selinux-policy-targeted-3.13.1-192.el7_5.6>t  DH`p[z$ƨM*dt[$Y^on,.&ƙ.؄$"7N"P\VZ;цdL(No'ϭa3uQ"QhKL1tm~nIєPMn_ܸ1Y|$>E[R%rFʑ%G+zWbyK?;^_ue5إz z"+x Q YZ's020 f^QmmAkKaYB*|i$ܭq'2]3Ǩ g?-|B1̘Fn좰"@5]>&`G=YО#)9&u1Xȭ|9xٸ 7$kت@C}StZxG`5'ҴAyMh!:aե=NvS-Hl(|#a1Or?(/J Άϸ.fe,-9 q&2J|.o6TE筺:83Ȏ Aʹ^6%)m1)D`I4TO>Mu>&֯!d#mUS&dr*o9-tW3)@#o2_;LR ) (-k̂3!WQt;br~gta"UD#ci}s2EiK] }Do$AKɓA!.׫8 5K2t]EkzxiۭՙEņD _5&·L=P y<ݥP-`fBʂmbPc12>|@;zz7#-la#N*XK, 2Byeu3Cqc)-wdB.IWh\Q 6(>B L`? LPd! - J| " P$ 1 > Y S PL   h(8Y94Y::}Y= > B G ,H *hI DX K4Y K@Z K|[ K\ K] e^ b d e f l t u v < w x 2 y LH LLCselinux-policy-targeted3.13.1192.el7_5.6SELinux targeted base policySELinux Reference policy targeted base module.[ux86-01.bsys.centos.org&2CentOSGPLv2+CentOS BuildSystem System Environment/Basehttp://oss.tresys.com/repos/refpolicy/linuxnoarch if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then . /etc/selinux/config; FILE_CONTEXT=/etc/selinux/targeted/contexts/files/file_contexts; if [ "${SELINUXTYPE}" = targeted -a -f ${FILE_CONTEXT} ]; then [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; fi; touch /etc/selinux/targeted/.rebuild; if [ -e /etc/selinux/targeted/.policy.sha512 ]; then POLICY_FILE=`ls /etc/selinux/targeted/policy/policy.* | sort | head -1` sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; checksha512=`cat /etc/selinux/targeted/.policy.sha512`; if [ "$sha512" == "$checksha512" ] ; then rm /etc/selinux/targeted/.rebuild; fi; fi; fi;if [ -e /etc/selinux/targeted/modules/active/base.pp ]; then DONT_REBUILD=1 /usr/libexec/selinux/selinux-policy-migrate-local-changes.sh targeted touch /etc/selinux/targeted/.rebuild systemctl daemon-reexec fi . /etc/selinux/config; #TODO: (cd /etc/selinux/targeted/modules/active/modules; rm -f vbetool.pp l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp nsplugin.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qemu.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp pkcsslotd.pp smstools.pp ) if [ -e /etc/selinux/targeted/.rebuild ]; then rm /etc/selinux/targeted/.rebuild; /usr/sbin/semodule -B -n -s targeted; fi; [ "${SELINUXTYPE}" == "targeted" ] && selinuxenabled && load_policy; if [ $1 -eq 1 ]; then /sbin/restorecon -R /root /var/log /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; else . /etc/selinux/config; FILE_CONTEXT=/etc/selinux/targeted/contexts/files/file_contexts; /usr/sbin/selinuxenabled; if [ $? = 0 -a "${SELINUXTYPE}" = targeted -a -f ${FILE_CONTEXT}.pre ]; then /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; rm -f ${FILE_CONTEXT}.pre; fi; if /sbin/restorecon -e /run/media -R /root /var/log /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then continue; fi; fi; exit 0 \3q.@?s#" *rX$.!w (#c (j-/M8b|-z/( " *4S$p? >)FL%?%1= /^% %1hV/Z/52#$F$%#!!"$h%5!!\2"O$`">E2^ &0C#7! 4X!M , -z )  'A!J77 ,*8/;z" *("}!'K '@_ + & (# - 2" @(I&h$=%E!.1l2!; 'u%w5,>% (8""9. r'W  (k$ "'%f-F #6$?2H7z 0&|%n%b !' ) (J0 t,4+w"#`%3)%Oq  @*5"_3GG}{%  ,h% d1 ""<B  ( (9hO!,l )+ 6)R$'!%# 1( ,X -& $k! >!Q3[?5 =6 b' $(!!`#h $i$/X&"{CP2L!G/5$$m/#F$, ~\A+:$0/&.O>#' (9"#~|w k1 4S-&2 *]%v u. +! +D t/ _^$+?"# U+%JQ1S 'q u *n82/$H0rt%D!SBD u,# V( )3g 4".OO$;0%L ,! U*dB"9n%$E4lt! )*_ n4}P$\!#( ( &#u #s$ )%[38#8l S$0%)K/T# &-$$z%$Mxh%9"% G.$e!/B G&8$o"K" (`$ 9(^#x\, '"H"#&i%"GFD^{G&{ ~;>$Iq>%9 .(#{"b#tGrG ='-;!r%g#+.*!f.p |' ) )^1T+UFx1y * y& )V9:s9:sjjee ?\]3qM!J59#Ba3>G h9:s_j0 0fs xNA큤AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA큤A큤A큤AA큤A큤[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u/[u[u/[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[u[uE[u[u[u[uc5fa9d246f9acd9b7ba6c3e93e0b8c74d1ae10b8c003b925a75728f6bec2b9e0bab5ee4df3e95905a9287de62ed921465a107f2571992a977afc70ecd135ac39e76666fd3e7dd6f19d33c62089e487a026f62d4d30ac0657157cad25f5ea8ba28da3f2bc8647894c8d5a567fb89bb3b81a8513f8b013ed9b794536953d2d0980ee5384ad487470a91938f9bb8b08e8bee95e44950349152c022ad35450bdc4fe74ff8da531ca753641b201000b4a014aa0a1aa3bba5ca77b7d1faf05399b3f1c9c0251fe15b618ae05feac837d165c5092a291e05676cccd42224106ce6b8d90d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e805bf6df921ca597e0ebc8c3a5962612c10306694ffb0b91e0d5876e9304472f3991be23871f8d3d157c1e79f96b428f5adc98821368b4f86163704b62909cb2d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e195fef40607cb0c98cb835d83d18ca5889671f071e13e3f45e9dd5334f3be500354819772f93e87a64af7945c0f223ca93a1b3f1f76103f8a2a0677b74f9c52dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e997e28040a6f2d194aa8f0d5967e887b694a21f07bf7cad7f8b1f22b28ec1110e4509a2119ebb13188ec75edfa4eed0b2f81cee3fada7c7fcb88b8f190f1a708d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1630c942fb5831a8a0422b0aaddb248bff1a0488a27ee9669033f81ceeffc2a70d81638fb3206964479a0a423f5874b8a962129dd5cb3b63fb04e5f1fa286289d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e33a819d1d3787b6a301ab5742c4f9b24d08851d8cc35f337b3f25773d58dc32fa01df1443c0ea50aa18f7ef144a2370abae798b75808db7df7b120f0eafa32b8d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9412f4ae4af0d8623cdebf56a224267d139edf91a47e67da89d99e7359654b9ea311af58e8c732da446999e853110c4594f56fc96f909c07037096a9ce2a3d00d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8d725307aa5fed3b8d6fd3afa1c851e89f77ccf42104a826b3cd42821dacc041cf314060868f682412a0bdefb4882a858d7783181072048d91d59837b52a77b9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8f322605948dc2fd0f47c0d6f81e64838edfa321181ac76cf77b42e0ba66e3db78fd4dbbe71795d8167578fc5cc54b5676331d7d4e4f8074b87343eb4a0f5ee7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eea78809195da4edbf021b91a2b3b2cc0c7b46668e56cf74e67c717245608444d8444813dfc4ee336f346ba7f20eaad55bcecd2ec89dd4395123fe8a7e475ac9cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea3e9ed257ea388336f10a27d730678b2feb39b3d532980498c2532e108134e7b1ef46bba1d36eed7264dfff98af2748911f0f671f3802d71e5790b58f333e229d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef28e919314d5cf80432d0971019c2c81ed7558f957d4cd3601e36c48ea25d17bafa8fde22987b24745333429c93d71e347741b1b9de461ddb18856e2ea7424dbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e055ea35b9150fa7ac6dfbcd0b6471c8f4c4599fe7d2a05523d32b3a3eb5422bbd5b06e080f83cec44259d899c58bde0874c8e6c36d20c4e67c4eef8e80d08fffd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0876b34e3da3e1560aa1a7763c1ea26ace351473a89da631f14f11266a6c8f852ffb0be8ac1e30918e6b1b150492910066f3b0b13c92c80d8278ba381a326924d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9b3b74e92635381accb283e05a6ff5b3fdbb6b51aafe667f412e3a28aad834077000a1c2dd017634460c57fbf0f5ba5cfaf0283f75ab7117506e16cba2c2e2c9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec484dda3e23c8013c01e5730e940248efa9b0a6ca22370bec7fd3d8c3cd3668e70cf9e0e92524477ef1a244e063a608f8ae5692eb7aea5a4bf7b901967bd1259d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eeff95ba93dbd6713201bd50f47939c0725cdef09a116637e8f4ce3ec388ff7c6f235f71658c12547f4bfa7aefdf694b448599c4f6a96fbd5b7ec5e52af6a54e0d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e51d7e9dfe5653c8c58a52af90c561b2a27f1a24706bdd77459ba935cdcb904e40f5a404cc14953d642cc761b18581908cf35424a3e18370813083b40b1a15b8fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e518f9d9c5d594d124ca11cfc611908cd4f02d8abc879042c8e518558aea7f23a864313e4ec448a32dd6271eef1cafeaa7fca598caa21a8d5c15c9e0039a744a3d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7b9d5a3123cb5915ba272cfaff7d085ec8e6a56916127612b89952b02a24556c644044c1e782d90e72ebbaa01c383c60e652cb487f9dc7b1cff3a7ae244f977bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e20cfcd301f9917f6953f2f9f43d49e7d4c51563cfb969c1ec7af78e1298793f5b1bd056a55956219d9e33830c27abf2b3c315ada79de269e3623e0f38ddefabad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8d35625e74227c3a7a0d14a073a88e598ea22bb91d719e30a728764bfaac75c019cfc43c2cd17b56732784cffdc438d9f0ca564ecacd10de60c081b6f19a6818d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e93cb86d2a8e77a77a1805fe0fe4179ef9c8d69c4a4e7a27c3fbc8aaf5a2fb82f13681e8fcaa4425d4661133bc1586ea63e44906b8c7b983f8c68391994c6d2f3d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed00f22e6f4fd30eca2d8938634d6fe539a85247b31e5dacc2d536b323180bc85bb34793ba56cc6e05ba20ebf09f3b04d51160be6ca685282136e905c5c11d2aad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e30d5311da75a71a5a3e51eb22990fd1848f50de74b6bbb1c2c5cd80a629bc63c251ef80d9962efc788e89aba70ba0a8ec8d1440840d9996be9bc01fabf654c15d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e24d6c674b27710fce8e6442eabd5c1392ff752c4fca9e7cc7f018711898b250575cce56a3e1dad1fa1a221773074ef2f6ed907b4a4cdf01f31c31c23a7109e21d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7d3db2b3749e2a64035391cfb48a66277786809227b4055ab083b0a58c8274afbcd4c3f1fdd6be1dd5cc63d1de656ab958e338a1743596accb61bf2d5e2b1db6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eab18b4bd0672d9750e5ff7c89baa9e257e54958283909d221d97faead53ea8cb58f789168d1c216c205a655c9b4cf8dcb46610beec0a2bb49e9fee6f6f4c7f39d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9d87838c0570abd2a14826b2fec43560a856b66e0e742d573cf11f06291d2d184db9d0b557e7d161ad3e584c6ed90a8752681bea40a4f620f70d160a42746cdad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5db50719f62e7a8ca12814fbae2a57d7a6059ab24ca7bfbf266f571709b84b9d7375b3d383aaa4ef386a42555419a1766ced81792ea613450616f25fe7f9d10fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebf878e6aa0a0d69bdf544a096173363949bb2d07d9cfce9fb5924cd83d5e9675d9f063f38dd4e9de7d1670609f9ce421916973224845493954756f5f1a566843d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e29f0bf5bf5cce63e0b2e18ebae6df8e235d886871e5a271335d4bff3b21bc575c2546fef8e07e355c7b6f60788afbc4365201a5f35749b3d2c719613831f4ffbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efc97ffb0c2c03823f516f146f50d8838b5507330586aef56ea5d8588f254d9b52b90222d9d7aac282ca438c813a73157d81fc405303aa21c071425a36f53a113d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb799d83a329c5e405ee47b5b472d0c095ef68858ce971fc7df1d023478eacfc9e42193b1c694227866021142e30ca59dd241d59efee6722c779135c9dd50a2f5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eedcf08da2f4259b9d37cf39719ad097466c3e118225e10efe8cd822976eb63c54f18eb898a1d757c9c9a1699f35ac845ea5c4b98fbb6e63d7ce28de692f5e12fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e384857f401df4db6de12208d7a9cd7049d9ae5ab98214298cee60ffef5a89bbe400175ba85bf5051788da78828620ce7fb3f4691d6ed28c0474164e773fe362fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e78d5792dda8c4bd1b2f508fbbb3b6e17a61efc7ed9651c4e90bb6dc4bb7642d1221c5ab93840251ea423767de9c7ea6cb1a4e3a6b79765b5de60f3c5d6f6bd15d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e30b50469a9632f5b0a92505297654db235277f4fd187dc97ea2b8cf3ed8e130523f650c958c965a920924807a32365565937a331a63927a7fa9d8495d6729c4ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34edd6c60d4c9f709ac67d52a5a24e586c62ee1a2ff489a42c5b863c6431eb6f6eb313b4224b3d23d8e4b54e5254c55fc553256bd512aec7ddfab55ed319094222dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee5447c2539ca05a79b92bc3c6abce9cb85ca34d470134259eae8fe591c80a7b23bfe85061a90e29d76dc367b3f6102f886b25ab29477f4f8ba0b3f331b181a0cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef1f7549b11f5ef6eeb83fc6dd377424262caeed5aedb5891674c76f62f281d46f0a376c9674a457acadad82a348bfed3d6e84183619b627a42b9367069c88973d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e66dc814eb54a7cce7b8c802d11d258c4b65406197ddfb13789c6c1a17b0229717bef3ca142836e720dc17cbb7f70cace34240c765a246b024ee62ba8d3c006c5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4bab8ce155e58ec058af199fff032dd432feca9eae3b398d2d1005ef42af8b4e643e7f98e39f913595b67bbda00c473eb67fca6b97573ebb1626a428fd96b177d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e835e86f30f844110cfdbf568b3719042cd86448d4b21f825cdec78adab6d8d7bdad59eccb81e40766b7809a3d743dbb6c216027b6463def9b5b037a92eb38595d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb177a77ff576f80ba13de1f39893be2201fa8e1df4d2362ec0022f086d2b05388aef02ca2a340848cbb21716ddaea8f3d1ef7e7d6f2d46ef6cb79344bc537b88d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1303ad5fc8a5bfc45f059d3ff4f46639ed082fa1537cc5543745b16c735f536d5cf358429bf3de394c06f9a24959c79a6deea47114c4177d8950cf25d3209440d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eed32d8aab7198be25d9c902c94d1be5015322a03239bd091920b64e3077a1c80bedb77eab10c8d62e143c3fbfe9919c734f34f37cbb4ecbf1725523eadc3381ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5c7421c96b66b06da6b28a6907def12cd4158d0bc96b8d722ed0b2fba15511594e8637a07f284b559833c87edb476a68d5408e558418519939bc01e7edbdbfc4d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e498f68d64af8c910b35d0950b7814e0d9c10faaac38ff7dcb058bb70f5407657cfa399b2bd8886f4f81bfbbda6183c6ba66cf2eb4c67534ff933df1b9409f1cdd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e12ad281f66fbb3f3ade5dd4cccb38be6a4615fd2ab22703a66de259805bb89437ffbb5da628378816b8c80d2495c7031ce6a7d79fce570a0f7c618d1d1551497d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e756ef3add772c3d39fb3e81a0750090209592fdf0c5f831db26011c2b0c9aad16302aa95cb0033feeba4700abcefdee022adcf0b2bc74cdbfc21925f86ef5946d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3888626b14603cd7d993e5d0215a5007f87e1e2bb885da28ec16419806ccdd00e8e38aeff5b75900739125bba31dd288c99c9138adc34f64d744c26e7bd12e4cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1873c707386db830636c782383cf3f2c436ea31f2cbffcb188f8a649c22bb8e5c50f658aef6ec8981b9a2384d453baef4aeedea184ee75a65661ff27e34c65bed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea3b3f202142291503e7f4595ead68d635b1a18b1e4f6dee4a8127d071de4b1a0d82388f131689b41c277345113d3b725c54f044d6153796a2964e7da4075d842d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34effe7a9b115ac4a4d8aa0f55b1706c152683b367ffce6188b958f2cbb7cd31f6a31acafb28ce08b73b489b8084fead1d1a2f081a5c8205ca2908bae3bde7d80aed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e68908d6726077db657b8192338afb0d5e714f1ee7ae54883137fe153859f37617bd6457d9dc60c194b6406066dba6f5bc75f59ca561b0c1916393403fa3350dbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e497d2a1a47d13def548abf7b33428002bbc88d16f9c1b731a3d3cbff77a64ba8225f0487324d73177be15067e46d84d1e899dc909b26307d803f302bdf61c196d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ecc32f4ab15213087ffe7efda3e59fc7413a00110245d9b5d10502c5741cb54d868ba05138adf7418522c0e33b2b52a82649eff8fb5077279b2f6c4b7e9416465d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1d808df7499ca5684c9ae074629157a1d364ea5aecfbf0bc249d1307638f45b949108eb9b13bc1854539983c4e7bef5d1618c98ef9ec08722e19bce0ac2ea370d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e32d34e0f015687eaa92c0dd93d5d6d05b11bcf8470e64ecfea998c8b5ec17c66ef7cc38c3d6a7e38d3a4ef90083b338f3331d95e525a10b80291944b1fd4a980d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed8f9f8b5dba61b7c52eebf7161e58ad82f0af6afc398a895219625358d0c83c0224b7112fde03ca119a2cd5555b91bd8206d5aa5ac6f2463f5d6cf087fd4e19ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9ee77457bd7a4c0612a0ec6f769d8b9fb430d38351c3d01dc5f34793a276068525909e7e98b3933260704b7a0d18ee31b709551d659050d171ab4ad1292e4866d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ece31cc22d2ca334137bfdb871ea01df26bdba5f6ceeac0ff22fd0de7fabdaea80b3a08834c4dcac07639210b10c6d4bd3140645b33f419bc1356d8f652b31687d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1d6f0a672151bd5240de43b6761c697156fe6cb785392fa73bf0bcfa090b56dd5ab78b97ecd6bbf4807a12020fb99b8031f9744f5662ea003d89ffd4fcea4751d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eca5963be0329a3d878c82bbd038d6361096680cd150e0e8bc2c87ca51761ab2343423255a77c588d10143d6b520c8e6d58ae56b538e2d7880236be07435e3b9bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6ba8935c7cab2f28c6a96e4395c72b0f3995a9e900b9c56dbb71b377a98d9a877a10b02113babeb3b85bc79a963a62c8b36c5164e948ca9135a5566ecf2b56d4d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7cd72a2818c03e084c793d21f31c9e3942bb8531e21063082173e3ba05cb12f7edbb00d4a960a51925ddfe28b850321ed10fda923613ea4162a2128ffbc06336d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e550dd1772475b8a6ef51510a4a1a289acc4bb59505d53929ab99d8163e4ca23c0fdab854a8051a045cb2345eff9df2b879fba38dfc876b27dfe513ec6b0eee21d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3b6a398537d69233d27983dbaa825597d3609843ae7eaba141998b89612dbc568b31990df8b657a4e784908a394c0c5a22f422cbcfe0036f30f00a9c4f966be2d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec2cfcf10ab145c7d046f52b4358c34c4c9172d1acbb2f140456b0635d3c92754567a75714babaa519f6ef578c9354023b3d0ea3a38b31d6c466dc00abd0a887ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efe828e33e5d73dde4916f1464a7895ef6946a0f9aa504f492eaa4e4d6027fd56cda543a7b104e2ef396f7d27794e41f881fcfde73665e2eaf2dbb05b3b440a8bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef390ddf696c96b64b51cf6ed229bbab6d080690748d0c1b616d8b6e1d084515c582c741ad91ca817b4718deaa4e8a83c0b9d92e2216c8d1fb8d624f68fb6bc0dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e66851a7d8ce5a82247bd3cab9b9fa4df18f9b43d713ea0fc47c69520adfd871641f7da6589c6a2c35e268c4b563d32c2bc0399fc03fce1475f2791ce0e42683cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e115d7e1db55fb6e10b8b03f482c4e06d9e8101d6b832bd6bf23401fb896ca5d141999c1f29a7ef62b2812052f0aeb344227825891768971847ee823bdcea3b94d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e64d5f62ba44e20291cf1a83a44ddba427d7a6d1d6587b840baa4f1ffe99f70649f93de3ce5198ac7cfd3692bf813ee80a42509540db8ed73d3c4e92e65004206d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed518f5cb66b18d7e5b7c0bf537fe87f8cf65879d76d33a978511f0ec35e9f669d20d39f796e2a7e18e80088a104cf043720406134b2a45f600ae1b3d73a71564d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e233ee97ca1f5b49ca3a0018555d27b4befa80ea371e906dc6e3505c4423d5acd0ae66b179f9ffe3cc16078f7e278c257d1ab4b8008c14aa02ef8eb4cabedae35d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e772f42c2ec6217a49775ac3842c2925449daa24d95187fa782c269b67dec1276dad2d8b69a966ea0e3e02397ea634c95532186725a3aace3f5cd88c6a1dd9b53d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef58d39204a30a0fc7e57d931d94b7914211854d985d17617dbf48981d518bc30b5f13e5fab59cf90d2296aa67b9cd9b4ff0bc1a530db9420bb694797fdcf1a8bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e93e7b3b5e99cb9cd8832c7e7ffe79514f8cd903e440fa5a1ecfce18f9146ca6354043ac1f4064c88317baffc95d6b2763a37ff0d545de252bfe263bfe72ca120d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0f5f1953707caf8e7c666f2b6243fd17d9c02d727292127ee5f4d47ad876ef3f25424e3f59c66e566341519bb83d3b191265754e7195dce7d8532fc5185917bed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec63d801447b01a76a03e2943bf661341a15af298f0efdd05620e39a2a138e52d1b9a6cc35f14a240fc15a7b2f3c027eedd7c3aa09bc5143ba57b8b51daa1b632d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e862338fee28482de998516c68dbd282dde544b5461967f5aed95282acbd73574b55ee5420f770540bbc60b583e6b9241d1edc572729b7593c7b15ef2148ea4ebd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3228e2ff5f4d69d7f46d0e5e228e7f5ad22cc09c896f1f1337fad11ac3d911507ff24a9a9a64765c433e7bb4133f7d4675e4d6daadc0bf2952e4b52f69eea260d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e66e5c5155a25a885906321e0e65c6c341a9420eb3d539729fefc5e2c2d5cfdbfe07a7a296288602936b14836846d35c26676dd6cab52b84f2266f190c3432819d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea764ce42b04e2f96ee3c37f6ea7d6198c3aa4b222a78049baa48d37b33dac977b1c18e33b251f1dc4f13ab2aa3d1b4fc8a7760e64694480d7f44b16ee40d9a01d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eeb339692049a912f63fa2232176fbc76f546d7d7fe9ebc41a0480fb7662c8ed0def13005d3fae7befeb065b72171eba27eb0d202777a0547ec506b904ce0a372d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e23e28283b4dcbb9d947f4bdc53210738317613ab18b69fe811011e9aa48f1aecb7cb20515dc2fcb2e875564348437e8fe0dbb7aec5994c7790359230725d7753d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eaa9ee49fec05f0d91fd95447bc831ff2c8790589a4228352184e6b8c0c48554ebaf2dceca6824a1191a02bfa59b94391815bcac5170c699e9c15e181d3872e56d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6fc91e04e0e3746586a7df6b56b345e97dc47d619fe20acb368e8de37ea72a3b1d301ffdf11dde169f50da26ac50ab26f1bade769f77a4cc08e58d0193db4f59d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0e688cc5ce4bc986ee674eb99838c78693b69a663dc5d5793644d5dcedc4377d13744f335adf1f04f080fb5546874486b7bd6b4bf954f7ba9843f49040056380d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3e639bcc9dceb5672144b93ced69a9132a96ded992f8d99a6019636601dec60088e6e71266eb0816fea8701211fbac65afee72c950d62bd8ede36bc5b3cbfd51d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e134a7ba4ff8e20faceb427f432a1b392cbbb74c0163f490fe37868b6f64d58453fd4a149d172a25e3739d42b2e34f3037c37d12cb2f2ea76a3d1f111a24ae720d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e863e608231e755b8c127a6190593db834cc0bf877269606469cf1f5f1f3a57e9feb16117a3758eead1754a1c9bb64aa010b42f281e57f5c027f0b3d420b9678dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6116713dfa23e62f5961bd7cd0ff64344f492aa9a999550f35cf4722693e6fca996f129db52924b52235380ad8e3e04c4f93a17dedf872e861ad20ce72622d73d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e56e8d4e59d1590acba9ba95ead56003a6fdb5b3a0984ced2922ec5d8a8451ab7c30312f60994c4f77ab8713767c388ceea159d3d4750e5f77621d871da9740a5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34edabcd3e70decc72301ada63a77df94f24824b4608a65cf6860674e22a1872a0d49114b47c96ff821cb904f24fba26520f1c77489bda0a589e0f92df9c33fc0add53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8d27a34ff35ae5a7dfbb3efb09bf108c918a6755e3eb45d620058b8d0e81772f0261f613cdf4bfb507f98ece5f35e7fb25f1299d69a43a051b36dc0af50e1c1ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ede98db67cac8fb643a22d141e6b262fd515bc7b0af3c32bbb8c42dd78ebeb82c528415e84829e4403234416b1088a7f3b47af279cd7727e191e1c4c12b484b2cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec52667bb86a97acc8c6e50250a6aa4f7fcf5dea4c8620a3016d28c98ca3c2482b05de439b019add7585e73509a6155d054fa9d8596ae967f2292d09faf5760c2d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e39d901214b258f31ed8bb722814896081f224e66cc776344651f7ab64e91dc610cb0a3da7343bc85c3eeb7204f6d0719bdc54c318730ed57cc5ae1b0f0f79ac7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4f96de17a6a82971e86d44aee328ee0be82103ca61615c586d7d8d3bd39fcb0a4d9242bf45003cd8382cc08818c3ba1512c20b99201dca4efbf2c9ad85a750d4d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1b9dfe8db346a4257e3c18baea82033a67bd8198c54b5c09f9f64b52909a690a3f5db0981bb6d74003df7047497e6c0d09e9a0bf5036c674f535f6a82cc394c7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1e4f051f19f74e0c190b1a133776d1493ae71edfa2d8fe98a90cdfab39e72ce7c5a8e931536f9015957f18cf42ba9d826613ef435217f52937fd22efaa6b10a0d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb730d6be083335a9268ad423d726e9d901d5d4770e9ac17e8d3155b4f577cc934c286b1ed2418769bb42baba1dd77f9452f38c8ebbd7ee54e4c2cfbb5fc0d3a1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee6faead9c6e24f27bb318282421311d48a1d8fab849e1b25f9fde4a7bd8e555216a4053e86b8e70d8c7d0afec5abd6d91844fa829b1770e199c68eae3a5728f6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed02dcba9af5c805ecdc13105ef5e172973d3e358f0e4d705b2d15434a1d01ae81e41ebf8aab5a4d1f52dc8fc9e18cf2275644031ad334bc6d6948ebf72353465d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7bb2d1c80fc1afbe3d20041938889ff86ffb9027e412ff2d28d00f1358274569266fa31e2f05d04a7aa7c210b1f99e133fe528d77fe0fc54294d4c33ab81a932d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e695c70b604fe47f7b2e51b9a27163bffbf0c98449ab2cb554ea4270418345b16d9b430edd7ac15ce50b44f9f8a1400e4aaf6bd284a1078edb9da79b6b57e6247d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec29b0c65f634c1c1c5736a204494487089c98d67be4ea062635c2d072f978adcac49adec9acf8668a65e89e2bd7ab8af8bd2fdf7c05ad8199ff8d8327bf9782bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e33daac22add0f07aed8d09dcc978ac33971a2ccbf9f106353b736c92a3ca210bf46cd70d4794c29f83c6c1d53aa69d9c0c9155d0031f3fc37ef5ae1069d03c5cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e11086f0e9e4619db5afbb2ab71602156b7ee7574d6e9e9fae950132a5fbe95903483249ba0d8168a6d08da257c88de785a5727c8743e82b7bea418e097ad63add53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec7ea419ca387023423ad450a2a4e9701462f42b6169418587691931a5b8163963ff06c9d278414d411ca234c716eb4053fe833bf4b4b8782a94a54a4ca88c738d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e85297b46d517864c64bd39ca3344eab5ed15333129eba1c97f6b78af51f661847bc0cdfd065fb80727016f6a30c75a4e6a7ad5f8150740528b9b272fc34c1116d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee0f730a35a102c672e781534204d4268114eb98b5d8016d992480229b0bf00665955fcb23916ce81ae75c62df8570edfbe8c806a76b53c7a158fe2d6cae621d7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee1458beba656e80ec5fa77d825cabffec375d870484c8d6a445c259b5687e8b70c5e83adf89e636673c7dbe2b178c1d43aed985da961525a21cf8fef9f0943a8d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e57bb232ea7ff39b82af22314a23b4a536437880b93f79ed8872850a356580eaaf89c00ee35901f2571d1a914cedc5269ba8a8aa5a631043e5ffa03b16bd2eb07d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eea9818f1abd96d4f4701b1e2d3be0ff0955050692d7a999ceb39d6d12453b0368ff7c290a3bbcb44a55b8ba78ed4a9d04cdab68357d0d6db0c274f83bdb1714fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec9f8c979e2091d2982ae1057f97546b8bff4cc50fea4d3c32d689e05e099cbf8e497cc72be7d4577030ffaefaeedc0eb2464e564cfad9d47fc3fef81f54af07cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efdc99759f8c37cc2033ad56a252916dc4ab3f7aa4081eef0dec6e4f3939e4f6ea5a28b3557274a2f7a14f6b9e512c4a43fd3d73c604d3c8cc1d7179921d1ba4bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3cf61a64c6ee55c37b9e6d8b877a12a48b86fe44b6799fe77ebdae537816bee42aca6756c041093fec4e76c8b95d50b7da401e8aeb1c8b93b6748e141a3a8fe1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e089fb6a3352c6b30dac672e2c6bb98291ae6f777185ae4a093226a89aba0e08f12c8b6ba1b918136783080edfb3dc8a38ed0f0c4ea1b86f3c57871eddd7b8a79d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e2e80fdd8bc0f94c3e0a7ef8f244ea51ad27bb1077bf94a52ca6afa8fa648d6ba2447e98969131ff13134f2d943ba029ae9e198c8cae303b07044d5fe50b83bdcd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee016105a3c322f317c3272e0166c45d7f0d84be1fdc8d3508c3890b31f0eeb5b24fa6e243815153c3877ce029d916b9403d8e342221ccf840fe4233282def1f5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e850584e1a1867f2e66dfb3d9e899ff9d10265a5b5e8d082cd1eddacaa18ff05042f35cd44f6fd6bbdf8916e32d59f86e777e4a8e410bdb8b13214107db03dcc0d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e67c4251dd10d68213801b59dc4a633078b6f3d851eb6e74f88961c1673f8444b336bd3df99945da7cc75197ac7bc3c091c14f7604b9e47423da34c56930deacfd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6d054e2a442e717da5ab0bc9e73e1b1ac0b6c56cf0918fa78a2d486d6a1d7aec13e1be6913d49e5e08e066b3db45f1df97f63eb2ead5661694ae355caf0fff5ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef264df1106d4e855d5b03a6f62a24b50b054f608cdba5764b1fd5800ebfd0edbd27e2fcc802d08940ad1619e8cbc60135ec3cd9ae919fcfbb990e38e5993a90fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9636ce62475abbef1fe18c0bd5e67dd99724cb4826e63dfc29cfd58a74f93f6bafd5b680f01fc91ee1376a49c5e399845eff09e31610ef9429046bf4e807f1dbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1d6614363c90f86a92c9f7720e9dd4f7a4de5fc24434443511ca2ba0ce3f4652a6c6655db4c5f52745b473376bf51c54f7c447e818ca0ce1b7d48006cff07cedd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb15269ab1148ba5986a4c58fe7d082d3b711c669bf1c8fae55754a13572fc74fb7b2dfdcff9633aa30c7993a20b640b3d5bffce920d8727ece23a7c697a397efd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3cff8224f6d8b8cfd4c5c062613809f1488f14d717c7797be18b016e7e6d0e69caa3836e833d17f8c736f1f27db19a08b09bd486a5d9cf7dc4bef6cca6493b3bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed38d8f15d96734ff5585964e86499cd8757531142eef66c9a294f937aa647866dec27fb83a4ac15c1dad21db7b01c2694f369677259a98e2b4d2371237442d1cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb9b784531d8aaa93fd073a04d63978fb8c9c097c97a3b5b83022b196745cd0285acbeefe88fbf5052f90fad302f134436e740da99390d2620a5f0dda5a2fc790d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efedbcefa46d7be5ea15b2c42280c2f2601a53002997136b17aef8b73c7cdebc469e5fca535e105d8f9fdbea5aba123ac35d1b14e7477294383b42276d895fe5bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb0277ab471790b1584acbb16057e90699f94cb0c49de06ff8b20afa00d33ac92d53557ee1cf3be2af12e5e372e01ddc15641a191fc9ce7bf622521d7c9eba3dcd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e37d7f55d535dfe7db28a25538345e18a2daa4ddab7e8915354371940ca585e0eef64371e65669df92ffd5f7623078aab6578010a205f75ab124374f348f0526dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8962d35259a359771ef026b51d4dbe6976fa59614c470917d1c559296890d70306691d250b1f1f16f95d79dc633f858b2bdf8748f6e5b3ca9085b3b177fd5b1cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efbe76b8bfcdfd439f21f00f3db657f1dc9f6d4413f1df6464e436794882b847f9253d8a14aafbc81775b52a0fde88e7e27d3bbfe307054eb2f08cb060df12eacd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6b35ff3f4ae6cef4b6e63e98bd83dad38fbdf05d1db51aaba76b7ca74ab03560d02002eb8340c5f614759dc280b77ba4db8fee8196df43b66ae3aa3ac1f2b1ddd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e58e349b0a5ae64a629c08cb8d53f0a8f8d57593391fb9f7d50a7728491314652111be0c5bffd7913ebad70302a5616d41a8f76efa269081743763b75d55cf9c2d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed085d83394bb1d2342a12b8d6c2d17bbb6f281028018886f2ff51b3967acef390bbaea6d00f2e2f9f7527a501625940641705c9b9404276915b554048828cb07d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef07a3a38dfb7db2ef0c12d79cdef5099b3164a5a94e3e4ff5877dd86b03efbb8ce751d192140d0505809e85e83a2c282269f4b59fb4eeaf20c78485b5a21bffbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34edcae8f9246fd97301d3b571292df06cd31808b83c64cd7c2712fbd8d93f7594e208cab428143ee291538dfeab905255801dbdb8d484ac4d41487598a0921a8ccd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8abede29811afbbaabd283affa733b4021be7b5a2d12e3a9fd4dcd3dfd6f360e874dd94b9e62ce4501e44311a5c94392ade96779fcb3eadd405c2f8010615656d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eea8fcbbdd4411a7731257496a1f6f11f978417ffd2408a39aa2b25d20d17e0d5da054c7956445a57dd43a7a50ea112b61ef432342fdd2d13a850aea33356f48bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e450e096dd179b7cc23211546f46131c966636d8bfadf12a36c12a8b16bd1946504df53a5238211f02b226077921d20497b4361452bc404953cf70de2e3c4e2f8d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eac2b524166a389fbfaf7d29f53365556991d251cf0526f786a98b388203f18fb0dc6b4f6f58e08c1d73665655c0fb1f1f9b98e0e5933c5340f6e9611122be36cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebf0647e395e46090f8ca952f4711ec5958fa04ce2d1b30f53ec2f614e19764d18cd28f526719f75c591d7551afa31f373c4ab444c238ad44f3c3e1e84bd0ecfad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e727a9eb980819fc5c868c2db04655ecd2f35a6241cc534223b62bf8413f469a869e1adad2ef98125874fb5def9a6b2b2cb158ac7916eb95cfec671a028183ed8d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eef3633762d5c36cc8eb84b3850605478a7d97a41b9a3c2a9fd834114e97e4a76ad122ec547e72f753daaa7c651e5b13fac577326cc3d5af2376f89c5c91faeead53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e89786b9799c008288ba37488060e4fcae8cc0d02f9e7836b90805640e5d2575d712ce6a00f46bcb80f76b47236cba9d9528b0f554e21aad99f6590fc1b48ab73d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4166375c3c18d83efa74d801264f2bfb96a73bab01393499e6e0c11f197f3871dde9921ca5562aa33771c4957471a1d6ac3c1c5fb15bfb0a082e5316ef7ad4d6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee0cb19f9ff68ea644012350079e655a1b50a074a65d345394196d3db4b6903de05b94c793ac7e87dd3f07bc3bf1f17ef62f387bb124efd5554de0a3cc0d0345bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eef6c2973c372d52e7742be5a50974aab5d5dbb83358c6ec0d1fab4b58da7a95f54f76e2eb3e27b7b1183c31558fa5b003a1d39c28987ecfd51992ab21323426ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4d5a841b73cb1c34dcb6ccb7ea3d7e5f2eda27679abd905b7a83eecba78283dbbc94d7c3e87913baa41c81e47d3cf5a9c7633e48b4b57c91933e4f0b581df74dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eabedeccc3cbc39988b2809bd3062edf7779929ec907977111c079b133c66e4b363a4261304bec7c713c1ae182446c0f3615664c7e7ddd181d284e97d2d0ada25d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee49f39ea04c89260e0305525dd27332b4022a05fb992076b64a5bcab437c9c8ece772961606dfb74760c94b612317a476b42dd1cda7103ce5377ab191497bf18d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eddd52f7d76a76f5ba778911d2f834757947257b738fa1497c3a494cf37eb3fd64ff272908fa6c80d9c28f8699fd5e48784cbd81189a770b23fff99bea5a4f8ead53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea40c3621ae367f4e40b3625966971f9a6be4a408a43f39e31ef25fa43ce88e715a3d92cdf5e054289c90998cc95b071b305e5c96208a82473243676131496db6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb99859f038318f2c7c409a21b24f4325530d4ed67b96c225f80e6f6b8cc3ad628254cac2d0182b1c3a27377b24c81e8c08ce3e7ca7b7af66d86a0a48135a80d6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e536aa4de06f6234479b0b415436e65fca0628a6791504261a1e7e5d4706901c3eafa8207b985219d06cce38e8346db225354e0cbfe138d2f367750189a2792d8d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efe50e8bb533f620731e197df6f3c601121d6f7993c3f8d177f9e8f0b219b18f1787bd85b1b9c948b553af5e2eab76bb75886f9b4df28132e9d3afe4290b0b5fed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea7661fb89a7464f5d60af71a21ec399f63116bd76a9943e61b3eee25726d93eb221132c9c5ada5c5afa520aeacf8d1f415953495570c6c644caf157c80dd985ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e65f294bb338fe33e0fdb63455b940bea6973edc453e5958d59786d9053611b8419afa3a06466105321e34bd35ff1d56f38b8b6a9999762312431e5c581c00fced53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee7ca6b6dc0254ccf82a1b0b37f1cd6757c20f988edc99fbc662207d9a850a3b71dc94a0f02a4b27f8e1fcd0418e6959f33a47c74b3d43567cd90d03e33c04697d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5bfa5b5aae873eee3bb1187ffdfb80d3a8f30f5c118d21681dd243be0dbc859ec0f2c4db6514bf57e900b1da685d6b778f936056bedef36d96ff5af64bf94ac1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3268746d35f6b4f3d3444bbae21d2a711b74086727ab3156afac5ac11411e909239ed6b977c1f00290f61c17e978e68609aae238a8996b06b12de6736a989080d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eca505a80bbe92aa6237899da28321cb7bb5abef3a3034881e248f721e0acfe41e25a065d94e44147b24430cb337d9da9f4a5352599c7f136bae630f93464a112d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e37c104a29ad03e697f09e8b6437c985eb5213f176560b07139c392470cee64aefa50837906e13e7fbaf66b920c1ae40d86ff732de7f120d78aab22ecb9e6e26ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5571811cae90934d668c11b20c486a37318ea3890eb9419777f3cc3392a639289ebe3090bd51cd68fac5efc840138f411f97a675a6a22cc16d1f53522432b1a7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea3c0d2a77c9a2d4082654f95be7fa9bb9cbff015f826d51ffb155ef287f1618abfca2270cfab77ba35aba31a64b774d376eae38b8cdcec7f1e8016f746ebdc51d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb35b90a9e07cfa1f66f7747f4b6755cd7a71c6407bbeca64fa798e85cb49a21c9346e861064be28f42d5aad44da6e32a66c7c350911596073a32278c27c0b5c0d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8b96cf80b378cacd8e4b9845b227d1364e5d172884aa78374876659e1bafe2b2c04b0a7751ad37616e64dfc9ba498fcb4ca7995ee8b21a792e3e5b42aea0522fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3224ff8c13a04c6f299483aa84090f0be05ef629b93bc6391905e371e7d56e67e205509a768516f34765823caeafa1b00273e5534631adefc54fc00ebcc633dfd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e28f383c5ae8fc7eced1620a51125123e47ca505d2d5602af75b228b1b518323a0a737786f0b7599a1a40f481d341b5d7ba9bdc75c25dc3fe858296085b512d70d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e85f8719d31f9d846cec6cf7bb7e47037831c0ddc21bd048293529fe0a856ca2705bc992618e12c0d0bd68e83e715ca42c43112283c92454dec4d1bb4911c665ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e04290cbf4d34da06ffac3a99bca399a670b2a45008c4a050cdeb853dcc477ae311fae2a5779889608aa6f1f6c2a4471819685f61b9568a1a2386085ec3e28accd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e926e7c444b5d1a0d54a1117797d775c51ad7e5a3d4b49389e7fa902e213475469ed49d513d95e895fb02f6c024572e1d6d0386552ae351c84f4b8fb4e56b56cad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5dc07630a3ef13ac14b1c77578d8dae13e515f767d0ff9adf6879e42bf934b9df8a8242d946b986288d2ded66fe8c9eeedfd8bc58b87fd875621bf06b4b1ae28d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ede6dfe5f788bf6b40a9f3fb87096bc32513ca52ae523e54f6b33d01a86cbe4529062112ba81a6cc141c525dab3eba3612139778311a8e18e0f7a374dc42b1e4ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1f476958a8dd38e8d9366147eb1bb2c6f1c216d136e4c37ca9989baa6d69798e4a47c9bea717b8caf1d1848582a469e620427b8b402ed1400abaa4fe5b97c5b1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4c655d140104aacc4f9b14d26e01cf14fc1538e2b5ef7b6499c13473f146be55f896a2880d5ce2f35060f1778c5b3a3bb358930a1c7e9db264c0b0582e757926d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e70aee74ae8c9ee6722bb0f3b563eb1378e51f95105a54a0494e612fa47681ddd4ddf514eed2ef43acdb8741368881ff43b57664eab713a2017cf75b325a8ec69d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e2c30db595d08d11946056ac9df82c99ab649a52368f9be8ed48ee4f75a721f54561b819f44b24e39db0860e75310618e12cccba0b54499695108695a9b4fc813d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed5a99ec9dda258c87f30e22193e6c2652934abde291df66b5ffd47bca318b46eb445eab7f187dbe5d6573b7d98eb6b5b336b6350d461d3ea2125b575f8675fdcd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1bec64defb304c7fc866e57c032ce02ef06fc190f41803febaf8101488747b7634364f50f819b21f29dd6ef842a07bc8c77e0fcc8d65e9aed623222590888726d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb79d1ca7d51c3d1ef2cdedf85a91cbe70b5d17e4b3723a5bfecff3f6ef5a1a7725ed381bfe9360b0c1003d90920f552b0acc48ce7af8bc3b5692c5dcd6a52ba2d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9671f1020109e643f246e5a0dacedad7ab7868ddf48a33a504888bdbc6513579b80a3c4d7bbcd0fbe2d991f36f2ffbe33d741b930f71104b6b7afac538c0bdf6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e744d491d627f9a3f4fba20c19a8eadb0881c3c06d07018d6a91bcd90b84759250dd36310e508bfd70d9bf1f0e3d5bb2af733437e15641c22539a801abf8da75bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efc4147c38796fd2b9032fb33f7a14eb5b6eb1d7fe08dd5aa8750783f87f41295b736c5568552c1ef3dace32bff2dfcc93d38fb311cce15350f9dad26a56e06a7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5d17f44e537fd82b85fcfdcb34346d91abbe89a67b7172ec2cc6e587198b994ea8d949bb14c06c4e8d41f44e87a93396540d1892ff0d0afdc8e58e3ea196cf26d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4e0c1da87c3c65b18ff676fb4b508b790ba2ac23e0ef6c816281f16b471b0df64e7287620cae44864ef3806ce43279133b4e8e272c4c682287df43b920c7b961d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebb8fef9c839a86956053bb76422d21d9617d72ac3c2fff7d7991f6d6938a7610d642b940d2ab3a8a4fb381a5232dd20e4bb9e0ca18788d87ae1633d358fb15e1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eefc25657814f4feb5f0558ebaf04ca353d5a10e89b44e06f63531b22933250904e188bca1909ea2b58ccc5d96d695cd5e999e25b2f14217ac328f510f13bea01d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e2cc35a23345a694af3b2247a8b2b9ff66e85f7135cb5aa98e4d3eb7d9fa7d44ddc7de0679c20b5c2099d11d325b216e239fbf4c57b84f0c71220b7964dd2e613d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3fae01f3c7f5fddc296faba85c264c4cac55d6d5038bab9373478a6d13de015de064181645394ad9ab3b1f39dfc97ec4e4f27b420c4a0744cfd549d1c4c8166ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e33f2d2f364fb1c6657101851abd8fcf882ca412403c50dcc3f7718a1df532d193c0afd3780105b0d3345b944aba7fa8cff52fcf9b59965011fbdaa679ec0a7b6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee883bc812d30c77492354bacce0b762f94974443354f4882a2fa3bab5c9e1d8298612e2e88b2251f4d52ced5d385741f4249ad83bae4145b98a608d29945315ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ece53d82ed879ed95df4d75dcc23ff1f38ca1966280862e417de73bb6e23b48cd9a7be6c99ef7c6b331254e3a6646745166105e7c92397adc5bfa5f3c17a2578cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e53aa931225f68b023a2d5fa380f4f2465467e3562a52f12225574645311e56161cb5c5fcc41b96f30362b5371aa6b59093d1b353cd5e8757ab94c458736719c9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8aa04fd086c9a767bf522aa5b02f629eecf9900c94f9658b4fd3e1c64f0af287e8974d98d0d19920dc858c59c97834038edc40b619afa242139115c85e407405d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4cdca8d8694746a17dabd0ad46ca0e53ace5f45809c781d6971278413b9c21da94aaa684de493fcd10e14929d5677810a1ef4e00d86adff5ec48b04eda0f7051d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5d197f551b6406f1de54f07226e7669721b12366d24b8df0cbd3934ba2262a0a42a63bd7d7a06787852b6b83ca7a3fb4dc73b82e00a58b030c00f31a2e7a07a4d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed40930f2b0f11bb1611ea68c98c523bfb5dec09921497350ba140c80d90aaefcce43da1c184b4ca6f00c136d9f6bdeeff0aa7ea0de59019cc71ab260f0baeebcd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8d078db6d977ea6123747d8addf50bf311067c8516a874088dd2711d19203109a989d7332fe98058836fbebee47304afb605567f265ce1c5462beebc174f0238d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4dcfd6b35e431010d5f80b33377c708c9a14e3b9c8554ff0e53a3cad9997d893a8f3923abc58f6e85bbdde2e1df1c47cfb4258a2ec99ec384309ad4c638e4fbbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9e7aa74500fb67fa7b3b4b532cb9f473e8ecafb9c0b9a29a83829d1acc127d7975df2a327719d930fb685e382c1f239f3a99e6a112e318d255fb67921c575459d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed87e9d70ddd1bdc1f5de498798a7494fa018c8498035e9eeddc603b3f0e07d052dcda200db4890d7e8be915aa2840ad87404e5d5d31e7e58e6d66179e62b0be0d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebe36f5513b29d8fd215a40f272dda05e90a1ddecbde53caee501035e0fd0dfec6853f06ca93e32bc062786b592c8ac738fbe4efd5f285b600d9f1ba80430636cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6794c3b37f56db5f3f276c632e10e149ed67bbcb8afd9e4642aaa7eff917589e5e2a6025ef85e8f94038c85242bade362c1a589ecbf3911635f7be9b33f9b216d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e398edeb728eafc1b943a34b55ce495ed61c01b7c0310f32af5269f3f6a611dcc01843d62711e7b81ed49825cfa723efd4344c855ec8d17b4da33f0905bd0fcedd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e35b0c0fce1c34d4af6481a2bf8e6db21f1442886afc764da2a71feddc9912ac1e6c4802242641b292b0798862694f31637b7f167b19695e46908c02450e35eb3d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6d256703b3c2040e3ac8feb9df23720ddd402b9ef6a2e283805e89f855252b3991624fc604638958c2d7d0fde3cae402edf6a51194771aaa0d0d3aea82e40181d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3abd4994dff624a6f16c3dc2d5d53a11e53a5ad717fedc257faea5b1482199471b7f508ae317e8fb5e8470384948cd7630c732e80f03c5d9e9f5d32b1cd7a403d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8b4aba2d22343681019cc88f5586bba930418fa1274004aaaba6d89721bf37cfef70dd598d7675eecaa719b6032b27690c8b23102d5bc6bf2f6e25de5fc2a125d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e27f66c48a3484dc5e8e1eeb7fedf0f357a0efe81da77e5a9244397b2a12bfccda53c5a5f05842a07632345c188f327a702ed55054c4ec5064dd5e7d10394ed69d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eccb20c4625eff529d58eac2d51df01497aeb543c8682bef0399d54e0a2f0c1cb6ad6aa27ddbb48d7c2feae4285f6699e6dc9e635a0b921c38aeb027473f275cbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0e17961e5fa39ed06da850286fd66ef45498cf6a03cdff8fc93decc85c66ead0cfcf0ce991de2cdc4ad5a2983312dad80555ed93d3bf921dff12bb813d776d52d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e2093288ac6d01db53c9c192d4d884835e59d573716c8fe2902e4994975b448d8c62900c6b445b67d3fa4a03d15e7e05a235b0ff5ba124313310f4a25dfd65889d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8dd46d6200dd358cd6e8eeb8ac3c793ab883f086576b76c9b4e788d9fe553e4b5ee91a25aed8b0d6b2a68d7ac215a11ebefd74d5edd91c1679eafc98ab777807d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed39cbd166da699f1df8d8f9c6b2ee192ad6fc48b00a5677cd45cd41c630dbc5a5e4e88bde929700794423b252aa3e3b2a9651b66f775f78682a0df9d53d1c9f4d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec8ebfb447949077882e0f06af0c6bf30272c997bf2a98459ec62d1ba02c57fd82b298052ea3eee70caca3e929ff07b690164e5f3bdea31b6e41c75c98429fe1dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee4b5fd85595cf13a0f8e1bdc373f0f9b95aba3c63f071552638273df07d155c7a874382731e900d053227a7c69c0b969a42dd5ef140ec920b638cc5e8321a7ced53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efbcdfa39fa3a35c56d37b399fb62ee49659ecff4735d1f2972c9fb37d1614999fa7c5a7ad198855f1571871ea88c124f937fa1b2ccd93e6c771726bdd2fdcb9ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea5045ecd7bb09821f6f2f3f32792e171b2896ed46bea99c9931d6857bc3f7780c4f90195e0e69d18ac08b447c320779fbd72646a953671379eaa89a4e0846636d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eeb899c5069f73332efdc39b3ceebba056d20a1c08c521efb443b5853aa2ffbe9ec2da4031447c8f05b48df698b6abdc4b6090f15d6af811069584567c57f1fc5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ede93badd20ffb667feb4e686fb52676a08a6b338aa9fc7f97e9263b467fcee807923a40970a1887a550cc03cfd3006813959712f7d3f0ba53f6da7b5909e343cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef42ddc21862b5e93d3208261d9334ba31e95a3b11a95543efd7e74be40233c4fdab19ea7890c736f43014184dc5deb6d6ca8a0031e3febe816ee0e4beacdd092d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e42bc0634682e896d9d72a68161801cea62796114a4b11a92509536b6cd90beee5bfcc4c0914fb0c034577ae1eaa872259766f5d845a78d8a5c3158ee967abc78d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e969b275b98eed25f5e285f961f16e97fc1a930536154002b9d56b30416cd3811474640917edbe6778a6fa97592d7dc13aaac2301e2f0061cb344353897b9caf5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e20a053109d124c31916191c3deb199525aed5e090fd4495c49fb3064018d945919675b6b05de562f2af213c50702b7537961c1f0c1be0925471836668d6f88d2d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e685db5475a5a6696e4c7f08f52b8743b595c3ebbefea7facd4b3d1a0a57e98bce5c82fbcf47388f0f8eac065c79051ea62d4924dfa728747c61ae07d3e8ea301d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e076b8ba34b674d7838ffff221bce9530daeef732517869bf77cdb284777b8e0cdc045a5c46a14452802ecd63193c1a5307f13eca7e9c3fa4ab0388b5af08c8e3d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef982dea48f7e8aeb46d51b527983133732ba9e1a29be4da8f4c90a96c4c6fb86ef362aec94d2538cebbecaf11d7fa7300af9ded947e070f9e674b29732d52618d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef903d372f20d85ba93d3fc35e128db715128468414f2f6da0e823bcc4fd06d07585aa6822d730450213cad3e6b8547dc31177c15112b9d3454b5df7c914fb7fad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e1de5efc97dbfeb109cfec61d41896f5c06d7bb9694e1bcf8253e8aed09246750fb2da765fa9ee7db40d590875ed78ea3face578b5589bb95d10b9331e32b4bb1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e50226f07af9f7b556846c929e2d4fc6bd2dcfb3dc217052b27ff355cd2408955802ff0281f8ef693a109f6785e1c07cd664fe6dccf5944a72f76521284a083ecd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e46e8bf732ea44ad3dddd39d29efcaff624546d807b1f178dd43dda32ac8628e24995ef1246cf581da9a822e0e351059ed418c08182aecf6d96f956ccf3013ca8d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e495df8bbf518f02a25c45b5b4fdf6a7acbd54138d85ff5ccfe6f28d411fa44fed08a585303cc2e8287e357e52762ca5005ed263d903f953a5e541a50b681fcacd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e98cc705b01d5a2409e3aa25c64a747435cf7b4d08b4d58717dd9f4d8001764a12879d7fb4a69e41f461910eba9b0b007da80be6f2ffc00f7427e8f53eec9964cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eee50b7f5d810098809ca19fe6bdc68116a64e81ad2d25e122d44b24305e92305c072c7180a33c6c0a5c1f832d7f21dffe3ca1a20e5061eeee857c426e2a59dddd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efcfbd9fa9e27b83692da5e8b7829e0da8fba4bad172bf6e09930325072ef84cc4ca07cd29d4f183ee90b20404a74eb338cefd6e3700c8b1b44284ff3cbdcfaefd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0cb26f7ba077d0d028116cd3eb0cbc7362537b7c0d2aff3e4d7ab8d7d4f88a089a2e646ef933bedfa63503f7c2484674daf9d41f7e6822983b919e5e952f83cfd7b90057247a6932c03aaf8aa8dbb52be0f49de305504bf3d0674dad65c679d51d713e9e25e77c023d5c2b70d68124f62989d0c4a51aab6d16260ad8a028107dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e64ff453b827d6fa46ff2822f8862adeda945bf806e1cb214dd2a60fc80387e21514766d68d686ad7ce3229961aa19be4e8e952dddd7f21a6dba1bdb4ee8b2cf8d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e12e8530f6f62c658f7f6684765b90bd92f467d39574f61fd889674d6ad5dcd36601525f3ce5318342b099bdf2bc7543c686b46ae5ca18c8154c119916eca547bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee7d7f5c66bd0480c26b1eba3f4dbde36e40f21061060068efaf74dfa72759b9a4844e0153b631b660d8aa4a9ef73dd4ac6cd2e8e0aafe5340791c2d406606602d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9b027974799d60a45bf5e919b82c51b16de30cdbcf6f0019fdc656941d23ae65fe422e5cb0136804e2b33c7400888da12a019d07a443e80c88f6bf1ebaaad52ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e2c60155f183dd5f246470753d08ead06d60a986d496c64987999d57f355c39505162f81b515155857c3f1d4eb9b0aff8607ba31dfff4a7eee5771c5af2d599bdd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ecf4717683bc91e16335e3f72c45f23f688c099c26967ffe7e69af420be3fd3f3f0fc96747eccd08e6464cc342498e4ca8869d6f50b7d9daf7a88391f6a54d4d9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8d7fcbb3500023f57e9a7a2d104ad36f029d06040c0612c835e4236abfd6aeb52d4d79684812e2b4a7582d0644f28962b1af80cac3057d23944ad03008b2b923d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efff29040e10a19a11de993a7e7bf9994ab05d2b99b2035e136ef2d599ff599414f6aaab9adfe0c8f465547b6845d1fce4dc7066458898f5211db6df0f1622fc5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e956f1ce6bf99dd2ab04e0cba426b0a9f597a74d818c2d141b6f74d3cc9ca59e0c6f6ae20d744a20db2c3c1634bb04af0bd14d937de5b9f707a8cc634cd7e2f68d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef5aae7389df54c0456e6a28a76cdb7bcaf3808a346acc4a5e6e21cbdfca6138699e6d5a37e0622f38c4444c3e27f6020377e0eb8668697bd170519045c84f971d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6a7f1718360c9c018012a825bf52ce31b2bb68b9c40b84799461f8791fe687e9556177e732c894bbe883f458a88b4f8c7f2f635f601c7c8baf0d0b9d1fa68b43d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea4ba0c02ddaa4e10de6b7f9485a8f42bfc3b711ef971aa96bcecc91b0a95d741d70985d66904662fa3949307281def3d7b5bf368c1612196820a530d69ecaf3dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e222828cc19c47f2e92bc127e66311dd237230531e254fc7c2e6e2be9ad0f51fbcce382ec01f0d23755f99007b1b059caace09d5b6785e23422a8045b681cbf1ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ecdacb73f47125db82101f9e7b9e0a2987f5add4972bd0f74a5d6560a9ef475d0e78c910338e2d4810887582591fec809903f755ecc0d82ac26cba18d3d403af9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6da07e46c9130259c78ba9fa0ade512eb17f21cbe26c1cfb5052f98e8b5b8fa4a709fee64d99577febadf20f3b8419049f092526b96955d547130676ef100089d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e05593944d46b2eb78b5db858c23477eac1fbcad17ac8c3066e2439467cba712c4564d29c02e58b7c36030f967fcb2d019e086a2d64685bf5b661865033533f5ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee914996c1295c9465512d8dbd1d0bcc912ac220c0c39af4e50ed25e57909fce4bf6bf71ab4df4a241419cbf37463b900fce97aa4e06f64e37547de9f216604e1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e39149364a95f605e42640d9f2c7f22d8e748f1a1d9881090538c7b03fbef36838a92942f0ae5e0132fe102eca2daa75dcb12382c21aa68c0244a718abf0fa538d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebce4cd47937fc8ad537bd33a4593e621d263487ad68a4301f9cbc2656514a72386a3c5075f42bc45ba3f064257ea33c1041225845e8c935bfa03d0e06edb4b5ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e41ba5bb2816bf1db56d88c67189efbaea7957e0dfc77fb9d10add63eb60c9d93dadd9132f0262ed91ff809638ca55c01beff352f37f0f367b6f96eadf7357119d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7a48487f6fa3c9b8e3cca4e63e0c4dbabde4be1d81ac10e74f2659ea78049ac6db94bd2123870b55a79895e0aafc3431ce375e1a2538ff5e7077a8a8842f4953d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e111a7ded70fd635801f7ad4aded7db859eadb460e806a2a927fdbfc912f590b327caa30b5dbeabba8c3774604440f481229cd6f22fb20aacdd1e642084e1b950d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3dfe1590566d472ebce3ae1822a1fcf8b202fa39bed1cfd76aad44c3c9a62d56f53a707fcb1485c8a6e18487073739f6ae867fa570726d685039bd6b7405996ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e29baf7e591282297fa0ba685f3404b912a010706b22bcfbcfb02d6bc94f0b89aa60cc84d5a7261bf871312e735aaf4799da52e77599d418400bb4356e14dce11d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e41f304f4dde01f87a2558be27836df65d57fddaa1f57eeccd6721829c4ca6893a0923534dce2d6ce2e36a4e1eee571f974734cabbdb99aa13f6c2fbf85a1fc14d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e241a4f17184ea847310346534c34cd657658048adbf6af4e96e5fc6f6a86709f536ffa33a750b4bd3b80c5e032f97c76bc01904a534670640405f06ae290e4a2d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8e9c88a23ea5564749f416b05135fc7687ddfbe5f2e4c9bf6c4378e69ef5009efbaacd74d1946d00ac66150994d1252a331905a90a5d3e4a8e1e58acfc3db4e5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb60a8f1edc44d2dc897f8fd31ad4da9d995f67e2dec048758eecef74242c9da8b0d4fd0961c0533ea1cc09b898f7e6598c3156f38cfbef215f6eefd49d6de0c5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8fa5b0b953fb22c07fa5128c6938ce04dfecc5588d8134cbbc7c7161bbbd3d00d7ded0ed75b8d3de34ca68ae320fc816bf285bc460af5c16800e77789036db63d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e66028dd3e0805ac8044c0cf4325933ce4a7df6602d2176bf1281cf71a3b8ccedc98d6c128b6cc238789ec9a0060c9aac0acbe003102c0ab72363640d5276bfcfd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef4929f7c9c90f8633bd3a2ebc4a5fb4de30242313f399089ad8b0c78420483fec16f0b4bd552bdcdea80e24017ce1af9c0cc747cb10710599632fef74d7e8674d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9dd02ca5ca91dea10fd468be92fcb10e6a583cf85161dcae77eac4f7fac24126191ddaa41baf32a13ca580c5e1a5012cc49720ec125cc4af20759c518120c3cfd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efef877e1acf81d446ddb2ce78cbcb8c916e4bbe42f89b741fbb010fd1d3b607b23b728b725c8d557f27689a3fe29f1393d4e9554a1bd7059e62105636402731ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e03b6900a6c1ebcaeb95f6f53834cc28cdf42863b892a272fcd01fce05321cee05d844fa89f523692763f49498b85d1f77a0d829fc389cb282b58645bd26bd3f5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e634f6b3efd2c8ad6d591d7149cdc03783631a58a7e8504906c821ba903347b95adc33def01a2f2faded49b0f70fa9cd2c3c0d362fc8a03d5193113075656596cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb94667ef08338feaac3634ac25c0f2031490e9ef058ecfb9677256286bb3e0dacacb8f8d472906ec96ea14c957e0fc4571019f994250b625a1513bc20f1a85e1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e64883d5e37b75a683acfe56723105c20881aef8d9cf86a7a3a536e88a61e441e487c54b1b539f2468b1198e4d0dab46c78ed0902b49cd44b002e03fe4812f88ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebb7fd19e7bb15505a9e10ccd4ba19f1c0277a2aaf9d44eafeb50ed8d33ae1f3ad8333303a30fb4c590fe9457f10b27980eb11358a00bad5803fad12adbcb8d3ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb88ac5db497ac425853b35df36369d270be3b4a953c16720f71c2116c58da951ab4a38183663f328a2b0f4fc7ad00c248e0faa0c5132535fc29a7baea703e593d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0a8f4d4d52f32624c8aa510789b46658de32a865be6cbf0fced2ab28b269185e37e36e9492d2353de70665e24b3ca9a0b78916c999ba87ab2b82b3f857853302d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee4b6022fd019f64a2f82ed730b83d4bae35216b2426cac06f8a3f4f268e4a737967fdaae5d576c69f4bccf94d81ed0e069742c134fc72692186bf4e4aa1fac50d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea981b63873acac93857ce69c61f3c76dd34c43099d1303827e57a8d8093f1efc84633e850d2d255c66aaac5cfc28b718771d46eff57342d2881b14bd0c9a9999d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb19e3af4078b5ad9b594b3d59fff5d9d4d7e419b60a3e0baf028f7fac26127ada735af60042a54c6542c6c5fc614299568b18772c79c6727be96357508506305d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e54a549f6ce17b7e68a318a2e4def0e76516be5ac51b2695b1f074054c414840bb736260b2159afa01fb97f677e5550dd97b4c8e3cba64cc1d8b9d56c62eeceadd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eef288a8cd90237d7401c2c0460d304c9f95d6c8d5c59cfa0063e98bf50ea05ca64af546d2cd5c0f9d714bcef200a534cf9b46bc5ca2bc15ebae68d63e668a8bbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e956031f3b222d6dc59b5274bbeb3ae272d63d893e8ab4c9ab23f8816201e9b203ba85504e0c55709d579930f84a740a5356de378f72c308fdda3c7e2fe1d2a45d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e74df628c759fc311fda27c82901779432b22a257f987ba8780da674e2338e9587cc0d9b2567966b4388afd70c4eb703a42ddb8ad25ce34f4dc23864ee3f47dd5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee9c1e6017cce43c77c337e3f27bebbbeb8f2085e9b98f9b965a10bfca04f5a2d849222bcf3ddd833e05e3cfea92c80734201fb1c6a83da4f1f1fc8d6653e9e27d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efa5c473935480100c037b81ac5d7c6a5dda6f34173dac3c1863134d41de4ecb86002756f70938cc690521d775fb7e5c1ad0f3d834f434330b717ae3dae4bda14d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e24548eff2fcf6b5072766d83f455004e7634914c40e9b0947cf3cbe3602154edfea71961d53a2d6592a6440ed9cda59d36113e16ac07a46924ea8737865eea5fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eef284574ba2bbd3d7069fb8034e97f376b2592ceb21edc71ba71c69dc104ac18da8689a14e4fb62b2230b37b3d7ecf82e78780db146eeec3e0996e91e52e8dcbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e73c7fd829e6e7f2633c467e4e5c992b820faa0dea39671f6897b4c4479fd800015e14cf285a5dd2249d40d8cee9591d7313af625ed9e3b5bebee2192aa529225d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4641ee08264f58320d71382f3105a614c0e74d7763b5d88efa12cb0a7c3fceed0e6e35c9830101cc51a0f6bf097b8e231b9d1bf9a79a40f4d805a2b4950958ead53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8ca248eb1e4bf779a0693e24338930784c76dedc7b04d72c67df6b9834d91a48d0a67649bd9a0f9352749fdea4094f5e2da14f0f7fb90b6a30241dbc725978e7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e24a30edec9cca517ba34c56288133402b439c9fa41022c87b53415685e1be32d936b7f21dcd36e8b25bd1d217760c4b445db4771c65d10c2dd3c980698298ebfd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e56d475df3c50875dc1e2e598127467e1c8b95d51ffc2a1ad49cfb3723b7f316277b888a86ae76942eee5bcc80463179f494aa8191f4d65563062cd999442089bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eeb89f18dde276a576ba02443cb759733f7e8688d159574279bf89f8abd6d21332e104b9f519667a3db80e4ddf29843bdce172c7b42ed9868edf55d368f0bf2d7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e69fcac4a5c044cf9bcadd1ab70ed099e81b88db31ceb21e8a37f0ce195ffa929bfaad498e3df06fea5a5542635c0c34edbd3d36b8dffd899b25ba438885e297fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4b4613bb12f9a174d5339f299c2d86894a06ad2561fc3f41b30ecfa7833d2d836debc47e0c2b34ac97832d0678dd2a3080136d48c0cc440a236399bfcfc38c5cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e14ebb75f9c32c79d300eea8867a36d949f737a4a8e6cdf6de6cd3088a7e1893c7a2e483565d7e6534d72e2d2c36f96530f23f1eef45bcca06dea358454edb1efd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea28812770dfe2f7c7de735f683a94dc1db1237002ca055a6fc29248145fd9fbed18fcc763930b50efe20054e74de1f7d234680e81fa0ee239675780f8caf7212d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0ce76946f9762d7bda5b943facf97f21c4ad6d1de5249a576aa146cb7cfb6f2bc9924bc4cbbbf0ddef77cdeb660bb75678212d800d3b19581d12103a17955e95d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e10e90c5f711e820aacca300f6ee7c5535f38e53996c78bc06bbcc8831d190f9a342a6653c2d57748cadcfbae7238d289ee5645169ff3844119b6412bdebb8847d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e763edc9ff8e9fed8d9b17da50475acef7dcb402d72ce472188b52e17427e09558483215a65d131f6a4edc6c46f4896f812433429bb294657697f06bc4684276fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e095ea071c5b063ee6566ae0638e80ea629982177c16ea28327ccf934f3414dfb874ebd7bed2c296952df34e29aa4569cf9341fb48f8b8b49ca93a656d8383da8d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e424c88f23346299d4bb54b6f62e739185502666960fb08e04a4edef59013b7c18e29197d8eee914e126c4544829abd67b0bf104dee72393316b824591147e8bad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e39ef9b11c3d7f11fcba18c535a7048f13cff918a4b12c3068a80134ba9a55ae6140d0b9d83e207d57c3d1b0e46bb120df8f618a5189fdad2f3838ebf68783d2ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb02ed4b7588c88d805d8e0ac81bc93828c7d79587cbfc3497ba90d0b9e15f5fb8572a7b99726448469ac9684e0fe371426b417b416ece533a4900f44b6e3bf7cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5f39582d5fe81f240d19b814953a084cf4ae97f30d76eadc009822dd3e5a0c879530c2a9e579dfbe8680e5e0828eba60883c3380719e5196b1d58a41b8782c35d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef9b52b706e0b7a7aa7fbd82f4177ed4ef14b6d9caeb3dada4284b6e06d6eb7226b4baf968247a5d81dbc0d9f6cecf50aadaa0875b4564095513e443ee7c091d2d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef12de9e57e680bc25cb772e47b1b40dbbf73c5b2b74cba8c861b2ec3049c774131bff88651b12c4d8a83c1c3d55a74d0fdb68349685c9007e043f7c3e81ebc0fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3044494fb987fd27826cca42d5ccaa652fda21030530f4fdabaa7bffaf04556897e889b242f54e8e32f1016f46182ebceab6987005376228d14145dec6760388d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ec9e96019e54b04deb50cfd94a7686c9c2d178e46413966960b4c75756fd102de787db9c2f48f75bcf49effa4f35dc5aadbc5d0dde241c6c431a247688561d112d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb994bdf2ae033b6adacab6b8743ba046120de07cc04a381d750b4b0bb81b6186fce5a03d0d65f8acbe4c35e0b70b9ad7eac9ff1f15775bbfcfb08edbb626d909d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea12b99c2c194ab0bdb5914f9388888fe852701a9ad58d6c61912a256ed84ed17461098677da7a6ce4769f363c2f793445cdbb7f382618f0f9fa0281ce8458fe9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee31ed65f372f37f4f1fd435027acbaca573ee7470f594e3b331ca71976d88cc72ce5c258985a8d1b01f635e883972d3d5ccc1c35de8731f2d159834bbcfa5ef5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e986432ba76124fc251800200157c9cac80f6590454df97bbe9fdbcd117277e9ecf224799173cbe918320ed41e623bd9f50152457ab30f1c1d8c263412a090743d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0491f8b5008a065d93e3dea63aea83fd6feff9a802ca67b26f2eda74671c09ede2efddc6eaf447d7b823d0d0e25666c6d404ba5ac29c0c67981626a5b7bb8510d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eccd63c41a47dfc079019059ff08e0c8b4a51ed07fa34b4ecbdbebffaba0e3d72bdcf5e5f13cf1f79295914a6bcdd886a1e75cfc0bf912a237cdbd43d4955c404d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4d2223258623556b44e0786a4e62130428b1e25bfdc18412fd859e09c0f7db2a3b697f97e2c4eab793a1aef51fabb72e2304192524e693ebac61017da27afbf7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0d220690e8f0598002f7b58b5a6edd545cee8a9d5635ac724674f070a0cb1620711000bdd8de2d413d63d39aa126b0bd0d695d816927cc69e995a60ed93e7b3fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e440f0ecf4be9e652ea7acb30a8aa85ce923bce2ec79abb5f1468e5e5eb8c62906559f170cfdb31abce58c3d72e3c0881a1698552e80a0b2b92f216bb7efd692cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e49b986784cdd1a8fa8bd4d3b5be0eb60f98d72af42e9d6567b21bfba49f1379db36cc1c25f1ae07f379a89ba21536685384859a11ebec4d4c3ea3e79f513f8fed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e446b54ae7f6378559b745f22f2fc51f505ced8b01fa16d08142b7af607b4eb71c18e2e58f1c03e5eacf51bffe1f730d8249accbab083dc6a0407736c11c462d7d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e07d4c986fc07174807d21e06d2519fad02aedcf11d957c6c154f3b6277332f2812286456597e2b45098991f4122103c11c08de16811897ee5b0acfc9512a4dead53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5605177d422fad276b24eb64489cb813ff147d48f0075f50688eb2264764537c962474e381471e6fa70b2f651838d20e6ef63784ed680b5eeec55e6205346bdfd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee4c067952ffb46f51a22938f75cce65e51e01b22ca3f1d274eb5c59f6007553cbf331a2728d35e57ac9f7c774e1f963a9725a7088fc063a50a50db70fefae6c6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e496ce8320c2d9658d41f28a7f362a15c9df093178a3ae4fd2c43b9b06d1bf67b69663e2a3892c7571e6ec5c13a086c5dc8d098a5406a47c39e64aa90fe4c03dbd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e87bc8396ea9e6a857b78ef128f0a290716c98b5e878b764938d2d01bc502a50f3588378adf84dc0c1b5010e32384b82b2f12453c570d16accf772078a5f8d1e0d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ead2e897f97325aa68e1d4afcb0d58cb4e47e5721580c90ee285ef848a10d7be6f8c1171301257e2d60124af426f72673edc403c9b095defd9dd7f3ea809ccfa9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e71688a88aa33d666f5d5dc27f82cefde839bd083775af64be0e07fafcd222e2b3a1ca0d6397235fb80a454699be00652733dc884e33bcce15fde70a8d7f25d47d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0ec68222599e07e8d62b2cd255b7a1bec9d78b47287db5a886265fbca3cc600d25d6394797deaf794c178fa461c7a44635cbaf44ddeefed8d44c33eadd99492ad53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e748081d4c307ab25e57c6738e844a510aa5b30ec7193ad6ebcfdb5ffee5105560e97a6856a2b49a78a9ee7ebd2fb9db6645d76c2c1dce69c4da81388f508872fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8bebf4e1522297740e6dedfebe9c7be88d587be059d7db39a40712a3e3be8a7b97c80ada10643ba30a15d2c9bbecdde2aecd5fa73602f4b3d266328a6f8c9643d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eec93746164eaef97baedabd174b0aff8d70dbd07295bdf1341dd44cb129d853c489ffaea661144760fae789edd4f1931e9f196c715fa542cd93f41526d7c613ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e42903983892cacac17c82c6aa840a9f6340ce5c70e6a1eedcd89a9dad4a3492b479edd372eb4c154abb7fbff860e048a2c71675258dc95cc3581ff1bf19c2c7ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4fed2fd0aeda6be8d4c99e3c9257f4ea8bf0d578e15f836f75c8ef454620d930aca3d2cfcde159049df2ad23ce7376386230e0c127b8e5eb0113a87e4705be25d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed70df0f9e4505dfbe252938fb26d365eaf5d0369bea82f9f67b05b3dbcdcdf2fb1e0c50dd0c545cd4da34ebaae61d548e390190f3f19fee0b8c9ae90144d8c26d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7ca6fdcb1adaae3b542196bd4d687a649bf3e59a570aa3704fef601d19fcad91c26bab7ffa88b445a6f79a288b3c376c5c733d20cb0d1c344588a92c1314ca80d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7c9b7b8518c6c6a5f849522577814a69b2cfa4ef5b9a9eeee2f170f3de40ce5a7cf94f4738f9d31995c5695c51d686526cb47909c58346cae0c8b574b9d180f9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0231350c8a11bc3360080e1d5585e5c2a93a8cb3f49782a615ba6ea55a4c88fcd42fe66e8dcba8786f0e1c713b865aa2a99809eea0c16fcd19e8cd68c6bb8389d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ea9111a4fd54a5a4f7632cd820b3384eb03538e923d94bedaa3244ba60589b20b9c1322051151488898b6e475b7c71af45244d229cff5383f699e551bc2c01937d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ed17e4f157b968361a5887833e0b7bb23173c164529f356e6bc79ae7d5712dd83aad677f4eb099c500b85de2ac7d56933b0e228ef4c383ffa435ce9c70ceb5617d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef1e95a6728828378a333e27dffa583c3031be792f7b9d52947bd2a2f87b536f63b575f0454d3d6804c20c16e5abb42b4370da8a93c00a403a8d482f3f8491d4bd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e87cb553988c10b9206ba7a404636ac9886df0e3d6e7ddea36e240ed7b9e3466a065f4d37a7074d41fd5ce956de7c6ab5d7a4ad4af66a045492e0b7a3b53c74f5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e60b48c33a2c91b00f1c0cf2e07400427a7c5395872f53109a8a50a080c479a4f100961b6ad3365394d93ad173a31be8d240415d96942c992a98de1f5d93e69e6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e99e3eb69f0e67ae7c1f307dade4f8d511e2cfb9d8f4bfe7d1f95b34433acc88dbc5ff349900d901d73ab95ace1f46925b86fd70c4b50e382ac9a69a913b1eea3d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb8820bcb0ee5f8d37bf38f4ae95266e78b3b7a3688f10e2df1e3ba179d0451ebcd825e05f37edb7ef39abff5145755175a995eb5ca13e2b24e920c93fe958841d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebf02def75d2d457df004ccfd7814cca31f29d753772868e54201f78a4e21be169ba9a3963b9762df848f338b6dce8cd8cd50c21cd7532fadcc2c36ebe004ffe5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb723bd19059a64a380fcf794081af7e3144f65836e73e3cd92a2720e5eca93ca5d127b5769b36d27ce1e1a89db8c8263fbe6b7672dacb6101a41f59af41fdf9cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e42f54cfcf67a99bdce1abbd40b5898ff3bc6ce92c6cc54082baef9e15cf540293d1fe5804facc3160aac907c6fdd1872cf05304cc9251b8f8efc5c4a600b228fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e08889007e1af5e77462e6a5b973d4b4e477abc50f92efeed08a63a591ce63da5036b37fa78de56ac820ef4de7e659d61e073314cdf22af080f96fc0cd415db6cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e653623e6238f9b54e0bb30ef27e3f88ca0864c0c9b133b95df73646d6513f304af0aedfaf5f707b6f2515e833d5937a509ab96b55d7b75bae7986aa56ce6114cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb025880b46543743d623b5ca464028f2eb4e18982fd6de1457f80f5bee304e68e5f3c3134afcb4ae1800d866a1b918c0e05de0a75f880093e155cddc2e6f4c9dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e08164f96b3ebce0b0b6be573fa00785e8928bf5b316e1151c9359bf1d8906b94f1769086e4cd48cb3325d1062e7cfa6ccfd2ebd252fc13e7da3fd550250a0dadd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e85feed268f8b65410ff87ba9da55275dd09eea5faf46a99d75d8081934668c1d3d6210439f62b5ea952d9ba8081e38d7ee6aed25c9911a620a095297e916e8a1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e82a068097a103f55e683a4e8161ea9255eb6eed90b3ebed8513b0f1f76ac501031a4c1bede872318784c21399b5905af6235f960e4c91fe212e23e62e8a9500cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e392b45cba2628bc764f62a048a770e6f10c0ada341156580a6992370fe48447f817743267616751a2f3a442012d541997ff7227d02eb9066070ea28eb47065b3d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ee3fe94b7afd9c8a0378fde9951f964772fb77f00f28b318fb0e24a452df69d4f1e79ec784fcf04ea870366c3161960937a6d97b2b0f0bf2964e7b3f2df65cd96d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e328c27559e6cbeb1e1464233a7c89ef609115e1eee53439423b97cbebdf550f45fe31aa3a7a059dfa2afc9ccfe4d9ec4106c510f28b2aea3efa84aa41843a0e0d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eaf777e2ba40fd02a112f9dbbf727030cdbdbb59ae4ff42bfcb9a4e003b860db986702a263c1f301c1d394d1a93edf8bb51a1408a9f5a91046d0a52f9837c04ccd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef82bce6d065591d03bf318c950d5d6e12b7998359dff3d19b9b1c6817793bddc20f67cd1e3e5e7e0fd9a79cace3db59e6b1b8c04690a693813a84c279bdbb8a5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e9f99d818e977f21a97396c6282758ee413c520c354f898577da8214ea28c92240986a548a3889258a0417bfdf57de1ca896830d2d8492e3886e7642015c1794dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebb0da4f4c6723cba0abaf596aa79bf9f852ace44e0999d3c4654f49c716bee96e698afeccbb7a617036c9c659a4106749ed347473786bf4a36bf90ea011c1e75d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e51dc5a33fe27f979799057b11c9c66fcd646549cc6e8585098fbb1524acb56fcdac9eeba3e9434246cd6390136c24a4703325a61b777118c07fd1582dba8f810d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e062bd3d2efa5d4fff5f9c07309df1dca2a9c03bdddb1bc423c99d1e52a55ba559ed36d7e4748ef1cff2824a149573d5d5ffac6ddbf42349565799ad2464ab541d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e2f1d9787669eab3eb86c9757f7f2d27cd71487e292c3aa73669d3065b14ecf8e7e97632ea82f29be6b6ba83947f1d7ac33eb3cc08913aa165d3403d93de8944dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34efb1a44a9e0b15d3aac91498eff778b97fa66c0df83abd6151651a1b9df5ffb6f30cc10148df9944f2896dd8cc7cff300eb90e7af889e917635451abaa006fb09d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7c3937f7d3f10f40c885b6754e18883e12a8a5fc9736218d6da67700ce680dc78e73ca1e8232dad33861dd3c0fc2c1abba00c76104e02ec4b4b6b9048b3c2e04d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eaa61062e6752746a512b0231e001cf4bf8cc34bb23055a7fa6633713ac3ab386665338988236da3b0c1f93849ebd1f3794f3935cdbe3b69538010758fc9eb366d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e422cd7b87511503e4c3b362d8c83e274c83a839cede765e95d805a15fc29e9c733aeed851893cae89cfcdb44010f2d6e0fcde636150cbc8d1ae02681cf9ec940d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0a5caed2e7ba70117d920994335a9c95c43c75cd426dc729d12447c185674271fc2a8e4dbe3ba5c8950d3109b383e5d2f1e1c0319b6b05d1cd502b66950a1e09d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3f922a212bf29923657857690f14000d3352d0afec7d98e3d82104d672f6f07485e3020cd5cf9d6e85fc0fe2d0e3f524a32ea073ce401be6a6b193d3a06a1db6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e6ab443d0523214cc394b5295133d1c193c9509dbc074ec45c5d44f6c55cd71075d5cd1f4884e846f2ff3f983b0bee12df328ef74d7236e813b11f4206a81060dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e979795956183f77adcd196f0c641719a439a1edaa8d54a50fa869bc94e55e757d5f8db8236ccf33a8ccb3563b8d52c49a769a5553cbc6fec274a64151d37b3ced53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e5d566fd2f53195c5e5c7c872d50a48d27e1ea80be4297e21fa071fe02b7348a26532fd0794e40c332fa8957652c04f4c5d6f651e0d5e76adf3b06ac7c66aa214d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e3f2814513606166282b67e2431f23652fe47353b74f0b5dc079128f3653c57f4b5f9f9265c7bd46bbbad8764b32575a73cf59e28d73680826190a095393fc5a1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e424924c2bb825ce578f2654e3f52a15cf5530ca5f1c967242c28601c003fca85e279a7d3304ba7499a5283a84d4a13572c8b107a3020edb76031df60a5d3cef9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e219b0892db9d16683855a398495bc98c6b719d53ca9d590a26c755efc26361086cfc778b1be250e9b05f5bbe629a34df3d63002695c9d28a91d41c5c396f710dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ebd0832d9012ffe553c31debd916d211edb32bb346eb46c676f0c166d262f5b361e23b9a62fe259a2ac22eb30750ea25ad4465c3244f6828b5be77048956803e1d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8623db16d32eef353e1b30e5f83a63067c1d0e63f3169cb282f0552aa18859205c4a3ea85e4acf9513014bbcf8b7272f1049e2fc390ec50d7fc1fc16049d88b4d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e98aab56f27c3bb5c198d60a5292d12aa3118a1a85525693050182d90bb98c9b779068a3e2d4187c5b51903b1762054befedf59bf0d4e0e6794ce2d8c45af4a0cd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8567574e184b09b75ad462c2d2c55ca247d2ed18fabcbfe814373576f6f2669bd92fbb6139c1cb9f9eae874f2395b6138c59cc1ebc7c7573ca44580609488d0dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eb33add4f66cbf27f9fe785a0be2b75693eaf2a551370c47677c95e83f74b33a76ff306cb42a5cb2b47ee4f16747699721b59739ebd5fbf5c14dee61466a9a7f9d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e90ca9b7ff680031c1690dc2aac95f78053878ef81a0b9c7e9cc290f2b32635e1c0977574a84fbeda0064e7166349e2f35cedf56a079acb10fee441a6ee64f29fd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e44335396957de41ceab0cf684ca69dfd5ba93b2ea73c0a2d7e1208ab79eb15574f4d500df44ca4dedcccc5dbee5b849b8738c1cae23c92a1abb13531e9e1c582d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e979555d43a557cb0b49dc7d2eed09a86ceae1346cd76866480b1b046417cf6c1371d17ebe02cd3a98f5b31fba0e6e492dec206bfd91bb8c5d7537ef32ec6672ed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e7e9f4b612ac41af0fe78ec2b52abda88f63f6354f8d2ce03081e7f04df9e3d1e5c0ee262540a03da94e81a1d1e7cb331c4827bdbe5909a47753833a6519ca0e5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e881e990649e86f405129ff932953b6385c746076c57016895af91a59ac3dda5bcf6475ad366d3edfe5e52cd911fcab36344f33dc1f7e09dbc257364dd7e072c6d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34eda9f53c988e468508aab64a14418bbc0efdb09b5766241fedebb9c05b94a8a038a99c0a1ebac96cfe54afa826c2b48043c09850f3c5531f38af6b8a3a2c773f5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e4ed279228d62594d3185a7a289f77daa52dca3703876f0a061e8f9fc9c9baa9b83bb927c537bce6290935310ef105c227b744a5b05d7ef821fd6b5ca815468b0d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0b8ce47eabc4dd869a765a4372f0ce3638607c2dbfe6f7829682c9d678edb6056ea22e72c0823c0f2168e627078a39cbe9400a57152262ac0928b9cbbd08b6bed53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e31b0fc4e55407dc5591e35678df86027be9338284199602ba61e7effcbf8a8648a4b2f2fbd289b1ecb5a3180183d8e0c5ca24bbe3c65d653742a1a01ad53b2a5d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e67179b79a75c412c3b31cad521f174aa1f69a07cf45f8746bd3b723968fdf4be4f44256558ba58b263a6160eca7f1256cf5315f3c5c26b0929963fa779766b84d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34ef325caf773e398071c686fd59ada6fb33b3becc603cbb9d95733ea52801b6a5aac586e60b13e0ae13ed49db54c31682d43cc6e36bc0f915f240a66a9658c7c74d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e45d6ca66a711a61c8fe8ab522a5a34fd825ea18f926f1713b9b1e994001c7caed5d8b65014b4dd10bc9c0ebfb37964ae4fcd2f9b0592a073ae43c86877272825d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e0c12eb80756fb9d4f19ae25ae9d2b3a82911541f64238507604afeb7407c7b12440fdd9e5d4eb0591dd1206dde6d389c166f89bd35949a3959fb90240152f20dd53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e06b2a19c4a8a0ffd7adb60b6c8791c660c095f32fa9beb69673752dc23a78e912fb90d9d5892898956f53f105b0b093c5ac87b2ecadca8c13eeafdf90909a007d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e8861035b9fe7249eb178e9cd090abd80d88fc94c527ccdc1a38b96417186de078861035b9fe7249eb178e9cd090abd80d88fc94c527ccdc1a38b96417186de079148f2f9217ad674792bba2829821f4c588b94286ee51aa2478af714e0f237259148f2f9217ad674792bba2829821f4c588b94286ee51aa2478af714e0f237257336e4cf97adf5f0114759176842596133e86e735d249d5151f04b5fc35b289c7336e4cf97adf5f0114759176842596133e86e735d249d5151f04b5fc35b289cda1fcf0bde6f255c2853bbd173a17b1b25d62771e3b7e3d90661b6d4b7e534f0db85a973259a48f811edf199b81341d353d89b2aefb08a309125ee481ed4311c33115c8ae83b6d571d45099e1758b571209e2808eed26389ffc50c1d5409cb372193bbeb31675d218652e2563042f424ba7c9512412552c594429ce1e9464e9ba3758b5ae9519ea9ff5be8f2061eb25a61aa5486d91be5f81f951b52dff12a8150e3c030d2451b2871ca4084e1cb1da2fc20e1cc0d1ff717d9a86ab8c9224bf8e76666fd3e7dd6f19d33c62089e487a026f62d4d30ac0657157cad25f5ea8ba28a4c3149043a19bee768c6f4353257ffb056947cb6ae1df0cdba161f22d73def8da3f2bc8647894c8d5a567fb89bb3b81a8513f8b013ed9b794536953d2d0980b3d0ec97a193c1109a9971e3cd806b7b5a097e07ecba8eab79468fc1f65087d2e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b8555a4e51619ee7c5271a79c695efd82fe9a7bb1bbd563c5093f30b0fe9653e16dd08062b1ce71faab6f7a21a62b6cb71a88b275e7f36fad087d29fd7e0f121d13d8564f22331cfac1d241b73064f15e1a5ffae1133f81f6592187d6d9cf673f27776afe622fa2ab9e66f67ff50f9e3d9af768587fc9a04f367e370450e8faae0f9e1fa3269417ef83475c62ed5fd9477da3a3f0518b699b35ad6edfb8044ef4f46dd0f14d1f02077d066f0f4b332fa4ed4ba352c560a62a6f628cb82df4de4a345c4a79bf016230fdb72a4ee61be011c3e63471c1978071f20cff3d78c36bd98546669d66bfcc2aaa964253460196d90e17244d1ca474a7e46ffb3ce986afc3efeb76cc49f30816e6ec08a4bf3f48cab11f3c0c159624e8c3abe52b52f5e6816f0c16d8b425ec6ad79e708bcf6403ab125bb66bf8c951dd1a64b4267081ef9d51e00a9188c690e3c9929aeab0807e528087cc248936f24619ed4662991a24680b3efe7b851134b5bfc25890013d9045f0ba69ae7b123e56cb85165aa0f26eb760ae3bc9be806fc9b738ebacd0313d1d166277c8b307ff1b72ecd4984496a1a96a2277e93ce396e993e4d66627ef503a55a3e12ad1cc4fe67dee67eb838e46200fb241a8881c02be0510da0bb52b897aefdc61b2bb23b272b81e67a51d446e764022a09046f4ae89c3fccc514a1d749d62bcf4d50a27067c77175dcd20e1274fd19db7a42138adbfc8d02f049e9b76055ff2b53e777253d5c13eecc746d0182a8e68e7fb0018bd239d06926a009de845619163e8f8111596cfae0157d914ec1c10d2d74091c97b82bdc91d50b5ccde9ce59eb6565dc9a63d3bb9a2049ed72843d094762fa117dfad29fd5fbd5e51c562e237f9538204ffd1cc717e77c14e5dd6a288861035b9fe7249eb178e9cd090abd80d88fc94c527ccdc1a38b96417186de07e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855ef53c74ff844d0b66411cecfbb3fe6e301c8a819f78864c126cdf95a15d165fe9148f2f9217ad674792bba2829821f4c588b94286ee51aa2478af714e0f2372502deec1f66de343d85ef80a325125f0e0f1dad2e55b81f82062f18e6ab4872051c3c8cd4d0b3e34d64e32f195e3425c1281078701cb33af80f25ab47d2b5a67af83702c1f209391f7b40d18c10083bffffd9ddcc55d8f27b146d87a5c55bc14e8e523b6647d9f268a2d741f419c712732b2f7d347c52cb9e3ed7277a8d9332fa1b74f09de65db7dc2a505a1008c81e69aa08d51bbd94bf2cb6c0f3213a88fbe32d225e666151002a4bd33445e60746a8e083f1c4dbd076a3c01c828b99938177../selinux-policy-migrate-local-changes@.service@@@@@@@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootselinux-policy-3.13.1-192.el7_5.6.src.rpmconfig(selinux-policy-targeted)selinux-policy-baseselinux-policy-targeted@     /bin/bash/bin/sh/bin/shconfig(selinux-policy-targeted)coreutilspolicycoreutilsrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)selinux-policyselinux-policyrpmlib(PayloadIsXz)3.13.1-192.el7_5.62.5-183.0.4-14.6.0-14.0-13.13.1-192.el7_5.63.13.1-192.el7_5.65.2-1 audispd-pluginsseedit389-ds-base389-adminpki-selinuxfreeipa-server-selinux1.7.7-11.2.71.1.1210.0.0-0.45.b13.2.2-14.11.3[`O@[6@[@ZZZI@ZH@Z@ZZz@Zz@ZyZ_:ZWQZV@Z.s@Z)-@Z%8ZZ @ZZNZNYYA@YYW@YW@YYY@Y@Ycl@YP@YJ_YI@YBvY9<@Y6@Y5GY1S@Y0Y.@Y-^Y, @Y, @Y%uYYY@Y@Y@Y.YXQ@XXX@X@X@XXX@XۡXP@XXg@Xg@X~@X@XƉXCXCXX @XXXBXXXs{@XY@XWXRXRXOXJXAb@X@X)@X#X!@XWWSW_@W_@Wv@W;W@WίWW:WQW@WW@W@WW~W@WW~D@W{@Ws@WrfWj}WbW^@WYZ@WYZ@WUeWM|WBW9@W9@W1@W(W V@V@V@V޾V2V@V_VVCV@VZV @VqV }@V }@VBUUU@U@UpUUUUoUoU5@UUȒ@UĝUUWUU@UUK@UUU'Ua@U~@UzUv@UT@U@Tr@T@T@T7TTTC@T@TTT}Tto@TsTk4T`T[bTWn@T?@T>aT6xT6xT@S@SSDSg}@SB@S>S;S:@S9XS5d@S4S2@S0@S,)S*@S)S)S&S&S"@S!S L@SSS@SSc@SSnS @S SK@RRR@RRJ@Ra@RRR&R&RRR=RʚRR@R@R@Rv@Rv@R@RR@R R@R@R|@Rz/@Rz/@RsRpRnQRi RfhR_@R_@R[R[RSRNRNRL RIgRB@RB@R:@R1R-@R-@R(r@R' R%@R7RRNRR@Q@QQdQQ@QQޞ@Q@QکQکQ@QzQQ4Q@@Q@QKQQ@Q@Q@Q@QQ@QQQQ@Q@QQQ@Qzl@Qw@QvwQo@Qo@QnQm=@QkQfQb@Q`@Q^QZ@QQQIQGQ@j@Q9Q8@Q4Q0@Q-@Q& @Q$QQ@QQ@Q @Qh@QsPP@P@PP@P[PP!@P8@PO@P @Pf@PPqP @PP7@P@PPPYP@P@PPPM@PPd@P@PoP{@P{@P@PP5@P@P~P}L@Px@PvPvPuc@Puc@Pr@Pmz@Pmz@Pmz@Pj@Pd?Pd?Pb@PaPaP[@PXb@PWPS@PQPO'PM@PIP@@P>@P8@P7lP2&P2&P,P,P*=P(@P#@P#@P!@P!@P@PkPw@Pw@PP

@NNU@NNl@N@N@NåN@NNNN@NNN@N@NGNGNGN@N@NNS@NS@N^N^N @N @NNj@Nj@NN$@NN@N/N@N@NFNFN@NNN@N@N@N]Ni@Ni@Ni@N|tNyNx@Ns:@NoENoENiNf @N^"@N\N[@NTNS@NS@NC@NBrN:N98@N7N6@N2N.@N*N)f@N(N%qN$ @N@N7@N e@NpNpM@M@Md@Md@MM{@M@M۝M@M@M‘@M@M@M@My@My@M3@M@M@MMM@MMMMTMx@Mx@Mv@MlMbSM[@MRMQ0@MQ0@MJMGMGMA^@M>@M9u@M6@M5M4/@M4/@M0:M,F@M$]@M@M9MMMMM\@M M M@L!L!L@LL@L@L@LOLOL[@L@L@Lr@L L,@L,@Lډ@L7LLLNL@LΫLeL|L@LB@LB@LB@L@LMLL@LdLL{L*@L@L5LLA@LLLL@LcL@L@L@LzL)@L|L|L|L{@LvW@LvW@Ls@Ls@LrbLrbLmLk@LjyLe3Lc@La?@LZLYV@LXLN@LN@LMxLMxLI@LH2LF@LEL=L=L=L;L7@L LT@L@LL@L@L0LLGL@K^K^KKKj@K$@KKK@K@KK@K]K޺K@KtK#@KKՀ@K:@KK͗@KŮ@K\K\K @KKKKK9@KK@KK@K@KKKKrKK~@K,K,K,K@KK8@KKK@KK@KqKqK}+K{@K{@KuBKs@KqN@KjKie@Kf@Ka|@K`*K]KXAKTM@KPXKEKEKEKD{@KC)KA@K;@K2@K0K/c@K+nK*@K(K"4@KK>K>K>JJęJH@JH@JJJ_@J@JjJjJ@Jv@Jv@Jv@Jv@J$J@JJ0@J@J@JG@JG@J@JJ@J@J@JJJ#J@JJJ@J:J@JJQJ@J J J|@JzJyt@Jyt@Jx"JrJrJq@Jn@Jn@JmJhPJeJ\s@JW-@JT@JS8JKOJI@JCfJCfJB@J@J@J?r@J<@J;}J:,@J7@J67J2C@J0J/@J,@J%@JJB@JJMJ J dJ@J@JJ@J*@J*@II@IIA@IIII@I@IIIX@IX@IX@II@I@IcIIo@Io@IzI)@I@IܑI@@II@I@I@IԨIд@I̿In@I3I3I@II@I@IV@IIaIIm@I@I'@II2III@IIIIIIII@III@I1I@III~@I}Iy@Ix_Iw@IuItk@Itk@Io%@Ik0IeIcGIa@I`IVIO@IJ;@IHIAI>]I= @I7@I6tI3I-I@III9@I9@II IP@I@IIg@Ig@HHH@HrH~@H,H@HCHHH @H @Hf@Hf@H@H+H@H׈H׈H7@HBH@HǶH@HH|@HHH@H{@H)HHL@H@H@H@HnH}H|@Ht@HsVHr@Hl@HkmHgy@HcH`H_@H^>HRa@HQHQHO@HFHFH$@DX@DU@DN@DN@DLDH@DGwDGwDDD@@D?D?D;@D;@D:HD:HD2_D1@D1@D-D+@D+@D'D!<@D!<@D!<@DDD@D@D@DDDDDD@D@D@D@D uD $@D D @D @DDDFC@C@C@C@CCCCCR@CCCCC@Ci@CC@C@CtC@C@CC:@CECCC @C @CعCعCعCعCC@C-C-C-C@C@CCǖ@C@CáCáCP@CP@C[C @C @CCg@Cg@CCC!@C~@C,C@CCCCC@CC@C@C@CZCZC @C @CCCf@Cf@Cf@CC@CqCqC @C @C @CCC}@C7@C7@C7@CBCBCYC@C@CC}@CqCqLukas Vrabec - 3.13.1-192.6Lukas Vrabec - 3.13.1-192.5Lukas Vrabec - 3.13.1-192.4Lukas Vrabec - 3.13.1-192.3Lukas Vrabec - 3.13.1-192.2Lukas Vrabec - 3.13.1-192.1Lukas Vrabec - 3.13.1-192Lukas Vrabec - 3.13.1-191Lukas Vrabec - 3.13.1-190Lukas Vrabec - 3.13.1-189Lukas Vrabec - 3.13.1-188Lukas Vrabec - 3.13.1-187Lukas Vrabec - 3.13.1-186Lukas Vrabec - 3.13.1-185Lukas Vrabec - 3.13.1-184Lukas Vrabec - 3.13.1-183Lukas Vrabec - 3.13.1-182Lukas Vrabec - 3.13.1-181Lukas Vrabec - 3.13.1-180Lukas Vrabec - 3.13.1-179Lukas Vrabec - 3.13.1-178Lukas Vrabec - 3.13.1-177Lukas Vrabec - 3.13.1-176Lukas Vrabec - 3.13.1-175Lukas Vrabec - 3.13.1-174Lukas Vrabec - 3.13.1-173Lukas Vrabec - 3.13.1-172Lukas Vrabec - 3.13.1-171Lukas Vrabec - 3.13.1-170Lukas Vrabec - 3.13.1-169Lukas Vrabec - 3.13.1-168Lukas Vrabec - 3.13.1-167Lukas Vrabec - 3.13.1-166Lukas Vrabec - 3.13.1-165Lukas Vrabec - 3.13.1-164Lukas Vrabec - 3.13.1-163Lukas Vrabec - 3.13.1-162Lukas Vrabec - 3.13.1-161Lukas Vrabec - 3.13.1-160Lukas Vrabec - 3.13.1-159Lukas Vrabec - 3.13.1-158Lukas Vrabec - 3.13.1-157Lukas Vrabec - 3.13.1-156Lukas Vrabec - 3.13.1-155Lukas Vrabec - 3.13.1-154Lukas Vrabec - 3.13.1-153Lukas Vrabec - 3.13.1-152Lukas Vrabec - 3.13.1-151Lukas Vrabec - 3.13.1-150Lukas Vrabec - 3.13.1-149Lukas Vrabec - 3.13.1-148Lukas Vrabec - 3.13.1-147Lukas Vrabec - 3.13.1-146Lukas Vrabec - 3.13.1-145Lukas Vrabec - 3.13.1-144Lukas Vrabec - 3.13.1-143Lukas Vrabec - 3.13.1-142Lukas Vrabec - 3.13.1-141Lukas Vrabec - 3.13.1-140Lukas Vrabec - 3.13.1-139Lukas Vrabec - 3.13.1-138Lukas Vrabec - 3.13.1-137Lukas Vrabec - 3.13.1-136Lukas Vrabec - 3.13.1-135Lukas Vrabec - 3.13.1-134Lukas Vrabec - 3.13.1-133Lukas Vrabec - 3.13.1-132Lukas Vrabec - 3.13.1-131Lukas Vrabec - 3.13.1-130Lukas Vrabec - 3.13.1-129Lukas Vrabec - 3.13.1-128Lukas Vrabec - 3.13.1-127Lukas Vrabec - 3.13.1-126Lukas Vrabec - 3.13.1-125Lukas Vrabec - 3.13.1-124Lukas Vrabec - 3.13.1-123Lukas Vrabec - 3.13.1-122Lukas Vrabec - 3.13.1-120Lukas Vrabec - 3.13.1-119Lukas Vrabec - 3.13.1-118Lukas Vrabec - 3.13.1-117Lukas Vrabec - 3.13.1-116Lukas Vrabec - 3.13.1-115Lukas Vrabec - 3.13.1-114Lukas Vrabec - 3.13.1-113Lukas Vrabec - 3.13.1-112Lukas Vrabec - 3.13.1-111Lukas Vrabec - 3.13.1-110Lukas Vrabec - 3.13.1-109Lukas Vrabec - 3.13.1-108Lukas Vrabec - 3.13.1-107Lukas Vrabec - 3.13.1-106Miroslav Grepl - 3.13.1-105Lukas Vrabec - 3.13.1-104Lukas Vrabec - 3.13.1-103Dan Walsh - 3.13.1-102Lukas Vrabec - 3.13.1-101Lukas Vrabec - 3.13.1-100Lukas Vrabec - 3.13.1-99Lukas Vrabec - 3.13.1-98Lukas Vrabec - 3.13.1-97Lukas Vrabec - 3.13.1-96Lukas Vrabec - 3.13.1-95Lukas Vrabec - 3.13.1-94Lukas Vrabec - 3.13.1-93Lukas Vrabec - 3.13.1-92Lukas Vrabec - 3.13.1-91Lukas Vrabec - 3.13.1-90Lukas Vrabec - 3.13.1-89Lukas Vrabec - 3.13.1-88Lukas Vrabec - 3.13.1-87Lukas Vrabec - 3.13.1-86Lukas Vrabec - 3.13.1-85Lukas Vrabec - 3.13.1-84Lukas Vrabec - 3.13.1-83Lukas Vrabec - 3.13.1-82Lukas Vrabec - 3.13.1-81Lukas Vrabec - 3.13.1-80Petr Lautrbach - 3.13.1-79Lukas Vrabec - 3.13.1-78Lukas Vrabec - 3.13.1-77Lukas Vrabec - 3.13.1-76Lukas Vrabec - 3.13.1-75Lukas Vrabec - 3.13.1-74Lukas Vrabec - 3.13.1-73Lukas Vrabec - 3.13.1-72Lukas Vrabec - 3.13.1-71Lukas Vrabec - 3.13.1-70Lukas Vrabec - 3.13.1-69Lukas Vrabec - 3.13.1-68Lukas Vrabec - 3.13.1-67Petr Lautrbach - 3.13.1-66Lukas Vrabec 3.13.1-65Lukas Vrabec 3.13.1-64Lukas Vrabec 3.13.1-63Lukas Vrabec 3.13.1-62Lukas Vrabec 3.13.1-61Miroslav Grepl 3.13.1-60Miroslav Grepl 3.13.1-59Lukas Vrabec 3.13.1-58Lukas Vrabec 3.13.1-57Miroslav Grepl 3.13.1-56Lukas Vrabec 3.13.1-55Lukas Vrabec 3.13.1-54Lukas Vrabec 3.13.1-53Lukas Vrabec 3.13.1-52Miroslav Grepl 3.13.1-51Lukas Vrabec 3.13.1-50Lukas Vrabec 3.13.1-49Lukas Vrabec 3.13.1-48Lukas Vrabec 3.13.1-47Lukas Vrabec 3.13.1-46Lukas Vrabec 3.13.1-45Lukas Vrabec 3.13.1-44Lukas Vrabec 3.13.1-43Lukas Vrabec 3.13.1-42Lukas Vrabec 3.13.1-41Lukas Vrabec 3.13.1-40Miroslav Grepl 3.13.1-39Lukas Vrabec 3.13.1-38Lukas Vrabec 3.13.1-37Lukas Vrabec 3.13.1-36Lukas Vrabec 3.13.1-35Lukas Vrabec 3.13.1-34Lukas Vrabec 3.13.1-33Lukas Vrabec 3.13.1-32Miroslav Grepl 3.13.1-31Miroslav Grepl 3.13.1-30Miroslav Grepl 3.13.1-29Miroslav Grepl 3.13.1-28Miroslav Grepl 3.13.1-27Miroslav Grepl 3.13.1-26Miroslav Grepl 3.13.1-25Miroslav Grepl 3.13.1-24Miroslav Grepl 3.13.1-23Miroslav Grepl 3.13.1-22Miroslav Grepl 3.13.1-21Miroslav Grepl 3.13.1-20Miroslav Grepl 3.13.1-19Miroslav Grepl 3.13.1-18Miroslav Grepl 3.13.1-17Miroslav Grepl 3.13.1-16Miroslav Grepl 3.13.1-15Miroslav Grepl 3.13.1-14Miroslav Grepl 3.13.1-13Miroslav Grepl 3.13.1-12Miroslav Grepl 3.13.1-11Miroslav Grepl 3.13.1-10Miroslav Grepl 3.13.1-9Miroslav Grepl 3.13.1-8Miroslav Grepl 3.13.1-7Miroslav Grepl 3.13.1-6Miroslav Grepl 3.13.1-5Miroslav Grepl 3.13.1-4Miroslav Grepl 3.13.1-3Miroslav Grepl 3.13.1-2Miroslav Grepl 3.13.1-1Miroslav Grepl 3.12.1-156Miroslav Grepl 3.12.1-155Miroslav Grepl 3.12.1-154Miroslav Grepl 3.12.1-153Miroslav Grepl 3.12.1-152Miroslav Grepl 3.12.1-151Miroslav Grepl 3.12.1-149Miroslav Grepl 3.12.1-149Miroslav Grepl 3.12.1-148Miroslav Grepl 3.12.1-147Miroslav Grepl 3.12.1-146Miroslav Grepl 3.12.1-145Miroslav Grepl 3.12.1-144Lukas Vrabec 3.12.1-143Miroslav Grepl 3.12.1-142Miroslav Grepl 3.12.1-141Miroslav Grepl 3.12.1-140Miroslav Grepl 3.12.1-139Lukas Vrabec 3.12.1-138Miroslav Grepl 3.12.1-137Miroslav Grepl 3.12.1-136Miroslav Grepl 3.12.1-135Miroslav Grepl 3.12.1-134Miroslav Grepl 3.12.1-133Miroslav Grepl 3.12.1-132Miroslav Grepl 3.12.1-131Miroslav Grepl 3.12.1-130Miroslav Grepl 3.12.1-129Miroslav Grepl 3.12.1-128Miroslav Grepl 3.12.1-127Miroslav Grepl 3.12.1-126Miroslav Grepl 3.12.1-125Miroslav Grepl 3.12.1-124Miroslav Grepl 3.12.1-123Miroslav Grepl 3.12.1-122Miroslav Grepl 3.12.1-121Miroslav Grepl 3.12.1-120Miroslav Grepl 3.12.1-119Miroslav Grepl 3.12.1-118Miroslav Grepl 3.12.1-117Miroslav Grepl 3.12.1-116Miroslav Grepl 3.12.1-115Miroslav Grepl 3.12.1-114Miroslav Grepl 3.12.1-113Miroslav Grepl 3.12.1-112Miroslav Grepl 3.12.1-111Miroslav Grepl 3.12.1-110Miroslav Grepl 3.12.1-109Miroslav Grepl 3.12.1-108Miroslav Grepl 3.12.1-107Dan Walsh 3.12.1-106Miroslav Grepl 3.12.1-105Miroslav Grepl 3.12.1-104Miroslav Grepl 3.12.1-103Miroslav Grepl 3.12.1-102Miroslav Grepl 3.12.1-101Miroslav Grepl 3.12.1-100Miroslav Grepl 3.12.1-99Miroslav Grepl 3.12.1-98Miroslav Grepl 3.12.1-97Miroslav Grepl 3.12.1-96Miroslav Grepl 3.12.1-95Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-93Miroslav Grepl 3.12.1-92Miroslav Grepl 3.12.1-91Miroslav Grepl 3.12.1-90Miroslav Grepl 3.12.1-89Miroslav Grepl 3.12.1-88Miroslav Grepl 3.12.1-87Miroslav Grepl 3.12.1-86Miroslav Grepl 3.12.1-85Miroslav Grepl 3.12.1-84Miroslav Grepl 3.12.1-83Miroslav Grepl 3.12.1-82Miroslav Grepl 3.12.1-81Miroslav Grepl 3.12.1-80Miroslav Grepl 3.12.1-79Miroslav Grepl 3.12.1-78Miroslav Grepl 3.12.1-77Miroslav Grepl 3.12.1-76Miroslav Grepl 3.12.1-75Miroslav Grepl 3.12.1-74Miroslav Grepl 3.12.1-73Miroslav Grepl 3.12.1-72Miroslav Grepl 3.12.1-71Miroslav Grepl 3.12.1-70Miroslav Grepl 3.12.1-69Miroslav Grepl 3.12.1-68Miroslav Grepl 3.12.1-67Miroslav Grepl 3.12.1-66Miroslav Grepl 3.12.1-65Miroslav Grepl 3.12.1-64Miroslav Grepl 3.12.1-63Miroslav Grepl 3.12.1-62Miroslav Grepl 3.12.1-61Miroslav Grepl 3.12.1-60Miroslav Grepl 3.12.1-59Miroslav Grepl 3.12.1-58Miroslav Grepl 3.12.1-57Miroslav Grepl 3.12.1-56Miroslav Grepl 3.12.1-55Miroslav Grepl 3.12.1-54Miroslav Grepl 3.12.1-53Miroslav Grepl 3.12.1-52Miroslav Grepl 3.12.1-51Miroslav Grepl 3.12.1-50Miroslav Grepl 3.12.1-49Miroslav Grepl 3.12.1-48Miroslav Grepl 3.12.1-47Miroslav Grepl 3.12.1-46Miroslav Grepl 3.12.1-45Miroslav Grepl 3.12.1-44Miroslav Grepl 3.12.1-43Miroslav Grepl 3.12.1-42Miroslav Grepl 3.12.1-41Miroslav Grepl 3.12.1-40Miroslav Grepl 3.12.1-39Miroslav Grepl 3.12.1-38Miroslav Grepl 3.12.1-37Miroslav Grepl 3.12.1-36Miroslav Grepl 3.12.1-35Miroslav Grepl 3.12.1-34Miroslav Grepl 3.12.1-33Miroslav Grepl 3.12.1-32Miroslav Grepl 3.12.1-31Miroslav Grepl 3.12.1-30Miroslav Grepl 3.12.1-29Dan Walsh 3.12.1-28Dan Walsh 3.12.1-27Miroslav Grepl 3.12.1-26Miroslav Grepl 3.12.1-25Miroslav Grepl 3.12.1-24Miroslav Grepl 3.12.1-23Miroslav Grepl 3.12.1-22Miroslav Grepl 3.12.1-21Miroslav Grepl 3.12.1-20Miroslav Grepl 3.12.1-19Miroslav Grepl 3.12.1-18Miroslav Grepl 3.12.1-17Miroslav Grepl 3.12.1-16Miroslav Grepl 3.12.1-15Miroslav Grepl 3.12.1-14Miroslav Grepl 3.12.1-13Miroslav Grepl 3.12.1-12Miroslav Grepl 3.12.1-11Miroslav Grepl 3.12.1-10Miroslav Grepl 3.12.1-9Miroslav Grepl 3.12.1-8Miroslav Grepl 3.12.1-7Miroslav Grepl 3.12.1-6Miroslav Grepl 3.12.1-5Miroslav Grepl 3.12.1-4Miroslav Grepl 3.12.1-3Miroslav Grepl 3.12.1-2Miroslav Grepl 3.12.1-1Dan Walsh 3.11.1-69.1Miroslav Grepl 3.11.1-69Miroslav Grepl 3.11.1-68Miroslav Grepl 3.11.1-67Miroslav Grepl 3.11.1-66Miroslav Grepl 3.11.1-65Miroslav Grepl 3.11.1-64Miroslav Grepl 3.11.1-63Miroslav Grepl 3.11.1-62Miroslav Grepl 3.11.1-61Miroslav Grepl 3.11.1-60Miroslav Grepl 3.11.1-59Miroslav Grepl 3.11.1-58Miroslav Grepl 3.11.1-57Miroslav Grepl 3.11.1-56Miroslav Grepl 3.11.1-55Miroslav Grepl 3.11.1-54Miroslav Grepl 3.11.1-53Miroslav Grepl 3.11.1-52Miroslav Grepl 3.11.1-51Miroslav Grepl 3.11.1-50Miroslav Grepl 3.11.1-49Miroslav Grepl 3.11.1-48Miroslav Grepl 3.11.1-47Miroslav Grepl 3.11.1-46Miroslav Grepl 3.11.1-45Miroslav Grepl 3.11.1-44Miroslav Grepl 3.11.1-43Miroslav Grepl 3.11.1-42Miroslav Grepl 3.11.1-41Miroslav Grepl 3.11.1-40Miroslav Grepl 3.11.1-39Miroslav Grepl 3.11.1-38Miroslav Grepl 3.11.1-37Miroslav Grepl 3.11.1-36Miroslav Grepl 3.11.1-35Miroslav Grepl 3.11.1-34Miroslav Grepl 3.11.1-33Miroslav Grepl 3.11.1-32Miroslav Grepl 3.11.1-31Miroslav Grepl 3.11.1-30Miroslav Grepl 3.11.1-29Miroslav Grepl 3.11.1-28Miroslav Grepl 3.11.1-27Miroslav Grepl 3.11.1-26Miroslav Grepl 3.11.1-25Miroslav Grepl 3.11.1-24Miroslav Grepl 3.11.1-23Miroslav Grepl 3.11.1-22Miroslav Grepl 3.11.1-21Miroslav Grepl 3.11.1-20Miroslav Grepl 3.11.1-19Miroslav Grepl 3.11.1-18Miroslav Grepl 3.11.1-17Miroslav Grepl 3.11.1-16Dan Walsh 3.11.1-15Miroslav Grepl 3.11.1-14Dan Walsh 3.11.1-13Miroslav Grepl 3.11.1-12Miroslav Grepl 3.11.1-11Miroslav Grepl 3.11.1-10Dan Walsh 3.11.1-9Dan Walsh 3.11.1-8Dan Walsh 3.11.1-7Dan Walsh 3.11.1-6Miroslav Grepl 3.11.1-5Miroslav Grepl 3.11.1-4Miroslav Grepl 3.11.1-3Miroslav Grepl 3.11.1-2Miroslav Grepl 3.11.1-1Miroslav Grepl 3.11.1-0Miroslav Grepl 3.11.0-15Miroslav Grepl 3.11.0-14Miroslav Grepl 3.11.0-13Miroslav Grepl 3.11.0-12Fedora Release Engineering - 3.11.0-11Miroslav Grepl 3.11.0-10Miroslav Grepl 3.11.0-9Miroslav Grepl 3.11.0-8Miroslav Grepl 3.11.0-7Miroslav Grepl 3.11.0-6Miroslav Grepl 3.11.0-5Miroslav Grepl 3.11.0-4Miroslav Grepl 3.11.0-3Miroslav Grepl 3.11.0-2Miroslav Grepl 3.11.0-1Miroslav Grepl 3.10.0-128Miroslav Grepl 3.10.0-127Miroslav Grepl 3.10.0-126Miroslav Grepl 3.10.0-125Miroslav Grepl 3.10.0-124Miroslav Grepl 3.10.0-123Miroslav Grepl 3.10.0-122Miroslav Grepl 3.10.0-121Miroslav Grepl 3.10.0-120Miroslav Grepl 3.10.0-119Miroslav Grepl 3.10.0-118Miroslav Grepl 3.10.0-117Miroslav Grepl 3.10.0-116Miroslav Grepl 3.10.0-115Miroslav Grepl 3.10.0-114Miroslav Grepl 3.10.0-113Miroslav Grepl 3.10.0-112Miroslav Grepl 3.10.0-111Miroslav Grepl 3.10.0-110Miroslav Grepl 3.10.0-109Miroslav Grepl 3.10.0-108Miroslav Grepl 3.10.0-107Miroslav Grepl 3.10.0-106Miroslav Grepl 3.10.0-105Miroslav Grepl 3.10.0-104Miroslav Grepl 3.10.0-103Miroslav Grepl 3.10.0-102Miroslav Grepl 3.10.0-101Miroslav Grepl 3.10.0-100Miroslav Grepl 3.10.0-99Miroslav Grepl 3.10.0-98Miroslav Grepl 3.10.0-97Miroslav Grepl 3.10.0-96Miroslav Grepl 3.10.0-95Miroslav Grepl 3.10.0-94Miroslav Grepl 3.10.0-93Miroslav Grepl 3.10.0-92Miroslav Grepl 3.10.0-91Miroslav Grepl 3.10.0-90Miroslav Grepl 3.10.0-89Miroslav Grepl 3.10.0-88Miroslav Grepl 3.10.0-87Miroslav Grepl 3.10.0-86Miroslav Grepl 3.10.0-85Miroslav Grepl 3.10.0-84Miroslav Grepl 3.10.0-83Miroslav Grepl 3.10.0-82Dan Walsh 3.10.0-81.2Miroslav Grepl 3.10.0-81Miroslav Grepl 3.10.0-80Miroslav Grepl 3.10.0-79Miroslav Grepl 3.10.0-78Miroslav Grepl 3.10.0-77Miroslav Grepl 3.10.0-76Miroslav Grepl 3.10.0-75Dan Walsh 3.10.0-74.2Miroslav Grepl 3.10.0-74Miroslav Grepl 3.10.0-73Miroslav Grepl 3.10.0-72Miroslav Grepl 3.10.0-71Miroslav Grepl 3.10.0-70Miroslav Grepl 3.10.0-69Miroslav Grepl 3.10.0-68Miroslav Grepl 3.10.0-67Miroslav Grepl 3.10.0-66Miroslav Grepl 3.10.0-65Miroslav Grepl 3.10.0-64Miroslav Grepl 3.10.0-63Miroslav Grepl 3.10.0-59Miroslav Grepl 3.10.0-58Dan Walsh 3.10.0-57Dan Walsh 3.10.0-56Dan Walsh 3.10.0-55.2Dan Walsh 3.10.0-55.1Miroslav Grepl 3.10.0-55Dan Walsh 3.10.0-54.1Miroslav Grepl 3.10.0-54Dan Walsh 3.10.0-53.1Miroslav Grepl 3.10.0-53Miroslav Grepl 3.10.0-52Miroslav Grepl 3.10.0-51Dan Walsh 3.10.0-50.2Dan Walsh 3.10.0-50.1Miroslav Grepl 3.10.0-50Miroslav Grepl 3.10.0-49Miroslav Grepl 3.10.0-48Miroslav Grepl 3.10.0-47Dan Walsh 3.10.0-46.1Miroslav Grepl 3.10.0-46Dan Walsh 3.10.0-45.1Miroslav Grepl 3.10.0-45Miroslav Grepl 3.10.0-43Miroslav Grepl 3.10.0-42Miroslav Grepl 3.10.0-41Dan Walsh 3.10.0-40.2Miroslav Grepl 3.10.0-40Dan Walsh 3.10.0-39.3Dan Walsh 3.10.0-39.2Dan Walsh 3.10.0-39.1Miroslav Grepl 3.10.0-39Dan Walsh 3.10.0-38.1Miroslav Grepl 3.10.0-38Miroslav Grepl 3.10.0-37Dan Walsh 3.10.0-36.1Miroslav Grepl 3.10.0-36Dan Walsh 3.10.0-35Dan Walsh 3.10.0-34.7Dan Walsh 3.10.0-34.6Dan Walsh 3.10.0-34.4Miroslav Grepl 3.10.0-34.3Dan Walsh 3.10.0-34.2Dan Walsh 3.10.0-34.1Miroslav Grepl 3.10.0-34Miroslav Grepl 3.10.0-33Dan Walsh 3.10.0-31.1Miroslav Grepl 3.10.0-31Miroslav Grepl 3.10.0-29Miroslav Grepl 3.10.0-28Miroslav Grepl 3.10.0-27Miroslav Grepl 3.10.0-26Miroslav Grepl 3.10.0-25Miroslav Grepl 3.10.0-24Miroslav Grepl 3.10.0-23Miroslav Grepl 3.10.0-22Miroslav Grepl 3.10.0-21Dan Walsh 3.10.0-20Miroslav Grepl 3.10.0-19Miroslav Grepl 3.10.0-18Miroslav Grepl 3.10.0-17Miroslav Grepl 3.10.0-16Miroslav Grepl 3.10.0-14Miroslav Grepl 3.10.0-13Miroslav Grepl 3.10.0-12Miroslav Grepl 3.10.0-11Miroslav Grepl 3.10.0-10Miroslav Grepl 3.10.0-9Miroslav Grepl 3.10.0-8Miroslav Grepl 3.10.0-7Miroslav Grepl 3.10.0-6Miroslav Grepl 3.10.0-5Miroslav Grepl 3.10.0-4Miroslav Grepl 3.10.0-3Miroslav Grepl 3.10.0-2Miroslav Grepl 3.10.0-1Miroslav Grepl 3.9.16-30Dan Walsh 3.9.16-29.1Miroslav Grepl 3.9.16-29Dan Walsh 3.9.16-28.1Miroslav Grepl 3.9.16-27Miroslav Grepl 3.9.16-26Miroslav Grepl 3.9.16-25Miroslav Grepl 3.9.16-24Miroslav Grepl 3.9.16-23Miroslav Grepl 3.9.16-22Miroslav Grepl 3.9.16-21Miroslav Grepl 3.9.16-20Miroslav Grepl 3.9.16-19Miroslav Grepl 3.9.16-18Miroslav Grepl 3.9.16-17Dan Walsh 3.9.16-16.1Miroslav Grepl 3.9.16-16Miroslav Grepl 3.9.16-15Miroslav Grepl 3.9.16-14Miroslav Grepl 3.9.16-13Miroslav Grepl 3.9.16-12Miroslav Grepl 3.9.16-11Miroslav Grepl 3.9.16-10Miroslav Grepl 3.9.16-7Miroslav Grepl 3.9.16-6Miroslav Grepl 3.9.16-5Miroslav Grepl 3.9.16-4Miroslav Grepl 3.9.16-3Miroslav Grepl 3.9.16-2Miroslav Grepl 3.9.16-1Miroslav Grepl 3.9.15-5Miroslav Grepl 3.9.15-2Miroslav Grepl 3.9.15-1Fedora Release Engineering - 3.9.14-2Dan Walsh 3.9.14-1Miroslav Grepl 3.9.13-10Miroslav Grepl 3.9.13-9Dan Walsh 3.9.13-8Miroslav Grepl 3.9.13-7Miroslav Grepl 3.9.13-6Miroslav Grepl 3.9.13-5Miroslav Grepl 3.9.13-4Miroslav Grepl 3.9.13-3Miroslav Grepl 3.9.13-2Miroslav Grepl 3.9.13-1Miroslav Grepl 3.9.12-8Miroslav Grepl 3.9.12-7Miroslav Grepl 3.9.12-6Miroslav Grepl 3.9.12-5Dan Walsh 3.9.12-4Dan Walsh 3.9.12-3Dan Walsh 3.9.12-2Miroslav Grepl 3.9.12-1Dan Walsh 3.9.11-2Miroslav Grepl 3.9.11-1Miroslav Grepl 3.9.10-13Dan Walsh 3.9.10-12Miroslav Grepl 3.9.10-11Miroslav Grepl 3.9.10-10Miroslav Grepl 3.9.10-9Miroslav Grepl 3.9.10-8Miroslav Grepl 3.9.10-7Miroslav Grepl 3.9.10-6Miroslav Grepl 3.9.10-5Dan Walsh 3.9.10-4Miroslav Grepl 3.9.10-3Miroslav Grepl 3.9.10-2Miroslav Grepl 3.9.10-1Miroslav Grepl 3.9.9-4Dan Walsh 3.9.9-3Miroslav Grepl 3.9.9-2Miroslav Grepl 3.9.9-1Miroslav Grepl 3.9.8-7Dan Walsh 3.9.8-6Miroslav Grepl 3.9.8-5Miroslav Grepl 3.9.8-4Dan Walsh 3.9.8-3Dan Walsh 3.9.8-2Dan Walsh 3.9.8-1Dan Walsh 3.9.7-10Dan Walsh 3.9.7-9Dan Walsh 3.9.7-8Dan Walsh 3.9.7-7Dan Walsh 3.9.7-6Dan Walsh 3.9.7-5Dan Walsh 3.9.7-4Dan Walsh 3.9.7-3Dan Walsh 3.9.7-2Dan Walsh 3.9.7-1Dan Walsh 3.9.6-3Dan Walsh 3.9.6-2Dan Walsh 3.9.6-1Dan Walsh 3.9.5-11Dan Walsh 3.9.5-10Dan Walsh 3.9.5-9Dan Walsh 3.9.5-8Dan Walsh 3.9.5-7Dan Walsh 3.9.5-6Dan Walsh 3.9.5-5Dan Walsh 3.9.5-4Dan Walsh 3.9.5-3Dan Walsh 3.9.5-2Dan Walsh 3.9.5-1Dan Walsh 3.9.4-3Dan Walsh 3.9.4-2Dan Walsh 3.9.4-1Dan Walsh 3.9.3-4Dan Walsh 3.9.3-3Dan Walsh 3.9.3-2Dan Walsh 3.9.3-1Dan Walsh 3.9.2-1Dan Walsh 3.9.1-3Dan Walsh 3.9.1-2Dan Walsh 3.9.1-1Dan Walsh 3.9.0-2Dan Walsh 3.9.0-1Dan Walsh 3.8.8-21Dan Walsh 3.8.8-20Dan Walsh 3.8.8-19Dan Walsh 3.8.8-18Dan Walsh 3.8.8-17Dan Walsh 3.8.8-16Dan Walsh 3.8.8-15Dan Walsh 3.8.8-14Dan Walsh 3.8.8-13Dan Walsh 3.8.8-12Dan Walsh 3.8.8-11Dan Walsh 3.8.8-10Dan Walsh 3.8.8-9Dan Walsh 3.8.8-8Dan Walsh 3.8.8-7Dan Walsh 3.8.8-6Dan Walsh 3.8.8-5Dan Walsh 3.8.8-4Dan Walsh 3.8.8-3Dan Walsh 3.8.8-2Dan Walsh 3.8.8-1Dan Walsh 3.8.7-3Dan Walsh 3.8.7-2Dan Walsh 3.8.7-1Dan Walsh 3.8.6-3Miroslav Grepl 3.8.6-2Dan Walsh 3.8.6-1Dan Walsh 3.8.5-1Dan Walsh 3.8.4-1Dan Walsh 3.8.3-4Dan Walsh 3.8.3-3Dan Walsh 3.8.3-2Dan Walsh 3.8.3-1Dan Walsh 3.8.2-1Dan Walsh 3.8.1-5Dan Walsh 3.8.1-4Dan Walsh 3.8.1-3Dan Walsh 3.8.1-2Dan Walsh 3.8.1-1Dan Walsh 3.7.19-22Dan Walsh 3.7.19-21Dan Walsh 3.7.19-20Dan Walsh 3.7.19-19Dan Walsh 3.7.19-17Dan Walsh 3.7.19-16Dan Walsh 3.7.19-15Dan Walsh 3.7.19-14Dan Walsh 3.7.19-13Dan Walsh 3.7.19-12Dan Walsh 3.7.19-11Dan Walsh 3.7.19-10Dan Walsh 3.7.19-9Dan Walsh 3.7.19-8Dan Walsh 3.7.19-7Dan Walsh 3.7.19-6Dan Walsh 3.7.19-5Dan Walsh 3.7.19-4Dan Walsh 3.7.19-3Dan Walsh 3.7.19-2Dan Walsh 3.7.19-1Dan Walsh 3.7.18-3Dan Walsh 3.7.18-2Dan Walsh 3.7.18-1Dan Walsh 3.7.17-6Dan Walsh 3.7.17-5Dan Walsh 3.7.17-4Dan Walsh 3.7.17-3Dan Walsh 3.7.17-2Dan Walsh 3.7.17-1Dan Walsh 3.7.16-2Dan Walsh 3.7.16-1Dan Walsh 3.7.15-4Dan Walsh 3.7.15-3Dan Walsh 3.7.15-2Dan Walsh 3.7.15-1Dan Walsh 3.7.14-5Dan Walsh 3.7.14-4Dan Walsh 3.7.14-3Dan Walsh 3.7.14-2Dan Walsh 3.7.14-1Dan Walsh 3.7.13-4Dan Walsh 3.7.13-3Dan Walsh 3.7.13-2Dan Walsh 3.7.13-1Dan Walsh 3.7.12-1Dan Walsh 3.7.11-1Dan Walsh 3.7.10-5Dan Walsh 3.7.10-4Dan Walsh 3.7.10-3Dan Walsh 3.7.10-2Dan Walsh 3.7.10-1Dan Walsh 3.7.9-4Dan Walsh 3.7.9-3Dan Walsh 3.7.9-2Dan Walsh 3.7.9-1Dan Walsh 3.7.8-11Dan Walsh 3.7.8-9Dan Walsh 3.7.8-8Dan Walsh 3.7.8-7Dan Walsh 3.7.8-6Dan Walsh 3.7.8-5Dan Walsh 3.7.8-4Dan Walsh 3.7.8-3Dan Walsh 3.7.8-2Dan Walsh 3.7.8-1Dan Walsh 3.7.7-3Dan Walsh 3.7.7-2Dan Walsh 3.7.7-1Dan Walsh 3.7.6-1Dan Walsh 3.7.5-8Dan Walsh 3.7.5-7Dan Walsh 3.7.5-6Dan Walsh 3.7.5-5Dan Walsh 3.7.5-4Dan Walsh 3.7.5-3Dan Walsh 3.7.5-2Dan Walsh 3.7.5-1Dan Walsh 3.7.4-4Dan Walsh 3.7.4-3Dan Walsh 3.7.4-2Dan Walsh 3.7.4-1Dan Walsh 3.7.3-1Dan Walsh 3.7.1-1Dan Walsh 3.6.33-2Dan Walsh 3.6.33-1Dan Walsh 3.6.32-17Dan Walsh 3.6.32-16Dan Walsh 3.6.32-15Dan Walsh 3.6.32-13Dan Walsh 3.6.32-12Dan Walsh 3.6.32-11Dan Walsh 3.6.32-10Dan Walsh 3.6.32-9Dan Walsh 3.6.32-8Dan Walsh 3.6.32-7Dan Walsh 3.6.32-6Dan Walsh 3.6.32-5Dan Walsh 3.6.32-4Dan Walsh 3.6.32-3Dan Walsh 3.6.32-2Dan Walsh 3.6.32-1Dan Walsh 3.6.31-5Dan Walsh 3.6.31-4Dan Walsh 3.6.31-3Dan Walsh 3.6.31-2Dan Walsh 3.6.30-6Dan Walsh 3.6.30-5Dan Walsh 3.6.30-4Dan Walsh 3.6.30-3Dan Walsh 3.6.30-2Dan Walsh 3.6.30-1Dan Walsh 3.6.29-2Dan Walsh 3.6.29-1Dan Walsh 3.6.28-9Dan Walsh 3.6.28-8Dan Walsh 3.6.28-7Dan Walsh 3.6.28-6Dan Walsh 3.6.28-5Dan Walsh 3.6.28-4Dan Walsh 3.6.28-3Dan Walsh 3.6.28-2Dan Walsh 3.6.28-1Dan Walsh 3.6.27-1Dan Walsh 3.6.26-11Dan Walsh 3.6.26-10Dan Walsh 3.6.26-9Bill Nottingham 3.6.26-8Dan Walsh 3.6.26-7Dan Walsh 3.6.26-6Dan Walsh 3.6.26-5Dan Walsh 3.6.26-4Dan Walsh 3.6.26-3Dan Walsh 3.6.26-2Dan Walsh 3.6.26-1Dan Walsh 3.6.25-1Dan Walsh 3.6.24-1Dan Walsh 3.6.23-2Dan Walsh 3.6.23-1Dan Walsh 3.6.22-3Dan Walsh 3.6.22-1Dan Walsh 3.6.21-4Dan Walsh 3.6.21-3Tom "spot" Callaway 3.6.21-2Dan Walsh 3.6.21-1Dan Walsh 3.6.20-2Dan Walsh 3.6.20-1Dan Walsh 3.6.19-5Dan Walsh 3.6.19-4Dan Walsh 3.6.19-3Dan Walsh 3.6.19-2Dan Walsh 3.6.19-1Dan Walsh 3.6.18-1Dan Walsh 3.6.17-1Dan Walsh 3.6.16-4Dan Walsh 3.6.16-3Dan Walsh 3.6.16-2Dan Walsh 3.6.16-1Dan Walsh 3.6.14-3Dan Walsh 3.6.14-2Dan Walsh 3.6.14-1Dan Walsh 3.6.13-3Dan Walsh 3.6.13-2Dan Walsh 3.6.13-1Dan Walsh 3.6.12-39Dan Walsh 3.6.12-38Dan Walsh 3.6.12-37Dan Walsh 3.6.12-36Dan Walsh 3.6.12-35Dan Walsh 3.6.12-34Dan Walsh 3.6.12-33Dan Walsh 3.6.12-31Dan Walsh 3.6.12-30Dan Walsh 3.6.12-29Dan Walsh 3.6.12-28Dan Walsh 3.6.12-27Dan Walsh 3.6.12-26Dan Walsh 3.6.12-25Dan Walsh 3.6.12-24Dan Walsh 3.6.12-23Dan Walsh 3.6.12-22Dan Walsh 3.6.12-21Dan Walsh 3.6.12-20Dan Walsh 3.6.12-19Dan Walsh 3.6.12-16Dan Walsh 3.6.12-15Dan Walsh 3.6.12-14Dan Walsh 3.6.12-13Dan Walsh 3.6.12-12Dan Walsh 3.6.12-11Dan Walsh 3.6.12-10Dan Walsh 3.6.12-9Dan Walsh 3.6.12-8Dan Walsh 3.6.12-7Dan Walsh 3.6.12-6Dan Walsh 3.6.12-5Dan Walsh 3.6.12-4Dan Walsh 3.6.12-3Dan Walsh 3.6.12-2Dan Walsh 3.6.12-1Dan Walsh 3.6.11-1Dan Walsh 3.6.10-9Dan Walsh 3.6.10-8Dan Walsh 3.6.10-7Dan Walsh 3.6.10-6Dan Walsh 3.6.10-5Dan Walsh 3.6.10-4Dan Walsh 3.6.10-3Dan Walsh 3.6.10-2Dan Walsh 3.6.10-1Dan Walsh 3.6.9-4Dan Walsh 3.6.9-3Dan Walsh 3.6.9-2Dan Walsh 3.6.9-1Dan Walsh 3.6.8-4Dan Walsh 3.6.8-3Dan Walsh 3.6.8-2Dan Walsh 3.6.8-1Dan Walsh 3.6.7-2Dan Walsh 3.6.7-1Dan Walsh 3.6.6-9Dan Walsh 3.6.6-8Fedora Release Engineering - 3.6.6-7Dan Walsh 3.6.6-6Dan Walsh 3.6.6-5Dan Walsh 3.6.6-4Dan Walsh 3.6.6-3Dan Walsh 3.6.6-2Dan Walsh 3.6.6-1Dan Walsh 3.6.5-3Dan Walsh 3.6.5-1Dan Walsh 3.6.4-6Dan Walsh 3.6.4-5Dan Walsh 3.6.4-4Dan Walsh 3.6.4-3Dan Walsh 3.6.4-2Dan Walsh 3.6.4-1Dan Walsh 3.6.3-13Dan Walsh 3.6.3-12Dan Walsh 3.6.3-11Dan Walsh 3.6.3-10Dan Walsh 3.6.3-9Dan Walsh 3.6.3-8Dan Walsh 3.6.3-7Dan Walsh 3.6.3-6Dan Walsh 3.6.3-3Dan Walsh 3.6.3-2Dan Walsh 3.6.3-1Dan Walsh 3.6.2-5Dan Walsh 3.6.2-4Dan Walsh 3.6.2-3Dan Walsh 3.6.2-2Dan Walsh 3.6.2-1Dan Walsh 3.6.1-15Dan Walsh 3.6.1-14Dan Walsh 3.6.1-13Dan Walsh 3.6.1-12Dan Walsh 3.6.1-11Dan Walsh 3.6.1-10Dan Walsh 3.6.1-9Dan Walsh 3.6.1-8Dan Walsh 3.6.1-7Dan Walsh 3.6.1-4Ignacio Vazquez-Abrams - 3.6.1-2Dan Walsh 3.5.13-19Dan Walsh 3.5.13-18Dan Walsh 3.5.13-17Dan Walsh 3.5.13-16Dan Walsh 3.5.13-15Dan Walsh 3.5.13-14Dan Walsh 3.5.13-13Dan Walsh 3.5.13-12Dan Walsh 3.5.13-11Dan Walsh 3.5.13-9Dan Walsh 3.5.13-8Dan Walsh 3.5.13-7Dan Walsh 3.5.13-6Dan Walsh 3.5.13-5Dan Walsh 3.5.13-4Dan Walsh 3.5.13-3Dan Walsh 3.5.13-2Dan Walsh 3.5.13-1Dan Walsh 3.5.12-3Dan Walsh 3.5.12-2Dan Walsh 3.5.12-1Dan Walsh 3.5.11-1Dan Walsh 3.5.10-3Dan Walsh 3.5.10-2Dan Walsh 3.5.10-1Dan Walsh 3.5.9-4Dan Walsh 3.5.9-3Dan Walsh 3.5.9-2Dan Walsh 3.5.9-1Dan Walsh 3.5.8-7Dan Walsh 3.5.8-6Dan Walsh 3.5.8-5Dan Walsh 3.5.8-4Dan Walsh 3.5.8-3Dan Walsh 3.5.8-1Dan Walsh 3.5.7-2Dan Walsh 3.5.7-1Dan Walsh 3.5.6-2Dan Walsh 3.5.6-1Dan Walsh 3.5.5-4Dan Walsh 3.5.5-3Dan Walsh 3.5.5-2Dan Walsh 3.5.4-2Dan Walsh 3.5.4-1Dan Walsh 3.5.3-1Dan Walsh 3.5.2-2Dan Walsh 3.5.1-5Dan Walsh 3.5.1-4Dan Walsh 3.5.1-3Dan Walsh 3.5.1-2Dan Walsh 3.5.1-1Dan Walsh 3.5.0-1Dan Walsh 3.4.2-14Dan Walsh 3.4.2-13Dan Walsh 3.4.2-12Dan Walsh 3.4.2-11Dan Walsh 3.4.2-10Dan Walsh 3.4.2-9Dan Walsh 3.4.2-8Dan Walsh 3.4.2-7Dan Walsh 3.4.2-6Dan Walsh 3.4.2-5Dan Walsh 3.4.2-4Dan Walsh 3.4.2-3Dan Walsh 3.4.2-2Dan Walsh 3.4.2-1Dan Walsh 3.4.1-5Dan Walsh 3.4.1-3Dan Walsh 3.4.1-2Dan Walsh 3.4.1-1Dan Walsh 3.3.1-48Dan Walsh 3.3.1-47Dan Walsh 3.3.1-46Dan Walsh 3.3.1-45Dan Walsh 3.3.1-44Dan Walsh 3.3.1-43Dan Walsh 3.3.1-42Dan Walsh 3.3.1-41Dan Walsh 3.3.1-39Dan Walsh 3.3.1-37Dan Walsh 3.3.1-36Dan Walsh 3.3.1-33Dan Walsh 3.3.1-32Dan Walsh 3.3.1-31Dan Walsh 3.3.1-30Dan Walsh 3.3.1-29Dan Walsh 3.3.1-28Dan Walsh 3.3.1-27Dan Walsh 3.3.1-26Dan Walsh 3.3.1-25Dan Walsh 3.3.1-24Dan Walsh 3.3.1-23Dan Walsh 3.3.1-22Dan Walsh 3.3.1-21Dan Walsh 3.3.1-20Dan Walsh 3.3.1-19Dan Walsh 3.3.1-18Dan Walsh 3.3.1-17Dan Walsh 3.3.1-16Dan Walsh 3.3.1-15Bill Nottingham 3.3.1-14Dan Walsh 3.3.1-13Dan Walsh 3.3.1-12Dan Walsh 3.3.1-11Dan Walsh 3.3.1-10Dan Walsh 3.3.1-9Dan Walsh 3.3.1-8Dan Walsh 3.3.1-6Dan Walsh 3.3.1-5Dan Walsh 3.3.1-4Dan Walsh 3.3.1-2Dan Walsh 3.3.1-1Dan Walsh 3.3.0-2Dan Walsh 3.3.0-1Dan Walsh 3.2.9-2Dan Walsh 3.2.9-1Dan Walsh 3.2.8-2Dan Walsh 3.2.8-1Dan Walsh 3.2.7-6Dan Walsh 3.2.7-5Dan Walsh 3.2.7-3Dan Walsh 3.2.7-2Dan Walsh 3.2.7-1Dan Walsh 3.2.6-7Dan Walsh 3.2.6-6Dan Walsh 3.2.6-5Dan Walsh 3.2.6-4Dan Walsh 3.2.6-3Dan Walsh 3.2.6-2Dan Walsh 3.2.6-1Dan Walsh 3.2.5-25Dan Walsh 3.2.5-24Dan Walsh 3.2.5-22Dan Walsh 3.2.5-21Dan Walsh 3.2.5-20Dan Walsh 3.2.5-19Dan Walsh 3.2.5-18Dan Walsh 3.2.5-17Dan Walsh 3.2.5-16Dan Walsh 3.2.5-15Dan Walsh 3.2.5-14Dan Walsh 3.2.5-13Dan Walsh 3.2.5-12Dan Walsh 3.2.5-11Dan Walsh 3.2.5-10Dan Walsh 3.2.5-9Dan Walsh 3.2.5-8Dan Walsh 3.2.5-7Dan Walsh 3.2.5-6Dan Walsh 3.2.5-5Dan Walsh 3.2.5-4Dan Walsh 3.2.5-3Dan Walsh 3.2.5-2Dan Walsh 3.2.5-1Dan Walsh 3.2.4-5Dan Walsh 3.2.4-4Dan Walsh 3.2.4-3Dan Walsh 3.2.4-1Dan Walsh 3.2.4-1Dan Walsh 3.2.3-2Dan Walsh 3.2.3-1Dan Walsh 3.2.2-1Dan Walsh 3.2.1-3Dan Walsh 3.2.1-1Dan Walsh 3.1.2-2Dan Walsh 3.1.2-1Dan Walsh 3.1.1-1Dan Walsh 3.1.0-1Dan Walsh 3.0.8-30Dan Walsh 3.0.8-28Dan Walsh 3.0.8-27Dan Walsh 3.0.8-26Dan Walsh 3.0.8-25Dan Walsh 3.0.8-24Dan Walsh 3.0.8-23Dan Walsh 3.0.8-22Dan Walsh 3.0.8-21Dan Walsh 3.0.8-20Dan Walsh 3.0.8-19Dan Walsh 3.0.8-18Dan Walsh 3.0.8-17Dan Walsh 3.0.8-16Dan Walsh 3.0.8-15Dan Walsh 3.0.8-14Dan Walsh 3.0.8-13Dan Walsh 3.0.8-12Dan Walsh 3.0.8-11Dan Walsh 3.0.8-10Dan Walsh 3.0.8-9Dan Walsh 3.0.8-8Dan Walsh 3.0.8-7Dan Walsh 3.0.8-5Dan Walsh 3.0.8-4Dan Walsh 3.0.8-3Dan Walsh 3.0.8-2Dan Walsh 3.0.8-1Dan Walsh 3.0.7-10Dan Walsh 3.0.7-9Dan Walsh 3.0.7-8Dan Walsh 3.0.7-7Dan Walsh 3.0.7-6Dan Walsh 3.0.7-5Dan Walsh 3.0.7-4Dan Walsh 3.0.7-3Dan Walsh 3.0.7-2Dan Walsh 3.0.7-1Dan Walsh 3.0.6-3Dan Walsh 3.0.6-2Dan Walsh 3.0.6-1Dan Walsh 3.0.5-11Dan Walsh 3.0.5-10Dan Walsh 3.0.5-9Dan Walsh 3.0.5-8Dan Walsh 3.0.5-7Dan Walsh 3.0.5-6Dan Walsh 3.0.5-5Dan Walsh 3.0.5-4Dan Walsh 3.0.5-3Dan Walsh 3.0.5-2Dan Walsh 3.0.5-1Dan Walsh 3.0.4-6Dan Walsh 3.0.4-5Dan Walsh 3.0.4-4Dan Walsh 3.0.4-3Dan Walsh 3.0.4-2Dan Walsh 3.0.4-1Dan Walsh 3.0.3-6Dan Walsh 3.0.3-5Dan Walsh 3.0.3-4Dan Walsh 3.0.3-3Dan Walsh 3.0.3-2Dan Walsh 3.0.3-1Dan Walsh 3.0.2-9Dan Walsh 3.0.2-8Dan Walsh 3.0.2-7Dan Walsh 3.0.2-5Dan Walsh 3.0.2-4Dan Walsh 3.0.2-3Dan Walsh 3.0.2-2Dan Walsh 3.0.1-5Dan Walsh 3.0.1-4Dan Walsh 3.0.1-3Dan Walsh 3.0.1-2Dan Walsh 3.0.1-1Dan Walsh 2.6.5-3Dan Walsh 2.6.5-2Dan Walsh 2.6.4-7Dan Walsh 2.6.4-6Dan Walsh 2.6.4-5Dan Walsh 2.6.4-2Dan Walsh 2.6.4-1Dan Walsh 2.6.3-1Dan Walsh 2.6.2-1Dan Walsh 2.6.1-4Dan Walsh 2.6.1-2Dan Walsh 2.6.1-1Dan Walsh 2.5.12-12Dan Walsh 2.5.12-11Dan Walsh 2.5.12-10Dan Walsh 2.5.12-8Dan Walsh 2.5.12-5Dan Walsh 2.5.12-4Dan Walsh 2.5.12-3Dan Walsh 2.5.12-2Dan Walsh 2.5.12-1Dan Walsh 2.5.11-8Dan Walsh 2.5.11-7Dan Walsh 2.5.11-6Dan Walsh 2.5.11-5Dan Walsh 2.5.11-4Dan Walsh 2.5.11-3Dan Walsh 2.5.11-2Dan Walsh 2.5.11-1Dan Walsh 2.5.10-2Dan Walsh 2.5.10-1Dan Walsh 2.5.9-6Dan Walsh 2.5.9-5Dan Walsh 2.5.9-4Dan Walsh 2.5.9-3Dan Walsh 2.5.9-2Dan Walsh 2.5.8-8Dan Walsh 2.5.8-7Dan Walsh 2.5.8-6Dan Walsh 2.5.8-5Dan Walsh 2.5.8-4Dan Walsh 2.5.8-3Dan Walsh 2.5.8-2Dan Walsh 2.5.8-1Dan Walsh 2.5.7-1Dan Walsh 2.5.6-1Dan Walsh 2.5.5-2Dan Walsh 2.5.5-1Dan Walsh 2.5.4-2Dan Walsh 2.5.4-1Dan Walsh 2.5.3-3Dan Walsh 2.5.3-2Dan Walsh 2.5.3-1Dan Walsh 2.5.2-6Dan Walsh 2.5.2-5Dan Walsh 2.5.2-4Dan Walsh 2.5.2-3Dan Walsh 2.5.2-2Dan Walsh 2.5.2-1Dan Walsh 2.5.1-5Dan Walsh 2.5.1-4Dan Walsh 2.5.1-2Dan Walsh 2.5.1-1Dan Walsh 2.4.6-20Dan Walsh 2.4.6-19Dan Walsh 2.4.6-18Dan Walsh 2.4.6-17Dan Walsh 2.4.6-16Dan Walsh 2.4.6-15Dan Walsh 2.4.6-14Dan Walsh 2.4.6-13Dan Walsh 2.4.6-12Dan Walsh 2.4.6-11Dan Walsh 2.4.6-10Dan Walsh 2.4.6-9Dan Walsh 2.4.6-8Dan Walsh 2.4.6-7Dan Walsh 2.4.6-6Dan Walsh 2.4.6-5Dan Walsh 2.4.6-4Dan Walsh 2.4.6-3Dan Walsh 2.4.6-1Dan Walsh 2.4.5-4Dan Walsh 2.4.5-3Dan Walsh 2.4.5-2Dan Walsh 2.4.5-1Dan Walsh 2.4.4-2Dan Walsh 2.4.4-2Dan Walsh 2.4.4-1Dan Walsh 2.4.3-13Dan Walsh 2.4.3-12Dan Walsh 2.4.3-11Dan Walsh 2.4.3-10Dan Walsh 2.4.3-9Dan Walsh 2.4.3-8Dan Walsh 2.4.3-7Dan Walsh 2.4.3-6Dan Walsh 2.4.3-5Dan Walsh 2.4.3-4Dan Walsh 2.4.3-3Dan Walsh 2.4.3-2Dan Walsh 2.4.3-1Dan Walsh 2.4.2-8Dan Walsh 2.4.2-7James Antill 2.4.2-6Dan Walsh 2.4.2-5Dan Walsh 2.4.2-4Dan Walsh 2.4.2-3Dan Walsh 2.4.2-2Dan Walsh 2.4.2-1Dan Walsh 2.4.1-5Dan Walsh 2.4.1-4Dan Walsh 2.4.1-3Dan Walsh 2.4.1-2Dan Walsh 2.4-4Dan Walsh 2.4-3Dan Walsh 2.4-2Dan Walsh 2.4-1Dan Walsh 2.3.19-4Dan Walsh 2.3.19-3Dan Walsh 2.3.19-2Dan Walsh 2.3.19-1James Antill 2.3.18-10James Antill 2.3.18-9Dan Walsh 2.3.18-8Dan Walsh 2.3.18-7Dan Walsh 2.3.18-6Dan Walsh 2.3.18-5Dan Walsh 2.3.18-4Dan Walsh 2.3.18-3Dan Walsh 2.3.18-2Dan Walsh 2.3.18-1Dan Walsh 2.3.17-2Dan Walsh 2.3.17-1Dan Walsh 2.3.16-9Dan Walsh 2.3.16-8Dan Walsh 2.3.16-7Dan Walsh 2.3.16-6Dan Walsh 2.3.16-5Dan Walsh 2.3.16-4Dan Walsh 2.3.16-2Dan Walsh 2.3.16-1Dan Walsh 2.3.15-2Dan Walsh 2.3.15-1Dan Walsh 2.3.14-8Dan Walsh 2.3.14-7Dan Walsh 2.3.14-6Dan Walsh 2.3.14-4Dan Walsh 2.3.14-3Dan Walsh 2.3.14-2Dan Walsh 2.3.14-1Dan Walsh 2.3.13-6Dan Walsh 2.3.13-5Dan Walsh 2.3.13-4Dan Walsh 2.3.13-3Dan Walsh 2.3.13-2Dan Walsh 2.3.13-1Dan Walsh 2.3.12-2Dan Walsh 2.3.12-1Dan Walsh 2.3.11-1Dan Walsh 2.3.10-7Dan Walsh 2.3.10-6Dan Walsh 2.3.10-3Dan Walsh 2.3.10-1Dan Walsh 2.3.9-6Dan Walsh 2.3.9-5Dan Walsh 2.3.9-4Dan Walsh 2.3.9-3Dan Walsh 2.3.9-2Dan Walsh 2.3.9-1Dan Walsh 2.3.8-2Dan Walsh 2.3.7-1Dan Walsh 2.3.6-4Dan Walsh 2.3.6-3Dan Walsh 2.3.6-2Dan Walsh 2.3.6-1Dan Walsh 2.3.5-1Dan Walsh 2.3.4-1Dan Walsh 2.3.3-20Dan Walsh 2.3.3-19Dan Walsh 2.3.3-18Dan Walsh 2.3.3-17Dan Walsh 2.3.3-16Dan Walsh 2.3.3-15Dan Walsh 2.3.3-14Dan Walsh 2.3.3-13Dan Walsh 2.3.3-12Dan Walsh 2.3.3-11Dan Walsh 2.3.3-10Dan Walsh 2.3.3-9Dan Walsh 2.3.3-8Dan Walsh 2.3.3-7Dan Walsh 2.3.3-6Dan Walsh 2.3.3-5Dan Walsh 2.3.3-4Dan Walsh 2.3.3-3Dan Walsh 2.3.3-2Dan Walsh 2.3.3-1Dan Walsh 2.3.2-4Dan Walsh 2.3.2-3Dan Walsh 2.3.2-2Dan Walsh 2.3.2-1Dan Walsh 2.3.1-1Dan Walsh 2.2.49-1Dan Walsh 2.2.48-1Dan Walsh 2.2.47-5Dan Walsh 2.2.47-4Dan Walsh 2.2.47-3Dan Walsh 2.2.47-1Dan Walsh 2.2.46-2Dan Walsh 2.2.46-1Dan Walsh 2.2.45-3Dan Walsh 2.2.45-2Dan Walsh 2.2.45-1Dan Walsh 2.2.44-1Dan Walsh 2.2.43-4Dan Walsh 2.2.43-3Dan Walsh 2.2.43-2Dan Walsh 2.2.43-1Dan Walsh 2.2.42-4Dan Walsh 2.2.42-3Dan Walsh 2.2.42-2Dan Walsh 2.2.42-1Dan Walsh 2.2.41-1Dan Walsh 2.2.40-2Dan Walsh 2.2.40-1Dan Walsh 2.2.39-2Dan Walsh 2.2.39-1Dan Walsh 2.2.38-6Dan Walsh 2.2.38-5Dan Walsh 2.2.38-4Dan Walsh 2.2.38-3Dan Walsh 2.2.38-2Dan Walsh 2.2.38-1Dan Walsh 2.2.37-1Dan Walsh 2.2.36-2Dan Walsh 2.2.36-1James Antill 2.2.35-2Dan Walsh 2.2.35-1Dan Walsh 2.2.34-3Dan Walsh 2.2.34-2Dan Walsh 2.2.34-1Dan Walsh 2.2.33-1Dan Walsh 2.2.32-2Dan Walsh 2.2.32-1Dan Walsh 2.2.31-1Dan Walsh 2.2.30-2Dan Walsh 2.2.30-1Dan Walsh 2.2.29-6Russell Coker 2.2.29-5Dan Walsh 2.2.29-4Dan Walsh 2.2.29-3Dan Walsh 2.2.29-2Dan Walsh 2.2.29-1Dan Walsh 2.2.28-3Dan Walsh 2.2.28-2Dan Walsh 2.2.28-1Dan Walsh 2.2.27-1Dan Walsh 2.2.25-3Dan Walsh 2.2.25-2Dan Walsh 2.2.24-1Dan Walsh 2.2.23-19Dan Walsh 2.2.23-18Dan Walsh 2.2.23-17Karsten Hopp 2.2.23-16Dan Walsh 2.2.23-15Dan Walsh 2.2.23-14Dan Walsh 2.2.23-13Dan Walsh 2.2.23-12Jeremy Katz - 2.2.23-11Jeremy Katz - 2.2.23-10Dan Walsh 2.2.23-9Dan Walsh 2.2.23-8Dan Walsh 2.2.23-7Dan Walsh 2.2.23-5Dan Walsh 2.2.23-4Dan Walsh 2.2.23-3Dan Walsh 2.2.23-2Dan Walsh 2.2.23-1Dan Walsh 2.2.22-2Dan Walsh 2.2.22-1Dan Walsh 2.2.21-9Dan Walsh 2.2.21-8Dan Walsh 2.2.21-7Dan Walsh 2.2.21-6Dan Walsh 2.2.21-5Dan Walsh 2.2.21-4Dan Walsh 2.2.21-3Dan Walsh 2.2.21-2Dan Walsh 2.2.21-1Dan Walsh 2.2.20-1Dan Walsh 2.2.19-2Dan Walsh 2.2.19-1Dan Walsh 2.2.18-2Dan Walsh 2.2.18-1Dan Walsh 2.2.17-2Dan Walsh 2.2.16-1Dan Walsh 2.2.15-4Dan Walsh 2.2.15-3Dan Walsh 2.2.15-1Dan Walsh 2.2.14-2Dan Walsh 2.2.14-1Dan Walsh 2.2.13-1Dan Walsh 2.2.12-1Dan Walsh 2.2.11-2Dan Walsh 2.2.11-1Dan Walsh 2.2.10-1Dan Walsh 2.2.9-2Dan Walsh 2.2.9-1Dan Walsh 2.2.8-2Dan Walsh 2.2.7-1Dan Walsh 2.2.6-3Dan Walsh 2.2.6-2Dan Walsh 2.2.6-1Dan Walsh 2.2.5-1Dan Walsh 2.2.4-1Dan Walsh 2.2.3-1Dan Walsh 2.2.2-1Dan Walsh 2.2.1-1Dan Walsh 2.1.13-1Dan Walsh 2.1.12-3Dan Walsh 2.1.11-1Dan Walsh 2.1.10-1Jeremy Katz - 2.1.9-2Dan Walsh 2.1.9-1Dan Walsh 2.1.8-3Dan Walsh 2.1.8-2Dan Walsh 2.1.8-1Dan Walsh 2.1.7-4Dan Walsh 2.1.7-3Dan Walsh 2.1.7-2Dan Walsh 2.1.7-1Dan Walsh 2.1.6-24Dan Walsh 2.1.6-23Dan Walsh 2.1.6-22Dan Walsh 2.1.6-21Dan Walsh 2.1.6-20Dan Walsh 2.1.6-18Dan Walsh 2.1.6-17Dan Walsh 2.1.6-16Dan Walsh 2.1.6-15Dan Walsh 2.1.6-14Dan Walsh 2.1.6-13Dan Walsh 2.1.6-11Dan Walsh 2.1.6-10Dan Walsh 2.1.6-9Dan Walsh 2.1.6-8Dan Walsh 2.1.6-5Dan Walsh 2.1.6-4Dan Walsh 2.1.6-3Dan Walsh 2.1.6-2Dan Walsh 2.1.6-1Dan Walsh 2.1.4-2Dan Walsh 2.1.4-1Dan Walsh 2.1.3-1Jeremy Katz - 2.1.2-3Dan Walsh 2.1.2-2Dan Walsh 2.1.2-1Dan Walsh 2.1.1-3Dan Walsh 2.1.1-2Dan Walsh 2.1.1-1Dan Walsh 2.1.0-3Dan Walsh 2.1.0-2.Dan Walsh 2.1.0-1.Dan Walsh 2.0.11-2.Dan Walsh 2.0.11-1.Dan Walsh 2.0.9-1.Dan Walsh 2.0.8-1.Dan Walsh 2.0.7-3Dan Walsh 2.0.7-2Dan Walsh 2.0.6-2Dan Walsh 2.0.5-4Dan Walsh 2.0.5-1Dan Walsh 2.0.4-1Dan Walsh 2.0.2-2Dan Walsh 2.0.2-1Dan Walsh 2.0.1-2Dan Walsh 2.0.1-1- Allow virtlogd_t domain to chat via dbus with systemd_logind Resolves: rhbz#1593740- Allow virtlogd_t domain to write inhibit systemd pipes. Resolves: rhbz#1596730- Allow certmonger to sends emails Resolves: rhbz#1588363- Allow snapperd_t domain to unmount fs_t filesystems Resolves: rhbz#1561424- Allow snapperd_t to set priority for kernel processes Resolves: rhbz#1558656- Backport several changes for snapperdfrom Fedora Rawhide Resolves: rhbz#1558656- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. Resolves: rhbz#1546721- Allow openvswitch_t stream connect svirt_t Resolves: rhbz#1540702- Allow openvswitch domain to manage svirt_tmp_t sock files Resolves: rhbz#1540702 - Fix broken systemd_tmpfiles_run() interface- Allow dirsrv_t domain to create tmp link files Resolves: rhbz#1536011 - Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t Resolves: rhbz#1428568 - Allow ipsec_mgmt_t execute ifconfig_exec_t binaries - Allow ipsec_mgmt_t nnp domain transition to ifconfig_t Resolves: rhbz#1539416- Allow svirt_domain to create socket files in /tmp with label svirt_tmp_t Resolves: rhbz#1540702 - Allow keepalived_t domain getattr proc filesystem Resolves: rhbz#1477542 - Rename svirt_sandbox_file_t to container_file_t and svirt_lxc_net_t to container_t Resolves: rhbz#1538544 - Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t Resolves: rhbz:#1539416 - Allow systemd_logind_t domain to bind on dhcpd_port_t,pki_ca_port_t,flash_port_t Resolves: rhbz#1479350- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets Resolves: rhbz#1535196 - Add new interface ppp_filetrans_named_content() Resolves: rhbz#1530601 - Allow keepalived_t read sysctl_net_t files Resolves: rhbz#1477542 - Allow puppetmaster_t domtran to puppetagent_t Resolves: rhbz#1376893 - Allow kdump_t domain to read kernel ring buffer Resolves: rhbz#1540004 - Allow ipsec_t domain to exec ifconfig_exec_t binaries. Resolves: rhbz#1539416 - Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock Resolves: rhbz#1530601 - Allow updpwd_t domain to create files in /etc with shadow_t label Resolves: rhbz#1412838 - Allow iptables sysctl load list support with SELinux enforced Resolves: rhbz#1535572- Allow virt_domains to acces infiniband pkeys. Resolves: rhbz#1533183 - Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t Resolves: rhbz#1535133 - Allow audisp_remote_t domain write to files on all levels Resolves: rhbz#1534924- Allow vmtools_t domain creating vmware_log_t files Resolves: rhbz#1507048 - Allow openvswitch_t domain to acces infiniband devices Resolves: rhbz#1532705- Allow chronyc_t domain to manage chronyd_keys_t files. Resolves: rhbz#1530525 - Make virtlog_t domain system dbus client Resolves: rhbz#1481109 - Update openvswitch SELinux module Resolves: rhbz#1482682 - Allow virtd_t to create also sock_files with label virt_var_run_t Resolves: rhbz#1484075- Allow domains that manage logfiles to man logdirs Resolves: rhbz#1523811- Label /dev/drm_dp_aux* as xserver_misc_device_t Resolves: rhbz#1520897 - Allow sysadm_t to run puppet_exec_t binaries as puppet_t Resolves: rhbz#1255745- Allow tomcat_t to manage pki_tomcat pid files Resolves: rhbz#1478371 - networkmanager: allow talking to openvswitch Resolves: rhbz#1517247 - Allow networkmanager_t and opensm_t to manage subned endports for IPoIB VLANs Resolves: rhbz#1517895 - Allow domains networkmanager_t and opensm_t to control IPoIB VLANs Resolves: rhbz#1517744 - Fix typo in guest interface file Resolves: rhbz#1468254 - Allow isnsd_t domain to accept tcp connections. Resolves: rhbz#1390208- Allow getty to use usbttys Resolves: rhbz#1514235- Allow ldap_t domain to manage also slapd_tmp_t lnk files Resolves: rhbz#1510883 - Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t Resolves: rhbz:#1508360 - Add dac_read_search and dac_override capabilities to ganesha Resolves: rhbz#1483451- Add dependency for policycoreutils-2.5.18 becuase of new cgroup_seclabel policy capability Resolves: rhbz#1510145- Allow jabber domains to connect to postgresql ports Resolves: rhbz#1438489 - Dontaudit accountsd domain creating dirs in /root Resolves: rhbz#1456760 - Dontaudit slapd_t to block suspend system Resolves: rhbz: #1479759 - Allow spamc_t to stream connect to cyrus. Resolves: rhbz#1382955 - allow imapd to read /proc/net/unix file Resolves: rhbz#1393030 - Allow passenger to connect to mysqld_port_t Resolves: rhbz#1433464- Allow chronyc_t domain to use user_ptys Resolves: rhbz#1470150 - allow ptp4l to read /proc/net/unix file - Allow conmand to use usb ttys. Resolves: rhbz#1505121 - Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst Resolves: rhbz#1505845 - Allow chronyd daemon to execute chronyc. Resolves: rhbz#1508486 - Allow firewalld exec ldconfig. Resolves: rhbz#1375576 - Allow mozilla_plugin_t domain to dbus chat with devicekit Resolves: rhbz#1460477 - Dontaudit leaked logwatch pipes Resolves: rhbz#1450119 - Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. Resolves: rhbz#1507048 - Allow httpd_t domain to execute hugetlbfs_t files Resolves: rhbz#1507682 - Allow nfsd_t domain to read configfs_t files/dirs Resolves: rhbz#1439442 - Hide all allow rules with ptrace inside deny_ptrace boolean Resolves: rhbz#1421075 - Allow tgtd_t domain to read generic certs Resolves: rhbz#1438532 - Allow ptp4l to send msgs via dgram socket to unprivileged user domains Resolves: rhbz#1429853 - Allow dirsrv_snmp_t to use inherited user ptys and read system state Resolves: rhbz#1428568 - Allow glusterd_t domain to create own tmpfs dirs/files Resolves: rhbz#1411310 - Allow keepalived stream connect to snmp Resolves: rhbz#1401556 - After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy Resolves: rhbz#1507089- Allow pegasus_openlmi_services_t to read generic certs Resolves: rhbz#1462292 - Allow ganesha_t domain to read random device Resolves: rhbz#1494382 - Allow zabbix_t domain to change its resource limits Resolves: rhbz:#1504074 - Add new boolean nagios_use_nfs Resolves: rhbz#1504826 - Allow system_mail_t to search network sysctls Resolves: rhbz#1505779 - Add samba_manage_var_dirs() interface - Fix typo bug in virt filecontext file - Allow nagios_script_t to read nagios_spool_t files Resolves: rhbz#1426824 - Allow samba to manage var dirs/files Resolves: rhbz#1415088 - Allow sbd_t to create own sbd_tmpfs_t dirs/files Resolves: rhbz#1380795 - Allow firewalld and networkmanager to chat with hypervkvp via dbus Resolves: rhbz#1377276 - Allow dmidecode to read rhsmcert_log_t files Resolves: rhbz#1300799 - Allow mail system to connect mariadb sockets. Resolves: rhbz#1368642 - Allow logrotate_t to change passwd and reloead services Resolves: rhbz#1450789 - Allow mail system to connect mariadb sockets. Resolves: rhbz#1368642 - Allow logrotate_t to change passwd and reloead services Resolves: rhbz#1450789 - Allow pegasus_openlmi_services_t to read generic certs Resolves: rhbz#1462292 - Allow ganesha_t domain to read random device Resolves: rhbz#1494382 - Allow zabbix_t domain to change its resource limits Resolves: rhbz:#1504074 - Add new boolean nagios_use_nfs Resolves: rhbz#1504826 - Allow system_mail_t to search network sysctls Resolves: rhbz#1505779 - Add samba_manage_var_dirs() interface - Fix typo bug in virt filecontext file - Allow nagios_script_t to read nagios_spool_t files Resolves: rhbz#1426824 - Allow samba to manage var dirs/files Resolves: rhbz#1415088 - Allow sbd_t to create own sbd_tmpfs_t dirs/files Resolves: rhbz#1380795 - Allow firewalld and networkmanager to chat with hypervkvp via dbus Resolves: rhbz#1377276 - Allow dmidecode to read rhsmcert_log_t files Resolves: rhbz#1300799 - Allow mail system to connect mariadb sockets. Resolves: rhbz#1368642 - Allow logrotate_t to change passwd and reloead services Resolves: rhbz#1450789 - Allow chronyd_t do request kernel module and block_suspend capability Resolves: rhbz#1350765 - Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label Resolves: rhbz#1447278 - Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables Resolves: rhbz#1491994 - Allow svnserve to use kerberos Resolves: rhbz#1475271 - Allow conman to use ptmx. Add conman_use_nfs boolean Resolves: rhbz#1377915 - Add nnp transition for services using: NoNewPrivileges systemd security feature Resolves: rhbz#1311430 - Add SELinux support for chronyc Resolves: rhbz#1470150 - Add dac_read_search capability to openvswitch_t domain Resolves: rhbz#1501336 - Allow svnserve to manage own svnserve_log_t files/dirs Resolves: rhbz#1480741 - Allow keepalived_t to search network sysctls Resolves: rhbz#1477542 - Allow puppetagent_t domain dbus chat with rhsmcertd_t domain Resolves: rhbz#1446777 - Add dccp_socket into socker_class_set subset Resolves: rhbz#1459941 - Allow iptables_t to run setfiles to restore context on system Resolves: rhbz#1489118 - Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t Resolves: rhbz:#1411400 - Make nnp transition Active Resolves: rhbz#1480518 - Label tcp 51954 as isns_port_t Resolves: rhbz#1390208 - Add dac_read_search capability chkpwd_t Resolves: rhbz#1376991 - Add support for running certbot(letsencrypt) in crontab Resolves: rhbz#1447278 - Add init_nnp_daemon_domain interface - Allow xdm_t to gettattr /dev/loop-control device Resolves: rhbz#1462925 - Allow nnp trasintion for unconfined_service_t Resolves: rhbz#1311430 - Allow unpriv user domains and unconfined_service_t to use chronyc Resolves: rhbz#1470150 - Allow iptables to exec plymouth. Resolves: rhbz#1480374 - Fix typo in fs_unmount_tracefs interface. Resolves: rhbz#1371057 - Label postgresql-check-db-dir as postgresql_exec_t Resolves: rhbz#1490956- We should not ship selinux-policy with permissivedomains enabled. Resolves: rhbz#1494172 - Fix order of installing selinux-policy-sandbox, because of depedencied in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandbox Resolves: rhbz#1492606- Allow tomcat to setsched Resolves: rhbz#1492730 - Fix rules blocking ipa-server upgrade process Resolves: rhbz#1478371 - Add new boolean tomcat_read_rpm_db() Resolves: rhbz#1477887 - Allow tomcat to connect on mysqld tcp ports - Add ctdbd_t domain sys_source capability and allow setrlimit Resolves: rhbz#1491235 - Fix keepalived SELinux module - Allow automount domain to manage mount pid files Resolves: rhbz#1482381 - Allow stunnel_t domain setsched Resolves: rhbz#1479383 - Add keepalived domain setpgid capability Resolves: rhbz#1486638 - Allow tomcat domain to connect to mssql port Resolves: rhbz#1484572 - Remove snapperd_t from unconfined domaines Resolves: rhbz#1365555 - Fix typo bug in apache module Resolves: rhbz#1397311 - Dontaudit that system_mail_t is trying to read /root/ files Resolves: rhbz#1147945 - Make working webadm_t userdomain Resolves: rhbz#1323792 - Allow redis domain to execute shell scripts. Resolves: rhbz#1421326 - Allow system_cronjob_t to create redhat-access-insights.log with var_log_t Resolves: rhbz#1473303 - Add couple capabilities to keepalived domain and allow get attributes of all domains Resolves: rhbz#1429327 - Allow dmidecode read rhsmcertd lock files Resolves: rhbz#1300799 - Add new interface rhsmcertd_rw_lock_files() Resolves: rhbz#1300799 - Label all plymouthd archives as plymouthd_var_log_t Resolves: rhbz#1478323 - Allow cloud_init_t to dbus chat with systemd_timedated_t Resolves: rhbz#1440730 - Allow logrotate_t to write to kmsg Resolves: rhbz#1397744 - Add capability kill to rhsmcertd_t Resolves: rhbz#1398338 - Disable mysqld_safe_t secure mode environment cleansing. Resolves: rhbz#1464063 - Allow winbind to manage smbd_tmp_t files Resolves: rhbz#1475566 - Dontaudit that system_mail_t is trying to read /root/ files Resolves: rhbz#1147945 - Make working webadm_t userdomain Resolves: rhbz#1323792 - Allow redis domain to execute shell scripts. Resolves: rhbz#1421326 - Allow system_cronjob_t to create redhat-access-insights.log with var_log_t Resolves: rhbz#1473303 - Add couple capabilities to keepalived domain and allow get attributes of all domains Resolves: rhbz#1429327 - Allow dmidecode read rhsmcertd lock files Resolves: rhbz#1300799 - Add new interface rhsmcertd_rw_lock_files() Resolves: rhbz#1300799 - Label all plymouthd archives as plymouthd_var_log_t Resolves: rhbz#1478323 - Allow cloud_init_t to dbus chat with systemd_timedated_t Resolves: rhbz#1440730 - Allow logrotate_t to write to kmsg Resolves: rhbz#1397744 - Add capability kill to rhsmcertd_t Resolves: rhbz#1398338 - Disable mysqld_safe_t secure mode environment cleansing. Resolves: rhbz#1464063 - Allow winbind to manage smbd_tmp_t files Resolves: rhbz#1475566 - Add interface systemd_tmpfiles_run - End of file cannot be in comment - Allow systemd-logind to use ypbind Resolves: rhbz#1479350 - Add creating opasswd file with shadow_t SELinux label in auth_manage_shadow() interface Resolves: rhbz#1412838 - Allow sysctl_irq_t assciate with proc_t Resolves: rhbz#1485909 - Enable cgourp sec labeling Resolves: rhbz#1485947 - Add cgroup_seclabel policycap. Resolves: rhbz#1485947 - Allow sshd_t domain to send signull to xdm_t processes Resolves: rhbz#1448959 - Allow updpwd_t domain auth file name trans Resolves: rhbz#1412838 - Allow sysadm user to run systemd-tmpfiles Resolves: rbhz#1325364 - Add support labeling for vmci and vsock device Resolves: rhbz#1451358 - Add userdom_dontaudit_manage_admin_files() interface Resolves: rhbz#1323792 - Allow iptables_t domain to read files with modules_conf_t label Resolves: rhbz#1373220 - init: Add NoNewPerms support for systemd. Resolves: rhbz#1480518 - Add nnp_nosuid_transition policycap and related class/perm definitions. Resolves: rhbz#1480518 - refpolicy: Infiniband pkeys and endports Resolves: rhbz#1464484- Allow certmonger using systemctl on pki_tomcat unit files Resolves: rhbz#1481388- Allow targetd_t to create own tmp files. - Dontaudit targetd_t to exec rpm binary file. Resolves: rhbz#1373860 Resolves: rhbz#1424621- Add few rules to make working targetd daemon with SELinux Resolves: rhbz#1373860 - Allow ipmievd_t domain to load kernel modules Resolves: rhbz#1441081 - Allow logrotate to reload transient systemd unit Resolves: rhbz#1440515 - Add certwatch_t domain dac_override and dac_read_search capabilities Resolves: rhbz#1422000 - Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain Resolves: rhbz#1412072 - Allow nscd_t domain to search network sysctls Resolves: rhbz#1432361 - Allow iscsid_t domain to read mount pid files Resolves: rhbz#1482097 - Allow ksmtuned_t domain manage sysfs_t files/dirs Resolves: rhbz#1413865 - Allow keepalived_t domain domtrans into iptables_t Resolves: rhbz#1477719 - Allow rshd_t domain reads net sysctls Resolves: rhbz#1477908 - Add interface seutil_dontaudit_read_module_store() - Update interface lvm_rw_pipes() by adding also open permission - Label /dev/clp device as vfio_device_t Resolves: rhbz#1477624 - Allow ifconfig_t domain unmount fs_t Resolves: rhbz#1477445 - Label /dev/gpiochip* devices as gpio_device_t Resolves: rhbz#1477618 - Add interface dev_manage_sysfs() Resolves: rhbz#1474989- Label /usr/libexec/sudo/sesh as shell_exec_t Resolves: rhbz#1480791- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc Resolves: rhbz#1470735- Allow llpdad send dgram to libvirt Resolves: rhbz#1472722- Add new boolean gluster_use_execmem Resolves: rhbz#1469027 - Allow cluster_t and glusterd_t domains to dbus chat with ganesha service Resolves: rhbz#1468581- Dontaudit staff_t user read admin_home_t files. Resolves: rhbz#1290633- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode Resolves: rhbz#1424621 - Add interface lvm_manage_metadata Resolves: rhbz#1424621- Allow sssd_t to read realmd lib files. Resolves: rhbz#1436689 - Add permission open to files_read_inherited_tmp_files() interface Resolves: rhbz#1290633 Resolves: rhbz#1457106- Allow unconfined_t user all user namespace capabilties. Resolves: rhbz#1461488- Allow httpd_t to read realmd_var_lib_t files Resolves: rhbz#1436689- Allow named_t to bind on udp 4321 port Resolves: rhbz#1312972 - Allow systemd-sysctl cap. sys_ptrace Resolves: rhbz#1458999- Allow pki_tomcat_t execute ldconfig. Resolves: rhbz#1436689- Allow iscsi domain load kernel module. Resolves: rhbz#1457874 - Allow keepalived domain connect to squid tcp port Resolves: rhbz#1457455 - Allow krb5kdc_t domain read realmd lib files. Resolves: rhbz#1436689 - xdm_t should view kernel keys Resolves: rhbz#1432645- Allow tomcat to connect on all unreserved ports - Allow ganesha to connect to all rpc ports Resolves: rhbz#1448090 - Update ganesha with another fixes. Resolves: rhbz#1448090 - Update rpc_read_nfs_state_data() interface to allow read also lnk_files. Resolves: rhbz#1448090 - virt_use_glusterd boolean should be in optional block Update ganesha module to allow create tmp files Resolves: rhbz#1448090 - Hide broken symptoms when machine is configured with network bounding.- Add new boolean virt_use_glusterd Resolves: rhbz#1455994 - Add capability sys_boot for sbd_t domain - Allow sbd_t domain to create rpc sysctls. Resolves: rhbz#1455631 - Allow ganesha_t domain to manage glusterd_var_run_t pid files. Resolves: rhbz#1448090- Create new interface: glusterd_read_lib_files() - Allow ganesha read glusterd lib files. - Allow ganesha read network sysctls Resolves: rhbz#1448090- Add few allow rules to ganesha module Resolves: rhbz#1448090 - Allow condor_master_t to read sysctls. Resolves: rhbz#1277506 - Add dac_override cap to ctdbd_t domain Resolves: rhbz#1435708 - Label 8750 tcp/udp port as dey_keyneg_port_t Resolves: rhbz#1448090- Add ganesha_use_fusefs boolean. Resolves: rhbz#1448090- Allow httpd_t reading kerberos kdc config files Resolves: rhbz#1452215 - Allow tomcat_t domain connect to ibm_dt_2 tcp port. Resolves: rhbz#1447436 - Allow stream connect to initrc_t domains Resolves: rhbz#1447436 - Allow dnsmasq_t domain to read systemd-resolved pid files. Resolves: rhbz#1453114 - Allow tomcat domain name_bind on tcp bctp_port_t Resolves: rhbz#1451757 - Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process. Resolves: rhbz#1447669 - Allow condor_master_t write to sysctl_net_t Resolves: rhbz#1277506 - Allow nagios check disk plugin read /sys/kernel/config/ Resolves: rhbz#1277718 - Allow pcp_pmie_t domain execute systemctl binary Resolves: rhbz#1271998 - Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl Resolves: rhbz#1247635 - Label tcp/udp port 1792 as ibm_dt_2_port_t Resolves: rhbz#1447436 - Add interface fs_read_configfs_dirs() - Add interface fs_read_configfs_files() - Fix systemd_resolved_read_pid interface - Add interface systemd_resolved_read_pid() Resolves: rhbz#1453114 - Allow sshd_net_t domain read/write into crypto devices Resolves: rhbz#1452759 - Label 8999 tcp/udp as bctp_port_t Resolves: rhbz#1451757- nmbd_t needs net_admin capability like smbd Resolves: rhbz#1431859 - Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t Resolves: rhbz#1431859 - Allow rngd domain read sysfs_t Resolves: rhbz#1451735 - Add interface pki_manage_common_files() Resolves: rhbz#1447436 - Allow tomcat_t domain to manage pki_common_t files and dirs Resolves: rhbz#1447436 - Use stricter fc rules for sssd sockets in /var/run Resolves: rhbz#1448060 - Allow certmonger reads httpd_config_t files Resolves: rhbz#1436689 - Allow keepalived_t domain creating netlink_netfilter_socket. Resolves: rhbz#1451684 - Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. Resolves: rhbz#1451318 - Make able deply overcloud via neutron_t to label nsfs as fs_t Resolves: rhbz#1373321- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. Resolves: rhbz#1451318 - Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/ Resolves: rhbz#1448056 Resolves: rhbz#1448060 - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls Resolves: rhbz#1450819 - Make able deply overcloud via neutron_t to label nsfs as fs_t Resolves: rhbz#1373321 - Allow netutils setpcap capability Resolves:1444438- Update targetd policy to accommodate changes in the service Resolves: rhbz#1424621 - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls Resolves: rhbz#1450819 - Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options. Resolves: rhbz#1415841 - Allow radius domain stream connec to postgresql Resolves: rhbz#1446145 - Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit Resolves: rhbz#1449977 - Allow glusterd_t domain start ganesha service Resolves: rhbz#1448090 - Made few cosmetic changes in sssd SELinux module Resolves: rhbz#1448060 - sssd-kcm should not run as unconfined_service_t BZ(1447411) Resolves: rhbz#1448060 - Add sssd_secrets labeling Also add named_filetrans interface to make sure all labels are correct Resolves: rhbz#1448056 - Allow keepalived_t domain read usermodehelper_t Resolves: rhbz#1449769 - Allow tomcat_t domain read pki_common_t files Resolves: rhbz#1447436 - Add interface pki_read_common_files() Resolves: rhbz#1447436- Allow hypervkvp_t domain execute hostname Resolves: rhbz#1449064 - Dontaudit sssd_selinux_manager_t use of net_admin capability Resolves: rhbz#1444955 - Allow tomcat_t stream connect to pki_common_t Resolves: rhbz#1447436 - Dontaudit xguest_t's attempts to listen to its tcp_socket - Allow sssd_selinux_manager_t to ioctl init_t sockets Resolves: rhbz#1436689 - Allow _su_t to create netlink_selinux_socket Resolves rhbz#1146987 - Allow unconfined_t to module_load any file Resolves rhbz#1442994- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type. Resolves: rhbz#1436689- Allow pki_tomcat_t domain read /etc/passwd. Resolves: rhbz#1436689 - Allow tomcat_t domain read ipa_tmp_t files Resolves: rhbz#1436689 - Label new path for ipa-otpd Resolves: rhbz#1446353 - Allow radiusd_t domain stream connect to postgresql_t Resolves: rhbz#1446145 - Allow rhsmcertd_t to execute hostname_exec_t binaries. Resolves: rhbz#1445494 - Allow virtlogd to append nfs_t files when virt_use_nfs=1 Resolves: rhbz#1402561- Update tomcat policy to adjust for removing unconfined_domain attr. Resolves: rhbz#1432083 - Allow httpd_t domain read also httpd_user_content_type lnk_files. Resolves: rhbz#1383621 - Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t Resolves: rhbz#1436689 - Dontaudit _gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t Resolves: rhbz#1425530 - Add interface ipa_filetrans_named_content() Resolves: rhbz#1432115 - Allow tomcat use nsswitch Resolves: rhbz#1436689 - Allow certmonger_t start/status generic services Resolves: rhbz#1436689 - Allow dirsrv read cgroup files. Resolves: rhbz#1436689 - Allow ganesha_t domain read/write infiniband devices. Resolves: rhbz#1383784 - Allow sendmail_t domain sysctl_net_t files Resolves: rhbz#1369376 - Allow targetd_t domain read network state and getattr on loop_control_device_t Resolves: rhbz#1373860 - Allow condor_schedd_t domain send mails. Resolves: rhbz#1277506 - Alow certmonger to create own systemd unit files. Resolves: rhbz#1436689 - Allow staff to systemctl virt server when staff_use_svirt=1 Resolves: rhbz#1415841 - Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context Resolves: rhbz#1432115 - Label /sysroot/ostree/deploy/rhel-atomic-host/* as root_t Resolves: rhbz#1428112- Alow certmonger to create own systemd unit files. Resolves: rhbz#1436689- Hide broken symptoms when using kernel 3.10.0-514+ with network bonding. Postfix_picup_t domain requires NET_ADMIN capability which is not really needed. Resolves: rhbz#1431859 - Fix policy to reflect all changes in new IPA release Resolves: rhbz#1432115 Resolves: rhbz#1436689- Allow sbd_t to read/write fixed disk devices Resolves: rhbz#1440165 - Add sys_ptrace capability to radiusd_t domain Resolves: rhbz#1426641 - Allow cockpit_session_t domain connects to ssh tcp ports. Resolves: rhbz#1413509- Update tomcat policy to make working ipa install process Resolves: rhbz#1436689- Allow pcp_pmcd_t net_admin capability. - Allow pcp_pmcd_t read net sysctls - Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t Resolves: rhbz#1336211- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383 - Update pki interfaces and tomcat module Resolves: rhbz#1436689- Update pki interfaces and tomcat module Resolves: rhbz#1436689- Dontaudit firewalld wants write to /root Resolves: rhbz#1438708 - Dontaudit firewalld to create dirs in /root/ Resolves: rhbz#1438708 - Allow sendmail to search network sysctls Resolves: rhbz#1369376 - Add interface gssd_noatsecure() Resolves: rhbz#1438036 - Add interface gssproxy_noatsecure() Resolves: rhbz#1438036 - Dontaudit pcp_pmlogger_t search for xserver logs. Allow pcp_pmlogger_t to send signals to unconfined doamins Allow pcp_pmlogger_t to send logs to journals Resolves: rhbz#1379371 - Allow chronyd_t net_admin capability to allow support HW timestamping. Resolves: rhbz#1416015 - Update tomcat policy Resolves: rhbz#1436689 Resolves: rhbz#1436383 - Allow certmonger to start haproxy service Resolves: rhbz#1349394 - Allow init noatsecure for gssd and gssproxy Resolves: rhbz#1438036- geoclue wants to dbus chat with avahi Resolves: rhbz#1434286 - Allow iptables get list of kernel modules Resolves: rhbz#1367520 - Allow unconfined_domain_type to enable/disable transient unit Resolves: rhbz#1337041 - Add interfaces init_enable_transient_unit() and init_disable_transient_unit - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" Resolves: rhbz#1435264 - Label sysroot dir under ostree as root_t Resolves: rhbz#1428112- Remove ganesha_t domain from permissive domains. Resolves: rhbz#1436988- Allow named_t domain bind on several udp ports Resolves: rhbz#1312972 - Update nscd_use() interface Resolves: rhbz#1281716 - Allow radius_t domain ptrace Resolves: rhbz#1426641 - Update nagios to allos exec systemctl Resolves: rhbz#1247635 - Update pcp SELinux module to reflect all pcp changes Resolves: rhbz#1271998 - Label /var/lib/ssl_db as squid_cache_t Label /etc/squid/ssl_db as squid_cache_t Resolves: rhbz#1325527 - Allow pcp_pmcd_t domain search for network sysctl Allow pcp_pmcd_t domain sys_ptrace capability Resolves: rhbz#1336211- Allow drbd load modules Resolves: rhbz#1134883 - Revert "Add sys_module capability for drbd Resolves: rhbz#1134883" - Allow stapserver list kernel modules Resolves: rhbz#1325976 - Update targetd policy Resolves: rhbz#1373860 - Add sys_admin capability to amanda Resolves: rhbz#1371561 - Allow hypervvssd_t to read all dirs. Resolves: rhbz#1331309 - Label /run/haproxy.sock socket as haproxy_var_run_t Resolves: rhbz#1386233 - Allow oddjob_mkhomedir_t to mamange autofs_t dirs. Resolves: rhbz#1408819 - Allow tomcat to connect on http_cache_port_t Resolves: rhbz#1432083 - Allow geoclue to send msgs to syslog. Resolves: rhbz#1434286 - Allow condor_master_t domain capability chown. Resolves: rhbz#1277506 - Update mta_filetrans_named_content() interface to allow calling domain create files labeled as etc_aliases_t in dir labeled as etc_mail_t. Resolves: rhbz#1167468 - Allow nova domain search for httpd configuration. Resolves: rhbz#1190761 - Add sys_module capability for drbd Resolves: rhbz#1134883 - Allow user_u users stream connect to dirsrv, Allow sysadm_u and staff_u users to manage dirsrv files Resolves: rhbz#1286474 - Allow systemd_networkd_t communicate with systemd_networkd_t via dbus Resolves: rhbz#1278010- Add haproxy_t domain fowner capability Resolves: rhbz#1386233 - Allow domain transition from ntpd_t to hwclock_t domains Resolves: rhbz#1375624 - Allow cockpit_session_t setrlimit and sys_resource Resolves: rhbz#1402316 - Dontaudit svirt_t read state of libvirtd domain Resolves: rhbz#1426106 - Update httpd and gssproxy modules to reflects latest changes in freeipa Resolves: rhbz#1432115 - Allow iptables read modules_conf_t Resolves: rhbz#1367520- Remove tomcat_t domain from unconfined domains Resolves: rhbz#1432083 - Create new boolean: sanlock_enable_home_dirs() Resolves: rhbz#1432783 - Allow mdadm_t domain to read/write nvme_device_t Resolves: rhbz#1431617 - Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content Resolves: rhbz#1383621 - Dontaudit domain to create any file in /proc. This is kernel bug. Resolves: rhbz#1412679 - Add interface dev_rw_nvme Resolves: rhbz#1431617- Allow gssproxy to get attributes on all filesystem object types. Resolves: rhbz#1430295 - Allow ganesha to chat with unconfined domains via dbus Resolves: rhbz#1426554 - add the policy required for nextcloud Resolves: rhbz#1425530 - Add nmbd_t capability2 block_suspend Resolves: rhbz#1425357 - Label /var/run/chrony as chronyd_var_run_t Resolves: rhbz#1416015 - Add domain transition from sosreport_t to iptables_t Resolves: rhbz#1359789 - Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd Resolves: rhbz:#1332803- Update rpm macros Resolves: rhbz#1380854- Add handling booleans via selinux-policy macros in custom policy spec files. Resolves: rhbz#1380854- Allow openvswitch to load kernel modules Resolves: rhbz#1405479- Allow openvswitch read script state. Resolves: rhbz#1405479- Update ganesha policy Resolves: rhbz#1426554 Resolves: rhbz#1383784 - Allow chronyd to read adjtime Resolves: rhbz#1416015 - Fixes for chrony version 2.2 Resolves: rhbz#1416015 - Add interface virt_rw_stream_sockets_svirt() Resolves: rhbz#1415841 - Label /dev/ss0 as gpfs_device_t Resolves: rhbz#1383784 - Allow staff to rw svirt unix stream sockets. Resolves: rhbz#1415841 - Label /rhev/data-center/mnt as mnt_t Resolves: rhbz#1408275 - Associate sysctl_rpc_t with proc filesystems Resolves: rhbz#1350927 - Add new boolean: domain_can_write_kmsg Resolves: rhbz#1415715- Allow rhsmcertd_t dbus chat with system_cronjob_t Resolves: rhbz#1405341 - Allow openvswitch exec hostname and readinitrc_t files Resolves: rhbz#1405479 - Improve SELinux context for mysql_db_t objects. Resolves: rhbz#1391521 - Allow postfix_postdrop to communicate with postfix_master via pipe. Resolves: rhbz#1379736 - Add radius_use_jit boolean Resolves: rhbz#1426205 - Label /var/lock/subsys/iptables as iptables_lock_t Resolves: rhbz#1405441 - Label /usr/lib64/erlang/erts-5.10.4/bin/epmd as lib_t Resolves: rhbz#1332803 - Allow can_load_kernmodule to load kernel modules. Resolves: rhbz#1423427 Resolves: rhbz#1424621- Allow nfsd_t domain to create sysctls_rpc_t files Resolves: rhbz#1405304 - Allow openvswitch to create netlink generic sockets. Resolves: rhbz#1397974 - Create kernel_create_rpc_sysctls() interface Resolves: rhbz#1405304- Allow nfsd_t domain rw sysctl_rpc_t dirs Resolves: rhbz#1405304 - Allow cgdcbxd_t to manage cgroup files. Resolves: rhbz#1358493 - Allow cmirrord_t domain to create netlink_connector sockets Resolves: rhbz#1412670 - Allow fcoemon to create netlink scsitransport sockets Resolves: rhbz#1362496 - Allow quota_nld_t create netlink_generic sockets Resolves: rhbz#1358679 - Allow cgred_t create netlink_connector sockets Resolves: rhbz#1376357 - Add dhcpd_t domain fowner capability Resolves: rhbz#1358485 - Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. Resolves: rhbz#1358478 - Rename docker module to container module Resolves: rhbz#1386916 - Allow setflies to mount tracefs Resolves: rhbz#1376357 - Allow iptables to read nsfs files. Resolves: rhbz#1411316 - Allow systemd_bootchart_t domain create dgram sockets. Resolves: rhbz#1365953 - Rename docker interfaces to container Resolves: rhbz#1386916- Allow initrc_t domain to run rhel-autorelabel script properly during boot process Resolves: rhbz#1379722 - Allow systemd_initctl_t to create and connect unix_dgram sockets Resolves: rhbz#1365947 - Allow ifconfig_t to mount/unmount nsfs_t filesystem Resolves: rhbz#1349814 - Add interfaces allowing mount/unmount nsfs_t filesystem Resolves: rhbz#1349814- Add interface init_stream_connectto() Resolves:rhbz#1365947 - Allow rhsmcertd domain signull kernel. Resolves: rhbz#1379781 - Allow kdumpgui domain to read nvme device - Allow insmod_t to load kernel modules Resolves: rhbz#1421598 - Add interface files_load_kernel_modules() Resolves: rhbz#1421598 - Add SELinux support for systemd-initctl daemon Resolves:rhbz#1365947 - Add SELinux support for systemd-bootchart Resolves: rhbz#1365953- Allow firewalld to getattr open search read modules_object_t:dir Resolves: rhbz#1418391 - Fix label for nagios plugins in nagios file conxtext file Resolves: rhbz#1277718 - Add sys_ptrace capability to pegasus domain Resolves: rhbz#1381238 - Allow sssd_t domain setpgid Resolves:rhbz#1416780 - After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. Resolves: rhbz#1350927 - Allow kdumpgui domain to read nvme device Resolves: rhbz#1415084 - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add user namespace capability object classes. Resolves: rhbz#1368057 - Add module_load permission to class system Resolves:rhbz#1368057 - Add the validate_trans access vector to the security class Resolves: rhbz#1368057 - Add "binder" security class and access vectors Resolves: rhbz#1368057 - Allow ifconfig_t domain read nsfs_t Resolves: rhbz#1349814 - Allow ping_t domain to load kernel modules. Resolves: rhbz#1388363- Allow systemd container to read/write usermodehelperstate Resolves: rhbz#1403254 - Label udp ports in range 24007-24027 as gluster_port_t Resolves: rhbz#1404152- Allow glusterd_t to bind on glusterd_port_t udp ports. Resolves: rhbz#1404152 - Revert: Allow glusterd_t to bind on med_tlp port.- Allow glusterd_t to bind on med_tlp port. Resolves: rhbz#1404152 - Update ctdbd_t policy to reflect all changes. Resolves: rhbz#1402451 - Label tcp port 24009 as med_tlp_port_t Resolves: rhbz#1404152 - Issue appears during update directly from RHEL-7.0 to RHEL-7.3 or above. Modules pkcsslotd and vbetools missing in selinux-policy package for RHEL-7.3 which causing warnings during SELinux policy store migration process. Following patch fixes issue by skipping pkcsslotd and vbetools modules migration.- Allow ctdbd_t domain transition to rpcd_t Resolves:rhbz#1402451- Fixes for containers Allow containers to attempt to write to unix_sysctls. Allow cotainers to use the FD's leaked to them from parent processes. Resolves: rhbz#1403254- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t Resolves: rhbz#1404152 - Allow systemd to stop glusterd_t domains. Resolves: rhbz#1400493- Make working CTDB:NFS: CTDB failover from selinux-policy POV Resolves: rhbz#1402451- Add kdump_t domain sys_admin capability Resolves: rhbz#1375963- Allow puppetagent_t to access timedated dbus. Use the systemd_dbus_chat_timedated interface to allow puppetagent_t the access. Resolves: rhbz#1399250- Update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients Resolves: rhbz#1393505- Allow cluster_t communicate to fprintd_t via dbus Resolves: rhbz#1349798- Fix error message during update from RHEL-7.2 to RHEL-7.3, when /usr/sbin/semanage command is not installed and selinux-policy-migrate-local-changes.sh script is executed in %post install phase of selinux-policy package Resolves: rhbz#1392010- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. Resolves: rhbz#1384488 - Allow glusterd to get attributes on /sys/kernel/config directory. Resolves: rhbz#1384483- Use selinux-policy-migrate-local-changes.sh instead of migrateStore* macros - Add selinux-policy-migrate-local-changes service Resolves: rhbz#1381588- Allow sssd_selinux_manager_t to manage also dir class. Resolves: rhbz#1368097 - Add interface seutil_manage_default_contexts_dirs() Resolves: rhbz#1368097- Add virt_sandbox_use_nfs -> virt_use_nfs boolean substitution. Resolves: rhbz#1355783- Allow pcp_pmcd_t domain transition to lvm_t Add capability kill and sys_ptrace to pcp_pmlogger_t Resolves: rhbz#1309883- Allow ftp daemon to manage apache_user_content Resolves: rhbz#1097775 - Label /etc/sysconfig/oracleasm as oracleasm_conf_t Resolves: rhbz#1331383 - Allow oracleasm to rw inherited fixed disk device Resolves: rhbz#1331383 - Allow collectd to connect on unix_stream_socket Resolves: rhbz#1377259- Allow iscsid create netlink iscsid sockets. Resolves: rhbz#1358266 - Improve regexp for power_unit_file_t files. To catch just systemd power unit files. Resolves: rhbz#1375462- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain. Resolves: rhbz#1331383 - Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service Resolves: rhbz#1206525- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm Resolves: rhbz#1331383 - Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t Resolves: rhbz#1206525 - Allow mdadm_t to getattr all device nodes Resolves: rhbz#1365171 - Add interface dbus_dontaudit_stream_connect_system_dbusd() Resolves:rhbz#1052880 - Add virt_stub_* interfaces for docker policy which is no longer a part of our base policy. Resolves: rhbz#1372705 - Allow guest-set-user-passwd to set users password. Resolves: rhbz#1369693 - Allow samdbox domains to use msg class Resolves: rhbz#1372677 - Allow domains using kerberos to read also kerberos config dirs Resolves: rhbz#1368492 - Allow svirt_sandbox_domains to r/w onload sockets Resolves: rhbz#1342930 - Add interface fs_manage_oracleasm() Resolves: rhbz#1331383 - Label /dev/kfd as hsa_device_t Resolves: rhbz#1373488 - Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs Resolves: rhbz#1368097 - Add interface to write to nsfs inodes Resolves: rhbz#1372705 - Allow systemd services to use PrivateNetwork feature Resolves: rhbz#1372705 - Add a type and genfscon for nsfs. Resolves: rhbz#1372705 - Allow run sulogin_t in range mls_systemlow-mls_systemhigh. Resolves: rhbz#1290400- Allow arpwatch to create netlink netfilter sockets. Resolves: rhbz#1358261 - Fix file context for /etc/pki/pki-tomcat/ca/ - new interface oddjob_mkhomedir_entrypoint() - Move label for /var/lib/docker/vfs/ to proper SELinux module - Allow mdadm to get attributes from all devices. - Label /etc/puppetlabs as puppet_etc_t. - Allow systemd-machined to communicate to lxc container using dbus - Allow systemd_resolved to send dbus msgs to userdomains Resolves: rhbz#1236579 - Allow systemd-resolved to read network sysctls Resolves: rhbz#1236579 - Allow systemd_resolved to connect on system bus. Resolves: rhbz#1236579 - Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t - Label all files in /dev/oracleasmfs/ as oracleasmfs_t Resolves: rhbz#1331383- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t Resolves:rhbz#1366915 - Allow certmonger to manage all systemd unit files Resolves:rhbz#1366915 - Grant certmonger "chown" capability Resolves:rhbz#1366915 - Allow ipa_helper_t stream connect to dirsrv_t domain Resolves: rhbz#1368418 - Update oracleasm SELinux module Resolves: rhbz#1331383 - label /var/lib/kubelet as svirt_sandbox_file_t Resolves: rhbz#1369159 - Add few interfaces to cloudform.if file Resolves: rhbz#1367834 - Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module Resolves: rhbz#1347514 - Allow krb5kdc_t to read krb4kdc_conf_t dirs. Resolves: rhbz#1368492 - Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run. Resolves: rhbz#1365653 - Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. Resolves: rhbz#1365653 - Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type Resolves: rhbz#1331383 - A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init. Resolves: rhbz#1367834 - Allow iptables to creating netlink generic sockets. Resolves: rhbz#1364359- Allow ipmievd domain to create lock files in /var/lock/subsys/ Resolves:rhbz#1349058 - Update policy for ipmievd daemon. Resolves:rhbz#1349058 - Dontaudit hyperkvp to getattr on non security files. Resolves: rhbz#1349356 - Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t Resolves: rhbz#1347514 - Fixed lsm SELinux module - Add sys_admin capability to sbd domain Resolves: rhbz#1322725 - Allow vdagent to comunnicate with systemd-logind via dbus Resolves: rhbz#1366731 - Allow lsmd_plugin_t domain to create fixed_disk device. Resolves: rhbz#1238066 - Allow opendnssec domain to create and manage own tmp dirs/files Resolves: rhbz#1366649 - Allow opendnssec domain to read system state Resolves: rhbz#1366649 - Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs Resolves: rhbz#1366649 - Allow rasdaemon to mount/unmount tracefs filesystem. Resolves: rhbz#1364380 - Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/ Resolves: rhbz#1367520 - Modify interface den_read_nvme() to allow also read nvme_device_t block files. Resolves: rhbz#1362564 - Label /var/run/storaged as lvm_var_run_t. Resolves: rhbz#1264390 - Allow unconfineduser to run ipa_helper_t. Resolves: rhbz#1361636- Dontaudit mock to write to generic certs. Resolves: rhbz#1271209 - Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t Resolves: rhbz#1347514 - Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain" - Allow modemmanager to write to systemd inhibit pipes Resolves: rhbz#1365214 - Label corosync-qnetd and corosync-qdevice as corosync_t domain Resolves: rhbz#1347514 - Allow ipa_helper to read network state Resolves: rhbz#1361636 - Label oddjob_reqiest as oddjob_exec_t Resolves: rhbz#1361636 - Add interface oddjob_run() Resolves: rhbz#1361636 - Allow modemmanager chat with systemd_logind via dbus Resolves: rhbz#1362273 - Allow NetworkManager chat with puppetagent via dbus Resolves: rhbz#1363989 - Allow NetworkManager chat with kdumpctl via dbus Resolves: rhbz#1363977 - Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls. Resolves: rhbz#1322725 - Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t Resolves: rhbz#1349058 - Allow rasdaemon to use tracefs filesystem. Resolves: rhbz#1364380 - Fix typo bug in dirsrv policy - Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd. Resolves: rhbz#1283134 - Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t Resolves: rhbz#1362688 - Allow dirsrv to read dirsrv_share_t content Resolves: rhbz#1363662 - Allow virtlogd_t to append svirt_image_t files. Resolves: rhbz#1358140 - Allow hypervkvp domain to read hugetlbfs dir/files. Resolves: rhbz#1349356 - Allow mdadm daemon to read nvme_device_t blk files Resolves: rhbz#1362564 - Allow selinuxusers and unconfineduser to run oddjob_request Resolves: rhbz#1361636 - Allow sshd server to acces to Crypto Express 4 (CEX4) devices. Resolves: rhbz#1362539 - Fix labeling issue in init.fc file. Path /usr/lib/systemd/fedora-* changed to /usr/lib/systemd/rhel-*. Resolves: rhbz#1363769 - Fix typo in device interfaces Resolves: rhbz#1349058 - Add interfaces for managing ipmi devices Resolves: rhbz#1349058 - Add interfaces to allow mounting/umounting tracefs filesystem Resolves: rhbz#1364380 - Add interfaces to allow rw tracefs filesystem Resolves: rhbz#1364380 - Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices. Resolves: rhbz#1362564 - Label /sys/kernel/debug/tracing filesystem Resolves: rhbz#1364380 - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1357857- Dontaudit mock_build_t can list all ptys. Resolves: rhbz#1271209 - Allow ftpd_t to mamange userhome data without any boolean. Resolves: rhbz#1097775 - Add logrotate permissions for creating netlink selinux sockets. Resolves: rhbz#1283134 - Allow lsmd_plugin_t to exec ldconfig. Resolves: rhbz#1238066 - Allow vnstatd domain to read /sys/class/net/ files Resolves: rhbz#1358243 - Remove duplicate allow rules in spamassassin SELinux module Resolves:rhbz#1358175 - Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs Resolves:rhbz#1358175 - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1357857 - Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. Resolves: rhbz#1330464 - Allow gnome-keyring also manage user_tmp_t sockets. Resolves: rhbz#1257057 - corecmd: Remove fcontext for /etc/sysconfig/libvirtd Resolves:rhbz#1351382- Allow ipa_dnskey domain to search cache dirs Resolves: rhbz#1350957- Allow ipa-dnskey read system state. Reasolves: rhbz#1350957 - Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file Resolves: rhbz#1350957- Allow firewalld to manage net_conf_t files. Resolves:rhbz#1304723 - Allow logrotate read logs inside containers. Resolves: rhbz#1303514 - Allow sssd to getattr on fs_t Resolves: rhbz#1356082 - Allow opendnssec domain to manage bind chace files Resolves: rhbz#1350957 - Fix typo in rhsmcertd policy module Resolves: rhbz#1329475 - Allow systemd to get status of systemd-logind daemon Resolves: rhbz#1356141 - Label more ndctl devices not just ndctl0 Resolves: rhbz#1355809- Allow rhsmcertd to copy certs into /etc/docker/cert.d - Add interface docker_rw_config() Resolves: rhbz#1344500 - Fix logrotate fc file to label also /var/lib/logrotate/ dir as logrotate_var_lib_t Resolves: rhbz#1355632 - Allow rhsmcertd to read network sysctls Resolves: rhbz#1329475 - Label /var/log/graphite-web dir as httpd_log_t Resolves: rhbz#1310898 - Allow mock to use generic ptys Resolves: rhbz#1271209 - Allow adcli running as sssd_t to write krb5.keytab file. Resolves: rhbz#1356082 - Allow openvswitch connect to openvswitch_port_t type. Resolves: rhbz#1335024 - Add SELinux policy for opendnssec service. Resolves: rhbz#1350957 - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd Resolves: rhbz#1350957 - label /dev/ndctl0 device as nvram_device_t Resolves: rhbz#1355809- Allow lttng tools to block suspending Resolves: rhbz#1256374 - Allow creation of vpnaas in openstack Resolves: rhbz#1352710 - virt: add strict policy for virtlogd daemon Resolves:rhbz#1311606 - Update makefile to support snapperd_contexts file Resolves: rhbz#1352681- Allow udev to manage systemd-hwdb files - Add interface systemd_hwdb_manage_config() Resolves: rhbz#1350756 - Fix paths to infiniband devices. This allows use more then two infiniband interfaces. Resolves: rhbz#1210263- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263 - Allow opensm daemon to rw infiniband_mgmt_device_t Resolves: rhbz#1210263 - Allow systemd_hwdb_t to relabel /etc/udev/hwdb.bin file. Resolves: rhbz#1350756 - Make label for new infiniband_mgmt deivices Resolves: rhbz#1210263- Fix typo in brltty SELinux module - Add new SELinux module sbd Resolves: rhbz#1322725 - Allow pcp dmcache metrics collection Resolves: rhbz#1309883 - Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t Resolves: rhbz#1350782 - Allow openvpn to create sock files labeled as openvpn_var_run_t Resolves: rhbz#1328246 - Allow hypervkvp daemon to getattr on all filesystem types. Resolves: rhbz#1349356 - Allow firewalld to create net_conf_t files Resolves: rhbz#1304723 - Allow mock to use lvm Resolves: rhbz#1271209 - Allow keepalived to create netlink generic sockets. Resolves: rhbz#1349809 - Allow mirromanager creating log files in /tmp Resolves:rhbz#1328818 - Rename few modules to make it consistent with source files Resolves: rhbz#1351445 - Allow vmtools_t to transition to rpm_script domain Resolves: rhbz#1342119 - Allow nsd daemon to manage nsd_conf_t dirs and files Resolves: rhbz#1349791 - Allow cluster to create dirs in /var/run labeled as cluster_var_run_t Resolves: rhbz#1346900 - Allow sssd read also sssd_conf_t dirs Resolves: rhbz#1350535 - Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl Resolves: rhbz#1086240 - Add interface lvm_getattr_exec_files() Resolves: rhbz#1271209 - Fix typo Compliling vs. Compiling Resolves: rhbz#1351445- Allow krb5kdc_t to communicate with sssd Resolves: rhbz#1319933 - Allow prosody to bind on prosody ports Resolves: rhbz#1304664 - Add dac_override caps for fail2ban-client Resolves: rhbz#1316678 - dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637 - Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726 - Add label for brltty log file Resolves: rhbz#1328818 - Allow dspam to read the passwd file Resolves: rhbz#1286020 - Allow snort_t to communicate with sssd Resolves: rhbz#1284908 - svirt_sandbox_domains need to be able to execmod for badly built libraries. Resolves: rhbz#1206339 - Add policy for lttng-tools package. Resolves: rhbz#1256374 - Make mirrormanager as application domain. Resolves: rhbz#1328234 - Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon. - Add prosody ports Resolves: rhbz#1304664 - Allow sssd read also sssd_conf_t dirs Resolves: rhbz#1350535- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. Resolves:rhbz#1331315 - Label named-pkcs11 binary as named_exec_t. Resolves: rhbz#1331315 - Allow glusterd daemon to get systemd status Resolves: rhbz#1321785 - Allow logrotate dbus-chat with system_logind daemon Resolves: rhbz#1283134 - Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files Resolves: rhbz#1336211 - Add interface cron_read_pid_files() Resolves: rhbz#1336211 - Allow pcp_pmlogger to create unix dgram sockets Resolves: rhbz#1336211 - Add hwloc-dump-hwdata SELinux policy Resolves: rhbz#1344054 - Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t. Resolves: rhbz#1121171 - Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd() Resolves: rhbz#1259764 - Create label for openhpid log files. esolves: rhbz#1259764 - Label /var/lib/ganglia as httpd_var_lib_t Resolves: rhbz#1260536 - Allow firewalld_t to create entries in net_conf_t dirs. Resolves: rhbz#1304723 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals Resolves: rhbz#1288255 - Include patch from distgit repo: policy-RHEL-7.1-flask.patch. Resolves: rhbz#1329560 - Update refpolicy to handle hwloc Resolves: rhbz#1344054 - Label /etc/dhcp/scripts dir as bin_t - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. Resolves: rhbz#1288255- Allow firewalld_t to create entries in net_conf_t dirs. Resolves: rhbz#1304723 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals Resolves: rhbz#1288255 - Allow mongod log to syslog. Resolves: rhbz#1306995 - Allow rhsmcertd connect to port tcp 9090 Resolves: rhbz#1337319 - Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. Resolves: rhbz#1262483 Resolves: rhbz#1277506 - Label /usr/libexec/mimedefang-wrapper as spamd_exec_t. Resolves: rhbz#1301516 - Add new boolean spamd_update_can_network. Resolves: rhbz#1305469 - Allow rhsmcertd connect to tcp netport_port_t Resolves: rhbz#1329475 - Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t. Resolves: rhbz#1328234 - Allow prosody to bind to fac_restore tcp port. Resolves: rhbz#1321787 - Allow ninfod to read raw packets Resolves: rhbz#1317964 - Allow pegasus get attributes from qemu binary files. Resolves: rhbz#1260835 - Allow pegasus get attributes from qemu binary files. Resolves: rhbz#1271159 - Allow tuned to use policykit. This change is required by cockpit. Resolves: rhbz#1346464 - Allow conman_t to read dir with conman_unconfined_script_t binary files. Resolves: rhbz#1297323 - Allow pegasus to read /proc/sysinfo. Resolves: rhbz#1265883 - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. Resolves: rhbz#1288255 - Label tcp ports:16379, 26379 as redis_port_t Resolves: rhbz#1348471 - Allow systemd to relabel /var and /var/lib directories during boot. - Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces. - Add files_relabelto_var_lib_dirs() interface. - Label tcp port 2004 as mailbox_port_t. Resolves: rhbz#1332843 - Label tcp and udp port 5582 as fac_restore_port_t Resolves: rhbz#1321787 - Allow sysadm_t user to run postgresql-setup. Resolves: rhbz#1282543 - Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script. Resolves: rhbz#1297480 - Update netlink socket classes.- Allow conman to kill conman_unconfined_script. Resolves: rhbz#1297323 - Make conman_unconfined_script_t as init_system_domain. Resolves:rhbz#1297323 - Allow init dbus chat with apmd. Resolves:rhbz#995898 - Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t. Resolves: rhbz#1233252 - Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Add mediawiki rules to proper scope Resolves: rhbz#1301186 - Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Allow mysqld_safe to inherit rlimit information from mysqld Resolves: rhbz#1323673 - Allow collectd_t to stream connect to postgresql. Resolves: rhbz#1344056 - Allow mediawiki-script to read /etc/passwd file. Resolves: rhbz#1301186 - Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc. Resolves: rhbz#1344505 - Add labels for mediawiki123 Resolves: rhbz#1293872 - Fix label for all fence_scsi_check scripts - Allow ip netns to mounton root fs and unmount proc_t fs. Resolves: rhbz#1343776 Resolves: rhbz#1286851 - Allow sysadm_t to run newaliases command. Resolves: rhbz#1344828 - Add interface sysnet_filetrans_named_net_conf() Resolves: rhbz#1344505- Fix several issues related to the SELinux Userspace changes- Allow glusterd domain read krb5_keytab_t files. Resolves: rhbz#1343929 - Fix typo in files_setattr_non_security_dirs. Resolves: rhbz#1115987- Allow tmpreaper_t to read/setattr all non_security_file_type dirs Resolves: rhbz#1115987 - Allow firewalld to create firewalld_var_run_t directory. Resolves: rhbz#1304723 - Add interface firewalld_read_pid_files() Resolves: rhbz#1304723 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. Resolves: rhbz#1340542 - Allow sanlock service to read/write cephfs_t files. Resolves: rhbz#1315332 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added missing docker interfaces: - docker_typebounds - docker_entrypoint Resolves: rhbz#1236580 - Add interface files_setattr_non_security_dirs() Resolves: rhbz#1115987 - Add support for onloadfs - Allow iptables to read firewalld pid files. Resolves: rhbz#1304723 - Add SELinux support for ceph filesystem. Resolves: rhbz#1315332 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) Resolves: rhbz#1236580- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added missing docker interfaces: - docker_typebounds - docker_entrypoint Resolves: rhbz#1236580 - New interfaces needed for systemd-machinectl Resolves: rhbz#1236580 - New interfaces needed by systemd-machine Resolves: rhbz#1236580 - Add interface allowing sending and receiving messages from virt over dbus. Resolves: rhbz#1236580 - Backport docker policy from Fedora. Related: #1303123 Resolves: #1341257 - Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. Resolves: rhbz#1236580 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added interfaces needed by new docker policy. Related: rhbz#1303123 - Add support for systemd-machined daemon Resolves: rhbz#1236580 - Allow rpm-ostree domain transition to install_t domain from init_t. Resolves: rhbz#1340542- dnsmasq: allow NetworkManager to control dnsmasq via D-Bus Resolves: rhbz#1336722 - Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te Resolves: rhbz#1333198 - sftpd_* booleans are functionless these days. Resolves: rhbz#1335656 - Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. Resolves: rhbz#1335828 - Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. Resolves: rhbz#1336760 - Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. Resolves: rhbz#1336737 - Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. Resolves: rhbz#1264390 - Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t. Resolves: rhbz#1337061 - Revert "Allow all domains some process flags." Resolves: rhbz#1303644 - Revert "Remove setrlimit to all domains." Resolves: rhbz#1303644 - Label /usr/sbin/xrdp* files as bin_t Resolves: rhbz#1276777 - Add mls support for some db classes Resolves: rhbz#1303651 - Allow systemd_resolved_t to check if ipv6 is disabled. Resolves: rhbz#1236579 - Allow systemd_resolved to read systemd_networkd run files. Resolves: rhbz#1236579- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. Resolves: rhbz#1336760 - Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. Resolves: rhbz#1336737- Allow logwatch to domtrans to postqueue Resolves: rhbz#1331542 - Label /var/log/ganesha.log as gluster_log_t - Allow glusterd_t domain to create glusterd_log_t files. - Label /var/run/ganesha.pid as gluster_var_run_t. Resolves: rhbz#1335828 - Allow zabbix to connect to postgresql port Resolves: rhbz#1330479 - Add userdom_destroy_unpriv_user_shared_mem() interface. Related: rhbz#1306403 - systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. Resolves: rhbz#1306403- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. Resolves: rhbz#1333952- Add interface glusterd_dontaudit_read_lib_dirs() Resolves: rhbz#1295680 - Dontaudit Occasionally observing AVC's while running geo-rep automation Resolves: rhbz#1295680 - Allow glusterd to manage socket files labeled as glusterd_brick_t. Resolves: rhbz#1331561 - Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1246522 - Allow stunnel create log files. Resolves: rhbz#1296851 - Label tcp port 8181 as intermapper_port_t. Resolves: rhbz#1334783 - Label tcp/udp port 2024 as xinuexpansion4_port_t Resolves: rhbz#1334783 - Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t Resolves: rhbz#1334783 - Dontaudit ldconfig read gluster lib files. Resolves: rhbz#1295680 - Add interface auth_use_nsswitch() to systemd_domain_template. Resolves: rhbz#1236579- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. Resolves: rhbz#1312809 Resolves: rhbz#1323947 - Allow dbus chat between httpd_t and oddjob_t. Resolves: rhbz#1324144 - Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. Resolves: rhbz#1324144 - Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. Resolves: rhbz#1324144 - Allow prosody to listen on port 5000 for mod_proxy65. Resolves: rhbz#1316918 - Allow pcp_pmcd_t domain to manage docker lib files. This rule is needed to allow pcp to collect container information when SELinux is enabled. Resolves: rhbz#1309454- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs. Resolves: rhbz#1319442 - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. Resolves: rhbz#1296640 - Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. Resolves: rhbz#1097775 - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. Resolves: rhbz#1262483 - Allow nsd daemon to create log file in /var/log as nsd_log_t Resolves: rhbz#1293140 - Sanlock policy update. - New sub-domain for sanlk-reset daemon Resolves: rhbz#1212324 - Label all run tgtd files, not just socket files Resolves: rhbz#1280280 - Label all run tgtd files, not just socket files. Resolves: rhbz#1280280 - Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. Resolves: rhbz#1321049 - unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. Resolves: rhbz#1318224 - Allow prosody to listen on port 5000 for mod_proxy65. Resolves: rhbz#1316918 - Allow targetd to read/write to /dev/mapper/control device. Resolves: rhbz#1063714 - Allow KDM to get status about power services. This change allow kdm to be able do shutdown. Resolves: rhbz#1316724 - Allow systemd-resolved daemon creating netlink_route sockets. Resolves:rhbz#1236579 - Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used Resolves: rhbz#1065362 - Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t Resolves: rhbz#1321943 - Label all nvidia binaries as xserver_exec_t Resolves: rhbz#1322283- Create new permissivedomains CIL module and make it active. Resolves: rhbz#1320451 - Add support for new mock location - /usr/libexec/mock/mock. Resolves: rhbz#1271209 - Allow bitlee to create bitlee_var_t dirs. Resolves: rhbz#1268651 - Allow CIM provider to read sssd public files. Resolves: rhbz#1263339 - Fix some broken interfaces in distro policy. Resolves: rhbz#1121171 - Allow power button to shutdown the laptop. Resolves: rhbz#995898 - Allow lsm plugins to create named fixed disks. Resolves: rhbz#1238066 - Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.confResolves: rhbz#1278777 - Allow hyperv domains to rw hyperv devices. Resolves: rhbz#1309361 - Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.Resolves: rhbz#1246780 - Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/ Resolves: rhbz#1297323 - Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib. - Add support for /dev/mptctl device used to check RAID status. Resolves: rhbz#1258029 - Create hyperv* devices and create rw interfaces for this devices. Resolves: rhbz#1309361 - Add fixes for selinux userspace moving the policy store to /var/lib/selinux. - Remove optional else block for dhcp ping- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks. Resolves: rhbz#1263770 - Fix context of "/usr/share/nginx/html". Resolves: rhbz#1261857 - Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics Resolves: rhbz#1270344 - Allow pmlogger to create pmlogger.primary.socket link file. Resolves: rhbz#1270344 - Label nagios scripts as httpd_sys_script_exec_t. Resolves: rhbz#1260306 - Add dontaudit interface for kdumpctl_tmp_t Resolves: rhbz#1156442 - Allow mdadm read files in EFI partition. Resolves: rhbz#1291801 - Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid. Resolves: rhbz#1293140 - Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs Resolves: rhbz#1293140 - Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface. Resolves: rhbz#1265102 - Add missing labeling for /usr/libexec/abrt-hook-ccpp. Resolves: rhbz#1213409 - Allow pcp_pmie and pcp_pmlogger to read all domains state. Resolves: rhbz#1206525 - Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port. Resolves: rhbz#1275246 - cockpit has grown content in /var/run directory Resolves: rhbz#1279429 - Allow collectd setgid capability Resolves:#1310898 - Remove declaration of empty booleans in virt policy. Resolves: rhbz#1103153 - Fix typo in drbd policy - Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. Allow drbd_t create drbd_tmp_t files in /tmp. Resolves: rhbz#1134883 - Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files. Resolves: rhbz#1293788 - Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. Resolves: rhbz#1254188 - Allow abrt_t to read sysctl_net_t files. Resolves: rhbz#1254188 - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. - Allow abrt-hook-ccpp to getattr on all executables. - Allow setuid/setgid capabilities for abrt-hook-ccpp. Resolves: rhbz#1254188 - abrt-hook-ccpp needs to have setfscreate access because it is SELinux aware and compute a target labeling. Resolves: rhbz#1254188 - Allow abrt-hook-ccpp to change SELinux user identity for created objects. Resolves: rhbz#1254188 - Dontaudit write access to inherited kdumpctl tmp files. Resolves: rbhz#1156442 - Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) Resolves: rhbz#1291801 - Label 8952 tcp port as nsd_control. Resolves: rhbz#1293140 - Allow ipsec to use pam. Resolves: rhbz#1315700 - Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020 - Allow setrans daemon to read /proc/meminfo. Resolves: rhbz#1316804 - Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg Resolves: rhbz#1298151 - Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution Resolves: rhbz#1236579 - Add new selinux policy for systemd-resolved dawmon. Resolves: rhbz#1236579 - Add interface ssh_getattr_server_keys() interface. Resolves: rhbz#1306197 - Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 Resolves: rhbz#1306197 - Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used. Resolves: rhbz#1309417 - Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t. Resolves: rhbz#1293788- Prepare selinux-policy package for userspace release 2016-02-23. Resolves: rhbz#1305982- Allow sending dbus msgs between firewalld and system_cronjob domains. Resolves: rhbz#1284902 - Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. Resolves: rhbz#1242506 - Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. Resolves: rhbz#1284972 - Add support for systemd-hwdb daemon. Resolves: rhbz#1257940 - Add interface fs_setattr_cifs_dirs(). Resolves: rhbz#1284972- Add new SELinux policy fo targetd daemon. Resolves: rhbz#1063714 - Add new SELinux policy fo ipmievd daemon. Resolves: rhbz#1083031 - Add new SELinux policy fo hsqldb daemon. Resolves: rhbz#1083171 - Add new SELinux policy for blkmapd daemon. Resolves: rhbz#1072997 - Allow p11-child to connect to apache ports. - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. Resolves: rhbz#1278028 - Add interface "lvm_manage_lock" to lvm policy. Resolves: rhbz#1063714- Allow openvswitch domain capability sys_rawio. Resolves: rhbz#1278495- Allow openvswitch to manage hugetlfs files and dirs. Resolves: rhbz#1278495 - Add fs_manage_hugetlbfs_files() interface. Resolves: rhbz#1278495- Allow smbcontrol domain to send sigchld to ctdbd domain. Resolves: #1293784 - Allow openvswitch read/write hugetlb filesystem. Resolves: #1278495Allow hypervvssd to list all mountpoints to have VSS live backup working correctly. Resolves:#1247880- Revert Add missing labeling for /usr/libexec/abrt-hook-ccpp patch Resolves: #1254188- Allow search dirs in sysfs types in kernel_read_security_state. Resolves: #1254188 - Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs. Resolves: #1254188- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs Resolves: #1254188 - We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes. Resolves:#1261938- Remove labeling for modules_dep_t file contexts to have labeled them as modules_object_t. - Update files_read_kernel_modules() to contain modutils_read_module_deps_files() calling because module deps labeling could remain and it allows to avoid regressions. Resolves:#1266928- We need to require sandbox_web_type attribute in sandbox_x_domain_template(). Resolves: #1261938 - ipsec: The NM helper needs to read the SAs Resolves: #1259786 - ipsec: Allow ipsec management to create ptys Resolves: #1259786- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type. Resolves:#1261938 - Allow abrt_t domain to write to kernel msg device. Resolves: #1257828 - Allow rpcbind_t domain to change file owner and group Resolves: #1265266- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind. Resolves: #1256459- Allow dirsrv-admin script to read passwd file. Allow dirsrv-admin script to read httpd pid files. Label dirsrv-admin unit file and allow dirsrv-admin domains to use it. Resolves: #1230300 - Allow qpid daemon to connect on amqp tcp port. Resolves: #1261805- Label /etc/ipa/nssdb dir as cert_t Resolves:#1262718 - Do not provide docker policy files which is shipped by docker-selinux.rpm Resolves:#1262812- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager Resolves: #1192338 - Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem. Resolves: #1238079 - Allow rhsmcertd_t send signull to unconfined_service_t domains. Resolves: #1176078 - Remove file transition from snmp_manage_var_lib_dirs() interface which created snmp_var_lib_t dirs in var_lib_t. - Allow openhpid_t daemon to manage snmp files and dirs. Resolves: #1243902 - Allow mdadm_t domain read/write to general ptys and unallocated ttys. Resolves: #1073314 - Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t Resolves: #1176078- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. Resolves:#1250456- Fix labeling for fence_scsi_check script Resolves: #1255020 - Allow openhpid to read system state Allow openhpid to connect to tcp http port. Resolves: #1244248 - Allow openhpid to read snmp var lib files. Resolves: #1243902 - Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe - Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t Resolves: #1243403 - Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl Resolves: #1255020- Fix regexp in chronyd.fc file Resolves: #1243764 - Allow passenger to getattr filesystem xattr Resolves: #1196555 - Label mdadm.conf.anackbak as mdadm_conf_t file. Resolves: #1088904 - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." - Allow watchdog execute fenced python script. Resolves: #1255020 - Added inferface watchdog_unconfined_exec_read_lnk_files() - Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t. Resolves: #1230877- Allow watchdog execute fenced python script. Resolves: #1255020 - Added inferface watchdog_unconfined_exec_read_lnk_files() - Label /var/run/chrony-helper dir as chronyd_var_run_t. Resolves: #1243764 - Allow dhcpc_t domain transition to chronyd_t Resolves: #1243764- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. Resolves: #1252442- Allow exec pidof under hypervkvp domain. Resolves: #1254870 - Allow hypervkvp daemon create connection to the system DBUS Resolves: #1254870- Allow openhpid_t to read system state. Resolves: #1244248 - Added labels for files provided by rh-nginx18 collection Resolves: #1249945 - Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db. Resolves: #1252968 - Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution. Resolves: #1243431 - Allow abrt_dump_oops_t to read proc_security_t files. - Allow abrt_dump_oops to signull all domains Allow abrt_dump_oops to read all domains state Allow abrt_dump_oops to ptrace all domains - Add interface abrt_dump_oops_domtrans() - Add mountpoint dontaudit access check in rhsmcertd policy. Resolves: #1243431 - Allow samba_net_t to manage samba_var_t sock files. Resolves: #1252937 - Allow chrome setcap to itself. Resolves: #1251996 - Allow httpd daemon to manage httpd_var_lib_t lnk_files. Resolves: #1253706 - Allow chronyd exec systemctl Resolves: #1243764 - Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t. Resolves: #1243764 - Added interface fs_dontaudit_write_configfs_dirs - Add label for kernel module dep files in /usr/lib/modules Resolves:#916635 - Allow kernel_t domtrans to abrt_dump_oops_t - Added to files_dontaudit_write_all_mountpoints intefface new dontaudit rule, that domain included this interface dontaudit capability dac_override. - Allow systemd-networkd to send logs to systemd-journald. Resolves: #1236616- Fix label on /var/tmp/kiprop_0 Resolves:#1220763 - Allow lldpad_t to getattr tmpfs_t. Resolves: #1246220 - Label /dev/shm/lldpad.* as lldapd_tmpfs_t Resolves: #1246220 - Allow audisp client to read system state.- Allow pcp_domain to manage pcp_var_lib_t lnk_files. Resolves: #1252341 - Label /var/run/xtables.* as iptables_var_run_t Resolves: #1243403- Add interface to read/write watchdog device - Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde Resolves:#1210237 - Allow apcupsd_t to read /sys/devices Resolves:#1189185 - Allow logrotate to reload services. Resolves: #1242453 - Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) Resolves: #1244260 - Allow openhpid liboa_soap plugin to read generic certs. Resolves: #1244248 - Allow openhpid liboa_soap plugin to read resolv.conf file. Resolves: #1244248 - Label /usr/libexec/chrony-helper as chronyd_exec_t - Allow chronyd_t to read dhcpc state. - Allow chronyd to execute mkdir command.- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t. Resolves:#1073314 - Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS. - Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users. - Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode. - Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling. Resolves:#1183503 - Add support for /etc/sanlock which is writable by sanlock daemon. Resolves:#1231377 - Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet. Resolves:#1243775 - Allow snapperd to pass data (one way only) via pipe negotiated over dbus Resolves:#1250550 - Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files). Resolves: #1243902 - Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device Resolves: #1238079 - Allow lsm_plugin_t to rw raw_fixed_disk. Resolves:#1238079 - Allow rhsmcertd to send signull to unconfined_service.- Allow httpd_suexec_t to read and write Apache stream sockets Resolves: #1243569 - Allow qpid to create lnk_files in qpid_var_lib_t Resolves: #1247279- Allow drbd to get attributes from filesystems. - Allow redis to read kernel parameters. Resolves: #1209518 - Allow virt_qemu_ga_t domtrans to passwd_t - Allow audisp_remote_t to start power unit files domain to allow halt system. Resolves: #1186780 - Allow audisp_remote_t to read/write user domain pty. Resolves: #1186780 - Label /usr/sbin/chpasswd as passwd_exec_t. - Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds). Resolves:#1221121- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te - Allow pcp_pmcd daemon to read postfix config files. - Allow pcp_pmcd daemon to search postfix spool dirs. Resolves: #1213740 - Added Booleans: pcp_read_generic_logs. Resolves: #1213740 - Allow drbd to read configuration options used when loading modules. Resolves: #1134883 - Allow glusterd to manage nfsd and rpcd services. - Allow glusterd to communicate with cluster domains over stream socket. - glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.- Allow glusterd to manage nfsd and rpcd services. - Allow networkmanager to communicate via dbus with systemd_hostanmed. Resolves: #1234954 - Allow stream connect logrotate to prosody. - Add prosody_stream_connect() interface. - httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t. - Allow prosody to create own tmp files/dirs. Resolves:#1212498- Allow networkmanager read rfcomm port. Resolves:#1212498 - Remove non exists label. - Fix *_admin intefaces where body is not consistent with header. - Label /usr/afs/ as afs_files_t, Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t, Allow afs_bosserver_t read kerberos config - Remove non exits nfsd_ro_t label. - Make all interfaces related to openshift_cache_t as deprecated. - Add rpm_var_run_t label to rpm_admin header - Add jabberd_lock_t label to jabberd_admin header. - Add samba_unconfined_script_exec_t to samba_admin header. - inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - Fix ctdb policy - Add samba_signull_winbind() - Add samba_signull_unconfined_net() - Allow ctdbd_t send signull to samba_unconfined_net_t. - Allow openshift_initrc_t to communicate with firewalld over dbus Resolves:#1221326- Allow gluster to connect to all ports. It is required by random services executed by gluster. - Add interfaces winbind_signull(), samba_unconfined_net_signull(). - Dontaudit smbd_t block_suspend capability. This is kernel bug. - Allow ctdbd sending signull to process winbind, samba_unconfined_net, to checking if processes exists. - Add tmpreaper booleans to use nfs_t and samba_share_t. - Fix path from /usr/sbin/redis-server to /usr/bin/redis-server - Allow connect ypserv to portmap_port_t - Fix paths in inn policy, Allow innd read innd_log_t dirs, Allow innd execute innd_etc_t files - Add support for openstack-nova-* packages - Allow NetworkManager_t send signull to dnssec_trigger_t. - Allow glusterd to execute showmount in the showmount domain. - Label swift-container-reconciler binary as swift_t. - Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files. - Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?" Resolves:#1213540 - Merge all nova_* labels under one nova_t.- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins Resolves:#1233550 - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ - Add support for oddjob based helper in FreeIPA. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add nagios_domtrans_unconfined_plugins() interface. - Update mta_filetrans_named_content() interface to cover more db files. Resolves:#1167468 - Add back ftpd_use_passive_mode boolean with fixed description. - Allow pmcd daemon stream connect to mysqld. - Allow pcp domains to connect to own process using unix_stream_socket. Resolves:#1213709 - Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add support for oddjob based helper in FreeIPA. - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/- Allow iptables to read ctdbd lib files. Resolves:#1224879 - Add systemd_networkd_t to nsswitch domains. - Allow drbd_t write to fixed_disk_device. Reason: drbdmeta needs write to fixed_disk_device during initialization. Resolves:#1130675 - Allow NetworkManager write to sysfs. - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. - Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types. - Allow NetworkManager write to sysfs. - Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. - Dontaudit apache to manage snmpd_var_lib_t files/dirs. - Add interface snmp_dontaudit_manage_snmp_var_lib_files(). - Dontaudit mozilla_plugin_t cap. sys_ptrace. - Rename xodbc-connect port to xodbc_connect - Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. - Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. - Dontaudit chrome to read passwd file. - nrpe needs kill capability to make gluster moniterd nodes working. Resolves:#1235587- We allow can_exec() on ssh_keygen on gluster. But there is a transition defined by init_initrc_domain() because we need to allow execute unconfined services by glusterd. So ssh-keygen ends up with ssh_keygen_t and we need to allow to manage /var/lib/glusterd/geo-replication/secret.pem. - Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so. - Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password. - Label gluster python hooks also as bin_t. - Allow glusterd to interact with gluster tools running in a user domain - Add glusterd_manage_lib_files() interface. - ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. - Allow samba_t net_admin capability to make CIFS mount working. - S30samba-start gluster hooks wants to search audit logs. Dontaudit it. Resolves:#1224879- Allow glusterd to send generic signals to systemd_passwd_agent processes. - Allow glusterd to access init scripts/units without defined policy - Allow glusterd to run init scripts. - Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain. Resolves:#1224879- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block. - Allow samba-net to access /var/lib/ctdbd dirs/files. - Allow glusterd to send a signal to smbd. - Make ctdbd as home manager to access also FUSE. - Allow glusterd to use geo-replication gluster tool. - Allow glusterd to execute ssh-keygen. - Allow glusterd to interact with cluster services. - Allow glusterd to connect to the system DBUS for service (acquire_svc). - Label /dev/log correctly. Resolves:#1230932- Back port the latest F22 changes to RHEL7. It should fix most of RHEL7.2 bugs - Add cgdcbxd policy Resolves:#1072493 - Fix ftp_homedir boolean Resolve:#1097775 - Dontaudit ifconfig writing inhertited /var/log/pluto.log. - Allow cluster domain to dbus chat with systemd-logind. Resolves:#1145215 - Dontaudit write access to inherited kdumpctl tmp files Resolves:#1156442 - Allow isnsd_t to communicate with sssd Resolves:#1167702 - Allow rwho_t to communicate with sssd Resolves:#1167718 - Allow sblim_gatherd_t to communicate with sssd Resolves:#1167732 - Allow pkcs_slotd_t to communicate with sssd Resolves:#1167737 - Allow openvswitch_t to communicate with sssd Resolves:#1167816 - Allow mysqld_safe_t to communicate with sssd Resolves:#1167832 - Allow sshd_keygen_t to communicate with sssd Resolves:#1167840 - Add support for iprdbg logging files in /var/log. Resolves:#1174363 - Allow tmpreaper_t to manage ntp log content Resolves:#1176965 - Allow gssd_t to manage ssh keyring Resolves:#1184791 - Allow httpd_sys_script_t to send system log messages Resolves:#1185231 - Allow apcupsd_t to read /sys/devices Resolves:#1189185 - Allow dovecot_t sys_resource capability Resolves:#1191143 - Add support for mongod/mongos systemd unit files. Resolves:#1197038 - Add bacula fixes - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. Resolves:#1203991- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. - Add more restriction on entrypoint for unconfined domains. - Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface - Allow all domains to read /dev/urandom. It is needed by all apps/services linked to libgcrypt. There is no harm to allow it by default. - Update policy/mls for sockets related to access perm. Rules were contradictory. - Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow r un sudo from NRPE utils scripts and allow run nagios in conjunction w ith PNP4Nagios. Resolves:#1201054 - Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead. - Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type - Label /var/lib/tftpboot/aarch64(/.*)? and /var/lib/tftpboot/images2(/.*)? - Add support for iprdbg logging files in /var/log. - Add fixes to rhsmcertd_t - Allow puppetagent_t to transfer firewalld messages over dbus - Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. - Add support for mongod/mongos systemd unit files. - cloudinit and rhsmcertd need to communicate with dbus - Allow dovecot_t sys_resource capability- ALlow mongod execmem by default. - Update policy/mls for sockets. Rules were contradictory. Resolves:#1207133 - Allow a user to login with different security level via ssh.- Update seutil_manage_config() interface. Resolves:#1185962 - Allow pki-tomcat relabel pki_tomcat_etc_rw_t. - Turn on docker_transition_unconfined by default- Allow virtd to list all mountpoints. Resolves:#1180713- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t. - Allow fowner capability for sssd because of selinux_child handling. - ALlow bind to read/write inherited ipsec pipes - Allow hypervkvp to read /dev/urandom and read addition states/config files. - Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd. - Add glusterd_filetrans_named_pid() interface - Allow radiusd to connect to radsec ports. - Allow setuid/setgid for selinux_child - Allow lsmd plugin to connect to tcp/5988 by default. - Allow lsmd plugin to connect to tcp/5989 by default. - Update ipsec_manage_pid() interface. Resolves:#1184978- Update ipsec_manage_pid() interface. Resolves:#1184978- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.- Add auditing support for ipsec. Resolves:#1182524 - Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t - Allow netutils chown capability to make tcpdump working with -w- Allow ipsec to execute _updown.netkey script to run unbound-control. - Allow neutron to read rpm DB. - Add additional fixes for hyperkvp * creates new ifcfg-{name} file * Runs hv_set_ifconfig.sh, which does the following * Copies ifcfg-{name} to /etc/sysconfig/network-scripts - Allow svirt to read symbolic links in /sys/fs/cgroups labeled as tmpfs_t - Add labeling for pacemaker.log. - Allow radius to connect/bind radsec ports. - Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log - Allow virt_qemu_ga to dbus chat with rpm. - Update virt_read_content() interface to allow read also char devices. - Allow glance-registry to connect to keystone port. Resolves:#1181818- Allow sssd to send dbus all user domains. Resolves:#1172291 - Allow lsm plugin to read certificates. - Fix labeling for keystone CGI scripts. - Make snapperd back as unconfined domain.- Fix bugs in interfaces discovered by sepolicy. - Allow slapd to read /usr/share/cracklib/pw_dict.hwm. - Allow lsm plugins to connect to tcp/18700 by default. - Allow brltty mknod capability to allow create /var/run/brltty/vcsa. - Fix pcp_domain_template() interface. - Fix conman.te. - Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc - Allow glance-scrubber to connect tcp/9191. - Add missing setuid capability for sblim-sfcbd. - Allow pegasus ioctl() on providers. - Add conman_can_network. - Allow chronyd to read chrony conf files located in /run/timemaster/. - Allow radius to bind on tcp/1813 port. - dontaudit block suspend access for openvpn_t - Allow conman to create files/dirs in /tmp. - Update xserver_rw_xdm_keys() interface to have 'setattr'. Resolves:#1172291 - Allow sulogin to read /dev/urandom and /dev/random. - Update radius port definition to have also tcp/18121 - Label prandom as random_device_t. - Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t.- Allow virt_qemu_ga_t to execute kmod. - Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean. - Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs. Resolves:#1113725 - Enable OpenStack cinder policy - Add support for /usr/share/vdsm/daemonAdapter - Add support for /var/run/gluster- Remove old pkcsslotd.pp from minimum package - Allow rlogind to use also rlogin ports. - Add support for /usr/libexec/ntpdate-wrapper. Label it as ntpdate_exec_t. - Allow bacula to connect also to postgresql. - Label /usr/libexec/tomcat/server as tomcat_exec_t - Add support for /usr/sbin/ctdbd_wrapper - Add support for /usr/libexec/ppc64-diag/rtas_errd - Allow rpm_script_roles to access system_mail_t - Allow brltty to create /var/run/brltty - Allow lsmd plugin to access netlink_route_socket - Allow smbcontrol to read passwd - Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for it Resolves:#1140106 - Allow osad to execute rhn_check - Allow load_policy to rw inherited sssd pipes because of selinux_child - Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS - Add additional fixes for su_restricted_domain_template to make moving to sysadm_r and trying to su working correctly - Add additional booleans substitions- Add seutil_dontaudit_access_check_semanage_module_store() interface Resolves:#1140106 - Update to have all _systemctl() interface also init_reload_services(). - Dontaudit access check on SELinux module store for sssd. - Add labeling for /sbin/iw. - Allow named_filetrans_domain to create ibus directory with correct labeling.- Allow radius to bind tcp/1812 radius port. - Dontaudit list user_tmp files for system_mail_t. - Label virt-who as virtd_exec_t. - Allow rhsmcertd to send a null signal to virt-who running as virtd_t. - Add missing alias for _content_rw_t. Resolves:#1089177 - Allow spamd to access razor-agent.log. - Add fixes for sfcb from libvirt-cim TestOnly bug. - Allow NetworkManager stream connect on openvpn. - Make /usr/bin/vncserver running as unconfined_service_t. - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain. - Label /etc/docker/certs.d as cert_t.- Label /etc/strongimcv as ipsec_conf_file_t. - Add support for /usr/bin/start-puppet-ca helper script Resolves:#1160727 - Allow rpm scripts to enable/disable transient systemd units. Resolves:#1154613 - Make kpropdas nsswitch domain Resolves:#1153561 - Make all glance domain as nsswitch domains Resolves:#1113281 - Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active - Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t Resolves:#1140106- Dontaudit access check on setfiles/load_policy for sssd_t. Resolves:#1140106 - Add kdump_rw_inherited_kdumpctl_tmp_pipes() Resolves:#1156442 - Make linuxptp services as unconfined. - Added new policy linuxptp. Resolves:#1149693 - Label keystone cgi files as keystone_cgi_script_exec_t. Resolves:#1138424 - Make tuned as unconfined domain- Allow guest to connect to libvirt using unix_stream_socket. - Allow all bus client domains to dbus chat with unconfined_service_t. - Allow inetd service without own policy to run in inetd_child_t which is unconfined domain. - Make opensm as nsswitch domain to make it working with sssd. - Allow brctl to read meminfo. - Allow winbind-helper to execute ntlm_auth in the caller domain. Resolves:#1160339 - Make plymouthd as nsswitch domain to make it working with sssd. Resolves:#1160196 - Make drbd as nsswitch domain to make it working with sssd. - Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working. - Add support for /var/lib/sntp directory. - Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc - Allow winbind to read usermodehelper - Allow telepathy domains to execute shells and bin_t - Allow gpgdomains to create netlink_kobject_uevent_sockets - Allow mongodb to bind to the mongo port and mongos to run as mongod_t - Allow abrt to read software raid state. - Allow nslcd to execute netstat. - Allow dovecot to create user's home directory when they log into IMAP. - Allow login domains to create kernel keyring with different level.- Allow modemmanger to connectto itself Resolves:#1120152 - Allow pki_tomcat to create link files in /var/lib/pki-ca. Resolves:#1121744 - varnishd needs to have fsetid capability Resolves:#1125165 - Allow snapperd to dbus chat with system cron jobs. Resolves:#1152447 - Allow dovecot to create user's home directory when they log into IMAP Resolves:#1152773 - Add labeling for /usr/sbin/haproxy-systemd-wrapper wrapper to make haproxy running haproxy_t. - ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. - Allow nslcd to execute netstat. - Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. - Allow nslcd to read /dev/urandom.- Add back kill permisiion for system class Resolves:#1150011- Add back kill permisiion for service class Resolves:#1150011 - Make rhsmcertd_t also as dbus domain. - Allow named to create DNS_25 with correct labeling. - Add cloudform_dontaudit_write_cloud_log() - Call auth_use_nsswitch to apache to read/write cloud-init keys. - Allow cloud-init to dbus chat with certmonger. - Fix path to mon_statd_initrc_t script. - Allow all RHCS services to read system state. - Allow dnssec_trigger_t to execute unbound-control in own domain. - kernel_read_system_state needs to be called with type. Moved it to antivirus.if. - Added policy for mon_statd and mon_procd services. BZ (1077821) - Allow opensm_t to read/write /dev/infiniband/umad1. - Allow mongodb to manage own log files. - Allow neutron connections to system dbus. - Add support for /var/lib/swiftdirectory. - Allow nova-scheduler to read certs. - Allow openvpn to access /sys/fs/cgroup dir. - Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd. - Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files. - Add auth_use_nsswitch for portreserve to make it working with sssd. - automount policy is non-base module so it needs to be called in optional block. - ALlow sensord to getattr on sysfs. - Label /usr/share/corosync/corosync as cluster_exec_t. - Allow lmsd_plugin to read passwd file. BZ(1093733) - Allow read antivirus domain all kernel sysctls. - Allow mandb to getattr on file systems - Allow nova-console to connect to mem_cache port. - Make sosreport as unconfined domain. - Allow mondogdb to 'accept' accesses on the tcp_socket port. - ALlow sanlock to send a signal to virtd_t.- Build also MLS policy Resolves:#1138424- Add back kill permisiion for system class - Allow iptables read fail2ban logs. - Fix radius labeled ports - Add userdom_manage_user_tmpfs_files interface - Allow libreswan to connect to VPN via NM-libreswan. - Label 4101 tcp port as brlp port - fix dev_getattr_generic_usb_dev interface - Allow all domains to read fonts - Make sure /run/systemd/generator and system is labeled correctly on creation. - Dontaudit aicuu to search home config dir. - Make keystone_cgi_script_t domain. Resolves:#1138424 - Fix bug in drbd policy, - Added support for cpuplug. - ALlow sanlock_t to read sysfs_t. - Added sendmail_domtrans_unconfined interface - Fix broken interfaces - radiusd wants to write own log files. - Label /usr/libexec/rhsmd as rhsmcertd_exec_t - Allow rhsmcertd send signull to setroubleshoot. - Allow rhsmcertd manage rpm db. - Added policy for blrtty. - Fix keepalived policy - Allow rhev-agentd dbus chat with systemd-logind. - Allow keepalived manage snmp var lib sock files. - Add support for /var/lib/graphite-web - Allow NetworkManager to create Bluetooth SDP sockets - It's going to do the the discovery for DUN service for modems with Bluez 5. - Allow swift to connect to all ephemeral ports by default. - Allow sssd to read selinux config to add SELinux user mapping. - Allow lsmd to search own plguins. - Allow abrt to read /dev/memto generate an unique machine_id and uses sosuploader's algorithm based off dmidecode[1] fields. - ALlow zebra for user/group look-ups. - Allow nova domains to getattr on all filesystems. - Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes. - Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket. - Allow rhnsd_t to manage also rhnsd config symlinks. - ALlow user mail domains to create dead.letter. - Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. - Allow pki-tomcat to change SELinux object identity. - Allow radious to connect to apache ports to do OCSP check - Allow git cgi scripts to create content in /tmp - Allow cockpit-session to do GSSAPI logins. - Allow sensord read in /proc - Additional access required by usbmuxd- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems - Label /usr/lib/erlang/erts.*/bin files as bin_t - Add files_dontaudit_access_check_home_dir() inteface. - Allow udev_t mounton udev_var_run_t dirs #(1128618) - Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it. - Add init_dontaudit_read_state() interface. - Add label for ~/.local/share/fonts - Allow unconfined_r to access unconfined_service_t. - Allow init to read all config files - Add new interface to allow creation of file with lib_t type - Assign rabbitmq port. - Allow unconfined_service_t to dbus chat with all dbus domains - Add new interfaces to access users keys. - Allow domains to are allowed to mounton proc to mount on files as well as dirs - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. - Add a port definition for shellinaboxd - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Allow userdomains to stream connect to pcscd for smart cards - Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix) - Update to rawhide-contrib changes Resolves:#1123844- Rebase to 3.13.1 which we have in Fedora21 Resolves:#1128284- Back port fixes from Fedora. Mainly OpenStack and Docker fixes- Add policy-rhel-7.1-{base,contrib} patches- Add support for us_cli ports - Fix labeling for /var/run/user//gvfs - add support for tcp/9697 - Additional rules required by openstack, needs backport to F20 and RHEL7 - Additional access required by docker - ALlow motion to use tcp/8082 port - Allow init_t to setattr/relabelfrom dhcp state files - Dontaudit antivirus domains read access on all security files by default - Add missing alias for old amavis_etc_t type - Allow block_suspend cap for haproxy - Additional fixes for instack overcloud - Allow OpenStack to read mysqld_db links and connect to MySQL - Remove dup filename rules in gnome.te - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t - Allow iscsid to handle own unit files - Add iscsi_systemctl() - Allow mongod to create also sock_files in /run with correct labeling - Allow httpd to send signull to apache script domains and don't audit leaks - Allow rabbitmq_beam to connect to httpd port - Allow aiccu stream connect to pcscd - Allow dmesg to read hwdata and memory dev - Allow all freeipmi domains to read/write ipmi devices - Allow sblim_sfcbd to use also pegasus-https port - Allow rabbitmq_epmd to manage rabbit_var_log_t files - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input - Allow docker to status any unit file and allow it to start generic unit files- Change hsperfdata_root to have as user_tmp_t Resolves:#1076523- Fix Multiple same specifications for /var/named/chroot/dev/zero - Add labels for /var/named/chroot_sdb/dev devices - Add support for strongimcv - Use kerberos_keytab_domains in auth_use_nsswitch - Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to - Allow net_raw cap for neutron_t and send sigkill to dnsmasq - Fix ntp_filetrans_named_content for sntp-kod file - Add httpd_dbus_sssd boolean - Dontaudit exec insmod in boinc policy - Rename kerberos_keytab_domain to kerberos_keytab_domains - Add kerberos_keytab_domain() - Fix kerberos_keytab_template() - Make all domains which use kerberos as kerberos_keytab_domain Resolves:#1083670 - Allow kill capability to winbind_t- varnishd wants chown capability - update ntp_filetrans_named_content() interface - Add additional fixes for neutron_t. #1083335 - Dontaudit getattr on proc_kcore_t - Allow pki_tomcat_t to read ipa lib files - Allow named_filetrans_domain to create /var/cache/ibus with correct labelign - Allow init_t run /sbin/augenrules - Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces - Allow unpriv SELinux user to use sandbox - Add default label for /tmp/hsperfdata_root- Add file subs also for /var/home- Allow xauth_t to read user_home_dir_t lnk_file - Add labeling for lightdm-data - Allow certmonger to manage ipa lib files - Add support for /var/lib/ipa - Allow pegasus to getattr virt_content - Added some new rules to pcp policy - Allow chrome_sandbox to execute config_home_t - Add support for ABRT FAF- Allow kdm to send signull to remote_login_t process - Add gear policy - Turn on gear_port_t - Allow cgit to read gitosis lib files by default - Allow vdagent to read xdm state - Allow NM and fcoeadm to talk together over unix_dgram_socket- Back port fixes for pegasus_openlmi_admin_t from rawhide Resolves:#1080973 - Add labels for ostree - Add SELinux awareness for NM - Label /usr/sbin/pwhistory_helper as updpwd_exec_t- add gnome_append_home_config() - Allow thumb to append GNOME config home files - Allow rasdaemon to rw /dev/cpu//msr - fix /var/log/pki file spec - make bacula_t as auth_nsswitch domain - Identify pki_tomcat_cert_t as a cert_type - Define speech-dispater_exec_t as an application executable - Add a new file context for /var/named/chroot/run directory - update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removeable devices - Allow nsswitch_domains to stream connect to nmbd - Allow unprivusers to connect to memcached - label /var/lib/dirsrv/scripts-INSTANCE as bin_t- Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo Resolves:#1079250 - Add booleans to allow docker processes to use nfs and samba - Add mdadm_tmpfs support - Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t - Allow vmware-user-sui to use user ttys - Allow talk 2 users logged via console too - Allow ftp services to manage xferlog_t - Make all pcp domanis as unconfined for RHEL7.0 beucause of new policies - allow anaconda to dbus chat with systemd-localed- allow anaconda to dbus chat with systemd-localed - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - Add userdom_tmp_role for secadm_t- Add additional fixes for rtas_errd - Fix transitions for tmp/tmpfs in rtas.te - Allow rtas_errd to readl all sysctls- Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves- Allow docker containers to manage /var/lib/docker content- Allow docker to read tmpfs_t symlinks - Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets- Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets - Dontaudit leaks of sockets into chrome_sandbox_t - If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t - Run vmtools as unconfined domains - Allow snort to manage its log files - Allow systemd_cronjob_t to be entered via bin_t - Allow procman to list doveconf_etc_t - allow keyring daemon to create content in tmpfs directories - Add proper labelling for icedtea-web - vpnc is creating content in networkmanager var run directory - Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. - Allow net_admin cap for fence_virtd running as fenced_t - Make abrt-java-connector working - Make cimtest script 03_defineVS.py of ComputerSystem group working - Fix git_system_enable_homedirs boolean - Allow munin mail plugins to read network systcl- Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla - /var/lib/containers should be labeled as openshift content for now - Allow docker domains to talk to the login programs, to allow a process to login into the container - Allow install_t do dbus chat with NM - Fix interface names in anaconda.if - Add install_t for anaconda. A new type is a part of anaconda policy - sshd to read network sysctls- Allow zabbix to send system log msgs - Allow init_t to stream connect to ipsec Resolves:#1060775- Add docker_connect_any boolean- Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Allow pegasus_openlmi_storage_t to write lvm metadata - Add hide_broken_symptoms for kdumpgui because of systemd bug - Make kdumpgui_t as unconfined domain Resolves:#1044299 - Allow docker to connect to tcp/5000- Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Fix label on irclogs in the homedir - Allow kerberos_keytab_domain domains to manage keys until we get sssd fix - Allow postgresql to use ldap - Add missing syslog-conn port - Add support for /dev/vmcp and /dev/sclp Resolves:#1069310- Modify xdm_write_home to allow create files/links in /root with xdm_home_ - Allow virt domains to read network state Resolves:#1072019- Added pcp rules - dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6 - clean up ctdb.te - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow certmonger to list home dirs- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask - Add sysnet_filetrans_named_content_ifconfig() interface - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow kerberos keytab domains to manage sssd/userdomain keys" - Allow to run ip cmd in neutron_t domain- Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service - Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working - Add xserver_rw_xdm_keys() - Allow rpm_script_t to dbus chat also with systemd-located - Fix ipa_stream_connect_otpd() - update lpd_manage_spool() interface - Allow krb5kdc to stream connect to ipa-otpd - Add ipa_stream_connect_otpd() interface - Allow vpnc to unlink NM pids - Add networkmanager_delete_pid_files() - Allow munin plugins to access unconfined plugins - update abrt_filetrans_named_content to cover /var/spool/debug - Label /var/spool/debug as abrt_var_cache_t - Allow rhsmcertd to connect to squid port - Make docker_transition_unconfined as optional boolean - Allow certmonger to list home dirs- Make snapperd as unconfined domain and add additional fixes for it - Remove nsplugin.pp module on upgrade- Add snapperd_home_t for HOME_DIR/.snapshots directory - Make sosreport as unconfined domain - Allow sosreport to execute grub2-probe - Allow NM to manage hostname config file - Allow systemd_timedated_t to dbus chat with rpm_script_t - Allow lsmd plugins to connect to http/ssh/http_cache ports by default - Add lsmd_plugin_connect_any boolean - Allow mozilla_plugin to attempt to set capabilities - Allow lsdm_plugins to use tcp_socket - Dontaudit mozilla plugin from getattr on /proc or /sys - Dontaudit use of the keyring by the services in a sandbox - Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t - Allow rabbitmq_beam to connect to jabber_interserver_port - Allow logwatch_mail_t to transition to qmail_inject and queueu - Added new rules to pcp policy - Allow vmtools_helper_t to change role to system_r - Allow NM to dbus chat with vmtools - Fix couchdb_manage_files() to allow manage couchdb conf files - Add support for /var/run/redis.sock - dontaudit gpg trying to use audit - Allow consolekit to create log directories and files - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow pkcsslotd to read users state - Add ioctl to init_dontaudit_rw_stream_socket - Add systemd_hostnamed_manage_config() interface - Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - sddm-greater is a xdm type program- Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() interface - Allow confined users to run vmtools helpers - Fix userdom_common_user_template() - Generic systemd unit scripts do write check on / - Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files - Add additional fixes needed for init_t and setup script running in generic unit files - Allow general users to create packet_sockets - added connlcli port - Add init_manage_transient_unit() interface - Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t - Fix userdomain.te to require passwd class - devicekit_power sends out a signal to all processes on the message bus when power is going down - Dontaudit rendom domains listing /proc and hittping system_map_t - Dontauit leaks of var_t into ifconfig_t - Allow domains that transition to ssh_t to manipulate its keyring - Define oracleasm_t as a device node - Change to handle /root as a symbolic link for os-tree - Allow sysadm_t to create packet_socket, also move some rules to attributes - Add label for openvswitch port - Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. - Allow postfix_local to read .forward in pcp lib files - Allow pegasus_openlmi_storage_t to read lvm metadata - Add additional fixes for pegasus_openlmi_storage_t - Allow bumblebee to manage debugfs - Make bumblebee as unconfined domain - Allow snmp to read etc_aliases_t - Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem - Allow pegasus_openlmi_storage_t to read /proc/1/environ - Dontaudit read gconf files for cupsd_config_t - make vmtools as unconfined domain - Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. - Allow collectd_t to use a mysql database - Allow ipa-otpd to perform DNS name resolution - Added new policy for keepalived - Allow openlmi-service provider to manage transitient units and allow stream connect to sssd - Add additional fixes new pscs-lite+polkit support - Add labeling for /run/krb5kdc - Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 - Allow pcscd to read users proc info - Dontaudit smbd_t sending out random signuls - Add boolean to allow openshift domains to use nfs - Allow w3c_validator to create content in /tmp - zabbix_agent uses nsswitch - Allow procmail and dovecot to work together to deliver mail - Allow spamd to execute files in homedir if boolean turned on - Allow openvswitch to listen on port 6634 - Add net_admin capability in collectd policy - Fixed snapperd policy - Fixed bugsfor pcp policy - Allow dbus_system_domains to be started by init - Fixed some interfaces - Add kerberos_keytab_domain attribute - Fix snapperd_conf_t def- Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage /etc/sysconf/rhn director - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Make tuned_t as unconfined domain for RHEL7.0 - Allow ABRT to read puppet certs - Add sys_time capability for virt-ga - Allow gemu-ga to domtrans to hwclock_t - Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages - Fix some AVCs in pcp policy - Add to bacula capability setgid and setuid and allow to bind to bacula ports - Changed label from rhnsd_rw_conf_t to rhnsd_conf_t - Add access rhnsd and osad to /etc/sysconfig/rhn - drbdadm executes drbdmeta - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true - Allow init_t to manage pluto.ctl because of init_t instead of initrc_t - Allow systemd_tmpfiles_t to manage all non security files on the system - Added labels for bacula ports - Fix label on /dev/vfio/vfio - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi- Added osad policy - Allow postfix to deliver to procmail - Allow bumblebee to seng kill signal to xserver - Allow vmtools to execute /usr/bin/lsb_release - Allow docker to write system net ctrls - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix pcp.te - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl- Turn on bacula, rhnsd policy - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl - Fixes for *_admin interfaces - Add pegasus_openlmi_storage_var_run_t type def - Add support for /var/run/openlmi-storage - Allow tuned to create syslog.conf with correct labeling - Add httpd_dontaudit_search_dirs boolean - Add support for winbind.service - ALlow also fail2ban-client to read apache logs - Allow vmtools to getattr on all fs - Add support for dey_sapi port - Add logging_filetrans_named_conf() - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring- Update snapper policy - Allow domains to append rkhunter lib files - Allow snapperd to getattr on all fs - Allow xdm to create /var/gdm with correct labeling - Add label for snapper.log - Allow fail2ban-client to read apache log files - Allow thumb_t to execute dbus-daemon in thumb_t- Allow gdm to create /var/gdm with correct labeling - Allow domains to append rkhunterl lib files. #1057982 - Allow systemd_tmpfiles_t net_admin to communicate with journald - Add interface to getattr on an isid_type for any type of file - Update libs_filetrans_named_content() to have support for /usr/lib/debug directory - Allow initrc_t domtrans to authconfig if unconfined is enabled - Allow docker and mount on devpts chr_file - Allow docker to transition to unconfined_t if boolean set - init calling needs to be optional in domain.te - Allow uncofined domain types to handle transient unit files - Fix labeling for vfio devices - Allow net_admin capability and send system log msgs - Allow lldpad send dgram to NM - Add networkmanager_dgram_send() - rkhunter_var_lib_t is correct type - Back port pcp policy from rawhide - Allow openlmi-storage to read removable devices - Allow system cron jobs to manage rkhunter lib files - Add rkhunter_manage_lib_files() - Fix ftpd_use_fusefs boolean to allow manage also symlinks - Allow smbcontrob block_suspend cap2 - Allow slpd to read network and system state info - Allow NM domtrans to iscsid_t if iscsiadm is executed - Allow slapd to send a signal itself - Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA. - Fix plymouthd_create_log() interface - Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package - Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container - Allow postfix and cyrus-imapd to work out of box - Allow fcoemon to talk with unpriv user domain using unix_stream_socket - Dontaudit domains that are calling into journald to net_admin - Add rules to allow vmtools to do what it does - snapperd is D-Bus service - Allow OpenLMI PowerManagement to call 'systemctl --force reboot' - Add haproxy_connect_any boolean - Allow haproxy also to use http cache port by default Resolves:#1058248- Allow apache to write to the owncloud data directory in /var/www/html... - Allow consolekit to create log dir - Add support for icinga CGI scripts - Add support for icinga - Allow kdumpctl_t to create kdump lock file Resolves:#1055634 - Allow kdump to create lnk lock file - Allow nscd_t block_suspen capability - Allow unconfined domain types to manage own transient unit file - Allow systemd domains to handle transient init unit files - Add interfaces to handle transient- Add cron unconfined role support for uncofined SELinux user - Call corenet_udp_bind_all_ports() in milter.te - Allow fence_virtd to connect to zented port - Fix header for mirrormanager_admin() - Allow dkim-milter to bind udp ports - Allow milter domains to send signull itself - Allow block_suspend for yum running as mock_t - Allow beam.smp to manage couchdb files - Add couchdb_manage_files() - Add labeling for /var/log/php_errors.log - Allow bumblebee to stream connect to xserver - Allow bumblebee to send a signal to xserver - gnome-thumbnail to stream connect to bumblebee - Allow xkbcomp running as bumblebee_t to execute bin_t - Allow logrotate to read squid.conf - Additional rules to get docker and lxc to play well with SELinux - Allow bumbleed to connect to xserver port - Allow pegasus_openlmi_storage_t to read hwdata- Allow init_t to work on transitient and snapshot unit files - Add logging_manage_syslog_config() - Update sysnet_dns_name_resolve() to allow connect to dnssec por - Allow pegasus_openlmi_storage_t to read hwdata Resolves:#1031721 - Fix rhcs_rw_cluster_tmpfs() - Allow fenced_t to bind on zented udp port - Added policy for vmtools - Fix mirrormanager_read_lib_files() - Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files - Allow ctdb to create sock files in /var/run/ctdb - Add sblim_filetrans_named_content() interface - Allow rpm scritplets to create /run/gather with correct labeling - Allow gnome keyring domains to create gnome config dirs - Dontaudit read/write to init stream socket for lsmd_plugin_t - Allow automount to read nfs link files - Allow lsm plugins to read/write lsmd stream socket - Allow certmonger to connect ldap port to make IPA CA certificate renewal working. - Add also labeling for /var/run/ctdb - Add missing labeling for /var/lib/ctdb - ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446 - Dontaudit hypervkvp to search homedirs - Dontaudit hypervkvp to search admin homedirs - Allow hypervkvp to execute bin_t and ifconfig in the caller domain - Dontaudit xguest_t to read ABRT conf files - Add abrt_dontaudit_read_config() - Allow namespace-init to getattr on fs - Add thumb_role() also for xguest - Add filename transitions to create .spamassassin with correct labeling - Allow apache domain to read mirrormanager pid files - Allow domains to read/write shm and sem owned by mozilla_plugin_t - Allow alsactl to send a generic signal to kernel_t- Add back rpm_run() for unconfined user- Add missing files_create_var_lib_dirs() - Fix typo in ipsec.te - Allow passwd to create directory in /var/lib - Add filename trans also for event21 - Allow iptables command to read /dev/rand - Add sigkill capabilityfor ipsec_t - Add filename transitions for bcache devices - Add additional rules to create /var/log/cron by syslogd_t with correct labeling - Add give everyone full access to all key rings - Add default lvm_var_run_t label for /var/run/multipathd - Fix log labeling to have correct default label for them after logrotate - Labeled ~/.nv/GLCache as being gstreamer output - Allow nagios_system_plugin to read mrtg lib files - Add mrtg_read_lib_files() - Call rhcs_rw_cluster_tmpfs for dlm_controld - Make authconfing as named_filetrans domain - Allow virsh to connect to user process using stream socket - Allow rtas_errd to read rand/urand devices and add chown capability - Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp Resolves:#1051497 - Add also chown cap for abrt_upload_watch_t. It already has dac_override - Allow sosreport to manage rhsmcertd pid files - Add rhsmcertd_manage_pid_files() - Allow also setgid cap for rpc.gssd - Dontaudit access check for abrt on cert_t - Allow pegasus_openlmi_system providers to dbus chat with systemd-logind- Fix semanage import handling in spec file- Add default lvm_var_run_t label for /var/run/multipathd Resolves:#1051430 - Fix log labeling to have correct default label for them after logrotate - Add files_write_root_dirs - Add new openflow port label for 6653/tcp and 6633/tcp - Add xserver_manage_xkb_libs() - Label tcp/8891 as milter por - Allow gnome_manage_generic_cache_files also create cache_home_t files - Fix aide.log labeling - Fix log labeling to have correct default label for them after logrotate - Allow mysqld-safe write access on /root to make mysqld working - Allow sosreport domtrans to prelikn - Allow OpenvSwitch to connec to openflow ports - Allow NM send dgram to lldpad - Allow hyperv domains to execute shell - Allow lsmd plugins stream connect to lsmd/init - Allow sblim domains to create /run/gather with correct labeling - Allow httpd to read ldap certs - Allow cupsd to send dbus msgs to process with different MLS level - Allow bumblebee to stream connect to apmd - Allow bumblebee to run xkbcomp - Additional allow rules to get libvirt-lxc containers working with docker - Additional allow rules to get libvirt-lxc containers working with docker - Allow docker to getattr on itself - Additional rules needed for sandbox apps - Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled - httpd should be able to send signal/signull to httpd_suexec_t - Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain.- Add neutron fixes- Allow sshd to write to all process levels in order to change passwd when running at a level - Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range - Allow apcuspd_t to status and start the power unit file - Allow udev to manage kdump unit file - Added new interface modutils_dontaudit_exec_insmod - Allow cobbler to search dhcp_etc_t directory - systemd_systemctl needs sys_admin capability - Allow sytemd_tmpfiles_t to delete all directories - passwd to create gnome-keyring passwd socket - Add missing zabbix_var_lib_t type - Fix filename trans for zabbixsrv in zabbix.te - Allow fprintd_t to send syslog messages - Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port - Allow mozilla plugin to chat with policykit, needed for spice - Allow gssprozy to change user and gid, as well as read user keyrings - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly - Allow polipo to connect to http_cache_ports - Allow cron jobs to manage apache var lib content - Allow yppassword to manage the passwd_file_t - Allow showall_t to send itself signals - Allow cobbler to restart dhcpc, dnsmasq and bind services - Allow certmonger to manage home cert files - Add userdom filename trans for user mail domains - Allow apcuspd_t to status and start the power unit file - Allow cgroupdrulesengd to create content in cgoups directories - Allow smbd_t to signull cluster - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t - Add label for /var/spool/cron.aquota.user - Allow sandbox_x domains to use work with the mozilla plugin semaphore - Added new policy for speech-dispatcher - Added dontaudit rule for insmod_exec_t in rasdaemon policy - Updated rasdaemon policy - Allow system_mail_t to transition to postfix_postdrop_t - Clean up mirrormanager policy - Allow virt_domains to read cert files, needs backport to RHEL7 - Allow sssd to read systemd_login_var_run_t - Allow irc_t to execute shell and bin-t files: - Add new access for mythtv - Allow rsync_t to manage all non auth files - allow modemmanger to read /dev/urand - Allow sandbox apps to attempt to set and get capabilties- Add labeling for /var/lib/servicelog/servicelog.db-journal - Add support for freeipmi port - Add sysadm_u_default_contexts - Make new type to texlive files in homedir - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Additional fixes for docker.te - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libivrt - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Fix typo in docker.te - Allow amanda to do backups over UDP - Allow bumblebee to read /etc/group and clean up bumblebee.te - type transitions with a filename not allowed inside conditionals - Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 - Make new type to texlive files in homedir- Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template() - Allow journalctl running as ABRT to read /run/log/journal - Allow NM to read dispatcher.d directory - Update freeipmi policy - Type transitions with a filename not allowed inside conditionals - Allow tor to bind to hplip port - Make new type to texlive files in homedir - Allow zabbix_agent to transition to dmidecode - Add rules for docker - Allow sosreport to send signull to unconfined_t - Add virt_noatsecure and virt_rlimitinh interfaces - Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port - Add sysadm_u_default_contexts - Add logging_read_syslog_pid() - Fix userdom_manage_home_texlive() interface - Make new type to texlive files in homedir - Add filename transitions for /run and /lock links - Allow virtd to inherit rlimit information Resolves:#975358- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t Resolves:#1039879 - Add labeling for /usr/lib/systemd/system/mariadb.service - Allow hyperv_domain to read sysfs - Fix ldap_read_certs() interface to allow acess also link files - Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt - Allow tuned to run modprobe - Allow portreserve to search /var/lib/sss dir - Add SELinux support for the teamd package contains team network device control daemon. - Dontaudit access check on /proc for bumblebee - Bumblebee wants to load nvidia modules - Fix rpm_named_filetrans_log_files and wine.te - Add conman policy for rawhide - DRM master and input event devices are used by the TakeDevice API - Clean up bumblebee policy - Update pegasus_openlmi_storage_t policy - Add freeipmi_stream_connect() interface - Allow logwatch read madm.conf to support RAID setup - Add raid_read_conf_files() interface - Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling - add rpm_named_filetrans_log_files() interface - Allow dkim-milter to create files/dirs in /tmp - update freeipmi policy - Add policy for freeipmi services - Added rdisc_admin and rdisc_systemctl interfaces - opensm policy clean up - openwsman policy clean up - ninfod policy clean up - Added new policy for ninfod - Added new policy for openwsman - Added rdisc_admin and rdisc_systemctl interfaces - Fix kernel_dontaudit_access_check_proc() - Add support for /dev/uhid - Allow sulogin to get the attributes of initctl and sys_admin cap - Add kernel_dontaudit_access_check_proc() - Fix dev_rw_ipmi_dev() - Fix new interface in devices.if - DRM master and input event devices are used by the TakeDevice API - add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() - Added support for default conman port - Add interfaces for ipmi devices- Allow sosreport to send a signal to ABRT - Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t - Label /usr/sbin/htcacheclean as httpd_exec_t Resolves:#1037529 - Added support for rdisc unit file - Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs - Allow runuser running as logrotate connections to system DBUS - Label bcache devices as fixed_disk_device_t - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service - Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t- Add back setpgid/setsched for sosreport_t- Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com)- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel. - Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on - Add lsmd_plugin_t for lsm plugins - Allow dovecot-deliver to search mountpoints - Add labeling for /etc/mdadm.conf - Allow opelmi admin providers to dbus chat with init_t - Allow sblim domain to read /dev/urandom and /dev/random - Allow apmd to request the kernel load modules - Add glusterd_brick_t type - label mate-keyring-daemon with gkeyringd_exec_t - Add plymouthd_create_log() - Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 - Allow sssd to request the kernel loads modules - Allow gpg_agent to use ssh-add - Allow gpg_agent to use ssh-add - Dontaudit access check on /root for myslqd_safe_t - Allow ctdb to getattr on al filesystems - Allow abrt to stream connect to syslog - Allow dnsmasq to list dnsmasq.d directory - Watchdog opens the raw socket - Allow watchdog to read network state info - Dontaudit access check on lvm lock dir - Allow sosreport to send signull to setroubleshootd - Add setroubleshoot_signull() interface - Fix ldap_read_certs() interface - Allow sosreport all signal perms - Allow sosreport to run systemctl - Allow sosreport to dbus chat with rpm - Add glusterd_brick_t files type - Allow zabbix_agentd to read all domain state - Clean up rtas.if - Allow smoltclient to execute ldconfig - Allow sosreport to request the kernel to load a module - Fix userdom_confined_admin_template() - Add back exec_content boolean for secadm, logadm, auditadm - Fix files_filetrans_system_db_named_files() interface - Allow sulogin to getattr on /proc/kcore - Add filename transition also for servicelog.db-journal - Add files_dontaudit_access_check_root() - Add lvm_dontaudit_access_check_lock() interface- Allow watchdog to read /etc/passwd - Allow browser plugins to connect to bumblebee - New policy for bumblebee and freqset - Add new policy for mip6d daemon - Add new policy for opensm daemon - Allow condor domains to read/write condor_master udp_socket - Allow openshift_cron_t to append to openshift log files, label /var/log/openshift - Add back file_pid_filetrans for /var/run/dlm_controld - Allow smbd_t to use inherited tmpfs content - Allow mcelog to use the /dev/cpu device - sosreport runs rpcinfo - sosreport runs subscription-manager - Allow staff_t to run frequency command - Allow systemd_tmpfiles to relabel log directories - Allow staff_t to read xserver_log file - Label hsperfdata_root as tmp_t- More sosreport fixes to make ABRT working- Fix files_dontaudit_unmount_all_mountpoints() - Add support for 2608-2609 tcp/udp ports - Should allow domains to lock the terminal device - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - We need to require passwd rootok - Fix zebra.fc - Fix dnsmasq_filetrans_named_content() interface - Allow all sandbox domains create content in svirt_home_t - Allow zebra domains also create zebra_tmp_t files in /tmp - Add support for new zebra services:isisd,babeld. Add systemd support for zebra services. - Fix labeling on neutron and remove transition to iconfig_t - abrt needs to read mcelog log file - Fix labeling on dnsmasq content - Fix labeling on /etc/dnsmasq.d - Allow glusterd to relabel own lib files - Allow sandbox domains to use pam_rootok, and dontaudit attempts to unmount file systems, this is caused by a bug in systemd - Allow ipc_lock for abrt to run journalctl- Fix config.tgz- Fix passenger_stream_connect interface - setroubleshoot_fixit wants to read network state - Allow procmail_t to connect to dovecot stream sockets - Allow cimprovagt service providers to read network states - Add labeling for /var/run/mariadb - pwauth uses lastlog() to update system's lastlog - Allow account provider to read login records - Add support for texlive2013 - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - Allow passwd_t to connect to gnome keyring to change password - Update mls config files to have cronjobs in the user domains - Remove access checks that systemd does not actually do- Add support for yubikey in homedir - Add support for upd/3052 port - Allow apcupsd to use PowerChute Network Shutdown - Allow lsmd to execute various lsmplugins - Add labeling also for /etc/watchdog\.d where are watchdog scripts located too - Update gluster_export_all_rw boolean to allow relabel all base file types - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling- Add files_relabel_base_file_types() interface - Allow netlabel-config to read passwd - update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr() - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling - Allow pegasus to domtrans to mount_t - Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts - Add support for unconfined watchdog scripts - Allow watchdog to manage own log files- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory. - Label /etc/yum.repos.d as system_conf_t - Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t - Allow dac_override for sysadm_screen_t - Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. - Allow netlabel-config to read meminfo - Add interface to allow docker to mounton file_t - Add new interface to exec unlabeled files - Allow lvm to use docker semaphores - Setup transitons for .xsessions-errors.old - Change labels of files in /var/lib/*/.ssh to transition properly - Allow staff_t and user_t to look at logs using journalctl - pluto wants to manage own log file - Allow pluto running as ipsec_t to create pluto.log - Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Allow dmidecode to read/write /run/lock/subsys/rhsmcertd - Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. - Additional access for docker - Added more rules to sblim policy - Fix kdumpgui_run_bootloader boolean - Allow dspam to connect to lmtp port - Included sfcbd service into sblim policy - rhsmcertd wants to manaage /etc/pki/consumer dir - Add kdumpgui_run_bootloader boolean - Add support for /var/cache/watchdog - Remove virt_domain attribute for virt_qemu_ga_unconfined_t - Fixes for handling libvirt containes - Dontaudit attempts by mysql_safe to write content into / - Dontaudit attempts by system_mail to modify network config - Allow dspam to bind to lmtp ports - Add new policy to allow staff_t and user_t to look at logs using journalctl - Allow apache cgi scripts to list sysfs - Dontaudit attempts to write/delete user_tmp_t files - Allow all antivirus domains to manage also own log dirs - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Add missing permission checks for nscd- Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Add file transition rules for content created by f5link - Rename quantum_port information to neutron - Allow all antivirus domains to manage also own log dirs - Rename quantum_port information to neutron - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Allow sysadm_t to read login information - Allow systemd_tmpfiles to setattr on var_log_t directories - Udpdate Makefile to include systemd_contexts - Add systemd_contexts - Add fs_exec_hugetlbfs_files() interface - Add daemons_enable_cluster_mode boolean - Fix rsync_filetrans_named_content() - Add rhcs_read_cluster_pid_files() interface - Update rhcs.if with additional interfaces from RHEL6 - Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t - Allow glusterd_t to mounton glusterd_tmp_t - Allow glusterd to unmout al filesystems - Allow xenstored to read virt config - Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label - Allow mozilla_plugin_t to mmap hugepages as an executable- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp- Allow sshd_t to read openshift content, needs backport to RHEL6.5 - Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t - Make sur kdump lock is created with correct label if kdumpctl is executed - gnome interface calls should always be made within an optional_block - Allow syslogd_t to connect to the syslog_tls port - Add labeling for /var/run/charon.ctl socket - Add kdump_filetrans_named_content() - Allo setpgid for fenced_t - Allow setpgid and r/w cluster tmpfs for fenced_t - gnome calls should always be within optional blocks - wicd.pid should be labeled as networkmanager_var_run_t - Allow sys_resource for lldpad- Add rtas policy- Allow mailserver_domains to manage and transition to mailman data - Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands - Allow mailserver_domains to manage and transition to mailman data - Allow svirt_domains to read sysctl_net_t - Allow thumb_t to use tmpfs inherited from the user - Allow mozilla_plugin to bind to the vnc port if running with spice - Add new attribute to discover confined_admins and assign confined admin to it - Fix zabbix to handle attributes in interfaces - Fix zabbix to read system states for all zabbix domains - Fix piranha_domain_template() - Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. - Allow lldpad sys_rouserce cap due to #986870 - Allow dovecot-auth to read nologin - Allow openlmi-networking to read /proc/net/dev - Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t - Add zabbix_domain attribute for zabbix domains to treat them together - Add labels for zabbix-poxy-* (#1018221) - Update openlmi-storage policy to reflect #1015067 - Back port piranha tmpfs fixes from RHEL6 - Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop - Add postfix_rw_spool_maildrop_files interface - Call new userdom_admin_user_templat() also for sysadm_secadm.pp - Fix typo in userdom_admin_user_template() - Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey - Add new attribute to discover confined_admins - Fix labeling for /etc/strongswan/ipsec.d - systemd_logind seems to pass fd to anyone who dbus communicates with it - Dontaudit leaked write descriptor to dmesg- Activate motion policy- Fix gnome_read_generic_data_home_files() - allow openshift_cgroup_t to read/write inherited openshift file types - Remove httpd_cobbler_content * from cobbler_admin interface - Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container - Allow httpd_t to read also git sys content symlinks - Allow init_t to read gnome home data - Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it. - Allow virsh to execute systemctl - Fix for nagios_services plugins - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - Fix hypervkvp.te - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Fix logging policy - Allow syslog to bind to tls ports - Update labeling for /dev/cdc-wdm - Allow to su_domain to read init states - Allow init_t to read gnome home data - Make sure if systemd_logind creates nologin file with the correct label - Clean up ipsec.te- Add auth_exec_chkpwd interface - Fix port definition for ctdb ports - Allow systemd domains to read /dev/urand - Dontaudit attempts for mozilla_plugin to append to /dev/random - Add label for /var/run/charon.* - Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service - Fix for nagios_services plugins - Fix some bugs in zoneminder policy - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - glusterd binds to random unreserved ports - Additional allow rules found by testing glusterfs - apcupsd needs to send a message to all users on the system so needs to look them up - Fix the label on ~/.juniper_networks - Dontaudit attempts for mozilla_plugin to append to /dev/random - Allow polipo_daemon to connect to flash ports - Allow gssproxy_t to create replay caches - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type- init reload from systemd_localed_t - Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd - Allow systemd_localed_t to ask systemd to reload the locale. - Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory - Allow readahead to read /dev/urand - Fix lots of avcs about tuned - Any file names xenstored in /var/log should be treated as xenstored_var_log_t - Allow tuned to inderact with hugepages - Allow condor domains to list etc rw dirs- Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Add additional fixes forpegasus_openlmi_account_t - Allow mdadm to read /dev/urand - Allow pegasus_openlmi_storage_t to create mdadm.conf and write it - Add label/rules for /etc/mdadm.conf - Allow pegasus_openlmi_storage_t to transition to fsadm_t - Fixes for interface definition problems - Dontaudit dovecot-deliver to gettatr on all fs dirs - Allow domains to search data_home_t directories - Allow cobblerd to connect to mysql - Allow mdadm to r/w kdump lock files - Add support for kdump lock files - Label zarafa-search as zarafa-indexer - Openshift cgroup wants to read /etc/passwd - Add new sandbox domains for kvm - Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on - Fix labeling for /usr/lib/systemd/system/lvm2.* - Add labeling for /usr/lib/systemd/system/lvm2.* - Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules - Add sshd_keygen_t policy for sshd-keygen - Fix alsa_home_filetrans interface name and definition - Allow chown for ssh_keygen_t - Add fs_dontaudit_getattr_all_dirs() - Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys - Fix up patch to allow systemd to manage home content - Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled - Allow getty to exec hostname to get info - Add systemd_home_t for ~/.local/share/systemd directory- Fix lxc labels in config.tgz- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper - Allow tuned to search all file system directories - Allow alsa_t to sys_nice, to get top performance for sound management - Add support for MySQL/PostgreSQL for amavis - Allow openvpn_t to manage openvpn_var_log_t files. - Allow dirsrv_t to create tmpfs_t directories - Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label - Dontaudit leaked unix_stream_sockets into gnome keyring - Allow telepathy domains to inhibit pipes on telepathy domains - Allow cloud-init to domtrans to rpm - Allow abrt daemon to manage abrt-watch tmp files - Allow abrt-upload-watcher to search /var/spool directory - Allow nsswitch domains to manage own process key - Fix labeling for mgetty.* logs - Allow systemd to dbus chat with upower - Allow ipsec to send signull to itself - Allow setgid cap for ipsec_t - Match upstream labeling- Do not build sanbox pkg on MLS- wine_tmp is no longer needed - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind - Fix handling of fifo files of rpm - Allow mozilla_plugin to transition to itself - Allow certwatch to write to cert_t directories - New abrt application - Allow NetworkManager to set the kernel scheduler - Make wine_domain shared by all wine domains - Allow mdadm_t to read images labeled svirt_image_t - Allow amanda to read /dev/urand - ALlow my_print_default to read /dev/urand - Allow mdadm to write to kdumpctl fifo files - Allow nslcd to send signull to itself - Allow yppasswd to read /dev/urandom - Fix zarafa_setrlimit - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add additional alias for user_tmp_t because wine_tmp_t is no longer used - More handling of ther kernel keyring required by kerberos - New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed- Dontaudit attempts by sosreport to read shadow_t - Allow browser sandbox plugins to connect to cups to print - Add new label mpd_home_t - Label /srv/www/logs as httpd_log_t - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add labels for apache logs under miq package - Allow irc_t to use tcp sockets - fix labels in puppet.if - Allow tcsd to read utmp file - Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys - Define svirt_socket_t as a domain_type - Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t - Fix label on pam_krb5 helper apps- Allow ldconfig to write to kdumpctl fifo files - allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks- Allow block_suspend cap for samba-net - Allow t-mission-control to manage gabble cache files - Allow nslcd to read /sys/devices/system/cpu - Allow selinux_store to use symlinks- Allow xdm_t to transition to itself - Call neutron interfaces instead of quantum - Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t - Make sure directories in /run get created with the correct label - Make sure /root/.pki gets created with the right label - try to remove labeling for motion from zoneminder_exec_t to bin_t - Allow inetd_t to execute shell scripts - Allow cloud-init to read all domainstate - Fix to use quantum port - Add interface netowrkmanager_initrc_domtrans - Fix boinc_execmem - Allow t-mission-control to read gabble cache home - Add labeling for ~/.cache/telepathy/avatars/gabble - Allow memcache to read sysfs data - Cleanup antivirus policy and add additional fixes - Add boolean boinc_enable_execstack - Add support for couchdb in rabbitmq policy - Add interface couchdb_search_pid_dirs - Allow firewalld to read NM state - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files()- Split out rlogin ports from inetd - Treat files labeld as usr_t like bin_t when it comes to transitions - Allow staff_t to read login config - Allow ipsec_t to read .google authenticator data - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files() - Call the correct interface - corenet_udp_bind_ktalkd_port() - Allow all domains that can read gnome_config to read kde config - Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work - Allow mdadm to getattr any file system - Allow a confined domain to executes mozilla_exec_t via dbus - Allow cupsd_lpd_t to bind to the printer port - Dontaudit attempts to bind to ports < 1024 when nis is turned on - Allow apache domain to connect to gssproxy socket - Allow rlogind to bind to the rlogin_port - Allow telnetd to bind to the telnetd_port - Allow ktalkd to bind to the ktalkd_port - Allow cvs to bind to the cvs_port- Cleanup related to init_domain()+inetd_domain fixes - Use just init_domain instead of init_daemon_domain in inetd_core_service_domain - svirt domains neeed to create kobject_uevint_sockets - Lots of new access required for sosreport - Allow tgtd_t to connect to isns ports - Allow init_t to transition to all inetd domains: - openct needs to be able to create netlink_object_uevent_sockets - Dontaudit leaks into ldconfig_t - Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls - Move kernel_stream_connect into all Xwindow using users - Dontaudit inherited lock files in ifconfig o dhcpc_t- Also sock_file trans rule is needed in lsm - Fix labeling for fetchmail pid files/dirs - Add additional fixes for abrt-upload-watch - Fix polipo.te - Fix transition rules in asterisk policy - Add fowner capability to networkmanager policy - Allow polipo to connect to tor ports - Cleanup lsmd.if - Cleanup openhpid policy - Fix kdump_read_crash() interface - Make more domains as init domain - Fix cupsd.te - Fix requires in rpm_rw_script_inherited_pipes - Fix interfaces in lsm.if - Allow munin service plugins to manage own tmpfs files/dirs - Allow virtd_t also relabel unix stream sockets for virt_image_type - Make ktalk as init domain - Fix to define ktalkd_unit_file_t correctly - Fix ktalk.fc - Add systemd support for talk-server - Allow glusterd to create sock_file in /run - Allow xdm_t to delete gkeyringd_tmp_t files on logout - Add fixes for hypervkvp policy - Add logwatch_can_sendmail boolean - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb - Allow xdm_t to delete gkeyringd_tmp_t files on logout- Add selinux-policy-sandbox pkg0 - Allow rhsmcertd to read init state - Allow fsetid for pkcsslotd - Fix labeling for /usr/lib/systemd/system/pkcsslotd.service - Allow fetchmail to create own pid with correct labeling - Fix rhcs_domain_template() - Allow roles which can run mock to read mock lib files to view results - Allow rpcbind to use nsswitch - Fix lsm.if summary - Fix collectd_t can read /etc/passwd file - Label systemd unit files under dracut correctly - Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh - Add support for .Xauthority-n - Label umount.crypt as lvm_exec_t - Allow syslogd to search psad lib files - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files- Add policy for lsmd - Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory - Update condor_master rules to allow read system state info and allow logging - Add labeling for /etc/condor and allow condor domain to write it (bug) - Allow condor domains to manage own logs - Allow glusterd to read domains state - Fix initial hypervkvp policy - Add policy for hypervkvpd - Fix redis.if summary- Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984 - Allow named to manage own log files - Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t - Add virt_transition_userdomain boolean decl - Allow httpd_t to sendto unix_dgram sockets on its children - Allow nova domains to execute ifconfig - bluetooth wants to create fifo_files in /tmp - exim needs to be able to manage mailman data - Allow sysstat to getattr on all file systems - Looks like bluetoothd has moved - Allow collectd to send ping packets - Allow svirt_lxc domains to getpgid - Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff - Allow frpintd_t to read /dev/urandom - Allow asterisk_t to create sock_file in /var/run - Allow usbmuxd to use netlink_kobject - sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket - More cleanup of svirt_lxc policy - virtd_lxc_t now talks to dbus - Dontaudit leaked ptmx_t - Allow processes to use inherited fifo files - Allow openvpn_t to connect to squid ports - Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files - Allow user roles to connect to the journal socket- selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak - Allow xdm_t to create symlinks in log direcotries - Allow login programs to read afs config - Label 10933 as a pop port, for dovecot - New policy to allow selinux_server.py to run as semanage_t as a dbus service - Add fixes to make netlabelctl working on MLS - AVCs required for running sepolicy gui as staff_t - Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC - New dbus server to be used with new gui - After modifying some files in /etc/mail, I saw this needed on the next boot - Loading a vm from /usr/tmp with virt-manager - Clean up oracleasm policy for Fedora - Add oracleasm policy written by rlopez@redhat.com - Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache - Add label for /var/crash - Allow fenced to domtrans to sanclok_t - Allow nagios to manage nagios spool files - Make tfptd as home_manager - Allow kdump to read kcore on MLS system - Allow mysqld-safe sys_nice/sys_resource caps - Allow apache to search automount tmp dirs if http_use_nfs is enabled - Allow crond to transition to named_t, for use with unbound - Allow crond to look at named_conf_t, for unbound - Allow mozilla_plugin_t to transition its home content - Allow dovecot_domain to read all system and network state - Allow httpd_user_script_t to call getpw - Allow semanage to read pid files - Dontaudit leaked file descriptors from user domain into thumb - Make PAM authentication working if it is enabled in ejabberd - Add fixes for rabbit to fix ##992920,#992931 - Allow glusterd to mount filesystems - Loading a vm from /usr/tmp with virt-manager - Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device - Add fix for pand service - shorewall touches own log - Allow nrpe to list /var - Mozilla_plugin_roles can not be passed into lpd_run_lpr - Allow afs domains to read afs_config files - Allow login programs to read afs config - Allow virt_domain to read virt_var_run_t symlinks - Allow smokeping to send its process signals - Allow fetchmail to setuid - Add kdump_manage_crash() interface - Allow abrt domain to write abrt.socket- Add more aliases in pegasus.te - Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi provides. Fix naming and support for additionals - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec- Allow xdm_t to act as a dbus client to itsel - Allow fetchmail to resolve host names - Allow gnupg apps to write to pcscd socket - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te -httpd_t does access_check on certs- Add support for cmpiLMI_Service-cimprovagt - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t - Label pycmpiLMI_Software-cimprovagt as rpm_exec_t - Add support for pycmpiLMI_Storage-cimprovagt - Add support for cmpiLMI_Networking-cimprovagt - Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working - Allow virtual machines and containers to run as user doains, needed for virt-sandbox - Allow buglist.cgi to read cpu info- Allow systemd-tmpfile to handle tmp content in print spool dir - Allow systemd-sysctl to send system log messages - Add support for RTP media ports and fmpro-internal - Make auditd working if audit is configured to perform SINGLE action on disk error - Add interfaces to handle systemd units - Make systemd-notify working if pcsd is used - Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t - Instead of having all unconfined domains get all of the named transition rules, - Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. - Add definition for the salt ports - Allow xdm_t to create link files in xdm_var_run_t - Dontaudit reads of blk files or chr files leaked into ldconfig_t - Allow sys_chroot for useradd_t - Allow net_raw cap for ipsec_t - Allow sysadm_t to reload services - Add additional fixes to make strongswan working with a simple conf - Allow sysadm_t to enable/disable init_t services - Add additional glusterd perms - Allow apache to read lnk files in the /mnt directory - Allow glusterd to ask the kernel to load a module - Fix description of ftpd_use_fusefs boolean - Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t - Allow glusterds to request load a kernel module - Allow boinc to stream connect to xserver_t - Allow sblim domains to read /etc/passwd - Allow mdadm to read usb devices - Allow collectd to use ping plugin - Make foghorn working with SNMP - Allow sssd to read ldap certs - Allow haproxy to connect to RTP media ports - Add additional trans rules for aide_db - Add labeling for /usr/lib/pcsd/pcsd - Add labeling for /var/log/pcsd - Add support for pcs which is a corosync and pacemaker configuration tool- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1 - Allow all domains that can domtrans to shutdown, to start the power services script to shutdown - consolekit needs to be able to shut down system - Move around interfaces - Remove nfsd_rw_t and nfsd_ro_t, they don't do anything - Add additional fixes for rabbitmq_beam to allow getattr on mountpoints - Allow gconf-defaults-m to read /etc/passwd - Fix pki_rw_tomcat_cert() interface to support lnk_files- Add support for gluster ports - Make sure that all keys located in /etc/ssh/ are labeled correctly - Make sure apcuspd lock files get created with the correct label - Use getcap in gluster.te - Fix gluster policy - add additional fixes to allow beam.smp to interact with couchdb files - Additional fix for #974149 - Allow gluster to user gluster ports - Allow glusterd to transition to rpcd_t and add additional fixes for #980683 - Allow tgtd working when accessing to the passthrough device - Fix labeling for mdadm unit files- Add mdadm fixes- Fix definition of sandbox.disabled to sandbox.pp.disabled- Allow mdamd to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd pid content- Allow nsd_t to read /dev/urand - Allow mdadm_t to read framebuffer - Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t - Allow mozilla_plugin_config_t to create tmp files - Cleanup openvswitch policy - Allow mozilla plugin to getattr on all executables - Allow l2tpd_t to create fifo_files in /var/run - Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory - Allow mdadm to connecto its own unix_stream_socket - FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now. - Allow apache to access smokeping pid files - Allow rabbitmq_beam_t to getattr on all filesystems - Add systemd support for iodined - Allow nup_upsdrvctl_t to execute its entrypoint - Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch - add labeling for ~/.cache/libvirt-sandbox - Add interface to allow domains transitioned to by confined users to send sigchld to screen program - Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab - Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service - Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs. - Allow staff to getsched all domains, required to run htop - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Add prosody policy written by Michael Scherer - Allow nagios plugins to read /sys info - ntpd needs to manage own log files - Add support for HOME_DIR/.IBMERS - Allow iptables commands to read firewalld config - Allow consolekit_t to read utmp - Fix filename transitions on .razor directory - Add additional fixes to make DSPAM with LDA working - Allow snort to read /etc/passwd - Allow fail2ban to communicate with firewalld over dbus - Dontaudit openshift_cgreoup_file_t read/write leaked dev - Allow nfsd to use mountd port - Call th proper interface - Allow openvswitch to read sys and execute plymouth - Allow tmpwatch to read /var/spool/cups/tmp - Add support for /usr/libexec/telepathy-rakia - Add systemd support for zoneminder - Allow mysql to create files/directories under /var/log/mysql - Allow zoneminder apache scripts to rw zoneminder tmpfs - Allow httpd to manage zoneminder lib files - Add zoneminder_run_sudo boolean to allow to start zoneminder - Allow zoneminder to send mails - gssproxy_t sock_file can be under /var/lib - Allow web domains to connect to whois port. - Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. - We really need to add an interface to corenet to define what a web_client_domain is and - then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain. - Add labeling for cmpiLMI_LogicalFile-cimprovagt - Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules - Update policy rules for pegasus_openlmi_logicalfile_t - Add initial types for logicalfile/unconfined OpenLMI providers - mailmanctl needs to read own log - Allow logwatch manage own lock files - Allow nrpe to read meminfo - Allow httpd to read certs located in pki-ca - Add pki_read_tomcat_cert() interface - Add support for nagios openshift plugins - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. - Allow bootloader to manage generic log files - Allow ftp to bind to port 989 - Fix label of new gear directory - Add support for new directory /var/lib/openshift/gears/ - Add openshift_manage_lib_dirs() - allow virtd domains to manage setrans_var_run_t - Allow useradd to manage all openshift content - Add support so that mozilla_plugin_t can use dri devices - Allow chronyd to change the scheduler - Allow apmd to shut downthe system - Devicekit_disk_t needs to manage /etc/fstab- Make DSPAM to act as a LDA working - Allow ntop to create netlink socket - Allow policykit to send a signal to policykit-auth - Allow stapserver to dbus chat with avahi/systemd-logind - Fix labeling on haproxy unit file - Clean up haproxy policy - A new policy for haproxy and placed it to rhcs.te - Add support for ldirectord and treat it with cluster_t - Make sure anaconda log dir is created with var_log_t- Allow lvm_t to create default targets for filesystem handling - Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys for example) - Allow cobbler to execute apache with domain transition- condor_collector uses tcp/9000 - Label /usr/sbin/virtlockd as virtd_exec_t for now - Allow cobbler to execute ldconfig - Allow NM to execute ssh - Allow mdadm to read /dev/crash - Allow antivirus domains to connect to snmp port - Make amavisd-snmp working correctly - Allow nfsd_t to mounton nfsd_fs_t - Add initial snapper policy - We still need to have consolekit policy - Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow dirsrv to read network state - Fix pki_read_tomcat_lib_files - Add labeling for /usr/libexec/nm-ssh-service - Add label cert_t for /var/lib/ipa/pki-ca/publish - Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant - Allow nfsd_t to mounton nfsd_fs_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow passwd_t to change role to system_r from unconfined_r- Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices - Add labeling for new polcykit authorizor - Dontaudit access checks from fail2ban_client - Don't audit access checks by sandbox xserver on xdb var_lib - Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream - Fix labeling for all /usr/bim/razor-lightdm-* binaries - Add filename trans for /dev/md126p1- Make vdagent able to request loading kernel module - Add support for cloud-init make it as unconfined domain - Allow snmpd to run smartctl in fsadm_t domain - remove duplicate openshift_search_lib() interface - Allow mysqld to search openshift lib files - Allow openshift cgroup to interact with passedin file descriptors - Allow colord to list directories inthe users homedir - aide executes prelink to check files - Make sure cupsd_t creates content in /etc/cups with the correct label - Lest dontaudit apache read all domains, so passenger will not cause this avc - Allow gssd to connect to gssproxy - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS - Allow systemd-tmpfiles to relabel also lock files - Allow useradd to add homdir in /var/lib/openshift - Allow setfiles and semanage to write output to /run/files- Add labeling for /dev/tgt - Dontaudit leak fd from firewalld for modprobe - Allow runuser running as rpm_script_t to create netlink_audit socket - Allow mdadm to read BIOS non-volatile RAM- accountservice watches when accounts come and go in wtmp - /usr/java/jre1.7.0_21/bin/java needs to create netlink socket - Add httpd_use_sasl boolean - Allow net_admin for tuned_t - iscsid needs sys_module to auto-load kernel modules - Allow blueman to read bluetooth conf - Add nova_manage_lib_files() interface - Fix mplayer_filetrans_home_content() - Add mplayer_filetrans_home_content() - mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t - Revert "Allow thumb_t to append inherited xdm stream socket" - Add iscsi_filetrans_named_content() interface - Allow to create .mplayer with the correct labeling for unconfined - Allow iscsiadmin to create lock file with the correct labeling- Allow wine to manage wine home content - Make amanda working with socket actiovation - Add labeling for /usr/sbin/iscsiadm - Add support for /var/run/gssproxy.sock - dnsmasq_t needs to read sysctl_net_t- Fix courier_domain_template() interface - Allow blueman to write ip_forward - Allow mongodb to connect to mongodb port - Allow mongodb to connect to mongodb port - Allow java to bind jobss_debug port - Fixes for *_admin interfaces - Allow iscsid auto-load kernel modules needed for proper iSCSI functionality - Need to assign attribute for courier_domain to all courier_domains - Fail2ban reads /etc/passwd - postfix_virtual will create new files in postfix_spool_t - abrt triggers sys_ptrace by running pidof - Label ~/abc as mozilla_home_t, since java apps as plugin want to create it - Add passenger fixes needed by foreman - Remove dup interfaces - Add additional interfaces for quantum - Add new interfaces for dnsmasq - Allow passenger to read localization and send signull to itself - Allow dnsmasq to stream connect to quantum - Add quantum_stream_connect() - Make sure that mcollective starts the service with the correct labeling - Add labels for ~/.manpath - Dontaudit attempts by svirt_t to getpw* calls - sandbox domains are trying to look at parent process data - Allow courior auth to create its pid file in /var/spool/courier subdir - Add fixes for beam to have it working with couchdb - Add labeling for /run/nm-xl2tpd.con - Allow apache to stream connect to thin - Add systemd support for amand - Make public types usable for fs mount points - Call correct mandb interface in domain.te - Allow iptables to r/w quantum inherited pipes and send sigchld - Allow ifconfig domtrans to iptables and execute ldconfig - Add labels for ~/.manpath - Allow systemd to read iscsi lib files - seunshare is trying to look at parent process data- Fix openshift_search_lib - Add support for abrt-uefioops-oops - Allow colord to getattr any file system - Allow chrome processes to look at each other - Allow sys_ptrace for abrt_t - Add new policy for gssproxy - Dontaudit leaked file descriptor writes from firewalld - openshift_net_type is interface not template - Dontaudit pppd to search gnome config - Update openshift_search_lib() interface - Add fs_list_pstorefs() - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 - Better labels for raspberry pi devices - Allow init to create devpts_t directory - Temporarily label rasbery pi devices as memory_device_t, needs back port to f18 - Allow sysadm_t to build kernels - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 - Allow userdomains to stream connect to gssproxy - Dontaudit leaked file descriptor writes from firewalld - Allow xserver to read /dev/urandom - Add additional fixes for ipsec-mgmt - Make SSHing into an Openshift Enterprise Node working- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime - with the proper label. - Update files_filetrans_named_content() interface to get right labeling for pam.d conf files - Allow systemd-timedated to create adjtime - Add clock_create_adjtime() - Additional fix ifconfing for #966106 - Allow kernel_t to create boot.log with correct labeling - Remove unconfined_mplayer for which we don't have rules - Rename interfaces - Add userdom_manage_user_home_files/dirs interfaces - Fix files_dontaudit_read_all_non_security_files - Fix ipsec_manage_key_file() - Fix ipsec_filetrans_key_file() - Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t - Fix labeling for ipse.secrets - Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid - Add files_dontaudit_read_all_non_security_files() interface - /var/log/syslog-ng should be labeled var_log_t - Make ifconfig_var_run_t a mountpoint - Add transition from ifconfig to dnsmasq - Allow ifconfig to execute bin_t/shell_exec_t - We want to have hwdb.bin labeled as etc_t - update logging_filetrans_named_content() interface - Allow systemd_timedate_t to manage /etc/adjtime - Allow NM to send signals to l2tpd - Update antivirus_can_scan_system boolean - Allow devicekit_disk_t to sys_config_tty - Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories - Make printing from vmware working - Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes - Add virt_qemu_ga_data_t for qemu-ga - Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both - Fix typo in virt.te - Add virt_qemu_ga_unconfined_t for hook scripts - Make sure NetworkManager files get created with the correct label - Add mozilla_plugin_use_gps boolean - Fix cyrus to have support for net-snmp - Additional fixes for dnsmasq and quantum for #966106 - Add plymouthd_create_log() - remove httpd_use_oddjob for which we don't have rules - Add missing rules for httpd_can_network_connect_cobbler - Add missing cluster_use_execmem boolean - Call userdom_manage_all_user_home_type_files/dirs - Additional fix for ftp_home_dir - Fix ftp_home_dir boolean - Allow squit to recv/send client squid packet - Fix nut.te to have nut_domain attribute - Add support for ejabberd; TODO: revisit jabberd and rabbit policy - Fix amanda policy - Add more fixes for domains which use libusb - Make domains which use libusb working correctly - Allow l2tpd to create ipsec key files with correct labeling and manage them - Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files - Allow rabbitmq-beam to bind generic node - Allow l2tpd to read ipse-mgmt pid files - more fixes for l2tpd, NM and pppd from #967072- Dontaudit to getattr on dirs for dovecot-deliver - Allow raiudusd server connect to postgresql socket - Add kerberos support for radiusd - Allow saslauthd to connect to ldap port - Allow postfix to manage postfix_private_t files - Add chronyd support for #965457 - Fix labeling for HOME_DIR/\.icedtea - CHange squid and snmpd to be allowed also write own logs - Fix labeling for /usr/libexec/qemu-ga - Allow virtd_t to use virt_lock_t - Allow also sealert to read the policy from the kernel - qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content - Dontaudit listing of users homedir by sendmail Seems like a leak - Allow passenger to transition to puppet master - Allow apache to connect to mythtv - Add definition for mythtv ports- Add additional fixes for #948073 bug - Allow sge_execd_t to also connect to sge ports - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files - Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files - Add networkmanager_stream_connect() - Make gnome-abrt wokring with staff_t - Fix openshift_manage_lib_files() interface - mdadm runs ps command which seems to getattr on random log files - Allow mozilla_plugin_t to create pulseaudit_home_t directories - Allow qemu-ga to shutdown virtual hosts - Add labelling for cupsd-browsed - Add web browser plugins to connect to aol ports - Allow nm-dhcp-helper to stream connect to NM - Add port definition for sge ports- Make sure users and unconfined domains create .hushlogin with the correct label - Allow pegaus to chat with realmd over DBus - Allow cobblerd to read network state - Allow boicn-client to stat on /dev/input/mice - Allow certwatch to read net_config_t when it executes apache - Allow readahead to create /run/systemd and then create its own directory with the correct label- Transition directories and files when in a user_tmp_t directory - Change certwatch to domtrans to apache instead of just execute - Allow virsh_t to read xen lib files - update policy rules for pegasus_openlmi_account_t - Add support for svnserve_tmp_t - Activate account openlmi policy - pegasus_openlmi_domain_template needs also require pegasus_t - One more fix for policykit.te - Call fs_list_cgroups_dirs() in policykit.te - Allow nagios service plugin to read mysql config files - Add labeling for /var/svn - Fix chrome.te - Fix pegasus_openlmi_domain_template() interfaces - Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks - Fix location of google-chrome data - Add support for chome_sandbox to store content in the homedir - Allow policykit to watch for changes in cgroups file system - Add boolean to allow mozilla_plugin_t to use spice - Allow collectd to bind to udp port - Allow collected_t to read all of /proc - Should use netlink socket_perms - Should use netlink socket_perms - Allow glance domains to connect to apache ports - Allow apcupsd_t to manage its log files - Allow chrome objects to rw_inherited unix_stream_socket from callers - Allow staff_t to execute virtd_exec_t for running vms - nfsd_t needs to bind mountd port to make nfs-mountd.service working - Allow unbound net_admin capability because of setsockopt syscall - Fix fs_list_cgroup_dirs() - Label /usr/lib/nagios/plugins/utils.pm as bin_t - Remove uplicate definition of fs_read_cgroup_files() - Remove duplicate definition of fs_read_cgroup_files() - Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd - Additional interfaces needed to list and read cgroups config - Add port definition for collectd port - Add labels for /dev/ptp* - Allow staff_t to execute virtd_exec_t for running vms- Allow samba-net to also read realmd tmp files - Allow NUT to use serial ports - realmd can be started by systemctl now- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly - Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t - Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid - Allow virsh to read xen lock file - Allow qemu-ga to create files in /run with proper labeling - Allow glusterd to connect to own socket in /tmp - Allow glance-api to connect to http port to make glance image-create working - Allow keystonte_t to execute rpm- Fix realmd cache interfaces- Allow tcpd to execute leafnode - Allow samba-net to read realmd cache files - Dontaudit sys_tty_config for alsactl - Fix allow rules for postfix_var_run - Allow cobblerd to read /etc/passwd - Allow pegasus to read exports - Allow systemd-timedate to read xdm state - Allow mout to stream connect to rpcbind - Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki- Allow thumbnails to share memory with apps which run thumbnails - Allow postfix-postqueue block_suspend - Add lib interfaces for smsd - Add support for nginx - Allow s2s running as jabberd_t to connect to jabber_interserver_port_t - Allow pki apache domain to create own tmp files and execute httpd_suexec - Allow procmail to manger user tmp files/dirs/lnk_files - Add virt_stream_connect_svirt() interface - Allow dovecot-auth to execute bin_t - Allow iscsid to request that kernel load a kernel module - Add labeling support for /var/lib/mod_security - Allow iw running as tuned_t to create netlink socket - Dontaudit sys_tty_config for thumb_t - Add labeling for nm-l2tp-service - Allow httpd running as certwatch_t to open tcp socket - Allow useradd to manager smsd lib files - Allow useradd_t to add homedirs in /var/lib - Fix typo in userdomain.te - Cleanup userdom_read_home_certs - Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t - Allow staff to stream connect to svirt_t to make gnome-boxes working- Allow lvm to create its own unit files - Label /var/lib/sepolgen as selinux_config_t - Add filetrans rules for tw devices - Add transition from cupsd_config_t to cupsd_t- Add filetrans rules for tw devices - Cleanup bad transition lines- Fix lockdev_manage_files() - Allow setroubleshootd to read var_lib_t to make email_alert working - Add lockdev_manage_files() - Call proper interface in virt.te - Allow gkeyring_domain to create /var/run/UID/config/dbus file - system dbus seems to be blocking suspend - Dontaudit attemps to sys_ptrace, which I believe gpsd does not need - When you enter a container from root, you generate avcs with a leaked file descriptor - Allow mpd getattr on file system directories - Make sure realmd creates content with the correct label - Allow systemd-tty-ask to write kmsg - Allow mgetty to use lockdev library for device locking - Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music - When you enter a container from root, you generate avcs with a leaked file descriptor - Make sure init.fc files are labeled correctly at creation - File name trans vconsole.conf - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow certmonger to dbus communicate with realmd - Make realmd working- Fix mozilla specification of homedir content - Allow certmonger to read network state - Allow tmpwatch to read tmp in /var/spool/{cups,lpd} - Label all nagios plugin as unconfined by default - Add httpd_serve_cobbler_files() - Allow mdadm to read /dev/sr0 and create tmp files - Allow certwatch to send mails - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow realmd to run ipa, really needs to be an unconfined_domain - Allow sandbox domains to use inherted terminals - Allow pscd to use devices labeled svirt_image_t in order to use cat cards. - Add label for new alsa pid - Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition - Add support for sshd_unit_file_t - Add oracleasmfs_t - Allow unlabeled_t files to be stored on unlabeled_t filesystems- Fix description of deny_ptrace boolean - Remove allow for execmod lib_t for now - Allow quantum to connect to keystone port - Allow nova-console to talk with mysql over unix stream socket - Allow dirsrv to stream connect to uuidd - thumb_t needs to be able to create ~/.cache if it does not exist - virtd needs to be able to sys_ptrace when starting and stoping containers- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms... - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets - Fix deny_ptrace boolean, certain ptrace leaked into the system - Allow winbind to manage kerberos_rcache_host - Allow spamd to create spamd_var_lib_t directories - Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs - Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs - Fix vmware_role() interface - Fix cobbler_manage_lib_files() interface - Allow nagios check disk plugins to execute bin_t - Allow quantum to transition to openvswitch_t - Allow postdrop to stream connect to postfix-master - Allow quantum to stream connect to openvswitch - Add xserver_dontaudit_xdm_rw_stream_sockets() interface - Allow daemon to send dgrams to initrc_t - Allow kdm to start the power service to initiate a reboot or poweroff- Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Don't audit attempts to write to stream socket of nscld by thumbnailers - Allow git_system_t to read network state - Allow pegasas to execute mount command - Fix desc for drdb_admin - Fix condor_amin() - Interface fixes for uptime, vdagent, vnstatd - Fix labeling for moodle in /var/www/moodle/data - Add interface fixes - Allow bugzilla to read certs - /var/www/moodle needs to be writable by apache - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Fix namespace_init_t to create content with proper labels, and allow it to manage all user content - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Fix sys_nice for cups_domain - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Kernel_t needs mac_admin in order to support labeled NFS - Fix systemd_dontaudit_dbus_chat() interface - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Allow consolehelper domain to write Xauth files in /root - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Allow consolehelper more access discovered by Tom London - Allow fsdaemon to send signull to all domain - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Fix file_contexts.subs to label /run/lock correctly- Try to label on controlC devices up to 30 correctly - Add mount_rw_pid_files() interface - Add additional mount/umount interfaces needed by mock - fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk - Fix tabs - Allow initrc_domain to search rgmanager lib files - Add more fixes which make mock working together with confined users * Allow mock_t to manage rpm files * Allow mock_t to read rpm log files * Allow mock to setattr on tmpfs, devpts * Allow mount/umount filesystems - Add rpm_read_log() interface - yum-cron runs rpm from within it. - Allow tuned to transition to dmidecode - Allow firewalld to do net_admin - Allow mock to unmont tmpfs_t - Fix virt_sigkill() interface - Add additional fixes for mock. Mainly caused by mount running in mock_t - Allow mock to write sysfs_t and mount pid files - Add mailman_domain to mailman_template() - Allow openvswitch to execute shell - Allow qpidd to use kerberos - Allow mailman to use fusefs, needs back port to RHEL6 - Allow apache and its scripts to use anon_inodefs - Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 - Realmd needs to connect to samba ports, needs back port to F18 also - Allow colord to read /run/initial-setup- - Allow sanlock-helper to send sigkill to virtd which is registred to sanlock - Add virt_kill() interface - Add rgmanager_search_lib() interface - Allow wdmd to getattr on all filesystems. Back ported from RHEL6- Allow realmd to create tmp files - FIx ircssi_home_t type to irssi_home_t - Allow adcli running as realmd_t to connect to ldap port - Allow NetworkManager to transition to ipsec_t, for running strongswan - Make openshift_initrc_t an lxc_domain - Allow gssd to manage user_tmp_t files - Fix handling of irclogs in users homedir - Fix labeling for drupal an wp-content in subdirs of /var/www/html - Allow abrt to read utmp_t file - Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6 - fix labeling for (oo|rhc)-restorer-wrapper.sh - firewalld needs to be able to write to network sysctls - Fix mozilla_plugin_dontaudit_rw_sem() interface - Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains - Add mozilla_plugin_dontaudit_rw_sem() interface - Allow svirt_lxc_t to transition to openshift domains - Allow condor domains block_suspend and dac_override caps - Allow condor_master to read passd - Allow condor_master to read system state - Allow NetworkManager to transition to ipsec_t, for running strongswan - Lots of access required by lvm_t to created encrypted usb device - Allow xdm_t to dbus communicate with systemd_localed_t - Label strongswan content as ipsec_exec_mgmt_t for now - Allow users to dbus chat with systemd_localed - Fix handling of .xsession-errors in xserver.if, so kde will work - Might be a bug but we are seeing avc's about people status on init_t:service - Make sure we label content under /var/run/lock as <> - Allow daemon and systemprocesses to search init_var_run_t directory - Add boolean to allow xdm to write xauth data to the home directory - Allow mount to write keys for the unconfined domain - Add unconfined_write_keys() interface- Add labeling for /usr/share/pki - Allow programs that read var_run_t symlinks also read var_t symlinks - Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports - Fix labeling for /etc/dhcp directory - add missing systemd_stub_unit_file() interface - Add files_stub_var() interface - Add lables for cert_t directories - Make localectl set-x11-keymap working at all - Allow abrt to manage mock build environments to catch build problems. - Allow virt_domains to setsched for running gdb on itself - Allow thumb_t to execute user home content - Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 - Allow certwatch to execut /usr/bin/httpd - Allow cgred to send signal perms to itself, needs back port to RHEL6 - Allow openshift_cron_t to look at quota - Allow cups_t to read inhered tmpfs_t from the kernel - Allow yppasswdd to use NIS - Tuned wants sys_rawio capability - Add ftpd_use_fusefs boolean - Allow dirsrvadmin_t to signal itself- Allow localectl to read /etc/X11/xorg.conf.d directory - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" - Allow mount to transition to systemd_passwd_agent - Make sure abrt directories are labeled correctly - Allow commands that are going to read mount pid files to search mount_var_run_t - label /usr/bin/repoquery as rpm_exec_t - Allow automount to block suspend - Add abrt_filetrans_named_content so that abrt directories get labeled correctly - Allow virt domains to setrlimit and read file_context- Allow nagios to manage nagios spool files - /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6 - Add swift_alias.* policy files which contain typealiases for swift types - Add support for /run/lock/opencryptoki - Allow pkcsslotd chown capability - Allow pkcsslotd to read passwd - Add rsync_stub() interface - Allow systemd_timedate also manage gnome config homedirs - Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t - Fix filetrans rules for kdm creates .xsession-errors - Allow sytemd_tmpfiles to create wtmp file - Really should not label content under /var/lock, since it could have labels on it different from var_lock_t - Allow systemd to list all file system directories - Add some basic stub interfaces which will be used in PRODUCT policies- Fix log transition rule for cluster domains - Start to group all cluster log together - Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update - cups uses usbtty_device_t devices - These fixes were all required to build a MLS virtual Machine with single level desktops - Allow domains to transiton using httpd_exec_t - Allow svirt domains to manage kernel key rings - Allow setroubleshoot to execute ldconfig - Allow firewalld to read generate gnome data - Allow bluetooth to read machine-info - Allow boinc domain to send signal to itself - Fix gnome_filetrans_home_content() interface - Allow mozilla_plugins to list apache modules, for use with gxine - Fix labels for POkemon in the users homedir - Allow xguest to read mdstat - Dontaudit virt_domains getattr on /dev/* - These fixes were all required to build a MLS virtual Machine with single level desktops - Need to back port this to RHEL6 for openshift - Add tcp/8891 as milter port - Allow nsswitch domains to read sssd_var_lib_t files - Allow ping to read network state. - Fix typo - Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them- Adopt swift changes from lhh@redhat.com - Add rhcs_manage_cluster_pid_files() interface - Allow screen domains to configure tty and setup sock_file in ~/.screen directory - ALlow setroubleshoot to read default_context_t, needed to backport to F18 - Label /etc/owncloud as being an apache writable directory - Allow sshd to stream connect to an lxc domain- Allow postgresql to manage rgmanager pid files - Allow postgresql to read ccs data - Allow systemd_domain to send dbus messages to policykit - Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them - All systemd domains that create content are reading the file_context file and setfscreate - Systemd domains need to search through init_var_run_t - Allow sshd to communicate with libvirt to set containers labels - Add interface to manage pid files - Allow NetworkManger_t to read /etc/hostname - Dontaudit leaked locked files into openshift_domains - Add fixes for oo-cgroup-read - it nows creates tmp files - Allow gluster to manage all directories as well as files - Dontaudit chrome_sandbox_nacl_t using user terminals - Allow sysstat to manage its own log files - Allow virtual machines to setrlimit and send itself signals. - Add labeling for /var/run/hplip- Fix POSTIN scriptlet- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp- Fix authconfig.py labeling - Make any domains that write homedir content do it correctly - Allow glusterd to read/write anyhwere on the file system by default - Be a little more liberal with the rsync log files - Fix iscsi_admin interface - Allow iscsid_t to read /dev/urand - Fix up iscsi domain for use with unit files - Add filename transition support for spamassassin policy - Allow web plugins to use badly formated libraries - Allow nmbd_t to create samba_var_t directories - Add filename transition support for spamassassin policy - Add filename transition support for tvtime - Fix alsa_home_filetrans_alsa_home() interface - Move all userdom_filetrans_home_content() calling out of booleans - Allow logrotote to getattr on all file sytems - Remove duplicate userdom_filetrans_home_content() calling - Allow kadmind to read /etc/passwd - Dontaudit append .xsession-errors file on ecryptfs for policykit-auth - Allow antivirus domain to manage antivirus db links - Allow logrotate to read /sys - Allow mandb to setattr on man dirs - Remove mozilla_plugin_enable_homedirs boolean - Fix ftp_home_dir boolean - homedir mozilla filetrans has been moved to userdom_home_manager - homedir telepathy filetrans has been moved to userdom_home_manager - Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd() - Might want to eventually write a daemon on fusefsd. - Add policy fixes for sshd [net] child from plautrba@redhat.com - Tor uses a new port - Remove bin_t for authconfig.py - Fix so only one call to userdom_home_file_trans - Allow home_manager_types to create content with the correctl label - Fix all domains that write data into the homedir to do it with the correct label - Change the postgresql to use proper boolean names, which is causing httpd_t to - not get access to postgresql_var_run_t - Hostname needs to send syslog messages - Localectl needs to be able to send dbus signals to users - Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default - Allow user_home_manger domains to create spam* homedir content with correct labeling - Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling - Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working - Declare userdom_filetrans_type attribute - userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute - fusefsd is mounding a fuse file system on /run/user/UID/gvfs- Man pages are now generated in the build process - Allow cgred to list inotifyfs filesystem- Allow gluster to get attrs on all fs - New access required for virt-sandbox - Allow dnsmasq to execute bin_t - Allow dnsmasq to create content in /var/run/NetworkManager - Fix openshift_initrc_signal() interface - Dontaudit openshift domains doing getattr on other domains - Allow consolehelper domain to communicate with session bus - Mock should not be transitioning to any other domains, we should keep mock_t as mock_t - Update virt_qemu_ga_t policy - Allow authconfig running from realmd to restart oddjob service - Add systemd support for oddjob - Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd - Add labeling for gnashpluginrc - Allow chrome_nacl to execute /dev/zero - Allow condor domains to read /proc - mozilla_plugin_t will getattr on /core if firefox crashes - Allow condor domains to read /etc/passwd - Allow dnsmasq to execute shell scripts, openstack requires this access - Fix glusterd labeling - Allow virtd_t to interact with the socket type - Allow nmbd_t to override dac if you turned on sharing all files - Allow tuned to created kobject_uevent socket - Allow guest user to run fusermount - Allow openshift to read /proc and locale - Allow realmd to dbus chat with rpm - Add new interface for virt - Remove depracated interfaces - Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket - /usr/share/munin/plugins/plugin.sh should be labeled as bin_t - Remove some more unconfined_t process transitions, that I don't believe are necessary - Stop transitioning uncofnined_t to checkpc - dmraid creates /var/lock/dmraid - Allow systemd_localed to creatre unix_dgram_sockets - Allow systemd_localed to write kernel messages. - Also cleanup systemd definition a little. - Fix userdom_restricted_xwindows_user_template() interface - Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t - User accounts need to dbus chat with accountsd daemon - Gnome requires all users to be able to read /proc/1/- virsh now does a setexeccon call - Additional rules required by openshift domains - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work - Allow spamd_update_t to search spamc_home_t - Avcs discovered by mounting an isci device under /mnt - Allow lspci running as logrotate to read pci.ids - Additional fix for networkmanager_read_pid_files() - Fix networkmanager_read_pid_files() interface - Allow all svirt domains to connect to svirt_socket_t - Allow virsh to set SELinux context for a process. - Allow tuned to create netlink_kobject_uevent_socket - Allow systemd-timestamp to set SELinux context - Add support for /var/lib/systemd/linger - Fix ssh_sysadm_login to be working on MLS as expected- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file - Add missing files_rw_inherited_tmp_files interface - Add additional interface for ecryptfs - ALlow nova-cert to connect to postgresql - Allow keystone to connect to postgresql - Allow all cups domains to getattr on filesystems - Allow pppd to send signull - Allow tuned to execute ldconfig - Allow gpg to read fips_enabled - Add additional fixes for ecryptfs - Allow httpd to work with posgresql - Allow keystone getsched and setsched- Allow gpg to read fips_enabled - Add support for /var/cache/realmd - Add support for /usr/sbin/blazer_usb and systemd support for nut - Add labeling for fenced_sanlock and allow sanclok transition to fenced_t - bitlbee wants to read own log file - Allow glance domain to send a signal itself - Allow xend_t to request that the kernel load a kernel module - Allow pacemaker to execute heartbeat lib files - cleanup new swift policy- Fix smartmontools - Fix userdom_restricted_xwindows_user_template() interface - Add xserver_xdm_ioctl_log() interface - Allow Xusers to ioctl lxdm.log to make lxdm working - Add MLS fixes to make MLS boot/log-in working - Add mls_socket_write_all_levels() also for syslogd - fsck.xfs needs to read passwd - Fix ntp_filetrans_named_content calling in init.te - Allow postgresql to create pg_log dir - Allow sshd to read rsync_data_t to make rsync working - Change ntp.conf to be labeled net_conf_t - Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it - Allow xdm_t to execute gstreamer home content - Allod initrc_t and unconfined domains, and sysadm_t to manage ntp - New policy for openstack swift domains - More access required for openshift_cron_t - Use cupsd_log_t instead of cupsd_var_log_t - rpm_script_roles should be used in rpm_run - Fix rpm_run() interface - Fix openshift_initrc_run() - Fix sssd_dontaudit_stream_connect() interface - Fix sssd_dontaudit_stream_connect() interface - Allow LDA's job to deliver mail to the mailbox - dontaudit block_suspend for mozilla_plugin_t - Allow l2tpd_t to all signal perms - Allow uuidgen to read /dev/random - Allow mozilla-plugin-config to read power_supply info - Implement cups_domain attribute for cups domains - We now need access to user terminals since we start by executing a command outside the tty - We now need access to user terminals since we start by executing a command outside the tty - svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen - Add containment of openshift cron jobs - Allow system cron jobs to create tmp directories - Make userhelp_conf_t a config file - Change rpm to use rpm_script_roles - More fixes for rsync to make rsync wokring - Allow logwatch to domtrans to mdadm - Allow pacemaker to domtrans to ifconfig - Allow pacemaker to setattr on corosync.log - Add pacemaker_use_execmem for memcheck-amd64 command - Allow block_suspend capability - Allow create fifo_file in /tmp with pacemaker_tmp_t - Allow systat to getattr on fixed disk - Relabel /etc/ntp.conf to be net_conf_t - ntp_admin should create files in /etc with the correct label - Add interface to create ntp_conf_t files in /etc - Add additional labeling for quantum - Allow quantum to execute dnsmasq with transition- boinc_cliean wants also execmem as boinc projecs have - Allow sa-update to search admin home for /root/.spamassassin - Allow sa-update to search admin home for /root/.spamassassin - Allow antivirus domain to read net sysctl - Dontaudit attempts from thumb_t to connect to ssd - Dontaudit attempts by readahead to read sock_files - Dontaudit attempts by readahead to read sock_files - Create tmpfs file while running as wine as user_tmpfs_t - Dontaudit attempts by readahead to read sock_files - libmpg ships badly created librarie- Change ssh_use_pts to use macro and only inherited sshd_devpts_t - Allow confined users to read systemd_logind seat information - libmpg ships badly created libraries - Add support for strongswan.service - Add labeling for strongswan - Allow l2tpd_t to read network manager content in /run directory - Allow rsync to getattr any file in rsync_data_t - Add labeling and filename transition for .grl-podcasts- mount.glusterfs executes glusterfsd binary - Allow systemd_hostnamed_t to stream connect to systemd - Dontaudit any user doing a access check - Allow obex-data-server to request the kernel to load a module - Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info) - Allow gpg-agent to read /proc/sys/crypto/fips_enabled - Add new types for antivirus.pp policy module - Allow gnomesystemmm_t caps because of ioprio_set - Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t - Allow gnomesystemmm_t caps because of ioprio_set - Allow NM rawip socket - files_relabel_non_security_files can not be used with boolean - Add interface to thumb_t dbus_chat to allow it to read remote process state - ALlow logrotate to domtrans to mdadm_t - kde gnomeclock wants to write content to /tmp- kde gnomeclock wants to write content to /tmp - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde - Allow blueman_t to rwx zero_device_t, for some kind of jre - Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre - Ftp full access should be allowed to create directories as well as files - Add boolean to allow rsync_full_acces, so that an rsync server can write all - over the local machine - logrotate needs to rotate logs in openshift directories, needs back port to RHEL6 - Add missing vpnc_roles type line - Allow stapserver to write content in /tmp - Allow gnome keyring to create keyrings dir in ~/.local/share - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Add interface to colord_t dbus_chat to allow it to read remote process state - Allow colord_t to read cupsd_t state - Add mate-thumbnail-font as thumnailer - Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data. - Allow qpidd to list /tmp. Needed by ssl - Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18 - - Added systemd support for ksmtuned - Added booleans ksmtuned_use_nfs ksmtuned_use_cifs - firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow - Looks like qpidd_t needs to read /dev/random - Lots of probing avc's caused by execugting gpg from staff_t - Dontaudit senmail triggering a net_admin avc - Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port - Logwatch does access check on mdadm binary - Add raid_access_check_mdadm() iterface- Fix systemd_manage_unit_symlinks() interface - Call systemd_manage_unit_symlinks(() which is correct interface - Add filename transition for opasswd - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow sytstemd-timedated to get status of init_t - Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t - colord needs to communicate with systemd and systemd_logind, also remove duplicate rules - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow gpg_t to manage all gnome files - Stop using pcscd_read_pub_files - New rules for xguest, dontaudit attempts to dbus chat - Allow firewalld to create its mmap files in tmpfs and tmp directories - Allow firewalld to create its mmap files in tmpfs and tmp directories - run unbound-chkconf as named_t, so it can read dnssec - Colord is reading xdm process state, probably reads state of any apps that sends dbus message - Allow mdadm_t to change the kernel scheduler - mythtv policy - Update mandb_admin() interface - Allow dsspam to listen on own tpc_socket - seutil_filetrans_named_content needs to be optional - Allow sysadm_t to execute content in his homedir - Add attach_queue to tun_socket, new patch from Paul Moore - Change most of selinux configuration types to security_file_type. - Add filename transition rules for selinux configuration - ssh into a box with -X -Y requires ssh_use_ptys - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Allow all unpriv userdomains to send dbus messages to hostnamed and timedated - New allow rules found by Tom London for systemd_hostnamed- Allow systemd-tmpfiles to relabel lpd spool files - Ad labeling for texlive bash scripts - Add xserver_filetrans_fonts_cache_home_content() interface - Remove duplicate rules from *.te - Add support for /var/lock/man-db.lock - Add support for /var/tmp/abrt(/.*)? - Add additional labeling for munin cgi scripts - Allow httpd_t to read munin conf files - Allow certwatch to read meminfo - Fix nscd_dontaudit_write_sock_file() interfac - Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t - llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling- Allow gnomeclock to talk to puppet over dbus - Allow numad access discovered by Dominic - Add support for HOME_DIR/.maildir - Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain - Allow udev to relabel udev_var_run_t lnk_files - New bin_t file in mcelog- Remove all mcs overrides and replace with t1 != mcs_constrained_types - Add attribute_role for iptables - mcs_process_set_categories needs to be called for type - Implement additional role_attribute statements - Sodo domain is attempting to get the additributes of proc_kcore_t - Unbound uses port 8953 - Allow svirt_t images to compromise_kernel when using pci-passthrough - Add label for dns lib files - Bluetooth aquires a dbus name - Remove redundant files_read_usr_file calling - Remove redundant files_read_etc_file calling - Fix mozilla_run_plugin() - Add role_attribute support for more domains- Mass merge with upstream- Bump the policy version to 28 to match selinux userspace - Rebuild versus latest libsepol- Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Add labeling for /var/named/chroot/etc/localtim- Allow setroubleshoot_fixit to execute rpm - zoneminder needs to connect to httpd ports where remote cameras are listening - Allow firewalld to execute content created in /run directory - Allow svirt_t to read generic certs - Dontaudit leaked ps content to mozilla plugin - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - init scripts are creating systemd_unit_file_t directories- systemd_logind_t is looking at all files under /run/user/apache - Allow systemd to manage all user tmp files - Add labeling for /var/named/chroot/etc/localtime - Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6 - Keystone is now using a differnt port - Allow xdm_t to use usbmuxd daemon to control sound - Allow passwd daemon to execute gnome_exec_keyringd - Fix chrome_sandbox policy - Add labeling for /var/run/checkquorum-timer - More fixes for the dspam domain, needs back port to RHEL6 - More fixes for the dspam domain, needs back port to RHEL6 - sssd needs to connect to kerberos password port if a user changes his password - Lots of fixes from RHEL testing of dspam web - Allow chrome and mozilla_plugin to create msgq and semaphores - Fixes for dspam cgi scripts - Fixes for dspam cgi scripts - Allow confine users to ptrace screen - Backport virt_qemu_ga_t changes from RHEL - Fix labeling for dspam.cgi needed for RHEL6 - We need to back port this policy to RHEL6, for lxc domains - Dontaudit attempts to set sys_resource of logrotate - Allow corosync to read/write wdmd's tmpfs files - I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set - Allow cron jobs to read bind config for unbound - libvirt needs to inhibit systemd - kdumpctl needs to delete boot_t files - Fix duplicate gnome_config_filetrans - virtd_lxc_t is using /dev/fuse - Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift - apcupsd can be setup to listen to snmp trafic - Allow transition from kdumpgui to kdumpctl - Add fixes for munin CGI scripts - Allow deltacloud to connect to openstack at the keystone port - Allow domains that transition to svirt domains to be able to signal them - Fix file context of gstreamer in .cache directory - libvirt is communicating with logind - NetworkManager writes to the systemd inhibit pipe- Allow munin disk plugins to get attributes of all directories - Allow munin disk plugins to get attributes of all directorie - Allow logwatch to get attributes of all directories - Fix networkmanager_manage_lib() interface - Fix gnome_manage_config() to allow to manage sock_file - Fix virtual_domain_context - Add support for dynamic DNS for DHCPv6- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch - Add additional labeling for /var/www/openshift/broker - Fix rhev policy - Allow openshift_initrc domain to dbus chat with systemd_logind - Allow httpd to getattr passenger log file if run_stickshift - Allow consolehelper-gtk to connect to xserver - Add labeling for the tmp-inst directory defined in pam_namespace.conf - Add lvm_metadata_t labeling for /etc/multipath- consoletype is no longer used- Add label for efivarfs - Allow certmonger to send signal to itself - Allow plugin-config to read own process status - Add more fixes for pacemaker - apache/drupal can run clamscan on uploaded content - Allow chrome_sandbox_nacl_t to read pid 1 content- Fix MCS Constraints to control ingres and egres controls on the network. - Change name of svirt_nokvm_t to svirt_tcg_t - Allow tuned to request the kernel to load kernel modules- Label /var/lib/pgsql/.ssh as ssh_home_t - Add labeling for /usr/bin/pg_ctl - Allow systemd-logind to manage keyring user tmp dirs - Add support for 7389/tcp port - gems seems to be placed in lots of places - Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus - Add back tcp/8123 port as http_cache port - Add ovirt-guest-agent\.pid labeling - Allow xend to run scsi_id - Allow rhsmcertd-worker to read "physical_package_id" - Allow pki_tomcat to connect to ldap port - Allow lpr to read /usr/share/fonts - Allow open file from CD/DVD drive on domU - Allow munin services plugins to talk to SSSD - Allow all samba domains to create samba directory in var_t directories - Take away svirt_t ability to use nsswitch - Dontaudit attempts by openshift to read apache logs - Allow apache to create as well as append _ra_content_t - Dontaudit sendmail_t reading a leaked file descriptor - Add interface to have admin transition /etc/prelink.cache to the proper label - Add sntp support to ntp policy - Allow firewalld to dbus chat with devicekit_power - Allow tuned to call lsblk - Allow tor to read /proc/sys/kernel/random/uuid - Add tor_can_network_relay boolean- Add openshift_initrc_signal() interface - Fix typos - dspam port is treat as spamd_port_t - Allow setroubleshoot to getattr on all executables - Allow tuned to execute profiles scripts in /etc/tuned - Allow apache to create directories to store its log files - Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t - Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6 - Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM - Add filename transition for /etc/tuned/active_profile - Allow condor_master to send mails - Allow condor_master to read submit.cf - Allow condor_master to create /tmp files/dirs - Allow condor_mater to send sigkill to other condor domains - Allow condor_procd sigkill capability - tuned-adm wants to talk with tuned daemon - Allow kadmind and krb5kdc to also list sssd_public_t - Allow accountsd to dbus chat with init - Fix git_read_generic_system_content_files() interface - pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" - Fix mozilla_plugin_can_network_connect to allow to connect to all ports - Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t - dspam wants to search /var/spool for opendkim data - Revert "Add support for tcp/10026 port as dspam_port_t" - Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6 - Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain - Allow systemd_tmpfiles_t to setattr on mandb_cache_t- consolekit.pp was not removed from the postinstall script- Add back consolekit policy - Silence bootloader trying to use inherited tty - Silence xdm_dbusd_t trying to execute telepathy apps - Fix shutdown avcs when machine has unconfined.pp disabled - The host and a virtual machine can share the same printer on a usb device - Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob - Allow abrt_watch_log_t to execute bin_t - Allow chrome sandbox to write content in ~/.config/chromium - Dontaudit setattr on fontconfig dir for thumb_t - Allow lircd to request the kernel to load module - Make rsync as userdom_home_manager - Allow rsync to search automount filesystem - Add fixes for pacemaker- Add support for 4567/tcp port - Random fixes from Tuomo Soini - xdm wants to get init status - Allow programs to run in fips_mode - Add interface to allow the reading of all blk device nodes - Allow init to relabel rpcbind sock_file - Fix labeling for lastlog and faillog related to logrotate - ALlow aeolus_configserver to use TRAM port - Add fixes for aeolus_configserver - Allow snmpd to connect to snmp port - Allow spamd_update to create spamd_var_lib_t directories - Allow domains that can read sssd_public_t files to also list the directory - Remove miscfiles_read_localization, this is defined for all domains- Allow syslogd to request the kernel to load a module - Allow syslogd_t to read the network state information - Allow xdm_dbusd_t connect to the system DBUS - Add support for 7389/tcp port - Allow domains to read/write all inherited sockets - Allow staff_t to read kmsg - Add awstats_purge_apache_log boolean - Allow ksysguardproces to read /.config/Trolltech.conf - Allow passenger to create and append puppet log files - Add puppet_append_log and puppet_create_log interfaces - Add puppet_manage_log() interface - Allow tomcat domain to search tomcat_var_lib_t - Allow pki_tomcat_t to connect to pki_ca ports - Allow pegasus_t to have net_admin capability - Allow pegasus_t to write /sys/class/net//flags - Allow mailserver_delivery to manage mail_home_rw_t lnk_files - Allow fetchmail to create log files - Allow gnomeclock to manage home config in .kde - Allow bittlebee to read kernel sysctls - Allow logrotate to list /root- Fix userhelper_console_role_template() - Allow enabling Network Access Point service using blueman - Make vmware_host_t as unconfined domain - Allow authenticate users in webaccess via squid, using mysql as backend - Allow gathers to get various metrics on mounted file systems - Allow firewalld to read /etc/hosts - Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t - Allow kdumpgui to read/write to zipl.conf - Commands needed to get mock to build from staff_t in enforcing mode - Allow mdadm_t to manage cgroup files - Allow all daemons and systemprocesses to use inherited initrc_tmp_t files - dontaudit ifconfig_t looking at fifo_files that are leaked to it - Add lableing for Quest Authentication System- Fix filetrans interface definitions - Dontaudit xdm_t to getattr on BOINC lib files - Add systemd_reload_all_services() interface - Dontaudit write access on /var/lib/net-snmp/mib_indexes - Only stop mcsuntrustedproc from relableing files - Allow accountsd to dbus chat with gdm - Allow realmd to getattr on all fs - Allow logrotate to reload all services - Add systemd unit file for radiusd - Allow winbind to create samba pid dir - Add labeling for /var/nmbd/unexpected - Allow chrome and mozilla plugin to connect to msnp ports- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file - Dontaudit setfiles reading /dev/random - On initial boot gnomeclock is going to need to be set buy gdm - Fix tftp_read_content() interface - Random apps looking at kernel file systems - Testing virt with lxc requiers additional access for virsh_t - New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container - Allow MPD to read /dev/radnom - Allow sandbox_web_type to read logind files which needs to read pulseaudio - Allow mozilla plugins to read /dev/hpet - Add labeling for /var/lib/zarafa-webap - Allow BOINC client to use an HTTP proxy for all connections - Allow rhsmertd to domain transition to dmidecod - Allow setroubleshootd to send D-Bus msg to ABRT- Define usbtty_device_t as a term_tty - Allow svnserve to accept a connection - Allow xend manage default virt_image_t type - Allow prelink_cron_system_t to overide user componant when executing cp - Add labeling for z-push - Gnomeclock sets the realtime clock - Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd - Allow lxc domains to use /dev/random and /dev/urandom- Add port defintion for tcp/9000 - Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd - Add rules and labeling for $HOME/cache/\.gstreamer-.* directory - Add support for CIM provider openlmi-networking which uses NetworkManager dbus API - Allow shorewall_t to create netlink_socket - Allow krb5admind to block suspend - Fix labels on /var/run/dlm_controld /var/log/dlm_controld - Allow krb5kdc to block suspend - gnomessytemmm_t needs to read /etc/passwd - Allow cgred to read all sysctls- Allow all domains to read /proc/sys/vm/overcommit_memory - Make proc_numa_t an MLS Trusted Object - Add /proc/numactl support for confined users - Allow ssh_t to connect to any port > 1023 - Add openvswitch domain - Pulseaudio tries to create directories in gnome_home_t directories - New ypbind pkg wants to search /var/run which is caused by sd_notify - Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans - Allow sanlock to read /dev/random - Treat php-fpm with httpd_t - Allow domains that can read named_conf_t to be able to list the directories - Allow winbind to create sock files in /var/run/samba- Add smsd policy - Add support for OpenShift sbin labelin - Add boolean to allow virt to use rawip - Allow mozilla_plugin to read all file systems with noxattrs support - Allow kerberos to write on anon_inodefs fs - Additional access required by fenced - Add filename transitions for passwd.lock/group.lock - UPdate man pages - Create coolkey directory in /var/cache with the correct label- Fix label on /etc/group.lock - Allow gnomeclock to create lnk_file in /etc - label /root/.pki as a home_cert_t - Add interface to make sure rpcbind.sock is created with the correct label - Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules - opendkim should be a part of milter - Allow libvirt to set the kernel sched algorythm - Allow mongod to read sysfs_t - Add authconfig policy - Remove calls to miscfiles_read_localization all domains get this - Allow virsh_t to read /root/.pki/ content - Add label for log directory under /var/www/stickshift- Allow getty to setattr on usb ttys - Allow sshd to search all directories for sshd_home_t content - Allow staff domains to send dbus messages to kdumpgui - Fix labels on /etc/.pwd.lock and friends to be passwd_file_t - Dontaudit setfiles reading urand - Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched - Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir - Allow systemd-timedated to read /dev/urandom - Allow entropyd_t to read proc_t (meminfo) - Add unconfined munin plugin - Fix networkmanager_read_conf() interface - Allow blueman to list /tmp which is needed by sys_nic/setsched - Fix label of /etc/mail/aliasesdb-stamp - numad is searching cgroups - realmd is communicating with networkmanager using dbus - Lots of fixes to try to get kdump to work- Allow loging programs to dbus chat with realmd - Make apache_content_template calling as optional - realmd is using policy kit- Add new selinuxuser_use_ssh_chroot boolean - dbus needs to be able to read/write inherited fixed disk device_t passed through it - Cleanup netutils process allow rule - Dontaudit leaked fifo files from openshift to ping - sanlock needs to read mnt_t lnk files - Fail2ban needs to setsched and sys_nice- Change default label of all files in /var/run/rpcbind - Allow sandbox domains (java) to read hugetlbfs_t - Allow awstats cgi content to create tmp files and read apache log files - Allow setuid/setgid for cupsd-config - Allow setsched/sys_nice pro cupsd-config - Fix /etc/localtime sym link to be labeled locale_t - Allow sshd to search postgresql db t since this is a homedir - Allow xwindows users to chat with realmd - Allow unconfined domains to configure all files and null_device_t service- Adopt pki-selinux policy- pki is leaking which we dontaudit until a pki code fix - Allow setcap for arping - Update man pages - Add labeling for /usr/sbin/mcollectived - pki fixes - Allow smokeping to execute fping in the netutils_t domain- Allow mount to relabelfrom unlabeled file systems - systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working - Add label to get bin files under libreoffice labeled correctly - Fix interface to allow executing of base_ro_file_type - Add fixes for realmd - Update pki policy - Add tftp_homedir boolean - Allow blueman sched_setscheduler - openshift user domains wants to r/w ssh tcp sockets- Additional requirements for disable unconfined module when booting - Fix label of systemd script files - semanage can use -F /dev/stdin to get input - syslog now uses kerberos keytabs - Allow xserver to compromise_kernel access - Allow nfsd to write to mount_var_run_t when running the mount command - Add filename transition rule for bin_t directories - Allow files to read usr_t lnk_files - dhcpc wants chown - Add support for new openshift labeling - Clean up for tunable+optional statements - Add labeling for /usr/sbin/mkhomedir_helper - Allow antivirus domain to managa amavis spool files - Allow rpcbind_t to read passwd - Allow pyzor running as spamc to manage amavis spool- Add interfaces to read kernel_t proc info - Missed this version of exec_all - Allow anyone who can load a kernel module to compromise kernel - Add oddjob_dbus_chat to openshift apache policy - Allow chrome_sandbox_nacl_t to send signals to itself - Add unit file support to usbmuxd_t - Allow all openshift domains to read sysfs info - Allow openshift domains to getattr on all domains- MLS fixes from Dan - Fix name of capability2 secure_firmware->compromise_kerne- Allow xdm to search all file systems - Add interface to allow the config of all files - Add rngd policy - Remove kgpg as a gpg_exec_t type - Allow plymouthd to block suspend - Allow systemd_dbus to config any file - Allow system_dbus_t to configure all services - Allow freshclam_t to read usr_files - varnishd requires execmem to load modules- Allow semanage to verify types - Allow sudo domain to execute user home files - Allow session_bus_type to transition to user_tmpfs_t - Add dontaudit caused by yum updates - Implement pki policy but not activated- tuned wants to getattr on all filesystems - tuned needs also setsched. The build is needed for test day- Add policy for qemu-qa - Allow razor to write own config files - Add an initial antivirus policy to collect all antivirus program - Allow qdisk to read usr_t - Add additional caps for vmware_host - Allow tmpfiles_t to setattr on mandb_cache_t - Dontaudit leaked files into mozilla_plugin_config_t - Allow wdmd to getattr on tmpfs - Allow realmd to use /dev/random - allow containers to send audit messages - Allow root mount any file via loop device with enforcing mls policy - Allow tmpfiles_t to setattr on mandb_cache_t - Allow tmpfiles_t to setattr on mandb_cache_t - Make userdom_dontaudit_write_all_ not allow open - Allow init scripts to read all unit files - Add support for saphostctrl ports- Add kernel_read_system_state to sandbox_client_t - Add some of the missing access to kdumpgui - Allow systemd_dbusd_t to status the init system - Allow vmnet-natd to request the kernel to load a module - Allow gsf-office-thum to append .cache/gdm/session.log - realmd wants to read .config/dconf/user - Firewalld wants sys_nice/setsched - Allow tmpreaper to delete mandb cache files - Firewalld wants sys_nice/setsched - Allow firewalld to perform a DNS name resolution - Allown winbind to read /usr/share/samba/codepages/lowcase.dat - Add support for HTTPProxy* in /etc/freshclam.conf - Fix authlogin_yubike boolean - Extend smbd_selinux man page to include samba booleans - Allow dhcpc to execute consoletype - Allow ping to use inherited tmp files created in init scripts - On full relabel with unconfined domain disabled, initrc was running some chcon's - Allow people who delete man pages to delete mandb cache files- Add missing permissive domains- Add new mandb policy - ALlow systemd-tmpfiles_t to relabel mandb_cache_t - Allow logrotate to start all unit files- Add fixes for ctbd - Allow nmbd to stream connect to ctbd - Make cglear_t as nsswitch_domain - Fix bogus in interfaces - Allow openshift to read/write postfix public pipe - Add postfix_manage_spool_maildrop_files() interface - stickshift paths have been renamed to openshift - gnome-settings-daemon wants to write to /run/systemd/inhibit/ pipes - Update man pages, adding ENTRYPOINTS- Add mei_device_t - Make sure gpg content in homedir created with correct label - Allow dmesg to write to abrt cache files - automount wants to search virtual memory sysctls - Add support for hplip logs stored in /var/log/hp/tmp - Add labeling for /etc/owncloud/config.php - Allow setroubleshoot to send analysys to syslogd-journal - Allow virsh_t to interact with new fenced daemon - Allow gpg to write to /etc/mail/spamassassiin directories - Make dovecot_deliver_t a mail server delivery type - Add label for /var/tmp/DNS25- Fixes for tomcat_domain template interface- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes - Add attribute to all base os types. Allow all domains to read all ro base OS types- Additional unit files to be defined as power unit files - Fix more boolean names- Fix boolean name so subs will continue to work- dbus needs to start getty unit files - Add interface to allow system_dbusd_t to start the poweroff service - xdm wants to exec telepathy apps - Allow users to send messages to systemdlogind - Additional rules needed for systemd and other boot apps - systemd wants to list /home and /boot - Allow gkeyringd to write dbus/conf file - realmd needs to read /dev/urand - Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded- Fixes to safe more rules - Re-write tomcat_domain_template() - Fix passenger labeling - Allow all domains to read man pages - Add ephemeral_port_t to the 'generic' port interfaces - Fix the names of postgresql booleans- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer - Move netlable_peer check out of booleans - Remove call to recvfrom_netlabel for kerberos call - Remove use of attributes when calling syslog call - Move -miscfiles_read_localization to domain.te to save hundreds of allow rules - Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface - Allow rndc to block suspend - tuned needs to modify the schedule of the kernel - Allow svirt_t domains to read alsa configuration files - ighten security on irc domains and make sure they label content in homedir correctly - Add filetrans_home_content for irc files - Dontaudit all getattr access for devices and filesystems for sandbox domains - Allow stapserver to search cgroups directories - Allow all postfix domains to talk to spamd- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check - Change pam_t to pam_timestamp_t - Add dovecot_domain attribute and allow this attribute block_suspend capability2 - Add sanlock_use_fusefs boolean - numad wants send/recieve msg - Allow rhnsd to send syslog msgs - Make piranha-pulse as initrc domain - Update openshift instances to dontaudit setattr until the kernel is fixed.- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd - Remove pam_selinux.8 which conflicts with man page owned by the pam package - Allow glance-api to talk to mysql - ABRT wants to read Xorg.0.log if if it detects problem with Xorg - Fix gstreamer filename trans. interface- Man page fixes by Dan Walsh- Allow postalias to read postfix config files - Allow man2html to read man pages - Allow rhev-agentd to search all mountpoints - Allow rhsmcertd to read /dev/random - Add tgtd_stream_connect() interface - Add cyrus_write_data() interface - Dontaudit attempts by sandboxX clients connectiing to the xserver_port_t - Add port definition for tcp/81 as http_port_t - Fix /dev/twa labeling - Allow systemd to read modules config- Merge openshift policy - Allow xauth to read /dev/urandom - systemd needs to relabel content in /run/systemd directories - Files unconfined should be able to perform all services on all files - Puppet tmp file can be leaked to all domains - Dontaudit rhsmcertd-worker to search /root/.local - Allow chown capability for zarafa domains - Allow system cronjobs to runcon into openshift domains - Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories- nmbd wants to create /var/nmbd - Stop transitioning out of anaconda and firstboot, just causes AVC messages - Allow clamscan to read /etc files - Allow bcfg2 to bind cyphesis port - heartbeat should be run as rgmanager_t instead of corosync_t - Add labeling for /etc/openldap/certs - Add labeling for /opt/sartest directory - Make crontab_t as userdom home reader - Allow tmpreaper to list admin_home dir - Add defition for imap_0 replay cache file - Add support for gitolite3 - Allow virsh_t to send syslog messages - allow domains that can read samba content to be able to list the directories also - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd - Separate out sandbox from sandboxX policy so we can disable it by default - Run dmeventd as lvm_t - Mounting on any directory requires setattr and write permissions - Fix use_nfs_home_dirs() boolean - New labels for pam_krb5 - Allow init and initrc domains to sys_ptrace since this is needed to look at processes not owned by uid 0 - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs - Allow domains that can read etc_t to read etc_runtime_t - Allow all domains to use inherited tmpfiles- Allow realmd to read resolv.conf - Add pegasus_cache_t type - Label /usr/sbin/fence_virtd as virsh_exec_t - Add policy for pkcsslotd - Add support for cpglockd - Allow polkit-agent-helper to read system-auth-ac - telepathy-idle wants to read gschemas.compiled - Allow plymouthd to getattr on fs_t - Add slpd policy - Allow ksysguardproces to read/write config_usr_t- Fix labeling substitution so rpm will label /lib/systemd content correctly- Add file name transitions for ttyACM0 - spice-vdagent(d)'s are going to log over to syslog - Add sensord policy - Add more fixes for passenger policy related to puppet - Allow wdmd to create wdmd_tmpfs_t - Fix labeling for /var/run/cachefilesd\.pid - Add thumb_tmpfs_t files type- Allow svirt domains to manage the network since this is containerized - Allow svirt_lxc_net_t to send audit messages- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working - Allow dlm_controld to execute dlm_stonith labeled as bin_t - Allow GFS2 working on F17 - Abrt needs to execute dmesg - Allow jockey to list the contents of modeprobe.d - Add policy for lightsquid as squid_cron_t - Mailscanner is creating files and directories in /tmp - dmesg is now reading /dev/kmsg - Allow xserver to communicate with secure_firmware - Allow fsadm tools (fsck) to read /run/mount contnet - Allow sysadm types to read /dev/kmsg -- Allow postfix, sssd, rpcd to block_suspend - udev seems to need secure_firmware capability - Allow virtd to send dbus messages to firewalld so it can configure the firewall- Fix labeling of content in /run created by virsh_t - Allow condor domains to read kernel sysctls - Allow condor_master to connect to amqp - Allow thumb drives to create shared memory and semaphores - Allow abrt to read mozilla_plugin config files - Add labels for lightsquid - Default files in /opt and /usr that end in .cgi as httpd_sys_script_t, allow - dovecot_auth_t uses ldap for user auth - Allow domains that can read dhcp_etc_t to read lnk_files - Add more then one watchdog device - Allow useradd_t to manage etc_t files so it can rename it and edit them - Fix invalid class dir should be fifo_file - Move /run/blkid to fsadm and make sure labeling is correct- Fix bogus regex found by eparis - Fix manage run interface since lvm needs more access - syslogd is searching cgroups directory - Fixes to allow virt-sandbox-service to manage lxc var run content- Fix Boolean settings - Add new libjavascriptcoregtk as textrel_shlib_t - Allow xdm_t to create xdm_home_t directories - Additional access required for systemd - Dontaudit mozilla_plugin attempts to ipc_lock - Allow tmpreaper to delete unlabeled files - Eliminate screen_tmp_t and allow it to manage user_tmp_t - Dontaudit mozilla_plugin_config_t to append to leaked file descriptors - Allow web plugins to connect to the asterisk ports - Condor will recreate the lock directory if it does not exist - Oddjob mkhomedir needs to connectto user processes - Make oddjob_mkhomedir_t a userdom home manager- Put placeholder back in place for proper numbering of capabilities - Systemd also configures init scripts- Fix ecryptfs interfaces - Bootloader seems to be trolling around /dev/shm and /dev - init wants to create /etc/systemd/system-update.target.wants - Fix systemd_filetrans call to move it out of tunable - Fix up policy to work with systemd userspace manager - Add secure_firmware capability and remove bogus epolwakeup - Call seutil_*_login_config interfaces where should be needed - Allow rhsmcertd to send signal to itself - Allow thin domains to send signal to itself - Allow Chrome_ChildIO to read dosfs_t- Add role rules for realmd, sambagui- Add new type selinux_login_config_t for /etc/selinux//logins/ - Additional fixes for seutil_manage_module_store() - dbus_system_domain() should be used with optional_policy - Fix svirt to be allowed to use fusefs file system - Allow login programs to read /run/ data created by systemd_login - sssd wants to write /etc/selinux//logins/ for SELinux PAM module - Fix svirt to be allowed to use fusefs file system - Allow piranha domain to use nsswitch - Sanlock needs to send Kill Signals to non root processes - Pulseaudio wants to execute /run/user/PID/.orc- Fix saslauthd when it tries to read /etc/shadow - Label gnome-boxes as a virt homedir - Need to allow svirt_t ability to getattr on nfs_t file systems - Update sanlock policy to solve all AVC's - Change confined users can optionally manage virt content - Handle new directories under ~/.cache - Add block suspend to appropriate domains - More rules required for containers - Allow login programs to read /run/ data created by systemd_logind - Allow staff users to run svirt_t processes- Update to upstream- More fixes for systemd to make rawhide booting from Dan Walsh- Add systemd fixes to make rawhide booting- Add systemd_logind_inhibit_var_run_t attribute - Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type - Add interface for mysqld to dontaudit signull to all processes - Label new /var/run/journal directory correctly - Allow users to inhibit suspend via systemd - Add new type for the /var/run/inhibit directory - Add interface to send signull to systemd_login so avahi can send them - Allow systemd_passwd to send syslog messages - Remove corenet_all_recvfrom_unlabeled() calling fro policy files - Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group - Allow smbd to read cluster config - Add additional labeling for passenger - Allow dbus to inhibit suspend via systemd - Allow avahi to send signull to systemd_login- Add interface to dontaudit getattr access on sysctls - Allow sshd to execute /bin/login - Looks like xdm is recreating the xdm directory in ~/.cache/ on login - Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald - Fix semanage to work with unconfined domain disabled on F18 - Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls - Virt seems to be using lock files - Dovecot seems to be searching directories of every mountpoint - Allow jockey to read random/urandom, execute shell and install third-party drivers - Add aditional params to allow cachedfiles to manage its content - gpg agent needs to read /dev/random - The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write - Add a bunch of dontaudit rules to quiet svirt_lxc domains - Additional perms needed to run svirt_lxc domains - Allow cgclear to read cgconfig - Allow sys_ptrace capability for snmp - Allow freshclam to read /proc - Allow procmail to manage /home/user/Maildir content - Allow NM to execute wpa_cli - Allow amavis to read clamd system state - Regenerate man pages- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- Add realmd and stapserver policies - Allow useradd to manage stap-server lib files - Tighten up capabilities for confined users - Label /etc/security/opasswd as shadow_t - Add label for /dev/ecryptfs - Allow condor_startd_t to start sshd with the ranged - Allow lpstat.cups to read fips_enabled file - Allow pyzor running as spamc_t to create /root/.pyzor directory - Add labelinf for amavisd-snmp init script - Add support for amavisd-snmp - Allow fprintd sigkill self - Allow xend (w/o libvirt) to start virtual machines - Allow aiccu to read /etc/passwd - Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes - Add condor_startd_ranged_domtrans_to() interface - Add ssd_conf_t for /etc/sssd - accountsd needs to fchown some files/directories - Add ICACLient and zibrauserdata as mozilla_filetrans_home_content - SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit - Allow xend_t to read the /etc/passwd file- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t - Add init_access_check() interface - Fix label on /usr/bin/pingus to not be labeled as ping_exec_t - Allow tcpdump to create a netlink_socket - Label newusers like useradd - Change xdm log files to be labeled xdm_log_t - Allow sshd_t with privsep to work in MLS - Allow freshclam to update databases thru HTTP proxy - Allow s-m-config to access check on systemd - Allow abrt to read public files by default - Fix amavis_create_pid_files() interface - Add labeling and filename transition for dbomatic.log - Allow system_dbusd_t to stream connect to bluetooth, and use its socket - Allow amavisd to execute fsav - Allow tuned to use sys_admin and sys_nice capabilities - Add php-fpm policy from Bryan - Add labeling for aeolus-configserver-thinwrapper - Allow thin domains to execute shell - Fix gnome_role_gkeyringd() interface description - Lot of interface fixes - Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files - Allow OpenMPI job to use kerberos - Make deltacloudd_t as nsswitch_domain - Allow xend_t to run lsscsi - Allow qemu-dm running as xend_t to create tun_socket - Add labeling for /opt/brother/Printers(.*/)?inf - Allow jockey-backend to read pyconfig-64.h labeled as usr_t - Fix clamscan_can_scan_system boolean - Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11- initrc is calling exportfs which is not confined so it attempts to read nfsd_files - Fixes for passenger running within openshift. - Add labeling for all tomcat6 dirs - Add support for tomcat6 - Allow cobblerd to read /etc/passwd - Allow jockey to read sysfs and and execute binaries with bin_t - Allow thum to use user terminals - Allow cgclear to read cgconfig config files - Fix bcf2g.fc - Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains - Allow dbomatic to execute ruby - abrt_watch_log should be abrt_domain - Allow mozilla_plugin to connect to gatekeeper port- add ptrace_child access to process - remove files_read_etc_files() calling from all policies which have auth_use_nsswith() - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - Add support for boinc.log - Allow mozilla_plugin execmod on mozilla home files if allow_ex - Allow dovecot_deliver_t to read dovecot_var_run_t - Allow ldconfig and insmod to manage kdumpctl tmp files - Move thin policy out from cloudform.pp and add a new thin poli - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_c - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users hom - rhsmcertd reads the rpm database - Add support for lightdm- Add tomcat policy - Remove pyzor/razor policy - rhsmcertd reads the rpm database - Dontaudit thumb to setattr on xdm_tmp dir - Allow wicd to execute ldconfig in the networkmanager_t domain - Add /var/run/cherokee\.pid labeling - Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too - Allow postfix-master to r/w pipes other postfix domains - Allow snort to create netlink_socket - Add kdumpctl policy - Allow firstboot to create tmp_t files/directories - /usr/bin/paster should not be labeled as piranha_exec_t - remove initrc_domain from tomcat - Allow ddclient to read /etc/passwd - Allow useradd to delete all file types stored in the users homedir - Allow ldconfig and insmod to manage kdumpctl tmp files - Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those - Transition xauth files within firstboot_tmp_t - Fix labeling of /run/media to match /media - Label all lxdm.log as xserver_log_t - Add port definition for mxi port - Allow local_login_t to execute tmux- apcupsd needs to read /etc/passwd - Sanlock allso sends sigkill - Allow glance_registry to connect to the mysqld port - Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl - Allow firefox plugins/flash to connect to port 1234 - Allow mozilla plugins to delete user_tmp_t files - Add transition name rule for printers.conf.O - Allow virt_lxc_t to read urand - Allow systemd_loigind to list gstreamer_home_dirs - Fix labeling for /usr/bin - Fixes for cloudform services * support FIPS - Allow polipo to work as web caching - Allow chfn to execute tmux- Add support for ecryptfs * ecryptfs does not support xattr * we need labeling for HOMEDIR - Add policy for (u)mount.ecryptfs* - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache - Allow dovecot to manage Maildir content, fix transitions to Maildir - Allow postfix_local to transition to dovecot_deliver - Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code - Cleanup interface definitions - Allow apmd to change with the logind daemon - Changes required for sanlock in rhel6 - Label /run/user/apache as httpd_tmp_t - Allow thumb to use lib_t as execmod if boolean turned on - Allow squid to create the squid directory in /var with the correct labe - Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com) - Allow virtd to exec xend_exec_t without transition - Allow virtd_lxc_t to unmount all file systems- PolicyKit path has changed - Allow httpd connect to dirsrv socket - Allow tuned to write generic kernel sysctls - Dontaudit logwatch to gettr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Make condor_startd and rgmanager as initrc domain - Allow virsh to read /etc/passwd - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm - Fix files_filetrans_named_content() interface - Add new attribute - initrc_domain - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files- Rename boolean names to remove allow_- Mass merge with upstream * new policy topology to include contrib policy modules * we have now two base policy patches- Fix description of authlogin_nsswitch_use_ldap - Fix transition rule for rhsmcertd_t needed for RHEL7 - Allow useradd to list nfs state data - Allow openvpn to manage its log file and directory - We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly - Allow thumb to use nvidia devices - Allow local_login to create user_tmp_t files for kerberos - Pulseaudio needs to read systemd_login /var/run content - virt should only transition named system_conf_t config files - Allow munin to execute its plugins - Allow nagios system plugin to read /etc/passwd - Allow plugin to connect to soundd port - Fix httpd_passwd to be able to ask passwords - Radius servers can use ldap for backing store - Seems to need to mount on /var/lib for xguest polyinstatiation to work. - Allow systemd_logind to list the contents of gnome keyring - VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL - Add policy for isns-utils- Add policy for subversion daemon - Allow boinc to read passwd - Allow pads to read kernel network state - Fix man2html interface for sepolgen-ifgen - Remove extra /usr/lib/systemd/system/smb - Remove all /lib/systemd and replace with /usr/lib/systemd - Add policy for man2html - Fix the label of kerberos_home_t to krb5_home_t - Allow mozilla plugins to use Citrix - Allow tuned to read /proc/sys/kernel/nmi_watchdog - Allow tune /sys options via systemd's tmpfiles.d "w" type- Dontaudit lpr_t to read/write leaked mozilla tmp files - Add file name transition for .grl-podcasts directory - Allow corosync to read user tmp files - Allow fenced to create snmp lib dirs/files - More fixes for sge policy - Allow mozilla_plugin_t to execute any application - Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain - Allow mongod to read system state information - Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t - Allow polipo to manage polipo_cache dirs - Add jabbar_client port to mozilla_plugin_t - Cleanup procmail policy - system bus will pass around open file descriptors on files that do not have labels on them - Allow l2tpd_t to read system state - Allow tuned to run ls /dev - Allow sudo domains to read usr_t files - Add label to machine-id - Fix corecmd_read_bin_symlinks cut and paste error- Fix pulseaudio port definition - Add labeling for condor_starter - Allow chfn_t to creat user_tmp_files - Allow chfn_t to execute bin_t - Allow prelink_cron_system_t to getpw calls - Allow sudo domains to manage kerberos rcache files - Allow user_mail_domains to work with courie - Port definitions necessary for running jboss apps within openshift - Add support for openstack-nova-metadata-api - Add support for nova-console* - Add support for openstack-nova-xvpvncproxy - Fixes to make privsep+SELinux working if we try to use chage to change passwd - Fix auth_role() interface - Allow numad to read sysfs - Allow matahari-rpcd to execute shell - Add label for ~/.spicec - xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it - Devicekit_disk wants to read the logind sessions file when writing a cd - Add fixes for condor to make condor jobs working correctly - Change label of /var/log/rpmpkgs to cron_log_t - Access requires to allow systemd-tmpfiles --create to work. - Fix obex to be a user application started by the session bus. - Add additional filename trans rules for kerberos - Fix /var/run/heartbeat labeling - Allow apps that are managing rcache to file trans correctly - Allow openvpn to authenticate against ldap server - Containers need to listen to network starting and stopping events- Make systemd unit files less specific- Fix zarafa labeling - Allow guest_t to fix labeling - corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean - add lxc_contexts - Allow accountsd to read /proc - Allow restorecond to getattr on all file sytems - tmpwatch now calls getpw - Allow apache daemon to transition to pwauth domain - Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t - The obex socket seems to be a stream socket - dd label for /var/run/nologin- Allow jetty running as httpd_t to read hugetlbfs files - Allow sys_nice and setsched for rhsmcertd - Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports - Allow setfiles to append to xdm_tmp_t - Add labeling for /export as a usr_t directory - Add labels for .grl files created by gstreamer- Add labeling for /usr/share/jetty/bin/jetty.sh - Add jetty policy which contains file type definitios - Allow jockey to use its own fifo_file and make this the default for all domains - Allow mozilla_plugins to use spice (vnc_port/couchdb) - asterisk wants to read the network state - Blueman now uses /var/lib/blueman- Add label for nodejs_debug - Allow mozilla_plugin_t to create ~/.pki directory and content- Add clamscan_can_scan_system boolean - Allow mysqld to read kernel network state - Allow sshd to read/write condor lib files - Allow sshd to read/write condor-startd tcp socket - Fix description on httpd_graceful_shutdown - Allow glance_registry to communicate with mysql - dbus_system_domain is using systemd to lauch applications - add interfaces to allow domains to send kill signals to user mail agents - Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t - Lots of new access required for secure containers - Corosync needs sys_admin capability - ALlow colord to create shm - .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific - Add boolean to control whether or not mozilla plugins can create random content in the users homedir - Add new interface to allow domains to list msyql_db directories, needed for libra - shutdown has to be allowed to delete etc_runtime_t - Fail2ban needs to read /etc/passwd - Allow ldconfig to create /var/cache/ldconfig - Allow tgtd to read hardware state information - Allow collectd to create packet socket - Allow chronyd to send signal to itself - Allow collectd to read /dev/random - Allow collectd to send signal to itself - firewalld needs to execute restorecon - Allow restorecon and other login domains to execute restorecon- Allow logrotate to getattr on systemd unit files - Add support for tor systemd unit file - Allow apmd to create /var/run/pm-utils with the correct label - Allow l2tpd to send sigkill to pppd - Allow pppd to stream connect to l2tpd - Add label for scripts in /etc/gdm/ - Allow systemd_logind_t to ignore mcs constraints on sigkill - Fix files_filetrans_system_conf_named_files() interface - Add labels for /usr/share/wordpress/wp-includes/*.php - Allow cobbler to get SELinux mode and booleans- Add unconfined_execmem_exec_t as an alias to bin_t - Allow fenced to read snmp var lib files, also allow it to read usr_t - ontaudit access checks on all executables from mozilla_plugin - Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode - Allow systemd_tmpfiles_t to getattr all pipes and sockets - Allow glance-registry to send system log messages - semanage needs to manage mock lib files/dirs- Add policy for abrt-watch-log - Add definitions for jboss_messaging ports - Allow systemd_tmpfiles to manage printer devices - Allow oddjob to use nsswitch - Fix labeling of log files for postgresql - Allow mozilla_plugin_t to execmem and execstack by default - Allow firewalld to execute shell - Fix /etc/wicd content files to get created with the correct label - Allow mcelog to exec shell - Add ~/.orc as a gstreamer_home_t - /var/spool/postfix/lib64 should be labeled lib_t - mpreaper should be able to list all file system labeled directories - Add support for apache to use openstack - Add labeling for /etc/zipl.conf and zipl binary - Turn on allow_execstack and turn off telepathy transition for final release- More access required for virt_qmf_t - Additional assess required for systemd-logind to support multi-seat - Allow mozilla_plugin to setrlimit - Revert changes to fuse file system to stop deadlock- Allow condor domains to connect to ephemeral ports - More fixes for condor policy - Allow keystone to stream connect to mysqld - Allow mozilla_plugin_t to read generic USB device to support GPS devices - Allow thum to file name transition gstreamer home content - Allow thum to read all non security files - Allow glance_api_t to connect to ephemeral ports - Allow nagios plugins to read /dev/urandom - Allow syslogd to search postfix spool to support postfix chroot env - Fix labeling for /var/spool/postfix/dev - Allow wdmd chown - Label .esd_auth as pulseaudio_home_t - Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now- Add support for clamd+systemd - Allow fresclam to execute systemctl to handle clamd - Change labeling for /usr/sbin/rpc.ypasswd.env - Allow yppaswd_t to execute yppaswd_exec_t - Allow yppaswd_t to read /etc/passwd - Gnomekeyring socket has been moved to /run/user/USER/ - Allow samba-net to connect to ldap port - Allow signal for vhostmd - allow mozilla_plugin_t to read user_home_t socket - New access required for secure Linux Containers - zfs now supports xattrs - Allow quantum to execute sudo and list sysfs - Allow init to dbus chat with the firewalld - Allow zebra to read /etc/passwd- Allow svirt_t to create content in the users homedir under ~/.libvirt - Fix label on /var/lib/heartbeat - Allow systemd_logind_t to send kill signals to all processes started by a user - Fuse now supports Xattr Support- upowered needs to setsched on the kernel - Allow mpd_t to manage log files - Allow xdm_t to create /var/run/systemd/multi-session-x - Add rules for missedfont.log to be used by thumb.fc - Additional access required for virt_qmf_t - Allow dhclient to dbus chat with the firewalld - Add label for lvmetad - Allow systemd_logind_t to remove userdomain sock_files - Allow cups to execute usr_t files - Fix labeling on nvidia shared libraries - wdmd_t needs access to sssd and /etc/passwd - Add boolean to allow ftp servers to run in passive mode - Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with - Fix using httpd_use_fusefs - Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox- Rename rdate port to time port, and allow gnomeclock to connect to it - We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda - /etc/auto.* should be labeled bin_t - Add httpd_use_fusefs boolean - Add fixes for heartbeat - Allow sshd_t to signal processes that it transitions to - Add condor policy - Allow svirt to create monitors in ~/.libvirt - Allow dovecot to domtrans sendmail to handle sieve scripts - Lot of fixes for cfengine- /var/run/postmaster.* labeling is no longer needed - Alllow drbdadmin to read /dev/urandom - l2tpd_t seems to use ptmx - group+ and passwd+ should be labeled as /etc/passwd - Zarafa-indexer is a socket- Ensure lastlog is labeled correctly - Allow accountsd to read /proc data about gdm - Add fixes for tuned - Add bcfg2 fixes which were discovered during RHEL6 testing - More fixes for gnome-keyring socket being moved - Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown - Fix description for files_dontaudit_read_security_files() interface- Add new policy and man page for bcfg2 - cgconfig needs to use getpw calls - Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt - gnome-keyring wants to create a directory in cache_home_t - sanlock calls getpw- Add numad policy and numad man page - Add fixes for interface bugs discovered by SEWatch - Add /tmp support for squid - Add fix for #799102 * change default labeling for /var/run/slapd.* sockets - Make thumb_t as userdom_home_reader - label /var/lib/sss/mc same as pubconf, so getpw domains can read it - Allow smbspool running as cups_t to stream connect to nmbd - accounts needs to be able to execute passwd on behalf of users - Allow systemd_tmpfiles_t to delete boot flags - Allow dnssec_trigger to connect to apache ports - Allow gnome keyring to create sock_files in ~/.cache - google_authenticator is using .google_authenticator - sandbox running from within firefox is exposing more leaks - Dontaudit thumb to read/write /dev/card0 - Dontaudit getattr on init_exec_t for gnomeclock_t - Allow certmonger to do a transition to certmonger_unconfined_t - Allow dhcpc setsched which is caused by nmcli - Add rpm_exec_t for /usr/sbin/bcfg2 - system cronjobs are sending dbus messages to systemd_logind - Thumnailers read /dev/urand- Allow auditctl getcap - Allow vdagent to use libsystemd-login - Allow abrt-dump-oops to search /etc/abrt - Got these avc's while trying to print a boarding pass from firefox - Devicekit is now putting the media directory under /run/media - Allow thumbnailers to create content in ~/.thumbails directory - Add support for proL2TPd by Dominick Grift - Allow all domains to call getcap - wdmd seems to get a random chown capability check that it does not need - Allow vhostmd to read kernel sysctls- Allow chronyd to read unix - Allow hpfax to read /etc/passwd - Add support matahari vios-proxy-* apps and add virtd_exec_t label for them - Allow rpcd to read quota_db_t - Update to man pages to match latest policy - Fix bug in jockey interface for sepolgen-ifgen - Add initial svirt_prot_exec_t policy- More fixes for systemd from Dan Walsh- Add a new type for /etc/firewalld and allow firewalld to write to this directory - Add definition for ~/Maildir, and allow mail deliver domains to write there - Allow polipo to run from a cron job - Allow rtkit to schedule wine processes - Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label - Allow users domains to send signals to consolehelper domains- More fixes for boinc policy - Allow polipo domain to create its own cache dir and pid file - Add systemctl support to httpd domain - Add systemctl support to polipo, allow NetworkManager to manage the service - Add policy for jockey-backend - Add support for motion daemon which is now covered by zoneminder policy - Allow colord to read/write motion tmpfs - Allow vnstat to search through var_lib_t directories - Stop transitioning to quota_t, from init an sysadm_t- Add svirt_lxc_file_t as a customizable type- Add additional fixes for icmp nagios plugin - Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin - Add certmonger_unconfined_exec_t - Make sure tap22 device is created with the correct label - Allow staff users to read systemd unit files - Merge in previously built policy - Arpwatch needs to be able to start netlink sockets in order to start - Allow cgred_t to sys_ptrace to look at other DAC Processes- Back port some of the access that was allowed in nsplugin_t - Add definitiona for couchdb ports - Allow nagios to use inherited users ttys - Add git support for mock - Allow inetd to use rdate port - Add own type for rdate port - Allow samba to act as a portmapper - Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev - New fixes needed for samba4 - Allow apps that use lib_t to read lib_t symlinks- Add policy for nove-cert - Add labeling for nova-openstack systemd unit files - Add policy for keystoke- Fix man pages fro domains - Add man pages for SELinux users and roles - Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon - Add policy for matahari-rpcd - nfsd executes mount command on restart - Matahari domains execute renice and setsched - Dontaudit leaked tty in mozilla_plugin_config - mailman is changing to a per instance naming - Add 7600 and 4447 as jboss_management ports - Add fixes for nagios event handlers - Label httpd.event as httpd_exec_t, it is an apache daemon- Add labeling for /var/spool/postfix/dev/log - NM reads sysctl.conf - Iscsi log file context specification fix - Allow mozilla plugins to send dbus messages to user domains that transition to it - Allow mysql to read the passwd file - Allow mozilla_plugin_t to create mozilla home dirs in user homedir - Allow deltacloud to read kernel sysctl - Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself - Allow postgresql_t to connectto itself - Add login_userdomain attribute for users which can log in using terminal- Allow sysadm_u to reach system_r by default #784011 - Allow nagios plugins to use inherited user terminals - Razor labeling is not used no longer - Add systemd support for matahari - Add port_types to man page, move booleans to the top, fix some english - Add support for matahari-sysconfig-console - Clean up matahari.fc - Fix matahari_admin() interfac - Add labels for/etc/ssh/ssh_host_*.pub keys- Allow ksysguardproces to send system log msgs - Allow boinc setpgid and signull - Allow xdm_t to sys_ptrace to run pidof command - Allow smtpd_t to manage spool files/directories and symbolic links - Add labeling for jetty - Needed changes to get unbound/dnssec to work with openswan- Add user_fonts_t alias xfs_tmp_t - Since depmod now runs as insmod_t we need to write to kernel_object_t - Allow firewalld to dbus chat with networkmanager - Allow qpidd to connect to matahari ports - policykit needs to read /proc for uses not owned by it - Allow systemctl apps to connecto the init stream- Turn on deny_ptrace boolean- Remove pam_selinux.8 man page. There was a conflict.- Add proxy class and read access for gssd_proxy - Separate out the sharing public content booleans - Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate - Add label transition for gstream-0.10 and 12 - Add booleans to allow rsync to share nfs and cifs file sytems - chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it - Fix filename transitions for cups files - Allow denyhosts to read "unix" - Add file name transition for locale.conf.new - Allow boinc projects to gconf config files - sssd needs to be able to increase the socket limit under certain loads - sge_execd needs to read /etc/passwd - Allow denyhost to check network state - NetworkManager needs to read sessions data - Allow denyhost to check network state - Allow xen to search virt images directories - Add label for /dev/megaraid_sas_ioctl_node - Add autogenerated man pages- Allow boinc project to getattr on fs - Allow init to execute initrc_state_t - rhev-agent package was rename to ovirt-guest-agent - If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly - sytemd writes content to /run/initramfs and executes it on shutdown - kdump_t needs to read /etc/mtab, should be back ported to F16 - udev needs to load kernel modules in early system boot- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses - Add additional systemd interfaces which are needed fro *_admin interfaces - Fix bind_admin() interface- Allow firewalld to read urand - Alias java, execmem_mono to bin_t to allow third parties - Add label for kmod - /etc/redhat-lsb contains binaries - Add boolean to allow gitosis to send mail - Add filename transition also for "event20" - Allow systemd_tmpfiles_t to delete all file types - Allow collectd to ipc_lock- make consoletype_exec optional, so we can remove consoletype policy - remove unconfined_permisive.patch - Allow openvpn_t to inherit user home content and tmp content - Fix dnssec-trigger labeling - Turn on obex policy for staff_t - Pem files should not be secret - Add lots of rules to fix AVC's when playing with containers - Fix policy for dnssec - Label ask-passwd directories correctly for systemd- sshd fixes seem to be causing unconfined domains to dyntrans to themselves - fuse file system is now being mounted in /run/user - systemd_logind is sending signals to processes that are dbus messaging with it - Add support for winshadow port and allow iscsid to connect to this port - httpd should be allowed to bind to the http_port_t udp socket - zarafa_var_lib_t can be a lnk_file - A couple of new .xsession-errors files - Seems like user space and login programs need to read logind_sessions_files - Devicekit disk seems to be being launched by systemd - Cleanup handling of setfiles so most of rules in te file - Correct port number for dnssec - logcheck has the home dir set to its cache- Add policy for grindengine MPI jobs- Add new sysadm_secadm.pp module * contains secadm definition for sysadm_t - Move user_mail_domain access out of the interface into the te file - Allow httpd_t to create httpd_var_lib_t directories as well as files - Allow snmpd to connect to the ricci_modcluster stream - Allow firewalld to read /etc/passwd - Add auth_use_nsswitch for colord - Allow smartd to read network state - smartdnotify needs to read /etc/group- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory - lxdm startup scripts should be labeled bin_t, so confined users will work - mcstransd now creates a pid, needs back port to F16 - qpidd should be allowed to connect to the amqp port - Label devices 010-029 as usb devices - ypserv packager says ypserv does not use tmp_t so removing selinux policy types - Remove all ptrace commands that I believe are caused by the kernel/ps avcs - Add initial Obex policy - Add logging_syslogd_use_tty boolean - Add polipo_connect_all_unreserved bolean - Allow zabbix to connect to ftp port - Allow systemd-logind to be able to switch VTs - Allow apache to communicate with memcached through a sock_file- Fix file_context.subs_dist for now to work with pre usrmove- More /usr move fixes- Add zabbix_can_network boolean - Add httpd_can_connect_zabbix boolean - Prepare file context labeling for usrmove functions - Allow system cronjobs to read kernel network state - Add support for selinux_avcstat munin plugin - Treat hearbeat with corosync policy - Allow corosync to read and write to qpidd shared mem - mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users context - Turn off dontaudit rules when turning on allow_ypbind - udev now reads /etc/modules.d directory- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out - Cups exchanges dbus messages with init - udisk2 needs to send syslog messages - certwatch needs to read /etc/passwd- Add labeling for udisks2 - Allow fsadmin to communicate with the systemd process- Treat Bip with bitlbee policy * Bip is an IRC proxy - Add port definition for interwise port - Add support for ipa_memcached socket - systemd_jounald needs to getattr on all processes - mdadmin fixes * uses getpw - amavisd calls getpwnam() - denyhosts calls getpwall()- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there - bluetooth says they do not use /tmp and want to remove the type - Allow init to transition to colord - Mongod needs to read /proc/sys/vm/zone_reclaim_mode - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmain to write to inherited dovecot tmp files - setroubleshoot needs to be able to execute rpm to see what version of packages- Merge systemd patch - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nfs_home_dirs boolean for ssh-keygen- Fixes to make rawhide boot in enforcing mode with latest systemd changes- Add labeling for /var/run/systemd/journal/syslog - libvirt sends signals to ifconfig - Allow domains that read logind session files to list them- Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read sympolicy links in this filesystem - Add ubac_constrained rules for chrome_sandbox - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra - Allow postgresql to be executed by the caller - Standardize interfaces of daemons - Add new labeling for mm-handler - Allow all matahari domains to read network state and etc_runtime_t files- New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo - Allow rpc.svcgssd to read supported_krb5_enctype - Allow zarafa domains to read /dev/random and /dev/urandom - Allow snmpd to read dev_snmp6 - Allow procmail to talk with cyrus - Add fixes for check_disk and check_nagios plugins- default trans rules for Rawhide policy - Make sure sound_devices controlC* are labeled correctly on creation - sssd now needs sys_admin - Allow snmp to read all proc_type - Allow to setup users homedir with quota.group- Add httpd_can_connect_ldap() interface - apcupsd_t needs to use seriel ports connected to usb devices - Kde puts procmail mail directory under ~/.local/share - nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now - Add labeling for /sbin/iscsiuio- Add label for /var/lib/iscan/interpreter - Dont audit writes to leaked file descriptors or redirected output for nacl - NetworkManager needs to write to /sys/class/net/ib*/mode- Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute - Allow munin services plugins to use NSCD services- Allow mozilla_plugin_t to manage mozilla_home_t - Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain - Add label for tumblerd- Fixes for xguest package- Fixes related to /bin, /sbin - Allow abrt to getattr on blk files - Add type for rhev-agent log file - Fix labeling for /dev/dmfm - Dontaudit wicd leaking - Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it - Label /etc/locale.conf correctly - Allow user_mail_t to read /dev/random - Allow postfix-smtpd to read MIMEDefang - Add label for /var/log/suphp.log - Allow swat_t to connect and read/write nmbd_t sock_file - Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf - Allow systemd-tmpfiles to change user identity in object contexts - More fixes for rhev_agentd_t consolehelper policy- Use fs_use_xattr for squashf - Fix procs_type interface - Dovecot has a new fifo_file /var/run/dovecot/stats-mail - Dovecot has a new fifo_file /var/run/stats-mail - Colord does not need to connect to network - Allow system_cronjob to dbus chat with NetworkManager - Puppet manages content, want to make sure it labels everything correctly- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it - Allow all postfix domains to use the fifo_file - Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t - Allow apmd_t to read grub.cfg - Let firewallgui read the selinux config - Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp - Fix devicekit_manage_pid_files() interface - Allow squid to check the network state - Dontaudit colord getattr on file systems - Allow ping domains to read zabbix_tmp_t files- Allow mcelog_t to create dir and file in /var/run and label it correctly - Allow dbus to manage fusefs - Mount needs to read process state when mounting gluster file systems - Allow collectd-web to read collectd lib files - Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr - Allow colord to get the attributes of tmpfs filesystem - Add sanlock_use_nfs and sanlock_use_samba booleans - Add bin_t label for /usr/lib/virtualbox/VBoxManage- Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work - Add interface to allow exec of mongod, add port definition for mongod port, 27017 - Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t - Allow spamd and clamd to steam connect to each other - Add policy label for passwd.OLD - More fixes for postfix and postfix maildro - Add ftp support for mozilla plugins - Useradd now needs to manage policy since it calls libsemanage - Fix devicekit_manage_log_files() interface - Allow colord to execute ifconfig - Allow accountsd to read /sys - Allow mysqld-safe to execute shell - Allow openct to stream connect to pcscd - Add label for /var/run/nm-dns-dnsmasq\.conf - Allow networkmanager to chat with virtd_t- Pulseaudio changes - Merge patches- Merge patches back into git repository.- Remove allow_execmem boolean and replace with deny_execmem boolean- Turn back on allow_execmem boolean- Add more MCS fixes to make sandbox working - Make faillog MLS trusted to make sudo_$1_t working - Allow sandbox_web_client_t to read passwd_file_t - Add .mailrc file context - Remove execheap from openoffice domain - Allow chrome_sandbox_nacl_t to read cpu_info - Allow virtd to relabel generic usb which is need if USB device - Fixes for virt.if interfaces to consider chr_file as image file type- Remove Open Office policy - Remove execmem policy- MCS fixes - quota fixes- Remove transitions to consoletype- Make nvidia* to be labeled correctly - Fix abrt_manage_cache() interface - Make filetrans rules optional so base policy will build - Dontaudit chkpwd_t access to inherited TTYS - Make sure postfix content gets created with the correct label - Allow gnomeclock to read cgroup - Fixes for cloudform policy- Check in fixed for Chrome nacl support- Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY's - Allow svirt_lxc domains to send kill signals within their container- Remove qemu.pp again without causing a crash- Remove qemu.pp, everything should use svirt_t or stay in its current domain- Allow policykit to talk to the systemd via dbus - Move chrome_sandbox_nacl_t to permissive domains - Additional rules for chrome_sandbox_nacl- Change bootstrap name to nacl - Chrome still needs execmem - Missing role for chrome_sandbox_bootstrap - Add boolean to remove execmem and execstack from virtual machines - Dontaudit xdm_t doing an access_check on etc_t directories- Allow named to connect to dirsrv by default - add ldapmap1_0 as a krb5_host_rcache_t file - Google chrome developers asked me to add bootstrap policy for nacl stuff - Allow rhev_agentd_t to getattr on mountpoints - Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets- Fixes for cloudform policies which need to connect to random ports - Make sure if an admin creates modules content it creates them with the correct label - Add port 8953 as a dns port used by unbound - Fix file name transition for alsa and confined users- Turn on mock_t and thumb_t for unconfined domains- Policy update should not modify local contexts- Remove ada policy- Remove tzdata policy - Add labeling for udev - Add cloudform policy - Fixes for bootloader policy- Add policies for nova openstack- Add fixes for nova-stack policy- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain - Allow init process to setrlimit on itself - Take away transition rules for users executing ssh-keygen - Allow setroubleshoot_fixit_t to read /dev/urand - Allow sshd to relbale tunnel sockets - Allow fail2ban domtrans to shorewall in the same way as with iptables - Add support for lnk files in the /var/lib/sssd directory - Allow system mail to connect to courier-authdaemon over an unix stream socket- Add passwd_file_t for /etc/ptmptmp- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) - Make corosync to be able to relabelto cluster lib fies - Allow samba domains to search /var/run/nmbd - Allow dirsrv to use pam - Allow thumb to call getuid - chrome less likely to get mmap_zero bug so removing dontaudit - gimp help-browser has built in javascript - Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t - Re-write glance policy- Move dontaudit sys_ptrace line from permissive.te to domain.te - Remove policy for hal, it no longer exists- Don't check md5 size or mtime on certain config files- Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system - Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;- Fixes for bootloader policy - $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore - Allow nsplugin to read /usr/share/config - Allow sa-update to update rules - Add use_fusefs_home_dirs for chroot ssh option - Fixes for grub2 - Update systemd_exec_systemctl() interface - Allow gpg to read the mail spool - More fixes for sa-update running out of cron job - Allow ipsec_mgmt_t to read hardware state information - Allow pptp_t to connect to unreserved_port_t - Dontaudit getattr on initctl in /dev from chfn - Dontaudit getattr on kernel_core from chfn - Add systemd_list_unit_dirs to systemd_exec_systemctl call - Fixes for collectd policy - CHange sysadm_t to create content as user_tmp_t under /tmp- Shrink size of policy through use of attributes for userdomain and apache- Allow virsh to read xenstored pid file - Backport corenetwork fixes from upstream - Do not audit attempts by thumb to search config_home_t dirs (~/.config) - label ~/.cache/telepathy/logger telepathy_logger_cache_home_t - allow thumb to read generic data home files (mime.type)- Allow nmbd to manage sock file in /var/run/nmbd - ricci_modservice send syslog msgs - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user- Fix missing patch from F16- Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by grift - Add new nfsd ports - Added fix to allow confined apps to execmod on chrome - Add labeling for additional vdsm directories - Allow Exim and Dovecot SASL - Add label for /var/run/nmbd - Add fixes to make virsh and xen working together - Colord executes ls - /var/spool/cron is now labeled as user_cron_spool_t- Stop complaining about leaked file descriptors during install- Remove java and mono module and merge into execmem- Fixes for thumb policy and passwd_file_t- Fixes caused by the labeling of /etc/passwd - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide- Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs - move permissive virt_qmf_t from virt.te to permissivedomains.te - Allow ssh_t to use kernel keyrings - Add policy for libvirt-qmf and more fixes for linux containers - Initial Polipo - Sanlock needs to run ranged in order to kill svirt processes - Allow smbcontrol to stream connect to ctdbd- Add label for /etc/passwd- Change unconfined_domains to permissive for Rawhide - Add definition for the ephemeral_ports- Make mta_role() active - Allow asterisk to connect to jabber client port - Allow procmail to read utmp - Add NIS support for systemd_logind_t - Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t - Fix systemd_manage_unit_dirs() interface - Allow ssh_t to manage directories passed into it - init needs to be able to create and delete unit file directories - Fix typo in apache_exec_sys_script - Add ability for logrotate to transition to awstat domain- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state - Add SELinux support for ssh pre-auth net process in F17 - Add logging_syslogd_can_sendmail boolean- Add definition for ephemeral ports - Define user_tty_device_t as a customizable_type- Needs to require a new version of checkpolicy - Interface fixes- Allow sanlock to manage virt lib files - Add virt_use_sanlock booelan - ksmtuned is trying to resolve uids - Make sure .gvfs is labeled user_home_t in the users home directory - Sanlock sends kill signals and needs the kill capability - Allow mockbuild to work on nfs homedirs - Fix kerberos_manage_host_rcache() interface - Allow exim to read system state- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t- Allow collectd to read hardware state information - Add loop_control_device_t - Allow mdadm to request kernel to load module - Allow domains that start other domains via systemctl to search unit dir - systemd_tmpfilses, needs to list any file systems mounted on /tmp - No one can explain why radius is listing the contents of /tmp, so we will dontaudit - If I can manage etc_runtime files, I should be able to read the links - Dontaudit hostname writing to mock library chr_files - Have gdm_t setup labeling correctly in users home dir - Label content unde /var/run/user/NAME/dconf as config_home_t - Allow sa-update to execute shell - Make ssh-keygen working with fips_enabled - Make mock work for staff_t user - Tighten security on mock_t- removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and secure_mode_policyload - Remove unconfined_mount_t- Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy - sssd need to search /var/cache/krb5rcache directory - Allow corosync to relabel own tmp files - Allow zarafa domains to send system log messages - Allow ssh to do tunneling - Allow initrc scripts to sendto init_t unix_stream_socket - Changes to make sure dmsmasq and virt directories are labeled correctly - Changes needed to allow sysadm_t to manage systemd unit files - init is passing file descriptors to dbus and on to system daemons - Allow sulogin additional access Reported by dgrift and Jeremy Miller - Steve Grubb believes that wireshark does not need this access - Fix /var/run/initramfs to stop restorecon from looking at - pki needs another port - Add more labels for cluster scripts - Allow apps that manage cgroup_files to manage cgroup link files - Fix label on nfs-utils scripts directories - Allow gatherd to read /dev/rand and /dev/urand- pki needs another port - Add more labels for cluster scripts - Fix label on nfs-utils scripts directories - Fixes for cluster - Allow gatherd to read /dev/rand and /dev/urand - abrt leaks fifo files- Add glance policy - Allow mdadm setsched - /var/run/initramfs should not be relabeled with a restorecon run - memcache can be setup to override sys_resource - Allow httpd_t to read tetex data - Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.- Allow Postfix to deliver to Dovecot LMTP socket - Ignore bogus sys_module for lldpad - Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock - systemd_logind_t sets the attributes on usb devices - Allow hddtemp_t to read etc_t files - Add permissivedomains module - Move all permissive domains calls to permissivedomain.te - Allow pegasis to send kill signals to other UIDs- Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t unix_stream_sockets - Change sysctl unit file interfaces to use systemctl - Add support for chronyd unit file - Allow mozilla_plugin to read gnome_usr_config - Add policy for new gpsd - Allow cups to create kerberos rhost cache files - Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten- Add policy for sa-update being run out of cron jobs - Add create perms to postgresql_manage_db - ntpd using a gps has to be able to read/write generic tty_device_t - If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev - fix spec file - Remove qemu_domtrans_unconfined() interface - Make passenger working together with puppet - Add init_dontaudit_rw_stream_socket interface - Fixes for wordpress- Turn on allow_domain_fd_use boolean on F16 - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Add abrt_handle_event_t domain for ABRT event scripts - Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change - Allow httpd_git_script_t to read passwd data - Allow openvpn to set its process priority when the nice parameter is used- livecd fixes - spec file fixes- fetchmail can use kerberos - ksmtuned reads in shell programs - gnome_systemctl_t reads the process state of ntp - dnsmasq_t asks the kernel to load multiple kernel modules - Add rules for domains executing systemctl - Bogus text within fc file- Add cfengine policy- Add abrt_domain attribute - Allow corosync to manage cluster lib files - Allow corosync to connect to the system DBUS- Add sblim, uuidd policies - Allow kernel_t dyntrasition to init_t- init_t need setexec - More fixes of rules which cause an explosion in rules by Dan Walsh- Allow rcsmcertd to perform DNS name resolution - Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts - Allow tmux to run as screen - New policy for collectd - Allow gkeyring_t to interact with all user apps - Add rules to allow firstboot to run on machines with the unconfined.pp module removed- Allow systemd_logind to send dbus messages with users - allow accountsd to read wtmp file - Allow dhcpd to get and set capabilities- Fix oracledb_port definition - Allow mount to mounton the selinux file system - Allow users to list /var directories- systemd fixes- Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltclient is connecting to abrt - Dontaudit leaked file descriptors to postdrop - Allow abrt_dump_oops to look at kernel sysctls - Abrt_dump_oops_t reads kernel ring buffer - Allow mysqld to request the kernel to load modules - systemd-login needs fowner - Allow postfix_cleanup_t to searh maildrop- Initial systemd_logind policy - Add policy for systemd_logger and additional proivs for systemd_logind - More fixes for systemd policies- Allow setsched for virsh - Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories - iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-multi- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit - Allow colord to interact with the users through the tmpfs file system - Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files - Add label for /var/log/mcelog - Allow asterisk to read /dev/random if it uses TLS - Allow colord to read ini files which are labeled as bin_t - Allow dirsrvadmin sys_resource and setrlimit to use ulimit - Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. - Also lists /var and /var/spool directories - Add openl2tpd to l2tpd policy - qpidd is reading the sysfs file- Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains - Allow pppd to search /var/lock dir - Add rhsmcertd policy- Update to upstream- More fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git- Fix spec file to not report Verify errors- Add dspam policy - Add lldpad policy - dovecot auth wants to search statfs #713555 - Allow systemd passwd apps to read init fifo_file - Allow prelink to use inherited terminals - Run cherokee in the httpd_t domain - Allow mcs constraints on node connections - Implement pyicqt policy - Fixes for zarafa policy - Allow cobblerd to send syslog messages- Add policy.26 to the payload - Remove olpc stuff - Remove policygentool- Fixes for zabbix - init script needs to be able to manage sanlock_var_run_... - Allow sandlock and wdmd to create /var/run directories... - mixclip.so has been compiled correctly - Fix passenger policy module name- Add mailscanner policy from dgrift - Allow chrome to optionally be transitioned to - Zabbix needs these rules when starting the zabbix_server_mysql - Implement a type for freedesktop openicc standard (~/.local/share/icc) - Allow system_dbusd_t to read inherited icc_data_home_t files. - Allow colord_t to read icc_data_home_t content. #706975 - Label stuff under /usr/lib/debug as if it was labeled under /- Fixes for sanlock policy - Fixes for colord policy - Other fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Add rhev policy module to modules-targeted.conf- Lot of fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Allow logrotate to execute systemctl - Allow nsplugin_t to getattr on gpmctl - Fix dev_getattr_all_chr_files() interface - Allow shorewall to use inherited terms - Allow userhelper to getattr all chr_file devices - sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t - Fix labeling for ABRT Retrace Server- Dontaudit sys_module for ifconfig - Make telepathy and gkeyringd daemon working with confined users - colord wants to read files in users homedir - Remote login should be creating user_tmp_t not its own tmp files- Fix label for /usr/share/munin/plugins/munin_* plugins - Add support for zarafa-indexer - Fix boolean description - Allow colord to getattr on /proc/scsi/scsi - Add label for /lib/upstart/init - Colord needs to list /mnt- Forard port changes from F15 for telepathy - NetworkManager should be allowed to use /dev/rfkill - Fix dontaudit messages to say Domain to not audit - Allow telepathy domains to read/write gnome_cache files - Allow telepathy domains to call getpw - Fixes for colord and vnstatd policy- Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute corosync - colord tries to read files off noxattr file systems - Allow init_t getcap and setcap- Add support for ABRT retrace server - Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners - Allow telepath_msn_t to read /proc/PARENT/cmdline - ftpd needs kill capability - Allow telepath_msn_t to connect to sip port - keyring daemon does not work on nfs homedirs - Allow $1_sudo_t to read default SELinux context - Add label for tgtd sock file in /var/run/ - Add apache_exec_rotatelogs interface - allow all zaraha domains to signal themselves, server writes to /tmp - Allow syslog to read the process state - Add label for /usr/lib/chromium-browser/chrome - Remove the telepathy transition from unconfined_t - Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts - Allow initrc_t domain to manage abrt pid files - Add support for AEOLUS project - Virt_admin should be allowed to manage images and processes - Allow plymountd to send signals to init - Change labeling of fping6- Add filename transitions- Fixes for zarafa policy - Add support for AEOLUS project - Change labeling of fping6 - Allow plymountd to send signals to init - Allow initrc_t domain to manage abrt pid files - Virt_admin should be allowed to manage images and processes- xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl - Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy- Add Dan's patch to remove 64 bit variants - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch - Add labeling for systemd unit files - Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pid - Fixes for matahari policy - Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir - Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on- Fix typo- Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc files - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow sysadm_t to set attributes on fixed disks - allow user domains to execute lsof and look at application sockets - prelink_cron job calls telinit -u if init is rewritten - Fixes to run qemu_t from staff_t- Fix label for /var/run/udev to udev_var_run_t - Mock needs to be able to read network state- Add file_contexts.subs to handle /run and /run/lock - Add other fixes relating to /run changes from F15 policy- Allow $1_sudo_t and $1_su_t open access to user terminals - Allow initrc_t to use generic terminals - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs -systemd is going to be useing /run and /run/lock for early bootup files. - Fix some comments in rlogin.if - Add policy for KDE backlighthelper - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - setroubleshoot reads executables to see if they have TEXTREL - Add /var/spool/audit support for new version of audit - Remove kerberos_connect_524() interface calling - Combine kerberos_master_port_t and kerberos_port_t - systemd has setup /dev/kmsg as stderr for apps it executes - Need these access so that init can impersonate sockets on unix_dgram_socket- Remove some unconfined domains - Remove permissive domains - Add policy-term.patch from Dan- Fix multiple specification for boot.log - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if to generic_if - Should not use deprecated interface - Switch from using all_nodes to generic_node and from all_if to generic_if - Add support for xfce4-notifyd - Fix file context to show several labels as SystemHigh - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs - Add etc_runtime_t label for /etc/securetty - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly - login.krb needs to be able to write user_tmp_t - dirsrv needs to bind to port 7390 for dogtag - Fix a bug in gpg policy - gpg sends audit messages - Allow qpid to manage matahari files- Initial policy for matahari - Add dev_read_watchdog - Allow clamd to connect clamd port - Add support for kcmdatetimehelper - Allow shutdown to setrlimit and sys_nice - Allow systemd_passwd to talk to /dev/log before udev or syslog is running - Purge chr_file and blk files on /tmp - Fixes for pads - Fixes for piranha-pulse - gpg_t needs to be able to encyprt anything owned by the user- mozilla_plugin_tmp_t needs to be treated as user tmp files - More dontaudits of writes from readahead - Dontaudit readahead_t file_type:dir write, to cover up kernel bug - systemd_tmpfiles needs to relabel faillog directory as well as the file - Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost- Add policykit fixes from Tim Waugh - dontaudit sandbox domains sandbox_file_t:dir mounton - Add new dontaudit rules for sysadm_dbusd_t - Change label for /var/run/faillock * other fixes which relate with this change- Update to upstream - Fixes for telepathy - Add port defition for ssdp port - add policy for /bin/systemd-notify from Dan - Mount command requires users read mount_var_run_t - colord needs to read konject_uevent_socket - User domains connect to the gkeyring socket - Add colord policy and allow user_t and staff_t to dbus chat with it - Add lvm_exec_t label for kpartx - Dontaudit reading the mail_spool_t link from sandbox -X - systemd is creating sockets in avahi_var_run and system_dbusd_var_run- gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd - enforce MCS labeling on nodes - Allow arpwatch to read meminfo - Allow gnomeclock to send itself signals - init relabels /dev/.udev files on boot - gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t - nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t - dnsmasq can run as a dbus service, needs acquire service - mysql_admin should be allowed to connect to mysql service - virt creates monitor sockets in the users home dir- Allow usbhid-ups to read hardware state information - systemd-tmpfiles has moved - Allo cgroup to sys_tty_config - For some reason prelink is attempting to read gconf settings - Add allow_daemons_use_tcp_wrapper boolean - Add label for ~/.cache/wocky to make telepathy work in enforcing mode - Add label for char devices /dev/dasd* - Fix for apache_role - Allow amavis to talk to nslcd - allow all sandbox to read selinux poilcy config files - Allow cluster domains to use the system bus and send each other dbus messages- Update to upstream- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Update to ref policy - cgred needs chown capability - Add /dev/crash crash_dev_t - systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability- New labeling for postfmulti #675654 - dontaudit xdm_t listing noxattr file systems - dovecot-auth needs to be able to connect to mysqld via the network as well as locally - shutdown is passed stdout to a xdm_log_t file - smartd creates a fixed disk device - dovecot_etc_t contains a lnk_file that domains need to read - mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot- syslog_t needs syslog capability - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv - Fix for dirsrv policy missing manage_dirs_pattern - corosync needs to delete clvm_tmpfs_t files - qdiskd needs to list hugetlbfs - Move setsched to sandbox_x_domain, so firefox can run without network access - Allow hddtemp to read removable devices - Adding syslog and read_policy permissions to policy * syslog Allow unconfined, sysadm_t, secadm_t, logadm_t * read_policy allow unconfined, sysadm_t, secadm_t, staff_t on Targeted allow sysadm_t (optionally), secadm_t on MLS - mdadm application will write into /sys/.../uevent whenever arrays are assembled or disassembled.- Add tcsd policy- ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resoueces - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory- Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs- Allow nagios plugin to read /proc/meminfo - Fix for mozilla_plugin - Allow samba_net_t to create /etc/keytab - pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t - nslcd can read user credentials - Allow nsplugin to delete mozilla_plugin_tmpfs_t - abrt tries to create dir in rpm_var_lib_t - virt relabels fifo_files - sshd needs to manage content in fusefs homedir - mock manages link files in cache dir- nslcd needs setsched and to read /usr/tmp - Invalid call in likewise policy ends up creating a bogus role - Cannon puts content into /var/lib/bjlib that cups needs to be able to write - Allow screen to create screen_home_t in /root - dirsrv sends syslog messages - pinentry reads stuff in .kde directory - Add labels for .kde directory in homedir - Treat irpinit, iprupdate, iprdump services with raid policy- NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead - Remove permissive domains - Allow newrole to run namespace_init- Add sepgsql_contexts file- Update to upstream- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - Add puppetmaster_use_db boolean - Fixes for zarafa policy - Fixes for gnomeclock poliy - Fix systemd-tmpfiles to use auth_use_nsswitch- gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyinstatiated homedir - Fixes for namespace policy and other fixes related to polyinstantiation - Add namespace policy - Allow dovecot-deliver transition to sendmail which is needed by sieve scripts - Fixes for init, psad policy which relate with confined users - Do not audit bootloader attempts to read devicekit pid files - Allow nagios service plugins to read /proc- Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix duplicate grub def in cobbler - Chrony sends mail, executes shell, uses fifo_file and reads /proc - devicekitdisk getattr all file systems - sambd daemon writes wtmp file - libvirt transitions to dmidecode- Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config- Gnome apps list config_home_t - mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk- Allow xdm and syslog to use /var/log/boot.log - Allow users to communicate with mozilla_plugin and kill it - Add labeling for ipv6 and dhcp- New labels for ghc http content - nsplugin_config needs to read urand, lvm now calls setfscreate to create dev - pm-suspend now creates log file for append access so we remove devicekit_wri - Change authlogin_use_sssd to authlogin_nsswitch_use_ldap - Fixes for greylist_milter policy- Update to upstream - Fixes for systemd policy - Fixes for passenger policy - Allow staff users to run mysqld in the staff_t domain, akonadi needs this - Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py - auth_use_nsswitch does not need avahi to read passwords,needed for resolving data - Dontaudit (xdm_t) gok attempting to list contents of /var/account - Telepathy domains need to read urand - Need interface to getattr all file classes in a mock library for setroubleshoot- Update selinux policy to handle new /usr/share/sandbox/start script- Update to upstream - Fix version of policy in spec file- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs - remove per sandbox domains devpts types - Allow dkim-milter sending signal to itself- Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t - Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup- Turn on systemd policy - mozilla_plugin needs to read certs in the homedir. - Dontaudit leaked file descriptors from devicekit - Fix ircssi to use auth_use_nsswitch - Change to use interface without param in corenet to disable unlabelednet packets - Allow init to relabel sockets and fifo files in /dev - certmonger needs dac* capabilities to manage cert files not owned by root - dovecot needs fsetid to change group membership on mail - plymouthd removes /var/log/boot.log - systemd is creating symlinks in /dev - Change label on /etc/httpd/alias to be all cert_t- Fixes for clamscan and boinc policy - Add boinc_project_t setpgid - Allow alsa to create tmp files in /tmp- Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy- Fixes for lvm to work with systemd- Fix the label for wicd log - plymouthd creates force-display-on-active-vt file - Allow avahi to request the kernel to load a module - Dontaudit hal leaks - Fix gnome_manage_data interface - Add new interface corenet_packet to define a type as being an packet_type. - Removed general access to packet_type from icecast and squid. - Allow mpd to read alsa config - Fix the label for wicd log - Add systemd policy- Fix gnome_manage_data interface - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy- Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools - Allow init to setattr on logfile directories - Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t- Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolean by default - Allow sysadmin to dbus chat with rpm - Add interface for rw_tpm_dev - Allow cron to execute bin - fsadm needs to write sysfs - Dontaudit consoletype reading /var/run/pm-utils - Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin - certmonger needs to manage dirsrv data - /var/run/pm-utils should be labeled as devicekit_var_run_t- fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Allow dovecot to listem on lmtp and sieve ports - Allov ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell- Remove duplicate declaration- Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types- Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0- Put back in lircd_etc_t so policy will install- Turn on allow_postfix_local_write_mail_spool - Allow initrc_t to transition to shutdown_t - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Login programs have to read /etc/samba - New programs under /lib/systemd - Abrt needs to read config files- Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs- Allow nagios plugins to read usr files - Allow mysqld-safe to send system log messages - Fixes fpr ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp - Fix xserver interface - Fix definition of /var/run/lxdm- Turn on mediawiki policy - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap- Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow mpd to be able to read samba/nfs files- Fix up corecommands.fc to match upstream - Make sure /lib/systemd/* is labeled init_exec_t - mount wants to setattr on all mountpoints - dovecot auth wants to read dovecot etc files - nscd daemon looks at the exe file of the comunicating daemon - openvpn wants to read utmp file - postfix apps now set sys_nice and lower limits - remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly - Also resolves nsswitch - Fix labels on /etc/hosts.* - Cleanup to make upsteam patch work - allow abrt to read etc_runtime_t- Add conflicts for dirsrv package- Update to upstream - Add vlock policy- Fix sandbox to work on nfs homedirs - Allow cdrecord to setrlimit - Allow mozilla_plugin to read xauth - Change label on systemd-logger to syslogd_exec_t - Install dirsrv policy from dirsrv package- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it - Udev needs to stream connect to init and kernel - Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory- Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon- Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/*- Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot- Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. - Allow devicekit_power to domtrans to mount - Allow dhcp to bind to udp ports > 1024 to do named stuff - Allow ssh_t to exec ssh_exec_t - Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used - Fix clamav_append_log() intefaces - Fix 'psad_rw_fifo_file' interface- Allow cobblerd to list cobler appache content- Fixup for the latest version of upowed - Dontaudit sandbox sending SIGNULL to desktop apps- Update to upstream-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access - dovecot-auth_t needs ipc_lock - gpm needs to use the user terminal - Allow system_mail_t to append ~/dead.letter - Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf - Add pid file to vnstatd - Allow mount to communicate with gfs_controld - Dontaudit hal leaks in setfiles- Lots of fixes for systemd - systemd now executes readahead and tmpwatch type scripts - Needs to manage random seed- Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream- Fix fusefs handling - Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to connecto its parent - Allow init_t to connect to plymouthd running as kernel_t - Add mediawiki policy - dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. - Disable transition from dbus_session_domain to telepathy for F14 - Allow boinc_project to use shm - Allow certmonger to search through directories that contain certs - Allow fail2ban the DAC Override so it can read log files owned by non root users- Start adding support for use_fusefs_home_dirs - Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanger and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeld samba_share_t- Dontaudit attempts by xdm_t to write to bin_t for kdm - Allow initrc_t to manage system_conf_t- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory. - Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets - Allow confined users to read xdm_etc_t files - Allow xdm_t to transition to xauth_t for lxdm program- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home - Allow clamd to send signals to itself - Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm. - Allow haze to connect to yahoo chat and messenger port tcp:5050. Bz #637339 - Allow guest to run ps command on its processes by allowing it to read /proc - Allow firewallgui to sys_rawio which seems to be required to setup masqerading - Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba. - Add label for /var/log/slim.log- Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota to do quotamod- Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files - Lots of fixes for consolehelper- Fix up Xguest policy- Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t- Update to upstream- Add the ability to send audit messages to confined admin policies - Remove permissive domain from cmirrord and dontaudit sys_tty_config - Split out unconfined_domain() calls from other unconfined_ calls so we can d - virt needs to be able to read processes to clearance for MLS- Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages- Update to upstream- Allow mdadm_t to create files and sock files in /dev/md/- Add policy for ajaxterm- Handle /var/db/sudo - Allow pulseaudio to read alsa config - Allow init to send initrc_t dbus messagesAllow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr intd label vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chat Allow telepath_msn to execute ldconfig and its own tmp files Fix labels on hugepages Allow mdadm to read files on /dev Remove permissive domains and change back to unconfined Allow freshclam to execute shell and bin_t Allow devicekit_power to transition to dhcpc Add boolean to allow icecast to connect to any port- Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs - Allow certmaster to read usr_t files - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm- Allow mdadm_t to read/write hugetlbfs- Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and prelink- Merge with upstream- More access needed for devicekit - Add dbadm policy- Merge with upstream- Allow seunshare to fowner- Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs- Update policy for mozilla_plugin_t- Allow clamscan to read proc_t - Allow mount_t to write to debufs_t dir - Dontaudit mount_t trying to write to security_t dir- Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container- Fix /root/.forward definition- label dead.letter as mail_home_t- Allow login programs to search /cgroups- Fix cert handling- Fix devicekit_power bug - Allow policykit_auth_t more access.- Fix nis calls to allow bind to ports 512-1024 - Fix smartmon- Allow pcscd to read sysfs - systemd fixes - Fix wine_mmap_zero_ignore boolean- Apply Miroslav munin patch - Turn back on allow_execmem and allow_execmod booleans- Merge in fixes from dgrift repository- Update boinc policy - Fix sysstat policy to allow sys_admin - Change failsafe_context to unconfined_r:unconfined_t:s0- New paths for upstart- New permissions for syslog - New labels for /lib/upstart- Add mojomojo policy- Allow systemd to setsockcon on sockets to immitate other services- Remove debugfs label- Update to latest policy- Fix eclipse labeling from IBMSupportAssasstant packageing- Make boot with systemd in enforcing mode- Update to upstream- Add boolean to turn off port forwarding in sshd.- Add support for ebtables - Fixes for rhcs and corosync policy-Update to upstream-Update to upstream-Update to upstream- Add Zarafa policy- Cleanup of aiccu policy - initial mock policy- Lots of random fixes- Update to upstream- Update to upstream - Allow prelink script to signal itself - Cobbler fixes- Add xdm_var_run_t to xserver_stream_connect_xdm - Add cmorrord and mpd policy from Miroslav Grepl- Fix sshd creation of krb cc files for users to be user_tmp_t- Fixes for accountsdialog - Fixes for boinc- Fix label on /var/lib/dokwiki - Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls- Update to upstream- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t - Fix /var/run/abrtd.lock label- Allow login programs to read krb5_home_t Resolves: 594833 - Add obsoletes for cachefilesfd-selinux package Resolves: #575084- Allow mount to r/w abrt fifo file - Allow svirt_t to getattr on hugetlbfs - Allow abrt to create a directory under /var/spool- Add labels for /sys - Allow sshd to getattr on shutdown - Fixes for munin - Allow sssd to use the kernel key ring - Allow tor to send syslog messages - Allow iptabels to read usr files - allow policykit to read all domains state- Fix path for /var/spool/abrt - Allow nfs_t as an entrypoint for http_sys_script_t - Add policy for piranha - Lots of fixes for sosreport- Allow xm_t to read network state and get and set capabilities - Allow policykit to getattr all processes - Allow denyhosts to connect to tcp port 9911 - Allow pyranha to use raw ip sockets and ptrace itself - Allow unconfined_execmem_t and gconfsd mechanism to dbus - Allow staff to kill ping process - Add additional MLS rules- Allow gdm to edit ~/.gconf dir Resolves: #590677 - Allow dovecot to create directories in /var/lib/dovecot Partially resolves 590224 - Allow avahi to dbus chat with NetworkManager - Fix cobbler labels - Dontaudit iceauth_t leaks - fix /var/lib/lxdm file context - Allow aiccu to use tun tap devices - Dontaudit shutdown using xserver.log- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory - Add dontaudit interface for bluetooth dbus - Add chronyd_read_keys, append_keys for initrc_t - Add log support for ksmtuned Resolves: #586663- Allow boinc to send mail- Allow initrc_t to remove dhcpc_state_t - Fix label on sa-update.cron - Allow dhcpc to restart chrony initrc - Don't allow sandbox to send signals to its parent processes - Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t Resolves: #589136- Fix location of oddjob_mkhomedir Resolves: #587385 - fix labeling on /root/.shosts and ~/.shosts - Allow ipsec_mgmt_t to manage net_conf_t Resolves: #586760- Dontaudit sandbox trying to connect to netlink sockets Resolves: #587609 - Add policy for piranha- Fixups for xguest policy - Fixes for running sandbox firefox- Allow ksmtuned to use terminals Resolves: #586663 - Allow lircd to write to generic usb devices- Allow sandbox_xserver to connectto unconfined stream Resolves: #585171- Allow initrc_t to read slapd_db_t Resolves: #585476 - Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf Resolves: #585963- Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t - Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work- Allow virtd_t to manage firewall/iptables config Resolves: #573585- Fix label on /root/.rhosts Resolves: #582760 - Add labels for Picasa - Allow openvpn to read home certs - Allow plymouthd_t to use tty_device_t - Run ncftool as iptables_t - Allow mount to unmount unlabeled_t - Dontaudit hal leaks- Allow livecd to transition to mount- Update to upstream - Allow abrt to delete sosreport Resolves: #579998 - Allow snmp to setuid and gid Resolves: #582155 - Allow smartd to use generic scsi devices Resolves: #582145- Allow ipsec_t to create /etc/resolv.conf with the correct label - Fix reserved port destination - Allow autofs to transition to showmount - Stop crashing tuned- Add telepathysofiasip policy- Update to upstream - Fix label for /opt/google/chrome/chrome-sandbox - Allow modemmanager to dbus with policykit- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) - Allow accountsd to read shadow file - Allow apache to send audit messages when using pam - Allow asterisk to bind and connect to sip tcp ports - Fixes for dovecot 2.0 - Allow initrc_t to setattr on milter directories - Add procmail_home_t for .procmailrc file- Fixes for labels during install from livecd- Fix /cgroup file context - Fix broken afs use of unlabled_t - Allow getty to use the console for s390- Fix cgroup handling adding policy for /cgroup - Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set- Merge patches from dgrift- Update upstream - Allow abrt to write to the /proc under any process- Fix ~/.fontconfig label - Add /root/.cert label - Allow reading of the fixed_file_disk_t:lnk_file if you can read file - Allow qemu_exec_t as an entrypoint to svirt_t- Update to upstream - Allow tmpreaper to delete sandbox sock files - Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems - Fixes for gitosis - No transition on livecd to passwd or chfn - Fixes for denyhosts- Add label for /var/lib/upower - Allow logrotate to run sssd - dontaudit readahead on tmpfs blk files - Allow tmpreaper to setattr on sandbox files - Allow confined users to execute dos files - Allow sysadm_t to kill processes running within its clearance - Add accountsd policy - Fixes for corosync policy - Fixes from crontab policy - Allow svirt to manage svirt_image_t chr files - Fixes for qdisk policy - Fixes for sssd policy - Fixes for newrole policy- make libvirt work on an MLS platform- Add qpidd policy- Update to upstream- Allow boinc to read kernel sysctl - Fix snmp port definitions - Allow apache to read anon_inodefs- Allow shutdown dac_override- Add device_t as a file system - Fix sysfs association- Dontaudit ipsec_mgmt sys_ptrace - Allow at to mail its spool files - Allow nsplugin to search in .pulse directory- Update to upstream- Allow users to dbus chat with xdm - Allow users to r/w wireless_device_t - Dontaudit reading of process states by ipsec_mgmt- Fix openoffice from unconfined_t- Add shutdown policy so consolekit can shutdown system- Update to upstream- Update to upstream- Update to upstream - These are merges of my patches - Remove 389 labeling conflicts - Add MLS fixes found in RHEL6 testing - Allow pulseaudio to run as a service - Add label for mssql and allow apache to connect to this database port if boolean set - Dontaudit searches of debugfs mount point - Allow policykit_auth to send signals to itself - Allow modcluster to call getpwnam - Allow swat to signal winbind - Allow usbmux to run as a system role - Allow svirt to create and use devpts- Add MLS fixes found in RHEL6 testing - Allow domains to append to rpm_tmp_t - Add cachefilesfd policy - Dontaudit leaks when transitioning- Change allow_execstack and allow_execmem booleans to on - dontaudit acct using console - Add label for fping - Allow tmpreaper to delete sandbox_file_t - Fix wine dontaudit mmap_zero - Allow abrt to read var_t symlinks- Additional policy for rgmanager- Allow sshd to setattr on pseudo terms- Update to upstream- Allow policykit to send itself signals- Fix duplicate cobbler definition- Fix file context of /var/lib/avahi-autoipd- Merge with upstream- Allow sandbox to work with MLS- Make Chrome work with staff user- Add icecast policy - Cleanup spec file- Add mcelog policy- Lots of fixes found in F12- Fix rpm_dontaudit_leaks- Add getsched to hald_t - Add file context for Fedora/Redhat Directory Server- Allow abrt_helper to getattr on all filesystems - Add label for /opt/real/RealPlayer/plugins/oggfformat\.so- Add gstreamer_home_t for ~/.gstreamer- Update to upstream- Fix git- Turn on puppet policy - Update to dgrift git policy- Move users file to selection by spec file. - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t- Update to upstream- Remove most of the permissive domains from F12.- Add cobbler policy from dgrift- add usbmon device - Add allow rulse for devicekit_disk- Lots of fixes found in F12, fixes from Tom London- Cleanups from dgrift- Add back xserver_manage_home_fonts- Dontaudit sandbox trying to read nscd and sssd- Update to upstream- Rename udisks-daemon back to devicekit_disk_t policy- Fixes for abrt calls- Add tgtd policy- Update to upstream release- Add asterisk policy back in - Update to upstream release 2.20091117- Update to upstream release 2.20091117- Fixup nut policy- Update to upstream- Allow vpnc request the kernel to load modules- Fix minimum policy installs - Allow udev and rpcbind to request the kernel to load modules- Add plymouth policy - Allow local_login to sys_admin- Allow cupsd_config to read user tmp - Allow snmpd_t to signal itself - Allow sysstat_t to makedir in sysstat_log_t- Update rhcs policy- Allow users to exec restorecond- Allow sendmail to request kernel modules load- Fix all kernel_request_load_module domains- Fix all kernel_request_load_module domains- Remove allow_exec* booleans for confined users. Only available for unconfined_t- More fixes for sandbox_web_t- Allow sshd to create .ssh directory and content- Fix request_module line to module_request- Fix sandbox policy to allow it to run under firefox. - Dont audit leaks.- Fixes for sandbox- Update to upstream - Dontaudit nsplugin search /root - Dontaudit nsplugin sys_nice- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service - Remove policycoreutils-python requirement except for minimum- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files - Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)- Add wordpress/wp-content/uploads label - Fixes for sandbox when run from staff_t- Update to upstream - Fixes for devicekit_disk- More fixes- Lots of fixes for initrc and other unconfined domains- Allow xserver to use netlink_kobject_uevent_socket- Fixes for sandbox- Dontaudit setroubleshootfix looking at /root directory- Update to upsteam- Allow gssd to send signals to users - Fix duplicate label for apache content- Update to upstream- Remove polkit_auth on upgrades- Add back in unconfined.pp and unconfineduser.pp - Add Sandbox unshare- Fixes for cdrecord, mdadm, and others- Add capability setting to dhcpc and gpm- Allow cronjobs to read exim_spool_t- Add ABRT policy- Fix system-config-services policy- Allow libvirt to change user componant of virt_domain- Allow cupsd_config_t to be started by dbus - Add smoltclient policy- Add policycoreutils-python to pre install- Make all unconfined_domains permissive so we can see what AVC's happen- Add pt_chown policy- Add kdump policy for Miroslav Grepl - Turn off execstack boolean- Turn on execstack on a temporary basis (#512845)- Allow nsplugin to connecto the session bus - Allow samba_net to write to coolkey data- Allow devicekit_disk to list inotify- Allow svirt images to create sock_file in svirt_var_run_t- Allow exim to getattr on mountpoints - Fixes for pulseaudio- Allow svirt_t to stream_connect to virtd_t- Allod hald_dccm_t to create sock_files in /tmp- More fixes from upstream- Fix polkit label - Remove hidebrokensymptoms for nss_ldap fix - Add modemmanager policy - Lots of merges from upstream - Begin removing textrel_shlib_t labels, from fixed libraries- Update to upstream- Allow certmaster to override dac permissions- Update to upstream- Fix context for VirtualBox- Update to upstream- Allow clamscan read amavis spool files- Fixes for xguest- fix multiple directory ownership of mandirs- Update to upstream- Add rules for rtkit-daemon- Update to upstream - Fix nlscd_stream_connect- Add rtkit policy- Allow rpcd_t to stream connect to rpcbind- Allow kpropd to create tmp files- Fix last duplicate /var/log/rpmpkgs- Update to upstream * add sssd- Update to upstream * cleanup- Update to upstream - Additional mail ports - Add virt_use_usb boolean for svirt- Fix mcs rules to include chr_file and blk_file- Add label for udev-acl- Additional rules for consolekit/udev, privoxy and various other fixes- New version for upstream- Allow NetworkManager to read inotifyfs- Allow setroubleshoot to run mlocate- Update to upstream- Add fish as a shell - Allow fprintd to list usbfs_t - Allow consolekit to search mountpoints - Add proper labeling for shorewall- New log file for vmware - Allow xdm to setattr on user_tmp_t- Upgrade to upstream- Allow fprintd to access sys_ptrace - Add sandbox policy- Add varnishd policy- Fixes for kpropd- Allow brctl to r/w tun_tap_device_t- Add /usr/share/selinux/packages- Allow rpcd_t to send signals to kernel threads- Fix upgrade for F10 to F11- Add policy for /var/lib/fprint-Remove duplicate line- Allow svirt to manage pci and other sysfs device data- Fix package selection handling- Fix /sbin/ip6tables-save context - Allod udev to transition to mount - Fix loading of mls policy file- Add shorewall policy- Additional rules for fprintd and sssd- Allow nsplugin to unix_read unix_write sem for unconfined_java- Fix uml files to be owned by users- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less- Allow confined users to manage virt_content_t, since this is home dir content - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection- Fix labeling on /var/lib/misc/prelink* - Allow xserver to rw_shm_perms with all x_clients - Allow prelink to execute files in the users home directory- Allow initrc_t to delete dev_null - Allow readahead to configure auditing - Fix milter policy - Add /var/lib/readahead- Update to latest milter code from Paul Howarth- Additional perms for readahead- Allow pulseaudio to acquire_svc on session bus - Fix readahead labeling- Allow sysadm_t to run rpm directly - libvirt needs fowner- Allow sshd to read var_lib symlinks for freenx- Allow nsplugin unix_read and write on users shm and sem - Allow sysadm_t to execute su- Dontaudit attempts to getattr user_tmpfs_t by lvm - Allow nfs to share removable media- Add ability to run postdrop from confined users- Fixes for podsleuth- Turn off nsplugin transition - Remove Konsole leaked file descriptors for release- Allow cupsd_t to create link files in print_spool_t - Fix iscsi_stream_connect typo - Fix labeling on /etc/acpi/actions - Don't reinstall unconfine and unconfineuser on upgrade if they are not installed- Allow audioentroy to read etc files- Add fail2ban_var_lib_t - Fixes for devicekit_power_t- Separate out the ucnonfined user from the unconfined.pp package- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.- Upgrade to latest upstream - Allow devicekit_disk sys_rawio- Dontaudit binds to ports < 1024 for named - Upgrade to latest upstream- Allow podsleuth to use tmpfs files- Add customizable_types for svirt- Allow setroubelshoot exec* privs to prevent crash from bad libraries - add cpufreqselector- Dontaudit listing of /root directory for cron system jobs- Fix missing ld.so.cache label- Add label for ~/.forward and /root/.forward- Fixes for svirt- Fixes to allow svirt read iso files in homedir- Add xenner and wine fixes from mgrepl- Allow mdadm to read/write mls override- Change to svirt to only access svirt_image_t- Fix libvirt policy- Upgrade to latest upstream- Fixes for iscsid and sssd - More cleanups for upgrade from F10 to Rawhide.- Add pulseaudio, sssd policy - Allow networkmanager to exec udevadm- Add pulseaudio context- Upgrade to latest patches- Fixes for libvirt- Update to Latest upstream- Fix setrans.conf to show SystemLow for s0- Further confinement of qemu images via svirt- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild- Allow NetworkManager to manage /etc/NetworkManager/system-connections- add virtual_image_context and virtual_domain_context files- Allow rpcd_t to send signal to mount_t - Allow libvirtd to run ranged- Fix sysnet/net_conf_t- Fix squidGuard labeling- Re-add corenet_in_generic_if(unlabeled_t)* Tue Feb 10 2009 Dan Walsh 3.6.5-2 - Add git web policy- Add setrans contains from upstream- Do transitions outside of the booleans- Allow xdm to create user_tmp_t sockets for switch user to work- Fix staff_t domain- Grab remainder of network_peer_controls patch- More fixes for devicekit- Upgrade to latest upstream- Add boolean to disallow unconfined_t login- Add back transition from xguest to mozilla- Add virt_content_ro_t and labeling for isos directory- Fixes for wicd daemon- More mls/rpm fixes- Add policy to make dbus/nm-applet work- Remove polgen-ifgen from post and add trigger to policycoreutils-python- Add wm policy - Make mls work in graphics mode- Fixed for DeviceKit- Add devicekit policy- Update to upstream- Define openoffice as an x_domain- Fixes for reading xserver_tmp_t- Allow cups_pdf_t write to nfs_t- Remove audio_entropy policy- Update to upstream- Allow hal_acl_t to getattr/setattr fixed_disk- Change userdom_read_all_users_state to include reading symbolic links in /proc- Fix dbus reading /proc information- Add missing alias for home directory content- Fixes for IBM java location- Allow unconfined_r unconfined_java_t- Add cron_role back to user domains- Fix sudo setting of user keys- Allow iptables to talk to terminals - Fixes for policy kit - lots of fixes for booting.- Cleanup policy- Rebuild for Python 2.6- Fix labeling on /var/spool/rsyslog- Allow postgresl to bind to udp nodes- Allow lvm to dbus chat with hal - Allow rlogind to read nfs_t- Fix cyphesis file context- Allow hal/pm-utils to look at /var/run/video.rom - Add ulogd policy- Additional fixes for cyphesis - Fix certmaster file context - Add policy for system-config-samba - Allow hal to read /var/run/video.rom- Allow dhcpc to restart ypbind - Fixup labeling in /var/run- Add certmaster policy- Fix confined users - Allow xguest to read/write xguest_dbusd_t- Allow openoffice execstack/execmem privs- Allow mozilla to run with unconfined_execmem_t- Dontaudit domains trying to write to .xsession-errors- Allow nsplugin to look at autofs_t directory- Allow kerneloops to create tmp files- More alias for fastcgi- Remove mod_fcgid-selinux package- Fix dovecot access- Policy cleanup- Remove Multiple spec - Add include - Fix makefile to not call per_role_expansion- Fix labeling of libGL- Update to upstream- Update to upstream policy- Fixes for confined xwindows and xdm_t- Allow confined users and xdm to exec wm - Allow nsplugin to talk to fifo files on nfs- Allow NetworkManager to transition to avahi and iptables - Allow domains to search other domains keys, coverup kernel bug- Fix labeling for oracle- Allow nsplugin to comminicate with xdm_tmp_t sock_file- Change all user tmpfs_t files to be labeled user_tmpfs_t - Allow radiusd to create sock_files- Upgrade to upstream- Allow confined users to login with dbus- Fix transition to nsplugin- Add file context for /dev/mspblk.*- Fix transition to nsplugin '- Fix labeling on new pm*log - Allow ssh to bind to all nodes- Merge upstream changes - Add Xavier Toth patches- Add qemu_cache_t for /var/cache/libvirt- Remove gamin policy- Add tinyxs-max file system support- Update to upstream - New handling of init scripts- Allow pcsd to dbus - Add memcache policy- Allow audit dispatcher to kill his children- Update to upstream - Fix crontab use by unconfined user- Allow ifconfig_t to read dhcpc_state_t- Update to upstream- Update to upstream- Allow system-config-selinux to work with policykit- Fix novel labeling- Consolodate pyzor,spamassassin, razor into one security domain - Fix xdm requiring additional perms.- Fixes for logrotate, alsa- Eliminate vbetool duplicate entry- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t - Change dhclient to be able to red networkmanager_var_run- Update to latest refpolicy - Fix libsemanage initial install bug- Add inotify support to nscd- Allow unconfined_t to setfcap- Allow amanda to read tape - Allow prewikka cgi to use syslog, allow audisp_t to signal cgi - Add support for netware file systems- Allow ypbind apps to net_bind_service- Allow all system domains and application domains to append to any log file- Allow gdm to read rpm database - Allow nsplugin to read mplayer config files- Allow vpnc to run ifconfig- Allow confined users to use postgres - Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server- Apply unconfined_execmem_exec_t to haskell programs- Fix prelude file context- allow hplip to talk dbus - Fix context on ~/.local dir- Prevent applications from reading x_device- Add /var/lib/selinux context- Update to upstream- Add livecd policy- Dontaudit search of admin_home for init_system_domain - Rewrite of xace interfaces - Lots of new fs_list_inotify - Allow livecd to transition to setfiles_mac- Begin XAce integration- Merge Upstream- Allow amanada to create data files- Fix initial install, semanage setup- Allow system_r for httpd_unconfined_script_t- Remove dmesg boolean - Allow user domains to read/write game data- Change unconfined_t to transition to unconfined_mono_t when running mono - Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work- Remove old booleans from targeted-booleans.conf file- Add boolean to mmap_zero - allow tor setgid - Allow gnomeclock to set clock- Don't run crontab from unconfined_t- Change etc files to config files to allow users to read them- Lots of fixes for confined domains on NFS_t homedir- dontaudit mrtg reading /proc - Allow iscsi to signal itself - Allow gnomeclock sys_ptrace- Allow dhcpd to read kernel network state- Label /var/run/gdm correctly - Fix unconfined_u user creation- Allow transition from initrc_t to getty_t- Allow passwd to communicate with user sockets to change gnome-keyring- Fix initial install- Allow radvd to use fifo_file - dontaudit setfiles reading links - allow semanage sys_resource - add allow_httpd_mod_auth_ntlm_winbind boolean - Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set- Allow nsplugin to read /etc/mozpluggerrc, user_fonts - Allow syslog to manage innd logs. - Allow procmail to ioctl spamd_exec_t- Allow initrc_t to dbus chat with consolekit.- Additional access for nsplugin - Allow xdm setcap/getcap until pulseaudio is fixed- Allow mount to mkdir on tmpfs - Allow ifconfig to search debugfs- Fix file context for MATLAB - Fixes for xace- Allow stunnel to transition to inetd children domains - Make unconfined_dbusd_t an unconfined domain- Fixes for qemu/virtd- Fix bug in mozilla policy to allow xguest transition - This will fix the libsemanage.dbase_llist_query: could not find record value libsemanage.dbase_llist_query: could not query record value (No such file or directory) bug in xguest- Allow nsplugin to run acroread- Add cups_pdf policy - Add openoffice policy to run in xguest- prewika needs to contact mysql - Allow syslog to read system_map files- Change init_t to an unconfined_domain- Allow init to transition to initrc_t on shell exec. - Fix init to be able to sendto init_t. - Allow syslog to connect to mysql - Allow lvm to manage its own fifo_files - Allow bugzilla to use ldap - More mls fixes- fixes for init policy (#436988) - fix build- Additional changes for MLS policy- Fix initrc_context generation for MLS- Fixes for libvirt- Allow bitlebee to read locale_t- More xselinux rules- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t- Prepare policy for beta release - Change some of the system domains back to unconfined - Turn on some of the booleans- Allow nsplugin_config execstack/execmem - Allow nsplugin_t to read alsa config - Change apache to use user content- Add cyphesis policy- Fix Makefile.devel to build mls modules - Fix qemu to be more specific on labeling- Update to upstream fixes- Allow staff to mounton user_home_t- Add xace support- Add fusectl file system- Fixes from yum-cron - Update to latest upstream- Fix userdom_list_user_files- Merge with upstream- Allow udev to send audit messages- Add additional login users interfaces - userdom_admin_login_user_template(staff)- More fixes for polkit- Eliminate transition from unconfined_t to qemu by default - Fixes for gpg- Update to upstream- Fixes for staff_t- Add policy for kerneloops - Add policy for gnomeclock- Fixes for libvirt- Fixes for nsplugin- More fixes for qemu- Additional ports for vnc and allow qemu and libvirt to search all directories- Update to upstream - Add libvirt policy - add qemu policy- Allow fail2ban to create a socket in /var/run- Allow allow_httpd_mod_auth_pam to work- Add audisp policy and prelude- Allow all user roles to executae samba net command- Allow usertypes to read/write noxattr file systems- Fix nsplugin to allow flashplugin to work in enforcing mode- Allow pam_selinux_permit to kill all processes- Allow ptrace or user processes by users of same type - Add boolean for transition to nsplugin- Allow nsplugin sys_nice, getsched, setsched- Allow login programs to talk dbus to oddjob- Add procmail_log support - Lots of fixes for munin- Allow setroubleshoot to read policy config and send audit messages- Allow users to execute all files in homedir, if boolean set - Allow mount to read samba config- Fixes for xguest to run java plugin- dontaudit pam_t and dbusd writing to user_home_t- Update gpg to allow reading of inotify- Change user and staff roles to work correctly with varied perms- Fix munin log, - Eliminate duplicate mozilla file context - fix wpa_supplicant spec- Fix role transition from unconfined_r to system_r when running rpm - Allow unconfined_domains to communicate with user dbus instances- Fixes for xguest- Let all uncofined domains communicate with dbus unconfined- Run rpm in system_r- Zero out customizable types- Fix definiton of admin_home_t- Fix munin file context- Allow cron to run unconfined apps- Modify default login to unconfined_u- Dontaudit dbus user client search of /root- Update to upstream- Fixes for polkit - Allow xserver to ptrace- Add polkit policy - Symplify userdom context, remove automatic per_role changes- Update to upstream - Allow httpd_sys_script_t to search users homedirs- Allow rpm_script to transition to unconfined_execmem_t- Remove user based home directory separation- Remove user specific crond_t- Merge with upstream - Allow xsever to read hwdata_t - Allow login programs to setkeycreate- Update to upstream- Update to upstream- Allow XServer to read /proc/self/cmdline - Fix unconfined cron jobs - Allow fetchmail to transition to procmail - Fixes for hald_mac - Allow system_mail to transition to exim - Allow tftpd to upload files - Allow xdm to manage unconfined_tmp - Allow udef to read alsa config - Fix xguest to be able to connect to sound port- Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir - dontaudit rhgb writes to fonts and root- Fix dnsmasq - Allow rshd full login privs- Allow rshd to connect to ports > 1023- Fix vpn to bind to port 4500 - Allow ssh to create shm - Add Kismet policy- Allow rpm to chat with networkmanager- Fixes for ipsec and exim mail - Change default to unconfined user- Pass the UNK_PERMS param to makefile - Fix gdm location- Make alsa work- Fixes for consolekit and startx sessions- Dontaudit consoletype talking to unconfined_t- Remove homedir_template- Check asound.state- Fix exim policy- Allow tmpreadper to read man_t - Allow racoon to bind to all nodes - Fixes for finger print reader- Allow xdm to talk to input device (fingerprint reader) - Allow octave to run as java- Allow login programs to set ioctl on /proc- Allow nsswitch apps to read samba_var_t- Fix maxima- Eliminate rpm_t:fifo_file avcs - Fix dbus path for helper app- Fix service start stop terminal avc's- Allow also to search var_lib - New context for dbus launcher- Allow cupsd_config_t to read/write usb_device_t - Support for finger print reader, - Many fixes for clvmd - dbus starting networkmanager- Fix java and mono to run in xguest account- Fix to add xguest account when inititial install - Allow mono, java, wine to run in userdomains- Allow xserver to search devpts_t - Dontaudit ldconfig output to homedir- Remove hplip_etc_t change back to etc_t.- Allow cron to search nfs and samba homedirs- Allow NetworkManager to dbus chat with yum-updated- Allow xfs to bind to port 7100- Allow newalias/sendmail dac_override - Allow bind to bind to all udp ports- Turn off direct transition- Allow wine to run in system role- Fix java labeling- Define user_home_type as home_type- Allow sendmail to create etc_aliases_t- Allow login programs to read symlinks on homedirs- Update an readd modules- Cleanup spec file- Allow xserver to be started by unconfined process and talk to tty- Upgrade to upstream to grab postgressql changes- Add setransd for mls policy- Add ldconfig_cache_t- Allow sshd to write to proc_t for afs login- Allow xserver access to urand- allow dovecot to search mountpoints- Fix Makefile for building policy modules- Fix dhcpc startup of service- Fix dbus chat to not happen for xguest and guest users- Fix nagios cgi - allow squid to communicate with winbind- Fixes for ldconfig- Update from upstream- Add nasd support- Fix new usb devices and dmfm- Eliminate mount_ntfs_t policy, merge into mount_t- Allow xserver to write to ramfs mounted by rhgb- Add context for dbus machine id- Update with latest changes from upstream- Fix prelink to handle execmod- Add ntpd_key_t to handle secret data- Add anon_inodefs - Allow unpriv user exec pam_exec_t - Fix trigger- Allow cups to use generic usb - fix inetd to be able to run random apps (git)- Add proper contexts for rsyslogd- Fixes for xguest policy- Allow execution of gconf- Fix moilscanner update problem- Begin adding policy to separate setsebool from semanage - Fix xserver.if definition to not break sepolgen.if- Add new devices- Add brctl policy- Fix root login to include system_r- Allow prelink to read kernel sysctls- Default to user_u:system_r:unconfined_t- fix squid - Fix rpm running as uid- Fix syslog declaration- Allow avahi to access inotify - Remove a lot of bogus security_t:filesystem avcs- Remove ifdef strict policy from upstream- Remove ifdef strict to allow user_u to login- Fix for amands - Allow semanage to read pp files - Allow rhgb to read xdm_xserver_tmp- Allow kerberos servers to use ldap for backing store- allow alsactl to read kernel state- More fixes for alsactl - Transition from hal and modutils - Fixes for suspend resume. - insmod domtrans to alsactl - insmod writes to hal log- Allow unconfined_t to transition to NetworkManager_t - Fix netlabel policy- Update to latest from upstream- Update to latest from upstream- Update to latest from upstream- Allow pcscd_t to send itself signals- Fixes for unix_update - Fix logwatch to be able to search all dirs- Upstream bumped the version- Allow consolekit to syslog - Allow ntfs to work with hal- Allow iptables to read etc_runtime_t- MLS Fixes- Fix path of /etc/lvm/cache directory - Fixes for alsactl and pppd_t - Fixes for consolekit- Allow insmod_t to mount kvmfs_t filesystems- Rwho policy - Fixes for consolekit- fixes for fusefs- Fix samba_net to allow it to view samba_var_t- Update to upstream- Fix Sonypic backlight - Allow snmp to look at squid_conf_t- Fixes for pyzor, cyrus, consoletype on everything installs- Fix hald_acl_t to be able to getattr/setattr on usb devices - Dontaudit write to unconfined_pipes for load_policy- Allow bluetooth to read inotifyfs- Fixes for samba domain controller. - Allow ConsoleKit to look at ttys- Fix interface call- Allow syslog-ng to read /var - Allow locate to getattr on all filesystems - nscd needs setcap- Update to upstream- Allow samba to run groupadd- Update to upstream- Allow mdadm to access generic scsi devices- Fix labeling on udev.tbl dirs- Fixes for logwatch- Add fusermount and mount_ntfs policy- Update to upstream - Allow saslauthd to use kerberos keytabs- Fixes for samba_var_t- Allow networkmanager to setpgid - Fixes for hal_acl_t- Remove disable_trans booleans - hald_acl_t needs to talk to nscd- Fix prelink to be able to manage usr dirs.- Allow insmod to launch init scripts- Remove setsebool policy- Fix handling of unlabled_t packets- More of my patches from upstream- Update to latest from upstream - Add fail2ban policy- Update to remove security_t:filesystem getattr problems- Policy for consolekit- Update to latest from upstream- Revert Nemiver change - Set sudo as a corecmd so prelink will work, remove sudoedit mapping, since this will not work, it does not transition. - Allow samba to execute useradd- Upgrade to the latest from upstream- Add sepolgen support - Add bugzilla policy- Fix file context for nemiver- Remove include sym link- Allow mozilla, evolution and thunderbird to read dev_random. Resolves: #227002 - Allow spamd to connect to smtp port Resolves: #227184 - Fixes to make ypxfr work Resolves: #227237- Fix ssh_agent to be marked as an executable - Allow Hal to rw sound device- Fix spamassisin so crond can update spam files - Fixes to allow kpasswd to work - Fixes for bluetooth- Remove some targeted diffs in file context file- Fix squid cachemgr labeling- Add ability to generate webadm_t policy - Lots of new interfaces for httpd - Allow sshd to login as unconfined_t- Continue fixing, additional user domains- Begin adding user confinement to targeted policy- Fixes for prelink, ktalkd, netlabel- Allow prelink when run from rpm to create tmp files Resolves: #221865 - Remove file_context for exportfs Resolves: #221181 - Allow spamassassin to create ~/.spamassissin Resolves: #203290 - Allow ssh access to the krb tickets - Allow sshd to change passwd - Stop newrole -l from working on non securetty Resolves: #200110 - Fixes to run prelink in MLS machine Resolves: #221233 - Allow spamassassin to read var_lib_t dir Resolves: #219234- fix mplayer to work under strict policy - Allow iptables to use nscd Resolves: #220794- Add gconf policy and make it work with strict- Many fixes for strict policy and by extension mls.- Fix to allow ftp to bind to ports > 1024 Resolves: #219349- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t Resolves: #219421 - Allow sysadm_lpr_t to manage other print spool jobs Resolves: #220080- allow automount to setgid Resolves: #219999- Allow cron to polyinstatiate - Fix creation of boot flags Resolves: #207433- Fixes for irqbalance Resolves: #219606- Fix vixie-cron to work on mls Resolves: #207433Resolves: #218978- Allow initrc to create files in /var directories Resolves: #219227- More fixes for MLS Resolves: #181566- More Fixes polyinstatiation Resolves: #216184- More Fixes polyinstatiation - Fix handling of keyrings Resolves: #216184- Fix polyinstatiation - Fix pcscd handling of terminal Resolves: #218149 Resolves: #218350- More fixes for quota Resolves: #212957- ncsd needs to use avahi sockets Resolves: #217640 Resolves: #218014- Allow login programs to polyinstatiate homedirs Resolves: #216184 - Allow quotacheck to create database files Resolves: #212957- Dontaudit appending hal_var_lib files Resolves: #217452 Resolves: #217571 Resolves: #217611 Resolves: #217640 Resolves: #217725- Fix context for helix players file_context #216942- Fix load_policy to be able to mls_write_down so it can talk to the terminal- Fixes for hwclock, clamav, ftp- Move to upstream version which accepted my patches- Fixes for nvidia driver- Allow semanage to signal mcstrans- Update to upstream- Allow modstorage to edit /etc/fstab file- Fix for qemu, /dev/- Fix path to realplayer.bin- Allow xen to connect to xen port- Allow cups to search samba_etc_t directory - Allow xend_t to list auto_mountpoints- Allow xen to search automount- Fix spec of jre files- Fix unconfined access to shadow file- Allow xend to create files in xen_image_t directories- Fixes for /var/lib/hal- Remove ability for sysadm_t to look at audit.log- Fix rpc_port_types - Add aide policy for mls- Merge with upstream- Lots of fixes for ricci- Allow xen to read/write fixed devices with a boolean - Allow apache to search /var/log- Fix policygentool specfile problem. - Allow apache to send signals to it's logging helpers. - Resolves: rhbz#212731- Add perms for swat- Add perms for swat- Allow daemons to dump core files to /- Fixes for ricci- Allow mount.nfs to work- Allow ricci-modstorage to look at lvm_etc_t- Fixes for ricci using saslauthd- Allow mountpoint on home_dir_t and home_t- Update xen to read nfs files- Allow noxattrfs to associate with other noxattrfs- Allow hal to use power_device_t- Allow procemail to look at autofs_t - Allow xen_image_t to work as a fixed device- Refupdate from upstream- Add lots of fixes for mls cups- Lots of fixes for ricci- Fix number of cats- Update to upstream- More iSCSI changes for #209854- Test ISCSI fixes for #209854- allow semodule to rmdir selinux_config_t dir- Fix boot_runtime_t problem on ppc. Should not be creating these files.- Fix context mounts on reboot - Fix ccs creation of directory in /var/log- Update for tallylog- Allow xend to rewrite dhcp conf files - Allow mgetty sys_admin capability- Make xentapctrl work- Don't transition unconfined_t to bootloader_t - Fix label in /dev/xen/blktap- Patch for labeled networking- Fix crond handling for mls- Update to upstream- Remove bluetooth-helper transition - Add selinux_validate for semanage - Require new version of libsemanage- Fix prelink- Fix rhgb- Fix setrans handling on MLS and useradd- Support for fuse - fix vigr- Fix dovecot, amanda - Fix mls- Allow java execheap for itanium- Update with upstream- mls fixes- Update from upstream- More fixes for mls - Revert change on automount transition to mount- Fix cron jobs to run under the correct context- Fixes to make pppd work- Multiple policy fixes - Change max categories to 1023- Fix transition on mcstransd- Add /dev/em8300 defs- Upgrade to upstream- Fix ppp connections from network manager- Add tty access to all domains boolean - Fix gnome-pty-helper context for ia64- Fixed typealias of firstboot_rw_t- Fix location of xel log files - Fix handling of sysadm_r -> rpm_exec_t- Fixes for autofs, lp- Update from upstream- Fixup for test6- Update to upstream- Update to upstream- Fix suspend to disk problems- Lots of fixes for restarting daemons at the console.- Fix audit line - Fix requires line- Upgrade to upstream- Fix install problems- Allow setroubleshoot to getattr on all dirs to gather RPM data- Set /usr/lib/ia32el/ia32x_loader to unconfined_execmem_exec_t for ia32 platform - Fix spec for /dev/adsp- Fix xen tty devices- Fixes for setroubleshoot- Update to upstream- Fixes for stunnel and postgresql - Update from upstream- Update from upstream - More java fixes- Change allow_execstack to default to on, for RHEL5 Beta. This is required because of a Java compiler problem. Hope to turn off for next beta- Misc fixes- More fixes for strict policy- Quiet down anaconda audit messages- Fix setroubleshootd- Update to the latest from upstream- More fixes for xen- Fix anaconda transitions- yet more xen rules- more xen rules- Fixes for Samba- Fixes for xen- Allow setroubleshootd to send mail- Add nagios policy- fixes for setroubleshoot- Added Paul Howarth patch to only load policy packages shipped with this package - Allow pidof from initrc to ptrace higher level domains - Allow firstboot to communicate with hal via dbus- Add policy for /var/run/ldapi- Fix setroubleshoot policy- Fixes for mls use of ssh - named has a new conf file- Fixes to make setroubleshoot work- Cups needs to be able to read domain state off of printer client- add boolean to allow zebra to write config files- setroubleshootd fixes- Allow prelink to read bin_t symlink - allow xfs to read random devices - Change gfs to support xattr- Remove spamassassin_can_network boolean- Update to upstream - Fix lpr domain for mls- Add setroubleshoot policy- Turn off auditallow on setting booleans- Multiple fixes- Update to upstream- Update to upstream - Add new class for kernel key ring- Update to upstream- Update to upstream- Break out selinux-devel package- Add ibmasmfs- Fix policygentool gen_requires- Update from Upstream- Fix spec of realplay- Update to upstream- Fix semanage- Allow useradd to create_home_dir in MLS environment- Update from upstream- Update from upstream- Add oprofilefs- Fix for hplip and Picasus- Update to upstream- Update to upstream- fixes for spamd- fixes for java, openldap and webalizer- Xen fixes- Upgrade to upstream- allow hal to read boot_t files - Upgrade to upstream- allow hal to read boot_t files- Update from upstream- Fixes for amavis- Update from upstream- Allow auditctl to search all directories- Add acquire service for mono.- Turn off allow_execmem boolean - Allow ftp dac_override when allowed to access users homedirs- Clean up spec file - Transition from unconfined_t to prelink_t- Allow execution of cvs command- Update to upstream- Update to upstream- Fix libjvm spec- Update to upstream- Add xm policy - Fix policygentool- Update to upstream - Fix postun to only disable selinux on full removal of the packages- Allow mono to chat with unconfined- Allow procmail to sendmail - Allow nfs to share dosfs- Update to latest from upstream - Allow selinux-policy to be removed and kernel not to crash- Update to latest from upstream - Add James Antill patch for xen - Many fixes for pegasus- Add unconfined_mount_t - Allow privoxy to connect to httpd_cache - fix cups labeleing on /var/cache/cups- Update to latest from upstream- Update to latest from upstream - Allow mono and unconfined to talk to initrc_t dbus objects- Change libraries.fc to stop shlib_t form overriding texrel_shlib_t- Fix samba creating dirs in homedir - Fix NFS so its booleans would work- Allow secadm_t ability to relabel all files - Allow ftp to search xferlog_t directories - Allow mysql to communicate with ldap - Allow rsync to bind to rsync_port_t- Fixed mailman with Postfix #183928 - Allowed semanage to create file_context files. - Allowed amanda_t to access inetd_t TCP sockets and allowed amanda_recover_t to bind to reserved ports. #149030 - Don't allow devpts_t to be associated with tmp_t. - Allow hald_t to stat all mountpoints. - Added boolean samba_share_nfs to allow smbd_t full access to NFS mounts. - Make mount run in mount_t domain from unconfined_t to prevent mislabeling of /etc/mtab. - Changed the file_contexts to not have a regex before the first ^/[a-z]/ whenever possible, makes restorecon slightly faster. - Correct the label of /etc/named.caching-nameserver.conf - Now label /usr/src/kernels/.+/lib(/.*)? as usr_t instead of /usr/src(/.*)?/lib(/.*)? - I don't think we need anything else under /usr/src hit by this. - Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed xenstored_t rw access to the xen device node.- More textrel_shlib_t file path fixes - Add ada support- Get auditctl working in MLS policy- Add mono dbus support - Lots of file_context fixes for textrel_shlib_t in FC5 - Turn off execmem auditallow since they are filling log files- Update to upstream- Allow automount and dbus to read cert files- Fix ftp policy - Fix secadm running of auditctl- Update to upstream- Update to upstream- Fix policyhelp- Fix pam_console handling of usb_device - dontaudit logwatch reading /mnt dir- Update to upstream- Get transition rules to create policy.20 at SystemHigh- Allow secadmin to shutdown system - Allow sendmail to exec newalias- MLS Fixes dmidecode needs mls_file_read_up - add ypxfr_t - run init needs access to nscd - udev needs setuid - another xen log file - Dontaudit mount getattr proc_kcore_t- fix buildroot usage (#185391)- Get rid of mount/fsdisk scan of /dev messages - Additional fixes for suspend/resume- Fake make to rebuild enableaudit.pp- Get xen networking running.- Fixes for Xen - enableaudit should not be the same as base.pp - Allow ps to work for all process- more xen policy fixups- more xen fixage (#184393)- Fix blkid specification - Allow postfix to execute mailman_que- Blkid changes - Allow udev access to usb_device_t - Fix post script to create targeted policy config file- Allow lvm tools to create drevice dir- Add Xen support- Fixes for cups - Make cryptosetup work with hal- Load Policy needs translock- Fix cups html interface- Add hal changes suggested by Jeremy - add policyhelp to point at policy html pages- Additional fixes for nvidia and cups- Update to upstream - Merged my latest fixes - Fix cups policy to handle unix domain sockets- NSCD socket is in nscd_var_run_t needs to be able to search dir- Fixes Apache interface file- Fixes for new version of cups- Turn off polyinstatiate util after FC5- Fix problem with privoxy talking to Tor- Turn on polyinstatiation- Don't transition from unconfined_t to fsadm_t- Fix policy update model.- Update to upstream- Fix load_policy to work on MLS - Fix cron_rw_system_pipes for postfix_postdrop_t - Allow audotmount to run showmount- Fix swapon - allow httpd_sys_script_t to be entered via a shell - Allow httpd_sys_script_t to read eventpolfs- Update from upstream- allow cron to read apache files- Fix vpnc policy to work from NetworkManager- Update to upstream - Fix semoudle polcy- Update to upstream - fix sysconfig/selinux link- Add router port for zebra - Add imaze port for spamd - Fixes for amanda and java- Fix bluetooth handling of usb devices - Fix spamd reading of ~/ - fix nvidia spec- Update to upsteam- Add users_extra files- Update to upstream- Add semodule policy- Update from upstream- Fix for spamd to use razor port- Fixes for mcs - Turn on mount and fsadm for unconfined_t- Fixes for the -devel package- Fix for spamd to use ldap- Update to upstream- Update to upstream - Fix rhgb, and other Xorg startups- Update to upstream- Separate out role of secadm for mls- Add inotifyfs handling- Update to upstream - Put back in changes for pup/zen- Many changes for MLS - Turn on strict policy- Update to upstream- Update to upstream - Fixes for booting and logging in on MLS machine- Update to upstream - Turn off execheap execstack for unconfined users - Add mono/wine policy to allow execheap and execstack for them - Add execheap for Xdm policy- Update to upstream - Fixes to fetchmail,- Update to upstream- Fix for procmail/spamassasin - Update to upstream - Add rules to allow rpcd to work with unlabeled_networks.- Update to upstream - Fix ftp Man page- Update to upstream- fix pup transitions (#177262) - fix xen disks (#177599)- Update to upstream- More Fixes for hal and readahead- Fixes for hal and readahead- Update to upstream - Apply- Add wine and fix hal problems- Handle new location of hal scripts- Allow su to read /etc/mtab- Update to upstream- Fix "libsemanage.parse_module_headers: Data did not represent a module." problem- Allow load_policy to read /etc/mtab- Fix dovecot to allow dovecot_auth to look at /tmp- Allow restorecon to read unlabeled_t directories in order to fix labeling.- Add Logwatch policy- Fix /dev/ub[a-z] file context- Fix library specification - Give kudzu execmem privs- Fix hostname in targeted policy- Fix passwd command on mls- Lots of fixes to make mls policy work- Add dri libs to textrel_shlib_t - Add system_r role for java - Add unconfined_exec_t for vncserver - Allow slapd to use kerberos- Add man pages- Add enableaudit.pp- Fix mls policy- Update mls file from old version- Add sids back in - Rebuild with update checkpolicy- Fixes to allow automount to use portmap - Fixes to start kernel in s0-s15:c0.c255- Add java unconfined/execmem policy- Add file context for /var/cvs - Dontaudit webalizer search of homedir- Update from upstream- Clean up spec - range_transition crond to SystemHigh- Fixes for hal - Update to upstream- Turn back on execmem since we need it for java, firefox, ooffice - Allow gpm to stream socket to itself- fix requirements to be on the actual packages so that policy can get created properly at install time- Allow unconfined_t to execmod texrel_shlib_t- Update to upstream - Turn off allow_execmem and allow_execmod booleans - Add tcpd and automount policies- Add two new httpd booleans, turned off by default * httpd_can_network_relay * httpd_can_network_connect_db- Add ghost for policy.20- Update to upstream - Turn off boolean allow_execstack- Change setrans-mls to use new libsetrans - Add default_context rule for xdm- Change Requires to PreReg for requiring of policycoreutils on install- New upstream releaseAdd xdm policyUpdate from upstreamUpdate from upstreamUpdate from upstream- Also trigger to rebuild policy for versions up to 2.0.7.- No longer installing policy.20 file, anaconda handles the building of the app.- Fixes for dovecot and saslauthd- Cleanup pegasus and named - Fix spec file - Fix up passwd changing applications-Update to latest from upstream- Add rules for pegasus and avahi- Start building MLS Policy- Update to upstream- Turn on bash- Initial version/bin/sh/bin/shselinux-policy-targeted-sourcesmod_fcgid-selinuxcachefilesd-selinux  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~3.13.1-192.el7_5.63.13.1-192.el7_5.63.13.1-192.el7_5.6 23.13.1-192.el7_5.60.10-1      !!!"""###$$$%%%&&&'''((()))***+++,,,---...///000111222333444555666777888999:::;;;<<<===>>>???@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZ[[[\\\]]]^^^___```aaabbbcccdddeeefffggghhhiiijjjkkklllmmmnnnooopppqqqrrrssstttuuuvvvwwwxxxyyyzzz{{{|||}}}~~~                  !!!"""###$$$%%%&&&'''((()))***+++,,,---...///000111222333444555666777888999:::;;;<<<===>>>???@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZ[[[\\\]]]^^^___```aaabbbcccdddeeefffggghhhiiijjjkkklllmmmnnnooopppqqqrrrssstttuuuvvvwwwxxxyyyzzz{{{|||}}}~~~targeted.policy.sha512activecommit_numfile_contextsfile_contexts.homedirshomedir_templatemodules100abrtcilhlllang_extaccountsdcilhlllang_extacctcilhlllang_extafscilhlllang_extaiccucilhlllang_extaidecilhlllang_extajaxtermcilhlllang_extalsacilhlllang_extamandacilhlllang_extamtucilhlllang_extanacondacilhlllang_extantiviruscilhlllang_extapachecilhlllang_extapcupsdcilhlllang_extapmcilhlllang_extapplicationcilhlllang_extarpwatchcilhlllang_extasteriskcilhlllang_extauditadmcilhlllang_extauthconfigcilhlllang_extauthlogincilhlllang_extautomountcilhlllang_extavahicilhlllang_extawstatscilhlllang_extbaculacilhlllang_extbasecilhlllang_extbcfg2cilhlllang_extbindcilhlllang_extbitlbeecilhlllang_extblkmapdcilhlllang_extbluemancilhlllang_extbluetoothcilhlllang_extboinccilhlllang_extbootloadercilhlllang_extbrctlcilhlllang_extbrlttycilhlllang_extbugzillacilhlllang_extbumblebeecilhlllang_extcachefilesdcilhlllang_extcalamariscilhlllang_extcallweavercilhlllang_extcannacilhlllang_extccscilhlllang_extcdrecordcilhlllang_extcertmastercilhlllang_extcertmongercilhlllang_extcertwatchcilhlllang_extcfenginecilhlllang_extcgdcbxdcilhlllang_extcgroupcilhlllang_extchromecilhlllang_extchronydcilhlllang_extcindercilhlllang_extcipecilhlllang_extclockcilhlllang_extclogdcilhlllang_extcloudformcilhlllang_extcmirrordcilhlllang_extcobblercilhlllang_extcockpitcilhlllang_extcollectdcilhlllang_extcolordcilhlllang_extcomsatcilhlllang_extcondorcilhlllang_extconmancilhlllang_extconsolekitcilhlllang_extcontainercilhlllang_extcouchdbcilhlllang_extcouriercilhlllang_extcpucontrolcilhlllang_extcpufreqselectorcilhlllang_extcpuplugcilhlllang_extcroncilhlllang_extctdbcilhlllang_extcupscilhlllang_extcvscilhlllang_extcyphesiscilhlllang_extcyruscilhlllang_extdaemontoolscilhlllang_extdbadmcilhlllang_extdbskkcilhlllang_extdbuscilhlllang_extdcccilhlllang_extddclientcilhlllang_extdenyhostscilhlllang_extdevicekitcilhlllang_extdhcpcilhlllang_extdictdcilhlllang_extdirsrvdirsrv-admincilhlllang_extcilhlllang_extdmesgcilhlllang_extdmidecodecilhlllang_extdnsmasqcilhlllang_extdnsseccilhlllang_extdovecotcilhlllang_extdrbdcilhlllang_extdspamcilhlllang_extentropydcilhlllang_exteximcilhlllang_extfail2bancilhlllang_extfcoecilhlllang_extfetchmailcilhlllang_extfingercilhlllang_extfirewalldcilhlllang_extfirewallguicilhlllang_extfirstbootcilhlllang_extfprintdcilhlllang_extfreeipmicilhlllang_extfreqsetcilhlllang_extfstoolscilhlllang_extftpcilhlllang_extgamescilhlllang_extganeshacilhlllang_extgdomapcilhlllang_extgeocluecilhlllang_extgettycilhlllang_extgitcilhlllang_extgitosiscilhlllang_extglancecilhlllang_extglusterdcilhlllang_extgnomecilhlllang_extgpgcilhlllang_extgpmcilhlllang_extgpsdcilhlllang_extgssproxycilhlllang_extguestcilhlllang_exthddtempcilhlllang_exthostnamecilhlllang_exthsqldbcilhlllang_exthwloccilhlllang_exthypervkvpcilhlllang_exticecastcilhlllang_extinetdcilhlllang_extinitcilhlllang_extinncilhlllang_extiodinecilhlllang_extiotopcilhlllang_extipacilhlllang_extipmievdcilhlllang_extipseccilhlllang_extiptablescilhlllang_extirccilhlllang_extirqbalancecilhlllang_extiscsicilhlllang_extisnscilhlllang_extjabbercilhlllang_extjettycilhlllang_extjockeycilhlllang_extjournalctlcilhlllang_extkdumpcilhlllang_extkdumpguicilhlllang_extkeepalivedcilhlllang_extkerberoscilhlllang_extkeyboarddcilhlllang_extkeystonecilhlllang_extkismetcilhlllang_extkmsconcilhlllang_extksmtunedcilhlllang_extktalkcilhlllang_extl2tpcilhlllang_extldapcilhlllang_extlibrariescilhlllang_extlikewisecilhlllang_extlinuxptpcilhlllang_extlircdcilhlllang_extlivecdcilhlllang_extlldpadcilhlllang_extloadkeyscilhlllang_extlocallogincilhlllang_extlockdevcilhlllang_extlogadmcilhlllang_extloggingcilhlllang_extlogrotatecilhlllang_extlogwatchcilhlllang_extlpdcilhlllang_extlsmcilhlllang_extlttng-toolscilhlllang_extlvmcilhlllang_extmailmancilhlllang_extmailscannercilhlllang_extman2htmlcilhlllang_extmandbcilhlllang_extmcelogcilhlllang_extmediawikicilhlllang_extmemcachedcilhlllang_extmiltercilhlllang_extminidlnacilhlllang_extminissdpdcilhlllang_extmip6dcilhlllang_extmirrormanagercilhlllang_extmiscfilescilhlllang_extmockcilhlllang_extmodemmanagercilhlllang_extmodutilscilhlllang_extmojomojocilhlllang_extmon_statdcilhlllang_extmongodbcilhlllang_extmotioncilhlllang_extmountcilhlllang_extmozillacilhlllang_extmpdcilhlllang_extmplayercilhlllang_extmrtgcilhlllang_extmtacilhlllang_extmunincilhlllang_extmysqlcilhlllang_extmythtvcilhlllang_extnagioscilhlllang_extnamespacecilhlllang_extncftoolcilhlllang_extnetlabelcilhlllang_extnetutilscilhlllang_extnetworkmanagercilhlllang_extninfodcilhlllang_extniscilhlllang_extnovacilhlllang_extnscdcilhlllang_extnsdcilhlllang_extnslcdcilhlllang_extntopcilhlllang_extntpcilhlllang_extnumadcilhlllang_extnutcilhlllang_extnxcilhlllang_extobexcilhlllang_extoddjobcilhlllang_extopenctcilhlllang_extopendnsseccilhlllang_extopenhpidcilhlllang_extopenshiftopenshift-origincilhlllang_extcilhlllang_extopensmcilhlllang_extopenvpncilhlllang_extopenvswitchcilhlllang_extopenwsmancilhlllang_extoracleasmcilhlllang_extosadcilhlllang_extpadscilhlllang_extpassengercilhlllang_extpcmciacilhlllang_extpcpcilhlllang_extpcscdcilhlllang_extpegasuscilhlllang_extpermissivedomainscillang_extpesigncilhlllang_extpingdcilhlllang_extpiranhacilhlllang_extpkcscilhlllang_extpkicilhlllang_extplymouthdcilhlllang_extpodsleuthcilhlllang_extpolicykitcilhlllang_extpolipocilhlllang_extportmapcilhlllang_extportreservecilhlllang_extpostfixcilhlllang_extpostgresqlcilhlllang_extpostgreycilhlllang_extpppcilhlllang_extprelinkcilhlllang_extpreludecilhlllang_extprivoxycilhlllang_extprocmailcilhlllang_extprosodycilhlllang_extpsadcilhlllang_extptchowncilhlllang_extpublicfilecilhlllang_extpulseaudiocilhlllang_extpuppetcilhlllang_extpwauthcilhlllang_extqmailcilhlllang_extqpidcilhlllang_extquantumcilhlllang_extquotacilhlllang_extrabbitmqcilhlllang_extradiuscilhlllang_extradvdcilhlllang_extraidcilhlllang_extrasdaemoncilhlllang_extrdisccilhlllang_extreadaheadcilhlllang_extrealmdcilhlllang_extrediscilhlllang_extremotelogincilhlllang_extrhcscilhlllang_extrhevcilhlllang_extrhgbcilhlllang_extrhnsdcilhlllang_extrhsmcertdcilhlllang_extriccicilhlllang_extrkhuntercilhlllang_extrlogincilhlllang_extrngdcilhlllang_extroundupcilhlllang_extrpccilhlllang_extrpcbindcilhlllang_extrpmcilhlllang_extrshdcilhlllang_extrsshcilhlllang_extrsynccilhlllang_extrtascilhlllang_extrtkitcilhlllang_extrwhocilhlllang_extsambacilhlllang_extsambaguicilhlllang_extsandboxXcilhlllang_extsanlockcilhlllang_extsaslcilhlllang_extsbdcilhlllang_extsblimcilhlllang_extscreencilhlllang_extsecadmcilhlllang_extsectoolmcilhlllang_extselinuxutilcilhlllang_extsendmailcilhlllang_extsensordcilhlllang_extsetranscilhlllang_extsetroubleshootcilhlllang_extseunsharecilhlllang_extsgecilhlllang_extshorewallcilhlllang_extslocatecilhlllang_extslpdcilhlllang_extsmartmoncilhlllang_extsmokepingcilhlllang_extsmoltclientcilhlllang_extsmsdcilhlllang_extsnappercilhlllang_extsnmpcilhlllang_extsnortcilhlllang_extsosreportcilhlllang_extsoundservercilhlllang_extspamassassincilhlllang_extspeech-dispatchercilhlllang_extsquidcilhlllang_extsshcilhlllang_extsssdcilhlllang_extstaffcilhlllang_extstapservercilhlllang_extstunnelcilhlllang_extsucilhlllang_extsudocilhlllang_extsvnservecilhlllang_extswiftcilhlllang_extsysadmcilhlllang_extsysadm_secadmcilhlllang_extsysnetworkcilhlllang_extsysstatcilhlllang_extsystemdcilhlllang_exttargetdcilhlllang_exttcpdcilhlllang_exttcsdcilhlllang_exttelepathycilhlllang_exttelnetcilhlllang_exttftpcilhlllang_exttgtdcilhlllang_extthincilhlllang_extthumbcilhlllang_exttmpreapercilhlllang_exttomcatcilhlllang_exttorcilhlllang_exttunedcilhlllang_exttvtimecilhlllang_extudevcilhlllang_extulogdcilhlllang_extumlcilhlllang_extunconfinedcilhlllang_extunconfinedusercilhlllang_extunlabelednetcilhlllang_extunprivusercilhlllang_extupdfstabcilhlllang_extusbmodulescilhlllang_extusbmuxdcilhlllang_extuserdomaincilhlllang_extuserhelpercilhlllang_extusermanagecilhlllang_extusernetctlcilhlllang_extuucpcilhlllang_extuuiddcilhlllang_extvarnishdcilhlllang_extvdagentcilhlllang_extvhostmdcilhlllang_extvirtcilhlllang_extvlockcilhlllang_extvmtoolscilhlllang_extvmwarecilhlllang_extvnstatdcilhlllang_extvpncilhlllang_extw3ccilhlllang_extwatchdogcilhlllang_extwdmdcilhlllang_extwebadmcilhlllang_extwebalizercilhlllang_extwinecilhlllang_extwiresharkcilhlllang_extxencilhlllang_extxguestcilhlllang_extxservercilhlllang_extzabbixcilhlllang_extzarafacilhlllang_extzebracilhlllang_extzonemindercilhlllang_extzosremotecilhlllang_extdisabledpolicy.kernpolicy.linkedseusersseusers.linkedusers_extrausers_extra.linkedbooleans.subs_distcontextscustomizable_typesdbus_contextsdefault_contextsdefault_typefailsafe_contextfilesfile_contextsfile_contexts.binfile_contexts.homedirsfile_contexts.homedirs.binfile_contexts.localfile_contexts.local.binfile_contexts.subsfile_contexts.subs_distmediainitrc_contextlxc_contextsremovable_contextsecuretty_typessepgsql_contextssnapperd_contextssystemd_contextsuserhelper_contextusersguest_urootstaff_usysadm_uunconfined_uuser_uxguest_uvirtual_domain_contextvirtual_image_contextx_contextsloginsdocker.pppolicypolicy.31semanage.read.LOCKsemanage.trans.LOCKsetrans.confseusersselinux-policy-migrate-local-changes@targeted.serviceselinux-policy-migrate-local-changes@.serviceselinux-policy-migrate-local-changes.shtargetedbase.lstmodules-base.lstmodules-contrib.lstnonbasemodules.lst/etc/selinux//etc/selinux/targeted//etc/selinux/targeted/active//etc/selinux/targeted/active/modules//etc/selinux/targeted/active/modules/100//etc/selinux/targeted/active/modules/100/abrt//etc/selinux/targeted/active/modules/100/accountsd//etc/selinux/targeted/active/modules/100/acct//etc/selinux/targeted/active/modules/100/afs//etc/selinux/targeted/active/modules/100/aiccu//etc/selinux/targeted/active/modules/100/aide//etc/selinux/targeted/active/modules/100/ajaxterm//etc/selinux/targeted/active/modules/100/alsa//etc/selinux/targeted/active/modules/100/amanda//etc/selinux/targeted/active/modules/100/amtu//etc/selinux/targeted/active/modules/100/anaconda//etc/selinux/targeted/active/modules/100/antivirus//etc/selinux/targeted/active/modules/100/apache//etc/selinux/targeted/active/modules/100/apcupsd//etc/selinux/targeted/active/modules/100/apm//etc/selinux/targeted/active/modules/100/application//etc/selinux/targeted/active/modules/100/arpwatch//etc/selinux/targeted/active/modules/100/asterisk//etc/selinux/targeted/active/modules/100/auditadm//etc/selinux/targeted/active/modules/100/authconfig//etc/selinux/targeted/active/modules/100/authlogin//etc/selinux/targeted/active/modules/100/automount//etc/selinux/targeted/active/modules/100/avahi//etc/selinux/targeted/active/modules/100/awstats//etc/selinux/targeted/active/modules/100/bacula//etc/selinux/targeted/active/modules/100/base//etc/selinux/targeted/active/modules/100/bcfg2//etc/selinux/targeted/active/modules/100/bind//etc/selinux/targeted/active/modules/100/bitlbee//etc/selinux/targeted/active/modules/100/blkmapd//etc/selinux/targeted/active/modules/100/blueman//etc/selinux/targeted/active/modules/100/bluetooth//etc/selinux/targeted/active/modules/100/boinc//etc/selinux/targeted/active/modules/100/bootloader//etc/selinux/targeted/active/modules/100/brctl//etc/selinux/targeted/active/modules/100/brltty//etc/selinux/targeted/active/modules/100/bugzilla//etc/selinux/targeted/active/modules/100/bumblebee//etc/selinux/targeted/active/modules/100/cachefilesd//etc/selinux/targeted/active/modules/100/calamaris//etc/selinux/targeted/active/modules/100/callweaver//etc/selinux/targeted/active/modules/100/canna//etc/selinux/targeted/active/modules/100/ccs//etc/selinux/targeted/active/modules/100/cdrecord//etc/selinux/targeted/active/modules/100/certmaster//etc/selinux/targeted/active/modules/100/certmonger//etc/selinux/targeted/active/modules/100/certwatch//etc/selinux/targeted/active/modules/100/cfengine//etc/selinux/targeted/active/modules/100/cgdcbxd//etc/selinux/targeted/active/modules/100/cgroup//etc/selinux/targeted/active/modules/100/chrome//etc/selinux/targeted/active/modules/100/chronyd//etc/selinux/targeted/active/modules/100/cinder//etc/selinux/targeted/active/modules/100/cipe//etc/selinux/targeted/active/modules/100/clock//etc/selinux/targeted/active/modules/100/clogd//etc/selinux/targeted/active/modules/100/cloudform//etc/selinux/targeted/active/modules/100/cmirrord//etc/selinux/targeted/active/modules/100/cobbler//etc/selinux/targeted/active/modules/100/cockpit//etc/selinux/targeted/active/modules/100/collectd//etc/selinux/targeted/active/modules/100/colord//etc/selinux/targeted/active/modules/100/comsat//etc/selinux/targeted/active/modules/100/condor//etc/selinux/targeted/active/modules/100/conman//etc/selinux/targeted/active/modules/100/consolekit//etc/selinux/targeted/active/modules/100/container//etc/selinux/targeted/active/modules/100/couchdb//etc/selinux/targeted/active/modules/100/courier//etc/selinux/targeted/active/modules/100/cpucontrol//etc/selinux/targeted/active/modules/100/cpufreqselector//etc/selinux/targeted/active/modules/100/cpuplug//etc/selinux/targeted/active/modules/100/cron//etc/selinux/targeted/active/modules/100/ctdb//etc/selinux/targeted/active/modules/100/cups//etc/selinux/targeted/active/modules/100/cvs//etc/selinux/targeted/active/modules/100/cyphesis//etc/selinux/targeted/active/modules/100/cyrus//etc/selinux/targeted/active/modules/100/daemontools//etc/selinux/targeted/active/modules/100/dbadm//etc/selinux/targeted/active/modules/100/dbskk//etc/selinux/targeted/active/modules/100/dbus//etc/selinux/targeted/active/modules/100/dcc//etc/selinux/targeted/active/modules/100/ddclient//etc/selinux/targeted/active/modules/100/denyhosts//etc/selinux/targeted/active/modules/100/devicekit//etc/selinux/targeted/active/modules/100/dhcp//etc/selinux/targeted/active/modules/100/dictd//etc/selinux/targeted/active/modules/100/dirsrv-admin//etc/selinux/targeted/active/modules/100/dirsrv//etc/selinux/targeted/active/modules/100/dmesg//etc/selinux/targeted/active/modules/100/dmidecode//etc/selinux/targeted/active/modules/100/dnsmasq//etc/selinux/targeted/active/modules/100/dnssec//etc/selinux/targeted/active/modules/100/dovecot//etc/selinux/targeted/active/modules/100/drbd//etc/selinux/targeted/active/modules/100/dspam//etc/selinux/targeted/active/modules/100/entropyd//etc/selinux/targeted/active/modules/100/exim//etc/selinux/targeted/active/modules/100/fail2ban//etc/selinux/targeted/active/modules/100/fcoe//etc/selinux/targeted/active/modules/100/fetchmail//etc/selinux/targeted/active/modules/100/finger//etc/selinux/targeted/active/modules/100/firewalld//etc/selinux/targeted/active/modules/100/firewallgui//etc/selinux/targeted/active/modules/100/firstboot//etc/selinux/targeted/active/modules/100/fprintd//etc/selinux/targeted/active/modules/100/freeipmi//etc/selinux/targeted/active/modules/100/freqset//etc/selinux/targeted/active/modules/100/fstools//etc/selinux/targeted/active/modules/100/ftp//etc/selinux/targeted/active/modules/100/games//etc/selinux/targeted/active/modules/100/ganesha//etc/selinux/targeted/active/modules/100/gdomap//etc/selinux/targeted/active/modules/100/geoclue//etc/selinux/targeted/active/modules/100/getty//etc/selinux/targeted/active/modules/100/git//etc/selinux/targeted/active/modules/100/gitosis//etc/selinux/targeted/active/modules/100/glance//etc/selinux/targeted/active/modules/100/glusterd//etc/selinux/targeted/active/modules/100/gnome//etc/selinux/targeted/active/modules/100/gpg//etc/selinux/targeted/active/modules/100/gpm//etc/selinux/targeted/active/modules/100/gpsd//etc/selinux/targeted/active/modules/100/gssproxy//etc/selinux/targeted/active/modules/100/guest//etc/selinux/targeted/active/modules/100/hddtemp//etc/selinux/targeted/active/modules/100/hostname//etc/selinux/targeted/active/modules/100/hsqldb//etc/selinux/targeted/active/modules/100/hwloc//etc/selinux/targeted/active/modules/100/hypervkvp//etc/selinux/targeted/active/modules/100/icecast//etc/selinux/targeted/active/modules/100/inetd//etc/selinux/targeted/active/modules/100/init//etc/selinux/targeted/active/modules/100/inn//etc/selinux/targeted/active/modules/100/iodine//etc/selinux/targeted/active/modules/100/iotop//etc/selinux/targeted/active/modules/100/ipa//etc/selinux/targeted/active/modules/100/ipmievd//etc/selinux/targeted/active/modules/100/ipsec//etc/selinux/targeted/active/modules/100/iptables//etc/selinux/targeted/active/modules/100/irc//etc/selinux/targeted/active/modules/100/irqbalance//etc/selinux/targeted/active/modules/100/iscsi//etc/selinux/targeted/active/modules/100/isns//etc/selinux/targeted/active/modules/100/jabber//etc/selinux/targeted/active/modules/100/jetty//etc/selinux/targeted/active/modules/100/jockey//etc/selinux/targeted/active/modules/100/journalctl//etc/selinux/targeted/active/modules/100/kdump//etc/selinux/targeted/active/modules/100/kdumpgui//etc/selinux/targeted/active/modules/100/keepalived//etc/selinux/targeted/active/modules/100/kerberos//etc/selinux/targeted/active/modules/100/keyboardd//etc/selinux/targeted/active/modules/100/keystone//etc/selinux/targeted/active/modules/100/kismet//etc/selinux/targeted/active/modules/100/kmscon//etc/selinux/targeted/active/modules/100/ksmtuned//etc/selinux/targeted/active/modules/100/ktalk//etc/selinux/targeted/active/modules/100/l2tp//etc/selinux/targeted/active/modules/100/ldap//etc/selinux/targeted/active/modules/100/libraries//etc/selinux/targeted/active/modules/100/likewise//etc/selinux/targeted/active/modules/100/linuxptp//etc/selinux/targeted/active/modules/100/lircd//etc/selinux/targeted/active/modules/100/livecd//etc/selinux/targeted/active/modules/100/lldpad//etc/selinux/targeted/active/modules/100/loadkeys//etc/selinux/targeted/active/modules/100/locallogin//etc/selinux/targeted/active/modules/100/lockdev//etc/selinux/targeted/active/modules/100/logadm//etc/selinux/targeted/active/modules/100/logging//etc/selinux/targeted/active/modules/100/logrotate//etc/selinux/targeted/active/modules/100/logwatch//etc/selinux/targeted/active/modules/100/lpd//etc/selinux/targeted/active/modules/100/lsm//etc/selinux/targeted/active/modules/100/lttng-tools//etc/selinux/targeted/active/modules/100/lvm//etc/selinux/targeted/active/modules/100/mailman//etc/selinux/targeted/active/modules/100/mailscanner//etc/selinux/targeted/active/modules/100/man2html//etc/selinux/targeted/active/modules/100/mandb//etc/selinux/targeted/active/modules/100/mcelog//etc/selinux/targeted/active/modules/100/mediawiki//etc/selinux/targeted/active/modules/100/memcached//etc/selinux/targeted/active/modules/100/milter//etc/selinux/targeted/active/modules/100/minidlna//etc/selinux/targeted/active/modules/100/minissdpd//etc/selinux/targeted/active/modules/100/mip6d//etc/selinux/targeted/active/modules/100/mirrormanager//etc/selinux/targeted/active/modules/100/miscfiles//etc/selinux/targeted/active/modules/100/mock//etc/selinux/targeted/active/modules/100/modemmanager//etc/selinux/targeted/active/modules/100/modutils//etc/selinux/targeted/active/modules/100/mojomojo//etc/selinux/targeted/active/modules/100/mon_statd//etc/selinux/targeted/active/modules/100/mongodb//etc/selinux/targeted/active/modules/100/motion//etc/selinux/targeted/active/modules/100/mount//etc/selinux/targeted/active/modules/100/mozilla//etc/selinux/targeted/active/modules/100/mpd//etc/selinux/targeted/active/modules/100/mplayer//etc/selinux/targeted/active/modules/100/mrtg//etc/selinux/targeted/active/modules/100/mta//etc/selinux/targeted/active/modules/100/munin//etc/selinux/targeted/active/modules/100/mysql//etc/selinux/targeted/active/modules/100/mythtv//etc/selinux/targeted/active/modules/100/nagios//etc/selinux/targeted/active/modules/100/namespace//etc/selinux/targeted/active/modules/100/ncftool//etc/selinux/targeted/active/modules/100/netlabel//etc/selinux/targeted/active/modules/100/netutils//etc/selinux/targeted/active/modules/100/networkmanager//etc/selinux/targeted/active/modules/100/ninfod//etc/selinux/targeted/active/modules/100/nis//etc/selinux/targeted/active/modules/100/nova//etc/selinux/targeted/active/modules/100/nscd//etc/selinux/targeted/active/modules/100/nsd//etc/selinux/targeted/active/modules/100/nslcd//etc/selinux/targeted/active/modules/100/ntop//etc/selinux/targeted/active/modules/100/ntp//etc/selinux/targeted/active/modules/100/numad//etc/selinux/targeted/active/modules/100/nut//etc/selinux/targeted/active/modules/100/nx//etc/selinux/targeted/active/modules/100/obex//etc/selinux/targeted/active/modules/100/oddjob//etc/selinux/targeted/active/modules/100/openct//etc/selinux/targeted/active/modules/100/opendnssec//etc/selinux/targeted/active/modules/100/openhpid//etc/selinux/targeted/active/modules/100/openshift-origin//etc/selinux/targeted/active/modules/100/openshift//etc/selinux/targeted/active/modules/100/opensm//etc/selinux/targeted/active/modules/100/openvpn//etc/selinux/targeted/active/modules/100/openvswitch//etc/selinux/targeted/active/modules/100/openwsman//etc/selinux/targeted/active/modules/100/oracleasm//etc/selinux/targeted/active/modules/100/osad//etc/selinux/targeted/active/modules/100/pads//etc/selinux/targeted/active/modules/100/passenger//etc/selinux/targeted/active/modules/100/pcmcia//etc/selinux/targeted/active/modules/100/pcp//etc/selinux/targeted/active/modules/100/pcscd//etc/selinux/targeted/active/modules/100/pegasus//etc/selinux/targeted/active/modules/100/permissivedomains//etc/selinux/targeted/active/modules/100/pesign//etc/selinux/targeted/active/modules/100/pingd//etc/selinux/targeted/active/modules/100/piranha//etc/selinux/targeted/active/modules/100/pkcs//etc/selinux/targeted/active/modules/100/pki//etc/selinux/targeted/active/modules/100/plymouthd//etc/selinux/targeted/active/modules/100/podsleuth//etc/selinux/targeted/active/modules/100/policykit//etc/selinux/targeted/active/modules/100/polipo//etc/selinux/targeted/active/modules/100/portmap//etc/selinux/targeted/active/modules/100/portreserve//etc/selinux/targeted/active/modules/100/postfix//etc/selinux/targeted/active/modules/100/postgresql//etc/selinux/targeted/active/modules/100/postgrey//etc/selinux/targeted/active/modules/100/ppp//etc/selinux/targeted/active/modules/100/prelink//etc/selinux/targeted/active/modules/100/prelude//etc/selinux/targeted/active/modules/100/privoxy//etc/selinux/targeted/active/modules/100/procmail//etc/selinux/targeted/active/modules/100/prosody//etc/selinux/targeted/active/modules/100/psad//etc/selinux/targeted/active/modules/100/ptchown//etc/selinux/targeted/active/modules/100/publicfile//etc/selinux/targeted/active/modules/100/pulseaudio//etc/selinux/targeted/active/modules/100/puppet//etc/selinux/targeted/active/modules/100/pwauth//etc/selinux/targeted/active/modules/100/qmail//etc/selinux/targeted/active/modules/100/qpid//etc/selinux/targeted/active/modules/100/quantum//etc/selinux/targeted/active/modules/100/quota//etc/selinux/targeted/active/modules/100/rabbitmq//etc/selinux/targeted/active/modules/100/radius//etc/selinux/targeted/active/modules/100/radvd//etc/selinux/targeted/active/modules/100/raid//etc/selinux/targeted/active/modules/100/rasdaemon//etc/selinux/targeted/active/modules/100/rdisc//etc/selinux/targeted/active/modules/100/readahead//etc/selinux/targeted/active/modules/100/realmd//etc/selinux/targeted/active/modules/100/redis//etc/selinux/targeted/active/modules/100/remotelogin//etc/selinux/targeted/active/modules/100/rhcs//etc/selinux/targeted/active/modules/100/rhev//etc/selinux/targeted/active/modules/100/rhgb//etc/selinux/targeted/active/modules/100/rhnsd//etc/selinux/targeted/active/modules/100/rhsmcertd//etc/selinux/targeted/active/modules/100/ricci//etc/selinux/targeted/active/modules/100/rkhunter//etc/selinux/targeted/active/modules/100/rlogin//etc/selinux/targeted/active/modules/100/rngd//etc/selinux/targeted/active/modules/100/roundup//etc/selinux/targeted/active/modules/100/rpc//etc/selinux/targeted/active/modules/100/rpcbind//etc/selinux/targeted/active/modules/100/rpm//etc/selinux/targeted/active/modules/100/rshd//etc/selinux/targeted/active/modules/100/rssh//etc/selinux/targeted/active/modules/100/rsync//etc/selinux/targeted/active/modules/100/rtas//etc/selinux/targeted/active/modules/100/rtkit//etc/selinux/targeted/active/modules/100/rwho//etc/selinux/targeted/active/modules/100/samba//etc/selinux/targeted/active/modules/100/sambagui//etc/selinux/targeted/active/modules/100/sandboxX//etc/selinux/targeted/active/modules/100/sanlock//etc/selinux/targeted/active/modules/100/sasl//etc/selinux/targeted/active/modules/100/sbd//etc/selinux/targeted/active/modules/100/sblim//etc/selinux/targeted/active/modules/100/screen//etc/selinux/targeted/active/modules/100/secadm//etc/selinux/targeted/active/modules/100/sectoolm//etc/selinux/targeted/active/modules/100/selinuxutil//etc/selinux/targeted/active/modules/100/sendmail//etc/selinux/targeted/active/modules/100/sensord//etc/selinux/targeted/active/modules/100/setrans//etc/selinux/targeted/active/modules/100/setroubleshoot//etc/selinux/targeted/active/modules/100/seunshare//etc/selinux/targeted/active/modules/100/sge//etc/selinux/targeted/active/modules/100/shorewall//etc/selinux/targeted/active/modules/100/slocate//etc/selinux/targeted/active/modules/100/slpd//etc/selinux/targeted/active/modules/100/smartmon//etc/selinux/targeted/active/modules/100/smokeping//etc/selinux/targeted/active/modules/100/smoltclient//etc/selinux/targeted/active/modules/100/smsd//etc/selinux/targeted/active/modules/100/snapper//etc/selinux/targeted/active/modules/100/snmp//etc/selinux/targeted/active/modules/100/snort//etc/selinux/targeted/active/modules/100/sosreport//etc/selinux/targeted/active/modules/100/soundserver//etc/selinux/targeted/active/modules/100/spamassassin//etc/selinux/targeted/active/modules/100/speech-dispatcher//etc/selinux/targeted/active/modules/100/squid//etc/selinux/targeted/active/modules/100/ssh//etc/selinux/targeted/active/modules/100/sssd//etc/selinux/targeted/active/modules/100/staff//etc/selinux/targeted/active/modules/100/stapserver//etc/selinux/targeted/active/modules/100/stunnel//etc/selinux/targeted/active/modules/100/su//etc/selinux/targeted/active/modules/100/sudo//etc/selinux/targeted/active/modules/100/svnserve//etc/selinux/targeted/active/modules/100/swift//etc/selinux/targeted/active/modules/100/sysadm//etc/selinux/targeted/active/modules/100/sysadm_secadm//etc/selinux/targeted/active/modules/100/sysnetwork//etc/selinux/targeted/active/modules/100/sysstat//etc/selinux/targeted/active/modules/100/systemd//etc/selinux/targeted/active/modules/100/targetd//etc/selinux/targeted/active/modules/100/tcpd//etc/selinux/targeted/active/modules/100/tcsd//etc/selinux/targeted/active/modules/100/telepathy//etc/selinux/targeted/active/modules/100/telnet//etc/selinux/targeted/active/modules/100/tftp//etc/selinux/targeted/active/modules/100/tgtd//etc/selinux/targeted/active/modules/100/thin//etc/selinux/targeted/active/modules/100/thumb//etc/selinux/targeted/active/modules/100/tmpreaper//etc/selinux/targeted/active/modules/100/tomcat//etc/selinux/targeted/active/modules/100/tor//etc/selinux/targeted/active/modules/100/tuned//etc/selinux/targeted/active/modules/100/tvtime//etc/selinux/targeted/active/modules/100/udev//etc/selinux/targeted/active/modules/100/ulogd//etc/selinux/targeted/active/modules/100/uml//etc/selinux/targeted/active/modules/100/unconfined//etc/selinux/targeted/active/modules/100/unconfineduser//etc/selinux/targeted/active/modules/100/unlabelednet//etc/selinux/targeted/active/modules/100/unprivuser//etc/selinux/targeted/active/modules/100/updfstab//etc/selinux/targeted/active/modules/100/usbmodules//etc/selinux/targeted/active/modules/100/usbmuxd//etc/selinux/targeted/active/modules/100/userdomain//etc/selinux/targeted/active/modules/100/userhelper//etc/selinux/targeted/active/modules/100/usermanage//etc/selinux/targeted/active/modules/100/usernetctl//etc/selinux/targeted/active/modules/100/uucp//etc/selinux/targeted/active/modules/100/uuidd//etc/selinux/targeted/active/modules/100/varnishd//etc/selinux/targeted/active/modules/100/vdagent//etc/selinux/targeted/active/modules/100/vhostmd//etc/selinux/targeted/active/modules/100/virt//etc/selinux/targeted/active/modules/100/vlock//etc/selinux/targeted/active/modules/100/vmtools//etc/selinux/targeted/active/modules/100/vmware//etc/selinux/targeted/active/modules/100/vnstatd//etc/selinux/targeted/active/modules/100/vpn//etc/selinux/targeted/active/modules/100/w3c//etc/selinux/targeted/active/modules/100/watchdog//etc/selinux/targeted/active/modules/100/wdmd//etc/selinux/targeted/active/modules/100/webadm//etc/selinux/targeted/active/modules/100/webalizer//etc/selinux/targeted/active/modules/100/wine//etc/selinux/targeted/active/modules/100/wireshark//etc/selinux/targeted/active/modules/100/xen//etc/selinux/targeted/active/modules/100/xguest//etc/selinux/targeted/active/modules/100/xserver//etc/selinux/targeted/active/modules/100/zabbix//etc/selinux/targeted/active/modules/100/zarafa//etc/selinux/targeted/active/modules/100/zebra//etc/selinux/targeted/active/modules/100/zoneminder//etc/selinux/targeted/active/modules/100/zosremote//etc/selinux/targeted/contexts//etc/selinux/targeted/contexts/files//etc/selinux/targeted/contexts/users//etc/selinux/targeted/modules/active/modules//etc/selinux/targeted/policy//usr/lib/systemd/system/basic.target.wants//usr/lib/systemd/system//usr/libexec/selinux//usr/share/selinux//usr/share/selinux/targeted/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m32 -march=x86-64 -mtune=generic -mfpmath=sse -fasynchronous-unwind-tablescpioxz2noarch-redhat-linux-gnu   directoryASCII textASCII text, with very long lines (bzip2 compressed data, block size = 500k)ASCII text, with no line terminatorsASCII text (bzip2 compressed data, block size = 500k)exported SGML document, ASCII textemptyHTML document, ASCII textcannot open (No such file or directory)Bourne-Again shell script, ASCII text executableASCII text, with very long lines, with no line terminatorsR?7zXZ !#,C ] b2u jӫ`( %;|S$D:1w|z^Y"*@ZJf|E3,,354-_%ONh7 ̆l#L~D*{:cGPzjp*~#C}W{XzEߌnqjR4ݤhlhN˔jo7f@(#>| 8:SNa,h{BP3X[I$gӟv b?&Tr:ly1Df_[izu>JH45`䋷=`,Y0>N0x;Ht^NA?{鿩1t2q8:3 TgMBs{1{4?C%>B7~ˈ2 IℑRz.It f&AaXuMn)H41u#.K5k&%*j{9LgP4Kjge]@4ޛCW@\bgeD>P|hUsR2D]![+'d;h@P=VWt"/0s#Zȇ:/Û gbA~q:LD_0T W1.\+0N#{So{Mފ%MNQ`yKp$Vrbѡ})'^@ HQ#)%](opEDugy~6S]($ Pτ^X\ξC|@rITz[y !v eD}cʋt$(~idB,ƴ~ȍ&(Qh =} HC(800)nP~r-yUpO3Z9}mX:veYu&3I√[g}db^=;ᄖRAEе嘨QdUXhu)frx72Wּ`.!%{ \dBHVd[!25 Ъȱ(S(0}U (.ȁ$q׉ںpXuYdXRj9R僯*dAV~ᮇRm}BBayCOd?vlB$ ➇%6V=1B<^qA&8>j@ĎBS;Q*9>d{ ^3"vLͳz9SEU1*ˆyW@+Px? <`:K!ysa#JDHjRG*3/nI}ecȭU\@~?C+E0?y= hyC^ F[u#Y 1#Hz7[;m`qvSޘ4gԊ[ [5ea ցycsG=[MUSъ`oDu)bV9eRC=KWI߇9ͦwh~ ˈi$ GP7$ !y[bᴯF7$$mJCr )f)x`zy {E%8Zb`#7Ze AϜLdҧ/CxHIId{ K_,k F k4E_ZK[/w!,y5CϽ|JU=GQT8MoSSgՙ#gMh-,T*f =U hRO>J ƈP(0%dP[pd2& Mu0-0+~0N#U0mTj~s2 p[wxQ9v2ڥ(pΣނbc͑t [G<_t0JBH5M!dM!@ quy!N#L?Д^̛=$RPc" z8Rn5]nB Mr}f&90@p?{cg8F=0'h ^;")Qצ3K\֓<%kOF7+~@ !K# ySS9 CJ lr vHlÔSGv@%31U'Yrp6h.ɖYAd\s<06|8dBId xN5z%3?ڎA'[*'_}DdlL;kq t3~3F?қ]qI6Rԯi~~vU~ AM!` TȑE۵pH%"0XgkwI[!4CuPsMGn8N(wW/͘jj _t9-C_kL3o+ڥZv!;Kql>U3V64&<5Y Fod#U,sT.-9|%8|܀@ qܳ]xcw$F˳~G1E%+؄$%zK)1|Kؖ馩.W,*. ֻ]84WWuJ᝱]B: -mP1YDd22vQBad]|;;iv@& i `rbGd)/ $ CY49 PY9f[4]szGUMjjeWa۴O` ]ԤUby'O|O7 MG ܮ\nP2nj!{nҙEQ DI [WB9W{M1Aޢݥm*2,rYk#8(o n٘qPx\Hxj8 ԄϤ{Zqcm{r &,{u4V{_awEi^}<6,ŵ']r7@˻G?.߰{1lQ<6Q.&)*.Sb$6 nuAE~XLM?rƎQ.9CCa(G Hv'99;W^&;o x٧U6Mf|Iφa _Vȇ$f ֚2T;-tKcCMy<]ݘ;G'Aʉ1 @˱nޙVk5M8/w'?ռ-R0["ݢC'.,y ~3YPWC&$ GCO5:uxBtrNR|Kœԋdn(0 a2]k$SXIM'ۃm GA,Q'=:~#maBߵ2p $>DX9NC1 Ѥ*zpUdXDS ;'C"TІ܇ypL^RykH~I-a(8bE!z#nCH$L0JhT/o [oWAs4 *Ç ʂ]I92{SA1ѦiGΒ중8)F~d[b #jlV@Hsj*}%-?ဍ8 L0t B t|`U1v{(|&P/0,BjKܫK.ttS]4ar[@I҆RAlU@q^j(lf䮂K~Stq PpTgڍN@3;$aZI7DS-5v O6!тL:њ ߘîpꈺNί !uK ,DÔUg dm*c}hbrNHfJVV@Ӥa]K?jT6D .Cvv }ގhGݯ&_+k-(ݱX_$H"VL&U.{eygZ7,tֻ#4M?6dRss`?A2g ,"yӅjQE  ,?\K)Nkq3^z<`Aw |99=c~. \ 6_Ct}vn nToB.W~ ^kk!;_>+8H,gVkΨ)9Xr]Sǽ*ZZ{PXg3>KPcOIK  IF*-\3<׾'j(Ax, xj<٠ ȥF~ pd8S4&<++Lce=q\/3WEJ.n<"8z; +G:mV]n-y2 6$-e^pQ<~生9$m]UI.8 `TmЈcf¾T"Gm$Uq-s0I&iʆɿz6V<) 6cNx-Pwj1s2th=NdgX]  vL_ۏ)lG/9 ğ_y[| M;JRe3ך<ɎKa4 ,I>xӨI { yƔsp)/Ra !M?ƶ/XOszUT>JQͬS BoLG̞]t 9|4e ݏs>IW=) yto|_cp1|NNU AEӶ~QsRxzy32G5D%=C_6ejo8|~Bȁ_z6i!yЀY>6'i5mfTl#&S{bzk> Sxxۀ[3G3g8` ㋥gcͱƪDvxio#}MTTǕH& [)f |bP3ڑek<R< ]I(;bzlFL ϾwR#HZ-cH/S&S5P$cf2ʝhŽ2|^n_|a֥c1#z}WXd;(E(bF AǦ⡛'KNhC=)A̷Mp:d[m6b6;*P4g6;N{0H)JTJgpxCsgIYȐ?~Q+fY5r1Ҹ}nekdB57Z6ٲjS$&c#J'b,pɅasRMPutZ"d4&ш>Iӛ?>X\egg/ݽ(BF{WfLHdoX #AC⑪! AM| ( S{l=Z91 slYJ;\Fk"\lKj`Rqt?AG==MĨ yQG ,. IR.3:"R)~/S7Vjkt<.GVb(u Em (z]Ф#W:v#\tc k0Mu󦐔m \\{SLJ ]7?t̑Z]++4f-8 oO3S5oߛx2ΨajS9"4=:BW+*o^F9fOQ. {t{cgxVPLoCi*6 C&vhpO~ԈʯqQjՋ #Ma.$[t_~IH_.h'iJSo%2c2cK'at+pxj2kx!S$xkF6h3)lT:@҂-3Z/TѻEKyjO5u\cq :&_/+ブzsP߇ݐD_뗬ms>ʘ[jrFm[aHrȓn-˓TP,pu-53lޓ17A[;\_9zw"";3kR$a^¸ EjyB4\V,$9I:$6%>S [gcGzQQ3xlCM텵9GwO.$|by_bC U szc`k>] P0)=Vr3{KW@pV_8,tb|RqĠ9"Sd+$ z[d&.]vՄ8TPK l tR @}_thMm8 c$Aq_7LM+BȰ8AL(2,ւp]رoX3R\Uq+ ZHín#H|ϋđ0#A/ >N|So"[WP sפp?Dв:"H1yg ,<=넎'$QKc.Ⱦ~{;՚5TbmPҖM |yOEj-9 Rxv\ G9DiQ`!o>4 :<] \~&V\etbjL0 1 P 0AWb pm.ek*pgHN1~uTR7Ź:!@i߈@a=^LLmuہ0OXZGh_ZcYYU|Oʛ )7 ōtd-7AGFEsP "Ƚj 3~w'ǎ0xge/ |uF,qm y?D%9pz+h[ Up 'qlȏ z{K tjKIC-O < g^JNC荑hMgeʄIҨj?daF8생,W[)aꮩDLk7ݿ‰Y y'+`r991X,t/dsfL[ٴ\ʵ xβX€40TN8c5k17,ʴ[3MyqPl5w@ȯcW4UUT)Oܵ#E˫̡XYibUGSǷT?aP%)dW F0Jc:){-{{L6hQ&O[Y|o;i߷$ LbjV};$8cRh^'-= FFP{7do&o6/C{i-6·»#5o*abaVSs3~ϦTZgգLv-R,o~}pBQC(MR2<ɓ!ݍ0Dho1fn}5`],1 úzzy Q.1Op,u9q0B <ڕuL$E^X6 dpo*?ĿJ"G82Opas+i⬌+@җuVwdcB$sR<7Pp<3,R\f.띂&(+.w= ݮbn͘ ͚4IU~z2':-`!Ѝ㫮 ;P vGY}In-ӟ3i4PnBF([ލC2߯- < tֆQxI\ԞR#^Z685Ey|EAy0Y 2iK2 gH[1.o<Ƚ\ VE6HfHgX<$>Q/\[`mܸ]f\2T7w֮F& ?|x! FET_)LQ9q)2-;rPlq9ȕ|@/J{fv96Z+`$!,sРkӸTF3Fcάܓwa+-4 (2v}fPchx6_ZC% !z-!: 8@f+]{ujv@XXJs'}f'kDY!+$oC%EnTC$43c%VXPZ=ˌ2b#'bꝂ_|XMuNA]+$9ДS+9OSg 02yFOIa No6v:T[U^gOiE2^6<1٧r8{ zpޔ@=T N8- JguFGxO빿_Z , oŅ9kkZuLy<:*@礭(R}(#8MC] 4ds]bvA].Hg"3_ ɿĮT<#8Yx# ɱ:G' `>k l [&FImčZb? ]I ֏'}ͻH3YȢTQ>U?UTqJ߈SэpFqfWW+dq 6ǿΉ'֨Al ϭXI/МyM%Hq- .2I=U I }QB'1zB=>7!ȴwv~ꐢ-?<Ś<$b?,KC7)Dh݃ȕaGbsP_j.g5Cêf\`IeM^n/fe(k^?lygfojʎHO  eM9)۲ hyC357X7Rٗnp3T{gUVKH5¾~k楨Z .-BEˣ(j*4"@2nVh \,Ai CA7⛗ 3rI2G\^p_킑fdbC-M(ў؈Йy&^{5xZ0~0^֓;"}_њWI:q9yxIG,mAv`_R P6m4`":m [>ϗMLS׋<% /3>t;H'v =6û 4m[*W\Ec$FI']ku$Dd/UpUd{~6mXo%nt7Nfӱ|?0sY[ӅB)ف6aRFQ1a8 C>AQv0,yRϝ1EQ ,|J>xs hR{Jk 0=#SJ7*˓ :l1M r߇WC|SPB3VeF-4$e=⫛柈Ԗ]gMZ*!_вL :tvk-܁:W%4Zk3 WsʫKd*Yvnq|Kw6t4“;9~=1^FCPzW-1\.>ϩ`nb|j/@ xB>(i 4(.`emʴ|h7X#:%;{X_V-(! 30jYP$3w0h _ܝu*9r*j+'A}7yC=a\1ucC?w&UZ`PKN5ZΑѪzevx-x9@<>!~Pj1(imO`}1_#A[AdDW->ƽLw=u$x 2G[2l :{*nF6Nc YOrr券9XDšLޚcp!JJE@ux֨\^݂..\ >=4:rP)2N^I]#:Mx,(00߸!3l_YPw Vų#ur{~7N#[ng㝖Hf .b7j=ȳЛl&w(Fw̜G`M h\ ˇۛgM t6z CɰFbbhz?v`.ilnUT~@0d؂0iiI%)vk93פ{o@iY-s\~pJliX,7sn^!YӽҨ#H^ѐ"F"8/dwʅE 6ͪV=/w?ūkqfWD>>3NKcgQ@&kJN\W[~>c&[pr>#j"C+AV0|mK!غCAcb1F].*)?oVv3@&R鏽B} w3L.1dsqa\w^` .oS_kHLdvA$ DR}mȘmkÒTe}:>i>(2s'Ԙ7h(Փ5Me~Q6x$'W[4*ccrLz SغJ5skCshyk#k΂L":DɒzsЀO*P?pa9F84/TEYmf&SXwXԢ=AWfO-TK)30(܁kỲ s 7#<cqf&aby=PkƧs(g ڏ%l(h쎉W7O{fD/3\%&{(um@0_Sfw۪;9sjQ_`Α簬=oԄ['J KI0.>OFN!p5//SB(U6p'aj$,Z#-jq.>9х"x D#Љ8G:g_g`e.C.{yfXG4 hʰVgcVzN0ߢe#C[Z'SG&DCKy'Ovm)pN37FP;Ӆwwe Gv԰De׭w n1i5Sú#'׋ydC}RC+'l@5(Z :7b%h@O<$1~AZz! =ZKa1C6ɿ-D hjFn8ɅݟE’Fc2{X<»(IٺI! -amvM/տ4JMܱtcvh_hZ*uݎF2\ SڮΙ_?] _27C%m8dX1"0I53YPNCpTs(ȤKcP-NAiݶb6 ~ rD@g;_᰽d-~"~:Ս< bGT=\v9(T°eo22fψ"vs??06Y4~sPgxv: zq$eN W1@H2~!n9P~OG;{ue^Siy0xzy9Xlz#s&Z l!t%ӆmKs#Vމ 3Cϒ+nB"C%{ry0cJۗE&C>1e`8C~R`w>sC,v%EF GG.!#L5gZ4'qxU*~Up݉MX`gRjάpc zvUNKozcڷJ8rɛv\07 ?׫\z1he7QmKl-EE`K(Jx 5ZnyJWi{}^7~cvX`.;Oс ꯢǭWcɠmdbG+h86̒}4E~;= h+A?/?zxY!sOh.u\<ΖK+0yd^M6]7秲,۷!e-WV00 ~7@ƃ@vwa9I>QZdixV3lr:8?JoU^Rl+"PM"L :ߕY뛀=6ࣙ "0)B BoTL/J޲~jqh_=t1WL^dUIɂlvB>JTD]4+[aʊdugEpA w I4Q!0#pFFl_s<ٝtFcdF%vjS2io%n';/}-kb8Szʵ˶$ !B!kWi+v.kvpՎ/=jAnpmܯ%G70OL8ҞIH*Ge]\Sɖkn; EDRs~&4z.f8fDf^cъ-.|vM;@Qw9|ے6VZ`4ܖ 98k\{[Zi)aC'EM"/M^x+[˚h*0, h!JMK4Iַ(Bᮃ!UFX^g8彘62-l 1ӀC4;`P= oX`Rkw$Z TiѬZňF|*J!Zx{!/Q%HS9 $#KyT'`lOjN 2ד@%:hmg+5zpW_;@݂1J* 4ǡ }g؜LeU>BfAuWWy, C}T,!:05a"$auX0Ҋ%dMM5$3pdJ x]yO)n)9;ĉ3 w{Ӂ@hq&?m88H<$#yB7+&[Rپ 8 %?>~U]9k7{{ۇu4|0h$xt,0{,^_56'A{<#Ƭ HFVAD\W z3_iD=a -y:3[A IVmx9/m;9xؔ# >'|`Ped g Asc|ЛY_%g=uN;lm^ f!0q>5y-T-IA][ O(`*3(kr2fG+b-аIi-yfoNV%Wj$HlB2bnLJG6e G3POk Xʖ.#σ<-r*XlaywzAQ!B~9?.sZW{>W1}1m~4(@C55L4aݑu; Z$he]IY\{|twK[Zd(6M̰]߻%~cc4,xT_OZЯNpr7bMztծkX1D`5W_RR*t+bx])]{s bɘذmWPX?G{u˃XV%裞/U0芲Pp"buثVǗ!TΔ#6OI,/_~[BJ|8bǦ0 3~zH (kHMqkDZT S#8ae\`&{HT~A[ER`QA8P=d|`cd=~dzd(a]s*JYe*?p 0hnu}V>//@ӧNP,LC&n nPx^o K* 5&ƿ+oSebO8vpkk(̵FHLԼ }IU7 ?KکCaxM'W^<1k 0b  LM#a0gw ЬNė @O>րGt20U { y>LIt (T+MZ +r k=t@F`~jn<Y 5LbTҦT~l96'?Ůj׸59˞<Vx~d\J&;~ն_&Xd?hMG^xe)2jAUJ6&8THr/ԏ1`h| b d?N\uhn үyv,ΝҤ\X_0٬m&#tWhě]=iA:(hTt'QOTZ/|BBAD.=U6NwB5^@0[1Ր9HoG)`)CYn!/ErqVXbcKM=IhDA*46AW)1hRT ~ͪnՌkm~# etd[y;53*:2O 0/'sCZSɶ9;e(Vh8djŐ{:wUg&釾y=lfq2pA[4/R[(is3.f!Bs\G|s+ f8G+f#'Fe%`!dLE笓%@bLa924> +rǔVmF$OcG`l 1aq @IVFi"2Ma!.<pn0<zyG_Uy; 3㠠Ve)4x ]^^ԣ|:0sj_~Rt)oO7WFkr** Apegbpd1J^'cbM/ k q@ʹMa TKQޜwF}í/MwX#hu6ƽ9OJ3ӛ2D'o̤pu=ޕP_'M6 DC7%?` vQ6Kg%ec)<枘^DO:Fؽ^k`Wr?2jxp T"m2!{@"ȲYZ7VR%hU!]LQT/M (7IwӓZWeбahO3v; "BX<P4(O1IJH` sHwnG緷Hɯe p|c"\ ,SG:7w9.Q %-"0-Ae_ :ԙNDN!EEA2ϗ1we ]֑'QBs۾B*_xF=*|4mW9lh߯o3л"J m@V -ǹ+"TT3K .8ь=bmIMcl0}m ,N:+U a(Ybm;TMn8-iP{{~}Y9ljw>g<3ZX0\DjoxMdyv*e:I\F", _Z:?ܭup=mċ /#)}r6%]zoO5deJ[ֵv#X ?/}} w.6Hů1vl)}!:ARgFM?.?lf:CԋeiAhCz]n; ji@*wґΪ˒|SHeP@=R 8>nY'K2HDpcDo F!E ?0VIEu}vAߙXIo1Sb6V4}o]ɻF]ufDkt yޏ_ z.AtʶXIPSdZW _`lĮ>`mozv1CNtbhOF+h-Xܤ5n!iv"Ew)JRq,J{}>䃜b6rh&YYaSؙ{/p_Oj#wXVZ F1[jK;"!wTݟXK jj 8aU=" :qг6sAQY*g7+h}Il|o&6V$J;D³ fPjߣoOf>deQD?vn' |Bʆ OhX9﫟"Ǔʩ =} KR`Սaэ4lͬ v^jw?aSxy=6)iG'jTWN{fsD]ly0)+B% FpUzIױ<# LyPyY (. J7Q2(7,n)aBɛ }J]j3Z򞐉g0ƒPoϴ~X/=S?Ͳ>3#$0J B|fF9iZj9 8a'-Ѱ߈w?6T0(DNCǻ%2kW'2^~ⶹR`$1Î٪X Ů1 0]H(ʮ^ L' AA 7Yf.~G^܂C A'-K4:(xg%tbȂxK ѢDYG8$DGT sm),xbI|*׆ cE@DWkկ(GIum7pTD6,mSVV[eO% b":6o4UV vX_s)yέ1(hI+퇮ַz lk_+β$iy\8mѫEX^-.N"3,7R*:[0sץrE(c\QH TQA~F?⋑m(xk"MlO7pZl( `}ߏ3ݖ7Zq3Q+2ȿ7:;kl_A3RA$2D$HT7Jy1N-͉KmbiX>rd_c{>{߆$թ>.{eXf~2>>6B 'LjQ?43-E-o'%NaBZF^XHMmR\u`);"o Ncܓ: d;io:C7!]%g_a?v>5x`& Pm]] v'bBUPnm`}(#[Y(%$ZnԮ*4y5}EVR_5Y:KxQz!: T]T6%-?C#S; Z؆&y+LN: sq($a3ya@1䴀X_,*7i2E'؅~aoEZ*y{%{fu%G< ^E)UMtɝp֯jD_˳gZk /OI]}BY Pā`gw Z?8n[(o_blKQfԺYGC[;(͚ CҪ[[߿r4GuBK|N2*+z(g  oS!˙_XokVy> 5e,OZ`e9;tf^P/ Vrƶ" #)ʃى|2!nhP]k4!04w},R̥h"N= ,W{r,}iP6zä=-zRKk, jaaZM@x2:l>h-$,B2]bdd13A=5J+&!z%09ᄽPw1kkBS :&;JW]0qv]eN3& }K6xЫ t|K+t(ZM8H^kG YoU%w8 (YEyH8TQ]Ci_;TϴOn33.Y46*?U{ʙ&cZwE-b7y śhO=2}tắ*b]Rq*JYɰtT-¦f##q^̧!`Dly o+>2]w65FTww\qa Cż@cwpa``4KEJz]u˽$//j:jZӹj䆈u^LGGz%  wuEJƔ+qJCϵ&v^HBf4橷\ >A2>˜ĘY-?=되3^R,,|6 Т@St,h/Reoɖ<~%5`,ݹ%HT\;o}j≄(Hc"7 Yz娝`q^9SAFch I>PHZآXZ3ׅ =nyпzDѠ"設܆WIr>w{Jbt%{n5{Y%ͺg.f\;2ƂQ_?Qt  yy' s:-VG6WA=#;"-T?iYt%3VuIW2b2l:Yhɿ_lU&e쯉 0~qT\AK`S"@hR"AItpxm`}y8b/w{qσaJ-@/uĄeN ԔO8n_c/_c\^#fє>N/W*LT%xiGs\Xp !tލ!WznV# :l.ۑOA[pM %c %g6S`3{6kEcqE b Bj#p U|1ϝ87P6[P ,ŕﶒg w-Ýy'tӆ(6́[TT~;HM?4H3AyKhe+Oj1j 4#7ACv\f -P7iFjJsL5_n3ְƗ#'. ۂ mdԿ1d>X"')72=omCo91p׻Of;?˻V֠# CEuT_5`m7ƢV!AlKO~-@p#"c9X~-/+*Fx=pP&lNfEHC!NF.J*Q*/V?iGe+~zX{ z'%TwH\/(( #>PCX%j$su|~7(UQ*o ?t.?6f2q몄:ge2}IBQ s(:2լ!T#&-旀WS=6`BH&Pny|g*[o9\[³Y X*]1п~eL|J~oHwSyqVCe@Mb Q%ठya\pC&ѓX܍Iq#$9Ŏ"7ݴ"6wncu JMn?[o Utֹ0'!k7 ?p%"k) z?Q6}K_W%Ĉ'R4VgK~BKps,?Qzlq"^<`O *xEd-#u@طM&UBf&oJ #} vGP/qwn"z-68a4Sa+X4a?- @C$`+{ѹ ސ#͓SuҐC.lL˺Ϥҿ]]Ƃ?ߤ~*$,dF >c;j5 (O8 *Md:.OUi3+`k.wg* bQ'& 6B0sȀKʫ4nFo8.]iٔ^CB[qJ+6{ qv} 5,bIM?7G\5s ڻk }ʘ%0ƱĂH2,~ ;.lT7f;*J7SҚWȢ5g <\55ccB|bE{N Im KBH8]$q]N[%b:UlyϪ4nv17W?aI&DI 6u -瘠Eνo I7,?mɚŨ]E|'Ccz V J[hXxl:bh4 :$T!j-%iU,[娭KH-T+Ԥ&whLicz.S9PKT-zJR~>bM\E^^5+u CIeI!NKUN9oUT \#&f׺%`2-IW4 +eX\4niJp}GPo,y`ZzNĵe[S㗤v.p{X"bE5n8+|E(輫CVP-M+F 4*A}m)fqN%S`IO aFF M X:.U~ILBRXߥgܥ#,\Dƒѵ%DMEսY4AZcE^ʖ3S@[ҥRRͲ3pwp;?,Nځ3$zy>ư\L(NH9턊'W%EBf6EwJo%.ek 쿑}Sӽ)O¶țA3 oDlzUҐ{U^}u;5:f4}|4Nw2㔗7o9wuj;~43wb͕OׅSczYV~a-61Le1.)F\~vӷ6<_]nD;.0Fv:ztka j09؋aC;! $bgxs\(Ћ/l>V`ָPZAnAYVg@`b6ǯ1}YM8#y9|)%73SNV'i*$e#te-7D<,wԋ-ʐ+2F˻ ˋJ3"<3 {N_i3hV֙u~_89%2Jrz +{j"#ϫ! h,*)zz$tgj\Ku:- S{pEV4!^2ѲЍ% 5|r0POnP0UpGTT ڣ:S5d]0,zO$ٖ_Sϐ24 ۑ=p~936.4*%0.^ +QOA;tɺE"@" T5O0󎵤>gCjRm1Њ VhnNaFLK(i߂0Ӭ!]ƻsrfG>EqQ_+,Gm<499 ik = {tVݧ&jQNlwgKd )-o[K{Ύja/(#^\Flk/UL/zQ[ eLݩtiz^昵X QҾYU #ɮVq]rγDκSjKm 56xmm[wLVwX4t/ c|մ9hzogNRb2X\@C[H:UNAR|]'MWاHUI4TN5vZU0COb=x'[Mq9 LlTd-p{XDrkgxXV%Baek\j$oN5-bs㬺1/ !7"Nm<@ 8\ Lu[<aOa o{heem(Sb c˙"; R-F}% fv|$ss`:Jу,c^/a~:hV5!KerlSV5*cQy ؙv89b"k:z58_<*>¬%lXd3oy:sC&r N[H .t->z2dm ;7OsOb{wmIBl;x7 3Z?Xn 2xgh4S-~w;*E#/8},6;@۟drR: V7B3&ƏyLgp%Ү3sRkh)43LoUu@^4UXlUej12-$H *ĉM"=S6Y{pB^iԥIFp؆'yxdsVԥخ9!? èm6ZgV8LB[e:DܸǓOFu+ßx.wK.?$b8kyynQ9]=P{A.RJw VI _y.s,yq&fW]-u&0ΕCyk'u:@;\%l,O1҅24>gAnM%we. eP=|a xSXH ťm^xYT RZw*"<$ ^Y*ϊ] &<ذHl[dZ&s>p0]2% !98xQ!Mj{zV4;6= |idE[Q"h6qMɘS=ZSC.K5nwR= .J7p%0Lq:+Hܸ K kP+b?SXIlN6ݺĻ')wzpPG'1Y¹9goK翬- 7>J.0 _E8+@ T<<1TqMr_}|MygGvugew-JMG0 cdw#8x`HM˽ʂ!jlJf:t%`#C0##[Ij58t 1t֍'WDoFꁙeJmfXLR8Kޟg΢-9.wkE6zF]Ы1U9͈]~kHM74HV;9jąauY^*۴ַgpz? +8r睟7Grg5&1 J廣vHg8۹v2NcLQ&j8\ڬ9Пq\Y{~݁@`1 M !3xݐHɕ =6W{i{U~ ٮ^aYyBЮ4S{`{<א4WD4AFY3pUbdB J[mw797 ObEМމ 8YrXw9 ;:D Z"T]M:m_ F-/%9bO|zyaΥV;L[|: z٤YQ)G<$P UqdѨ=u:03Ɨ7DZ^S" b |5=h։mUnBvZ>%&pAQ̬M8&r}Ogg 'c2fn/ZdXUVf a͙Y>V3aN `8m=Ijo4u{qnD?…&G'͏6dT qqa wԼvP00-mK(1=fLwǩڐ1īD$KCɝܳyY9I"Iړ _<(r}jR"(8#?]!My8XT45g:'_V$'G΂_cZ-ul%:RŮ=?$qd'ِFZyL_a*O^dvt3k飲sD,bѷBƬvH=L|[=`픸IfԒ{Osxqg jgFkaMu{CRbC_tqs('OPDN&>0(sh,+p'<Ҽ$ aO*JbˡsF z㐪-ެx* BlX6嫮P;aѓ)Y"15d]/C.[J]Ý! g[[1m'ƥs>x:9Uy*ϤbypA8PTZnBz7 x҃||άqbڀ튿@(*ғꗌq8CoJ!%7 !{Q#<Ŧ?]u3ݜˀ+ēn/ ,A қ/wb6M$rXb+X*Kn>Nn^d)Yr摠mDBK0L&#{))ncJBjM"#N/Pq8XmrQc(ʲq^fo$dt/Aq 몶5JnFxn9ԔXoA ::9'Kt u͎Pd:€\bLhLH;ӵm3]5SCB.ЕÛJU>SOZ^}'Kl6TV7Ru{ǎ7~w8R͛{:(kx$.;4n){irY{YuSyzDR #F&D.IFjJ7 Qwb+m{0-wui{AI@fd{ kw1i4-jDM&U UيYAZʚҁLwR hvq'}NZ.\}:Ԕ$C9| Zqδ8iX,mOT;6fj9qC2@'L걐 ڨ,x̖,mN?kOD|~Z -tx2#wR10L\_ϖaevA퐖HJ,wEjMЭ*0>@H8& i&sxS$VkWIRPM!W'4xua>Etwa$p<)Qfձ:iJHT *p>\?d J,X%Ům,lIS Xcp'NݫLh~$s&b]/tC7ӑRD6ޓe.<sfZv>k9Eb7·ӝk8fϏğ{>jU3Ӈzq$c"HTj86tGN ›ae >gFe?)-'WOr>`EmXwuբF %~X0vsMd׬y~'JO;FQ6Opx6 }W1Qܡ4Z @^ cDЇRDB>TM ȓʼnR,y>CCSJgZ glBYx³Sm]i`j'c09❔&óS=`6&(Wv/ \cu˱/9d`F\39,VtqĹTTD`& kNV:CV: _S+V/2{ߒx19QcāaiIf@;{򾂌{*uf>f*_]:e6SqD+睼E#Y=ƈ܇E JYDO53s8y64!A;Y!| z4Is '#won"@ ?WVJIf;V/̓yEIZNH  НC܁:Sn]6`dOguýPt$50JFMmXĈn *(5Ze_{TKp?>nd sG!OYؠz3>n e6;?GC&#ib#bWmQl@MQڬD5B'b;:oK!f-'pzMײl st#x 2'J,gb'C>mQj #bg{p +>~7h O?پU ,n>B yϾծ$Fغ Lr1q xd QL䢴u=*x>@}@A*̡ɰMrJ*;6$P]F)Q& z[6+!cB}meX]TQw2E }(p Ŷ4?./R]4 O"FPz6_5N[g.Y}):P(4?UxYr,s @XNS߲ްђ#Hc:QtOmˤmqq][ mgP Ixy=E>e}ƫAst9hZ `ⶑz'Z abv ) rLcLUأ[Y[NVUǖϤ^v$jJ"Mavere:+ #| "昃Dя&JfT6˛E1qTt\Rյ`9>w;3+%s:0C) 8˴Ce"l[4Z>BE\- A Nй|c t_Q~1l8ݱkz"*ġ hgtK#\ T'4q%.K)+uY$\7J{qZ\}6-\+)OVHHIu?#2 w!ff%"M'3[wMU(MbP؟3hl7)rBE#dݚi/W$N\3S $n-Qzގc H"T'1FJ!F_ėّ{#͏C{hARYkN ̥t"kXn xbI,@.([k.5]dȘ6"R[#HzڰPRGWͼipl&~^vPqu56D*DeNMMu T Y,v#3kbO^-7HJ6`@>ђi 3fhekqją!u d} !kԔ"3 if#[υ?CB+INcko관?+((R_*0j{F%وkxw1|[MqJ׹SK"O^T1zͺa]$v/B3 , ob[scq(?Sà+K IGNcFuZ>U$6xu@0DdX6>1봒)ZrGB;O.MpUd}`)lݒ{iUa>0oi5Vj*p'$̦eEk`rP 8o iG#J1!ij_ʹe'̢Q>C^Z"pTGgKLF%0WaM&fWZb A1 x*Kk?Ocx 'oh/'ucNR9C6Y6}o j^0EM(T |c[jOVd9HSԯrKYùO;|X{\kJ0Ec_i?7-J 7mS_[%66s<Gqӧ%{HZt>8uTrh8b>.z%/%=?"оsm?V}o,]˿jq)&5W{+b#d⋻^%^]g tt/}Cy uy9hura/}7}9͕p|=P@7A9y|8\nE+#0^SƩ U01Z׵.-c +f*|)*z˙}s)I30Љz:ucHQ ^-QSi&)J&}],Q"]=Rhy͉k}߷W VQ` Cђn2ilU3F`幕g8^Ht; }ǩ.=ރѪuλ?$ U,:Jr|KG_ƆЅ# @W,VxYQr|}xuDr"F@{IDqVb DMj+W9 a?J;]W,Gv~N*bkMc4sfF!(Vx Tк$"wۤkZw%Xۨ| "pXf[1rLR>P1yPR 3@ JVJ(dhM{Ý R p5+Ȑ'}Vh}Y6]7)/`m-l_;] E$M~6%t0?F =ltzcDVŜ~)Hk,mp|u@z5!jz^"0l}|ğ!i>XRY8$5# c/t0;J?[zo D.6+ЊЁ|8"38W9Fc#WFA|ܐEW)^> ,mΒGbNKYK} M+Ίz q_PR^5!d֯E.c.%? d ~3/, Β7q+N t,!{EArlJpW9D9/Q ZsDAU_9/ Z. ](]9.NFZH= t3#DMh#3;F;KbbT 2hHՇ"X1dֳA=hP>@ٛ%\_T[0\+D쩽R{_|@ Ѳ2[l^N+Mb\k0F$WKd%00O|(YqC0p3uSRko1#MaqŒ֢#[wԡ4ObĿIbrף7@S{ZMdD=J^?At-s`$!zl`5XЅO"⠒Ƒ1<+FUŧvԁ i ޛ[ຩ:`B_O)Ayjr`4uSE.5vѵ'ii xK`~}tE3pg>If=eaf8VqͳTxqI񡀧@0?A:2ZZV.Rdxy@<ڱX_PH0I-g42X׎cG[%yzCR?CR ÈJVV68 pk߿yЪnyLh~Ě@0/$^ Io @G6i vytN YtR)bd2;3l' 2_hxܫC+֌ $NJ;X=rXB0Bx x; o4A!=TV´EӦi{b8ZGe5@%T@Ӧ)ʋ_#p/LnӽKo*܁ (P,o:An0hkHՓdn|f'<qbH] k{lW> L*lI 8ğ#]lz^mgwv@>jj#8l0ٛ @qx0),'&~8NzYl nS8FE#ഗv(*)}fpV!7Sfm(A2̥qRgN3G 5~'i^ʡ߭}ӉHNE"k4OQqws s EI~}yIO N/;P<$nb:LYh K@ܼ3@N~Nq2XFV#[-{uY /o@#3LAT7尾uţT*O{,UqVKPoorHÀkihߎ<6)(Ӣ%#j5d6zdI7)KϟA};Z.[0_glm\L2ۂ,xu |xO'Ԙf(N*rdCMT((oB35h% u~z[4φHF0=H|OCE/C3)n`i!m,hy]F|nrQ̚v8:Qpjڣ0],+MHT2&=C!k,4^Dž+(BmJC\ "kHJnSoQ ;ggdwcbWeëq$3] YqKpuTd:ٍ07qNz<5tI]VlSli7:]'%9V2"dD wf ?_ dec!EJNӯ@*MFuHjzֹf%y*v, E;aB`1pqb˧ؠqiIaUDO]+.|:8LXaVqlz߇ @ZJmG8PVnh2D`hxpǸi 㧨 ,6kWmu R+pLK?̆=$CB-xXũ$M߅G0X(vIRjuc Aږe,*ΰ Z ,OҁB>f@$)æP~}e\Bdu3&soCu!ZV*"b~V>A.N{Q~y` -9-4h9є=,Iz7]AnQ<#CKw(ʆ_iQirV Mȗa{HzVDŽ|2/O Be!߰6jl:ͧ>JpKM:RtKw(6o/7*X=UV?]S8Y@ЧVSQ+4 O #OgOpl_e5Ddj]~7 Xfu}\( ({+;pMHz%W%ш7(]Y+\r6]9E}ˍ{]h9"}Dkrƴrj=xh}a}usz입<ڑ# ʩAdT_< %Mr>J8Wc]H2<$k`ϘFa#VWg*u.s5착)o# Z4AyA+hV@IILhIg=y\CCA:;N*nN!1/4WO!K7rrg i?-W_KPL֍ap j!'b{/m^ ׫'9֌oL܁-=m~P糂 [k:j|*DfLZ2'2ˍ*EC~0ri8cV[f%@D~$AG}-XW-NO^k϶P6v-m&ȓ+puݹ<^98<)#XtֶL6>ExS$hi>p+ )}wsiaek債LͶ4luwID떸Jm(ZϤ gdA.`ñ+(jǖW) Q4E%#tx)Fo >w &@lQFZs}X k}vT ng!Sn6{%ѼQ<\_Ab9b,AY_*HdgCgx^an:w(6j{Vi02󂳃d g99PY].SELd~3c<λ^&T6 O03K~0`-uA?PP?̛lbv阰O/w7K0wAK(J4oJG)u9~%1cޑܵ/yKqd_s4kE;hQREԾp$]0 u{|{>]rHÓԜUIR#`b O%y Z>5 #EkrmkkgX/Y#P˪xT.H&o ޼ql2PD<.ʻ?g7(obbbI= W޳1+M W0k`QI? T;kuɋ^)A@=gü.n)KeȚI]ޑrْ/m?x VN~5o3&[ GQD8+ ˈNǛa oI6D0p$jD\7K,dPʨf.;C| V 2E0n-`m_Us& D[֕rQcø*w<>}wQ_'])թCJoK%q'W@定J [i=>2aJ/Œ8vfbz 4)F;Qj;4VVz{Pi]a _#cK{$Mn(/VS ]:Q$ ~`~D䅑'XX|.}wUHRI/?[IثoVVqd4h59Gd+tZg\"Kl{lIr^.Q^3Y,o cҟ6Ypy此1?:jRccթDK;Uư1h6;[;Vn{A}y:#$~?t!^۾(vH9z_}W*?F1DHbY 4.2/tVj ?(o^3 GXc.UIe Rۯp$w{vFËӤ8WԒ?^AR d$S|{ʒ_&Z;$G[DMBE"ZFH6JR\!1fPgIIKT}񕨀PIAn+z/MCqRouUb6]@XNjmI/3s2[NC D,T8&ه'Fr؂}%]>4| V0h/bN>Hx$(^NW݀32?<{)~|pwwk\_O-b0n{=`McdZ/ !/WEJÚ{G6ZJ 㖉)_Nr#sMO%hH1X!e6ސM#ʺ˜1xx? >6LnϩJJF""yH$Ht/U_F"zf| -TE+A/xkG\Qu>OY?|I*0"(qȩcV| 6@"2jPrGhK3acj4塣^j1WI~MԷȊ˜|~KqMOsy%vw) YP*xWJ쟼0ޤƜt7{a92M{0a3 @&ev[񜘁I,WmuH<6=l7չWBy97Ʉ w]B DaPځܔW)nfF5= }Z0y+&*TF4HCodLâ%IK{ܘ:lvK3xU.˹Gh3Fb;9oSS0[ZS39MK5VwloSDD ZD=Į/P vN~#, w#t: 8&A NJ&14!p*7u]k$ =͌3g \3=|4JgMdo$̌jw.r'-V0: ADZfzND\&8[nzb zC*,{[&nCv~.8,d'jGuND*fT0Ii.߉\!0E[3;Ր0w<eP b`kRD4@+ cAnGBtFP, nE#F|U*oޫΊܝno*WU`rY, Dɐ0:TYi^@Dri+F)7>TWqoHgnmڐ|IYr4 25O,6޺aB.ǥhPcdk?8=*uڨS#)i1cɜ/ s)|n g YЁ:uu#\#%Oso:w2<-Fw!ἶ6O>u哟 l@ oʱtZ:'ހeFV-NF֯ z*Dv3 Zb[6d%e,if&HoJW&pC,_`j$&HAݬ9F>R0;z%$20Dâ4vP7:_( z+۸%\~caGHWqq"%Ժ{OhX4( 5F Z@Pp,B`p|a7w`^/lړۣrޮUtC?:+5gIDu=a6 32ʁg.6c`;ELrϳJasݨ4h-u0m1IaT-5D WV{KWm2! gy m/Wt!e0!a+w:pc#`k?q_28vI~0󯗣َ@jR~ r\rŘf iܗ dʊ,+!J!|?pq#  5+TwrZ&Dwe#"~c}20U/vqڡ2P}15aQT1M6=зPYLL$( C2N/6?ۘW^&7C}xl{2r2l m\|e~-,*9\+2vL?VZ s ,D)TغRxm4ًG, fR6晴Y$^B_s^I($5pt04(5d)@ A #ߐsvy"b65VXʅiHa"LwDkZ1wtIj>0Rʈ+WPaA_1e%CI$] m:ӂ))&mpAǙ)KՈZ{_]Kӈ2l Ӥz,ݮ-%ZI)\%. {akr7}M]aGQ̤1S+C 3D<,`3Ntp7y Q[=ehV"ھ}t OiA/oe/hx/&[/h%Iup8:5ݩx(bUռaT*^~R@k(E|m#ޢW4զRMd0B2(]{t hűaG,Ɗ~4hQ h,nq W5cuޓNjvSƋ;n&S2MO*?EpC iu Fޣ;;#zZDlku?a# ]@җG_2nF6'`ķ{Qs$-O ~%Omk&bmu/nKC[_o?\ml{UXҎQHZvybN"fw~{6v`2gH9jJ"p$4#_ڌS3Ņ/*@$YĪLQ5{i^Fz͍=ﺎwe Š oPЉyfAsqęi@+́u{|UQnkp>)`iDZw?*:_CӌD-m:%E3vʾa6Vh!I4CXTߤ /. :O%Hݝx2*q+2q\Dt\S,=ɣsM39h X ,}B|,]1vNjZNn'1!qGFNQ>)cmMeIn=@ ft.iڋgPPASZ*$nO8)7 }N ]Džzq>P2@(9ïtI|̀3|fxAMfy( :K|5V5)c! %8E7⯡SѰLl& t g%Aq~yB >*!> ،ِƛ7e&FVRZ3,!ՏV@Bo |9Qb^N(\c(:‾k)^XNJS^njf;6`T#LO)V_Ϗנ|];UvrJD4.BVE~}Z' ؗ_? )1&7HRŻm $`L /-O7T2\NwZ?4֑f]. ~˒  cq73ɋVǨN?6-_F4:xnC%nMgR&~$<m7"-{( V6)oL&Sx.w9a1Jbs}E2OêfЫ*/fq "@Fϱ"ҜplYIVs;{A$'N_%jl`J}KŴ{5mDM)_ G%yL8$V.%!NAcE|U-&-7`GZw6ѯfKb:Ywar %&$~/1{0+KrƧ<& (][ŧ8W'N~/Eu7WzMRA8 ɐg|iD@jjFSʖJ^;7Kesa7 gu,z){# dĥټq43-8 GQs5J8u,DN躯c |L_B?ޮ> Z-3J(sFx<9/% l |ﬤA%ٟc矣'@0TeY<%rc#yg^-5QGX L/:JcbU̱ @u ` 8/%׸:_%%s:ċϜ>9N !S>yL!}ZT9#6ƷȂݞ"0m֨*55Zix<ļ},2(6ت{=/!3ukMl2L5$*zX𺏺ĐEWk"QJib޹Xj$D @=?X!cc3 0᲋7bK/\1!ĂѨ"ˠ)9Fⅿ mԠءw07~W2q0e;Ҷ~AO7vF~rVoa Piհv9Jo4>7Wtp#*c ڞi w} v u[aq`%O|#Oj-G@vG> 1oS }=)u/%)uProXd=`foTW̑\qtB~\U*hb3ј\ <҃2.~n|d]C7MRF#CHwQ;tbɯ#G=@O5[ CCWi&#$R{2=،faEXe.nWԤ~ڼ1-V ,VPI5;,75=Xdrx<xߨm?,c С4zJ<5&n0{I1&XȊu{K(ڳ{";"kZӇɬI-"< KfeHI72mhWrRua`ǞoPz8@ʦ~ B;WDԐr} b V -͇D"{H<{u0 J,39k3hofS`LY.(Nd,7Fl %1d. q+EGjQ$H@BF'Ϝ6avn& j ^e7'eIΣbq 0[?f PÑ{<Ȉp! 8Mh0s{Oa kx>혈3.EB a+5fPy,葠 ӤǼ bUR`'6Yi&YR;K ESC_qk34\TSEr뼣36Du0Rg}豟T t( *Ze5< #}iPuZ3 dvGEݲ+wjn)̰?i+;iZijH]4Vd(EfĒWv3TIZ6jaLdr90.T| avY )5wg8WO$-:ϰě÷t%<W b:9]z,&b+`A=Aв(4_5{Eƈ}mw1筒~}Jq?7 3=5)1>?/ 59_ a49AM'&\"H =$9 VCLDo[R\@[3x) Âxʎ5tGφɮ-|2H#\8ַS>SXϰJȒ@P/ܫzZBZ&ob ŒVwa=:X s!HV^#*?R2W)zdĹ.b<2#x.7-o47D_pZoІ׷wI gO ql[ V80TQ+rgW?A 4oލ*XQWۿ+XO0Q#~!]SFZz@T5,Yj7oу5yG' CFuv7M Vg:%^wzy!k8ኙyVڜ͈ǯ`x <Wt@ߤ C%/ ǀK>бp8cN2oqwv2j/g>ȴe_ \C u3|g=\(eD)$nHo(u|aGފt{I ٔ<`my9\Xgnѯ ղ(җlt03:n3J /AYC* [z'Iz&J)Y%D@.{ɋyfѸ5"'jXGTxtrIhH&"kHF| >8}Vz`S/8γ-0ZF3B3F=덺y-RA_˙rR"_ iIe_vpR61F g88Dt$@Yvqy%F.+$RT%".#2-iC-4݈Tmq}Ybq_%Ɋ8Sn|?PguQ^5)}]FAohƦskc5G$9ʐu?y2!4c͡֋JQS՛f?[g$/Z&nCȆ*cODh;"˫X+ %DxA-^apׇtu dUCh„5|+Xy=Y ɁfVo8˫ʊNrH;W+prԼ0_R6yxgle q29?]}>dWFYdТÁ+Q!=U@f׬Y[ਹ YxWOu߀,-!54pBJuS͌B-m#{OPJ-+9dؘţby::a_]`T%r֪z9KR]Y%F^L(}iUQU.gԱZ< J du_ 5]ݤSgcDF'jUazm"g6'DXQc;?mf%%hօ>'<, RݬdHz\)} ]s,91j oZB^Na^ ܡ;|ێ@r/ xZ}NhAĊʿX^Y "4niʇB 'FYiw[DkZPl0=%&nk\7(R.-+C꺼4uz.`4(c,sT\H{<hb%-91^, eDT'w.Wm_\^'K̮I-`lLtpQhc&o僶ǣxڍrTdӪL{y[  "W-' J{?6퇝pUS}+}82j&Ϫ&鑞Bn_r.lrM3C˾&nL5tu= &pLޯ-nKCWAjlW{PSӇ cze!(8K9 >bj陃+Hv ½( )Rjx!; j-t/NV;^ho"dfYHF2°60m(_B_i} X|RP^|—T) ?I%rxw'X9H_uDWK}<+.L?(Qkq.qV#0 +F^T{{p  )q k˗w3< ]w/,gٗ![`xcA'n4AQR6Gq|5"hq@2ޤ*W a+ u_7r&rN3E­? : y ngiF/gx:/C1 EOͮևWQPfUPӘ0jL#8n !izx[ xa~R+JF5FxmwGF#1.J a7[h e d»q;5[N~^i~$$7eѓq9{aED79zyzg1n'+Hzg{DvprQ9huO1hrՒ4U.Ppq~S]$Qc!#Ϡ!7A,@C()tTヨ wqio"\*ǛEEGipu!Hu6EVq{x<ׂVﲩZ(r&?nE uE!ltkq]ւjeI(0?yF(!%BŴ|ws444(/qm#j.Cg)4EaoX'$c?1PY˂WOp# 1\uWZ]z{Np<Ć0TӶw4̊f@XjؒB 3 {9oDǘwWxM*aP6<]e;[d G|Ј  p /+8z70iEڥϾԲ(;1}ؿϏ&}i7'[kt !vzi|Wv~r<<4n|~`k脂Ǒ,vEΰ7̹#ow W'  ,'z,. /~$t pٜlZoT Zڏ`k'A2'|7/!0C0rݡW5vn@݇Lxkl PxtG:L| ()i`"y\XH:$TA^ս@3#7(!`C(~O 27-蚗"uIk c ><>QzlT}l5'ʑOpCh1Fߓ@}<iWr~_hZz O!%!U6E}>D#2DbΟİU,ݔ7yņ~n5)cL+"0FaWfˋцAØ#rb@[ y& WKW>˃6% moVn #N{$)bmԹ1el&{]z!,43ZTjdv{{\fX䒲[^ץON\4i1mIJrA8Yu C$ꋻ8]K,r[Iy ӲRq}u3SD]آU_Go8{wR}&MIN$°ktz"ζ-5CA"16mL,S*?7]`{c!S=4}L77L9Q/x}YAH{I4xΉ\5^Wqtu" ġ4eBۣ$ZW!о{kUy}IJNbœ`z-`|>&!mS 'phzTnS(f?jF&W2G9KgΓI)^>_-.(<fVl2Z"Dd t[Jz,}a8lqf$fȦ%ԉ@5^Fxy8do~.}{w>08ʸUiN%& {`RvΑ(kdǭBHrɺS5ȟ)0ٸ lIDv!Uvͅ#NISMN5(͂sOp}]L: ,8 9Gx Qݚ dCf+t 6Ku(&Al _%lLOX eoPyLt< /^1ŋE>7A[|E}{BM5JBTp d15-کig{௱$qA-Z˳`966Ĕf6_6\ALQyݨzY*u3Ny,k 4ifxG}i+|BrK [{Z`W:6'!eWXv\T23#``۠,' [/7h}uõ"l@B'i2‡n-6['t{w{q>!V: 2y (DD?B);fK$94]3'ȰOlXSVFi.&?C~LԺE[v+=14aeSNRBZ@Un 1%6+Վ{7d$tF֩>6]{7*G E]y g5!3XS5S+L5*X10ӿdѕ21= #]ت[UѢk/Qi.>ō`hkdr"N7NQ$ Ah:̣iSp/={?]%D}PF+t?*ZBNvgɆ~bjV7Σ+VKmhݺA? cX+0^?IqU7)J^ߧr#3^ EClc6$eoM#QwqD+r*-"; 9o*?wr'5"*OY¾}rҤTJ,G4Z!⼭i}Y, +LC lِ>G D_|g_Pw]`-)>cʯ=,yԷRhķYb>~Fe+<w!=yUJT~lYhim:y2MHWD4M_pOdЃٯZXnSpMZ-(|q(;SF"P?l-*sKpǼ9kgϱ`֐F+M[D ,usmCJdIknѴ)b #]ggH]ib)0XK]y.m5#O^ v pە j G՘@ qJv*g(kg'$b NޱT9_#U=ZneOVb1h;`Nѐ@Jr^-=<:h, ptyoK%EKK Bf0!GimkKEC0H!JWz͛>eš| & a$ett]x ')Meؕu] bi|L!FUS!=9+2`3+cR/*34?W =Rax2~|Y 0If ڡ(jA2ѻ;3JaCJϙGٙGXl??Fj"x3ɫ|~/79%BޙWE.`5{_VSk#VB{imJ5L##SvB#f_-.~<1w>4oR2 p22*/J(4#IIViTE%p׭MH0}{󬾓}9=tScdlo}mH@]%<)*J0e(9p7tٲv{)D.jQT*K*vYL`iabFNMM`B{ }p* eS8pSt}ZSc?H*=_Ϩލ̱%` C S-;jsLTv Q 4r4K1w. o ^\D"%C.P+m>Tܞ:RI8 AsYlÀr!7ti'ʖ~+^Ymg,4&}]R<كUN3'iYT}IΙIJ90+Qtl6)xzch$bmLxꨇgtR0PIT`e1YJ2]xas^"7\[/D%x^c/*~_qE?%9m}dˀG͑ot} d5~EY:kTja$H-chfts{(u*OuGdm> ["yNv.rPe4i^b+fZV$|{Fլ*C(s@ñ_0遽CƥOG7Աw$X;r< A/x+ Bkۡ(V=X]ΫwhZaa/j`Hp gK# IchYN"I; ~Lke)ź3ØW'b8%I||w,fFjg³=?̞RJ?9+>oJY&5"_ÕF`P'Myy? Y H:LMq\e{cֻ~kF}@I)q/2`x *h]j1FOӧωk4FC߶2?JOܞPd196ġ#2-3mE>ڟpF]hU<aĦޘ4U-V.QW%4I?kp.2&֢w" {] !>ѭw؊Ν?@F錥ٹ8Y>czG_3RobiQ-ʩW$ő}*m*4 ]guY g=ӿ;^YsRu Q~Sg(KG5)y[VSo[FT&ź(R*ۧNd8c24iZYw_| JQ̕tQ]pZ+YC([*0}f{>Ƚ8fMDjI?2?D$p5[AҜOAѼ!E>\(3(o?N$â}WÖZׇb^Jxnڶ2hR/О~l^ ~.b`2Z ;Sr ) %?Z6̄QJJ{&}z+kŎ("׀@XyDum p:,sfFhKL8z8>Hpӯ@!Q.e|ߥ\.b7R_Iչ[j%')ևrg1J`)A 7!y@i٣2{z1۲9N)vNPUVb&&}\YwQ^W"O) KAa>멙h,)S =Z`ǿ/T #]籆ZIe` ;LGP8.x攟mkرxV`+G灘9Q%S!2j(L߹d͘|{ (($PQfQt+oQ*kX-ی!!FwMTqz3ɱTu`[$v,Aݸs=Ah?3"Y`_P!r) ]'\А{P9VehL}9Ƌnk1MMF,x3s29Pqk%0T-C|:J#|L}F9^K}uk4otopؑ_}e9* 8.-o^#A:%tذ7*݀]R:2,Fm/.4V:eRٔ`zGsR PGl1;3 b%-V:1vҬeMez8#wojrB1)c3T[WO%@4 9#8&5n*1ocIKKvq>$;>% uE:8+]ڱ2LvLd)[שL:~ED0*BaA إ,Voc&DB.Γ qz\jTs _W?S7 C=}m86tN[mR_)e q=>oj֧ ++#j ݜ_dۺE8qژT2!0n:YVugH~Hh+xYNu{9Zf\$y$0N}_͂=G&RW 4F\Y |'t}}GHbtz7e`=Kj)5 ^J}0; o1ˆBRtTzͅ+/!ٮ:]e 2"~g\S)8#-}Ѯ^"69GԤn`6;5->oeR-Z6)SwGNJ`ɭmE*V#FiߝˬX' eԜ5nMDŽ%u=<W>_S=ol{9,\=;iꉵP8zBkU&+z&`?x%Eg[2c+vmlƀu*\=qcEEgDRvj/8T9ZpO݁hɟoOInsgS -Rq~Vy9vMҵJV/T)dYQ6o2 S?\g@2VLi-JNs>u@@3Du@ d6 f0)@A!ge&~<#X|%;C[MoxO]yc+~#PɎ%TST]_yWc(:ÑJmι@bbW굜HWjɺqs~{66Ic=Gyk nV .e2- .nnpG)΂}\̗{ ,K c!orN( P櫿m/GmKFJ `,XIT'3щ+1я|k3>u,{^or~$JNmv΀[#';1+)U+T֧$6B/~s3)j;= i̽>l~$"N* L B8u!);ݐ chT*] GNPtR$bߐ^g/گ8tApm`".JVPkWVTh:ް:x2v_L62d$8\1fRgeD-3ا۾Cf-gn;t\V=s*WbkbsT\[I};^XۓW=fnW}׼}AP=5:gߑg%+=n#3♆"&,2`gQAEޮWS{Z8fG3v>g+8ai{Rģ{rhThRU)3.d.+>9E aṵxc*ǹ:;^ pz!$j_mtqm=7na&~Gp2[NP<üfa}meX5ti 8ht5E2^6/eJi$^"+ҏ)+uREfVǐ~7:b_<'k4KoWY}8SQI#;Ym9B}܇B-Y},wJ;-@d6_BI`'sx|B3$ٴ珴qxj*E:uYB]>ofo.cSxi2W;W]sF֯yHe#<"֢d_MP.%8Q+_ #|hVֺQNtc&eO4.GhF'd;  z%>1 ¯?*azV=nd}fI?P^{)̕{m{^uH4Խh!W\0{~1ܝP8kz'P(6Vk7юZf l:RmIFlhcl;&c +W1NxK: &g~жT'b_?PcA㯍w"olqmb 5 O۫׀aaoyI(&؞6ޝsɄ _eџٹp1P"%Q*앛ZoOJ춇gP}WH 1|ԐߡM.e.")3PUrpbM߄y)Δfڋ LG4~k!0=qXin-wqQR Œ;PҦ;f2sC>c Ɍ$1ƾZ۟~i"OEA"y LTr;!2_VpaKyP #C_AE ibk졘TT 4mwPC~JZ P2}~z سX2CA{|hҥCa'G>$0RxM}¨#{Z 1U|vb0+tI1=?=,Ћhno@%..F@yhX?¿'D9ƸS)O{=0Xe`r s? (5H -!u+UFp9'jS]zSȍt] 񛶘W / L=<__$#/B$Z) Ѡ 8QSCO[kڀ؆y^ >ZIj?2 Dg(}YF@ߤ?f` B! BV /~d)4QHک ;]^TvܱƺɧЕ,5 Sj7b Vw(c)W4\aDꅊyVS\[FM۽2Ws{DYL E.\CT/✦z3,*OV)q 8cha:76gAk'f4‰G`. p| 8Y/ѓȊ*.R@+t'$)']}Tg7iZ4cMYT/="։ƒ< ^Z?~i9qX^H*KدB2v_Cu¸;ϓJ-U4Z@oBneĨie7Q wR$S UӮT2frwv%ՆO y,5۷R) 3K{ç_=HZ-LoEsⵇ\q(ژesǩުN=txe!Ҙ %)` \{B̘. Qt L31>Bj³ᔅMf!Lg"{24w~DɶcFr!*•`WRN\7#+0K10ڃLC1kΌu0(n۠L*v•G\SctsR[,[ K0J)."Sj]&B},κ2iTOvSDRzŜVȣfp?)- 3S?#潶*aBIem7~ CpO[e. }+fL[YFwY6YjP=8 T=m;}6Xjc}K>;Պ%%wa(GI cE =+N%6)} i߶?:'a$' J! .ht?SQ KZ^08:*`1/iSC^E*Uޥ70:pQj";)EO٨riy3gMIMs7y-+426$k_RQ]qT<:t;7e.цn im M>ͺ*hGMc6?oSI*LS-aȞeBCrFn6 2Ϫ ֬x՞iG2A hh/ ~wlⷕ O{>RHcFlW0 >m-(4k|sQV]hM S`?+TLR#Q1|q9-L/VDւB!NI۾2 #1nǒlBV40|]:2 {)6G9II'$ۡzߪAZoFz<9(եK=+OV\"/#Dz8N U -#*!0tՇ5;c$78B ۭ Ng],: $1Jн;(SB6+ :'̎Cy=+=V ޒ0f O ZֵL܋ `"Ѫ⦻3 Zwqt w$§ ]5)hږmyBY>wd+6h|b^T2{ FB3?/o^?U5/**ikf^/ٜ Kj8꧳H3b`1q!J3,o#_HN:, ; w+O YX4PҘȈH.~6eQu3.ZE%Ϛj2hF%AʹMTFzk3T٧B ,Cs2=Wh̚2~ C-l|Yr(L^b| :IT1ͣmXOE/g(q`3lUS5L9d9=lAk n\a8º&K/#}(Rf6\:>Ҟ0 Ҭ ,B/lyPwI)l"S݂Q+={Zr] \Tj,%|!Ω8! =1$ `b0"o1zbZN:dHS`'G 亯u[yȧ?yi_*4A ;ww%<^n'T^/-9{)VĞւ-|geBd' VqS >fJboCJWY6=b9F`\')2?i,H81XolNh(WcG֮\,1SGm؇t`!vS/goι| mxQ7lƛO )M(U-Me=2ӓ[sіj+4W6 WyćRQ*EjU4+.HkҾ< (\.qg@r9|J hM&{[g)=jga2 N>#U:)6BRG[e]grw?Ϋa!joJF Z~+<j<&--]1bA>pZL(>ץfcKG!,/̙u}ļǏ\k3M]<ҵ ?;vL\Zؠ)AO&uK= ęDgS2U M.Y~>'4Z"1 әʌ>"xD BmWe#X|bxF S x.y|}O,:m֨_yG|mt|8紃`IP QݔhemS^xT2 k$]0C_`I "5E[fy=S?x˽2HS)^\1ĔKʬ}`6gu6y>aR|L}`͆V'3$tIPiى>5ώ;>2M^5_Q^?':َ> &o7r$ZCH,x,Qx>h!#'ú?[ƘSy!j4kte#OLeʡz bm#^+ŋ쎖駒"W"07}i]w֛ЮEjS4x­ͣٵu̔9&HEi;fNi@\EU-t~̹9"'6xf+ U*S}w*5ܦ[g vבd7Ȳ)/_մ@ӲHqJw/`&j3_ ?4iAS TߎQe ̌L+4'WC[w/j3 XYvZs,iZi26z0|=Y>I(VfdڛVn߭ 2dgV 8U`j` ~zIF*A!;_W<7ƳZo0w 㴰,FV("YhM,^)AuOːs.S RWAXn:Uu1<") ~.ڣ;7Z. W&@?ub^+ ec[?;w>B 8N59tB~$ h_읟j6 MnjRtIqD6˾*p80ݧ[u6(F gǰoÃk~!ViPYLQ6[{=Jj\^UtFn+XOpAox@"S5GTɤЀLI)M[TUJsؤ94V"ZF>ʥL֭m`Xi'\ ꑃFw)lQވ#0r{зwsK9N*oƆ,*丛5nW3@=r%L5vj[Y/Ǡ/;kHRNOKx {6AzlVGi K~R5( ld14mV/ )wuPDv%/bB?ׄIFJwLDjZ- kc@Q0(qLrb[Hx2Kzz˭l?Kշ+ОTh=f4, >'P tQ&nC!aA|ԎӲK~ kϠ]WJ8]P.I #4ӞnRgV27 +r=) oH>P'*(dPƁ],sr4G4)o#8,craCAa U혼4E-ʷ(]бsֺ*gU/zaj&½2@BU+r'*)Kw I=Y-;ʔPQ13h(Yrz2V* whZ,9Jds,'+^HM21mI,=)_-۬mN$iN1VG .a΋k ^.֍&+t6$̬ZƤL嚱j=ߪ,T-fh&4f3U|:2Զř.;xn@Hx9/NہN#KF5*"̜&: ۞@&,/ Hx(<>r};:L TĖ+2UgF `_􍡀">}`%nMaB/_+>-AsD-$V+eWﰜv-'Y^%l!-Jq=; /;`#%9G:lˋ(gݝTE~_ +&[#TD]OL7gc鲆d nT5F w#ڙ“Ӑ8)OFiqo?ڧjz&Ŋk+{} +/b) Zn(ԸɁvE&!o yG:VZ&IS܏mAm5vX_J /uX#f˄$sks%D(ʵk!"C9+fYUeuHxs t 7cZqVEXՙgr_2lم0m]$I( Z3%;QDn᦮*,~:tggyQ@!BFʌZP|xE(#ưeXd@&>|;Q<;Z(6 ˆ˔KDvY - *~^}C@c(1022 ?.6=꽓A V Sߘ*!;.}'Mq T7둒=<#nUg6/9! *%`No| @3b6G%[-Tƪ m̟ڊ! 8qvΎkp%+LBѹw@k6z"4Ĭ' 9?gĻfyثtqd>,_벨7 HzBzA _D`T`O|p׏t 3MЦSò˭լ)$nalNw}AƊ+Pɬ|?QG=-_B9 ;G$29; Oh2]v4 9CN0̓|+r{ˈ3핂i1ރ RzQ*eT q!0ݴ?7e1͢/xWLhض^K4lk1@'k|?D2iM0rMh]m6)p R1%~wBԶgAw"?F,G@%a( k^p#izWJ 8s6Y8!YN/XVٻ{E(E)7sOC(~3N:e[v\X[[eԆVQ6˂أِ uGCMS?θtzU1"$-+액g75!Y Dtx){0(\J )vQ~,|Rjea"VN?8a-E`?EbI2I>k-hE,>GHobx3;``u FRjS?L&e\L 4?z-a`L()U\U\a z= Q,YX6bT&30]om'{D}4t͡Rn,9 Ƌ,VM-a#[*.uq<e.O!͐ؔca3ȕ [xMΏHhgzTx"u.zS@dm?Q0rk!GiŚӅ+@$S.퇃֢c kKo jЮV9vKB\Nswnrc3kU"^*?=ú(r!!a0`#m9luywsϘ޲)YDI;Q7u#ވqtA0p"_ 8榨?XdsCkps]c >فY VWɑޙX7@%`=} -VC ? p=/urXiy΁A<;8s9W]AK5s5lI^dA}߿8$9)s.'4]Mwgm ˜mZ]Qcw#+M2ؾނ)!M_@nN`ЫCJcTI\{ëiYk&xviG_Q?T''Dɇ_="nwGaZAf]Ql {.Ы!ox.#w ƲOf]0 āH o <55ۉs!<붌KInYԊwgSgX=R4}SI\PHqH^nT c^/!A}tmTBLia3C{|6NC &H!9%g &1ld:mcP6`F h @V5…3U$Eeϥ Җ!G1Q⡳P4T"^g*#6C'쒁m?U*x =C@_^3x_ jjLX(?k8Wuʇ(v%6x LoH˵=JL5o璤K9X{RMİ]v0/ӎU̙س6^YO&EL|[?~ҊCRur_?f:yd1 d֟tSTKG9cA7oТ vi _񾟢E_R:%j+:N:gʎ^yiX`K,ljƺX܆lcA"d4(xa6y 1gX c֪iuǰ&a\l]ag=+#|gMj/BO^ɓnCKx𸋛m \za%<zQF"0ռ:3.R.@eMVb,ϙɄ3O='8_` 4Чdq/Vݗ.׭̜bHʄmoA !1ABu%fC@ Q~pS߇CEӗrqKyJZlᇮI(?v=;n#LQdu',jko/?LJQذoO)C~KQM)]d=]+{racڙ)̠3 ̺h{uX삲@ROrw Pq fV5S6.X}Ɠڵ+.;1Бׇ+Ox2jli#ӎԆ~~n_o.>dZj"GGӣD!lF=db[%$zѕ5:XXi73̯c^ī2ώAY(h#- usvTNۗی*:ܱ-쒝/aܙBpamfkR}/CV@$0&7pH\H4ɚ=ng^i20rmY^]|CcRrZ)97;O t)`%7b+V58#ÿ8gj\k3v2"%&J @@':!=ەբyI3Q*ȗN#iRLj]rk}t8,r#)*1qg7KЅJ)}Ԕkz":, 8(a"tI6oXձjgP L3D.܇UIddqHaT$ gw 2y^O7 OgnoW?SJ'YSm_rIު'#5wr8w/ZfW& qm5;Hܳ^(g3SRخ^(HYid?,a3g; ;"A0|ߴ93+vd҈DG\:F1]7_"I sO;0..,eHϠF.Ξm)=[f.l8g= SPi 9_U~3 >%|O#d5YUB-L> 'ls65 6oPe F7#+{%eA%\NfR^د~Hҳ^)T]|k=ڲ+1cR}~Hk>Ie TC|~2Vϴrʈx/<2$3%)\o-o=* }]G}rY<;"Bu |{i^k˓1_PhiR ތn&gd,h 3`bi6"u2\y(b`?0 ]ޖB1zt =#4$yFK~m7Tl$I%. 0e&HGM.%圮<#Yݤر"/MhD9 5A󋐨 6QFU{̲UI'giBy(sF:cJE`x?ih3S+ *7;駡Z#_FZM%Q3$FRp풅E:hk#Jll60ڕo㩚xbpWP+ZrAQkbp 4zW;2_bX|&3H@To-@bvz$7vݴ1kjٶD*t㦡[22@Arq9K C(⛖nvI:&!񔛽m-0<13hTt&-6gBRG,&YdjnQq/U׿~ԉIyݖ٘B>Q=omވ&7T9[ KX+ ٧oE-"I%G0 E1"$>T> ob&"P|<q'lqqI2Ioպ_ku^vu`?%&6hsZ_d1׬.tu26O`3v͛WeDΝqަH亦OrKj!pPpz6E#_5i)E@[ Ps}Gdi*|1ˤ.{#5؛XC"~hlI?' qcHftz7yXQ+1jfcޱN%Β,m{Jݦ8zF$8Ziө57+xTFǦk'.!7*$lKS)T*K0 vi5mW:0ZHV %9 Rvcqβ;N1EclIӫ1ojNC6G:EL ϲP]@5{](ee'E$fkqDIOK|My^V 9~ӫj1#v<CEG6pFYCVٛX,|!AtSkr[QNm-t͌ۇ_uy]@@X5(G$ >wkݦ3@[a7igv,q cr,vdpʧ&]3'L=9/5}'1+ȼCR3֠ a_*n?*v5CJbCxCMN6R0w8ֿ_<7_v%,ug$ Žaٕ#!A/uO3ؽgԄK kǰ+,,)q w7OW|wS}܊<~+yҾ.dӋy1 @.T:,Oe>gx=e >A.o7]#NBB? |#`@<7!3yxPsa~77U*[O:X'Q&y]:d#k'#%^ޡ){O0e2-EYw1bE r'4"kbE!_::Lͯt1eqCnk$So׻R;U#|`IG",%Ci ^DS ga=kG?!H|K{ u"B'8*4Ջ0$mb%sfn]:&K""`WMHC:ÒyhЬpGqU4M fI o)c<):'3rq_\/?ngBnko^!Rk7x=318G݁WvlnBc pֿ;je&\KxE"(B<$TC*EtV6&"=o%TckPTClO0&F/pSzw6"ʈI3829wGN Yo|]|6$x<^ 3d οLo,aՙ/&  XUț0Ac^v~dfmv٬аwl:# Ż6[Λ{4!Ͳ~չ||o09]c*UV)MoyK,?g$ fPąxh %x-֦W8 hA+ W]*KK#, >ۅAiOo}z+@oh뾮&'M(£2P/|` 9P>X<b68  j9?Hmucj=\±bYYPT?<3*#f5Gx314.ZDT>ہI%XInUp!QX+eKUr11w20$ɴunzUjas 5mm4>*h^BA~}恛 bF\z*DqMC +A`yl7c14@!nB,WEt}+x}iF4EȎghyMldv)TCưocNZ&[!)H1(mA}Έ֩52 zk"=!@xl kJVג 1[EHfr jr+İVZhT%%8g!Y:%ꠜK} ԔNFY_lЭpA? ck/p?p{1V9v':Wj5 x;U}N8ߜ"kYesH_/]+li ҟ4܀Y&VN|rK8G hmTn$')1JjK&oo9dbKWocpj yîh;>WmGAC5wt`Hkzg5/R2 #%؟r tVa.DOm >__tkM1uA aa{ Xs]U =U6|nX2*E5/q}6gC/+WjwEOa &Gh&rZm6Wӗ(V"|U]::T1hl ~VBr퇰M!]g&"\"lJmDۈDDfl١O}$t,­GOf}_;lNLh2Hej! J883[lU Qob6g1{-!&Gn|Hfydf[x<^HzJLS%*ҙ?ݬG*Bq~;y~4_/quKՠ/s ȁؖ6#h֧'DWs"PQ8to_>Ub(' M6헀MF(/[f+PD k)+d~ &Ֆ Oztvqww+$瑅A?so'o$I!? vZe@_ߔ;ZJڑiC>2)BmVWħUobkۘ4uHD^MRNjX?65;%Gz|L+W^ú f=zJr7pϺCU.0粮xPaBY"_͝*d.!.>4g`k8o~:V|t.mzvRG 9+L;o^?Ow" 7yr ]4TgrWIW?vNE뀰tH L?ǸEDoRHˇF,MG(>"q,s Gȣ弃[t mdѳ髦 HHAz"I>~NquTkT`c BؔG;tbFeZM7ȻA](ⵣ;tWyfyWJ?6K)yT@ A߰4VA{ƣ =9a2A \R}CFX˂~F1M'Js (=SDTn͐bϧR:oQxԫ~ՈK8ӘR GIq FBsX 2S/05۽z ToGpth 4W̤N7l5GI2t ?Ivo#{+*=ca@ O|QY|pa ?A&%-\x%MSDi^Sit31i%e[=Qo̓L)nuVYVlolD-^7M:J:|SNhqOצmk< #mj8t>6/\ /x*$lC~.qK35oVjΐ몄0кb4&_{.pJ#7ʘF'cA@0?TA()fZQ,] _3~Yl}f2lՋlp2+Rwe< o`Z<&dwqQݽ#N.I:j)MwX/}A3C+5`tRI T kF~Q1@mܬ̅YZMy܇Y.Yz%n0q( Zkh|ٛ ´'92(׶cbKakUE9?_|DQ?Im$Ec'a6?C3\1٠m%-f ʺQPSQZ5b_t5/kOG$E7K #.:Vշ|"J#A%3Iܳ($==hSB/TA7s*nHa4\uN;f9)|b(=QzFu99_xR xd1o/_b$ "Vən!ٝhjV2,JoHP!K=#( ХYӑۊ/QZ]/6ݤXA}` f DZ֔`EK*Va:!*4x7Nl)aM=xi_^ЖJq9ȪʀO?w3 +Pٙ>$Cl\GD\tCduMGyrX؇@oz;- W+cFVa%~ D:Mbrşy_<9P*]xqM8@ȡMP8Di"5tգ֖ /F*In]HmnX7V#ܬʠ.ͬ?3ד@d!.4xOu{`39)SR @(R.o|9 ِq:&,̤" a)hbP%_4[^F.`.ePa69p6R2Tu%ٴ xkM$3LJO1H{o)+ך7mSg f}瓂p?63vQQ[^w s?=ǍZІ.B1_,F7pdM[u~X7n C_:Q5e:٫:\gn3þ"jr:y (;c7ʈ\>)Լ)9wJ}+BJa$Pi#qܹ_+xDnN6[obyw'IO{9X p9_{N@lQj3$ [QK뱰?ip5+ܾ:%$nmaЌCW*Uly)/*'0=yUK0 _ wgD$I81*Oo#jvMNԑ([yNb.4(1 QM,9ތ4,(X{I$P'LC_l#+tV1%g"5|,y2xm'!ymg床{Puo-#$pj];pz;>y,pfl}6QjUHe`l1 |NYl 2@zASdX{¨Y ĭi`5?Ud{Bz%`U,^h\*U?/"^$ؽumy=KC\Ä^x6}?P)G㉒C~+͖Rpo+o(;"8D_Sn}iA*Ӿ\"È}&QDc k'* ]*i{thJ x"^c1U)<*E-wp͈Rpg G(Y_>ڛAeHbgpcID*8>03X+[NL:`gYi_m944d_V<K;ٝ%"r9/V $X?w %AW$i7qF1rbR9OcΓ/ՙso1CH"%kﲅ1&#JqxPi3 f'Pm~Lͩ.l!4N0pk:0d /mylfSOM`4~v;YmL%3*<&i\"OdmuyPoLh>Z[HAY u\8V9w7@nPubp= ag{&--ְk]G%`3Է=Vg݂`eQw&?O0UgE`5\Wo,H-jCNw&]1Š=x*:`95GѰl[m!8~G b±7AGRKPajaZ'±a b~hqgyx0>2cWn:]=uŐQ> +&̈́3d{41}g| gb#CРufjo W%>z=%/`NN, gQ]AO1.rJ/' 4DhBꐷԼwKJP z;Cd0+']z@E^N?I^j{/Vyh/0@n+]@Kkt/f[98'_ 6֌NBϗYد{ozǔXC!sλT,-SVd 6;l/|Dt%9nU֡Ja R[wSuZ%[(ZH52`A $Kk qz0=A8w_CGPbr+gЏ(" #:39;j+^Wj@iW?9]mcwm#wp򳻨%5վUə!Zl8epI7۶D\}}^ȢX8L%w%)y{e˪XKc[꧛ΟDRf{t__ݔ5r(p}'Yy΅ꎫ|ZYC? {Q*