 [${[۠ZAHXpID M5q:&*tu%@e-Cb3#_:-bZFO :per"t@x J#`F`7q>>Y(=< UPȅYvźAf Կ [Kz rj!]RѰ\X4Eȋ[rXZ7Ꙃ诖Gj` 7粈ZUэZpLc]z"a=T*C=ýY  j(a703#jD$@Q]:s@rKch˼_%¨)C +_9B=^F?0\f4Vֶvׄ#D.MPDsRMQR#mp}I߿}vsIBeJ~dɸpk-nЦ 85l2H~),dl|e^ g 0& غ3 ,GOx!~_[/.OUhjC>z^yz}ŊGPԍ?<.(4.*6l 8)~笍iN:jX, }Z1ʘ҇ p`N=kX7 ?mg$g-+^ٯR͖Ll=pffm"wѡY EN#wY~  fVM?7$|_L _E (h1|NrMf t& MYb3ƷdzXF;P[nnb4Hlr$&/͔r 3ueKuMn\:<`K7dneuc_\i(m&0&RX)RT֞^(34= d?xE ~e/wO5VeS :0YBzw~EOݜzQ};+~r bsEyBr~9]L jqjsL!9.žcC&Hѩt&rgQޘ[pkhT# 5:.ohN5\db"*m`Cnv| VX_¾ThƮFX6hT8B0NH\6`žlMxrwC'8LL]CH֧ۖdd$m/5EhJ4W`lN*Bu`әhUiV8/s /( Em<䝴; xQ`SEC}c \pG Së1·$O6IuaaDg4{ZY~YǙ(jfZ0D*AѿUSS@-v){4qk|{AXSؗ|^rhZZHW/BYv2MZ4tY誠85.Y^,M5ڱp_{u!*N!*қ|nF5h)x훘-*r6Q2]3iJڬۗ@%VjdEXA^4h]7?7 șͬϘi؞^ 4CYL_Қ&oOM|m*`Uy 5\~J,t/<(B0ǐYArD$ԢہslthyM$'Ac(&Pz1l PPzNJɈ nIVp |%ɭ0e^6ӆ]>;_RT+,@"-0͔=zRHu?кTy&% rRBQ՛f'Pͅבl>SB*N=܈tpOWZ0Ny6ҽ\vGS]}Z;jLn@ז>9(3突 F?Ժ(P TvTSFhaDw]拪On833U4 u\-D)ٯjU+qR"+Y̦& ^ dgg={m[QYK?3ͬw,⣌NcE^fag(4?\:2p Uv a!ޓ-&6'ko)aJXY.$BJyHUv?Y,y7+9/2cǔ3SY?mc673.HkP}AzcK 0tO0aQ44A_Hfӡp)L6>e`ߕgAVK E+uګP6~Edho]rNH7ܨY`$hh P04!y^ G*OjTӞ3{l:K&|  b݉Bw$Ot~@14% PB-~m~FcK'dmDځ2Y&gqVbGD^k>#xVـju^χjp[gsoSOzNf1"4$.'~pN<û*XՇTLCv? _p)5~WPf Qə +6(t /(y݇;[' UBbNjf[7dDŏ`U"#C{?<Njw#gophyW+E7 #Z|ѣC4g CoOH`]6jBP$ 7L iCedb%溳,YBT˦%5 Ly0 IϷ0*ڬ*p6&p KwF<{h%1iN/ p"t,72ۍ4Dl݈j36E=.F(H! ݕ!)AW넚J}$.6ᅓ[J:(MaWazy}ļ{}~ݓ$$9!t!@i?YW}{ŗ󫉏\/]-xY. m53@`W U)ixQYU"t cVZIH:Fy&Ui3 GTW{&( )I ?FL 'XKۂ~¢{U\!څ`MC5wy7EsN )5@CCN @fQ[L(Rh6Ց%vz kWg |"3sf|YexGDI>/jcr\g;0M&a>] *["8)}uy@-7w~'+s~/>wt؏A-BJWjs|ϓݎkRGïsBl>gh~u$V.j?,odeX%sXq:}S9׹1? jGDZ}sAi%;TЧ*8;pÏIc^[T,lt#6'׉gz&/j<`JN'pMX'@w 5#b,[]h2OHbPW2%uVpa3Z@@nY5@59_ED|[^wCKZ&j[U,m,RW]=Z`|+BϪ5FCo6p.Yj@`tMgBc5B sGjDot"VਧNo=i\aPq{ q7;-ӑ-VM,j=M}@+wUI^=g 0 Honj_ڴ-Ȩ>UNYGPj4F!#[﷑c>EioGsg<Ȁݪm}Gl.. .Oޒ/zTmLgGX|t^Gf˗2kSx$"A*ͣ8yz*cr=c2t'9;{ IܕKXP]NTo#sea1]'-4Z4ٙy.m^>䄑_%a2a;gģIf*զNwP'$WvZ>(R!l֞fwZE7t콱لD[3lqw7p%,i^cʹH!!4 S?kۑqUlY1ƌ^QQi?Pdf|/oȄ!!@dxJ٫Z$X\lz|]a1-"EzI,d+eůIKJ2vV*,5RK9|@쇯;AnQh6;ΰ{ ]gvx3c+CEC ? i _ZA<6uT}bgS'ͿPt^tLAYoVRy3aM14hS)Qw^cŏFf76/LZ<`YmTK֡lnv~`/"ɀbsI"R5'uMaխ4L5 [g'E&aʋA~mIZ>^K9(a)x,>XD+K|ז5.ΌAa$EYoB$ 8׍zZz{(::y!vg$^+J'N]2WNEB \0] +|Gi5*bTNレ?yjyut+-wGK ˽FIFjQ|L!P|-~*>1p9&%EISd}K]o[qlR63}l΢=GAOв~Ţ3k_YD#:3^9?G?i A;1.Tk ӄEFs\j}0Nx$hByUߐ%F Nv#w`69C"\C?K%3I˷JžC I.:lgE[3fghp9yr pweN].Snxޗ:qɒ(t 3kS %f_VPC\~W%'P։ɽdG=Л돠cH2:*}F'5yjg"n3^'-%yp!AlR8MM:"5b1cF(MMPyp(7aBr+pp.O_͜tJb-&lv޷/!&"Kçi<=*O}V(LNU4iv!>EnJdnjYm$ c$*̚~Y_wYtJ5k9S"Vwh'9r/C9jMV] wò 4lYG,MNkbpќɔxUu{80u-uXۥ0(em0zʂwDO }VWĨp9A^ü$\T#rXIh*_XE>]A %i qEtDb ~̎Im]=)op^(-}ԡEPvQ`ܷ!w"X!PO8XM 3VxI~VsV<Zۿ#7,jHПlE60{9YlT6y)j5q2|'glr2͝ct*kY|-?^b!gbNMbC@4O^NGOXҤ/Y'Dp#gP:],Ëw.L=`B#;zܭ_=߮cb2eb@n)/PWܶ?~cB R-QTs6]Ɋ,]韒ΐ_m?gTR/wyMh2}d\`v&>8]# 28c<9 j6 LM}>rwEATC>fғL9<9È+ .BW 1N߼ǽ۫x߇XAaZ8I8Aw :xA49= Pr.C: #P{_v r 4k_1`\ %_fR2vH"K {f컎X1mC+J^޺d棐 oMie|1ܣ%[N;kMi_iѰ$ca$6/Ue{Y 6]H|%Д8ni&iLWG l[5&m{)vqw ~ԀI`c1BĪ@YDB(_ πkߴhTLjn<BY<|v?;6_r+0}Q[mdqؔ"E$Gb -[O:Ge6G1z`"?GjЖ'-fqyCtq>JM6:=[%VNK{LY?RTnȭnHr'nA70T˧Ŝda^ {4|~i-jl/EЅ ϧtf@Gkz~8Q>A1fG?<gJ#ߒ՝-Kƭi1*Y(2 ~&1z[mvxih 5**I]ܞ8ոe$L6fyQ5/bŇ$pWBMwP!HՃ+g)w^-E%M6Rf3u0L'(Ē6st?s 8x3O|?#dρ&8Bj8 8VnX۾l ׁ >6\N^eVx'hLAHiis[%EOcA?VVtG֤,9VnѺ)`}(P xl GZ.5 Δxwm=X‘$Y{%G?0՞xܖ_.J8ܺeNApKif2|硫%"κŃZ|xMA_Υ`J/9U˫>h19wl2usʹ͒.L@ )\[YFm6XZ/A9xYh4۶ R y ׾n Gsyh N2np>IE_`LR8v_)K ;ު9Jkf`}KK<>2>a1߶*=Ù©TEO7{E-s}b'%؎!'9—Jc@ЦQE3[[6V_=~͇(I4(b6"Z8fZ]'c`xLn ɟ}lͶ\8]Ƕ\/>GxE-QM e;K95=ߌM .2TwMcn,^Vc2z79ȶؼd2aA(2bUQ#mX4\wwK`\>ʞ}  ¿ k;2fM}8ۋt&3v(}U+ibSHɡP"L9 O Vc{(m,<O>XZ'~0UBy7E4GuVt)u].K@~m>+Խ;oI@4ӵ2֘s@Hj\$a_-Ux#3)oO^7J={" kqC*:rJ{8;4 e-t\N9x8oԧ9K$_j"#4oXŐϼb]ݫJ*S&e>c=,xaK?#)(1-PQ#]FA$WA8a #L[G޳ַ$/2C?R|vyN:)Ca2Fلcy>ѳ=uz;B`ЄCPu3{hNxQ  l{ͰkTe(s$d(9w65Q_-BV#G[QӀFAm!RO@ܰ%'5sF8BQ07Ȝq/:+QK!yl9;-4yTR+c`?H8Yo;XgYm6]K]spGCDZABxY G. [y,VP^H b9'A w:E:=Dۭ_òUFɒl8S q''0ǫ$õ8Ѽ9C"`jl5c'+k)#zj[р:k\;ф;u-v{ ˽c\<2@''Jem؝ fJ.eIVR)'i ~ h7zMܼS,wGy1ȴ% sjqrrjXYh@/(ğNrO\)y=^ iZ% /: [;f.!}dH_ 4S1#~7A0FU}<%3hާ&a[#PC(fP6ΧOlʇX,vd_ӧ0('K=?~T$D˼xy;/wAx u+ PSy(K.b\v4JEwBᵨԁa-; dy }D9]zb#0M4 'p_ ZXuxUhByGLYFlE"a|j4v@Cj w`V.g!}ɬ]1i|27"4$BPlX΅<9bȧ00lQ !ddpi1p'hl3-i0+Y @8 3Ȟ5n$Ma  J(KF< EXɤ@ 굑$(20)Zh_]fԋ+ߍ~G&f>ϱK@lXIPEWPBdt?}u!'a%SD \g\rj}T6i r9c{='˗?a9=0S C&%o7& ?_1y 3Qn!`KE 3F/n":+ٿo9DV\SZRIqPj=Q*5[ gz]@(5qPVtY)a8!L)j"~!" IRf𾨶|PFRȝi cG!TbQ6 @/9n3C :w?S2)sfڣTWsxfψvJ.R!\Ŧ^ǃd7Pv{|ٚy0TJrޘʓ"7]я=D;# &4pħeK/~= \lmuVn b_c~PgaX7no&l𫳬)f]uth /HBʟC=7hahr4Ea G>]jŢpaA5kRUWaOKI{gY0:c/|K}(hF]hCQ`d`pͬ^>~#/Vu^ &'wSpcKZVS'hz?E DgGj$'W*l&߆cI@D>Ob. m*6gYiapn-$9ZZ>$ߐO>¬UlDZa/yM’?p FڻW:-)LE g{Rc# ;߭"Hp9䪻/5CZ'&I@ yъ^pt?dE2û tR~<J #8,tJF@W@P9,ݞ<ʹf*0,Dt(ryn<4XhgEn $z8"O^݈*W k`;r<2P " =>Y#X&/hr^@RĻ4͉TkR>'?6Bߛ-~U;.i hfsJXryzVb$ ,4Qe֔Ԓ>}mHBf$aE7dUXZZf`l-\Kf"ꬵN YY fO:H±]9S2 b`ʱXep0fb&'Ήde_AB#]$čm_ mN(Wv% [;G*:f͡ ƶs%2H2ʃSc GE.= R;s[fDO3zQJhr&НR'O<Ov5 z}7TGIfFp zkS,~~+ `QH/G?!6WeĹ>W_D[ L`'O:,p1Tslvn&6.aڣrC -|΄c3[OS-F!-ؾt.5JTf;\JlO4502V%ᤥq+(*Y"3ʚ1}gr\"J*^"!yn=R v7)>g^aiFA^sLeP-ƞ.Lz%Q^ P6dFu?OuN jbai\7 IŴFc3Be ziU?kinch+\NȴN/OKDH\}7LKx-(lmGavKZs<-~V<2NHVJ^C\ffQ,k@5R1$g"awSO_' _A~A)ʜò(5+pGÜA%xUV/u ?$b@,(SȵCiMKpC%UC ϔ7WXMՆe$ekڡcrn+T_> uW- @9}e?p%cPhcʿJC{e9ܝnDx.YT (HGPNA>V,AFЖ3hRtgթt_0޵2ctr'b2rsRlv(D ;Ɵ#)#센R6O3{Gn:CUZwA*:_{@eB x\Hz}ILFцa4/{;yr:R!yA2F7.) FXx8HE|+Xp 뽯K*]߄ Lax{pEZcA؞j@\,7/8Z?"XgCRxaPR?YzHlw '[y,Y(%MŬ;y:u#i2`ڗCd.xoq;qD-4hBpYa!*̛±f @<;*)~az4B*j#c|o(±i=hPV봂C#^KTwHCֿ$1z7rԌj8H~@VJ1N $d6V&Z'F?crŻDm-Mnm᭕L{?s>Fp݈^Z&$atbJLDPOty44ju|AF{XW)x(u&T`}dٳq Мgbɰ5޻w)^* l|TUWE0@)6JxgN$T< Xk?Mڿt`0ϑލ9us:Sɬr_N{+5np{s3Ppj魋C˭l.xFtی*$6ef'_MzkLҾ0=,No`&C7 bj)/KJ 'I>toh7/nUt>b<3x*c^/e 7ّ5zM#Qp[pP"~vq굞 C@M1\FNRUI3;*J3"u.⋉쮫P\`u[Z6c[G⧐ '}q$ozԁ塁G(pSV]aoeC>5]G!,*2[foqsr|eDz`a :buZEd9c.z^Oި AxQ)|O&^ɳ: XGd=xr!-]  æ>@ЗUrO'89ͩ^1gE=#J25-f-3dnҊSJZ4.F򘌌gcє-<盜ksF_晨pSƎ; L_@'%”ע^ ,d|ӏQ" 7Hp kV M9 R)b& Rn>ɫ-Y9\fIWض]ԔtB]]Ĺ`yxtPxhuǍO#Ҍ\@hc^uY7U߄h Г5.22vV#E 6ck/sY!k 6lEYZ o$w_ wG#Ë4 %*'ܷ#9NaOggwWT *G"gH-?a8Z>i"MVRȃi:E;^~,┦9+y0$/}|I>9 0ǭ5^:}>8tT"v%p^=˻ؿڵDD݋\_yaBs0'@GE`o]J|}Iy>\@)75 Aɚr)w!;'hV]xM1'`JRca 3YWOR0454"Cץ.BtAYHq@<3Q@WS EuUp4cDk?'N7mR3u)i[,a(E0GeaaZR /GJ!]dhe?u#0Uoʹ1NО~ w DȱT2xƷx|pBqJq`د5,kNjޑpd pNQn"4 qbKUzhp"fg)_'HCMٱcC$.N3;RjA"^K'r|ۡ\#]|=y{Yb]S9V{Kt$^h$m>ʙܐL-RMOp54+e&~9!׏YK,(x7]@?Gֵ O.YB[F\_ 1_.*n3eE,y:qYw#.EC5;xݚ7ύZ]եv(NxX\/9̈ _ų[QS.?HG-(a=nRs7h12'MYi๥\!Z?룓(*#Jkr5V]j_[ldQ}9DNUX ҅``<w/(/~C;õ[Vd ncX90׀<<'I1ls@ί89תG9[\".){t<8gD;{+hUZi1+T'70];vqqfzh#IA%jl8W;2lrodS2wo, z}r&~(7Nnpl : W/fwmXx?70!lA$(D?#v2Ճ[VP6g8orB{\HTb6}y0DrKa/z|_+#hW7&.<'fh8(t+hS|~&7S:џv !Y]4J56[mnSpuJ٨}Qȩ&(g#:)=IX|^%oW*KoSط\- mHT}- -_ i)o20z;W_ DIb╪za:ޯe^~,Aٹ :nfDŽW;EcjaudoM;򸲖^C_*t dQ{ZJsNAt*W~XGCcx5U{Ν&EƠɯm8|ϗ.]jA O=k%K_irUGKVDz"䛸@fuiBxM {\ԁ޿IЈ* ޠ D}OjX"]]w+"&J1 @sdm^,gh oYGr <3#(z%Ҋ 7aYewAu1nϚya=Qe['R.+F{ 39 A6_Ckm(gY.Tk2`54_YPh77M- 0GX^̰MGV` -n2zidZFww,JX"y? 'iN\:hax@AJ7G b5 KR{qe x|}|Y&ˬVG%`|hE9wq0!  cT@kVdu#.+ wAMѠDCsO2#O%G¬^BHY1Q bj]#<޷ dG|褛=Ikbko8 6#QT/7 jb&N@MjCs6R 1#n4,ѣLw9}D6u3o Z)iQT]5ʇ++h@?@ۻbjjZ.Mta 'zfI4@3bץvw2|Ynr~ߵsӺȃXsN FY =@u {:V*S !R>;RVz688hfv3},M3?0p;,&jenf*'_ƎE#O )w8*;njAX&D5 NݴVLοL#i2Ob|Jd()ٓg]B$^$W-)Sggm2{>&5'OD3 ?:hgCBC-6ĺQ4;4:;;>MvA8?惹 !'D4长6 R姈iZNl$wM͏堧S sY:+\xwcu-1rT; Z4QvdA-8dqctk̭~/ Piri~-A'$ЬzEmyUPQ\L,"}`g11B( JQk_jۉ ;ʯ2dE=$!-}%n6 L`R"ڤKR:wi leV:W8L}kE1VE~W6$n^k;Lʊѳ& ^eќ6K-|`S& g\ P(8<0֏\%}7;Ċ||\C8&t̥nW}#U3Z m 8 &lz,߶bE铘)؄0S$G7y%Zu8s55R\f1_]Q h_yrψCh8󥦾Q5H#: ̊esQ<`q Zy. 3hJtp&&yAD ٯ3m.~lҿD=(B8K7Z_r('grx|9\4+x ';/`MD [)s߃qc#< :t"+u-=J}S'5&X_ʢlXafU͢)omw'fVy>! sØ_oYZD3l'a "{cL-icʥ'x$s/W+Z4SC '>Ȉk'GP!fƳ!:ºs :i3;HXu@ MMhP{e~'σVC=գ;ܞ2ydC<\!mKѳ;Y^.[o_!eXB).ЍYKiz"%xU`[BJ|oJjrHy2"ݬnj/{a+MCp"a AOg_TzL A9WcbN:  1"+GZW'5ijō{_GS8LNzfÐO@z'uC;IlkoVVOhqTߗ +~^z%5]љ vCJ>A&' Hf#̛:Ӕv뿅.e)l*mֆO% lOWXN-duEҰ(X!챜1MYb%`ƛ)j%`VN,'4FZ作|皔?AMI"vrB}:'+j @'sNĐQ(R:tT0RXuJ~=&mӽY;,>>a!LKGe3#3E7} {3oB[ZeɄʠ2VCgX<4OF&e-4ؼl3G#AcamwT[c)ZΥ`IJNK3VJq+e0_ɦB%* iP^2T-kDLa=I:|g|z?[ĸWIr>,0t_TS] ۗ``3E XTdž`W8X6V ~tGQ)(qLXvW =CYFp$%r$C3486I?ǺٓkYXJn(,H^)jCя+'ruUI >?=Bq5Q6/o9+qc;\3RoOE͹C =*kK:׊Ϗxm3`5{I<dB8$tmPF`HN:* YmLxUf ܛ2SgѪw+jp&m-:!0N")0eBK- pZDHAZz`vO8AQup(Q\5xݱ y}WMu$u1n=y$ܬ[v@uS Ya7E F䬚5:kL;#/?%MPfywNp8I4AϬ$_+R5B(K4=b"x'"Hvd YKv-X4bԸl-h+#G*. DD̼QAYY??NZ3s~ >69bK}΄ *f$V@WO.ШnodI(^Hg-Y豇@aujx+\kz&*GŽםjUUu!w2Phy6s"(J4{c6nrGֲP16o:ԅk^~4xv S.1R.܎ET1@D%wH3CͼCEN8ո6 %ZY&jwx8&hkO7%-x.Rsؤ4WFT)Z#!t^.KrtoHZ"E108s @u졅}3!3}u62$#c8f6?;|`VkiAfqΙ'WbKɹ&6YCJ;P zгXjd@ ƴ0Fo1?A=q>M ҞUB zl21R4U_{o_;GG883RDGRu~ysdabjD+l s`ƚglBwXVVE՚3g[*i4?nPv!_!`D+Րoz'Ybn*U5v8i(ŧ+F1]^ QEG7Tu {ltbcPXz=N :I;4)׈ qDۤD m+Ē)%3 dlLutAٿ*0_khĂӀYc9O{RePS6D-u%Ty񯜖^Hր5n2uTP3 g7IgT_O~yZtpp-h,q)P=Ny_XdF+["28/:S4IMft:hL0\F^.43mgI\CXRLiZ Wv躋qT9Ȫ7-rayІxj[M?X+w[Wb<^a&CAww'-|8qxɴHa&Gƹ*.̂X{k`lJମយ:@$eu9}:$ ]H' KbmQʩuM *vYU)$~<@l^Nn z 4 31B2S!j+5@k ²_W#P_Bu?߳DeMт,Z"4#?4]qAkƴm@o8!1A@j},wPm3f+S_u?%EISޣ+B;<ޓԿpr1PN>%-cѠWU+k HKTn4nv^oMsu+Bp3EScie/z;q&xǺLN"|\$H*M;ǡKEB rwöM1N0{'{Sb3s6|B 6~Nn9˯Ŏ`oksDQG^?ſ$4><dxcV VȝVa|̟rLEYOO[F`9 #.3(EzuFEЅ/̉hbCv*m߼F+ŝ f!>]䰬3:ó4XΚ,u9=io$$B_]^`nhO3`vUgP/8E'3b)Qa^ed@$/e j^H_wѬL~5vJZ%9kJs 1; 27v=ߪ3GЫL O`ST_9;qӦT?hM/ˡ;ZQȨP{ |ELz Y)#̳-0yJl#fRX(.Vp7,.;Ʋ! [L+W80-JKf,!x cX0FvA?:_~A' nʒ w!|0_4]F#CAzK7>iCH^}CqZ|^R:o1؟yF+X0s u[P jxensl56b#h$1FrOZEAk_I="Qq̏l= =Uҩa/@/ta7ɭE:GmT+0q0x Bl0 -ENmNV9MY (KrWar8 ] OrA%nѿɺ }[R̻fNO"(oʨ7H]"j&xH$cZPTDBϒZ<@'PGdܣ9QSӚi.`wrTw@/NV*b}n)CFHVU.a0zr'=tjȭreŬ"hZ'#[Ox@bI@ggyWT(GlozJp8aW=TOUUsgE1׮tXzE ̀3P6|u.i"{%#O* ƕ54+kyqISf = ? UP ?[fISn<)̈́rXC6!d^1L#2;TvJ6ku% <.*.]WY@(oՠA"dSK|JJ+Js]ƞ4L܊ XW ¦G;?|QL/&4"Et;,=sg% 7pDZ,0=p[k^%Qȇ7&gm[ N˴p<,t"Lm&pMO4W̚7R2Ӟ~ ,{s\Ե= Y b< A&4(X&!ԥTͷ4;P7bS {[#gɄ`64rgyD f-@04/8qLytJ35ns)SZ-"oCvA~ #"l^X xQo-Z齙H~q!m@ۻv_W|b`o$>c[W)V1Hn '^qޏwJv0;צϳ7(FжąO;_h^(n9 Y㣝"Gu[9]"u$"ORz|M + ", N.8~Uj٨~:w&*]Ha$a`E *M|hp@lrr2v;G`'B;?'˿l'ng9qj5VssaJKs0zKEji oMggw+Sr<{چ*zV ؜0}5RmV\xt1ewThLmt@q߬kh-rK/ۉeWh,|q݆ '=iK\}.)>ky7e_ewz +ht4EK_.iw7&Ye;껑`I-Ȑ]XT@LabT !s)"% c @,ZwwAvUDo~yo4Nor]sT%Uie5q)f#AsIUn:auuוD}L@`L 3f:#%B%^EۣLMh8Q!\ kd\ߎ%qg\WĀg<ܚ]$}9^ zBVCFc_'T7 9-Ϡƒ]O8 {S0K~ZVi4It3:~ QbD ˾6G>r5xִKö ԳzVug'S^!zmBQDrzjxc|ԲIQI:Q; KFnSfcQjtMk t9֗~3 F$9J6Wq 1U >8u.\),FAY~;%fh__N)7-n7z?-E*$=+ujzI.ZK/7eB/ѱy鹑Yg>B|'/Pt)FRrM^Re"IՑ5XZ+ag\!oϓ\_x05v1l,E;##iوB0A0С*+ G))1^V.a[@| s հݎSpn2-Oin̼?4^2`!q`uQ;*(z_஀`Nzk.+}7X'G`) :D@ܱRQUqx"L@d/,D<شZ?gZ4m`(":l+vNO^B.hoES EF|pS訇+L;.V8ܖM;^r/9H|NN!㼩ʟ8CW`1훩Yih/ [l~Ȧs5I+e1,V'vP_ƞ&:j9b%(3Cَ9ֱ+ 06j/縦ۥ v+y}H!;3^ hp<87>&֣sh^A lSoV-x<9[ԯS:/פVr<u2EGt(;~!y=Gl,,T4OΆ=3hq;Q+K[ڈIմ"f̀秀A&*-ݦ#`x Oq|mV{FiqTq6,lC B+ tf/iB ,,VBbd?c Q H_Câ4ba\I zKyr~=rZ=SL@eQ"Y/*ދ@aej}e)dۈz)y]VѤ.Þ;$ UBpoZ̢<@%7i}ZQY+M54e *f'go嚟֣= qջ>4giPsoXlu$TLS2gsɿĴ);M{'`%%ݲ=?K{%%B_;C?1Mͼ&vh>/ڐ(f5c"+YӀ~ 42SDD }Yda~;!+~,7A~N0/*M}͓!MGmjV7#T7|+k[[kJxT52/ m.C]t,Y ʺq +y+3 =wT52Rx:$KtM*fu-:V%z8?ǹ^\AH),oh΄Qѳc9Za+W=P3<'SWd`C@dE:LY -;E!S"<_>*WVc}p)Fr/TH. ȈPBvaۙ-ׅ![ڣbڶ@Ip ue_6(i-OeQ57)n`4J_VZCC{UũsOQ|XK>Vqmh (,=ci4<ܴg v [kk,wGwO'ӭRhi^\j%VYDXCfʼdGBB){h,+rn^-N7=aBƌrV?3gO! _Wcts &hY)rC_"nՍ"IljD9ʴp;?Ao7I4|(eb/}s7L0b!]"{$|ͷx%r8idB-ەMs֝ӧ&MajXd BsI pG*Lyo֩Q6#ӏBҸ#not̒0׍ÐR "l'|k9B_Y!Gr`*xkI&qy7+fbMf+Eڹ'oZÏY4'_m2&Z{;U2x#M'O i>d[TȬ > lȈuz٧޽)dJ&yU`e,V>Y8^)Q B`ٕ>WW8"Isbq1v( 'VLx7-$Fm spiT#^[)LL25>j:+pC#'[x&OܖBJHDu'JQy\2\LŎYJ*sd8eX҂?MC0/b8.p5ZHrsڏP7x-Sd-$r=rA "7%jJY /&ѹ0Đg/եIYܪjVv94=g#2훴^}]ws>f(+T)[}>59,S>7ϙiW<lC*}kfPMtOLXW ?[ylGE4WRB(b|`0s3e!y%Pal.\Tlk.H ڜFk~-͐=|5Uɘw|)ۆLv; J;S<韮=.O4 ~;\0cтd1L--E%rN,S~sy4.F/B}F\ЗmGY 8aٜ[MsF֜k0vK#@ vf()p 4 ' /-R)=${sK!*cZu}Mpgٟx0;N?JWsQaU5+ 2*֨LOYYu62ٍg 6VNyy{lȱ+,<s!_t؄oY;#< Du=ɾA\u&T^m@^9ZcT{[wr":.$BBTZʥgeCi P#m8ݱhSI*I v͞)<)!I?"}(ߤSVdj͛(^6?bh ӽn[%߅._ld^چcd=lST23]KVO]+~M@#*>גIP +]ifh=HooK;{o٨s.:y.+$9=#/d7O&‚ף ]vYA7T|Hŀ2Mt$(́h%ȷk`CrPAتOLΉY+0GJѝf.{~u?{fv-B*8HFj߃#j@$UDo?ĘXHGb6z47%چ=+K; +Ȯiӵ5X\aO.4]ʈS] >OM / zڡ?!CCyB|i]*E.~XPVh׉եWNjJH6~4N&(zI>+Ҿ&3IǦ3 jlrx&ML1oPD{fVܾQ;Xe[`!P:kxp9[`9ҐrF3C5IT#AF%BK<y}G. ZQfc(/R"LPprl\R㩛--c$jaZZ"d4if_f8RkzOQg Ʊ7Oz-Lx> qݚ5@i2}V~㝊ڻ8[1Z29ႎ ݀f0^@g`:P8 RoFw%;3/S@[D)Қ(#}Ɏ7ھXrZmrmjh#?Y,bNf?1MRC &m)Mol[xF#|CwEPNד> 3:V4t.YrKU@ IP@aُ%#\Q+.7y=>r93$?0šM C$cHv@Ym+-7Ԡ/ͫSpdo>ݳ+F츏]:jчbW9MbX,{zwϿQA\dghUgXh"yP߉CH^6Rrz3 vrS(-![u-u:H[({eF.M=xpq&2HKs!UJ*61p38,bknX?TEVL9dg5찄X٥Yd5/`S0tUQbMJP/p8T~}IӺX:<A FW rt4Au`7s@+e]޶uo:4$ǐS;\zm q2-/y:m>^&[傐+#UŪ>Ǔ܌IǢ%"Y=7!%:ֽLfTNn%E$Gm絁!]]]T-AnjJDs q;q|57HqfWq0)p'bѣ d\&29/t":aqvKwhTqvYшz辄ڧ18_H$^nv-\ FUd?{6&TPV[`jLmyqC3&kx+["].h9[yra(>Tlx|Η$ى퀪_~t=+ ѧ Ejɷti)G/m$Tpl sM$ IzP|xӞg _ECAYhqM\D gK^hKZeU53gGIŝH];(.$܆ +Az=JVwgc[t&'{W-Mܙ5k(t^>x߳ EǍ^0sY+GAVIE#^ca ١p{T7Wvgs֜x @&rLe!R} 푃 L )?aƂ?&^RYsŊgLj[{ͪmMP kqQ:.<`äikBeqg%,ߨK hbos?cDw;x[a8K[A p]Ձ},&:c^# ؈2F~w\oo *0];h. +I^i ɩq)%E -~'fM%n@8A!l"_#Y bDٹozu<=]tyG*'ϩTA5bt,؆fhR'Jj|N])iXdҍ|#(y9ff[8y6Q)=BJRbe}cq@##.NKfZ$Iahlb`Dg＀ ^0265%V&]Zf,A\fiBƋԘik MJh~RCpBs &I}˸@(hIH&[`0II?)c8zɢKQ8+5wJ>kUe=.b|G^=`u5'_" GE ь>'aYdSQ@=V)}g-;]ǽT6x17W/ׂ>v|e^D0C8M)ois%fG7zopFt" !~5 ʮ"+m.Uvݖ lZ|Gḏ!]Vkw&TƔ4nLYir{C9:G*YT]1' [#ιJE'^͙z~.QNg}ˡ3Gܯ#Zl?.NBm97~LްaUX P=Ѽgrn7! U(wu`n%Ԡ)nnA{fYˠi|k>V㙦xDV`ݺ-UbGQ=>^J7"'ޤyÅJsl.=)yzQBáRpawʸ2k}9P(tKu;]R{է"HeKҩoqƂ`tb@" rjb ~#ǏB$gqӢՕ$c7`r9Vg,ld3E*$ť\=B|4u! b{ );wl촘_H jF:u|W/itR];Nh)!zclֹY- ,ԃϤ2 ?l7px&?** W 9$#*)7߆9 џq'yd"Lcq8+홷d6)5k fp?TOR$=~pCfO3I>UuW|*hD3N<)1:BiDj"2m `yF``+#As'@9+)YO_>|[53NT`w3)!^ gˉL53T0GQCEl\Tē;qDzNïg$/0Ajb@D>If.t_SK+2JX !b!OjVy,}; K)S완c$!p9 lQ5^0nVjyYkK+LYdR>4CnC.]2З é1=ЌF?#d˺QO{gN*}]CD8eCI=e|~bc 6?abc21C+UfIXQNzZdbޠrOEZIl^*MG.POZ3ࡱ8[E t+eA!P 4('lD "[Xn $6Ϋ;v2hp ndl1٬ 9 \u'v'DArm#ЫCS6R; JX݌X z pu b)f`gCc ~7_*uS8g6` ټѬKHu%BȪ4KxJH2  @FL *Ϋ:W<خfe4^mB ZVeZoF)jfD~ZE'-zTY0~JE<rV߸~ߨn(~f:9h!]~pQ7%FQj|YIξd1oAؔtB؄`Yuc4 "e3y|9oZZT%%j1FC+9hZsp͙ҲT@4mPxdI RfmJEY`/ͻ!m^Y/R |˚Y_SXBNUu .؛(}=dsy$ڦaRh5p>^p *\}2o zU=+֔B\_9ɹ.qd!^SѲ$&AICP jLS2}<?eZN)n däZ)*V:jƣ١IMA–WobhG`@!{tEhtofZJ4"N9 'ZL CGX ͞ #p>3y[ϧGG1+=~'%g /{C$XƤ)̎)Bz\mCՄ'IA :u29t6n%pI[y<1±fέ=a7UЬRNkG nLLїZE}}PE!hI `&gamEW~w{ sK )F?^v <`} .!1Yoy2V0\;a~X2}ՏcگTa,N^0wzfݹaS H0Ox +'yQq7Yx>kLmbО[3T9bn(g׾ XA!w8g`IF肘h!3tv,y{\!3oX)BpHV^=jyk[쪯x3!&TJ!mYq:F(KA;\q0"iȎpSQAr6/$eYE2L~ѩ 7(ooJ5`sf{yA^ubeV~lX?>l;Rs })02㾇+iw`FGV9OL۟Ύ;x,R&< (ZH!ŃiG/]KaRzI@kUczD*~XXq4?x+/^-iy&:6TՠF lqJv~T.DX V aP>Y7h; .$XHc\T% 7o)CtJeӚmA,fr4,`o (1ٍo^uzf2XJ6z*8kSv˱ -! ^O3_C!4t_;}?!/.Hm+6K)?(tQv}=^GA0&)$HC@! 3O~KupKIxs΂u+'*wØBU%ao'z Df=!UPL.(:ѣE\ؘ{ss1, v- M!'%N/sg5ILx h\_f79;Ә:++(N>+GQD9mQ`W:!ı[ɣ;첥g1 " b lh-~o[щ\TNi(O6A4Dm.mk "*等%-  AVç7) W2~ >$Q4rΥǐj(wxH"h<$*$]K=s3{o%y#tuTA+ބu|Xk%,`lz͆詞>.CŘ?cRI\t̤%#4SCٱKeibh.۟IxU}T{8IFiU'2،vFIa` 1zoR^ưC|"rgϧ-`'(?Nd|P@RX PRb$Xa1m4McO?NjkHs{cl,Vy±xHJjIZQu5ceYM9,-Z.~4h\f-# Oowѳ胬 X kdkL;a}_M#a) 4ِVFA҅{Hr'.NCnK'ed'ͭSg{p o W*+8PGNnZAGa$#^btʦjɁoUrwn(hh:6ɔ#]ɢO$a=΋Cy~vr1N6h]a *W8 Ʌ+h`9|`.ŭD<ŖJyqfҐ^eX/V fP)@0Yf DŽIRJOΒ.?FF_`o˩I%ﬠ'۔RJSw2#וp54K-xVZG3e{tJ.^{S^4WB,A h:nX_n[-}^OR8DQXl*Un Zwr ǕM o6RC=f. ZVIcJ᪐R8JyxjJ D\d.ea/ k6m!mhF ϲ3sUHZ_2H1=ٔb9"0ȪjjA~ r=U<ޫ~Dt b]B 7S/2HcRύ߲QM[ b4d <#zU=ml AjpVKPQ)/'^;o⽲7Yh,}ʧ2H~O$â*8tx>|&e=xg5Vٽ$yIi6Ta n]AI Wm`KIJK YMݐΫ7E釠A8~FP@e3mܠ }D/8?/cA>;GzL*vCƫ [D$aA+Idc##B6{i1J }(E$akgF`"X.bR}a[ 몶OxTi0XŢ9}ZRB 7ꃒ9 3]"S); .%`b@o1͗T蜕1.Xu$r>Gj-c}/"0// cJB lFI 2ԀW7$֫]\CcONvn};ztRE؟SoU֐Ƞ6QirF9胨f-Q3YخO@s  PMƆn)]sOEw %P9 P6+B_8ӞLÌ`'HW9m anN-0x02e@\)^BkE=:_ea0$ $(HQ 6ey#g~r]jq#;+*a|':(ElŸߐ܋*'IMbkItrK=g|b>qQ٣t4N8Hg"Cw9ޅk`j+1OIeZaa琇=݆\5t34wg1:>ۺv,hת7.=}QƥՄs} سY.wA8V+ĘX>4!1\*πSm^Nvp;F5®'4c.L?fw(K5bB\㦗lׅσ'7_ <$pJE6"#wfZ0Uq¸;I%͎`h^ȨG7rux (:[h34kVMk8tR=|:=DF.(/ѯ<$6 nwڡ8)F ESYx~&78md D)LEH&UdDKNJ:ufU:ч<$) B6B%l,|ː&Ԝ/jw:IQ%K|C:X4rmYBr8H(V[ pDWn!`flXCWO`rsrq\ԡ wbK{@dt g~:LY81dcE@>m@:G&!#7hinp#<a鸾Y3tעz.`2i:]Ǭj;7k~Qʼnt PEجI!dm@$]KgPK$Wz~nUmYCճDϾ]ĞV̭%*dupZ-<3Ϩ`  kI K;G h\M]֦gxg|'"k1n@`o k6D5oȗ^(gع16l@ek =ZnqD|5HKISE3&y\%!kݑ3?7F~K N<=]O 8v"I~`b7A;H'm2~&Q;'g;60Wm (HE|m+S4jI?xr)&:M$b#ZN.^Oׯ?)E;9P?ʹk8cHq^ oXZ`yTO4uӹj$_qQSD\9䈝ȢXMv@ ]I:0@eAvMtwa5K. qz<s⚖S0HK׀ nNn{@T:;{ $&SBsZbtKDTK 4y ZW: :a$1ƖA[v :#4r[I!x(Y7i4l[}TԠN<`@cbK%`Jy$$D($3 ]UzdG!Np)fZ'[S\AJr!ٜLҁdZ<<<4G:eJs:/mIcB)Z{7\@&e៰sMƳ](JЇ+o50/Q;c+d[Q.ї 㡕yRX-,>vZpūXV4UU`^nZЈSHiݎZ6y1tWyC UHsx1:AV3ȅD Z'?5eټLcR,}OQ00L?*~~?%Xm'Pvc9O R\DBr160?ݾy;E6cYl33kEwl-PN"s¢~ ~}7U"=C(ٛ馚mgg6cEFy5@>7됣|2>O(D=:bWR4j;I =06zde؁>r4TPV޻  lrD9BpZ~SMo"kNe 5vYBXڀB\Bم'f!GɶTn`csr(fWZƏdr>X֢)^=@'\. mR6\r;Qׯ7>yOzѽ쌇.V_pyQKiXES.2.v AX\R|U$.ލ7F^z'neɹi$15z'(3R40kFMMIt12rg<ڸh"^Bw"/ RK=rBm5{e&DqL]~ʺió""%mr|眏[ӗzJF0լg|HFxy}A)z\вTfUdvXZ!L{;̹_޿6jsiOkhH(">!S>*{9~Õ";ro-y`/O:ϺC& 1ꋯv#A~yl)/ډ 4wP#"z:$_7\OwKocWBN2˴j,cp~NBwi;Qd%@S=31Vb^"fn! aȦyAOŽJ1ӛҋ bEQ' B>FT~] i][IHI |ۓf"ϒgjHUTu5b.X5n.FEJ E!8Zp[$FO#|j@pN5t#n-]ƛ gS+"锫سD W>zI׻?0|Κ9"R܄>%B ҃АaF w*)أ x; |?~27iLW$._g:yB"UY=@ YɃkim+[L 2?*yK'CvW ,Tq/̞+ ߈]݉I1ODa}+i荭ܭ*A4,O dMY"oSBsi,E7ӛ+ՀzitМ5>9b`*Kθ6U vobҮ]CSZʸb2G&qȾc>Y|&C)i訤Xb(䎍+p_ ^x Z ahK^HYk^o{pSĉWkV O3L)s;^Xx ? ③1t\9+C*͗;XJHJB  ㆞qiHEV''gi Gq"VlͼPlVNR̪sr6}EW!`bVeg?zT ~.w2 |d2cy!sh= 5鎰O)wD.k̥xA I}rxU2 kK.2Gup\.T2gԪ=bsHȮx~^̖nat@_w /oc&T{L9]wF v-ʡ1іݙ\ ceC # jﳝI |txӺPRdvӜl696#mb ou?0O*l4f=+/$`*ɠ_h Vi,Xd]NZ.%;|/ ܎"Uɰ kcY! _u}4E#@pͽl9Շ5P}t P?GRgjի$i -j\~ ,c+KazgT(9ӌ.Ŀ&/h\_ WŪpCa{"Aag"ϧaLLx-;/9<LE{IȀqNU;3?ĕV"?" /i /Pn*βKBND\İ퇊ŻEPy_7Hz C7>ƒ޿ZtZ+\~[>?*>; XPzZXزAj@CO &<*qa;6UF@-);K Z`l#=4B&z 4m*}{ggg!U=jpwɿ3LŅ[˂yn'mu0=ƈBiTe,Oq;0QˊDX#s7:{D;I )=R9k$7fg8;-dۄ "Lz 8i ˜FMT4w0W~1J8wKZ)L\KC{k;KRdQ;* FffR^3-Œ̓XNTA\9>o>Q4 QSm(csL ~EтӠ2iJQ,&,<ԇ~C}u@OPjÛ8~Xi26/;_J `smy`EU>|j<@LB8w~aV␪-ѕ{*/ݭSz9o;z IפnK{8[\3޶vk7Ƞgu}ɔk3GUz75&DޮQ{ZIA,POc~հ9ʤ@ :t00u2Zl'zEsXmCB,A4,<0\\ ,Q0CkWrTTZl<L?Qj1M0 [A_7PV._<aQwm^!x1dŐW&~EWrmq-tf|qw ΐ<7@t1,Kւ{19Ȩ(QK7hA*X|})(C7T7,֔fYD@ࠕt. : K1 {!vBБP -,OZ t?VAHQwko^0!6 cN SzŦ ܼ`"l: >ёaqbpҭ4v#2GٷhL?$L?UL_kXG[ߴ`r^ɑLRBuv/&Й<\կ%Qkaˑt6;QU ?Ģ(M5nMtKˁiTw9i?[d%$ĆLJ+?^7T=*J~t \gX3!vt\ ,7Aㆇ7(MpbQbXM NyNC(+pXW*|3hx)ӡ[oM=ZWQmKg0`Z%_=9ɒA+a!wϣ2~'eIeʖP.2=gULtN4sRr@iqH6Z&~dp=++f$\-h89V#U$s gF3 J ؑ.C|6% )7p؍}Yc][܆6leGik ]}u=+P:G{jr';GzSb?aZA0H;3zD1YЩ! b%ROC`xt%0CHĞMBL!!EI}vs&酀騌i=t QV`DWQ˱ywNYB_Pm 7/}3uOVEʋ1{3R2 |[uX'e * (2EmS ~?m\[Y0TL" f@K,8dv\sDy7]Rr=6xo[YzGr3фuDyD[INum[(-Ba^kLgT R 8k7V["6}:*8Җ񾓡4?3~m B^%oyțb((Caff  brSbZk)q# ߔAkua]Q|v)[dnC{K!ɓHd'|ZZ+-B?? ƵΥ{2{G\Y0|Td_K5R癧5 , T9KjB!kr};bvm\̏d!)[Ʋӣi@lqlJBD_ ,J_\{3q+ZGjb']>,rf`a>oN\akF0>P3̶2음}x]ZPV_-π$&zr=˅Cr*k9]gE%:xq;I^uBZe]Drbdϝ ~0d;>LɟğBClXXm6kIv$g‘jgkwG>rkZ3#nَ#o_z} 0K'j #`*#3_et2@'4]JԺSl" 1,Ꮪ|]dD";Bҏa4Zւ/51y xI@>@.%-,ɕ?R-@Z6" Zw9GfPtFV]KeuNÁ(0.\pB32::fמb(ęVQ[ܤ9PomLX5,LǓ6?F519Mz!e9[Zx> *DJ>Wq3NVzt[=>jyb5'/Ia ZȂ  35,i>:YS'={L#`,'QCzÄz7p(^3 T}BE &@: ՕKVm R6^Nb.J#s?0 k$F~;`Y'qG \]Y *d|AC/hC`'5^_)eMhgD2d41 D7eޖrg~pѪ# l_`9S7*D[fjyr Sq0cCkW@2͵.wNlu[za}67¦iI%|sípL eMiZRL#S'ӡ֨ "v;Xtu|[&Ro[[wYS\xӏ>r_~,P:Ď?x':n6XN(i~&LgӎVgjh Q7JP!eBog`2UB#DuCΰs_œ - bmZ}(Iw?7T(p!MhYO: @~LBЊBŴ71f\BI(u ?L1tςɢ퇝ބan$SoƊ+ʼnp㽶UnKDfIt:Iɥ70VR)wu*(BFt+p: eބ>G& p hc\G0l +||PA؂v{'i//w($H~ *3[I [;>Χbһ$.)>[4߾&ʃU)ːNh>9n2",!|X8bsvfUwӔ%q R i8@3mTtTpsGIKpG+IqL|wb袠nZQr} َ5XAa`oBQ6 H~YP,\.`dNeCP5/*}껓keVF 9Ƶ&2` >(C1 V\qp^3ƱjNՓ>^-B=%B "yHv8ך u!下spNF ׂT{vCys#s> Գ㥦) DgRl δji+J2, \]: MŪ\:yJt񜂲Vz2oI*}y'FgvtP;6OBM?1NG{/q%ٹAfWߪ3uu%*r@~:pC@{-(QP\_;fNc q_6f֤7/އ*\Àt,=}fBZRYy"B&Aă,@)XBhbS.UIÖŸy fWϠ+ūV\H{F_'feeNYiv%3<[[0l]6&4Pt{S-<^[?Wc ow`m΀4:[rxe\yi/? ^o}E+{FK؁n9xiRfpi2%lt;5C`8 . iՖ&fI^Prz͟$Q@f%-4l@˜1>" |Hd%9]Ye=ۃ11˸e CuXNtgfav3Euԋ1x6VdYa/ȕ/R9wv&b%VE#Gov0ޜ9\:I:G"1ý?X%TE~ pXJuh) 5^+Zk 1}EgK_[I}um3Eɺ|E#c~Lk]1׵y+%n| B L%sM@ǍK#?t[O+bOӬkmGTT};eoҜ{ =p+FmBʲsQ 5@Xbw6v]iQr 2&Z\+/W׻mP2Q@~M7egrWH=p Rң:#p䲌m5Dxl^k' CӠTéhT9r8fɣmd&ʄsbiw_)S1cr #trPj. {gѿ9{wC'?Qe! \qS|,5Ù.PZʨCYtCJILeB CN ׃7!*frH^knZ~rvUQ|~>i_!iLZ^=R RBf0Q_"q:1s4$\&K$/t8=wCW_655atQްbfHpYv2(ӈ<):NSxiId'H+jADK}`d^q 1ӍeG"}&y+!* 'P+s xw1RRW8 AOdYռ멋sPnJ>zVZ&%4s4mW?O SHİzR7~N? GS~?yXWôUBIfL\5!rG.þ(8LuyfDjyS1U'yL\Uc&+EPj$IJ\0Bh~CL'x=mp(0SO袤D3?nh'Hrbs.Uʣo`ދ1TL(@S z =IlŮ+McV/Qo #}xKˡ_<*;9|7+,EU|?S)tDTyx|hqKdDexξ;Oǂ9ʭhH@9֢Zx1)Ex&6sYjς1c=/'騛Тc }Cpg֝#WDN<円D^ AXa-EN'w=Uy-n =!qxP5 6H<ff5+M-ƱFGy>! ,:lNߙpFevg][six%zA<􎬞݂FK\Z)ڄ#GGBˡ?jl4"(XK*cu.n;e+29TzvXH%o%l(@z#!~N/iEzf@q} $mefE*3VƸ^iO_ܳ춋5KN#р0[YˑH~6 Bw qL&=Jd#8!ahg8ȉ8W40SϰFDX3DV!D=go#@K.$:2 3w c#.dzot4?WN'm4PIS:l>L "7v p9B{gǖW(\i_y:>a,c-bNht%[hK,ɭ Iy-<' ۫tMϭƥUUu(X2AM߹!Ab'Y\W;| Spz$pk?A # !FL*1Q_vv HN4iy*JT %۞qڂuL9 KMx8-fRDWpXsf[B9SK]`5h2>FVVXy9иr$Dژ;iS4F,]PBe Z35H6M+%? q@0i\Ӗ8w `z*pA"|d'Iȭa7nj&vo`bjɪ <4d<6Xj/^haڕK1).ijO9Ck.'5$Rt( rut8OhPL] .k%  4;tVj+4?&_--Z ԓb~ZqDG=z]Σ^Pޗ)d%T5eIY/ybI8y OsXu* ~]4$qNSnb)-T\h<遘, GšAti<hJOw# ?m8糧syiO@B;S>Y{xfwO ^/D}~ 8Q O8CdUEq'` hǘv努]M+{D]Jdb;Ѡ5H@t{EeR.>bMvnm| }Qw^Eq6}`0P=x0K1Zg_Owgۿ,XNSR>%L}Xٛ?He/m>XBghL][ˀYCQSt}ih;^B dq⫚|rPӯZ%d'规nG%*k<㹄 g ŭ|1 JcV|N1 #{?ܢ?Ql,lWf:mU'B )Hwa&Tf/5hc] ڂGxR$X G=2k!ښ{:@K`Qzy:1T* / AP6>(" Y=MIFg?g7gT!N V<]*CҬj Xœ }Y,.'a:7 7pa.eӊ\M&a_-[09x 8Gষ$#mnZհQ {q_ZJ=of,6 )mGV)ea( ENNOLę8WMuWI`$ZDVہ([Ѹ,GOr\ 1{@D+$<%殆ˋWJ>~XeiZ H OR-{0_}8}[qU % 1& &`in@gW)tITܽb+~;n`8GVZrӹ.fbs 0u6G{,)˒ ^6mrU4ثRx7(gxd] JO0y~Tg՝yC;SG+L9|M&CClTx}B2uS3st;th#ePr;mӔooCN:hzt *5Qt/qsR@zp[[ mwɟ\7g*NMuՔE(Hc2}UU[*2B=]}si`Sb@i߾&b|W!lh#p+)dcK_<ڴJ{ajs iF; k+H6& &TƘwl3~3 fD{711ێ: r?Ο]"v$]0]{SjtNBp0$k\,l21lRu%InkU?z-+>ѥQ&w/L<}͆w}C`tUJ3N, vW>.b:wQ^\F%P߆05ll=XA ?6lNrjdh5_e4msN];_b1lj$IR?̄IA U7e]?~vHR2:eglKEη<Mzb[ EvIA:b #.P]m̓hʑMs5M|oFHBn{vwsǕ3%$OW8=G:ϻVXFXٖw>~ڱX@>AECOq"p~gN&"w<\'|4r>("jM9G!SP$Lva y g$APdL4ڀB]rgvP6_BjgSIĶ]e9=_6ȡd@ۏD\A?lcWԵ6gt o ҄=ڹxH3e ^NBQC9}WpnA#`ca+ :0J QE'EZ%}^ԧ&uOYΛe0H] F8 _ b bEbDsܖ`|H?\@pZܪ r}!?B}V(%Og6"̡X@-MiAoj^LHmg =?qB᧺S]B 66<&SwǢw$+ps9C~2W^LzxM-D$7[J6-7,GL7̪*/oCGE%_QX|Sq!@We{n6%PP-H]02wVA6ඇz*vбjf3D΁rč _:8پ}a#&Y{$B Q (-7 ]Ux&XM#CkM*z1s0fCڸD LUq؍Yۄ@Ko̰z@ x@ t Jihٗ%B174 I9 [My& ϓ;.KH$!nY=1fL_(|ğ#;{\Dݜ1ݲfIkM• Ǵ.ol ]J 걀Z^e9n֕h3Cpkfq\V Jͦ3N@mŵ pcD!-}\|44F= O6w0X 8~$rdH[hfhPC6 P( nU3Wyh(U2g£@ |6[JR印gUr 42V,0YT)[pK|wRLֈ ԇrAQ¶ l;]KLEY$1M$tW߃dϣ :xlXo*rOzUXlNP;΀tU #60ڑ""s-voھ`y-2 lprF$ճMD|)kՍٕʨuS ms&ۥcUm ڌ>3~ftL.-LDER_ZG!;㔏t%?[~ ! {k̮Uu{ɔo%zoQt{o8!9z`<<K1?1 Q[B#6 Ór"z\u&۷N#A&ZoW'AEUA\6W/JªZGG766T .s$9|`D4^QA>==6Ti֭,5g-»])C+7 W)Ow;]YqEOIr;͎ GZ4*ZjvN<pm%%Ar<^]'ph=>ں@%,$$ lm͸6Ma{63H/ƉNJHyh`[: KQE71Y=2<6TrLO1Sz]n  dؒ50J![Ɉ{Ybe#8V~W͡?pOSw9OWleb_6-@"U8pJY=>Q`,gG@Ec!qm1G~^x+Cu:/Iv_&C|=% %kc-0҇{U#Cc ,*frXC$GIo#n-:}-W#qe<}:+4j"XCF۳R;@ 41i8ߋ_4FL<=nŏR8qha^. Kެs|BsZSgX[lQhϛ(2N㰨̚=-\ ^Wr=T r8Gs߳_*c.`!T#B~;c( `|9sYNKU3e!_P |_q ݳ}vwyvT2/9VQK3RsY*W$!跘MBZp\/lW|{eE>nň;1q+lt_z(TžM^9#{4N㥾 7{z):ONA}xLX:y2M/dXqQ92S_X _ZcOjqƢw8H6gqZ+eH#r:*{*f;<,aV+;J'Њ]'BKF]+򝝝Kvs ~'U,:Y8 , ah=B;`Cw'-+&]e:78hM:iŎ"7;=SHc#eݥ9'*&X^\va)J'HC$.LK]9g()Ql_m9PVBM[ȤUG_8dQa)j><(?[O|\Fv i{5z6~qA1/VbT;wcqj` y=CQ՟yHquwȜ43ӚWڕfȥPE2)ᩁX4W/T)òGrWH ?yr{G[ {*D#!iǞP"uXɷ~|#>8 V޵ 1܉9H_xy)@{ѝڎՌ4Š焺ݜiEghh}UЛ^6O5@~سkZ ^/fAq'|9mBeX}KX?/r\nZXUrؓ**tfVŘeH=*{=q ݹ?v|6iL ò˥ȇWJcB@'N>TIJ \Њ7=%fts \(Nzo6( 'sX,[ I{gvĻ&^,8̴q{?ز>TXVץWЪz< C;oT ^bRcbکptwvE['qXZCa45rrW>_XZ[~WtTXs"Op98x82<<&[EI!rK1x7ٻ%W:n "N=x8q[^ Z' c[Gq^zF="#ŬrxoZ BIp {0.q(: ৑OB7 H 2A)hfЬIL+NdhCz&e.lf, GS==eƷzQzL}3VAN/+Q. YTZ~qt8Dr%kۜ??ea:<̀<>M;Y_#l dqŒ~= t&҄YVw̲B'32s<qEۘ <&5UmQopUV{?D}Rgd.VeɫzPl팿Q'+jm˾\,Ì@&14uQ8Q= y、 MIa@#I :of /ls[v5zzPg21"!nz $6Nk~+rG K+N-)̐tH}2E`~xX+i7Q4:/[˺w0ׂۜJQI[MxމiVF2<%OݙҨvԒ$>nm9l"sҒ{t#Ć?Uzѣ|am;4H!09Y3̈́(犸RD9ϗ+oShoHBh|uffdsIe҄o\Tq;$][JA '0?8KoH o. Boq#֏$%GYHza#- ێnmhabaeEb"I4Mg.{ +_]lNlĸDvĕO ^W)PΪ#*CN2ցez[ÙӜz&X+KӴAzdrZGWed'bQPdy*&E9?zISph~W8 }BѣDp4 t o d_| P5JLORH?ߺ8Fξ5iMs[0irVc$*{%}9=ۄ'L% zjjk2HlwW.w=,I~~GZ~Eub $ɛrϓ~](X|0[;8O{@A7jcʒu]%xAJ9EK ~0p"Xp#,Aa &<0x&,Œ<=Y'* c}Ä#HI/L ]H Qy MAх=+{p/en?lX@1VfhH݀SlOښL%F rz{ctn{~!-ٽRSIa y HzƮ{oT:Es98q_D0 \f<$"ik f?4:#kܺ, T yOVcUoGSH1c '#t@0HBK_y%;!"XoaRJН{IiVM[i07at'ՂߑF KZ)ȃ`(OqV'KrP7U BYet 5n@XbU+; DKCG j"^}ςyL2 N5~3|QAp1Y76ېM@%.jqFO6 uL.(c}*+wα{a"[M8ZR(=+>d>]%K:yiC~Iu;HMޕH[yxV#y"3*,æy+*43C9шtNw ylݒyv%=7N4 Wdk-%X>bʳi(MfVZu45F$,8+eenV<20J?i*d`c(BMKV9ߩ*-ܓDĜfN$*z%bH4NA*cV6[7Pۢ˗u]7w]>VZs=sW 7`3TкC'0HZ Z1cvj%[B| );F49d2wzt]6;gJbylɩL%lKrYŞ-j+&2ʀp  ZjL?Dk̋rȮΕQV/c11k/m}.J%ce\eU~@a|! n*^yAʆen8suY*dX.e0Elz 6QǢ \0Aj9H x}I}.2GAq yg 0EC虑ΦQ.,.ͺ*JO.}zq=P }ԞiQsg;K LQQr}*6F=1+koNQ":=ԇoxyoB9.5A5O|5ֱIM %lG"y>3l MhS⣍Fͣ jQ׈Reʢj0ϓ'2]5W,G'Qmc9,\ݾ-+ /`Vil$>w<M>$$i} !ݙObWf Kr$k=>b츤]eg^:ջzgx#ɔ<%ce6;bs)'yȸEC,lؾE'b/&JWi+=X[ /I&Wٸ" Т(+h[r@="?j O[ u)v?GV*!~(+ys3V14p?g&F¿š<ːQ@rљ=H|\·B/%LqP#avʔ{eN M urv~smR{SW6; d먧?3;~@=_f6$9U1^F$Ŵ)e} 1&\ػuaQY/Q sqfb>-;ZlC Go e=TօW,z6=2/v[$KӠ&aJ\8 /j8寔ENt"L iuopN6U-Tubp@HTj4\n%oPPTҙzЗ'zeتq#&OU aG R*ظ) NN|#pcħʣ1ܖTy"\:ޒuпKgUYl@q2ht ,WX@Gz$byQ3$^%AteLLXCc.R7&4H >^j 8G0kb'^AYӭ͝uR3{:gt<7R!6/b4>%w VU¯!fb=ҽ{5F56Jwv! IA5C.5CѤsc[r6(AOe]kѴ-2 s37̫觉aBLsaer:t爢ۗF2nF2J<{呤璉5rՉu3;SPB^A bz|ZFÚHpmκ4ЅM-NlTZӹP!ixZ)=tJMO$M8 pP6} \'Z|[%nՐM]:)IsO.-f$5,\稂2u'-=J|k=hHT5N7 vBI5!)=(UNxXu¤^[fc*ݸˠzGT]O/RS|v(<ۦNP YUNOC8ZQD@ō28jtt+]$nFV*y~༚9yJ V`0M|`!e_rRp =T)C$hq:^g@Ƞn)V'5@cYt[ Ƕe,h9gq AW c)c ͤU`Q˝L ]& BU4eL?U>4TO! $?uUo 6I|HF*l2ԟf@=Bۿ{8? `nyT 𱋚m`]T#GqqY/@\AZ#>(J#Xp$|z*InU:hƟ n:]{S9XgoZqmr׏{"vf>i-xc<ZίQ}5z}'Sx'l \1-NT<w6WoWYJ u,Sl$-wÐ~ k)"1[| m>b>YdcI1 bT{8b-7Ë7(tNXOvmoiǀeGW`tG_@wJ)c?8J99tGN @5Z7 L@&E%un cWgt+ajEX<p BX‡>&r"ܚ 94h_}ZG8+*޻_򧋔^XW0ٴјƂxU'AS© vZǑu>4S}v׷O".$ۑHe)250?9wIs.7"0xkEϏLB)EqܨTyÈ=>!H P):qAS%f|?ױ!Aq8D|,BX dyQb#V̪^?\Pk9`.{@tαMձnI\m5(pOlý!, 3ie1uqT2炎Lhe1!@F26BXYރ e]H-||\ MRf>S"pBUOO4RG.5OozpD !OU/*9#ㅤ &ѾeXi#ڵ{`M;уo > {pV1P7AqT0kz!m;2TOۮbD%D|ֵq ' P䌸 H k9:b48\| toY8')#D")EvpoәhiaAJJn&-ei ʽ>ʪ|.f2{RګoӢ7g6 2J}2QܗȞ rRQe&c-.WxJd.Axl$6Ɍmvw 覒Et/)X?v `Wjp#r""h b@5ڃp:EPYnE\+S/M WoU%Cb5=h \I4_ 1"v[Wobfp3[6޶0njMB(GCh&ѹjSAN DT`Ot ,{0,q7mK"&ez,o\!fbȽ~Jg +)93L#%<**,G8H#Ĵv:l[[O(Mh{K~ɼAj9[A,5׃Fc_;{ADԠJRQU%Rå+d ԁXqr@Ҭ4і<+/x)a[|YAYA(ˠRhtRIUjvcgZݮR +uJ:}| iA S{lih 2!#C8ت>$G:Bl b&{|-[F%-"V,mmąEx1ÍfUQKiʂ9fxdSαCiUQQl Ȝ'X1R]4;t !a[mpeQiJ%0PsY=BgBmQz`V7C+JČBRLQ3 W @=Ko]n3KK%)s/c/A#IxAu /Z?Em ԞV&5[΢\= ڹ uh:.,: niU][f1/ʛݬ?@ZgLXp 8+1eeBӹǞJ6]ER҂`gLtQ>.OH4@"SVP=10{ɻtk@S$܇?6++8M.߁3 .+z#|-m$PB`'#dYnCwesшlV eaX%Zwm,L=VPF lN=; __.~Yڡǝdd /S+[t/ᮽ)WU-l0K}cn,N^'*,zaX\HDW{wNB mt<悕$q| VSs:\ NHUl{cX`y\U]8|eb^`AX]rf吟v)c z!lΠ5Jonbz ʻ{GR5^01\r@u$(} ^U~(:)B7n^z&g6 bq}g:8AR:P`^p#w+yn a~/pB6 n_wW0ŭdS (bF mIɄTYjAmr,_ /WA}hxz+9I(ƺTU \8Ze{mɉǢV'k dh*^mP{ WE}C"kr>Jݜ'K%c5=;̻^ {=ar*^8t搇[._(W 4ӼGsx_|GbBY5|յIN[@ysʯV/26#%t'gEgEjx FM쁈a(mn9v0M@TiM^)@FuzsqC K~k|mԞD/dpOghT\`o^  ?x&` 'K.zt5z2sK,dAa #vfD:7jCɛ$-rI\"'W8%kXDIwpa.DPLV#0x xSOi!l7Hbnt+/Kq9~wח 7Ѐ?0T,M,&ɌL4Y[rMa5 5RA($_)?NvKvpv_.~_A?~x[IKb!?=LrFLa8>vh2hk3ۉ,24$Rp 'uL7򋬮$5;T 2m9 z;Q>%0@{wPӦlisۿ`wgbEf2r7t A!0W2_`a zry\MeZ[X_pí vUnJ+nTOpbeQQ{>]d0vf yԍr=FN>m^XK6w~M;ҫ=|`ʂS^D52u$sKy< P-$e%Zɚ0wKpGKuSKs1& fE%ı[J {LfNX̰װYuT)@~eWGs{zCB^L닫e* ;0 vxz18A9#}&ϑ9$w3/ njs썭ngJPM[!lppcsQwE> Ifݱ{8NØFeU!.;Yz!yg źC r敗\L<՘[S}XiY,DؠgQTLIM=T5IɎnIRp kNh7 (T%EHQ#hr`<&6(77!䓟#YseHE)cKr^}o1ʼnV*aP_ZGQs=Uf qW2k|J򬾐?  dPpc[7u[;h$!+k!+];Л= Le#gMŒ/*%C$K,zCe~;Уb[ȟEF*4~Κ4J!cbze6&co=6~T.@Nf.{gnm _ܾ>6S",;9xk$jgZdV54GͶPt:zMiq+XJ/l9spz4mQd_͢8Ac7UOPl BC@  w.6"!!G~9~Vw'U3=͸ |N__!f|]# 5S~3Y~=1GOeqS(ޅ ##&WO3+%;6uwTzel%Lp |cg)ȵ1hq4z0Hb4ZDU59I幤5xӋ gTPx(L]7=`+FzSiWq҆ y`="Hr֦ ̆gM镨0z̨ud 7畫3:FZM&q^#aBCi+yb3.)+.D{Jtply% d19nZ"e)+ T D2*[I1,= ԑ,+7kPc^ߤ7~9Ckd(@P$ -=kpc;Z@c*Y:`W<1Axpxbh|/If/tkv$f W ӂqQ@!ZEfȻuUy tAG)3=Ts=RhO*CZe?LNy )1JSFF,gKI"JzέG0nt R{ vצ z 5ʚT-rxCJ/L;q=J$#?YrRi EM/إy =?U}r"tvN6 $'diϠ0#ϊ58W݁-Bʩ`vb6h0l}_NqB_i S'GRS:| TQoPP3y{6C˄r[x[ 7ϐ_ J- 0jMjYbT.FF"6O{ ػ aɄF{6Ģ:!e3B5͡!&( VAsStd9<.vcE5r}qI8ԡr.4= %V n"wīXc&c? 3"ݝսR}20$봳= $D7|F!Vo J|ᦔ =ɷv1ww4+j;ZSqPzȇ^Mv$(<1|w~1]W,wǸG[()> YޥDꩽˈS;^fJ!qyb[-Oeӆfd4t~rn>$ccfXbul؋Oxk:!ǧk-98o!x[l)h!rirI`';TkK>81[ "dT!4YaaPB$tJM!Tڸ%9y8Q wkvu((Ȋ2N3;&"04CVRƄR,41eXD[eTHemרQXG"|"1Aڰr! s`ʤ2$`LlCgX+kI=b`gA:Z:~]6"{ w}a*e!i~>c6Q0:;l6T%Mle섵oNu|&E_Ph:6#-nlׂ!D;|ȔN=oƧX79uhW[b )d9%]zZ},f.Ky@b~)|R#/pEY;Q^&-HiאOϠwq6B\mP`'b\o6ۓW"(I 7A-+ Ĉ.YVL pqVW =(7)>n1!>W4c@:ޛ!p\o3ƅ$r[{-J7rF5cVCLweYL$l2)MiT\ߔm 9 Mg2O, 7:'S)УMh3;Y d?z߆儷T~ݿ|1RkRWP,OW)% Huq}4C{yvv{ H{oY@SɢTt!9Jܖ-fyK:LyVߊ[k6)->Y=""?y|XMTv<;sA}属wA't];1"%^XMO_T`SqtgkGN|Jw:$+9l}@9S^gj8\̭!t.yUyFv5_@K ړVr$[!1%CFEIGBYOatTؑiXSKrmẎS\J!}$g"\VYrnM BiE#O qEnёw#[ykƒёLڣ^ GUtM aBt,3k%ѐO+ mQQq>ٚ˸ɴ+° )EW-޸"A5hxpſq,?{z/U'MGw8񓣳('U]9x1~X L$88 S "ZR ^.w kOi Xd(©cL̝[bB tj!0kٵkPx(67QPhRcB%.Pk'}@C{a#fQeif2Ht@OfXJ\( "ߝl4+Xa-BF|WiKbqP )ů>Wan"wNNOAH!' /"/. AI2\ڍ"#u$^3:"qH~r^6}|*DP$ҷz;I;CQ4a!*z.pNvCiWӘ NIxxܟ|U)µOYl%H*5k9Ԕ 5!trWӆuO'`wnl"|JIS)2}&9F+ɰ|O8~?A n~4XKG[Fpp}dI+_mXԓ3~i$aĀH=%(h?;:XI1+f}K J̉&rAgo{ liovaqr*K$qxk řtDgt1rt"E~K牳 ȅz=r:fv}c@ÏxJx셧Gh,SQNY($~WGV#su!-WeQ }l eȬ9(zt zdyQ~(P3m b)LfuQo -hyqB|Ⱥ,55]{Td4SxaenHJ"-|珧#3[[4ҋ0'\x#7oϕԏf z f/(ip*e5gNov*3 %YzxwZ u{뭣jE lSwYΔ$1ۙrq-e;bc>E~F4mqy˼ ?`m̚~bq՘fhQ xdhFB7ls}C<*m-'qQXX+9==ྀ g̺>+a˲E@65S̽2~K;XV'J8Jd=5*mr8ufD)ѽ}~9G+J@HTe0Z<(?׹R!Gò%bG.2piBwBcc\f|y=*kcMl"uF#HXHfk}4e+o n,}!n )ySA`TӰe5zz\tH8-U^]`++"*\GCd9O b (ʺ3iky$  ԱM*ߺKG#d/T7Fy|'hڰ *fr x03"Յ:-Ÿ\mUVoFX|M5y,evAaFsltv.$u~>rTh3>:]_TT'S RB~Lkb~U9l|t #Wpfo/ڵ=%iTbr2Nt#hQ :ְH@Zc[^Dڦ8FŘEA{ ,(Iq˶"yTaPN} @3Eza?Crg(el1PYe1C f*L, \JzTє}B=z&L+dwH',/6zTe 5(ɴq;K{ˢ{6۔:Gq "d@d?S_DͮعNYFڀ1E*iV[v3Pn(ʓ;O}6!ĵ6ޖ{B.χƭ/tD!^2P ! arc!'! q2zU:P(Sé;LaKV` 22uMLg}WPXk uJ|!ɢyzjpFS;<2˞+iTi `С.raUFBZ[M &Xj0BFUnyI5X%.R?um'#ZY_T-X[d`\Qb{E- lHïK06xǐu9MI1W# Z*q&F&ޙhXB;cFCE'Q5d}L85)*h =$ mQE 2jot wp5C,{͹⒠ӝfej϶UIbV:3HbC #(4w\˶dI@+_9,L[ BԄǥ3*;@T]9rJb\F@a爵ʑՠ%[u5\h.~8VTqWxHAym_VC׵(#e4"L"0Z(b(,C\pWh#Hvޡ)0Xky@iv'G{=X|1T&H&GΊ,R%IJ_F"P@ IK5޶5q-DՐ`Դ!:#e+s]X3uNGm/Q##6~9P]dƖ0i]+q Qwՠ9Ctmб Mg? hH[]7 T:DѫBެ[Gˤ̔@6{|DDV,` O# @7,*LRwH{'1q}"=fBCT|rJZ0FՂp.'%;`T6 Q`*CtAQ(bQc K<Ѧ_%U2m[O~Ew@\<~d+ߕG[nMv//pe> Lk{#2٫մ/UO|x DJi8H>ۺ>^-a}vj)Gg/ۊPBj$8b?]{\s%꜈4$ǒk0^Z<뮁0PX > m8.#ZqX0 V9BU.,1u6[y:#(MZH'a%*Ҷ Xxυ( 6k4Ihå7z$AL[ K>A[.풳ZmJTY3h9eў;#h4Hru} b(7Tk=@/wt&gJ-|Nx Ml}!ԪGۋxidhs' 9q-DP2ãS!P2?\YJ*n}X8j'3BL3XTE"yoYλ`.uMɗǩ;p6[փ aYX[ȐWJ@pF?SڥS)S*fzᰉUM) If p&wZccŕ,Nv72f0 /S E^JMjC`Jz鱼DL8W2ZW?:P m4x x8h7l лG%̏_q3k [jalrk!/n@b9JEh:R\)󣽖}5SM*㺻Rw66f.JoxgnΞcf_r%_j`1Z;ߖwF&3`.ͻRzXEݺ8( MB,.eBj1b\!πdК[ÿK0t6<;4ae6k"/Iz*T1֘&/x|D2ici14R@q7ӜV_*[n:҂/-BgK#ncm#+?ᚕ|JnAdiiBTzCx-=EĒa5:3e(Zo㍃1j&>^@RU\$H3}Fjʮ E;~awnR{rE&X 'I i](u:pŮ]2׈M}H-5 :I:QʗaP\T_ģ×F~`NкUamb$m/hiWQ^G]ӗ7h){ (֧aͪđ£mS*s1u:ʷ( pfg@/LC>#e6Kk68!IN9A@iVbX}jbh. }bzI"+"HT:eʜ\Jbj Zٹ=_I !.mEٳ;'!65)Y(>Dl"QY:nF kN}# ha93{=@>Sɏ7~S0qâHŒToI4qOe~ kZDaߣ[NZ &FcKn_>lxBGKA&grjsjYG)7Ւ;w9l@> w i^y!X ӔwM !8 x3 $s_"_y#k1{e%;]2Cdr] P=5U(PBG~z-FҽONۮ`嫥r+կr#}I} \Xj? {pDLEnD|31ljąXkXZOԮ;,:TPyz6Ñ@tm;2nHo2{|ֈ-@cgϕ=g)bҚg$͠M.N>FUbcI[f6qa> KLCBRo}}#O-s F3w e 5dsN8+rhai0E/RG-LG/:7@<.jlҼd)z]LҦuk=`ّ W~pl]z2ȔM&[g']ȏL*G0Eg-jxwQHh#(7uX6DD=,͆`4O@AG4ѤrNJ3TRnk]˖x(r6߇ ^(~ T`4 f} =0dUOWYJ,ҽM+HAM o1^w7Z,u>WRwC1\O{R<5[O) C ɒ E9Fdy_5RwX[EFIa2' _e2Uv `mg]#[]U&LGqKͥQpH}%~xWFTom\H0'|HvLWH e,iŸM~n@U `/[Ik*6tHJ}c$5ǃFk 惕00JA5 isb4ڀ4 "gXj4J1x'C~}~ CØ #)̨)WUʆpWQ1K<*;PVnN(kG|z~,u3fvXpRC}am/'!/ B.У Y'H1#ëg5HH07U?=I&VȟP䋢% $rLylyCVվE6zZb=<){Z 3$ݼ;tKU@ j;N9Q:;i]۵|xX3>AͭcB/\ *CaaՌ Y7 1{9[S{)꠷7>g LGdL?WՉṷ8|jfߧ:.j4~nL#j!G6΁X$1<) c{)%Q0$m>a<)Ҍd`v7-RFq4aPfz2zT]-Dї4W gH lvav`VafګtdcaB@.}oGxfȻ{_s`䖲<îhu9hŖ^oa܈FxC ٤Uռ@dfȿWxAe}x {Ǯޟ@U =BBzQ?7Mx޴!p8Crqޯ$̨U/k_8";?kq?9ʾK̭Xˡm$ :֎, i*co\%K%xE bT`y;TMZnP9k MJSVy!밖(#Rޝ0: B~,E XD0m&zU2߼D1cقҷhg{{Rԍ'[Q4!~qnpIz%Bt+*(YHՕ_pQh=S)&vZ8"㠽 浢;-v mEfY|Ix|wC?Wх/3d&1n\.jT9F~kr ]dkhoaχH% h=tD4omeu6|k\KZUԺ#'_%^@K~+zTHȁR3DSz z>_g02m%bVfst$\3+Cdg =?9+:+iZs;!{> YWs8lX=\g(+~R}/[s_]ss z$ZS>jr#z)5pLL˒VQqYĈ]C!ŌE }gt“w~c~NCZ=RhMUbضINҲV)hI y??0V:K,hu(p;\]<Ӵ$ے^b%Sv8V3J cI,.k&O'ʊl a)hyx# H.!c齁֮#=K%db) :ʠԸs-Fap&D(Ba&4rw"RB녩K-b _ {PxuASiրY`E騪z|בE%5YO84u߻Dfcl-q*v߹8Zdqm˹J*t2Xsmb;u; հ$▛|) 6HN1A:C+;*/}fސ1n|*L [P9v,|t/*23 #aHec. 2dD9hraȮL]IMO"꼑Gdz\Hӑa(4xԟ__0S*>g"R|ИudL>-6bK9ppJaePr*1+ȹyRY%@m><ߗG,}d~ϗޝ0j&ܠjCcm@D=lk|A |"FSJ/&6(dྨ^Lm،k>+`*$>+eDFo}">IY\Svm s/ppPZQίFmLnMjmȌQ6މ=UceYlˉ٥滞Ƚ"d"~&f@KEf7d.j&TRP+R!EA"#P9\z\QTŗm),VиMJi/1JC˃^f\&(4b߭Uρrl!b: ]|AިGӺq5G %jhUMYMBS &?f~rbP成LgoLuPsp`uyϒ$Bfk *OkUV&.xxoDRO,Nw!Xׁ>~j/֥3Z6(C׌ 49>3\/:0줞̖DQp[͖p|o)~5]1ϑpohW/yD,3ddE~&W|T.m+RNWfUyP2M.鐥 8dn ;l$:ʵ$eT1_-wSђ xW{?  Ư@FtY3P^z|Rgi1VT(>@ |j> J9N44?+/PxӗBn2,j)]ol>ٲ)(;5vn{iܽ0a9>?¤[!h!RbeB#2{xfBbeiLXw|:%|wҳ9N#qx ]zP`ԫ&m |0;z% 7/`N(1KQ `*xl8l2CL ?rr|  sr *fCPA-E tC3,$M.Yr(}0 KN.96q80v=sw@̷ !rZu>0;ɇp[C[,s`!= .h,pqoۖ'Ql[.x/RbvdӶ1hhm0e݈9I%. B` rVzء$@y0k},T@ʯyx I >f3$Ҿ׭ .; ɮ;8"‚ ĸ1/ie{ 9҄~ڱ!g^Rvv&X|ơ%7\j"[$4Vo^J\:I4ɦ ]eYQ$wX[F,!'|{Np|Fr#ߑq(9E^6+!fJu Fu=I_ tT$ļRv#%`:H$]ĿV fY; e"UN\t:E@ya}''. ,[+p|6 +r\i~’ۗtpJ$)a>#'|xWZ1^81216N 3GP-OrR\4dx,< GlW QLK?B9`nv(BI1 ;|z_{$~f(c7I)`8?[PP#Sxqs1 UgAzce?WG&߅':,;Wy9{e)|'yr\$7M=ݙCl.X9efL~Yv+]aK)i] @j ~%2eVsvvA/մG~zps[Wxпg4Xȉ[Q?yJ|NحF{Zc:ևgA7~V6m`g( -1 z?#5rCꈨ0v~/ҭMz?kAJɗ~<7d_>ZJ2!Jm',6`H3sɄrm>~L_(sLY.G\<_\k6Gn`tfWH1 +˥G_vE6S!J2Ț^B<ذ~4y`1mG=uKGb#7& %ϐ'(݇v""[k${&ߨ:Fei%bQX;DZuŖ0`cD'au OEVйg#NGZwon[e$(,W, MD\roX*)%-Ҷ!gJC\z/S?;#.t'{}4SU@ G9ֱ{|ZIhmsHw4L"\AZ8zrٷPtzuM /$ z~^Mn]WyuS_!\M?| rXSE7i3b}q>v٭Bh[$k,@&(G"RVW7gJe ՜aGisvʴDXf{~mD*$er2 sIjΑ&ꏋa͕k0K^TSN6]T33 Y7xwayS۶Hw߱*}R:WlۭBo,4J!󢴷#T?'}˽ko m-N~e#)hyQnyE SU\f8xwW4QcۜCE9zmPjccU7`̐ZCv'P.SS{͙ŤpU=y^+Jo I.*U}_+1dv{!}iJ M7e nwEOՄ,?97 Naa"O0mX[Xg]nG˗hzrJm,mյm6z'[I;@ V1aK4&92ɇ҆ q2ڃGDKi,1W92(n=Hk,{Uv`ΧZZho$<+1 ۉړvLE.[kuBf^K#̢^I'`]97r`Aƫ{%zšsf9yjq^w$!¢VKdhQ~hTÖҎ+,:Rbhu58`.mv8Bz™ rlO)4?7Єӵ,o,j)L 읩NzE~.* nm;[m7}nl[ n1YR& j>E~Ɣn\aEck)=K kcb]v503T„'ԤjHNpzfFqXO 54VѬוw''_՚ˑ&ǐB)T!285@. @o1b0JAFy[ξ uYdj&cFG ʷrNħKH; xP>vZYiZ1:X$- ^KՂ2tiu"z#'Oٱo'c+n#ci>-Z3i!p$n{}&=/J v~js eJD L},VDga.IUT1BN9ʫ fH8N\_CDnNR 35UeoaB.]q̉4mA-[ PlJDo\WG7CE E>Kݎ&e.<*PX3uxk/cuw͒tcdm+$,Yŕ')Qt_LiȟqҾjL͟<-rP+{^ݎ X W¤Ҧ3 6{;-C)q#suOV:-4/S'`+]b+IﳭFMSaS.Z# $ҹ'x {N#ɤ!/5զw*HuOKمBL)!SOsN&IlKsd3(ۆjL)<(H}"hߕ^nv}ʘP9"Dxms* ]G^!Z.4.Ī34t .äG=ubhr'+ƒ-މi*Aa QZȗlg;fU]Hʕ2SnC9G/R*tTp-afEV ˧"Rރ[),p6p0{TrKr5Zh\-)WO&:9KSloЭ44M74VmS}A*5!~pY,qq.Į,NOO|O.k}($B`8S6jxImʒ{URѶITc{~709WX+kLM |]ya444CQpr7b+ giO`ަ?^KH2Pw삍*mPEcˬ.BDH,$ $>7j9H9<Ղxo[WeBgS-o'[8J[l|vR.]I>%q ] {Mz_l_+HkbC GL-o*6꬚4h\1ykĄLۯlu9/`+AdZVxs7Ain<&M~ W&UQ'-e&]wX"%`3<9L? ōFgI1 ֞t9 tjiOfPP Bۄj+K==D&7yqr>.9^Pq78IsQ5Qa Eӧ:t&Ӗ3&4,6slsv6L;ir$L)G5~ix wCxՎp6h@  ܖ0܊f<.2Jf$2,lFbU+[7+y)ahg^IALPNˀGQAc5":|ʒtiN2qg枕.!*|}֩7 ?= "FYD̕7:VG jȴW2jhK8[{uSfR)C/:LZqTW$16" uZc 䨨k`/f9{Ɉ^ﶨ*όg-vILA3i%I ^):xSt"4B|+ɂfMzB$쯩AюJ¬^VX!6utaH,OT^{GTޓ8@õAWxLj86Cw芼VyQכHCyJ/sS8K+(AiޭYl_3KRsnMw . tߗoyٸ!4$b{ߊ$|WtؓfQX2xd1@}ЅQZ?8i F(p>wtMcs 2Hxڍ]kkܡ,B)1Lx qG?X`*НfAP.L"MׂC4ʝ޾T:Ѝ # s㏾?͋WA3Or|!X-eaUSI4Y2Yu]m˛hg`|B꡻BdMՏuX O0%pa~43PDp 04\Hqԉ!X:|IKY0H>ާ#y9]",jaG<( @{pwM\R,!Gk7 k[U0f]pAfhcohHl#[` ^H봭^_Ԃ$Z6 κ( T~ u}@ 7fhjGCSq)TeH[JuVTB|u!-wOq,]Ym::٠L#`XrڮO eSJfY <~Nꉉrz`zlo0 ^m\erՔ88`$>6hjڻ>ȺV/9ٗi}SV䯸>H*Du, &S[Z&TADviLZri3﮵Hy*xIjYPGTVvrڴN*YN. #=l8ތ˚Gf}}J~qu_3Q4=8̵,QͶie3;}t ~1x/)(^) " /̋+ɤ4 ҍʱe0cnc:P jB Ϡ9E!L<OLnsq\,?3lO(m+*o ;|B"e)rV$$o{!ŊmNxʰ^/l)t<~aF|pIOoN-!93R~hߍeQxK,"tԫ_ ԁfЩDz3dN57 ΢x jǾ3& h.۷OԈhTo}(r˜2$qy TL<^C5diﲹm\\VK@վt]|3+(8Qv]ԗ?S|m8E=HpgGoYԿIog=~S wy-`lA\o>^b3@Ȣv~VŖSCj[dd0)I|cW8̔m{?cJ)|67|DYP>\.aVD2y؉B<,h3f PJ|y_:ސKcCc QcK 8*3$ OR= :W`L^/궢ٕ<:pfixX8f=^5ږ}V3>ȧQ56XE{8 CǎzrA6'ٰ-Jh5|3p4&G),m`ZN:Dw&mK]Hy 0ܡu%P0A ڛVCP. 5M&**N#Bˍa~\ YԮr2MM+ǿR1bqC|g[ &.1MԮM/*tbOƃyBtڃ9c 7 vŧ}B=$!Vc꤮)~*_UMtdfe:|&\I\e|'Ho{AiWgZۗKcj>~DЩ,)Q]E4菉yo;f. "ġ@—b]aŵ/~\270)[88h^ Eը~Q4)'0=PGRAȠ)4÷'SJV ?T8y^)!FPbi]L8*%oT/MʝeA\&g [-2'@~<4~| TYGpUHh~b'ktwd5!KFq'qJ%p1MO> Ȅt/Z%Z/)$-gqx!ط w)p&[&G6SH5`"c:+Ę H W`*s@CHw#vEn=Kl~Koi`Pʨ> ̫gr[qhDHɔ(]=xwC=, Hc 1Gፏ>"ح>mmP"hht+}T}D]coap*Gz; AyhP /*(|j\q G*`t):>λE 4QC@} *fa~d=i"^NJ]/=f3BhYpNARPV< Ȱù⥌H_2IXBʤG+:ZK7>{-j*YRCSRPY顅҈ o|iH~GXi/&nuO6j%2)9| Te0`,j3mESt3LH;2:jpF䁇H8@:? }s,z+/f+=qs{Tal7LlCY9izh Ib\Z6{J,s<gMCmw.RsH!nP-^ެJk7TF~ cv5KȬj w10,Q!dm8a]eC2W` 813cj.ͷF"o&E6}Y.ݣdbqlWwG$6~I",50<6?Xa$.vGt^(P z!h \찃%3*K rf$˝ G+gR $swnc6廐(y2ĽH[3AΒb0bVJ9PL)IͶR(UƟj)u[_qr+`/u`%fY4AZQW9x7aڪѴ%t;2pHB{h3TtbDYE9]~~nG G?N SW+Pɧ²9Gvh)E(O9|O[t4)X埓ɶnyp.ڣn1WpK Ce!c~ɡ+$m?ԙu Hk# g)p"h8 ٣ӭ 8w,ѡ5{|t3QҰP^2Mh>fQN}1&fyGrR3&:1*ji7XHq+ j{peTc,XLNw4ee 2^4R;+FXH.(;wmm@l~^\xHK{_0T,qfb-"F EݚV/-g ie%Rz? `Ժa;%ܕk]r.UqV"!2(F/@U'DXg=pk RZPir/E*?,]\0P` *mlY*}PJq^eYLXr.!7;;ʕC&WɧaF~mhQ7/OL_F#RB*b/>SBhS)8?pAa$p߿숏sj}mhVЧHdZG]m.  ))$PZdXD\՗VJ3T,-C9R}xQLjEscї{et2*⁠<@y)'Hee6u*xX&?Kկ.T{XP)JV+J UۤtCFMh"'lXP?]`?4`9:jr5qDD.VerqNÓ:趐ܥ-nc{lwQk"m,-O2Rp^wCR X#'x- ɹOḱB'_uUbi24+O?,9hzzh 9-S/5B~lhwۓ ?t?cOs(UrDv:9V O+X|`0;) -iq2NpPlN Œ+BojIpQR*y۟c#BK [ _%15:ꦩÒmY:Rۦ`1f&QǹMxzvtɡ:'2/FP(ǠYF!I짖WnA_IҀWLCzTL1btC+u'iRkYSeEutHPCoAp*ص$zU5㺑(W ',ٔ@Փ@O@IkX;ֈ yZPU^t=Gc{WϋqN4?PskP->m? J5p ?bl5+r]~jd|`Hy[h=dJrZAm:pT+mwK#RL)8*>;Qc\KI`XJ::Vf;X5 7JܤMqtX2DkJDrJXD>3\ÃCnCQ@X,oӖ+ xZc[>gB `!Iy}Yp>IxA×jS;^zOYjS4ނSsf~Z~dQ "ד,MQfAə[9ru!j}]2[7Pgp=4}fJheN|\eQdj,5`{[J\;] FB{$.gc`"`й$cha[bKŎ@:+ڝDD2IbKuT`IΘҩb"p|^>bP:x4$2L k0ό6|gtM_"ғLH/,[, B&WD`}@V5>;|",k`⽯.Sx&{PQ_0`P1Eҋ"z9ԕ򻠘b۸ylŪDYGuZ&ϑ KEy_T_^÷3B1ȄI)R-xKY'p~HX#_X0#"@?c/2rm>"4D2}3cm}2+gŕ,f<8 C "5Iˌ5gB;++@@.L &t.*+JE Ȇa}[ط'U`3FI0̷֟,ou@/Zq,hy Ï)Ň%iBpX{-"atCYl|azE-t tw}~M 0Lipo!_䯯[Ȣ*-HE6&qPy M^ײ/|}=׬rh-6D6P} \!/QyP3sT[v8y?&^[$D6*FQHÌHbg1NQ48T S^X ڲKF[t}xZiR‡X7B,}3f1^)>>@y.(I|_uwA΅N)ZCJ ^JQzdWX&uI6q;wZv'`c׆0DyJ~DtDQFF#е"W (P8L)k7B=m~"%^:gG*f_^G_S̬gbF9_[DiOuru*DpϞ=ҽjDcO>D~][M֓6/ŰkaqP<[{s;3B&wc>s2e '}t^V=}Y,g6^ 8}r;YW֌R10!z ?aӛ`+XP't2L`iԇʥx{]ɠM.i]o |+U\lJ'3$.)Uq3'Q2%#ąV lݱۺ(^ J;saԝ1$Be]YP e55K R"=7G?bUY4o Eq:=ش&( ꋧ\cfY* 0h{SY̠vС**)TZ21{l%pnqP)w^Ê0<CaL.BfMחȍ =H..w^N&ߝa 3GeIr~Y".w~HZØI m˦3@H`\N͇xo,[W/JYP˖5 hZH-HhӂLerq _3> >ɕ>Zc(ͪƶUΑP}c\m,_żE༉|[%j0ĕQ$k4s =tCM.=xrH~$YYbli]$G1&2 ۨlL)'.NCdtyn޵+Q|zRF9j]o\#/؁]kh9[y2,E+O{ߛ`7Đ 9h;y_ 3^虳%u[a':o1&N:2+h^_VćXx.aXn/>{ ' 煛pуW"nQg,TE#q*ZIvCKyVDU5~07l9\1^.,Ź>10Wɖ0է-|i%sD}2?<"P C>Q\><o?yˆU{R_w[Ψ$ -g"*E7oTM$p8.ږ|7ϳayc^E'&!3)r6cAC-1e0L=P/M8>ڪBCh$ tD]GHliٙJ[^3Ӟ RZ&ZN _o -8g󚏗T1Y fwB;˧VD!rkHp9 &6IUkɚG +|(Rhs@QD7D̜MvNzcAs Q5SJJ 7"@}+ib'P\I8٥oc6;z귧}#^{Ǝ#ָL9ʧ)NSrn%I 2Dĵc&jc/5/fm**C[xzvl/j3I!z40Ά!cѹ%oVyieY)XNh)eN~Tp gίaI#:2mN Ed7Gڿ.ڦdĉn%јױni1)]fzK"w?E;z^swn{nM.=.j˥N~F-m=L4?ىdLy(Y'a+'$mnӨtw7t\@y8^42ț2`P'Brp`'5Ԅomvr sq> }2(gdWOo8Iߟ{ #qL OXѡ/ Kv\3%bI,sv5( $V{b8bKoN p6%A  . v.^w&3 R *"`},tG˴%ܘalTWv'+1" s Y΋Ql!n^4,/%0oa#,>g=AHoU0b) kTS+UG7%zc=A{0ۙtQr`ߋ-PZ fZ@nv 밀cxvk8 D`܏v@ -+-MI5 xx(@wsX&ӵ@ /0v ׄg9Ԛߞ d,$5/^KV4Ҙ}B/@iUŲTdң$1IR%)> .tO$r9*euJ=_}D;PhޖM\a^܏6 C}CZ_Yxelmp׾$ɵtkẊ:)ѧ|ȝt,TįޛBggI7~qC 9YBa2Ҧ8ν樛bJ}@įC֠A>6)/4fuXXkSCyΠPȆWm5B-"WgOMhG. 4!X!(G<藱VN5`f؝eQ:Ot}MBFwm X̪_[>l}ũG$0{7HB. (Rh}?|Y\l2n~;%3x{Ěx;rtUe@ރ +Bhn%>DtAvt*]P농R yLD]Q]"5Zfmb{ZY/@쓶"c S;(*~_՝yNӏFZH[sSKcO !>tVa i!t9OWo8)y̭LC?ܾ~4ں7F$ &uZA)iϒ qֺVLϊv+ ޖĪI[&Bv+lѾvHa,CVKq`L1O㬇QO4a~OS"-l, C ڌj- ,c@Mk^ w`e V]S9;iW64a&nH4:l[ Ccn[$8|T=_,lcmBMH-DAތ~})zijϚ1fS'Tm󀵔iSZΧŪV+"> h h@V(4RQ'{yr$j~c٩amvmV/{z cCVci_oQDLV1h&#m7@ϝԼ9[-{_/p04[1fDXaYɣ [>f ䷍1k\oPo 2(#2a 36,l(ilqOOz?vPf1-g,-<- kf[;KU[`( *mugY,gov@Ʉ?f|> xG \8'r[M/v[pcH@&\V8>s@$zL_©KL b3" 6F[3gan(+&Jt+yg 2j{}S!j[<.xB]:#AK~=u7GNweh[9%e C4u&)>Z`;GkG;z:h,) էѐѩ[\Ʉ.0uhf.PV%M%BUN}b05gLwxJ {\b ?IP}ҏQTQ8͐{r~}Q0d)(ƸmIۗYR2aZ;)ͻ88tlB{i7Y=ZbjX"dX营@!_zl ö 0=?b~G^fl|w;6٥1WyVDŽ'cqDL©ςfb?0h|C^# 3.5~qu(z#Ur=ӔVWk)o]#w3E\Lv`KX#fWXLXB_?tP/^JE."R}ș|1 {w)x9ѵmgaZ;cVʹ(., V8G o.yv鷒 MO kŹ7RI6TqUO=4ft!^Gp[BTG &8ߘ*+&- v}5XxծoNCMfFF͵BD n*@]Fڶ!+h?j]ЧzMі10R?W'+ < Cpq2mbA!#q:lƶ;uzXHNѹDwjYn&JU[ЍjZ NB%w4~>n~#l2jyBݴԙys R(V' `r{ԂXʼRI>#P@"[.Wj- Y)D34o3ASV]G"v#_=,Se成u6(-:t5( 9^*P5#+ 0*f0/u"o:$-H!oM>5ۭ7ggVp<,!6ւyHRЀ MZokezϒ5zր"eBUr-=o[c+H.iuxW~-pC*#J-{ٝҗiu{2d$gtt.ɠYhQ-f96&Usʿh\ 1Ikk&$lQV03y0Sޅb1'˜~Esi[s¾ٔӲ4McܢU3TddH2Z^5?8izF4:rJՅ>0, D\t)Jq)\Zw/"d0Ulto*T8tTbϣ܂)MD Z㰭=g D^s1VC< 㙨[C?BX$,[o{mSJ37KS+9]"r~ \XK,r!|9?jL͂ >R/c/d) >"onmЄvNAҞC[n1JЂ:̜z'{1dZ_l!> ߥ/ |̠s/ѧ1Q] qf-zqoGpvBAfRd;TuoN>=fN{ձ])Uڀ?cܰM%7+O]D/f"pvo)K)EȞ6̬j0ݟǒ(X "d<2|7QU΃9)Mo[(G,w&' 4#==<Uve4X|Fz=P}-E*pI["Ψ ~ źyJ7^YXEreYBE1J]>4DM$Pc%_:KKs\`՜z7MU1p'ʯ-#u W6I*c}-zӷ J%3۲k&&6|~ș9Ea8zܴklT(LިZt̓Mi`dm9v8 \~PhͭdAeq; qlCN5K%3ôEF!mϳMC֋ZbA2-X`:(l?̛|]JV zdu5 \E%bBix@v;/@Ds&U䟪l )t'wXtf  3ǒXc@GsnV~ Mz2%RKe/D\CBϲlUg=hn]dVxvHA– =TCf)=~վ^ /dd4LEPOZ5$=-) v~!)I%;WtYR33rRS /&:(7z`ΩNBnF<#uv<7bKvh {oHKeմi%¢BĀGDӪ;)* <$'-=K!{;B^{R` -G^DW)TYKP@ _m5pg4vq( 9 hݣ"SI}1$3:q{$ -Z'yEva[;TB\Y :hqӻS>?VhѕAyN15T/KqBώWeI-b;ȵeU hڎ26a)HHX],ܺ]ػ@Sҧg`hZ``,\k-/,O=cݲr6}ޒ oq^x';Ɇg+)olvސc_HeDyVvS& Œr/POʢnߕei :`$1%@̮P6昰,Ixjl"l %礝'}M};@GvJ]ZUDᐻa9ad&</8tcȢJč)Vn=y8o9AY\pǥ 7NzY#s-b"|$kmw2g*XA=m1iᇈ˒|E"{} 2|v2A3Ch:r]CI75ZaUTزHx/@=myﮁ j( bMwH`-%{4C&cUO _S(1앋ƅb!zY:ȼͨU|"la t 0xU]yfKNE%Q;G"\sҎ_ kVN,Th=\hiMHI(^t:L"^<+mtMIn -7 TτY(]Eȯ?F䴞(2R CgB̃9vzW.1=3wV; NDxI bjҵi|䆑F#+ln'J\UdF+q@AX35놽G('Vጷn6sdm$_5- 銬Z|iG~S<G>&c5*{X;.Mo]@PΌ 5LYOOƳ~", ǽ-~,VU^ћ@Uޣ >,Rn*to7u8\EW #>ek(1 4N-,̈1YTJLk˙^`l}ރZ5֝pV]Bpڭs}:3;y$">*BDL3 .V X:*063+sLbj@.8Yr*4>ݽ%1QO@FoXbޠ&6d;!=Xߒ{둁6=zlLu(_JpWxNC SoZ&7[4qHлV=L(f 678ՋcO=JۢuNE<i1(+g1_]ր}/W:S<0v1׃ j<%xS}&f!LAuR KtE3!:[?a6e[bok'orT#ucrc?F_CH)ȩWgB{~di YNb4*`g/e/'VGĨ]ZWdӼkNw| lCG`?*P%kLnZ*) ou8ჺK%-QqnS6ؒN"Hr(\&tj[P؄ qo.h:i'8SܵSdgXi U 0( ];^K2)rZ).4؉`a*5?v8b%li$1)\հK;t-:^w-5FhOL_hkcI9V̜ h+S:0![VY[WL"N-fh$zhxQ8͋g׈QtW>aCوM'^̉U=Qq"Y ()YDiG Co5_c~ʴ }f7 gԄ45ܬJnN7OLŻMf3[II03ƣ" CPQ6]DuzN漵e&Y&RNm!q qf hDUrntU,i)&WV!,W~)e D7j ,ݍȟ-[ؚuیsгי?" ,p:IFْr$?$g{ӕ[_ZgbNzz~ò۷R{g Xj'ɣO< ͗ڼ{3So7IMr1q W nUקeamhzuDHC W+`4?!myIM=(PlgFDTa27,23ώ6" 4`J?{.2־ 7Xc?@,'. ;OʩQ:y1'(א fo٢7I9^+frA"aԪW?sߕŠe aS쬿Dy-jl[ 㲼K7%4N5ar%kk!NwYDe6vko7^+ͧ+⍝(_pql^,Tg0&B1{ᤈj-T ="Q@<£DZW'g>`/Uecq; u>F]P޷ix IsTw:[؂-Up6hR佂\gWPXƳIP_xl.]INz7{W,dN'M6Wv9?iڃ`U{'N\&\KQdޥxVxA-dPsm4onG|>$Yv @S>چѳ}.*R}a2KgnˑJ9.rK$oJFB!_G{/lh-$ 6K=:$gb#WtL=̖\7i*Nmv?yBαcp"3,% &W\f }2m#YDD" GI>-GpkrTN;S$y+c-/*e VO a_G'o7NCXɰ+>0;p=z="r_1cG*] 0nn 6 iYħT~G~'/nQf,Ft6.d|_4,cYϔ_$ܴZ^rʌM+<ZV6[~:v2䝴*ARnh[HK+:US^Wkɕ:sһSCsCq|w?4p~{p2@<G7>1K 90HW+Wt+Fm(c8I0r8ib=t\m1cϥ**?0!/ ޟx=E7Yl4wL'~n?~ қMi2a$%}t(lh?PD3]7K-obA@p%> 6zؾg zc{Mא0d7jnaDV:.sŢ\wlus'- fw$%V;O,uR13f5=w.`J =punSWf.q Dъ˽p#R%v@"QSTqbsSnqg.`IL+ R^>VZizPIꏸS |wbA}EA/HdC*&',rRg2B䋩5gV,Og]*lXO]1 K *whh?" k{2S^Oօ0l.0uD,ʵ!_^E'j׃?Vf!!5ێx=u>ɰC5WE :3G9)\=ZSR5XVXl*̼ޥ*p }UXWOs|TfR +Ή;բ&OoQTr`6iG=!)ULLGP0۞\+۟Q-F}QYlYi=ZEkWƲ{OֿQLKν2 dō|a*F}=uqvw5kWc?1lQ}xwUb%óDIXj+XU׺(U)JX2'N`ՃUC!d`h]O|!bTeW7̞]%b}5ZpS qG9G 1"3Y _;SVܴ.ҺnUO~C(k>M 3+CyLef]S7 `Y~cʪլ^J"#JJRx[RaǴ o|vz+:@ļPfXʀtG' Y"Kʃ֔D$|bbBV,y AYF8,8qfyy|?^ED$7q]J *65%gZcmMf竊4ES]ݬ cu[ #|ZЙ#FLCdSP5A@bv򯩤pᗜ+KiozeW*-f 0FdWƲ)1Jjv}]$'o"Na82ZQ>r8# 4KYTnkmu~hh!q@;ԫn/xsU]PT uۨ~ DC!0%Hj߂(,GL$g:ƍ^@:l9jN ,L>鯇jva:L"^9zj s禳giNKsPi|GLM̮S8.NΜ @<-rI{T 2o+썃FQ'TU"J$=M7+ a|ey3 ZKFD]v8oÏʺ3z*h>ZHL6 fox1Ij-9}4F_/`P:1k DB˥r/0^ ahЗ̪5shB!EqZ}3kjrr}h}B;N1UOfſl|7ٮ/h} d)t&VJ,܇בQMT{6qCWn(2Sml̆y͊#(Hj[M ώ;*qT*QnyoteXx6Tsl<^tU4}}qQB Zл=yZ@ yRqLr"kL:;7`S0>^ʙw kQim!cRσ`DQ|nC!0ȆAA2#Si[sh"Z*>z{QkjQӏ8 RJ徱{0 ,zZ,or4MԪ mϰDRJM0N|OLSdߋ.Q@yF5g%s )(Qז~iX5~a aq|҇-_܋deHs|3 +7x{ B.bc--$BVW [{31{,^ѷ&{ eq;$ސX%QA7SU[ITӬ=zZ|}-s=dPh|>z=2~PB*iPcit ,rسAgKҧ49kf>F>YF`tR/G;sQB&J8(6P5ɕwqPWBXf-}P~A_Jl<N.;%]㛝%TQ&X鉾]0^CZk pgQc]VX?A ܛ?0[ wecWӆjd}D0 ,3wپVMB[/ycڱ:ko SE4hdž iO{qAC3ֶ:T;eH7)ݻ񩁽l_IW=8rMnxq); N+@]]9jd yU HOg'wcU#؉.}mg~s做c]e7 ± %rc>sxэ)ljJ)ſJ7PTx*3}b7 Oϊbm$_B$N(n-Pbv,`7ȼ& oj񎚔Ci_o%`F :5xnj^|Q` 'U5gc.Xs[d/zOyB]aϸ8`FOaZp4m8s)ðOر+vəzv6ñ ^R3^<^D*> Ҵ`W/@k 1eb8T0e;ݏ||( ]Y-Ӄkc~cI?[Ipz>&$%|iZi$QsSt(=>g t: c&_M4=Čw 8A*RFhw _yӬ?*$//p?R hN- ~1,Zpas>ʑi5YUDI7_rI^ťK GiU2 ~m)޶t=l#:ibs ۥksfX\P]&a7ebJ-'Y+`Qa)vQM/w sΓpyh>Эi}<Al٘MEv,'ˣ{z*zu3+h`Ѫ-es#u-ɸSV1"= D#N[Clhƈ4m4@ y#T ,9cGzku~^0P_%h +_s%?  L8α"k}*&D領Jx;zzG+ZY2z;Z^^=m([L6YGr$?gFRt d8_~az >Pf<L=lɗ zOA^``8xl9jؽud &NVHu~-PtLɄa__} 6hy4#c4gbWZ6&Cʍ0x}#Ŝe͛-U3[EU:?"ΡUBcJŬ^$"h<R`WR_IU"}ɕ ju3 TaԶCgPk2$Iaj=RojrF?ÄcctGypN-d8uV$z3Mӊ$fiXiLl(l}Zew:] [D .(erK+urj\uu&d:Perxu)_S~ـۋ"ߜV@Va-قᦊ("PfN!w2_OR)WN2?2^h" g3};":kP0'd˵305H90 ig^2\&US^%Nf-ߩ<-ۚ¡ \\*S{s[2`==f$6Cֽ3 > 65~>҇)qb%7%`4#\5o)yLk8ԇa%FKmEU3W7D8qQ_P"GV+F~0 ʝRQDʕpL]|vSJ ruȺ &yĔ14XH{<;{&O ԝ6 AOta2H1lkVv,Sp. غUp K: e/\V 2F|#PߏchT˒7 67+X{^O򦧡SJvuZB6l3#_M <(i31Җy@\n(̭p;#-(Z J\bzcOۏ2Ɇ){yϰjq1 TJxZ'vi''>N}Rv3Ҁb־/棧w#'OS˙{iѪ @ m? B rr8^\ekVUΚժ{S-7\w,{^tUR0%Z]$Mǘdž>N棡t#}-D{>`.5Ȗ` d8ձsM՟uHU F.EXDIDآ?z278F@iM?MA֜;m3~~@ |G\&?4YXZH . o2gE GF/WXJzh}/#`1$+y8.!8*[f&JkNS ɲj"UcoKG>%/rCKpB5w=sgQWT7':RB]VX48(Lk!;T sGX|jzg4`V=vިk 9p1P.'IG8⦯o}~?9;}nR U4PuRA~sc\GolWj%5Wp(JQauR|/I#ĒTy!2,3$BٮpzOCL['b ԩq_~sADi,^JIT rR!! ]ڤ{=#Ly^}KTq 7r "14OpM[:Zm䠭$Y ~#j%_A(tڼװu龦H(=sVt(@9 j4>@e 9ȁ@wtelElN_[+3QGlY?^h_kZ{F6#s_ЖQDIP~k#DHINJr eҪJ,Ƅ6{u{1T/i!jAt7sxL(|?!r_QwMZ G4QgZ$U)B7"M1(SUSا$քBjNIs0T}Wh`b*Nx"YEV0&H;dHwb/AX!P{?It@dGh%bK'):5~U N{8Z:תѦ!S;4褨?k%aJ&ꛖ~٩a4A$~A??1ZXx<v9eI' W7o^4 6k]"KP TLd8?LO; #a]VSX:/2A[Wݚ L@ԦO9q>Z\Xx.bFMڔ"'1Uu; c;+ӥAdѝ_<(7Z_oܦ}4l|!U&(}wwA̩QSmWB2 ~>UPja]ȴ\Nԓϙ~/_fzelhlpq=4Ƚad61pD2R80coL]OlHyo'& 4YrzFw8ntmgsѺKiqǫ$uJ2@"xG.Jr)[dj0E&Zkf~Bx9mdɾ2D"}`7Uwo%K=i+fYPtƨ"<euE09 i!W|9=ԒKT#ڈ2PέLoT41OSs^amW4H IC#ʮo#rZa_F,H,@*tN_4nv9TR]4aU9%6 8_MVc :;_ ̙ FRRe4ETّAp恏6ƀt 24ɎjR*;ү8eư3T}6&Mv!i+?<1 n1H*>*&qFZ|ZžܯS$SiX,jzxR]֍5BhK1xy1BD 1;[]9^$-~NMZ+|M`(*PqϫpXv͉wg*ۘd&]U'DQ_p|+{~'IBBDȨ:׵bgт}j8_! %"GbuexhLYݣ6$qUNl #6LĴ吅 8dF^MsV7'Ԋd2[(zܳ4qTr*ҒRvw\!pkHϠB 9,nĉq19kʀxѐ*K'qkJBZݮF:4&jFo/+_ |q{B-vy:だztXR-0'8_eXrh̓yD6\c+uhUS5-;%:TZ d)-wq,z*aןBc>d4e+иz՞ G3#WJxG|d.*e;1dI"8 j?3͔2xbAX()0 vN-2sB=,3@| Gؘlo@Z87 $+C)3&j9Qs翴47uE")Z>l%[%3SwVČ\AКBjwW shc`l. { _Q]!L,CO>ʚ[8VxYK QҜr_OA(TY>(oV~=v9ôڈ޺r UlUw7LbYL)YX^hƩ w(DSgڷnD" ԝIZIqu4ҋXjrI~}"!.YY=EBϺ Oi?5餡9gr֪^FEXNiixU^{|]z2]n{&fȷx&9swb'cpMr@23/Ep51e5i:UA_'Er#T1Y,NP|  ;] z$k\m"̕Uձg^5/wHLd%FqA1/IBƌɝTq9gG؜uk`,Oޕ+a$oNRb?7w$4C chVVX0&_2BZ3E'0wL:GEg0a&GA!7VGc[ c!m5+X>^Dv⑃u#|w<#i}*(E)E:zP 8cJS)_%{mSE[R)X s4sZ>|+L'~'EYGt'EFw'w'j\U{Xr¯5FV1ת(ZeIG I 7 $I$EY ƛZz5/A _oKm5UV*(]Oɗz JV:7!= z#_ ʖvn9l'Lg"Phwsy8e;픈fu8i@]<=|cGco#˵V?֎| su'7n /佋Led6yӡaX#Ԝ;\ M_*Hj'x9|"3?M "H+Ȗ¤"b !k\5ЋXZgXz78MnR SA'h?8Fp+2|/]ͦyC>7U ^F<%ܓLG%Z֩ \Uf$b٬6 t,HmhUңa9bxVBbpz)Es  7ͭO9?4ǤKe%l()$vMWq_q R|M(;#t\j$K (rr*E0\6鋞Z|`ok%D`IRBcn4[WxՌ[_ J:|HDj,6{Wҍg{,a)Sg'+وݫI6fO ILEv^oõLY i) 8 Sd/}[|n( b=/W/|Jڪz,۲Nm Ⱥ|\U;kC͒QӟUR Ž})TA-U63d+GTc~~ljPц3s'/GbwcDPׂXoy9(i@FC#iŃ m& EH. ,&{&HB x eb֓0Fg63kZW`e0g_r`C9XJf27ꨊĜ %@D;eOJJW-wf00d` ȟ'+~]\Phzj܃@BiqQyK[oՁuc 8Bށ1x +~=L%^ ׶'薛Ѱ8Od:.Vi=_8qxB,mKWz !w+N]d|tt8NN#z-0|?T9c_DU@ |n#ӵ]4G|V JR%C] KϢ.s ߽ ũBqnWh!O74Ɗe4K1kq N컙oqtMxZeT[Q1R"5 i˓B@nu Z|ZpiI-#Cz-Tle_[j?oF%3A$v6Z>_t蔰\ OКTȆ'U|/e1xaL SYgiFnŨq@Xϭo^Q͘,P?q4Ғ#*BP4=_7r=n-T^1k& &̚Ȁ9%<.&I$zL- >tB,Bm˜)IT>6|ri /~+IvY!c"WuXs݆>qj}?D VwZ(AR mDIbDWyKfL೗ؽW8ÏKW[FUAZ#{!^Ej,pw/ri~<-&Qe?)\{#v@Xffn"'J%Sl =6/3 %( >/pm}H׌.%WBq?+}??/q7[gPfU -Fdc R yxU3~ʚyM7!$nEx'B;ᬧ >p6s ϶r?Ob+֔ĝոIAOteL aQ)\EoFbX*oOq7f`Y\V|KẎ񰭃'hjRIZ.d Nċ/5{_\Wn&-GtoJYnXaGE22tJ"{&?!? K[+mRFzlbNɴNJfzx?w9 ./124XZ2*O؀ސNesU( JL^V0rꐤRw~lbݬf iɐG!=@&=Q (3ꈟ!uԌ%ZSE}uMmu)a);yW{>co?f^D^]@WkwfD+^^p[m$;e ؆[v1E(KuNkhɁTf7WUK w%_ cV`H;b;8n!)X??};QP輋4#>0Fy\=L\,04Wv9xRb6UFV}oTA@ĭq"|N-OXu9+7?7 Ky׸gHƽUi jLTu7Z!j__ zI J?# P%88.ӡ1(p=EǰCp>/JuRNf O0;Snԏ𵱂M%//ݘG"4 Js)hzzP :3lߖ2*ڰ vwƱ5R=Cm~"8+ MDF$!kO'fYthBM/_a)gdْ)k\x`MKヌ e0<0*+2fg˥3<dC`7$Zv(9vqVbs% ;o>-َ9_U8̋ [*jm~G!t:Շ8?+"Cag&9,QvMQ6jjyJ,ދ#3?֝&d3 59=!7u1d‰?VcņȔ$UqLc,i/xE:^<}F+W'2bxmYKph7`j, Ɓco[2P=]> V:CdW(SեPKu"jh`:6 F裮Daqtqy=P5B?v]3lA+yp"m/%W麟@ i(3ѐ S櫜^\l))#@BFq_1(bG ᜖EeJG_r?Uh8RLCpz[P%sYER/7,X6@/)9ˎNjb6P9Y Wr!뉟ON2|tVS.8 5u;a$n`hWaaw&.+%$C̄ؐB9nUK΅"nh鰏SCy PӖnʅ;fDUļ(]H|'=q^*&}tx)ѸOgnЂ$UűNцDXˆAr2%P"eX< )q僮A%9,[s"C"rHy3 ]TahPOJY3: oɨ6SU_fA*;4 R!6ܼT-q=KQgqH+q$87uA44洐m,)O|:ck6>ܮ  k(s\粬}"@GU<ׇ.]2H{4w)SG_t OPWx_W 9:& ] 3ȣQt:kbv*.DeH]5w!_qk7w̹_#7L.Wg#UiZьH&`X!ҶikQ$zy%|Xssܳ`kbݛ~^-ib{fNLJ8[\/#$HsYIZɡ?1dx hwWKux_ 2 1s[:>~!vUREiUA7$zaS$f/:_Ev^mn1R&_)v2g~Ek|zLcf?EFS wy1gv2!L5⒒L.dh2zŧ!Q T3˹;dkDl&U1r9@.䶢gw څj8ʹFB3)Wy۹7/P])87Gؓ bwk gicjN!+[6控hGq&ۈ53 )CJbmNg DE1M@◦Hϸ+_|нW" 4CsWiUTStf6?!ËFNz\d@mNJsGv3*Mܸ,m l)#SeY )0΁$x7x Kj:g ?*::W@dOL)؛7v-GXGFA}&}p:+x-Xtg(>|òttB`Y \O@T$"ŏ-FOBBXs./R-#B+Yūzި[ ða -s OjL||n$HR>g Elj06(|OԍbT'9a4(]8g]_ \^C 90^{%l0SHWYTam%ip cZ᡼8CHuǿ[R[toxFׅ uҠ@oS~t\1enhz*[Y<&Z~v#P Q5? [P6/*̫ ~t_ 0 \cE7|#2:7iuv٤%##| fB:otM_O8>p9/򄸆;` Eh:ʏ!V{P ɬ9ꙗpWXW( "lׄKB #;6_Tn{)M+=W"pݮCF/<U<z}(ny<~E0E#jԀJ Iؖy7707olhz't<㻾g]dϊb}a>p;6UFv?_Q8ec<UBcɓU2^"ݍY*庲=8RE֖O=? hGծT( >"ӻs,4"֓'D/šl8a.2 d^ l0OCu@֣CjPẔ?cQA/n`MSdIgXE al?f#/vvQL"4c1at^ 7<]|Jt=Uי$Y„g|0NP K`o;' I n^zo32θ N:,r)O|W_YL]M1-)(6L赺Qhu o Dl<) D.'U9#b.-KgJY3O@)Z*ӹf|@+h Kh8[@1E`}j 'qt@#2hՒ k@4cDT2-/ʬ`FzWP Og'O@ZÐ]k^LT}܈&]) T'L^Zi15 N8suv..kOUQ(BVq[Œ|LF}";z Sq7Yɪж.98N88!THtO2U-V8qiԧNHsO @7!(d:S `ݟ1V>¹[ ё u"+/{)Ju<"KG+A-gNEaqJEb&t/#ӖxM+~Tܬ"?{O i1SiBOT_+/J/!ۥON5Fh+\hGoD-A]a`:'67BSWaR+A~]W'KQ l'e&vK.DM$/=L=6s,(ck߻Bʱ# < /XoƕAiL:d^”,+?ϊsSPr9 h1AQ-)vEYђOlT51mE?8̹dsk?yQHXNI~cA` /*o=3#3 gNU9,,otR@mpem's?63Wbiq Xm]Q'MW#/8ohN$W." +X& 7c:3xP:ؽ~lPx>GÕԫ~5xdBe)9QY}cȄ|^o 1.ɯK|bU#*ѦN H;A$^eI8ԥ;|]hh60_ӹmjrnvllUdɍ;Q^Yg E2&1$O2=Zn~nN5,ㆇBShimhJq4N)fa>`3m&w,ꛈ^O F ' rh߲/}OiRSX.&=Rܟcڒ'vCӮë:phN-v?G,s궩KlPNp"0Wn ػU r0vmo0];&Vy'G2P29%<[#蓛,,yT$bfؐ0?e‚$,k7#~p;D>oV;qP`&U5r!TZHw#'dQܦxej4 ^iI}jS\!svqazo<+3n2?8m?}6E gNk`KNLl<\QcUGK@L@a{wW?,ܢlȕlg';Y ymͦhFΫ\h ):_fI VxY=f>\72IH~qtHJ1s,No.Q0[2|풫(1Şn6Bktσo拮wMx$V@Y0)D&aY$+ IqxgQ6< c򴋯yZ,D0S(&+FPlC,b ^Q޾,sKuh8պtf%Me}V}<)MtS"+lJ Qx.Y|S)#HMQ"z3 \'CtՋ/TҁFͩEb&GiУ$ ,S:Q@7 \&(=bAu`p\w&;vCIn{=u>ϯ,sn.Vn-4?{rb%XfOIx/$&_C7a46s '<LիxܐTie H˵sp{}%{'㥣JaSB+&@τTw6_FBe:eqТ~y+1Q)+dCգ :NnK.c`UnW CҶHvGG{_Kg@.FwϬs>SP#>6e6̢֠݀?,2t֯dVOܰ&#t6;?r8.@0ݫO"7[㝋WC7._#D~V2Y=BMN  ddo"$ I{;UZ%5Us'e(qYlk! J/xP5IB ,^ z,asM 4Q:pOόgWg9v5z"q~C]6)tN3xDq}m+zMu.LLBrC`(yTTB ?Z@v |U&Lhp'0Qᄋi *P"dq-V/S;;qX^W&(4mJKlcn]G :L.LH^pc5&hRg+>h\s (6IdT5I$i犒dǽ"F VҖ ƻN>G6アOH9 jd|Xc.aLWt؉>3w˧+bnkћI;Ʀg'Ȉwt8^' -:JH ץikrIe$-tPy9[;2vaϬݸ^/Fc:hm͛`?QdʊrJ6Hj󿬑u#3ș 펆B"y5sJNۢKWQ\حLoQ>`Tz 0}K0v]u}hX0^L/|P4V#qp2 @k 0!]uch=D[]*?n%N5L¤Qy/L3 _zczN! z<)nD}@7q)7ZZ, ]3׳B=ϳƬix f5s ~}ms^bWvju6fY%$ovuFK!IZI!G\p?/›&cL( ʙgGq#uȞ5oÍN^2ÞXu{^doɟc^FJ6欄F@nǔp4%([A ̩} Ìm/G(e5dc>T Q½q]:f!ӜQؔe٥x`-k"uyg(9i ;n`Vn [)ҩ὘#UI uq|gWOJvMg00eKݯ q7\tk4oDTӬw?w]FʂOZ@E] Z yQA9E"hJYfpxC4RY*|z E]`c!!3BE>P<]UKZg Z|vlX" JKJمCh:! AQSɈ;݇ $xۺ??Rk2tT[U]GLO['ew@\$2Ӆ@i]G0Fpw;M7ku:JMs'ؙí*jO:4QM[y5pͻ| 8 ֩+`,W)xH3GD.lS§vx_'8hTJt1C {A>'*)[(4K5R[mg~THcœ9``ޤ?1doˇ@!(b5Y){Ojw-#Kzi jwV1!2JpA^܊8BRz{CZǷugY M6H ښ R kc1ENyAl*kU9ˮbga]/<ל͇ZHmI;)4S}JVD@YJhR~o05*7_Ra퀥Gl*|S'Xjc;Rz=L%^^`D#b)wޙP:1tsLP 7s-R RoۚiZۉI%]ѱĮNwINK˙_L6sh$*IV$_&ܹ1kh%q uZTڱ<837tpud- _O==yRO-j׌FN1:J\u6^!;=jHA5 |MMe^p,ذlT.wO T3%g•ڛD>~r 451> a)G4@ e:}j;~xE)uq1J=6i&]@ƧǖEL+=7A]mk+`kX wpC$D,쓺/z &#;b􃄢 'mtpϧAi(dR. ps MلCJd훝Vp*kg4Hob3%g>B_6 Et62'h|&n2ʉ.'ɋUokB(KKQ5;I7 ]@!J'Fc[y. 2I|Bek:{?A")okMPJ}ڠX@4^Hآ[1~zLmy?"AEp <=%}VXlz_k 0(H`0rxV(W>_ 07tJ_>F TEpu;livB3j#I?]p4-llj?}kjېI|r`=MxjL57QEiԘBfL[p]u&@N|'QP<񨿊к,s_VrFM,u-5cJ(ˬ}e-8nB˱e?=-%6gcnZTaYx;p`4JqXܾ>.nFM>[V˴'X^X,Ke#7P%l~FMQ283(mn ,ئY7t(4{lV"!'f Oq+shIw  fJȵ/9BT{I{>@ݝY?WJXQ[tB `#\۽\ Ѩ W} qty,8ëU_Ll 3Y R$Za՟!ҝIejJXGa-P+~E[һq5H#Gfb?{7pQo|o<-ߵv^4zWظLI:oyoZQu~VMh3 gM!bLe7 ,-.\(Cb's$Yz;X?>Nؽ?Qu>˄8 F8;4c$y+~9ԭk'{Ҙ-сSU |.G]2Qu2dry3S2:jT5gYM"QPzZ]45@Tz0n&%| \LIη(3E~ɸ'RP/\(`TRSH=>Mizzڀܑۧn9˝:­NY8TAwJs_u %q"L-/,diޒǼsa-aJT7؂]xJΓ&t]K =&& BJ璓d_Ǣ}Dd#,=wXDݨL;+"rѢa3f9.tsFJ ? T_Zn8iԷ LÅ3it OlKYi^O =/>M X>e铠U5*# !>Jߙ~4(n΍ݔw;q8?Hf2szdy9\^fmīu"lO>rOVLNF efxܳuq$;N\qO:{vsq 9)r='(>U_isĸ*e$=kZ }i)L A P6[}ET J0̫ {lAJ j+lndKPMsEH?m\]i1\o1ϛצ־DNCԂz4,C&m"Ud]5.D[]8DeG q,K ,,U-f.=E!/0Z^W C[=4V[#̪kM.{-.j }qO}e-"$#쏻;)KFiK}$L1h$B\rF~QWSVׅ. w)b8yҋ%lac!" J#Â5z8b-F +@߄Fày]3#('r޲vF‡KWT""Eo]TCث706yxK0gb˫}^Jtc^lwNi/!JUt"s0L/HWNǟfJbAh$.h40CPU28w8AOy>"o8^n?*g~)+o/G5rh)tsew8Ě]ȳ=ba1f;+KQ- [0^=/nLre%Pεp6HTqIsۚB~sdЈoRd P.{ֺ߳4l 0t)cng&6fiPG..l4+\:|Mcb";,ؒL\p:>99,i~`uAvB7Ύ:plo3dµM4󚤨<@RB G686YvN_I= CaCH? u*XaAs8Ћ,O|o tSR-\4(O$P!ƽsLy_M=4se1NU2RLb|x%R8 <+JLE' Ex-sU Ǫ QuzGCL, jf|Y}Z lP<ᣕπ_よMZR|vHVc?+!Y8zU[\-P!eab!ңђ76z*L.Z)}`Wf Uj&+Ds-uk<4Zu}el33cGX4(11 O:x? =U?SAQ$+N'za竩$3yǻu3~ʕ85<3odCnwyi 8~anuN*{aXn!4pdmߩAߗ 6 znCjy9wPv!c! +M`,]49.4b|)TO(3@t+4j' ~>-b1$kUʄ bO>2@ ͇iTy~h@Swqsq`u5;rw8ܽKhhks7@Ipᙨe:lӔzKw=ДI·@':'>/Ƣ]cٹM]#r[Weٰ{6+!HP{Z"5{YQ E܃@~Zn9( !gZjsmFDao*:u*tu$ \ >G>7c9h{z, X&|zG2uc [77F|ZtVnZ"9DQ3Bh.ST"ֳ=ML;ɂGf c G[@iqcB'K-ܯgYtBOvy&R]8ي&\f}`]v.d} dnɢfQEoMoВ:3Szws{bh S6c{Q,{*Q`}^4+ڴ7ʎdf^Uk =Ynv&6 JeAT.'H:I=j[Bp9gu}h-e)oXHlV< Y"BЭ)q5.3AObBEk+ٮ ׊.Z]mfr*j5'6^DڝZL, FV=ڊ@@]o7Jp!2r1[f1gvlH6ަxFָ:pr*g B'y0!*;1)>q MʂE3g"Po6f<'{ʆ#N++CFgJˢĝ'ǢӸ] 1_5Q!\шE[j w>O&~m4qt5 +( ;mRv?:^(FsFǞ ZfqgE!بiN!Y0#.>QwԺ zp#гD~P&SGFO y"Q>xVh;qdۨ@2ؒy,D\F = N75AT+x6Y _*\֕\酵}f [ )\%!!$deukhVu#g$"9iV3|"8TS=w;<\%+k#R^$v2*L2Z'I%MdޜbTJ*v0i@zڝ)ZN !F(ϥ4 To}$FoiWԐ3O; 7HM [Mϣ2H;xեtnm49dꡱ8^wGtȇ;CfwO~>)r+>_a-XD7ΆYcV-bAsr1:hN[p f쭕般Y-}r|x ^R 5_%a`=a\@c{3sE ô{: m]!k\}61BMI2WƶL2ݗ"*,2j#avul<{Z*A#tCojE6s5* ϳ8`ڕ*"2# |\b]q0_GOA~@ȚܻXh7Pv FneB7o' ڳ19f9 ojjqmY\LζEgE[9h֥bwt꩏͸!jK6e}"(h{@X+_ ) ?qL{U]~F?1zKwf3>\Ve.tEZѠfzd>s7+BPjrhFe\|}YpйV82I37Kږ/QA܂*sKN"(:Oo,~@\2őQ~b|Jy7ҧ52%I򻁝cl)w$L`yoٮ(~٘2Db &p6Y%p"d( p d4Pxa3IP(1 P$JzÀh34/}I:f^[fnFz1\R4'3qJt~ԁOM/;y e}=VY~=.XY#Tq8K$Y=o]MjuN.ևYlxUnY{uc'A}|`g T7f{^hq*M&ɣ)l3aCPbJq!(Jی|}Wкԩy\AI P^DaASc6e ―|ty&0bM;[FN[KtG_@Iz|z%:).  q?m?ӳ]Pc!8'Q%DwC W@Xdhp*]Xcեu%[R$mG;!^g$R~c;+c]'Vz`F?Q %]O=>6N1G+XdP-) Qm %PE¤KI/hbdaʙbS>6;&s]oFΏ[c|Cֳ:A%bΐ) @=3Ƚ 2 p/KJgtR.8(p2: pcH,}5tJ9/GkӔh2+1T~U$$!ykr![Иxa/<{ hݰ YE6:?KAs,"RLmA|4M[CG %4=c]n]Y4C.`s7[QkدZH C.- ,1Tq)G1Tc Np!Q̏N[4`X #g]n2QFFvLnaa]A6.`g$oDIQƵbnwȌ.<ߪ'@.[G6ܷG%h#(MAcrv@}]=E:S =L"87x/|[f)|%nG:ΒS',$TYsHRrxY%q 4aBvgzcjYry(Xڳ3 =sI :+t'jNE=g)_Ex1t0{ _skO ۰牯٦ AwTn /a(g_i&ߣ1cUpQR&&}!ATT?gjR>=gz(-S7cjLe A uHW7XpLƒ!slv U `89CrF_>i b0˾tb#sTĞ/$/J>]a1/kVWĈLgx/Wser;2AI_՘b2}~eYr箒ʇF>_i|9MiQR癭{1/aGx/&Pї,fL?s]>Tyj4^Q+ 5OŌJ7RY?QI>LW\g˞9c {N-?D_lWɶAˀ8-  W;N:sZ\CqC0n%&0 0볕k.#!RlrLp^(sQF…e}:%\QCDT]REaG!d[#FD: Mem|3 A6>k ֕?;a1ovwAy C۸o<yE_8@oqv/#zff(g֎2s؏F_ E(Pt%'? 1rA\d(vk̬hq;8=;ض}M)’>=:l.S96l nJԝ&;Qe!4(#>8q[FRX1 $G^ji/Q1Nޔ_UFp{K!§Vg Ylyt ֗68;6 .Ӯ>\WVPVj,]@>9(<ū1wmF:aIpH"ecԭn]KH+΢Zr;t:f&CWQjؙIx8)NARw4 ͎dCSRAszپ} B9pi+ȳyJPc)=of  </~c An(K K$JEi *ZM/Lԫw̴7>?"_bhxYF.rTk6X6KGj|?XGJ,$0XY}{OQ9GN1;rk>Uc&g!Q, ƅ\ zAPT]p<ijkMHQy>ۖا߯@Z2ي<(6BpMi/ЊUu*ޞi/)4͎n3_%tV,RWvirsN}<^9_C#OAvzbME.V'N|+X7EG_ӈfhvJq(Sʐ8m|HM ?@T'GDV TgXoT e4i@'M;b͵<^'q#8!Yxs(+xzOʏS,?EhuM (M^Lh! L#PinI'r\7p&SE3ҦJU){(#89P N&F#݌Ă;]ZUQAF"&[H71d^3L|jO!lt-*ְi%3&]=_'g1иGd3! */,ELɩ->v F屩9> y#B;RxǧiS Jsof,x-<A NOP~ yHqe՗e$p ئf`X&`'b7JCٽXpu &H#_֕:LD~S&\e%WxԆQ>?5&]-W60b o <^/ \Y:HgRٝ ;pt.OnG喛"JQ W7>ȁn/{ a;x\(C#UFF- ]DϺ/ŀs->H@(@+Z)02N }@{N'{wBB PθIÉ"͉f\#9MS5U4ۄÍJ\:i{zmF5]5t5[Uv}|G2-yzbO*VYH&c4oH sÙJ{_ENH}AvIEHa($JaPm*ty7`'#Teq؁p'ۀI;oVum1xn!Z^p!=&$$9(w-:Y ICFT6NX*&`RG%XMԽYf9Q~A-eq(0Oc""2V#@ ƓKޡ9LL9FxHrpfC,L{RHPkgȱ~>f߈`vp?tq7 v%a-gMbsن1IZR_Z,Mƣ@V/oJgKWef\ҍ67pnvc~<+3T]CϘD>(WJNjh FEc$\}_n-4XGZoV@T̼ B@:ĥn>>dΠc[E@6C"s&, s)UUG1N (? 5x`Oh+I5vssoW% sQӥMR&H,FNͯy/wNJ=w 7jDv.@Y%+ \¢AS{4 v.2c˜s1ӷwEK U?djH+yVPsF|JtK?2.['<{f@P~^8kxs4m?^J 5b[Mݼ8;6\Z+=G轿ACmpǡZ "5EM%&1o}LS0BÜ-.?ruCB 2mŚ&;wT(vʣkS.cIܣ%CXqщ+PK'.D˕pn7v<2}lu O"F|<ث(lPޛ.5XA͜ ThZ$vWĥ(Ý~*PTø= l⼎SgYžJ `jyy?*;=o5,O{ˣX4q>`W t|/E ڨM0S|o xO'4!u\ʚ讼ZkI ݢO 82s+dEgi0{mX@zB.B `NfH F$"u3}! /ҶZ.w&s(tuc7ˇy E [ٽ2e92tB9%x$>QDd׋]x$袷'6@n y{4},H=]Ղ x;\#:PIi WX+ƔFQ7RG `{k?|ذ6"Dn<_EM ~Gw?S{5+Ū );0p||ƒXk pG~;G'Q%Q>mP"Iٓm[T5gRPG xR[X/H'6Ciyµ#"@ x P?G +iͬyg4I(]/GF46jr04vonT8&S:%`TK:{A2t)Y|sܵUk=ɠ 9( g9yޮ8|e#~eTސvQ >iG,3,}/e*:jHkX]IqXR&{3Dj2 n1if_SH\>Lс|Q6IVNfzhv^#1#OT{z:ZrLTh R*ˠi"Ni7 O/(ktVb%Oƴ _Oo6ߓ#1ӣVzyO޾fiNH4GPֺӃ+1o@#1,@ԢLlhHT֜x<)22DOhFgmI֗~Ȧ_q흹[DشэfNӑV̋ O+JƬ4{0yy`>F!=1cakHH03د)$O[x˚"PY"jOj@X~kWP+Β9p>cԸ",1|12Y,tH̱+_C=T(f#*u\\^Z"Wvoٕ|wHEE 1y^dضȎC2t{m%:߂BzwG#/=:U1*0B+ZRI"#gVXdޠ 8D V9(3" `FoP+qWV4,|jAǡ_F$Ra&yEBR+/ +%ΝZ9Іim}n%F}8 [K02Ŵ^3;R඲8`[ wpX8)+png_-f(rePkQ'DA(n.0Y"\aг!+ĕ.5O]7㪡*laJbj;ERYk}SYA";@_"ZBW]~Y:i%;`i#kRQWѲ.7.C Y6S^4!mu|_:j=Mk+ sc-iMK?n~L+Kcq_bv dEUsK+5's g_vc1CON0]ϹUp=l3EY?Wqp@^*mu<cX&cG,钑XOQ[>0Pn,A@u EPu9&y]LiS9w!JJkw^V=&) 20C0U9Ɂ .b7DŭF%D,ܷ[HVPrgRA2k?ڬ`R+ !lam}#(ÜKz39sfP+s{&U#qsF>KwJ6HrKf']lѤ֨նK$2/URZ|YPV_ ⠩?p_ue  0?[2)4zb|%a(M&A IIͼ0*$-JxEq Dt/fdJ%jZVrLᾸθ iS_)\OGc @ӵ_Ł+£T"$r MlHUEʚ/2J(bq-GDr cW%@_]1mѰD%Hslvܠ2")R8V e!?MmFMv3fm;RF'^>f#:%3  ݄5u=5+Ge\jEN=/߱O]f{ uou2Nsۆ+8:n:dn1MD@U V(28sFZN{KVLV oe E K=^/9\~">}UZ&P@3vpg?0#ٿ:_DHoZ0?u_r=d7IK Oٱ~Wo8y*oO ›"6 4l_|Z>Bi+w=4hv_M9 z*pC1ǽ&b+W7@y'm b PxDpfBA9Iس:3N#>~d)Bf }k?LRְ}pzb·9n?َ,'9Y1HTa޸JOtb_ h2KA i02rleڬշw,Ej1~> \Q-7Q1Ƶ,VU~Ǝcj`|V9 -L 嫆om: ^<#ܤ[ ܏ 揈n 1):Pcݯ&'Xb' a!Cv27KNc8DfڙI84?Ie\85Kh/,6[ zEAvKo#4M}a'=Ah+?` ? =Ixoqt8$&!R5bLFںt[6 m` 2"Q Q Kxh :0+vgpFtbxIh`j}.tC xwW WE S4Us5= w(,˞ =هm]ej1* X*.yPeINw>WI@1E٦"ğ, 2rZ+-#wۗ)=EHH ×JSΛwy1B+kw5lvAc]>jc<+:k%*[pOX5k8]1f]F*ӳ$_)3oseB9P7x#*xJY P=N{ qVZŗkכNJgV#dӚRYz< MXXCV~l6RxS 4YtGӼ,.w]DDcjJ!uԨ%K=tc=Y*=$?R/[åO+NrNwlqXzA u׃ޫqEUbs@{)8+:J%Qh#:fMzE0DQf̲Gedc͕T;UK~0Jak=q@{(Ӳ&79MJ]hg}I&?+"6wڷGsu䱲8`jzyQZ;/r(Lu ZY#'uvn9-k&<< &'4PAT I5|oAjm=e`-D~V1;鹷~xPt<Jmd4ߕVEѴШfV#ߩi,A%jͫ4yҲ&@{LAU/Gq×.F/ΊJ1@0*C`=RKaqc5w$ vE8+97~wIKj{YĎ<08s_"XF,D|YKI"@5J'$r |s~:)+'9^L#݂Sn%*'XjdeG6.y{djߖa+Àu% Ҙl&JZ.[6`s=q*/8kT٦KaDtAĭ-vw"]akD Q~y7\NS̍$X[؈'W4yo 6mOŀEZy8^zUT*8b1(#7T֜U&rp$ j)̦{%Sir)U=˝9;G-SDO3R_Ԅ-tKd)܊<^@Q /m !jU ܵ z<-Xmg$) tb̡҆5F=5Gې|1G3c5b:n@?)t)3*aZhUDӌ[ y\k#DqC>xLJcPG?NU(̻+DݵVK=VB0Մ\p-݃h ¿Iڗ+b]}T,چzOnĈXҼt;G9[LCH@vxSMvKryXMX.pw4C;EwDv ]!]VP9{!n%/34i:GHҸ뀺zxJTc ~v$pX{Ǻ$dɴ!ǂН6rCTT3R/ D !4I> )V'c|`/87SǓo 0]S矩nZd? Ew`ř+ sn"%g@\:(((}zx o5Ak_]e (= k,a:*]tIX77nDz&x&ΌS sXC&~7˕6qz4kD\{T$]8hiєhpiE|ѢӰl|3a:w_^7ViC[U?f}&ZzQZ3߳-<)iPC@o2˻.1ROO1t.W&}r0(-P!ʹ]%ÔT%] %ƑY s#7d:>9*zۺ}gZt-F.2LN,(B4P0A9z  o*kohMQwP@0H(SX` vL&J;{fզpRak_+=/ɤ ތCЧGlfTWZ>F>R,)zښ:> @F wZ3̄hK=1?`Dz`,D .?,6Pe? oY=źҁum }QJj4O?Mb[Ea/ޥ5 'r~+r˃QSߋi3$RSS'@Aח@dlr5_ va̬56H1Ǜ+<Ƞq2OfeD`VS>JKC(k @ҥHTâZ4FMZJ t> :ɋP.bk2K9o #c;RU! -sSLRɛXf>J[Srw9D{6VK&,pLǢ&jk/rmYsi\,67{J5jyZh7>2QU'.!=WO Zi&GLje/[G^GhkrṬCwk|Vah\0ƇV?XT3л,#U*r^łJ߂OȂ>zS =NOќO .9vwIFHwYȷT 0p M r o.55>;.<&YvtK`x)GwpAnrd -oslrBd*s23mRAX4!+Uqv\_w"u9}鉹HcМaAdىQzpfˈc4+$uA֠ ^ĸDX3Re :ŕ(?Qo;&wDgO)4#R|ދIҶXj4/h/qvB!mxE2 7<>UbUJj(_XwU8_y7cwMQ9 L~嶐\g{tNPQcĪP0ǝs% {#5ma"5e"O/t6f6nV~rN",Fw&eL/1|@ҦLdCYKfwIŝPS^F䉳} apDaP}\J6(jAɐvHTqk39ќK C_BݠB\ d(]5WA9lm)*%irym%))j*&$۱zxZ7VbXO$`Ġ?U|W2b_QS0r%uc;`NKAC##vC]%6UzZd~V~(4ýԩ. k0<@(=3:jZojz2WnG|-w*Z'2޼đ8*Eє1G<M#6Pyc $-r/8)$@(w|d]Y fk8f&@<0EEF]+5zZlJ$U0m-/ %|=ã7 Vo}±zӁQipoc j3 o706&#elUiB,^Mz0Kf/&UeZxޏS!ƊXZqg5BXϻ%"}EN' iEҏ;Mxtƒ4tz3勤k }NB i32Dȅ%"nG^`~ݠT 2۽̪`zM!ɇbVQ-'8 gdz̆ @O#H QXUk:9ZŤt@)^.yűw@'Rx'P2J%;|?; DkJB5Z/c9gԲ7&IMDb+l%a%2)6**!"`-u#`萖2<4yBh*6bXP(qB1|M|ގg*5z.ʐP{wOYSS.WRɯ% 5li&9Bk<8bWf/kj>**Hv-ٷڽPT0"NK@J:nB#&ebnh/P*mNhY,m,ԡxSDUcݩ ZCD  ,, Xv`kA dD^2nUo|:eP]oK,ɕ8^$*fI~wn 7e:Y]Խt{֞luSyT'mq uWxV7P}D`dA2D׼lVV*Eѻ_[ҩQ;j 3x ԒVJ}oo +$oQȚ)̮[zHnV7[Q BfPlq߰`I9cF?CG|iͽQ(((㢎L(#nN G(,_@!0偞}Wc=D;`V:Duv} j>jB&ը;AAYSKfNM$LXDWPo?_1D[^W6->H3~[[GrWksۙaWTaT˦Wv+M#jzEIܮ͜4t1uYlU6߰Dsh>kK?mXQg<_ՁfZ57 jT5B >e_/ƃ w6YBØ:UNDcPLr ٟՙS,m)Ƌ"DTE#򌁆n9;(dǃUš 3KRY\g\7GESy}qkCP6NQἎYzl,‰1 Wb l89~UGe BƊXPT𑳙J:y:H4BD?ǢeGSSljBXR`4 NQ9t3Q~)Q|XtG|W̲IWqZmvI>nߣkoOs0ݐw .eyx(mcp/B3;Vs 3h@-rs +7t@Pyu JA!LPPL˼%I2ظ1dЙ).ҋѯ*-+~7&r-vna/޻`ȝ/ ۶ n*;#YU}s>;õ$Of%14+9P^#p'AMEK~^}(&f`zқ7͏&>]_`wƱQ\4*좹qB (xz2؃J5Dyi@6J%PR=M}4LA1a!ٚx}hvb.o `%I8 H:] ز\L6PDl63Ԡ{f_}}PS6{32ٲtѮjyj`d/60M妯քK]no!ZskJfNp`}yw!W78y] gj;%6X~ݺxm*ZD󄵋" i`m0` r?c/DXƧyeWPC+W3-D߰٩Ql OT潰Pzπ?9Ձx qwN} S\DѴgJ~E$ x9^NLg] Acmdf?#K%+Fbf5GSߝU|G>CZmsCAL0t/n&!"~OpObk=$ik1і <֜q>u.P] CY=.\3),`ta\` 5v i?4F('ؐw `\rع\뷑 OjsFٗtt(Bs:ZHZQscr-zdΐ t ]PG%-G+Γ\q8ErVi5خUjV58m @bŃgȝ+JN0߷:Syiͩ)  =}T2f(R FN+/ΟmCkjˌCR=<'m?ŧyߋ!p~w~`5 4^=ω2o5w!ȀI P3|؇E-ٲ8E+Cb4Bb-T6ׁQoKqWykH^\TiW%0c_F^lSYJ5d8VF˳ΑȣGF;1 HM,o#wD1Z]@\X'A\ФR7;D:s$Ú)i#׺oDηzRJދ<)BZUΎxTl (VlX=L_,V`87Jhgc#}GD(9 \Bv(ă*wŰvͰLUrPYQ,eV "9}e !pPtկ\YnE6s].Of*7j{W7~oW_QJY9rP6YL7kpYeCpYW ˕Oᨽ^ENkSØpy2&n][ѹ[NQM;nL?Vk~0ghӷE!~R5@ E,kwdJQaۧ3ʌ{ቑTf=,i^n`;OJoj޸IM)ᮽFLspR7޻WfW(Ls5pLTڠۯ r[ 5./U E@ax\{DI#\H5=7}I6vasPrE]^%AVdSNge5;_dzʳ7KWGjuA3`3c>ۤ%%jy= {F~shΎdzjy E{3`m"^{Az~ZKY:^K~)熩o%n%۷TOl-N5dڴe/L;h T}Ot8 `w-Hܦ`)Ƈ?PI^'T*{]8D(+ũXRFۦa0#fGyqsH1/MEO@ ^ւQm@b}w2E|'61Dɤkzcu~l+DlCQ '9s > O*A('T; ")݄_NS Z@TE .lBz߾[;TWȝk)J L֊gEQY/b0 "Eg\-J1v8\K`҉sƹԠ)й!{IKnTZvvSbt 6Q&-Db@ ZwS PvK6]d u`h>/+zܩNQ gR\cҡcQOhXV}DV:*꺬p~T=l7@w\mX ?Q~qeMtT#MeTi0y8N싮:lA[جhU<ڔy'2늭+tB` DW('yvcl3 1`o{kFSt"UaaՏ%y҃/~ZB3noh=}"n\GSkсĤ9gGV80NE4_\R=:UciXkqϬoNwQ߂Bg]eNd񄮈W{*^mt)jxFߛɲP,nniqM1M!xH皐x:[dBW"=ߚG^@1]*WU75t>d7hLL[bD^q媈u!K1)GBZT35}|߁:GpֱWLVPFw|RSBQҸc8:! Y8;WvI 9Jݟ OHC+{HXR$ qC>\L t5mۚ6@eWn;W/<{[gH0ng^B$aKdQK"ͲN# 6Sf8(s@ <=@ `Ө+|l)ɉ9~8fiRXfBqTNd-Չn>3CZtlݲ&(4AMz~ m=w {Oڗ@83Ru~yHpvI~}ȫ;{oLr9)+A%)7ܘXD`ޤ+|7ŸI橲E/kйD%ta9Wv+ /_.9컉~W[YBc6Z\ QTd/ЏN(&vQ23I$X7\x*lK'ӽGS-0,#i,漐5|9{^`( 6zLȸk!L19 av74 'T RKPSwH3']Q?I<<8"&ɑ<ŅǒV+ 7J + c"nH:qw9g0`U>z_żSWRXJ;[robwsXp`JN)D?pͽ-_UF+N44]ؓ'C &O)ՙj } n$EIɡ2G u(L;KsVjB.xx={lqd[|X}kEԧ'C JǯM5Q7pv2th&qm()$BTwɭK08|2'@x sDf 9 {+ͤ[mW#oݩi[Z[ǩ5āj+?Uۄg1p|9?ILhE*eF?/a!"@.E/<n~C`⬱bBjzɩ$ ;GqtDq w~H^1{rn^)W$|O_B\g'xOsϒooT0ImB$X*4~Vaxn4mk㓒ަxoh];5r)FHߨ0gPef~-/Y0pجʝt9^ lj/;P~~>E3-']ZN4 @ig E@abHgl4"b{lozoy=A7ux.gyg  4F9QZw2%ؘ=t۪bidyY@4V,=4gxoh yLIc Y&E \ Y1N w#lÉdAg '/z8 ]Pm.s`5JX-y$=x[}*f PoJS iP9[b#kg*`՞%Y/)^+=D3Q( ]yXREFKz@6_H#zג *C $ȱaI5ThU\7juya{uKGל@auFcJEKݪ 4b<ѳ ;<&=I B/k:>>a"2&gp`~yAgb _a{;m,EK}.Z *ݧ@)z0;'vRxĖE НؔXqƈrMY^ ~)(ndzQ̧S͓}x2٬몪{<) 'Ldc)φEi.4zŧh~etC@&5#k-"^;ΥrF  Xdž;: 3W2:nEv-guW:F?I!kHXym(H@oDKfuu1JP" eC3.nqM;kxD2MF.sAD6Z7◎P*z݋ !@$SyŹ ť*9j!͡ g1%̬(xZBd|? ZSWQK,&4 wȐ:v ~JߍyXN@F!^}2>/*tb$K"lh~Z) XbMVhN`ię,#iH7-JYF8+&aKp> ,}=qV^ 0mk糿9_zQ*7l0)$oa 96{uoνIG'ע2 F*Auwc(jE0+A KE\d3UXG C vex vƧ#`ܱto7hȾI#<\.{D%M L&@0isS49]Rɕ^xE[p>Z| Pq`'Idu< y?+jKeјbM8PJK֚.d*Â|q)7,odcjTF+K链/Z,cXEXzس[nҡTRP⅙ՍxFNGG吘Gb\~+6UOxu&Mec.QUwF:=4=灟E8ԩ6 (Ysp!ͺ7هb]<6o8כ>iX,7f`O `"P,Ms> `gBf7Wr|)Fe/$!ӏ )pY⌠] rhN| RTY"J-im]pȟᜢ;'wNpaRDܑaI \g5u#Y~ h@Sn Oʠ|0>6#,xv)ԧ$OÑl5,Q6uuW ~kA>ڠDR}M "M@JB;5visuyugtj":XL!܀Ojot>'u!xY]q >Ig88P@'âK"@t(̢Q#,fYCclAiG_mqPJ-?DGGqeH2/&4[wr p?Yt쁲[%tpxp_:,}o`j\Xi@`_yyCx@ZvqWb<ͥ89&yXE҃(I0K)W}.3yțF:HKP0QD |LU|*QĊq*wn-&g)(ܽO!0?6tWVS#d\%zA7+;Յ9n.4q#k׉\ ,GR9ʯ#KCђ^6a3WG^E~?53U]d<|紈>.>9TmSq<#nMY 7Tlvlx#H'd>)om+`iNE0tU9ʃwAoG} {3Se0[Yr"rx͙msӁEy,_q RDLlHUHQB3]31^yжVKKs>}zX"DS36v =Ix|PR7&&%Ah޺D7k1ѝy. ҟ\KE\$) ?=(j[!G^ xwөŧX[SvsPڇA\ N-Om1Ι5#H 3] A.id+"~|*(^R3Խ=p ޫyk%.SI N ]N$nwK#`&Ia(~ o~(q5+ DYFg"}_Q2;^?,7qQ$䦋Lvi"y+*|M )\j6d_(=Wv`-±t ǵpi_U (E}ӚuG$N?~t75[w̎!G'&ar[i4qȫ b#!j&-J_"&m:nynʹ>d(_W'كɀYr:܁fnqb[ҝc/Uw{UCb}޽`*ނa-=&gT|W3GU(G\g]Y>=,cɮlޡP^;'{H=JDB[gW2/w'j,./yLj69|5Wbp R$Ta"oHbp{*xW%n} |m<Ѹ^;|C5،pXu>CGqA`r*E$?'_A wTeBN45 /$cVlNS m|{+ D?'W@ݚS,i'3 < 뷻֥V!p:[mV(%P63p./>\ሳhE+G^APLX|I0HتXvH춙U갖:嘐_"ߝcǧcK׌h%gAQ.&_9bLZ5{ү`> Rȉ-m@NU WK3Mg=Dn-L|bɩ(6*JcYSݨDb,5Pn}q٧/0<eg1Sp&,*xNVADLQtN~C &RsHBIZ{rIi {∁!$WB r''aGo: qJZlcrګZ7AV<|{b{zm 6[KtxFձ1LCiA(6Ƞ0iĤZR}*O$H++G5>)ḵ @JHfc&!Auo[~ B}Go',y>,1n~E!7 nQ,8lAVpԭ?匛Eh'BOs2fXً]`W<(WLjٌ_Ֆw3TqڨvhU[f)a:3# t.ዳO+'|D51Yer9ppRZ'Tb_z2opg#q6K7l74J{Ky& TI*^IO?'\lw_>H"b*V _DC#o棓]Uˮui>,V 4(=Os]mwb\'|m|>t Jr~}We~=RB Hi+nܐm xT-FǗt~rl%.q"N:5@~DZga.8t-P5DnZqG5)] 1YJ1aU2z @nC IPuFU}9.SLpe5=8?)WU 3Yv×Kf!|W)<}J %=a̼#e(a!Hfv{-:=R3bIZ?dJuj^%#*ue;pNDK0`n֪8q󵱻3٤1{t#/=w-1f'êI JZ;I! X ETn]Bۧ,) 3 hJuæbayiMBq Y֢9 Xn;`s;1]b""g@xZ-,$GAP!wB#ge;WVViFHicޢɞj6/ I͓C~6WWo tlnm;_n;OeiH$3DcUiu˛B4vఙ^~6?4(P!C)/I5zse9fis E3›nb$-{x1JH+LG^xrF#}.1J\v5& eG#{KlgLe|$M%8ms&$K &?y76 GdӌƩ`%$uyfgs*F\Y‑.69|k$xqKk}^vD+-;E,G;%~CwήRrU~k{#Ur(_HxGq:Mo"8:MH5/HlzsjjNt&E|#id~'``$la-S}I2 y S8G6]ߠ~pTr y}D=*-ӎa`Ul}&eioi d}TbYH#!t ERXCm}y xuDՓƱ>>vmF.yV0]$g4Eǜ8 *]ti٘8pݕ)m45#٪g -4 M[jޱs\w3v#i >ECwru8C;Xǜ՘dvL6D0u)J7kYKdݑz- vX,fpANϨ}3|ket}k[ LTd+AunJ5R[TRM4lD#J?D[8f&ҁ (#pf1_2dۖPMH.#:Wb٥W^s1HVkBɱP'JuUexm i|eUgtn@G,e|5cں[jX[@y]7 E~ڔA~9 Lj[sݰmv td#ڗ2t[; \*E- ._ !ZcXeD'ϩܳ=HEMY-ۡ9~(܉5B}0i#+V8~WͿ {+B:#H='τpI}_Eҫ?ѥcyPsX3dK'ZW9$(W@Ml'נ)b"ɋ)e%`AјU_8y^}#x/̽i3-?lQu83o.(lb^/-)7?FFc8L񅁙33'd}0=-h2lKUl6pTh&/l{{`g/A#2́k֕WQnD7,k 8 QCkǻC==݋X3/Z&N*ajb2| V`{ k Ss7b\Ņ='ά@GS)vU 6}+rJupͤ5Cמ4HcMgZ4Ej|bOp#(sH龽52֨XxSPs('PN&9aNH[a:rs"ȴ=!? ت}C נ̮HNhރ|-5 I2O{^ .z;#&7a;bLQ.L[HZ][gAlS恼Z mAΦ; 9A.t=o/ '+I(G^6j5F֔wnb.ړ]'7LqwiawN+1%vd(IrQDO3Ğm=rvۙ/d5ϸѬ0bL?%1#ei,u[T' Oi!?X|!jJicsu#hsxJʈo\-{ |iPՆdpoJiU1+ jіWwpWmI$:6r?#Rg曑w'(|v.CIq>eҥ5P-nx '[!yUp[0"p,²{͈ 5l8'm0ǀvT^4v!:N$gܤ%T2e/vU S8/-oԔ"'ˤwՆ; 5XNL':)¿; 0{?HG4CroAJNj^b !>Q~smJ DwS¡꿣T)<cəqV0tQCv=;9f_Y_AB>\BoE7q!rϑxdO۽->:dzwƟi11SdO( 踛+N)J_2\EX[OZ'}%*u 'k45g氺^~70)`1HuG7'Թ>9B-܈@u# 1ک[X^Ӎ-ܔHL[i).58[bNR1\s9zOz/ק zF7!}JL#y8qk"iz(K#n⒂֫,,$B'yq4\C(Ix:Un/ŗ>;uXU{ 3s̏CS#feȬ[g0Tjrrb ps "`jP2lQQ?b5@Ag ?C]*mizZMK*&ߥ8z˘t,`&̋ T4{ȄKz+7՞rЧOt"% -"3Q |Db/{ 8YqWWǬ(CR] {tX8 gV)&]{.$SJ]x:JIlR̈[?3y8RE|L['X`袚zU:xjk=| i%^!ߔˈ'<:Zh|1oYЉyPh_ɹr"ǟ/IEQ a>UhYQrF^H V5}FZ>5r$qYz;rUs Dk"\ `xkyʰG`}GN?h- -0ہG.b5  &`cΠ_i`ѫ̧d|+܆ciYccw ޏ')ҝ#r ʹ`M+^ҫ+ -n$xję$:$dMi-g 5w9O ƑŔO:KY`c?d $gjO񿏧s!VU N)D;Y;<$-ϞƑNg;C`6: f/{쥻ml/\Ŕ $b&'E?҈\{+&a^T/ J~%d߷#wFgG?d8; P-OZZT˼a#:F"&|Op*%R~Y.8 O'h.3>\SBKɿp'ZYg/_V=e&!bdl0(I[I! ]TndO0^:b$̀~l]IU/rUWթ Ul?]sm˜LOD!Ĝp$̺&Go ipmF1I6K_cfCX@|1X(p9 av3R7&wA\LKR]'!ؽPTCHp]&[f'ЩP%Z=kӀ~[+i5?,otW *L{B}v JyQ!AAQ?drhI~dIK,{F<2jCf=\.^7/ލe4̀`vPC;l~%XmnYOk,\낆ȣRwיM:V,8BPN5!يGO*0籕҆t_J?{}TrpD3(L &zvp|4RTo U!ҟfbd'{ޘٙ3 ئR0!m;SflU*"ό\Pj e7!/fu{7@7€VO*6I W jV}ġpGQi*Vwހ*!%E:M{,$d~झHq5 Y^c1_B*P*oiQI}j6A&i ='CrkpN_!9WiqW #2.ex# Gqv˥"C)vіe'=r2/YϩS(։XFC\.3tХIbc )(siOcx Ņ?exE.B(o9g(P kʰ4!F}XR;NҞ;Ͱc@l^΁ۣoXX$ FdlZ}(8u Ys񳓡>wt@JTx-[ϣ]X ֡o)W%;ϭ>_Jk\x @s)bx.1NHMO= <9s׹@n[sav.BLUY~5sb&F#Omn}; t:YDOrt6p pi5XY3 % t֙3_蒄)t+gpu5gUcL<|U ]"JQ('nj#gm?n[鷓lYVӉ[v:NIH&\>_ ]ݮ.ly$i|S#.j\H}iX G۰14s|+Růo⟤b<$˷X~ Z+J%BfȹE_&'2>1K4d@.Yr`4(Gi|&h@Sgo5rH%>!e"Yzdxo4v۬ {Ϩ*7 &J0[ZɢTxپuZ̄}%4ﴏ. 8z]<'%Z$cܔ0Ka)x77ZL脆CATx{JZ$}p줤\CAģv^ @y ܺr) )7eFWIS[mVj,rp̮3*{DsYtؗ0_;XD$7s>`Vv@YR %$ӊ~n~/A 兗gqbvle<},$Q2RU^ƦE]Y,*!)kIf#DN13vPx/6+rی',R85*B(.l BR4]3U%' 7rz1t;|do4_WۃtxFt{>sRDJ1O-#Uk#:WW'W)+ȇqwH7!6 hx%Fvʜsy4 [P nPآj:$ bn&BYRTU 09]0s^*,$Ss0vyflw@)Ю/% >r`D |*?*WDB>_G JdPLvNM ;&\x˳ìqdׅm|k C4ޙ$Azcm՝c Efe|0i}H_AlުX/ш@ݗǡr5J6mF1 !r'jr,g!jZӶγ`ki>pUJ&xoݹ B8ru`]ꞙxJw`? 2⃺g:SQ3'3Z㼯 D5vk\練XNrJ8uI'Udy}Zs2>#Z}?/GWWtWn9L8Ufu僝J!^#Cs YZ(.. CR7Fw*fRS~} G1!{أ$MTE=~:ѕ.ukC1`f2R&~ q5!srb/"h0&nV<歌soz*JPj>|养MLr~mTaж=7u-odЭ[Q'**sHo4S{XlTj*\ BC)AEAC<= B,>a0;DPHB)c,lMV]I*d#&ƤbSx PL <ؑ1)Әf*tˆ}@(V8F"wť&(SɽG?\VŹ%奮C ,{J2Ayr u! 쨜 uL^MS=}䳟'j27$(m}׹wpu6D]w^=Fic5ңٖW/`nBFר&+: %O^#awPP*~j!nwGB: 57j>v8;$c@A;({9%H㮥Yk &̫ ]WŧbPّ -g.L_'-#3i&LR-}6IB xkP D {K5Z/ъ$t81{hg(=zo=Ģ:@L0ykLAf鹫xL S۽xvlBM6#\+r{t_9|MnŒ]wC"6yl Wgy^>;W ?B pO*c|"JhllTtr Mx|)񉁌*u mY:I+ Zd$,-ak їנj'=-9 Fcȴ,r#%mP(IkjC{i?dC9w޼g%&UɠY<~`"ClOvYsgvG0liaZ!)ȭ epNc~kV޻ (<эRAg!E{UIK!`\Jݞ^,ܣQK, />i svr,|G|[g^5oO>xw3bp"eyh7`hXeR%|53d6*3!~]jZBSJ|(> $\k'\e KΎg\qr}; S]{σ4znkO-B@l ɒzݒ{ yZ9\q*Ril@f=ڸ).\"ؚ6ؔ$Y7;ZBŔCi5D6@<$eFJ/!u~1jp'UĂKᖂ8YwB?E:~߫v<{\r_y‹xH ~F,f~0;^% `"9jYkxوEjM_oIi Q@f 1=etǒȤ?l÷><*ԻuTn}5Q6g@'Wee-Kn8c`ff*7=gGDz ]d_B1s('^UL$v -]S=F<aqgGu=39Y9 wG !4Cm;Z]QlVoP?1ڀ_L&ꦪ:u"7m+`4I3AwK!:V{u;-xȺP7ULd0rcj;nM/9yWQH#p a@´tVlk~,0i(E$NZi_L S}~2yr@cG`'陦xT#1aL1+}\RWyc!ID^DW;{:HSdgK`c`W ѝҥeI Ȑ5#dƉ<ͪ9'S60&wL:FL ,Bbf/Ċ$>(I.-@K*=Œ)sBE1tr )isݠ6!L`»XU88YȍjB/̕t\#F}7p )6YPU*|+r3zߧuƆq2%uA˯l0S_ bܫD[)1u#kĪkvOy av`#x@5[OWIA^ة%\ٽJv=B?; _8V61-fلqT|<8j C@,om]ӿ9p87cj_U"q20W#;|7E]mUC(!i{Y59Z?( (ƴpJd3 7RE/b+VE8s\3AGPy* ڣdj&ӽna&~eyw,vGN2{;g~-s% %sWsv1zhk">l%2ؑw~/P)L~~èA;󌡇䡉ɔ Y½JU2IR9N`}rbbL 8R4OE<7AdxWٝe>Rgc_RrJ-{\bʄ3Wg|8hۡm04cv#gAzemȳ9HtS B̙u3M}#̀]10/ΘMq[eYļs'*I^,!r~e$8Ҷ\ &a:Pre%&{fO *WvQt+Y p}]9[9(다p]>J5Zjjw#ʪr8O"M.}RZTzTdӜHkP.=~6<7,E]Q} AOyd1&҉c[`EAS[1sF -Uc[~XK&郏v|'9 |&5GÕz8Snzi[!;q3a?fZ˂XO}$8'jh6yIL;\UwNGg6`/{hI-]gQOj nL R_xc;joLf;% 1,}2H3(9P;iDLKe"m#:H,decl:Ҁci99((" EHzUB@b_ʷQ;0 WŷĨa䬉-ń@T"+Or(yhy$Ew;V`9067͢YĦk 9!tT|縉Hs'/_ *=k /zoT_FNCy>sTM;eTUr0(IԐ9{gX6KvA~BIl Zf;8~^>ƀȒ7 蛂2h0oWG\AHy oI= H|STv&lj=¸6Dex+je%F^yh%WZ|z@TE0jсk;,n-$" Y5Ut=-w$0[ȨM2YBmKh!t#u""h!%C<}z[E2b"8S3➑Z)M=NuoX~ꡏ1>B"XC, X;1\ A?U:[G:EjJN9#9,`IAPG2j^aQy /;e_m/KRd9{g/Q40GFDKpd$} 1b$Mtyl|X Zvf 2v-Էe~BJ:0Mٹ@rRc*j itFPN/5gQjj!-qՒYشgC(]Nǁz_U+/Y<D^ICAKB癌A#TeբZcHD+$iN.ԬIއ$AJVm#K{;tVRpO{SWnFd'rn!6dش#xe? gnz[xL]ؾ&B9o Z3:OMw6V $7iSаX­6>xϠnPTCt D`sQkKU\Z #zc'3rlmJ[e P^F&YR8 vRs_/w Oa ]wGbkmQ%K4{Z?p5PHЋw]U*TuWӗ?B\eP(?y+_ItPL}֮VZ$5WE]?i,KMAz2Qy:TgBDMZ;<Q3˱vwmpЉb#udK0K1!o)Z!WifԆ@c[2 &ü7L^03q8TB*lw޻8dzv\'^ KHI*)Y|8j r!M0Db6YH(^R2 $&a۠8hy[L@UhE2E~𚽆aUk(`QO20;}! ϶[ ;;o@3J "]żR-cvJI&zqvk-x -?R烚*fZv3[;|TI"랖k1[PG5]xqV\jq\-OPa7M3["Pj\Gʷlj*ll~g@gZM;~P\/om欞h dYp(eTKm]U?R4fl&k~һ7 s$6wrX *R#˭7ubW41\T'tcI(D4:Zh4)͠¶)+ ~-g`yeجCNgI{{}Ɛ]rғȣ)W|ߺMG[%7-<nXt^>F(zҎ}g~at,*kv/†^o${Bsff$pb+o*NYGaebCo3$W#(-3A!4p,CD앶b~uIxNʁ*:ط1w4d?jX(0+皨d-~l :dE4RK| XydO{=OQw}6Au @qaҦWeEk&r3VH[Aw}hV""vG& `Qץ7]Fǘ16FDesO K ˀ^@j۝x#|yH}'s)D-@~} {rPCHԒ1orᜍ{ct,Hږ0V:hޥye9_yy Eb/Sʨ"CEC1\-I[!5И:1S~C;@U̯ ~ߡ3 a[#hl#ˑ>ehAտWo8?hndEU!_W&TiK`aX>\8N8&!L"lx̅+=1'Y1#b<<$psV.^fc_eb#c)@]8mX霦0٬7X,nhopI’Oݴ`T@C'VkMBFbSQЦ+;m.?AP/?Tg:zNaiTzP\Č|QSQ蟻 MYA(r/sv(u\G f?dH~S#PYWfo?KWlm[dR?Nlϯq_JB)48 .|UzD;=lVl _VaVi$2|.[$_߂ R X1U뷖Æ2%K^aS`%1bJedhfFs*GoX^]iE=KJSMH˚Fl`(2#A21yS K9c̄ÈEmA>^ƪ(TfӒp&'s aUwToπ):\ _#vK2Uҹ8"iD_WǮdT""F :O^Pt{gg c_ڤ_ך@v?NWQmjtLL>98Q7{ou& |e6=g]g6{`sQ>^a%1D @P'f6f鶌K>EhV?B/+S9QF]|Bպμ }Q?}`nإ- b{ KR{r #& xʘDjV\d@s-e7(:4Bb+-D; g̬&$e5zOk BR0g .#$H#DqqX5:c}4q6 lDT r?dCߠ n7;;[ց$rԵ`)"ġ>6Yvx .#)Y1=肦݇49.2k7p$rNYv'sPxK(x"* 9͋f5hcBrvaL 'bO ZSC< -| wR?4Wrv(^ѢRm_,bO?- +?%T 0g0>y(>ѥu8?' > c)6B _\l;`?R$7m4`.Z hpy\v.á 3ZUIu~{q?MA 튫axkmA]!E4pM䪛5~[I0>;~*f,r1(S~[zC\vگ->T!2wn 98yX+Lؕk\TާR#>n_oCB fG6P;%z %_>[yGI, N]^Rydݽam0ЕVc1cwA q7۰"&r:<~qb1yȓ_k?,A $ 'WegP)CYp`1ݐOR㛴H 'S@k !WሤpÞUÅ^>)44gh Zߚ}Pj;V""܅Lt@h&#e>#N}`=;nz $0dP7(Ӿj\3t?YM໥{L \ǡGNg=)&}4@%'` ƴ lIkf hYV Wǁv1V Y.RrGtZ6, Ihn"<:8Y=⦪ Զl *957g^ KۢT[#⌛egNdϏlCGiFE6nYՓ/ mhW?泒@Q^5`neqrvI<=Tӽk܈TC4{,V zӃZCxo؝I|`rPo|zy] .ݕ8aGd}$1> =^Hzj38Bj^͢ dړFσf4 MLgIPXnO#!*dj- '@"nˉ)vlQ- Ff v#S&I$tߩwuXю]UY7zc.ڀ07M-\PHYۉ'sfAUX{O׉d]qnf/(mS= `{f@<5A"W1ؼ$dDiSψw410oUkcÇ|?1V&篅і5i(JG'=jLH J}e|%.l:MIepq 95]IBh U_LRAQB3%Ĕ2٘m50i4|1lq&~hbbe_y&dVA@ghMNRFX.y[2í}w !j%H~֑r%5Ү'E5'4T{!W~_&$i׃n<|K#9b l$uJ\Hdt)ZRHF'd?sf '$$hDPɝEpٹD=CkQPB Mص/{Ⱥ֊RN@ bINI"BxERg5zHHpMe-cO[]wYv]hOL3~wAE@=O3 |+btdtj3~5[kf ߪ} u9l.wpB(_>n*do(1)bɼy1-'hA7X2mGLJC3UW~CB|iFmosn %X',CJ* SiwRSfH@ys[cͅ}tddBm3./2!Cjy ^B*61PeHoI4_:ĸprxqOYu9ڰgu[0$T,U)6]T:g<ۗ#)jxh*eɕ́K%յSL3WX墏t /dlȐ2ʤeOإi]ǚ&`~o-}YnEñX?WSËv_tOI+}%$ En ( iԂtjcbe9 j$oDS! 2ޚ¥ŪO(fuz65;/ ѧ@@[&葊2II1لSol{4|ZQK8))JgyY})5$VO('DY9Hqsoԩ˯:|yGN3nvc&mP>ذ=TJu ĭQyrd!➞}JkxQz:NX2q׈F?+U%hR7]3Ie&Z:w`ZO܈xH%>)_<ͭ5—R*]7N3D!H樖2"zN1VEI&u7E_pTFݭ2y~/%[xq/lsss7PVg12 Xslx^,Tz86HX*d%QH/AFքy]J-kGV63`@P^#vlKSC2Yu:Zj ?],W(iYl^.cQ%[߆:"t.YلAc}, IV 57-(z p.P m5F(;{)ʞw*9 1F_W ZUĢz 7"*b{~70{֭9n_C ߘ2ϯ42 ұO[{Gr`85fg9LƸ4YU>:bS" -]:jZ^F?3e9ogV|td&np)Zbox2 C0]yx#t\[i )pa+\ ڍVh#W`8^PInh6;&B"!#"8&xY*c2-c&r&~6NL3 a sƿ9Lw4G!uĝnvA9J",.$$a#%mmԶIG;(-PGfu%Ú2LbI >&v!ԛ}ݲk]B_bڙPx U#B8VA z'ܼ5Xjn0S\IeYY=(^tDn/_bZvyt @ %өҟFtE#ۍ'{9M,#XYV}PRDTO5s$UftAe4o/qUD=D .RI8yu8.-H~"p/*ʕ^v9<0mSF ךzG>rZ7]zZsVDUP&_P"MTUê]~) D- }i< ՙpzK?XzVeyIĸ%>0Y@Єqd+BNvj;ʼn<>;Q=Wi J=uuF_hD/;6*v[٘eu\_FnZzU ۫p;+n/r0b zDDmvpZ+9I&gxĉ]hS646^˃ݏ;Ƒ- ^Ic>c-=7/(?viKR<ؼY&2(WMˌTx2H>M G]$೾!?bMA.f%ayrY^]KOf;:VX)$/'C.CL E@j]ψ&1X yOt Ld)ЉLy $luN lxɶNUFp 8zݗʐ쥾t:~X$m˰lnQf$f Ρ)FS}%oCJ qtD;(P4;ށֱ[>^$!8LfH ]1Mm(s *S&٭XE0 ֽZJ;Iߙ1ddR$Koֻwh0*,GLL\nBK+7fl6.AZQҏ"- V,!vP̔ԝd.Dt"(rװ G=De8UC6b)/W-)T->u9BϞ>)|\+ZeKiܣMU+֙Ԇ-b Ք3h³6Yn[Sl&ETJC$E~6J3mc$͂ڊ_7I[2)Đud;tr!R~Zi;Y~RWʽ^fA*G|c!wB4g~8p'ulI@l]byVC6|4=R.%If(ݱQ@Oy,AI|&Pڂ!1kr͘$/񒛨LY#/vˈٹ)cT!\*BDOMi* $t'OAxM@Y-mlbrW? &]> ײ:pJ."2Gw*:Bi,,(#N81@SѢ6>}0(bGţj'?5n.BIl^ Qv<]fĊ-Dz[˞_M  \}l,+CƬl% ~4T_Ӟ]1;:r3XO@~"jaH9熎@ YVE/{I8kg bl*Y&*]2S' Kb❫W s"_戤[,*KB0BoCg:{C~Cڨhp)9=6x@r&?D* zQ s@G=FwEJ ^-å[wjZu &֐0Kn: aЧ م" ] n" }qĽxV%l^GRdF#)`(˯8t0>>bě?.)r@HSqQC!hgcۍNBυ2 1 N!U9بV3BvD 4m~7Dz{X6驣k(ߕO`^PSB,X*6*75" @%Wbjq,}Cn!4Bt+箳Wݱ@V~$ݨ/0#5v<)]ѵ,WָN*Tf Rn'1$멪Mp,"D\9!mF%w]0Sn1m8t\iK W \65OQϊ}OU&s&$e5C&1 OMGB2Ͳì#1eE# |wIh _o5Q@Rq˩ c^K'Fh ;ʨ.w?&&קٸ{{|1t J(u|: 8 HjhTRd%j'7,1>3R>4tʷD%eUb'vA!ԽҳHu=3~OLX_jr胥"H f'B9ϛ e J1s,>MlW%tզ%!ѢotPα "A:Tÿٜͭ;oFZn h=RB1hY~%$S{UaXWrnR뙄wՄ.t?b0Et~nƩgM}?Q# 䤥}W32ڔdY"} tfNtJWsOB 'Ž^pZV>|ݯW77wbp6WI]n)M{4nE1h?eV[²fJl2GOCaq{쏊ۅFHvb2n7;m(L6hJ2BkPQU pPrjDsۍGp-x 3/^}{l ிor; 83n^$z⾵& ROH䟠<׷Y4=r(iFJHT+))P|I t]X4cnB~J)+L:f|8!Y&^7 ֈ*B8 S/U Im̈́t7`o5j QrmM.#/{~v|"v~ -<="օG뺣E98W{fWлXcQBeqZJO"8zdleij@6?kڂ<{o@\-5)-O/r~5 2"wS`cݤ dq0B7${"^ #")CߜlƢDblhB) *7ӗQH,ʹL!dGx:-8b# uJDf#n)Ut3 (N'|FՐS?nިL$)!]P?V\/)EbzD>yt"4ݠ '"T8DI A2Bun̖'z-'غ}+v6J7#ϻJ35wRrv~jo⧐zSvn'Sh")MMIh뻇VPI5UGH":D !=Yb;jGCOĠٷ(1sjF>;-ѱ+ bgL8sR(?%Lr$v[R-Fl:<RLj΂gIikc}10Agx(bNQ% =s O~~CB\l CK?>h\ Jms84#K .8-ȸq*ga)YQrype:b|XMAtXV&~XǣEMKO%b` w9^AJ%Zy>]}RTQD)] x6{8%/(1&p9oQƬGOG~~?ۯcʤ/rf=yK1*Cn>σnZ}U0"4 g<i8S1n(C%jۀFέNsO2:9 ih<<]l[K̢% miYl 5D Qp*q6"]fM9ttj}R՛(` t8L77#&?ȃ&d)}5mtJƢ0_n{2D'c}8Yj[ )_JRYg53#`L8: q.q Ͳށi>dJBZtFX+:8/+<56@ {r?= IwT{d@Z"@hЀ4Gb|u%]qC7`R&THWwRY1#$ݹHjU@YhozRj o_PF3HYqnfdnT:>aKɶפ ґhcBĕs7! F||`+;<ޙO&O`\IN*(t-!է Ҩʷ"}`z]蜆w, k@Yuء6uiVۥ|T[7|i H=mTZDbB+ĝd#\`[Cߴ5Ndm}= Hsm6(wa[iRgWu|A2zg-mY\^K5NNj(oy/$3toDa/|T}f\{ {V5VƦɅ+v5ӱ`\Pm%CA n1;%nTm@EsO5fCSLm [J@i곯 w`bb1J13EYXU/C맵~l| ݅f~͹r Vky:JT]TlN^vi7w64^v+pQiŘPX"x rAe5}/2B,6W jϳӛ -=sJ7N5kjQ7$a"nq (xFOSòM}K"`ݼHaEL$5hΉX&NJjubRc_ѸH& 4nQ}xګPdvnI솏]b E6uy^*3clWwK_< K EuӯvW&Gzu{w  =6he,ɴ\LV47F6ݦ]=o'%)%v-@V7ۿ,G A$7sǤK7g1ln0g& t2,sQtíĀ[h7@')A4 ㅷ4I˧k?qrMjA">Hk؅S$ifM)dv$f])n{{7YL;}m̵*~F ^ ti!ε~R#B& u:pmi5x`=R_d 9j. cy%-:W-i; pwp%ܮ'CӂqKhw8\l^8jBq&\ pz jvڦw3m;`npD!jR mAf|#H9C2%ּ~i!"P Ւ wXxDhS5RѩMZ&!lqm-(&xFӐKniwd!4J$+cGtUz+lh\  t^w| 8sH O"E&4D9&TRU"NQ-='Gt,ʇU7 GJ>9 eX*mQu%ӯhi>[Yb"P5Pnf\ .~@KZ;ѵ U;,LR" +nhڧ}ŭ[%{j90DMP% cKxL $I䳐g !DM@{D}nf1qGPV9B Y,]k*2hf dګLbr[Or}ݗ6絕 ?M Rer/VzT+o6~>Yjuz/wE1 J+ҋtru I2'*MI#AQb!F&Q.bY+6?.G~s8x=O9b`8 '&ͳYXK>nF>Fy8~ :K[Z޴@&;Hl@J, acE20e] (I pt m%9kې| 2]*H*=}zӼSlo7L}|h03ᒷ7{DgAƓQb?hyPO]3 Nv _ shY`K*Swȍ,2,g"!JBW  @;@1"ñٮ![ 5EqX)gNHX%YMш] !~}ߡ^jqVtO1YS )u_w2{2Wkt0.[eXlii4UJ4\Yq~v#MKRH!8k-vvi0H@+T]@A>89tG־2mK \tXeџ'ВdKwŤSbUOI Ob(8?EvOy`{&;Dc&C ޠɡ}Fn(8<"k @31#< aߴ)+|-E; C CLqmS:%JvzK 4SEMAMqLp\F)(:vglRԊP4dh3~'!]7\VAڍe(&作4C`jG=n `ӅwqeS{YZͩ=P-Sw4y{ O96(5F<51[3U8f 2 ""(փ,y*ByL}mH//ܡ<)r̈́-sުS[~%zZ3ii*h Ͼܧ\S]2ү [4J@]=N1m(l{#GNtz', )OO婥s Y[nv(srPי23HY#sH@la?Eh~jEt pa=h-Q5C,p{,S,dYx}.Xl8Mdd6ڟK3nN8(#=UO) gD3U߃D!>Q@P Y6lr\j'v ;;yK& RiO𻗩B5|9B| d.1Q|^FYح|?rV.RHxlh1MƎ,s2j>f,gVKs t׆ n|!y*OeQ~\‚eKle_}AvFxum!$ ,8~j?OͿN/Җ-+h+QDl{c5h  ?ᒦS5sB )w%UiD.{ C~>`Rw&Mm^q>lߕrYLC-,nB̸-񈹁-Wo\-#{*m I5 &$xp1BlN1B e CDMX\z#x/ 'r3J1ӡ}UA"dEҕH<.)?E9(Gb_ ĀWUE]T ^و(o5Kj @QzO@f[󌈦/#3.W8 cc'd 8 jtxze|Ix{7(ѯ-A|bJ8E 2B?ke=Y ~<7H-ZysJ8/M_|)}{x•fGzXe V=t,z_'Mڎ7Sz.{EM~!~)ٛT;I0Qod[F{Npӥ )Vʄ.";\v^Z3alNґM}ׁpE`'U:$J_+Ce?'g;vɹbcjqaBy'wGt_=,`YS8J_\CMŒ0&)} ;HVjХ5b?">a8|4|6"I,k$l]JUg3R~\D $' Y @h;uyhafIf ݠSm8úƆNNdȺ ӒxlvYy$)1Y4{]a82@j|[V:^Ns=;]?ti+(k w2S3,ٞh7=7Z{w!_6X$OCIn/imbaUTWB-F_n?L˓urMwmZ!] ǫSk/×@i(7~^,Ȭ)m;舵N@GQl{&.ln*2hvGZ:8^9YYK8dc!~X0 ;_ۈtA r@s`5ah0 _) *-v3QFpb dAOg<f4R:՗ X)orԯ#wV0A9eE"/]E6G~6sR҇>>AMsJ1l",tmGB7e<`I~΀yؑ T 280.O薩upc~p5Ga;[6QL-Y[pf~b ݡtt3^.\1s ^ܚ4xLE'D9Xus t$k&-W!z"4V,RdTʗݮzǔJguאmSϢ<ɔ1TZbYwg_k-(Vk_@G =e[m`0NJR`oꌦhgH5i,cCFCi@"=u."9 rl/Q=w09y 7;*q qEEnǒa_2 }ͲΗ?Ge)#Au#Qa 4*jyU'?H&aϰšaZ qEk~ A 6 /K֪<~_Iaۂ#P 8bp1ICӷO5p;Gӫw[+ت5 ;9Y״ eX6G:^ ,X'#J|\=o.xNe$OX{H<*YSB>Ss,I]lV`;4ni-|[g;2*K:$re#M^MZY/p`tL=Pթw:Ӛr}r2)=ʄ>];כ8#MiMͥ9OU'*zr$'TcbN$BV;Wwv)880@ŲCBmD01K\ wo3ݞM^)LS$*ԓ۲tJAd:nsv'.ŋ"ܺdԶ4p(Xa>|"\i`AAvXDޤc2q# ߳tߍ>dbg_?$g3܆uؚm[ q0]V):󖺻+: BXSr=[;Ύ)z@J,-U1 g>3R#Q:yУLŦ\V۩(E"dFwYW-NwOPrE&N# t4wsYvC&f9~nwpL ;n'"c #tҬz[yip&L]wRRQt1){;Ue@W"#NCɰJ Y s8yyÄɜ=>\V8Ml,gEͧeZqACgv7\n nǙ{N ܵ*aMApna! m)YfrڍcCIq ;rX 2b#MkP—\H/R+|Oi[C^ͣ77= ?N͝[!rķ#c}H-.}"`-Eה_u̝0ӕJF(OX׉gMxM3*{Blmܺp3׎v[R0όq轚]:\e[V WN:C}>4v֖4h|o7Gid=`ЬpM@]Ҁ[~+Ȧop0\#(;Bw(icL"xr(M{+2{*mop3F^^~ɞ['5=lP'aP]0vԀwkϩ4DP-WsUd#Xd5LkgS1^0s QDbuܳ!XwBn @N tU"{ WEZ]&36D~1$J9DM[KPZ0|iu6D3;V!%ۚS &k @s(T.w+{m^,!x>-fHٺ\j鶭5l-eY!v -g`f3[ aM8RݫPt\}}fU =8XR+_"9*DE6wy)m{jM5E- !4>8)0W\iK\ x uug ~Ɏd)[洅(a?f-Fc~k\;3ɌcZM8J]%zq?URZAo 8\[_u>kShQ;،%dFuPܟJs0*GB9ЁQ-(ѓ[# ڑ0לr 7U pT{o"J1Y&iߘzW*MsBHE9nxS&zڑP\`oLK*$!CyzCJ=/GiW\7tzƋ`T62.۾ L!9:QJ/Jj;0@@mG&~W>G4Ch s|2v 2ͬ(B/Nݲ5izlll\?N8Q | @ f7^[o èwۏ/_\!]j:Lac & KTZV:5T7X ɈE۝UdQlL\9 |~ч٧ LcUZ.Y0U}r ߥM^ dv!'>isc36:һ%RơEBq\WKK.8¿147z$ҜOıJ \l_Kf58/V ]/"%-LBAIDOĕ!̢HRoA|?U4A!c&$=.ต3I3y.Y -]S&]a$ x\v]$ߴ.m[~I H( r01?wd騷?'4F'0}TyQ7I3,gTutU (OA&߁z",;/SBK8f@~fj=|PgJΉ9.N3N_X^55Mk|-N.m "R'x|*M`ER;dXŲT4#앻LFI-8a9Gc?֮ݣ?JwJ7,po5↕hZzD %`ˏ >>%My,fP ]IoG!X#JC uX׍팯v%pM!ڍOqϸqNiw~\mXzE5MPkY߽\Dp{떳pzBj`7.ӨNRD'vGX308젒t}mONXWBd3\״1X0 'b=hp0=jj#@B-K3 sK(aTGc,Z 9]3.w펏hzRcҤ-D0on{ Z H:C ͓ fXBXW%X9!_k4( /XAb̳'u˜ :mҵNzr&]w}ǒ QpY)9PH wãUw.F2r.XJ~ 0U0Ydm3\⫑ߏ5}a̤w dO σޱfu{ &84 l=g6;x{M~ %Σ/sm'Iv.c%OLj Ga BJm\ÀZ3uw|L%7 =S ЙC20l\=v){ַj ~a-asE6"˯Gһߪjp1sDqcv9`)cԣѝvR;(`aܖXDAۮ211tlo(lxg~KS0cb-VS'x8&Ə#WhL.5xoE񉸟5jEmu3(Fg!(Qfbw6@,Sv}hnݗ2g6IM}0X,E(uX1?Rn t]Ts!b/%%$Yw/+ ￷f?_庡MK7%UO}S2taplpdE+Q:vYW:-Aإ_ }fs^SbLE>b߾ [CUԱc`A9,Qp"㾓0 K\oo9F`AZښ5A Ȋca~r sF0ؤ$VcE^yT b4+?_'h"ETd\| y̘q h{3 d yQF;5S|J(+K#ޖ<,CVm$$d l;?}BUP h Z}@ ;xaPv_pOSRL]qdș""hUcMď%Z$!F GޟqJ7mJd N=> qGGoi1Nq,Z<,8բYRjv};4BؾSGu)uI%څ*,Y[lÝ)S#I^*twYha\l# U`)gJ;`xDKxk' 3 9n]`qg5VC:4w6M[gl݃|m#QCL |q^ w# n,S4]#HqBiRيfO R$5T{1nO 4ʵ),0a`TdhU\Y#ND67CpW>Gw4ZŮh|_ 9$y4ܖ"!!Ԗ4Ym4!x^Zq&9>БVĴUzt}G*i8kbY6& c4zH/x'.HQoif7e#5ΰdڃhQVHڸhrsk`1)q ZS%h(Bd}= MtI8f^D7_.T r 6\'|'OMm?.{!E(ɿWyt(U7-* E-}N3zRP"P _Lu$Ѹ0DHoÎm+?x71,u]aQX*^Xҵ=;xf%1/h9U&xrT-]pFdsp%WD528'=oqEI"Y@~=xdk*/] &g2o.wFY/8W;'q0)c/*Q6yqw 7MH Ab|$=s;e0CިE^lm##͢H>FCN- l]yӅU+γ_ucYS˒8 pIw dl'( ˖y >e SUO7ݿݧe\Jt\c(_cm=‚&y6m>3OYn?{6'LGzs_gL`2%[{,@svGMb(EdOwg¬S8"MlC T(hkTkEիqUʍrH,{g/&p,V 9$GD-r 8z#cT # +פ;S {9%ip%:˨F(ؒ{rJms ;șvCsp-g@䇷mN#KT-v7l!۹Hm̃ F\?Nv,1<  Xl' o{PJ^_.Ha{2Mx=de -龆x|YےAى]8̎"vKUuA`SS(S~?ph؈t%N >Kdef<V!JwQfaK`S|gc^ ܄ KtJ$-N`AB$NJx}ܫD^{>=)tmUR@vT@ qU%b,=4ɧ}»n(~vĐMq1 S<Î"ĺLQ)h+Ea`[yz y*`f(ְ`7 }F_U܉4iyWrpNbE[5fJ&2m'u`6,y. <bѶYbv5ffX1i{!ɣj7koz3hnfEUŎGtMu :./ٷXY99BM3=&%m@,s9v/OS4[ @k@6\M5Mwu~]- ݹ6&+Wr+Gz#)$pQ% <].TH(3:wW.(Zٺbƨep[AqX4";Au G|{֞RbRI:+HRp8m%~9J$]1Atz+:X.]zȪ~n~]n#v&@3YΖg X[\!hdڊo&Ra[٣8a>3s^yҟTuCCiUr;4 %|~`鷡DzT1N(: Zu⸴k.e&ƬrWZ?pyXq O*EyIxGtsMK >rH?Bo r~Β&8&gQ 7l^r3#7eV5^pP jt,LˋxYJ_2iY`ȳ9 `}h7(15$%5%W3T mM_ڂ-M8E>ج)=B.FRp %_eb 3t5E `90dAKalLNe=BZl?[A'jYw9N[[%ey'a>Jv  Y0ezOG:PR_Y/O/}Uę l4J01D]_!كֈ:%u-gtmxY=Kׯ껵o":m 3R{7'  NjuG>^ qGC#?Q%Kb'k/Y\0lW-:_A'זO*K?bxaJWJa%}a%H؀.;́q5R&V!N_\VCD=cv4k\\6S~t h庒jiE ]:xKTbբ"yԅ|.sV1RacjSq}!2 Za^)9Iq@+%hޮIn9]s cԢA<2`2 jo4XŽ̐ġcDV -#Ctw'OI`Bߢwv٩鳀J*@V侫~Rv6&RxfjG眥o3 6w⩪*0ŝnpNq̨n2p _WQ>_YuϿ[-H 'K8<<";t0D:)Z+{yHΒ~"˾ 5oKlCW4~0rވ:biLHT@,KGK )na7!z#jb8ry*p.J)J^V Lsq}Q"j|gSSB P0${,v#[=Ǯ=K.Zp/sVzò8{fAVtwu$'[R^<8Qj!(q[K8`L<(cANϩg[>rnw)Ðx9ݷ7֧yTz@W lfԪ7֜Iu~]Eׯ9x^$+Ns"-`s],G_ګX,!}?ֲC?i pxTc *Yq ! &3 /?";RHYbLGۣQ)WQ5ql5Y=ʜ] ESYQV39!t@hWK\3Ғsh @K`dCH澟eJ|tgܢWlW1{"R|wX1=n= O0i'Jv41NX('}! JFHB ܎/9;0_'H &aP}*@&l_Q'gGk[(DQ<]MHқ5 !FVwvF59r0ȮncKѿ;w'n}g:R UTs׺Krlj۰B$G_9tI b46` 2!m:3lM\U|bcJIhN4w& 0E.Ұk۳YϣGGx~w$N=}jy+6$ o2ﶫ\wކ/ބvYI: :6ߵ**rAE:.C#2H _|RF:86E@ļR޵?N^vjJm'v,MmQKN<KTr63 &ѩW݌J$s&Mc^_L }٩݌onL=0?ƄmxM @?c3kԆ y~'+|-mM_mUi[BL /M\UYfz񢟂fx;N.F"%`ߎ/ʑqIX!V[]PdvZK.dVE|w{GEO , &KWWdB02xGv!Ļ=i Wcs|RR"I/ Sz<hV;yJ 7I+f4[*3 ͼ46g$/CP/Qs84\x~=ajRXqIXڎX6'aui_ RlB~!jLn #JUٍ!m9ǀ0ݖ{@.>۽mEԒCOH~! 3z$F48mTO3q^ж9 N?m|ȔO^8uGEd4E$Nx<'g;dRtwc7a u}o]iC׍W CO_ b.іMǒP 0! ?BT ]+6.4E90 b+2qs̸rVPG6d6a o'> rmV-kEQ ublE\qf?T:yH.>03!}s[}–P?r.fsG4~[۷C0ʒ! MOArVtdU&i}쩯kA@)]}texl&1ujBn`A~JFX[y] juȯ9&xYrv sGUȎ(Kz=^NOٽMI&L|,e,k۵:d@͇x.! V Ee &͸)9M8*Yp 7-faIoL?]o+XQնJZ}?,M~I(G@}U{A.S`}\P ،k * *G-[ى„8–clwʺT/Ε"QGNOM]#B ':돮uU$(1.elT'߳ ߏT}IL d+YѽUjJdrXU$^u]~p-S2c-?rܖv,?亊-} P+t0{ܴC ڰ ?[ed&?|x> pu@# ε%A*w .:؝ߋZb6p0~ꧻA g&HTJK̟uڂ:xc-ԣ?赇V?yCz/jV"l@ca`R/JNŻM  )Ih@!mIz GQŅ`cfggvV/:uX9swW>}~aJH @]F4=Wc]&ͦy@X`@vHe[>Y0;[U'8azURH:Ӽ@`Nߪ4)>r1J3o%#&+ge_b@M[3ᬵ` Ё`n|7 [EQߦ@(RTMv͌JAd(F_)m$eOkGb{d Rcj7J`=#F,a֋ ۍG?i,avnnN*0(c@l{7g; bIv@!`@2w>#l_NǑ+8āpuVYAe; ƷR8XՊ[}g|ĢMkNv/(1/lt?(mZ,դ(7ޞ E h} WxWUXso"pO R&6JWR!E`z,{bSS)4qxFUs Uvnny6_VZnP&hg&-_93.FUc ML.Ёo.}6ᓯ< _ [ ig$*X@…D1W*Es]7dFH2Npjنp MߍI~+_v^б4xgeBlOVԡ7 iKͮMvuDmFW.^yaaQI) ((/gS4`Ç $HN2)!EMuhփ.J#Aqs*WwEҀ|qAK ic랇L=-^d~#H+5kY<yk,,l!t5kjiYF,$F0{MMJFk*g(Z,aZJ9YȞ |cA_6 _WB|N2&W*mc*/N$`KedAF$/K NOٰvpguUݼ6пjFAiB0/%XK:Ʒ=NdMZpx}oHn1H80)æl>UYʮ.]P !hH(TA._('Qs暨5Lq&94 }iNHoAibd}l$"(UK!M#vUvj˨kyV G} χȜ&F T~n7ffGZ~WImoO@77m-K핰ͣCfIq1TG+HUQb!sۏƊe'ʃ×3$fjG.iͿ(}OC .ִ9 3$_a&L[ `R՟$ȟJ&OPPv() S$Ĵ/mӣ O 7>ۨիa:rwbW+0%c[ٍHM ]cj$u(t?o4$kN*bV;؆BCIzr#D(P76<*U T_MSި۹gM5dޭ3M#D)xK+PʝKdh@ōXyE'°>&΋h;'gghxd0iN`*#RsӬ06|;Ëp~ʧI ۱O R}dk/Wk| B(+!Y):D*cj: 1Lӂ _ p0W)FxӜjLOu>U ƒFI^(r<~ Mt$9Za9wV]_{ܣXmbz4r"甆nI螝\E 2eIn1nu G\g%Ȣs&#+0Crr$"qKOc.m *iFu!υ߶2>b#Z VʸGud]*=rnr3zĔ,Z (&,qϵ]TNm . PS/}d$?d) C-z;l@."tc.caF-oc@2[:9H. 9Vv*(;T1\p^x;JNM IJ=BJe%A#Sm #t\=Qhn/F2#ZY&9K~XK|oXѝv`%}a;l|o%Y?`L@Z/qۓun;ޭ<ܥHr>"|}AcOG^9b#ZkW&^d& c}297Dh:vSv7M)!>҃*5ȓTk7.t"=tIi[dc w^CXVeϋJ|cPtij8MbYtJWKFh)HY]˫򢝺G<Bsӝg_M(\FE$R*$V R蚨ϫ,؛3ʴnvGmz p0e<'HXMIQqՉHS逄s6??ߣn8V%Jw]Cu%A_p _Nek*A?-AO,?'LfG),Z ȥ/gC\iRk9(B5Ymu Giz8Wɝjd03F]:Qt=wn6Ʌrr#}^u6ut{|Gir$Tݍ]̞A4j=Կ;5m?Wͺxd=<{v[-+rKhlwCIԅ/=Q4.çN$fהtRԠ$ʙ^`Yf֪j(M:ݡCz,Ft+6]td٨L,<'j0Wi7:IuK8lDʷĤ?ǤOpn*x5WH++xSfl ?H9Hmk" bR#^?{4#`;MOl(CNv=lF:ӑv>u[TF:ayGn12aFv壙-j1{XQUГ+f3!@fqX. ;w[QPaL8t01 j]cz&rIŽ恙իUma-(6JV6dA2GmV.vnv "NfNu~V up)mstΫiE\0`""CIa.0O}#}v /H7 MVFpƠ,_m*Yɀ=aԔ1xTi<̏6<P-݉#'¥G7hő/5+&MVu2"Gjm:x_{lw|V!6G.uL @dĂWK7T5=UKH+%]`G8XCigsۿ]كb}dDg4g=l>#GUuNDF*j+830IgŪQ&lf *+$| ,=;x^HyX2W&xVBwS馀N=ȳA3GܩX4:c'wCA̻hj훚FbJid1CoCh_ Eԗ@aJ ` l> 9$oXXD̀` 3ƜUMlXB5B], &ń h2JR8sB3ce|+lllAL :~SCff}LVZm-E\t 0.i)AH*S X| WI0gC̃] [xjm̵C&e!0۞4RFo^OLFQ  ]LVeKErvj9 00f b}Zpa0K40y4c :ٵΣAmB<[ydK=<+ \G]S@#o'e C"h2rM]'n6(8{>BWNDDߪb1%MUB M'qL?w=BqW AȦ]e?Q^rlU7+ VO8)/RS*{qCCwuA{Yb" 7[{‚&_55H'bi|^\B!TJ?P[[#-;S!˩9Q'4,_0`lI|iuuifv)D=xLI]&K=$3'̑%l \.]t0rAՠ[WDUh DT)r8jdm&6"';8b{俍䩦U* *g>4o<LH'YKQK&bIeSiX˒ف33W ^B ܏0 ?þ]"\ -, yLlQ0 rFkr.=@s&C;^!ݯ9O88ɉŰI9X zK=|Kɛ1KJqPŭ +\72}՛%N0לۑgrb/*OOA/w.jp86AyXi&>/FG JWmL&h2 4χnACIJ* @&cSKi;Duц4>q")s.H3V|,,d!v `#X'`o=Hۄ܊rpѥ? -6dhQEIiFQ&zԆtIJi} h?('m񗀳MwHۓN8Hme8U{AX}"Pb[GfY{z )_> )sGaE!L[IV^;8)[BgӏE+6ƱK* mPsT&rQU7SG,/bɎ+4H ScReYuAKYci`i< 4c }R4֮Eȋ]Uښ鎒2Yj|C6#` W%C52!cOk`3wJ)\ڢUG9Mxa>U`7, \!󱵙;y`P{ OWYGKP=wi\f!I QjlҪRw. gu&66RN3aJ30R@Y+,ӯO!ZA(u=~{gū|Gəa3a< !6w pTg;K'*p`Ԣw5 ;^mXoL Exi/glUE@Ė%y7k,S)V3ٹN nBixO3r(|[|\\[ |q\񑒲(G[wtגC(ryOA_{-9BN$Q 2ۭAr=m=sL0/_LF}DN13V&Gz/Tf[}P:] J`u".4)>`hv X4_M7f:h]͑tn 3ִ|c5|GG2!-=ʌsݑ>ѱ;VN4:SM&j;䜐KHsэ,TNx2,<>o^Hw9KF^lRM wr$/WaT.טWVi5b!Hpwxf0S:=rOkAiC6MkNpeefPD/wJ4j!r-`y. 0Cph[9D|K0K*޿/?X[BdTf,VE|ğ 4`.(vFU-5u]k9s  &jDsD2w yfG Н҆m4F-gv8$Yl`c báCDrXv>{Ws Ȝ˃b t5>olښXB+9K@L~wfD+! EWyo#]þ!ڂDk3Y$IJutEr EوA5K gIWK ,'RXАix&|kG$ mϱn ɸvhoq D(e>K9e+ Ɋd2ꉾ:ky1G,6l o^.sP xt lH_i -cv6O\& *%Wc:7>O^obXK:JXmRh=K^ВE7 S| v,&GP::ǖC9`d+ńԞVoiʵO2s;WllpkG޴1hFJ{);{\xB8.N˃"gǦWsuWsoH+R)6LH$3ax֭PY.m&8)>TYg 8%3H~H'sVEFpO gJ,?F@+ RcbQw]-9 XDD= 0K=";G,z"sMcYգM(Rlى' RBe!t{""e/6pa_ ir!&p:}{˦Şul.FyǓ>'=fȧ\]q>f^Yӂ4rG;ZZ28qS#YGДi~XMӮSCզ)X-TP&c77#%aw'ATt+U@zC?A#j+x gZI`K dcs?/uه;ǰs j 4 \z;)LL֞ <|Ow~èwbooRТ!ș-0tӁݺUpr3h4+g3#o{h!:F> ~>"4]"4deÿa lvZ.!v@TjQڙo_eR vA]Em]9 `@viqsnwlZ*xߥT2^7K˟0}Da%5G WpFDR2 JA(r'#jʚU$`3 vfw9ASA6@7eX^ITwڄ'lف!cHd~ (aE>Zpԧ0{`H'.) !{eTR cßd 4ɸ0תG¬28aI'  >A Td|Vpq &Qtf*nEzD?ϣXiw`\r8_ݙ%?ͺ}9ħm֝J>sY!U6ʶ0W.Y&K$~_0+Ӄ;>?O^UШX9:ۿ5y(MP}qī,~3i;#sj(ӿ(J_J+P_;-1YIw~9B8iI0 pÊ[?/3u љ[aF(Tm UeBQv̛KZbs7#C]ND uRz[wO_Cn HVD&ai盛!ؤ}:T]nSeah=}"5ˬEݍ&GZx`vQaHmr?G>R} A!sa5-a=ѰD{u%x>bYy)ůG TO1ʿXsÒ?9ăii0DⱔLgZ-FuW|>fϡҙ վ ʉov6}Bb'rabL ˾W3.O'<!1c[KV/DXSrNUtONHØ usD}/2ăhO?D \pk6t":cHcp3e44pj9Bjjd)"~8 YI]4=e%V'l29 g)\G\mq!fo7X,Չ#Kk UCzD9G\1 ?L-C#=ZnbQ5$,`zþUzbygl"y{R6&hPx(gAEAj_ @|,^i;.QVO/rDIOZEyܽg»pdWص39"# *WNU<^,8DCvn!,*uCEIWX8Qd'e  _)'hdJ˸y fmF y(c,ϱS6#'p)U_39L&G('] oX٢615dm^jQVk ]Thƿmxl`LZ7Cq\3w%u8)VP-: %#6Py5Cz,;6jGeYJjvV6iYNM`+B%N C}sV<^*bcjɧpPn(hSX2}uÉd/ځ(kB?-ۮpm {~M~-bԔY [?Kso`{}aB0#xLbxn'- M>Qŀ\Rɞ.ڸIw+'i 7v%Sx Ld3)Ч c*CS|| )1><; !َ-Oxzc,E^>QB8u ?!׺,LF6nȷ]B=،./fnGBjݫՉTwx`g!;J+[o0u˃i~#?zZoHd&UiÚ pY6[ld(Dd1)  0>7j<ӅE5<]KBaBq:,-x(ų#ԣ<8\pnD7Vk԰ٮid?Oeb LS ҇D"@֥Zu hhgcߟ1JD:˨Cc)vKoƟ$u+AO NZ`RFxcŒRR/mzTVq$.^U"{`e6?d +knzO+C ą !tDvP:$F ᓵʘ>(~)^ej{8[a_^Pq%GUPL Kw<]$21+'=c恅<ݹݘb,.$`n4/(v5m78FM^覙E*u~JӖ&9@tLV DކaAbѭ ޫU,o|ٓH 7}'AFԆ`Xz:s ˁCbS$WI}v~);B ^n <^p|vqW\Bw`HȐ[pej7v]G(/M\+\~2۰&XY[qűK-q»c( TO HрҲ,tk[38ĥ:ڍ&WfsiU ZQV}t+YAQ-ۭd11N%˞Ŗ =P^#&r|;_ysfo7$NsW,|#J[9YAzg]VJ1 `5bG'/ 6_mg}~U47P8kMKfMgZJ yIHo/ꖜE1p>r3Hl@.e>uNu^۹&!'dPk-,8;A|-{0fXCkorͭNHfS>Go5c=tN%x/qX$iTTuVץo#>cbao)2ԬV U_f_?r׳d]MV,i!k$X('3lT#@)Ơ\z#PnZw7nnX ?Gý"j9Gm*&oG#F7ot4#Cɰ{R-ȡkl7Fm g;K7pF޸ qFP-s_AW"=d|^b5( `:0)?& #yVepݚ,jg{£ P6џ?GM˃4G95%M=ԃn3X l $w_l2;R1Ӈ]G/O;noɞL;ԍ\FwpJ_ l|`cˎ}(L)W&<$/ߒůxsq0$]x_ ⢘33#D)mMsv^%a4yF[|=,V3M<"%Kr,]Ÿza̲\:|wL1 :n?8['ޠ*`Y A |vP8/`Ե";YՇڭR,ES*Eܶճ/wu"(#H\A$/o+;E9Vb `_RUxk#[-s|bb \("?+|1hNУ}eڹe%BkU 02* r͊D(=gw齨7bq ޗ VoMt֧5p^9 5,M6" o@Rrq*nI7&rG(o)``& i]XnGz~KZ(f0-U8IY3"FچB'ݡH2yܣl[O ْ.W:S)7M|)4wu𞒰a>UfJI{2^ʻeqBTM v'S:ZR ^1K',\ Qɫr9?-֚lh%56N@oٳx*p1ZeƟ1k_R܊sUHpQ8C=ؙ@J\㜉&}$c[v.j_~r-Șw kaXϖאV 7BOϸ i:fn19XqM8}cָh*|t>I^1rP$AƄJStA{  UxƒX(XuwhP\cSGx.AN* ]!wdiEFw:9ϑxa1YU0ϐ J\P%񲛽diυeƩ2^` ^>-wKGcBL*cxuʚTR>Dy!?\ #E$"^OeO ԋpz0c$'F2dҙN9 $ !916q&hߋ)˹B sDt`=Ӓ6y |ffɼ"Jd޹Prie(1+Wi T[:!fC?Z_͙MX2'.,6Zy\nYW<3!z˜L] ̧)fJU?c Ipǝ80jn+B33vc8?q'jh%x 5p&`3i:\ʵWvYg\54%EeH:.!5ClGg2Pm(f:s<- :oDʤJd[&DgH w a)xس){^A̓k"Wb/AJJߝpƹ]BOڰ,led=iVD/4;ܶ#_Nя|2`tfACc^H,}ciz[ bLňqN } t0j(Bۥ/;ApʞF1EG\'d\pH^ czдN(t(5ҌX8jJ~u/[w^P3R(V>xFR8J#n<̶IDCZHw,:T-l]KFT"mh[RpCBKhA?u4vԢqKϠADL V@<0ڭ3Q.a`˺BQViєM1G62QjżIvB>!Eй?}7uh|ΰ "Nd0/5%"xC+Y%=)L%E0Q {=.eiC//*dvȓO cpz^Nv #yG{l ..?89pV@YB#P>ok.hǯQ%B#Fzto=ڨm$_G臘^xe)skF뻃/EӶ [P8JS ]V fOa+wĻdSڍN&(@ RCfgg^=[:ʺC)n"fLm&0f{aN Ku,un6,!"xgY5^k%.v뎕4?ЮUB.)bX+<яն;HrHCŝh!SLJpg"-Rĭ7%kIhF^7 ~֞oJ,3#yukjT.ܟEĥ/0e*(xӎ<N>(%hDk& #NDI]QP%DF6Y\bTPCC=ݴB? ~|#Uj9wCPQX\ӯD!d#i|a.~sɿߞdT2n8:U'\Sc-}Y]AJrxI՝B'/$494M~$; `\qvyGz+^/Gu,',z{jS7pZ,o /068?3L}{_R!,Yό=^#N%gG|R #-YIh݆֦|ȸ%WyƖV{ CXIWg[Q)sBl>"F432>[ t\p*8>^M)v{Ƈxs nsHȒVb^L8Hd=yg5QB uDNF /A='펭h6\G K\Iq1k4C&Z/ dWU6+s;]5Rt) Welc̅\^#}hNy>Αr( RҒc6װ]ˑ"&j̳mdP%2t\wŤޥs3/iRj Fw cJŽ On9|4Z-Ȅ5yA@ DʱFyܑi4V &`d }2.et)D+gBXS);a=2b oUV2ZS;e:W0z!>SFR̢*֧?:65HV>5Reϱ{ߦO%R%So'^ڂ<3Rbtkmۜ|ڻV^-b֕zGLzmlЫmqmy@* (=x.1ƴ`Cc t'x3(P{tmXT{mk{Je&s/8"W9Bі2 `Lvʢ1$XCdw-jI6(-dUgY}{:È}Mgj5F t**2ⱲWb(Xwgj\+}?|ZQ9-Q{Z טnL)BbGb툹Fid`S 3[O->sIIkBZD-;O[{6YSecŕS؝4U$F1e×#_]T6pZ8t.kSn&Lߋm "y <nq`Xˉ5(Ox?LSA ayU}v)t={g1dñi\||ܧd:ρ@6 &cplMܔqL8')!{~~yyB .h]l,ά5 #וf B }~  J(zw"ѦLZ&`Vj׃"ҽЧxCئĜQ_x_$< x&]9,י$!Kڬ2&22둈g4j:慖&rSP8E@? )>C, Tqsku:}mZ[ Ѳuvaщ?bpr4Sp>,=^Nfo`!;d&V]aJpQ-k+\Tʗxj+ҼŘ8|l WUj%N_m* i@b[/`:D#%Mc{G/pn jN'~ai?h 6MbC2u:N=8oh}8]Ri +cᮚiV'ɀ^}KG2a`L tE+w}`>xpDJƑix@bkRR$!KÉ.} KS@uK7 bq!W-p$O9Yʒ~|1Ip2+K\#6bx8FnJMl.B (\q짻Aմ*ʂעBxO)/BD&^ `\.>bk"M k2F^_%-`Lelʅa)3pBIUA@<__8!ġ 3g緖4l͡k/)Dq1'utYpd79H>lD-&n{szi+i~=K[=h1m(G|  ۴YK֞G4?:}O:p}^y(4Xcm\x.?u[,% kvXsGXjc,)+WԞUmC 6Yͳuї)d+sa|Z`,n}roˏ"VEE>D)b[N `TWb10dnBHX IO7A2Z =n0OG~eSww]=GU#刅@n2욣7r #|ng?Ԍk$GHyP'{Ȉnwr$nbgSX&Mg5 b?8M P 4rtQeziIPʈSFcZ7. +z{"]-t\`K9RZuVh5PhUE()P]' $a;ľV`g2;큌q'?` G6 8cW},$c5΂aPXce N)2(4o7Q2Q5('Yh Es3"P +InU^;*J8/ug L*oM4ŇqD"$\yh86ah7Jfɠe}INNPTc%́0`D$NgwV@Fz#YͧΞLe_g=7h 9 !pc /aZ\G3Xg,>B-$7WOr ;'_^_ %Qvg|JRc{$|Ԯ $7A16|9׼U9 OqD4 ݱĉjf~q$`V=/ \.*Axծ9`esA:frB7h)|[NW~BdbX&BتID@X֨ەQTr׍y} Eѱ>*eU  #%Pot:lqv1;HAUwecw ʾQ;7i ׂhr`Ϭ\s^_f*W;2E=!dޯW8} ؈cUUl.\tF1&p><;ݐԘX+3qMkqHSUjE 8W,,4.Jmw"[wh@*. ?(6Q`0 䠀HHxI6`xAאQ2'lpe8Pv|Q)DuUi>P:+كlOϳ40c.1h\'?g͎`8-|Gt}Pfa8?w%L4վe7`Kgl-Xk.}&eĆ4bd"yPbVɶm0s߽蒒:U>00u6'(iō|{ U : ~K#IJx]_RԮx L7 PQ׫Iqtŀ `;*JYOȉ95[oJNqv)N8cAUN_`$;"๒!Aobծ>{z!7үl @j[ru+:GD+c sƿ+DknӣMNOOQ zԒ}.#;% fe&N9\ &/IA7[%{gT!:iN( Ik L~P ŋIzz F~z 2YB -Mg*+#̺, Ky',aEuhH6”(POf6GӻWu%H<_'٬Ruç͟ ȱ?U`RFJXjjH2ZOyàSۈwa<9J[0on;=[[ȉ_dda-"|AѣFN QxŶv SPHef1Fk29rh1ԣce:0Á.gl+= Ujt3S|rn5I$(Eڤ*1 Hda9æ[b5IWlYд>ܡ{RDTWL܄۫=7\bD5#)&w'nB<K&)bs>nQT,Nj(|Zh1=>WL,5qlj]Y.QuO'FȰXp|,4pz--zR ܥœ.f d6YH_JɧYTzN{+GDqiDb<8ob^~)Nj:%0ݐDKU'n)w;&Y3HFԏBClSVǙG>vaH}S3V,U2Zc-Oj uƕ79-"ọQYVA*&ZPlcrl%'ǎqte횑a91z#nVTO0j%Жtwnܑ;t %pf&w۞9!G$ ]6N0-(,+ anzXW^H\Hv,բbudH08hm<tƲL>R$X-IY>NP)O"*._?/\O⤳h8(*K[b PNb&^.>Vʞ5t* A O)O-= [>?^Dp!ନ5/*#΀$$R&0HȘ.-d6wM{evƁwL97*44J3K۟-}% M&wpXJ$6I;+;@&`^|x0.ܦ{PNˊl['1.L4*v<sQ|2KMR=A/G?w Qw8 i=CdAB설&%3 nx56ͦT>)sp=ͅV [Iw$ _c8#A6˯qmyw/'ECnDK5 _fk}P)2{pZzl#rʨγqxe{aR {T5W#/;$Cۇgl=J3z`>2Pm5j+Y1?W#VE6qAcTNGneg:#?WI.קwեyGE6\" dsSj S} *d9 s#q-u^{~+`c{5+3tWSTN`&1d@}1ZhHB#&me:o( )4E;%Ƈ< (tմ⌖ Q]H$X9d  ۡP֜6,`,4=`A*(Yѯ \,b-wcq_J`e  "p=0trܭb%%/man> "R\g)1w(} ;Py3bv͸nypD4H!ь+==]=>K#GY"…- O3M.9-;+p,/bjz9..@,q0TYsjpTiĴk 7TQ4!(!`Ɵ,ap_v-vfp6<$ä2A4<}tdD/g?4+͙>~|P6+2}9X w6mќ2ʠbZC!JEY o)LVqf+'CqW9L>Vb͝K-m&V{]صA*nhTx|Yrj[P*Qǜ/ Zѽd4ʕ%NeH=El%ZU:IN{V֢M§8cMg/>\@ s-b;%YPAgMq.IVL$n"K{,sep=Lf(j;M21"]_OhׁQa/Op`ˌL5q J4Įg0K2Ȼ!Axlx9Ke@g@~e? @shA%m ڞL$Qͺv8f'<z1:'j(nlxw i,:dۡcй=S^&~`n ٔ9AHQ,{['~9A㪠;p9H+aWEon\j! |cr|){XBAnHX\u]Qg\n y6>%Yjh́fEeux%Wd9`#T &.ܠ{їxܣqFx-6 (Vr=u֊Iy)oH `sljpBT3\4]ILnM~߿1RD{_I3oy\Rm2DE$ ߫&.^* ګʝ AxRXs@N@ϧjO9c̛;deglDH=)Jי%W,5ds@m0\+L7bMw,;BQTi ehC%_,͓ϣ.+a =! Fr!f={]'8udIcbl1tMB8<-dt-\nK5xo1wVĘXpBG<*L&Ǹ?6fCf1)X(<]H^bbL͹{E+sGT㱽4}ӜHHz;I+fxv|7.0p?NZZwx,t6jadցF]՚g5i43KE pPxVi:AdΩ:\ټ}K=hێlm@]~\w/i,Cg& j(-ƒō *yDz?&fx!ՠ`g|:E7s|`zaci8Cd.1W4*_,6w/c\ߡKBJ K9" w|yEXYAWQB1&W2.ZO\+7<bEx㛙'X/&_󍇁ᤴ>u% \=>Es駋Ce r'-)gx{34ᖾG6 &E\ {?G@ÜOUVFDD bfs!}ʪV>Z S' yF[JwK)#'Hh"7:\b'-נrĽ9-sD {\Ju;3iװ56gp~<&EQ5Vf*1)ݮX<n^qUar^#`{^_ף ڵ* [)b4<R*Z}eP!0AatOa zLp0We1->%fQΣ~"e8Z R哖'lxe~?6><(72P 6"*`r,;!2h1zdwF> [C?MH]hbb)qȡ.M0e548oa:ktRCaVBo#']dkl ~5.0SB0#Z xeW.UyGF&4N[c _X&U\\OCו 8h]UZEڠa;/XPB6m^Hm/ qufi$)sBٷ~6x9FYr|@KL.g$wb [-be-?,Qѱ! h1l-e\*2PaHY+n 6_[2~:3ɺ4B~ ^QwmB^OTC ~G4+±RcN)ҕk7\qʝ+g ,N? QγCB!hT 8M̧IzMP oG4'E+4_Ev>u]+}kAhTg[Qѐ|kr@,2\v&;Cf*JXpTaBL{P7LY2V(h ywJxnz8r9 Y,ߠtY7Öҵ =3E+| & p*Xnfe BykuZƮYomUp +)A? F%95豍.2̽7Ub%х}0>/Æjccg 'Sy%F<_j#:xv3?!3m-YqI6"JIu2 w8n X>䉫ZwtatF<6\ލ# Xa -CoF/ܨ,ȓx -mD\灯တU(ۻhm} Tz%kpiG)1Zln((;Xx2-2N іWYG=걸Lw"Bw$9ruu'm 2r`P|zO=@M_hʹҍ>X𺡛yD uN[C1=l)-46P*RNiD)=ߎ^ .# R>`sb0]hU I#} ITz&J5.5D.[џ!Dڵ?o5\koCT; u ',Yo M W]"JGk SڠbND FF3U/:UEd?$CV`R(hR>%-+\{'UQČot8N_99ezU|qhfXs9xQ/=?N_暧zI|Z7,o2$kCҳw%!߀=EDwecPdݙUD!r^Vet˵K~&Th1>&?f;i񝃸Wl3Z ã/8*riqq - / DQ>e4\(Cj@xW2Y/C2!}BAc< }7S1Lr$q V) B?J#q#Xj`.gxnm[nqVbhBzzY'N^hq"b# %:ȁpA@k')wXhGMJcaIvR'٭\-MQ /vיuRo7ua`8YPyL_?f#rԫ_.S2n-B,%<=a{Ϙkcjbﭸv_q*ʉROP3ŽGrԥ0sͿ_~O_a`Rw+`&Fy/ WVzX >g[/lUeb&^?F-SF(}x@ M.MY9Y P:4QiG4|q>SU|afM4팮6bHQ%Llgzza:_ _AN"{U~IW5Xt'VsY˘a~r%Keu6"L%:N5f^[>.LF惺/UX_HCL4Q & C/,$*)߈ I[;e^9ZԣAnch`7mT[h[P, "> eywLs{5s03aⶤ`b=H]Ɩκ@֠S[0T$ @;2\dܶoQ-q^CsҍujLĭH8DH>d K9y{ 1"iQaިeH\@]X_E1Xd"[{+㷟(+k)<^ΧF&)5`0PuG(~F {*RPVŜoshI )~#ZH6T;fgLqZvbFOOY(=iyZ`pk C}Իփ dȜ(Xx/hla $7G1tRLUg ޔ`ex {?qSP:]ٛϛQe9b- .#LzUavN32C?ZLᆵ@Y/7 P]BYwxf >X i4$ :Ƞ#,s)#plpylM(;qE_#^v%6v5E_C2 Xd,U*L+Q4X'ru` !X{zlWM D;'uVkd` } .cWeǓo A}I8w?JϦ5R U-G\yHx0.V«@ o(1#$Ӛ ~ch jA>dsÂKIhXɃZ$%Q " f<9 RJj Rf :{ (=2z AAռ?T!6! W҈yUbBq{5..P{"ːY4lF !^erI"H{p">7s⹼:vdI*XAxJ@-? $c>5 Sόbybn]ʑD5D)y1 _c; *ݥJ}Z0ڦ7>zӁ j<=]а;]gS%vQ׮\;q۵Q%۵X{9HO} dɮY\rFȽo[Txf u8eNg.C}^x_[dϜ|Pui8{ZU*0 >Cg]"sIZFvR+jg;c ťcЃBUrT~\pP{lz4y,$&\K{+[Ui =2 #1%ԇ=|5j>LSzsWxRZ1dQ2 :IJ鮫.4͛!̧Ѥ{PƦM{\%Bԓ{@JK;ǔp=kc{-)dǡa scŶhRI!:뇝]>}vk$g=v4ͭOTjmCl n;!jtW-ٿR~.}Ё G^x3;Tj sLá,o;zf0,( FN4S*a뿟3ʐMb/$+>dnbl} }3~<^SoJ1~\v&UNb Š+q(+#A{?y+q4Y \Nr$c},# ʂF$0'|W1M%u9c-ŭduRU&Gw@PtNy݉D"Tq!oV2Utd}A"; p`2\ׄ'\sM=ڑ 1Omx68@⽎(্$68֕6+5(+d=zz|z[fO!7~v #<)sf Wbkw+ܡ#gH˃0\5{Ȕ;-vnȒ[>~?p˳tpzzQע!V/{5 dGtLhv9f͋y)@U%F-3p1ܛ5l+2"e'G>2P/Fb[84[*̔̽I0b"e`ɭ"9lF+ʁrwk=} oZte8onڸln;XxJ9ݍ},`oa#P0 m7K:{ucPv^?.Cg!m!Z 9v'osc"5U]V:>& zj*9Q(./4cx=WDzÉYAP2WLKT}mRS;7'I{}l.,3轉i[IF y1W sfcMxFOĐ8πX=Y?} t s_^G9 6@=~n;xxLB[sۘ:X`,P2CH0I E3QWJ~,nla JrxնkhPsWlT^:S3 шSĶUbkn'6GޚM5;X!Z LrWcƩ#_x^rJ}:Y{SbI˵5,N8j a< $ˠ/,un/Е#}r&<TV BvOtޑ>N jm7<= -yZڭ20+Җ,a׽.q[j-^ rƭ~x^#4"13FeW[=J̷$#jbi{[#|sqb?&+0~hp 7S]e%Fh3-R׉;UpA߳"diH] Ie!Y~kw?.ͫ aZve<7.?fh|$t$rfS^JMĂcfcPl ԗ0(C~`8*Sr8Ņ}LT6Gvl\ޞHnevz$<皽?.޺)ik[nwWFh!NqYÆO5Hȧz㿸:u`ײco;2ֲcAg&pWj,G~7x_<8FF$H:7>a75ʽF$"UzL]14JO+.9֚UO*@9,t*.hD< \Q 8^,Z #gv83qJZj H Az)>N4T6F,Hll5Z7ܯ>Mͣ`qR%IҘo٢*7E)I Eˈ{"& 5`7 ;4|KT#rlX5.hUxU3=g @ï|ҪI(gdVV../?O1͔ksSWO->?q*ˈd1ޜ@w29 }BWf.ꨭ8ph9;?Ĺ#!EV߹KuN.OYvsڹqzdC<6@U23]Y$CbȜiCmJ^XQbs棁0b_|)"4&ԭy9l8RԵReb">qCL5wMod[f ,^%?4󖛢[2b4vPB`YeI|~cU&% SK942ʛ&݃QgG`Elz!޵|eǥGK_AL&ɱ@1 C DF2^fl 6B Bm01WU #@ ^8$鳃kN.՜e&J׵UMw2//P98y8RLnc > IY伡fS4Ǡ_}$Fa\Z~*F5_Ӟ6IBd{ex7}oذ)nmLJKZߚI%h܄z|yV=ݯ!$D#[ $ͻUbl9cnn[t7%ph!/$tAJqP!qUZiDŽZCvO8 4ѬG81Uʢ,N t; xqyb-SFj [Z4xc!,kat_ᄔ qxE DNȾ"In!0F^lݹ݃I. wO 5 ˮ?hqݰ]|S69 *h/2b_|O& f+̙ria#xLXp1Y2 ,}' [\/Mskb;t ߳wƑ"C٥G.x|umL@RRq7Uݻ>3mήK20"v ,Eg_QEЪrN#wY~bIi+sJp+o 3f^?ܘz W^nitYI>%PAp;OAL ƩeiM?Q, 7KY/<ŪHItn{8Qm+yd%'2c㣫. -jY@0mQE-tWWj\:.7u&w(V[vB -Xqa"[gWwq$ *DsT^ -4>`3qĹh)Nb"Ī6HEɐ3]  $ H 0Z` V4Lo`xgo = Q.=O lax:C}.i]|1u;Aht5'H7^᪾xB yfj"gCd-F\"|? ą~\_][e’lK_ Ȣ5=<.j2d8at8Y0FmV]gCy難 [ק~KǦFkj$.j6(@E3fPԮe(h@ NifIy*}䤎~W)Ӥ@^PW'mpS.=2"k2H bC<}#˱Ս*~f-ዻټ.:55 "ɱ$3Bw}ܓjbS5Y@{s,ѿ<(wÑ翹yR?o$Eh %J2p Xmrex10Rǩn"zf ҲDZl^؛ dusZ+h&q d` ^p<_c vICG #3w ?z<&H4p+i:?|4‡q~ힳzӉ@Nh!Ɍ1,CYU24&4Ir Av[23̝)ŭbq朐_7lsmzt--CNBr4[#{ >>jy kZO*ON#fgO1ec-|n?I%b/c3zUy薹! ڪSRp~9."X$ Ρ8'٫8@ٽrz7v& @n2An{K=!"Ct?@{p3)J ssWS8fsu5\˘h1W\7#3LrWca@7w.373bZEAJkģ [(1 @g^A| {D5[zM%<%U7;Jo+Ȁ x.Qhz* ^Hd}< ~F1-hg2c)BvoL%pj e`6PJafs@Y v м_Bl]1w4ǭc?556FBoW3~A735 C@$n$`H*hf{8⚱=ps(C72lr'*jZ<ጾTwUxM'A`gQQۡZ_/JRu{N22Cwp:VE N(q!R+;kǒ6/K"B>k;nb0+\Cm<'ӗC$~`|8ai2%ͱ>0KXT9>ɽ՝hM\ jQ!Zajd(B6GZ))1f.2s,B+4G G)*,zؚR|ѼSo /%mq+0Tdx ]tp| -^zʉ5::O ۼ]yi%" NʑoJ(_^yFB8||lManq.O3z&ܽbN*$24FNɂc A@:"oP tlѳ@QnYh?3t"ϊt3B'B۟mצOy RHc1pGZzѸ#FxAئ)g\tN;+A=PDmaihPa1UgRͿkt)1VS~#tH4Ԗ7~WAd-Ὦ74#n1i}8' N @[O=rլrw'0~q{S.X ި\"g:x5 N+!Ė{rXs<\6_KV0tBio>ou%x8wLTٽ4`Κ:B&*ORK TCD'k=?,.Y("r bTˀExLE3"-dnjh¶-$f'/ OBfs+2[U, u4pn9$eƟI#Rhp/0l6.ǰK;v.0QVƔd;{~q^SlsGپWnBu \A8Aq:^>ڜ|O Wzpxw zb4ԐאgӅɉxToA7bh+D$U-x>:r<cbY+I*pFgGn \kOwF(evFB~Y_glxMQ´k`QWC6pV>#ݛ|qD/7Tc!ƇiO5] կ1D@0[OhZf-ꕇWnd.EfExˈy (AN);k1A%1¡L$Cґ(W}3wK<7/ Bd]y=\hl1 `%1mn4tndz UMVu~asX}@[3[4hl"cWYY\VSɽHȶW&z'țyt@tY.e.s`G0o+HE@Qhg?0q_Y`fBzDbIǤQnHԌ9Zo^)(%sKv0"rTQb*R0}NX`}B\''1Km}N [8ei(Uu-~MmC&t{eC*HQ ʺaa=S <֢)L5mPV~rx-?G|Ǽ/6D7|X)qd1pUUh9ێ}M o v \PZQjmkj }cxvGGXe[-~W그n`HߐG Dԓ#э"PlWӺ&}#'p ݴ{j#HX# (& qRՎRԲpPFB~TqlŦW@HuWY:ė!DZ{-KG?rC}"E#jW_r ᖳ͔nbpe"Qkg̻Et֠GgF6^Uf_ᜒU#ti g9kV?\Tvq͠4 PKf־j瞎Җ)Y9,b5O%p2fK6( T>EfY0_GdVkϒ`/yooD_a3yOu=13FzgY#RfF轃p.}xTPt+*JpnYcd JQح{_|Q܌D\e^"o_ǿ.VJv.Ry 4%݂˺4Z"ȃ08 w;L _jBJ OHfA): _hm?o4e@޹%Rn;DT z| Hƈ8)2ݚԊxI|78HÑff3mp`R| {[Uߩɒ̟z`\#5Aw03/ڥHSa\-xQ;c$ Kd7Qa8a5aa B֥b;nK5ׯBWJ,)Ȳ9p&`r.7VB=^|8][gֱq#7Us&#<{W6ȱLԣ hJzŐ`ZW4 rަfdbz )]Z_2]c:VJqz\CU[Փb<N4??Q*ܕ]wYX솷 OK38+BXmB'Zx,B~ź#=XZeer:uk)"!pM|&,gV#Ys`j1߆>?pYa.ml3\"3?_Wd>״W+(H Y \yBcl7sQ` _!qbS+zʶ-U4vj 0Pq| g)蝺,5, SltB,j8pzoBղo$aٚ$o+B]S܈B9g)^H"f-22t@7^ jXImJՙ7(BB9a˼+NIW}(80{{~L<p̋L/-ywi+]B=J?Gc- j;U*`1¨<-3jSd|gJBT|¯'@Ͷn.oR%bbm=iz]M+Zsa~8x~W[2Sc[?\{/M=铴,"2ndnGL*W@ Axr@Z|^E. @ 0Ope7v}P IV>AÝzIfכ^`l^EL~Ԩ|$;n0|kݦB 2p<\O0a1~'A-$\k<6tSm)c'}~ cbMVݦh])[a]*w q6ZF3^,YkU.װ_W5͑1@ Vy @Է-oqa͆{œI}7Fq֔"M5b^лz BpdW1t?}I<۩>fbBqJOWoz)\]/ZEӀ1uuh}jh&{kXX4/)j9앤TMJd뾉lQ8 kUD\Gܮ^Ҳ.1}2t0OFf>@'Ҏ :>:jWJe[_u%~.Puշ*E+y:NJpsD^ಸO6lTsxujݚs0z]3{- V \4$79}DN|e=l*椪%qtT],NLwv"9Eb2&+^ZPܨ+e;Mꦁ_QTUM#fKʟk,07~; )J(썏 $ 7y@8d7n7=| rW*sA=NT-3Px靚]"੆AuΆ˟M$k5ʁz7r㫬6Ja ۿli :?Í.wS.{=\7$e Xd,̔Dz[[FyLcA.Y_b]QFeы0 3 01OP;D4%?Rdn($J@]:8X04R-r53k|01¶:;7 ШR ygFq;& 4=ti"=U ќ?WҽSTcf׆:C升~X@fq}.CQQTX *xuȜRn$7 7@0k}kEy |ۖQ{sG\ʕdOةJA~v=I? \E݈O-i "jwI'HfC=* %iKxK XsNݛ0(X.YӘ S9)bZBxpREqç ~Tq?mz0SyA+CW:M$.\OG 4 M\W%2KlR٤NmҶ&#WT-R_Bac(NUv!Ѳtj+j,̦)g{)k߿\%x|5o*cK{!"(.pj)S:4T*:8~Pb{;.G +"jA&z]H NkV/V ?8LWGK쨂yJ!i3ܗ61<^"gޜQ(nz!FKԉLt@R}[Y-ΛTl .El~RM]g5e~xEұ;؀k3ħ0h̓A3f@ JCA?~ШeDEIy䞌] Dۍ(ŵ}ߪ՗ROd@A}g5 I'yeoOja&{ f4*k댘cO1~$:sU}=l~vǤ.t%?Yۍ+aN֤(ѡ_Մj&^K?ZAI`"dl|Y o(ӻ=f H\!l[a$-*,s>1F?XM|>˧!JT \2.O9]g>_u3HfB;{RǾi1Gun3hȓqcG|;'7oZX-kF%,,N0-RxK¿ϘAy"oe&moR+,KVMI(yCmIN.;eOTL3ZÍ_LUOF> _'gʉ˂36O$oXb&bhZhK3"Θ@Q}ۅEA(M VhOl8l"\% J^n<<%S z5K5D16D>0EkMG҅qXʔvݹӂa_y--k?FHΈ7l9V%F7TWM3q֔+-Ys;UaZ̀t9d<2jZN RBΗ;4gwzVJ@pWLo]D1jP\huwSӽUUOg%^siKpϱP1r{;-:); u:~5 bo+#򱷁 YJɸ}T& zSjW%Z 6A+uj\\_0!%cW[}[ɑ7>":_#nR a&,vCa{A)My4_ƍ:Q\TM|`3.$dP/::nu ؃PM$k8 ;$G85E3/Ҽ4ٮ"gKTHv1}ۀLRx/KtL  RMmp,.@29ʟп#Ems{xk@6f0"y:q{ȓA|(Wcf?=m>'Ժ|yzP$L e\wΎ{äNTD-=B &>9ýj@.h: P[*ma[Qfs4VYG4V|IX ^LĠ 4 MU:߭2և|Cد qd )i@S&lT񥂿֓X`PߥHu" {v+Q_gVJkyc^.=hoE4` @.bRdj P5[*l9i_gʉp15Fuz2ADaȂ[ S\gE;'\DG*.{h5Η`@A NTc S1A<#ݟH\lvV#ZAՌX'iV8Px_ ;^ڤAVzK̎r玾M~DODӽ:Jjj{6L&3X3m_r/@gb@^ ȼ9} "nQ|`RøBqYy{R;&AmI}¿(bi\Cۤ.[!+jLDq& /xu*$^F 2d oG,RuTΈ?.Lf0-j9Jc*B b^P=Q؂;+s!Z{1OYG70=Ov:)!LaA/8^s+?pj)0dO[QԼąİ>d9}U0CF w- +"bVڪ>VU }Jp,޴0+LL l*X+`%E0%(Zp)bvj.JѨnzeEˍBσ9+2ܲRMQQq4Fodh|a)j$o环օiPD&t!Z%JʮD3\f !C:'EXqkۥrn{6WѦCZ?-0pIq{8X TGnWT2 c'W$-BZyGi *tw50Hppn(S=6`h#7n5T[_3mrOxo7tj[ # MѲ|=k>2Կ~Z@▝=\6LuV,8R!1ϊ1>h>$kÆb\E6"eEzfJ ,~\(ٜc;NOLյ2Vڨ ΀I|fPšކF|I[3U>2 9!'3}ºݵ$Dc:=#cȯAU$m,Hc9>Ty"^tYMgHõNn 8E{|]L07! |5M"@Z}U&@p~IQDaV/֣ zŖ7>e eRA.:KB#z.M)gnKy_3J UWDŧ2wq3O`)~[$tdCӆ?YsB"ca6~#9ylBjh.电5Xf`}×iqăjRhJ4(:to7} NҠX5>]Uu-JgA#k2@h=GbB9s(DL3xH鍱(mƶ52$RB6'EM @/8Α5= jêT}I%hat{(B!ѐR"~ 7t¹ o ~stN,4GQ4j;6JӁGm/*{L9I[yT}|y}͔Ym(}N6]晪Z| !bTM1sP2anJ]B˗WR595rdGfLD%&R-Hl]xv%ث hs1rG7'( UgmazA#Rʢ짮ɱ \ܿІ/B{ j-JJ# NEj>T8 `t}61[&*4G6K{ȫKMaT l} E _A>]2̙]px2ORl`+{L$+SE疫:\ۊ|u(5FBv ?4818I̅e.m u%[jH%2ư)0u.)5ƅx-hA0,a>o[GMĥL+[n^E@W<ގe-^e,^ KA8=2#19bfg77~,(À:޲#r P+5MA(K,YN~ȀY2];Wg&4-z(|in ݻ- 2D@z}.-k44= Y3vH$!HX(۴WEm$^jztNU!~0 NC1cqW~ uE R ޿6A}snmp<ߚXQRuH\G#69j$9oL)THM_Fi = I~({n@ox{` 1ŕeVtMmt5JOp֥݅= ߝk:]i=ugP5~>T3+Δ`GZo40\AEiIwrwÁ?itU 27IvY|~j,ٷH2Pϳa:Sf6/֯ ݍ 螌6c}_R0 A)/<"Ԇ çq>0#"Osr |t+-`~~VfYFj~cSoSw;PH%;$u Ev+`qy./i0V~lࠚZ?>#ײVkx37p 7wmĆ=irUA Pmpk9+=Yeμ4uep ]:>>rS%J'؉ͳZ|:M&ofB䍉sRsQHhrAy%[I ^cFfd`7`};Q2ׅi|wf=c35ͽ$a^/EdkG`z SS)nb@D3d3]cpI]:93@"E䠥| Ѡ/\^jt>gh FI{]~FHfhO@;iol(%!fET <ט둎 d% `kה 3NJB[*Re9ga_]jz GzvU%bzOh U׬BW+ a*<;6 WO.kICJ8lCmNoU@TlXGܱ>P~VўmV(<~ibFC)mD^ހv`c0P2+6lAiX?4ǧx #Nӯԩ?{@l(كDu`$~}9Y}{>L--c/Xa80BzB.pxiv V {b>`ϝw==eȝt4Tu۽ #{?aʡ,E; fΙt ZWe#*UX#݁%đ#00p<#zdUtbthe5ߏO}+@/r vDr+l`{[P'ƒVOHZ܌RO|%CNN2\uVtZ?^4eelİo=<+MilfUb em7B O}wbK?CmqdY6GjGF<WDFpy_4 0"0=.ZJ2S1wa DžYIZ_FUJGB|H\_|:fByێ)#͘75f(#+~Kf Õct㋢(zjI gSmrML`4o,)%TCͱ󧻝_w>]U+}ޤ>odMl,vי Ӕt$ȞΡGAi Y6WkLF%FPF ;?\Z`4q*>e.~8. R4<%{ V7 ^5Yѵ^D/ސ91:>Vcy7unp3RfA9CFHj5.N6QψC%uV >mSy DNz2@KQM2z dFp,X|w+4*ugF ,YW7h=z@ $)4WE9N9cecهAҒF\XS~QZ`hJ {T}Z#ڭcS">iMv|DE3j@98LIݏi}idFOBPeR+\ -طdz @qQwt|Gvgn~Z@0C, ņ*wn#1p9TGqӔ'y$-PhW -`_#/HQI}J,HHoK[i3V' ̨Yʰ~H-?46?\җѨ;.A]SdӦe#n.VoͭUPH&X\chΗʴnKͤ܄-{O5υ8ɻ`ak]d<^yq#ԟ{u2*vn0OKY7%!HpD1=rIeFLg+U =cHG"%iNAmBT־T/i^f|| X>nXk# .Ì?Y\Gzy9J&ia۴6?J9*06pH[fϊcJO4smr>2vl`j|6j9IYF!mS U[3FꃬܩZɅo0r)1ze^S. !̃+;q6IDg螵D8eFB'(mZjKέG>j ǁc=$JYBÙң ?-L"u,?RN䷽*.p7שnTh#f6]ߵ\$+P^{kHQTz2ucyx'ymg ӈI;=vOaڗ_PЪO=3;jf`劙yMI,P"qs9MWP+տ<O7"z/E GK낄`V[A3fQ\^ss^rОIۉ+r>7.ҳª#k7Wp;f v7\e4;`tF`22RIˈƌOȍ9`Aᱳə/Ov6$8\rl{:7;1_i,R1ƥ=yE{!Y ‚J'@aNk|96Xkc^)E4=vj<~0kNcBZtmc)+qFd̹A@:!+*&WNl1%vv}#ď`Ki-}/ҹsYTkⅿKWAn#-MmZ>  ǔB2`n> mNdEr'_͎dhϖ T-jO[.8x8ZeЬjN00  Fȿ^-Y~4~ѿ#ռdhw#{]b39fZV_i իQ \N4ȯgo'(}Zg *6% 8u=+XYR'vE0[VClu;}eSjvWil OYt㻲2;k+#K"WF"5uގ"$ (&"xwb;H=0hON:/o)I*HFR.&CͯwGu1Q){ucaK@ˇkIMHۮ-rG뵉#ǀ/ETc"WRS4r3d:U85 ^p,ՕP}:J$e/@0 d' 3m&.eb jΥG3+rt6p]d O}^ w٭inK*LHU4$Ӕ &DI"!}o%&0rS 9{V `W `J3"(G7OA@A!^kPqIL$+eGtU`ۛc[']sS/++ytr}jkdں3tum6>I凊f7;ة,^1H/r;z'c1 k-2NmςgqJ &W^̫^U?tWkdd2om(߰ wD~S/O ԟ.R_ʊkRIU4wWk%kD4'{Ϫnl]:>G pe38=ϲ5Ĝ)a%> w2TԼх x^jA[P&XX|(Q=@ps3#`SZ9WAZo,i"E#f M?潤Ɣbܷ>MnI\J??vUD_W܏i$GA&جnYzj?v\4.d΋e<:72hȒ&.\1]ZИn>ҝ ufc`:m`G:!I$ sUڑ[6#WdO/ q[IL$B~MUEte!1ÑȞK7:.BNp;NFyDeҗZSiPwU3)?$@գc|0AģUP)eJvעA.Ob&xoNj!KTdmXf?TvGD&4{)8d-=ن.KɮO#YpX? 5O5(sׅz_5xĻڐ#D Hߏԇ8m.GC4p$ؓR,.r|-{!1Pfb,_ˉX^h3Y`!8 dF\: i5'چpO޼"dpa}Ipx|H7Y=wGnH]L;12Aur~o^턯Wk~FH"+d[)7֨h9oGpH._:x] Oe0#E:Lb紷 pZ^d'cL[F!Ź `ݻzbLe:uzrpN'GATY!!NDKJުlsiw5T}=&Є Si,JޒȜ¹eha$HȶTPZ4]r$m1*.{Yoa;L6S`+(9~"`&(nq\&'A[ޑ1H wtrEd4|ϝ|.nKv^] "*6\3_8óE ?w}sp&M 0.1V2|e P8`΅D"/grVQbIiK}@+‡ ӭB6U8 ?f[ 29HA>V[M;|hqgBń~RFSno!tM \_x=>tTդTŊx]7rc ^vϮ}tOcsWW-%Mk s`W:. WwHhtr~*E 7d"OyQ6|~Ėd>@Ҵŵ\{*34>КuAfT}=20O1$5G[4ʇ r+=~Uu!]H_ 0 L6u 1uޭàBV/*tD@jx:)+i;U}Yc;ҕ[oI $$a_H ]d- 2!}WK`H%!KZ| OQV",c%@/PH'ԩ4|vT%N* =/ HV4b hQqwK *zꬳ#$$-J6h *D6HnA*39՘!3ek%hfhX`3v $paaiR&67_ңOv2'0+x@YI8Xo3]P1mQ6ʭ=-6ͱq>"䷆LηӘdHk}S7!E0$Rn$uҙa dA]X͌uLC?Ji7p7ϳUa@S(I&4Ʒ(-YtWq Bv!I#Ks>rR@OZt]rsE%!3 73ێ tz pő /hksԥ9Dfy )ǛMAJ2{l{ӹ[5I{n 7 0턩$t66ʶ$b>."mQ37#)oPx?T2!m#D 48ppqWJ9: '2)(%X31._76 sߓu]9ڨi4Xn~<- ڈUD m}nVAuՈt[O͋,8OLpKڏJșkC0Z}YAl,Ub;Ԟ=LF+Ĵf3X=yl z ?z=Bd/nA7ϘAweghTېnMͺd7Z~m*D_-"=iv )͇oPI?ї-<" p _, <{d.lݾɱ>Khj*he:{Ocַ:.TJW@3R)8`[9Hnt#)z;!'7Pqj<_y[O }ItD՟9rku@7x:q嫕ӁFL:7@/o$Ƕ|r`{Yג[>$ReOeկd5z-6|s{+OnAz(+*JuwͣK S aӏU>m\h}i*M0_귳eM<r" PSyjYN5y֬=@cUM6 Aҡu UDREtJqX(Z8b\2//K[^t9kpPͳzG#oAkrV\ۄH25W#X۾%N$S!觢1A__Y6  jä]i pt9Xq꡸E#9UL32ҙF: Z4z%~})B:Z[B^R? ^u%r^ .η~W"2wV:`V$Vk1BkߊZ.7iJ(H:J57s*p2asy@|%:+Tkw q[Zbz4E@DelQeY'+y>sk5~ ٴ֪h/D)#;hG\Snal+h0Ǜ_L31(x&z̙ AŪ*LH(Z;oW*ق"5*Ͱ/vKCvoDDP~Œ4G9|gE9D/S\JY1t oc}Hq3u!FEX?5xإBէY65hp[Ftײ~1t L+R]`\ԇCc VǵI2o)ֻ9h`HB8g @}qk%H3{%{;d<>>yvPZN2I_偛5l0̩ B=,AYChԅ[ƙd*/ wg5qWZJ nm,0{ d%6E=.bؘx[.;Wg$F,mQ}Ea%x072aӯJ! =89tĂ {EFI!Dɒ2v~?2d]&YOjqyX,Z0 @ΛB֚ +B:3G( U /UM%':f)ހοqZNTtNІ:AE&f9gEH((U9.U7ʊjyZϲM okgu.ˣ=nJZrlt.5ȵSp8vJń[ Nѿ5sLSRHdܷ?(ZalejPfкxʿ|Q| ,1~U1!>oИAޓ[u‚4ʄ CV҆MڷW$Uع36Ѕ%ִo#朰.Tȕ? 8MuEo?^V95ÚdBL:Y7Jv1XB9͇fmO:;Nu)in]2Nmɽ:!&ZO"@lqMOl"}SڝC$c{`{Ipj:'ɞ}Wܰ딖_G K6{lt91b1J55. tj!op'|y('vj|/LASrKXO thiP^[d́RVgԶ<,x鿎AE`2 1d8# h)6TC.Q=Q:௕9O *y~|_bb$6 Cٕ0GdՒ#)uYNqѢԡxZY8i:ڡ(3¶C % m`vYm <>c*yPX+moKÎ}s2zy^'FvIcrc;0ިMZQ48^Հrot+ y+K0G/44o /jrSwtcՇ)hGE gǯIsHW&m8䴀٤Zo}xީbd88X FCQPe+uOdP}DfY~t[WQvL9Rn2Aq?v"6X u #D[q=lZdg]YH/*KH$^a} ̽huղ4?X m<:)ˠE Rq#)9 3K3?CY5&ax[in. TB'Clwx"L-y.OcWfk aN !/^Ms]X;'~$OO9C&2w,sJ*f=#xwc>/wk޿Sj> #l%oAx±9Be^5ϔ !fSS}%n邺jSH2< E! Ud@?r^ $ߑLOj\(,^LǍ%މ1]W|f9?b:z?Q޷m}҅9*<mܴBG%H `z\j `EJj@rVR刷YD x։{!ƻ,q%*ǻ{XN8<2[i$AhI [?arjacJa6s_撿TFyjbmi 0֠ʇ{gTU_^qj&0URU6%nFj efp#w4H],d6.jo">p$cAyUo{7pF0Qӯae{WҴ uto=sVdm&0VLs" ̻t8P%(^7=TЄ;mwN/vCͥ! /Y5ȶT\㓌Y*bZ>Kq-X[͊B@ҁUy+_j-{emN:oSS7,% ӫB'>9Xd0rMb`ɽumߕx_NG"|Eů$?+lDW\)<$/-2 KVWT:6PR ̸'J$/ 䨤b5F-{m:y^F P{p*?RV0jWim %ez|EZN! P$ő~ .|LޓǾ {4bϹB1;Ƈ5sBy9=!b"j9Q"p⅌i=!S-լ\<Q*D*f\];p#&@JIdxqI‰OD7- .sEJA.k(mҤ*70x8Gc^1PMNoxIvND=etuL/0,͖즠F+ʹcp)ƪOUqBQi:\~bXld"]vJ Yb2޼䷡>m;lw;?tf{&$?1dt,Kzk?QOw:+ΌW0g)+912v\5Y iٿM;4=HԂLՉ \XJoTMT3r+O>/4}Ѳ]ܸXHd.3 ~EV.u:E4Vz qCl9Jiġ3,NPO<:b(;k_fu{l4;3.q D8Uxy}C$.l>Z6Z}s68XˡQ6&F Dfv_F$]j"D5bo s-]ّMˆ;G%Q Gi百n*e Ъ3 MϋW8}4)gc$-4m뉉ž7u;Ky] Qd]b?lZ1nͻhS8dH1Solh;m^=5IΕxQtxٵA$(GkA6jM2L Kɡ5;]TL8ĸyN;؆=H 5U&%@ݾkpF9ٰ̝l?^ujL6kA܌/oȾ) #%~S"߶=$q%xE˔:2I?='Kё;$<1Ӟ P9v,^[C7v!?Qؗ`9쎏#9t_< D|YfC i+o(Y6_bK{CTcWLlB"REHb9]%lYg EØfU$+c+i;yܐV%|ě=0FsU5hc̀d9\EZͮ'΅Uβ)땲/Zʅ7jd  n6p12.L0҅p~vQwJ5:oE7ߪk/Y@渖w!*$I}. OƢ./ɗ@rfi{VeV`K :Y-@A>X!6Y"i3{nWG? !VC[UϻvxR6cFV I$ -\q'&P#b AmaO|B6YDRLrX|$߲]Z^X>S|Es"-05Wy/ D}MZvtOV1Ag!sY#-8΅z&ny-{a扜w;JѾt~[Fkuۙqm"vF33W7 ;^C54kD#}B9NCѰyS0 [ds6] ȵeZ5VhŅ \45\H)#UNɿۏk,dv3?-;$s*C )4t˅ƏnfW u3׎g1RoD(zwFH1րk{-h 捋 "1yrOf'R\JT8$TlȖ'w8>*4%=fI;?tߛJ_I]MPx{QXB}ʣ@X:WbIWS/ >~@2.[?A =/ mHws ~o& K萼T#&]p 19ŅtkDaWޡfP446cL4?dL-˺=FD7g,a7J&,s>w,UPxiEqu΄ cjÏwyYR;p7le\AdWڮ7htQo鏶n!q P6)+)@O&T2ԉRRm>kl6Mc4sš(BT RK5FJ=§QA!|f}3H,؃pG22JneJ<7y4ld`d*P^/X.Gv-'Ba>;Ct\2Ț-bylec$oLjﻍJD\8G$aCz A5s3\3LShl;_ộ!6a\)3JR%?kf4C+Ͼ`]YBo A =ܵzft#%&.Kj@FZ? 3L!͌pzr+w̔݊wܬ0sg_wʑ }LKAj[]V@Y)2+N^RIҍt<j /q |n"wfAۂauɃ%D IBBxj<9$: c?]GKjVvKñB/JI@s Pev I,E xn@0m|\qLfk$5QL>+'XsOGE z14 lo6ia9\3k> 6$/%fEdydr1XPwojV.h*p+޶!EV[QQ_Tky1Jc?`2e8NBK({b<#e'7$6[ЈW9/q&8W +!`e’OFHGrpnIIլQ3E!*Dx.i`Tnw攕ZUURשּׂ{unx^ʠ;`7f`'^fk5g($%'&߿$gt .$4?w DZ79[&+pY>x.zw,PP^|a}!ҺyHZ,fFݾTj5hܔpxFр& ;pه y/()%bwIUbqT޽92xUl\(SoI4hEDab{ C '뺚Xs)+jL]؎_#b Q"1R5ӄl޶5WR_v* !ֵjν^kkF+gnfZPDZ|Y}CE9?8k "'6rxK%v2"]=٪cۼY{dy:|p:_z Men&F )>DtUE)&p5\5L$l۬a:҈w{m+ucbH`Y$:חU-̂k&wn?!X/0䦸!b7_#2]ۺ]y{ռ E-:c #sFؼ~Q=m8& إ;t&zúX|K֣;jZ! ](M -\AxF~NaΪb00%DŽVn?OPsCKꙵpttU:lrD! KB4i6-&&WC ~ XIW%.P.<  lGhpqz}乛'q_Ge1tQH&-݄S M=h"t( _c\L9=PM.iL˝y_mfgAE?bC$vPZl`wdj7#U6"ZL۳>eCNr^k=].< bifv6nUqpu3uzqȼ|M>(i<5=|y,츴 _6k:"%i]ŕ6=^t)Od'BH!:Q  gVZGd{Sg*t2=O;g-O^,m?o- !gTҮ֜͡},p7{F^s=AJȍ'b8a,~!U'``]OG&XF J6^7jsېZ?7RC,$ xSӿif<7AZ4@t .#J&Em2Q>S݉4TJp͏)CMZ~b GINC?U4.g% V  )M̗S^y/=!1&#N^K7pz IIluА}`@ T2O"3D{EK`|מ c.ބ'm^rOfDZF1?Xr5\Bbn$5ْU@Z8QM_r@l.5+sʏw р\v|a6u!6jx`70D=+]|?%اX;Ь#.]۔g+Z >'(>]90" OFEJt_&>Mi45h^ݎZ5;Jg7<pU X[ s$,"pŴ29'.N{J{gcJ$^,CitSʛ|`n(&DR[UFB#gt2x-tLzGBk!;?8EqPFwнt^lPn p= n`*"9A a4^6W-H;~`E韧X;.|uzzIL먩_/6lqُjLb9"+7֧> <`f%ZT\yp^Uǧ!a4d\#\ .11걜հȰ -œ & `y6D 2eVګ+0V%gG!p߽N|&!TYYZ18qNJ!Y$Ru3aaޱ#]Tghaq`-(jr^`㼇'Qm1HH2S<߅Z(7 J`xj4S ڥNz x-V_A4JF!Uy㦯߆E9ӬQ;p1]?kPOЃ E rVL4`l{^^5.c3#X[u, \Zeg-)' J%<ͻ&3l'p+-D'9dH9Ёp c}ᷳ(Dǂ*%nSh)vp#w WI&]]\Vb8:\FiMk.v&҅!2}$KÜ)G%ޗ..;zr-2nɞX7؍JQ~FU1GI A'Cg~<@?:?2l=]!8{Sj(9I RtyZ^nQ|f,XoܠU&^wY:ruc'ybfm#n<ɚ.>۴:k[h֦ U:v7%}r-G޿>Ԩ Y޾`nMP fcg-I)TJ0LPOh@OKC[ q _|j1̂ba6FxD5'efzPb۹4vmF03~ B(-T LA' J;-[)*Aj54G][6Zdոiߢʟ1,xImfJ2%09\h^*Pp3>G-bPEUti_nK'HF}K-]e(3(w~/\˄4S}P#SA@V?K DٹT}*QAV)'&Ǥ{b,4^"U*p֬ R|Oc k~!ԑoD{kApp[_3U|;b|sfP'7WJ/GKHnRno3Sc+fK'0b& Jejq-Z*qq*IJjwn ͋ +I^jGҤgZP8)jۗL!-&A(Don~6!`_,/2[&h緣K=P|K>%|'âٌ ''Nސ [ud9',QR׊;!EO+x&KI9c1:lԹJO*o"0V,dq?m ²O sE@nA)AZe+V7yT99S1Oe0,L|g{T)%fzs-"@hnxl\䟔4.'UJ ž+lKvĬuh88MO@IS9|6mIwCKర-tK"HeWk30ė \p*Q' Qʔ_욽JN62b#5|xADp3ևպbI_ E1 Х(Wf!~R&q5va.xrPVtCO'15*o}n,YQ3(ɗ6iQɏ~UjsR.RG^p[ZP*U'}pAаXe\8UNc\a)t[ۻ֞'s:I2UÒ>6|0ꌀBI)5^1H6z0[ϻJ?TjQ!kbA7*O;2oCF 4.Dxڲw -SOx |ƛEϺxe;݁21 GNIKՍ'eM^(xY>ʍ"Xhba;L]&mP̤Sy&+lrzl2'+.~rJhdWM63jD̟ؓSύp1 zbJi*\Zo_M5JV,[ AqVF0ˑ%h(%JS}s3΁y] (ȶs0UY;l8ꄉ+%#&&4p Z(ciF=80up=-ΛDyR b |f{o׶ {S$F>M7~jٯ2\QsjY7 ڄm/N0i1)HDVej3 M&xܭel\eTIУU:LőnpȰrW@2a:ʨ}j])m`S/g˂Y ?6VX#u hiHT&?g-A4`5gMc:w5XʱOI1S]%5}6oV>n5i\0\?5v4E_G'L=vMЉA!AU=qlDw g p-֙N8k 2xHN2~Rg"_UrA5dl$Iv2f`̿-(cSb|.qz [$N/aJ\QHElEF/B09"TM Cܱٷ"5TzNA*.@f?bDf!)zי ц׻V ;gI"'dFM:kI=ՑbRQۡh`ItQX7mP[nٖȎ8H38?iD0H3FSZI)AHۧEq+%wdi$-δ-2xf\{;d,Vj!#(N~:jPYMm5N8Af͔["CR\5J`K9ĉ JEK&>~=*'·MR(Tj;xBڈ'>#\tFԃSa"(rK-kK+YsFyFiE\HnV>^9<2 2a )rKjuZϖvfLG<#hƽXZ АvmR=6&|Hc`r~Dj"0Vq›OvXNb=:b&z^aVL*_y/}6-cc*ܖ"Q`3`2JG. ,L?[Q vvvSA8df# _(Eы CiP-K.)Z+nі[gsVA(y3Av2X$I zR_3qrv2}P-ftdU])کN(UX&U+3S"[re"ܣ$)'}J ;DPC"/ ҦN=dc mԹiZ1/k;wMԵoTXվI_,UD6 ~^e~;czZk5AhDqC'S%~ZAj|"$ߠDvݜwOk7/<*oJ'T'ߺGOd^ԙ^Cm.K(*q\]wHrrldPZ}sqR ߓߤ3W x#S(P3齄x\d=pa!iB.CV; I>FIΟ͞.0 w[4oVanEHff–O|XdRO>c:wka&Vog)0Jcx}1uu"\.Sʇ`Af}XucQ֩g_ I8yff6rʁ{ rK|ẅptak?WQeRhfjC-|MXrvjZ;|=,-2Děa2eY#M7 t{42MD6q1#ѲOlJV^S$q7J O}E+MwFNZu 'Oϳ~WڧE6!`Ms-^.9_y+6$o+y/~`mmbvFqk|p%"ŝkvG*ڌ>X7o?\Bv=0Æt>/{h8. U, am޲$kEau)\ Ίڍ 9ßїvKU;V|txgB4v\H4[~6g^MPˬEG;7 [k8Ӽ _Rϥ+4Be5yK~+̺5%0A ^,F2pȤ0 mT*ߩpzzny,ih;3 '78t: S`"2Ɣ^O,ŀpYHR~ɵ[$Qjpِڜ_ ̀m1qZ!8,P$K~;2ĩ}u3sE e(?bYn"u'~36b{X혘4餀u+`x+Y/\lSA}WM^Sk)V_UX!+QV0W}c Y;r8ey2_p}eXzIzĩ9M! ٙ5<-D7!֤ex^CGKݱ*!@C0 1>񎛖6+PW\GBi&+Z>a˧@F[.3KTϰup/Bqp߷ŹOs'Pl78\"5l:4y.qm'Exl@1-. ;\l+q Uq`"uh3qt[?s}[ WKfާgsb_Su?sݏ΃=QHYdb^2B%!cZ"=-NS |e5J۱)0LV6/I3EgҤ+* @II.Sz#I&+4[BXPIAu[Q_UޓF2P:z7|n=- 2c/ /h`v ] Š7}04АTaL@(׏0q+e}S3׃cV3ۣ[b~n>Y+#S9Qq1"fjIꕸGja3^zI`dQ=)NֹȞ[%4{fRs^:R7wxӖ.g%PYF7<ՇdW kEb a LJ;eM5d{UJ>i+vY N 1|!J(4eZ.0KW h^L \ڑTs)n~Uʪ&ibʭ Aw5'c|d2Sia6a؆ܼ*rQMYt݇?*Y*B© ۓʓx6 4c*@y3mmAډ=zwG@JEQp_Mz[Ȥۗ#'-i>Ŋ5s.tFL~ڿrTjhFjFeZ){$6+Zv鱖#q(ޢcԨɭ#g0)U͋ & D%uk"g^޺a D"= ۱HO4 ".> \ ?Ů7lӨ4OG0'':f`+\.(x/PGUKT$x#<1tDΰ_GX?2?:n:»ʜ|K2~*ݺt۞tp : W}e.FlX*7ݯ4w@uOQؤ]opE; Y7Sb^jX֟}<>n^PR$ŖS" 敢hc}w3[ 5sHEr~f׺>޿jijITv܃)@ خisd0`5ۯ]S+mttkoTT ajѡ|E!:;ƞw,eH}"r-giq3`r7(tQ'05hlAVoedPM?Z9 mtזm]lώ8'˔>OJS޴q *P3ѕ& e;"캪mE 5I'LlUy;`TgblGY9-̘Z*2Y)"UYN PdϬTh+toSB̕lkkdf}. \W5A_RVHeE+sWyL$N,uXx,7:Vǩ(Qt6jT eϊj|2QZA&mAF/|G?4 KofsQ{.̜bO3$qI@.U%o F.c@lCgU rrȕ'^-܋dPmo ¦!W!X0cH!H =ru[!J-H!̱ :(QgFti<I⁜QUTho#GRWiۢJx#,sBxVPJ(^؊}WڨA%rR_i;(<X#rG-B&Z'(`gN j* )2>}H+E$VOW/"hfB J_b|h8ax#coDfPXqSC߉``30i!NsA{(֤&21&0e`n;GjLدc>D""$]P62rR%52hJ,WعUAHe ~]2ߜ-["]s1i+(&t;YN< 0@/!ln:41(i'O- af:_nl7+`*.V./ fj-].IJFFd*xL%r':mѐ;&g}GnT[qmj Dʀ:Nm k'>>pVr䩯C8WfgT8# 9,Jm Ԍ lڛ}$~K ↔{NN˩ 1Zz7p2kre7NFB8e6Ɯ2,JwN2l~R )i>ugiex7tz0[dSU D]@7Rj{&=j< >]'QŽ~ུB'b-PGE+]{׮isY_ QXB1yܒs-"nd qFc쓚,5BQM#4(_ 3S/bzd爤&Z'm?Bݿaw>'5GkYwՔt%͛l뿹g@ lGK*j+RpŇeSYE]FѤBr`fcW1ۜX7"'&|{op 'Z/7Q$?l,17[bG9N{wZ6Lp\ⴑw, S8M0I 7eo*t<6 H%/`%4$\D;>BKW?:A~poH"fUAцM~8q6_~Cm)Z\f ``-FqAE4pÔM@w_&" v@sZZrYVLc?X 8QC9ojxKjQ'dc^qּMXq!ܔ nSAOA) ΫV*f`=/[_eT'#L+ߺKXx h4z;)KhȚS,i1{5aK4qV`=sozU-0_, vs\.fv}YwTtW >=Қjbt)FS.=f|73V"bcB4'o*>*Hx`6pFCwF։rсz5bAi-bw<$Ab_l4fd5k#NA;7%z60=oKAk4h}jrBұ]>BZQ' qп(HH#@NY^KJos-dEI.y!0₅hPP2@FT˺Zx?萦$~ovV"{[Nyhcz!}izŠ#n ~dJ}Cw2N5: ~=dnE` uiAr'W=]k'@32+{pH=1O3$]u>$n fL[#MκW^:-6 9];y83~aR/??625m=qyk=& 9yJ]Bni;ҭ+Ztp D׏SΊqtkNt50h^hQiV7}}{ ʋ7)r'!TD&ڦMݍHW;U8!}7gz WgJξIP2*R8EF|@srkqxzv7̈0g汾Axv#h.*HӔ|yp{D#Ţ)Aɭa}qSnJbLL^⃓ ,'3{8qjQ6iФȐ+{V,25|]ES+bo2any8w*fnBOZaWbh+bDQ Xż^8J]"`4-bnX*CyQݑ[q;=Zeyh 6. Mȃ'cief \4,WmbE "Hאo\_ެKg/Gz #Kf{"4,E oW-=t:"$p ],FD^{E;g둉93n}9=oeÐzxBs(([zzWo'q;EѰ[[Fqjc7jNނ@U;\M#cͷqӶ^Y񻾅@KbVzL])$4"xcbG>E;;%MYM &'Ѭ2d:Z!D]H`CLWp։T~)3@4ٺCDcu @۩'-.灲8iBZنgNS'B 9xJe0R%2V2V7[ަ"!{1èRBaV1(jU%[ZokH?v>igJf/ 9:T/{=;AuFGŌ6h 'N Elϐ阬cGCר v :<  ??4 t7 ?L`Xh=Vꊋɉyj|)+| B,hi!bqzһ.ݜ ߳;]+6+F!T$IE`"AOYx' O~!5@j~S4OSo 2<6K=BL3ݿ0YL. S g98EoP޴q }6Njt@dGqgp(Q]k% =Q"]o4`xqm8Hڹ:^eްh<77 ᱀r' ۬(G2g&X=Qqɳ!TC ^9t$[hj$]xn#s?"r4aHfȔGHjKYx&l1,ktc;g31=ƌb)\Y0Q }eE :WEbs3 ,h(:լq.ɷeN4DOW?#MW7&ys6f*\k@8bT, o4 ʩtf-PzQ0VK'37XPŠ,7]/WÚ;J7DnE?NdOF<6S%Gd˯zW®/B)/ M!7̔nNC&5Uu:n9Uf~x?hn0'0PAm,NAiB mvw_{9>УfhK"ު"Pe$2d)5F6iuՊԓFUtqlf Ν-N~Dׄ ~4Fj+}c'ͬ֫-`1U:l75tqݗ@0#W4ۿRg r@; KM l ,?jS&1hT/5'jAsz⊲,^;ج 4rHxmթcn&ObonMȐ fGGM` ~:QύVI$bgC.Kܿ<`>(egEpr@Ib y/c{) ̟aA,p;paN !ZՀ *CIW% X*Dٔ5² \W%<# F2V쓶%]]])tyz@oZZ9YֽQ^y^e Mc-zu13+k27֊xTOvdL:-m;ohmY3`b,gzt(J|<1~fLibxNNNHpzV]Cb\Xg-#,Ԝk.PS6gN~ADg,k/I@ );i7YJX65>gh^rC y(h\Fm~SzqΫK#D,Ұ*ɵh"0'pG'm#Up_S63D1[CgO.oǑ5|.m ;rxi!M&𓏰tiTrwe^n*O跀lfzyq|1wkW[ hηjl'"<3P洹?x(f~Rg]sh,,*^dCx~|[h< * U99`Z*lEXp4Y`,#2yJyY!m@=; u=7H}JRPIYM\|I%;Z1A ߟ&(I+C":& +l*[s3ƙ=i41`_)iT2 !"fRt~|[O@T1Zud|xO~xv{26~O<+Q"-RINӀv»vgF5Ҿ [0#71񎳍mmR m!Ci c]|XPf`S)źX%?YNω٥;Se%S \gK^N{ Ok3 !Qs1 u)VP#i~cl ̣O(9D0g<])|9OLˏ6`hDzh9J-#~ڏ44F+1cwՌ\!DG;rU/GCQs304PwU+Pښ&zV.Lܕ!x`Ļae xA9WKT霈'j5Ԕ_C"NV_@mO 2J #>J?Fg;m& ɩ<;lrW- ѥQ"3/Qj`#Ɩ[pfI? UJjk)B#FՊI W 7gmDX٣aQwFYsޱ ~2_׈=/gYgT)uj)W9*5<<WMvaRZzM:U*5(T$[P׾"m](x6  1ɢu8wg%"* |]oi]H{߽7_da8yUKn,yKa2y:Ԁ&WzHjz٨'+!&& 14: qt)MN.!:b{3wJ+"C; I%jݻ<+hꔭ̾ >tN=;D} &uf6e zC$n>v9Aa_ !'H7,Fq[bEl`/B\?6>B3^;%z6蒠;PSX?5ˑAaQhH[-wujE9 rHfl C^ N6%VkPhfnBD7] BDQͥ ;B Zڮ4ƭOoVK_&˼ i Tt9v? {gy\t V*1Y"}DGVb>xyV&%e`s^6̺,4}5]};T?gDIm!C5t}1̓9aaGH9I$& I9nN@E@$PWi%zmjv::6Y; [,@b`}v^Hػ'zH d锠뷈 7<+"'K .n+gC@n-10:(L/ y\veo2WĔ԰(p7UFlHVaR(Mopdi av~>" u"ǡ[3n[6dptZlM㣳Tp3nuky r TWrG_HZ#FK3;_QS})+N(ZqNCU3zXRP_uNju‰ڤU5^'zlmp&5Ed_QnN۰PM?}T4?$uXRވtPCQ0b)~%vpUHDm25hyĿLc&YJٳa.Ty},ݫ$ݷ85 oIwLHQ[T87EW3*1V u@Z@?)-܈\@vXjq̑vT:/w4ow~ؿ>&QCM})l!ض6~!ݎdvQʼ!|jٙ9ƺ`0'E*^1=vt,,6 z$b \7H:`~" USsnj˾G. ,K/J2-.ݍUc|(_\ >[هOn2^eqgv A<3PZ[eO IPQ m9<=4Ze~usfDPKs$%Ltgm$ܩ]e)M3g?>qVw0guթ&TQBB,G1ٛHdxh4z[~p8pY#H͋z]h+ȞVe\B MZ?pRC6q$嬨kBK:dUii+;AHk[Ц6j)OW&p!ty<*WHN:uY>8 4#6Qm{?AQ> +2۝$Ntp_dsJ' rѽcdbjdS=fw@ʧwY+1MC&q#  ,j-ySϺy=-q#]P?<مʄD6 ̖r GT(yA^A uDrt_Dd:xF="5.(~b?P^whD&|ӨT|jEݖij-)6c` }㵆&l\o=vc0i8tzX0CH,FzFњ4 {X}ed?"O횰t%do(ǥht\秖 4CP8RPK1x4hjQ!Hqq|+rVcZMй'lO y :gg8wog/EHo-;HuXICs͟aFKRzq%PzN O9ޓydpBIZUR7Z XuB7?F\(|K޼L@TI:۷-C%TܵB[*vcQo/ _1>-!M'"y}_Nˮ2hZfuP[;>)?ԣpÀ^Ycm_?芠slbh-}.hq[g=~iIg$-H:HݽKP$Bb2,:b-z; tcN͆~3B7Sohީ;Po-bv?@W>"~6vٍsomI[.T_ERG~Q{µAєͪJr/{Oow= g=-DVNY UB$Xv8jؓAqLu{E[T_VaP(`T_ױ)e`8Ж@Ibȭi;T‚}5猲LqAа=*.(%ׯ 5FܩWM=RɠY]K^Y ?ߎuV[DW:Y 歂nImI܈go2mujn%qѳ"[F;.+Z 8i%CNS?KXnSNXFSj۪xnAu  n$klًY[6Ν~ \)-c=`\]z;ѺF;QZ6!9V@+6 8U1B)/xYαcɒ*^6D2.̫(w ?WmUI z7Raxj_Iսy 7ELR) iA["Rr~ϬD2A:ؚG-OAUcNN'YGWZ*#N5a[?饷mZNxl#|; CLB@eʥ.KN&j 5)(P;o%5c=:P}zɇS}'Dn NbXi9%9"ɚ{?e(0(yGJHܳ 734A]\FWbşGi]l \ײD4<7|uD֛XO L6i%ň010GA5WR"~3z_ꮗ>u.Ba g8 3Qc9oς-t@0MКyvV +y1:yK`:NQ(DGzzsG08ů'^\ձ"Qu⼆2hSW"ΠDDE%t#oxٜ m$6X{wkʁx ijyplh'ee-vEB먧|f^fb( f~DZdى$bLO/I`jRWQ nw&|Rg>M_6KsꂰPnJqAu0mH˃Gnvop5"j ̉=SEm {ŤqOus?5vVo9]F4% @L{ y3=-'vR<(!q+uk[ YOen?J'chR\'Vnrx_DZg}u]'&AW4G{j\.y]‰殢ޘ9 ʑ@Zn/݌XX͇~& ]/'o/4+ld?>Xp3砳D5ޫ{t yu}9mOXvns{.U([jg5QVQ;S `rPÞǽD. BȂ?<ɼ̎ZKN$ j|yqvӎ.n#z2 J)vQ**a2xQ=#WYj>Hf 2ztCn} bLu1~|l_!K|k_$ ej*hK%325I!l ݗF=3~qVQAI}h0̢,QWnFq25tD2;ŭJRd[Xg`EEmn)R>E{5t7fy-Wu\*jd/oiKS)%A En!O}#M0XApڛvu.A6T]T3dxt#eSx[w'T5[~]byd 7w4)/LBvؤUN5a} uWWԏAE1Э>Dv/}Ԓ?~[n8Ĝ~Rަ{"x#v!0[p9;h fhp |$enW@ƳsrS^DT(Ct J Wp_ ' #g՗k-lg`vEd[gB{}r3?!Wbk.Rݍb.ΝC՝u1P-)0 Xԯ''qBݑz,Sc8=q`:1}YZUCc[ykk7eVd!mr܎"Voʬyu4 #v,L>;5eea5I2T6bVp%Y~1pfxL6 p^-R{Fb9 K%5p|~(чao&rݾ`x$ `4w<˯jjGX3p+dle碞J`FdŎOK3N}lPy[!W[| [g yłht~ ;F ᤧ}J\O(1O&sCKPם@GU=,էvXkwVB|9+relV^BS ?$A s^H^֩}#vכo}˖qdF̸6dӠTtp!i7?peaZTA\D̻~ky W&bV$A97~uͿ$O#?QR 14uz7M[5xS].VWure *~R<f-^a@x}J8ӆ3vh-hx" gXyB,s2ҶYY?fny+x^PѮ\ TZ$W,!5ıjz>`*84;`O'賂+8<'j!6{w4v ɱPցQשM)BHGab)\ 5TVt!5 ٠ KmL&7qGFk+JrJی5@ M݀yqhw'D]AN©E@bxM>N ѱvw1˩hKH|OCH8Xx~m@z̭tnT +uu0cG*H/(W/~(dBm噽_9Gr?dzboᕛ(zH44W6 8 74̼V5ܚjfFՃSjqyȞ-Y^]%rYo!$ ᖳZF r=OrN\II OQ(m4z}@%3RD~*ulh@xǗ@-I,>:^FnKBZp* [G81)NfN$GXYyA gWN[WTw?]Prd"JfLq}P.ƍF\\WAz {BV\eR@ oA:mO;-J*}*̵0SU Gy%cr %_/,J zh)%DT[s BXYمԥ^;-{!avE])]@#"K.tW y&Jz|,rȭ? OF8lu:~-ܴՊW=#ݯb3Mhа8'+A$ּ-{'a9ԣ'JS7i7;SP Dv&5DN3ccB2s|&ŵDKYj&+0 j{YFd(S] %1Ue,r '`T_*om_" l_f.cj&yNe]g`Qʉ8m4ͻ$1*֘ O 1Nk[Qf XI](yB||c,6@o'Tn$C]02L=8"̭Il֩AjlE*ʯλw?RP%3K.Q Zt8VPFXe R8|#eZ7l6O5 o.g$K".l {8 cDG!;׸iHr'\\R]8i cj55M˱xn45"Rɑ#mc+уr=<$h?|/9쁕SKG b{GV()Ibz?Âj;_-ȩiDpHj Mhus %wp0/SA}wCxe}۝jYH/&*Z?֨:"!ٴkn$>K6mZh[`A.(޽$>;AiFejp0H87ɰFMM-Ǥud1*D>'zRI\2m|,!{s*U)bL>1' llDQjeks~m- Y~/~X'_7U1[+MyOqnꙌ}ag70j[5_0rO 2FEkMzzA3`blG5)859O1 Iglg6Jnn ȗ@<qU0WUHI]\h CUw[%[Zҿ[w)/L/& cA+O U&VG= 甲?TXп7 #DZ5yp6k=`HۆRi鏅U[1MQxLn5<.Mڍ12wyPy跳UO4Bh5fcnvKQ 1hҬ+V ]"wdd OW 15;Aed!UCE]TXnyYҽ*9 >4<01'HĹRk2˻#"S%{Twyxj_:IJȳvS sQ#pq 9ڋ,eaOm cK&H8^1 vW&l߃}=VkbfIGN^7A?$S"c %ΑDkA1E݁uX("‚@ZвK:!U¯_ x؅9/J`Cmzc㭠2.zus{3hwqyN9#3 v@ LiSki8ȹGQSp1b[Ru!vXp}d\Ff.$!dЎ1x 6REky tNx9wݢE` ~3 `Ec9ٜl;­~d3d/d42ux56iaG*CL\[E7?zD(>-5wmc1lX Chm-fHDP.66_(﮻`DBNUzPˣ"MPv1GBqGWrw99:$w^WgnjC6u{"Dg84Җq (T\'R=J~/ޗŒ=|/G2]D}:сg9@[qC3k/lZbXbԻqrrF!\Vrrиii#v|:⇊mU/6D] KHh-ϓ)󷳊Dђ / O+{E>}[сj}&>|1N'I=~\V):}RT uy`]{k !nɓGMlcGNN*QyI 4eO:ȒThr^]'0CΛf&#$#4aoZ&K~rBq^ nYsX04mG]Lkz0Qu89ICp#5)ի&Ċ0RP4~ 犖Ia^K ytzJ&ѧKI&q$ŃoUËk*O׃sD،?yzNw;k; EwH߸R5X/ 59VJ<6>|MR<.ѡpw#ҝ]LƧҕ{Vmљc/IЎkQ6)k^#&r6SyU9@!8;}*yz)AS`T=ɽ;soy~Iwi ̈́]h'vvnt6dsrBh=b&e,468i:a1`,"t|u`7Om1)򣝒o^L3`&VO`6S'P(hP#f uSxXtSdkW4ͻ9I³!j+tGy"tIF@SO~dh\%[D؎^W,s9`ѭ^Èh19jX$M,e "<_Z"[J4?r:枫?LyθUHv䭻41"-F.D ~p}[.: IvK Z1C1\xI%.HMa&T4Ua U.EG:M"DRc];g{׍䉠“#!d/6B|, _$K{ם]c&N7DsvU|p@dSTSr=cH0d!#\[cI8L#=~&p -ix7IdYPvt*S^^a|ZZvB,\}L'̷ ^FhaY^lɀ{"Ȼe5|7s~`CHȫkgQ;EqMͥ#MzU>e;;!g7N *:}P?|0/eWE]ln@7[|lC8^+p 2^Ӽ3\9l09GM/y'vD a|ͥ.ܚ΂LFyܨˑTmkNRW4-ez%MT9 +V3Ӡ47aSlcsB.\C]A1vr߂cx~t꩑{Ufl8dلDR?[UO۝{T{po̱_JX,0K͌W ױ;p앇D9ZUmxE+ f'\moG(L&3aIΕ 81LG]hʱ0_ 3D!7,yk Hbp͋$( ҢoCGaZy~rpA !)ɡ=nfy*pPpەc TO$ #DZd :"; Z>`n3r:w̗ԄοDeLq5 JHagVʎ68g %Ȩ/M£<>=A5{$kqm G nm,*{o.Ubж ?UDT NJ'H$^R$Z}Rr9A+@`S_;8o>JwMv\Tv_gZ!_B:U.v&8?xПC qyٰenX'UM`u˅K4%f+i Ih. $O tORHHޒ5JAqWW7}DlW$5 K?tIF!N !#FK\M$5x#dxOj둔*72_M!B΅ [s7=b"4T=5|~T˂{}?8uI<3s8Zg,RQ2CS?%uߎٽN͎M;2DijPBnt̼&K"HℲits\,/fKb含;QDWO,J.qP.v-3_gQ}V· Cئ Zk,Ҕ0e4Ցmd#~]}UNUSԊAUz#H} 4E1p,jmЂ؈o&݋?5**W| m|YU+_F?IHS)}1e ̿QtpnTrTN-{lU~+POC7O+@l}cqulZ7"E,|{wP8VPzK ^*dP+ q3O&Q*E~9PѺ!{Ns:ianF&A17Д1Őe]{Gϑ]@0 0GW|IS* rp;.q}6nnԑm(HE'Irˠ~^ܺ9 Ph^)g84w7ƘZ*]'Ȗ 7PI]6cPH6|fT}bWM:R+ɢ-”whxhSI$-kSkmJژhye'X>Veiͣ/ct%M(,Fh ` ]uW;(F#z3v8q %No{)ym"ݼSvXM^K&*Ggb%ˁb;HLZLl6^Y܏?qSyVPCi"ǡ~"ec"@E<ʱ6{M{XkT9'璬Ţb^,P߈#(Er͌ <40&}>𤼅ߊp(tyGWئ8X~Z\E /(YP?xhs[8hx/paŔ~pWqi k5u*L$")ݰJ=HZjVefd CcLl<?w,>7%sX>H<)1|K, ^)` D'4;2Fk\ 9[qDT-ɤ&N҈[x ě0M!D絖~Fı&E=#K: ܺvHcOBrp&YS=@ LA0өj9+|B(~tSBH\fu]O6|kM1Ǜ>JM Oع'y& oYrpUkd,ɒdzW'or>?x H`UIk=;:&K:]_HTE+s%^We ŅD?SV13!lXp0|*3M 3B?aOI$ jHs[΅B̕N^t;trNXHxF>@N|͓C2&IޚgF1eꏐ!vgqicSsv|3e肝 PUӋ .6"FԼ} o w@yUeheUgxl#j K_ (}#Ϝ5}M5YH .K=HzuՉ]zyT\KH3ͥ@p j Iv7C3 Ȕ!VBhÁo*Dނ,`;~` >UB,J7^hTO<4rA5m V&rE {>0!%RF%l]j9dn3?(nncFs5Wt'J3 7ff%˜ÉxlcӧJvht63B'S/O/e`-]!s?z}9 ;0h7%n][:-vƪaGqDpHd7),wV(5"0 R2Rvk(Ya jU*IA"pP>+ww-]pU j,7Z_ a0@(Oùs3U+pj(}kap.`ʕ@qV02;D)g܇^m"NWf7DjZ*wYh6Bdlǀ &:}QF NSL/s6-82\T{=9KeVNwړ;c|í}.~'u(6rph Yߵ EBaf}؅^hC*0$J1suDedj}+ڞX orik6UXz _v#EoN+\Q S|kgbx_]Hr#ymmy2&uŬrbct˼w5{l]T|P;?l*E%@?:߮t$`TFDɋjZO0^#m~׍c㑘|~C\ C?k^SmkEj8ZSYڠImScUY~C41zNXdy B T̒wzbUe|FA]a; >S+-}`}J40ٜF5ǝLlfnEݶՍVD¼!uC?G =.((Ng·>*\ƶ.0Q#'Fp/ {/ ;^5mn|lT1J@C>285*RЎO1,Rn%| s?buOj 9d!t-c/pOڵE>*eԧOQEn$UCh od&D^ǺC9 umy)*~t^kpjHnwQ;=\<ƚGgh1p4t[kcc-T$Wؿi1{먓zl Vρ&*J#4eQ4=|Tlf{TL*ku%RGjҺpubMʡ6Plq*6Zx3>Qw7ۡKp(1Hsm\Xtus'.z*'5sCv]v7z..]4]`P.1_g\iӨw>gPW? RRD5)& l§Hp.9>+5'. 'ZdC؛L'-)s pDLO}7:5H̢?`Ab\;:C1c.<)o'!d q$ؼH@*2nZJJAp2Z)oQ!, UiC 'SX=}*mf.ʮF,")YxL$cOzh¸^Z܃Nd/|M߇!]Nt^E@Seiy}[/iR EEnS3:6nܧس16߻s&ׂ I'Zwh./k%7 \f:rn7 W@MKg:|8mImISL\D*NSw]0Ͱ"Z_+[ V~min2Wm}*8E]LPs ٌG%Pgj\̱Ț/#D!$%;U49X6MeP)ת(1 ĘYTds 2#.PA+dPϑăc;ՊqyXN'㜔9V.Q z'z7xWa$ IC,3uCE6$KY\_ ))~L,}q_zջ@6 נah7}Ǎv9̮Y^XJG JK8lCM䧀8 i=dy%Z"=Y6^i^2O׎TáZFhĈWQeS=)[rdlBK|ĺ [&@1:9<%#O1e&Dj ]v4q^? w'7h`l/@"Cʀk &LEwIt+ sg'&pNw7M07F-لp?zD9ȹ1#] 5 C3sco s\.}z /Ӏ99Orлa%E D$Dɐk!Q[[٩fn^PPkbډ4UdѸ3#^' Sxxn&u"eS]97 ^cQPY"23j:ǜcybZ5\¬G@!_Voz( c7&zUV_wQm`ai܋a8rVyy0, x;ֱ.X+ Ajë$@~ "szhOvy ;!o OyI$.9ˮVh"gfd ]go,́^Bk[p5ťoQ^-x :Q.Q%L,|b>-Z^CPgwPeؼwlJYs[#e_ˮd ~&NbeEe5,ˀIv1}=^~uiG@ocE? ђ7ՑڡIU8ߣ^7rg`z GH^OGGfMqx>w*~w.NyEaH&PW,@+;gV&Y5㟩x*>o2<YnXj| }-GXtkdP.jHGg}".!0"P}Kq7X%y/ [\׈ɾX"^vxV׎vl[Yu )`"'1[{Omkپ>#Oŀ$35{ ݬ}kH|f} k;P^"N,i1XKwhor0j,b>X7++WjNT (>)l{q~s8K_:-M:q@Ե6?kKLaay(ufmOC| &f'c*ᓆl<0( qx"m9 PL)M q՚EkP-8Ž7cq9[Dr" ,2$[!Y1ќM<vǯ?kAOX`4y_StQ?څ|}O @m=c2я*^WKtQI'bgdz(iR5_h^&#lPM5v{RO˟Y}E6Xďܙ|lz-1bt;!^ xH1Z<X us퉙Uy+PN]'ƤS Tl3#…h,9"~b!sueΌX|3)`cKֈI$zf~ 6> 2O7l igQԢ7HU$88̽piM3яt㧪c[%= +B["@-KhTQtoeJv -7df  %\GDl&JK{![Q^5P iT9-ӱo`n㓐Y 9iY@ (M/D+JʅP_tYa0'|},3;ڥxqVv~+jv˞Yʼn2#U>fkzfMy¶KKrG %;(8@,CiPcmm֍Il1C{(G[;2ړ^(K-t_7,±p<5*&ҺeTC2PYҗ5IFaUXV*6e2vP"⻲AҔyKwxS'"}MG bRb(:1A>}'[災Ł!97Cp0~nJuB(B@rNl}9~E5Z\K>4`|"R#U@*W`(Z-FB;nX~ecf.#L<$S% JscKon F{xHWF+/˘ί~Ktډ9{'Xv襆| ]]-Xwyl4̕Oॷ DSG |>kC'sw d;vd\SuGER)աF, 0~3Yr~Hdlox&A!u۫~|Fk\sFz)W2v$SZ|o(/RmۼWh AMF[ZFM{ ~6Ti`2ycdZI,i'\yB!4)lR7 \̃% AÅU@"V7,pk*Em5.ܛ+kCr" .|Nt8-$!;%DSȹ=֡3u?BwU%kŃט@.6N2Kxf3/DniP~cZ9LEvQ/dt3~p5Gwhldoq]5h,n=u|(^qarnocuuIng7j@  }v~&f.aj,=RF,uנޜ_4Ѱ,gj]͗ZF 2 ttNh@ ~ӜVK$4h$?~ܢG$ǔ3 &9vu$If%X0=/igY6.cd=0ndps56v=P5;`]GڄS,v2ޙyyn \rfʢ{%#5CGsE] ܀eY7!Pdr1ˀl= 4p*QF%(.{OSvyϬmp0QM/VbzdʸNz("-JW1`F"zݵ'ҭ/5}F|gIif7aKVTQ\&ܳ(ǜďf1M낑%ֈ?"J/4ߗў)q6 %T֫PZ`(2/Dnq&M>u%]5ob.:du2e)uB"bPk "jozU\ʦb$B A zO.H>#9OS;a4[hdKDGb!V,Z*2wJ <`_''ׇ6?c5vsܭN,V2fV%.-f =[bΘ|S7Ά´dx!Fiɤ# Qc;S#UzA@fqdy}T !N丘kJP<$P  ߛD#u)@~MOna FLjyQu]A|cItnv#t3-?>]W pve鳄Hjc4H:Dn>4' D9kZLhF#nD}[Ziظ03Xwwu)Cn)˓ZxXQT0-Issȸ>orvTkc,&{_Xt{!ѣRo8Gx86Jf\Oxы16qϫ0\n`K=2T48$W;. uNū ==Βm?6GY_Zb> /*2j@CCuM<YKϾ/8X  Jl `J@/ɚK/ꜞzmX49- CzG"N?xl+7HbDȸ)-o@s^'iWii՝KP·== xqH}YL03x)bL՟7X2tѝmj}Uul#pQYWFj<'C䈇&4"$$Yv"D<5?9gQRpT?7] >f :(O+g@O <֯wdjڀGQKeod]pe.4xGo빘s\O}ۄ6Tq<U5Rꌷ !)[@Z¥"I ?9âw2-?VkyceBG-gaV}kDX5c3/GTY䑤ؓa4qD n? th@9 ~Ef=J̝ղNً;&}dap1Ͱַ <¬sww7i8xؒZ5{2&6uv9LcV\:@93Ԃ@ D8;[tHi,!+^΂W/onJfg}+f<- .δebRmU Jt 16y[45f5TU%豦Jq׏&q=AR4 H0g!0_,HD6$Z܉WNױq9ȋɥ^De#N!*`|ة`Zh֪ O#bYŜumYsQI#Qc wWhs_Πx)iV] u,Dz(ɘi)謬 *_M#h>2 PGJ"hLƜus+=I0p ~,*߁&2x%hK QR A \Jgx"R!BӰ_tr~Υa5rڄjtX9Y2;3cPO^W,}VcL' |vZp(M4r1N_C-J8)A{Oq[YCYg|8A5 1$Ht"q.:xlq;s"Uр r]]$Xr ί~eP)dYJ]`E8ucpk8Cs?KqB14ѽ=Ff>Dcxt0څ?pZQ%0kMY+ba>p.XK:7X\wF? iS$YHvfl`HJ|=N%dy Qo|4,"*Lr:dҡp%+դ-(]+C޾qMåQyu瘐M{:ȸX#hG_R9"9M7SHDZ&"Oom] \ZHBw(xEh^a\^ӂߪFcm .Z<%rav5gd"yע]1yvta+4sW{ T ( ]Щ,5S_tJG 1h([ &Qon:qw dZ\ExLe螜fzF ML+ DW'I»IЮLݚ¤=PXϺs"2]u$zf!gkʭ6PIO$>jQG>@ ,^$;`G e'L[_Th+oXGNA̫2TN3VMa9qHd=jY̜dMߏ'd=BEbIW4߯%:'l#5s~yi w[A:=O\r٥fks2w11c/K1tNjâz{l Y{[C۶T̽rXh!j⳵ݐxgޚZH;\"H7b38s3'ɩdV* ql YzSRhtaJy_Hx>0x!I[$L? L}IU)0M@Z@NHQm]g Y2V @FڔӔw;38 u,ӛ^y*Z9DzƝZQR⠩k㵆br{%tjy8uyRZCeJ0QwIM]-Ɲ>NÍV}U Qlדb8T}Lv? J)@ ߵPr [Д|;$Ԋױ@*o}m-,Dk=g R»Aɗd|-{QބR}$nǎgC?/^YxE@7aPWNͩ[1 H8ٚW:}/DޑpC:%A]PwqCwI:_09ݘk~^ %󨉣?|2vfWdZHn$Q]Rl쇯vXkdE8$];z6k&Th1|fy=kiP꓍?kaǗR=QO")jSj36 `ݹgP&m ibN׻]y(:Ҿh֐T.wtqp]yqg#;6DjupUѻ_T1.Nו=GҪ܆aֻw,9V/4 [EGbq _}YG* ߍd;HM#BV (nn>-JǠ*;ƶc԰5Ņ(Dpo#Au riz1NOԁSm{1x tOĩbpjy4ɛ9yAH¥r);cꕥ+mPm )b㣶tP ]%:DzNq61s|n"_ٵ!(8;'!p>o&4or#ow2ݑ:Fjwd89Y)l]A%Ї`j[ \I|NgPP$rtlˊQ_\ GSYu-(; ,A! to+_VRj mʃfMdW/}QkjaZH[DU']qsvN^M q8HGC4DzCyd2-wس%7'@'5 q,l[o#Y1E_LZXӆ< [ek+ DL7E#'ycѰҟqSB] d #Xa+jstBEnAgW5wpW}#b(LZ/Q0vsloԸ}[~'e0iLH7t3ͬ]i_?y 9W(Y,{XkT#-Ǎ5IspnVN/̆9IRV:cZy^|nƪE[Rʍy,fι  )-~;SmK *CV _a+tR=2Q=E#R$A}ey3v\E?]g0x7:Jr/H{ZgdICVcs6, G (p\Yh5H"z@\"?UhtQ1z@o$E+a"jkdL9o_:eۍdAwhb 5|N?5="ܖ* M(י^%:= c:$]=ʠU P1Ue'> rmtʮj.%Ŕ`J~zpmXV9(I\_Ôupu-z#\V/{d֕dz\!Ab:ٸ%SY8΁ըl0^?_H_%`ttlMyU4v[c;Iar]&䣘̏oTsxsmƷЕ#"fm[,K)ģRrrwB)\̊7SHé3 XzR`6&vפ}CC͒Aܣ% yQXAGm@ʭsj>/g'tZ/3 =F$vtIA麦ݖ!bUľ=ܔ2<1P{D3G0k}465/+34-_7bˈYHGOAt .I^AXB}[u㥤}er8nCZm"N+[c?ûϠ3a /U!LWe'׳Z]'5Zzڌlb-._:el>̋ _a~xh>/G).DHF d8 L/Zx:v3?-[c#6 VG'<dVK|&EuI Γźv+oriFvLQ-8bf3 aw8,wy?>s2"k\D:zᄙΒ~"ն'sT~HvG0םvE ޶K#kV ?f O%_ךgz:Hk>-ggYZ 6=u<.Ag#0i zmh0Pb:林mpz/I_JVQ7Ja+U]3+{s >Dr8A]<h3s8ZrQY]`%l$4tMGVhîZAĢPՖw ݄|Y>/wrXeu $DkB'M>f+ww1x`!#Pi \ߥ{d9r Pz{.)%($;U Pl5vN%L[vHojFf騔bE mhOZ3WxThV 4hs1umvD ƝНYʘ ^盚>;7etTj$օj>%JyMB)xSvk +1p)b`JMp1/'K U& (lTXu}4s *rYi!aрks8O@ddsx h"G>Z\%0)ΆfY N80r PEQWe.Fr'H_Bhb (R1G3 Pݎ:LY+%^e`֊' 1_}UbFf?s஢ْ0Xo6YSܖ2+[ֱHǪS@]n}+vS[Ê ]kݢJqw8tG1\k/w.Cd'oղ7f;KN+mĭX0;N+ʠ6-/k8|'8l}saYraV4Q~#|ySq?rDcp@66P!OeQمHW6?žyK NЋśZ4m-颐-ZiOf^;wԻ o joOƒ0/&9!we^,E!j~v2,&+VsJ=GFF W"FC]O.f+Ta:MBח#B75w<'oL$3&.QaGXRx"رH)tj<˕'2CNÂPXN.G6o/ Mg&נ䛊O(AA.,y]JSJ}qlm4r ` I5W;rV$jR\ْ ^A=ʓÅW>z^?g>xE'0TZ%8nh"!KyJ`cVx0N-2ODJu)9w9'5zBFo. QSm(lN,Cq/NU~N^r ,GުIa5k/ zkǻ{ $[?ݜPij]݄y{21'? $..N7I.1sҴ/ $䙯0$5_VMS#ywV޾buX.~hx#dCbaquN.xos5IS4~V؞q" Ը =xlLm1>p:t۲x }-pEЈR·sVIjW Z%?>@v)^h@4+|ӘuxWLM͵&VSoLk,DoSl%,Ea)2n4*Yu8#^ k 9{)V1@  U:)ҷvcw9C6Ph^b*JDz3ڗձ?Y`UwN Sկsڝ7 u_j:!aʘ9֔Ux:WP]:kv&Ъ3pj3\=\$uk=`^"So{Xme%/Pǽݕ*gg {׳bkyDhZfq;(R(&E4ZN# |bng,g^-blzR+HG>uQP=gh"3t8sE%gV<@߱πtr m$xەUXjEr7ΦOYj}-zcNL2eTyZ P4,( KJS@ҪX,*:N̈́7ܓ@cپT̹ܴi_>4HC+_X{$WXHu=^C;s0`UC{7(@eșYh@›j 1ʴq"ȑ+d4Ab}J; ja%#dy 66n$4rgQdfuRrZ8 uƶmEȉOc#-?+ [3=?fd>4GJ~V <'T.{A䨩_WpFzNz:1F7r]FJ~>\=.hs'T-Rf5 s.E+ §۩ 3D ! ?`Ric4hLӲ%+>Qz \ҸaVstCr<5 Xx5" wRbF'71!L÷HPLԓmg"'A3THHRao] o'z~>1h)_,t΅#Sj9&a[#U$z*hQtL8H/M$eELi:]`N4GE~l;=)^]30^mfF "U|8 c5f}H_eS$+*K:u5:*t@"<(hj|¢9hDdA*$HiM~)FSIhEod)ቧzOzhAG)=A{m[N0-DP>W9Ӎ ]ISzg(AœU4 t뗱"O!Y;jyxim"[;szcp~-bS3Bz9;_2,$*hm++j2%aQ4Bo@n/w:bFKQμ$ww ;ٳfylz!łN[Y3Ŝ7*PƳW t#JQ뛩THl7>1kgvcr*ke9 ეhlיˁBWQqK}Y޴-_t`HQHEIDRIR+b0k]A  'T "ץާѵ„lB.\{dk?cQ4*i.w1V%h~D]CX z1 v,SeCUJ#}~I^SR$.tz되.?2UxIlycXYNsp8rM_ F=|RT8XQÙ~uEF>TWN5&K:*S&M;W3#IDJ [\Y>0B$߻Dʮd"R9{@M߰Tm;rIaoF/zP |&5 bCce#[Vo3#>p| b!pKL2]چ(+]l݋m@paN*n7>jI,$ B  »G U,aMd/'Yw?Z˗qmoiVqS^G.HbVOAh")b4-] 9`5-&&8#D4C,-1wal5au_s2iY⬯$t~K0WhH{eGfA.0v!uS3<շ;.n;ɭzf`B &ߴ$^nX8b֞')̒X][i<}IR@Ӧ4Vj}}rNybHvtA1),xI.3 R+4>:iW,?E 5dHTbEbN~* h$fzD9|>Y%n<7$q5}d#B[4!͑7C7 ܾG[•z{ s+Il UvQ@s.}6?P4L!-"Sť>̛$ps)F)Q4bMK4΁ԍsD7SauAэ3y\b@xױ̜ݝf0 (rʹUB $ N!3#Ovr.n!C~cmu:ޟ!G ` %b51oIgOUJJ,LYv ~ 9wm7ut!1Sx(2Na&O8- +ajAN#ǽ7 zmء$^*;yV1jO; .*STf^mED%ꢒ.Cj&_paYݙuцOs¸m͛n~m(Ӄ%dq3~3عcM?_GLriDG.Зt1;!O=Q'1m':vO.3<<.3aO;1rZ.UNѦdz:S9[QBvpj;+8(.#Ir pIc Y$z />(u 51u=U\tnC]w*vV"p Hr$+l$_L3_,tBNU\bcH2H sTQ5%hzy `HY.4{Lfu"v0m#rRfKG/P; ZQuDK^F&"ံ D=^iTI!KKC9kR!e>lf^!Q b-`R~&Sb d-$IͱN_DSi/cEY[j+8d,GqY(^oNh8GY=K)fU?nΕ˺iƔT/Mԑv(b[D'Ro9j@I{)Q ojf ;ɦ$d/Ck R1-?) ׍Z| .22qc)чE6<@Vo WtJSE c.N֩ N-$ш)g_CK6s ! J<~B9@VM?U+b@ZAaVBqZOş͞b>(BMc諳s76{Z#;̸`tl" Q py~ (+rk`5+UYӕzQd)Yo/?ᅴ(dy>o5ɔqQT2ǧj[饍d0SPj-r J2x#=ɮ$1dBjW#ɅF-YXqѻ0SVIxXmMӤm)QwtT?v~[5rvCG/&5砇|yj?muF(i;)dwd/ BBe,6C{08%k6ףk-Ѳ##zLaz9^N~|FeX(u;2& 6͙EL>gS@8"HQ(HJrfj/r4}+Z0Rl_S+4}Y^&et >̐ 4vYQ#jtyM:1Nt1{:B9;!j[4ERgcHJ (AܤPGo/u<@Aŀ&{fU}Mn{dZ_#Dq׎N:S>^ͫqV*5wrRhW,W5+ז(bO{+: s[KasѦ(Ff!> 5<>đ%xO3֞ATCl@a h,ɸ]Q ,C|vF BW KjAdItޠ|%!/1^HsN蟦94V8GҨ6su yb&, tEgR8.ZkFBSҳgo8H6~Wfi7]S<;脚>ʸ[\hM:"XൂЛ +La ``5tW!ڡۇx?n&Trd_EҒ^!%9yccctg쪶S&4P%`);{? hE}CTG'X`(tW]i@-9]0+Rk tf S}gX\_lhE|ϩ4RURSzg:]&ۊW|G+7zu,ӭ}zlW$bҀEBP ֋M7: 8玅Wsw o %bߕ{1̐mjq O&Q.^wIY(Mw5$`UXNJ]f6d CH|00Dy{l }AiՎ/hMzf?LȺfKr؈%[ns/TCwkG?!s X U8ٚӲ'5Y;~(@o:aEP$x (d D(T }z{zn`p;p)X Ay>"pVKlY#QyuU =&L3{ues8:N_+9+cbl M6VDɷ÷yص0݈͛t{pvGd\8V8iq[*M2ARSނO;\hxLGyllVBx4)_/*ٰi2b920QvaJ-Ӭxf ~ 4Fz7@F$/ 񈿀n+cDqaoex)-aELxXLzfKS5XƲa VMkosz &,`&[,Qڶ"O%X^61_{2vJi[h~ODFBZ5sauLx,34Ԥzŵ7x{>cS/a{cAOq^1Ek6IZn̰RZoF]mE4s\5ch["E<ү#3}ʗ4fUWB03P $5XY`S3sd~lKvSL8R> O5#Ф ڰi\ 2䗵&)V%6!Ef/1Y3Nin,?L2(@pU- [vSxIݓ|/s!Ó9JK/zÛVy۽a>7'Cs"Kt0~?Y4uT2r~`cʼn}PG&5Ag-QF/oF~I ϗ29uS}E_@߱phYEp,RW:4[ƞ W@PMaCcuoKm1G2^]ddO6Y+h<ӆNPQSSc!Ԩ膅=[F\Eޒ0Dz?YH]AY)zЙIn dw%֛DQYkWAlAE-o_+Re>j= ',;z6e^ahclqNfhZ>028q`F:Aqc:<* )H%o蚭>w z l:sXPίxJӃruA4 7#/~8?b0-ؽ:qQm|M7!*Cz2z)co*;X6EGRsѪUw2]j)4Ԡ7᭙l7DI'!PnРjIkc>KR(R F=ka% 1S3%RbM)x*AI5RܮRL gY`1uzb^U`t*.}&b#:ʬ7e|Zǿ!4K*k_3 %"?S"Ta]!aDJ xXaf4!6~3״lK2V!;mjCM` -uj.7QE׉@cw~NV"%wL9ta6Dܼ "|o'}rAAqΰc$cTvh8$C gɦA>+/Ev,X.J?qP/7kV؟%{CKnJFZ} mwNڴψ b& zdC\ŪU=1o[e` r?4j{.!rotBB8pvڣ<8#ko)Eq3qxԱwG]{R7'S"@“.xPȜ:Mftۻߜd@_*u *.BCѥ$P'itdy,-یῳrMW wqLv4xt,xc~@R&cYN3 (0il`sw.W[vȈo:ChfY-ϓzoWH͔&)IrCo̱$S[Vt̆__WTbGcz8fS| >Q ]w/(b hWo>A"L޹(D˴@7 [cAhFUec_i[2-4NbͰh+$I@i8Ծ^ucyNV0t v]ك굶7݆ޡ=+. M= 429@R &iYxeWч%jQU0;G^h|=dܤX_E"/vq;᮵<\9uT0n*Y;Džnz[;;h8&+ 8\Ww\k ];ϥi{N-> &N"hVϚ.G4͊#/b?`%5BV#ySKVss$n#)8LWNR",t]`gU7nX ƇNT#T\ 1׭ k\`EK$h@_yw^%EA[7\Wjq+vڍt܂Qlwfm(T+;t,D~ ޲+"zn+Ʈa|O>ԱpK#NGZӆu[A^HtKEN"G<:?b wK2-pS"놃Fvo&\[XF {9_|H3r>!+W`)I:!ͺBᙑ7ƕw#!j))q4닞ņBo) yÂGݐ:wr|;띝j{!>r$׭?rdA_B aHtRu['X]Up`:PK-u;Ɔ E+E& R>׃H}L qhW0YHobk]kJj]'.ٖ!_ݜɫ-vYkfFQ@O3}"CD'N6o8ᚔoL6(kށA‡B Cnt*`+F›..I(ғDMj6z(*xW_?Foo|D=D^&zlJ'@56=7-Mȁ*2?hu A.q= 8$1~CC#\-Cm֪sosUO;Xk4r'}x~1TΉaE)n'ϻ*,k`<rv-> *4ZO~BU@Ph)J}Z͍޲ī%O4rNOi:c)r 6yO9|>]絲(YiP N1Ϋ$|[HuG, Mq' 8RNѨA:*<Ƥ"ԉld_' D3= "-Sd9- [P4V}-I-y. %oeT:P?Ey>Ú.^6U+2 8M""Ekq/W7nXeƴPI$Y\K|}2R,h*'.0MtҵvnYpܶX{ȴwEJtNb< gж#=ǤlQxm1Osa0g%Z:j.#imR\yK4(LgِtDŽEBۭy4f3̣n78@wݛK= QOTZh=R[)c >RƀX/+:7>6vsSdACj{Xsi#5~ka755Aӽ\{4*I&ߦ* wX!`u)'Ӌʲ^xQaG7ecdPw&ʜU`AYs.zMnN(>9(~)װrbp)Or)э݇6L~VɰXmUo =|a?ٍ#Q^=1~ |4B'Ч?ov̙{@EdIz冣*S6dT(U#ᓙ-UR~Pލuu/Oցa1:uF,dG|C(V;,LK²N?f2y 2)gwm$w4+LGׅR5MV_Em oϯ;>޴'Q^.}v \]TE$wUuZp;tk[uSPlQ9klOo&$O]i<[ ILx`䨮-cp&0ɧ(!weB+cE13z=¦s\ز&2MUOZ&ho6-={d3ocE;n,VI|Ͷzʞ1Zt MOVQGW2^m)~MK*ΝOh-!}i-́#=qc҇$x?Q !lĆ?"-`>~OLPCI7ځhW7{81xK@T|r0QA?ݐ@,&^~n6//_ Y Ɣ5뚚 RZC6Qi4Ƃ=6oIJLÐ4ꟕ i\_6$O!$/x#cC{V#K;Ϛ6&/Ti9o-#*[a4RӣPzZ0Ow'6)EƂB5*EWScg0۬N3En#l6Y5v)+az!D#5rsQ(a@N=3>:Xwm)7O|X}pRHyW{*PV,qH 7>x,'t 5UNd +?N/)脹ݟc_m#n~1/X}PX PYS&k I:4IFv-WQd6$ϗT _di@Ϥg6h7j|^g,~_zϙeB)YJP==4'aTi6Q+OѤHOBL[S?0v %}+O$] Ɲ_IKR`0Dz֙ ojwDBVLXZSJWԖ4R';Q6w*/)3о gvh3]ARn,T30R%=Y( Vp!CiYHj+3M]Ӗ{BɁ=qo(g :OcV%s{6:ۇݡ`JVML"#=5?ܴ[AʪmjBDjTg;Q[2?)u .it3%S۷M[sq4FQ?PY;5&3qCw%lNχQGET\rkǀLlt.ad^EYY@E#iiijHhwg AI'l0pD xF/s'T /ʼ(LѤ@PEgu|}ey"1xDr2jGBmaF5pChL'rT5*AA @`W.[mFT'TB'˯C9koHWd鰫p ;?GYmg?-2"0mWBDHM~ςƒ~ m5Wf[6G{;/>9O,Lvydzyi T@mxzrU|!*tjnZZjcVr TPQh /gȣNFG„^.k+uc<;R)Sbb6ʹtT0ylةcD)fעaSW V^shNˍ0a]5+5+"X_kAyzzw$gX<}ZR<ő\lgzp1uO׺{WAԒw+S2oQ3>-GɌ&WQu8\y0TmK{X8B`yd\n0v$9 T:LFx 5[\Pa*\F>:ĵq ߪeF@'wx9<7FՒHW'>&|1uR&ij`Ϡ2κ164B!+ka$b`:(he *tj}p"ܑDx_;E:qac Jg=Y!݆F[vJ歳fqAZƽ cUUwmπ}Ot^d~I '6%O+@I8=Y+(Zo.>L8uB; 6~Gũc9ᘶS99r'-bl؟o5,gKi殛$v9H' κ=I*WRD25ܥc=yR.D Su$cQQmD2r2yCpo響6Rw S`1- $Y?ǡ(/ ok̹ZuGXOi`zgEǁIn7\K|2c|b?y1@ue[ H)R;.T=UXRI٠+њP2$WӬ䳽~t`oYQ^4.؇!SƖgMp=GW-<: X߁T1:q-xry+7{BnMf:Ϯ;.)>]NpkH72G P`vP Sku܇~q|p^Z 7WTwKVUƧ"6[z;E0 Hyzp(H<<&>0Կg{Z"4= + ;~<~b 䍿؜ozVf4S⏤K^ѷ/G2R &97LڛZt.AЇûV\IefUg^P4u> QB=1'$rDog IY7B%P9$_7" w9 ,7(}r}rA@с_nȃw-Q".G5L3ы+rOM\]H{, w=. 㱵@S΁` |#-A#+ao1}H`&9-$o9_ZNjDRCKj&8d/ÙjQԙFkj Ha1qpgׄE7ۦA0¶a)/jwr,aF'. =(#D#۰^f҄Eܧ8k@~~fƑv#ZA0o`1/TnJ/XP _ +QG$⃁ _] ;aB*`iMUΘ΄p?W;pͺE`]oKT KɈیS`ƚESffLyA/n9C/{ VjJFrL6m3+gA`.U&rU$Eؑ"lS%2d¾VSU˕._KN<6FuQP|V8bQ.2͌"UsZspy)FR`6^k° 2/%G{FVJ&4 ?'&O9zӪ&> Э>f'HxL~Nx1d0RNyYR6@ w4+l#iU܁TMSʊ!-嬻2UE=srB;cO  \->/]L ~I?̭nV(, PDƔ%⪱ufHG61Z޹9n8 ֿHl܏-̥ykk2<ۅt+N{g( eFk3[\3Jw2,ZIZ0As2p?{| T΂sENё`o='8:aoF41F"-}9c"'G2I%ݔI~ ?ZWC<>rA{qFb`xWhG>PJTm~ZV@WѯXCo| k0fm!=jtH!{p!4b3e:\c8g^ G#`[coLdt@ҡT[TְdK4ҩܒ^IpxJMK\{cM&ANr= ,Ĥ/;о[{Hr9%=QP5{͟8_F2 P*ш;QRCׯ}:Bl2>/e"$ε9 }+\=e['ZNgQr g -ͲdG0 -;X~4_A| o-WZm-_ l}[G;3z#mLNٿPA-1l?-9v~RchН͉o>GÅ~g qYg% ?r az>,5jHө1KX뽟y nS k.7"g"M:JEw' ArW0Z(=!pj>GOD~\xcNx|h8p?aǜ ` R4DLwFkƐ s̬ ߙm@Xb8fRD!ir\QI7wܭ;N@6*#`f?}1Ҵ Ŕ^? vakqϾð{Goh!/QnUC݊FȘ?.7!hWa1k>Rf|vU] A2˘Cn:g7Rp>! o/Bokmw1#x_W'is$_DJM*`qi(?xYlB_f/ D4%=~S7T&d秡;+u^D_Y"_H%|5JNw -SO rs4PSŅO /"р)hbwixS`4p䢾2a@|}ۋ}MQZ4g#C)5=[lz:TOZp aV}G$b_r?PatVqr@BuR{Vt>9VPr~t]Zm3p-`n2WN;߃.: )y9oԣ1)2r LR\Q)C$G+2cʇ 0 ):UpYwݙ#^GHu7g >r͜Td CBL/y XAnTfv{G~yӵ?쁑}`@.K<+Ż&Nf}J1Dk\!P %0(Fh:5"Bz܏ RyĆ[Z͸`އ`!/GvГ<_Sm )/AD*6 #wS y6*UOݖZ߄Z(,_Wi٨U p޺~QBR~?  4Y%?sqf g4CAJA96bMA{<Ѳf1tM8fYWE΋&rT_cąhyf5;jSZXR>[a9qg@"ez0?WdsQěզ>[iy*/ب"1;teȢsuَO7f'ã8r0&=SWޅϚ ~g/*[~V#JD9%^!36T Cf9.e~{<<;irTBq/8H[{l@"tSneiHwĬbh̒?n^. zsIlt!D>]-K{l|O|| JSWV"I&6ӼI_<!Hs8Uu(4:zM-E}-T4 =yħ`T"+1J3U +[6m}&*_e[`ِy.G F Vwǭ+z'v7/@7PJūaߊeU P GOnsrCBgΠ[*O ư9Hǚ)Fk6ᩱVXOcCx^+*G75 ό5p'EP_gUA3\Xʬu_`?fWж=a l~a.8&["HH][[l,R(O{L_*Dw^V͊ 6:5:^JqβLXQu~Ao%jC]VH腺T ]G[Nu=w.ZͮY;"#),,\edU鋷BdtM릮 !IuAoxrE)bLbKЎ ]!PũUHF ek`ޥd,7Ą#e241sK>Y#f_И-K!t +dhx>ox8 R\[~gINJH&bq"쾏Yn橞IAئ[0ogd4V;(*hٙnY8CB0b]M}@FTHl"ȫ2+u8 .@T%>۾>Ê }vBU*} *La/Y^kBSrc[g9zJQhrn sVvss ,硏z t~Z9oT3w cx]f7G' FYUXP,$/}l(.Gs%'Rjz1 a؞I?EmZDg(Lu5 .g*^'wo:je_ 4l|&H/_+ #Pʨo Bb/YG{(M.oG/>uXӞST?dgqB8|l{4Pʋ0S4<!Ilݔ \˩Jf6 fARs_֭Pxxkd]Tpuar Z4T0YƎ Efq9 p4Tx~d2Lq_&p1v|nwp ):Qa>h7d#!e5dg[|נOodEeO2Ta-?N> 9SDL|a>r9]6R(| Ld0;<_!^ʐ[Z㤚 e$Nm^D۰->c>Zڱ{ZV1oZ܊)Կ7oNޖ=F ߐb ,,%αT[m C$M De a=(#ڔ[f2Dt|]χ367FLA|@? j^I8ҭ2LMW6@[Pf+?H.Qxh(ǔ#ŰfjK{$+ _y{T7_ofv og9n<Vf~&|{ь̧fOeINԸ\`_ܳYl? |үYjs6`"i'pU@U1&uQp#l ԴKF5* #fg`Th gbkuɡ*^ ZɤSt8js$O˸ƃaj :)ބ_oɢH.)jcpxvw{\F-{\;c[-uGW#7{KKF6+=d~ VZOL?1nCb6XݫVuJ_O2P9Jo>|Hf%4S ԑLīt$o(SHG?r hއ`;z;Z?t x̎")m@`bYBըs";.!K0k|ZXnw[? 3hi[4L&)7r{֡pb^&m\vA_l1j)l^&ʁٮW/ImJM|M mR1#wTi&S k.N0\3\e7]V8i "x+J)LuT+<—r,})LH ~i#3̓!8<ƋRG{Qex1SU&JѲ2 ^ `6ŦEqs){Nvq7TZAQ=!IknWaD~8+pJ?K٦x)~yHe`WdE!pRNW7HB2ZvuMxāqqA7ibѡ5]IhF"yZ 'n2C2wDN橲 y >*UmS݄`/Jj]WsG3q{boy^XÀZqNH2qqG8vn3h߆t#+:dپNb{5wR E-d  ^o0$dqJ`Jheoz<Пhюpհ;1|Q?הUGl(ث;*5}NJmK3M AէNHO/8iGXgǯ>T~OLh9F;~urX jLnyC3}JwyS^Oza.zp/?wTp9Tӻ mLNA[֚!iQĕPkxk\^f"DTjFJ@./-;xlV/kCI P4ZʸY񙢨Ce0qx!2|wXt[ ODѝot 5!^ro3󧀎Y!+zH;\)=e1 NriͳʿΙr#v&0F|NH}QѨ' kh7^1y/Qjƃ$k1uz$mvunQ奖 pƬXSDݟVP8ѫ[a"ؚ@~QBP8+ `kɞg*=9J>>E D/(RTyQEOܶ㗛9.5}ug0 ^1I tq/Czi^?] '?,Դi?|C,ذ{]ѷ fWN%@+$?v87hhK z_v7Hv?{Zy8}]TR1nȗ+`k"hEN45Lq*H)|DzZ6p|DӃk<骩ݏ PAV1-~/#X2:rfcO*- REvbG : cH瘿B_ sfst?!,z>ɱ^*.d»2_|,RIVL>2(i¤RZiJ\g.2P^u"BWdY-v}Rm ڬ {y4A*4; Rψ,<^#7 vA=$ǑAeiUZ K]4AF4xlA#YRH/`#'D& %D@]@$RGOCL꼧zC 5Nrx>CrV՟7u1i\gaR$1N* ߣJD^E9ra+d1w2ܡR5Ѵ8 C~cŬQ;]ҙ)nT.rs L#3SZbCcw'XqCT9ΆutrjzQdx%@ H׹UX Cg{Xz~,0!gܱ U\/+̜ތwp[)6=XeP( LB_Xa"ο/5s Sˠ:CSd 3=.K0hPjђMaQ<]9^Q@ecC1nSlڥ(ϵ΄neִFۊ \P閗aj EU0-JT<7M[Ә 6fIJ*k ndx=.䖩m/ .-2p+ȿpN!V@ij[ߛ]ȣ_ԑ 3#N2S|P0g.g;<&W;:[u(-:=% {x>3N!.xT< v y'l ph`əϗя^_O;yV p/\1!lڝ{62jr`Nu+F;FժurgTP| wxRzb&iVQ/+˙sF+9;yWK_Q0 1BGI`ބX#.#7~32D{(5lhde?Or8My/߽?ԶD,?U9,8I'5;ϐ̿ԍ)y@a%; ' hm{ؗ:;#pƨ:]rfOw9/o](_b{cҐV'*د4ְbBT*aېQm/uN-δg[iӃեTT-rp׊ܩ8a@&Պ1{њ֘^cA$wa -"4~ "dwHdUl|z^)5/]=JgR H}"]`9kP^M&x 6.C딱ل+lK[}4m±'OX'%![Hn@.9]~Hbj}7p UIoUsR*=kj٤0|T9l z-+BӤctk %:#&D:- dD#Z {=mlv**FFqVdQ[{[bl:’0z^ _򦖊vEK"zu!ftOٕBBFcYQVL_yqA(  IDWS> R[wۈmB$"0 XNZqe溸тrx/ l'ڠid)p"Vd:b9]c=4[?2|0^vrxU)6*frT}b bIկ u3+a WQ6xʡX9-qOx#Pb{5a>.6dzlpFHbqlU ]v2@kE.eeosYSV8$`pƋ7ݫ؄Tn'-mJL@7(^hB}GgO?{;O {k")wp=C _$T˷P3W:*_T] ZUP\_X8>zhkPJ #v"$t^cm0fl&f.bXE(oĥqҠ;':qe;mKg ܿ Afܥ,ec %G2bZsme}aeQbi3TzXmLqSۀ2ΡN I4jM1}"NYR)YbyjY|;:K$JBTaR\s ߴ *SA"q`ΰTp,t?Ճ0sZu$fCVxo2uEC,4P֘fLʺZ~z[pBIKx$J-~3ߔuV Λ'Ei:$b (8^n[t a540y_<4k"`)L#20y#^{