selinux-policy-doc-3.13.1-63.atomic.el7.7>t  DH`pW]$ƨ1 )չSGM}?ZYJ"޶E}ʥ.٦Zw.Wㄙ1^vs,kPL;^T^#=Y]jcFDkڿ+-q+pr}}/sgy £{)Lզӟ8Od(e0e^};"6V,H#ꀶi+D׊~(ʖ =R`9f;8mʶ:"dO$H 1?D }X*R&=X Vρ"v*j_FN8%g)f'4q9YHDn[ ]@5)~A89M>2) vY-tts= aA٩԰&bd#LZHw~!pjM}ms5]a쥗دBX'¦ %u$5ߑC&{1ae9a884c724d5759fbe420f36f63f1924699587lHW]$ƨqA™:`=ө}@3;kV 0B$BR%-Y&cư)52]$dTHXg}{BhB!m(}ʕbaգZQk ٹvAm$6JĔgmR5)oUk*h+c`=@'7Ͼ1c yq&cvyhWCt>a#_uel0׸C%Uteǥ3wwRTbVQg4z> C|)8?+EǶ$eFvHfYߟ}yVLWr^z59ON9l4IQ"T7x?hd , Ipt         X(89:ƚGHIXY\]^bNdefltuvw|xpdCselinux-policy-doc3.13.163.atomic.el7.7SELinux policy documentationSELinux policy documentation packageWworker1.bsys.centos.org!CentOSGPLv2+CentOS BuildSystem System Environment/Basehttp://oss.tresys.com/repos/refpolicy/linuxnoarch P i 0'iN./d;jJgkJh:]B}S?;9MHhDtk'gi36f,S9 %P0dJA(`-sE kN@B+@%-~eikOL+_'H`HYC.6YW+nIRbiRlPq4*KP?w ]dOV,[!i'?g(ttyD<a2_ViF[]n~G ʖ #dVeK7fM%nU,2>=fd:F^mdy)U<\ 696BC1* h2?,Pt;H4> +U7UvJ$j fTZ.BV {xZs+>Y^Cg!;F8IT+>m xJ59 pgQoQk_  !S1 i=S܏+!J*F!H!,Sh:9| fIuv7!)J>A큤A큤W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+W+f90d6642396bd107eb2bead87e1f4abd10f50053d71665ab6c4dc0292976a653846bbdba1149ef9edd39c6f18d37f29e5ed9cb3670521f142ed6d7d2bf9f2b8342d2c3aa4d008aad3243fd00e4723033e27e253289356cdf2cf9ec46135a8327bceb4f36b0f077b7a232a94e214b3b0a5a85152e4d89c193f92ddaba3ede1ad636143f526a3916c0b576bec80ebd5850108fb1be802edda44686f6083bad5ab1fa37bac62fa2652703459d0d28d5461fbd5c707f006adf0742f6b71d25ab332f52eec103da47bbe49e1225281c6ea7853187ba5bb452ee3ea79285dadf158405fb2603c814cd87371165468cac4e9e9183a45427140b1f1a0ce9edae8c0701fbba9630e097150a635a4888bd1b63ba32fe267a22ee2d65a91ed300365e43f54cd362a73b335564b783065ad39f15331cf4b3391343bc5e6777ad955c8c616dd929cc363505f248a9f061785002887842e33b277910ccce5616419b1e845ebcba3deac70a29319d87ea13558da54203bbcd74e7c69c76ec7738b4f4eb2e1f8b9f341fe9ac06ff0c79d1fc1724838e7c55e2994028735d2cf53e639af4859034f000398cc42ed0a362d005087a637a60c455ee42017e470591fdec6c8e6139d0b7e3822afe97f5c37a5f75fd35168da66b7ad8a35fed9cfab22310f2a3449294c771d7ff2a51b506bf36a8b84bb4ddf7921397f4dbf8653203721df7581b2898380b83bb89397964f1e9f51a34eba8db847ef48de3fbdddc1e67f98ef15e670d10aca67c081d6201b8e9711668f9171a583fe369e93391f844db90df9f3d2eebbcae3c09dcceb0760224055c94ba996ff4a0c09f150ed6a395ccd2b5d9c13f11ac0a5b5657d518570ab1750c16563d467d7de5556517b2dbcbfcad2b4325f7d046bf9f343cd8fe7909b27b5845448234d5240a5fdee1e6fc2551a02887c3f41191c8dcd4e1b2ebd212b8e23dbeee821699b4103b7cf1647429dcd7c6e8cc0d9d959c11cd2c1318ee377f2655409dd377d482c1dec1a1e386128c35bc9a107eefef727580abfc40d462a9a358309eca8d9242d234d58a192bd050b5d15ec5ff6cc997dc6cd95df75eedf62bbdbc08925f6c4b59251aa57d7f3f5f9a932b0336f9e1f8fc75946d9b9e68a24223ce782e9eac144f190ada2db2ecee7cb44735f3379f655653ba1453a0dc45fcd1a3bef686b27775a712535de78d043e6a757baa93318c0d25d9dcab68bcfc28681962aed5cada73fb1ba10954383ad73806f33299e47eb4df4297abaaaa23d1146b6b41479076327a6616e9932df395cee21ba8a919c32b7a325e43633155f0fd8dd96e8835e5847a9614978d7812ecbe8b1581d97897b1cfbc5a2e2b54b60b1f7502c0f91b46e748ac3be11d973cd5d8e7f10078e26f46fef63439d2fe8f12754e89c3f3d5f4416889a233f52fed0a42add59d48e291415ba70d4eea37f7249c495dbcae6c6a9bd4a46166e8f2d167a5b336b9b032fe5e9417f5100f69c2a9c4d75c86ca43096e728cff8da65805e7321324a53eb7a22572f0f71a355d9fb4f8bb2d932507018d74dc79e9a4b5cb9f51fceaa9f905948500d2edb220dc8c3d90e8dd9cc680c51bd6d585f34709f4d57ede11c21ece769e11da4524c309a22054494658dcaed9ef0f9adc6540b230666142687edf12a82afb78af61b293c94c6bf2284f7f898d443a06a47c32b980ac0154e3c1f079b6942a7521e019e6d81f0d6142813bc97ebd559a6d928985378cfecf6390387944e81434b513e7e45346ed380271aafa99370f9aebba6bb661825f89174d71e7efa2d5f9bd00bc465fdb51cb1c0abbffd893f26299d089a8e9a32649cf865fea37dcef4a23f27da552c7ab0053f9913f9e722d60b4acfbd58aebf2b13099bb3c327e3396f06953d91ea5a06ec67a9f630af0168ec7e357be45cc51bf228021676ab8e839dab96efd2f6c06645dc4b99c2267b2d3b52b79f40f5413d729cd47c91d7145e9550e5f350f5c63b8c378f7d01c3ef093e8da7b8c85e2be6a32012558b83885e97e58625da44cdf25a4b9e33aa50d5e8cf166952b66a8e399d70394965dd05575b43b2bcea813185830453002319650ea81bce67440eb80a8278f33fbea06b7beb64c0669a5fde91037392a92862c040d941aa22cf1bed08aa615cea5037522f2f7cd0e06ef5baff7398e87bd820c10b67400d0bffa4f36ee528d7435d0d05e132376a8b1454ec6955aa81c0ae176539229ded1a363c410015ad96965c4239b298cc77267dcbce2283d313d26bc4c2bf89ece0c6306c9888da99e45771cea44e60b89c8538c8bada1dcb4d8dd3ad527cf53124c32e1bc14430fd6e2bc3a5aad34475f5a10a57231804e19b4e34dd57cc78f18d1ed16a9c1dfe4ff72fd22c824b9306226c190c3ea127b0a2c980f5112d1afb82dc7be5c9a680b3520c8072094942638f20b661555534eff681b1e482d91c0d99fe20c151f77fe1ad1cc98e251d74d339817f03cf30cadbbcf6c82866fe7d3abbd2c0f5299d7f2ddb1e613925519b9e1d119cc376516cf5281f91897988e2e83498ba040854426c5486a92cfc1faf09153257d3e583358997270ebd607399638917fe515ad6f416a9bab68448ee3e47cb5c9d90eb2ab8fd2588498b0bd09e98b8ee0f2df2a2458ae1d94967c9e8c22d7785577a4c4a238fbb1609c3d1b16108fc8503daa0e1a20050d77f5cd0f53561f996ffaedd03a2c4cfc74860a50b971cba469a7b6dec9086e99709580d09b2451fa5a57946df39109d7b9dddba946e1768fd985099ccea19b1e4e0bf5d930b1096e16887064b3e24cca1f40a9eaff00dc8870104d54a1bd0e493cbad18dc9676dd959e8766b718ffe5f606b411ad5505f5aac3b2a4f07bcf4e7dea0f23ff209b7ca26079e3eb6d7cfe4186711c0492cedd0d105aec58c417d406836a16b670bcbe199cc5a60f39ba5d950f0dbb31ffaa1ea53e11ae2d3d7523074486a13d322c57c2aab1d0023262a63030be8324ce631a9584e1196d5289f95b0a8a4301d66d4f751638991dd9ea740de15c1591d79fcda0c88a0a82279d4acb4482887893215a881ea8caa47f2d1342e8ef0cf1b96ca8d028655478febbc038869a08bf72c4c2056ec30479cbacb8d93110b116637d104c409b9644f4f48cfe39729ac4f9218c0b28bd9aa690ffd5a568b1143bd1e3a814f126f03cd375de655a6bbccacbd0dd545d51664f957ef5b1e8390f4503b425762831fd11eb7198ca625d97ce5ce2e2a687f791b0636c7632800d8afc02c0259548a93ced9ebe17299f43a0ccadd15bf4ebdc66e48a7e278eddf6ce5a01aa2b435969014023267f3eced86eeddd34ec2f2a2e1f2ed141c78acd93a4ef8bee0eec15582a769e8e540755f730f91730d0582282245d21074ef103df949cc361228790532bc4913c9357df4efe0f642d6834eefc48333704b9993cdf353a4315470e94f98677f5c46219b577c9635aa3ceeacf7832aeeccae957cead354f529f92df1f8bf185a9383e2ea8d01e0095254fe7e6d191cf093848ac638ce9faa689f794cd1997efef311d0c03f9f92d1be42f88c93a35d2a26ab82c7047711119aeb81bdd2cc93b8e6eb072d6c863225e8c3ed09e26db2bc4366e0dd885a43aa2d28eac443506185fc34fcf24921118e61868c23b5d321ab39cf186475f8ad40e57108bbe42387efe7870eaaa67c53ab4f816c38c41f7721c6f67c1755c3100b7492a0d96673558fbcf567ccb9027a766587093bb2030297ce7ee6906317319805d07adeb1cd697d22b40110ab93e29d348cd82df45dac6930f98637c942b8b2ff6f72597e00765a4231c4f3f3d5f37be5fcee51e3db1df078f637134541b3728723ac4c2b5c892f85ce0b7f932bc4cf496467df966ec44efdb847d663d545ddd5adefad5497e33709fc060a804188bce64b0ad6c8c3d5cfcfb7c6609398318cdf9e3567bd64818725ae8d1c40b4589e61906bff76d086647616b3d0fbc1e7568b0d5ca2e5de13ac28cf2423c05e8429c6763ea7b5c8e4a660a1b0e5da0bc30f3f3fdb1568ff9e88020482e2e3ffec8e69f304383551ccc466338f0a2cd1351deee96b6b3f63874aa0a1dd886f90a4de28d53338fa46a945fa0c2c77b1343221c23e51e441052e21bbb352265a545bbddeed82bbb0beb453463f7f43f83d10fab58059f411a5f486fad6845662a0e7a12fa17f2d097befe59c6402fa9ff778dc820d4a45b9d66b03daefc4c1ac501d19924ca2422a71216716721e594bc568f84904ecdbd6b763bf21335289cf23107905eedbdc48b1a98c5bba5322d8815f32cc50cdbd5727534e656e5afeb77bca5d796a6e42c929904dc712854656d3c5fbf6c8a182db0dce6fa3fab2615c744f0fb0b2d8436acef191ab5a8e6c57fdaca0f11199baa9692a931aa0dd80c773a65393dd336cb6e3b0418c10ff9acf6d134898c882a04520a20bec204aabdce31d5bb6c5b621dad931dca8c4e062f24a875e1ed1127a82b1299227841897e55b5c93e73f6e56c5ebf56263111dabc98cf442bf2c894718cccb6fcaeec7650a228afd0c578a03d5720e39bf7a0c6eb1314124c49f373989d82bd3611526c6fc71d83daa6c205b05738b9631b31d4f97cb52e17c68162999475bb37bce5ed88fe7afa73d94d40fce07c89aad405341005c2789cfa1e9ef45f509a23d5e1ec6f1041854e1e7c691c8befcf581745e838c2300a62ba6fd98547493555e75af391a3952cfb689db53ddc059c3f2857bf37a50bb26e19cf1df465b421fdec08cad8de933c87d7d53b065536064de872f8b1bff3db4cc36e96c2f2b0640fd9ed201d564e9756dbc112e35c916d3f4beacc3b89b631554631e93f6794f751b42e02d0190f4d3e317cad854753cb637747821fc004a08278ab6031f7f44935faed8e0c2556ac1ed5ae8625db86c32075db6af3b64583c13472ddc350ecdc05bb5f3eab3140eb9d276a1e329924b677930eca3549d12aa48aab15d7efcb5dc4d34465175302d17dd98e176bcda0e319a8dd2024241bc1cb1672be8106c2397e78c74dacb78c244dcbfe81293e6e8aba1189e9b294294159c3a811751c01aee478064bffc59aaad9ecf343165dccc798c8904fda695e8275f7d2d3ba0dc2d7398b8078ad7d2c129f7bee60ee0524dc77f25f88b3a0ec83f4d7021700bbfadb6665b773811816dca966ecd8e1d8a3a5617ce0e38250c6b92b1a7b842b88582e09178ea5fa1f40fd3c7079410a71b25a59aa8708134693c7284701ed96a2b1734ad365f37173ca169e0d7a2cb6f11bde35356361966f8572c0f3f0987a043a171b259aa6ec153be821716363a64328b3e3b9def0f050964d8bab7ba4149d98f7358ad86204a6a723888023e7cfd10d05c51134624499611035bdfe392f1dfacd8add096e3aa61b2bf78f957737e10e440904dfb799db0f3c0950b97da75aa49061b19472d3a40693b8b491f631da11305e76c8122584f7c116452ac4eba9cd281f25ca566ef9d2837212d28d6f7f3393932f89bbff7d2332f8533267c0f65f707718cbad0eb7aa85f3219f609d85c19777d57b20787fc021b3c7abca16451c75ccf966b5f175e6d286c2c52941b10659f82f3169bb06dacc7439741171334173091d097244ad85b0ea80722a148ef2dfc4a7862434b4b5bc88cb208acb65bdf346a21f3da0ef4d62c55e59fb5b5cdfad2eaec4ec1d3b47f49eca5e1bb95b5800d5e69d6b60fa0a526530a3b8dbfd5234dd4fcb1c20c378f3319083cdd134b4d4591c1a4c5f80decc70cca295be0f44a258ac027650af06983c4a83319819c60c8fbe225ef050a0c117389e04da8d8123cc2f955ea9e45098c6761e7857b16a089266a7c5a7785a5982f3f94e6adb3024cfc82bcbed4db026585a1793e5f0b0c3af1c521d49fe47f7f19c356648d71e5e9d0bf06b586450ba03954347f5511224755408300c5c33dda83d2720e3f47a630c8e232adc19d2c890594780972b6052394619476595f5649b57f90d149a6ac5d8f51714e628f885650ff266ed6d62c2abb851fcd5d9ff63c756c59828f2dc96b7ed1867be706ac044e320805dc94dd6e1299be43c94826c301d7b63e0710c4e299d01d176b5dda66a5010c6819a7eb095e712622bdf217dbe5e6e346fb0d83c012f8edf438667ba4c47d7f4e9d394fd2843514421cde11a23acaaba0175eab614b6a34564a5f6bd219dff2d3b066c85be2c16cc3f1e39d520440f1767014cd8fefdce34d8295e75359df6f2d6128404086665a3f7a4f62a7e69a9b4d44457763f98aa8cc91e770bc335b3993d307283c3175b210a1475df2ae1aff68a9026b16c069231f255dc6f2bb3131301258ba5396717d1875eff372b835db30faeed5b2fdaa93b182e3a2f99d898051c264fc532b3256734e1eb10f6889f6d15b3143013b40212a3af3c5ef20268cf96f180d95b5c7ecff1440659c6b9cc9d50c990b7ac5106e305414c8cd899296fa454956de54d9dbd8dd49a5f5655239dd95c1cf878cf1a52013defde5c68a47680558c6de9c8925c319ee147c4cfbe57400b2a766263ae374652d906838c1542609a8ae2304e69f7dfd15f9fe47ebce42e67abc023b63dfe73d6cf455d84cb16a6c4c4fb10f4def48b41696e5b9334936582ce49239c58021191b1e71e34b1cd1dbc106be42f157fb80b6c9aba6733a6cda9f0bea4fd2149202af989b5a6c33cde8397d7acbf85f974de81e0e79337cf896fe7b9f3b72bdeb3ff64f1acf1ef42580a14cd6591e030df8d9353672371a32b1fd3d72ec9947f4cf7c113091663d1bdfa23ff374e261e4e70b795a84faad4eb7675697c7c40ade3e24aad515469799f9221203ca9e3965e6cf9908a974ba459983b88187820547aa10d8d9d1d5cfe7248b31fc29d8bfbf4f9241d3e6ddd0d92873dd2e52f61463d02cb122df464ff9232b91dab31b814d840039f2b0ea8c64122a6cc1381842dbcaf9076d9ec7604d96e8e3bc63d6a78d73af255357ac843c8f6b6f27821141bdbe91145355fa8e3569f16b7742fbe0c1e03cd09b9c937e73a71afd67a08630f62221ca978b6a9e08e4b769a9495c003aae533baa543713968bbc7efba89a35893cb97675d97f9dc6c3ad0756c7b7b45ee93a843afca90b6b1bf6577cdb4a7efbc5291952cc930e5ae142bbebf75a52e9c45026f69c9c6bc7ef18ef07327b01b13d8ffe4c53fd29f4d1835a93842194b4d1527ae0d6e409315e07c17a9e33bc451d91ddc54eaca666e2796805079b8e2261ea614f3c1e436d3bc6df710b6da07c5f7fa22bea9fa0db248657d39d176e774945bf29d9c769210a21b15b5287e0b292d696111360baa4a428ccf306cab76b9709ec14c51ad9cff9b7fd4861176c27cf0399efce7b8123722e6ad07cc92bf567c02c7fc24387162966c588cd89622b94149ac8c989a33f2075efa9688cf5bb612bd2d6260b6ee461fa0a951b90afa5807c91ff256ca982f3092b1056899cdbb506af5e023107ebfce896a586b50be18d83ad5dcf51b3cdd0f06eb61081c66b37773470b5620e5d8152caa9531ba61a22267751e34b2b08fef23cac02dd08477c2f56ce84c945919aa8dd7afd8698c41c6d588c05eeb9a38ca459108deb2773701328b6e4c08f3c5611a4952fc890aa1da524c1619513773de23ddfc251a05809acd0ea1f29cd26978fb82874c12621e69ea771efdbc23d93a8d5fe6358ff3083a95f9774e3915fadb1f9ea6e9189a913e023ca36c155a2ad19e1e94a8c32d9e75be8b92e7db48257c5f724e3c53e4f4235aae67903e8f5daf391e87c864ff713d8a42884eee64a1041c193a455c7d3ae797855e9b3bc9eab6838f40ed979847f0b7234a3f4cc8fda73ed87a48a4c2d6b2b6ca65dc405776555b17dce01a7f89bf199564450540249f7a81ec080ade298a28371fa166c843dab565dc55c8fbe833dfb18659e1e859e92b488746ebfccd23f6dabec7d76f88cd8f1d1fc02e6b0876c3794cb927ac51d91e78f0f104a972e5aa0f211cd49be504a3a8cc310b826f6b1427671e9c2ad4764c23097f89e063cc32fcf7c7df42d9248b197c564a259c47abd7dbc15abb571182029d4b04f0d6531f4bd48397672b70487cbd2bd8008545d0ef05a91c301a3d8a2c7a318951968db5c6f020ac7d816ef32a4a7ada3bdf471b1e69f1c2f2c7e491467f5b4c00c35f47e865214aa8089ad983c2aa9e641a814db2e01e21daff721b78971070c74c1b71d87533287c32c400c40ccc9fe7c3f56eae979ad6a891c415d56f3865283839db8e464971a4288a27f562353f35e0850a531f79a2582f2dc4bcf8a29dbe412d5e0d7c95dfefae93b896e408b6d6b0e52dc3fdc20f61aa551fcfa64ce62579a824cf91771243742778aa686875ce92ba6626ca7d66820aacd5f78beb0f7c45c6f93d40c0b56d0eb9d9c083cd872e6280ee2ab472e38d7d1ee67a289c2772aab581a4f092e3f7afef65cb0daa03f40709ccbb274775721ba95d35202e655532b7a1ca7fb5e00d6784f072aa1d3122456f17facfb223cd1495e4562e42903cce195dc10ff9e46cc77bffc8022e9f1aef241552f6a5282bdf264031372d16e3eb4ae0029d67392dd3f98f4cecc7b59c3265adf4260c862c9e91c7f7c3aef9d44c93f3f79f5f54d2877fe63256370aa0061918355ab19c117264f0bdfca456aeda31e75cd1f30bedefd58fe40e6a8d38a542ddc51307c4a1b042b8858a71947df9a3e1767d6e4b763af9a5d2e80e38bdef06166c2384e482e557e2e8bf7bb4435f06c032fdcc4d0aaa0511f8c124dc4255f7248fd41f1f919cda0edf4f9495ba7c292c2171c661927715d6d4d954a148fc3fbc776e59e7452cf2241c577fb06606f178a840a2dcdab0080a46d08c414c9ea5b65298faa4d8dae7b7d81685f4335a8a451870456867497d719b58b506cb7c0d92cf193b32bc61905130986f7671373a7bcd450ae7a5e73955107ce693f04e3584f0564c709465760b2ef877e50262dc85e3fc60426c967874f51e3cdf3e951102f9cbc51dc8eb1f921d40b95782d47afeb173c93f36bc4042630079bf7cf9ebe3c52717a239cff89322cdb853f856b1d5ac03f1722ed420f6cde69895198a0dded7bf8f35d6371ddd33708f82f71e20af4a739a9c39c91f0e3328ac16fad5b59749df434768c5bd4c8e277681feb2d4729343fedcaec3744021c2905d788c254938e2f0e3b749341d63bdd2b36ae981e96930a2080ec8a72cc9ae53f72e3154794d670221e4086dfbfaa54505cf3f66c7c560125782765bd7abd4f43aca62a3b99afb46a469d1db2a233af417d649445b3e95437a13e56a62a2e31a56df4c252a2e87f4b071f4f14c2824fd77c23ec283be333c5240814c5702fbac5db4a5a9c9156665265aff24e710636f30c0437e6f13b6b1dfbfad296956c1eba7a03ef83590ea67cf443cf44d5923c5ef371f885d5a50a499ecdd12858d2950858b70d690643cfce80cb7212abb379fa094dd8be1a454b82db372828c97cecc8abfdae66e098432a06c07f0d7f17593ed298eb7564ec132d1acd39819b411aebdab2293cb672fbae5b5994ae3a14badf90e286ee51a2f0dab20ab4576622a8b509a7a40bfc08b093d41f27edb380966e99f3bfff2ac3d0146b8556dabceee77cf0392a393b3bf3b6476986b4c40b28972cb54fa47b24b558deee3988f6cdb96945dcda00a06460a1f4a47ff366218c4c03f038ee5930393532b3ae8a2c7fc7cd031517f2c17cb25cf01bd6c826e54e3d8a851b1a48452a8982fd6928770ae44eae867848d71ba511812b314503947fb9b4c2c88ccab300ca039ad5bfce412603ac19334da19c41b2e1199d4dabe268b5a684c39e3a8b4648ac4d9a3c222a0756b37b68e935e6500c38f91eebff798f1afcd375ee366d729438ba5efec68bcf3cc5f8fd81bec6eee2e12b25a7c68b8f8c25588378ec560236403504ec44dc5cfe6dd3d757cb6df563237046f7f5b8a49bb558db8afafc4c2a14edf732757562f7f212f8cf2a566190a6a8376d0f12a6f4647e07898a7d837fa4cd7e729445027a3f24281e553f576fc02b85aaa49ce3e61f4f01985fa26c5c4d56d3d4c6683460faffadb4ef5a479cbb064a010589db2c2b6227efc50207080791532bc865893b07fe3e3959236a5de6a5674f4efbf1e1adc97860ab260695387334131600cbb77c02bff05216a1a747ce64b9f01bd96b0bbc7f249ed8d04f845ecd2a208b44999330f1347364f4d4a52764b6145027124a799715e3101c7682ac03be2910d8ed109d577b9cea8a26d86d1e7e36b029a3f2a8c6ed5ea8d5251be6d6ed24b949b68fac8b16e685e0dd5cd0d78dc9b01871957c80d277ca70879ddb6de42e0b2592e0a7bb1e9baef5c0678af627fc75ddd3ca01105639a640e15ddf74d0d1224fa051d6e29d31953973618ca3f93e6089aaca73d006d31d1df9645a0cbbf5ffc19900df549ce00938b26e427dbb299979c1045ca868fd6bded643ea8c46203ce89ea5739654da9661526fc4e2f3a933d99fa4bc50473d082e24a26c09aa91b2707a213b5493feed3ee5af876890d24999f34ca106dcd842777a6c5996d901c34efa03c0e1d63cf6a0f80bac605c341aafc9c940cf8a628fbf620a8f0368b740d9a6aad24cb66d83c1e0811f4917dfd5b3b4e367218fa2efdffc338e8b101a06b609750e9776a61179e1f95a4841c27c622573b2d3b3ed0e38ad53294d962edf4388c74ea5907adb1657b40f7389168de0be4a763e6f11ce00e01163f18806b52010937821dd1c0342f168e145d2da4de993d9d145ca1166750d484eaf88b4766c03f69011012cfa135fb651e52ec0dd65301b8b760d886b1e3663c0664d52f0b85ff275034ec7132a9987ebec47fd14ecc6b8f342cc7b78036819faff144455aaf503b47111f8b59765a9658f230111283293d2f40b1befa4c4e6aa37fa39f0c958b9bcca9ed9c839aed8e27fadc31b0b25946dac8104f2c0f655ffe0718d39f59af0fb81b8b4011ccc5ad2a04688db9f5bffd7db584592e86cc27fedaa12242b11bde0cd078f8bae7ce32671c6e282fe876dba8ed66157b7669759590d561872031bce41fc5a5067aa2e739d832c8f8adf5f4d36030c08af6771a73b94aec509c258cc64fac2e4ceaea6ddf8c72b3536f76f2e3bcdb19be378d0277f8154293a10111ad73c3aa95b1c292ba2c58a6804877a6c37c9b1bde4ddf1ef22dfd457e9d0af46e064d0610aae148fcc342ed2056e1005a35ab8360a8ab530efcf0ee0d26897750f52997b418e44e1a2837ef8052e62bca250b2cac436c5c95f20339592c1bdb021dc5618d43435186087a201f0236ecd62b1e915476d07e897d119fe37bc4cfc0f6ee7198e3628c0ee4145a148d4a78b5a6bd411efdaea339136464b3dc37ea4f36baaee5b966ae1b0b3f5b652c7ba5572a4aac71c8440cf370fc93cb326c483d30d2dd5139d32dddce0572e5430b4a3c82e9051a436922bffe2ceb842abfeb579f408953d00aa44d75acc77871f070dd2c61c0f7186bdb8c98b8111b99f3df5b690f8058401cf838a2a2261e6eeeb9f94b1a113d9b35c98520b027243f7556ec346c4fedc02a5c4f56233dd155b3eeb099b65325205416f72bab6daff2c24559d64338669a86bf38d235bbb65bd6fbcd04b6151173ce59ab6e67422e6678021ba803c3877db2da0d2f2dfdfdde478473c4c0feb3f1680b6a44e54869acc9526d71442a03f50972eeb0dd79e8c12f314d169f32e5373d7f06ec014414477192b07d0d7cd779a442344a96591f27895b7729bf27210eca2ecce983fcd0fb0a3f6ac8ca9714840e3ce9c29945f9361768c0ebaab5a4a1d8c166a26231329eb23f4e9cfbb0bcf27b85a8003eac54626422fb3179c5a377c968f868a9b7516070f3733d98fabeb520bba7e2eaced6e7ee3fc03458bc7ddf0b70d8cf324f87e8177bef24a2d53c0e142f6e4c0299ba37618622d717773c863ea1ba589a9be662ab8f93a6a7e767433730b8f68fbe911c86da27e7f4165f85eae5c7b9d960df2b5a838921bd30fd4b8c894e6ec208baeeb11a1b79f01e62eb85df11b5fc9795e7fa41f2b8260efca51e3a471c6be910b363db78617ccf670a151f95ce8f433e974a8d8f5cdf01811c41d096695e3d3e092263f236516d740e971374873b04131ee19ff12750e1b9282bc570406070fa218723d69d29740715d919bea056210ed8b75e1f79310c7bd85b4954db549a1e1a4b86f003001fb5f9998625aa7fb257475c5f9a0a64d79d022a85f411f88d385724849450fa6d5b3246c38d64c786d6f01b185dc1121dd8c0e61a044323df0ecbcb70b2fe49a569e0e924305f931ab63cff0deac0a561e54276f2dd4258f95cc551e1298d1ee2e8a132c33bf2504c91fd3ab3dd0353b5511381ac5e91066dd11201d8fc48729e493a9a6a4cc1db799f02bb9995cf034679643fb875e7ea0a46c0b5f549ad8b9c58da53a00deee8d8f9e8710189d435b7ab8db1b683149e41e7f92747d256436997ea9d0ecae96271b0b53a0fbb7322ec5b794d10e47cc241695fc21ca413d9be9b3215b752320c471c9830bf230c93e33533a0473a415c3c877071a5e75f96883eb503efb0c8717f1d9833cf58cef2205404185c426e29071a092f769eff711e7c9d61d977597c42d683ec37c5f216b97332c61a4a352b90ab6c3498a15fac10bb85002e7a1a43742ca6e507200792b00922b0f86f8ee3717491b6f71deef8c6ca855e6577e6a599ab401964bd074cc578723f5245952390d3478b780754f26c45877f12462c2fdaebcb92d6b457f781552dc322948f43a4906ae60546b5ca2c5d333c0964a5261332b5cc53f683e2236566b6a75a759092371fb1808d368a4cc344d196db9f886a2b55508f46537d8da23bf834f32ffd73113beb9171457f52ec2d367efeb7fbca9add2ef2ffcb54b777419c816a9dcb88d03c9bfa43a5c1d0093e8159278048ddc8656771ab7065c8697ceffa6173088c2987856f8df62da817c3dd1171c9cf6fc8c76fef3f4fa39feaaa99a9f1dde85c2ba5d2c19586edf1468116a01d3a0c1387a5618d5ee1bffa655b48f823f29451f24320f2e470809657bb970b8332621c19f067451685f3aeda59b2e40e46c86159ef2013540e2af11ec70866b237e8ed4bf2296cf1ae13790ce1fe595ca7720efac04162bda2145a6c9d76278570286ee9d51571c2e075e4ddfd2bd209425759458b13bdf0025c7296e3a3d91adede75290d2db41799141666b783c7d46beeae65c52986e3b19265d06bcdd3448c630689423dd45cc65a9e3339b126661ace083e9ede574cdcc38294fb05e626e76a73e98ff2e9329be537e8a17f552f680c607dd48cb0ce8ad20bf997f5ec6d8f676625a33f753baeed961559e4d0737a1ddf12f19fd6105d940d0451309518f4c1ee890a299db34d04df5b847f55fba1da3275630b2cc9bc80b1faf64eefc72a09556d4f4518d04e7252f7f0fc16794d789adb00b96f2bce4241a6091ee2f15c5f2a2c4950ad3dac38dc4e146028de7c0624076ce6fe345ee4dd91d8cd966bff10e602f9c7c24851ba2c97a91d16489877ef05745a157a2e08e1c0e45f3c5b1918b815a8f6891f3737d4d2f69ca2437a41163dc70ae51d4df1ab058f36d2021d9fcd7fa993f0d1302c0d391e9d9aa7302a0a4c9d6eecb61ab95ea7d6f3f48640730e09ac3bebad8786d22c95ba8500190a45575b1b07846f1c1e227bdaf7c9f8153f86fa5481b84dd874d7d48796e1059267244dda2fd1dbefc7d0d12c362eccfe44e3f6d30675cedfdf8df304b445d07f2cc4ce4120bfafc0ab4368d1709888e374c28d87966f364ee12eafc1a7a407cffb24ab0c3d788f831eb983d529c99318e0d03723d8bd0591911340d9bd85f7b786dc5aa7a59375e2122e3516c82a281a1be4bdfb37ac9b585db6350920705ceda2fa55a7d8bbbb0b0e830d68e6a672730bd8574ab2be3ebc7a3c2dc90e2d4979b9254ddf2e431dd6a543e7cb01de9846a12bdb8eea14bca16314ae924cf01cd62d4e731cfe293ffb212c5bd931b07b819cfd5339a3e30c7d24be79fa34e26fcb41d7a7db497d2af0267dee7a7e8d1df622c2818b1e8860094998d97a91836434e5f6494f8c40ce2fc30bcb455d1b4ae46b9485bc9893e71a0c767a4178a782f33ea6a1a2b65833fb650d271447dc26ab6d3910e89edd70559b1f6941cb84b75891eac6bbb2f3a18cbac9621688f61335bc9c011e52abf2479e659767987dd9767996be942b9528fa9152a7de2c636c11b9c09a35fc1a3e3b65d25d3ee86f2465aece75d5e01bcf31723314c61498211e0224a5e21292720e0d1302dd67103e8cb441b8d73f5e2621eeb4c9925d36fcbab40dbbef7d434c103ec0e8896c0ce71a05adc0fe7bd2dec65de7b73a7e3867e40233b4697109bb86a0021830a25bdd836c0d347fab3e07a5ed59d847100917557824d646427461126cf5815410e9b8594086b0d074fde37edc0f945c21397bb1d938ef34952f7b55a7a9abeaeabc1402f271d079c71130878cdbeed833171bcd5c92112181ba3bea3cf518981f74c16f6901a47e5c999b60fe1c12f0395b9fd4cde89b3be4982bdc3e102eb76d604c73fc9a7c6f5544cd58ad976c65f12943550fd81bef1239b67b414fdeb3ae7f69e0fc5122ed0ab62abce254cd8baa4bcfd88070d9021e8b9e4895e4413932ace261c106bcfd38a19ca576e8acb25af83b7f76aa373985271772adfdafff56001a2f12d070411e693d29ebc616d691662633a920cb206da9dca7b81f6d9d66165cfcaf5e4c24f0dbf9fc5c2af2aed01efb9553246616a41d981dd157e9ee3f8961416b34ff439c3717d89f5043476cda2c3eff04bbbe5fdd39021d33efe673bf636fdaf5997a7652779e5d792dcf6c983b18b585c421726d685c111ef6c37a833b301dba8c3081374f67b0e729448c6029af05b0389e010dd7174e35e442b424a33e4f9df31cbe1d402376090ae652797b88bcf35da7ffdeac642917dc2d31faa66e7c146324daa4f7ca2c1cf8ef46642bab610a2cf3a8abe1e72570abcd35e97955afd6cfc96bf7c89b03fcb505c459549b67adb239e6235365ef5fb47ab504cfbf59dc6164f2ccb25ae56fb766cb7364db012993c2bf005225f7bf6f087b6c700d5885ee7b84352e8fe5d0fbbd6fd83ebcf1163f6c40dd2154d4de80a340800edfa5079a546579a1a1d0b0563aec5a36dec61befe589c9614f6bf1f7712b576ebcf8e5c0841168320ff9181c851d9c8bf42dd2f84aee960a4eaccd7068e251d0a7a05f191abeb79d24759035cc31dd1b1b11cd994510bf36614a7253f7a549a9d455ce2b1b3310973077c1653fc699b74ee49878b7712e08c069e74ae90e19270688652ade6125d27e6c2ee2cd6cd062d1d0c0a105e47836f116aa6f8dd6019979a21d4ee2a27ade5a2aaef0476ae532d9f67821d07c4886409894579b335d2b52196107649a0587c58179a81d5a98e92c5cecb48101a418a260186a2e7a353356a65b8167f98e82d3dc48a0e61df5c5423ea8804e649990d99c07aa975ba42bc91e8936dbc43db06947ae67f147030234f1f80485190f679694adeef3ebada70f39fa451e052e5163c550387468f89ac6a38613ae8cb77be941ba3b5850fc2be44634244a07e8192df5944301b502be3a46601983581fccd17deec0c039bff5976934665fca72b113e849a63dfdb29e477cb00d34aacf11cee9a6d61f8842112ded6176b9aeda543b609d7bdc3a023d8821d0ba2702423b195509e0586d269d7fc0188f6421348b829e60ba877f9dcfe9ea771087d685d1756d559b0701fdc76630c4e3984c0853390a55c99b0b25c763d6a82a1590706ad8144cf9140547f7b961fb19f6570cf728e16c6ebe3bb5bb5ab0be024c8db51b5ca05f2e545486757c1c73446a2597df09f9c0f48b5ef5201b195940cd35ada5ae05ebf8b574475f434a7e7efe2a497fcef0eafe3397d8010db7be6f78a58b165afa8be722bc99933dc7906449ea0204da60362ab819ea2a5c0649ef9e9b0266040e84c368a834953dec81b26e00fdcde525440a0dd51ebdeb59dacc8a98ad7ee6b8e840a2a573131289885f2d995744c5817a46efc1f50d6d98e20bfbc376c08bbcb0e2c3eb79b41303416b55b0443debb80834e9fdd0c7c35af56c8bd08774065e189fde7e29b8038a8abd48d25cff605d05f4c61293676da4a8ccd7aafecd425e88ab573afb9235163da6537cb0c6177ebf65c05946f11fcd23b42a0f00234c4ea422b54ec7ad331b35fa2b7c70ecbfbf0b09f2317bf38e7c4c6b8356748945b9c5f593af82fc83f79befee01efa80cfef2d7168cf6e91be6030e97893e4a8a988de3006e41ecb2dbb4aef0bc905783dcce2fdcedaf3b6c60f50b9050d69b2f4a766d42192fb8d8e33bd234803746c6bc5545c25f2e26c85275b3f7ff7796b6c0cb0f57baef8360dea81ced33191fee957ffb27d880681f215381b62e5e0074d93f3032afb9f63eecc169a14f076300a6367ad5b56a50f6447416155841f86d3f7b9f4f6eece2e25753cd2ecb92a8246db124f611a74c46ec17215acd6096e166086efb1fb60a4115fe4aa40bd6ede9a921bceeb1e43eb36a8efd356b735e90c1f3f8f988b596809be2b92822ecd155da9447d0695e1bffdb4d2e4511018b90e37b31b6cbb3234fe9083d590429b523310b8a0a957b772d7839260f73b85874647fa63d043fe66fd1425a91e734a55d52d3ff5ef0e6741b8a7943409932f2df4ceb0dd398eea59cb9dc14d76a62992cbd5f28e6d3ba7c47b82e10bea7f6faa658ed2a95053e9aaa216a42f44b08876acab448cb30f9af688236d1834c8b001e3285889eaec147b534b7f0dfe461d5936b40a6ca6e70738baa16e4d5930769769470c5cd630786aac0ceec2f1c5696c9c0f54e9cfec1295b4d464450ffb2a85f4631e13d8fbd776479805db8efba3c0e04059c4542a22c52e5c5ce51a9ce3613e8cff0287ba7d54539057cb8309533fffefd14ceb355bf68f1e55b9cffd85872809b24a18544276ba5661d48adc91026ced0551c1d3e34f91fd69cf4e190c90807aef988ea40992acb548be78557d2146a1b93f9ef616db2cad227a32d0f8ced9b00335a08b0a1b427ec9d26780f133bd88659f7f71d2b614d5acb4fe908c42474da1de0692f59ef7c5eb8395509bf117638251ed42fb8b99d0c27ad24e6d71718ad90bca0018114e077b269aaff0a35c803bdb2cd0ab183bcc2c0945b7c0be438f4f0209ec48d49469b7dc627f66469d1da76c5800fef69e5b5cedba48d31ecbf5cc26c1696673f0f218bb9a32d9954d5767ec26843e05b00ab3beb8de822a48553d7460aded42b8b8d6fd94cd2462214594e54ab6ff99fc5f8909009c2bf56725dbc4f63dd24e39891517e3a6dafbf912cd0e4011fe79404353ff37065221d5d7164a9f6fcaec556e97156228fdc7322fb84b8358ed84f00d94e702cdf5f6eb4070c05f3b02fec16530d247f896fa12d9afe3aa48be319316526334b4086bfce8c0cc55bee165058123a87ca6acb389e7ed70eb95b4012201ae8949857ef407259da5787df4d3641aa616711f7189c61f0141b27a9b2dd7b0aae99adfcb40dced48224a41681e8485dada3955a658763ed8ec306a5b59e0caf2ce54c469c5ace9cb3851efa4bef3e69b36e38f5a62048ce868f9939e12da9b4c5d7cf276606aaeba002d8f24448ad8d614fc7875e425d62bc4513273637cc976b0bf473627739a44a02849cc0e380168d96461459e3792c4b56c014c36acc2b65f268ecab5fcaa9788011d1152993e3eb0fa2233f7c9ebb5ab14be02ae699c0667658647525d66572d8db28b157e7866d62511e4b85b887435a8a504da4e9dddcdab4fab36aecf8048b202cd425d26a8e29288e7ba90223fa117197ea4be55cf0d714c3b900cabba274e90fb091716412cf08337664670f8684a9b3bbb1d5e9ad5d9bfa0760a873196e354abb667b86462b9298b259425e9d69238ba4e2cfb6a8a0741b9cdcd2a46eb465782df6b73cfc085a5c6ca343a8fecb09643bcb194050c8863aa6ac667007f4350a9f0d7a8d32a97d07259568be30d244c5084cbdfd4d8455072902ccb69aabddfeac2e4a51dbe1968aa538b92393bb7ff139a1d7bfc1c1f8a28361413e18883560b5ce40ae76308d5b3e5d33d6968ad7c45597f2cdbbd39954985e14f685637a78a4ca606c6c0492ac4e5069100e082c9ea6aebd18bf6d043831cd7905347d1463eb58265985f7932eecc4a8f824bbcefbc99b18c7ca7cf9074b91d8b95aa10f7ec8548efeaf4c46425493ef046fe3762fed44eecac3abe148b60c86bd74731f7e9471a77f26aa91beb3c1548b0fff4404762fdc68ae993251b7c02b89d7beeb4afc8cca0661a63ef10626fc28704a8f17edaade69d379c7022aaac88d75dc2c95e93c484a2065676c217e8984e76a7dcf11b1dc5f64a9236b8e83fe90301c5216ccdf62d0da38336c5217134d1b73dff820ef9af51857134afb62de70278e710947f1281f9f8f9f72394325895b894d3f5d814884733556149391df608ce352a4204decc8eae9238c3bc6f38a96deb9c28a1ad5566d0cc1197ed5d2670654ba539e862ec413bfafade54b4556bd76a7bebe0a296f1bb5bc22a2fc32a392de5bbf085401ca291fd7b02001ad0006920b0a5132d4f91838261a9b6663f07a02501d653a6fc61e323d64057c2143e1e5a66d040485a829f75e7b94533b6c570c71700c33660f534ccb5762005aacbbd22cc7bfbb23ebdca023666499a23a032b3f50c97db3e9b6a0d290b26eafbd0c017109baa58ec208821892d916945c72eb17afd2a90f713eaef4f3a0ec48bccdd56a7d353f408f64d5cd463f87e841390ea62be52fb00ea20dec0d1e9753c3d07e81ca613e48cdd923e596a732a6223b3b18c927fd03fede9841b646da332af3663c559a48af9fbe6ba1b1d46fe4a5fc768bf5192852d2550a0d431ab54884c88e3206d031cb8b6e63c9dfc0a8695c0b0b5c728fba829bb849a2c1676656282205da4ee8a13e00acd8bc2e083db2117ec484db77a6edcd1bdea5bb7a04860762477c179f9e0646dd70c549cafd02978a6e19ff3b28b5372bc4e96391200ec05cee4638b02f4636b096a77f58b1bf40630b942a923d31281a68dd187e460fe4b075f3ef0353f8c20d221dc7aa01d078bb61b113fd6191eaeef57f2a59d2a8ad801b8951713e3322529ac473c5d21fd99794201865522ca3affecf07c654535a9ba50365cb9f09f2c9a4be5342774d59e00b707b9869a45a93f5a81b09b02ad91d157c1b5508718a2ce8167f023c4314dc7df4c525833adab641d4682878392d7db79cf49000dd5a97e9fda127954935d97a013a80b5472d83eba2db42a21c6ee1df23a5ad03aff294e17617f2acf9190cd25eae22155e3bb95478b57c515b9ef05030499335835c0c1c8756ccd22193a49fbbe543aeccfc8a63243da5505d320b2dc3f41d405a81c9d5478a8c59ee4db01082bd517d5a90fbcf6f06cd8a95aa9e16f643db339ee7390f55f4236a74dfe7e969912236b68feed50e4dfd26ac53991c9412fcd5545a49bae21bca2e6fa356a8f642751fb47dcaa0def998acee38b106a1992946f4f1ae3523d15903da3969a6ceaa190fe687c452dd4d5edad25588cb1d2cae2596bf81adfcf9ea1b0fe069acc7c9a9bdc55997621f0e3b27b1f4adae0ce26c4c10544f2319eb3a1e6988bf7075ef0ffc92e0fb9e86d9cdd22f3f7c15399b8031ec1ae6e43a748ca7cfc55c142b299e4436dd81fb079e210403ba90390aa685bc901a0a997b17f27509e671e9d2806ab4929765c7865f8fda38acabd6b0c08336b7f61bf81fbb80869c9a554ba4e825eff1d7a0597b086c070d7e8d701b1f493574dd0330a2de78cd99387c1e93aa5c70171ae91344c39d956c3d78cbc6c8149f28c335b5c2f45d29fdaa4cefb0ffe25c05f41b91c1ec99f8ff25f3356057b1092d0b2e9a084b23432dfec04c1e6a38766ceebdc08476898cb2288a8e1991f7c014e85f5160056125ea643eda10ce7c9de61e22926c852f83d25c65830a8c3ce0ae3fab00c59f07e53e463637aff7d2f9a2d6fe1cb76d67af7cd297f980281ebe952bd43a8378b0e8e8893a76da92511f535ad97c6dc37b33e947739062ec7d544a27ef4a228f8e62d70afd77162dbecb8c0de64c45a70bde0ddd224a866299ff988ba228f313a3a375e52bcff1b32a2216d8bf09ded1a5c8ffcd0c0513bb729f4b6c1756bb5939b8c87303fa68ba9b8a7034dc6c9470b916052fc7efe7c7848cf913844b39d333c10911072bde743b5fd7964c80a370827273f1882f6d2264ed18c53ad77f9a53c7afb114c1e3ee9a608fb570a8176078c7b20221a304a8db9a2453a3df305aa9a898f69ce2bc248cfa47bd3571f8b676a33c168537b32e0a80222b5eca11d5fb64f8cb9cbf9f7b303065a5dfebf2ae726ede19f1d94b8afd3d42f5cc06e23e3750a4040fd58e679af181ffcc8140b59fc0c1d49e6d1765f99e0c85546293a3b91e3e574a45fcff5040d4cd476d59a0b665a6ffc6d2e72ce8e919d3e0f49f4f76f7762f3d3416d37592cbb8761066fcfa2ebf172aa8c913ab89cc045acf274bbf8d6973500e39f1352bcdbd045586608920a4b0f945d085e7e5b868154dff12628bf9a83a53244040285622953ea6262350a191bf1ec6f85736af701dc0b122f68d8b0db6de1b620c4ed8b82a649e4db8914f092bfb7db4ad501363b5d2581d7d2e69e100953ca07d3799a63ecdcc1bec117d3c19c2aa967817cb52650c82cb6f1d59b87bf399ae393bd21b4dc5ecd4eb791dec80a087c89428f760f9ef09f774ba21638f333b0912232f3e5c09bd6a109787e5319a9185393e251e16b28edf9c4153e87863919d065c042520c95d325ba47e67f5bb333ec2eeaa5e4f5d070791aafc976674c4faa6932fdc478925168f5b9d5d28365dfa8d05bc8ba60c4d78dfe4f3496eaec7da85c9ad71fccee16c5886ea5b4254956af8d9d2e114e7c378d7fb4cd7c684aef905a04ea5ce0cb4e861c9bacd2a78de931cbca54d9285bad681ac10b7be0a59784f18dcbb49b30b6daeae34a7aa1345400f65dbe176319f26619c9a3ed3276434e60674e3ed7f5127654429a3bcd211e2de9dd0e5065de14e1b01e781d93212d922e57c0fd708d2fe6a7ab8b8ea7a71bec0de42076f7245ddf895bf2fd44309eb34d590c2917cb0b9bc83543c7cb75c4f60cca668d72808373e409b3b70d77bfab21605ccd83dc549c4ca6b38d12a55d554ebe8e5fdfa9282ec50d90a6c9c279333b500d31ad7033e81347d7e462532bb04b6877bc71ee320254f0338ff44f2aca315804ddc224b85f79bfef4dbeea624244d5422713ff34f5935a7da29732b5de52def73bdb9cd21ebe0176981b9966a72a2c4b2f01257662a4470e51f0659791b3c64b6f9c4244164515a77523b4937109e213c3f70e0aea1103f6b75896035fc6148ec5c61f664b315954d108934424463f30d86bac7a55ee6df50ef35974e697549c7fca7d5b0833dc49217639455c8071e6017f17d1156711ab1a474d2270a7a26229d63de10d86980a0f4f4fa8560ba3ebe8d1e894bfdf484f6dc492458ca8901cc7bb20b8a1ea6936a9fc58e5f1a2f967f1bf7c0a4b41566f1c5dff89797edbe40ccfb5d74ebc0cac2de26b1a5803c4ba76d2e5f03bc063803e5f20770dbdb21d4216835ff4d352b0270e7b7db6dd99c0bdfdf61ceba523178f8da8e0584f20ba60fc5cd90118b9b43afb2f84fef5947e93f3a80f948e276892a0fd0b155b4453c0856c5b7316faae1c05b0c78c6a9dc5b63dacf6d1686da486a11d55779ce5e95b181f2b180862ada8c6346af1481c057882a669afe49d4c26ddaf62475f3e4ac5903fdc6c047bfdd6beb6e5d280ad92008ac1cff8759e826f1b9067f4c66043cf1a8a8d7e5f75caefa763d0322f302f232be787c4d56bcac4784f46e5efd6d250a7165c04ad34416f476864d4dd400f274e7e7d2a6eb9f9b1eac1e2226ed4df310eac2f5cd3dcdf58f5b5c923c475d6650c7c67964ab04ceba8992a0f0a9e0053cc6b3281a7643c3c73252beeac02dc9c3bbf027794e5116cbf4373bb955252db618ef77cc94aae02b2c89cd79b42a85a23442d597722767377735276240230301d276d508dd9e4a3803c4b37e7de72b4251abb79e0d9459f956c47bdb5ae6171682841e81d50938eb1c699ab9fcec94d36c7d74b361ffa5d398b23f84edf7b3bf3f2325edc5271ad71da10b1d0acb075cb612b5fdf055614cae2eaab357c1ce256fd11fdb75305aa5059e0459f99964cb0760d29a0f7ef5566b0ff2aa648370b7dd9492795049a2a1c7272e6e78ecff687b6751b5b4e9b6e6bec54c5a6332638aad66c4f7a3986a2c6547c030fd612a67397ceb48a752fd7db8935bf4211b14ece33fd9ef14938397a091b956efefd26296a62eb04166f725d137528300b2911c15aa8edf69c28f6bb51448c60de81ccba0c61558ac8849a325452b912971245d8c3aaaadea0a7d9fe90b98b7b8e908c8e2952737b48c04db656774c5552238a949c9f4f461a9f58d79e4e20fc18326a5eb732dd670283349247e9d299e0d536600408e4081d520f2a012e154da465bd0968d0516b9dc8f95a76de8a8c14dad285cde8ffb1109563db0b9789c4d52476de967622370bf41d50e51a15401f60cf3c518ff2f7ac227e07cf9da5569595c07f046dbf5a049bceb6d5aba722291c8266f670fd2f4edb642f2ad40ff30ec0de5f0e924bacddeea48623c20e44c30360b9c535cc638eff2b53bdc9c6eb6eb504e5deb4rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootselinux-policy-3.13.1-63.atomic.el7.7.src.rpmselinux-policy-doc    /usr/bin/xdg-openrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)selinux-policyrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-13.13.1-63.atomic.el7.75.2-14.11.3Wj}WZWH6W9@W0{V@V_V@VCV@VZV @VqV }@V }@VBUUU@U@UpUUUUoUoU5@UUȒ@UĝUUWUU@UUK@UUU'Ua@U~@UzUv@UT@U@Tr@T@T@T7TTTC@T@TTT}Tto@TsTk4T`T[bTWn@T?@T>aT6xT6xT@S@SSDSg}@SB@S>S;S:@S9XS5d@S4S2@S0@S,)S*@S)S)S&S&S"@S!S L@SSS@SSc@SSnS @S SK@RRR@RRJ@Ra@RRR&R&RRR=RʚRR@R@R@Rv@Rv@R@RR@R R@R@R|@Rz/@Rz/@RsRpRnQRi RfhR_@R_@R[R[RSRNRNRL RIgRB@RB@R:@R1R-@R-@R(r@R' R%@R7RRNRR@Q@QQdQQ@QQޞ@Q@QکQکQ@QzQQ4Q@@Q@QKQQ@Q@Q@Q@QQ@QQQQ@Q@QQQ@Qzl@Qw@QvwQo@Qo@QnQm=@QkQfQb@Q`@Q^QZ@QQQIQGQ@j@Q9Q8@Q4Q0@Q-@Q& @Q$QQ@QQ@Q @Qh@QsPP@P@PP@P[PP!@P8@PO@P @Pf@PPqP @PP7@P@PPPYP@P@PPPM@PPd@P@PoP{@P{@P@PP5@P@P~P}L@Px@PvPvPuc@Puc@Pr@Pmz@Pmz@Pmz@Pj@Pd?Pd?Pb@PaPaP[@PXb@PWPS@PQPO'PM@PIP@@P>@P8@P7lP2&P2&P,P,P*=P(@P#@P#@P!@P!@P@PkPw@Pw@PP

@NNU@NNl@N@N@NåN@NNNN@NNN@N@NGNGNGN@N@NNS@NS@N^N^N @N @NNj@Nj@NN$@NN@N/N@N@NFNFN@NNN@N@N@N]Ni@Ni@Ni@N|tNyNx@Ns:@NoENoENiNf @N^"@N\N[@NTNS@NS@NC@NBrN:N98@N7N6@N2N.@N*N)f@N(N%qN$ @N@N7@N e@NpNpM@M@Md@Md@MM{@M@M۝M@M@M‘@M@M@M@My@My@M3@M@M@MMM@MMMMTMx@Mx@Mv@MlMbSM[@MRMQ0@MQ0@MJMGMGMA^@M>@M9u@M6@M5M4/@M4/@M0:M,F@M$]@M@M9MMMMM\@M M M@L!L!L@LL@L@L@LOLOL[@L@L@Lr@L L,@L,@Lډ@L7LLLNL@LΫLeL|L@LB@LB@LB@L@LMLL@LdLL{L*@L@L5LLA@LLLL@LcL@L@L@LzL)@L|L|L|L{@LvW@LvW@Ls@Ls@LrbLrbLmLk@LjyLe3Lc@La?@LZLYV@LXLN@LN@LMxLMxLI@LH2LF@LEL=L=L=L;L7@L LT@L@LL@L@L0LLGL@K^K^KKKj@K$@KKK@K@KK@K]K޺K@KtK#@KKՀ@K:@KK͗@KŮ@K\K\K @KKKKK9@KK@KK@K@KKKKrKK~@K,K,K,K@KK8@KKK@KK@KqKqK}+K{@K{@KuBKs@KqN@KjKie@Kf@Ka|@K`*K]KXAKTM@KPXKEKEKEKD{@KC)KA@K;@K2@K0K/c@K+nK*@K(K"4@KK>K>K>JJęJH@JH@JJJ_@J@JjJjJ@Jv@Jv@Jv@Jv@J$J@JJ0@J@J@JG@JG@J@JJ@J@J@JJJ#J@JJJ@J:J@JJQJ@J J J|@JzJyt@Jyt@Jx"JrJrJq@Jn@Jn@JmJhPJeJ\s@JW-@JT@JS8JKOJI@JCfJCfJB@J@J@J?r@J<@J;}J:,@J7@J67J2C@J0J/@J,@J%@JJB@JJMJ J dJ@J@JJ@J*@J*@II@IIA@IIII@I@IIIX@IX@IX@II@I@IcIIo@Io@IzI)@I@IܑI@@II@I@I@IԨIд@I̿In@I3I3I@II@I@IV@IIaIIm@I@I'@II2III@IIIIIIII@III@I1I@III~@I}Iy@Ix_Iw@IuItk@Itk@Io%@Ik0IeIcGIa@I`IVIO@IJ;@IHIAI>]I= @I7@I6tI3I-I@III9@I9@II IP@I@IIg@Ig@HHH@HrH~@H,H@HCHHH @H @Hf@Hf@H@H+H@H׈H׈H7@HBH@HǶH@HH|@HHH@H{@H)HHL@H@H@H@HnH}H|@Ht@HsVHr@Hl@HkmHgy@HcH`H_@H^>HRa@HQHQHO@HFHFH$@DX@DU@DN@DN@DLDH@DGwDGwDDD@@D?D?D;@D;@D:HD:HD2_D1@D1@D-D+@D+@D'D!<@D!<@D!<@DDD@D@D@DDDDDD@D@D@D@D uD $@D D @D @DDDFC@C@C@C@CCCCCR@CCCCC@Ci@CC@C@CtC@C@CC:@CECCC @C @CعCعCعCعCC@C-C-C-C@C@CCǖ@C@CáCáCP@CP@C[C @C @CCg@Cg@CCC!@C~@C,C@CCCCC@CC@C@C@CZCZC @C @CCCf@Cf@Cf@CC@CqCqC @C @C @CCC}@C7@C7@C7@CBCBCYC@C@CC}@CqCqColin Walters - 3.13.1-63.atomic.7Lukas Vrabec 3.13.1-60.7Miroslav Grepl 3.13.1-60.6Lukas Vrabec 3.13.1-60.5Lukas Vrabec 3.13.1-60.4Lukas Vrabec 3.13.1-60.3Lukas Vrabec 3.13.1-60.2Lukas Vrabec 3.13.1-60.1Miroslav Grepl 3.13.1-60Miroslav Grepl 3.13.1-59Lukas Vrabec 3.13.1-58Lukas Vrabec 3.13.1-57Miroslav Grepl 3.13.1-56Lukas Vrabec 3.13.1-55Lukas Vrabec 3.13.1-54Lukas Vrabec 3.13.1-53Lukas Vrabec 3.13.1-52Miroslav Grepl 3.13.1-51Lukas Vrabec 3.13.1-50Lukas Vrabec 3.13.1-49Lukas Vrabec 3.13.1-48Lukas Vrabec 3.13.1-47Lukas Vrabec 3.13.1-46Lukas Vrabec 3.13.1-45Lukas Vrabec 3.13.1-44Lukas Vrabec 3.13.1-43Lukas Vrabec 3.13.1-42Lukas Vrabec 3.13.1-41Lukas Vrabec 3.13.1-40Miroslav Grepl 3.13.1-39Lukas Vrabec 3.13.1-38Lukas Vrabec 3.13.1-37Lukas Vrabec 3.13.1-36Lukas Vrabec 3.13.1-35Lukas Vrabec 3.13.1-34Lukas Vrabec 3.13.1-33Lukas Vrabec 3.13.1-32Miroslav Grepl 3.13.1-31Miroslav Grepl 3.13.1-30Miroslav Grepl 3.13.1-29Miroslav Grepl 3.13.1-28Miroslav Grepl 3.13.1-27Miroslav Grepl 3.13.1-26Miroslav Grepl 3.13.1-25Miroslav Grepl 3.13.1-24Miroslav Grepl 3.13.1-23Miroslav Grepl 3.13.1-22Miroslav Grepl 3.13.1-21Miroslav Grepl 3.13.1-20Miroslav Grepl 3.13.1-19Miroslav Grepl 3.13.1-18Miroslav Grepl 3.13.1-17Miroslav Grepl 3.13.1-16Miroslav Grepl 3.13.1-15Miroslav Grepl 3.13.1-14Miroslav Grepl 3.13.1-13Miroslav Grepl 3.13.1-12Miroslav Grepl 3.13.1-11Miroslav Grepl 3.13.1-10Miroslav Grepl 3.13.1-9Miroslav Grepl 3.13.1-8Miroslav Grepl 3.13.1-7Miroslav Grepl 3.13.1-6Miroslav Grepl 3.13.1-5Miroslav Grepl 3.13.1-4Miroslav Grepl 3.13.1-3Miroslav Grepl 3.13.1-2Miroslav Grepl 3.13.1-1Miroslav Grepl 3.12.1-156Miroslav Grepl 3.12.1-155Miroslav Grepl 3.12.1-154Miroslav Grepl 3.12.1-153Miroslav Grepl 3.12.1-152Miroslav Grepl 3.12.1-151Miroslav Grepl 3.12.1-149Miroslav Grepl 3.12.1-149Miroslav Grepl 3.12.1-148Miroslav Grepl 3.12.1-147Miroslav Grepl 3.12.1-146Miroslav Grepl 3.12.1-145Miroslav Grepl 3.12.1-144Lukas Vrabec 3.12.1-143Miroslav Grepl 3.12.1-142Miroslav Grepl 3.12.1-141Miroslav Grepl 3.12.1-140Miroslav Grepl 3.12.1-139Lukas Vrabec 3.12.1-138Miroslav Grepl 3.12.1-137Miroslav Grepl 3.12.1-136Miroslav Grepl 3.12.1-135Miroslav Grepl 3.12.1-134Miroslav Grepl 3.12.1-133Miroslav Grepl 3.12.1-132Miroslav Grepl 3.12.1-131Miroslav Grepl 3.12.1-130Miroslav Grepl 3.12.1-129Miroslav Grepl 3.12.1-128Miroslav Grepl 3.12.1-127Miroslav Grepl 3.12.1-126Miroslav Grepl 3.12.1-125Miroslav Grepl 3.12.1-124Miroslav Grepl 3.12.1-123Miroslav Grepl 3.12.1-122Miroslav Grepl 3.12.1-121Miroslav Grepl 3.12.1-120Miroslav Grepl 3.12.1-119Miroslav Grepl 3.12.1-118Miroslav Grepl 3.12.1-117Miroslav Grepl 3.12.1-116Miroslav Grepl 3.12.1-115Miroslav Grepl 3.12.1-114Miroslav Grepl 3.12.1-113Miroslav Grepl 3.12.1-112Miroslav Grepl 3.12.1-111Miroslav Grepl 3.12.1-110Miroslav Grepl 3.12.1-109Miroslav Grepl 3.12.1-108Miroslav Grepl 3.12.1-107Dan Walsh 3.12.1-106Miroslav Grepl 3.12.1-105Miroslav Grepl 3.12.1-104Miroslav Grepl 3.12.1-103Miroslav Grepl 3.12.1-102Miroslav Grepl 3.12.1-101Miroslav Grepl 3.12.1-100Miroslav Grepl 3.12.1-99Miroslav Grepl 3.12.1-98Miroslav Grepl 3.12.1-97Miroslav Grepl 3.12.1-96Miroslav Grepl 3.12.1-95Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-93Miroslav Grepl 3.12.1-92Miroslav Grepl 3.12.1-91Miroslav Grepl 3.12.1-90Miroslav Grepl 3.12.1-89Miroslav Grepl 3.12.1-88Miroslav Grepl 3.12.1-87Miroslav Grepl 3.12.1-86Miroslav Grepl 3.12.1-85Miroslav Grepl 3.12.1-84Miroslav Grepl 3.12.1-83Miroslav Grepl 3.12.1-82Miroslav Grepl 3.12.1-81Miroslav Grepl 3.12.1-80Miroslav Grepl 3.12.1-79Miroslav Grepl 3.12.1-78Miroslav Grepl 3.12.1-77Miroslav Grepl 3.12.1-76Miroslav Grepl 3.12.1-75Miroslav Grepl 3.12.1-74Miroslav Grepl 3.12.1-73Miroslav Grepl 3.12.1-72Miroslav Grepl 3.12.1-71Miroslav Grepl 3.12.1-70Miroslav Grepl 3.12.1-69Miroslav Grepl 3.12.1-68Miroslav Grepl 3.12.1-67Miroslav Grepl 3.12.1-66Miroslav Grepl 3.12.1-65Miroslav Grepl 3.12.1-64Miroslav Grepl 3.12.1-63Miroslav Grepl 3.12.1-62Miroslav Grepl 3.12.1-61Miroslav Grepl 3.12.1-60Miroslav Grepl 3.12.1-59Miroslav Grepl 3.12.1-58Miroslav Grepl 3.12.1-57Miroslav Grepl 3.12.1-56Miroslav Grepl 3.12.1-55Miroslav Grepl 3.12.1-54Miroslav Grepl 3.12.1-53Miroslav Grepl 3.12.1-52Miroslav Grepl 3.12.1-51Miroslav Grepl 3.12.1-50Miroslav Grepl 3.12.1-49Miroslav Grepl 3.12.1-48Miroslav Grepl 3.12.1-47Miroslav Grepl 3.12.1-46Miroslav Grepl 3.12.1-45Miroslav Grepl 3.12.1-44Miroslav Grepl 3.12.1-43Miroslav Grepl 3.12.1-42Miroslav Grepl 3.12.1-41Miroslav Grepl 3.12.1-40Miroslav Grepl 3.12.1-39Miroslav Grepl 3.12.1-38Miroslav Grepl 3.12.1-37Miroslav Grepl 3.12.1-36Miroslav Grepl 3.12.1-35Miroslav Grepl 3.12.1-34Miroslav Grepl 3.12.1-33Miroslav Grepl 3.12.1-32Miroslav Grepl 3.12.1-31Miroslav Grepl 3.12.1-30Miroslav Grepl 3.12.1-29Dan Walsh 3.12.1-28Dan Walsh 3.12.1-27Miroslav Grepl 3.12.1-26Miroslav Grepl 3.12.1-25Miroslav Grepl 3.12.1-24Miroslav Grepl 3.12.1-23Miroslav Grepl 3.12.1-22Miroslav Grepl 3.12.1-21Miroslav Grepl 3.12.1-20Miroslav Grepl 3.12.1-19Miroslav Grepl 3.12.1-18Miroslav Grepl 3.12.1-17Miroslav Grepl 3.12.1-16Miroslav Grepl 3.12.1-15Miroslav Grepl 3.12.1-14Miroslav Grepl 3.12.1-13Miroslav Grepl 3.12.1-12Miroslav Grepl 3.12.1-11Miroslav Grepl 3.12.1-10Miroslav Grepl 3.12.1-9Miroslav Grepl 3.12.1-8Miroslav Grepl 3.12.1-7Miroslav Grepl 3.12.1-6Miroslav Grepl 3.12.1-5Miroslav Grepl 3.12.1-4Miroslav Grepl 3.12.1-3Miroslav Grepl 3.12.1-2Miroslav Grepl 3.12.1-1Dan Walsh 3.11.1-69.1Miroslav Grepl 3.11.1-69Miroslav Grepl 3.11.1-68Miroslav Grepl 3.11.1-67Miroslav Grepl 3.11.1-66Miroslav Grepl 3.11.1-65Miroslav Grepl 3.11.1-64Miroslav Grepl 3.11.1-63Miroslav Grepl 3.11.1-62Miroslav Grepl 3.11.1-61Miroslav Grepl 3.11.1-60Miroslav Grepl 3.11.1-59Miroslav Grepl 3.11.1-58Miroslav Grepl 3.11.1-57Miroslav Grepl 3.11.1-56Miroslav Grepl 3.11.1-55Miroslav Grepl 3.11.1-54Miroslav Grepl 3.11.1-53Miroslav Grepl 3.11.1-52Miroslav Grepl 3.11.1-51Miroslav Grepl 3.11.1-50Miroslav Grepl 3.11.1-49Miroslav Grepl 3.11.1-48Miroslav Grepl 3.11.1-47Miroslav Grepl 3.11.1-46Miroslav Grepl 3.11.1-45Miroslav Grepl 3.11.1-44Miroslav Grepl 3.11.1-43Miroslav Grepl 3.11.1-42Miroslav Grepl 3.11.1-41Miroslav Grepl 3.11.1-40Miroslav Grepl 3.11.1-39Miroslav Grepl 3.11.1-38Miroslav Grepl 3.11.1-37Miroslav Grepl 3.11.1-36Miroslav Grepl 3.11.1-35Miroslav Grepl 3.11.1-34Miroslav Grepl 3.11.1-33Miroslav Grepl 3.11.1-32Miroslav Grepl 3.11.1-31Miroslav Grepl 3.11.1-30Miroslav Grepl 3.11.1-29Miroslav Grepl 3.11.1-28Miroslav Grepl 3.11.1-27Miroslav Grepl 3.11.1-26Miroslav Grepl 3.11.1-25Miroslav Grepl 3.11.1-24Miroslav Grepl 3.11.1-23Miroslav Grepl 3.11.1-22Miroslav Grepl 3.11.1-21Miroslav Grepl 3.11.1-20Miroslav Grepl 3.11.1-19Miroslav Grepl 3.11.1-18Miroslav Grepl 3.11.1-17Miroslav Grepl 3.11.1-16Dan Walsh 3.11.1-15Miroslav Grepl 3.11.1-14Dan Walsh 3.11.1-13Miroslav Grepl 3.11.1-12Miroslav Grepl 3.11.1-11Miroslav Grepl 3.11.1-10Dan Walsh 3.11.1-9Dan Walsh 3.11.1-8Dan Walsh 3.11.1-7Dan Walsh 3.11.1-6Miroslav Grepl 3.11.1-5Miroslav Grepl 3.11.1-4Miroslav Grepl 3.11.1-3Miroslav Grepl 3.11.1-2Miroslav Grepl 3.11.1-1Miroslav Grepl 3.11.1-0Miroslav Grepl 3.11.0-15Miroslav Grepl 3.11.0-14Miroslav Grepl 3.11.0-13Miroslav Grepl 3.11.0-12Fedora Release Engineering - 3.11.0-11Miroslav Grepl 3.11.0-10Miroslav Grepl 3.11.0-9Miroslav Grepl 3.11.0-8Miroslav Grepl 3.11.0-7Miroslav Grepl 3.11.0-6Miroslav Grepl 3.11.0-5Miroslav Grepl 3.11.0-4Miroslav Grepl 3.11.0-3Miroslav Grepl 3.11.0-2Miroslav Grepl 3.11.0-1Miroslav Grepl 3.10.0-128Miroslav Grepl 3.10.0-127Miroslav Grepl 3.10.0-126Miroslav Grepl 3.10.0-125Miroslav Grepl 3.10.0-124Miroslav Grepl 3.10.0-123Miroslav Grepl 3.10.0-122Miroslav Grepl 3.10.0-121Miroslav Grepl 3.10.0-120Miroslav Grepl 3.10.0-119Miroslav Grepl 3.10.0-118Miroslav Grepl 3.10.0-117Miroslav Grepl 3.10.0-116Miroslav Grepl 3.10.0-115Miroslav Grepl 3.10.0-114Miroslav Grepl 3.10.0-113Miroslav Grepl 3.10.0-112Miroslav Grepl 3.10.0-111Miroslav Grepl 3.10.0-110Miroslav Grepl 3.10.0-109Miroslav Grepl 3.10.0-108Miroslav Grepl 3.10.0-107Miroslav Grepl 3.10.0-106Miroslav Grepl 3.10.0-105Miroslav Grepl 3.10.0-104Miroslav Grepl 3.10.0-103Miroslav Grepl 3.10.0-102Miroslav Grepl 3.10.0-101Miroslav Grepl 3.10.0-100Miroslav Grepl 3.10.0-99Miroslav Grepl 3.10.0-98Miroslav Grepl 3.10.0-97Miroslav Grepl 3.10.0-96Miroslav Grepl 3.10.0-95Miroslav Grepl 3.10.0-94Miroslav Grepl 3.10.0-93Miroslav Grepl 3.10.0-92Miroslav Grepl 3.10.0-91Miroslav Grepl 3.10.0-90Miroslav Grepl 3.10.0-89Miroslav Grepl 3.10.0-88Miroslav Grepl 3.10.0-87Miroslav Grepl 3.10.0-86Miroslav Grepl 3.10.0-85Miroslav Grepl 3.10.0-84Miroslav Grepl 3.10.0-83Miroslav Grepl 3.10.0-82Dan Walsh 3.10.0-81.2Miroslav Grepl 3.10.0-81Miroslav Grepl 3.10.0-80Miroslav Grepl 3.10.0-79Miroslav Grepl 3.10.0-78Miroslav Grepl 3.10.0-77Miroslav Grepl 3.10.0-76Miroslav Grepl 3.10.0-75Dan Walsh 3.10.0-74.2Miroslav Grepl 3.10.0-74Miroslav Grepl 3.10.0-73Miroslav Grepl 3.10.0-72Miroslav Grepl 3.10.0-71Miroslav Grepl 3.10.0-70Miroslav Grepl 3.10.0-69Miroslav Grepl 3.10.0-68Miroslav Grepl 3.10.0-67Miroslav Grepl 3.10.0-66Miroslav Grepl 3.10.0-65Miroslav Grepl 3.10.0-64Miroslav Grepl 3.10.0-63Miroslav Grepl 3.10.0-59Miroslav Grepl 3.10.0-58Dan Walsh 3.10.0-57Dan Walsh 3.10.0-56Dan Walsh 3.10.0-55.2Dan Walsh 3.10.0-55.1Miroslav Grepl 3.10.0-55Dan Walsh 3.10.0-54.1Miroslav Grepl 3.10.0-54Dan Walsh 3.10.0-53.1Miroslav Grepl 3.10.0-53Miroslav Grepl 3.10.0-52Miroslav Grepl 3.10.0-51Dan Walsh 3.10.0-50.2Dan Walsh 3.10.0-50.1Miroslav Grepl 3.10.0-50Miroslav Grepl 3.10.0-49Miroslav Grepl 3.10.0-48Miroslav Grepl 3.10.0-47Dan Walsh 3.10.0-46.1Miroslav Grepl 3.10.0-46Dan Walsh 3.10.0-45.1Miroslav Grepl 3.10.0-45Miroslav Grepl 3.10.0-43Miroslav Grepl 3.10.0-42Miroslav Grepl 3.10.0-41Dan Walsh 3.10.0-40.2Miroslav Grepl 3.10.0-40Dan Walsh 3.10.0-39.3Dan Walsh 3.10.0-39.2Dan Walsh 3.10.0-39.1Miroslav Grepl 3.10.0-39Dan Walsh 3.10.0-38.1Miroslav Grepl 3.10.0-38Miroslav Grepl 3.10.0-37Dan Walsh 3.10.0-36.1Miroslav Grepl 3.10.0-36Dan Walsh 3.10.0-35Dan Walsh 3.10.0-34.7Dan Walsh 3.10.0-34.6Dan Walsh 3.10.0-34.4Miroslav Grepl 3.10.0-34.3Dan Walsh 3.10.0-34.2Dan Walsh 3.10.0-34.1Miroslav Grepl 3.10.0-34Miroslav Grepl 3.10.0-33Dan Walsh 3.10.0-31.1Miroslav Grepl 3.10.0-31Miroslav Grepl 3.10.0-29Miroslav Grepl 3.10.0-28Miroslav Grepl 3.10.0-27Miroslav Grepl 3.10.0-26Miroslav Grepl 3.10.0-25Miroslav Grepl 3.10.0-24Miroslav Grepl 3.10.0-23Miroslav Grepl 3.10.0-22Miroslav Grepl 3.10.0-21Dan Walsh 3.10.0-20Miroslav Grepl 3.10.0-19Miroslav Grepl 3.10.0-18Miroslav Grepl 3.10.0-17Miroslav Grepl 3.10.0-16Miroslav Grepl 3.10.0-14Miroslav Grepl 3.10.0-13Miroslav Grepl 3.10.0-12Miroslav Grepl 3.10.0-11Miroslav Grepl 3.10.0-10Miroslav Grepl 3.10.0-9Miroslav Grepl 3.10.0-8Miroslav Grepl 3.10.0-7Miroslav Grepl 3.10.0-6Miroslav Grepl 3.10.0-5Miroslav Grepl 3.10.0-4Miroslav Grepl 3.10.0-3Miroslav Grepl 3.10.0-2Miroslav Grepl 3.10.0-1Miroslav Grepl 3.9.16-30Dan Walsh 3.9.16-29.1Miroslav Grepl 3.9.16-29Dan Walsh 3.9.16-28.1Miroslav Grepl 3.9.16-27Miroslav Grepl 3.9.16-26Miroslav Grepl 3.9.16-25Miroslav Grepl 3.9.16-24Miroslav Grepl 3.9.16-23Miroslav Grepl 3.9.16-22Miroslav Grepl 3.9.16-21Miroslav Grepl 3.9.16-20Miroslav Grepl 3.9.16-19Miroslav Grepl 3.9.16-18Miroslav Grepl 3.9.16-17Dan Walsh 3.9.16-16.1Miroslav Grepl 3.9.16-16Miroslav Grepl 3.9.16-15Miroslav Grepl 3.9.16-14Miroslav Grepl 3.9.16-13Miroslav Grepl 3.9.16-12Miroslav Grepl 3.9.16-11Miroslav Grepl 3.9.16-10Miroslav Grepl 3.9.16-7Miroslav Grepl 3.9.16-6Miroslav Grepl 3.9.16-5Miroslav Grepl 3.9.16-4Miroslav Grepl 3.9.16-3Miroslav Grepl 3.9.16-2Miroslav Grepl 3.9.16-1Miroslav Grepl 3.9.15-5Miroslav Grepl 3.9.15-2Miroslav Grepl 3.9.15-1Fedora Release Engineering - 3.9.14-2Dan Walsh 3.9.14-1Miroslav Grepl 3.9.13-10Miroslav Grepl 3.9.13-9Dan Walsh 3.9.13-8Miroslav Grepl 3.9.13-7Miroslav Grepl 3.9.13-6Miroslav Grepl 3.9.13-5Miroslav Grepl 3.9.13-4Miroslav Grepl 3.9.13-3Miroslav Grepl 3.9.13-2Miroslav Grepl 3.9.13-1Miroslav Grepl 3.9.12-8Miroslav Grepl 3.9.12-7Miroslav Grepl 3.9.12-6Miroslav Grepl 3.9.12-5Dan Walsh 3.9.12-4Dan Walsh 3.9.12-3Dan Walsh 3.9.12-2Miroslav Grepl 3.9.12-1Dan Walsh 3.9.11-2Miroslav Grepl 3.9.11-1Miroslav Grepl 3.9.10-13Dan Walsh 3.9.10-12Miroslav Grepl 3.9.10-11Miroslav Grepl 3.9.10-10Miroslav Grepl 3.9.10-9Miroslav Grepl 3.9.10-8Miroslav Grepl 3.9.10-7Miroslav Grepl 3.9.10-6Miroslav Grepl 3.9.10-5Dan Walsh 3.9.10-4Miroslav Grepl 3.9.10-3Miroslav Grepl 3.9.10-2Miroslav Grepl 3.9.10-1Miroslav Grepl 3.9.9-4Dan Walsh 3.9.9-3Miroslav Grepl 3.9.9-2Miroslav Grepl 3.9.9-1Miroslav Grepl 3.9.8-7Dan Walsh 3.9.8-6Miroslav Grepl 3.9.8-5Miroslav Grepl 3.9.8-4Dan Walsh 3.9.8-3Dan Walsh 3.9.8-2Dan Walsh 3.9.8-1Dan Walsh 3.9.7-10Dan Walsh 3.9.7-9Dan Walsh 3.9.7-8Dan Walsh 3.9.7-7Dan Walsh 3.9.7-6Dan Walsh 3.9.7-5Dan Walsh 3.9.7-4Dan Walsh 3.9.7-3Dan Walsh 3.9.7-2Dan Walsh 3.9.7-1Dan Walsh 3.9.6-3Dan Walsh 3.9.6-2Dan Walsh 3.9.6-1Dan Walsh 3.9.5-11Dan Walsh 3.9.5-10Dan Walsh 3.9.5-9Dan Walsh 3.9.5-8Dan Walsh 3.9.5-7Dan Walsh 3.9.5-6Dan Walsh 3.9.5-5Dan Walsh 3.9.5-4Dan Walsh 3.9.5-3Dan Walsh 3.9.5-2Dan Walsh 3.9.5-1Dan Walsh 3.9.4-3Dan Walsh 3.9.4-2Dan Walsh 3.9.4-1Dan Walsh 3.9.3-4Dan Walsh 3.9.3-3Dan Walsh 3.9.3-2Dan Walsh 3.9.3-1Dan Walsh 3.9.2-1Dan Walsh 3.9.1-3Dan Walsh 3.9.1-2Dan Walsh 3.9.1-1Dan Walsh 3.9.0-2Dan Walsh 3.9.0-1Dan Walsh 3.8.8-21Dan Walsh 3.8.8-20Dan Walsh 3.8.8-19Dan Walsh 3.8.8-18Dan Walsh 3.8.8-17Dan Walsh 3.8.8-16Dan Walsh 3.8.8-15Dan Walsh 3.8.8-14Dan Walsh 3.8.8-13Dan Walsh 3.8.8-12Dan Walsh 3.8.8-11Dan Walsh 3.8.8-10Dan Walsh 3.8.8-9Dan Walsh 3.8.8-8Dan Walsh 3.8.8-7Dan Walsh 3.8.8-6Dan Walsh 3.8.8-5Dan Walsh 3.8.8-4Dan Walsh 3.8.8-3Dan Walsh 3.8.8-2Dan Walsh 3.8.8-1Dan Walsh 3.8.7-3Dan Walsh 3.8.7-2Dan Walsh 3.8.7-1Dan Walsh 3.8.6-3Miroslav Grepl 3.8.6-2Dan Walsh 3.8.6-1Dan Walsh 3.8.5-1Dan Walsh 3.8.4-1Dan Walsh 3.8.3-4Dan Walsh 3.8.3-3Dan Walsh 3.8.3-2Dan Walsh 3.8.3-1Dan Walsh 3.8.2-1Dan Walsh 3.8.1-5Dan Walsh 3.8.1-4Dan Walsh 3.8.1-3Dan Walsh 3.8.1-2Dan Walsh 3.8.1-1Dan Walsh 3.7.19-22Dan Walsh 3.7.19-21Dan Walsh 3.7.19-20Dan Walsh 3.7.19-19Dan Walsh 3.7.19-17Dan Walsh 3.7.19-16Dan Walsh 3.7.19-15Dan Walsh 3.7.19-14Dan Walsh 3.7.19-13Dan Walsh 3.7.19-12Dan Walsh 3.7.19-11Dan Walsh 3.7.19-10Dan Walsh 3.7.19-9Dan Walsh 3.7.19-8Dan Walsh 3.7.19-7Dan Walsh 3.7.19-6Dan Walsh 3.7.19-5Dan Walsh 3.7.19-4Dan Walsh 3.7.19-3Dan Walsh 3.7.19-2Dan Walsh 3.7.19-1Dan Walsh 3.7.18-3Dan Walsh 3.7.18-2Dan Walsh 3.7.18-1Dan Walsh 3.7.17-6Dan Walsh 3.7.17-5Dan Walsh 3.7.17-4Dan Walsh 3.7.17-3Dan Walsh 3.7.17-2Dan Walsh 3.7.17-1Dan Walsh 3.7.16-2Dan Walsh 3.7.16-1Dan Walsh 3.7.15-4Dan Walsh 3.7.15-3Dan Walsh 3.7.15-2Dan Walsh 3.7.15-1Dan Walsh 3.7.14-5Dan Walsh 3.7.14-4Dan Walsh 3.7.14-3Dan Walsh 3.7.14-2Dan Walsh 3.7.14-1Dan Walsh 3.7.13-4Dan Walsh 3.7.13-3Dan Walsh 3.7.13-2Dan Walsh 3.7.13-1Dan Walsh 3.7.12-1Dan Walsh 3.7.11-1Dan Walsh 3.7.10-5Dan Walsh 3.7.10-4Dan Walsh 3.7.10-3Dan Walsh 3.7.10-2Dan Walsh 3.7.10-1Dan Walsh 3.7.9-4Dan Walsh 3.7.9-3Dan Walsh 3.7.9-2Dan Walsh 3.7.9-1Dan Walsh 3.7.8-11Dan Walsh 3.7.8-9Dan Walsh 3.7.8-8Dan Walsh 3.7.8-7Dan Walsh 3.7.8-6Dan Walsh 3.7.8-5Dan Walsh 3.7.8-4Dan Walsh 3.7.8-3Dan Walsh 3.7.8-2Dan Walsh 3.7.8-1Dan Walsh 3.7.7-3Dan Walsh 3.7.7-2Dan Walsh 3.7.7-1Dan Walsh 3.7.6-1Dan Walsh 3.7.5-8Dan Walsh 3.7.5-7Dan Walsh 3.7.5-6Dan Walsh 3.7.5-5Dan Walsh 3.7.5-4Dan Walsh 3.7.5-3Dan Walsh 3.7.5-2Dan Walsh 3.7.5-1Dan Walsh 3.7.4-4Dan Walsh 3.7.4-3Dan Walsh 3.7.4-2Dan Walsh 3.7.4-1Dan Walsh 3.7.3-1Dan Walsh 3.7.1-1Dan Walsh 3.6.33-2Dan Walsh 3.6.33-1Dan Walsh 3.6.32-17Dan Walsh 3.6.32-16Dan Walsh 3.6.32-15Dan Walsh 3.6.32-13Dan Walsh 3.6.32-12Dan Walsh 3.6.32-11Dan Walsh 3.6.32-10Dan Walsh 3.6.32-9Dan Walsh 3.6.32-8Dan Walsh 3.6.32-7Dan Walsh 3.6.32-6Dan Walsh 3.6.32-5Dan Walsh 3.6.32-4Dan Walsh 3.6.32-3Dan Walsh 3.6.32-2Dan Walsh 3.6.32-1Dan Walsh 3.6.31-5Dan Walsh 3.6.31-4Dan Walsh 3.6.31-3Dan Walsh 3.6.31-2Dan Walsh 3.6.30-6Dan Walsh 3.6.30-5Dan Walsh 3.6.30-4Dan Walsh 3.6.30-3Dan Walsh 3.6.30-2Dan Walsh 3.6.30-1Dan Walsh 3.6.29-2Dan Walsh 3.6.29-1Dan Walsh 3.6.28-9Dan Walsh 3.6.28-8Dan Walsh 3.6.28-7Dan Walsh 3.6.28-6Dan Walsh 3.6.28-5Dan Walsh 3.6.28-4Dan Walsh 3.6.28-3Dan Walsh 3.6.28-2Dan Walsh 3.6.28-1Dan Walsh 3.6.27-1Dan Walsh 3.6.26-11Dan Walsh 3.6.26-10Dan Walsh 3.6.26-9Bill Nottingham 3.6.26-8Dan Walsh 3.6.26-7Dan Walsh 3.6.26-6Dan Walsh 3.6.26-5Dan Walsh 3.6.26-4Dan Walsh 3.6.26-3Dan Walsh 3.6.26-2Dan Walsh 3.6.26-1Dan Walsh 3.6.25-1Dan Walsh 3.6.24-1Dan Walsh 3.6.23-2Dan Walsh 3.6.23-1Dan Walsh 3.6.22-3Dan Walsh 3.6.22-1Dan Walsh 3.6.21-4Dan Walsh 3.6.21-3Tom "spot" Callaway 3.6.21-2Dan Walsh 3.6.21-1Dan Walsh 3.6.20-2Dan Walsh 3.6.20-1Dan Walsh 3.6.19-5Dan Walsh 3.6.19-4Dan Walsh 3.6.19-3Dan Walsh 3.6.19-2Dan Walsh 3.6.19-1Dan Walsh 3.6.18-1Dan Walsh 3.6.17-1Dan Walsh 3.6.16-4Dan Walsh 3.6.16-3Dan Walsh 3.6.16-2Dan Walsh 3.6.16-1Dan Walsh 3.6.14-3Dan Walsh 3.6.14-2Dan Walsh 3.6.14-1Dan Walsh 3.6.13-3Dan Walsh 3.6.13-2Dan Walsh 3.6.13-1Dan Walsh 3.6.12-39Dan Walsh 3.6.12-38Dan Walsh 3.6.12-37Dan Walsh 3.6.12-36Dan Walsh 3.6.12-35Dan Walsh 3.6.12-34Dan Walsh 3.6.12-33Dan Walsh 3.6.12-31Dan Walsh 3.6.12-30Dan Walsh 3.6.12-29Dan Walsh 3.6.12-28Dan Walsh 3.6.12-27Dan Walsh 3.6.12-26Dan Walsh 3.6.12-25Dan Walsh 3.6.12-24Dan Walsh 3.6.12-23Dan Walsh 3.6.12-22Dan Walsh 3.6.12-21Dan Walsh 3.6.12-20Dan Walsh 3.6.12-19Dan Walsh 3.6.12-16Dan Walsh 3.6.12-15Dan Walsh 3.6.12-14Dan Walsh 3.6.12-13Dan Walsh 3.6.12-12Dan Walsh 3.6.12-11Dan Walsh 3.6.12-10Dan Walsh 3.6.12-9Dan Walsh 3.6.12-8Dan Walsh 3.6.12-7Dan Walsh 3.6.12-6Dan Walsh 3.6.12-5Dan Walsh 3.6.12-4Dan Walsh 3.6.12-3Dan Walsh 3.6.12-2Dan Walsh 3.6.12-1Dan Walsh 3.6.11-1Dan Walsh 3.6.10-9Dan Walsh 3.6.10-8Dan Walsh 3.6.10-7Dan Walsh 3.6.10-6Dan Walsh 3.6.10-5Dan Walsh 3.6.10-4Dan Walsh 3.6.10-3Dan Walsh 3.6.10-2Dan Walsh 3.6.10-1Dan Walsh 3.6.9-4Dan Walsh 3.6.9-3Dan Walsh 3.6.9-2Dan Walsh 3.6.9-1Dan Walsh 3.6.8-4Dan Walsh 3.6.8-3Dan Walsh 3.6.8-2Dan Walsh 3.6.8-1Dan Walsh 3.6.7-2Dan Walsh 3.6.7-1Dan Walsh 3.6.6-9Dan Walsh 3.6.6-8Fedora Release Engineering - 3.6.6-7Dan Walsh 3.6.6-6Dan Walsh 3.6.6-5Dan Walsh 3.6.6-4Dan Walsh 3.6.6-3Dan Walsh 3.6.6-2Dan Walsh 3.6.6-1Dan Walsh 3.6.5-3Dan Walsh 3.6.5-1Dan Walsh 3.6.4-6Dan Walsh 3.6.4-5Dan Walsh 3.6.4-4Dan Walsh 3.6.4-3Dan Walsh 3.6.4-2Dan Walsh 3.6.4-1Dan Walsh 3.6.3-13Dan Walsh 3.6.3-12Dan Walsh 3.6.3-11Dan Walsh 3.6.3-10Dan Walsh 3.6.3-9Dan Walsh 3.6.3-8Dan Walsh 3.6.3-7Dan Walsh 3.6.3-6Dan Walsh 3.6.3-3Dan Walsh 3.6.3-2Dan Walsh 3.6.3-1Dan Walsh 3.6.2-5Dan Walsh 3.6.2-4Dan Walsh 3.6.2-3Dan Walsh 3.6.2-2Dan Walsh 3.6.2-1Dan Walsh 3.6.1-15Dan Walsh 3.6.1-14Dan Walsh 3.6.1-13Dan Walsh 3.6.1-12Dan Walsh 3.6.1-11Dan Walsh 3.6.1-10Dan Walsh 3.6.1-9Dan Walsh 3.6.1-8Dan Walsh 3.6.1-7Dan Walsh 3.6.1-4Ignacio Vazquez-Abrams - 3.6.1-2Dan Walsh 3.5.13-19Dan Walsh 3.5.13-18Dan Walsh 3.5.13-17Dan Walsh 3.5.13-16Dan Walsh 3.5.13-15Dan Walsh 3.5.13-14Dan Walsh 3.5.13-13Dan Walsh 3.5.13-12Dan Walsh 3.5.13-11Dan Walsh 3.5.13-9Dan Walsh 3.5.13-8Dan Walsh 3.5.13-7Dan Walsh 3.5.13-6Dan Walsh 3.5.13-5Dan Walsh 3.5.13-4Dan Walsh 3.5.13-3Dan Walsh 3.5.13-2Dan Walsh 3.5.13-1Dan Walsh 3.5.12-3Dan Walsh 3.5.12-2Dan Walsh 3.5.12-1Dan Walsh 3.5.11-1Dan Walsh 3.5.10-3Dan Walsh 3.5.10-2Dan Walsh 3.5.10-1Dan Walsh 3.5.9-4Dan Walsh 3.5.9-3Dan Walsh 3.5.9-2Dan Walsh 3.5.9-1Dan Walsh 3.5.8-7Dan Walsh 3.5.8-6Dan Walsh 3.5.8-5Dan Walsh 3.5.8-4Dan Walsh 3.5.8-3Dan Walsh 3.5.8-1Dan Walsh 3.5.7-2Dan Walsh 3.5.7-1Dan Walsh 3.5.6-2Dan Walsh 3.5.6-1Dan Walsh 3.5.5-4Dan Walsh 3.5.5-3Dan Walsh 3.5.5-2Dan Walsh 3.5.4-2Dan Walsh 3.5.4-1Dan Walsh 3.5.3-1Dan Walsh 3.5.2-2Dan Walsh 3.5.1-5Dan Walsh 3.5.1-4Dan Walsh 3.5.1-3Dan Walsh 3.5.1-2Dan Walsh 3.5.1-1Dan Walsh 3.5.0-1Dan Walsh 3.4.2-14Dan Walsh 3.4.2-13Dan Walsh 3.4.2-12Dan Walsh 3.4.2-11Dan Walsh 3.4.2-10Dan Walsh 3.4.2-9Dan Walsh 3.4.2-8Dan Walsh 3.4.2-7Dan Walsh 3.4.2-6Dan Walsh 3.4.2-5Dan Walsh 3.4.2-4Dan Walsh 3.4.2-3Dan Walsh 3.4.2-2Dan Walsh 3.4.2-1Dan Walsh 3.4.1-5Dan Walsh 3.4.1-3Dan Walsh 3.4.1-2Dan Walsh 3.4.1-1Dan Walsh 3.3.1-48Dan Walsh 3.3.1-47Dan Walsh 3.3.1-46Dan Walsh 3.3.1-45Dan Walsh 3.3.1-44Dan Walsh 3.3.1-43Dan Walsh 3.3.1-42Dan Walsh 3.3.1-41Dan Walsh 3.3.1-39Dan Walsh 3.3.1-37Dan Walsh 3.3.1-36Dan Walsh 3.3.1-33Dan Walsh 3.3.1-32Dan Walsh 3.3.1-31Dan Walsh 3.3.1-30Dan Walsh 3.3.1-29Dan Walsh 3.3.1-28Dan Walsh 3.3.1-27Dan Walsh 3.3.1-26Dan Walsh 3.3.1-25Dan Walsh 3.3.1-24Dan Walsh 3.3.1-23Dan Walsh 3.3.1-22Dan Walsh 3.3.1-21Dan Walsh 3.3.1-20Dan Walsh 3.3.1-19Dan Walsh 3.3.1-18Dan Walsh 3.3.1-17Dan Walsh 3.3.1-16Dan Walsh 3.3.1-15Bill Nottingham 3.3.1-14Dan Walsh 3.3.1-13Dan Walsh 3.3.1-12Dan Walsh 3.3.1-11Dan Walsh 3.3.1-10Dan Walsh 3.3.1-9Dan Walsh 3.3.1-8Dan Walsh 3.3.1-6Dan Walsh 3.3.1-5Dan Walsh 3.3.1-4Dan Walsh 3.3.1-2Dan Walsh 3.3.1-1Dan Walsh 3.3.0-2Dan Walsh 3.3.0-1Dan Walsh 3.2.9-2Dan Walsh 3.2.9-1Dan Walsh 3.2.8-2Dan Walsh 3.2.8-1Dan Walsh 3.2.7-6Dan Walsh 3.2.7-5Dan Walsh 3.2.7-3Dan Walsh 3.2.7-2Dan Walsh 3.2.7-1Dan Walsh 3.2.6-7Dan Walsh 3.2.6-6Dan Walsh 3.2.6-5Dan Walsh 3.2.6-4Dan Walsh 3.2.6-3Dan Walsh 3.2.6-2Dan Walsh 3.2.6-1Dan Walsh 3.2.5-25Dan Walsh 3.2.5-24Dan Walsh 3.2.5-22Dan Walsh 3.2.5-21Dan Walsh 3.2.5-20Dan Walsh 3.2.5-19Dan Walsh 3.2.5-18Dan Walsh 3.2.5-17Dan Walsh 3.2.5-16Dan Walsh 3.2.5-15Dan Walsh 3.2.5-14Dan Walsh 3.2.5-13Dan Walsh 3.2.5-12Dan Walsh 3.2.5-11Dan Walsh 3.2.5-10Dan Walsh 3.2.5-9Dan Walsh 3.2.5-8Dan Walsh 3.2.5-7Dan Walsh 3.2.5-6Dan Walsh 3.2.5-5Dan Walsh 3.2.5-4Dan Walsh 3.2.5-3Dan Walsh 3.2.5-2Dan Walsh 3.2.5-1Dan Walsh 3.2.4-5Dan Walsh 3.2.4-4Dan Walsh 3.2.4-3Dan Walsh 3.2.4-1Dan Walsh 3.2.4-1Dan Walsh 3.2.3-2Dan Walsh 3.2.3-1Dan Walsh 3.2.2-1Dan Walsh 3.2.1-3Dan Walsh 3.2.1-1Dan Walsh 3.1.2-2Dan Walsh 3.1.2-1Dan Walsh 3.1.1-1Dan Walsh 3.1.0-1Dan Walsh 3.0.8-30Dan Walsh 3.0.8-28Dan Walsh 3.0.8-27Dan Walsh 3.0.8-26Dan Walsh 3.0.8-25Dan Walsh 3.0.8-24Dan Walsh 3.0.8-23Dan Walsh 3.0.8-22Dan Walsh 3.0.8-21Dan Walsh 3.0.8-20Dan Walsh 3.0.8-19Dan Walsh 3.0.8-18Dan Walsh 3.0.8-17Dan Walsh 3.0.8-16Dan Walsh 3.0.8-15Dan Walsh 3.0.8-14Dan Walsh 3.0.8-13Dan Walsh 3.0.8-12Dan Walsh 3.0.8-11Dan Walsh 3.0.8-10Dan Walsh 3.0.8-9Dan Walsh 3.0.8-8Dan Walsh 3.0.8-7Dan Walsh 3.0.8-5Dan Walsh 3.0.8-4Dan Walsh 3.0.8-3Dan Walsh 3.0.8-2Dan Walsh 3.0.8-1Dan Walsh 3.0.7-10Dan Walsh 3.0.7-9Dan Walsh 3.0.7-8Dan Walsh 3.0.7-7Dan Walsh 3.0.7-6Dan Walsh 3.0.7-5Dan Walsh 3.0.7-4Dan Walsh 3.0.7-3Dan Walsh 3.0.7-2Dan Walsh 3.0.7-1Dan Walsh 3.0.6-3Dan Walsh 3.0.6-2Dan Walsh 3.0.6-1Dan Walsh 3.0.5-11Dan Walsh 3.0.5-10Dan Walsh 3.0.5-9Dan Walsh 3.0.5-8Dan Walsh 3.0.5-7Dan Walsh 3.0.5-6Dan Walsh 3.0.5-5Dan Walsh 3.0.5-4Dan Walsh 3.0.5-3Dan Walsh 3.0.5-2Dan Walsh 3.0.5-1Dan Walsh 3.0.4-6Dan Walsh 3.0.4-5Dan Walsh 3.0.4-4Dan Walsh 3.0.4-3Dan Walsh 3.0.4-2Dan Walsh 3.0.4-1Dan Walsh 3.0.3-6Dan Walsh 3.0.3-5Dan Walsh 3.0.3-4Dan Walsh 3.0.3-3Dan Walsh 3.0.3-2Dan Walsh 3.0.3-1Dan Walsh 3.0.2-9Dan Walsh 3.0.2-8Dan Walsh 3.0.2-7Dan Walsh 3.0.2-5Dan Walsh 3.0.2-4Dan Walsh 3.0.2-3Dan Walsh 3.0.2-2Dan Walsh 3.0.1-5Dan Walsh 3.0.1-4Dan Walsh 3.0.1-3Dan Walsh 3.0.1-2Dan Walsh 3.0.1-1Dan Walsh 2.6.5-3Dan Walsh 2.6.5-2Dan Walsh 2.6.4-7Dan Walsh 2.6.4-6Dan Walsh 2.6.4-5Dan Walsh 2.6.4-2Dan Walsh 2.6.4-1Dan Walsh 2.6.3-1Dan Walsh 2.6.2-1Dan Walsh 2.6.1-4Dan Walsh 2.6.1-2Dan Walsh 2.6.1-1Dan Walsh 2.5.12-12Dan Walsh 2.5.12-11Dan Walsh 2.5.12-10Dan Walsh 2.5.12-8Dan Walsh 2.5.12-5Dan Walsh 2.5.12-4Dan Walsh 2.5.12-3Dan Walsh 2.5.12-2Dan Walsh 2.5.12-1Dan Walsh 2.5.11-8Dan Walsh 2.5.11-7Dan Walsh 2.5.11-6Dan Walsh 2.5.11-5Dan Walsh 2.5.11-4Dan Walsh 2.5.11-3Dan Walsh 2.5.11-2Dan Walsh 2.5.11-1Dan Walsh 2.5.10-2Dan Walsh 2.5.10-1Dan Walsh 2.5.9-6Dan Walsh 2.5.9-5Dan Walsh 2.5.9-4Dan Walsh 2.5.9-3Dan Walsh 2.5.9-2Dan Walsh 2.5.8-8Dan Walsh 2.5.8-7Dan Walsh 2.5.8-6Dan Walsh 2.5.8-5Dan Walsh 2.5.8-4Dan Walsh 2.5.8-3Dan Walsh 2.5.8-2Dan Walsh 2.5.8-1Dan Walsh 2.5.7-1Dan Walsh 2.5.6-1Dan Walsh 2.5.5-2Dan Walsh 2.5.5-1Dan Walsh 2.5.4-2Dan Walsh 2.5.4-1Dan Walsh 2.5.3-3Dan Walsh 2.5.3-2Dan Walsh 2.5.3-1Dan Walsh 2.5.2-6Dan Walsh 2.5.2-5Dan Walsh 2.5.2-4Dan Walsh 2.5.2-3Dan Walsh 2.5.2-2Dan Walsh 2.5.2-1Dan Walsh 2.5.1-5Dan Walsh 2.5.1-4Dan Walsh 2.5.1-2Dan Walsh 2.5.1-1Dan Walsh 2.4.6-20Dan Walsh 2.4.6-19Dan Walsh 2.4.6-18Dan Walsh 2.4.6-17Dan Walsh 2.4.6-16Dan Walsh 2.4.6-15Dan Walsh 2.4.6-14Dan Walsh 2.4.6-13Dan Walsh 2.4.6-12Dan Walsh 2.4.6-11Dan Walsh 2.4.6-10Dan Walsh 2.4.6-9Dan Walsh 2.4.6-8Dan Walsh 2.4.6-7Dan Walsh 2.4.6-6Dan Walsh 2.4.6-5Dan Walsh 2.4.6-4Dan Walsh 2.4.6-3Dan Walsh 2.4.6-1Dan Walsh 2.4.5-4Dan Walsh 2.4.5-3Dan Walsh 2.4.5-2Dan Walsh 2.4.5-1Dan Walsh 2.4.4-2Dan Walsh 2.4.4-2Dan Walsh 2.4.4-1Dan Walsh 2.4.3-13Dan Walsh 2.4.3-12Dan Walsh 2.4.3-11Dan Walsh 2.4.3-10Dan Walsh 2.4.3-9Dan Walsh 2.4.3-8Dan Walsh 2.4.3-7Dan Walsh 2.4.3-6Dan Walsh 2.4.3-5Dan Walsh 2.4.3-4Dan Walsh 2.4.3-3Dan Walsh 2.4.3-2Dan Walsh 2.4.3-1Dan Walsh 2.4.2-8Dan Walsh 2.4.2-7James Antill 2.4.2-6Dan Walsh 2.4.2-5Dan Walsh 2.4.2-4Dan Walsh 2.4.2-3Dan Walsh 2.4.2-2Dan Walsh 2.4.2-1Dan Walsh 2.4.1-5Dan Walsh 2.4.1-4Dan Walsh 2.4.1-3Dan Walsh 2.4.1-2Dan Walsh 2.4-4Dan Walsh 2.4-3Dan Walsh 2.4-2Dan Walsh 2.4-1Dan Walsh 2.3.19-4Dan Walsh 2.3.19-3Dan Walsh 2.3.19-2Dan Walsh 2.3.19-1James Antill 2.3.18-10James Antill 2.3.18-9Dan Walsh 2.3.18-8Dan Walsh 2.3.18-7Dan Walsh 2.3.18-6Dan Walsh 2.3.18-5Dan Walsh 2.3.18-4Dan Walsh 2.3.18-3Dan Walsh 2.3.18-2Dan Walsh 2.3.18-1Dan Walsh 2.3.17-2Dan Walsh 2.3.17-1Dan Walsh 2.3.16-9Dan Walsh 2.3.16-8Dan Walsh 2.3.16-7Dan Walsh 2.3.16-6Dan Walsh 2.3.16-5Dan Walsh 2.3.16-4Dan Walsh 2.3.16-2Dan Walsh 2.3.16-1Dan Walsh 2.3.15-2Dan Walsh 2.3.15-1Dan Walsh 2.3.14-8Dan Walsh 2.3.14-7Dan Walsh 2.3.14-6Dan Walsh 2.3.14-4Dan Walsh 2.3.14-3Dan Walsh 2.3.14-2Dan Walsh 2.3.14-1Dan Walsh 2.3.13-6Dan Walsh 2.3.13-5Dan Walsh 2.3.13-4Dan Walsh 2.3.13-3Dan Walsh 2.3.13-2Dan Walsh 2.3.13-1Dan Walsh 2.3.12-2Dan Walsh 2.3.12-1Dan Walsh 2.3.11-1Dan Walsh 2.3.10-7Dan Walsh 2.3.10-6Dan Walsh 2.3.10-3Dan Walsh 2.3.10-1Dan Walsh 2.3.9-6Dan Walsh 2.3.9-5Dan Walsh 2.3.9-4Dan Walsh 2.3.9-3Dan Walsh 2.3.9-2Dan Walsh 2.3.9-1Dan Walsh 2.3.8-2Dan Walsh 2.3.7-1Dan Walsh 2.3.6-4Dan Walsh 2.3.6-3Dan Walsh 2.3.6-2Dan Walsh 2.3.6-1Dan Walsh 2.3.5-1Dan Walsh 2.3.4-1Dan Walsh 2.3.3-20Dan Walsh 2.3.3-19Dan Walsh 2.3.3-18Dan Walsh 2.3.3-17Dan Walsh 2.3.3-16Dan Walsh 2.3.3-15Dan Walsh 2.3.3-14Dan Walsh 2.3.3-13Dan Walsh 2.3.3-12Dan Walsh 2.3.3-11Dan Walsh 2.3.3-10Dan Walsh 2.3.3-9Dan Walsh 2.3.3-8Dan Walsh 2.3.3-7Dan Walsh 2.3.3-6Dan Walsh 2.3.3-5Dan Walsh 2.3.3-4Dan Walsh 2.3.3-3Dan Walsh 2.3.3-2Dan Walsh 2.3.3-1Dan Walsh 2.3.2-4Dan Walsh 2.3.2-3Dan Walsh 2.3.2-2Dan Walsh 2.3.2-1Dan Walsh 2.3.1-1Dan Walsh 2.2.49-1Dan Walsh 2.2.48-1Dan Walsh 2.2.47-5Dan Walsh 2.2.47-4Dan Walsh 2.2.47-3Dan Walsh 2.2.47-1Dan Walsh 2.2.46-2Dan Walsh 2.2.46-1Dan Walsh 2.2.45-3Dan Walsh 2.2.45-2Dan Walsh 2.2.45-1Dan Walsh 2.2.44-1Dan Walsh 2.2.43-4Dan Walsh 2.2.43-3Dan Walsh 2.2.43-2Dan Walsh 2.2.43-1Dan Walsh 2.2.42-4Dan Walsh 2.2.42-3Dan Walsh 2.2.42-2Dan Walsh 2.2.42-1Dan Walsh 2.2.41-1Dan Walsh 2.2.40-2Dan Walsh 2.2.40-1Dan Walsh 2.2.39-2Dan Walsh 2.2.39-1Dan Walsh 2.2.38-6Dan Walsh 2.2.38-5Dan Walsh 2.2.38-4Dan Walsh 2.2.38-3Dan Walsh 2.2.38-2Dan Walsh 2.2.38-1Dan Walsh 2.2.37-1Dan Walsh 2.2.36-2Dan Walsh 2.2.36-1James Antill 2.2.35-2Dan Walsh 2.2.35-1Dan Walsh 2.2.34-3Dan Walsh 2.2.34-2Dan Walsh 2.2.34-1Dan Walsh 2.2.33-1Dan Walsh 2.2.32-2Dan Walsh 2.2.32-1Dan Walsh 2.2.31-1Dan Walsh 2.2.30-2Dan Walsh 2.2.30-1Dan Walsh 2.2.29-6Russell Coker 2.2.29-5Dan Walsh 2.2.29-4Dan Walsh 2.2.29-3Dan Walsh 2.2.29-2Dan Walsh 2.2.29-1Dan Walsh 2.2.28-3Dan Walsh 2.2.28-2Dan Walsh 2.2.28-1Dan Walsh 2.2.27-1Dan Walsh 2.2.25-3Dan Walsh 2.2.25-2Dan Walsh 2.2.24-1Dan Walsh 2.2.23-19Dan Walsh 2.2.23-18Dan Walsh 2.2.23-17Karsten Hopp 2.2.23-16Dan Walsh 2.2.23-15Dan Walsh 2.2.23-14Dan Walsh 2.2.23-13Dan Walsh 2.2.23-12Jeremy Katz - 2.2.23-11Jeremy Katz - 2.2.23-10Dan Walsh 2.2.23-9Dan Walsh 2.2.23-8Dan Walsh 2.2.23-7Dan Walsh 2.2.23-5Dan Walsh 2.2.23-4Dan Walsh 2.2.23-3Dan Walsh 2.2.23-2Dan Walsh 2.2.23-1Dan Walsh 2.2.22-2Dan Walsh 2.2.22-1Dan Walsh 2.2.21-9Dan Walsh 2.2.21-8Dan Walsh 2.2.21-7Dan Walsh 2.2.21-6Dan Walsh 2.2.21-5Dan Walsh 2.2.21-4Dan Walsh 2.2.21-3Dan Walsh 2.2.21-2Dan Walsh 2.2.21-1Dan Walsh 2.2.20-1Dan Walsh 2.2.19-2Dan Walsh 2.2.19-1Dan Walsh 2.2.18-2Dan Walsh 2.2.18-1Dan Walsh 2.2.17-2Dan Walsh 2.2.16-1Dan Walsh 2.2.15-4Dan Walsh 2.2.15-3Dan Walsh 2.2.15-1Dan Walsh 2.2.14-2Dan Walsh 2.2.14-1Dan Walsh 2.2.13-1Dan Walsh 2.2.12-1Dan Walsh 2.2.11-2Dan Walsh 2.2.11-1Dan Walsh 2.2.10-1Dan Walsh 2.2.9-2Dan Walsh 2.2.9-1Dan Walsh 2.2.8-2Dan Walsh 2.2.7-1Dan Walsh 2.2.6-3Dan Walsh 2.2.6-2Dan Walsh 2.2.6-1Dan Walsh 2.2.5-1Dan Walsh 2.2.4-1Dan Walsh 2.2.3-1Dan Walsh 2.2.2-1Dan Walsh 2.2.1-1Dan Walsh 2.1.13-1Dan Walsh 2.1.12-3Dan Walsh 2.1.11-1Dan Walsh 2.1.10-1Jeremy Katz - 2.1.9-2Dan Walsh 2.1.9-1Dan Walsh 2.1.8-3Dan Walsh 2.1.8-2Dan Walsh 2.1.8-1Dan Walsh 2.1.7-4Dan Walsh 2.1.7-3Dan Walsh 2.1.7-2Dan Walsh 2.1.7-1Dan Walsh 2.1.6-24Dan Walsh 2.1.6-23Dan Walsh 2.1.6-22Dan Walsh 2.1.6-21Dan Walsh 2.1.6-20Dan Walsh 2.1.6-18Dan Walsh 2.1.6-17Dan Walsh 2.1.6-16Dan Walsh 2.1.6-15Dan Walsh 2.1.6-14Dan Walsh 2.1.6-13Dan Walsh 2.1.6-11Dan Walsh 2.1.6-10Dan Walsh 2.1.6-9Dan Walsh 2.1.6-8Dan Walsh 2.1.6-5Dan Walsh 2.1.6-4Dan Walsh 2.1.6-3Dan Walsh 2.1.6-2Dan Walsh 2.1.6-1Dan Walsh 2.1.4-2Dan Walsh 2.1.4-1Dan Walsh 2.1.3-1Jeremy Katz - 2.1.2-3Dan Walsh 2.1.2-2Dan Walsh 2.1.2-1Dan Walsh 2.1.1-3Dan Walsh 2.1.1-2Dan Walsh 2.1.1-1Dan Walsh 2.1.0-3Dan Walsh 2.1.0-2.Dan Walsh 2.1.0-1.Dan Walsh 2.0.11-2.Dan Walsh 2.0.11-1.Dan Walsh 2.0.9-1.Dan Walsh 2.0.8-1.Dan Walsh 2.0.7-3Dan Walsh 2.0.7-2Dan Walsh 2.0.6-2Dan Walsh 2.0.5-4Dan Walsh 2.0.5-1Dan Walsh 2.0.4-1Dan Walsh 2.0.2-2Dan Walsh 2.0.2-1Dan Walsh 2.0.1-2Dan Walsh 2.0.1-1- Backport patches for to ensure rpm-ostreed has the install_exec_t label Resolves: rhbz#1340542- Allow glusterd domain read krb5_keytab_t files. Resolves: rhbz#1344630- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. Resolves:#1340365- Label /var/log/ganesha.log as gluster_log_t - Allow glusterd_t domain to create glusterd_log_t files. - Label /var/run/ganesha.pid as gluster_var_run_t. Resolves: rhbz#1333903- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. - Allow glusterd_t stream connect to rpbind_t. - Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. - Add interface rpc_filetrans_var_lib_nfs_content() - Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. Resolves: rhbz#1333875 Resolves: rhbz#1333903- Allow openvswitch domain capability sys_rawio Resolves: rhbz#1299405- Add fs_manage_hugetlbfs_files() interface. Resolves: rhbz#1299405 - Allow openvswitch to manage hugetlfs files and dirs Resolves: rhbz#1299405- Allow openvswitch read/write hugetlb filesystem. Resolves: rhbz#1299405 - Allow smbcontrol domain to send sigchld to ctdbd domain. Resolves: rhbz#1301522Allow hypervvssd to list all mountpoints to have VSS live backup working correctly. Resolves:#1247880- Revert Add missing labeling for /usr/libexec/abrt-hook-ccpp patch Resolves: #1254188- Allow search dirs in sysfs types in kernel_read_security_state. Resolves: #1254188 - Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs. Resolves: #1254188- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs Resolves: #1254188 - We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes. Resolves:#1261938- Remove labeling for modules_dep_t file contexts to have labeled them as modules_object_t. - Update files_read_kernel_modules() to contain modutils_read_module_deps_files() calling because module deps labeling could remain and it allows to avoid regressions. Resolves:#1266928- We need to require sandbox_web_type attribute in sandbox_x_domain_template(). Resolves: #1261938 - ipsec: The NM helper needs to read the SAs Resolves: #1259786 - ipsec: Allow ipsec management to create ptys Resolves: #1259786- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type. Resolves:#1261938 - Allow abrt_t domain to write to kernel msg device. Resolves: #1257828 - Allow rpcbind_t domain to change file owner and group Resolves: #1265266- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind. Resolves: #1256459- Allow dirsrv-admin script to read passwd file. Allow dirsrv-admin script to read httpd pid files. Label dirsrv-admin unit file and allow dirsrv-admin domains to use it. Resolves: #1230300 - Allow qpid daemon to connect on amqp tcp port. Resolves: #1261805- Label /etc/ipa/nssdb dir as cert_t Resolves:#1262718 - Do not provide docker policy files which is shipped by docker-selinux.rpm Resolves:#1262812- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager Resolves: #1192338 - Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem. Resolves: #1238079 - Allow rhsmcertd_t send signull to unconfined_service_t domains. Resolves: #1176078 - Remove file transition from snmp_manage_var_lib_dirs() interface which created snmp_var_lib_t dirs in var_lib_t. - Allow openhpid_t daemon to manage snmp files and dirs. Resolves: #1243902 - Allow mdadm_t domain read/write to general ptys and unallocated ttys. Resolves: #1073314 - Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t Resolves: #1176078- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. Resolves:#1250456- Fix labeling for fence_scsi_check script Resolves: #1255020 - Allow openhpid to read system state Allow openhpid to connect to tcp http port. Resolves: #1244248 - Allow openhpid to read snmp var lib files. Resolves: #1243902 - Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe - Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t Resolves: #1243403 - Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl Resolves: #1255020- Fix regexp in chronyd.fc file Resolves: #1243764 - Allow passenger to getattr filesystem xattr Resolves: #1196555 - Label mdadm.conf.anackbak as mdadm_conf_t file. Resolves: #1088904 - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." - Allow watchdog execute fenced python script. Resolves: #1255020 - Added inferface watchdog_unconfined_exec_read_lnk_files() - Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t. Resolves: #1230877- Allow watchdog execute fenced python script. Resolves: #1255020 - Added inferface watchdog_unconfined_exec_read_lnk_files() - Label /var/run/chrony-helper dir as chronyd_var_run_t. Resolves: #1243764 - Allow dhcpc_t domain transition to chronyd_t Resolves: #1243764- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. Resolves: #1252442- Allow exec pidof under hypervkvp domain. Resolves: #1254870 - Allow hypervkvp daemon create connection to the system DBUS Resolves: #1254870- Allow openhpid_t to read system state. Resolves: #1244248 - Added labels for files provided by rh-nginx18 collection Resolves: #1249945 - Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db. Resolves: #1252968 - Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution. Resolves: #1243431 - Allow abrt_dump_oops_t to read proc_security_t files. - Allow abrt_dump_oops to signull all domains Allow abrt_dump_oops to read all domains state Allow abrt_dump_oops to ptrace all domains - Add interface abrt_dump_oops_domtrans() - Add mountpoint dontaudit access check in rhsmcertd policy. Resolves: #1243431 - Allow samba_net_t to manage samba_var_t sock files. Resolves: #1252937 - Allow chrome setcap to itself. Resolves: #1251996 - Allow httpd daemon to manage httpd_var_lib_t lnk_files. Resolves: #1253706 - Allow chronyd exec systemctl Resolves: #1243764 - Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t. Resolves: #1243764 - Added interface fs_dontaudit_write_configfs_dirs - Add label for kernel module dep files in /usr/lib/modules Resolves:#916635 - Allow kernel_t domtrans to abrt_dump_oops_t - Added to files_dontaudit_write_all_mountpoints intefface new dontaudit rule, that domain included this interface dontaudit capability dac_override. - Allow systemd-networkd to send logs to systemd-journald. Resolves: #1236616- Fix label on /var/tmp/kiprop_0 Resolves:#1220763 - Allow lldpad_t to getattr tmpfs_t. Resolves: #1246220 - Label /dev/shm/lldpad.* as lldapd_tmpfs_t Resolves: #1246220 - Allow audisp client to read system state.- Allow pcp_domain to manage pcp_var_lib_t lnk_files. Resolves: #1252341 - Label /var/run/xtables.* as iptables_var_run_t Resolves: #1243403- Add interface to read/write watchdog device - Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde Resolves:#1210237 - Allow apcupsd_t to read /sys/devices Resolves:#1189185 - Allow logrotate to reload services. Resolves: #1242453 - Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) Resolves: #1244260 - Allow openhpid liboa_soap plugin to read generic certs. Resolves: #1244248 - Allow openhpid liboa_soap plugin to read resolv.conf file. Resolves: #1244248 - Label /usr/libexec/chrony-helper as chronyd_exec_t - Allow chronyd_t to read dhcpc state. - Allow chronyd to execute mkdir command.- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t. Resolves:#1073314 - Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS. - Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users. - Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode. - Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling. Resolves:#1183503 - Add support for /etc/sanlock which is writable by sanlock daemon. Resolves:#1231377 - Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet. Resolves:#1243775 - Allow snapperd to pass data (one way only) via pipe negotiated over dbus Resolves:#1250550 - Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files). Resolves: #1243902 - Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device Resolves: #1238079 - Allow lsm_plugin_t to rw raw_fixed_disk. Resolves:#1238079 - Allow rhsmcertd to send signull to unconfined_service.- Allow httpd_suexec_t to read and write Apache stream sockets Resolves: #1243569 - Allow qpid to create lnk_files in qpid_var_lib_t Resolves: #1247279- Allow drbd to get attributes from filesystems. - Allow redis to read kernel parameters. Resolves: #1209518 - Allow virt_qemu_ga_t domtrans to passwd_t - Allow audisp_remote_t to start power unit files domain to allow halt system. Resolves: #1186780 - Allow audisp_remote_t to read/write user domain pty. Resolves: #1186780 - Label /usr/sbin/chpasswd as passwd_exec_t. - Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds). Resolves:#1221121- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te - Allow pcp_pmcd daemon to read postfix config files. - Allow pcp_pmcd daemon to search postfix spool dirs. Resolves: #1213740 - Added Booleans: pcp_read_generic_logs. Resolves: #1213740 - Allow drbd to read configuration options used when loading modules. Resolves: #1134883 - Allow glusterd to manage nfsd and rpcd services. - Allow glusterd to communicate with cluster domains over stream socket. - glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.- Allow glusterd to manage nfsd and rpcd services. - Allow networkmanager to communicate via dbus with systemd_hostanmed. Resolves: #1234954 - Allow stream connect logrotate to prosody. - Add prosody_stream_connect() interface. - httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t. - Allow prosody to create own tmp files/dirs. Resolves:#1212498- Allow networkmanager read rfcomm port. Resolves:#1212498 - Remove non exists label. - Fix *_admin intefaces where body is not consistent with header. - Label /usr/afs/ as afs_files_t, Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t, Allow afs_bosserver_t read kerberos config - Remove non exits nfsd_ro_t label. - Make all interfaces related to openshift_cache_t as deprecated. - Add rpm_var_run_t label to rpm_admin header - Add jabberd_lock_t label to jabberd_admin header. - Add samba_unconfined_script_exec_t to samba_admin header. - inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - Fix ctdb policy - Add samba_signull_winbind() - Add samba_signull_unconfined_net() - Allow ctdbd_t send signull to samba_unconfined_net_t. - Allow openshift_initrc_t to communicate with firewalld over dbus Resolves:#1221326- Allow gluster to connect to all ports. It is required by random services executed by gluster. - Add interfaces winbind_signull(), samba_unconfined_net_signull(). - Dontaudit smbd_t block_suspend capability. This is kernel bug. - Allow ctdbd sending signull to process winbind, samba_unconfined_net, to checking if processes exists. - Add tmpreaper booleans to use nfs_t and samba_share_t. - Fix path from /usr/sbin/redis-server to /usr/bin/redis-server - Allow connect ypserv to portmap_port_t - Fix paths in inn policy, Allow innd read innd_log_t dirs, Allow innd execute innd_etc_t files - Add support for openstack-nova-* packages - Allow NetworkManager_t send signull to dnssec_trigger_t. - Allow glusterd to execute showmount in the showmount domain. - Label swift-container-reconciler binary as swift_t. - Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files. - Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?" Resolves:#1213540 - Merge all nova_* labels under one nova_t.- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins Resolves:#1233550 - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ - Add support for oddjob based helper in FreeIPA. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add nagios_domtrans_unconfined_plugins() interface. - Update mta_filetrans_named_content() interface to cover more db files. Resolves:#1167468 - Add back ftpd_use_passive_mode boolean with fixed description. - Allow pmcd daemon stream connect to mysqld. - Allow pcp domains to connect to own process using unix_stream_socket. Resolves:#1213709 - Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add support for oddjob based helper in FreeIPA. - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/- Allow iptables to read ctdbd lib files. Resolves:#1224879 - Add systemd_networkd_t to nsswitch domains. - Allow drbd_t write to fixed_disk_device. Reason: drbdmeta needs write to fixed_disk_device during initialization. Resolves:#1130675 - Allow NetworkManager write to sysfs. - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. - Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types. - Allow NetworkManager write to sysfs. - Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. - Dontaudit apache to manage snmpd_var_lib_t files/dirs. - Add interface snmp_dontaudit_manage_snmp_var_lib_files(). - Dontaudit mozilla_plugin_t cap. sys_ptrace. - Rename xodbc-connect port to xodbc_connect - Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. - Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. - Dontaudit chrome to read passwd file. - nrpe needs kill capability to make gluster moniterd nodes working. Resolves:#1235587- We allow can_exec() on ssh_keygen on gluster. But there is a transition defined by init_initrc_domain() because we need to allow execute unconfined services by glusterd. So ssh-keygen ends up with ssh_keygen_t and we need to allow to manage /var/lib/glusterd/geo-replication/secret.pem. - Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so. - Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password. - Label gluster python hooks also as bin_t. - Allow glusterd to interact with gluster tools running in a user domain - Add glusterd_manage_lib_files() interface. - ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. - Allow samba_t net_admin capability to make CIFS mount working. - S30samba-start gluster hooks wants to search audit logs. Dontaudit it. Resolves:#1224879- Allow glusterd to send generic signals to systemd_passwd_agent processes. - Allow glusterd to access init scripts/units without defined policy - Allow glusterd to run init scripts. - Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain. Resolves:#1224879- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block. - Allow samba-net to access /var/lib/ctdbd dirs/files. - Allow glusterd to send a signal to smbd. - Make ctdbd as home manager to access also FUSE. - Allow glusterd to use geo-replication gluster tool. - Allow glusterd to execute ssh-keygen. - Allow glusterd to interact with cluster services. - Allow glusterd to connect to the system DBUS for service (acquire_svc). - Label /dev/log correctly. Resolves:#1230932- Back port the latest F22 changes to RHEL7. It should fix most of RHEL7.2 bugs - Add cgdcbxd policy Resolves:#1072493 - Fix ftp_homedir boolean Resolve:#1097775 - Dontaudit ifconfig writing inhertited /var/log/pluto.log. - Allow cluster domain to dbus chat with systemd-logind. Resolves:#1145215 - Dontaudit write access to inherited kdumpctl tmp files Resolves:#1156442 - Allow isnsd_t to communicate with sssd Resolves:#1167702 - Allow rwho_t to communicate with sssd Resolves:#1167718 - Allow sblim_gatherd_t to communicate with sssd Resolves:#1167732 - Allow pkcs_slotd_t to communicate with sssd Resolves:#1167737 - Allow openvswitch_t to communicate with sssd Resolves:#1167816 - Allow mysqld_safe_t to communicate with sssd Resolves:#1167832 - Allow sshd_keygen_t to communicate with sssd Resolves:#1167840 - Add support for iprdbg logging files in /var/log. Resolves:#1174363 - Allow tmpreaper_t to manage ntp log content Resolves:#1176965 - Allow gssd_t to manage ssh keyring Resolves:#1184791 - Allow httpd_sys_script_t to send system log messages Resolves:#1185231 - Allow apcupsd_t to read /sys/devices Resolves:#1189185 - Allow dovecot_t sys_resource capability Resolves:#1191143 - Add support for mongod/mongos systemd unit files. Resolves:#1197038 - Add bacula fixes - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. Resolves:#1203991- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. - Add more restriction on entrypoint for unconfined domains. - Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface - Allow all domains to read /dev/urandom. It is needed by all apps/services linked to libgcrypt. There is no harm to allow it by default. - Update policy/mls for sockets related to access perm. Rules were contradictory. - Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow r un sudo from NRPE utils scripts and allow run nagios in conjunction w ith PNP4Nagios. Resolves:#1201054 - Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead. - Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type - Label /var/lib/tftpboot/aarch64(/.*)? and /var/lib/tftpboot/images2(/.*)? - Add support for iprdbg logging files in /var/log. - Add fixes to rhsmcertd_t - Allow puppetagent_t to transfer firewalld messages over dbus - Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. - Add support for mongod/mongos systemd unit files. - cloudinit and rhsmcertd need to communicate with dbus - Allow dovecot_t sys_resource capability- ALlow mongod execmem by default. - Update policy/mls for sockets. Rules were contradictory. Resolves:#1207133 - Allow a user to login with different security level via ssh.- Update seutil_manage_config() interface. Resolves:#1185962 - Allow pki-tomcat relabel pki_tomcat_etc_rw_t. - Turn on docker_transition_unconfined by default- Allow virtd to list all mountpoints. Resolves:#1180713- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t. - Allow fowner capability for sssd because of selinux_child handling. - ALlow bind to read/write inherited ipsec pipes - Allow hypervkvp to read /dev/urandom and read addition states/config files. - Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd. - Add glusterd_filetrans_named_pid() interface - Allow radiusd to connect to radsec ports. - Allow setuid/setgid for selinux_child - Allow lsmd plugin to connect to tcp/5988 by default. - Allow lsmd plugin to connect to tcp/5989 by default. - Update ipsec_manage_pid() interface. Resolves:#1184978- Update ipsec_manage_pid() interface. Resolves:#1184978- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.- Add auditing support for ipsec. Resolves:#1182524 - Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t - Allow netutils chown capability to make tcpdump working with -w- Allow ipsec to execute _updown.netkey script to run unbound-control. - Allow neutron to read rpm DB. - Add additional fixes for hyperkvp * creates new ifcfg-{name} file * Runs hv_set_ifconfig.sh, which does the following * Copies ifcfg-{name} to /etc/sysconfig/network-scripts - Allow svirt to read symbolic links in /sys/fs/cgroups labeled as tmpfs_t - Add labeling for pacemaker.log. - Allow radius to connect/bind radsec ports. - Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log - Allow virt_qemu_ga to dbus chat with rpm. - Update virt_read_content() interface to allow read also char devices. - Allow glance-registry to connect to keystone port. Resolves:#1181818- Allow sssd to send dbus all user domains. Resolves:#1172291 - Allow lsm plugin to read certificates. - Fix labeling for keystone CGI scripts. - Make snapperd back as unconfined domain.- Fix bugs in interfaces discovered by sepolicy. - Allow slapd to read /usr/share/cracklib/pw_dict.hwm. - Allow lsm plugins to connect to tcp/18700 by default. - Allow brltty mknod capability to allow create /var/run/brltty/vcsa. - Fix pcp_domain_template() interface. - Fix conman.te. - Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc - Allow glance-scrubber to connect tcp/9191. - Add missing setuid capability for sblim-sfcbd. - Allow pegasus ioctl() on providers. - Add conman_can_network. - Allow chronyd to read chrony conf files located in /run/timemaster/. - Allow radius to bind on tcp/1813 port. - dontaudit block suspend access for openvpn_t - Allow conman to create files/dirs in /tmp. - Update xserver_rw_xdm_keys() interface to have 'setattr'. Resolves:#1172291 - Allow sulogin to read /dev/urandom and /dev/random. - Update radius port definition to have also tcp/18121 - Label prandom as random_device_t. - Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t.- Allow virt_qemu_ga_t to execute kmod. - Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean. - Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs. Resolves:#1113725 - Enable OpenStack cinder policy - Add support for /usr/share/vdsm/daemonAdapter - Add support for /var/run/gluster- Remove old pkcsslotd.pp from minimum package - Allow rlogind to use also rlogin ports. - Add support for /usr/libexec/ntpdate-wrapper. Label it as ntpdate_exec_t. - Allow bacula to connect also to postgresql. - Label /usr/libexec/tomcat/server as tomcat_exec_t - Add support for /usr/sbin/ctdbd_wrapper - Add support for /usr/libexec/ppc64-diag/rtas_errd - Allow rpm_script_roles to access system_mail_t - Allow brltty to create /var/run/brltty - Allow lsmd plugin to access netlink_route_socket - Allow smbcontrol to read passwd - Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for it Resolves:#1140106 - Allow osad to execute rhn_check - Allow load_policy to rw inherited sssd pipes because of selinux_child - Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS - Add additional fixes for su_restricted_domain_template to make moving to sysadm_r and trying to su working correctly - Add additional booleans substitions- Add seutil_dontaudit_access_check_semanage_module_store() interface Resolves:#1140106 - Update to have all _systemctl() interface also init_reload_services(). - Dontaudit access check on SELinux module store for sssd. - Add labeling for /sbin/iw. - Allow named_filetrans_domain to create ibus directory with correct labeling.- Allow radius to bind tcp/1812 radius port. - Dontaudit list user_tmp files for system_mail_t. - Label virt-who as virtd_exec_t. - Allow rhsmcertd to send a null signal to virt-who running as virtd_t. - Add missing alias for _content_rw_t. Resolves:#1089177 - Allow spamd to access razor-agent.log. - Add fixes for sfcb from libvirt-cim TestOnly bug. - Allow NetworkManager stream connect on openvpn. - Make /usr/bin/vncserver running as unconfined_service_t. - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain. - Label /etc/docker/certs.d as cert_t.- Label /etc/strongimcv as ipsec_conf_file_t. - Add support for /usr/bin/start-puppet-ca helper script Resolves:#1160727 - Allow rpm scripts to enable/disable transient systemd units. Resolves:#1154613 - Make kpropdas nsswitch domain Resolves:#1153561 - Make all glance domain as nsswitch domains Resolves:#1113281 - Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active - Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t Resolves:#1140106- Dontaudit access check on setfiles/load_policy for sssd_t. Resolves:#1140106 - Add kdump_rw_inherited_kdumpctl_tmp_pipes() Resolves:#1156442 - Make linuxptp services as unconfined. - Added new policy linuxptp. Resolves:#1149693 - Label keystone cgi files as keystone_cgi_script_exec_t. Resolves:#1138424 - Make tuned as unconfined domain- Allow guest to connect to libvirt using unix_stream_socket. - Allow all bus client domains to dbus chat with unconfined_service_t. - Allow inetd service without own policy to run in inetd_child_t which is unconfined domain. - Make opensm as nsswitch domain to make it working with sssd. - Allow brctl to read meminfo. - Allow winbind-helper to execute ntlm_auth in the caller domain. Resolves:#1160339 - Make plymouthd as nsswitch domain to make it working with sssd. Resolves:#1160196 - Make drbd as nsswitch domain to make it working with sssd. - Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working. - Add support for /var/lib/sntp directory. - Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc - Allow winbind to read usermodehelper - Allow telepathy domains to execute shells and bin_t - Allow gpgdomains to create netlink_kobject_uevent_sockets - Allow mongodb to bind to the mongo port and mongos to run as mongod_t - Allow abrt to read software raid state. - Allow nslcd to execute netstat. - Allow dovecot to create user's home directory when they log into IMAP. - Allow login domains to create kernel keyring with different level.- Allow modemmanger to connectto itself Resolves:#1120152 - Allow pki_tomcat to create link files in /var/lib/pki-ca. Resolves:#1121744 - varnishd needs to have fsetid capability Resolves:#1125165 - Allow snapperd to dbus chat with system cron jobs. Resolves:#1152447 - Allow dovecot to create user's home directory when they log into IMAP Resolves:#1152773 - Add labeling for /usr/sbin/haproxy-systemd-wrapper wrapper to make haproxy running haproxy_t. - ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. - Allow nslcd to execute netstat. - Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. - Allow nslcd to read /dev/urandom.- Add back kill permisiion for system class Resolves:#1150011- Add back kill permisiion for service class Resolves:#1150011 - Make rhsmcertd_t also as dbus domain. - Allow named to create DNS_25 with correct labeling. - Add cloudform_dontaudit_write_cloud_log() - Call auth_use_nsswitch to apache to read/write cloud-init keys. - Allow cloud-init to dbus chat with certmonger. - Fix path to mon_statd_initrc_t script. - Allow all RHCS services to read system state. - Allow dnssec_trigger_t to execute unbound-control in own domain. - kernel_read_system_state needs to be called with type. Moved it to antivirus.if. - Added policy for mon_statd and mon_procd services. BZ (1077821) - Allow opensm_t to read/write /dev/infiniband/umad1. - Allow mongodb to manage own log files. - Allow neutron connections to system dbus. - Add support for /var/lib/swiftdirectory. - Allow nova-scheduler to read certs. - Allow openvpn to access /sys/fs/cgroup dir. - Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd. - Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files. - Add auth_use_nsswitch for portreserve to make it working with sssd. - automount policy is non-base module so it needs to be called in optional block. - ALlow sensord to getattr on sysfs. - Label /usr/share/corosync/corosync as cluster_exec_t. - Allow lmsd_plugin to read passwd file. BZ(1093733) - Allow read antivirus domain all kernel sysctls. - Allow mandb to getattr on file systems - Allow nova-console to connect to mem_cache port. - Make sosreport as unconfined domain. - Allow mondogdb to 'accept' accesses on the tcp_socket port. - ALlow sanlock to send a signal to virtd_t.- Build also MLS policy Resolves:#1138424- Add back kill permisiion for system class - Allow iptables read fail2ban logs. - Fix radius labeled ports - Add userdom_manage_user_tmpfs_files interface - Allow libreswan to connect to VPN via NM-libreswan. - Label 4101 tcp port as brlp port - fix dev_getattr_generic_usb_dev interface - Allow all domains to read fonts - Make sure /run/systemd/generator and system is labeled correctly on creation. - Dontaudit aicuu to search home config dir. - Make keystone_cgi_script_t domain. Resolves:#1138424 - Fix bug in drbd policy, - Added support for cpuplug. - ALlow sanlock_t to read sysfs_t. - Added sendmail_domtrans_unconfined interface - Fix broken interfaces - radiusd wants to write own log files. - Label /usr/libexec/rhsmd as rhsmcertd_exec_t - Allow rhsmcertd send signull to setroubleshoot. - Allow rhsmcertd manage rpm db. - Added policy for blrtty. - Fix keepalived policy - Allow rhev-agentd dbus chat with systemd-logind. - Allow keepalived manage snmp var lib sock files. - Add support for /var/lib/graphite-web - Allow NetworkManager to create Bluetooth SDP sockets - It's going to do the the discovery for DUN service for modems with Bluez 5. - Allow swift to connect to all ephemeral ports by default. - Allow sssd to read selinux config to add SELinux user mapping. - Allow lsmd to search own plguins. - Allow abrt to read /dev/memto generate an unique machine_id and uses sosuploader's algorithm based off dmidecode[1] fields. - ALlow zebra for user/group look-ups. - Allow nova domains to getattr on all filesystems. - Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes. - Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket. - Allow rhnsd_t to manage also rhnsd config symlinks. - ALlow user mail domains to create dead.letter. - Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. - Allow pki-tomcat to change SELinux object identity. - Allow radious to connect to apache ports to do OCSP check - Allow git cgi scripts to create content in /tmp - Allow cockpit-session to do GSSAPI logins. - Allow sensord read in /proc - Additional access required by usbmuxd- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems - Label /usr/lib/erlang/erts.*/bin files as bin_t - Add files_dontaudit_access_check_home_dir() inteface. - Allow udev_t mounton udev_var_run_t dirs #(1128618) - Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it. - Add init_dontaudit_read_state() interface. - Add label for ~/.local/share/fonts - Allow unconfined_r to access unconfined_service_t. - Allow init to read all config files - Add new interface to allow creation of file with lib_t type - Assign rabbitmq port. - Allow unconfined_service_t to dbus chat with all dbus domains - Add new interfaces to access users keys. - Allow domains to are allowed to mounton proc to mount on files as well as dirs - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. - Add a port definition for shellinaboxd - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Allow userdomains to stream connect to pcscd for smart cards - Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix) - Update to rawhide-contrib changes Resolves:#1123844- Rebase to 3.13.1 which we have in Fedora21 Resolves:#1128284- Back port fixes from Fedora. Mainly OpenStack and Docker fixes- Add policy-rhel-7.1-{base,contrib} patches- Add support for us_cli ports - Fix labeling for /var/run/user//gvfs - add support for tcp/9697 - Additional rules required by openstack, needs backport to F20 and RHEL7 - Additional access required by docker - ALlow motion to use tcp/8082 port - Allow init_t to setattr/relabelfrom dhcp state files - Dontaudit antivirus domains read access on all security files by default - Add missing alias for old amavis_etc_t type - Allow block_suspend cap for haproxy - Additional fixes for instack overcloud - Allow OpenStack to read mysqld_db links and connect to MySQL - Remove dup filename rules in gnome.te - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t - Allow iscsid to handle own unit files - Add iscsi_systemctl() - Allow mongod to create also sock_files in /run with correct labeling - Allow httpd to send signull to apache script domains and don't audit leaks - Allow rabbitmq_beam to connect to httpd port - Allow aiccu stream connect to pcscd - Allow dmesg to read hwdata and memory dev - Allow all freeipmi domains to read/write ipmi devices - Allow sblim_sfcbd to use also pegasus-https port - Allow rabbitmq_epmd to manage rabbit_var_log_t files - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input - Allow docker to status any unit file and allow it to start generic unit files- Change hsperfdata_root to have as user_tmp_t Resolves:#1076523- Fix Multiple same specifications for /var/named/chroot/dev/zero - Add labels for /var/named/chroot_sdb/dev devices - Add support for strongimcv - Use kerberos_keytab_domains in auth_use_nsswitch - Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to - Allow net_raw cap for neutron_t and send sigkill to dnsmasq - Fix ntp_filetrans_named_content for sntp-kod file - Add httpd_dbus_sssd boolean - Dontaudit exec insmod in boinc policy - Rename kerberos_keytab_domain to kerberos_keytab_domains - Add kerberos_keytab_domain() - Fix kerberos_keytab_template() - Make all domains which use kerberos as kerberos_keytab_domain Resolves:#1083670 - Allow kill capability to winbind_t- varnishd wants chown capability - update ntp_filetrans_named_content() interface - Add additional fixes for neutron_t. #1083335 - Dontaudit getattr on proc_kcore_t - Allow pki_tomcat_t to read ipa lib files - Allow named_filetrans_domain to create /var/cache/ibus with correct labelign - Allow init_t run /sbin/augenrules - Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces - Allow unpriv SELinux user to use sandbox - Add default label for /tmp/hsperfdata_root- Add file subs also for /var/home- Allow xauth_t to read user_home_dir_t lnk_file - Add labeling for lightdm-data - Allow certmonger to manage ipa lib files - Add support for /var/lib/ipa - Allow pegasus to getattr virt_content - Added some new rules to pcp policy - Allow chrome_sandbox to execute config_home_t - Add support for ABRT FAF- Allow kdm to send signull to remote_login_t process - Add gear policy - Turn on gear_port_t - Allow cgit to read gitosis lib files by default - Allow vdagent to read xdm state - Allow NM and fcoeadm to talk together over unix_dgram_socket- Back port fixes for pegasus_openlmi_admin_t from rawhide Resolves:#1080973 - Add labels for ostree - Add SELinux awareness for NM - Label /usr/sbin/pwhistory_helper as updpwd_exec_t- add gnome_append_home_config() - Allow thumb to append GNOME config home files - Allow rasdaemon to rw /dev/cpu//msr - fix /var/log/pki file spec - make bacula_t as auth_nsswitch domain - Identify pki_tomcat_cert_t as a cert_type - Define speech-dispater_exec_t as an application executable - Add a new file context for /var/named/chroot/run directory - update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removeable devices - Allow nsswitch_domains to stream connect to nmbd - Allow unprivusers to connect to memcached - label /var/lib/dirsrv/scripts-INSTANCE as bin_t- Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo Resolves:#1079250 - Add booleans to allow docker processes to use nfs and samba - Add mdadm_tmpfs support - Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t - Allow vmware-user-sui to use user ttys - Allow talk 2 users logged via console too - Allow ftp services to manage xferlog_t - Make all pcp domanis as unconfined for RHEL7.0 beucause of new policies - allow anaconda to dbus chat with systemd-localed- allow anaconda to dbus chat with systemd-localed - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - Add userdom_tmp_role for secadm_t- Add additional fixes for rtas_errd - Fix transitions for tmp/tmpfs in rtas.te - Allow rtas_errd to readl all sysctls- Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves- Allow docker containers to manage /var/lib/docker content- Allow docker to read tmpfs_t symlinks - Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets- Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets - Dontaudit leaks of sockets into chrome_sandbox_t - If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t - Run vmtools as unconfined domains - Allow snort to manage its log files - Allow systemd_cronjob_t to be entered via bin_t - Allow procman to list doveconf_etc_t - allow keyring daemon to create content in tmpfs directories - Add proper labelling for icedtea-web - vpnc is creating content in networkmanager var run directory - Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. - Allow net_admin cap for fence_virtd running as fenced_t - Make abrt-java-connector working - Make cimtest script 03_defineVS.py of ComputerSystem group working - Fix git_system_enable_homedirs boolean - Allow munin mail plugins to read network systcl- Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla - /var/lib/containers should be labeled as openshift content for now - Allow docker domains to talk to the login programs, to allow a process to login into the container - Allow install_t do dbus chat with NM - Fix interface names in anaconda.if - Add install_t for anaconda. A new type is a part of anaconda policy - sshd to read network sysctls- Allow zabbix to send system log msgs - Allow init_t to stream connect to ipsec Resolves:#1060775- Add docker_connect_any boolean- Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Allow pegasus_openlmi_storage_t to write lvm metadata - Add hide_broken_symptoms for kdumpgui because of systemd bug - Make kdumpgui_t as unconfined domain Resolves:#1044299 - Allow docker to connect to tcp/5000- Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Fix label on irclogs in the homedir - Allow kerberos_keytab_domain domains to manage keys until we get sssd fix - Allow postgresql to use ldap - Add missing syslog-conn port - Add support for /dev/vmcp and /dev/sclp Resolves:#1069310- Modify xdm_write_home to allow create files/links in /root with xdm_home_ - Allow virt domains to read network state Resolves:#1072019- Added pcp rules - dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6 - clean up ctdb.te - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow certmonger to list home dirs- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask - Add sysnet_filetrans_named_content_ifconfig() interface - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow kerberos keytab domains to manage sssd/userdomain keys" - Allow to run ip cmd in neutron_t domain- Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service - Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working - Add xserver_rw_xdm_keys() - Allow rpm_script_t to dbus chat also with systemd-located - Fix ipa_stream_connect_otpd() - update lpd_manage_spool() interface - Allow krb5kdc to stream connect to ipa-otpd - Add ipa_stream_connect_otpd() interface - Allow vpnc to unlink NM pids - Add networkmanager_delete_pid_files() - Allow munin plugins to access unconfined plugins - update abrt_filetrans_named_content to cover /var/spool/debug - Label /var/spool/debug as abrt_var_cache_t - Allow rhsmcertd to connect to squid port - Make docker_transition_unconfined as optional boolean - Allow certmonger to list home dirs- Make snapperd as unconfined domain and add additional fixes for it - Remove nsplugin.pp module on upgrade- Add snapperd_home_t for HOME_DIR/.snapshots directory - Make sosreport as unconfined domain - Allow sosreport to execute grub2-probe - Allow NM to manage hostname config file - Allow systemd_timedated_t to dbus chat with rpm_script_t - Allow lsmd plugins to connect to http/ssh/http_cache ports by default - Add lsmd_plugin_connect_any boolean - Allow mozilla_plugin to attempt to set capabilities - Allow lsdm_plugins to use tcp_socket - Dontaudit mozilla plugin from getattr on /proc or /sys - Dontaudit use of the keyring by the services in a sandbox - Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t - Allow rabbitmq_beam to connect to jabber_interserver_port - Allow logwatch_mail_t to transition to qmail_inject and queueu - Added new rules to pcp policy - Allow vmtools_helper_t to change role to system_r - Allow NM to dbus chat with vmtools - Fix couchdb_manage_files() to allow manage couchdb conf files - Add support for /var/run/redis.sock - dontaudit gpg trying to use audit - Allow consolekit to create log directories and files - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow pkcsslotd to read users state - Add ioctl to init_dontaudit_rw_stream_socket - Add systemd_hostnamed_manage_config() interface - Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - sddm-greater is a xdm type program- Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() interface - Allow confined users to run vmtools helpers - Fix userdom_common_user_template() - Generic systemd unit scripts do write check on / - Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files - Add additional fixes needed for init_t and setup script running in generic unit files - Allow general users to create packet_sockets - added connlcli port - Add init_manage_transient_unit() interface - Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t - Fix userdomain.te to require passwd class - devicekit_power sends out a signal to all processes on the message bus when power is going down - Dontaudit rendom domains listing /proc and hittping system_map_t - Dontauit leaks of var_t into ifconfig_t - Allow domains that transition to ssh_t to manipulate its keyring - Define oracleasm_t as a device node - Change to handle /root as a symbolic link for os-tree - Allow sysadm_t to create packet_socket, also move some rules to attributes - Add label for openvswitch port - Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. - Allow postfix_local to read .forward in pcp lib files - Allow pegasus_openlmi_storage_t to read lvm metadata - Add additional fixes for pegasus_openlmi_storage_t - Allow bumblebee to manage debugfs - Make bumblebee as unconfined domain - Allow snmp to read etc_aliases_t - Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem - Allow pegasus_openlmi_storage_t to read /proc/1/environ - Dontaudit read gconf files for cupsd_config_t - make vmtools as unconfined domain - Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. - Allow collectd_t to use a mysql database - Allow ipa-otpd to perform DNS name resolution - Added new policy for keepalived - Allow openlmi-service provider to manage transitient units and allow stream connect to sssd - Add additional fixes new pscs-lite+polkit support - Add labeling for /run/krb5kdc - Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 - Allow pcscd to read users proc info - Dontaudit smbd_t sending out random signuls - Add boolean to allow openshift domains to use nfs - Allow w3c_validator to create content in /tmp - zabbix_agent uses nsswitch - Allow procmail and dovecot to work together to deliver mail - Allow spamd to execute files in homedir if boolean turned on - Allow openvswitch to listen on port 6634 - Add net_admin capability in collectd policy - Fixed snapperd policy - Fixed bugsfor pcp policy - Allow dbus_system_domains to be started by init - Fixed some interfaces - Add kerberos_keytab_domain attribute - Fix snapperd_conf_t def- Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage /etc/sysconf/rhn director - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Make tuned_t as unconfined domain for RHEL7.0 - Allow ABRT to read puppet certs - Add sys_time capability for virt-ga - Allow gemu-ga to domtrans to hwclock_t - Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages - Fix some AVCs in pcp policy - Add to bacula capability setgid and setuid and allow to bind to bacula ports - Changed label from rhnsd_rw_conf_t to rhnsd_conf_t - Add access rhnsd and osad to /etc/sysconfig/rhn - drbdadm executes drbdmeta - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true - Allow init_t to manage pluto.ctl because of init_t instead of initrc_t - Allow systemd_tmpfiles_t to manage all non security files on the system - Added labels for bacula ports - Fix label on /dev/vfio/vfio - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi- Added osad policy - Allow postfix to deliver to procmail - Allow bumblebee to seng kill signal to xserver - Allow vmtools to execute /usr/bin/lsb_release - Allow docker to write system net ctrls - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix pcp.te - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl- Turn on bacula, rhnsd policy - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl - Fixes for *_admin interfaces - Add pegasus_openlmi_storage_var_run_t type def - Add support for /var/run/openlmi-storage - Allow tuned to create syslog.conf with correct labeling - Add httpd_dontaudit_search_dirs boolean - Add support for winbind.service - ALlow also fail2ban-client to read apache logs - Allow vmtools to getattr on all fs - Add support for dey_sapi port - Add logging_filetrans_named_conf() - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring- Update snapper policy - Allow domains to append rkhunter lib files - Allow snapperd to getattr on all fs - Allow xdm to create /var/gdm with correct labeling - Add label for snapper.log - Allow fail2ban-client to read apache log files - Allow thumb_t to execute dbus-daemon in thumb_t- Allow gdm to create /var/gdm with correct labeling - Allow domains to append rkhunterl lib files. #1057982 - Allow systemd_tmpfiles_t net_admin to communicate with journald - Add interface to getattr on an isid_type for any type of file - Update libs_filetrans_named_content() to have support for /usr/lib/debug directory - Allow initrc_t domtrans to authconfig if unconfined is enabled - Allow docker and mount on devpts chr_file - Allow docker to transition to unconfined_t if boolean set - init calling needs to be optional in domain.te - Allow uncofined domain types to handle transient unit files - Fix labeling for vfio devices - Allow net_admin capability and send system log msgs - Allow lldpad send dgram to NM - Add networkmanager_dgram_send() - rkhunter_var_lib_t is correct type - Back port pcp policy from rawhide - Allow openlmi-storage to read removable devices - Allow system cron jobs to manage rkhunter lib files - Add rkhunter_manage_lib_files() - Fix ftpd_use_fusefs boolean to allow manage also symlinks - Allow smbcontrob block_suspend cap2 - Allow slpd to read network and system state info - Allow NM domtrans to iscsid_t if iscsiadm is executed - Allow slapd to send a signal itself - Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA. - Fix plymouthd_create_log() interface - Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package - Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container - Allow postfix and cyrus-imapd to work out of box - Allow fcoemon to talk with unpriv user domain using unix_stream_socket - Dontaudit domains that are calling into journald to net_admin - Add rules to allow vmtools to do what it does - snapperd is D-Bus service - Allow OpenLMI PowerManagement to call 'systemctl --force reboot' - Add haproxy_connect_any boolean - Allow haproxy also to use http cache port by default Resolves:#1058248- Allow apache to write to the owncloud data directory in /var/www/html... - Allow consolekit to create log dir - Add support for icinga CGI scripts - Add support for icinga - Allow kdumpctl_t to create kdump lock file Resolves:#1055634 - Allow kdump to create lnk lock file - Allow nscd_t block_suspen capability - Allow unconfined domain types to manage own transient unit file - Allow systemd domains to handle transient init unit files - Add interfaces to handle transient- Add cron unconfined role support for uncofined SELinux user - Call corenet_udp_bind_all_ports() in milter.te - Allow fence_virtd to connect to zented port - Fix header for mirrormanager_admin() - Allow dkim-milter to bind udp ports - Allow milter domains to send signull itself - Allow block_suspend for yum running as mock_t - Allow beam.smp to manage couchdb files - Add couchdb_manage_files() - Add labeling for /var/log/php_errors.log - Allow bumblebee to stream connect to xserver - Allow bumblebee to send a signal to xserver - gnome-thumbnail to stream connect to bumblebee - Allow xkbcomp running as bumblebee_t to execute bin_t - Allow logrotate to read squid.conf - Additional rules to get docker and lxc to play well with SELinux - Allow bumbleed to connect to xserver port - Allow pegasus_openlmi_storage_t to read hwdata- Allow init_t to work on transitient and snapshot unit files - Add logging_manage_syslog_config() - Update sysnet_dns_name_resolve() to allow connect to dnssec por - Allow pegasus_openlmi_storage_t to read hwdata Resolves:#1031721 - Fix rhcs_rw_cluster_tmpfs() - Allow fenced_t to bind on zented udp port - Added policy for vmtools - Fix mirrormanager_read_lib_files() - Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files - Allow ctdb to create sock files in /var/run/ctdb - Add sblim_filetrans_named_content() interface - Allow rpm scritplets to create /run/gather with correct labeling - Allow gnome keyring domains to create gnome config dirs - Dontaudit read/write to init stream socket for lsmd_plugin_t - Allow automount to read nfs link files - Allow lsm plugins to read/write lsmd stream socket - Allow certmonger to connect ldap port to make IPA CA certificate renewal working. - Add also labeling for /var/run/ctdb - Add missing labeling for /var/lib/ctdb - ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446 - Dontaudit hypervkvp to search homedirs - Dontaudit hypervkvp to search admin homedirs - Allow hypervkvp to execute bin_t and ifconfig in the caller domain - Dontaudit xguest_t to read ABRT conf files - Add abrt_dontaudit_read_config() - Allow namespace-init to getattr on fs - Add thumb_role() also for xguest - Add filename transitions to create .spamassassin with correct labeling - Allow apache domain to read mirrormanager pid files - Allow domains to read/write shm and sem owned by mozilla_plugin_t - Allow alsactl to send a generic signal to kernel_t- Add back rpm_run() for unconfined user- Add missing files_create_var_lib_dirs() - Fix typo in ipsec.te - Allow passwd to create directory in /var/lib - Add filename trans also for event21 - Allow iptables command to read /dev/rand - Add sigkill capabilityfor ipsec_t - Add filename transitions for bcache devices - Add additional rules to create /var/log/cron by syslogd_t with correct labeling - Add give everyone full access to all key rings - Add default lvm_var_run_t label for /var/run/multipathd - Fix log labeling to have correct default label for them after logrotate - Labeled ~/.nv/GLCache as being gstreamer output - Allow nagios_system_plugin to read mrtg lib files - Add mrtg_read_lib_files() - Call rhcs_rw_cluster_tmpfs for dlm_controld - Make authconfing as named_filetrans domain - Allow virsh to connect to user process using stream socket - Allow rtas_errd to read rand/urand devices and add chown capability - Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp Resolves:#1051497 - Add also chown cap for abrt_upload_watch_t. It already has dac_override - Allow sosreport to manage rhsmcertd pid files - Add rhsmcertd_manage_pid_files() - Allow also setgid cap for rpc.gssd - Dontaudit access check for abrt on cert_t - Allow pegasus_openlmi_system providers to dbus chat with systemd-logind- Fix semanage import handling in spec file- Add default lvm_var_run_t label for /var/run/multipathd Resolves:#1051430 - Fix log labeling to have correct default label for them after logrotate - Add files_write_root_dirs - Add new openflow port label for 6653/tcp and 6633/tcp - Add xserver_manage_xkb_libs() - Label tcp/8891 as milter por - Allow gnome_manage_generic_cache_files also create cache_home_t files - Fix aide.log labeling - Fix log labeling to have correct default label for them after logrotate - Allow mysqld-safe write access on /root to make mysqld working - Allow sosreport domtrans to prelikn - Allow OpenvSwitch to connec to openflow ports - Allow NM send dgram to lldpad - Allow hyperv domains to execute shell - Allow lsmd plugins stream connect to lsmd/init - Allow sblim domains to create /run/gather with correct labeling - Allow httpd to read ldap certs - Allow cupsd to send dbus msgs to process with different MLS level - Allow bumblebee to stream connect to apmd - Allow bumblebee to run xkbcomp - Additional allow rules to get libvirt-lxc containers working with docker - Additional allow rules to get libvirt-lxc containers working with docker - Allow docker to getattr on itself - Additional rules needed for sandbox apps - Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled - httpd should be able to send signal/signull to httpd_suexec_t - Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain.- Add neutron fixes- Allow sshd to write to all process levels in order to change passwd when running at a level - Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range - Allow apcuspd_t to status and start the power unit file - Allow udev to manage kdump unit file - Added new interface modutils_dontaudit_exec_insmod - Allow cobbler to search dhcp_etc_t directory - systemd_systemctl needs sys_admin capability - Allow sytemd_tmpfiles_t to delete all directories - passwd to create gnome-keyring passwd socket - Add missing zabbix_var_lib_t type - Fix filename trans for zabbixsrv in zabbix.te - Allow fprintd_t to send syslog messages - Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port - Allow mozilla plugin to chat with policykit, needed for spice - Allow gssprozy to change user and gid, as well as read user keyrings - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly - Allow polipo to connect to http_cache_ports - Allow cron jobs to manage apache var lib content - Allow yppassword to manage the passwd_file_t - Allow showall_t to send itself signals - Allow cobbler to restart dhcpc, dnsmasq and bind services - Allow certmonger to manage home cert files - Add userdom filename trans for user mail domains - Allow apcuspd_t to status and start the power unit file - Allow cgroupdrulesengd to create content in cgoups directories - Allow smbd_t to signull cluster - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t - Add label for /var/spool/cron.aquota.user - Allow sandbox_x domains to use work with the mozilla plugin semaphore - Added new policy for speech-dispatcher - Added dontaudit rule for insmod_exec_t in rasdaemon policy - Updated rasdaemon policy - Allow system_mail_t to transition to postfix_postdrop_t - Clean up mirrormanager policy - Allow virt_domains to read cert files, needs backport to RHEL7 - Allow sssd to read systemd_login_var_run_t - Allow irc_t to execute shell and bin-t files: - Add new access for mythtv - Allow rsync_t to manage all non auth files - allow modemmanger to read /dev/urand - Allow sandbox apps to attempt to set and get capabilties- Add labeling for /var/lib/servicelog/servicelog.db-journal - Add support for freeipmi port - Add sysadm_u_default_contexts - Make new type to texlive files in homedir - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Additional fixes for docker.te - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libivrt - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Fix typo in docker.te - Allow amanda to do backups over UDP - Allow bumblebee to read /etc/group and clean up bumblebee.te - type transitions with a filename not allowed inside conditionals - Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 - Make new type to texlive files in homedir- Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template() - Allow journalctl running as ABRT to read /run/log/journal - Allow NM to read dispatcher.d directory - Update freeipmi policy - Type transitions with a filename not allowed inside conditionals - Allow tor to bind to hplip port - Make new type to texlive files in homedir - Allow zabbix_agent to transition to dmidecode - Add rules for docker - Allow sosreport to send signull to unconfined_t - Add virt_noatsecure and virt_rlimitinh interfaces - Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port - Add sysadm_u_default_contexts - Add logging_read_syslog_pid() - Fix userdom_manage_home_texlive() interface - Make new type to texlive files in homedir - Add filename transitions for /run and /lock links - Allow virtd to inherit rlimit information Resolves:#975358- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t Resolves:#1039879 - Add labeling for /usr/lib/systemd/system/mariadb.service - Allow hyperv_domain to read sysfs - Fix ldap_read_certs() interface to allow acess also link files - Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt - Allow tuned to run modprobe - Allow portreserve to search /var/lib/sss dir - Add SELinux support for the teamd package contains team network device control daemon. - Dontaudit access check on /proc for bumblebee - Bumblebee wants to load nvidia modules - Fix rpm_named_filetrans_log_files and wine.te - Add conman policy for rawhide - DRM master and input event devices are used by the TakeDevice API - Clean up bumblebee policy - Update pegasus_openlmi_storage_t policy - Add freeipmi_stream_connect() interface - Allow logwatch read madm.conf to support RAID setup - Add raid_read_conf_files() interface - Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling - add rpm_named_filetrans_log_files() interface - Allow dkim-milter to create files/dirs in /tmp - update freeipmi policy - Add policy for freeipmi services - Added rdisc_admin and rdisc_systemctl interfaces - opensm policy clean up - openwsman policy clean up - ninfod policy clean up - Added new policy for ninfod - Added new policy for openwsman - Added rdisc_admin and rdisc_systemctl interfaces - Fix kernel_dontaudit_access_check_proc() - Add support for /dev/uhid - Allow sulogin to get the attributes of initctl and sys_admin cap - Add kernel_dontaudit_access_check_proc() - Fix dev_rw_ipmi_dev() - Fix new interface in devices.if - DRM master and input event devices are used by the TakeDevice API - add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() - Added support for default conman port - Add interfaces for ipmi devices- Allow sosreport to send a signal to ABRT - Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t - Label /usr/sbin/htcacheclean as httpd_exec_t Resolves:#1037529 - Added support for rdisc unit file - Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs - Allow runuser running as logrotate connections to system DBUS - Label bcache devices as fixed_disk_device_t - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service - Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t- Add back setpgid/setsched for sosreport_t- Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com)- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel. - Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on - Add lsmd_plugin_t for lsm plugins - Allow dovecot-deliver to search mountpoints - Add labeling for /etc/mdadm.conf - Allow opelmi admin providers to dbus chat with init_t - Allow sblim domain to read /dev/urandom and /dev/random - Allow apmd to request the kernel load modules - Add glusterd_brick_t type - label mate-keyring-daemon with gkeyringd_exec_t - Add plymouthd_create_log() - Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 - Allow sssd to request the kernel loads modules - Allow gpg_agent to use ssh-add - Allow gpg_agent to use ssh-add - Dontaudit access check on /root for myslqd_safe_t - Allow ctdb to getattr on al filesystems - Allow abrt to stream connect to syslog - Allow dnsmasq to list dnsmasq.d directory - Watchdog opens the raw socket - Allow watchdog to read network state info - Dontaudit access check on lvm lock dir - Allow sosreport to send signull to setroubleshootd - Add setroubleshoot_signull() interface - Fix ldap_read_certs() interface - Allow sosreport all signal perms - Allow sosreport to run systemctl - Allow sosreport to dbus chat with rpm - Add glusterd_brick_t files type - Allow zabbix_agentd to read all domain state - Clean up rtas.if - Allow smoltclient to execute ldconfig - Allow sosreport to request the kernel to load a module - Fix userdom_confined_admin_template() - Add back exec_content boolean for secadm, logadm, auditadm - Fix files_filetrans_system_db_named_files() interface - Allow sulogin to getattr on /proc/kcore - Add filename transition also for servicelog.db-journal - Add files_dontaudit_access_check_root() - Add lvm_dontaudit_access_check_lock() interface- Allow watchdog to read /etc/passwd - Allow browser plugins to connect to bumblebee - New policy for bumblebee and freqset - Add new policy for mip6d daemon - Add new policy for opensm daemon - Allow condor domains to read/write condor_master udp_socket - Allow openshift_cron_t to append to openshift log files, label /var/log/openshift - Add back file_pid_filetrans for /var/run/dlm_controld - Allow smbd_t to use inherited tmpfs content - Allow mcelog to use the /dev/cpu device - sosreport runs rpcinfo - sosreport runs subscription-manager - Allow staff_t to run frequency command - Allow systemd_tmpfiles to relabel log directories - Allow staff_t to read xserver_log file - Label hsperfdata_root as tmp_t- More sosreport fixes to make ABRT working- Fix files_dontaudit_unmount_all_mountpoints() - Add support for 2608-2609 tcp/udp ports - Should allow domains to lock the terminal device - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - We need to require passwd rootok - Fix zebra.fc - Fix dnsmasq_filetrans_named_content() interface - Allow all sandbox domains create content in svirt_home_t - Allow zebra domains also create zebra_tmp_t files in /tmp - Add support for new zebra services:isisd,babeld. Add systemd support for zebra services. - Fix labeling on neutron and remove transition to iconfig_t - abrt needs to read mcelog log file - Fix labeling on dnsmasq content - Fix labeling on /etc/dnsmasq.d - Allow glusterd to relabel own lib files - Allow sandbox domains to use pam_rootok, and dontaudit attempts to unmount file systems, this is caused by a bug in systemd - Allow ipc_lock for abrt to run journalctl- Fix config.tgz- Fix passenger_stream_connect interface - setroubleshoot_fixit wants to read network state - Allow procmail_t to connect to dovecot stream sockets - Allow cimprovagt service providers to read network states - Add labeling for /var/run/mariadb - pwauth uses lastlog() to update system's lastlog - Allow account provider to read login records - Add support for texlive2013 - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - Allow passwd_t to connect to gnome keyring to change password - Update mls config files to have cronjobs in the user domains - Remove access checks that systemd does not actually do- Add support for yubikey in homedir - Add support for upd/3052 port - Allow apcupsd to use PowerChute Network Shutdown - Allow lsmd to execute various lsmplugins - Add labeling also for /etc/watchdog\.d where are watchdog scripts located too - Update gluster_export_all_rw boolean to allow relabel all base file types - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling- Add files_relabel_base_file_types() interface - Allow netlabel-config to read passwd - update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr() - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling - Allow pegasus to domtrans to mount_t - Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts - Add support for unconfined watchdog scripts - Allow watchdog to manage own log files- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory. - Label /etc/yum.repos.d as system_conf_t - Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t - Allow dac_override for sysadm_screen_t - Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. - Allow netlabel-config to read meminfo - Add interface to allow docker to mounton file_t - Add new interface to exec unlabeled files - Allow lvm to use docker semaphores - Setup transitons for .xsessions-errors.old - Change labels of files in /var/lib/*/.ssh to transition properly - Allow staff_t and user_t to look at logs using journalctl - pluto wants to manage own log file - Allow pluto running as ipsec_t to create pluto.log - Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Allow dmidecode to read/write /run/lock/subsys/rhsmcertd - Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. - Additional access for docker - Added more rules to sblim policy - Fix kdumpgui_run_bootloader boolean - Allow dspam to connect to lmtp port - Included sfcbd service into sblim policy - rhsmcertd wants to manaage /etc/pki/consumer dir - Add kdumpgui_run_bootloader boolean - Add support for /var/cache/watchdog - Remove virt_domain attribute for virt_qemu_ga_unconfined_t - Fixes for handling libvirt containes - Dontaudit attempts by mysql_safe to write content into / - Dontaudit attempts by system_mail to modify network config - Allow dspam to bind to lmtp ports - Add new policy to allow staff_t and user_t to look at logs using journalctl - Allow apache cgi scripts to list sysfs - Dontaudit attempts to write/delete user_tmp_t files - Allow all antivirus domains to manage also own log dirs - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Add missing permission checks for nscd- Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Add file transition rules for content created by f5link - Rename quantum_port information to neutron - Allow all antivirus domains to manage also own log dirs - Rename quantum_port information to neutron - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Allow sysadm_t to read login information - Allow systemd_tmpfiles to setattr on var_log_t directories - Udpdate Makefile to include systemd_contexts - Add systemd_contexts - Add fs_exec_hugetlbfs_files() interface - Add daemons_enable_cluster_mode boolean - Fix rsync_filetrans_named_content() - Add rhcs_read_cluster_pid_files() interface - Update rhcs.if with additional interfaces from RHEL6 - Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t - Allow glusterd_t to mounton glusterd_tmp_t - Allow glusterd to unmout al filesystems - Allow xenstored to read virt config - Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label - Allow mozilla_plugin_t to mmap hugepages as an executable- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp- Allow sshd_t to read openshift content, needs backport to RHEL6.5 - Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t - Make sur kdump lock is created with correct label if kdumpctl is executed - gnome interface calls should always be made within an optional_block - Allow syslogd_t to connect to the syslog_tls port - Add labeling for /var/run/charon.ctl socket - Add kdump_filetrans_named_content() - Allo setpgid for fenced_t - Allow setpgid and r/w cluster tmpfs for fenced_t - gnome calls should always be within optional blocks - wicd.pid should be labeled as networkmanager_var_run_t - Allow sys_resource for lldpad- Add rtas policy- Allow mailserver_domains to manage and transition to mailman data - Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands - Allow mailserver_domains to manage and transition to mailman data - Allow svirt_domains to read sysctl_net_t - Allow thumb_t to use tmpfs inherited from the user - Allow mozilla_plugin to bind to the vnc port if running with spice - Add new attribute to discover confined_admins and assign confined admin to it - Fix zabbix to handle attributes in interfaces - Fix zabbix to read system states for all zabbix domains - Fix piranha_domain_template() - Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. - Allow lldpad sys_rouserce cap due to #986870 - Allow dovecot-auth to read nologin - Allow openlmi-networking to read /proc/net/dev - Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t - Add zabbix_domain attribute for zabbix domains to treat them together - Add labels for zabbix-poxy-* (#1018221) - Update openlmi-storage policy to reflect #1015067 - Back port piranha tmpfs fixes from RHEL6 - Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop - Add postfix_rw_spool_maildrop_files interface - Call new userdom_admin_user_templat() also for sysadm_secadm.pp - Fix typo in userdom_admin_user_template() - Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey - Add new attribute to discover confined_admins - Fix labeling for /etc/strongswan/ipsec.d - systemd_logind seems to pass fd to anyone who dbus communicates with it - Dontaudit leaked write descriptor to dmesg- Activate motion policy- Fix gnome_read_generic_data_home_files() - allow openshift_cgroup_t to read/write inherited openshift file types - Remove httpd_cobbler_content * from cobbler_admin interface - Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container - Allow httpd_t to read also git sys content symlinks - Allow init_t to read gnome home data - Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it. - Allow virsh to execute systemctl - Fix for nagios_services plugins - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - Fix hypervkvp.te - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Fix logging policy - Allow syslog to bind to tls ports - Update labeling for /dev/cdc-wdm - Allow to su_domain to read init states - Allow init_t to read gnome home data - Make sure if systemd_logind creates nologin file with the correct label - Clean up ipsec.te- Add auth_exec_chkpwd interface - Fix port definition for ctdb ports - Allow systemd domains to read /dev/urand - Dontaudit attempts for mozilla_plugin to append to /dev/random - Add label for /var/run/charon.* - Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service - Fix for nagios_services plugins - Fix some bugs in zoneminder policy - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - glusterd binds to random unreserved ports - Additional allow rules found by testing glusterfs - apcupsd needs to send a message to all users on the system so needs to look them up - Fix the label on ~/.juniper_networks - Dontaudit attempts for mozilla_plugin to append to /dev/random - Allow polipo_daemon to connect to flash ports - Allow gssproxy_t to create replay caches - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type- init reload from systemd_localed_t - Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd - Allow systemd_localed_t to ask systemd to reload the locale. - Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory - Allow readahead to read /dev/urand - Fix lots of avcs about tuned - Any file names xenstored in /var/log should be treated as xenstored_var_log_t - Allow tuned to inderact with hugepages - Allow condor domains to list etc rw dirs- Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Add additional fixes forpegasus_openlmi_account_t - Allow mdadm to read /dev/urand - Allow pegasus_openlmi_storage_t to create mdadm.conf and write it - Add label/rules for /etc/mdadm.conf - Allow pegasus_openlmi_storage_t to transition to fsadm_t - Fixes for interface definition problems - Dontaudit dovecot-deliver to gettatr on all fs dirs - Allow domains to search data_home_t directories - Allow cobblerd to connect to mysql - Allow mdadm to r/w kdump lock files - Add support for kdump lock files - Label zarafa-search as zarafa-indexer - Openshift cgroup wants to read /etc/passwd - Add new sandbox domains for kvm - Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on - Fix labeling for /usr/lib/systemd/system/lvm2.* - Add labeling for /usr/lib/systemd/system/lvm2.* - Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules - Add sshd_keygen_t policy for sshd-keygen - Fix alsa_home_filetrans interface name and definition - Allow chown for ssh_keygen_t - Add fs_dontaudit_getattr_all_dirs() - Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys - Fix up patch to allow systemd to manage home content - Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled - Allow getty to exec hostname to get info - Add systemd_home_t for ~/.local/share/systemd directory- Fix lxc labels in config.tgz- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper - Allow tuned to search all file system directories - Allow alsa_t to sys_nice, to get top performance for sound management - Add support for MySQL/PostgreSQL for amavis - Allow openvpn_t to manage openvpn_var_log_t files. - Allow dirsrv_t to create tmpfs_t directories - Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label - Dontaudit leaked unix_stream_sockets into gnome keyring - Allow telepathy domains to inhibit pipes on telepathy domains - Allow cloud-init to domtrans to rpm - Allow abrt daemon to manage abrt-watch tmp files - Allow abrt-upload-watcher to search /var/spool directory - Allow nsswitch domains to manage own process key - Fix labeling for mgetty.* logs - Allow systemd to dbus chat with upower - Allow ipsec to send signull to itself - Allow setgid cap for ipsec_t - Match upstream labeling- Do not build sanbox pkg on MLS- wine_tmp is no longer needed - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind - Fix handling of fifo files of rpm - Allow mozilla_plugin to transition to itself - Allow certwatch to write to cert_t directories - New abrt application - Allow NetworkManager to set the kernel scheduler - Make wine_domain shared by all wine domains - Allow mdadm_t to read images labeled svirt_image_t - Allow amanda to read /dev/urand - ALlow my_print_default to read /dev/urand - Allow mdadm to write to kdumpctl fifo files - Allow nslcd to send signull to itself - Allow yppasswd to read /dev/urandom - Fix zarafa_setrlimit - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add additional alias for user_tmp_t because wine_tmp_t is no longer used - More handling of ther kernel keyring required by kerberos - New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed- Dontaudit attempts by sosreport to read shadow_t - Allow browser sandbox plugins to connect to cups to print - Add new label mpd_home_t - Label /srv/www/logs as httpd_log_t - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add labels for apache logs under miq package - Allow irc_t to use tcp sockets - fix labels in puppet.if - Allow tcsd to read utmp file - Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys - Define svirt_socket_t as a domain_type - Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t - Fix label on pam_krb5 helper apps- Allow ldconfig to write to kdumpctl fifo files - allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks- Allow block_suspend cap for samba-net - Allow t-mission-control to manage gabble cache files - Allow nslcd to read /sys/devices/system/cpu - Allow selinux_store to use symlinks- Allow xdm_t to transition to itself - Call neutron interfaces instead of quantum - Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t - Make sure directories in /run get created with the correct label - Make sure /root/.pki gets created with the right label - try to remove labeling for motion from zoneminder_exec_t to bin_t - Allow inetd_t to execute shell scripts - Allow cloud-init to read all domainstate - Fix to use quantum port - Add interface netowrkmanager_initrc_domtrans - Fix boinc_execmem - Allow t-mission-control to read gabble cache home - Add labeling for ~/.cache/telepathy/avatars/gabble - Allow memcache to read sysfs data - Cleanup antivirus policy and add additional fixes - Add boolean boinc_enable_execstack - Add support for couchdb in rabbitmq policy - Add interface couchdb_search_pid_dirs - Allow firewalld to read NM state - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files()- Split out rlogin ports from inetd - Treat files labeld as usr_t like bin_t when it comes to transitions - Allow staff_t to read login config - Allow ipsec_t to read .google authenticator data - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files() - Call the correct interface - corenet_udp_bind_ktalkd_port() - Allow all domains that can read gnome_config to read kde config - Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work - Allow mdadm to getattr any file system - Allow a confined domain to executes mozilla_exec_t via dbus - Allow cupsd_lpd_t to bind to the printer port - Dontaudit attempts to bind to ports < 1024 when nis is turned on - Allow apache domain to connect to gssproxy socket - Allow rlogind to bind to the rlogin_port - Allow telnetd to bind to the telnetd_port - Allow ktalkd to bind to the ktalkd_port - Allow cvs to bind to the cvs_port- Cleanup related to init_domain()+inetd_domain fixes - Use just init_domain instead of init_daemon_domain in inetd_core_service_domain - svirt domains neeed to create kobject_uevint_sockets - Lots of new access required for sosreport - Allow tgtd_t to connect to isns ports - Allow init_t to transition to all inetd domains: - openct needs to be able to create netlink_object_uevent_sockets - Dontaudit leaks into ldconfig_t - Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls - Move kernel_stream_connect into all Xwindow using users - Dontaudit inherited lock files in ifconfig o dhcpc_t- Also sock_file trans rule is needed in lsm - Fix labeling for fetchmail pid files/dirs - Add additional fixes for abrt-upload-watch - Fix polipo.te - Fix transition rules in asterisk policy - Add fowner capability to networkmanager policy - Allow polipo to connect to tor ports - Cleanup lsmd.if - Cleanup openhpid policy - Fix kdump_read_crash() interface - Make more domains as init domain - Fix cupsd.te - Fix requires in rpm_rw_script_inherited_pipes - Fix interfaces in lsm.if - Allow munin service plugins to manage own tmpfs files/dirs - Allow virtd_t also relabel unix stream sockets for virt_image_type - Make ktalk as init domain - Fix to define ktalkd_unit_file_t correctly - Fix ktalk.fc - Add systemd support for talk-server - Allow glusterd to create sock_file in /run - Allow xdm_t to delete gkeyringd_tmp_t files on logout - Add fixes for hypervkvp policy - Add logwatch_can_sendmail boolean - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb - Allow xdm_t to delete gkeyringd_tmp_t files on logout- Add selinux-policy-sandbox pkg0 - Allow rhsmcertd to read init state - Allow fsetid for pkcsslotd - Fix labeling for /usr/lib/systemd/system/pkcsslotd.service - Allow fetchmail to create own pid with correct labeling - Fix rhcs_domain_template() - Allow roles which can run mock to read mock lib files to view results - Allow rpcbind to use nsswitch - Fix lsm.if summary - Fix collectd_t can read /etc/passwd file - Label systemd unit files under dracut correctly - Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh - Add support for .Xauthority-n - Label umount.crypt as lvm_exec_t - Allow syslogd to search psad lib files - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files- Add policy for lsmd - Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory - Update condor_master rules to allow read system state info and allow logging - Add labeling for /etc/condor and allow condor domain to write it (bug) - Allow condor domains to manage own logs - Allow glusterd to read domains state - Fix initial hypervkvp policy - Add policy for hypervkvpd - Fix redis.if summary- Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984 - Allow named to manage own log files - Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t - Add virt_transition_userdomain boolean decl - Allow httpd_t to sendto unix_dgram sockets on its children - Allow nova domains to execute ifconfig - bluetooth wants to create fifo_files in /tmp - exim needs to be able to manage mailman data - Allow sysstat to getattr on all file systems - Looks like bluetoothd has moved - Allow collectd to send ping packets - Allow svirt_lxc domains to getpgid - Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff - Allow frpintd_t to read /dev/urandom - Allow asterisk_t to create sock_file in /var/run - Allow usbmuxd to use netlink_kobject - sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket - More cleanup of svirt_lxc policy - virtd_lxc_t now talks to dbus - Dontaudit leaked ptmx_t - Allow processes to use inherited fifo files - Allow openvpn_t to connect to squid ports - Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files - Allow user roles to connect to the journal socket- selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak - Allow xdm_t to create symlinks in log direcotries - Allow login programs to read afs config - Label 10933 as a pop port, for dovecot - New policy to allow selinux_server.py to run as semanage_t as a dbus service - Add fixes to make netlabelctl working on MLS - AVCs required for running sepolicy gui as staff_t - Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC - New dbus server to be used with new gui - After modifying some files in /etc/mail, I saw this needed on the next boot - Loading a vm from /usr/tmp with virt-manager - Clean up oracleasm policy for Fedora - Add oracleasm policy written by rlopez@redhat.com - Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache - Add label for /var/crash - Allow fenced to domtrans to sanclok_t - Allow nagios to manage nagios spool files - Make tfptd as home_manager - Allow kdump to read kcore on MLS system - Allow mysqld-safe sys_nice/sys_resource caps - Allow apache to search automount tmp dirs if http_use_nfs is enabled - Allow crond to transition to named_t, for use with unbound - Allow crond to look at named_conf_t, for unbound - Allow mozilla_plugin_t to transition its home content - Allow dovecot_domain to read all system and network state - Allow httpd_user_script_t to call getpw - Allow semanage to read pid files - Dontaudit leaked file descriptors from user domain into thumb - Make PAM authentication working if it is enabled in ejabberd - Add fixes for rabbit to fix ##992920,#992931 - Allow glusterd to mount filesystems - Loading a vm from /usr/tmp with virt-manager - Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device - Add fix for pand service - shorewall touches own log - Allow nrpe to list /var - Mozilla_plugin_roles can not be passed into lpd_run_lpr - Allow afs domains to read afs_config files - Allow login programs to read afs config - Allow virt_domain to read virt_var_run_t symlinks - Allow smokeping to send its process signals - Allow fetchmail to setuid - Add kdump_manage_crash() interface - Allow abrt domain to write abrt.socket- Add more aliases in pegasus.te - Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi provides. Fix naming and support for additionals - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec- Allow xdm_t to act as a dbus client to itsel - Allow fetchmail to resolve host names - Allow gnupg apps to write to pcscd socket - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te -httpd_t does access_check on certs- Add support for cmpiLMI_Service-cimprovagt - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t - Label pycmpiLMI_Software-cimprovagt as rpm_exec_t - Add support for pycmpiLMI_Storage-cimprovagt - Add support for cmpiLMI_Networking-cimprovagt - Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working - Allow virtual machines and containers to run as user doains, needed for virt-sandbox - Allow buglist.cgi to read cpu info- Allow systemd-tmpfile to handle tmp content in print spool dir - Allow systemd-sysctl to send system log messages - Add support for RTP media ports and fmpro-internal - Make auditd working if audit is configured to perform SINGLE action on disk error - Add interfaces to handle systemd units - Make systemd-notify working if pcsd is used - Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t - Instead of having all unconfined domains get all of the named transition rules, - Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. - Add definition for the salt ports - Allow xdm_t to create link files in xdm_var_run_t - Dontaudit reads of blk files or chr files leaked into ldconfig_t - Allow sys_chroot for useradd_t - Allow net_raw cap for ipsec_t - Allow sysadm_t to reload services - Add additional fixes to make strongswan working with a simple conf - Allow sysadm_t to enable/disable init_t services - Add additional glusterd perms - Allow apache to read lnk files in the /mnt directory - Allow glusterd to ask the kernel to load a module - Fix description of ftpd_use_fusefs boolean - Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t - Allow glusterds to request load a kernel module - Allow boinc to stream connect to xserver_t - Allow sblim domains to read /etc/passwd - Allow mdadm to read usb devices - Allow collectd to use ping plugin - Make foghorn working with SNMP - Allow sssd to read ldap certs - Allow haproxy to connect to RTP media ports - Add additional trans rules for aide_db - Add labeling for /usr/lib/pcsd/pcsd - Add labeling for /var/log/pcsd - Add support for pcs which is a corosync and pacemaker configuration tool- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1 - Allow all domains that can domtrans to shutdown, to start the power services script to shutdown - consolekit needs to be able to shut down system - Move around interfaces - Remove nfsd_rw_t and nfsd_ro_t, they don't do anything - Add additional fixes for rabbitmq_beam to allow getattr on mountpoints - Allow gconf-defaults-m to read /etc/passwd - Fix pki_rw_tomcat_cert() interface to support lnk_files- Add support for gluster ports - Make sure that all keys located in /etc/ssh/ are labeled correctly - Make sure apcuspd lock files get created with the correct label - Use getcap in gluster.te - Fix gluster policy - add additional fixes to allow beam.smp to interact with couchdb files - Additional fix for #974149 - Allow gluster to user gluster ports - Allow glusterd to transition to rpcd_t and add additional fixes for #980683 - Allow tgtd working when accessing to the passthrough device - Fix labeling for mdadm unit files- Add mdadm fixes- Fix definition of sandbox.disabled to sandbox.pp.disabled- Allow mdamd to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd pid content- Allow nsd_t to read /dev/urand - Allow mdadm_t to read framebuffer - Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t - Allow mozilla_plugin_config_t to create tmp files - Cleanup openvswitch policy - Allow mozilla plugin to getattr on all executables - Allow l2tpd_t to create fifo_files in /var/run - Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory - Allow mdadm to connecto its own unix_stream_socket - FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now. - Allow apache to access smokeping pid files - Allow rabbitmq_beam_t to getattr on all filesystems - Add systemd support for iodined - Allow nup_upsdrvctl_t to execute its entrypoint - Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch - add labeling for ~/.cache/libvirt-sandbox - Add interface to allow domains transitioned to by confined users to send sigchld to screen program - Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab - Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service - Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs. - Allow staff to getsched all domains, required to run htop - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Add prosody policy written by Michael Scherer - Allow nagios plugins to read /sys info - ntpd needs to manage own log files - Add support for HOME_DIR/.IBMERS - Allow iptables commands to read firewalld config - Allow consolekit_t to read utmp - Fix filename transitions on .razor directory - Add additional fixes to make DSPAM with LDA working - Allow snort to read /etc/passwd - Allow fail2ban to communicate with firewalld over dbus - Dontaudit openshift_cgreoup_file_t read/write leaked dev - Allow nfsd to use mountd port - Call th proper interface - Allow openvswitch to read sys and execute plymouth - Allow tmpwatch to read /var/spool/cups/tmp - Add support for /usr/libexec/telepathy-rakia - Add systemd support for zoneminder - Allow mysql to create files/directories under /var/log/mysql - Allow zoneminder apache scripts to rw zoneminder tmpfs - Allow httpd to manage zoneminder lib files - Add zoneminder_run_sudo boolean to allow to start zoneminder - Allow zoneminder to send mails - gssproxy_t sock_file can be under /var/lib - Allow web domains to connect to whois port. - Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. - We really need to add an interface to corenet to define what a web_client_domain is and - then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain. - Add labeling for cmpiLMI_LogicalFile-cimprovagt - Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules - Update policy rules for pegasus_openlmi_logicalfile_t - Add initial types for logicalfile/unconfined OpenLMI providers - mailmanctl needs to read own log - Allow logwatch manage own lock files - Allow nrpe to read meminfo - Allow httpd to read certs located in pki-ca - Add pki_read_tomcat_cert() interface - Add support for nagios openshift plugins - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. - Allow bootloader to manage generic log files - Allow ftp to bind to port 989 - Fix label of new gear directory - Add support for new directory /var/lib/openshift/gears/ - Add openshift_manage_lib_dirs() - allow virtd domains to manage setrans_var_run_t - Allow useradd to manage all openshift content - Add support so that mozilla_plugin_t can use dri devices - Allow chronyd to change the scheduler - Allow apmd to shut downthe system - Devicekit_disk_t needs to manage /etc/fstab- Make DSPAM to act as a LDA working - Allow ntop to create netlink socket - Allow policykit to send a signal to policykit-auth - Allow stapserver to dbus chat with avahi/systemd-logind - Fix labeling on haproxy unit file - Clean up haproxy policy - A new policy for haproxy and placed it to rhcs.te - Add support for ldirectord and treat it with cluster_t - Make sure anaconda log dir is created with var_log_t- Allow lvm_t to create default targets for filesystem handling - Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys for example) - Allow cobbler to execute apache with domain transition- condor_collector uses tcp/9000 - Label /usr/sbin/virtlockd as virtd_exec_t for now - Allow cobbler to execute ldconfig - Allow NM to execute ssh - Allow mdadm to read /dev/crash - Allow antivirus domains to connect to snmp port - Make amavisd-snmp working correctly - Allow nfsd_t to mounton nfsd_fs_t - Add initial snapper policy - We still need to have consolekit policy - Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow dirsrv to read network state - Fix pki_read_tomcat_lib_files - Add labeling for /usr/libexec/nm-ssh-service - Add label cert_t for /var/lib/ipa/pki-ca/publish - Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant - Allow nfsd_t to mounton nfsd_fs_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow passwd_t to change role to system_r from unconfined_r- Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices - Add labeling for new polcykit authorizor - Dontaudit access checks from fail2ban_client - Don't audit access checks by sandbox xserver on xdb var_lib - Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream - Fix labeling for all /usr/bim/razor-lightdm-* binaries - Add filename trans for /dev/md126p1- Make vdagent able to request loading kernel module - Add support for cloud-init make it as unconfined domain - Allow snmpd to run smartctl in fsadm_t domain - remove duplicate openshift_search_lib() interface - Allow mysqld to search openshift lib files - Allow openshift cgroup to interact with passedin file descriptors - Allow colord to list directories inthe users homedir - aide executes prelink to check files - Make sure cupsd_t creates content in /etc/cups with the correct label - Lest dontaudit apache read all domains, so passenger will not cause this avc - Allow gssd to connect to gssproxy - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS - Allow systemd-tmpfiles to relabel also lock files - Allow useradd to add homdir in /var/lib/openshift - Allow setfiles and semanage to write output to /run/files- Add labeling for /dev/tgt - Dontaudit leak fd from firewalld for modprobe - Allow runuser running as rpm_script_t to create netlink_audit socket - Allow mdadm to read BIOS non-volatile RAM- accountservice watches when accounts come and go in wtmp - /usr/java/jre1.7.0_21/bin/java needs to create netlink socket - Add httpd_use_sasl boolean - Allow net_admin for tuned_t - iscsid needs sys_module to auto-load kernel modules - Allow blueman to read bluetooth conf - Add nova_manage_lib_files() interface - Fix mplayer_filetrans_home_content() - Add mplayer_filetrans_home_content() - mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t - Revert "Allow thumb_t to append inherited xdm stream socket" - Add iscsi_filetrans_named_content() interface - Allow to create .mplayer with the correct labeling for unconfined - Allow iscsiadmin to create lock file with the correct labeling- Allow wine to manage wine home content - Make amanda working with socket actiovation - Add labeling for /usr/sbin/iscsiadm - Add support for /var/run/gssproxy.sock - dnsmasq_t needs to read sysctl_net_t- Fix courier_domain_template() interface - Allow blueman to write ip_forward - Allow mongodb to connect to mongodb port - Allow mongodb to connect to mongodb port - Allow java to bind jobss_debug port - Fixes for *_admin interfaces - Allow iscsid auto-load kernel modules needed for proper iSCSI functionality - Need to assign attribute for courier_domain to all courier_domains - Fail2ban reads /etc/passwd - postfix_virtual will create new files in postfix_spool_t - abrt triggers sys_ptrace by running pidof - Label ~/abc as mozilla_home_t, since java apps as plugin want to create it - Add passenger fixes needed by foreman - Remove dup interfaces - Add additional interfaces for quantum - Add new interfaces for dnsmasq - Allow passenger to read localization and send signull to itself - Allow dnsmasq to stream connect to quantum - Add quantum_stream_connect() - Make sure that mcollective starts the service with the correct labeling - Add labels for ~/.manpath - Dontaudit attempts by svirt_t to getpw* calls - sandbox domains are trying to look at parent process data - Allow courior auth to create its pid file in /var/spool/courier subdir - Add fixes for beam to have it working with couchdb - Add labeling for /run/nm-xl2tpd.con - Allow apache to stream connect to thin - Add systemd support for amand - Make public types usable for fs mount points - Call correct mandb interface in domain.te - Allow iptables to r/w quantum inherited pipes and send sigchld - Allow ifconfig domtrans to iptables and execute ldconfig - Add labels for ~/.manpath - Allow systemd to read iscsi lib files - seunshare is trying to look at parent process data- Fix openshift_search_lib - Add support for abrt-uefioops-oops - Allow colord to getattr any file system - Allow chrome processes to look at each other - Allow sys_ptrace for abrt_t - Add new policy for gssproxy - Dontaudit leaked file descriptor writes from firewalld - openshift_net_type is interface not template - Dontaudit pppd to search gnome config - Update openshift_search_lib() interface - Add fs_list_pstorefs() - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 - Better labels for raspberry pi devices - Allow init to create devpts_t directory - Temporarily label rasbery pi devices as memory_device_t, needs back port to f18 - Allow sysadm_t to build kernels - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 - Allow userdomains to stream connect to gssproxy - Dontaudit leaked file descriptor writes from firewalld - Allow xserver to read /dev/urandom - Add additional fixes for ipsec-mgmt - Make SSHing into an Openshift Enterprise Node working- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime - with the proper label. - Update files_filetrans_named_content() interface to get right labeling for pam.d conf files - Allow systemd-timedated to create adjtime - Add clock_create_adjtime() - Additional fix ifconfing for #966106 - Allow kernel_t to create boot.log with correct labeling - Remove unconfined_mplayer for which we don't have rules - Rename interfaces - Add userdom_manage_user_home_files/dirs interfaces - Fix files_dontaudit_read_all_non_security_files - Fix ipsec_manage_key_file() - Fix ipsec_filetrans_key_file() - Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t - Fix labeling for ipse.secrets - Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid - Add files_dontaudit_read_all_non_security_files() interface - /var/log/syslog-ng should be labeled var_log_t - Make ifconfig_var_run_t a mountpoint - Add transition from ifconfig to dnsmasq - Allow ifconfig to execute bin_t/shell_exec_t - We want to have hwdb.bin labeled as etc_t - update logging_filetrans_named_content() interface - Allow systemd_timedate_t to manage /etc/adjtime - Allow NM to send signals to l2tpd - Update antivirus_can_scan_system boolean - Allow devicekit_disk_t to sys_config_tty - Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories - Make printing from vmware working - Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes - Add virt_qemu_ga_data_t for qemu-ga - Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both - Fix typo in virt.te - Add virt_qemu_ga_unconfined_t for hook scripts - Make sure NetworkManager files get created with the correct label - Add mozilla_plugin_use_gps boolean - Fix cyrus to have support for net-snmp - Additional fixes for dnsmasq and quantum for #966106 - Add plymouthd_create_log() - remove httpd_use_oddjob for which we don't have rules - Add missing rules for httpd_can_network_connect_cobbler - Add missing cluster_use_execmem boolean - Call userdom_manage_all_user_home_type_files/dirs - Additional fix for ftp_home_dir - Fix ftp_home_dir boolean - Allow squit to recv/send client squid packet - Fix nut.te to have nut_domain attribute - Add support for ejabberd; TODO: revisit jabberd and rabbit policy - Fix amanda policy - Add more fixes for domains which use libusb - Make domains which use libusb working correctly - Allow l2tpd to create ipsec key files with correct labeling and manage them - Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files - Allow rabbitmq-beam to bind generic node - Allow l2tpd to read ipse-mgmt pid files - more fixes for l2tpd, NM and pppd from #967072- Dontaudit to getattr on dirs for dovecot-deliver - Allow raiudusd server connect to postgresql socket - Add kerberos support for radiusd - Allow saslauthd to connect to ldap port - Allow postfix to manage postfix_private_t files - Add chronyd support for #965457 - Fix labeling for HOME_DIR/\.icedtea - CHange squid and snmpd to be allowed also write own logs - Fix labeling for /usr/libexec/qemu-ga - Allow virtd_t to use virt_lock_t - Allow also sealert to read the policy from the kernel - qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content - Dontaudit listing of users homedir by sendmail Seems like a leak - Allow passenger to transition to puppet master - Allow apache to connect to mythtv - Add definition for mythtv ports- Add additional fixes for #948073 bug - Allow sge_execd_t to also connect to sge ports - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files - Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files - Add networkmanager_stream_connect() - Make gnome-abrt wokring with staff_t - Fix openshift_manage_lib_files() interface - mdadm runs ps command which seems to getattr on random log files - Allow mozilla_plugin_t to create pulseaudit_home_t directories - Allow qemu-ga to shutdown virtual hosts - Add labelling for cupsd-browsed - Add web browser plugins to connect to aol ports - Allow nm-dhcp-helper to stream connect to NM - Add port definition for sge ports- Make sure users and unconfined domains create .hushlogin with the correct label - Allow pegaus to chat with realmd over DBus - Allow cobblerd to read network state - Allow boicn-client to stat on /dev/input/mice - Allow certwatch to read net_config_t when it executes apache - Allow readahead to create /run/systemd and then create its own directory with the correct label- Transition directories and files when in a user_tmp_t directory - Change certwatch to domtrans to apache instead of just execute - Allow virsh_t to read xen lib files - update policy rules for pegasus_openlmi_account_t - Add support for svnserve_tmp_t - Activate account openlmi policy - pegasus_openlmi_domain_template needs also require pegasus_t - One more fix for policykit.te - Call fs_list_cgroups_dirs() in policykit.te - Allow nagios service plugin to read mysql config files - Add labeling for /var/svn - Fix chrome.te - Fix pegasus_openlmi_domain_template() interfaces - Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks - Fix location of google-chrome data - Add support for chome_sandbox to store content in the homedir - Allow policykit to watch for changes in cgroups file system - Add boolean to allow mozilla_plugin_t to use spice - Allow collectd to bind to udp port - Allow collected_t to read all of /proc - Should use netlink socket_perms - Should use netlink socket_perms - Allow glance domains to connect to apache ports - Allow apcupsd_t to manage its log files - Allow chrome objects to rw_inherited unix_stream_socket from callers - Allow staff_t to execute virtd_exec_t for running vms - nfsd_t needs to bind mountd port to make nfs-mountd.service working - Allow unbound net_admin capability because of setsockopt syscall - Fix fs_list_cgroup_dirs() - Label /usr/lib/nagios/plugins/utils.pm as bin_t - Remove uplicate definition of fs_read_cgroup_files() - Remove duplicate definition of fs_read_cgroup_files() - Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd - Additional interfaces needed to list and read cgroups config - Add port definition for collectd port - Add labels for /dev/ptp* - Allow staff_t to execute virtd_exec_t for running vms- Allow samba-net to also read realmd tmp files - Allow NUT to use serial ports - realmd can be started by systemctl now- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly - Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t - Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid - Allow virsh to read xen lock file - Allow qemu-ga to create files in /run with proper labeling - Allow glusterd to connect to own socket in /tmp - Allow glance-api to connect to http port to make glance image-create working - Allow keystonte_t to execute rpm- Fix realmd cache interfaces- Allow tcpd to execute leafnode - Allow samba-net to read realmd cache files - Dontaudit sys_tty_config for alsactl - Fix allow rules for postfix_var_run - Allow cobblerd to read /etc/passwd - Allow pegasus to read exports - Allow systemd-timedate to read xdm state - Allow mout to stream connect to rpcbind - Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki- Allow thumbnails to share memory with apps which run thumbnails - Allow postfix-postqueue block_suspend - Add lib interfaces for smsd - Add support for nginx - Allow s2s running as jabberd_t to connect to jabber_interserver_port_t - Allow pki apache domain to create own tmp files and execute httpd_suexec - Allow procmail to manger user tmp files/dirs/lnk_files - Add virt_stream_connect_svirt() interface - Allow dovecot-auth to execute bin_t - Allow iscsid to request that kernel load a kernel module - Add labeling support for /var/lib/mod_security - Allow iw running as tuned_t to create netlink socket - Dontaudit sys_tty_config for thumb_t - Add labeling for nm-l2tp-service - Allow httpd running as certwatch_t to open tcp socket - Allow useradd to manager smsd lib files - Allow useradd_t to add homedirs in /var/lib - Fix typo in userdomain.te - Cleanup userdom_read_home_certs - Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t - Allow staff to stream connect to svirt_t to make gnome-boxes working- Allow lvm to create its own unit files - Label /var/lib/sepolgen as selinux_config_t - Add filetrans rules for tw devices - Add transition from cupsd_config_t to cupsd_t- Add filetrans rules for tw devices - Cleanup bad transition lines- Fix lockdev_manage_files() - Allow setroubleshootd to read var_lib_t to make email_alert working - Add lockdev_manage_files() - Call proper interface in virt.te - Allow gkeyring_domain to create /var/run/UID/config/dbus file - system dbus seems to be blocking suspend - Dontaudit attemps to sys_ptrace, which I believe gpsd does not need - When you enter a container from root, you generate avcs with a leaked file descriptor - Allow mpd getattr on file system directories - Make sure realmd creates content with the correct label - Allow systemd-tty-ask to write kmsg - Allow mgetty to use lockdev library for device locking - Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music - When you enter a container from root, you generate avcs with a leaked file descriptor - Make sure init.fc files are labeled correctly at creation - File name trans vconsole.conf - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow certmonger to dbus communicate with realmd - Make realmd working- Fix mozilla specification of homedir content - Allow certmonger to read network state - Allow tmpwatch to read tmp in /var/spool/{cups,lpd} - Label all nagios plugin as unconfined by default - Add httpd_serve_cobbler_files() - Allow mdadm to read /dev/sr0 and create tmp files - Allow certwatch to send mails - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow realmd to run ipa, really needs to be an unconfined_domain - Allow sandbox domains to use inherted terminals - Allow pscd to use devices labeled svirt_image_t in order to use cat cards. - Add label for new alsa pid - Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition - Add support for sshd_unit_file_t - Add oracleasmfs_t - Allow unlabeled_t files to be stored on unlabeled_t filesystems- Fix description of deny_ptrace boolean - Remove allow for execmod lib_t for now - Allow quantum to connect to keystone port - Allow nova-console to talk with mysql over unix stream socket - Allow dirsrv to stream connect to uuidd - thumb_t needs to be able to create ~/.cache if it does not exist - virtd needs to be able to sys_ptrace when starting and stoping containers- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms... - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets - Fix deny_ptrace boolean, certain ptrace leaked into the system - Allow winbind to manage kerberos_rcache_host - Allow spamd to create spamd_var_lib_t directories - Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs - Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs - Fix vmware_role() interface - Fix cobbler_manage_lib_files() interface - Allow nagios check disk plugins to execute bin_t - Allow quantum to transition to openvswitch_t - Allow postdrop to stream connect to postfix-master - Allow quantum to stream connect to openvswitch - Add xserver_dontaudit_xdm_rw_stream_sockets() interface - Allow daemon to send dgrams to initrc_t - Allow kdm to start the power service to initiate a reboot or poweroff- Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Don't audit attempts to write to stream socket of nscld by thumbnailers - Allow git_system_t to read network state - Allow pegasas to execute mount command - Fix desc for drdb_admin - Fix condor_amin() - Interface fixes for uptime, vdagent, vnstatd - Fix labeling for moodle in /var/www/moodle/data - Add interface fixes - Allow bugzilla to read certs - /var/www/moodle needs to be writable by apache - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Fix namespace_init_t to create content with proper labels, and allow it to manage all user content - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Fix sys_nice for cups_domain - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Kernel_t needs mac_admin in order to support labeled NFS - Fix systemd_dontaudit_dbus_chat() interface - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Allow consolehelper domain to write Xauth files in /root - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Allow consolehelper more access discovered by Tom London - Allow fsdaemon to send signull to all domain - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Fix file_contexts.subs to label /run/lock correctly- Try to label on controlC devices up to 30 correctly - Add mount_rw_pid_files() interface - Add additional mount/umount interfaces needed by mock - fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk - Fix tabs - Allow initrc_domain to search rgmanager lib files - Add more fixes which make mock working together with confined users * Allow mock_t to manage rpm files * Allow mock_t to read rpm log files * Allow mock to setattr on tmpfs, devpts * Allow mount/umount filesystems - Add rpm_read_log() interface - yum-cron runs rpm from within it. - Allow tuned to transition to dmidecode - Allow firewalld to do net_admin - Allow mock to unmont tmpfs_t - Fix virt_sigkill() interface - Add additional fixes for mock. Mainly caused by mount running in mock_t - Allow mock to write sysfs_t and mount pid files - Add mailman_domain to mailman_template() - Allow openvswitch to execute shell - Allow qpidd to use kerberos - Allow mailman to use fusefs, needs back port to RHEL6 - Allow apache and its scripts to use anon_inodefs - Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 - Realmd needs to connect to samba ports, needs back port to F18 also - Allow colord to read /run/initial-setup- - Allow sanlock-helper to send sigkill to virtd which is registred to sanlock - Add virt_kill() interface - Add rgmanager_search_lib() interface - Allow wdmd to getattr on all filesystems. Back ported from RHEL6- Allow realmd to create tmp files - FIx ircssi_home_t type to irssi_home_t - Allow adcli running as realmd_t to connect to ldap port - Allow NetworkManager to transition to ipsec_t, for running strongswan - Make openshift_initrc_t an lxc_domain - Allow gssd to manage user_tmp_t files - Fix handling of irclogs in users homedir - Fix labeling for drupal an wp-content in subdirs of /var/www/html - Allow abrt to read utmp_t file - Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6 - fix labeling for (oo|rhc)-restorer-wrapper.sh - firewalld needs to be able to write to network sysctls - Fix mozilla_plugin_dontaudit_rw_sem() interface - Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains - Add mozilla_plugin_dontaudit_rw_sem() interface - Allow svirt_lxc_t to transition to openshift domains - Allow condor domains block_suspend and dac_override caps - Allow condor_master to read passd - Allow condor_master to read system state - Allow NetworkManager to transition to ipsec_t, for running strongswan - Lots of access required by lvm_t to created encrypted usb device - Allow xdm_t to dbus communicate with systemd_localed_t - Label strongswan content as ipsec_exec_mgmt_t for now - Allow users to dbus chat with systemd_localed - Fix handling of .xsession-errors in xserver.if, so kde will work - Might be a bug but we are seeing avc's about people status on init_t:service - Make sure we label content under /var/run/lock as <> - Allow daemon and systemprocesses to search init_var_run_t directory - Add boolean to allow xdm to write xauth data to the home directory - Allow mount to write keys for the unconfined domain - Add unconfined_write_keys() interface- Add labeling for /usr/share/pki - Allow programs that read var_run_t symlinks also read var_t symlinks - Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports - Fix labeling for /etc/dhcp directory - add missing systemd_stub_unit_file() interface - Add files_stub_var() interface - Add lables for cert_t directories - Make localectl set-x11-keymap working at all - Allow abrt to manage mock build environments to catch build problems. - Allow virt_domains to setsched for running gdb on itself - Allow thumb_t to execute user home content - Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 - Allow certwatch to execut /usr/bin/httpd - Allow cgred to send signal perms to itself, needs back port to RHEL6 - Allow openshift_cron_t to look at quota - Allow cups_t to read inhered tmpfs_t from the kernel - Allow yppasswdd to use NIS - Tuned wants sys_rawio capability - Add ftpd_use_fusefs boolean - Allow dirsrvadmin_t to signal itself- Allow localectl to read /etc/X11/xorg.conf.d directory - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" - Allow mount to transition to systemd_passwd_agent - Make sure abrt directories are labeled correctly - Allow commands that are going to read mount pid files to search mount_var_run_t - label /usr/bin/repoquery as rpm_exec_t - Allow automount to block suspend - Add abrt_filetrans_named_content so that abrt directories get labeled correctly - Allow virt domains to setrlimit and read file_context- Allow nagios to manage nagios spool files - /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6 - Add swift_alias.* policy files which contain typealiases for swift types - Add support for /run/lock/opencryptoki - Allow pkcsslotd chown capability - Allow pkcsslotd to read passwd - Add rsync_stub() interface - Allow systemd_timedate also manage gnome config homedirs - Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t - Fix filetrans rules for kdm creates .xsession-errors - Allow sytemd_tmpfiles to create wtmp file - Really should not label content under /var/lock, since it could have labels on it different from var_lock_t - Allow systemd to list all file system directories - Add some basic stub interfaces which will be used in PRODUCT policies- Fix log transition rule for cluster domains - Start to group all cluster log together - Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update - cups uses usbtty_device_t devices - These fixes were all required to build a MLS virtual Machine with single level desktops - Allow domains to transiton using httpd_exec_t - Allow svirt domains to manage kernel key rings - Allow setroubleshoot to execute ldconfig - Allow firewalld to read generate gnome data - Allow bluetooth to read machine-info - Allow boinc domain to send signal to itself - Fix gnome_filetrans_home_content() interface - Allow mozilla_plugins to list apache modules, for use with gxine - Fix labels for POkemon in the users homedir - Allow xguest to read mdstat - Dontaudit virt_domains getattr on /dev/* - These fixes were all required to build a MLS virtual Machine with single level desktops - Need to back port this to RHEL6 for openshift - Add tcp/8891 as milter port - Allow nsswitch domains to read sssd_var_lib_t files - Allow ping to read network state. - Fix typo - Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them- Adopt swift changes from lhh@redhat.com - Add rhcs_manage_cluster_pid_files() interface - Allow screen domains to configure tty and setup sock_file in ~/.screen directory - ALlow setroubleshoot to read default_context_t, needed to backport to F18 - Label /etc/owncloud as being an apache writable directory - Allow sshd to stream connect to an lxc domain- Allow postgresql to manage rgmanager pid files - Allow postgresql to read ccs data - Allow systemd_domain to send dbus messages to policykit - Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them - All systemd domains that create content are reading the file_context file and setfscreate - Systemd domains need to search through init_var_run_t - Allow sshd to communicate with libvirt to set containers labels - Add interface to manage pid files - Allow NetworkManger_t to read /etc/hostname - Dontaudit leaked locked files into openshift_domains - Add fixes for oo-cgroup-read - it nows creates tmp files - Allow gluster to manage all directories as well as files - Dontaudit chrome_sandbox_nacl_t using user terminals - Allow sysstat to manage its own log files - Allow virtual machines to setrlimit and send itself signals. - Add labeling for /var/run/hplip- Fix POSTIN scriptlet- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp- Fix authconfig.py labeling - Make any domains that write homedir content do it correctly - Allow glusterd to read/write anyhwere on the file system by default - Be a little more liberal with the rsync log files - Fix iscsi_admin interface - Allow iscsid_t to read /dev/urand - Fix up iscsi domain for use with unit files - Add filename transition support for spamassassin policy - Allow web plugins to use badly formated libraries - Allow nmbd_t to create samba_var_t directories - Add filename transition support for spamassassin policy - Add filename transition support for tvtime - Fix alsa_home_filetrans_alsa_home() interface - Move all userdom_filetrans_home_content() calling out of booleans - Allow logrotote to getattr on all file sytems - Remove duplicate userdom_filetrans_home_content() calling - Allow kadmind to read /etc/passwd - Dontaudit append .xsession-errors file on ecryptfs for policykit-auth - Allow antivirus domain to manage antivirus db links - Allow logrotate to read /sys - Allow mandb to setattr on man dirs - Remove mozilla_plugin_enable_homedirs boolean - Fix ftp_home_dir boolean - homedir mozilla filetrans has been moved to userdom_home_manager - homedir telepathy filetrans has been moved to userdom_home_manager - Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd() - Might want to eventually write a daemon on fusefsd. - Add policy fixes for sshd [net] child from plautrba@redhat.com - Tor uses a new port - Remove bin_t for authconfig.py - Fix so only one call to userdom_home_file_trans - Allow home_manager_types to create content with the correctl label - Fix all domains that write data into the homedir to do it with the correct label - Change the postgresql to use proper boolean names, which is causing httpd_t to - not get access to postgresql_var_run_t - Hostname needs to send syslog messages - Localectl needs to be able to send dbus signals to users - Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default - Allow user_home_manger domains to create spam* homedir content with correct labeling - Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling - Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working - Declare userdom_filetrans_type attribute - userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute - fusefsd is mounding a fuse file system on /run/user/UID/gvfs- Man pages are now generated in the build process - Allow cgred to list inotifyfs filesystem- Allow gluster to get attrs on all fs - New access required for virt-sandbox - Allow dnsmasq to execute bin_t - Allow dnsmasq to create content in /var/run/NetworkManager - Fix openshift_initrc_signal() interface - Dontaudit openshift domains doing getattr on other domains - Allow consolehelper domain to communicate with session bus - Mock should not be transitioning to any other domains, we should keep mock_t as mock_t - Update virt_qemu_ga_t policy - Allow authconfig running from realmd to restart oddjob service - Add systemd support for oddjob - Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd - Add labeling for gnashpluginrc - Allow chrome_nacl to execute /dev/zero - Allow condor domains to read /proc - mozilla_plugin_t will getattr on /core if firefox crashes - Allow condor domains to read /etc/passwd - Allow dnsmasq to execute shell scripts, openstack requires this access - Fix glusterd labeling - Allow virtd_t to interact with the socket type - Allow nmbd_t to override dac if you turned on sharing all files - Allow tuned to created kobject_uevent socket - Allow guest user to run fusermount - Allow openshift to read /proc and locale - Allow realmd to dbus chat with rpm - Add new interface for virt - Remove depracated interfaces - Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket - /usr/share/munin/plugins/plugin.sh should be labeled as bin_t - Remove some more unconfined_t process transitions, that I don't believe are necessary - Stop transitioning uncofnined_t to checkpc - dmraid creates /var/lock/dmraid - Allow systemd_localed to creatre unix_dgram_sockets - Allow systemd_localed to write kernel messages. - Also cleanup systemd definition a little. - Fix userdom_restricted_xwindows_user_template() interface - Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t - User accounts need to dbus chat with accountsd daemon - Gnome requires all users to be able to read /proc/1/- virsh now does a setexeccon call - Additional rules required by openshift domains - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work - Allow spamd_update_t to search spamc_home_t - Avcs discovered by mounting an isci device under /mnt - Allow lspci running as logrotate to read pci.ids - Additional fix for networkmanager_read_pid_files() - Fix networkmanager_read_pid_files() interface - Allow all svirt domains to connect to svirt_socket_t - Allow virsh to set SELinux context for a process. - Allow tuned to create netlink_kobject_uevent_socket - Allow systemd-timestamp to set SELinux context - Add support for /var/lib/systemd/linger - Fix ssh_sysadm_login to be working on MLS as expected- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file - Add missing files_rw_inherited_tmp_files interface - Add additional interface for ecryptfs - ALlow nova-cert to connect to postgresql - Allow keystone to connect to postgresql - Allow all cups domains to getattr on filesystems - Allow pppd to send signull - Allow tuned to execute ldconfig - Allow gpg to read fips_enabled - Add additional fixes for ecryptfs - Allow httpd to work with posgresql - Allow keystone getsched and setsched- Allow gpg to read fips_enabled - Add support for /var/cache/realmd - Add support for /usr/sbin/blazer_usb and systemd support for nut - Add labeling for fenced_sanlock and allow sanclok transition to fenced_t - bitlbee wants to read own log file - Allow glance domain to send a signal itself - Allow xend_t to request that the kernel load a kernel module - Allow pacemaker to execute heartbeat lib files - cleanup new swift policy- Fix smartmontools - Fix userdom_restricted_xwindows_user_template() interface - Add xserver_xdm_ioctl_log() interface - Allow Xusers to ioctl lxdm.log to make lxdm working - Add MLS fixes to make MLS boot/log-in working - Add mls_socket_write_all_levels() also for syslogd - fsck.xfs needs to read passwd - Fix ntp_filetrans_named_content calling in init.te - Allow postgresql to create pg_log dir - Allow sshd to read rsync_data_t to make rsync working - Change ntp.conf to be labeled net_conf_t - Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it - Allow xdm_t to execute gstreamer home content - Allod initrc_t and unconfined domains, and sysadm_t to manage ntp - New policy for openstack swift domains - More access required for openshift_cron_t - Use cupsd_log_t instead of cupsd_var_log_t - rpm_script_roles should be used in rpm_run - Fix rpm_run() interface - Fix openshift_initrc_run() - Fix sssd_dontaudit_stream_connect() interface - Fix sssd_dontaudit_stream_connect() interface - Allow LDA's job to deliver mail to the mailbox - dontaudit block_suspend for mozilla_plugin_t - Allow l2tpd_t to all signal perms - Allow uuidgen to read /dev/random - Allow mozilla-plugin-config to read power_supply info - Implement cups_domain attribute for cups domains - We now need access to user terminals since we start by executing a command outside the tty - We now need access to user terminals since we start by executing a command outside the tty - svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen - Add containment of openshift cron jobs - Allow system cron jobs to create tmp directories - Make userhelp_conf_t a config file - Change rpm to use rpm_script_roles - More fixes for rsync to make rsync wokring - Allow logwatch to domtrans to mdadm - Allow pacemaker to domtrans to ifconfig - Allow pacemaker to setattr on corosync.log - Add pacemaker_use_execmem for memcheck-amd64 command - Allow block_suspend capability - Allow create fifo_file in /tmp with pacemaker_tmp_t - Allow systat to getattr on fixed disk - Relabel /etc/ntp.conf to be net_conf_t - ntp_admin should create files in /etc with the correct label - Add interface to create ntp_conf_t files in /etc - Add additional labeling for quantum - Allow quantum to execute dnsmasq with transition- boinc_cliean wants also execmem as boinc projecs have - Allow sa-update to search admin home for /root/.spamassassin - Allow sa-update to search admin home for /root/.spamassassin - Allow antivirus domain to read net sysctl - Dontaudit attempts from thumb_t to connect to ssd - Dontaudit attempts by readahead to read sock_files - Dontaudit attempts by readahead to read sock_files - Create tmpfs file while running as wine as user_tmpfs_t - Dontaudit attempts by readahead to read sock_files - libmpg ships badly created librarie- Change ssh_use_pts to use macro and only inherited sshd_devpts_t - Allow confined users to read systemd_logind seat information - libmpg ships badly created libraries - Add support for strongswan.service - Add labeling for strongswan - Allow l2tpd_t to read network manager content in /run directory - Allow rsync to getattr any file in rsync_data_t - Add labeling and filename transition for .grl-podcasts- mount.glusterfs executes glusterfsd binary - Allow systemd_hostnamed_t to stream connect to systemd - Dontaudit any user doing a access check - Allow obex-data-server to request the kernel to load a module - Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info) - Allow gpg-agent to read /proc/sys/crypto/fips_enabled - Add new types for antivirus.pp policy module - Allow gnomesystemmm_t caps because of ioprio_set - Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t - Allow gnomesystemmm_t caps because of ioprio_set - Allow NM rawip socket - files_relabel_non_security_files can not be used with boolean - Add interface to thumb_t dbus_chat to allow it to read remote process state - ALlow logrotate to domtrans to mdadm_t - kde gnomeclock wants to write content to /tmp- kde gnomeclock wants to write content to /tmp - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde - Allow blueman_t to rwx zero_device_t, for some kind of jre - Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre - Ftp full access should be allowed to create directories as well as files - Add boolean to allow rsync_full_acces, so that an rsync server can write all - over the local machine - logrotate needs to rotate logs in openshift directories, needs back port to RHEL6 - Add missing vpnc_roles type line - Allow stapserver to write content in /tmp - Allow gnome keyring to create keyrings dir in ~/.local/share - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Add interface to colord_t dbus_chat to allow it to read remote process state - Allow colord_t to read cupsd_t state - Add mate-thumbnail-font as thumnailer - Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data. - Allow qpidd to list /tmp. Needed by ssl - Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18 - - Added systemd support for ksmtuned - Added booleans ksmtuned_use_nfs ksmtuned_use_cifs - firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow - Looks like qpidd_t needs to read /dev/random - Lots of probing avc's caused by execugting gpg from staff_t - Dontaudit senmail triggering a net_admin avc - Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port - Logwatch does access check on mdadm binary - Add raid_access_check_mdadm() iterface- Fix systemd_manage_unit_symlinks() interface - Call systemd_manage_unit_symlinks(() which is correct interface - Add filename transition for opasswd - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow sytstemd-timedated to get status of init_t - Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t - colord needs to communicate with systemd and systemd_logind, also remove duplicate rules - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow gpg_t to manage all gnome files - Stop using pcscd_read_pub_files - New rules for xguest, dontaudit attempts to dbus chat - Allow firewalld to create its mmap files in tmpfs and tmp directories - Allow firewalld to create its mmap files in tmpfs and tmp directories - run unbound-chkconf as named_t, so it can read dnssec - Colord is reading xdm process state, probably reads state of any apps that sends dbus message - Allow mdadm_t to change the kernel scheduler - mythtv policy - Update mandb_admin() interface - Allow dsspam to listen on own tpc_socket - seutil_filetrans_named_content needs to be optional - Allow sysadm_t to execute content in his homedir - Add attach_queue to tun_socket, new patch from Paul Moore - Change most of selinux configuration types to security_file_type. - Add filename transition rules for selinux configuration - ssh into a box with -X -Y requires ssh_use_ptys - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Allow all unpriv userdomains to send dbus messages to hostnamed and timedated - New allow rules found by Tom London for systemd_hostnamed- Allow systemd-tmpfiles to relabel lpd spool files - Ad labeling for texlive bash scripts - Add xserver_filetrans_fonts_cache_home_content() interface - Remove duplicate rules from *.te - Add support for /var/lock/man-db.lock - Add support for /var/tmp/abrt(/.*)? - Add additional labeling for munin cgi scripts - Allow httpd_t to read munin conf files - Allow certwatch to read meminfo - Fix nscd_dontaudit_write_sock_file() interfac - Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t - llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling- Allow gnomeclock to talk to puppet over dbus - Allow numad access discovered by Dominic - Add support for HOME_DIR/.maildir - Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain - Allow udev to relabel udev_var_run_t lnk_files - New bin_t file in mcelog- Remove all mcs overrides and replace with t1 != mcs_constrained_types - Add attribute_role for iptables - mcs_process_set_categories needs to be called for type - Implement additional role_attribute statements - Sodo domain is attempting to get the additributes of proc_kcore_t - Unbound uses port 8953 - Allow svirt_t images to compromise_kernel when using pci-passthrough - Add label for dns lib files - Bluetooth aquires a dbus name - Remove redundant files_read_usr_file calling - Remove redundant files_read_etc_file calling - Fix mozilla_run_plugin() - Add role_attribute support for more domains- Mass merge with upstream- Bump the policy version to 28 to match selinux userspace - Rebuild versus latest libsepol- Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Add labeling for /var/named/chroot/etc/localtim- Allow setroubleshoot_fixit to execute rpm - zoneminder needs to connect to httpd ports where remote cameras are listening - Allow firewalld to execute content created in /run directory - Allow svirt_t to read generic certs - Dontaudit leaked ps content to mozilla plugin - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - init scripts are creating systemd_unit_file_t directories- systemd_logind_t is looking at all files under /run/user/apache - Allow systemd to manage all user tmp files - Add labeling for /var/named/chroot/etc/localtime - Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6 - Keystone is now using a differnt port - Allow xdm_t to use usbmuxd daemon to control sound - Allow passwd daemon to execute gnome_exec_keyringd - Fix chrome_sandbox policy - Add labeling for /var/run/checkquorum-timer - More fixes for the dspam domain, needs back port to RHEL6 - More fixes for the dspam domain, needs back port to RHEL6 - sssd needs to connect to kerberos password port if a user changes his password - Lots of fixes from RHEL testing of dspam web - Allow chrome and mozilla_plugin to create msgq and semaphores - Fixes for dspam cgi scripts - Fixes for dspam cgi scripts - Allow confine users to ptrace screen - Backport virt_qemu_ga_t changes from RHEL - Fix labeling for dspam.cgi needed for RHEL6 - We need to back port this policy to RHEL6, for lxc domains - Dontaudit attempts to set sys_resource of logrotate - Allow corosync to read/write wdmd's tmpfs files - I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set - Allow cron jobs to read bind config for unbound - libvirt needs to inhibit systemd - kdumpctl needs to delete boot_t files - Fix duplicate gnome_config_filetrans - virtd_lxc_t is using /dev/fuse - Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift - apcupsd can be setup to listen to snmp trafic - Allow transition from kdumpgui to kdumpctl - Add fixes for munin CGI scripts - Allow deltacloud to connect to openstack at the keystone port - Allow domains that transition to svirt domains to be able to signal them - Fix file context of gstreamer in .cache directory - libvirt is communicating with logind - NetworkManager writes to the systemd inhibit pipe- Allow munin disk plugins to get attributes of all directories - Allow munin disk plugins to get attributes of all directorie - Allow logwatch to get attributes of all directories - Fix networkmanager_manage_lib() interface - Fix gnome_manage_config() to allow to manage sock_file - Fix virtual_domain_context - Add support for dynamic DNS for DHCPv6- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch - Add additional labeling for /var/www/openshift/broker - Fix rhev policy - Allow openshift_initrc domain to dbus chat with systemd_logind - Allow httpd to getattr passenger log file if run_stickshift - Allow consolehelper-gtk to connect to xserver - Add labeling for the tmp-inst directory defined in pam_namespace.conf - Add lvm_metadata_t labeling for /etc/multipath- consoletype is no longer used- Add label for efivarfs - Allow certmonger to send signal to itself - Allow plugin-config to read own process status - Add more fixes for pacemaker - apache/drupal can run clamscan on uploaded content - Allow chrome_sandbox_nacl_t to read pid 1 content- Fix MCS Constraints to control ingres and egres controls on the network. - Change name of svirt_nokvm_t to svirt_tcg_t - Allow tuned to request the kernel to load kernel modules- Label /var/lib/pgsql/.ssh as ssh_home_t - Add labeling for /usr/bin/pg_ctl - Allow systemd-logind to manage keyring user tmp dirs - Add support for 7389/tcp port - gems seems to be placed in lots of places - Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus - Add back tcp/8123 port as http_cache port - Add ovirt-guest-agent\.pid labeling - Allow xend to run scsi_id - Allow rhsmcertd-worker to read "physical_package_id" - Allow pki_tomcat to connect to ldap port - Allow lpr to read /usr/share/fonts - Allow open file from CD/DVD drive on domU - Allow munin services plugins to talk to SSSD - Allow all samba domains to create samba directory in var_t directories - Take away svirt_t ability to use nsswitch - Dontaudit attempts by openshift to read apache logs - Allow apache to create as well as append _ra_content_t - Dontaudit sendmail_t reading a leaked file descriptor - Add interface to have admin transition /etc/prelink.cache to the proper label - Add sntp support to ntp policy - Allow firewalld to dbus chat with devicekit_power - Allow tuned to call lsblk - Allow tor to read /proc/sys/kernel/random/uuid - Add tor_can_network_relay boolean- Add openshift_initrc_signal() interface - Fix typos - dspam port is treat as spamd_port_t - Allow setroubleshoot to getattr on all executables - Allow tuned to execute profiles scripts in /etc/tuned - Allow apache to create directories to store its log files - Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t - Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6 - Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM - Add filename transition for /etc/tuned/active_profile - Allow condor_master to send mails - Allow condor_master to read submit.cf - Allow condor_master to create /tmp files/dirs - Allow condor_mater to send sigkill to other condor domains - Allow condor_procd sigkill capability - tuned-adm wants to talk with tuned daemon - Allow kadmind and krb5kdc to also list sssd_public_t - Allow accountsd to dbus chat with init - Fix git_read_generic_system_content_files() interface - pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" - Fix mozilla_plugin_can_network_connect to allow to connect to all ports - Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t - dspam wants to search /var/spool for opendkim data - Revert "Add support for tcp/10026 port as dspam_port_t" - Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6 - Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain - Allow systemd_tmpfiles_t to setattr on mandb_cache_t- consolekit.pp was not removed from the postinstall script- Add back consolekit policy - Silence bootloader trying to use inherited tty - Silence xdm_dbusd_t trying to execute telepathy apps - Fix shutdown avcs when machine has unconfined.pp disabled - The host and a virtual machine can share the same printer on a usb device - Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob - Allow abrt_watch_log_t to execute bin_t - Allow chrome sandbox to write content in ~/.config/chromium - Dontaudit setattr on fontconfig dir for thumb_t - Allow lircd to request the kernel to load module - Make rsync as userdom_home_manager - Allow rsync to search automount filesystem - Add fixes for pacemaker- Add support for 4567/tcp port - Random fixes from Tuomo Soini - xdm wants to get init status - Allow programs to run in fips_mode - Add interface to allow the reading of all blk device nodes - Allow init to relabel rpcbind sock_file - Fix labeling for lastlog and faillog related to logrotate - ALlow aeolus_configserver to use TRAM port - Add fixes for aeolus_configserver - Allow snmpd to connect to snmp port - Allow spamd_update to create spamd_var_lib_t directories - Allow domains that can read sssd_public_t files to also list the directory - Remove miscfiles_read_localization, this is defined for all domains- Allow syslogd to request the kernel to load a module - Allow syslogd_t to read the network state information - Allow xdm_dbusd_t connect to the system DBUS - Add support for 7389/tcp port - Allow domains to read/write all inherited sockets - Allow staff_t to read kmsg - Add awstats_purge_apache_log boolean - Allow ksysguardproces to read /.config/Trolltech.conf - Allow passenger to create and append puppet log files - Add puppet_append_log and puppet_create_log interfaces - Add puppet_manage_log() interface - Allow tomcat domain to search tomcat_var_lib_t - Allow pki_tomcat_t to connect to pki_ca ports - Allow pegasus_t to have net_admin capability - Allow pegasus_t to write /sys/class/net//flags - Allow mailserver_delivery to manage mail_home_rw_t lnk_files - Allow fetchmail to create log files - Allow gnomeclock to manage home config in .kde - Allow bittlebee to read kernel sysctls - Allow logrotate to list /root- Fix userhelper_console_role_template() - Allow enabling Network Access Point service using blueman - Make vmware_host_t as unconfined domain - Allow authenticate users in webaccess via squid, using mysql as backend - Allow gathers to get various metrics on mounted file systems - Allow firewalld to read /etc/hosts - Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t - Allow kdumpgui to read/write to zipl.conf - Commands needed to get mock to build from staff_t in enforcing mode - Allow mdadm_t to manage cgroup files - Allow all daemons and systemprocesses to use inherited initrc_tmp_t files - dontaudit ifconfig_t looking at fifo_files that are leaked to it - Add lableing for Quest Authentication System- Fix filetrans interface definitions - Dontaudit xdm_t to getattr on BOINC lib files - Add systemd_reload_all_services() interface - Dontaudit write access on /var/lib/net-snmp/mib_indexes - Only stop mcsuntrustedproc from relableing files - Allow accountsd to dbus chat with gdm - Allow realmd to getattr on all fs - Allow logrotate to reload all services - Add systemd unit file for radiusd - Allow winbind to create samba pid dir - Add labeling for /var/nmbd/unexpected - Allow chrome and mozilla plugin to connect to msnp ports- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file - Dontaudit setfiles reading /dev/random - On initial boot gnomeclock is going to need to be set buy gdm - Fix tftp_read_content() interface - Random apps looking at kernel file systems - Testing virt with lxc requiers additional access for virsh_t - New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container - Allow MPD to read /dev/radnom - Allow sandbox_web_type to read logind files which needs to read pulseaudio - Allow mozilla plugins to read /dev/hpet - Add labeling for /var/lib/zarafa-webap - Allow BOINC client to use an HTTP proxy for all connections - Allow rhsmertd to domain transition to dmidecod - Allow setroubleshootd to send D-Bus msg to ABRT- Define usbtty_device_t as a term_tty - Allow svnserve to accept a connection - Allow xend manage default virt_image_t type - Allow prelink_cron_system_t to overide user componant when executing cp - Add labeling for z-push - Gnomeclock sets the realtime clock - Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd - Allow lxc domains to use /dev/random and /dev/urandom- Add port defintion for tcp/9000 - Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd - Add rules and labeling for $HOME/cache/\.gstreamer-.* directory - Add support for CIM provider openlmi-networking which uses NetworkManager dbus API - Allow shorewall_t to create netlink_socket - Allow krb5admind to block suspend - Fix labels on /var/run/dlm_controld /var/log/dlm_controld - Allow krb5kdc to block suspend - gnomessytemmm_t needs to read /etc/passwd - Allow cgred to read all sysctls- Allow all domains to read /proc/sys/vm/overcommit_memory - Make proc_numa_t an MLS Trusted Object - Add /proc/numactl support for confined users - Allow ssh_t to connect to any port > 1023 - Add openvswitch domain - Pulseaudio tries to create directories in gnome_home_t directories - New ypbind pkg wants to search /var/run which is caused by sd_notify - Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans - Allow sanlock to read /dev/random - Treat php-fpm with httpd_t - Allow domains that can read named_conf_t to be able to list the directories - Allow winbind to create sock files in /var/run/samba- Add smsd policy - Add support for OpenShift sbin labelin - Add boolean to allow virt to use rawip - Allow mozilla_plugin to read all file systems with noxattrs support - Allow kerberos to write on anon_inodefs fs - Additional access required by fenced - Add filename transitions for passwd.lock/group.lock - UPdate man pages - Create coolkey directory in /var/cache with the correct label- Fix label on /etc/group.lock - Allow gnomeclock to create lnk_file in /etc - label /root/.pki as a home_cert_t - Add interface to make sure rpcbind.sock is created with the correct label - Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules - opendkim should be a part of milter - Allow libvirt to set the kernel sched algorythm - Allow mongod to read sysfs_t - Add authconfig policy - Remove calls to miscfiles_read_localization all domains get this - Allow virsh_t to read /root/.pki/ content - Add label for log directory under /var/www/stickshift- Allow getty to setattr on usb ttys - Allow sshd to search all directories for sshd_home_t content - Allow staff domains to send dbus messages to kdumpgui - Fix labels on /etc/.pwd.lock and friends to be passwd_file_t - Dontaudit setfiles reading urand - Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched - Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir - Allow systemd-timedated to read /dev/urandom - Allow entropyd_t to read proc_t (meminfo) - Add unconfined munin plugin - Fix networkmanager_read_conf() interface - Allow blueman to list /tmp which is needed by sys_nic/setsched - Fix label of /etc/mail/aliasesdb-stamp - numad is searching cgroups - realmd is communicating with networkmanager using dbus - Lots of fixes to try to get kdump to work- Allow loging programs to dbus chat with realmd - Make apache_content_template calling as optional - realmd is using policy kit- Add new selinuxuser_use_ssh_chroot boolean - dbus needs to be able to read/write inherited fixed disk device_t passed through it - Cleanup netutils process allow rule - Dontaudit leaked fifo files from openshift to ping - sanlock needs to read mnt_t lnk files - Fail2ban needs to setsched and sys_nice- Change default label of all files in /var/run/rpcbind - Allow sandbox domains (java) to read hugetlbfs_t - Allow awstats cgi content to create tmp files and read apache log files - Allow setuid/setgid for cupsd-config - Allow setsched/sys_nice pro cupsd-config - Fix /etc/localtime sym link to be labeled locale_t - Allow sshd to search postgresql db t since this is a homedir - Allow xwindows users to chat with realmd - Allow unconfined domains to configure all files and null_device_t service- Adopt pki-selinux policy- pki is leaking which we dontaudit until a pki code fix - Allow setcap for arping - Update man pages - Add labeling for /usr/sbin/mcollectived - pki fixes - Allow smokeping to execute fping in the netutils_t domain- Allow mount to relabelfrom unlabeled file systems - systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working - Add label to get bin files under libreoffice labeled correctly - Fix interface to allow executing of base_ro_file_type - Add fixes for realmd - Update pki policy - Add tftp_homedir boolean - Allow blueman sched_setscheduler - openshift user domains wants to r/w ssh tcp sockets- Additional requirements for disable unconfined module when booting - Fix label of systemd script files - semanage can use -F /dev/stdin to get input - syslog now uses kerberos keytabs - Allow xserver to compromise_kernel access - Allow nfsd to write to mount_var_run_t when running the mount command - Add filename transition rule for bin_t directories - Allow files to read usr_t lnk_files - dhcpc wants chown - Add support for new openshift labeling - Clean up for tunable+optional statements - Add labeling for /usr/sbin/mkhomedir_helper - Allow antivirus domain to managa amavis spool files - Allow rpcbind_t to read passwd - Allow pyzor running as spamc to manage amavis spool- Add interfaces to read kernel_t proc info - Missed this version of exec_all - Allow anyone who can load a kernel module to compromise kernel - Add oddjob_dbus_chat to openshift apache policy - Allow chrome_sandbox_nacl_t to send signals to itself - Add unit file support to usbmuxd_t - Allow all openshift domains to read sysfs info - Allow openshift domains to getattr on all domains- MLS fixes from Dan - Fix name of capability2 secure_firmware->compromise_kerne- Allow xdm to search all file systems - Add interface to allow the config of all files - Add rngd policy - Remove kgpg as a gpg_exec_t type - Allow plymouthd to block suspend - Allow systemd_dbus to config any file - Allow system_dbus_t to configure all services - Allow freshclam_t to read usr_files - varnishd requires execmem to load modules- Allow semanage to verify types - Allow sudo domain to execute user home files - Allow session_bus_type to transition to user_tmpfs_t - Add dontaudit caused by yum updates - Implement pki policy but not activated- tuned wants to getattr on all filesystems - tuned needs also setsched. The build is needed for test day- Add policy for qemu-qa - Allow razor to write own config files - Add an initial antivirus policy to collect all antivirus program - Allow qdisk to read usr_t - Add additional caps for vmware_host - Allow tmpfiles_t to setattr on mandb_cache_t - Dontaudit leaked files into mozilla_plugin_config_t - Allow wdmd to getattr on tmpfs - Allow realmd to use /dev/random - allow containers to send audit messages - Allow root mount any file via loop device with enforcing mls policy - Allow tmpfiles_t to setattr on mandb_cache_t - Allow tmpfiles_t to setattr on mandb_cache_t - Make userdom_dontaudit_write_all_ not allow open - Allow init scripts to read all unit files - Add support for saphostctrl ports- Add kernel_read_system_state to sandbox_client_t - Add some of the missing access to kdumpgui - Allow systemd_dbusd_t to status the init system - Allow vmnet-natd to request the kernel to load a module - Allow gsf-office-thum to append .cache/gdm/session.log - realmd wants to read .config/dconf/user - Firewalld wants sys_nice/setsched - Allow tmpreaper to delete mandb cache files - Firewalld wants sys_nice/setsched - Allow firewalld to perform a DNS name resolution - Allown winbind to read /usr/share/samba/codepages/lowcase.dat - Add support for HTTPProxy* in /etc/freshclam.conf - Fix authlogin_yubike boolean - Extend smbd_selinux man page to include samba booleans - Allow dhcpc to execute consoletype - Allow ping to use inherited tmp files created in init scripts - On full relabel with unconfined domain disabled, initrc was running some chcon's - Allow people who delete man pages to delete mandb cache files- Add missing permissive domains- Add new mandb policy - ALlow systemd-tmpfiles_t to relabel mandb_cache_t - Allow logrotate to start all unit files- Add fixes for ctbd - Allow nmbd to stream connect to ctbd - Make cglear_t as nsswitch_domain - Fix bogus in interfaces - Allow openshift to read/write postfix public pipe - Add postfix_manage_spool_maildrop_files() interface - stickshift paths have been renamed to openshift - gnome-settings-daemon wants to write to /run/systemd/inhibit/ pipes - Update man pages, adding ENTRYPOINTS- Add mei_device_t - Make sure gpg content in homedir created with correct label - Allow dmesg to write to abrt cache files - automount wants to search virtual memory sysctls - Add support for hplip logs stored in /var/log/hp/tmp - Add labeling for /etc/owncloud/config.php - Allow setroubleshoot to send analysys to syslogd-journal - Allow virsh_t to interact with new fenced daemon - Allow gpg to write to /etc/mail/spamassassiin directories - Make dovecot_deliver_t a mail server delivery type - Add label for /var/tmp/DNS25- Fixes for tomcat_domain template interface- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes - Add attribute to all base os types. Allow all domains to read all ro base OS types- Additional unit files to be defined as power unit files - Fix more boolean names- Fix boolean name so subs will continue to work- dbus needs to start getty unit files - Add interface to allow system_dbusd_t to start the poweroff service - xdm wants to exec telepathy apps - Allow users to send messages to systemdlogind - Additional rules needed for systemd and other boot apps - systemd wants to list /home and /boot - Allow gkeyringd to write dbus/conf file - realmd needs to read /dev/urand - Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded- Fixes to safe more rules - Re-write tomcat_domain_template() - Fix passenger labeling - Allow all domains to read man pages - Add ephemeral_port_t to the 'generic' port interfaces - Fix the names of postgresql booleans- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer - Move netlable_peer check out of booleans - Remove call to recvfrom_netlabel for kerberos call - Remove use of attributes when calling syslog call - Move -miscfiles_read_localization to domain.te to save hundreds of allow rules - Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface - Allow rndc to block suspend - tuned needs to modify the schedule of the kernel - Allow svirt_t domains to read alsa configuration files - ighten security on irc domains and make sure they label content in homedir correctly - Add filetrans_home_content for irc files - Dontaudit all getattr access for devices and filesystems for sandbox domains - Allow stapserver to search cgroups directories - Allow all postfix domains to talk to spamd- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check - Change pam_t to pam_timestamp_t - Add dovecot_domain attribute and allow this attribute block_suspend capability2 - Add sanlock_use_fusefs boolean - numad wants send/recieve msg - Allow rhnsd to send syslog msgs - Make piranha-pulse as initrc domain - Update openshift instances to dontaudit setattr until the kernel is fixed.- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd - Remove pam_selinux.8 which conflicts with man page owned by the pam package - Allow glance-api to talk to mysql - ABRT wants to read Xorg.0.log if if it detects problem with Xorg - Fix gstreamer filename trans. interface- Man page fixes by Dan Walsh- Allow postalias to read postfix config files - Allow man2html to read man pages - Allow rhev-agentd to search all mountpoints - Allow rhsmcertd to read /dev/random - Add tgtd_stream_connect() interface - Add cyrus_write_data() interface - Dontaudit attempts by sandboxX clients connectiing to the xserver_port_t - Add port definition for tcp/81 as http_port_t - Fix /dev/twa labeling - Allow systemd to read modules config- Merge openshift policy - Allow xauth to read /dev/urandom - systemd needs to relabel content in /run/systemd directories - Files unconfined should be able to perform all services on all files - Puppet tmp file can be leaked to all domains - Dontaudit rhsmcertd-worker to search /root/.local - Allow chown capability for zarafa domains - Allow system cronjobs to runcon into openshift domains - Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories- nmbd wants to create /var/nmbd - Stop transitioning out of anaconda and firstboot, just causes AVC messages - Allow clamscan to read /etc files - Allow bcfg2 to bind cyphesis port - heartbeat should be run as rgmanager_t instead of corosync_t - Add labeling for /etc/openldap/certs - Add labeling for /opt/sartest directory - Make crontab_t as userdom home reader - Allow tmpreaper to list admin_home dir - Add defition for imap_0 replay cache file - Add support for gitolite3 - Allow virsh_t to send syslog messages - allow domains that can read samba content to be able to list the directories also - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd - Separate out sandbox from sandboxX policy so we can disable it by default - Run dmeventd as lvm_t - Mounting on any directory requires setattr and write permissions - Fix use_nfs_home_dirs() boolean - New labels for pam_krb5 - Allow init and initrc domains to sys_ptrace since this is needed to look at processes not owned by uid 0 - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs - Allow domains that can read etc_t to read etc_runtime_t - Allow all domains to use inherited tmpfiles- Allow realmd to read resolv.conf - Add pegasus_cache_t type - Label /usr/sbin/fence_virtd as virsh_exec_t - Add policy for pkcsslotd - Add support for cpglockd - Allow polkit-agent-helper to read system-auth-ac - telepathy-idle wants to read gschemas.compiled - Allow plymouthd to getattr on fs_t - Add slpd policy - Allow ksysguardproces to read/write config_usr_t- Fix labeling substitution so rpm will label /lib/systemd content correctly- Add file name transitions for ttyACM0 - spice-vdagent(d)'s are going to log over to syslog - Add sensord policy - Add more fixes for passenger policy related to puppet - Allow wdmd to create wdmd_tmpfs_t - Fix labeling for /var/run/cachefilesd\.pid - Add thumb_tmpfs_t files type- Allow svirt domains to manage the network since this is containerized - Allow svirt_lxc_net_t to send audit messages- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working - Allow dlm_controld to execute dlm_stonith labeled as bin_t - Allow GFS2 working on F17 - Abrt needs to execute dmesg - Allow jockey to list the contents of modeprobe.d - Add policy for lightsquid as squid_cron_t - Mailscanner is creating files and directories in /tmp - dmesg is now reading /dev/kmsg - Allow xserver to communicate with secure_firmware - Allow fsadm tools (fsck) to read /run/mount contnet - Allow sysadm types to read /dev/kmsg -- Allow postfix, sssd, rpcd to block_suspend - udev seems to need secure_firmware capability - Allow virtd to send dbus messages to firewalld so it can configure the firewall- Fix labeling of content in /run created by virsh_t - Allow condor domains to read kernel sysctls - Allow condor_master to connect to amqp - Allow thumb drives to create shared memory and semaphores - Allow abrt to read mozilla_plugin config files - Add labels for lightsquid - Default files in /opt and /usr that end in .cgi as httpd_sys_script_t, allow - dovecot_auth_t uses ldap for user auth - Allow domains that can read dhcp_etc_t to read lnk_files - Add more then one watchdog device - Allow useradd_t to manage etc_t files so it can rename it and edit them - Fix invalid class dir should be fifo_file - Move /run/blkid to fsadm and make sure labeling is correct- Fix bogus regex found by eparis - Fix manage run interface since lvm needs more access - syslogd is searching cgroups directory - Fixes to allow virt-sandbox-service to manage lxc var run content- Fix Boolean settings - Add new libjavascriptcoregtk as textrel_shlib_t - Allow xdm_t to create xdm_home_t directories - Additional access required for systemd - Dontaudit mozilla_plugin attempts to ipc_lock - Allow tmpreaper to delete unlabeled files - Eliminate screen_tmp_t and allow it to manage user_tmp_t - Dontaudit mozilla_plugin_config_t to append to leaked file descriptors - Allow web plugins to connect to the asterisk ports - Condor will recreate the lock directory if it does not exist - Oddjob mkhomedir needs to connectto user processes - Make oddjob_mkhomedir_t a userdom home manager- Put placeholder back in place for proper numbering of capabilities - Systemd also configures init scripts- Fix ecryptfs interfaces - Bootloader seems to be trolling around /dev/shm and /dev - init wants to create /etc/systemd/system-update.target.wants - Fix systemd_filetrans call to move it out of tunable - Fix up policy to work with systemd userspace manager - Add secure_firmware capability and remove bogus epolwakeup - Call seutil_*_login_config interfaces where should be needed - Allow rhsmcertd to send signal to itself - Allow thin domains to send signal to itself - Allow Chrome_ChildIO to read dosfs_t- Add role rules for realmd, sambagui- Add new type selinux_login_config_t for /etc/selinux//logins/ - Additional fixes for seutil_manage_module_store() - dbus_system_domain() should be used with optional_policy - Fix svirt to be allowed to use fusefs file system - Allow login programs to read /run/ data created by systemd_login - sssd wants to write /etc/selinux//logins/ for SELinux PAM module - Fix svirt to be allowed to use fusefs file system - Allow piranha domain to use nsswitch - Sanlock needs to send Kill Signals to non root processes - Pulseaudio wants to execute /run/user/PID/.orc- Fix saslauthd when it tries to read /etc/shadow - Label gnome-boxes as a virt homedir - Need to allow svirt_t ability to getattr on nfs_t file systems - Update sanlock policy to solve all AVC's - Change confined users can optionally manage virt content - Handle new directories under ~/.cache - Add block suspend to appropriate domains - More rules required for containers - Allow login programs to read /run/ data created by systemd_logind - Allow staff users to run svirt_t processes- Update to upstream- More fixes for systemd to make rawhide booting from Dan Walsh- Add systemd fixes to make rawhide booting- Add systemd_logind_inhibit_var_run_t attribute - Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type - Add interface for mysqld to dontaudit signull to all processes - Label new /var/run/journal directory correctly - Allow users to inhibit suspend via systemd - Add new type for the /var/run/inhibit directory - Add interface to send signull to systemd_login so avahi can send them - Allow systemd_passwd to send syslog messages - Remove corenet_all_recvfrom_unlabeled() calling fro policy files - Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group - Allow smbd to read cluster config - Add additional labeling for passenger - Allow dbus to inhibit suspend via systemd - Allow avahi to send signull to systemd_login- Add interface to dontaudit getattr access on sysctls - Allow sshd to execute /bin/login - Looks like xdm is recreating the xdm directory in ~/.cache/ on login - Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald - Fix semanage to work with unconfined domain disabled on F18 - Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls - Virt seems to be using lock files - Dovecot seems to be searching directories of every mountpoint - Allow jockey to read random/urandom, execute shell and install third-party drivers - Add aditional params to allow cachedfiles to manage its content - gpg agent needs to read /dev/random - The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write - Add a bunch of dontaudit rules to quiet svirt_lxc domains - Additional perms needed to run svirt_lxc domains - Allow cgclear to read cgconfig - Allow sys_ptrace capability for snmp - Allow freshclam to read /proc - Allow procmail to manage /home/user/Maildir content - Allow NM to execute wpa_cli - Allow amavis to read clamd system state - Regenerate man pages- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- Add realmd and stapserver policies - Allow useradd to manage stap-server lib files - Tighten up capabilities for confined users - Label /etc/security/opasswd as shadow_t - Add label for /dev/ecryptfs - Allow condor_startd_t to start sshd with the ranged - Allow lpstat.cups to read fips_enabled file - Allow pyzor running as spamc_t to create /root/.pyzor directory - Add labelinf for amavisd-snmp init script - Add support for amavisd-snmp - Allow fprintd sigkill self - Allow xend (w/o libvirt) to start virtual machines - Allow aiccu to read /etc/passwd - Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes - Add condor_startd_ranged_domtrans_to() interface - Add ssd_conf_t for /etc/sssd - accountsd needs to fchown some files/directories - Add ICACLient and zibrauserdata as mozilla_filetrans_home_content - SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit - Allow xend_t to read the /etc/passwd file- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t - Add init_access_check() interface - Fix label on /usr/bin/pingus to not be labeled as ping_exec_t - Allow tcpdump to create a netlink_socket - Label newusers like useradd - Change xdm log files to be labeled xdm_log_t - Allow sshd_t with privsep to work in MLS - Allow freshclam to update databases thru HTTP proxy - Allow s-m-config to access check on systemd - Allow abrt to read public files by default - Fix amavis_create_pid_files() interface - Add labeling and filename transition for dbomatic.log - Allow system_dbusd_t to stream connect to bluetooth, and use its socket - Allow amavisd to execute fsav - Allow tuned to use sys_admin and sys_nice capabilities - Add php-fpm policy from Bryan - Add labeling for aeolus-configserver-thinwrapper - Allow thin domains to execute shell - Fix gnome_role_gkeyringd() interface description - Lot of interface fixes - Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files - Allow OpenMPI job to use kerberos - Make deltacloudd_t as nsswitch_domain - Allow xend_t to run lsscsi - Allow qemu-dm running as xend_t to create tun_socket - Add labeling for /opt/brother/Printers(.*/)?inf - Allow jockey-backend to read pyconfig-64.h labeled as usr_t - Fix clamscan_can_scan_system boolean - Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11- initrc is calling exportfs which is not confined so it attempts to read nfsd_files - Fixes for passenger running within openshift. - Add labeling for all tomcat6 dirs - Add support for tomcat6 - Allow cobblerd to read /etc/passwd - Allow jockey to read sysfs and and execute binaries with bin_t - Allow thum to use user terminals - Allow cgclear to read cgconfig config files - Fix bcf2g.fc - Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains - Allow dbomatic to execute ruby - abrt_watch_log should be abrt_domain - Allow mozilla_plugin to connect to gatekeeper port- add ptrace_child access to process - remove files_read_etc_files() calling from all policies which have auth_use_nsswith() - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - Add support for boinc.log - Allow mozilla_plugin execmod on mozilla home files if allow_ex - Allow dovecot_deliver_t to read dovecot_var_run_t - Allow ldconfig and insmod to manage kdumpctl tmp files - Move thin policy out from cloudform.pp and add a new thin poli - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_c - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users hom - rhsmcertd reads the rpm database - Add support for lightdm- Add tomcat policy - Remove pyzor/razor policy - rhsmcertd reads the rpm database - Dontaudit thumb to setattr on xdm_tmp dir - Allow wicd to execute ldconfig in the networkmanager_t domain - Add /var/run/cherokee\.pid labeling - Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too - Allow postfix-master to r/w pipes other postfix domains - Allow snort to create netlink_socket - Add kdumpctl policy - Allow firstboot to create tmp_t files/directories - /usr/bin/paster should not be labeled as piranha_exec_t - remove initrc_domain from tomcat - Allow ddclient to read /etc/passwd - Allow useradd to delete all file types stored in the users homedir - Allow ldconfig and insmod to manage kdumpctl tmp files - Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those - Transition xauth files within firstboot_tmp_t - Fix labeling of /run/media to match /media - Label all lxdm.log as xserver_log_t - Add port definition for mxi port - Allow local_login_t to execute tmux- apcupsd needs to read /etc/passwd - Sanlock allso sends sigkill - Allow glance_registry to connect to the mysqld port - Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl - Allow firefox plugins/flash to connect to port 1234 - Allow mozilla plugins to delete user_tmp_t files - Add transition name rule for printers.conf.O - Allow virt_lxc_t to read urand - Allow systemd_loigind to list gstreamer_home_dirs - Fix labeling for /usr/bin - Fixes for cloudform services * support FIPS - Allow polipo to work as web caching - Allow chfn to execute tmux- Add support for ecryptfs * ecryptfs does not support xattr * we need labeling for HOMEDIR - Add policy for (u)mount.ecryptfs* - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache - Allow dovecot to manage Maildir content, fix transitions to Maildir - Allow postfix_local to transition to dovecot_deliver - Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code - Cleanup interface definitions - Allow apmd to change with the logind daemon - Changes required for sanlock in rhel6 - Label /run/user/apache as httpd_tmp_t - Allow thumb to use lib_t as execmod if boolean turned on - Allow squid to create the squid directory in /var with the correct labe - Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com) - Allow virtd to exec xend_exec_t without transition - Allow virtd_lxc_t to unmount all file systems- PolicyKit path has changed - Allow httpd connect to dirsrv socket - Allow tuned to write generic kernel sysctls - Dontaudit logwatch to gettr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Make condor_startd and rgmanager as initrc domain - Allow virsh to read /etc/passwd - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm - Fix files_filetrans_named_content() interface - Add new attribute - initrc_domain - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files- Rename boolean names to remove allow_- Mass merge with upstream * new policy topology to include contrib policy modules * we have now two base policy patches- Fix description of authlogin_nsswitch_use_ldap - Fix transition rule for rhsmcertd_t needed for RHEL7 - Allow useradd to list nfs state data - Allow openvpn to manage its log file and directory - We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly - Allow thumb to use nvidia devices - Allow local_login to create user_tmp_t files for kerberos - Pulseaudio needs to read systemd_login /var/run content - virt should only transition named system_conf_t config files - Allow munin to execute its plugins - Allow nagios system plugin to read /etc/passwd - Allow plugin to connect to soundd port - Fix httpd_passwd to be able to ask passwords - Radius servers can use ldap for backing store - Seems to need to mount on /var/lib for xguest polyinstatiation to work. - Allow systemd_logind to list the contents of gnome keyring - VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL - Add policy for isns-utils- Add policy for subversion daemon - Allow boinc to read passwd - Allow pads to read kernel network state - Fix man2html interface for sepolgen-ifgen - Remove extra /usr/lib/systemd/system/smb - Remove all /lib/systemd and replace with /usr/lib/systemd - Add policy for man2html - Fix the label of kerberos_home_t to krb5_home_t - Allow mozilla plugins to use Citrix - Allow tuned to read /proc/sys/kernel/nmi_watchdog - Allow tune /sys options via systemd's tmpfiles.d "w" type- Dontaudit lpr_t to read/write leaked mozilla tmp files - Add file name transition for .grl-podcasts directory - Allow corosync to read user tmp files - Allow fenced to create snmp lib dirs/files - More fixes for sge policy - Allow mozilla_plugin_t to execute any application - Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain - Allow mongod to read system state information - Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t - Allow polipo to manage polipo_cache dirs - Add jabbar_client port to mozilla_plugin_t - Cleanup procmail policy - system bus will pass around open file descriptors on files that do not have labels on them - Allow l2tpd_t to read system state - Allow tuned to run ls /dev - Allow sudo domains to read usr_t files - Add label to machine-id - Fix corecmd_read_bin_symlinks cut and paste error- Fix pulseaudio port definition - Add labeling for condor_starter - Allow chfn_t to creat user_tmp_files - Allow chfn_t to execute bin_t - Allow prelink_cron_system_t to getpw calls - Allow sudo domains to manage kerberos rcache files - Allow user_mail_domains to work with courie - Port definitions necessary for running jboss apps within openshift - Add support for openstack-nova-metadata-api - Add support for nova-console* - Add support for openstack-nova-xvpvncproxy - Fixes to make privsep+SELinux working if we try to use chage to change passwd - Fix auth_role() interface - Allow numad to read sysfs - Allow matahari-rpcd to execute shell - Add label for ~/.spicec - xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it - Devicekit_disk wants to read the logind sessions file when writing a cd - Add fixes for condor to make condor jobs working correctly - Change label of /var/log/rpmpkgs to cron_log_t - Access requires to allow systemd-tmpfiles --create to work. - Fix obex to be a user application started by the session bus. - Add additional filename trans rules for kerberos - Fix /var/run/heartbeat labeling - Allow apps that are managing rcache to file trans correctly - Allow openvpn to authenticate against ldap server - Containers need to listen to network starting and stopping events- Make systemd unit files less specific- Fix zarafa labeling - Allow guest_t to fix labeling - corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean - add lxc_contexts - Allow accountsd to read /proc - Allow restorecond to getattr on all file sytems - tmpwatch now calls getpw - Allow apache daemon to transition to pwauth domain - Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t - The obex socket seems to be a stream socket - dd label for /var/run/nologin- Allow jetty running as httpd_t to read hugetlbfs files - Allow sys_nice and setsched for rhsmcertd - Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports - Allow setfiles to append to xdm_tmp_t - Add labeling for /export as a usr_t directory - Add labels for .grl files created by gstreamer- Add labeling for /usr/share/jetty/bin/jetty.sh - Add jetty policy which contains file type definitios - Allow jockey to use its own fifo_file and make this the default for all domains - Allow mozilla_plugins to use spice (vnc_port/couchdb) - asterisk wants to read the network state - Blueman now uses /var/lib/blueman- Add label for nodejs_debug - Allow mozilla_plugin_t to create ~/.pki directory and content- Add clamscan_can_scan_system boolean - Allow mysqld to read kernel network state - Allow sshd to read/write condor lib files - Allow sshd to read/write condor-startd tcp socket - Fix description on httpd_graceful_shutdown - Allow glance_registry to communicate with mysql - dbus_system_domain is using systemd to lauch applications - add interfaces to allow domains to send kill signals to user mail agents - Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t - Lots of new access required for secure containers - Corosync needs sys_admin capability - ALlow colord to create shm - .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific - Add boolean to control whether or not mozilla plugins can create random content in the users homedir - Add new interface to allow domains to list msyql_db directories, needed for libra - shutdown has to be allowed to delete etc_runtime_t - Fail2ban needs to read /etc/passwd - Allow ldconfig to create /var/cache/ldconfig - Allow tgtd to read hardware state information - Allow collectd to create packet socket - Allow chronyd to send signal to itself - Allow collectd to read /dev/random - Allow collectd to send signal to itself - firewalld needs to execute restorecon - Allow restorecon and other login domains to execute restorecon- Allow logrotate to getattr on systemd unit files - Add support for tor systemd unit file - Allow apmd to create /var/run/pm-utils with the correct label - Allow l2tpd to send sigkill to pppd - Allow pppd to stream connect to l2tpd - Add label for scripts in /etc/gdm/ - Allow systemd_logind_t to ignore mcs constraints on sigkill - Fix files_filetrans_system_conf_named_files() interface - Add labels for /usr/share/wordpress/wp-includes/*.php - Allow cobbler to get SELinux mode and booleans- Add unconfined_execmem_exec_t as an alias to bin_t - Allow fenced to read snmp var lib files, also allow it to read usr_t - ontaudit access checks on all executables from mozilla_plugin - Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode - Allow systemd_tmpfiles_t to getattr all pipes and sockets - Allow glance-registry to send system log messages - semanage needs to manage mock lib files/dirs- Add policy for abrt-watch-log - Add definitions for jboss_messaging ports - Allow systemd_tmpfiles to manage printer devices - Allow oddjob to use nsswitch - Fix labeling of log files for postgresql - Allow mozilla_plugin_t to execmem and execstack by default - Allow firewalld to execute shell - Fix /etc/wicd content files to get created with the correct label - Allow mcelog to exec shell - Add ~/.orc as a gstreamer_home_t - /var/spool/postfix/lib64 should be labeled lib_t - mpreaper should be able to list all file system labeled directories - Add support for apache to use openstack - Add labeling for /etc/zipl.conf and zipl binary - Turn on allow_execstack and turn off telepathy transition for final release- More access required for virt_qmf_t - Additional assess required for systemd-logind to support multi-seat - Allow mozilla_plugin to setrlimit - Revert changes to fuse file system to stop deadlock- Allow condor domains to connect to ephemeral ports - More fixes for condor policy - Allow keystone to stream connect to mysqld - Allow mozilla_plugin_t to read generic USB device to support GPS devices - Allow thum to file name transition gstreamer home content - Allow thum to read all non security files - Allow glance_api_t to connect to ephemeral ports - Allow nagios plugins to read /dev/urandom - Allow syslogd to search postfix spool to support postfix chroot env - Fix labeling for /var/spool/postfix/dev - Allow wdmd chown - Label .esd_auth as pulseaudio_home_t - Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now- Add support for clamd+systemd - Allow fresclam to execute systemctl to handle clamd - Change labeling for /usr/sbin/rpc.ypasswd.env - Allow yppaswd_t to execute yppaswd_exec_t - Allow yppaswd_t to read /etc/passwd - Gnomekeyring socket has been moved to /run/user/USER/ - Allow samba-net to connect to ldap port - Allow signal for vhostmd - allow mozilla_plugin_t to read user_home_t socket - New access required for secure Linux Containers - zfs now supports xattrs - Allow quantum to execute sudo and list sysfs - Allow init to dbus chat with the firewalld - Allow zebra to read /etc/passwd- Allow svirt_t to create content in the users homedir under ~/.libvirt - Fix label on /var/lib/heartbeat - Allow systemd_logind_t to send kill signals to all processes started by a user - Fuse now supports Xattr Support- upowered needs to setsched on the kernel - Allow mpd_t to manage log files - Allow xdm_t to create /var/run/systemd/multi-session-x - Add rules for missedfont.log to be used by thumb.fc - Additional access required for virt_qmf_t - Allow dhclient to dbus chat with the firewalld - Add label for lvmetad - Allow systemd_logind_t to remove userdomain sock_files - Allow cups to execute usr_t files - Fix labeling on nvidia shared libraries - wdmd_t needs access to sssd and /etc/passwd - Add boolean to allow ftp servers to run in passive mode - Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with - Fix using httpd_use_fusefs - Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox- Rename rdate port to time port, and allow gnomeclock to connect to it - We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda - /etc/auto.* should be labeled bin_t - Add httpd_use_fusefs boolean - Add fixes for heartbeat - Allow sshd_t to signal processes that it transitions to - Add condor policy - Allow svirt to create monitors in ~/.libvirt - Allow dovecot to domtrans sendmail to handle sieve scripts - Lot of fixes for cfengine- /var/run/postmaster.* labeling is no longer needed - Alllow drbdadmin to read /dev/urandom - l2tpd_t seems to use ptmx - group+ and passwd+ should be labeled as /etc/passwd - Zarafa-indexer is a socket- Ensure lastlog is labeled correctly - Allow accountsd to read /proc data about gdm - Add fixes for tuned - Add bcfg2 fixes which were discovered during RHEL6 testing - More fixes for gnome-keyring socket being moved - Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown - Fix description for files_dontaudit_read_security_files() interface- Add new policy and man page for bcfg2 - cgconfig needs to use getpw calls - Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt - gnome-keyring wants to create a directory in cache_home_t - sanlock calls getpw- Add numad policy and numad man page - Add fixes for interface bugs discovered by SEWatch - Add /tmp support for squid - Add fix for #799102 * change default labeling for /var/run/slapd.* sockets - Make thumb_t as userdom_home_reader - label /var/lib/sss/mc same as pubconf, so getpw domains can read it - Allow smbspool running as cups_t to stream connect to nmbd - accounts needs to be able to execute passwd on behalf of users - Allow systemd_tmpfiles_t to delete boot flags - Allow dnssec_trigger to connect to apache ports - Allow gnome keyring to create sock_files in ~/.cache - google_authenticator is using .google_authenticator - sandbox running from within firefox is exposing more leaks - Dontaudit thumb to read/write /dev/card0 - Dontaudit getattr on init_exec_t for gnomeclock_t - Allow certmonger to do a transition to certmonger_unconfined_t - Allow dhcpc setsched which is caused by nmcli - Add rpm_exec_t for /usr/sbin/bcfg2 - system cronjobs are sending dbus messages to systemd_logind - Thumnailers read /dev/urand- Allow auditctl getcap - Allow vdagent to use libsystemd-login - Allow abrt-dump-oops to search /etc/abrt - Got these avc's while trying to print a boarding pass from firefox - Devicekit is now putting the media directory under /run/media - Allow thumbnailers to create content in ~/.thumbails directory - Add support for proL2TPd by Dominick Grift - Allow all domains to call getcap - wdmd seems to get a random chown capability check that it does not need - Allow vhostmd to read kernel sysctls- Allow chronyd to read unix - Allow hpfax to read /etc/passwd - Add support matahari vios-proxy-* apps and add virtd_exec_t label for them - Allow rpcd to read quota_db_t - Update to man pages to match latest policy - Fix bug in jockey interface for sepolgen-ifgen - Add initial svirt_prot_exec_t policy- More fixes for systemd from Dan Walsh- Add a new type for /etc/firewalld and allow firewalld to write to this directory - Add definition for ~/Maildir, and allow mail deliver domains to write there - Allow polipo to run from a cron job - Allow rtkit to schedule wine processes - Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label - Allow users domains to send signals to consolehelper domains- More fixes for boinc policy - Allow polipo domain to create its own cache dir and pid file - Add systemctl support to httpd domain - Add systemctl support to polipo, allow NetworkManager to manage the service - Add policy for jockey-backend - Add support for motion daemon which is now covered by zoneminder policy - Allow colord to read/write motion tmpfs - Allow vnstat to search through var_lib_t directories - Stop transitioning to quota_t, from init an sysadm_t- Add svirt_lxc_file_t as a customizable type- Add additional fixes for icmp nagios plugin - Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin - Add certmonger_unconfined_exec_t - Make sure tap22 device is created with the correct label - Allow staff users to read systemd unit files - Merge in previously built policy - Arpwatch needs to be able to start netlink sockets in order to start - Allow cgred_t to sys_ptrace to look at other DAC Processes- Back port some of the access that was allowed in nsplugin_t - Add definitiona for couchdb ports - Allow nagios to use inherited users ttys - Add git support for mock - Allow inetd to use rdate port - Add own type for rdate port - Allow samba to act as a portmapper - Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev - New fixes needed for samba4 - Allow apps that use lib_t to read lib_t symlinks- Add policy for nove-cert - Add labeling for nova-openstack systemd unit files - Add policy for keystoke- Fix man pages fro domains - Add man pages for SELinux users and roles - Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon - Add policy for matahari-rpcd - nfsd executes mount command on restart - Matahari domains execute renice and setsched - Dontaudit leaked tty in mozilla_plugin_config - mailman is changing to a per instance naming - Add 7600 and 4447 as jboss_management ports - Add fixes for nagios event handlers - Label httpd.event as httpd_exec_t, it is an apache daemon- Add labeling for /var/spool/postfix/dev/log - NM reads sysctl.conf - Iscsi log file context specification fix - Allow mozilla plugins to send dbus messages to user domains that transition to it - Allow mysql to read the passwd file - Allow mozilla_plugin_t to create mozilla home dirs in user homedir - Allow deltacloud to read kernel sysctl - Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself - Allow postgresql_t to connectto itself - Add login_userdomain attribute for users which can log in using terminal- Allow sysadm_u to reach system_r by default #784011 - Allow nagios plugins to use inherited user terminals - Razor labeling is not used no longer - Add systemd support for matahari - Add port_types to man page, move booleans to the top, fix some english - Add support for matahari-sysconfig-console - Clean up matahari.fc - Fix matahari_admin() interfac - Add labels for/etc/ssh/ssh_host_*.pub keys- Allow ksysguardproces to send system log msgs - Allow boinc setpgid and signull - Allow xdm_t to sys_ptrace to run pidof command - Allow smtpd_t to manage spool files/directories and symbolic links - Add labeling for jetty - Needed changes to get unbound/dnssec to work with openswan- Add user_fonts_t alias xfs_tmp_t - Since depmod now runs as insmod_t we need to write to kernel_object_t - Allow firewalld to dbus chat with networkmanager - Allow qpidd to connect to matahari ports - policykit needs to read /proc for uses not owned by it - Allow systemctl apps to connecto the init stream- Turn on deny_ptrace boolean- Remove pam_selinux.8 man page. There was a conflict.- Add proxy class and read access for gssd_proxy - Separate out the sharing public content booleans - Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate - Add label transition for gstream-0.10 and 12 - Add booleans to allow rsync to share nfs and cifs file sytems - chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it - Fix filename transitions for cups files - Allow denyhosts to read "unix" - Add file name transition for locale.conf.new - Allow boinc projects to gconf config files - sssd needs to be able to increase the socket limit under certain loads - sge_execd needs to read /etc/passwd - Allow denyhost to check network state - NetworkManager needs to read sessions data - Allow denyhost to check network state - Allow xen to search virt images directories - Add label for /dev/megaraid_sas_ioctl_node - Add autogenerated man pages- Allow boinc project to getattr on fs - Allow init to execute initrc_state_t - rhev-agent package was rename to ovirt-guest-agent - If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly - sytemd writes content to /run/initramfs and executes it on shutdown - kdump_t needs to read /etc/mtab, should be back ported to F16 - udev needs to load kernel modules in early system boot- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses - Add additional systemd interfaces which are needed fro *_admin interfaces - Fix bind_admin() interface- Allow firewalld to read urand - Alias java, execmem_mono to bin_t to allow third parties - Add label for kmod - /etc/redhat-lsb contains binaries - Add boolean to allow gitosis to send mail - Add filename transition also for "event20" - Allow systemd_tmpfiles_t to delete all file types - Allow collectd to ipc_lock- make consoletype_exec optional, so we can remove consoletype policy - remove unconfined_permisive.patch - Allow openvpn_t to inherit user home content and tmp content - Fix dnssec-trigger labeling - Turn on obex policy for staff_t - Pem files should not be secret - Add lots of rules to fix AVC's when playing with containers - Fix policy for dnssec - Label ask-passwd directories correctly for systemd- sshd fixes seem to be causing unconfined domains to dyntrans to themselves - fuse file system is now being mounted in /run/user - systemd_logind is sending signals to processes that are dbus messaging with it - Add support for winshadow port and allow iscsid to connect to this port - httpd should be allowed to bind to the http_port_t udp socket - zarafa_var_lib_t can be a lnk_file - A couple of new .xsession-errors files - Seems like user space and login programs need to read logind_sessions_files - Devicekit disk seems to be being launched by systemd - Cleanup handling of setfiles so most of rules in te file - Correct port number for dnssec - logcheck has the home dir set to its cache- Add policy for grindengine MPI jobs- Add new sysadm_secadm.pp module * contains secadm definition for sysadm_t - Move user_mail_domain access out of the interface into the te file - Allow httpd_t to create httpd_var_lib_t directories as well as files - Allow snmpd to connect to the ricci_modcluster stream - Allow firewalld to read /etc/passwd - Add auth_use_nsswitch for colord - Allow smartd to read network state - smartdnotify needs to read /etc/group- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory - lxdm startup scripts should be labeled bin_t, so confined users will work - mcstransd now creates a pid, needs back port to F16 - qpidd should be allowed to connect to the amqp port - Label devices 010-029 as usb devices - ypserv packager says ypserv does not use tmp_t so removing selinux policy types - Remove all ptrace commands that I believe are caused by the kernel/ps avcs - Add initial Obex policy - Add logging_syslogd_use_tty boolean - Add polipo_connect_all_unreserved bolean - Allow zabbix to connect to ftp port - Allow systemd-logind to be able to switch VTs - Allow apache to communicate with memcached through a sock_file- Fix file_context.subs_dist for now to work with pre usrmove- More /usr move fixes- Add zabbix_can_network boolean - Add httpd_can_connect_zabbix boolean - Prepare file context labeling for usrmove functions - Allow system cronjobs to read kernel network state - Add support for selinux_avcstat munin plugin - Treat hearbeat with corosync policy - Allow corosync to read and write to qpidd shared mem - mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users context - Turn off dontaudit rules when turning on allow_ypbind - udev now reads /etc/modules.d directory- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out - Cups exchanges dbus messages with init - udisk2 needs to send syslog messages - certwatch needs to read /etc/passwd- Add labeling for udisks2 - Allow fsadmin to communicate with the systemd process- Treat Bip with bitlbee policy * Bip is an IRC proxy - Add port definition for interwise port - Add support for ipa_memcached socket - systemd_jounald needs to getattr on all processes - mdadmin fixes * uses getpw - amavisd calls getpwnam() - denyhosts calls getpwall()- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there - bluetooth says they do not use /tmp and want to remove the type - Allow init to transition to colord - Mongod needs to read /proc/sys/vm/zone_reclaim_mode - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmain to write to inherited dovecot tmp files - setroubleshoot needs to be able to execute rpm to see what version of packages- Merge systemd patch - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nfs_home_dirs boolean for ssh-keygen- Fixes to make rawhide boot in enforcing mode with latest systemd changes- Add labeling for /var/run/systemd/journal/syslog - libvirt sends signals to ifconfig - Allow domains that read logind session files to list them- Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read sympolicy links in this filesystem - Add ubac_constrained rules for chrome_sandbox - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra - Allow postgresql to be executed by the caller - Standardize interfaces of daemons - Add new labeling for mm-handler - Allow all matahari domains to read network state and etc_runtime_t files- New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo - Allow rpc.svcgssd to read supported_krb5_enctype - Allow zarafa domains to read /dev/random and /dev/urandom - Allow snmpd to read dev_snmp6 - Allow procmail to talk with cyrus - Add fixes for check_disk and check_nagios plugins- default trans rules for Rawhide policy - Make sure sound_devices controlC* are labeled correctly on creation - sssd now needs sys_admin - Allow snmp to read all proc_type - Allow to setup users homedir with quota.group- Add httpd_can_connect_ldap() interface - apcupsd_t needs to use seriel ports connected to usb devices - Kde puts procmail mail directory under ~/.local/share - nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now - Add labeling for /sbin/iscsiuio- Add label for /var/lib/iscan/interpreter - Dont audit writes to leaked file descriptors or redirected output for nacl - NetworkManager needs to write to /sys/class/net/ib*/mode- Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute - Allow munin services plugins to use NSCD services- Allow mozilla_plugin_t to manage mozilla_home_t - Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain - Add label for tumblerd- Fixes for xguest package- Fixes related to /bin, /sbin - Allow abrt to getattr on blk files - Add type for rhev-agent log file - Fix labeling for /dev/dmfm - Dontaudit wicd leaking - Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it - Label /etc/locale.conf correctly - Allow user_mail_t to read /dev/random - Allow postfix-smtpd to read MIMEDefang - Add label for /var/log/suphp.log - Allow swat_t to connect and read/write nmbd_t sock_file - Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf - Allow systemd-tmpfiles to change user identity in object contexts - More fixes for rhev_agentd_t consolehelper policy- Use fs_use_xattr for squashf - Fix procs_type interface - Dovecot has a new fifo_file /var/run/dovecot/stats-mail - Dovecot has a new fifo_file /var/run/stats-mail - Colord does not need to connect to network - Allow system_cronjob to dbus chat with NetworkManager - Puppet manages content, want to make sure it labels everything correctly- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it - Allow all postfix domains to use the fifo_file - Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t - Allow apmd_t to read grub.cfg - Let firewallgui read the selinux config - Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp - Fix devicekit_manage_pid_files() interface - Allow squid to check the network state - Dontaudit colord getattr on file systems - Allow ping domains to read zabbix_tmp_t files- Allow mcelog_t to create dir and file in /var/run and label it correctly - Allow dbus to manage fusefs - Mount needs to read process state when mounting gluster file systems - Allow collectd-web to read collectd lib files - Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr - Allow colord to get the attributes of tmpfs filesystem - Add sanlock_use_nfs and sanlock_use_samba booleans - Add bin_t label for /usr/lib/virtualbox/VBoxManage- Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work - Add interface to allow exec of mongod, add port definition for mongod port, 27017 - Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t - Allow spamd and clamd to steam connect to each other - Add policy label for passwd.OLD - More fixes for postfix and postfix maildro - Add ftp support for mozilla plugins - Useradd now needs to manage policy since it calls libsemanage - Fix devicekit_manage_log_files() interface - Allow colord to execute ifconfig - Allow accountsd to read /sys - Allow mysqld-safe to execute shell - Allow openct to stream connect to pcscd - Add label for /var/run/nm-dns-dnsmasq\.conf - Allow networkmanager to chat with virtd_t- Pulseaudio changes - Merge patches- Merge patches back into git repository.- Remove allow_execmem boolean and replace with deny_execmem boolean- Turn back on allow_execmem boolean- Add more MCS fixes to make sandbox working - Make faillog MLS trusted to make sudo_$1_t working - Allow sandbox_web_client_t to read passwd_file_t - Add .mailrc file context - Remove execheap from openoffice domain - Allow chrome_sandbox_nacl_t to read cpu_info - Allow virtd to relabel generic usb which is need if USB device - Fixes for virt.if interfaces to consider chr_file as image file type- Remove Open Office policy - Remove execmem policy- MCS fixes - quota fixes- Remove transitions to consoletype- Make nvidia* to be labeled correctly - Fix abrt_manage_cache() interface - Make filetrans rules optional so base policy will build - Dontaudit chkpwd_t access to inherited TTYS - Make sure postfix content gets created with the correct label - Allow gnomeclock to read cgroup - Fixes for cloudform policy- Check in fixed for Chrome nacl support- Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY's - Allow svirt_lxc domains to send kill signals within their container- Remove qemu.pp again without causing a crash- Remove qemu.pp, everything should use svirt_t or stay in its current domain- Allow policykit to talk to the systemd via dbus - Move chrome_sandbox_nacl_t to permissive domains - Additional rules for chrome_sandbox_nacl- Change bootstrap name to nacl - Chrome still needs execmem - Missing role for chrome_sandbox_bootstrap - Add boolean to remove execmem and execstack from virtual machines - Dontaudit xdm_t doing an access_check on etc_t directories- Allow named to connect to dirsrv by default - add ldapmap1_0 as a krb5_host_rcache_t file - Google chrome developers asked me to add bootstrap policy for nacl stuff - Allow rhev_agentd_t to getattr on mountpoints - Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets- Fixes for cloudform policies which need to connect to random ports - Make sure if an admin creates modules content it creates them with the correct label - Add port 8953 as a dns port used by unbound - Fix file name transition for alsa and confined users- Turn on mock_t and thumb_t for unconfined domains- Policy update should not modify local contexts- Remove ada policy- Remove tzdata policy - Add labeling for udev - Add cloudform policy - Fixes for bootloader policy- Add policies for nova openstack- Add fixes for nova-stack policy- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain - Allow init process to setrlimit on itself - Take away transition rules for users executing ssh-keygen - Allow setroubleshoot_fixit_t to read /dev/urand - Allow sshd to relbale tunnel sockets - Allow fail2ban domtrans to shorewall in the same way as with iptables - Add support for lnk files in the /var/lib/sssd directory - Allow system mail to connect to courier-authdaemon over an unix stream socket- Add passwd_file_t for /etc/ptmptmp- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) - Make corosync to be able to relabelto cluster lib fies - Allow samba domains to search /var/run/nmbd - Allow dirsrv to use pam - Allow thumb to call getuid - chrome less likely to get mmap_zero bug so removing dontaudit - gimp help-browser has built in javascript - Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t - Re-write glance policy- Move dontaudit sys_ptrace line from permissive.te to domain.te - Remove policy for hal, it no longer exists- Don't check md5 size or mtime on certain config files- Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system - Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;- Fixes for bootloader policy - $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore - Allow nsplugin to read /usr/share/config - Allow sa-update to update rules - Add use_fusefs_home_dirs for chroot ssh option - Fixes for grub2 - Update systemd_exec_systemctl() interface - Allow gpg to read the mail spool - More fixes for sa-update running out of cron job - Allow ipsec_mgmt_t to read hardware state information - Allow pptp_t to connect to unreserved_port_t - Dontaudit getattr on initctl in /dev from chfn - Dontaudit getattr on kernel_core from chfn - Add systemd_list_unit_dirs to systemd_exec_systemctl call - Fixes for collectd policy - CHange sysadm_t to create content as user_tmp_t under /tmp- Shrink size of policy through use of attributes for userdomain and apache- Allow virsh to read xenstored pid file - Backport corenetwork fixes from upstream - Do not audit attempts by thumb to search config_home_t dirs (~/.config) - label ~/.cache/telepathy/logger telepathy_logger_cache_home_t - allow thumb to read generic data home files (mime.type)- Allow nmbd to manage sock file in /var/run/nmbd - ricci_modservice send syslog msgs - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user- Fix missing patch from F16- Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by grift - Add new nfsd ports - Added fix to allow confined apps to execmod on chrome - Add labeling for additional vdsm directories - Allow Exim and Dovecot SASL - Add label for /var/run/nmbd - Add fixes to make virsh and xen working together - Colord executes ls - /var/spool/cron is now labeled as user_cron_spool_t- Stop complaining about leaked file descriptors during install- Remove java and mono module and merge into execmem- Fixes for thumb policy and passwd_file_t- Fixes caused by the labeling of /etc/passwd - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide- Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs - move permissive virt_qmf_t from virt.te to permissivedomains.te - Allow ssh_t to use kernel keyrings - Add policy for libvirt-qmf and more fixes for linux containers - Initial Polipo - Sanlock needs to run ranged in order to kill svirt processes - Allow smbcontrol to stream connect to ctdbd- Add label for /etc/passwd- Change unconfined_domains to permissive for Rawhide - Add definition for the ephemeral_ports- Make mta_role() active - Allow asterisk to connect to jabber client port - Allow procmail to read utmp - Add NIS support for systemd_logind_t - Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t - Fix systemd_manage_unit_dirs() interface - Allow ssh_t to manage directories passed into it - init needs to be able to create and delete unit file directories - Fix typo in apache_exec_sys_script - Add ability for logrotate to transition to awstat domain- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state - Add SELinux support for ssh pre-auth net process in F17 - Add logging_syslogd_can_sendmail boolean- Add definition for ephemeral ports - Define user_tty_device_t as a customizable_type- Needs to require a new version of checkpolicy - Interface fixes- Allow sanlock to manage virt lib files - Add virt_use_sanlock booelan - ksmtuned is trying to resolve uids - Make sure .gvfs is labeled user_home_t in the users home directory - Sanlock sends kill signals and needs the kill capability - Allow mockbuild to work on nfs homedirs - Fix kerberos_manage_host_rcache() interface - Allow exim to read system state- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t- Allow collectd to read hardware state information - Add loop_control_device_t - Allow mdadm to request kernel to load module - Allow domains that start other domains via systemctl to search unit dir - systemd_tmpfilses, needs to list any file systems mounted on /tmp - No one can explain why radius is listing the contents of /tmp, so we will dontaudit - If I can manage etc_runtime files, I should be able to read the links - Dontaudit hostname writing to mock library chr_files - Have gdm_t setup labeling correctly in users home dir - Label content unde /var/run/user/NAME/dconf as config_home_t - Allow sa-update to execute shell - Make ssh-keygen working with fips_enabled - Make mock work for staff_t user - Tighten security on mock_t- removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and secure_mode_policyload - Remove unconfined_mount_t- Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy - sssd need to search /var/cache/krb5rcache directory - Allow corosync to relabel own tmp files - Allow zarafa domains to send system log messages - Allow ssh to do tunneling - Allow initrc scripts to sendto init_t unix_stream_socket - Changes to make sure dmsmasq and virt directories are labeled correctly - Changes needed to allow sysadm_t to manage systemd unit files - init is passing file descriptors to dbus and on to system daemons - Allow sulogin additional access Reported by dgrift and Jeremy Miller - Steve Grubb believes that wireshark does not need this access - Fix /var/run/initramfs to stop restorecon from looking at - pki needs another port - Add more labels for cluster scripts - Allow apps that manage cgroup_files to manage cgroup link files - Fix label on nfs-utils scripts directories - Allow gatherd to read /dev/rand and /dev/urand- pki needs another port - Add more labels for cluster scripts - Fix label on nfs-utils scripts directories - Fixes for cluster - Allow gatherd to read /dev/rand and /dev/urand - abrt leaks fifo files- Add glance policy - Allow mdadm setsched - /var/run/initramfs should not be relabeled with a restorecon run - memcache can be setup to override sys_resource - Allow httpd_t to read tetex data - Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.- Allow Postfix to deliver to Dovecot LMTP socket - Ignore bogus sys_module for lldpad - Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock - systemd_logind_t sets the attributes on usb devices - Allow hddtemp_t to read etc_t files - Add permissivedomains module - Move all permissive domains calls to permissivedomain.te - Allow pegasis to send kill signals to other UIDs- Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t unix_stream_sockets - Change sysctl unit file interfaces to use systemctl - Add support for chronyd unit file - Allow mozilla_plugin to read gnome_usr_config - Add policy for new gpsd - Allow cups to create kerberos rhost cache files - Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten- Add policy for sa-update being run out of cron jobs - Add create perms to postgresql_manage_db - ntpd using a gps has to be able to read/write generic tty_device_t - If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev - fix spec file - Remove qemu_domtrans_unconfined() interface - Make passenger working together with puppet - Add init_dontaudit_rw_stream_socket interface - Fixes for wordpress- Turn on allow_domain_fd_use boolean on F16 - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Add abrt_handle_event_t domain for ABRT event scripts - Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change - Allow httpd_git_script_t to read passwd data - Allow openvpn to set its process priority when the nice parameter is used- livecd fixes - spec file fixes- fetchmail can use kerberos - ksmtuned reads in shell programs - gnome_systemctl_t reads the process state of ntp - dnsmasq_t asks the kernel to load multiple kernel modules - Add rules for domains executing systemctl - Bogus text within fc file- Add cfengine policy- Add abrt_domain attribute - Allow corosync to manage cluster lib files - Allow corosync to connect to the system DBUS- Add sblim, uuidd policies - Allow kernel_t dyntrasition to init_t- init_t need setexec - More fixes of rules which cause an explosion in rules by Dan Walsh- Allow rcsmcertd to perform DNS name resolution - Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts - Allow tmux to run as screen - New policy for collectd - Allow gkeyring_t to interact with all user apps - Add rules to allow firstboot to run on machines with the unconfined.pp module removed- Allow systemd_logind to send dbus messages with users - allow accountsd to read wtmp file - Allow dhcpd to get and set capabilities- Fix oracledb_port definition - Allow mount to mounton the selinux file system - Allow users to list /var directories- systemd fixes- Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltclient is connecting to abrt - Dontaudit leaked file descriptors to postdrop - Allow abrt_dump_oops to look at kernel sysctls - Abrt_dump_oops_t reads kernel ring buffer - Allow mysqld to request the kernel to load modules - systemd-login needs fowner - Allow postfix_cleanup_t to searh maildrop- Initial systemd_logind policy - Add policy for systemd_logger and additional proivs for systemd_logind - More fixes for systemd policies- Allow setsched for virsh - Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories - iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-multi- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit - Allow colord to interact with the users through the tmpfs file system - Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files - Add label for /var/log/mcelog - Allow asterisk to read /dev/random if it uses TLS - Allow colord to read ini files which are labeled as bin_t - Allow dirsrvadmin sys_resource and setrlimit to use ulimit - Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. - Also lists /var and /var/spool directories - Add openl2tpd to l2tpd policy - qpidd is reading the sysfs file- Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains - Allow pppd to search /var/lock dir - Add rhsmcertd policy- Update to upstream- More fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git- Fix spec file to not report Verify errors- Add dspam policy - Add lldpad policy - dovecot auth wants to search statfs #713555 - Allow systemd passwd apps to read init fifo_file - Allow prelink to use inherited terminals - Run cherokee in the httpd_t domain - Allow mcs constraints on node connections - Implement pyicqt policy - Fixes for zarafa policy - Allow cobblerd to send syslog messages- Add policy.26 to the payload - Remove olpc stuff - Remove policygentool- Fixes for zabbix - init script needs to be able to manage sanlock_var_run_... - Allow sandlock and wdmd to create /var/run directories... - mixclip.so has been compiled correctly - Fix passenger policy module name- Add mailscanner policy from dgrift - Allow chrome to optionally be transitioned to - Zabbix needs these rules when starting the zabbix_server_mysql - Implement a type for freedesktop openicc standard (~/.local/share/icc) - Allow system_dbusd_t to read inherited icc_data_home_t files. - Allow colord_t to read icc_data_home_t content. #706975 - Label stuff under /usr/lib/debug as if it was labeled under /- Fixes for sanlock policy - Fixes for colord policy - Other fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Add rhev policy module to modules-targeted.conf- Lot of fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Allow logrotate to execute systemctl - Allow nsplugin_t to getattr on gpmctl - Fix dev_getattr_all_chr_files() interface - Allow shorewall to use inherited terms - Allow userhelper to getattr all chr_file devices - sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t - Fix labeling for ABRT Retrace Server- Dontaudit sys_module for ifconfig - Make telepathy and gkeyringd daemon working with confined users - colord wants to read files in users homedir - Remote login should be creating user_tmp_t not its own tmp files- Fix label for /usr/share/munin/plugins/munin_* plugins - Add support for zarafa-indexer - Fix boolean description - Allow colord to getattr on /proc/scsi/scsi - Add label for /lib/upstart/init - Colord needs to list /mnt- Forard port changes from F15 for telepathy - NetworkManager should be allowed to use /dev/rfkill - Fix dontaudit messages to say Domain to not audit - Allow telepathy domains to read/write gnome_cache files - Allow telepathy domains to call getpw - Fixes for colord and vnstatd policy- Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute corosync - colord tries to read files off noxattr file systems - Allow init_t getcap and setcap- Add support for ABRT retrace server - Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners - Allow telepath_msn_t to read /proc/PARENT/cmdline - ftpd needs kill capability - Allow telepath_msn_t to connect to sip port - keyring daemon does not work on nfs homedirs - Allow $1_sudo_t to read default SELinux context - Add label for tgtd sock file in /var/run/ - Add apache_exec_rotatelogs interface - allow all zaraha domains to signal themselves, server writes to /tmp - Allow syslog to read the process state - Add label for /usr/lib/chromium-browser/chrome - Remove the telepathy transition from unconfined_t - Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts - Allow initrc_t domain to manage abrt pid files - Add support for AEOLUS project - Virt_admin should be allowed to manage images and processes - Allow plymountd to send signals to init - Change labeling of fping6- Add filename transitions- Fixes for zarafa policy - Add support for AEOLUS project - Change labeling of fping6 - Allow plymountd to send signals to init - Allow initrc_t domain to manage abrt pid files - Virt_admin should be allowed to manage images and processes- xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl - Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy- Add Dan's patch to remove 64 bit variants - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch - Add labeling for systemd unit files - Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pid - Fixes for matahari policy - Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir - Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on- Fix typo- Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc files - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow sysadm_t to set attributes on fixed disks - allow user domains to execute lsof and look at application sockets - prelink_cron job calls telinit -u if init is rewritten - Fixes to run qemu_t from staff_t- Fix label for /var/run/udev to udev_var_run_t - Mock needs to be able to read network state- Add file_contexts.subs to handle /run and /run/lock - Add other fixes relating to /run changes from F15 policy- Allow $1_sudo_t and $1_su_t open access to user terminals - Allow initrc_t to use generic terminals - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs -systemd is going to be useing /run and /run/lock for early bootup files. - Fix some comments in rlogin.if - Add policy for KDE backlighthelper - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - setroubleshoot reads executables to see if they have TEXTREL - Add /var/spool/audit support for new version of audit - Remove kerberos_connect_524() interface calling - Combine kerberos_master_port_t and kerberos_port_t - systemd has setup /dev/kmsg as stderr for apps it executes - Need these access so that init can impersonate sockets on unix_dgram_socket- Remove some unconfined domains - Remove permissive domains - Add policy-term.patch from Dan- Fix multiple specification for boot.log - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if to generic_if - Should not use deprecated interface - Switch from using all_nodes to generic_node and from all_if to generic_if - Add support for xfce4-notifyd - Fix file context to show several labels as SystemHigh - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs - Add etc_runtime_t label for /etc/securetty - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly - login.krb needs to be able to write user_tmp_t - dirsrv needs to bind to port 7390 for dogtag - Fix a bug in gpg policy - gpg sends audit messages - Allow qpid to manage matahari files- Initial policy for matahari - Add dev_read_watchdog - Allow clamd to connect clamd port - Add support for kcmdatetimehelper - Allow shutdown to setrlimit and sys_nice - Allow systemd_passwd to talk to /dev/log before udev or syslog is running - Purge chr_file and blk files on /tmp - Fixes for pads - Fixes for piranha-pulse - gpg_t needs to be able to encyprt anything owned by the user- mozilla_plugin_tmp_t needs to be treated as user tmp files - More dontaudits of writes from readahead - Dontaudit readahead_t file_type:dir write, to cover up kernel bug - systemd_tmpfiles needs to relabel faillog directory as well as the file - Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost- Add policykit fixes from Tim Waugh - dontaudit sandbox domains sandbox_file_t:dir mounton - Add new dontaudit rules for sysadm_dbusd_t - Change label for /var/run/faillock * other fixes which relate with this change- Update to upstream - Fixes for telepathy - Add port defition for ssdp port - add policy for /bin/systemd-notify from Dan - Mount command requires users read mount_var_run_t - colord needs to read konject_uevent_socket - User domains connect to the gkeyring socket - Add colord policy and allow user_t and staff_t to dbus chat with it - Add lvm_exec_t label for kpartx - Dontaudit reading the mail_spool_t link from sandbox -X - systemd is creating sockets in avahi_var_run and system_dbusd_var_run- gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd - enforce MCS labeling on nodes - Allow arpwatch to read meminfo - Allow gnomeclock to send itself signals - init relabels /dev/.udev files on boot - gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t - nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t - dnsmasq can run as a dbus service, needs acquire service - mysql_admin should be allowed to connect to mysql service - virt creates monitor sockets in the users home dir- Allow usbhid-ups to read hardware state information - systemd-tmpfiles has moved - Allo cgroup to sys_tty_config - For some reason prelink is attempting to read gconf settings - Add allow_daemons_use_tcp_wrapper boolean - Add label for ~/.cache/wocky to make telepathy work in enforcing mode - Add label for char devices /dev/dasd* - Fix for apache_role - Allow amavis to talk to nslcd - allow all sandbox to read selinux poilcy config files - Allow cluster domains to use the system bus and send each other dbus messages- Update to upstream- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Update to ref policy - cgred needs chown capability - Add /dev/crash crash_dev_t - systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability- New labeling for postfmulti #675654 - dontaudit xdm_t listing noxattr file systems - dovecot-auth needs to be able to connect to mysqld via the network as well as locally - shutdown is passed stdout to a xdm_log_t file - smartd creates a fixed disk device - dovecot_etc_t contains a lnk_file that domains need to read - mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot- syslog_t needs syslog capability - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv - Fix for dirsrv policy missing manage_dirs_pattern - corosync needs to delete clvm_tmpfs_t files - qdiskd needs to list hugetlbfs - Move setsched to sandbox_x_domain, so firefox can run without network access - Allow hddtemp to read removable devices - Adding syslog and read_policy permissions to policy * syslog Allow unconfined, sysadm_t, secadm_t, logadm_t * read_policy allow unconfined, sysadm_t, secadm_t, staff_t on Targeted allow sysadm_t (optionally), secadm_t on MLS - mdadm application will write into /sys/.../uevent whenever arrays are assembled or disassembled.- Add tcsd policy- ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resoueces - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory- Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs- Allow nagios plugin to read /proc/meminfo - Fix for mozilla_plugin - Allow samba_net_t to create /etc/keytab - pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t - nslcd can read user credentials - Allow nsplugin to delete mozilla_plugin_tmpfs_t - abrt tries to create dir in rpm_var_lib_t - virt relabels fifo_files - sshd needs to manage content in fusefs homedir - mock manages link files in cache dir- nslcd needs setsched and to read /usr/tmp - Invalid call in likewise policy ends up creating a bogus role - Cannon puts content into /var/lib/bjlib that cups needs to be able to write - Allow screen to create screen_home_t in /root - dirsrv sends syslog messages - pinentry reads stuff in .kde directory - Add labels for .kde directory in homedir - Treat irpinit, iprupdate, iprdump services with raid policy- NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead - Remove permissive domains - Allow newrole to run namespace_init- Add sepgsql_contexts file- Update to upstream- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - Add puppetmaster_use_db boolean - Fixes for zarafa policy - Fixes for gnomeclock poliy - Fix systemd-tmpfiles to use auth_use_nsswitch- gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyinstatiated homedir - Fixes for namespace policy and other fixes related to polyinstantiation - Add namespace policy - Allow dovecot-deliver transition to sendmail which is needed by sieve scripts - Fixes for init, psad policy which relate with confined users - Do not audit bootloader attempts to read devicekit pid files - Allow nagios service plugins to read /proc- Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix duplicate grub def in cobbler - Chrony sends mail, executes shell, uses fifo_file and reads /proc - devicekitdisk getattr all file systems - sambd daemon writes wtmp file - libvirt transitions to dmidecode- Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config- Gnome apps list config_home_t - mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk- Allow xdm and syslog to use /var/log/boot.log - Allow users to communicate with mozilla_plugin and kill it - Add labeling for ipv6 and dhcp- New labels for ghc http content - nsplugin_config needs to read urand, lvm now calls setfscreate to create dev - pm-suspend now creates log file for append access so we remove devicekit_wri - Change authlogin_use_sssd to authlogin_nsswitch_use_ldap - Fixes for greylist_milter policy- Update to upstream - Fixes for systemd policy - Fixes for passenger policy - Allow staff users to run mysqld in the staff_t domain, akonadi needs this - Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py - auth_use_nsswitch does not need avahi to read passwords,needed for resolving data - Dontaudit (xdm_t) gok attempting to list contents of /var/account - Telepathy domains need to read urand - Need interface to getattr all file classes in a mock library for setroubleshoot- Update selinux policy to handle new /usr/share/sandbox/start script- Update to upstream - Fix version of policy in spec file- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs - remove per sandbox domains devpts types - Allow dkim-milter sending signal to itself- Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t - Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup- Turn on systemd policy - mozilla_plugin needs to read certs in the homedir. - Dontaudit leaked file descriptors from devicekit - Fix ircssi to use auth_use_nsswitch - Change to use interface without param in corenet to disable unlabelednet packets - Allow init to relabel sockets and fifo files in /dev - certmonger needs dac* capabilities to manage cert files not owned by root - dovecot needs fsetid to change group membership on mail - plymouthd removes /var/log/boot.log - systemd is creating symlinks in /dev - Change label on /etc/httpd/alias to be all cert_t- Fixes for clamscan and boinc policy - Add boinc_project_t setpgid - Allow alsa to create tmp files in /tmp- Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy- Fixes for lvm to work with systemd- Fix the label for wicd log - plymouthd creates force-display-on-active-vt file - Allow avahi to request the kernel to load a module - Dontaudit hal leaks - Fix gnome_manage_data interface - Add new interface corenet_packet to define a type as being an packet_type. - Removed general access to packet_type from icecast and squid. - Allow mpd to read alsa config - Fix the label for wicd log - Add systemd policy- Fix gnome_manage_data interface - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy- Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools - Allow init to setattr on logfile directories - Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t- Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolean by default - Allow sysadmin to dbus chat with rpm - Add interface for rw_tpm_dev - Allow cron to execute bin - fsadm needs to write sysfs - Dontaudit consoletype reading /var/run/pm-utils - Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin - certmonger needs to manage dirsrv data - /var/run/pm-utils should be labeled as devicekit_var_run_t- fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Allow dovecot to listem on lmtp and sieve ports - Allov ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell- Remove duplicate declaration- Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types- Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0- Put back in lircd_etc_t so policy will install- Turn on allow_postfix_local_write_mail_spool - Allow initrc_t to transition to shutdown_t - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Login programs have to read /etc/samba - New programs under /lib/systemd - Abrt needs to read config files- Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs- Allow nagios plugins to read usr files - Allow mysqld-safe to send system log messages - Fixes fpr ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp - Fix xserver interface - Fix definition of /var/run/lxdm- Turn on mediawiki policy - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap- Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow mpd to be able to read samba/nfs files- Fix up corecommands.fc to match upstream - Make sure /lib/systemd/* is labeled init_exec_t - mount wants to setattr on all mountpoints - dovecot auth wants to read dovecot etc files - nscd daemon looks at the exe file of the comunicating daemon - openvpn wants to read utmp file - postfix apps now set sys_nice and lower limits - remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly - Also resolves nsswitch - Fix labels on /etc/hosts.* - Cleanup to make upsteam patch work - allow abrt to read etc_runtime_t- Add conflicts for dirsrv package- Update to upstream - Add vlock policy- Fix sandbox to work on nfs homedirs - Allow cdrecord to setrlimit - Allow mozilla_plugin to read xauth - Change label on systemd-logger to syslogd_exec_t - Install dirsrv policy from dirsrv package- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it - Udev needs to stream connect to init and kernel - Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory- Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon- Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/*- Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot- Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. - Allow devicekit_power to domtrans to mount - Allow dhcp to bind to udp ports > 1024 to do named stuff - Allow ssh_t to exec ssh_exec_t - Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used - Fix clamav_append_log() intefaces - Fix 'psad_rw_fifo_file' interface- Allow cobblerd to list cobler appache content- Fixup for the latest version of upowed - Dontaudit sandbox sending SIGNULL to desktop apps- Update to upstream-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access - dovecot-auth_t needs ipc_lock - gpm needs to use the user terminal - Allow system_mail_t to append ~/dead.letter - Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf - Add pid file to vnstatd - Allow mount to communicate with gfs_controld - Dontaudit hal leaks in setfiles- Lots of fixes for systemd - systemd now executes readahead and tmpwatch type scripts - Needs to manage random seed- Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream- Fix fusefs handling - Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to connecto its parent - Allow init_t to connect to plymouthd running as kernel_t - Add mediawiki policy - dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. - Disable transition from dbus_session_domain to telepathy for F14 - Allow boinc_project to use shm - Allow certmonger to search through directories that contain certs - Allow fail2ban the DAC Override so it can read log files owned by non root users- Start adding support for use_fusefs_home_dirs - Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanger and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeld samba_share_t- Dontaudit attempts by xdm_t to write to bin_t for kdm - Allow initrc_t to manage system_conf_t- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory. - Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets - Allow confined users to read xdm_etc_t files - Allow xdm_t to transition to xauth_t for lxdm program- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home - Allow clamd to send signals to itself - Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm. - Allow haze to connect to yahoo chat and messenger port tcp:5050. Bz #637339 - Allow guest to run ps command on its processes by allowing it to read /proc - Allow firewallgui to sys_rawio which seems to be required to setup masqerading - Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba. - Add label for /var/log/slim.log- Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota to do quotamod- Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files - Lots of fixes for consolehelper- Fix up Xguest policy- Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t- Update to upstream- Add the ability to send audit messages to confined admin policies - Remove permissive domain from cmirrord and dontaudit sys_tty_config - Split out unconfined_domain() calls from other unconfined_ calls so we can d - virt needs to be able to read processes to clearance for MLS- Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages- Update to upstream- Allow mdadm_t to create files and sock files in /dev/md/- Add policy for ajaxterm- Handle /var/db/sudo - Allow pulseaudio to read alsa config - Allow init to send initrc_t dbus messagesAllow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr intd label vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chat Allow telepath_msn to execute ldconfig and its own tmp files Fix labels on hugepages Allow mdadm to read files on /dev Remove permissive domains and change back to unconfined Allow freshclam to execute shell and bin_t Allow devicekit_power to transition to dhcpc Add boolean to allow icecast to connect to any port- Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs - Allow certmaster to read usr_t files - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm- Allow mdadm_t to read/write hugetlbfs- Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and prelink- Merge with upstream- More access needed for devicekit - Add dbadm policy- Merge with upstream- Allow seunshare to fowner- Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs- Update policy for mozilla_plugin_t- Allow clamscan to read proc_t - Allow mount_t to write to debufs_t dir - Dontaudit mount_t trying to write to security_t dir- Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container- Fix /root/.forward definition- label dead.letter as mail_home_t- Allow login programs to search /cgroups- Fix cert handling- Fix devicekit_power bug - Allow policykit_auth_t more access.- Fix nis calls to allow bind to ports 512-1024 - Fix smartmon- Allow pcscd to read sysfs - systemd fixes - Fix wine_mmap_zero_ignore boolean- Apply Miroslav munin patch - Turn back on allow_execmem and allow_execmod booleans- Merge in fixes from dgrift repository- Update boinc policy - Fix sysstat policy to allow sys_admin - Change failsafe_context to unconfined_r:unconfined_t:s0- New paths for upstart- New permissions for syslog - New labels for /lib/upstart- Add mojomojo policy- Allow systemd to setsockcon on sockets to immitate other services- Remove debugfs label- Update to latest policy- Fix eclipse labeling from IBMSupportAssasstant packageing- Make boot with systemd in enforcing mode- Update to upstream- Add boolean to turn off port forwarding in sshd.- Add support for ebtables - Fixes for rhcs and corosync policy-Update to upstream-Update to upstream-Update to upstream- Add Zarafa policy- Cleanup of aiccu policy - initial mock policy- Lots of random fixes- Update to upstream- Update to upstream - Allow prelink script to signal itself - Cobbler fixes- Add xdm_var_run_t to xserver_stream_connect_xdm - Add cmorrord and mpd policy from Miroslav Grepl- Fix sshd creation of krb cc files for users to be user_tmp_t- Fixes for accountsdialog - Fixes for boinc- Fix label on /var/lib/dokwiki - Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls- Update to upstream- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t - Fix /var/run/abrtd.lock label- Allow login programs to read krb5_home_t Resolves: 594833 - Add obsoletes for cachefilesfd-selinux package Resolves: #575084- Allow mount to r/w abrt fifo file - Allow svirt_t to getattr on hugetlbfs - Allow abrt to create a directory under /var/spool- Add labels for /sys - Allow sshd to getattr on shutdown - Fixes for munin - Allow sssd to use the kernel key ring - Allow tor to send syslog messages - Allow iptabels to read usr files - allow policykit to read all domains state- Fix path for /var/spool/abrt - Allow nfs_t as an entrypoint for http_sys_script_t - Add policy for piranha - Lots of fixes for sosreport- Allow xm_t to read network state and get and set capabilities - Allow policykit to getattr all processes - Allow denyhosts to connect to tcp port 9911 - Allow pyranha to use raw ip sockets and ptrace itself - Allow unconfined_execmem_t and gconfsd mechanism to dbus - Allow staff to kill ping process - Add additional MLS rules- Allow gdm to edit ~/.gconf dir Resolves: #590677 - Allow dovecot to create directories in /var/lib/dovecot Partially resolves 590224 - Allow avahi to dbus chat with NetworkManager - Fix cobbler labels - Dontaudit iceauth_t leaks - fix /var/lib/lxdm file context - Allow aiccu to use tun tap devices - Dontaudit shutdown using xserver.log- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory - Add dontaudit interface for bluetooth dbus - Add chronyd_read_keys, append_keys for initrc_t - Add log support for ksmtuned Resolves: #586663- Allow boinc to send mail- Allow initrc_t to remove dhcpc_state_t - Fix label on sa-update.cron - Allow dhcpc to restart chrony initrc - Don't allow sandbox to send signals to its parent processes - Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t Resolves: #589136- Fix location of oddjob_mkhomedir Resolves: #587385 - fix labeling on /root/.shosts and ~/.shosts - Allow ipsec_mgmt_t to manage net_conf_t Resolves: #586760- Dontaudit sandbox trying to connect to netlink sockets Resolves: #587609 - Add policy for piranha- Fixups for xguest policy - Fixes for running sandbox firefox- Allow ksmtuned to use terminals Resolves: #586663 - Allow lircd to write to generic usb devices- Allow sandbox_xserver to connectto unconfined stream Resolves: #585171- Allow initrc_t to read slapd_db_t Resolves: #585476 - Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf Resolves: #585963- Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t - Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work- Allow virtd_t to manage firewall/iptables config Resolves: #573585- Fix label on /root/.rhosts Resolves: #582760 - Add labels for Picasa - Allow openvpn to read home certs - Allow plymouthd_t to use tty_device_t - Run ncftool as iptables_t - Allow mount to unmount unlabeled_t - Dontaudit hal leaks- Allow livecd to transition to mount- Update to upstream - Allow abrt to delete sosreport Resolves: #579998 - Allow snmp to setuid and gid Resolves: #582155 - Allow smartd to use generic scsi devices Resolves: #582145- Allow ipsec_t to create /etc/resolv.conf with the correct label - Fix reserved port destination - Allow autofs to transition to showmount - Stop crashing tuned- Add telepathysofiasip policy- Update to upstream - Fix label for /opt/google/chrome/chrome-sandbox - Allow modemmanager to dbus with policykit- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) - Allow accountsd to read shadow file - Allow apache to send audit messages when using pam - Allow asterisk to bind and connect to sip tcp ports - Fixes for dovecot 2.0 - Allow initrc_t to setattr on milter directories - Add procmail_home_t for .procmailrc file- Fixes for labels during install from livecd- Fix /cgroup file context - Fix broken afs use of unlabled_t - Allow getty to use the console for s390- Fix cgroup handling adding policy for /cgroup - Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set- Merge patches from dgrift- Update upstream - Allow abrt to write to the /proc under any process- Fix ~/.fontconfig label - Add /root/.cert label - Allow reading of the fixed_file_disk_t:lnk_file if you can read file - Allow qemu_exec_t as an entrypoint to svirt_t- Update to upstream - Allow tmpreaper to delete sandbox sock files - Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems - Fixes for gitosis - No transition on livecd to passwd or chfn - Fixes for denyhosts- Add label for /var/lib/upower - Allow logrotate to run sssd - dontaudit readahead on tmpfs blk files - Allow tmpreaper to setattr on sandbox files - Allow confined users to execute dos files - Allow sysadm_t to kill processes running within its clearance - Add accountsd policy - Fixes for corosync policy - Fixes from crontab policy - Allow svirt to manage svirt_image_t chr files - Fixes for qdisk policy - Fixes for sssd policy - Fixes for newrole policy- make libvirt work on an MLS platform- Add qpidd policy- Update to upstream- Allow boinc to read kernel sysctl - Fix snmp port definitions - Allow apache to read anon_inodefs- Allow shutdown dac_override- Add device_t as a file system - Fix sysfs association- Dontaudit ipsec_mgmt sys_ptrace - Allow at to mail its spool files - Allow nsplugin to search in .pulse directory- Update to upstream- Allow users to dbus chat with xdm - Allow users to r/w wireless_device_t - Dontaudit reading of process states by ipsec_mgmt- Fix openoffice from unconfined_t- Add shutdown policy so consolekit can shutdown system- Update to upstream- Update to upstream- Update to upstream - These are merges of my patches - Remove 389 labeling conflicts - Add MLS fixes found in RHEL6 testing - Allow pulseaudio to run as a service - Add label for mssql and allow apache to connect to this database port if boolean set - Dontaudit searches of debugfs mount point - Allow policykit_auth to send signals to itself - Allow modcluster to call getpwnam - Allow swat to signal winbind - Allow usbmux to run as a system role - Allow svirt to create and use devpts- Add MLS fixes found in RHEL6 testing - Allow domains to append to rpm_tmp_t - Add cachefilesfd policy - Dontaudit leaks when transitioning- Change allow_execstack and allow_execmem booleans to on - dontaudit acct using console - Add label for fping - Allow tmpreaper to delete sandbox_file_t - Fix wine dontaudit mmap_zero - Allow abrt to read var_t symlinks- Additional policy for rgmanager- Allow sshd to setattr on pseudo terms- Update to upstream- Allow policykit to send itself signals- Fix duplicate cobbler definition- Fix file context of /var/lib/avahi-autoipd- Merge with upstream- Allow sandbox to work with MLS- Make Chrome work with staff user- Add icecast policy - Cleanup spec file- Add mcelog policy- Lots of fixes found in F12- Fix rpm_dontaudit_leaks- Add getsched to hald_t - Add file context for Fedora/Redhat Directory Server- Allow abrt_helper to getattr on all filesystems - Add label for /opt/real/RealPlayer/plugins/oggfformat\.so- Add gstreamer_home_t for ~/.gstreamer- Update to upstream- Fix git- Turn on puppet policy - Update to dgrift git policy- Move users file to selection by spec file. - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t- Update to upstream- Remove most of the permissive domains from F12.- Add cobbler policy from dgrift- add usbmon device - Add allow rulse for devicekit_disk- Lots of fixes found in F12, fixes from Tom London- Cleanups from dgrift- Add back xserver_manage_home_fonts- Dontaudit sandbox trying to read nscd and sssd- Update to upstream- Rename udisks-daemon back to devicekit_disk_t policy- Fixes for abrt calls- Add tgtd policy- Update to upstream release- Add asterisk policy back in - Update to upstream release 2.20091117- Update to upstream release 2.20091117- Fixup nut policy- Update to upstream- Allow vpnc request the kernel to load modules- Fix minimum policy installs - Allow udev and rpcbind to request the kernel to load modules- Add plymouth policy - Allow local_login to sys_admin- Allow cupsd_config to read user tmp - Allow snmpd_t to signal itself - Allow sysstat_t to makedir in sysstat_log_t- Update rhcs policy- Allow users to exec restorecond- Allow sendmail to request kernel modules load- Fix all kernel_request_load_module domains- Fix all kernel_request_load_module domains- Remove allow_exec* booleans for confined users. Only available for unconfined_t- More fixes for sandbox_web_t- Allow sshd to create .ssh directory and content- Fix request_module line to module_request- Fix sandbox policy to allow it to run under firefox. - Dont audit leaks.- Fixes for sandbox- Update to upstream - Dontaudit nsplugin search /root - Dontaudit nsplugin sys_nice- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service - Remove policycoreutils-python requirement except for minimum- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files - Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)- Add wordpress/wp-content/uploads label - Fixes for sandbox when run from staff_t- Update to upstream - Fixes for devicekit_disk- More fixes- Lots of fixes for initrc and other unconfined domains- Allow xserver to use netlink_kobject_uevent_socket- Fixes for sandbox- Dontaudit setroubleshootfix looking at /root directory- Update to upsteam- Allow gssd to send signals to users - Fix duplicate label for apache content- Update to upstream- Remove polkit_auth on upgrades- Add back in unconfined.pp and unconfineduser.pp - Add Sandbox unshare- Fixes for cdrecord, mdadm, and others- Add capability setting to dhcpc and gpm- Allow cronjobs to read exim_spool_t- Add ABRT policy- Fix system-config-services policy- Allow libvirt to change user componant of virt_domain- Allow cupsd_config_t to be started by dbus - Add smoltclient policy- Add policycoreutils-python to pre install- Make all unconfined_domains permissive so we can see what AVC's happen- Add pt_chown policy- Add kdump policy for Miroslav Grepl - Turn off execstack boolean- Turn on execstack on a temporary basis (#512845)- Allow nsplugin to connecto the session bus - Allow samba_net to write to coolkey data- Allow devicekit_disk to list inotify- Allow svirt images to create sock_file in svirt_var_run_t- Allow exim to getattr on mountpoints - Fixes for pulseaudio- Allow svirt_t to stream_connect to virtd_t- Allod hald_dccm_t to create sock_files in /tmp- More fixes from upstream- Fix polkit label - Remove hidebrokensymptoms for nss_ldap fix - Add modemmanager policy - Lots of merges from upstream - Begin removing textrel_shlib_t labels, from fixed libraries- Update to upstream- Allow certmaster to override dac permissions- Update to upstream- Fix context for VirtualBox- Update to upstream- Allow clamscan read amavis spool files- Fixes for xguest- fix multiple directory ownership of mandirs- Update to upstream- Add rules for rtkit-daemon- Update to upstream - Fix nlscd_stream_connect- Add rtkit policy- Allow rpcd_t to stream connect to rpcbind- Allow kpropd to create tmp files- Fix last duplicate /var/log/rpmpkgs- Update to upstream * add sssd- Update to upstream * cleanup- Update to upstream - Additional mail ports - Add virt_use_usb boolean for svirt- Fix mcs rules to include chr_file and blk_file- Add label for udev-acl- Additional rules for consolekit/udev, privoxy and various other fixes- New version for upstream- Allow NetworkManager to read inotifyfs- Allow setroubleshoot to run mlocate- Update to upstream- Add fish as a shell - Allow fprintd to list usbfs_t - Allow consolekit to search mountpoints - Add proper labeling for shorewall- New log file for vmware - Allow xdm to setattr on user_tmp_t- Upgrade to upstream- Allow fprintd to access sys_ptrace - Add sandbox policy- Add varnishd policy- Fixes for kpropd- Allow brctl to r/w tun_tap_device_t- Add /usr/share/selinux/packages- Allow rpcd_t to send signals to kernel threads- Fix upgrade for F10 to F11- Add policy for /var/lib/fprint-Remove duplicate line- Allow svirt to manage pci and other sysfs device data- Fix package selection handling- Fix /sbin/ip6tables-save context - Allod udev to transition to mount - Fix loading of mls policy file- Add shorewall policy- Additional rules for fprintd and sssd- Allow nsplugin to unix_read unix_write sem for unconfined_java- Fix uml files to be owned by users- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less- Allow confined users to manage virt_content_t, since this is home dir content - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection- Fix labeling on /var/lib/misc/prelink* - Allow xserver to rw_shm_perms with all x_clients - Allow prelink to execute files in the users home directory- Allow initrc_t to delete dev_null - Allow readahead to configure auditing - Fix milter policy - Add /var/lib/readahead- Update to latest milter code from Paul Howarth- Additional perms for readahead- Allow pulseaudio to acquire_svc on session bus - Fix readahead labeling- Allow sysadm_t to run rpm directly - libvirt needs fowner- Allow sshd to read var_lib symlinks for freenx- Allow nsplugin unix_read and write on users shm and sem - Allow sysadm_t to execute su- Dontaudit attempts to getattr user_tmpfs_t by lvm - Allow nfs to share removable media- Add ability to run postdrop from confined users- Fixes for podsleuth- Turn off nsplugin transition - Remove Konsole leaked file descriptors for release- Allow cupsd_t to create link files in print_spool_t - Fix iscsi_stream_connect typo - Fix labeling on /etc/acpi/actions - Don't reinstall unconfine and unconfineuser on upgrade if they are not installed- Allow audioentroy to read etc files- Add fail2ban_var_lib_t - Fixes for devicekit_power_t- Separate out the ucnonfined user from the unconfined.pp package- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.- Upgrade to latest upstream - Allow devicekit_disk sys_rawio- Dontaudit binds to ports < 1024 for named - Upgrade to latest upstream- Allow podsleuth to use tmpfs files- Add customizable_types for svirt- Allow setroubelshoot exec* privs to prevent crash from bad libraries - add cpufreqselector- Dontaudit listing of /root directory for cron system jobs- Fix missing ld.so.cache label- Add label for ~/.forward and /root/.forward- Fixes for svirt- Fixes to allow svirt read iso files in homedir- Add xenner and wine fixes from mgrepl- Allow mdadm to read/write mls override- Change to svirt to only access svirt_image_t- Fix libvirt policy- Upgrade to latest upstream- Fixes for iscsid and sssd - More cleanups for upgrade from F10 to Rawhide.- Add pulseaudio, sssd policy - Allow networkmanager to exec udevadm- Add pulseaudio context- Upgrade to latest patches- Fixes for libvirt- Update to Latest upstream- Fix setrans.conf to show SystemLow for s0- Further confinement of qemu images via svirt- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild- Allow NetworkManager to manage /etc/NetworkManager/system-connections- add virtual_image_context and virtual_domain_context files- Allow rpcd_t to send signal to mount_t - Allow libvirtd to run ranged- Fix sysnet/net_conf_t- Fix squidGuard labeling- Re-add corenet_in_generic_if(unlabeled_t)* Tue Feb 10 2009 Dan Walsh 3.6.5-2 - Add git web policy- Add setrans contains from upstream- Do transitions outside of the booleans- Allow xdm to create user_tmp_t sockets for switch user to work- Fix staff_t domain- Grab remainder of network_peer_controls patch- More fixes for devicekit- Upgrade to latest upstream- Add boolean to disallow unconfined_t login- Add back transition from xguest to mozilla- Add virt_content_ro_t and labeling for isos directory- Fixes for wicd daemon- More mls/rpm fixes- Add policy to make dbus/nm-applet work- Remove polgen-ifgen from post and add trigger to policycoreutils-python- Add wm policy - Make mls work in graphics mode- Fixed for DeviceKit- Add devicekit policy- Update to upstream- Define openoffice as an x_domain- Fixes for reading xserver_tmp_t- Allow cups_pdf_t write to nfs_t- Remove audio_entropy policy- Update to upstream- Allow hal_acl_t to getattr/setattr fixed_disk- Change userdom_read_all_users_state to include reading symbolic links in /proc- Fix dbus reading /proc information- Add missing alias for home directory content- Fixes for IBM java location- Allow unconfined_r unconfined_java_t- Add cron_role back to user domains- Fix sudo setting of user keys- Allow iptables to talk to terminals - Fixes for policy kit - lots of fixes for booting.- Cleanup policy- Rebuild for Python 2.6- Fix labeling on /var/spool/rsyslog- Allow postgresl to bind to udp nodes- Allow lvm to dbus chat with hal - Allow rlogind to read nfs_t- Fix cyphesis file context- Allow hal/pm-utils to look at /var/run/video.rom - Add ulogd policy- Additional fixes for cyphesis - Fix certmaster file context - Add policy for system-config-samba - Allow hal to read /var/run/video.rom- Allow dhcpc to restart ypbind - Fixup labeling in /var/run- Add certmaster policy- Fix confined users - Allow xguest to read/write xguest_dbusd_t- Allow openoffice execstack/execmem privs- Allow mozilla to run with unconfined_execmem_t- Dontaudit domains trying to write to .xsession-errors- Allow nsplugin to look at autofs_t directory- Allow kerneloops to create tmp files- More alias for fastcgi- Remove mod_fcgid-selinux package- Fix dovecot access- Policy cleanup- Remove Multiple spec - Add include - Fix makefile to not call per_role_expansion- Fix labeling of libGL- Update to upstream- Update to upstream policy- Fixes for confined xwindows and xdm_t- Allow confined users and xdm to exec wm - Allow nsplugin to talk to fifo files on nfs- Allow NetworkManager to transition to avahi and iptables - Allow domains to search other domains keys, coverup kernel bug- Fix labeling for oracle- Allow nsplugin to comminicate with xdm_tmp_t sock_file- Change all user tmpfs_t files to be labeled user_tmpfs_t - Allow radiusd to create sock_files- Upgrade to upstream- Allow confined users to login with dbus- Fix transition to nsplugin- Add file context for /dev/mspblk.*- Fix transition to nsplugin '- Fix labeling on new pm*log - Allow ssh to bind to all nodes- Merge upstream changes - Add Xavier Toth patches- Add qemu_cache_t for /var/cache/libvirt- Remove gamin policy- Add tinyxs-max file system support- Update to upstream - New handling of init scripts- Allow pcsd to dbus - Add memcache policy- Allow audit dispatcher to kill his children- Update to upstream - Fix crontab use by unconfined user- Allow ifconfig_t to read dhcpc_state_t- Update to upstream- Update to upstream- Allow system-config-selinux to work with policykit- Fix novel labeling- Consolodate pyzor,spamassassin, razor into one security domain - Fix xdm requiring additional perms.- Fixes for logrotate, alsa- Eliminate vbetool duplicate entry- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t - Change dhclient to be able to red networkmanager_var_run- Update to latest refpolicy - Fix libsemanage initial install bug- Add inotify support to nscd- Allow unconfined_t to setfcap- Allow amanda to read tape - Allow prewikka cgi to use syslog, allow audisp_t to signal cgi - Add support for netware file systems- Allow ypbind apps to net_bind_service- Allow all system domains and application domains to append to any log file- Allow gdm to read rpm database - Allow nsplugin to read mplayer config files- Allow vpnc to run ifconfig- Allow confined users to use postgres - Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server- Apply unconfined_execmem_exec_t to haskell programs- Fix prelude file context- allow hplip to talk dbus - Fix context on ~/.local dir- Prevent applications from reading x_device- Add /var/lib/selinux context- Update to upstream- Add livecd policy- Dontaudit search of admin_home for init_system_domain - Rewrite of xace interfaces - Lots of new fs_list_inotify - Allow livecd to transition to setfiles_mac- Begin XAce integration- Merge Upstream- Allow amanada to create data files- Fix initial install, semanage setup- Allow system_r for httpd_unconfined_script_t- Remove dmesg boolean - Allow user domains to read/write game data- Change unconfined_t to transition to unconfined_mono_t when running mono - Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work- Remove old booleans from targeted-booleans.conf file- Add boolean to mmap_zero - allow tor setgid - Allow gnomeclock to set clock- Don't run crontab from unconfined_t- Change etc files to config files to allow users to read them- Lots of fixes for confined domains on NFS_t homedir- dontaudit mrtg reading /proc - Allow iscsi to signal itself - Allow gnomeclock sys_ptrace- Allow dhcpd to read kernel network state- Label /var/run/gdm correctly - Fix unconfined_u user creation- Allow transition from initrc_t to getty_t- Allow passwd to communicate with user sockets to change gnome-keyring- Fix initial install- Allow radvd to use fifo_file - dontaudit setfiles reading links - allow semanage sys_resource - add allow_httpd_mod_auth_ntlm_winbind boolean - Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set- Allow nsplugin to read /etc/mozpluggerrc, user_fonts - Allow syslog to manage innd logs. - Allow procmail to ioctl spamd_exec_t- Allow initrc_t to dbus chat with consolekit.- Additional access for nsplugin - Allow xdm setcap/getcap until pulseaudio is fixed- Allow mount to mkdir on tmpfs - Allow ifconfig to search debugfs- Fix file context for MATLAB - Fixes for xace- Allow stunnel to transition to inetd children domains - Make unconfined_dbusd_t an unconfined domain- Fixes for qemu/virtd- Fix bug in mozilla policy to allow xguest transition - This will fix the libsemanage.dbase_llist_query: could not find record value libsemanage.dbase_llist_query: could not query record value (No such file or directory) bug in xguest- Allow nsplugin to run acroread- Add cups_pdf policy - Add openoffice policy to run in xguest- prewika needs to contact mysql - Allow syslog to read system_map files- Change init_t to an unconfined_domain- Allow init to transition to initrc_t on shell exec. - Fix init to be able to sendto init_t. - Allow syslog to connect to mysql - Allow lvm to manage its own fifo_files - Allow bugzilla to use ldap - More mls fixes- fixes for init policy (#436988) - fix build- Additional changes for MLS policy- Fix initrc_context generation for MLS- Fixes for libvirt- Allow bitlebee to read locale_t- More xselinux rules- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t- Prepare policy for beta release - Change some of the system domains back to unconfined - Turn on some of the booleans- Allow nsplugin_config execstack/execmem - Allow nsplugin_t to read alsa config - Change apache to use user content- Add cyphesis policy- Fix Makefile.devel to build mls modules - Fix qemu to be more specific on labeling- Update to upstream fixes- Allow staff to mounton user_home_t- Add xace support- Add fusectl file system- Fixes from yum-cron - Update to latest upstream- Fix userdom_list_user_files- Merge with upstream- Allow udev to send audit messages- Add additional login users interfaces - userdom_admin_login_user_template(staff)- More fixes for polkit- Eliminate transition from unconfined_t to qemu by default - Fixes for gpg- Update to upstream- Fixes for staff_t- Add policy for kerneloops - Add policy for gnomeclock- Fixes for libvirt- Fixes for nsplugin- More fixes for qemu- Additional ports for vnc and allow qemu and libvirt to search all directories- Update to upstream - Add libvirt policy - add qemu policy- Allow fail2ban to create a socket in /var/run- Allow allow_httpd_mod_auth_pam to work- Add audisp policy and prelude- Allow all user roles to executae samba net command- Allow usertypes to read/write noxattr file systems- Fix nsplugin to allow flashplugin to work in enforcing mode- Allow pam_selinux_permit to kill all processes- Allow ptrace or user processes by users of same type - Add boolean for transition to nsplugin- Allow nsplugin sys_nice, getsched, setsched- Allow login programs to talk dbus to oddjob- Add procmail_log support - Lots of fixes for munin- Allow setroubleshoot to read policy config and send audit messages- Allow users to execute all files in homedir, if boolean set - Allow mount to read samba config- Fixes for xguest to run java plugin- dontaudit pam_t and dbusd writing to user_home_t- Update gpg to allow reading of inotify- Change user and staff roles to work correctly with varied perms- Fix munin log, - Eliminate duplicate mozilla file context - fix wpa_supplicant spec- Fix role transition from unconfined_r to system_r when running rpm - Allow unconfined_domains to communicate with user dbus instances- Fixes for xguest- Let all uncofined domains communicate with dbus unconfined- Run rpm in system_r- Zero out customizable types- Fix definiton of admin_home_t- Fix munin file context- Allow cron to run unconfined apps- Modify default login to unconfined_u- Dontaudit dbus user client search of /root- Update to upstream- Fixes for polkit - Allow xserver to ptrace- Add polkit policy - Symplify userdom context, remove automatic per_role changes- Update to upstream - Allow httpd_sys_script_t to search users homedirs- Allow rpm_script to transition to unconfined_execmem_t- Remove user based home directory separation- Remove user specific crond_t- Merge with upstream - Allow xsever to read hwdata_t - Allow login programs to setkeycreate- Update to upstream- Update to upstream- Allow XServer to read /proc/self/cmdline - Fix unconfined cron jobs - Allow fetchmail to transition to procmail - Fixes for hald_mac - Allow system_mail to transition to exim - Allow tftpd to upload files - Allow xdm to manage unconfined_tmp - Allow udef to read alsa config - Fix xguest to be able to connect to sound port- Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir - dontaudit rhgb writes to fonts and root- Fix dnsmasq - Allow rshd full login privs- Allow rshd to connect to ports > 1023- Fix vpn to bind to port 4500 - Allow ssh to create shm - Add Kismet policy- Allow rpm to chat with networkmanager- Fixes for ipsec and exim mail - Change default to unconfined user- Pass the UNK_PERMS param to makefile - Fix gdm location- Make alsa work- Fixes for consolekit and startx sessions- Dontaudit consoletype talking to unconfined_t- Remove homedir_template- Check asound.state- Fix exim policy- Allow tmpreadper to read man_t - Allow racoon to bind to all nodes - Fixes for finger print reader- Allow xdm to talk to input device (fingerprint reader) - Allow octave to run as java- Allow login programs to set ioctl on /proc- Allow nsswitch apps to read samba_var_t- Fix maxima- Eliminate rpm_t:fifo_file avcs - Fix dbus path for helper app- Fix service start stop terminal avc's- Allow also to search var_lib - New context for dbus launcher- Allow cupsd_config_t to read/write usb_device_t - Support for finger print reader, - Many fixes for clvmd - dbus starting networkmanager- Fix java and mono to run in xguest account- Fix to add xguest account when inititial install - Allow mono, java, wine to run in userdomains- Allow xserver to search devpts_t - Dontaudit ldconfig output to homedir- Remove hplip_etc_t change back to etc_t.- Allow cron to search nfs and samba homedirs- Allow NetworkManager to dbus chat with yum-updated- Allow xfs to bind to port 7100- Allow newalias/sendmail dac_override - Allow bind to bind to all udp ports- Turn off direct transition- Allow wine to run in system role- Fix java labeling- Define user_home_type as home_type- Allow sendmail to create etc_aliases_t- Allow login programs to read symlinks on homedirs- Update an readd modules- Cleanup spec file- Allow xserver to be started by unconfined process and talk to tty- Upgrade to upstream to grab postgressql changes- Add setransd for mls policy- Add ldconfig_cache_t- Allow sshd to write to proc_t for afs login- Allow xserver access to urand- allow dovecot to search mountpoints- Fix Makefile for building policy modules- Fix dhcpc startup of service- Fix dbus chat to not happen for xguest and guest users- Fix nagios cgi - allow squid to communicate with winbind- Fixes for ldconfig- Update from upstream- Add nasd support- Fix new usb devices and dmfm- Eliminate mount_ntfs_t policy, merge into mount_t- Allow xserver to write to ramfs mounted by rhgb- Add context for dbus machine id- Update with latest changes from upstream- Fix prelink to handle execmod- Add ntpd_key_t to handle secret data- Add anon_inodefs - Allow unpriv user exec pam_exec_t - Fix trigger- Allow cups to use generic usb - fix inetd to be able to run random apps (git)- Add proper contexts for rsyslogd- Fixes for xguest policy- Allow execution of gconf- Fix moilscanner update problem- Begin adding policy to separate setsebool from semanage - Fix xserver.if definition to not break sepolgen.if- Add new devices- Add brctl policy- Fix root login to include system_r- Allow prelink to read kernel sysctls- Default to user_u:system_r:unconfined_t- fix squid - Fix rpm running as uid- Fix syslog declaration- Allow avahi to access inotify - Remove a lot of bogus security_t:filesystem avcs- Remove ifdef strict policy from upstream- Remove ifdef strict to allow user_u to login- Fix for amands - Allow semanage to read pp files - Allow rhgb to read xdm_xserver_tmp- Allow kerberos servers to use ldap for backing store- allow alsactl to read kernel state- More fixes for alsactl - Transition from hal and modutils - Fixes for suspend resume. - insmod domtrans to alsactl - insmod writes to hal log- Allow unconfined_t to transition to NetworkManager_t - Fix netlabel policy- Update to latest from upstream- Update to latest from upstream- Update to latest from upstream- Allow pcscd_t to send itself signals- Fixes for unix_update - Fix logwatch to be able to search all dirs- Upstream bumped the version- Allow consolekit to syslog - Allow ntfs to work with hal- Allow iptables to read etc_runtime_t- MLS Fixes- Fix path of /etc/lvm/cache directory - Fixes for alsactl and pppd_t - Fixes for consolekit- Allow insmod_t to mount kvmfs_t filesystems- Rwho policy - Fixes for consolekit- fixes for fusefs- Fix samba_net to allow it to view samba_var_t- Update to upstream- Fix Sonypic backlight - Allow snmp to look at squid_conf_t- Fixes for pyzor, cyrus, consoletype on everything installs- Fix hald_acl_t to be able to getattr/setattr on usb devices - Dontaudit write to unconfined_pipes for load_policy- Allow bluetooth to read inotifyfs- Fixes for samba domain controller. - Allow ConsoleKit to look at ttys- Fix interface call- Allow syslog-ng to read /var - Allow locate to getattr on all filesystems - nscd needs setcap- Update to upstream- Allow samba to run groupadd- Update to upstream- Allow mdadm to access generic scsi devices- Fix labeling on udev.tbl dirs- Fixes for logwatch- Add fusermount and mount_ntfs policy- Update to upstream - Allow saslauthd to use kerberos keytabs- Fixes for samba_var_t- Allow networkmanager to setpgid - Fixes for hal_acl_t- Remove disable_trans booleans - hald_acl_t needs to talk to nscd- Fix prelink to be able to manage usr dirs.- Allow insmod to launch init scripts- Remove setsebool policy- Fix handling of unlabled_t packets- More of my patches from upstream- Update to latest from upstream - Add fail2ban policy- Update to remove security_t:filesystem getattr problems- Policy for consolekit- Update to latest from upstream- Revert Nemiver change - Set sudo as a corecmd so prelink will work, remove sudoedit mapping, since this will not work, it does not transition. - Allow samba to execute useradd- Upgrade to the latest from upstream- Add sepolgen support - Add bugzilla policy- Fix file context for nemiver- Remove include sym link- Allow mozilla, evolution and thunderbird to read dev_random. Resolves: #227002 - Allow spamd to connect to smtp port Resolves: #227184 - Fixes to make ypxfr work Resolves: #227237- Fix ssh_agent to be marked as an executable - Allow Hal to rw sound device- Fix spamassisin so crond can update spam files - Fixes to allow kpasswd to work - Fixes for bluetooth- Remove some targeted diffs in file context file- Fix squid cachemgr labeling- Add ability to generate webadm_t policy - Lots of new interfaces for httpd - Allow sshd to login as unconfined_t- Continue fixing, additional user domains- Begin adding user confinement to targeted policy- Fixes for prelink, ktalkd, netlabel- Allow prelink when run from rpm to create tmp files Resolves: #221865 - Remove file_context for exportfs Resolves: #221181 - Allow spamassassin to create ~/.spamassissin Resolves: #203290 - Allow ssh access to the krb tickets - Allow sshd to change passwd - Stop newrole -l from working on non securetty Resolves: #200110 - Fixes to run prelink in MLS machine Resolves: #221233 - Allow spamassassin to read var_lib_t dir Resolves: #219234- fix mplayer to work under strict policy - Allow iptables to use nscd Resolves: #220794- Add gconf policy and make it work with strict- Many fixes for strict policy and by extension mls.- Fix to allow ftp to bind to ports > 1024 Resolves: #219349- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t Resolves: #219421 - Allow sysadm_lpr_t to manage other print spool jobs Resolves: #220080- allow automount to setgid Resolves: #219999- Allow cron to polyinstatiate - Fix creation of boot flags Resolves: #207433- Fixes for irqbalance Resolves: #219606- Fix vixie-cron to work on mls Resolves: #207433Resolves: #218978- Allow initrc to create files in /var directories Resolves: #219227- More fixes for MLS Resolves: #181566- More Fixes polyinstatiation Resolves: #216184- More Fixes polyinstatiation - Fix handling of keyrings Resolves: #216184- Fix polyinstatiation - Fix pcscd handling of terminal Resolves: #218149 Resolves: #218350- More fixes for quota Resolves: #212957- ncsd needs to use avahi sockets Resolves: #217640 Resolves: #218014- Allow login programs to polyinstatiate homedirs Resolves: #216184 - Allow quotacheck to create database files Resolves: #212957- Dontaudit appending hal_var_lib files Resolves: #217452 Resolves: #217571 Resolves: #217611 Resolves: #217640 Resolves: #217725- Fix context for helix players file_context #216942- Fix load_policy to be able to mls_write_down so it can talk to the terminal- Fixes for hwclock, clamav, ftp- Move to upstream version which accepted my patches- Fixes for nvidia driver- Allow semanage to signal mcstrans- Update to upstream- Allow modstorage to edit /etc/fstab file- Fix for qemu, /dev/- Fix path to realplayer.bin- Allow xen to connect to xen port- Allow cups to search samba_etc_t directory - Allow xend_t to list auto_mountpoints- Allow xen to search automount- Fix spec of jre files- Fix unconfined access to shadow file- Allow xend to create files in xen_image_t directories- Fixes for /var/lib/hal- Remove ability for sysadm_t to look at audit.log- Fix rpc_port_types - Add aide policy for mls- Merge with upstream- Lots of fixes for ricci- Allow xen to read/write fixed devices with a boolean - Allow apache to search /var/log- Fix policygentool specfile problem. - Allow apache to send signals to it's logging helpers. - Resolves: rhbz#212731- Add perms for swat- Add perms for swat- Allow daemons to dump core files to /- Fixes for ricci- Allow mount.nfs to work- Allow ricci-modstorage to look at lvm_etc_t- Fixes for ricci using saslauthd- Allow mountpoint on home_dir_t and home_t- Update xen to read nfs files- Allow noxattrfs to associate with other noxattrfs- Allow hal to use power_device_t- Allow procemail to look at autofs_t - Allow xen_image_t to work as a fixed device- Refupdate from upstream- Add lots of fixes for mls cups- Lots of fixes for ricci- Fix number of cats- Update to upstream- More iSCSI changes for #209854- Test ISCSI fixes for #209854- allow semodule to rmdir selinux_config_t dir- Fix boot_runtime_t problem on ppc. Should not be creating these files.- Fix context mounts on reboot - Fix ccs creation of directory in /var/log- Update for tallylog- Allow xend to rewrite dhcp conf files - Allow mgetty sys_admin capability- Make xentapctrl work- Don't transition unconfined_t to bootloader_t - Fix label in /dev/xen/blktap- Patch for labeled networking- Fix crond handling for mls- Update to upstream- Remove bluetooth-helper transition - Add selinux_validate for semanage - Require new version of libsemanage- Fix prelink- Fix rhgb- Fix setrans handling on MLS and useradd- Support for fuse - fix vigr- Fix dovecot, amanda - Fix mls- Allow java execheap for itanium- Update with upstream- mls fixes- Update from upstream- More fixes for mls - Revert change on automount transition to mount- Fix cron jobs to run under the correct context- Fixes to make pppd work- Multiple policy fixes - Change max categories to 1023- Fix transition on mcstransd- Add /dev/em8300 defs- Upgrade to upstream- Fix ppp connections from network manager- Add tty access to all domains boolean - Fix gnome-pty-helper context for ia64- Fixed typealias of firstboot_rw_t- Fix location of xel log files - Fix handling of sysadm_r -> rpm_exec_t- Fixes for autofs, lp- Update from upstream- Fixup for test6- Update to upstream- Update to upstream- Fix suspend to disk problems- Lots of fixes for restarting daemons at the console.- Fix audit line - Fix requires line- Upgrade to upstream- Fix install problems- Allow setroubleshoot to getattr on all dirs to gather RPM data- Set /usr/lib/ia32el/ia32x_loader to unconfined_execmem_exec_t for ia32 platform - Fix spec for /dev/adsp- Fix xen tty devices- Fixes for setroubleshoot- Update to upstream- Fixes for stunnel and postgresql - Update from upstream- Update from upstream - More java fixes- Change allow_execstack to default to on, for RHEL5 Beta. This is required because of a Java compiler problem. Hope to turn off for next beta- Misc fixes- More fixes for strict policy- Quiet down anaconda audit messages- Fix setroubleshootd- Update to the latest from upstream- More fixes for xen- Fix anaconda transitions- yet more xen rules- more xen rules- Fixes for Samba- Fixes for xen- Allow setroubleshootd to send mail- Add nagios policy- fixes for setroubleshoot- Added Paul Howarth patch to only load policy packages shipped with this package - Allow pidof from initrc to ptrace higher level domains - Allow firstboot to communicate with hal via dbus- Add policy for /var/run/ldapi- Fix setroubleshoot policy- Fixes for mls use of ssh - named has a new conf file- Fixes to make setroubleshoot work- Cups needs to be able to read domain state off of printer client- add boolean to allow zebra to write config files- setroubleshootd fixes- Allow prelink to read bin_t symlink - allow xfs to read random devices - Change gfs to support xattr- Remove spamassassin_can_network boolean- Update to upstream - Fix lpr domain for mls- Add setroubleshoot policy- Turn off auditallow on setting booleans- Multiple fixes- Update to upstream- Update to upstream - Add new class for kernel key ring- Update to upstream- Update to upstream- Break out selinux-devel package- Add ibmasmfs- Fix policygentool gen_requires- Update from Upstream- Fix spec of realplay- Update to upstream- Fix semanage- Allow useradd to create_home_dir in MLS environment- Update from upstream- Update from upstream- Add oprofilefs- Fix for hplip and Picasus- Update to upstream- Update to upstream- fixes for spamd- fixes for java, openldap and webalizer- Xen fixes- Upgrade to upstream- allow hal to read boot_t files - Upgrade to upstream- allow hal to read boot_t files- Update from upstream- Fixes for amavis- Update from upstream- Allow auditctl to search all directories- Add acquire service for mono.- Turn off allow_execmem boolean - Allow ftp dac_override when allowed to access users homedirs- Clean up spec file - Transition from unconfined_t to prelink_t- Allow execution of cvs command- Update to upstream- Update to upstream- Fix libjvm spec- Update to upstream- Add xm policy - Fix policygentool- Update to upstream - Fix postun to only disable selinux on full removal of the packages- Allow mono to chat with unconfined- Allow procmail to sendmail - Allow nfs to share dosfs- Update to latest from upstream - Allow selinux-policy to be removed and kernel not to crash- Update to latest from upstream - Add James Antill patch for xen - Many fixes for pegasus- Add unconfined_mount_t - Allow privoxy to connect to httpd_cache - fix cups labeleing on /var/cache/cups- Update to latest from upstream- Update to latest from upstream - Allow mono and unconfined to talk to initrc_t dbus objects- Change libraries.fc to stop shlib_t form overriding texrel_shlib_t- Fix samba creating dirs in homedir - Fix NFS so its booleans would work- Allow secadm_t ability to relabel all files - Allow ftp to search xferlog_t directories - Allow mysql to communicate with ldap - Allow rsync to bind to rsync_port_t- Fixed mailman with Postfix #183928 - Allowed semanage to create file_context files. - Allowed amanda_t to access inetd_t TCP sockets and allowed amanda_recover_t to bind to reserved ports. #149030 - Don't allow devpts_t to be associated with tmp_t. - Allow hald_t to stat all mountpoints. - Added boolean samba_share_nfs to allow smbd_t full access to NFS mounts. - Make mount run in mount_t domain from unconfined_t to prevent mislabeling of /etc/mtab. - Changed the file_contexts to not have a regex before the first ^/[a-z]/ whenever possible, makes restorecon slightly faster. - Correct the label of /etc/named.caching-nameserver.conf - Now label /usr/src/kernels/.+/lib(/.*)? as usr_t instead of /usr/src(/.*)?/lib(/.*)? - I don't think we need anything else under /usr/src hit by this. - Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed xenstored_t rw access to the xen device node.- More textrel_shlib_t file path fixes - Add ada support- Get auditctl working in MLS policy- Add mono dbus support - Lots of file_context fixes for textrel_shlib_t in FC5 - Turn off execmem auditallow since they are filling log files- Update to upstream- Allow automount and dbus to read cert files- Fix ftp policy - Fix secadm running of auditctl- Update to upstream- Update to upstream- Fix policyhelp- Fix pam_console handling of usb_device - dontaudit logwatch reading /mnt dir- Update to upstream- Get transition rules to create policy.20 at SystemHigh- Allow secadmin to shutdown system - Allow sendmail to exec newalias- MLS Fixes dmidecode needs mls_file_read_up - add ypxfr_t - run init needs access to nscd - udev needs setuid - another xen log file - Dontaudit mount getattr proc_kcore_t- fix buildroot usage (#185391)- Get rid of mount/fsdisk scan of /dev messages - Additional fixes for suspend/resume- Fake make to rebuild enableaudit.pp- Get xen networking running.- Fixes for Xen - enableaudit should not be the same as base.pp - Allow ps to work for all process- more xen policy fixups- more xen fixage (#184393)- Fix blkid specification - Allow postfix to execute mailman_que- Blkid changes - Allow udev access to usb_device_t - Fix post script to create targeted policy config file- Allow lvm tools to create drevice dir- Add Xen support- Fixes for cups - Make cryptosetup work with hal- Load Policy needs translock- Fix cups html interface- Add hal changes suggested by Jeremy - add policyhelp to point at policy html pages- Additional fixes for nvidia and cups- Update to upstream - Merged my latest fixes - Fix cups policy to handle unix domain sockets- NSCD socket is in nscd_var_run_t needs to be able to search dir- Fixes Apache interface file- Fixes for new version of cups- Turn off polyinstatiate util after FC5- Fix problem with privoxy talking to Tor- Turn on polyinstatiation- Don't transition from unconfined_t to fsadm_t- Fix policy update model.- Update to upstream- Fix load_policy to work on MLS - Fix cron_rw_system_pipes for postfix_postdrop_t - Allow audotmount to run showmount- Fix swapon - allow httpd_sys_script_t to be entered via a shell - Allow httpd_sys_script_t to read eventpolfs- Update from upstream- allow cron to read apache files- Fix vpnc policy to work from NetworkManager- Update to upstream - Fix semoudle polcy- Update to upstream - fix sysconfig/selinux link- Add router port for zebra - Add imaze port for spamd - Fixes for amanda and java- Fix bluetooth handling of usb devices - Fix spamd reading of ~/ - fix nvidia spec- Update to upsteam- Add users_extra files- Update to upstream- Add semodule policy- Update from upstream- Fix for spamd to use razor port- Fixes for mcs - Turn on mount and fsadm for unconfined_t- Fixes for the -devel package- Fix for spamd to use ldap- Update to upstream- Update to upstream - Fix rhgb, and other Xorg startups- Update to upstream- Separate out role of secadm for mls- Add inotifyfs handling- Update to upstream - Put back in changes for pup/zen- Many changes for MLS - Turn on strict policy- Update to upstream- Update to upstream - Fixes for booting and logging in on MLS machine- Update to upstream - Turn off execheap execstack for unconfined users - Add mono/wine policy to allow execheap and execstack for them - Add execheap for Xdm policy- Update to upstream - Fixes to fetchmail,- Update to upstream- Fix for procmail/spamassasin - Update to upstream - Add rules to allow rpcd to work with unlabeled_networks.- Update to upstream - Fix ftp Man page- Update to upstream- fix pup transitions (#177262) - fix xen disks (#177599)- Update to upstream- More Fixes for hal and readahead- Fixes for hal and readahead- Update to upstream - Apply- Add wine and fix hal problems- Handle new location of hal scripts- Allow su to read /etc/mtab- Update to upstream- Fix "libsemanage.parse_module_headers: Data did not represent a module." problem- Allow load_policy to read /etc/mtab- Fix dovecot to allow dovecot_auth to look at /tmp- Allow restorecon to read unlabeled_t directories in order to fix labeling.- Add Logwatch policy- Fix /dev/ub[a-z] file context- Fix library specification - Give kudzu execmem privs- Fix hostname in targeted policy- Fix passwd command on mls- Lots of fixes to make mls policy work- Add dri libs to textrel_shlib_t - Add system_r role for java - Add unconfined_exec_t for vncserver - Allow slapd to use kerberos- Add man pages- Add enableaudit.pp- Fix mls policy- Update mls file from old version- Add sids back in - Rebuild with update checkpolicy- Fixes to allow automount to use portmap - Fixes to start kernel in s0-s15:c0.c255- Add java unconfined/execmem policy- Add file context for /var/cvs - Dontaudit webalizer search of homedir- Update from upstream- Clean up spec - range_transition crond to SystemHigh- Fixes for hal - Update to upstream- Turn back on execmem since we need it for java, firefox, ooffice - Allow gpm to stream socket to itself- fix requirements to be on the actual packages so that policy can get created properly at install time- Allow unconfined_t to execmod texrel_shlib_t- Update to upstream - Turn off allow_execmem and allow_execmod booleans - Add tcpd and automount policies- Add two new httpd booleans, turned off by default * httpd_can_network_relay * httpd_can_network_connect_db- Add ghost for policy.20- Update to upstream - Turn off boolean allow_execstack- Change setrans-mls to use new libsetrans - Add default_context rule for xdm- Change Requires to PreReg for requiring of policycoreutils on install- New upstream releaseAdd xdm policyUpdate from upstreamUpdate from upstreamUpdate from upstream- Also trigger to rebuild policy for versions up to 2.0.7.- No longer installing policy.20 file, anaconda handles the building of the app.- Fixes for dovecot and saslauthd- Cleanup pegasus and named - Fix spec file - Fix up passwd changing applications-Update to latest from upstream- Add rules for pegasus and avahi- Start building MLS Policy- Update to upstream- Turn on bash- Initial version  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~3.13.1-63.atomic.el7.7selinux-policyMakefile.exampleexample.fcexample.ifexample.tehtmladmin.htmladmin_bootloader.htmladmin_consoletype.htmladmin_dmesg.htmladmin_netutils.htmladmin_su.htmladmin_sudo.htmladmin_usermanage.htmlapps.htmlapps_seunshare.htmlbooleans.htmlcontrib.htmlcontrib_abrt.htmlcontrib_accountsd.htmlcontrib_acct.htmlcontrib_ada.htmlcontrib_afs.htmlcontrib_aiccu.htmlcontrib_aide.htmlcontrib_aisexec.htmlcontrib_ajaxterm.htmlcontrib_alsa.htmlcontrib_amanda.htmlcontrib_amavis.htmlcontrib_amtu.htmlcontrib_anaconda.htmlcontrib_antivirus.htmlcontrib_apache.htmlcontrib_apcupsd.htmlcontrib_apm.htmlcontrib_apt.htmlcontrib_arpwatch.htmlcontrib_asterisk.htmlcontrib_authbind.htmlcontrib_authconfig.htmlcontrib_automount.htmlcontrib_avahi.htmlcontrib_awstats.htmlcontrib_backup.htmlcontrib_bacula.htmlcontrib_bcfg2.htmlcontrib_bind.htmlcontrib_bird.htmlcontrib_bitlbee.htmlcontrib_blueman.htmlcontrib_bluetooth.htmlcontrib_boinc.htmlcontrib_brctl.htmlcontrib_brltty.htmlcontrib_bugzilla.htmlcontrib_bumblebee.htmlcontrib_cachefilesd.htmlcontrib_calamaris.htmlcontrib_callweaver.htmlcontrib_canna.htmlcontrib_ccs.htmlcontrib_cdrecord.htmlcontrib_certmaster.htmlcontrib_certmonger.htmlcontrib_certwatch.htmlcontrib_cfengine.htmlcontrib_cgdcbxd.htmlcontrib_cgroup.htmlcontrib_chrome.htmlcontrib_chronyd.htmlcontrib_cinder.htmlcontrib_cipe.htmlcontrib_clamav.htmlcontrib_clockspeed.htmlcontrib_clogd.htmlcontrib_cloudform.htmlcontrib_cmirrord.htmlcontrib_cobbler.htmlcontrib_cockpit.htmlcontrib_collectd.htmlcontrib_colord.htmlcontrib_comsat.htmlcontrib_condor.htmlcontrib_conman.htmlcontrib_consolekit.htmlcontrib_corosync.htmlcontrib_couchdb.htmlcontrib_courier.htmlcontrib_cpucontrol.htmlcontrib_cpufreqselector.htmlcontrib_cpuplug.htmlcontrib_cron.htmlcontrib_ctdb.htmlcontrib_cups.htmlcontrib_cvs.htmlcontrib_cyphesis.htmlcontrib_cyrus.htmlcontrib_daemontools.htmlcontrib_dante.htmlcontrib_dbadm.htmlcontrib_dbskk.htmlcontrib_dbus.htmlcontrib_dcc.htmlcontrib_ddclient.htmlcontrib_ddcprobe.htmlcontrib_denyhosts.htmlcontrib_devicekit.htmlcontrib_dhcp.htmlcontrib_dictd.htmlcontrib_dirmngr.htmlcontrib_dirsrv-admin.htmlcontrib_dirsrv.htmlcontrib_distcc.htmlcontrib_djbdns.htmlcontrib_dkim.htmlcontrib_dmidecode.htmlcontrib_dnsmasq.htmlcontrib_dnssec.htmlcontrib_dnssectrigger.htmlcontrib_dovecot.htmlcontrib_dpkg.htmlcontrib_drbd.htmlcontrib_dspam.htmlcontrib_entropyd.htmlcontrib_etcd.htmlcontrib_evolution.htmlcontrib_exim.htmlcontrib_fail2ban.htmlcontrib_fcoe.htmlcontrib_fetchmail.htmlcontrib_finger.htmlcontrib_firewalld.htmlcontrib_firewallgui.htmlcontrib_firstboot.htmlcontrib_fprintd.htmlcontrib_freeipmi.htmlcontrib_freqset.htmlcontrib_ftp.htmlcontrib_games.htmlcontrib_gatekeeper.htmlcontrib_gdomap.htmlcontrib_gear.htmlcontrib_geoclue.htmlcontrib_gift.htmlcontrib_git.htmlcontrib_gitosis.htmlcontrib_glance.htmlcontrib_glusterd.htmlcontrib_gnome.htmlcontrib_gnomeclock.htmlcontrib_gpg.htmlcontrib_gpm.htmlcontrib_gpsd.htmlcontrib_gssproxy.htmlcontrib_guest.htmlcontrib_hadoop.htmlcontrib_hal.htmlcontrib_hddtemp.htmlcontrib_hostapd.htmlcontrib_howl.htmlcontrib_hypervkvp.htmlcontrib_i18n_input.htmlcontrib_icecast.htmlcontrib_ifplugd.htmlcontrib_imaze.htmlcontrib_inetd.htmlcontrib_inn.htmlcontrib_iodine.htmlcontrib_iotop.htmlcontrib_ipa.htmlcontrib_irc.htmlcontrib_ircd.htmlcontrib_irqbalance.htmlcontrib_iscsi.htmlcontrib_isns.htmlcontrib_jabber.htmlcontrib_java.htmlcontrib_jetty.htmlcontrib_jockey.htmlcontrib_journalctl.htmlcontrib_kde.htmlcontrib_kdump.htmlcontrib_kdumpgui.htmlcontrib_keepalived.htmlcontrib_kerberos.htmlcontrib_kerneloops.htmlcontrib_keyboardd.htmlcontrib_keystone.htmlcontrib_kismet.htmlcontrib_kmscon.htmlcontrib_ksmtuned.htmlcontrib_ktalk.htmlcontrib_kudzu.htmlcontrib_l2tp.htmlcontrib_ldap.htmlcontrib_lightsquid.htmlcontrib_likewise.htmlcontrib_linuxptp.htmlcontrib_lircd.htmlcontrib_livecd.htmlcontrib_lldpad.htmlcontrib_loadkeys.htmlcontrib_lockdev.htmlcontrib_logrotate.htmlcontrib_logwatch.htmlcontrib_lpd.htmlcontrib_lsm.htmlcontrib_mailman.htmlcontrib_mailscanner.htmlcontrib_man2html.htmlcontrib_mandb.htmlcontrib_mcelog.htmlcontrib_mcollective.htmlcontrib_mediawiki.htmlcontrib_memcached.htmlcontrib_milter.htmlcontrib_minidlna.htmlcontrib_minissdpd.htmlcontrib_mip6d.htmlcontrib_mirrormanager.htmlcontrib_mock.htmlcontrib_modemmanager.htmlcontrib_mojomojo.htmlcontrib_mon_statd.htmlcontrib_mongodb.htmlcontrib_mono.htmlcontrib_monop.htmlcontrib_motion.htmlcontrib_mozilla.htmlcontrib_mpd.htmlcontrib_mplayer.htmlcontrib_mrtg.htmlcontrib_mta.htmlcontrib_munin.htmlcontrib_mysql.htmlcontrib_mythtv.htmlcontrib_naemon.htmlcontrib_nagios.htmlcontrib_namespace.htmlcontrib_ncftool.htmlcontrib_nessus.htmlcontrib_networkmanager.htmlcontrib_ninfod.htmlcontrib_nis.htmlcontrib_nova.htmlcontrib_nscd.htmlcontrib_nsd.htmlcontrib_nslcd.htmlcontrib_nsplugin.htmlcontrib_ntop.htmlcontrib_ntp.htmlcontrib_numad.htmlcontrib_nut.htmlcontrib_nx.htmlcontrib_oav.htmlcontrib_obex.htmlcontrib_oddjob.htmlcontrib_oident.htmlcontrib_openca.htmlcontrib_openct.htmlcontrib_openhpi.htmlcontrib_openhpid.htmlcontrib_openshift-origin.htmlcontrib_openshift.htmlcontrib_opensm.htmlcontrib_openvpn.htmlcontrib_openvswitch.htmlcontrib_openwsman.htmlcontrib_oracleasm.htmlcontrib_osad.htmlcontrib_pacemaker.htmlcontrib_pads.htmlcontrib_passenger.htmlcontrib_pcmcia.htmlcontrib_pcp.htmlcontrib_pcscd.htmlcontrib_pegasus.htmlcontrib_perdition.htmlcontrib_pesign.htmlcontrib_pingd.htmlcontrib_piranha.htmlcontrib_pkcs.htmlcontrib_pki.htmlcontrib_plymouthd.htmlcontrib_podsleuth.htmlcontrib_policykit.htmlcontrib_polipo.htmlcontrib_portage.htmlcontrib_portmap.htmlcontrib_portreserve.htmlcontrib_portslave.htmlcontrib_postfix.htmlcontrib_postfixpolicyd.htmlcontrib_postgrey.htmlcontrib_ppp.htmlcontrib_prelink.htmlcontrib_prelude.htmlcontrib_privoxy.htmlcontrib_procmail.htmlcontrib_prosody.htmlcontrib_psad.htmlcontrib_ptchown.htmlcontrib_publicfile.htmlcontrib_pulseaudio.htmlcontrib_puppet.htmlcontrib_pwauth.htmlcontrib_pxe.htmlcontrib_pyzor.htmlcontrib_qemu.htmlcontrib_qmail.htmlcontrib_qpid.htmlcontrib_quantum.htmlcontrib_quota.htmlcontrib_rabbitmq.htmlcontrib_radius.htmlcontrib_radvd.htmlcontrib_raid.htmlcontrib_rasdaemon.htmlcontrib_razor.htmlcontrib_rdisc.htmlcontrib_readahead.htmlcontrib_realmd.htmlcontrib_redis.htmlcontrib_remotelogin.htmlcontrib_resmgr.htmlcontrib_rgmanager.htmlcontrib_rhcs.htmlcontrib_rhev.htmlcontrib_rhgb.htmlcontrib_rhnsd.htmlcontrib_rhsmcertd.htmlcontrib_ricci.htmlcontrib_rkhunter.htmlcontrib_rlogin.htmlcontrib_rngd.htmlcontrib_rolekit.htmlcontrib_roundup.htmlcontrib_rpc.htmlcontrib_rpcbind.htmlcontrib_rpm.htmlcontrib_rshd.htmlcontrib_rssh.htmlcontrib_rsync.htmlcontrib_rtas.htmlcontrib_rtkit.htmlcontrib_rwho.htmlcontrib_samba.htmlcontrib_sambagui.htmlcontrib_samhain.htmlcontrib_sandbox.htmlcontrib_sandboxX.htmlcontrib_sanlock.htmlcontrib_sasl.htmlcontrib_sblim.htmlcontrib_screen.htmlcontrib_sectoolm.htmlcontrib_sendmail.htmlcontrib_sensord.htmlcontrib_setroubleshoot.htmlcontrib_sge.htmlcontrib_shorewall.htmlcontrib_shutdown.htmlcontrib_slocate.htmlcontrib_slpd.htmlcontrib_slrnpull.htmlcontrib_smartmon.htmlcontrib_smokeping.htmlcontrib_smoltclient.htmlcontrib_smsd.htmlcontrib_smstools.htmlcontrib_snapper.htmlcontrib_snmp.htmlcontrib_snort.htmlcontrib_sosreport.htmlcontrib_soundserver.htmlcontrib_spamassassin.htmlcontrib_speech-dispatcher.htmlcontrib_speedtouch.htmlcontrib_squid.htmlcontrib_sssd.htmlcontrib_stapserver.htmlcontrib_stunnel.htmlcontrib_svnserve.htmlcontrib_swift.htmlcontrib_swift_alias.htmlcontrib_sxid.htmlcontrib_sysstat.htmlcontrib_tcpd.htmlcontrib_tcsd.htmlcontrib_telepathy.htmlcontrib_telnet.htmlcontrib_tftp.htmlcontrib_tgtd.htmlcontrib_thin.htmlcontrib_thumb.htmlcontrib_thunderbird.htmlcontrib_timidity.htmlcontrib_tmpreaper.htmlcontrib_tomcat.htmlcontrib_tor.htmlcontrib_transproxy.htmlcontrib_tripwire.htmlcontrib_tuned.htmlcontrib_tvtime.htmlcontrib_tzdata.htmlcontrib_ucspitcp.htmlcontrib_ulogd.htmlcontrib_uml.htmlcontrib_updfstab.htmlcontrib_uptime.htmlcontrib_usbmodules.htmlcontrib_usbmuxd.htmlcontrib_userhelper.htmlcontrib_usernetctl.htmlcontrib_uucp.htmlcontrib_uuidd.htmlcontrib_uwimap.htmlcontrib_varnishd.htmlcontrib_vbetool.htmlcontrib_vdagent.htmlcontrib_vhostmd.htmlcontrib_virt.htmlcontrib_vlock.htmlcontrib_vmtools.htmlcontrib_vmware.htmlcontrib_vnstatd.htmlcontrib_vpn.htmlcontrib_w3c.htmlcontrib_watchdog.htmlcontrib_wdmd.htmlcontrib_webadm.htmlcontrib_webalizer.htmlcontrib_wine.htmlcontrib_wireshark.htmlcontrib_wm.htmlcontrib_xen.htmlcontrib_xfs.htmlcontrib_xguest.htmlcontrib_xprint.htmlcontrib_xscreensaver.htmlcontrib_yam.htmlcontrib_zabbix.htmlcontrib_zarafa.htmlcontrib_zebra.htmlcontrib_zoneminder.htmlcontrib_zosremote.htmlglobal_booleans.htmlglobal_tunables.htmlindex.htmlinterfaces.htmlkernel.htmlkernel_corecommands.htmlkernel_corenetwork.htmlkernel_devices.htmlkernel_domain.htmlkernel_files.htmlkernel_filesystem.htmlkernel_kernel.htmlkernel_mcs.htmlkernel_mls.htmlkernel_selinux.htmlkernel_storage.htmlkernel_terminal.htmlkernel_ubac.htmlkernel_unlabelednet.htmlroles.htmlroles_auditadm.htmlroles_logadm.htmlroles_secadm.htmlroles_staff.htmlroles_sysadm.htmlroles_sysadm_secadm.htmlroles_unconfineduser.htmlroles_unprivuser.htmlservices.htmlservices_postgresql.htmlservices_ssh.htmlservices_xserver.htmlstyle.csssystem.htmlsystem_application.htmlsystem_authlogin.htmlsystem_clock.htmlsystem_fstools.htmlsystem_getty.htmlsystem_hostname.htmlsystem_hotplug.htmlsystem_init.htmlsystem_ipsec.htmlsystem_iptables.htmlsystem_libraries.htmlsystem_locallogin.htmlsystem_logging.htmlsystem_lvm.htmlsystem_miscfiles.htmlsystem_modutils.htmlsystem_mount.htmlsystem_netlabel.htmlsystem_selinuxutil.htmlsystem_setrans.htmlsystem_sysnetwork.htmlsystem_systemd.htmlsystem_udev.htmlsystem_unconfined.htmlsystem_userdomain.htmltemplates.htmltunables.htmlpolicyhelp/usr/share/doc//usr/share/doc/selinux-policy//usr/share/doc/selinux-policy/html//usr/share/selinux/devel/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=genericcpioxz2noarch-redhat-linux-gnudirectoryASCII textSE Linux policy interface sourceSE Linux policy module sourceHTML document, ASCII textassembler source, ASCII text?7zXZ !#,Uto] b2u jӫ`(i*^nH)Oi .B#R`棝/`V831ͲY.{eƢKDA{V8q@pj;Vg* Yȝ5[8=Zǹ:$1UPys7%D(&Z"RZmX $lum\.@tIId=9~Pynb*N?J$շW>頸$9J$Q@j64Բf`g KbpSϾ-89&Q cH1u!Yus[8C? ql|X8|7 lVB5aZ&@B7٢re:\Å#ؔ !H+iM<ĺC{4d\»W&~ _ WRox:] / 5FUBK D[f3ws+r^=Xj1@m Qy.ۂDt!:$K@F)}w2_> N|V\#xwwZIqӧtUCz.lx2jI6p!&zr"9 Ϲ@Cy@GA: 3X "VW=w66l= UZB 0:h `ӷ,Hh͕M^ 2Uz ԳB2ɫnS~i%5p\yyJ!`ZNr q=)#-_):`wf6L)(}*qu6LkK\)ma$Lz֑)KPN.Ew ʞ]2S2 #R }a܆.E*y'w_w{ `%L1Tq'}eJ( ?")74X"5☤CCK$zjXTW,W ɕ}[Y!zv*7ׄCya/$ҁ-i\6#zShQ~<Z+I.bϞ_ˆAU AR\YfU[mA^8G<̉: K~G eߠ{ ff/x??sz8K OUA}͋E_/6r%BTn?3&cI#ɋ?[?8k?[lLZqQ]ՋM#s;*^)tIG >\UR >Y5,౗ *f3ZuUWoӭZ.i)o;M6}AFir+̼AYcUoB7 &A8 ]@K2µjÈRɡZAR0d;y=. ->nohM4`*"ss⎉yn~ klb0wDƪ~F8K/Sq1I㙞+Ŏj֫7s2i6\p/4UttuT$μd,q"o |[;#; Skw҉#6>@/h}Hӭӏm~Na ]TV1c!Ph nqӷR߂,EF`L[>~\й:M-ÐLʐ!Xc020onPC8>fuT)l t;J+93,z+ V =a|5BY)-[!XM{5E!pZ[G:n'v:y6MÔ?x*=t$vHI5Ђʍݔ nծ](]ѽuexfwsMޛϞ]֣ګM24oj&WjxSp8[q+n8A<}=⨵ï *_PBh 6'bˠiϋE~3ѣ!gWՈH;17Ac0G]R6kR"a~-?R :߃q\] ^Mm6`3ŜoBL]sOǮ`F8,AJ'&hQ &جqp X%Gou+C)oeEׁxCMQI3bto%ɵ{oT `U_JZuէ K]dOeaַ\&uj:O8^5{W #om,ح埒#1IEˋ*X@=7F=LD-lXYYJ-l#,tCDo1B̄uU Dm9H~Kz5·os$pCBON FC53bC(nd9;l~1ii+U<E@k"l')y}(0ڎŸ߯j[9 x!N s8%5d_9iL7B6\ѹ*283^5Um$I@WG.ïyN-mكh.nlIHA }E(z(%f{U8>`T}ūQ%G^52|¾:k]M-!}nbNW#uֵ[QPnjS/lqPmr]|dvP{yܛJUș%)y@cywonۢcYd1߬Zq[?l8aO5.8<&:>G~aԬZD^{^%Qso6n iU>SЍBt avEY`*B.\5{Yܐ↧a:&v7@,bRܡZlt "Jc|u;ĥ.Ke^|T*vnjpl"6^zavOr0&y}h֙Tȸ/5qC~[nq|7Xae52 LEݡ3ȋ1"ʉ$g29ȯ?x nPaBYhXp}ty6hrӱ4U0Q:.m›U/A=#&;"SDV'Tf-ȍXouX"ky+pv,X5Ỉ5 PN]eC68J5v.|:Mk߶D?Z?~ (1?e*$%"iEyA1fy_"S9K[VmǒOS"ěrB5X^b[L$FV}jaj% 1m²u hgkA<3=o.m0t~O׈4H!j36L<.X]ee|r:śQlBOo+nLյݑ^/p}=?T^ICG! fpJU :SJý)p)YfAPdIgt:V'LO\*U2},|X餸'Vnii0u~X28K§H[Q"/ .ucdv!S^ဘ%8%Nn$)DaB!emLSJtKg ƍ2kf|*W@}0'qn҅=8\Bs&;8C+5_d1>;^jTn7qqX+ UX ׺q() |n&fɭ/6jEA*VQ%)fv,tPo?ֹ d[?oZ8(4XOޒVBb07!:%.S6Ѐo5l;O]%(jʢKWnuJ!ث ;a`d)(/ay$a.P=(#>챲aHhؼb ֑P8=Mpv$NOFT@NY!> ^6+.׷Eċ̺A*V ,x-bH5VEvg 833=?8 &}J92@T,*[;UhV}9r57 7/(hM$ M13C'2yEZpf!Vn:TDt!I҅K"Utj>k_G$=]Eď/ML, m 7}k  M!Z&LY| B6nmy߀ܳ챳O\ sOLdA+6In ` ^`qIKI<90wHoHzi5*Eɭ{dU\n=%`ZY`ECyOO$=^E)/3є ,%MTΓ;ucjR!ts1~)\@[BQ#Br#WݓG\|t:9unq#^ z,/Bd9GH LE-@UFl7gSq^kv't̂>1`Ea)ku4BBb-ӭdYjz\;!{!CE!'``QHHj˪&*Kgn=ͦ5. EVZ=.'{(B9[>x_Q(CEhW>5ZyJ9)ͩ^wR%euIdѹv&\}sC_q9pKY^y,ic"}Rѽ_vhFV;=AbBI{XkxGS:J_ݛ,WW +K=W= 7 3oئ 5m`xKV.PqMXWF:s]6؍v0O!]Q22:g:Nb%AO:1.92ȌHl"ssx)*I }ꭨ'ǿx0Vn@/?dCR7Cd *qʛ4'o xvOfj^'ֺ))ɚz!GB{IQtlJp.j! 5bzm76h/텔=ԮC 45bBWUg~h 6Caߌ {ëdH{l0A[5=>WꯥVAQ0oW'K+ O]fxNwlWE(3,B;+`_ZZק )#d3 s O5%HPp/ :@Sr׊8FPGR}qIM|*^8SNJ3LKLG-iSeHQUo#k{0"[cm2߲pY=TUfDG8di^r9GqBx`{']W d=bX>N^z7a{zFԁ.X|ĨhUW%ޒ|9h^?Ϩ2f֖W#TQB#52@8"(j0 QRV6) ;en[Bk`WQ hb9;G >oP;yw3޾ғ $4E;M^xNXRD@'ɹ\!KeVZz"m~4c61GanG"q"ioQm +N*_ro2 A.TSi@бiJIY=aڤ?(Vw["> +*n l_QIjEĒt^k% ]'2|Gx_["^$Nz,;k¯V՘r d(V?z59E-B@jq쯽Z 2I`(PH>ş zw%{.K0f?YյLm!=^i!ogb#דdt%<B .7 LsWyxC6I.̉s]*?ǐ5`+_t:2+1<|T}2!JX Ic 兜bcRXu2vM~[ zYڍ,N01Lښ0%H2 7$LA^rf!!7^U SucH nx z# eOUϔ \cǵT{ɯ|"Ko n'[S>nE%ko@T؍LļRhiGalʹ> sRe6sXLJ{jw)˓3(6iuJ _qXf];sIug;_̩Gzt^U l42Qh5r9ͤWZì qvjOV1&"Udx.mN@Eu~3f|g:t”2[O,6U"M (h ت: FAAqŗ+2њqK,oXDٗ5+P:NY΅,`u #ԴOwߴs_gmjcj սUuߤB`JwE奤!}h(@d/Uɑlxs.e3  wU) ?M뚤?^*r[N-赼82#JQ|1гc*@kxgGv.Ci ɳ5iyykeM u]?8TpSjV ^U FHJ{Q72c)]4ɬweϯ0Q̅|.DL8Ȗby<_xLr61hBYX[aeW;MVj-J\Ѩ9"Lĕ 5OPU*ۜoyu[ה2!`K fRyRTME տKtŬL[ƌ O=h {;62f|s1VnO/vN< hDQj +ᕁ8f|(z .d p$]mY*2|SmԣK!+@?QU9i;S+7ݗuǰIe7&FqĪ- 7{E#,cx.r8Pހ=}gsB)v_A*։ cPg^&C>501_Mz=푿[n{k+m^3 ;{xz}yْ:J`%4Ծm-/s *[+Nr( +^Xǹe U”&/' ֝+^"ŹRvX%^Qǘ UWne0,ȝa8Тn91Vu$ѣDy b!\E̜x s֢NA>+(XbrBSV\UઐQ I8HO Fvi,hR9bձ&=3ar+?Ddlgk?Մ~}~[Eocn zA7A+׬2hYiE& !*%;8 8(\1[L-4)+P,W~>~KmpޠvkIⲰr2Q(W[kxw !P3ʝ=beXm ? I益c:ƺ4IMG4i2ʢy#}UT~7X֯% X.@FzjօWZ] :Oc]B!1O-(=b̩B15+=AtLW>cj!cf~` ?CIw&9 *O~0v'h5{o"x 0Շ94!>'d=v 3O<8ఏ60R"*c[ٚzL@dp&WiJڙX L,b/vWHj=iER1l'] $w$No3]8ޚK]͛VIvg骋i1!Հaˇ+鮪zEZiIyoWq/ڝzP_oHg+u^d :v/+QB0Q hٶ)W5a&vi xLjC=(؅}nd} 7/ծM<V  1^`B=@Ŕ-P{r;&C2tGBz3+b 9+'7 vSJsհZPWM-HȸzJixh&iz3CT*@#Oʿ2X:EϩU.E~ ʀvOpn7dVnaEj"*4ZBNg)*A; -k0bUqm0mc69şpvH;ߗb6 kBdXUK(o~4[d,6]) ގ(5z7#jMS{[ahSH#pwP 옭-bdQ-Gp5f+v6o,.Qpc25C (l pb@~]񵞨k!*RcNO0:Qʡ,B?< 9ȰM(r5F_LNn@ԊِpSW7IWkL>ڶZvF;Zj ɠr4}9*+|SS},Pf?UW6a_6# b? W7e9ۿa[ JJ8s{41Jk o2*XXg,z!2Kt_*n`G"d8!ckӂ;v;1{zjXޮ|7r16J/phpp' 3Oj}ܠ)g4Y\{wǜ1lgnt8ɜ飵$w _ qZp,f{,!鿯nvS}qeXH[Ɵz2oeHHh9{fg&>1OE|zc r> ?PC؅TcdzC "'B WK|zzwf5d^}9[?S=njfkoEk_Z&Y.(!c.^R E]4 ta"??]0(+LPX*zҰr%ν l6t}˷?b4lb9m>휱I:IFZ;L]W-_ÈẐ|4fV XZ3n$(W t Rޔ^w(&2oMTcYiH"w׀U9#үq2Wy[-dUKJMr@S]t[bı7kbsmB AyuX#0ҵvG /dR lp<_0#A}]z "o1] nR6K=ggk4T․JM2[73_GJNM./idռ_dI)f07""~|kǞ*joiK:P R6|zQG8?N4SK|maLiw-x:r1هΟߛy|Jylşntv54b\V~fn6KHON&nUH9s ߴ aշ|R\Rp .(Xua6)?iLE1 ls}20h9u8qZ&+.n-^vid3ۍF7-60Ywũ,݌%8>ӜCTHE@9XѩKQ2kK;\򶣘]&ٷ2n$dB | `z/¿*$PQL 7o^9BA " ~ScF)]Q[Ƽ1M2?I Om2Awk9~-TȔ#)(Rdmxf.=뷨G❍e. .MYmx߃fZA$xع<|b/k)NAd̓{W\)'=3XK9BQJCm?v0~9_9a\\hSp[Еbe$T>IV/Pt>EA}hT*s8{gJز]ek YJL54G рNˋSq'(A$!|1@뗞7 Wؿjwsɉ\y\0*nqx ijE ޮpV<̵B3td/A9AKES;~{;ڿR#ai ﱘ]TtM{%M'0 ^+bDr"DWHׯ OLMSICl4됥hc|KsO&p16*/zVR8(3^W@B7]iB#_-_EdӱܝU]BrXk6k&`9=_2˘w>Er?)n3BU O' 6;7QEq5lM Q}]Ck"eM|Ie+f½hm[D\b87CtU6`3CehD~)'6|>s=,'X> ]57=0t k)7g ilY!MIb1RsĽIAw'tX sDbY08yBbzĘ7Av`1V _93rt|Fk#}+GWyrnOD[n7D#nj; B>0gIĥ+5tg/,5{oU%E:5~U_]6Bgɢ7y3EW.FƫΌ D;%Fbԉ..#vZ!oB4 ?xT5eH zDN3X<@$(ź 8T#zX{FEYSEn(7'E1eIX4L96qofa㋈S*Z؎,Ǧa zX7M3dRIGU"ɗ[5aF}dSeoTՍ7{v4A_S@)w}qQWR񮠕Ʒ4]θ[p7RC m(!L<|3f$3ϏP4O8@Zφ5޴$D~mU`|ZzݑP ߚYU"6ʨQ'(H'AܙgHo6F71n}i)+w3dPɐ CXyq~m.$_-]"עgmN ' 6{@ӀQyOUc.VG@ pIq8\I1|,%h]bh+1ivl_eAo~ohn>q䄿<!sQ[Z^_1W%;|u0X=TJZo~+#^6ճ d^I$)cApnN[wGIHCWq(&)b&3$W&/fT63֑nx$-Q pU<SQ:|3σ{lYX/xhJo;5w/L00̕Go}dz "khtǕX\&sP9ҟM;]kңq8o1.5%K0ij&geN$Fܿd %$%&5{_CGebG0K~刎3•0Gfrn~dQ6v$^.N>o,GRrbZo/t~|`5;>MUv2꨷CvhN-%ydyϛzO OJgbB-̆TQӡeLOw/%[ʌHAqw? 5.zRHddx/B~s %Tlyf+E۞eM`g$.zaK!CU[Fl Q׸b՗d? R|Awt4݇r|t jl9U-~$#D HBֿ,^ota^2~Ig(#ݦ/c (]Ĭ_f8nt7[G*FrY3v`f5^2 |h̳aフ|JKu?wB۲nWKbrAXܤ ۚƂ X5L7"0c\xx]##Q>v@q`עd l|6zBZ({I1Q?)5i8O'p ۼRPߤlf.$wM/-?\14ܤ[x/8ys2J2$$1;JcU\rt3lT^$gXm?&ж׫UiI ľiD{QI\&ґÈemO\wVg\LëwT}d cP>ص@rTJ#K?4L~@Yvɸ}^LAܶ4sN?2Q1f0h%!x.%F^XT˼7,N`ޙ{ЦUݠTyvy ~=u:N@AM"QUρB|9AR$.ɱgX|RId1+1ʛa+:0(Ae7Rvƛܹ]>wp"#ygLzݵ4G/gΚ&KO+c YBMhڴba)Dϸdw(Lv_̮pnrDLԝz? 9ueYGjѭ%< ƥ $ ΕpnI/9QfZ[w/"TDzp%4. tk!,/ۍiYJN09r 7xF,ވMoBcQ<ZDNFn&i}f0*cLAt=Lò]4q4DF{/\>NAlbJ(-*!G9Em'm"n i*_ΌJxO tr)"DՑ̹?U31uBܹ\/5yz#U0~cCSнB<>A蓋QqE[hp5K Vp+Uہb'~62c֬Job&Gdb ^6uh|)l t$o&Hr$P!zդBOrɾYEqT)"C ~PpvTbea%}Z!kTsFdF㺵7jCw| #C,wyAzW} >ɇ‘6ל4,A7 y/]ķ*^KqhLwwcs ζ %(jk&^gڹSeH3[[*qСJr3og]{ 8 |asI bm1Wip^Tgq=yLdc("h9+O0:ZlH;-V"I[MF\bȞ]/ս` MkĹ!x^M^ 2z5Ŏ6K٫gi?6X92k6I<1T$@Q9NJ˟lV;ԉVXE{qE tTQyދ˄V> WBF.+0"Ov!1EdN6ɇZ_uWL![Ÿz"%7Єu.\|h ^Je7><2s)%iZ$<% Y.neLʱ5`rxPܶmS+aNW3i4p4 74C=D ,}H.n &SsLnۥy'+!Z1FkJŀrH?кCwB+b(d5W;\26ZbB~ Qh: {H9JT7  "v4_J I(a-S@/pG&ۢIdb%WB0 p9aWv`l2›v!d,3v t?3KBŨݞ&`ͅ&] >0q[G`UO\ (; } pj\]Z !q9FJY-<;nAjPLEB3ٸ6#RŽ^}: 9ВE/XwPca5LrAxG?({H(Y0 Mrv *e h8MagߚHQzEb\eR4Cbm˰3T9KKa;|5``Mga$/Nw/:%Biy-[7ŚGSL#U/$-&jUA;@r m.XhwY`kbS|++K q+Hp):F?[8+UV`o`yF2Cr~:5Q>ѻ=T>R?rjS2\bdaSzӭA zc/1ė=4Rv t!z(vw5fǽ$%bXsmhp4h.S+sl%Aɡz=/k߻Jic3s@uéPjY@uG 6=I>]95,6esq(B_!uakZ#&6E mD]иEĸFV -ئi-᜔Դ3=MWNIW&B0 Y|!5Wq,Pu|Q^hcIw=cZ/rܰm} kDc)>ML)ØOyYgd ۹Uo:?d' aJ/ }(486s<'(g3y|t*l+7Nj6ycoZ"$xdyȕ5I(k/, )Ap%Ge=H_%GW !Z3W*/q JV̦ nvN~q*f(ų tA-ыKmMW n.6w[vjBZetir4rF&OGk4X<>گN}"$fX+E_gҡћD35fsG SYN6,gP5R#j,%[d5Uۋau-X>USYoϹ=sYrޡE⏬T8ʼ'W)`N* a^{`N!;zu/Pu=\"<|)Nd)%!>U?Fnpw 2MRj'oi; ?$ 揤`1MSA50U^m{ߗb9UIRZJŠNQ{阳H.*=(~1|L~ykђ zQ^Aj3ЌbFsah<3"CfA1Hs$]ףX` <ϙktD ݙ OA ;PG.4{BSƴho T.2rkv6yڻ#{20F8M0  գ$ٍ#fիm@ZZY͋_}J^b`g̈́4Y ޛursq5,~BIš|2VJ;b̽XwAxiQޏjÏܩvD \>_L!&>#Gz] ߗ{'qc"hCϭlr$7-zhFmb}ߍ,:ow "a1 sQE7[T.?Yȷ&(̈́B;ʮ28` uS@Uy#hfQG v!\KG9i!Ȧ+ukhɦ49N[?;Yy8<ꁆBp_2=#[m#7LaeSdYŦeͳ~qhnoPGN~ˤټ(Y%|ڈxjP8k|kN^SZyFuF퐷aH6d#{e!ң"2IGۘE<`NW+)]WPQH-^3p090g2^eS~l-)| {ޜ_=1| x_J.\9RBKY\`ՑugmvSI.v$CȲs b S# )W?LJX)=$erN9V ZwJ Ʈ2".yFxSSG;vI @E͔]>qztғpC6뗥3@DV@~_L&tI\vV>iPo Ya#8<Ώ4Ũdjb]jďJ+rƧ[ ;Hս=!(aMnO>ȳau?Fkpf.S ՝A!* B٢ɪEj 쐡w"[Vp4:O[9Õ<$o{P{򑛘sV(9-0ɵ,R|'y˚zrG,0>7+\},fUj+ G$*ۑ :%L "r>Pa2*4A7yP@D DNA䋲/?7Th#Tʎ.*j%B+Emܡg0ی#fg dd0Ťw$iήg>'zz|荷#AvbY?$DhXZ [<ʵg\rlKo0 i^8^ Yk[ 3S̏ev6Y1$`QMlB*5A: }۹*/YکI Kst&\Pq,%-:j $Y^>Ru'$Ra6Y@&=FNtWq b2i8;'B}rB>%pJ;~j 88(]bCS0Z_QS:S4~Oh6^_@ʡ( \#.T{fDR2 ,ݭ z-X6pbT1rQ9'rJ2;z!{hv',ݽfT8s?fQdFUm{O2Pc 7Jg0n0?*G"Ў# 'xqݯ>M:+Uč`Wǣ8KΈޓղIG@dJYSUrAO`kx.ӈuW.[pXҹ$#^6ўMPWɔ bdyC ި/kUf; 2Ӟ6+f2kGsFhDwv7]@fD&]ܯ = kirN}yxIQ#`-~|ZxOGÞYfeX կzǙYEnNh-7 1r1æ+BzAYrژ_,g'^W!kݕUqqPxҽ- SR9fSZ rdG훌7d\&))Zt_= $z9n)(ߩkr1}Xz>o]) tK "vI#>+;ABs+<|w'ḛ<9+?Itb VLlUmV5]qގhe!za;ylU6Tv"9jAntNDraS}*~co gђ+Q7na? i(qz3~k\ p9My+dZ/&o[Jb;V;6|lZMUsǞ7lA9|8^}{J7"KG%\`FnX))W<|,?uyc?a)}3uhxKuGok9ҒO[ ioT1K%Q6 0ªå؟5TOF5=NJtZ(ixr b.뮄E =ە ^0KXu͔h+ɗ+C,ou:6Γ1q.#:Nac :fCM/R8icg =tiIcS?pߖwndPbΰ' gp;o:?;RU Oȁ3gcT U@* 6\Q[xDJFa)ʻ5Џ2@wP[ny50l M𼘸elbE<ưyI0X{-5NLb+ S*vx\=Lu݈3,n4ݴoi#sF` *TIŒV {N_l3_͒zu5ˮmD:Tj 嵠λw9!(Ll JX)ţw/ 9/&+)PrÃ:Z'~u/5WcWZ|D>|@m1 58If}:ͱ{jU'jҖf" )ӄE">r'T*L*x\~((|2$!lJ5a=l m2/wc_@8t2Z>9v{w0e78pYKs nFalS_nC|@bwRt[aBޓ&=| @McD tIQ;\1,4:BC\ID/3({!H Zg :UZz:D!sٝF,ӭ[jȰ@B?KA04pbHMc-dDc&i _X' rmOl'!جE5ppdMݷxg 66*G"'[O۝KF4CWؾI"L՜>,jvcbYTOn XbvĂ/x TG`mOûȨ;eb,4fșOdud3`xa>hW'8{}`UĺF?5ƭcbg6Dt,Tpfv-'N^9Jnv؝1 K\ZS֤h6@ Sj7*֪AwޔGP72"LonҒ'oV㼷g\hʾ0I$r Ia?`mŋ}V9Ak.ֈ. -_rWu[&3ݶ lG-&Tů+Mq;)f; "?s?O֒ޒr_H/7x BEPvy/QܯEM5}8'_o|dI %3%Z-!&سm+% vG)#66=TA͗*n_sbޔLCǦd#U56=aa.RՑ; IЀ -"m}GCL٪q/!)fF4Anɘg E]k"Zʻq0 ʎRY6FmXC8A$Zif0MisV0oʵ0U%-qM&݂zpB3d5*z,a>)]#n xŜѭl0d{tĕ>}j<*&Q*PP`/TȦ9!hK6auD iX7IavQ0Fb#~*O2 Gr$(K چv4^&6@%Gj,!z du6ϙQN.`h3b_F.~UudxFWXc;Ye%][=^-)ON4PK].@&y/vې4%pL $c5Ư>bi;7ixz$[-c]AQ"`19L %]U$&\Q+SńeRq<Vd=m)*2yңضZK.K3Si"w +01ִ,t衕pjCB#X\mS }p#efai\=(F@f8>S0 G8LZ! 7 EXm@Jk<OzՓXo'2=jQz}8dOYX (.cۛcn{% `9who#Ҋ_o(P6Ꜽ:PlebT.x5JIBdOpqK"қ-Oct+,Czt;L$qň0HE*pU?UK!]wN@l]@=b R=Q o )zxcy2.}e0FUo E Y5ԧPFb{Bf#N$W"QG %=Вt ϧQA3‹s6BL|/]W,| LKi@i9H@{~"/}\n #q4S]dCܠ'҇QCDvWGk@ B9]N*LSVЕ 9D޶$8 靠psBB P 3KS}ϯy"C$Xyj("[i|,'g>~řQ M|q3&űЌ50Pg(uêpj2A~o+tMY Znr\)ePOBߙH8Ov;ge5^Q:D'L?>iuł-[gHL tv{=`<@ȭtq0\mʧg1c"{G)ctzAQ *ŷ6>R]i;Nqůq:r ԯhk@jCʱ8puhEʲȔePXfg]xB'l0lZ31,No@cՊ5!E愴M ?`mJQ ] &B.7L&T|!|_U1$>:^!5w-gh͛ror ۦgS:9;Ώ@5cv}TVS׷lH1 ;W]p);>%Jk<8FGXY"ޑ6>}]_ -Hl۞ZQx) =>T&5,{ ;2ğ7ŝ@Rd~걤 =S/ -+oji឴gd z͊%:*kٓ;O8!"mk/msozPѱN>E:J#3Ӟqџ,*-E(߬i%8μ3*y%ϡro mLJޟ@b{Ha'O?S s&_XOHY۱ip \ж4Smc֡c%{,3}@vpp`Fټ0# imJԢSY!.7Mb%~Lv۶@ف չP:i-B7:A?枛t)I d5rfQh?{l&vwv)ޱRg}!͎j6fPx- Vbymss"Hjn8T+_IrvEtţ.  lci_ÙAji#˫ Nu 5 ,DPR T8cMmY$+1gxY+G4 OA ]SO~}uRShP aitwyGYdǹ:B\{)Uʘ/Tg]EڌE>VK;58",bQ*a6G¥ 3](+}[ 0j7`]4?Wvj[?v,KrFEq>ԛlw/!H&z0$ލ$BγQ^_eb0hc~_~إD̡y>#lws,ܹ 7!+S:2F=4vf%!.&z |d\ C_{C)]@Xly㇘ x,gϓ0<%78DC9\h#Нi=4q zט#]^#vl'E$lN˵$n6ΫYoͯ#P*$b=b0]J/S,W*o$*52ٜ%|`fc!D8C7QVٿ@sw|'F)#~%b? 1~p.D<)2p3l\>E;>18H[<Vu3p>FNzrKa Џ~A*s\d㣦h{4ycK^Klm{wi25DBL|n6'\Hl0W ԋJ=`Rʶ)v]mhM$֌oDV3o{/YG0'FLw-]+`[S_Y .K%Q uO_8ߛ{Aп=z'l4\= θJu< H>̼EXV;du"%.*Ut!e1gCZƼ<ŗ@ݒ0E":/Ni\jq-w>yo( )v>EUXPsz՟P_?~q;<a!%,y U{D3 Ǖ(lWqq!kPHSPiaXW 59;I(ߋT,u|} 5e {.1tJa|=7wA+/𦂛r3<," lo&]}3hp1dRN+Ͼ˳ދ3.unڜV/i0G} Ga(Jt-; (Fr䚩!9pI !>w< E?0I+hST=j۵mw/UP-:FL0vP+s)i33xlgF~n?$7!L1zjb A; GkV?U7U.Qܣ ƁjIt&EBHvm;^\X@E2m:_ h8&QmDתCP pŋ7Nm%M65 wCo8Fߺ Qr'/M8ؼԱz=#rh4.NSV9vH,.ÃσZmZ 26_vozn"?X|'^\Q~6{FA 6B_;t&% Dr?7עMBUײE-樀mB(_~tؐ( t ޥKVF9̛(#j%ό#}S jVfZ[|rZ{,PПȨ H'{P$hY+o21¼fv0cj_EשRnS=?dJJr6:cr7I@VΪ~/ D͒xvrζl>![}0beK5n_=sd7L1oLZ15?(Hϫ{u'@{J4#2 :'UO@^2 9l8D3Oze_*\#FTnւ-LfY"fe1CuZ*.(PB95S-]Ɛ!],V$ܞfWjϴ8tR9|;ҫRKo2u4Xi)P!Z+<ݎ-K b\*BJ#+6tI+#G;(TƔ89'3=7RqHH9d(yȃ`\yLpfSrmrg7 BbΐIO__1W~w C(^v k&еpV8h"V!¢ 6"TEcAeRw']Ӭ!zxώ[3_m@Z vb&`cWW_ ?o8z.,Zs.qZ` w=Q>|tl1|S8˿Ι#/ LP2f -G^Ak㏵ .uP@,`^˭8.mR޿g]T-0CJ8G=` && W;(X٦&!hHGHT. +0j㽗䧮FKPFp{ I'HCO4H[;:z϶QJӤ0W# ZIbY;ci gmMng7^[G8 8d]*]6oR)oKGmR6eȼkc 7g #eh;3ȇoX>60UU%:@NK"nc^.btqӘU*枃GO/0#,DSiM_;T]p//Aӆ1s<yk@CPvGՈR0OApC[aQ>!֑rX W\E3SFR榾A^])JA^{\oz=V`sd bJ`)l7z%]B35yh٭fsK3#^G(?A꠩*3|! L7*bLyٞ)_0">0Tvoʽ6BxAZ h|c~LU4%7L]v@GOzDw|b0tXV|t}ĕ."vM{'h{S/Gy#XVMbf`C)A5e u o峄\C WWr{ϐ88}(vFv0r!՞r͡I_!)2SHݣqWНu, 9b`_]o;q9:A'GOɻݼs2oNd9 <)ܢǕޖh@] v]a&*d(/,]s$xy9fBWaCG*/ӾPgcOBI1*:7tf4viNώ$! `[H1z;p3p,K;v%!SC1:lo6o(vW3LlrmPy,\3{PkNSWuy&:i/R %d\b}?B3P Iuvi>2eQ|]}6})5J:6ۄV"Z6v D5/}g8`NERrѷ#,= ga7Uf8ӚD5}gi\N-`"VVU4-i[QL@~<0ŬPY'gz&o{Fx9 YJ+{tZdB=!^ɪ4}MU>M3kώcd;/V 1f!nl X O-&2zia 4\)q5Kvh)w}I࿠ciQ?';S .ĞKav\ȣ?3q# X HheKw6=u"T2h_SsLt)[Z M'1#E vqrR Wh[Zxk/dNBwk)nt8sL?$n傁R<M iXc^ρQl<{5|[w&ѧܜGXgwl.CߛZAI(qrS=  oefm~nAtDC0yP(@;cyuU\o?Sq_\{BV| Ԧ&9WKN3, )Y!f'ddpʕ҆Ri9s=}LS>Ѻ,h>>)g!iݣ٧}mSn^7APXs(N^|0K?ejkW( c=H*?u|i;޻i8<2A=^lA:3m-<2吲P֡);e8_O0ꬿTyE=?!?w$d8vcz'gd}Em6p{3+} q%ODh4 ZMbV9kH}pV@hé:4Α3*dFL/fehYϴ;ʵ=&T ۣ-e8m@#uz;knڙ?𦧷/*Dӹ5%Ll h'9i Nn ˖+X=t_FSwW3a \r^89$?JarypsV?Dre˲5&iL4jIcq!zHՇn$/) $'ȉ(y{p\b8~~f7'~C|!1bSawʰY>^9]9p”h̣ETH8"'lPIl*^6G~&EcMy2B>K$nn m_v?߀XV=`= 9ß]n[L+貨Cswh#sF>PgJwR`nrܞVaGRuvux@X+rnrRmS,PSs70L~6sf2qd${r(-%f"/Eh;z.l,&<m)r`GʧBR$2qYC|YyܕA⽾dѤVN@vlݗ"8tۡ>\!g5јn %ZgK ~:d|Z.o[ӳ,=I&%˲ZwԎcJ 5s$FD4ގ:maA:=>PS#[$|DGvVMlB%;3ʖ 7.iǎ9˾'%jvD㑂O{ܒQ䙁te(GG"Gq:'G(ozDeJATD2Ɇplmxv$Z/6FaV<ܯHA,a%2R?# I q{dubpDfGlS#YrkW/]'TKHg͉ċ0Jӱ:[_X6{=*ܜ pO&x cJsj.Ϥ8u7 K|rWKܚ KIa]exhK0bP2T,lZٓڂs,&W~1\Y2 -W%-39 Y RQ´U)̕4E9ʹpM2Qp7 S y;ӛ7 ^h1YBS4a9"4*MHrp-P^c]-2t8V*n#k= ߨ8*3W`ULzI[G!˒FOeIl^d EJ UHb/còan&E)E: k==T>.U)Ѷ[(_[hD*cfL<˵h7h6D_hWv<ZՎKp!a@yDi?; Vuߔ:("3 `t ۴n^EC1`ͮ SG9gYBG`9\'܅]mDֵ}+Ʉ{[^oibا:s LZu#&^*C`D~/Aߢ[lkÝtLq^zCМ,זK?3}8ABL-%^Msu8EU<lV6m'q|]ce,FZS|6ƧI݊tWt/;B`y> ftgͱ\qj`1nR fE\4q~Pp{GJ[Kԝff%O ˠĜe|Ft!A5f{6J3G xHKp]#n4X-Ⱇ؄m?uw,u<TwMisyos/&5m8zKvߘ!h<ѲTRs%yi#6ԲBjR\:lL[Rzk#816|Da` 6")P)z@d:FU !7ٸ%ђyTv)uQħGmG|6ZKF,$-dv1% %ٺ0@dx$ YՑ^Mͳ?)9@U$'C/[%}Z5~2X$; ۛ)gb|g,sY`".|t,|IKX ߸>]xX2 d_b`5ՔYUt&ߜFZ|ajp u܁7eJAwW=Q,9KKN Is1nj8@ζC^Gg:m'Vl}ᎆQ r: "z"jz/Pk۳DrZgu9LCWL%%֤+E!Ц YzV$3pSdQXU63*eY modfXM2Z4! jU7ԇ{9YPn"J20o9î=pWDlz[r 3jo#, lѰ>vXĘkyXܞy`:AEki[hsJgu zˏy AEVPNJZF)U!ETd #ͫ`ڍCܡUȂGkyKP=mاQh!>WA!c+ (sżNW+p=ʹGB!\U 4x?2y|dEdMJ=%MGkemIͅg.^Ff|dAdKob?\v ۴&;L'p^kyq((TFٱ"`A r۪gUʙI(nc?ݐBbG:ꂉVǒȫe`UCˆv8C_sRY`|!ia1GcM$_OR\zQ gbÒqnd{ҝCCU ZT5,&9.t]4^QohD33Fva`CՈᏯK*NFGhBNL6%p ÞT:A#7p"/~- KS]uP#Au-N㚋Ɋ6AvVw06h9]q5PJjrԮEF: mP Hh*EmX3^-"xۖl? n/FL$B[*yf_Qɭ k_j#Q~X0e\P32!f o4"!yGcveqtO=8(>*WB21ep>ENt&6џLn'VRt, ..*ϒ9xu3ηLݠ+ν\@r~ء1L$^5[hVH |zt0>%Xth! 3$j= 5]n]kbP/kMYVngu*zzT*T/g f>\i?쐛u/. ]%5:%V.W.O81FxD|톉Gw~yG5ZVa8Q4s7r>xքFa耾|'3X &bZG',[Ya q3`kK= ":R(t^c8XI9?^6ZckH"WFiӺ`6lDY}4HȺ)JY]IƟrH5A^Jz:u;!lv3wkw:0kix t!M fv鿫2f1-+=MjMBh\}9s 38P I>>Ç$K|]$.%(pDž@*F,'CYEKFk';U&gwz8?H IZy%}ʉRV -\$.rrE__q D|J;lC'HD_'}*/%P/bl(ޕ4` ]AXF2HѱLnCCR 5ͦb俖qu.x Mϧ H(`uhǀ[rM'8% (ZZycW)OLxY ͉{MJ&v(_pjN3ta )J/o^J#(_xMavuZr1?la՟ـ-n"gWnb/1 ٰ=56 SZ^ ?HK瘭N7Gy%RO` kΥgFZ 78i?"(arkBSgx|c%!\kfsBn_;|A\1\Ys]SLQ %şDXjvUQA6L>APT$Q튗5Gz<%S26nu\N," 79Bܶ'SRdE9%GwS oϚqXVّ5r(M\bhփS3MP9- I=DC4*'1i$s֣ok.Ypi`Ji="AVkb X;uiڟ::8hoCk@GAx|`v6/K7+Jv=g9}lq"V? Y3C6ZgqA Ω79Be nh©* R6&Y?ZV$0">GueRe"@Y'9 Lq,4qu'&?H t*. Z Zۑӱ~_QaYDAw_zeƓ/+ϽOΕ‚F.OAZ[xAUTjygmU:!D 4#0vVۮF(<y⻧jf<8w'ŝۀ 8 T;hy#Mx[v?Q^CAJde(> Vc)[FJ>Mj Ӳ s@HV(發:[V%(&RzP$ĢQRp6SQRs#tsx^Ы3䨒q=&*@hw-ϺLPHP\3h&8GOx F%V7y+^) 2?y#O gxb!%ކv49#ٝY9a .(,vN|ExEjW*#@BGw=' u"0crNq$C%c{48HEtF˥ry!2DC'"8S0Rv%V &`Զ_ , ct>U(dfT!674<=lȍѽie\wMWӈ5[_2g'Hib'xDJ.)L@p̨Nr^U&&mRF׶u灹`6:B]TG}T6z_+t>du gavgjPτUۆ}y)Jũ۶tɏ-v 5\j}J?s+iBË@; rӂvřwx;JN3 o]H&z3%̰E_" O4a',)sis;\Szq%GEޔ_WXݵOM/dJ-UqId?)eG9(t 4/?2mo[R̿MҦg,OI <8ĤU^:Ȉ;uQp>8@.\:rt)^<~f¾P!0t|#5ů"e 8j8}U/zVMQJ&!Ww"L1 _}f[x:1 Sh9 C'_#rGz+M K׋ptkl6 ~WvZB!4陼c`p7H>W*߬To=p@Ԏ?X⺠;XOalK?θlEK _meP!L>k攕tD3VDMqYQUh}J Xq1h7pO/MK Is͵T-+dz 8r6誽jTْկV7P{HViU!˛:sAu`"Ռ  .dޖ54 5@(@leWT|ƽhfWsĮF'FV1 A5d:afuQףy|\L4t0_+r \4ma 8̋%wp.J^s[EZmTS+ 44'g 4f-Vkt+u[fO;o٬ FbHb鄨l DE=cO<#)daR3؝E:}\@'8JO\xX):\زE@* HK>:OFd=ѳ -2a%}F@`1Q ~+'6Zn0*(H<#jHQ)Kqf/f(OȚ࿴}" =}1VBHQ)x#ZĒ׸]so81 ..}}ȧI$)?6JĚo ZkWp@ddkZS N5uRr (V8k)s-כ`?'IB/TLK~1> %NBm|;EG[Hj;f v3&uēԘݚ6 k(0c<@'`I0ͷp1H0444Է$M,ύ2,6j9 /S2E'!4 f/ ŭKuq}}^Gr׽vFv91 ׿:]Ǚ2Pq (E~^'4gO:ۑ9`K"Xɜ[LW-'63JDm ȳ#wު5'ع8bGeߣg ~.&G-"WySWay<$v=f97g \MNQ~݇R+V )\5a7GaT+lGV=@ekl)WaװOɅibXCmE{pپuLRs] T@iW5*1]ڱ#r&ѡ*!~ `aؐRg-lD32T#h~zMv)I]`9˃;bg접eB.6,#j-7Q߁FV=~ج~-ot8-EB̖92{0Ի&q3_iҳUq`\~cֻ(KْVS2&q&wErDn{: 'Jʉa&>,zH s˔E2 `,og }]25Wd5sa^}T%٨&JSf!|xlyBxӳXq:Ԍt5Ih gp[]N mmLfvF]fn`~/Y{{a?%[⎱N6e,u̽ 7k``79:U&لw^='[DJ}  YYSBn*T|“% .wn[\kTd{Kuh+I-b}Bp YJf )wC_9xNܥ+CT!W JѧO09LaSa.G"."[(p:Lcl BDIsެ7^ý0k!c˫>EƏOa0e7XX=E㿒ѩo9ɵFH{::c͌!Qi9] cԫQ邙>Q{ < -rZRVOW  _?znÃwep6{wvvt}:#1b $C|o5i% 2#d;AvXq־dQ&!${֏H><(5jnkm 3mF.;pH`c,ڠ|uSmv5Cr.qK@MӉ-Zڎs.+&Cg}ަ֖CD.A:N0#' 1$:;\x6[/A}~QupmqrK2Ԏ}[hd-`="*=iݧq@c&{f]k9đ;=5Aݍ- Zmg?p{FH/E]Ȑ?Q$PYP:*1<x2%HEտz ńt3Oঊp%hȮ`J_MHq,U]%_IIϫW A-[NNwV+G&UhaA;u_,. rN>p}qC kTq)cIsA>Sz(r\V&ޤdZ+HK$pcC?y<ڽSoYwDNFQ)Q1FQ8'mDe2?ʭ3ʓRp3Xyq{1c~2MRLyYEQ_z[LDNma({AҗKTěJ+iXV:w$&gA)Qg[2`Q.涊ymL޵P?N|%UwrJ&tDp ?zk6^ov''\5IēKe|s%}ö5en`NVE@@9L['A37 0L:2J:^1Rzx,>|cWhr-R9rE_Qŷyyv' -q"VJ- t#VZbO{Q-I<Doe C9Ǎ"2[ɤrkg9b?I 0 * |ۭ~\+lH T/*pjz!S:^А=n'v0cO)M >nD4Za"*2 p^J+:G ŢP>$S81Y$MqiGvI2QV=&ԇjɩcYd5 KOJ+`#OjZh>pOVt7Rr`RY}bF rWc8mӿ\Ƙ]DKy\DNLga~OCD3m^GGJ4gQVFaK*9?$)SӱBC3!J' ՙ8OEБvmVX͹NЩыǨ:*ILHZVCXPxKja+vo&Y^>9{ &tx"5H$dlL%gASNä`ˊg~afȍGO]h~ߌ13 ~Ɣ+g?SY2N4.ɂ`wȈ擘ܼF*}v|9--J ?mh2M)E;X+Z UC=/W lBm=7 X!`_ɍ78sfAţFќ(8*,*A/{c-]g&*G(WZ OGKm ` 렷_?R.k_IA:2@yT~BDNLX JOʠ0_b-)55C)sS[ `@=nzF,BF`Vp, cM2 (6#YS)Rn53דOL9ۖMM;x6diǹl 1Rk~3uSR[>˻T㶇 Zq^6q[d<( Dw,^,g^KTcm*N9 #I΋[5^7 ~=-MQjD. lPHgM|uڦZk{+*XÏcȵî:3}WڣLhdENX. 퍡X'p8'-Bo\o\>ebcOieF"bj_m#V% KJZx7%7۸t*bc,nX }ײ S\&'#@[s.nЩM2Pye/`=7 .6l}t[KṀ , ۬;5WɱaGszB&yZH@׷i41G]"h3$uO`nHslc}|Aw ,gt.r'K3OFyJ=֝r^Y{ibҒ9byU>n^GYOT"=N239ٙ0U4JXWgI:KQL1n),eXT6t>,WXNfcݒ&X2t]Hz {REpv}nL0x{X; "EGd2Q=W$sN7[z3p'{PB%K ?4wC)Y* Ɠ XTC>V6<# ^V*}Nj:՞Ug>UŢ-X4(gwrn&j'uBiPΪ bmY Imo8 YĊ)hQ~7 ̭|z^IA 41b*Í8t!(C:g4E*'ZJ\H :(b [(0a3=NOWl K4|V+~3/G9XIUO/3;)MO/seDsh%ů ,i-w^zH+kDb5US+O SCűZӏS6(zIihπK[쇗 b:4_rAd 4Zhf^%'!`7Cu| ˆ\Jst|*k!`^6ƷO'%uIxoV#'0WaiJQڶG$M_\)l0Εv,܃^kXE[-wtHZ V,QBd-<½ bLY+Q]/V#ISCO_Re!<Ǒ;9zK{-k|S l WMȈʀߗoK[a]]<`auxKkx"|?yx [IM+f%{)/hʂ~/Tf"IEÛmb}簽p`GF[5QOXMܛ&`p,`#@cH <ܞyA!VK.w,0qd?x_$"v뱇s啽/o.Nٗw린Jw_gBg_XM- V΁ 1Yy`qPmX9]Yϩ(|YiϢE^ 8ZIik_*шp2*!)@ ;{\3YJbi:~IΫHv\盙\҉.dq6 bDp4~ky?l. ˀkeL {qe,3Q]'=@(7jYMJ&lg/XN@k1KFtd,lKzR[ě`̭X*HfȭjKdPcC\}'(J. )gc QZ198!x ̕rlW"I = E xI:@q;"τ>Tw16f8\ey.Jg_47nkͳqRU CAJlGL֢ ֙R fO "0: eC R2Hli'][Դm9 R1oOu|vZ\tfVHiIDHB#^ML )7"=ٚ c8NJtS^/ѽ[SX\Gj$HUO B{`xqXALi7_ <Dyf>zءs'd[1>L/(6^+׺}IrF8$ߖ?rҘ@S[l*TS%Ӷt^<_Q"FpٯAb#&_>*\ GW$ぼɢz5O婏hʪ;: oopq *UL>X/Ck"RsI{W|V=[ÙDVndAO%d[Ifd,_Am#~;Q5yAK6!c KˏohHmgmq>wMp).Bڑs$xx[? L"'yTX^8ˑX!v+dI86YOvB+K ߐSq$W'9dkyg(e_m({~ OzJ_pٙ,x@H9.wdNk:^W = 2 M~kcȩ8~U ^cV> [B.ZJ+n$F@*-WE-g]ґA( +?s08!ɳMhrRM߅4c )w/I:9*iߒD0~q 1:- Kba 2p[fX{scz1xv6 >v3pثLW2x%P͉F9}*LkU2oUޜ7Ƞ5œ݅t?'G3Mq| R ;ϫZx| u$L9[L%eӴInZ1MLF"v.>;x$ɨXVT22yJQ FB1}[(o<j:5OGiKn8" ߨƙ$'ͣY5ˑ9j/W=HBLa0ByŝEF=fx`9OJ bFd\L|p(gq9.bcN_AyT(0XAuݏ R_}Z2 NhV2O8Moq4 [GTy&6LB.LzP6Iz[̵ZQ~`Wd?5]J즨! `,I5|kUI4(TX62E`0S6֧v D}t3Bex $0kuT:}h- 11=$GY`aC[A'clNJܓDMYhJ4"Qt)WAnw;&5[K 2e:Ry~Z-`JyT6m*L<#^sXPKi| A?'PFgjrR%tSs+fq0D= Qy;Zuei]+LW"tVNRfG5%b8S-UBy)dǦ8pGs0RW8鳶op)`O4#SHCa"EA b|TGY%cf7ݛ\᝕*4?z>EO2U{P}|)Qa#X-ޔ8 Dɽ%q_@UZ1E\լhI42#8a's +]ÜͲ ~EBT* ]&0:%Urvy%{D (シ{{ɝ.s$wݹPvB_hp-)'XI/-'OyVF㠹@Tff+/kHCF$%59.: (܂k&M0zY?y%g"Մ+b)r=] HttE;iYMp;>˘;pWZ}T}NPiMxbY>YR+#-l':/w(WZ r@5ҧvNR{` 'hd>ԭ{]au6:Pb^{t_IN[\F:(/tɠRg8\0E% *1X41 #4_$c5O@mzgpzzs*2SOrT\A]Z9(~ϥ/kbbӗlbenu-EQP|N\Z)wH@,8gRXu룪ai^621YSr+E&J+UfWJƊhze~fk+o)}!$U?g;#Fist~ #Djc';P h,"y z1q UT 6T $F"3ict:w^1 _<`#‹o~X8y72d`8po%J&Qހt{RID='s+ 7rlcf>OU reEԕ]!\o?]jԏvp1n_TaȻ׈zeRNCۦ}وu<0]#,eRh߄/2?`fVlkIb˒v{eSB+[vbv YK)Ha$\"(cƮGE)*+[{‚rh~~+C9 7HE(6xi9ܜI>~m{" U`3ݷ#sOn+p"/ g!,R[EG|)%$b}uS Y3U93ƣfӼX/L㖜H;`u85PT %AŖ4<$1_']e/jG׀*9Po[tcgOXlP'prQ٪ZYlд̖AF>L:eP_y Pk! Bc#o1/!eф<<+ :7KtÿX%Rҁ:L!7n2sy; 䂡P0EiXh'tf-w̶AlɷDlElk'պf c h.`Σ6 $sۑgIȵ~0 Ns@k&D Y⿤T?S6?xN*slj}Nql]&.Ov)7coUOk.<Ǚ\cM@җ_E|GnPZ6'ͮ RNНH9VZGfq͸+uX4O^y;FgٙyܳA(&M3*4!VAЧrkNiEy2rl2_$G xc*Lu6hD})XET%^g(gm{FM| RݫZ$Zɶ QpV L<U˴\2xHG)_a#6ZWM{[?+yi %!QWJs;Rb}"c\T?gY-|ld Ke,CJ DVh\[}lf (NZy.ai'At]**;D, s4mSʬԈ0`=.Pz8[2_DЈ&yB'Zrw2$gp@;A*=ږD|^+dwVg5Qm5ln٩Mtg/_̠GIyko^JlгjdG)hD:WH ՒEِR ɖ3 jq ŢmQ@|)=CP0Amy08 i f5ÈL}NmzҤ|bD3`+yEBe0n:@lVn _:;c5đD`]@`=8|jvƣ)dr{(ZēZ$L%3>  Kw~н ~l^'Qupb/Neq >”90U \ptPmEG(%Zdž )b'u'8hbpS{.n=. 8wղz/Ӯ )Ny|0ДgJ 3NxtbB2x v GpڛKzLڒhʊIf'5sf>_?`ӕN JS&v<]ۓ^"o@b<+0pLaS$'Ry"G3-\qDfuj9Bz!mgIG֓PmAcڔ0f1iH z ^N e&kԘج~d [Tn ntZZdTOލhrT`ZJv_|fx>*@!CL{KSJLF-k& 8mPq԰Ge)/[5(ɴ09VȴૻYztqvk&;*#sɤ}>k#!!I${g5wǽW@7ۭI jp :_k#$ {*~XxW=}m>ߧh}Mk|OOn@}eYNi!Y@BSl]iQԧiuBɗ)u&Dz>_';?K -2KoR8V$-r Jo|Ƣ(XWqͨ37Ն_(ԔN06B]NN*PkcK+%7RI ='9TefǙox8E$ /Q> շS "/q)05#CmRqEZz_b@b}Y)6uZ-=&"_'FͲM$D czOgtyU9;n>X1=$ٻxfB_x9d~y YC0Liyƾژ 5nQ |A_ #%-0i|wƹbXR ªenԹ7S9l3QJ{;ZއJU ˦j ؓ՚-k<3anD՟ޮV$~{"K`vofԚ<ࣗϚfH (y]Qe *UY? I8s\>~RyIY:_DԭRHNɧgAi.zi _\v[2:֦*BsAT4JA:ƥ1/*dcvrnz򙧯m\uy s}$0/7;%C\aZ4`B 9Sm=>=m8ԐwKD.A峽jrNNpJFotԆ4<[{t ʰƐm1ANMaQ6pE"aronBTHi~:kxTU(O69;i7:?$TjAݰCփ* 56Ϝ[]sˡ:KR?NL((ԀSkh-O8(2&D?I})`ni(U)YdAF Z ժAIdv+ rnKfO@Z'ہuNo%*F4l_-🌚ۋըD7~Y8H-M !mg?_ՔwO>o\6j~,|AYY~qv_ci$~g.R259$}sʔ*7X|fՌj.?InMHO8W@R2^'ώZ Wƪ 'Y.k$3i3bodxW#~U#1.qb$ܖ@TBl`" &t(}'#Z *Gu^RH+Z!"̔v< Eg!BgL2}?׺m}JaC+(A5j(S+7N(΅SW%u5}[>ն:3PMrAoD㸩0o,@+b`XW| 숹@y{^q䃂kG9R0N+aQoO|vr E}.: \`T|G9F4N>!^ Kj:zaE/YF6%1˖m";y;9\,3Vlɚo"}&ʢV-S<5_b%Nݪ+01B%PTx12WU36vfV5;+ح%#SLh=uf!,# &#󖯼?u!]o5(32 :`,j ȯ~=қKaU_uz\ӖjIs2+A*=x]'py% U(>n1vʶr{nJ\π#hYo畿)f׷# )u|`oᴗr (S PKo#e4>Qˆώ)j[WmcVƧjsП1;eo0U5Mf Bs"Mf!`lGȚXd5g"i|歷7T\_(Ւbk'K;7}vȼoY)d8ȭ%g3PE)t4ԶAmY*)W.LܚcAoF1.LfɒکGcIt- ^{ @68Ek,QE+X!$;|^S uȞMjand슻4 ޞMo帖3Yį:W O2O5.G!0wP3V5#Kz#tIAhMxRXu2ĩowަ M&o};6to=}A9"c(nPtATg1p=S(&n"7<۩W|!dP2KT,'==uKJ=_V3FOTdGǒsr/D/NbQ/;FCFn;65t$n;)78% €aF~!^kH(2Ը6}j坿Px]P2ě+3.PJ|//_cErqJ :Ey$=Aaܯ>LS>k`@sa4WƺGQӒ׊z;C>V̋*`1 V_$_rMըїxaϢ> yޚdK"Ŧl֚vJlU**;z=ҍ.fAPٕvs' P |ryRK3HP/0xFݞ2"cz^tJ Oy -Xn,J<^xKdIe_H# a@u!A8n|'dͯ|ҹ IU=다2u7JHUۙ@G`{;uHĉ5hcZ#Al$,Ly #TjvOw^oni- v9][UUU!VWdǵ*)b2M)v[E3YfǰaѕMe)-EƬxݼ#o١5%_BBEzH,8hj{ \A[(D%`(o% vCVă+YKสT`1`xRok+[}7x{P XQ(C4JpxH||]:R=<6-`^ px|E5[[M[sHBMˎEr7_/VB6 M^:،ޘ1%4/ˆ$Gc`x> oo s8g0A5[IUR[fsI{%8ѓaq!^ڍF+,Y6$7J`^1u2gyts[%I=Pa?~فf .1t|FP`;)O@3Ղ)\pX9qsd,1R6vK|ITHv޶ h mwE6H(P}l =шYUE"kF!-,iXG?5^kGą`fqBf8Ꝍ[$ѡOИD:bBJkt&[z1ѷ *+Nw ; ˬ(΄ߚt5g]}!Nԯ>{ rcCeoI,3aB[O p Ὴ`|JEwq1dH;Ǎ^v-og<z6i* l ](2ӧvBe+$%4 /1H(W'TtELcSڲOu`=9H ,Iҥ%A(v`N: kvz-cb:/A).}w8)t_W65UħjwttF_rOg=qSVnHj.&ߖ*Kxo2mCf|Y Sw ?"fS4u&w<;p=r"}tr#%?*sݑ7~mLxE,CZ `"hv$1l([~S &gŠoDxFw\_-KX֒)[ḯxZW[f1Rב:|?4FW/4} "e:FtV/F<%7@d#εYȖ3gmOw1)T?r!Λbˌ>7 Bo$B۲q3v@\ίW%Hw=;ܬN7nEy$$\١=h6[,D!@}W]S_f~"R erq f5R^/499NFY|" ^͓իb9&]cؘYĝhWJ'&'EazId5mBsocﭗfoAW g9=,SE1$" 7 vĩ3K/'.R-Ӈd,WCdaQ3zrVFj ߆~ǾJ[Bs [o. ˘#ǝLEKuT2܄ 5$<͇7K(#=(b I}h" VnV%o ʹ3 hoXIXNpݝGՓ=pS{n.tQVbSu8vK0/w洡k=.p2} 90|@ڧM8qEeQvjw]ޭ^!7 WzE\@ qXУ۪̓luVuVh-;f*dq<5ݭ%[ -3ջnJh!gqH(q%U,ն3uǍ Q20<UnjDCs B g42*ջU\X^ ꊝ&Clٓ?dfbe'v i81-w~WIoIN160sJ̏(v[ ] v냭N"e1T a{}Cj.Z{P_UΆ ^U'z>{'<CG`%ƫ a+.:fj)L٭,h<҂8yd?`״;$LIiz 8,X1AVɒG|,i1Խ.fb.j@@p̼zyY\%_Q>Ťn0E멈;$,>GHOevf2+X#~M*yy@"Ƭxŷ .wwKnw㽐Xo^j]hd!$mٝo4}DfLC!TS;VNr`bvD~ӰYA՜_mۢ<\A::>T6$y22lv/MotU :OZ4%@`65ɖrb/= + ,"JհqטYwkؘm1Q^t)@"߼ ?LE_YDQecUic]6ӕ~;˘hE ^oƥ4}-Ew}HKԯ:Lt{ߋ񋍞%bEN%`jVyOy`ߧ< c¸2㚠FV+W/(iek}%ˑ-6ݗʉOrv8"&uPZM\̚ac[7<*e{'mSIsc<I2YrO^j}Af\1И%~AꊦVo`g88aW% *"x514O.ӞwCNB7G"K)k6+j$1vT {~9f>@(/~QfO'OcRgPٍ,̞hYMK`m BWxVv+4m8papňONQ8o)CRBX]?m!޻!e:t']({Oc^젶t2fdD נCme fj.Z}I W u$ ڣ?Zz"pΘvioLfAJy7z- bW*@߾4^ ӜWkU B^?V|Hײ2MoYSigUCj $qnO-d7$FOSYblwRQU&>JI-.Pl | -w,m &K 4~>#M&:uF9=aR- gBG&ټd$دd-wg3k^NF9jGѱ2aTYlh걇s+m]=H.CfE,e]m0R<d .Ey.{*+0wf۟0+c 0@9OoS PCZ3]ײ8yI %kSc: o(}(9*_xnR1,,bpaxNC9\O1=U&\6鞱y:2{ `{ $ꜚ]UUBPӌg$߿m⌗^!kML< 'e }Q]'ק?@/)SM,7? J!fu&rȝgpҌ3) ]jGeߔ&8^aH=%|WǺԱ)?4ZhŐ ʗ}($^VOzl-@'*]B09oq>_ #̕gN'Se?BA:68Ԍe3aV ')j^4 >obC./G:."V438QVneK_W{G75XGwsyTqߎq7\Gd1al1a("=b c7+x%n,G3S.PCCc6; [ *5fD-v~WqHչ: bM;c7XwibIm{lJ}(;$7AgK2q 2.5x%h.ء 2ROcWcNViϨOdD"c5!q /=a>R\-p^߬KlݞES/ߠlZ+$\zL1]eck6\hEbm]ʅkxDbs %'P1)|wC$6/* P{Cu^֭ SZ6!Ho<&@KT#pNtCa+_~W8uI/M0JQ8-mFAѶQgP%F"y}BOgn +QBzOn'ġc{Қ I|[Sȓg XK4%hsߓ? Rrts?p̎8Au);: RYM7 t7 BjjEy@Aq]J4\RMwEK9l7-ey&Zt`ł|ɲwΉb ?hq!{?~TCnyzUY{H'DB]QøTxc;X6o#Aڅ\kYFc!O>;@eZmx Ar~ňZG+ תԷB["nw-5!7g>iYL-C*uqM{+ѷ߳hnf,_ gٜ/QAUKS܎%ܫuKiI܊!EIh mi*#23YXGjZshͷhΎu] QV8sEҲAs?LUObAtUå:% oAkʼngF޻4#=L|8Ϊ;$#&aBBu<MCA`4̐F=H{ۥ\S$8 WWv@ƒO$'*X"Sw?8f狭UGH Ќj6RD#gs4vcA':E銫POf0Z~z\`8,@B7Ucv DIc0.z8cT7&`mdGFm+F)Lt/ tTq:Q C]opM/[[y` y7COӑ+#7!UuRU?=KZL1ˣ`\?;E&"]d-ʠYx0AHƮi?l-NyAQNuAy[[jf{ SXgG++Z}%@|N{rΉՍ-$?$*wpX&^=EƺCV;Uʉ: _kA\cp?9ݪ=dj]W@5E%ڃaZ( H;$&r!R3?h:]p֤֛.+Py3hu.zKG.4'cucjàvևG 2oVe|C/S74mZeVVY0RpAng=H iסG㋷FP03y|({tpgW+0Ҳ`;>jdov!kvU$TMjI. @]`X{0>#ǣoZ'kKt l@l8%pHk[E>ҁkw%엸=}ǬϏJ9<&ZW4֬byF5O7ч-H0M@Gf[fjx0tHYHHީ@H3x?L9׻@ FTh/EdX *wU'-g-|BPk5zm[(ės{ N[~$Rgts+B U >=ZzCSR]s]%wOmkŧy{ G`J[E %Nj)3*DL[z=NPU?x/0*q?fnC"l/S]8{~o[zW]aZ t^>%u|3 7gNj{W&Oa|WM,y X8uA6#Z=AALGIl/rNZ/7QYDvMr6ǀN h c)G ڴ,:&,)wŬgޏ^z%(į1I*FFbGI}ܚ.;Kb]yHL5-*E,c l/c j5KwO#deÌhO@% vo_6YM |Vk\)㏄GǸ~ q.O?l WDܙ'>~ Nk4%;C&5]vY|E(zgG1VR(4Ըݗ[:xDwc6-[R˜䢳Fugwy gS%>^|O E@|(‘-Cql^s ~Et /~{ޏ,gI?@9rO>gL+em2_)kznsPGwUye\[`ֽV᜺ڇL`+eٛ?_7*KōyznV R R=a::ֵG\Ƭ$>.oac 5vJq+ǿϔNC^" 3BfR l(s*vOu1w5Kإ8@$;\!grg ]qF'92~P&+`B <%Zaf殺bHLѹ.hjۙ1 O@,x3F:h+CTiߜ]9aPYAeAT=ݿ[0# ڎtHKJ6Z9!'V4T9mAXdwb.P{OBh&ȨwHHΒj[y7&:LQ-󮟦[NsP4}p4M_YNvN/F[cfkF"Yw2]V]2>! ;!=[.Ks() fbmDcWO 4V’Fڱlz,5=ލV=Ď`l\ Ÿـ#/  5ֆR5-rdi4cH{\`&87fh*`?)S]TNGkSrk!TLE^{(+)Tjp>VpjEI ԁ͢g 7f˶ϯ۲z B-GY⒚J]w0XtxeHv<4W-!v*)'"*V&BD;--ΩyHszJ|N4~l|-Ga+!rF39ڙ: IY))ۚmixmk;a)GΧ03M~*`{H^1s]%_ڈ:AR|6{o4F +{W`PKpݟ 좢׮4A> =L( m4Y8l.ͱS@He1 9)#6)" %yUZЮp. d ]ifN=DQ(Wf$[Oew҇VOݐv(ߪۛA`.3C@wJ;&ƶ^:j?]8;(JU{ ){Nfz #wd)ݻHTpjER)ݖnY>#RMwlHTD& 7= [&HFKzR /mGsZiŖtuوUSjdS6v \pxN)|Og ^Ŷf['bCxIɇ"/,;wuAG+)yN֜n)K|;Lp\et'u;a^vBPwg90tbTL@eSDp]mj8hwK?-O 20 ə4iTC~^fTp8 7Ŧw&sDj~r`?66O^4n<dWsBq[Xh-lyYϤ 08d) "L@(@ߵyhfA(M{,SsP&G A\e|iG_X«MT'[!6BͰn·.Tϟ,]J>w] ڎbUaky F wFʬ[ S>jՑTH JK=4tz&s[N(w?Fΐ9Flq RTBR;EG%~ZנI0SҘ іxzyU$GSR1rG?t圭3hfh,8?{9=eJcS7?3H[q{xZmxa2 t[GPT#8L0@: bH,?Mȍ}{+KdEDrgC&/د fgKWӌH*aEKpB/Mm Ve~e4v-4DL9qM,K;r%+,W]wRh"^ Os1|""@_U¿yT='׃Vq)6Kv;ނS[ 6%ecMndB`{ܦ_ yͻU 9&;,q-p9:*W 1р 'j:/sU@1 _A7DsS*<;+9ɰxהSʅ?S6\K+s E rMzQb5)Edrrwﰞɼ3y(xXsH,\o:w hzS؇(8aYů6V>4.{)@ (GO_霽3NLv,>hES~݄y suR*"SsKx.H{`ٱJ^_W[_2Fdn"cU]go1:":rnO2y v]큤࢓?z2}@KX,mt1mB `-G(wj;6?mDl/bSJ5MaTiC3CGp2 9L7oz/QN-+<)n(WU{=ū.M$n.%*UW1nYf[` #F=@/5ϫp 9I"k"EwG:*HVI90!Uc)A%4M1HF- q<:##8ڟ:DR[ .<k vK#Ayw^lS`Qr,9U4=׫p_IQ|邸nG*3V+rWވ+6f1?FopaVy!h2\4u:t;]>ux̀AoGm6w/%ԉe(yXfT٢T,4TBw;Nc%^)E9`.r.s;m L@6LF3iNYx*zRU\/d\;@NtሻpȩY i->x~e)cS NV4G(n0B{353s ȕP3W8.Nt6):^(I2s8!J،m(GOCzg๝ imDUD\Z3~w^zB^qez2 #PVGnѐ12^]W@*dA_7h1 4(׿KFD˥suޗPaAIFt5P{\\1pblHHzq:1ЀE[:GUR{V6?DUϑԎ.Gf=4Թ\D; Ν+||5%˶=7ņ9ovɖ-Sjy4sB!TLbgbD(Ju-M,OlYcƁNIrx8ӯZcmё>UHjDx$eS \vܪ}i/9չ+Cyo qÞWeim+JXP-?iqr5-kNkO+7n|Jؓo]f wguyW1;%">_wG< 7m٨҃m qvLc_*KYÔ|쳷|`n*ߚvUoۦ!}5S_݂OZ*jSo.s;?-af+BJhV1c/%j0?1z_ϪvVȔŲ`FI%~QU6R!9^@P ĸ~MTqBϲ9XC:rrU%i #\f?\4?qFg*VM=[YЙѣNв4, 7A@7iQ5cpqS`;,S0:Wr?[=r^y["4UI?L6i:J^+4A4Vե3Z%(N?z< bu_M̞f[˒3pRjS 㹺DC:A\<ߠ]Om.߷ ciʹVǚ2ZZR$Rՠ~^RـGL2 o:w\/8Jپ?WD#SU&tyu]1D `B Ip`wSpi~ -N>Vп Cl_t W Q=prΠf~JN2]sxBTm3 )f̗#Xj)u}͆pD4X(G@#glAvE5=Bi&4N̬RX] +Qɫ\u{kpyb 7y>r\̜AܩX[?57‡^4߲[12f`WKz>"ܯ46{B YB#R{7?ރŐhVΥɢn9BP^'VcXk$tW0-i$+msxm*7T00#:mB04˱8~ۡ\0/M$|((}hcE`!vrs -F!™|d<2=>drVdg Ͻ/clP H(T\(%y DfW̶ J6Һ7D3Aky,K)˘@1bvy[L9'5}LhM<8j-/bi;W8Ay\-bHgD/9>q> "iRrz@&mBX<^+zwV>᝘^xk(](@bA>j[D o&33p3jmYOmԲ  J rG@..ojOc0f>MhpYq(,鱦dO%|~¸\Y/ZEPz B>_j"L,!9 `@X.@b'4sySM _&VAlG hds ;Zdxj?٧eJ 77$??Mou1V*K%P 6Rp?R nW deAe$P(ղMdQ;`>&}/,nC,&@CuXƼV3M`|Kgf&n´%h#`ܙ)eYzhz{t`DRxQ/%țt@^b_lT,i=9X:cΓGy#I9AyiFq=P3}0=<5RDCC,kϽy͍G?-_IŒ|7":gސ,)ǐ\ё-V(˴haԛj%k}(X_+eB‡yҔZ_L/NYG9Ep:,a&鈶 qg6J#eV6hìe11'WB9U7AKQKƺeo|md =5aN@'(yЮڼ7pz! ,Wuʭ]8ȶAI-2yO l@;!anM8xH!^tlD1r~`.o.+5.4*.q憐]0`-пԝQZY8VN dg'mw#Bujc@2$*?(^VhKb'Pf* Àr!XrP-EO%?aX\m&0I'(c`C)(5}N Cʧ!.X__;}bFkR]ѻW='fBhH*̰1HaFG1# aj~ ѻbue 9#CXQ;*ER2 f‰5D MT.ITiɆzfTQ,nP|Fl.yc.ʦh  %Ieت#1MAF\y 3BVt&B TO1㫦W1#_oe0?${`l`$|:._{]r?0GcwDPcx"z>Pl%7 3NCcrl1:׍,Apl7fF!7`v2F \#E *lP-ֲ2 l]*H+ř AG*Želq],;%I'GdFr8dyOs,6^ޛ6xg—>ͲmfDSM(evyJSٯ5R9ChO ̗ZIi,3.1yj.nfaǾ)=-13p`ܘsNh7`!۪' M?6tJ@fc Oe3r_MuWa boo#felI6=ZNcM&=un^͈r[ UUE՘Z>tDvtpFpe ^2vk刲zNL>MjyZ&F{@䰎0~AR.uD70^ߢwac{#]n= S=.y ,$Qڱgߌڐу(ɨU]s%,Pd*@ʅ7>+1&!o?|LVav*IEqoNcyfP=*1'H5/ݶzq"wl+k-nj#.xx?'u {YٙMՕ ZSÐNB>ueC&p3 4#H%;47{f܈'t|?h ߪxU-2vkg1 6\2 PcE6 4Ǜ(rjばZF uu1tDKmn 575VNjxbtOd9F,B ąiӗ-bCuEOlSsX9gO]XKЏ4*'Jj \`H ^8%Ou6vaW۳v / u@uk$ZdK{|:Z3:(3WbA1GPjzKC?QTpF'-&,xZ-Z$x IePb@l 6^AVv1@nOb}6Q+D Љ~j 6%: Gr%ccdwt>v7s σ&S" AYbsLwojTgD%bӵ{-UC!ZgS#!tDNz>k}mCϓ3Tp1Q'8/X\pU2Lg`.`: k^a7@8cڙݚes>%[7DjJkjQ4"e^l'"vX|߾.D p8c}]ʼnA[*\I1E'$O?žՆW;KKrD5FQ-P4_k*?><͖I a4kU`kRU.ljN_SIY} CȵhŃ2@H>x }hƹUx< . 槶Mzku Ŀ g0j۹\ tݭgLځؚ/O޲0O֡_U%%}&-Jw-PP@?H~hL\? }LqC DHY\ xR|NW.OK=j *W}v.SvRK{$T6; KOSY]2]ݧ|}-~ UsʒO[y^wzXkAq.7Z[4zxoEPcC|g<#u" /j8xT;bF95Y4 >VFns)+T_NhiN*β~$G'ӳ:s:BUK>K!Hj,&klԀ-ēZ/ 7M[ yIB#.ůRɓlzoeRJ B9Df#>lF:Ch~X{%c03; mT~EDKS\lt6[ukF2\r. M Xۅ,),z<7c>}Pxzꦝwti6II7CzWK: F3ثԲGpq<,O&IA2D3ւW " NU_5 U:«Ca5t.No$gY~Շň4K$Qjvk"tV@S|U,_bæBh*4LƑ=/!E/?R6zVB{<Kt=_ʚ{֪</1ryKTY'a d XZV "mM>J8N_? b*GЮR-C8H R4!V u̽;Hrಈ0iCb ^c*TyT5̍w@4gE686>9 ErS̯O)&}x.^і_kHXaAru؂δ:T|& j@K%bGE޲}S k SpOuhw #վ?zk.]Xc=qpj,/~ $Kr!(L_xLKw5?i܃R&`nmJ"~"lp铯oYS|g\zS!9KK&>C#ϯb+AQ=vy7Gs#9h5G\ %:[nm (4{blD& `5/o`9/wuv4}*s3W?p<;o[)]&uTTm w$!ўrL n= &4}6WF?ܻύ.\,~*AwAdzї~Coj,? vxwU(k[+H)hujRG*ϊxz;SLM^~`yԅ3m=CE]I׶Y?-5 po"zATNn fX/$륔uP=JtǤ͖W`uC$0@"qʞ= /Iu|d}G˅;nj%؊;H|yW}uևڲ~ LM49ꧥ|NVhrӦ*(Kf3jϷ6o\Y#2|p}-[B:֓],N[rFH2(EX'tW+N)]݁/2; _ $>F@իs MzXpNFr#kEuԀ1_z@!4X DE)0mxF4k]t,V8 VSa,$?[nr23\g|6HW;ӋW22<+I)Xbd<Kyvrmɺwocc[H xfxIOڲuۦ}\.JG0vW*.7|N04jh]B 'wLJ_B%8&.'@RKu]'[;|(FNKB~'4H/vt4UIj!CS4ut0%f>ég o6eA|`oXΩt7Ϸ4xf:m'kSc*(Ls-zIfnGƚ^Zzoj1m6@ӱ=h*V!-/4ݟP.sy')EvEp-K?JP8GlZv틛k/8~[=7ٖeȮ P1xd洬| tG]=<$"1mGlws!GH6fs_y(g|ÃBD_9+㵔Xg2F8/d8; U*a [+/ FO䘸UYJgLo d7@WhPc4 'AmmB7# ٗQ\@F_cMqBLCHc;)>hK jևY&M7 .Q\w{LJq>[5'OpFEfJT ` w*ei&HO _l*4'q>,v(= _Hw@nCFJGEcUMU;*XFE9':>zX [0  nW'me7ԳFLL4s 73<2e\t(mC@/eGNLcU$<<bfdɶLWӏrk`֩E(UvgQ9 *Os<%l} dhzʑ[s{8DGz32p':Kv9^ dKqwU8m @8D(5@7'e L8i${ݿDM?ߔ7@NAӂpdA[XLu$3ev;gORWԾ! co>EZWɽݤ ե[r|A}9Qa/ H1}$ E4%1#C9Ű+sޯ)W-L:i)vs)L|vn^\\Ob;eaqЍJD! _CPV1aCIy78t %΄u7qBǺQl.ތLTxuItR\RLVm01b~)3ܤqh3b6)RV֦lܲsGlkZ ffW]*18Qr5uUuk#4nCԆ:;#jhn|OzĈ4 ;>Mt)*\p}a+yX+ʑ;;i)v- + va(og*\qDiO1Dt?1p .P̘0pd^qF,<_L_ndɨpiG8 ōͱ%ZB^8gK>P穩?pqdyiʳdWY9@q6zƕlO`\/\sI2 H5O>I7@405ˤ.+3g,;1[Ucf|D~F|F$SB .Gm2E4u~Z;TPS*g7Ūk_OmmW{7:7B|wRn5MCB_w3 g~ ,-K?Dd rg<[,hdmǍOI+M1I BuJNI}€0)O^gV8Ae@wM9o6NwD䣜cAp;(ĵσπsvɢ;h2*o›]K  ?ՑBklϦPUzf x#]^=BFnOdLHft!BS6IS),/ChFKrHVĖތ-޲TH?6Kv?밞Fb0ƎA_\f ^N)뷿U'$ 9Eʱ!Ļ3qk[vכKtWUmT24ht^6Q^,d7ALSȲ~ڊ^enep%*ê6$J?JP2'7S:{[C*/l@߶jjIuDK4\+! ϩGvl8> Kk֮JS Ҩsu&a+_eCD:e8^ZRˎ6YgHO ^jl#wSm#˳*1#Y f Vqe C/J6k.[d*-*ȽQ l*5'qLow"$a ~*I{RF?R3+p^=#VH>=OЮ)t*E}'Kt<zw%9p#D<.6lGE E uGʁJoW`ŰeWޤشwh^2˫W`G"!9/M7R pc*-Lp*v6?n«c0E(Y{CQi'txi%!w9m!ͥ fBRD>tv+V}ͷ ͗:53X)-8T|U~}ɒuyU%W'bQԚNӗbYR^? Mɞ߲en[=jU L,`kx <9Gg=%.hIY:b x+zq=/WûSn=B]x5&Nl`Y0K,_ۣIfEnfTL=mgeVaVya$`S2"!?1?o3wDs2)7HK/I.r] \7qv~8jz()x2ևk1v}M|v`[֝$=5rvV-ۗm xR: d<t̀ FR5֠m*>ƥLdGi2OsSv95(MH3!umS8͐I>Ys)IC̈,WBw̪ ;}Xj^7B4#}0Eqq&^`MU0'j.Rj˂Će0=Fx[u2|rjRO/x,Q~|MH/NxO"W]ϐ3$hD-K?x-s9@,2K-<˼؄>&A%r& JuC >'v^6>m"JvqѴ vho&1KjzwԺ#T qU=iV8it6 "~D\0} V\#$c$au&iZn.U4,Z>p-`KۅډTU5jޮw>꩑Dʆ·dUzsS : VQDI$kvRͥ51AUliӔtAuѨX e(*t.IBь!}5Ə,$C}Ȳ0_-G("ںeO*_mM+, 4b78-)i-Û/VN&N;|gv̊oC%3N3."y~!LJ,<=O&}4GA gΏi:O4Zy^5)7ἠ{yyYcRYd tڤg F`3k xcH7as |CV2] vVSeЬ & G`;P<Z[p2$3p5fLo)Tjpkw4?3̬T1^341N9g 3Z v/L,x-|nbWǡGΛU"B#mXjs>w./ VbKZ;y/Avnk%5o k6s:˰Q׏է)(_IbA|nb j3_5vSi d3my,+ \" 컹DFH-=6s+̬ԞD8>LP5h?ܟF6@9@%4 )Z$>7i&bW@_XGԢrlpWڃ3<ł3x\i7 8gBMZ^Ӕ:ecAgJr̃hhW MĴcg^uR̃x* &nPLKYzۇ)~|I,(^ry`BjfKxN@JHcFQzq 2#ǒf x@h Jf}&PTޯ2Skʍ *2[[94Jלď6[?v -~V#EiMub UÝ>>ؐ;KqM$ RfA3NOb0$WTe=`ﮜZs7$|!z/MudrG+VS*,<)Ÿs  4DI6M Зꦂ,3܍7!Yf#{|S-*yI$6A xBo$Z w67*!xһhз_s]{rym0 diO+/hJ́v0Z "3v9̊J *yŗ&3"SH6,`?0൏``]oxC''aՔ>>~7?.պP[dEjt^7ѼE_TGJ1O:3xGF ^4yil#U=q'^ҕlF6P,FM"o"LŬeoi!4Rt% 2) 0cOڔ&?pT(=%%o;+#(ە p[$(l8r.›I&~[S<+v+P*Ms fas^֦!}8ϴXX֭o$~` `l6) ȫE'@~Qxd momA#t1C"^eRed09 rctY7}At851GƤ4nJ5H4䲖x 'r|w[ةԷv>W~w~ O*x듕,BnV C'#SDux(MȢ*=X m"gcK|N%AA>97vCэ2 g0N$;cK_WUct? ,m\"JN1ۖB"FG 浑e$SvtqC`ŝ jb)>Zl\,qUSVȮJ+&PT|[U LQS? Y N|CkEN!ݹ:Pg\ֳ_N]6 D}/^sBJ^=#LŸNk齖PC_ób͏Hj,^pMcBE"vh540S IHv0GQ2J,Gp>.s-鑗?e;!dN U`8PbCL!!8O)ssnފ" 8!m֨:iwߊocl\8ov2-=&)+6$lܠ`I9RВKXa:'t둅r. C Av~"t6&[PCr5BƂv&oQO sựwcSqP[135,6] /x+]#C9C6eߝI&Ur(?dmRl9ʪCKwaF5&%0}IJmpB e"X;XҚD]䍫ju?u7_Ȅ4~Mc_ۤ G.B>8\e=صvI8C)5eVp&1#tHZxzCG_@MꀚeYxh }MtF렾dgNy-JHBXz]#(w47qz+o A>Hl{fRчYG/^Rx߀MEB`_,)ӄf,KXIf;gГٕB(ƪZ8R5G0̾rZ3~S=/Ypg-$lğ)`)+@]";<>_gx6ELѾ&*p5e|J3/P=(&DK1l6W|ֹ]ڵE..Bw#'[ 2_c-zBc0Tb&VM z'GKf dy@n77#hnҕL$W(7*âj&PMѣGjF:}xO>gIY=׬%;hq~k]olKZJ  sĵWSH:I /yILY>L9yh`lG/*HvlJ1`hTvՁZpH]0BƚN*Gx|G~"הEEQG!W·pC7}x Mh'"~EnXQqm^ޟ⍔u ۭO֐tUc0 DMc:M  q9btPk#j,jhs]86f.A;6~23X g#rm [3SQb.liʷ}%hc.F[Ӛ(Lͅd]@9ͅuY c_&!I8#R`u m]3IƇN^"a<ҿd dI!=eǑLm.ϊ.b1}٧A2YᚋVAV782tI!g %9L 0 oO.fx$2 ._#,\fxia#]3Ӫ sU9MgK3C#e_GxJ&B?ZnjM=rt{&29\lâOm"rD 6x9sřA\X kC7ׅ\⎽7?!ߒgx`l ;9Q8W?b)C9^I$*@jQP./Rj1染 }('NkQ҉  k7 |O\H46T1V̄em0',-2Z#c6kߌT:R HNM<jC3aJ$N đqL]sɹ"UMlrL},aN.R*v7!).,U÷\],kx E@rq]mHvl 0f{C{N-/'+%(yVNJ=̝%8ordI |H:Y6K]r& wH+B\1eyW = 4f!),yfE"Z,/ xC&yޕ/K [ǀdLb,F'RU 0wMšTUڏAҸ +7n6 }Q2pzC8<*v :7hZ<4kAnAXtcHꊀUN}:Vt0 *.z"2 DtjOMN JfׯF7lc0xhʯ++"_-d FɅ/Upv$ΏB*u ]8QwxJ.@ye:RVEL5DCF:*Ճ:7ddze <Č PO6aILΉ(Bǖ`O +~[:4NNRF4V+H x3eQDDƫ;/EY"9'P'mĊTK9&8} ACyIKE\$ 4؟+pG6SN\O K].Z:h T8^}C*JѴ #2|'㍧a =.J܎ Y.͆\/mL(UOq?Ydhz:Z'CYkNL~9/zElq{`@S !xsu^lcAح(+j6&ʭEDGX_7N&Y\3^?ߌ9U."wx8k`A[:*7/X=.=)_\$j[0fIQ Q3.18?Pyͼ^O^}3e0w^o ZP֔ntgϪ%hXFcjo@znbn'ﻧCƮ٫ xN;1kW5`'UXVpVҾ6f_FtDV/ bVןFpB>w盅O?3Хfq¥.*W>Z;#1Ojv#UIH˛GXKg3&㒣@OtqXSot_%yeǓQ#{z֌ݛ.Nyqw%v8Ȝ}Z ot.TC޸ |$|7!˓& n?G7၈N_{9+o}w|=33WvL#-O8 6!|OD`ϴӃ!e[)#_H/_r.Ekt^I֭2Q Y~.J$5@!:ӁY3Ƿڟ˙% 3{xk_MZ?0x iuόiM!~[s:~&$( &SBom!64Mb< 'uwi\XX nƓY*?P RCWsh2ulryi ^qf.7o|3)Az]%ycdBdɉjrðApm{`'d; Yg+\'ƈ2;R8u[(!bfW&:kYȅYstX$+F>V5l %ɇE]]Է}Ŝ~lv^u!F{?axtMmL\SI;@"9{sA]gauH5~V*wU3ETL?n'r+/RvŒi-M)y\uLApu}'P#(.;#3k.-tPmczVƾٯ C>G3TTِJ8OprY/! JomYPoC6«D نsʹ"(?8"MUaVxcssf#Gf mD8p}Tw%[j_1eT>A#H!P iOunc!`y߼iE=E\c"{ucM9T'kiwʻA_, c_=Thr ]"Oϲn1dz[̬Tu5ry~1i]u1mǢܷy~!&y٧;8d"X].T_L/zLj{Š_7px`Q}`ö97. U^Ep݅mFA~Y?M%(=ĸD" /57gx]g@|<< q#K 3o 38mOnjZ3de2Mtnjs-!9%us_`YgD2"9 VՓL*qbQEDmDȏ02ur5z:hwNutBT` dG#ެb@5c -]N%ɽqxfH$۶I헽 d:=3O—Dr"Lv&әn5Đ %b;ٯ@-F2FX_Mɚp@ ` I/3ר_-1QeՂUo&?.~YD M@y={}aM<'m``n@:}*s.άpH2i+BMqNpd3Me"A3N` lj{nTlCijH-%}3ZEÖT)'n! 4tc< FOly'řM鑢[tJA xן?0gz6AaAL軪^GpJIR0;#s5eb AǼko ż5yNf:M ]P'TE*q00st^W,oTo Yu4ޗQ<31Ł)O-7NwQ@(C~lqjkxZcls&6ֵ/X4u#psˏtK6:ӦZGQQŻQ8vJȧbsO׍.:fjlT%nY؛tI@3ΫiN]zറ>bexsԩIA%y0:КL:vmMwH F~SƏMÌ`99TEnUj0 r ԖnoSkZȲK{|17fN<ɢ^3iCo-]]5s`rŕ&E{lI`#`^&B.چjhm+#kVPs0~[9y<L݆t7攺3:$to540]W[F@9&K _ṛs[iW D|.4m:CcsH szR[5rSS_x2_Z#;EdBAn~Xnv%g\XY((_rwb.@!F[[z7 Y%6 U44_ aiECG "坅=wDd[%$^IjYȣ-}gXYyJ2.)ғ[ї1}΂  齵[d޶=HM%/j3µ7D%\ p!r0[g&N?,QN O 7&zѰe~hvxC)EϬCNwz7vKZ3hڍ_i+>]'lԔ~ !5i'1m'O<}|.Yg(z+1ܯ៾JK·iwꐦ ht%lMG?nEl`w!s>auy׳8_:p9mQhm͔&>:N]wqE)Յe~FcZj 7ꔌhsx8aS%'0"]^~0%R;uLݗ]OǨ.p;0q׃v)(8Qw*b'Q!yD9ʏ#li7ڡ@4%,4)(23Ct$O яA[P@ܥ&*ƹlx7 ]EJ5$t$ }MZw\/h﹐uM~R'}a <]QM@H䍦MՎTͲ0*סec ˆ%IAo a1mTH,/ Ve7eځ z֐+1 ~TQ*Ȱg+0 n "WE]@yq Wi Av?~ȘZ=yG)ьU\悷%L=f{{92Iȳz1hOxW ,~HB:h7D0(CGV,*='avXqv,leh>1V!CzT86e?vht0M3;Vx`~H!m? vVCY4ۇmq!F/e5׹q,k!S@t' DŊ}nv#+ :3쭘v䂥{;/M-G`=yC'1ٛ)ڥu# h, X@'\Y搜~R z}xyketw ;@k7tL{'2LʝM\MK/ჁoƳp ^+bm{U +iN TW/扉.Dvl^_,ׅ%[XӞBzTon|~ERƩ 455'=΋gTfć9WbµZa r jIOP;9/2^CRL&* %L6\eZ``rsL:>>N8^KMRJ&boxRa( E)z )+gI9̟?'їoA[b5\ʜO_6;#h[s07qM^4EIϼzk wz h'*k9:EY?Q&弢DccNg.pci:#=c>=xh.gp[v,h;_70Wȅa֋+rm1k+T ζ䪝jTKin"1#}H15_А`sWȀqvge/$c|?sH* |v@zZ#n{MC 4mt\#n@ע5SX_T"6X3LI8Q31b*`O{L*>_5 |*ړA~N$c9bynYY0 ZazpӗJGS]6s]W]r沘]Wմh.;#6gh_ba[$`[oJ?q3OW^r4G"k՗r\ap3*܆M:wz(L,HQu$!av6̽ 3>SޘgP' @nɹJ 8V؋@G#|4b@el8P{#S6nTiglǗ|6%n&"-j:/'lC֣wRLe(5PBS;=cEJ-cCWaͩ&3@\\5q:?ܸ4LfsLklN gšrxtP+4N'N ,6DŽޕsq4Ij@ѤUXC[Zw ܾNjkhcG.BZx@-] Ad`]h#=%-է:8+ff?I:,mn/4FP} zUsuQ-g*`@GQ+H(qyѕ \˂P(ҧȰ=|ےRַ{'wY U\ nn;頵˼DH;+/N¦ `/}K!/NG6bHtj^/UmBxk:r 4xg-Ui:*@"pt`+{"Ԙ{ 1y>䳠d:3<˷JeZ jt8(`oMy3<΀0:-u{T" sKC`%?j2|9BO>(I!:+|=|{|ˊ P֢ ,^Qޛ?]*{Ж`>Uznƈc ,rO%ɿB&YO/]|zS'*X#vZqc0Mz\3E_&&rcn&S(xzuB4~=Mri_ aa2KB0'V,Y91af9d"#TvԀJ`}^jk9S8Z*_ze~L8jPCش07iP*&*#a%`## 4Uec p^צ噣BTS@*BܞhC%*R%|׃ +L&_o'rBU=Ԗ`g,zȸK赲:XCV!ZrXʧF@mA5FP-ɏ^` ѩO^ 9si p8>Lĉ6~U{7DWZ?M#ӃbfhX]]et~0'DEA[=w8B5~,0{i>,:5J [VFT~f;T:LԔ6EnT~ϕ.TW{QK9+DRnk*1nb͝)\3 Ltzo1{mR@ѿEDڳS젒@^w\V_|g}9y:BI|'4oO+enG]3bzswfN= = 7pMl.@C;V^NHj`VsHz^saV[z3V9 Ł\bˠgVb.GևVIЌFѹ`W+[j=y(wF##]zA#ӚKP-W][->G@ȑlAb,t8{ BR 7d x)dǤ6|  /+ޅV󻽤%h yw6=qBЗ1a/r (K;X]Ƞ"fUO_Tz:噌+#S{j%ZwcZK a?ؕzqD(}cqwd?aZF#Z>0 +~ϬBqb  i k򒪛ޥ_1 l :)ys&1.EJo3B\l:fAʊPuXYj| Eōf"Ŋtŵ$*F`yQ|e_ІvUZscbeHnϼgClf::$jqѵ6|"V{c#LCrƍv&Y Ir!y&æɱ #ŦIދZXL ؼT %\!Bݰ%t 3sl3Eml@By:?uSB=1n-2r/w1Hv\uzx ?R 5L/=D?"3 zA/$?0`D'I+@S]UCi1Ҽ)an" FSRR[ta, V=U vQ8eUI€B3{߈^lƆ\GtFWԧ슯kwg\G98Y _4lg[1v8v%*=!WHUn*z|7f}kRNf_ ?g;Z!/l,(ܽ.>`(D-iEd:fpyqx|`)UDN7̗(_W*hh`@CHvz92:pxO'$%Tw)` r~oh$Su_USܺ0ጳV{uɛQus4@\R;2aK1"DVY!3-',q_Yc^A&wyStK ό|%yk{᧌ɒ9̮h\ p @QזW6DF lځ3ׄI@T~{vѯvcΜ\LCu^ {/ j)WT._)ٮBtpFɋ>/o0t]wiQ11O(kAq lDF]eT`yZ_:$ yYkC˒ hſ7[RLP:{g2w+  ^W:Id*qn '2ԪN! n͈QX\w®`!(Z~UJ^OH~*2̿͠3z!s8е*E$0.fOJp33_ϘٱT&"8|(>0LE[gx+| |.(dFmM@]/픧wqO"dzG}{7 eBǥe>p:0Qt~PCRzU\ CMè;D|ΕnhG%lk]%Uw灘 "¶N@թi ~'CJ*XZ^>u9%U|gc' m++b z/L݇(<udFC_$7<#q?ЙO?WHI,ݭL0",#c藤v"GY duaïy!g*|J|s\f*~~qF;H|_c%ېG,9)XߐZ"͝ZĖB)jN5mHaDd!E_;WGޢpr5̶ଜD7C;1fj4f ZVIs ٕuJ 4 Ʌ\r >sr? cK|}}\-&TO%rv%h?_&"_^D)9XR%>p [@ʲfRlmg3ҙ /"t? ^ cd% [`٥iw;MnDtgT"O7]t51X[=f^Md?.2,RgDfb< JЮ,3 ɉ&aml7w"p3H-$*w Kel`Jugc{ƽ1 r-X KH6h)6 ,,ΐ4Imu4W2Y'TnAMOJ7Y"W$1uuIʭb}}T+ JjAKa+פuO  ؒvw(J1 ZS!}&'ĥEOOՈ5 q P"c(QRKGi^+؊5)@ޙh%PlGR*BX&5/`qPfU'崠8f2ꞝ?'4V=," HuB.٨cL`vȇѴ+{;*'<<ȝ|ML@Q3bJ;Ѫwr2sEco0! 2*$ Ռl1!,L9b44*jFdgyJL`;'}镳H |3׶[o nPIUq3)*9 m8(Ċ77Ё!s +6L\fStcٗ;}Rr:D0!ҪɎa?C|8o^ۃ60P !Co#^Tk4}\~ 62`J# 0zڞv-6SIJl&1jF:$TVۗU7aTh ]s(/娼_M>"p{r:3RCcD1dEcr,DHQCD?Ӹ(xNSۄ.m=ǷlDMnXXSvȬ4TLʶ|9-IbBogH f\'s NfneXڋP;M, cзrӇ\ #i of].q+3P_PnxuDۘFz= i3XA?ݻiOq,Bn۬NTSX &{inufGdO6?yX3$bm=[+)'ث,: z"iޅK#-NLssLhگw IQ΀# 9@T{^]v#ѨLc"0p oTF=/L?l\w-]-q5.fcDŨJ {GGrС\ BI5o k00ɪ$Xw/r[ 2f^{7l? Qnt eF;߫Q'iEC5798-OmkX[Y!&S9,v $Uww7Rua=,Ky`S{aWfdR/l4e` /Ng, =[q#MQ^*}iw<HXͱ:C+$mUɖAZᎣIs&EI1OmdM=v0(֓٨._VR-Kmi5詤ħN>G6\3NLhLu|? ƖIbc[+ip@kpm@`+aby 7y]ctWF5s\Q;~KNHV9{P/@aa(-VKH=Yc%AH҆ n$1:B U[]}!߱ p;j. 6qDsGO>.;h"bݑiM*ψ^ erW+c LrlMQQdqHfity\:rF K/c*yΜ.\_ٱ3JV&.lMuQ{l /'D?iO._tw.Ab&.{qlv)ק3`iB]mLR}UE▬dN1LmreNc&D.džx^W-6E^I6͵1c _GЂUѣo\ԯP\u a.{ ,ˢ/U:&υ(JM_;B7Xf܊Kk8c 1קAJ9&Y#M#S18훬5e0凸b"^ְKo=/:ASBvg-:㗨wTۍ} u (M7x!iY*|6A 2-[+ܷ*|K"P%Yjvq8Q'ۋw^$rmi\o5MI2HAFR Bz!O"bs9!prD`$r8&I^~5"]\~hƣZ>AKe;THjݺCHybw 5R5rN;;-W'P'kC!OWzR.VP0JDXS=]372կPV@E,U#bD4ȣ.^Z;ID y}e"g!&ڭJ{9<ϥ>Sj]QDԡpwLmI_h9&`7 r*'a?I|BߊfY7k&Kmv"!TܿǧG ;&{CXx҈_c,4©rP!c\"=mxV_;zngUya?QWM'JӨfa3/g0/րaXku;mhXGuصUG(b4kdogWf6yQGRj&#Pkz&StI(FU٬´L gfc$Qaa1ฯ@&5FKE5EE TZ<Ȋzm)wHjxTI5~<#/i%Z3Ũj֋䗟,{oQj(k2DVxy P*ٌF)Klc tg՚s"-U J+<4Jlbh53SB!oKLZ󩍴5#2=zh.-L-]G;}2-O%3-JxG&4ө)d`}V7U@㒜~ ӽʦSFY3$%Zvn&y6;nA. y*#>\GXi:R=5-k4sI*lYnf& PB^Gў;aGTzԇ)@uZ 2wx P\[+k,DZrJZB+pidsΐdcgųXat@I-YaL=o Ҧʹ6aDJ2꩒ G))}A+{!dfւK؜49G)ͲgF+uv08M g5HtfFHqOU40@σ2Ϙ$_.oqT?U fղ8HAGҷRGpDwAj#N7n 7QHUXct+ZF rQE;=#}̅1K7_36Xf~jhe3=*9M z6싽}ijm' bRpe bP1Ő}b7/Tr*RQz1Ier1xq|Al$Hp|33EĐ$K?rH^k# YqAyh1w Ԁ&qQiy!Md:)}@;B_6/l(t3TsC^&q ?˯d8WGY+h/V|&V`*N%2ѬA'Yq{(upF&i UH?n0r-NbA:ДH'9T*0њ|;ە\E *NGC`SތTAQ;*T'KX#61M%5SFO~dN wyV3{b' j`{8ٲ3Kܸѫ%c*n-`MD\!~߀De>FviKB2s%_fk(6GYP XJڶK^_XkbiSxԯ&ݻ"@k iZ~{xW7˳Wu_:2WDZR|jNh7m_+ (HLhhql27xSՙrp`wSKna0:5DbXjˠuahK!'ȶ@TlΣVBU#8۸_zȴ+E}P`Vb*#dMg&N}ϓ^0cWN Cӏ3NM.1AX6 , 3J>ޔM`>eAw ttdscUhu9>~#|63tozP0>(>5 p`zA5bTDa(.u...3=TET!ׅw:y_ٶWmo39)]U b279FA*wŊ^njs?\)/4: l ɵḣxTیkۄ`MgC4ޘ.9Υ#_޿ybd N_bho{[ށ,G@yfN!Bט~| e|nE`W:uZkiRfOt6O6S6 Jx;Էmv9 R(4zbbcЏ1N|:<-7`pQPl/i#g-Vf|y[7qSHfK˵ӦW8U+dޖU2R^{1eИv+8J}MG+O/iuE4f_ 7F7wc3륶q|?e0J޾==4k=Je/vd`dqQ{4y]>,TZSH\:<:|& |Mi :4jߦ&LޗLƼԲ_;['ǗN~)J(*EzpN*'rH>qO# 1.DZ f1g9mmgfzʞYT^ %fzBLD[նr=8H0P;(fg"8 ]Vs[#"6<ÿ,Tf4{3l:rK эkI~fg mQQm 9xy0Ԧm _E]WĐF*6kK2$۽TY,K~wG12q'&ÍcXXp3nD1R̂df]' +ym$;<%#>2 Ozud k|ٳ%>^B:Djpێ^v?4wNnHH X\>2HvIQeۆz N6}uw=a^kH~.P>3CTF$4w,U -k;uXIЊL!rA5".Cxw7yX:eZ7wHi:wjT>a`t[*LcЖ ꗱl=2cU+d\k]P_`sC`U\9귣_8HajC69ch:H:nǸ>11,{4:dQ85`xjԗpEvrcjەLC%hqn:tH6xߋx|+b2@~>) »+H4~?O5j qw5FVd.:T/pX9}Mbrnrn R )J3Xm~_'=^I8zր+CkMdG&X-/e5[ЏꅆgnÞfqrܢ=L? W\EKKnd?q7)mCߩd`~6!у{|W_Cyĥ \k+OkfjkҮoŔ1٥Gm&b)+*,ihxgXU1Gwvm܈|mVԀ/wdjGqEz%L~60ZF]%,yn^:Xzd!I-1dp\q;A#f%ff}V- @J.c.Y]j`3OkOc': ŽJH'EBVT9b\HM)7 ~{ u]ԄY,?ois;ƺCBm]scHc>|PΜz 0 W=UR1D0&LhVwtDG# }mˠ1L𨼌%MF8uؘX7(^x2Ug଑?"]b)Aޡ!0qƢh&Sb׉3 -ay oA+Ц>*-Jk]q{&9iDmJIGgV1)AL_'tExiSJFLM-u_%'Qoy]tfeݴV"2<f@^-'a2;#3!׏8D2)3qt;) "^::"\]׳y5G뮯BQ~[o2=_Ceki= (hpr2ъ6d"-qdNl\`kڳo9R_+lpƿ[e s5`!D'E"]F]l<8pjW/0V*/Q=`* #qmKTiۤv{ Jfͻ Bf"fP.'zj7\=( 28i K.վ B3ɆΈF}l1XQ~IhS=[4 eޛOxrP;*mB $=.N}’: j)>mZuX!檝OiH($y68XK >oQG:p5=;gYwy'ݶXI*Zf|od~ƅha#bq"Cl~bQk68)Kc}f/G@#~;J\Oz{o@c 9$ h.EԻ*PFpL.MלT&YpZNNѩ-:tzg;GrviG˛NQ %儷5kbtH69ž4_ڙ] _۝~Qq̯V++y|$ƥYա;VF_1Xo=w_0*9R|3I珆OÊ6L?; 5H6f"Kyp}*~=o^JC'>F@7OHszFL v(5sx;i?v nk dp;2?.}Ȧdp Lv3Z3+xv_*]oAh\4sQq_|B4*A$7V_LoH ]l sE2G&S~r/*fС+wPNy|7e ? t6Ɣ[+OOK)sd:_S}w X9tmc4[rP-pg/'q/~шlI~U 3`Ջ(mT =k(U4o"_vBY@ "?15i#2X) :`h}yK`?35.+)( Ȣ{aG^Х-* &'{ƂɺbklTP^*% zw#p_Z”HRZ$uimuZ2E/NGu+a՚&Ϳ !T6e@JNG(ǧjݱN1*𸴹pً9JGVe*󫓔ЊC(Ȃfwj5mk/vQB=0;w) NaEe5oLaXk_G dyy{-]wy39R!yϫP~Ѕ2vShL-D\jYP"i m \IJ#I['1ﱋvȅP ͏]@e MI C^'{SF5!5fs!!^YWh5 P!Vjtzc{h8M2mdD+Es}Ɋ߆f;ߥPn#2Dd wc/)mNch܌I6ϤmyǾp,3s^ݽ|$/W|l_d Il?T}!Z!mjy|zN>AO j3"_п+_9EPܝ[nbPC:Y.k 8z;rciN& eV"S?Fٝؤ* %A#DʱV1b3bͲ!F#G8d9GzN<};%=V G 蛌^ 8/5{Q: Ow Qs8ˆ:J  T:).,䍅ezt>{C~X.᠝4%a5E}a/it>9!yK>ޟiK7]w akNSAjn@D瘴>@ӱ?ůKگPSzq1ҡ&S|d1"gF$~j7@h\ .GJiȮ *po^S&{S 1)okQ=If<`%7eu: (CCzgjZ/Ak`݇%.>mG/ӛ(H k9fT٩Qsl&L6KݼURS#W|Sm]PGaLզ.}X q. `[6,|ke dMR9u<]XO$ǞBL7s]jnr% h/E<-& 5::_(Q KLjtفP?(cW/\mkjFY|bZK0o2}RPwZdz.wJS0 ]Bǂ!Nքe65#G0,qxl0i%'LshUh.8,Yb8I.2a`c})zߞ&FZ"osY]E ߩ˂Ǭ/y@ϟg' EX,}/V>J gBi4H[҅몿w fNBt2[_icy)zc3>TUXtǿwe Fʩ:R0.7]ZR%{Nv >߫\#HX- !]y]V QkvRM=3f%mŦtVv aؗLf(eЯDG2+WnwT׵͂SE)2 @[EQ@"^ww'!P.G f_yU3H ڹxJR8$KO0^;%V*Ϋ36xnR]- ~pp9,o3wKh|U(@[4z&"E @lUƒ/ $_^ qC'&|II"&a(N9Ug[4Wr!<Q1Kݡ '?D"^ד0JPomnki㥣/HNe]" /e\(< dg> &VqY.DtY);$iۏL37*0q&^D ct̓qYҦ;2}}MWR[iJM(MgBml>gaСmIf]>Uqޔr J-^ݻ`X!^,oNAo`@{䠶&=v`^oZWdew(L(̜j"~K$I˫]) `=V,wTa=Q42$(MZ|$_r B!eA0\ % ǕT=nY#5 fMZ˜(DEi\HgbB!D /!Gcel e@豈wXy#ګX;5BӿcBU>Bv7SQ8&/HPԡ 0wx OS5RD ,M {|_I˳|1[Γ2TL- {lLđaqpdC8v3>oU:{xl"n>ySkC& }2+Cڗ{E/(~,Ӓ"= ۚ;l~('z >(Q4 1-27a%(R܃#P7b)5m-]1% 'HB-GoEI*}Q-=hI@)$gu}wpM};gٮS@O%F *K fX O> i_"q'HKK 2R"p]2lHy|,#˺dCL}ST4@z^r{ /NkQ ǒcr)-jny&}PeE֯d~Ƈ%HhEa'Hݛu%r%"(K6 t3ZlUz~wNZ%_o2c4" v%S]H,mC4BӉ]u3 %J 2bKCbBQFyG٭|-b!+aFd08>~TZY"Iqey̓?2V7+%^;6BaSYn6mH-z%z+p|7(mpnb_s1CK*4*:Pw6G ̌g^YKrG8̽n @$ l-VmsY:vsu`s(S4㏂ !G6l{>91x fykXT]z!oP=剹Qx˩-۵@!?E嗲yykO,2&/2r?qƃ^^3]=pRY4Q.6>"^obX,^F~0KQk[9(T>,)GXUk Y,v^,}@Yu0+k)l1u-cvJ TDh :yJeO"s (2q.~9uВ肩#$裬Zo4J&^D\WP!N`C?A4 =ٸn>S۹ ;wX4X9ݔ0V4D]DYb_&CIM};'a.*^Y׍i2RN#r>jχPJv;3p] ~.Hq7pC/K$ĝwݔK|̬*rڃ73k$ W_Kxbs"Þ~IKsdʐZ [3 HB**I[ؔ6tWL=T:O܇^d QܢyN=ꁽ@ A@NT_-NCڼ|]J Hsy3WSEsfbp_Ju_dxGnjM\͔tKPPYV=0!^`@0>yC3 2)6Ol7k6u &n u6'!%Įhe cμW\.|9[Qjɣ'">3co@LΔFpOQ/5#{Gf@^5vt\dP} ̑ƞoCHS_?:g BhOgߢbNќ& N?WyHIAud !-tqu!e^͓LiwIRbe`=[`b,n*.ѶEI9Wo\űzBa1+- 2L8y -"ִ]ᖘH l|9i3⤮L(1ڒ 1snmc'PދPn%֤z) ݚ#.D@GEt ;T FA~ħINhҼ'Hhy`tdYuJ#6RAS,؏ʓe9Hf3"C1]U34&e h|:^S*ௌ`{&*BHo{3= N\_@^w"-4\-݄3GٳCh&#N9ᅬ)\_lrļb1SqYm%.aB>fo`w, ajKA~X 1-=̯Jߘxi7ȿĴP]­DV ԝ_BI^-KKB&}^k7mM_2\a,¶B캆Mi44s7˾uP8<)t| ͐C:u c˳f>lҼ"`;`JP(%3d0 7Xg ;~B! sw`nR_}e{'W)R? +qIOzvu1!fc1CuD>p k{hAߨA:'l) ˪`K EW/zs6&'Ir .c9ֵLi1ڶI]] AHG5˥ }[\qQs5&*C.Q*-+EX~-y -DB4AaJs=ƣo7E"~p1&\WtG_!1KUBT7+/(պ ̨؀uX?Oȼu7uk Oآnäឃxd#۲)X㋋:t@Y<.N_ٰ߅Elw.E4v )z¯!&fp5hcJ̶s%nB0p~$˦d.2 ekL*$_ͩZ 9//6ݨ=,:T !C_p]T#ǿ9I_WJj|s*<Hrњ\8®XQzf*Y2kawϑI֟:Ю v{qr%b01 |S7 *qu`w)mck+8n<hWaU-. 7s%U{¥E̹d**S0Bt5fzo.҉\D[^ApU ´`m?wv-Th=YmpAtu/ SxСR Cvs$azN|.b8xM2Bꅲ(izFaysOWm?i: `[: O_0X;1D"}wBmrf[BuǤ_SN +4TiB J`9*1 ۀ($'ߕ3&Vtf`b'iwgv|> P/td[mӒ\Gk/LHF )OȤJfOD:x\O)2I| g@nt#RG%rgEh%':@5SDzLKŸ5$ ͡MP@=Z%5[j2JAH|ncO #p3#H+`) pH;=ߋyVMu0AbYqFJيGW-M u #1lƁ)k`r%crE*H.;"-F'_OoDD`4FT9d" @ƴwHvHI2[@}_cfԗuy,G.pһo ұKoX?PixLձ (=JWͳt9] gז$8~ s-\F%ziRlv7>!Y&':2sBmm%ݫJ;"8rkjim 9BO!r=KOZ+_NT6a. j"oShmQO S!Pfg(2ďs`?,_j/Oxӥ.@yC 8RVw)f}HAmWTg?`BXX03;9Y{m*yyn;$T'+4+.0}$GWgFNܦ>FbUq|ZhBRg:L s-F~^MHK/mHKfX8V58%`[:,k(NqQ T /8q xD% "`C.$}ߒv; wkMj~*p $&9pN[evd?y" "4 hYlAFwBNaA՜G*evOۺt~mYX eGg!qd  ˤ-9Lڡ NR2Nt! _s(2mTǑL*~1练( "n"TK >v0խ |o*C'(Dxo%3&r `>vL9/l(F- hQ@=Rh.>_v\ UBe0t ]GXBMgyЩp-eYѮ[p~9y,D%\|m" "mlxXz"Sm2Pa1Ǟp,M%tMziJE˞ө H>^(UM9"0\xJwdoB D1V0ɦ 9 <سXZV'Q+6x<֕ V(O?9GG*, CQՏS/@f?6NɎ$#t2zx<%1#7b|̃ak]GM3-}~]s}wqȈ/HU.>e-[렣i٭7n1F12BR\'\e{۶A H` /hGGEGCJB!4Lbj)p`7,?|5FLJù#G4Hnw Q(|̘iק2~9H]yfT~pN1WD[cxx̰fH" U\Pa0qGUziI&a՗~uA ͵aK 8*ENhe"^j@ibrР=-\z{E%i/UD2yf0P*~*jif3^^{bh =|1Kҕ>#`gUY߳L]U`oIAT}wprky|R9ؗqNF'蝡{Z{I /3S7]-| =KwLh?9t #kQU M^ޚéA@`YLهWM?Qx3`ضB涄-̈́ՇMQtkp ]he1}:fv%+A1^s 퍈I&IcZ1Wd ]n0m"KlZ f}y4{OCQ[>Tc-2oY/Y˛y4۶Ys=u8 ?tWt.(&LQRyCڮXب{#`zwdσ/X+Id5{g͈9jH'l`ݲJL^,kf'SZP7\+q!n=%}Nz >w)I &VT6éw)|q;st86(d(T1gyQ 8T+QCI*ߔ5Zfklom/^KLa Z% "G)i׸_ϑˊu{dwJix;f ȺSMw`ǀla .ܣÖ!V\ﭽtl4+q0*e+-pG5&=d+'2Cu ^RkٗֈrZ" q즊8Yv8-7oїxDiڱ4Og (4\Iƙj9Ov${«kb՝B}%4$8ogGďHz"~@426[Lx8δqoJ-6#hu gW *LuE gUR@ZOqCq8kw2n>߸pR.{8\0jT!e+nl0MMAt_)uGNިa^I$ITPlPA%iaj!7SC+YV "8I"gqb+k3S+hF'jyxl%06w3`ސdN מvH:ZU85NQ(r M#e/>Fj>[ZO{9]z/?b4sVes< N L(&C|ζ|Чoܐ-GѣUK+Mfe gu۴_$f_ d.}/)'9X<Ǔ:$"Px{kVd 1&PIbÝKUW52XG<}I']C񍈇)S6TEH*:.o3teյ[6!\Ԃg8խ5̤(ZX|R$cy㋂2iǩ9/HC\wBxee6]l=-l6i+FfTDBuCM8KLp 4EFiIU`0]ܽAo2}R)%JZ9SD{I4][VG I|MY_U qqo/tf1 .C|bbf.̶Cd}uH/z־-8ts~?@khH [C{ AM/ԘA${$l`uz8l|UlXZۑTױ)M1#f Q^.3r8? ecO+jz3++@ٞlxW!JCK=9KPʺQ @jЮnoWL\Cp&]q꠷i^2*ܜXFb-NŴ5c窓8+}-[[r9zC;̐ 48񴌳 ?4oz w*8Y?ԅ;R|=m',]"]j;&>:1 Gv_,)>v!֖XT+dDj՝τe}mI] >Λ1v5hrLUQ"]ָğ@4KϨ; yctּ@_5- Xrf5y-9JF}rKodFPy>` éքhCۍ?17mOG08ሕ`H]hAtC>jfuC]P ̩GCv&٢( ^O8)7U'HT7B@qK[aJ;+ R+LF3( [ 8DjK ^j2EA 1H{>bok|>yzRj=Ml^DW5? pt]ۛ -t!X|F@PnL]CQOڑ3'qDdT(u\H |[Y<& T{ok"wBr^Ued_S5ty*LgRFb@ lv7؆>i?zG7y3KTZ1pkHZ SْSmN=,B6t{5C?VZW h+6CPB(T? ߯&?]޶e ނؖp\?0*3S2B_քO Im(;W iD-cRl&[.62YcΚCUm6v;ց\k2Tt.]֨h=\(W;Mf{3 G1Rٲt3l| bL2齲ۅ},?_{QfS0Dl M($1*hO6&H>SVB%fLv`)SА$;ޥ4&{7e#) LPVAR^߲@rZD;c,YJT)ْL/!/l$aą>{ CV< Ut.q4ZItR#(bi+xe,՞ŴB.w W:;q;$6nx,Exo#betFz6bqI h J';̿ -_!2JWzOw{7k \́{$0;*q2B}Uo-e01>;vHg 4<~[&<X ;"CnhU+%>& &*,ifMWv>KXZ:fӂ+~HfJ?'4Xhǧ6MC.YeLä;-%V,0)ҟOe?&Ro?\ۤW5 d{߻2W莻Fč#179KP*YhB%fNr̰*% u,_zT=㮻a oQIENYXeJcCWB4S|sNw6^_Kq=\Dm7ݾ0Me"masC%MJSXn7~`!&9 =muHGhkc&<yb,50J}-ﮬ9hDM&e )VO\̵ p)Xt\_π WmJRd2~g%":שttxʈKI%>̯%)B4G>^/͘^q̧poNaAE{-b-!^@{ I @3 |.Hdsflq/Fm۟Fy <I%isLR}N.݈EbI[}~&ޕ[HRJOZ baEA~BTHo 5>;9-nVCpg`4= l&)rdKgrgʨKvT-3i02&R:+mk&!$ҝ;Ȫ6Wj*uqUVOΟacvkDF*Q'AO\_=,Ů}+zzXj}RӟS\#K(=^@8>i l \O`glk-.P^Q+GdZ͵0U/1oPǶr#cn$dWQ}ok.g4K/miX?*}-bsseXn|6X@kC6W_l܈RF[2D]-q\3BGNr'rg[L֑di[ +rdO^Q#:ʜx[tq> +##˳*ΚT\(zfu};y!4˺:'9,!KZ7 $P@ "agahX,,Bw@3@ᶀ(I=Gv?<止@z6­^W!JM>"nb6(LZ3_>h%tI.{2Qv/[NX+ I.a3=v/e<!z>w"U^ ECPq~@f2d \1xʁT-΅ϝNPOѬ?|G4a_+.cwtz fReM?bG %L[,1UNYb`=EF6P_CxFC$G:f\y|>ff\bieg,twpă˭(}AD7"wm;+A.;  LNlY9.!)DA,RL-nDOn{6Fذ$x#9v4?s"/gTnyXIo6knW\Y%JC 3gBᅤ',oj* ͊SCEM#'"#q∜kkÏR sN[ΡD\泐͊e &9+ D3HD"WAHS?)_ٺEHWOxV/&#ml2KswgxST̷?gӕ7]{H?Z(dʲj*}\bvsw E3u%xw79Z:nLf]|gl{|`zjfWS"o9q\'a 7zt]z saK=q͌\J~ |EurU'/BpU}̔>jE]Zг.Uևh돌Sv4D8 )|,RWY7(?2M#; I:2ȵr=(Y䬒AuTD}sQ~٤e.-J^=Ƅ".= Lit~u=| B̏#Y<ԚʹFc\72ҥ5i&%hMRT4Dt삊wMNqoXeb=xRGB#}k?!K>!HFkj;o )_fQǜπ4go`mQ{ K Քܟo*\aC7ȜE5}vDFɦA 2Zj o5c^9a륫|,A >ϑ@ =?GsO䷄11YWa:׺;5N8ٙzT<-sx^K,Ja:x#O[wI7O_P< PTd9$=C#A5lcDw=ͿYhmكDŽty{? tb>+1zcj_13 :`*dZĒFq)JIKS5h go 1$ jʕ&l7,ތH1'bn`' NMg0$WUj=#vBT"Y>0Bl`0W`ͻ7쐋h[iMB&(3/ Sm{!5Ak H~b^"X-8N0Q6ʎzJm0seچ?M:ǣ]7&4T' jۖcI =_?ϻ׋;k[2Y)@ôK9 R̝,'τ+Ctd~m K] ;R”:L|1Sa|K=x׍@R,ŒwmT±Kp` @/a'ފ 0]͏9+QY:X>HhF+GC,)nx$.;j|BZQ̑:y$zE)mxHxɱ3莯!ť>I#^ B4\knzH5$FiQ;$y>m~@Yf{Ip5[oP֦=ٛ};uӞ }Tt+0Qx㻧s3`GBG& ,VٜrLk7_}x$SpC솴ɺ0F5 AbP=ijLB al"᧞H(ܭZ慚TV:44ST>:|aքVOomiV{@۵9XFMӜ귺j|~Z|oY @[n泉68JU :䯾^?@}́nӪMқ_8i)eK37&&VoyS(K7S&~C,|&AaPzxs"2\D>z*)c}V֧?&D^B^.=SE l]~;}G7xQz<\ 9.*ĿE)˜nf&b)a #\sQvaFa,foؓ4$˯s^Q9vD؈3NIm$hBj4&'9'+;&밭n-_g.Z<'>S ;WL2<&Z I^"PI3|p J0xp4s}O[y7O15w{f*Ñ@9Ҷ808[v:}-!^ט!e<xEH~rjE\=9/Q~׍`\u3E!G_nM \17F Xj҅Р`+G+'@+z c>{Ͻt=Fd}uȮbmB!W?]5/M4j7arhYɸh&Uj8km=Fa/Gd* ΃A)PuZ{ϤQ4y3˖L(Rgzkz}TBmfnE.S4RF0Ab@Zj,aϙ92NYFsxT" jqjA)L!2Q f]bI#Xڤz?`%Q;GgrX/kqp@V![9rf+<.57r$ lrH%,Ƞ3`,ftHF4SB(` E.̦M wT}iIم 1hAݩ?w`6|:vԲFFuq:=}f1lWW$L8XmΛ^:>^v< r)`ձYlOቬ (މ,duRj%BZ Ϫ߉0sd Eo_`Պ`>/ hTxLm8 6 "Vij"_ e6kM€8!:#}bn gIpͬYMZs?=UhjinY,7P9NURR~%'?|~o;  ,춆IQ@0ׁ3'0REg؈M~V[=Qku貺FK.I҂w ~gb\GT M6[xb436QhGcW21ӄ'(DXV+.yDZ7r ~:MXJHj}iqfG_HZD JGoc̈d4Z`quHTq1_.9\? SqႻz'[Rmc fC A].w߸4% `( 9 _ C| ! Xa`z-*z5 c6pSSJa~0dc@ k)`lP+6cLFV>QGL!cuoW/6"w2<$=^ \UuN+摍')P|>{L|?OZjMLcA5(֟ `(c.X S|/cդˎc@B:j`|..3![X񲔒Hg|aB`SjU3~wRT?Ϲ] tWDƂhTKJ^Ph`GkX7`qOchrytN!bXWS3=#iQA7(P6w kHHe(E$]lGH]@|Y^b"̔GP. cɧGoȿ9u $50spFC&!V[ZD'ZW]}`hr4F m YZ5IӁ~pyz 7S掴wu/fHnJU/npBM{^2c("lR`}j( Ae}SD}$эQFwDds5ޑ'SV,[| ص_z yl_Ȟ Sj'%[dt_֜?wQ|/CĝWpz#lVzʏ2(8_4Z&Iو4col:OX|ˏH;-{)^eG?W<Іu/&q5lvif hUv&U rLVt,w!"Je7ճ2p'uѹķ H٘ħeJh/`QV4αUZYޔ<8?$&4z w3x 綃1\XK@!_2JFf4 ]VKLheŅzbG Veii*٩.ա:"9%?ICzu`6vVП?(p*y`n//2W; CMKxbm1ުx+ U.Rw/~ 3*>!{Ln\cɤiwt!Xu9bJPywmh`b8ƪ~%a嚾Kw"N[fr;Mb8E@273\Od4vMӨ SCޖ5`.)$@M[bh`s?LYsa[E֎T$ɂh2&|d:yW-r ˖Bk8tN F~2R5N%΅51*j7Z_3HXQ (X/<t,7atǓڶIFTGe@b$e;~ ڃ -^vV-Pי<222N-6V8;ٯ!w)d}"Rn5%:D=IYs%Fowe.BXK٥)۷`p˕'E:%FMy}* -o= 펓ya pm3:j6v+%o to5YAKLfPgeC_4Xыmե xϸ7J=$U 7f&(9;`a<=zEY r#EhoXk8^%ңU6`'"m=,N5 DU+?A8OO/=-ިk~>n ox3VNB_[7yţSi%gr&UK<4D`%R(o.rx:.t@y6@( }Lyĭ*CY>_ijj {P嘽-}H(o@a‚SܽʾfGU7UTob1X4н ;77iQORem{J ٩,_=''ߐLe~0vic2x"cv\lpC0T-͜7dW: s-]l&J4Hf(>Iy DX܆Fքϲl0T;7(xy}dlc;rfc+yH fTQӑ; EbV $0UaN8DpTϷHbd .YX}͸%%EIH: WT%jsK7Ӫ[OCG>t5#kܢFLv-e2Sa㢛X?S0W=c:y6&M$w(i/?=\1 b^ؽvZ_Tȩܴ쵸%Nǚ1};˚>T0H^FL씹3TlΓV0jDQ'Fjl, 4~{Տ_,­wmp5(alj_nPڏ6e 1 o+8J.e;WePC̄8/6&4O}F D<ʀDrg;ǻZJk szo[csEjYs DT4US6݆n>dW:qpwmkb 0 Hg ?Z v 02(CJe!Ce W w8ޱņ:" sr-ai\4j9>`;R?PK)8t@.L/Vy(AbAp ܬ<׻ۃ$^ dr(Cf"EDU:0ow>Usv=0+ɛd* \M^DIweȟ53MI 7/ 7ӥ{qj+4%t1) A{Eh(J_#Hg/3aYl-PU~R( v vq" ;+bοIxC#o.UL+H3lZ!2I:~;h $fؘ <mR7oʖKogUӘ8.'k tiux \bm1sU qy:;ϯU,筦_;V2a]7hbS9jܰBԟi߹C+qh i]y=]exUTq2:@pzP`֗ɣ<Ȭ\t%ߘtҤh5;leEv#_KZ&t(f+gꔉa~pZ/hӧ`2슉Ljmm{?8>P<[+B?4@\=-;մq70)]L$8ܵ-H(gf;m: *G؟$ay> 42Bi^ѹol|C^I|12rM'ɛ9?'j0 k- PXd$WGu%PJaװBشO3m_/*dAS@R8R!ٺO*.#⨌¶_RLx0@ޘ~o'IR`nogv Wf QaETr.~+}%NH*k*7e?RJπr`}Ҏ|w3౽S8W`Hbhxuj ̐f楺xxVA- z@xͰa#4i;Q2ktTV?_~\bΰN.h|Ӌ@m־Ku½֕oL)"܆/ۓ1dt{\4ZDPQ۝^Tvp#J)b>teOZoW_X``P2`4>Q80˥<^fIt@$Q˦:rbQUog3\f<,7TK@}B-J'9Q3c&`# n:LHlz,[Ӵ,trKD{ -iVFjz?+z iT>@7jMХ43${RqA˒;( WRוp!b1?e*`e!K޺Z?".a4kBPj=~H$۶{2R%FQPcðpQB 4=|﷋SpH(NH2I?S$ۿЁ)\ u8& dDtT@ 1 b+Acٍrr]5ș.U.zpIPF vwLߺy:ffl3M[D3.^ܠ4cC٫<;,O0(X6\rDލT,}H>ԇ =[r&`9 )@ +9[vٻ02.TfDY_OO<;X"3AA5ɐ8 1N$ra}]fy{O2CM!=fܔ+X-[50p U }GыQ+d A3#r~5/ .VmL uX rxx/#s4rXq1],hb%4i\+* Au1 y/ɒ Dg?*t< SF4r&!1S]n>Cm |O߫R^RW'S!w F!=3BM(!W[A~u,~MOn2.z5,`V{"j3%Cm,P}]XYIWe$a*{^z0,djD7|VdÝ蘡FOm B׾|>C`ZƘb'/Hv'X IaW)eUyR~џ(\`|b3vЪ0 o]6ͱp#d[o^":@D/G:0Tbd#-&T %w} [AQ#'f"ms=sg4HS/b qIȻ?7.6"._AT~L@[bMTM?mh9a#xR WBiLCJh,Fh 0 w~L0B<̐x?gozցȕA,Qq0qwrQ??oN"qc$ѫ[s9BV^ˇ(,)V ׭g g׬e?!*5Tn |1iMlk>1fbDOG_U^用!cx϶W}t/\_$KU_B}"<"<hX@8^]YocY}3x.ؕ6eM!SU5RC=(`ET5:'B\y{|**h=y(No%F _z`"Ǽr|~-utXIⷾ=m}*"rHO×Umi_7@ G Av¸_ٶoxn⸧o\\=SA?#R? u)KtmO]QdZlW^`]mJ jo4o59c 610܅v.G!ŐYb{~?%*1FpQ2.{p]'L7.9V5|A,s|奴}rA\8@zOc rSs"4A*ẻ6i 58O"ch4z[s b2ȫp#Lm~r>I$s>l6OfJ&?lc8#z}?WpMZ "wxwEG"fKҤoe_D'lzw1\s#@EyWN`ޜvY^/+ŝe8tj8/5S~q ?`` "*YGIqTCuu'q8e[ٖrυ lv-AN0Fy$J)FXnVRXp 'N :Da =c$ ɋ= 䳻2ޠׁ$R؛#k zJ5xd*0"AfP ^c9Vd n ^2 e*X]k3D6ps(i $ Nu>WlXX?<!: <4v^ĘUpOs#// 9ɂaiC‰oQfLTcs q.Zfႇr<ʝO1Œ뤶%AkWqu"h`|45'S:6`M!I[{4Uzߓz&UP<)tT2M8y]qUP2 p0zci$qRצ1*W  RIByXCmRCJ [ZwmU/=G5'E(q]'w!W8"[ H$Gk%DKn=B0YQ[rXu;ykfw/<&8"XcrfK&TJt>Z{8xYq~m C [QЋ_.,{.6 "WX+_SMimt6͕VE?`` sN؊BﱵkIYR~#4`mqJ]wSQDɵ9ĨRlc"}75XYnf&C7m0ٵZND(/Dؚ-Ƞ=R-2fEvz K+l=x3F -͍Tt~*mߎOˇDB?&迵 ?nbi!3SdEZrS@ЃŠn5**El]#A(#RLq88+-`fAkh9sAb8e W?KJ}:ެ"glZ= ۷$r1$j e,Z?+?|~Ҩ%M=!\3b)؆,B6:.B !=@aF_`4V |Ǐ,50HkodR}aN WU[ڢjQ257NP[D s sxW@Vj`b°R]P[rM\Lզm}n=WQjONo?… LIha] S pKrɏ fZ-V?ͨ/ edwZgX;1[b>aq`](Mؤ13D"fV_}C,T]i0RK3,sf&6ެajzeF -݇CĖQ{hLXsM:$)\[ 5' xk~yGvżjbIYlDChHV)S],+nj¨{,Y](4 eP=y\Ҩc_ЦyLOC|G!ױ4+Ê<V]K)܏&0:a񈁠X7cLiRw.U5s094>F3b949sҞ3aٟCqUŁzzjj _7:BRx:ĵ*IyAxn&rw?YduB>ִrocwO seg E٤Ŏ3+>aENwoaU)U=p$M$y@&ZN)( ;Z=C3tqŎ\$S͗f*i߁u6&]T=&op[hIibf茸 gΙAi!KFD %|[VJk~M,֭<2Nh2%w.jRY¸o[*@n`1 EFbT rҰ+RP̜|: |Z"UF~s0}=8K)TH+t|ΞU/7nYD0tq[w?mzIh@9l%nFߋV2v?fqUKL[-a[HXzeFJAYkv/HT1XUCߙ,ٝC$f~tLGA[Zj(0bW ṷq20&RG2ܴz;6CL#B5rڣ%4[mL-6Ա0mdؕnk0Snh K;~=8Յn8k&&NBFcD5?=[H, SmTC")ld.6XZ[ڿcFJBxȾƆGU5WE0QnI J\|up*<5>.VL<aAP,T28 O,2 @dwDfiv!3҅4kvia8voa쓝K,le!!]aգun qtObܵI=wN a7Fv9;Ѳ4փݗ_}@٭蔪aú aΚREz]"#>܌$iB Gڧ5jx)J9و$PM)%6.e$@`Bb6,#l-JOB{ S=0)M=rɵ A; .n:;)8=^<P(Ye4qrjkEz=˯^i3d-S+|_}Ŏ`@"ie1Dp9*^iRwut~M?5r#],<(k3ǭgyd) <H#Ahz vC2Vuy}Sz."">+~S蟊zkW9A,{M估-]|K]*[=úC>@~ "zJ6M V/zCŒH# F1<i: PV}u Ո}(BhE#f+]yӌsNwKk;KD{KVNôYa7Xn?Xx8ùSE=f֜nKvBWdp-0 6t7"_>Ec? ꘌ8h@`1'薯% c:#Z$o?!K4yGSIҜD"s )[!>J͓rd$;ܹHjْY"[`G|/ؚmrddwf2XkJoDuލ?7 0/]Hz^h˞ G˙G&K;؋ܰh ( &!mլR-"9r˯}d]SP"ZfD.|$&~TLwiI)breu W_ż22 Sث^VzMǠQxP05Z]ީv923DI:B3WPg%ˑo}=_x-GR8PC҃~In:Ԥ.YB_v&d> JEb`;b>l'ߺmlJcȞNC 攰 Y"z[MQIOSY~6@T }A'W64>N+=J찎$(%k*0EeݰB-cAf(ߒG~!m6$jad%NE9Y b0GMm}!kKӔApN4VK)+<X.pQ5,g ~ ^k<xTxц9' K8m%|%sL%(;X .;-9*"Rѳe <mP)Zxl{B >!T+\cd}qh'0=vnF< DLjM7"ב+#ݪy366:nf1ᆞh'( {mi{EЪ:H`s @̢ܺߋ-# }=h7$Dv0hº&5v䪿چcm![;Lh]Cg$+YYcB DC *=%pc=!^\p ><ɯk<:x<~-h Z$a*P8l{pS[lKU2{L k/wCuf#o3eM4peRntO mKΰNmKG.[2"fiZ5G pTDC UMj ZpT2`qyÑ~dDJI%wc(8&m#ke>!%' Q''\u#6Kxl,*E@A!q_`QƖX-77ݍ=dNx)M煙$w@Gm܊z[tH5:vI?]wsQ+28=L0F,;ZCkc#vq.`P"r35!ϦCHCU$ 2JIVݿ!aܭF5/ᄃSЮr)3F)}Z&BsrCa#sҐr} '[F )O0&9uq>*]_"313^ڹ7[`Gn5ljiahZ 5ƕ+SE*  ЋXJL`kJ|0,S- yyÑS7W|!+~DzljU1gp MhlhV:!(5`~Pn {Si;,+g_7_DHTNmQa ,kT$bArR'e8gzFR_Xg(QUVE(;O"m"&4vB;Z8u zbS|f/+[r-`NiCbl/R(ڻJN\;yBi~Zc>UG!k+\Kv]rt,ZAȪ&?يh$xU0E&KnLrZ>L+PoHROD/c-$oG@Gd;<qȤ>ٌD%S]C2\H$" ڣ|s *xи;xDU6d9Q˕nz_lК"-DP[ '_QH_7`_"\'pFB,);F>w-k4K^x^(S˨]Ndv]srM '8(24@1"@nqnڗ"զ 3."P `<:9Xڌbh[etc. qq51<1Y-D?>k1xW*0/ykb8+a^$DWDq/[GfҚT=3[1feJed9cW.drKwkS0ͮ޹{92vqzeh dXVn{~'Z15@;8,y>|_F*TЬ̨vI]ӃEFCn 4c>?T@^ xmQt=b^> 0i\tcJkr˱D'KB:#3~bV<̓ zMV v>Xg#o 6 "iP+j3m)e΃5ΔLv_] xoɢԏg88g%Di>I4L cL\+YrGFdtw! jlNe;f^ 늟hsθd]h+WD^gQ!N:֨az]*%> )s308۰b Y15c<=A̬õogMUR{-Y_HSg =*C`O r Zo?Y)>XDTF. t 2=K~js fTvLeԍ{9v;G^VX2EI2TyH=)$if9viŔ /K~Ty#m >GZʁ$Q ϲ%Hg#]CqS^k¦4怃0YZ;|3GRƦ1$Ї-2j_`;+Y+ ڳTV0Rnak'H"-7td9_A/T`[ʭ j%o|]נKXE)LQ;Oqj&J-**Z8HgBˤЁ)8fW4M x/ӝ рectNa>U"Fi*@TS|Oh0}̣Yߺg!Y=BZ˝_Hyw%bXWbeLa4@N*݌x6Q8eS)9X?%eSOWсÚ/Ӓv4pf@HHn{ ̼d˾#E^ Dq;,IbK a/^v~k`Qx=  Iʢbl NYfO`2eO2еfzMp>VxG3{ڕw\^idj55AN,#&W2 ;윹?AJNgT25,0@3 %w0~oV$Go&tdd[GKpD B2ʔn 1Dkx}շ: ڟ?3_n\ܸɅS0ep¬%J ݁?7,9^pk m]ku厇Q=e[ͽ΃jPZr9EPe<@5wS80l#' mR|U ''RNJRŕ;Cœⴜ~M#@[Avive :nD.Zb= ۴B.!(50˞ c݁I?d Ns*ejF`+ BI%XDҝzzuNx 쎢s$!b>'JՀ'`W+~>sA2Q*/z7!|6ɐ/b&SS,PC<&+dy^!SF-BYRpml`C}kC %$[㯚4؀E~tMh]Cfhc* |>Tιg3$uszsi hd5@_g/DžѠ}~LfW1ڭ&W}6jBe@"@6f}F"޿f[7 peGI'gO+fK*3bWW'Qa1-f.r\ƋE ^AY8DŮl3r.j=I"Gs$Y w,3SBOO F`oЬz.Osg"nFyor|-smC|tt܇GO|Nk9tt]u],֟t6i?ʀ4UNn=0ᝂ ]`Gz*I]בZ+wg9B9XYnKnWqr/>i$Kn#IUd9@cdwS\,X3xk"ǾS.[h*X˂q&GK+I@Re/?ҐO@ԣjst=_c9bӡ ږWCn,T |4epY܈ov{/HwMY.䂪+}@"<l-un,A[{ώl|8 J᧾+PN5<軆OL ?/] ;kߝPFj7Em^ 5{d]:t+QVliׂS0"צ^39[n' SOѫnTUrطJOP\[T鋶q 򥙔0Pl<6?Z_(=9tzE:8 [~g՘ЪTe5hK V2Soj"`aOJ'(Oc}QY2)s,Z]fw^\}xq[8V9*vqj T҆`oq¤f+-N 0G|'k7MR7%VKƿSl/"ϸ!{p`XoLskJcw{-}NzT]F!Pǎ[wJЇf* RML{s猰u/8xK/xlh_+,uH~BcbogAfz.|Z$!k8g 7f9vS-Eu^Xl.Hߡ3r-.K/ˑo;yUT?哹s'F"]:EHi4݆^x\S+BnWp4Yn;Gz(Bd( is ˵-1\0BQ9v9E;m4;CIeHՄ4ȽR|o|A"Yv'o*o;(휍}|,f&I/_^_~#ut¼Й5grI*I_7ym@CqD yZ8m~C"n(v&>kO!=h4x`؍ņ6LǞT@ v),&SsS7R(37Xvԋ3h7(G-h`Զ6'A9D;2gw0 710bwJ[HFA-F͍dR`HU7JUpqחPlZGsHWVPwF?|N{EЍQ{n8;'Ys|8:Qyr9en)cbܷlMO5~ArhL@N"{yO}v.G@A0Mwfk ZZp9Dg@8ϲ;&df7]GCwВτxcJ6 Hy*{ၩ% k.,ZNcqC4Q$sV8y+2xŘkS bxW;?,]ugvzɦT$ S3*f#A_Xv]Y_><` UvH,XoZ!SC} A,#eZpqk H6i]:)=gY yc z`~ШK,Z*Գ`[y@5Ϧ"L+¥Β4x 4x=9 E+ Sح{I<}/(e YggeSXܪcBEA CY,@Ʋ%p4E諨zj|SGkC=:y(ƒ_} m-?\VǒwOn=|Q(b9xO\b6O v Pe&0z~ɞ=p7&{3z)kt{W{`{BW {,*BNPPxj73~41 5g Xn -;k/]s4 4|Z|66c HqQWZ m6~kxPH-zԱ$A!̨bڮ|Q ׃#2x !]Zo9+r1IůB9FAf1J=9ɏC$O'DKc+#+AoC.STiM5v* *=49^lVd98.R@qm 毨h:v0ID≲'sb 9ziQdT62G_6*0u*W u:aы<Vٴ3d)]m!:sc1Bަ7&iC2"ȉ7WLjE\ ~ %,ԣLě%&r}{>ᖑ S!czDw$E*<5o-: i{[JZSJzqOaGL4ep^®!Oq1;㕢-R]%=hʂYC'~DևjfB• &c35{t#3b<ԛz"w?\*! @L- XJCVdjM?5I"zf&w NLPbBJG6qJnxqT0WxWp7KC8Ȓ#XE sT8|cRZu9Hk"jT19Դ.}֞Fs`ˤCkbr}>sw8bo![Ow)_qRK]!{` ҊHxIfeW[<1˗d8fIFba҆0y-灩ן$:u p6=ښG@_ ߈"ϗ+^Oiq]!)C)VX-$o7{!~Q4.Oa(d&$r?tvatĭ`F& zΔg43B5D( ¼czĩp6o]8ƌWgACd'Mdlọ7Yfſe9GhX=]lL.uaQhMy0_F=dn"қcAk|ƭHY_;?cÿmDQlɤ'>++SNP7̣! CnKUgٞ-r! =嫍K鲸oNvP~J m8O"pœ.W!7ZbG/|kE(jW)b_ՊT}Vר>ZYXݲQl 4Dd䶖_^M~lWeaAU8DiDǀF/vcyE,}NdT c +[Q^ٱڣu `q0 ײI#0Xj Ǐ6L(tc-s:OdUku'QMs|1,tjsobEr|߿$M6w=Z9鰒fS ?d%ÙSk! mjG:+ \zU(V~( =NG}np.] 06.UzLЪΉF{xN|t {Ƅz+Y1;Z :.:8Xk6!Ch%s2/m. q{к'Y tr=\@3AݧyGٴ~%v4Aa=(TGnAɫ)0e7ť26fei6W2_.NMԱzvPg!"sU#Zlg^Z4EeUV7˜Es1TS4+Y7ݸ:2oC2X^t;0}NIij-ќpnm&#)6) Оm8p7FSOPh|2 *Hg SiڤASG0KB*Ji9 @q2O&p$GpXLK)8a\l]s]oNn!i0|]~c@z JyaK%;;ar8+'K Tҕ{o\Oֹgj 52"D grkK$ܮN<]'*{Y;n ʉKy>Ķ% p އt֙6zɒ• ɆꀭӬS`~iVR?G(ɛ2,I1Y&|-yOm b| h$KAg2|go~/7(W'qE-t 5L:v"9}"C;kwHqƬ(b y_z:Fkӷ[6cs*XLh)Ɏ/"tPd W CUH%mžV5oQ`I0{J`| HGtD$8/hKDk1dc*x_g5N^\.qр bWP #~WFWc~8& @G%ix(Bf_Y?u.=VJ~ʈY Oz&ւ2b / "$1܎0"hF% [g[m/OiJ Z3+) "CA7(<ܬkG.krxH.֣_cSj-R<"K=!:rYՒJ:Js1_ 0~=Ѭ8뇜I&𼽻!Qsl me"s 5oo^H8,8~CSf4~ Y+}|t | @P`";We k(чNv& /inG1 vKFۄn g2O殴D/wmkmYom.-/SKUB[c^fNv/K}_d~/4\}Q&\|Ja FWSD<{ž6<9'Ճ0{mő&ͧ~s6x=Rcܻ+=ʕv:WoDwE! `el .T  8|4NR* %/F6=.X&8 ќy|`U+u Y"3 b뻑_ ?Q2Qa,PEn I z~(vB{Zr<1֧׮5C1BRy3*n/`0{er$1S~ qV1xV_2?md3*ǾMHP! P-EzŶ\w=ItZGq~Aap2Ez5_+B5ePyHxʻUv^3VGzzq>b_PƠ8bhߎ58ǐ! νNfL0.h!huC+Q\l Zw[*npÞh>:q:[̓t˒`'C~MK)JˢFΟ$3! 0^:U Q C忌}Xa3Oݥ`lQQ]/rvflN߿Oe.t!An)M ȕaY]gtHGZ ,r,r $+hʭ,~IJKPPw6$3'|a)Hl~ +1!DoIκ'>;C榁F` [{|CCXE#.{_HGzK6*79V(<;BlKa65 &ϗzޮ4\x"^mXfO`)Cqx+,4G BCξ#5Ʈ+mAْpS TbbUFJ*.|e}_,m Vfoڋ䵗2aZSD^9'A4# ̇A6"DgURͩyF>KB43,D3trA i|0oHQXY{*̋^˧WtpW=: U)/KY }Pۀ98B`en ..Z;zNj8T=FY$ӫd}Of掊$P) 4V ,GBs!)RjXfYh'dȯcxv1pg?{3 gkAՠb Ec]YùaDwjN[uJ̬#)@}xf:Gy6DZ`*#z1K T9ŰӰDKLlftz^'ݞO/_pAEt^|Oz=pB1G{BdrnσKǽrY%Q#ؽCVZpnfk`DDZ&RDƪZ_?Uz~4*Bp^Y9A$x9riG 6Ky]tjޤNlCcMؼ`u1Fڀ J <<9F\9c}ޡ0ѽ&>̞>ۗmLWX^ A`-|Wr돒,J64ŖjZI*)zrWEmWF{y]%F++535l deX̆N%:)W㑾`4x_.'AwzC<?`Mt ~=WrpJGr&gjJyr,ʩ~ A,Qs$@ m,BY{Y{ax\",i*C}:dVպU"[O=O_ɾF2!*>}2"M긭'W\'^(+|t>|~6hf?GN~wL)@Yw:p8z ae3Q%lSA<X&~J ,1ʿ43)qt6Ot^#|!0IpP#"yrLžhNGk @I#C ]!rfgh31|3ʆ^mPNpׁGSՃw:*"t%% qV6 1z>EE%$aNK?΁i qO;+0]RVbr*<š&o@h-]ȟ:vDU?ɝ8z)YT4h {Lw,z؆pt=(Pb6oWY*ҳm f'auoNhuqBdTj2G?Kcf`CQ;\Nf](tFfaPL2`} 'u 핰_ݹ^zMۈŰ"JݻDG\mS9qy3|'IO45cC?dJZpzx0!"DJa_rI2#Bby=arR1w9K<+Э4{ZNNIv_SDXZ {HWP:A1甧l_+x@YO+-F&AˣI]6h}Pv[kOsrzC%KL@LX86@u`=2 4ޮ _ MṿTW'g"Q|z`9׫S`{ 4E7)BI'F,e(WWˈH< _)_f^O aOCv `=5%JG=bQϙ[$߈u\Ov]֩YaU{oϛ?.hHY .Lks123:?;R '$>B iGT[Qwr^ %d71ms_[b)(C`F$0E= ^ dԾ% ۊo>üS@_iOЀ)\̅D#5`iPt[QryLݷtpYWP82t5/jcW`1pģ܈% $g5\N =ϚrNm[D{Oi-|)̚rXNp7bfEMf+æL_3zRUZj2MʪO0 s5ۼ˰ ck3x7ΓPght{'&&Cݙݻohhp@Kˋգb D_Q*\0*}[m?oVM2nQ$&vd4b"pC\aFf3QB9 M٣[9,Nm/~͉Bl",q"5MǥN6|8zqEO{D4&:{) &'o`>W'v;WIl;YuOJ9XyV'G5|^1l-@(ך?\]ZԴ<@V_ta '0Ogt‰vmT+FI\*$=2;7H#7*ߘz69O*~H͗V 0p˄[7ާt;DYkF}p,.T ۝xcn&'t1aEr7H<Q(UQ1;&c8[%]uDŽwVp;\ۯ s5F6 W&iŰThD\?gBoFe@1%@J¤6HCt !a;GH#9IK"7%ož `7^Xܺl \Ɗ|A5h#!۫?S|#Ι#:^ V+X<ٖ]4l6^!{x}\$K݉РM'q/8].0,y1 tWLf@bZ` DR9:E L\nlC_, dV+4oڿYh6uG +6-g(I1Cs4boC ] "֨ wI9ZfMoKɸ¾GH;RaM҆G ? M WQbHQx):!ZHhQUl} z=D|iPdC4*<h Lq/r'4c~'u7C,VW(!sk PO!w`jiBaj%' ,2F}Vi^`>pzGba^ap7SFXkJTO.tjdpu *,p*mT#!6*ŢXG+rmEζ/|CJ8-(H'Rup~#%!Z,y^HI0@9ϛF3TOgTdɼYvy'%bbY̽qWF6k`M;g8@R}$ aZNts'M"\KY8\Z$J=Vg¼ -b?6~bOVBPU3OJ=K N>SDOZcߍhǻ*Ei=eUXMiYa-ϝ8~&cTކ4 SFݙ'sh˰FaUB0ۊ('-A+)ĀqgJ@׮Uԃmcp M-kLln,V5TKww2&]RFMtsvkh>l{kwOװ 6F25c!!٢P+.6B<.0y6f'y(-WsŲR.•2oM \W`^B1~NW*n]1u[k`,c|#(}.*|#'v֑s8hOx>W6eVr@usàWO2Ӯo;=O{(6}?{%tCs0qeջd}(7jWz:Kc>F* =MNԘvXq !öɸy3.FYƿ%X,X{3{-42iq[}}BK /JQ&v"HFkOeaLQqE)%d'26˦~79R\{3?WT$vz.=}UGL?6ԛ9`-(gSE g*h{)lsF/v0+3Ȯw k !_<Y?>$VY}K0F|xe"'h.? }QEc1m!\Adͅ÷TܥyG*ŅRd<,VCd~-Og $8.LȭJ!{:+kD[~`s_B9ٜɎb DeOM2Kt;`j |Qy_2F}']v֮'rOQƶ%5OPo IR(b5Þ`Wݞ"v;ԺnZX5_05 qU&4tS`zE'Iv&p#.oUHeVKN)^џeX,Oukȁh>VZx!g7luX>y}.wPp+"G#P'NG0\ FܨY;) Af@&VC'p f6ɋKx\fշJ?|n<׎F)WAn1[: #cXG5Q8|miXA&Y0Dig6 ]Ik1jfM"#Ё@щfm_bыy&lKOnJ ?#}p° :c +REDŽmlsW /l_ͫ%8#VnЏ-׍EGH2|yAPϽ" {fE`ϯcW9n^R_{>eM4tjFqšzfJV[RKȓg S.zb]JlSV@lm%ȥ5Xd&2(f!\1nĴ5@6HhfܼњMV6 Pon'm#^94l0ڔ&~>W H|:i(a<@e%hEl44#%K)#M$p?V *7mR׫lc`É13ȶ6A H!@ˀ2tYJx%y`S`L/u [MM%^HצU$gJ߈r͞g3i" >ez(qZ- g}r0QFXgT k>سz>}wduPG6poq!p_Ans)AP } |f6۰-4uk4I:Wk;=X8}d0?rj{3,ݓEKWg,\ e!}Vĵ5{-ֱ t\l c,#wAwYr 0 m%ip~J~7,?{ JRP1?+5ܫY`yFySA O4xA)`f7_éh;-Ti/|B]+.2ֳG*{w FUtEA)FnqԒf&xn3u(:YJDF6v, V&Y@%Ш(O:ĬJsZ}^.ya YEwgq!_fz{+"_CW5+$b]%j ?7Kt`Q@ ^?Hizxp!mΓ$9 Eq z 5@4l_r(zg fDw*i`V[ҾPwx8U 'hq.\3ZɨX! y'SS&@C$G̋طWd\{3YE|8v0M49՗qžר.|J޵]d@e`keL^>rj3o"tg[k`PY+64`~hw/a|j;|Jk,RPok;K\yh,(nGX(Yw%,UnkE !6o&q'>8bqKrbĺQyٔ(`dީs65]ǥuszX0U-7Xח`I𺱿U2\ 87N> ۡń枬ʂw/xɢmK!*[@mu ;ß]6[+ kB^c6{)ei` 19"G/ -LKxL&bBJwyDGֺݧ3awj<xC\M3V 2a‡hV47C0$>@ 3"QdbKvz3ً tO0{hQ**FS 2`WeׄNfH7i8 +hnA0"gj(L @D?R6s|.Ƨ+IP<.TSB利M6T HM CQOX% hH=xoNbf?F%ԳOn|g$|X[+/Ya̡-l!M(97[MNJu`ޜ8`h9GY*Wd/tӪQ۵ tv 6qvB 0"ped犤1u9T2MHpoioj7^^_/jLLH~}!_!M{yk 0:OиjJwp6a8y]#菻=5|JqaBt2(^\ڛ})+˛T#NE^<|(HIϕT23\# gYˑƁfTWV_V uY$"3<}׎'!~HgPrުEWDeMZg+y9<:*^)^"Y^t׉ +2=<Ӯf}'Δnvt^.dR: '#Ωug\I#"itMN Ώ`Ef 7Po&M a3 *{#LM<Jm#hX>@: Z{5Є=\2j0"6Q׍.LuN:Faž"!a{ -"}:\px 9ޞ5rΊ;E>JIK0[Cm PdR9^ʖ׆]c ۤϒ+&ZX . _Dtêl+`uKK-`OWi׏Q^Vw `Z91laAuِyR[soO)J?3Kc$|2ZaXL7z 3-o# p+"5=t,4GEE/`IaD"V~n0n~H9@l/Ss%h Ž; ^.vlUU!ŴnYכ .w^\1+;P&{A-N 's5@Sv NRmkKD21}2Yu*( o/Bh^V 9k᪇.48QOQV^^RL uCD9塩)o@ u ,/D, W־ M&NQ?׵ZбQnާs[G:5bIogBx>n,$& d6'snQ]=#S…+U9vkb*^`Yy+tYöh{l{C cX/O?W+PFL l>T}qmo*p8=gQO_!+:7~]AvEyCEDɔ Ƚ{B%wVJ yD$ 0~f)LS B*3޲'Y膚{/} z&|;ZT69tZZHA̸'iKKA!6.B-σ#j|J תh! Zm599?^6cGMg4Ab^&6³~b%EaK Pt/WXL=( owNLeJt#k>*%9@8SyBVdjk ʊLa! JV lf*?ѹ P좟+t=D@|=F7b<\j4p5liUmh P<Wy~]ONEW䦓z'9{IfFUC*M!%HW75 ~(_c7ϿvG ZX6yGpM@qLRYrSLi/}MZ_DdB4_}@(m&g?W_NRhx$/|lўהy? oTJ}ɛA9E 1Bkr81XS^w#nL%F!D]M~ɔ]ߜ! L<Q.fCsaaO9 7)WPw( V(/CZԈ}`k)51ϳ3 ' m9|-BǰڅOz=PRP8=o b@&q!Nx=E0>_"tA!$?|x@cCyZ w!?S?(\ ux.W_fpX8 00ijoZ@hТIW6;2T2$fWL,V@Gz'y#WL"B~ DsFC}E$/=itj v(2$6vQbɿ3<j[ z3AC8WЈ®+a4 ,2 ^>#sy.L&v5)%vR ϦAV2 Ќ3>GBPW Rm-m^"f+t㧹wS"}0M?C[`-â; O wlfBǫp^v{I=Z3t%XT1ol)*tE;Xٯ+~VcرBB;RhTt>p6dGSF*t0!I(v)UnР%8\_tć#C!?,5YOFEu*msI)*3ξ0 ~W6a\1C4RQϜJ]tr5,bbU+}u}=1beTx9k5ɔܣ,?PPdn,Ld)$:ڰ98bGP<³=Ю~$JkFń)DfЗ{ "Ahψ5$=&+9W$db(e45Ĵ1O"BtdK 0uЄ` -x8!onf-cHᗧ +hJ{9WX8jd{X# n[c{;IiH&PzBO)*" oߗCE|nTݔmb~|7Üa?2腄 l{-庉̤R[ga4]S/XJ@a(B'3j:;1H pk-!S8&0XWKLSDEwdf/sՙ&WU@UJ3/6&I%D$9yuM)eu2ܸ}%$yZ"iA6X[2T-v5 =ra⸙]pWfuֻ&J2_ĸ$G{f૝ k4)S(n@$.fOtpIKa.3s.hԩ郀ϑ*;θa@o^uʚteq{k>v~C`qA*u˥?uu:#ސ)nd n{(B4bݘg0$Ǐ2Z_U(I0<{eGkyl߼wM쭡vMhtz5'֭<4 x XHbSo-o1񨮁ƀdͺ ןe1d/v= -:m'QD{Yשz}`8I)*l嬰߾}z;dlkd)[~?=SNY HJbgokҊp M9:fq#((!sXvszmU}}L 5Ɂ޾K-e eGN.G0ٖv7651%'Y=pl[6~r]eyT(JB:b3M!/Ρ,qgS-,bF5gUQxA0&* s2H~@!!O1軱<[SZnKƀ'U6DR1Br377lE HjRO|ˑ pb2s샿5I6r},4*Tw =57CwUpe謝,IxXKmis*WZS I6/}\jfNj\j*nFT $( c o^YD0{{Zr9GVhTʞXaw!8u Ѓ h6{:*A1h|򨘙~E0~qORp j랞%^ȘbSk#h+CY,B0K/Nwƹnǿ ڣd=3U_h]ᵜuմJYb/Ԍ+N CgW9ld'`q7 v$g`w&\4$$/0_ pB mU|գlVOmm.}}r?ld#}T^I&ԄT75DyKnʐS 1AYK`mRS |I1 jD-;'[cN''Ld]ؒ/?(W?-Wތǯ:pt"~ZҐnps%T?]мf<-K?FK:myiA:.I􋰸\aRčIN>+iЗ2l13Q掙.OzZP1 lxa2tV_nUL^Aa{O'lp4.|F/$S:gKcBk~c?ݤ:ř2%zܲ~=y k:BL xJ0-ɞV%dF# 2 Ju4Ui1.1R=ny_"Zxӥ`4]ꠃїal?}ͻ7&(wt)mtdɬ&P -EeR+K!bEm:5yg[(DyЅN. Yk.Xg[=; b׮"umdɻaf6{Gm6z *e_nek.9̋.Rs=6uؤi2?t +(Me'*\]vKdz|ptP@m`qPOiMLYUm`r0Ҙd%3lfiɗWe y15xg3(RU6 TF:*oQڶ Q6K}Qf6Ġo]dCO >]`E<%IR[ca -B]7K֞ɪA[B!kԐ% ^ɪ Iûrcҧㅽ\G8|}F'L^LOؖ5 >Umg0Ÿ{(#3ltb*aw!m@+kPk)u2}ԺVDΖG`LiZ?Q=H!dxr#ZaI/&vҴiOwh_iFfԽ5o2;6ĪA Pδh{ F7Ja+CpFnlJ1C*JVig-cƒ~<ݳ:c2ˉUUC ῱ٷ ݞP{c2L9+;:@s~L/qͱy\Z"itn=@=1Uss>ʽR )O9aUꗘl0qQy5C+k)H:|7Ѝg$$f7-ca 'KndXuD97=:*Ak7qmyT+[niV8 LCB8˱OaH$/9.ޥMcN4wՎ#dHjw)$n>cACM\Zc4*Dɚ.YSvLOw5E rC9\pȑ;AasG# ȩcs<@$Үuo(90lvHj h"V#)+A17.tq_CeA!4$Fq~|dLlg-1sMív}. =̓q~  lg81TK.u[^e7 ʀ<W9+5;QfFn$9Y'"荴J|ʥ7dCuX9hzGIlPl2tC"&x JR)#nXb4.fq/[;Sn9*& VmX['򔈁!Z[>錊Lb"ɿi)MR06$F3wgUbE(>þ6 'Rv:C'%c+נlaF{ MxMؿ z,ixָuGNv]ht]. _s^G}qPoܐo|'aQG9!ө'魶1\ #2 ۰ OWۺ*b RAD Ւ(6!}Fۧ󴋒Ps`ZME)TKvUi<ټ6ux> Ѻq> c #J˨25l;"U Mv?G~r?&#!cM`cN*mDZ[BeGl3̑]+e {Ŗk`9 X,d(չh^O9&_e1ðMRn5hb\8hZ3q?~Q.h_ܕd"ˆ* QV]4\kj8LeA "#fձt.Eؿ%$CC (^=2c{de ϛ5j-DghQCrQ'PES6:].YC%;Ola^{#P(KL|[GtM D_Lgg\ܭ^V)lJыG;8NT)6N!:}/z-zzĿxvC˄R%g<  SC+/ v\&O{Z$#*Ht-@ȴBs

Pp;eCG1EЬ &R™r#MͻmIP]N\O46-W"TΓ&BJIzdJ[Ե4Q,Q&e , UM4MK+նIWz LSmz~fw ڴ׉'WĝCX:_b(u2Y~>?eڒl$bɀ}c_#y2"Ru=7Jȭכ_Zk_*rl䡭&> C+ߔ*ˏB9 {ueY6B\j QV5 Xc:z8JC5Nc*dZ( zv|1bo{n;%}KTz:Ԣue ,5W'O4L#['} &' 齄 SoW;#Lb0W?ނfM."t9Yࣗ{i^XA3:=@$i)Xa:`B"|*"a uKf $:sk7&5g' \zuAooT퐳9w͚sDA6RxFt8X- 5ȤOc։AZk` ۊ?>6[IKw@;iAwKe${';-IDQ7nQ] 0+hJ:^($Jiޖ" Lj7aXNxjI/؉*U)S ] nJ1Af ։\4^Ljʹ)4{lgALip]kSmr|΂1g jH<~e&L%Eˠy$ |Y@˚YvR=WHp/^ۗm+`YYUE$ u%2^JϥQT?m)ƜfQϏ0wK8#aT!aER !YImؼќ_0km"U:5-yZrXqI MU ʗAz8R e[^ʰb38 \k]>Ä+5vr3Eޡ֓@l> 1#=&ǭpy |N2U#fND|3(-m%߀ r+prAu5B{>iF[)8QcaXol@#]H=`i6jp!_~]9G,ay8 Ok6G<.N.!x}"iOt5+\b /ڽ{'HfP1Yd!vi2u&c-bJ#u= RQZ! %ԁuJ.;kzp`®\=e֏ől/"̤+#8p=0 2MN%Vr]C |8yͣ1(M8IZvޮ,~qfZߓ]g;nUSFsu$6"dDra;Y Mw&R+ۃhH |Kqh䈞_*kWGU/u5Q˩gV[{ #ӝɥW@Up[Yg>jQ`_/p *.ʮw$5@6;Y[i-/FQH*cVf*ߢ)gN)kd-Fik hRyDdyspx ]"8$jNj HVc6E-P@LNukȕqI @CtBHFMtgAgvw '?2屦PrqCB)_`c^ZG',+S [v''nY"сxm\8z^6P!`&V:ˊ,Њ5zoqeGrкULxj=s(pZWL n:OΑݣ<0o1 SpQ2himeo;]>BGwp<*n`B:yH)q:JvSn^1#pp!**dbJ E׳(8ܡjNyS>8"90n#(L]ysi FGAPdAm 'Vx)W&)x\AYn#!{N3߯y>Xw. jZqx1J 33CF˾ M3@.H"@jleK3,MOt6LZ{̝ܻ&7gzZpD~(j$ZdQ"N,T+po։3 +X;ݯ;T l}a8zCdXu$_7"cJL4V' 1}צLv_Üg:s93'4zpXv }:o:3١1^ s4`ó- TM< WBz]/Dǧ7X$iYQg$:?貯XuE6؟T`=1DI\ +C할O_ ;[@Џ Mr6Qɮ](]}%ٺߔ*] uVh3#G.I?LDYb:ݩr}58A6"iR߮ 9 HKL6 MdsMeq_{O2=NPFy]seTvggQUL_8qYڴSA?LozL4Ao<ݺ}cPwCصߣo`ؑu"b ԨJ1Wh)Қ^1"uݐ ~z=DN:wۍ(*" D,fdhuD 9q*Ýd6G_:1^-Ihtzj_f,4 tF5۽aᅨSl|z"ѐ,gģ /aQc e'r,Av/F TZؑE02簸yۦpËiG;"R- X"ߐ(}vf٫-{ĘMuN.n_/E$߃:+a VeP?t=t X.ޛeFdNnʧW ? ̀Dٰ+Lp ^#@HgJ{Z[U4">LD'a]nGcmRKA=~{1xIbr_ 'cd9 _o葍n}` % S1@Z|c(e1ߦ#]с&ƳLzG ;mvp+rdqR =-=mǥV!|)Zdeۥ& جC:7`3S,f71-;08 h+\+#̵u!/,d=iw&+l;SA62)$K6sg w܏I/VC 5ʆr FԹ_׊| ڴ5 lkVDQFr+>8 73sk-_'٩8Ԡ]mFEUl%X9<< 8^R0a^3fICq"t~Qtt)`[OsbqxE5]k OF/ꮥea@DZ9\ ˡ #%HlPՒeeb[qڦ?9 t%`>nr#dӳni FO9~ƒ9%DXcڕ$r>6i!} Λ#y6`9bc59Ig-Q> Î-H~FP[{e!|ʅ@P㶙<.U?+ ׄ\_GďΣmcc}SU -}ۼf$IX( _j_7k[Z'8#ٰ ꦋ LɼX8w]z1⭫iTev_]b|̭ Jv-ex~ȧQ]1-ס/^{HG `Uyz2ڦ5SPz;2IQO!ڣoXu75E3,)Xy7sOfJr8@etDHP\;==_gl̕ʺA.dElop[PL27 .gsL_ܟ =.wx40m{N5"+t&KN\niЍA8xM.hҘa`¯9R""KBؘ;xVRVW/7(% I oRK8iQPG, ץViH7`Rd^sC)SAvPg0O&FFoaЉx6dREweK/  aPl8f/qg!G #loPK70J<$&a؝Ф+ §')T %0P4}_@ޕ؊V ڮA (E0qSn@RM@9ދ&]n'~&kBϫeM/-}ȋ?wr*.s*C&3T n~ +'*=q+uw7#+jFtO»&=Crkm[9U-CQUu 1&j'Qgdxfu/^;䝭S tP:T xY9w5?w`wS^q:8CA*nNO!/=hv$/,A}]T'OJh,<\#yghnT>vpsl-XD zcR(VghLxj'HPȡtgse'U~PI5A5< ?E.9s{P'7kLadư碷Z /gh_@q]WF*t3OxaJm -O*k"1"E@ffhysJniA  Q^ ~bɻ@Kq\cR#"ME"V6jB(<]@q+x_^f~:̦ 4t)5%emMR zp  nI6֥qD)WZ Zmi4@X[LjѪ"A<~ XMЌϛjE]#@c)"o w%[- 6b4 rkGjFCv N焀GP^QL}7 Ka"nx g޵ش{?͐0b_Q}Vd`G.ULF37<ז Mw Oƙ{pIYh3k iKQ6BH 7G꣰/*J)YVR#\pDy[_8 k 8w%G*cԳN֜\l:b6ca:I"SoM[Mf% 1Ȣn xz|͙0_ P6d po$˔6CuبaWWU]3L0wezGw;WIt{Ϛ?SMl?HmF%8!gN߮6o3oNm9tE$3qm{͐&hf;yZ/#`Cjһ Q1h0nZCZ [WI΀TKm!|!I[^Pdɾn OWlJOb5Gkw M' VwFnmLQ9Q:`q KMnR|ᠯ,EK>鷺=׀ܦv{iIEWx@\´<[/pXO1,j*ߚHݪv ;!JiIVA1R nS'5@b9qRulg`/-]Lq fq4/M#s*Gɚům?eDŽjJ`g}b% OW.g:=HtBD8+&UYa'PpepwV2;^gբO" "VNf?JSFFӈ4 R41HPSTiUTl~`Jdӓ_}Hq[7y߉>QeW7)w*XY#J[Q2bHǃz:l$BU}?fV(l:-l:r:,z?\ e0dLȵXMc+^bxP}2ш]$wÏiv&a)'[mtS@bh{uά)-% L*]B}Ա;Om2 =w 88]?I;5׬[ծҲ\1IZM?b-0oiÄ0eF .m6.`LB>4o}pk5e"QJ` x>|oG Y36KS2e"0sI!1нZݜd.HԢ.?n}?lX0z9'UO,r?րO0[Kɷ =b1>.fϮ hTČ Մ"f'g3wD(VXswtŰ:'jD_S-—]<Dc"x| ;?O \!~QIXN W_X"Li¨*GP.H ˱ ;% v-0`es>TAx!WRڞȧ;BކvGlU dЙ|S ):c=1/K߳.IH"#{~1+oi)xh? M"Xܳ>]a%4ڄD6 ^^/Yj'IEM[ D ]rp|jQ9a{R K=Fէj h8S;|8a6S%JO፧nRi5oYI+'W2{12#MȠċV[e@"7oE~h%jiH(b4~|]:3֗x@H^ Hf 5k=S hsٯ`mVڊ#`*-.GivTYW(í'I{%ۈr {L{}e؝EŨ)KLZ(OxP8.5j[== 4j/l"J F<*ȏ^bBoFXG]MESsG)eR i7L_󧝜))|W@[Γp`v =7GwT0<ɻU 3lnJUW|@B˜vN$~Ta pn J=O]qS%ڣS>-UU zhԢ -kGat!=wyzg"wAؕH4DQw3(]2ʷC;2AV${ɋ"n*,^1M!P<'VBCfʾX5B6dL@>oV:BcVsR Bi{]xIucFHEWU~@Ɂy0MO-TBpwRڦ?|w u㼬,:c%C @MU|Rqeo}n'ٞY-_ݾQCj%<``3l9ů񚐣+6UiCLSaT!0E } bk\̷Fr2S4';>X<ǸoOlK~7-t x߾ /۶n;\aFìk/VTb (JgHgxXvs}L1=ܷė?F7S1W9Tl]v 5gߜ׭Rt xc1nunUTT$CS+G 1lFDZ륟#-ң?9P&Q*[L~4h:j {Ƒ۾KoYLAN݅sZ&}by]=&A):}h <#̗o1 RcϞ}JRƐ 18_>y9(QN1c%tWpN,CQ7qĿ.L$qwE8ݟ7(J#Ѱm`Um钳н: T"k&ߜC|~Tq]U_u*2[ZHnmJ+o>FMM05KnC3 nm@;nC@gED0;u{SC1TA+k߀ F4ЌG֍x VX?cu.]z+/}k׈AcK8*w^Y弶Aa"5?f9m3߳GڃnWAesBАf3Bx7ltOg8ᵁ" ϡH?AAI}1qhLiQ@VUTD#'5BS2MV/(8 哷rv`x Dt$ `#9 Fz ኮa'&k[35tP@JG`RUM")}#Pw͎aKA@nQ7 zh(W.%rwǿV_}k'Mrڤ9"O=$v0hn_7ה=wخv цs^|EKƏ:hM@!tcy]Q3]H|<,$>GeO&_汳ZmTωV1&. $ޒyBvI&¸UZld&vMyu,uUT>@Q?#y?PbzkN ~_5?O 1MhN)GiXT~`hm)aJ?f?tUq)a((/Qٖ\X)R(p{m߾toGxNpO;7Xj֡*mevɭ gBl.jʁ[w2⒁4ZP]g K=+_yK@oO  Kzzu:=&#dvo3/U#BHiQ[FA&Dm_6 AGT<BgˈB?&s?)``Cfv?r9~ 0$F &tC)gL;(kR|_.  'X_m;2M"q:- 8v6<=?mUdF"@Z?cȵ@CL|Ď[ʠ r[Q+KyŃ?{<<̘ ő݌`3C;y-Ԋ=#ݏZnfZkAWnZ 4]Dˣ2A^7ƔDy;Z8)½ץf=="v ?)J[]Bug;lH4?xp^ޚoGci<_V;lvZ˚e]@*`?qnzX3 `cE A_Ʉ[h#&\2"EM 0nB.5=J6nrIy(*_xSJ}aB6!svГU$R{YCuђf(C B ׎FboCQyk('Y<И *aXT*x8 }GB_@)kݏO31ͯ(u [/YddA}.vbF}KLI<^VsUmk@ڌUk-ekP{8ե4TpA ~ 去\<8;(?n 2EY64 }='CT&jaPE m N HNb*t[!'GOhU$m/1:ua-/B଄,@y ,0%ȣ fJkvqKb71 vn_OЏp?gz $OE~y"އWvZlސT|슳 `].VmturN?Ơff3d08Y O |F 3+Cx ˎ*(zYDLA:t;m`S#L\m)+I6RG>I*lYS!5㄃٪c_;0szW Ӣ)dx6ˠ9Gyp *O(/0/ O(Ԭb( SJݷOZɴ1W4ĞmReYЂh 5L4"YͲy}ooZ\_T,je3Ș&5YC$gvh…LEḀf {;$52<ʯ=*ȃ?&h @) h'ueʞ.ٳO ꗣ <g6o/>wGT]uQVK (b1(M2 ct6w9iOKv\FPI+yg(y'NtSka`1 c =/Pʤ-$moɫ%ɝ>ߍ{m1Q8EM֖oSI(i/WG@t՟%ղu`c>%2>%ӘZۻ'<`PfZ!l)4hyrS2)HCB˩ ); hX[j@.tίI@ k#N;g XQ'͇wI3]zwkptM ( ::%~-h <j}q<^"ۜPb)G >0Jgxk·a.$o:Cl&.R5[9996YS:Jk^(,}yQ>6e ^>LCO/ApTC=uuv Idnսpɂ|AƉw![B2}&D,Kd%,2T"B'Y˫)-#n6@iDb|,n{%G Q"yi]&IyCtn4stI[1@Å$p&- 慑hjkJn%|>b=Ç\ [dsojM (;yW8WfB"Aa8ϽIX!xl(:DG{`6M fV0`s"x:k^~.V\&NyLi"SZrT␿8q}"黖Y`EQ򔛸 r"kw])_N&f+ACّ4J$is@&.0=#d:VgNt^/?n4H| H`- .$2Nl4BW42) "<0JW)c9k23x#Qz?O[.>G(o!\=dWhܾb ^!)lΙ}ybۥ!zu(>%“aU4oZSR#&mXVw`Dw֌'{P\DSxl3B\c%ln4c`B-lc z/+~,ksIQ1Ԧ{h]D"AqCw"V ZfLBZ(oY:pv4 )lo-*v ]Zjx_|fzEQ[;)'Yxr_"8S3JT1#u=0Jyzk{CGwl1隔"*j?01;+grLO'wO@U^,SG|CD_kG:l x (G¹&:"51SVG{j3~t9vںRM}I|1cM3*0Õڑp7 #x!% U}ko%=3IztkxjP+p7~ %8JtQLz#+FxcIEM߬,ft;;! Ȃ.~rm%C]uNeOs4K5(.E{b78@ 1 [T 8o>ލ*D@Y7Vd;o^b-%(ey*;c6TfaDZ=@Q3eiŷrgx~bI̴fr.5"2M vO\9Py!v6mQ];WD#/x@֔dž3QZ0'jY]٣~ȧgNd<mԳMZDiRg%k;ŤK}1\ CFѧez8s<4yz߹Yr*N׎ ,WXFZ. ;RZSE#ONmC,9|QH&@5k926Vl 5R٭8KHMp`,K*U%HX3+)fuZk(pjm*Au)D00wzaF}o_aE ,elaFr{qNc*M@ވ /O?y4l _}šX‚5W~uİPLhZQؒۛw@B%&lڞ|<Ħ蚯1Cz>^=xԟDld\яyuAE/Qo?{3PHہ7&e#eN>m;IM>&򫮕CMe"`CE}9@⢦OWKY.n%}89Zi.{lgu}.w_Fnٿk9/+^1`Js}Yz皕 oX,Iŧc#QU9lǛ1PwV.a‘ d !,T@af$&80^m_64&ݜXGQ&\Sf$q7f㛢:@U*B;{-+[̷PqT/6Ս"Z&TQsHlYbEq8cm=aSHQYQ$bV'}ЕVڐa Эظf 7u4vv8H-VT&xf⍅K2q*v;m:džCF5~z(Zߎ]GZRYa޳_wh\ z\g>o(Q!MGŒ>Ɂܚ ̎&:=ݮ#WHYxV[NM)l蕖PsO { =6[YM֕>]JiM wӈ~}1c U2/AEA'%:A.>J|ZE5у + ̉m[Wo+lKZ:|@fND`vp/ݔ֍a)u |hsmZ/9 dbF]W.N;f?]R!:$&W7o}vRXջoY@4z+ۢ:rL![<&ՎeC 'wWBR[iwj+F ?$KE$$]S-tBw6rN!:`H]Ua.u>kl;T-H|3sɯi ]C9;V-4† Q+8p Nӭ<Gm=!{uFD˙vֲ'*o1do: b aBk0ED!]A%_"w}3Q+o.f/9OjS2("tDqNU dBt q1H|(PtYhUXU!ASW E 53BgVD)v8x`=QEEF%w-t|dG"hrU(ǣ n* ѭgXr -r=80^mxQԖsxat Rz`YxA etʤ? ^0zSgJ} "9MDk6?ƚv%]j: b4}F}E ·'y4A^~Xk3")h,)B8 V"9#)<Ռ8 ΦrBm00LIϢT KJcZ?u_Q~]d;~, OlJڅl 0v/Wl|jvuk GVk*YDRxEesM0OM/]ÒHҺyꇴ=;i:o\9m&Z6nIw8ykY" l?V]lS  Db.%qfOְVG^ANfܗ)h㹝)W8MϪ-%7F5) *ǁ2S,:qi4mD· X;2gX[j_& EMj>^cqssr D 2e: R^`i4Z)mHYKQ'#v6Gy<(xeLaַ@$^OS&u2z o]  mMmD~0VT8s pGoGMp=O/;k1N# =RK, *Yx9X2DR~/t5Fb#hNB3ȗbfzћ-xԛPVધ{ӹC8?SYRHGl?~\Ezd teZY"&f^Ör}gcU#ZisSxϡV4L&iJL?vimxVngQjgʍa,7]ztq%Rs\O˜dfԝmD*P7 }9z{]Ӛǽ/.` l&O`|!tu >1ݸ/dho0?(i"(JgPR!_"bT/0NmHzL?krS|p&']&YJ ΜM1_u-ԛ#d! $ҳoN ]x/jBلV] n E3ڍi,dRM5$.9˿;`| zIr M KG$᪆ZpRgfMT%½,9. 2 o*T^E;hZEdG_swu-<I@͇3Asf2Lv.J o]5$JGsM|1Tcs K8%7,hҬ=W*@msQ򿍩+{}^Q~@0@Z$нܬ#CRG}9h>)LHECᏌKP⨴c; ,uMs ғOXROJUIA+rFʩ3eۃA_gYNҨ$n\'4O\ Qgc]U,~&$ږՠA# O)")h%gT3W_;wWN!KT?7 WrljWy^.r~#dvSw5+|KUqqh-@RLW UE<7>v(ABf Ӷ-x^rE8C͈B UWtfPM,8iƈ|sedrłE!#S#^^ s7ÁU-'V@H$խU*IZq%9#CY;$Mdts`9N}-ĿA^8g$T$I堰 }~B&Vsn04/j3r!R8b>| 3!7\+:)QM΀aHv_pC%0^$]H0q+} 8_!B(j F=OX7E&EI.{G1\@ Vǿ+w4j?dr2%_lbD}MC :m.SW~Q@ 9d&[<j-E޵ 4}J ]F 1GEKVLs aOp/equNgN_ړ, > ȩb ]k^weIA˜661sppl 0]Iشkk2F+ޑBa}:B⫀YpP#*R'bqNrV~1 +ҵ A'Uwv86|g4Wr-zHNOQ8t+Wl3Àћ9u(pڽ鯄}#̒vtB|2KapL{I5/=9@T*RǞh+Jm^qb,_A^ 5*|l5cU vإos6T'М7Y" J jy{c\ d @Y2?LثYLR&vox&02npu}.+b[`'Bwb@ݱgqjXOƠykO.G5.%7'#7z@$>.D[Chj?Yʩq)k"RaaN: 䵘X?2aƛoDpM@VFyFHBa D7 9`A\.|?mYNJFUᅳG1DyS`~n,NP^YrwndS˩%9݂w"'k;CՉKrI?~MrS">Jj”׎Loj|5R;JBP΋9#c~~aB>~_Iԉw*Va;yTCԇ!^$rUw\ );>o& ?Yb[HH.-Q9‘tݼ9q=zAߜsMcV}"y/p"|!9}:/]n/!`*.|^J2 D,Uٳ.8uªfXw:l2P |tC_zXU}!ppzg4cIc,GROuC_t7Ux6Ü|揃LB~hPR$q?*sew |Z;Ch"oPdNL7xT-kG1Yygw߳vXKv v2&ͺ{YIDدzB[lۙ[9Z_jbhuZuK`Sj m{续$MS]"c@^\G<XSpx񉾥(92tF!;lC)@@Yj>iŦYFWx( M"JYZMGn<*33^Bܬ .BrV.?yG$c SbZZsR~+ܣJX\pZ˔/EyЮaUU`z+4ӹG~/c"]wGhp'wbǸԮS O˭څqsj}AvI렻rt@![Yײַ \R3=juV‹OM#k+;vBF_w};X8"XBLNӊAHd98Jf D1_g=пW("*|qlYCMp9e{sA_ y?.*8͚' W>&beCT~0GW޽4OV8q0$W,%qrv]Ŝ?{QbRٜTDš$>@;}Or8iCr\Apu+l{D{*FnR i?Tc<%MECj|tۋyUcxSK{II!1 |eq`h lcߘģ37ؖaUP(uz_?JNEf>Ucߠ+xKn jjIC^G69R>CRI :D}U&=8jLo'/br#ŵxM`QSIL3wF QE\csPzК:R=H,PDQ-:z{aÍe/vE1,$%HI "VQ'ʻi0V<r x|¦\H_j B b!.'"hv<6e=F𚛴>&BHԛ1- 0ӋW+)|EKم2n'0!i1BvbiE[Kk rY4z2fֺ1ڊLb7&`eιpElDH3'[^LQN!yQR!:2#fa/5G>ӘqU9[7XVGiVoSx3zq2Oiat>uFa=FYn\# )m78ƒCWua ;Ӛ}ԶZ^ t- CxVk'p-Xr .,*/m`i%k -ieEdϫf>aa+m3PsKi&!ʻb{q9N[DK `œVFlx!.CvCgL=sV0c#kS`HQ:|sm~S6V4`3 fGS1aҜiT&yk{~uEL?5o[; y,Oy\̽?hTloհ~\ْ0)u 9_H\K^ߟ0vN6e45FPY&x kY0 uƚ|H k'kDB91?m] CσkgһQJlήuyxߠ;oOBng>X[ SA.å…#I_`z4 NUP5ڳMAnҤ+}S߷v@f== 0O׷k5alGA72f<2NQ̐DZQN`l\O$@@>!;˄ 0ۢ 9SpDF#y(Ѣaޮ̹o8Bb~ӽ.GfE2M jY=Cn6ƹi-L1a".>9;9'QآÁz7?g&Ǣi8'ZDyRo ,+^ ELO@9;PѳX 3Gg*e|{!pbIiU}ބ?K}Zwl8W,hsq7ԄV żbG '%U>Bcty8}JH sP 9%_S,͜m.j61 UCYV9xtXYiGt1ᷓ5@83o5߉D& "x:f[cK9(橔tCòPk~8`(Gʵ9̞BX9/j -Ax}Cwn'3ӐC+:%-!'7监N#\A ?MA*0L ;':7NW{Ƕ'}کDS]m"OL! s).d>0qťp傕ynȹVU) rh"2{;\R 5Owٛ L+^ uDdDс &.% )ҫ,8(E%AF LNe3SRӽ(,P˗ѸZao@[P#nr~mCZ îE{K<}%`1ܼğ5qb\*2v<Уj [hNb]|4VKwZR>wCQr~&#{`ߝ*9}_KN`Jf֡}<Լ)yeMJR]iI6q64`xB˸gI;>qkh8%F n9˵ I@):5*B`:-P[ ꒸rW_$[(6KQOCkEM#dBA=& x"$̃PpQ= i&kVLR q#dNҢN`m"(U`7y_8Y-෪bHG0s|LB*fܶmxI9z/>i詩VyÚB س>kMl1~=WɡY ⧗o)Ky,ô +C(y-1Ϭ\;$``ñ)96pgh6S+MjVL.?*1s֘]{sRie8iC/^d16P(UqV=Rog-Yӎ\4|hwhbg{eﭣ#fYi2\^륺+]x>(?4.Ԛģ>dbyűB.PbtRZ`:J91Hk&E4&.H3/$P %ߕ8hiQĄ{;khl6WuY%ESŇ.D>t.@'l- K Xznk2T1E p[T5( JT&󜺲H ^sl"1 {,%;K#F4d2pRJ+p5L~%V0 j}Lndܿ5oJKla)0xTX*L ͐4b`qNu"J*־=lZLwAkw}B.aȍ[:Ӻ* X@Ag<J B ^"?%k'tgf&a"#b;m^;^}ۻ[BBFED|֒n R#V^r0P,7|0ʅ|i1$Y&/mxh/|᫐/]{ uX8Ce!7%F>PD _n1€fA]:ڜBBX]PFk'oGW97|UᎿܲ\҃H5BUߑo&~'ה%I$ԚvW"S>NL53YFCA:3~(뙷V^|؜dI0m KC^p?$GQQ]J_$Z GiȊu^ t5dH3pupN(*)ka3]zz -EaO #6o-C M 3:,(Pm#[1;7>[Fv-]ił6ꍟxx\TgJa&; *J Eaҵ+=ZAѤT^W$@4DZ\!2pYS;gAoC ݂!R.|߶! ?Ҵה*hm+D{+ o8u q&]Лnw{3DD)I!3SEUZ  mwYL˻15M=k糍_4ՖNG@fjF1.d{,s[S"P>UcX֒>Z0f|mQ,! ƴ?GDož&TeNE%.w*>>}E) W,iO-V4<>ۘ^XB+q3ɳ{`j^oV]qLKCS)y=o[m].hp \aqvE钍lY3+f6Hڏ=_S-:eZK/L>:^n()[L$ذ*]Gٻjr} v^@uM͌!' edlma%*D${CJ;eK3 LzLH1/NNr`lb Fvpo)(8C\qhzj"RFxsjz3< {5d6d> | *~ۨ ZVum/C&Ѱ3K {v9=V+p&2r8~Y ]Ds &>9TL _Z>9^ܣ3+uV}u6ŢzyQS301!ЩY#yr<j.l#׊= &9 F %$/%]A@^д5`D_8r{(ްA_XBSđKHI[W61Xwݡy.7WXY/_V6EYNRYrɀYV4'()T[K#kblQh' җv1unߣ&kTi- Eox!.X"ו,rn^Mb篼θcPS,㣴Rtu2 z̵2s*p)Aθ rDl01Lx~ӓ6\V/tᔣjelN ފm]SSrizn !eJB(YAY>WqP,O<lwy+_?з2@VP^5WCCgL&$y!zY*⽝mp,Pn LmM澑yCB w} e;W7 UA:ܓnS7_#61_WZU,Փ{cp5Q32yӴ?Ui\ㇰ!hc`imM9~^ A9xԯ7q0;?ڽ"B,Byf=ROr#57iN=Het EEz`ZVy86pEobNtn*Lb+:9/ZDw 5> Rzl= ?~$}\eL`,֣4c}0^#:_Rv^wZCKWdQPF%n\ŚE o5٪zٵw  oG{zK`2ZNFO YQLSi "xѓOMH˝v ʺKqBFis|ZyEBiL>:CY?Ph2[ {R@c%x@y_9+Tʛ%=ȣm1a=07@j˞tᴀ\} ^m<@)x[ksnB.*A<"[c'*WVn(T&hx+:na:!;,#Wxyw*/bg]pd9pggN@]uH^Bh%=n﫩 W򉲑ٸ? HԹ=A1hO6nao ԴC`8sicI6YdKlyXO$DչdnA ;sS_fA*0^Ř qO")t78@Y3+$AM)&B>F P{L+d-,J+z/g ܔy!нTr[<^˶)`SJD%F,"bkT0iuUL+lcQHI&v"Oqૻo-cio_=sa#N$]q1Kc&>1+L"S4|˯l΄d̞&`<;7A:ǎd!52A"9^L-WyX t!g| o&N #Dn"w:_fЌ$̈/|Jw|#}6 ,d^,XtpWs-X=q7: aH#}̰B;K+C T~mo3mLrQkdrQ!USqؼBm`?Ly;zL.aKiXo!4} s|#`<]֤CԼl(׺Gi.R]'h]wFɞ!ia͂;yñHFRp~yDyI -xՒO((bvK+̒U;i}Æ?1) 7X%7 o[LhEB{!V&%u'{,4`ݼYG%~H;y5yN(ʇEkA4G5{6Z;N5[ōCH$%Ghg:M3\ԁo94čDm0ߌ!DNdTJf#6QLV@ ©ȯk+c9s<#xAf5V óbva\ϠaVCI&@ΤCVqY--^;NST6`BB5Ŷ>Ld*5=JUwf]oV̂rA`Wr֓c{jC-Y)ztXSB)&)d$hnCտVW/-DY<~w7 ob"2E~[AD)1U<A'p IZKfOiv9[ֲbaRt%Z1kH E`+ej'{;69ADW8:mԴSIW_KcS\~!"QpIfݿ/S(טI]7(pI[T 7^"\.l5V-Ÿfd9҇^K1 &[ =X.ೂ :Rx|zΨFڇ^%Hwf{m8;)JI/>(CC gPѻ'sUxlmkY0=1<٘^A~,oEN5HmWW(_[F**G)6GfH49fڇ]o16F՚=|kUخ7̈́O1>YŴdhC1gD[0%|Aҗ9,/70/$TҎ6;g#c؍0z0(;j|7B8Xc74wwNh"{-h':kVfMWH,qk -JGU?\ 0YNe5PY&QPB,[ %Q'WMN*u7#B'N>Y2Ώϓcd[?ܷc\O Kr-#erۀAzO51py| _M;>n/0t 5y9IPC|33yX\ni+P:qQ,ZV(+*_N=F/~bXO\s]{3ts&Ha1]I~B1؂7 EAJu*]Y)њ!x17Tj'5!ՓmFm6g.c^ܙ IϺq#TZ!;ZWuى _GF ȶJh,YzI9ŽƎr/̸c|Z/paex*XLyl+vl,YD,UE1doc1憒뀹+l8u;w Kef]#Z5^~Sxe4ZD*!L E2t#x١58jJS4ٍLʹEw9Vڸ2X.((wl3דw7B>nGQ #N5:CrYMY`Spl42S_b*skJuAz!F%9 tc;O qŞ#?o\EJ_5 Kå+T -VgPKwZ`,OSFocꦉs8ڮerBfHm=)gN'GP& n%S`F;MtG9䢮#[GK]&ȴB̾Ci,#g Y@gbtρϊ0@]5F6Ӷ&h(sW 쮣,PUcΙHZZ6sU._L[:@.k_Ƥ6-CyZ<X%bxK7|O?O{"0tdx(ovbbXd{X SB(]-_{ڸM\O~v⡿AnO_˅#v<;zREXs[?)gLkhw#TI}{''q"Hp D }2ݨ=ңu;)AMENSbhL0[W\@e%]R tX pK@>=C 'u].2qS٩?֎ce0@v|}fQ$F 7z WrKxq jYYm<.gB;=@2ԜP5Z bϤ 1&q. J.[x]c!9-TNEk?΃Ÿ^Mol8@PEX9f55FI8 I&a(7e t/Yҹ.M?Жa+h )cηKk *-ijz"0*]9p:h^qd"i I] G'V΂&(e,^fef:ԛ5p֘[g*?'|`1Wؑ$*L )xi*xk')eYQLp:%L{,;$  T7ԙ||O yle[oh(QLg9(mْY&0jr܈sj@HueÇn7S?8}h).Mq,IH)^l0鷱@/sA2^) @y ϼo1ah/0 ?: 4'`ު->.,K#x[`'T"z{oj؟u=(_%֪ Do{<0)[[* ?vYQK? > )p<س]k[Tb:j\L#/kÔH$hN"Kd|rGp BӜ&ӽKȾwMƸE˂H^Ƭ̉ʳ%ؒM2dTg^P3ޘD2X\6Uq2$SEa|1.#*G>fLQh8eI۪5WBń8}<*cŌލ5KQ((,K*\|7Wi4Y˩y2`an\5:@_[R,nSHw GpfB͖>,'@YȦy׎q}hP-FyH"!NI/bi혱!B2)يvuKK}48]$F Č2$M<|V{!CLcns&M `5:E^0l\bVԋ4 kC mоg,_&9њ]n97CͦG ZXt&T.]h66F(I]񩌐V) X$"s%*34*MԄ_ >dq\Zޠ/R5(|D`e7,-:Dx2 ^dMLvfP !f[Iq\><:HBP[].1@}z ڃo&Y_|x&Ĝ5)3Р`d߁ˆh \|XznA% iTp4H{LV_Jeҋ|ۏc,hs݂b <ٵi–[S }5czRIa(_LОLx@hjSa;ʾB+_=t$mUƣ`鄪$CX]ASD TJי"*;k<>cI%$ypJ4Dw Y@ܵΫH#,Z I`1%ﳒAG{:A8q>|5h 2E<& b ,>?wğ.Ǚ];q"k6t7.rdO_L B yybو2q'1>X]JrM0'BMfK\>薠iyʬTO @DڹIUs4zνq%Z5gqEm=+8 LB4;+,6q!9+FlՈ^˜. ˇ &yr9g܍Xn-iJ}o}ҿ.$¾zk %\0R#qzߡ\SEk~6O0z8-TF"k* Eb[Ϙޚj!/ -37sWma.ZNj2MpNArQ< u!#\FٛGFH٣%2jb]k eR]e.ihT̯[\z Ũ)1p.U5SͲIi&̳XS`EF'|l#m&nK[pvVE"ocŮ|6"Wv.=jcQ aEN[ͬ$ܹl[goq)A3 Mm a()tJZVsvbII$#/HT.Xi{YPÉǦު-#ہj]{rP#q?g(]6ba'&ޫ@D4=xR~̟i8T !;o-*!bH&yS̋?[u8/1$%Y w48ZVwY0I\ר)fMoa<.j dSh[o %[.Y?,c kWG[s{̇w5S]EƔ ~QU~t^Ga$vV-}F3AO}LXpM1=]@\G>15cq^ƯOr6g)Z)Ƥw |%lqIBÔYc'};ɴ树^r>.cxǧNS^"DvIj쓍$S8y9F_bŝ9 rT8rN{erӴ,6~ Ik8jjPI) r_[JSiίB2y>6wna2RzJx|#ٞw3kj~c %kD*=3|y][scOUF㾥ctzxyR'aō(;`kC%"ŏwTf5Yf[s퐤6}N%%E)홣0H-O:g6s2o"JрaͧD0 BznɟL_2GZq q4:پ΍IDd']wåX!t! /Ӥ>7,؎nm?bX9~c\b,"77;,#7Jԗ q3b7S0JQP+̪r')Y-YUDW]V~ުI+/8bNJSa)T&LVZqGq$O?enLexu?gao`MJn!Hu))ۋhp|8tN/4- hXF,]:蜋_v|θjuo2eA\AgJYpYm{%;CGSq:\e˞ u@w0hg}A=2q߱3ߺE| #DR^l1$@,%lh)b}};Wm'ŐǷE%mS|'{W{/|lm _C ً16hJqAKޠKI,$|M;_ _QڡvMuwLup&Pm+{0r`gm: /Q)AŝN6";:U"8;Õ a+_ƕRHL+~f_˻?ųד;1NCҫ⺒,MGжSa&WBu|`[Ld9(I`1ʨ3A&-"@eȹHR1oYPY ҽX( !]M22#T|p6ڲDJNW5ZZ {Q;D2E骺JXکrg4w”mֵ:زX N7%/eܥ1Hj+ YǡUzM~@{xZ  @f^I&gI0Rc m6٦kS|o%FLfd $p{Y@ wV6Rx8F#Lxr&65%yH [)21AI^{̲6~ ׼5V /g}Uʽ@l!;9y@h;@Tn[8w+ lB/Su_qfd85.Y%JQTiY-hR4~nU@3e:~bMhP_nFU}59+ >'0|޹ ~͜4Uңм z˚Z;qK]P[8:{.If / Tz=]D훾5TޚyOvjS@%)rA!`_8q PIűHl+ಷ }T֯)d k\^ӽ ʜ//\'}T"CSʢf^rk ON9)/SQ(@~Y0.X^6sݯM -jT=3Sҩ 6F h27:ISgaܺ;kY{4U? O@Ps3=yHÁ=|)VMF5ٰw2XBq%WTS#ab0rbCiI|N4mq Cɓ[1GHS"{VrW,|;G:yfz)ªO9,^(|Zs`n>6%ŵb˥اp7OHuhKS/אmh{i<~9sViHSU5+y&s{b=lApZD€~$ZȆT\ڀOZhif')c#+(X`9* 5;T7{ä bUR2OD}PJl 9Jhc2ĕ{~]ù@y,f.fw,Es+M *jEk!pR4yÓ+=U@&k:pxПO/ƱW_=>s`$WX4)3XUb/omFy< ; -T¼}["١8R>",1>ZܭƏxuI_Q-)|zmeD v%dI|+KV(Jt&2 IO=E` JH6z~DGn9\UmH  Zdhi hSh" h0VUQ~ԈWFXG9.}LWbi$kdP3D扮7)e<l'Y` qç6N=C!UAc 0Y~eXqxv/! t1l߲3%`CN0ڷoklN h--- O6D<,ޮD#'L Zߖ_*ՉN8;B8S>4>5;7;yǃe+,xZV:rًťNIUPVBlU(ti蔪?:qf_P:\Zz)-D~Q{K/NZlI'\>B<aR D 2- [J>>WgYCGi|Xu z XK oa(s /ZGiR4<+ j0>{Sz\&7mt}ߦ[WѮVaKR|p6&3\F.\Xo8y qLEaO96ZQ[{֧-sR ɠN!0"PuRCE~:/Q*99 ]kn~bb!6k $ġ6{?y^6*.:xlcOX[Tϰ#o,򓈫8ɒ8p7?(?k .?g`AGcZ z: P4 17&<t'ڂYF/ {6ˁ&gZv1֬*S9 QET99?Lâ= W[eB?idGYBϵj Q'sBx ΚWlZUwW,n AFo ԩ69 #L̈+xXGY "MBPSPgqcQ~u_Yq[S,K.$cM@#˰)[k OO$^'pvTƭ#/`nhVމ vTsϧ"vЄ ܔT"x?҅"u%CRաil)96.#hSN#T7eF 4pkU9s#SGA-԰&_Aؿ yaD#<4Tl` uF?sפZDBm)_%uHhAn6 mʎPA+DOhSسEU4wN~z@OU[4zal%~BUP[g63GxOXROCCT _Q=Zw68WT[3׷]YdL肽qm"֮7u_8brZjLQ! w8ǯj&s8XTHr?|m3̞*ptzk aO:hodDT9*=Dz3&&쌍_+O9VTJ Gdi eTjTT$p\@H3VL,f$[ N*~!4lj;PA窡,韴VydCxmȩrK}Jy1^ZBFim!s, U:y"tw gLoy<$:K\#l)ĥؑX¥3?PIɾyr HAѲ;EZ㱇9`W7 g,Uދ6ƻUunml{ Dt$(@J]eXLlqRVk{v `>5hGSPS799I箈\/k()ՂU}=Z aE1K2V!?*:"z/w%ӆ'7qtBCg!f}|HLD?/p 6³"ԔEWdUz_:{O,@W:\;AoD!\Yu.ZQQlu4pͳAO PfJzW78]|Trm|_h: J"mVӄ`}AM#pMKu̖N cZ[Fnԭx)w̝%J0`ۈ) =[KΦ\>eHl줧Oi?K3h5ZWz@m!0~C=hy륅@@`|݂Pb8q zʗ5J]&uOW< +^:ٶꙇ].B}@4wyg*ud]A tHf6\K\X%i0J Mȝy^ϟPFܤ\JM}$ ?<BM_܊@ /iCp~SUcZiCMef(H_}~ R$SϦIe>N#C@- mU2[IiH%&w |vGAAFL.)gOd*&nO^,Aڮ Ǣs#;JJWqD"H! Qv(JfR^k;i$ʜH39HDBEd)| p,{AZx}LK(yxfz ShF|UiZ iqz!P@u(3=Uy ^iY߬Pwl RV2 -^/ךYPj"kAYXbhshU \ !VW/aW7V1NL^rV7d*V#ⶽpo=FNGS7y ?y4k}NNIjE.zZ%6V}1{g+xE9GcW9;D?.? $ykCzҗ6@Vwo\%5y$>KޠϚY}#lqE|,4 G?h_xe*C7N( \ܴͫi OMZih!RzN< WwPL&4qLn">z=LT4_*yGaWZ=~>J=U"XHۑfRzhZT2Ĵֱ-[-2YsgǾH̰AUu[˜X.%fm'M* X1R"(V\*['AC!~r#O8B\[PܾoLսn~=p4@_Zˆ|+~OECL,Ƿ@cL[=/F-D5+B1u%ş[Za~ʩ˃WviYHĹpZ- 7@7R"`<W^:.9XrxKt(z"JYusr_0(IzVUXlٖl݄ʀ!T@ !GiڡYL1C"q58et2\%plw;E䒂n:w}_I^G:<V q^=4F%Ꮩ0[gy CGof!H'_\^/#J#BvgkvyTC `W$"x%#@e?@ڐ"il Ca;jgZz)i$GŘ34B^O>[PEQ~]pǤ+LTʊMSFE+mX-jPHqq+ Ї7*2 qؼv8֏=*g5!Jv͙R0:Ǟa ]f,#4 C#tVHY{ r޲pEμ9)W<ߞצץUP1n2X|i,#)PeL!̏O۱xzybu {sVjy\m>ϟp<#3z!`$@k±6d/ORxv$ye)l5yM0:_G$ r]FB TfЯJ~,uO ۽8gAZӧ\M8X?K}PxviTJQ^QSqJ4vZ}G?Gd˓yjUMj5ؼ+l5Bڻk_6Ju\/nshAY9tI;t\Jx6cq/.:9q?PjXT˷OhplM bn`0p{If92&@*@,$2c\)d:,A[:Zҩ ow<&^jssВ 1Gjng״P#Y=,D-*>  X0U­l{T8~0QqI/G )2 OiISPTiwc7Eݎ &>%Z6W?> h*=b Fwda PRbQ'2MGqRDꤌxH4f3<ߥ k hNHr):H2Ld^_ H۸H<ǣ,6s*0} [.J}da,Bv lVoZi\,3@M.MPU=X\d*-ˤtvxZی#pU8 ~Ѵe&Jle3hA'b_p@k^=[: 8+u<9uTpp#Ҹ fEp1$3]2;aX3nN9j&_\e'/{u+NqT+IFu}V#/sf.K"k<ֳFV%=E6m?ج49:ۿV"+~UZiNai-% lΥ 3" X }mk q)12[VC&JwL\<q]z]菛evD~xaa<. {ʞC:iCS˪f̊i=pFLPVXԳZk?#!#~cq1!9'! &Jgf+ǣ ;xrj9fXh8Mns(O˒qD5-r>a)?I&Cc%:ϏWz|AҾ1>%B2/?S+Vr}k>&l2~;s6TϒJ *u̽-e#13؞òLCz7*70n-bl[S+NAuU o44z J >U m&5vRA%Q_$!ՂL!{J= u 2yzd}PmȌ KBBw&=µGC d1>a|Fz )E+$%+Od(z( Jܪ 5 Te`22< L2.`_AT2 # rQ9٬xa}$A"|S=}f{+2$-D@ŗYGwangm|Ƨh YYft6!@uuyO9!{q"F Ÿ oVxbң@&yY(sqCpZvn GcxG7P&49 %|S" ⁽b}2p٨'S:5%V %@~aa@(J̭K+¦H^P#Kc5rsY?ŅI~NkVxat%dq'fBœ:_yK2Sb\(d&:WICp*o*XG}g;uY4JO|F~. x+) >6 PM6JbșlxA;6,:Z" _khwiP絑Z N J@AHE{at%I17Xx՜w=ۮNw|%݌z(#+ gk6+z}CFxh8$@\ikǂ.Xʤ:ortkG8(- Mq2Ig4=rF +NnZM|4Hr3RoO|.'mVz<]XP9 4e{nO{sMMgC^N~_ `jK~~۩dj{DܵM;pIRpZ$ P!DB BlH9#w~be5*:02зW}O)k޻wJ=}+69dA!EVPqR,v :ڮ/!oζ:^_B>hyEh!w!Y]%GďSuVՊp1_/h:%HR<+o.+Ԋ$)O3Lm ,dYGHueV7}Qa:$=^XVjo4ZܝQٹ2Wn9{3R}*?EŒiZhѣ ɮLVdôBJTa*pmC%.3l kqaU@*>TZ4 <fvto ;VwGVXί[rMkaXK+ͦ rB2} @gW.Ll `sh({wmer&YB}?u#W)k^?آ#͐seF2P7,#. ]y6&%1%n9p]cp.ό!m0]rV}|z-u2щJT#9j vftqɨ*/XtL5[;WA3(|$Gg*8hF і,4GĪ\XW1X\n@,H6C L3J7tL8$&OP7ϳQZuXL.4]ojlHWg ڛ /+E3Y>k_2;ZZ\A7e`f,Eu;?B5Gĥem!eZ0h\=IfwMS]>:Rq lXcBz 4^#U 鯅/: uM~6bV"#EcW8MhteVM&9Jǵ?5󓢵`7`H$o'n$YiNKnop`O{Ă. KC4I1ɲ,z1z{mQrpJMfV, qú5XyH?X_!6Xʩ?gcfQb*I˯%Ƥ;cק]07ŭ`͇nI{Gkv@* ̿Լ1Vl G,\F( NGnFb_+9vHŵIJu;[d[gPDARxT AKxBmCdZfV  !c QC?9HRsow.kٟ} LkkB"DL&XpYDOU pޞ, gKĹ) 8S`⦫LmAD?dGR9h#x^%GI,[21*:R9߮VW})dh/¢nE#Wj%'%}}RT@ʍ8-wC.~mŅPYB@K=x@|ɧ@D(=ӬՔIJ6v0# BeJi,Q=NҌFdBN.Q*6Ƀ\$3S{6A|'椯Y*ި-RCwNθR꺺]{@Վl`E"(]LvE-ch3eP&#r\ #XDOcVkI6iUDH<SoR9;CoE{8PƓTOm]$K Lbh7mF[Ue:iV15ჹQx( uQfZr=T;h2iqs ؛ddk7#CJOĵ](UAf+6 L3!^DžBK隄y2꺵Yq0?]#ƜLtޝy 3J ul#gb ?$Fv|6:]?|jՆ6l"dmV.uS_1Gi, 95aB1Ziݪ?>$z=n?4~Ig Q}3$'T1YɹB*0%gQ!;GFSg02Uب2B2&{ƢduKܓ7^*ޤmb?>kF刮_ =GeqMM ;,E F=؊:@1 ']17aPMS9D5k3lۯ }Qb(ᴠS~GG^lm: Rvz$ ~St,<XMlno\ʅ(HX emX'qL| ES“"L&6lD^Iw.68ٵrWu/ H^_ȀD %!G0쉒Ge͊䂸ynXf\JRWI뎐?KeIUUqsHG?vsrK*u,\/77 ?`v ꓭܪgx9C\ʙdu$aH9\9ҚF}&Wvqv->f]!c#d 0vС@zَc`4_c28F4<=P2GbY3'p3}~PAT4q(Ukڔ}R\α2B{Xio@׮ze4Aa4y6r.6{fKHIxI) ˎXY]Q)۵;ӚͶ ?'LzZJ ̙Hw# ыb8֌:tk HogZ:nŧɒ,ԏFH JiLf/Rrbn6Ę?:Z_gb42]_ D__8= E.FEc4"e]9ũ6-;K^m35n ,c'~VFHa|jE栰j|ݓO!brYJSѸ.":0y'>`-0a`:|?G WW35!~Ƴ0)`Wr{# N﷿BXc@ʢfE[U fZk|bYӞ6,]J Ee *~I j'&mk|bn+NUtbDmE[%:8‚`u˱Np SPztaxxhrp]JoBT;D]WH\`Z{(a_5`;9fs#T 1?_}[ض7͠^yYj .~El)dfm0Nq)t#"w yHjOmz?xhhw0l#nd+rA/0Ld !Gr)o+=AVSf럥kj ?O /INKqiAbLWBNHf>@)4]K@Qe:[QlBVy!>Ld4c_.uRub$3}׽H#dzCH2}6ޙih#(ZR҂*M 'xhSFh)v@S?ڑe<$T%g~Mv/μ4VE %7h{Ll"ϊNI3Hbi֝7^~}A_!XMAS,pUPwuE @PBjm-ےT7ERbX۔0 >`-_wZ`WP@zmW1_ڽy?;{RTXϼيrX56#`N}d/4?u!1ʓސ3|Z &@9.4G9:y/*K!CtMP yB1\|>e7]z-/{MLy΃BZZ6RFk{MbrΝك0ffگkoSpՔ[b&+=nz N=ddF0w&7YNk96O\#@B)yiڄ_D~*0yDblP=m-w%7q8ɵ Y}틄i$ ld!WX1Τ/Lຸƣ`XoX\]?%=\{>j~p;\DO+,7MWTryKU0V'J|,oCj!7ԮO>&P.{Z3tgܧtY5z(-OiZ\KȽߘFQ:`xwk@9SQPR ӥ//n-:$Scʅ=W!RD8$2/T7[k:c 3SwӧCq(^_Uc<Pzt9 ew/KG0@yf-DސS[P70ЕY_A$@vBw7E04SvtX =Fd[f7>J zi^f=s{ӳiu2 rQt֎.A|e@fٗ4b,RT/ aO+*d'L5NzA r[-D齏Sg "'hz,XܛMF]|~V zhO[<1'P%TWQ]K .8~ʭzi.ӲddGi3t=܀g;#M`ޱW cRlW Gc: ulj.x Vϻyſm<֖aZ*3#P䤴}*D v!'X1 4ש@SS^>|a:xÐ-d k~ML 쫖A;ZcI܁Z0ޮJ1;F,TsCf.Vg$ϿR Ipu[ I ErL;/x>syf*Ahv>jOr2-r1rY }6#hgvMxj2XtQ@Y*Ir"]uJoW~;!Un)'$%9Z1;9"AO]: kFY'|]:F'd.|5VMG@8 } _u0^XnI*q&ֱ#)n]Y*hͲFH=OU6'!:emV9 s}z {GUw90ۋYz ;˸VUykYt'X~rQg?%muR$hhrH>MKg щ)d\UVXבmnĮLpkӃ=*̙O/FS$*;N̲bm'}]VHr8t/) Yj8Ɍwwߗ3z-t;1(ir%i}fom7kz5zNp!~%6L01o *4&`~!}O{%x/ˌ )Dt^F\Z f6UOvIVGn̟(n`YvhV62o[|"xhT,EL/3cd0ɽ {Gܥ,^-PFJpزcBfؼt$lQ3dhBjhj :kQLn< @k[LDv$o? 1)}?m+!"(,ZflK7]0Ij&%ÃHnԡuQ@8IP}=6~ RK& r@KcιG&r]Tt@V\Ap$}֬)5ۑmz0k83i~uU@z$Do%wD4LUt=QՑ ,gg ]lxୢdb]qSK bP@)e^쁌o Kq\W.0C2 j^ӰЛIk̪0ثzzƔByHfZS_ 8^3do_*F.9kg1Lclφ`p/H?$z}{L.r $dZa /Zj#abTF!ZH!:Bҏ W_V ->%=;5|+UtQKQcOk[%FMUJYS#G͒Df=@RA=rTq<4U-9!SRu5s"VM-~;MPM䪞oP!s׾ꑄg C41@ճtogDmĜŌ%Ş\%L8\C}e S fe\e>CkԢ+?^ܑ)2'KhU^kN/AI a%T!:WC߁)窧ᡷ)ufO&=>J~s"jZ'iF KRE2B xA)v<&Ε8xcE@iNdu{X^ _$@+MUm1WNeHYk~ 'd0l[j |}Hl!8nNV@'*>s+7Ɲ%'d m";chM-AiW}>h-c8&9$xY枘աפOi&ĝ.o cvѠ9[O"vPQBV'|Y>Ophט$6Qxjg56%M%~>@ ~5`ψj9):(45 %+YET3;2Eۡ`E-@^9'xƒhQRz&sΫ{l&  h`98.E/IFX DJw?2V5o TaQ[a\OmP,kC#L`]"il'(SwYǗ'2͍z aI?۽{װu|}7&ٟ~q3 pb B#!"V bÁ\OV|xNV{ F SDO2Wb^'03C}᥆0DiugK4әWp=kꈵ)e`+`l;tc+qBJ]2'.4LA# ^k$/ 4,d B[)?0W*BSag{TA5m:dFV"wɣcpqu-P:Y }p4XN'(SڅZO,! \tkME1&\_y[ ' NxxaYO(Q_Ct$g<#z4rDw2ĵC,h#=Vc۠v;߮>z:awwCEɱwhjzjyb1QqԵE(ب4 .x:*.{O5ϻ Xad]Vƻ'r&8̕.H WABܠ&nRlB+\P|ԏt#M )P.aD2N^Fvtm:(wgg1f#k';"H+ o\/̱6nk_u+ PR#8߂:Վ~y‹pSt[Z,h3[Wq_Q4#6l<>f- r_:)Ќ3ޠy&M57]r7 % ӊg?G<5h\(6ihbLA$\h"#0351hYČc",kK1 (rn2&fĶ wSnlV6tLkq;Y7 tjJd2wH$1 F:=MS݀5j'Abr8Ol*mP et 4Ph'K1J(PjU.)I>+ɓհ7^]:d3L%. V!-i<$c}\bjfMxkRZgQoG&L tɑGUq"qHua,'|+laܳy&p"6^2SSk="uzgfY2N[&ҭHS(anfB8~2ֺ8Gto:$,g78mM㸌Jmс]ދ?.p5>PwEjie^ۨzhKI h:\fb'_X-m*LԈGaܴPcAuuj5`>;.e(pb3s)3/Tb OVo}'Lqe&ZTtț I^\j<ڿꭡExKWDb:@ȷ6c݌Sa߼0S!_8 E;hb+Z! ]HbܨF|KsX(R,R?σzƥVPaq̫dV ꆁq(|F!&(| txkmvΔGq#rTx"uQҳQg$@ |B)5UV (F~0-Ln|H#Զ؍b„uPhteV`ȹ!u`g^nB֝K]?m)r\&SbGup3}=ۢgE[W|wRRժlJ @WmiV֥9 !oq7I神ȝu Ԫ3*&Tn -׺N@ dK@Q=kQߋaU!p@Y넆wqbϸ\il.PMWE#T;O>4gq3o{FErUyᓩ |r:gR 6Df[urogφX!֩3<F+0zհ5rd̓^iY;̿ݐ/2) XW9B%+嬏cOovYE9f@{٠Q$X|rX0ŏ-?2#a+Vf }rnoKjD0|3$H2/.'2HhLִԓqNk_:H}qIލuD99lk|(P-el]b˼ 7$,ZvRW$E:P-u%gr;H׊ڍ#7{rk@LatyĢ4niǤ_TeC7BO3f/X}Jw䐀zPd 4WzPjfpwF:n1QxnGTWf`\yAj(g3]Eŝ9=CMy)}jV-N1 Er2C;s6>Qr#BL.'jjGbş6[W FP-$Y%ͅ4B (n( `VLJ"2l&<8ʌu3b -4lLvJ ݽFs 7Qq1!'| y3ӌ7= jxB,Bڧy*PBLS?s5^"P?>U$u{J{KYP!'NdB4?"77۹MߑIul횱r8 0נR@x :Dk7ձiؗ-0W:_0!aYl?וZpi)w1OWGQU ?-\'0d|>=sm0BU WAF"޳pU9n'$//r˿m}ϫXPV& G~69Et99 =Et#>"IIm+3꯾3KJ ^.>rӻ[Ȧ7'g@#.PppR\N9b7F4 wCMmo۠JxhRh"_+k:idN6,^0;"RuDPis% ]SA՘#A̛6{nfrafnf1i52[WpʽY s4ZxWՓCDA+j]uviq p?/^D{洶ؑlXBWI@moMG8b9i e]>w_NWXх)V%hmoZ|aBR);ƺDph Y &6ADN >gBx3b&ZVVwfSlO3SC%ulz cMj]H\q>E&79V$h١!0HeùCx%xV7My5׷li#F m]0M W<etygڜu]0iKo#5Mͳ2#D=&(yl^3Pl=0Tge3([lllzȽ 8/Z*~\XMI-IWM 8De.\e7yvy$Y`(6$^f*pZVN,aYL-apr.`̌"8Qqh*u8/Θ;MKgqU䅌zz*f=w!׮PP$5d4^ӬfJrj\r8vW==u_sV 5a-NNdN78!kAl'+ FSym՚+=~fmS! >u=3>iOzP@^)~*IøܨĜ[)RǢ̅:W;OIe[1r}#+ւh Bި'"-ek@]"ys.9-(.s{(kӨ`zdTD8W;w]å…gKX@@goNu&}c|O f߸ū6%* J2m>ޥōɈ{?!Ŝdףp1#qta]H0Ӄ|MwH#&LxBkm&nFZ$.uąa`'Ԃ\%;T"A_F3œxD `x՝~1'cb+LRv.{2t%fcC]<\Z4_=T;yi0;>?eѢGf>AE 81x⤿\\yQRn:/xl\bNTEl# [Ք^orΟx?)QZ`&cȟcSY?GkN[{. *'hEp/~׎5nBk& a5} #g)]( A`)t7Sm\fDY'&ޝS; )Z%? '| nXXLž, cz12z1?<d/No3BMU-=69dEO>Ū;R ^kt'yjc8DK"[,-Eo2<1Zw;nbl1 2쮉NsC^ZsPsħ8#;8YSQ`^耘t)_K;&=TnE DqeN%_ѵi?R-lIR+|&b{px^a|2@YƋde,mVMSљ-.WT?#; U'p7cB =H *pBIesъ×߻і~1ڪ'ѫgȫA2u:gwj@˿8%Wu*~ciMY2G\ K,Y@]KrIn(#wM~m#GhڢT%tC:/V$s+ѻ/m/I_ jZdPK?GPvS[e*HQSw<پ7QnV7L&@ƧL00V%EG~w"ѷёCV'ٿNǫc8Ae^+_2n(1nJizҸ'ckbՈ]Eìl 1 :gb)Pd&ӱ*"ҰƁB6cOP:z SV-9rY$ /G+L]`w]K{CT-ϟB¦ ڐ ޯ$b6qgIxȫڀ~^`%'D6gńzL<<;y 08Wsi}l- OFŃ䉋l yJC,~qY,8l~](ᬥ@̥ S *=~jЊ3LtJyzMF9;1YK}LP;م 6%҆`Ke9$9gilɐ9zu@q1|: ջҀMDl0T9q0X>Zc.6'Em~mUrAm3 ""0% h>wR) 6WrҷJ j+ W~M3M3Lpkmq# sg޲eİSEC[Q34jcJO+:99Z{pځcVY [PA$!I Al"Fu[*`G?Ebj; z֦;͙*:4(F1T܏Fۂ%=L!s8#^ b"FZ^qgaFi۪T7: kWLchud."+]l­>iY5M2JB..X[XO0edR3T?e̍yOvuusˈ s0 cfC@:sB$?V*`ib?Oҷ0s3mTcH;"eI Rf(Gt(a@d0n@r1ÈT=\o~hO ʗoʒEz][\*w̸vtH'NɈ@Qڅo)Ȳ]3֤Zhn J ԺrqD YVOOgUZ-JԊ*_,5Mbl?T]4/~@L@/+):,3tFE.&d5c(55* gºZ#8 8 IkKQm՜}Z]vxc3}8a6z@t4'XvذPɖi-zm*Jm1gv!`XQ!pߪef2њok6]LNC>f sms0ѨuP "7Tv8Н9/z?եŗߓ@ b8ݘ\?prZíɘ./hqmsJ}ifۜz$hAĠ.J${=]$}! شq!h8St:-+*.ɬƮŽ"./G:jطF)ԵB, <TǍ,LnmpbBk/d3PW Оزi]%d 6gWw[`]y?s׭z Ƨ$ zK?l_kyB Aؒpw,%QвeOH%-x~8)U<ޝ`j5٨U|_" 4)FtEV^k:7LLpQ::ʦu =5:/oxESQ6:T ) \U5N{wJfU<LP Iul^4ON9v pijߌ=vƒH6s3&V']UON ^!g/*!9OG 0,;+TwȾ0sٛ]@F]ȳ9=u.mv<⧗dȍ&5J2Vr?b^`;.9ڼtH켁l#u i-K /75>I@YQe&\s9_M6minu ^f3@VnȣQi##GkRdoH>xD/`r'ufWpKo^XFy5^ည@4q> kqN|HȤaݐ@ieXYI0}tr`$DK Mf>:sP`{1EQ)-+$զ&_ppNxElb=Δ7ɝW90{Uߤ,gMt_{),[Z@T!5 㾥R`:"Q-5L{H4~r϶/RьDTj/9gqr(Ӹ{g"{%uWRHk?ɵ2n0f`~6)&),jʂ U*|ēo.4{˾PdR|mjz`^c)${(PҳOYy ~Բj #b/"mcJ ;p E*_SZʪŪ/5.2}U{m^&:hޟ$~%奩co(>d!K#=W-8[K_%"5I7"ʺQ"}}Խ ~*>?zY{Ur_Rlز#R߼Q/5k20Ftb@V;qEW7@dޘ[@ilKQt.#u? ?̨O(}EI5 ɠ.@YvSoI^ہQPANh1Ќ'⊭CYHeO (5c=wx|u /eC'Vù*`c9q*AMkVs"Ȳqֿ\c/ wY/pd$c*1R:/{;v =yBFJZBQFc\4շkSNC$O"tRw1ӟ4*W&2G!_1\&o [=xt1y_Q ]B`QJeBtS 3g %N/ U~N?$îVoڶ͛!@M74O i+ѝG7--uZC:}|L&]ѵYt)v)wRTZe=Y^8hSvXa/ *'e<:kƫ%5?ݖN7+]Ca NP|ar~Ep \p*< <5SfĂn]&v +<,r` #:n)R]LE?H^pF1i,7CM0>NÃ6%76haV^mJH?ҚS0A<FD3]5{ AdH냀VP~ lLp'^TwP|yu`BglUι ծR'S3[WQWp%Ջ3"RRbЉ]y^>%;V;C]44J㛨MN!1Fy0LDc*I؛<߰EYVI)`fq26fQΒ.,8#4QTAYHZvFz)bT?NbY*IUvkb;ĽliPC\ n":YD-F`; 3cwmܡ^!%wh] >jJ˙~ˈas0ﮦV˃pP1) h:UɆ;aB쭹;}(xMvl` ˉ 9"0b`:lI(`JD(.K}~zL.cO)iMlf1\F;}y#K6eٲNWpĂ}ӂ[Xm-=]73k=v *̀h[Z1H~3#Q#5:w) ̂tWiiUxzgfLYع%akFA@.@#:' T՚gpmN"BJ\͗3ũ.Iā59\1D݆~D nT}&ǯ6>K캦jmKOm$7 zd@п~ɖ4B0v5gze*Yy=r1փNǜe$Ln(\ 64XRLy"qNu Ƈm >h$DjϭFmc [':@&.w0 $mb.h8Xӂ#o;(A0lqPVx*P|IV qt.~d ViJQEPeFlc3)!D=~;`RRo۴lcQ@4x6WƉKt>=܎::ͅ},H+cMM:lXe3h3[H(ozfT"G$z2 ` ƫrtBWʅc-C A/K Ug k\48OE6a9$[KE.ԭWğbD:T^5c$ĜoFs>YHݴqCapE]SjGJhoiOSD$Vr'V4Rz;BJFW1\$Z M.Oք "l?zf1i&Mx\ى| OVE@L.ȭh֖XBo'ּHmʑqIdw;Y+>x@s06QOg@ ]j\\ҒFۚnپ^9tP}^vF~kvȮEiIJ.b)Ox0|#K&N* L܊~㔊OM/Z5nE*4e _ Dz#XbHd*≈g41;:+̭M#?bg$=.]j FנIHbG.녾9[Bg)o 68oos-%Elpi4q oV\^-N=YTk>-j(]?dy w/nj)WA*.m1}zN|u<1Ynŋ5B)Р"Fw ~ңP$+̉d-Gg gj"z!(xr%_̞ĝ@UR.fbl9x?h;Şc. ]Jsjc6;JguC9Oҳ2x5ZXZΦVUرn$= DL{&v,DTF  jiy5*zᷬu|mm=]oߝۛ!V*U 2>M59|C~9ۮ?v/"ԮT=Ӯ4_߰.Iv삑ƘH#ҘF EEх%I: L; 8!=[fJl{lB' \5ekFlH:phM[xZ*gd^ck3O:>|*Z_=c ay`[iK҃"o,y!V`ߧ9|=Z Չ|kr*c'}F[ wW[v&'O^$͡l -G䚙bPD;m~ꏅƙHN$H}j~ 7rmdCю. u5)zMbEyqFɥ^K'- g U'EC]NW } 1r hz#F6G`l70zr}8֚Kj69K*G6.%%>7=tdٞAV>F"ԣ-+c /wo*UdkHAyyu l_g4|e$c4) ~HmO:TUtJđ^6?{]CT7ҦdKW&m@8nJZ?Gr( C چׯժ%{X,O'3]ˡ93.FWÓI&ck$7j>"`Oϲvڹ) ^*՟DQW/4&Hfrv+!:3(pFUyκ)1viO1l`#zynb`7qrKIx~;GD&) }Xq*/|Zf"^7`%skza?NDbEnsp=ԓAc%A@f>/(خ[;J/HGASX?WW'<)TsGICUOȴ/n}!hOlBzM1؃OOwrq$fu҅" wj_Ր!c:l+\h-kG^1v'S0Zw LQ+>B4cZbCơ2dn~S?pU DPlp5ϗ/얐^ GGt\/dwIΰx iQ hf6vN/JKfdr lၝ̅3d{QmeS$;(o+ȼ?+mt6ڙN%M\ F+L5$Yeq^IMQzj)]JF"Ak,6k` F8/C.<1>큋M{e%S le댂u91q>>FWޢs3z(P3Tw 6Vm˻7Ec>:4Y諰3&hވӪ4){M@O 0ZۨgN&Fo\jKE10+d3Z"5VBEOȖsM.&;gaxpO@e@up͎P@82W7TZƓSҖ&h8Ϧ7p>Ko6Ur"i$yqI^-ngM%x蔕I-uag0/9gJe z,%jQ Z픇EnEHZ~eH P>(1Z4{:Ђݟy%In~9tN,Ъv6p1lF1L2i0̟wt1O x;u}f!I48'l홆 [B/<6ٿ޿YA17\yP4C25CT]zoutؽtAn}i!9Vi=תͪ;v# ;״=\yB&;ZsT1_[T՞K7n,9ٺЛ̈?YH\g {bx۾@?_p,,a5#[Wݖ\<-MD@H- U1OC*ܑ?8tz5a$'kJKbN쾭\yx!-:[$FퟸcvӅ~a LO.lV}!]"[wV R)ԺŬZ';m-߆  xWU곦[%智qAs]Y,3c\Yokw cD!Km4Fs .iَIR/Co}>_:%[q<q@y"Hze 1!:b0\SG"5 x6$Sv=E`(ЫaѶnB=Jh74Tkq.Bq6 0kf怒 'LpF!yxY&`Bdj}WKVW.Uoh0rdܪҥnBWYzBq=- б4T"jwEC0%p䯠m=Qρ.E0)eC?ԗ~crtD~2Ȟ9>^26*GYZ)ZFi(-ev)씡ndcg޶O]Zv XV0daIڬuuRoJ;Ld#uqsΗuYk5ӜѤFםTK67L4Kd\IF~%;FՆR6>03D-bdB8(!MVMhކd=**HuG H3n՗#sOdbdwoV=߫!`L4=7$$HM?>EMIn-}tX(XB{~}]rT*^MUFBq=]5T=+6&MbA~žek;?=֐\ BejC⼘$ |(L0^Y*+F ~,W42hW,N_Bn"0lU%qcL"jAloL~ n~%$j{%kAv#H=Q?g@}P'ubfApVr3BseRl7 "K,Ȥ0k] eAR]sR'aU4Oݓ Ss)6 T"? h+=F+Q/o$8V*ɫkCThkxO_ ×b{XF]F eE8褏&߆]&^^d nQDI2rNV6SH9+ߛu/`Mq+]ZѶ<f2Gzޑ#U_ i@G䖇3mwpmC> __;s(`DѨ>ME,Q\ЙđUw_x[Tg{ZkMQ%AuǀUBl`0i!%7#C)ᅱr73覜OZ3XoÏx [ITĻck0@Nc: 8[aܝޯ 7W:еa'/#m*Gݦ;㬘٭ A_vN.I2!Q۹Th&k}8'ZbBs bnXUb*NG>3pR_%D mT oo1gY/Y.N"}46} x-QKaPs]T^+}G [9VBn,y48lEg(eZy9w/X`A` U*.X;;׹PkׂXgf+\;ѨP3߳ tޔ#͑ FK ?i1c¸+1n~]tHT5cU*y'"r58PSخO;.'wY:;Z m/&`!S}v緈Z4vn16i/9tOaX>y8଑V݁_MV 6 "4NC^XHv5nyT^Aj@d[ק rɇJHv7#T6[)P_WZt{rc fe_ DK[8ƨɉ9uv@^){ =ɶB !b._UF[mTY},>6:ϯ/Ԁ_thr;IɃOemB\[hK%-Idtt8gNس8pZ2AVGP1_*]w/]!:SnJ ڮ̓{+C0ݛ2y͛f >vSVR/3aq ~OE Ѽt8ܧybG"W%3e 2OkxL{ %#T'rLc_ub+`AT#Un(Mْؗzc5}bk{_n ؉AֶF%aʄ(#$|dm^:)5gaSPJu-3n5]uWIn&}"er8\˨tͽ-a X[g+@^ɓ?y}P~4ug^p)bYT}$&Li+ݫi%IJc q*[D]o* i%#ooj߳;?LVF!.x&EJ}g@/N*h,CݬL[ vJ@{a`H{4^jt>$YE)'"=+0NT zR!^va>Y;ғŚo4.Sc-O%?hY QFW_y)E8GMU;`ȴ@Y< P(r@7X!෉3@`wITLr΢?$ ڛ4݋$}JvGM\g%d6KCɮ] >g.SMM$֔V=~GT_!5ma0SG0žYo%W zi -:%zCY!W+ ~F?In97?~x=QW KƈZ0kwʈy4:G +G&*3sezDFy5Ų䂜d#=m瓕ng=zI: `xGG@Vqa:)*isinovp^G_Q,bѳat10ࣇ'edz#h k3pDƑ ihVmXW9kN&MGVae=w|o8oIT</U 1x#[+I]Fy$GeَϫwG»ONW=|_fi hf#JV$n_d\RQ!^!(W@T5{>nj*xd1WX8Mܷbl}e>0zdm!罔n0߈?aݣ !=9%t$*ZHR!)?ϳOA fll)^-1qlyIf=Oڽv:@0df24}ơQzXfO͹qztMFCp]}€by`dԼ?dYhu3/0A+:' {\kRiڈ W\^K4f2Tǚ`OMxѣ-YwZ=G>u-lDl-=g5trGE¸3g D.-[p& M&X"MԹ@B>h:a4u²{:m.pshPeo"9הt{9;9:= MkrXxea8Y<YHY.ﵧɸ"4ﷵq0ֆVFx<,.W~4 ^$K]oEwq;z8f,izwORRKg zϕu"yTϚՑj=Lز%ڨ٠IN M,[p,(u tBwm1v8Gd=%Fqu*jLh7$lsh{-f8\ovTũO|7.&AƴT&gH8vjkQ/"lGs-* Z}$b,MGL{FVh.@/$ҷ¾ $H˫[` o-קd:"Vkai8and)mI\:ɥH \+AX05heW2x2ӸʐA/ȟTG/ Q%/(a`M1O9O.8AVvT=&1Hp(CUحcʿ/yHKޚ|t}G0kdBGBU⳥I}EJ1wUdu[PgV~~+㳪^nxCc hS6MB& @SRUfh1{03(f\|koMV|LAbE*j 3q?T?A)ZZy 0_lNnVF4wۇ3y* ٴ+2k-]q5}JT[M-GDPsغ 03&8wȞj4# byxoMxY܍%1%ueV59>%AQ&#yo1\f}uku<Ӓ^ Tèy`egAɋ᧰r$'6,@cthexI)G&JV!ᵘʒг3'7àsqfs6lx1%to<܋ͣf6WyQ-#gm »FMYߞ\ wH~?OI|S9AuvXùNIIg ,m\M2$<Q/ǕBSLCfb&`. ]=Zssu4%fuNJlS0͕陬o@@#E٦ĕ.T5SX7%O2Bj@Aꅟ W7riq?F7Gš>u1T3n>Te``nbv?]SOwN5;&q4u4eF7Vֺ輤H-uߓa~P-0J\ˏSޢ ,Zwm}1-'- MȗD*ό%l hCe:/8dʗ2F\⃢CH soXPvYi/9uq6˂ ;<+n\v )ǘhDYǪ#sY|z>pfߨCq[OyMi4B\'YJKMwE7& jLzvp SS999[;pr\2$A t4O|pCRGvDX.^+a-췔? iAdzFp1`nX6,RGJg\PM /C]DibCԋS3җv=nOYPaNoDP! ;=oW0J`+˻;c.+v;a RX/Ǘsڭ@:,jehۑBgJVI9tkbl=ђFO }ZSr>zoFr 7;sEOH#M7PH5ׁBMe*9\.Q, K^S"i[J$f9ǺgO0(D t> C&+O؊u+]HPL3\4&3Q3Z'؉Dm^`JIg>2`(pAD>T㾩srKȶˆKýq%V,rR`g$kSGJDMᖕXK& ~;Q4eJpؐFE#FMbĜυW3}KXKɖ0x qˉؿy#eC0< ?&e2|~Q8OO&ÅTֽ-9vi{,iǝkpi dc.? }{Ad 0"#_2 ~$Wͣk\A @b^'7g$u2Ό ^?5`,Q`ˉVp8HF.'fv8uT< ClG0-)'LT7>h &XJSE0oDXgtGVh3I9 3=vZa b}/!a>?@9cLp B%$1*2D8Lq jx% XB\:8(͗/-ңLH]sQӊe҉0KH/ TjDX&g /PG;^v4Ph $:d] ZQUҍzj/ *t*uG!W`Z4;Eҿf My[9qF ⟤Oi1q3GJ_q,x.?V,5;5籯+)9QQށfT_FV}1qX< 6+hndP49bm(N5 EǢ1_UD0B g%|N8X> 7bOWn"q0pn:urjL@fK\}fʷ|>Z<:0G*sG\vDƋrT;a*EHjg6%:`縻ԯ$If\n9F 5s~ Eh9;{-TnaVd0ٯOKb6qV18A-9 7@/Eď436@)fiO@D3)ӕs^YvS[?GѩMŒNǿc!P?1FuUoNIYV{z~|>pL,y x@~5> t:aD\],sFV{@&H7 DM~=u/h=k 4䥹09}88J6P!.2F&L8~pd˛y3m$n`?Tu!K…C0sR{}n}FqBےkS@(g(Pw37Cԝ@|]ٕZ@"p.2eZVQIJ"Z\7§##7N. :xy)SEYWY@r0EyVCcrq/8`zqCI'َ| ǘ6aEoC傔rgIQTsrY1'4`?Egt,% 8yMF{ez\L8p@p8X.]Y7ʥ(XndS1I-(bfQ$@0/6FX6׏ Ac9"=b6k)2BHԀ~nZ7 U/Pt[g==G;ؚw9AрGA I0_q*7yhC`Oƺ4)S1F gJ{@Q躣x8;Fނs NXiZښv-)-A5xy fzo,[ZB"|OtbFpjhBGzJPI(hUE9o+!xpgwi-[U"="gͳU/G#̢vg[g'8 "WOw|9[M9g*qE<3lxFSvn7[ހRxG?9꣉i|b$% 4Q Xw'캾?msv7wU|/6+bL񢑫κ#x +0Ïqû+tߏ0JX b3)s/v2 5I~EY#;;uw&\t/'^STNQ\B@)ADZjgiBxd&܎%q {jh7ZE[87up!zo%ST0.C؆sfd<}J!6Ӈ6_cpԎNSL>*z?מZzlKa5xՁ55ú'hX *(?*&pMM.#id_ZN[-cXYǘ5ݬMٺ|fE~$bٯE_hq L%R*oa`y:Z%tb{eyY&izKҷB_  Eah3SZ!cIҥ*}Or?4{/gP7Zc; Έ} I+ !*P]gi%;stgeˮAWai .rXﺺ𴃙|6MKjRoDƸtK7Bh; a}GS#.'٤>c=ȓaJnz-Kk@cIIX@ewX50-(**$һ(-܌0ʍ7ձ`eɸqDu#ut~HoCݫy@N\Ngúd^ΜƆ:!6W}Rz3x86ilU4a[ 3 W9#G<^FT7Yc1.^~:~ֱ5PNEjAMn+V!\bPo)SE!_W^x:6-[.51#c#%r2't8T+U2i*ېZyf;c6<\u^9b/*/D-|dCOJOP.UgȾ/cl@tòiuO|4R^ {qCnp^}:&,#!!y<-޹d 咱)g//YnCgB|!$hiyuض[Ntktly]'|uR4eT.'9&K+mfܦ t)sRa>!?t0X{gw!:Dߥʚ0ңjjZ@%ȣ,O.@6,8鳱A<0GX5ιRJ2ެv,l%l~8VYJs8<茿;fW_ffRӀ"Xn14L;6 DjT`gu+[ě9Bfru=9f:z X{" UB2"ۂ\4iij7"B3{y[rH!kZyb;ILN#&<!Vd4?7LּT`|7yEw"YYqL&r )95;AK=qs 6\D\7=+Y>$/c;7e8[hCU8Z ]t]:A diL9 VXg^ualF5*@[]g$ܛxچ8_4;ǞB]JpZqЂG>`^[ЈJOYPGJ)*N/k54)ϙ-z]Op<hz#=Cb>QMMZP]TͿяs ݺ/^@AFjC#la, i0B.M]^5A}TzoA|x=Ŕ\AI-Fw+Vgaőw^נwo?\D2Vk(nA#VS]Lg']W B2O@rs d@oFS3 l˚$ S+yX75WqY؁;SR֥]T{C@} ́ش&ÐaLI uw]O\w:+F"fߢL`tk`yeMSIA(4*5r0ksk"*lnu:a&4?p_[T9.FL8Č_[EE0,M죀j^0@<3Uݫ=§d2ԃI}$ZtYT_\>ҳ yeK4EvUnv9KQDmjv+Z4#M^KVw}7#t?K̈́*Qp Dm[ڼS_OSwOyyx@ՕOtTѻ#¿/!ACnN&õ*UU;zFbTa9h?OLq g!V/M§:$L3v`v\O`8&xJߵF^[-\pwR(v#+EaW )W 4k Sx8f N\&C*,lEiq>tJ) xA%(W/- FzCݲY;}{TnՕ0 w>35Ǩ'J0a_m&4FPCJy.NlTYXࠇ>sh.* H:W~nnox!AS90@ӝlU<0D0PH$,KgR9=Ag i@$B>ʛݰƭH0P@c,{KRwpwL Vjk|*=iH|Bw H@}V8.A >nwA"rGۣ kЬO#\ L]2FcmiWCOْL |7nQM^Y^%2aSA[O^MAf_B)]@t>2@Wam}3Xu+]8Tp>d.hDv:O|t EwZYMmU=V?=`" Bc[IM{KkVOPaU/oWPEb4Y([ѫ7K' P}ߤU~+חwⰐhWfckM nc?d %ݒ,,_!;9 %zV:]snKd?X2Y哚TwU&D_51LEKfqV*yr~mJPm񟋍A&VB<6)CdYV q>m| t?u2QzV9NY|x^Ii b:疼W$~Ǜ'$&;gTY'$K<~,,2u T` ueiq4h}8 Sx5hĂgˡ SGY>h4')0LSC|/Ff;pقsDtޔIPRW X8FN^e3(37?] DH!ЗHnLzI-7sq5at謅3Eh+U6Uqh9U|g8W0pv@K7\.mI]- Iga5KN (3G\.f_S$0銄GcDް׳2a6:X{oDD# >LZ$=32cvBjpṀD.e+Y|ЍwBLӐ36VB.ay>Xj7QF&$ 52չ".@%E@_]ሬ3PEm<9Olj7K/Z˰_  –$wFejGP.h): cU>U\ 8SwZcxQm"HkG ^xʃ槩FLfAVR4|zl3)A" ߨGd-&$˨_I͔) ~p r} \1wcήn6MKtj[.6S>7yĆ-Fv|&4M5mqdf5ij|-v+򬬃-@l:> 8=z̎aoOv@LhN9܌zYnɲ>nNv+Ґ?{R7#[Il"P+Zd/O ?&=ǼK>$b+ĞкnÄc*!<4|ߏk! VTE7ףrCʏ1v!9-idD-@)M =΁?'T_'i F Wi1yW ׇ_ )3AuV7Y-Sr6^aA[ŬєwUe,)~=V1DG'Ϸ,J+̀{tgV`L% '}- `R~Flm<(jc"8F`w-ә |09D*Oo3=Ԫ;ɓJջ?@wyDOm3Ɋ _)ګAgKjLɂ\riY)(gLg@u. nIHq<]Ʈ)ziU% b Z?Jqrjުwu] '~h)F'f:#gA:59)#AVE:$\=\f@C.qpL[S0*~1ZAT`4j$c%ecuʥp{x ں-h+7Ow2[J"&qisF>!|- z rG^Hz=2;,7(rD2X3@<F#tr|=vnHU "<+g}3^\y !UZFfe,yםp}!&ɤ4͏ ำ`@?4\,Hp&<P|gRj^,yO;cmϘ>#7{W)GjA3Բ:i]/0 ;Ґ^9Pf.pHwJ@%¡*jӆxIo~ս}M7d'7>`䰃"0VgB6{pRp5Q.J?ф꛴_L2iÏLvQYϛ4b'J^Ɍ9+g HM7N#h<]8{ʐX/:nGj <؋@<H]QX]rR1A>pNs*#Pko_UcE0?b8>^攘cV?n R '=T`+^sepTM*71{<.hwFx a_&ֳ;W ״_YMX֮56y,?BB@lX=SiϳyU/ohFvNaJ@ŠMM؞, E.R&@TcUCD඾B÷,F\FKg6^3׼O@Gprq(Z]ԫFzi3nA}b3u-a>8,H>ᩛ29Zm)xTCbݗ B8!Z `3m5y{O|K)3tH``;|\+/5%tyнgpӼx?oZ)Niu3sHQQnyeI#|hq@tHC5 9BF Ss `K3(<#*Gb{lZ_?JԪ4BUjZOE[5z'8t,E.L~ৼw<hMqٓn^ڜQ vsb[J :*z4qhަ{0q|xfp;W~ hW<2 moz,ChIxcq?jHfph dL4TdG  4.v r k>n| .ٝfmV6?&ܓLAs|?_` nwdpHEOp"&bUR29"! +W_ю"Cd_9U4PPyw ­#@ rk\S'ߑXGn#&VcՕbZ)B80|?^uC%Acglդ4`4T*+X9&޽6B<{I@!Y.IIR{2ӼhodTTI^FA}ާo{E<▕$p *X.߲Lv]#F5=$3ԍGsbCl#f~#ȣ2c4I] .S~߱SuW"Hٙ@eEn~0rjDRiF _kgFm(7ԼՕVq{~ (w2UJC40YK#@MASDfcƁ<f̫Q1إ3EڧZ>A"r_3ĕ8aƙw`5цLF}!<Vʜ(t Pݐ*Sh|sWr_ *+2XOþwx\_2 ɹV6 ]pi\ywM5d?8ޙIN Yj{B6 Oc0rڔ6foCU92a`@$/NX>N(*I=~JHCZ9Ye:W!M ;e P*7 jpNcGJd^MTҬyڸV YohhA3zpRN7umaL& AIMOvAF r7?K47RC(·s1;ěYaM1'+Āțpqz&_<#鼀4QcKi%)/0"ZWMS1>J)Fj_3>xnQGzcڢgFU0XkYߪ,!sk6\#eZ5V<<4YW3ynG ^RId`˻+kfIsp#|v ޞL+dߞejθَ%M^;[I3AysGJIr/ݫFILyl\dJ3h c!\3#T?DSNJZ6 M:p=AdDN&WSы* zkQl̃odΊD[=tw".HmWm33^zh4(K<9R<ղlwey?mE[8i8!nJDw=Ll)]>oL(\!jUEF+kLΆil\Tݹw47E5&6s[L.lbV*[|xd`zlH)+G.qwɉ)jTaJ͖o>DŽ9kٟ<3h'LJ: A^C 9X*-K7Ҙk5AE Ytu7#BtYWcpX{|ZUG97ouAͩG)&I# QงTP(eOA[gJ~;jIaps+>-قž/"oKܜ+S6: ?3@UAqaW8uȜAg={؀Yk!Fi+]BÇǷ!VE`ğ&$C|sO}(xڪN+iI6xb &*kW-Ia*2xφPx Z.w>εtv 92\Z.߅Jv +e8nhZq=-5 ծlCHѐU+@#d+Բq97 E7w^/, n#( {P~ : oڜvDz,07ףw FF~z?ώyo`G!B PA zW%q2 IWOKқ=[3zHg#oQ$Wwe`m[WJa:m_+߀_@W^ӹULB>qR[C6U5V_uOPwI NGXӷ4p} "ԭ4of:Y6,['Dqw"|h!X'H.\J iFRnx6+tW̧Pk@o"!n/~b-#biyE ȕ٥ԔA #)kwC F(=!קGY|לmc6M `)BaY-yٚTs(Ƅr*.%Fv~u ͮE\iڟgpO=wPs6LpмWmq@*-;˘*`bP&Id*3M3WpX`hSJ-n*9XY^[iy>FaOYi5Ryhj HyQd.Q$4ɘdžvp nLeBnkm+^5% Ҙ{ < }\gܰECR<2LVޭݰ_@F3=Dl= :ڱx!h1pI@Gra?7)NHUoH_ JkIVzjN-L"F)(Z?"s I7NW/,Ԧ_^'Vdh-춷]LS>Z| co$vieg4qOǠC } W/م<NKߨcO9g""yH dړ+=eu/*a!^\ ơ vG 9Z@h3/!-1zH #XW܂΄- e`ze (Q8 ݜuR/ iHJ y& Re^!s*4QSҞOo)z.6RƌbЈvN**pw%?d9~\"_>Q0@oV6#Zp4y!\n쩓U6t@DNW("+*kayZn&E]M^@ʇ#47.V^PJ-^2-Y *_0@mR0OYa]: *P'pݪ؉oSʷUO=1%>.ĽbI>" #Z7]єVfD]x~-tXq%^޻~PN( <}uavPe5J3UKTDT"?^?@tXs5]~m2mG K=MXΔǮ0̀*w}՗>brїAqTu5&,OW:Tb s7!@.9¥/Ch?Q[cч`@E;PEژCv2q+* nY1c.\[WN V#1|L5 Ɉ^)ƒFƤlcu09G`h(/ԣ8""X VC\z"n'YS}y&@Gw%΄k6M'MxZ x8 ]HlKѬ_)XE&[BoUd/ŵ$mjMM~KLj=%T ʕh=Ku3Ibjclt=۾ĝ-._U7"fӡ~V'_)7BZ.Q91ld.ոKp 3oStzi޸LQQlb U2NVkY;ͅ-{^:Z1F'0X boL;E 8>"wσRU+w!H<7z/VlVk"fT- $0V"t$ p 3\pUJ%ҵ5# jډka|[?×z]mkF qOnV&Yk Éڡ˟]P TJ1Xp ?P E-s# yHT!'FS$,5-/hրWq]n|7 h^Uu6?w _.w/"]ҶAɏ3o4w17+$fQU fRNOfEv~mZǬZb$O;rEm5Nqc* Jh'mP_{g]} i V%0h"dg]1gQV]P`;c!p?Oͧj1zHGݭ  fƱrh쒮SF*O hlx#m`'drBijawȓx|%NWn;/ݫi۞ Pq(u YЯl;jԙ?u^'Xa=kئPk-ޢI.q4D p ?ZYՙqz_ت;N3kih*r- (cJYv a[cV!v HB}h/N"R$E$UH~⍩CQFR"#<L@€)&7Yeŀ}WLb(N H GGVl9l6zhLhdh X|';AʤKP"1 0҈j3۰7xw1aé7v砕JB"?s֤O(sPUJ+h|r6{]f_MO*mai$yV`Svb'g D׀uWk@;m㺚g*o[Qm6$ˁ Tq^v![)%4o9kd6xQTL˖Hy(U*%WΞ s&H ; ZGp^UI=\`2z-sO%^Q/${JZ3t thTo5y_h`.0g#Ci-]c"3( R:)#d茇syWŧ؞g`#TOPOˋ3|ѳ̜b>AqRXL2iEV:Fn` 0 9ZV`gjU6aH zf]^ KabFIUwbB%àK2 &Ao(_톑nX@LE`"6=$@MB \="XQjJƻ=43(n+25zI%tySõfi<>' rؽh&(LHRMMPtu[7%sn72 yÈNЖ|2}^?Z.0aWj*側H){H/wI=绎^ۅ[7 Nы5D}Gಐ VU6&Xz_/FaQٱV^w˭YeR˷mwRkн2'5=.cs}>"S`Np ;gdvk1M@dqpեgLpfW~a0'4g~K=FOi1IR@#/`aBܳ9soUu)N[`۽b26ީcɸORv铍Ŏ- A ~wqLYa9lWպypl{px KӠSo# {~*DFTy$6Wݚ&=`ƫاt4 $;Ԗr{@D z}rp:<`܁=[RX/IGU\Fm I,8gjϤ 2yRLQsFH2s9mV!v!O|Eo&Їh`,,F2[nV_ѹ?n39 ҈nh"! g !+'z茛=,O``\E68ؿH閜TacA)TA0dCٵo$PdC*U2vi30"[9LZ%R=t-,+HG˸xŁW &6ަ:wXcYȞ N[X$ .bZz?JB{ DU(B`х_~CތXN;M"}W9o@  3-~Gm"c.~[nv}4S\O+{NFc-THz6^OMg1اGy@#bD`6Iu /쁏ZOm&T}`;W"Y3Fgd_&v׌\$b$SLIx01Xc1(I[C& V}J"cؤ>Rʳt]ĊFM<]{Ɗ} R9!0{QAg/#kk?S vԞVy%NKJUػž'R6:^l'f[c_b܉G%cZdoP&Mn.HbWLb#-]rbSäLNL^;6z{.3{ޡmB ^ _D}lL!6Bvi:uBʆoVqN u9Pu\_X ;3 $b5w~76m1SlOKcL3k?m9#MG c`XI]1-O"Jb4@"&uw9T؜ʽ\ևI82ftl' EZ prO#aCccKDW_iUڃʶi?mpTsF5`}1 @]ktfG[%)M1oA6O!B ?$jP4fN*x1 6CuAE"Y@f1LrULq sI?~yNj돤RRe컯$BRQGJ+GV8@!3@;d:?1YpPn捇Hvذs @HIyfe .둰HI&܍ljݝ҂.$ƇS;<m2!򗘂15mDAa{W΁tR>1KNsj\oYKlѨoӅ _ǭE{(*бsQ)O!5tccKYʇ"@ "\ݓ61[ c#Ĉ9m #0Y 6ij3LX>uC'i'՞P*ڠ)M G ?uΈnt ռٺ?Xl wWOeaza6Y68ZI#B#I96AL -ngo, I9LwZVA $6e&PUX+rR6b|Y9z)75gKg@ J=5MHWZ~vS 9z[c~pV^V)yڗ{9_H}X”xG];s~ŐWhwAEˋw|4 Ka[.Z)8XuMǠ J+yBbhgId̲~Eg$P@b\9`[$J!2z&jd쾬joH5U^4fiZbUǼ@j8hIF$PBawJHiŸdNEM-AqɖM"Y/d8 a( 4O"֒߉gwuWTJszǜٍƽP /T4IVLJF&ŃTEWݛ"DRk}N|1)_O"N61UtTB1PEYd`]SǩyYIglxY5eu3ԩl)Xҩ-z""tg(=VO +iپ-{]ҷ%<( gX 7Tkk)Kߥ5&(EG15Ik6?VӋjd=hzV2NvppF" s[izv ZA)xqd<ŚgW88<ȅދ΋x~9FCrͳuuAuF6Gb?-_L1/=H%aӪ G /o C.j JLx\>CtyUb"Hse\i}uYKC6 1,6y`IE9&zݢ\- 8TTNiORH%[8eRכC l2ɩv2hc5|ELn/} .8B,+e!.\:/=3apWAgYDo"&p{{VB߽#4̐#\I W8X*U~xd V`}p N0c/#A\kz`m;qLfsK]>WSG7?diGQLSN3#Sù Mv(g+V ;ӄB|שQ5JĂNө8sͭ,Ձ S왹Y=GQ|z-l 6 a/pk=K<8Jweb hGuQZ5 ՛=@f? 6B:@(s[xtN V :Ξ6~$gElc:I􊤥]E5VЍaKm<k-k,$[>dL5/"%mu$)Td9_,v˘~5#MIO7Fg`ߏS!six!fɔ|JC4GNr[tݢQi}  ktK%@\-Xqi 5זe܈+jLaѨvӋG+ VT6z 385fJܞ?7Ɲs؁vAx³D쥘!&SV1H䃶S'Kpr1WaZ7ALێKfy\(b0ԹAC۫`bf zOǤ~7a+gm_,0u ;B#.ӉG.z 4"7$?] ƃJ';H@˛=YG6r-;V0}:Rj 9i.5Zgt"BQ#ƮsC5RQ4Q -ߒ'tc[l$\a IpaF%{ IP/)+ʖ\߾SaIVEM6ɨ8Ph3Pch*{ ns _fx?@{٫W{`7XJ/ӦC 45[2u}(YllUYX3H, J@BMqU1't b-Ҥ>WT_uN8=k2r-=D}ՠ('*%̋y}Wev*;kZ S׳oPj0yr[cCټⰕfںH¯g2SŀvT8o@<r%g.#漏 l9#&!35ol ȃ y'hhGS#SW$w.;ӇlǧWP?xW9'Jjqe>H%ͨ+5gAoG$B)RWwp]Zd_lvBRF*m&HP~Huq4fB`dw$gӣ6#}W A١USG~vWcƇ_b;jp5}RCפ/M J'બW|i]UEMLK[ƙʷ*kLRC K)Cq$=\u"'rG Xб: @h}pcL[*xZ((v|9/]̀YZuik&3[ҵֲ j3T.jA h(_9*^HCYKn-NBBjU3:ZW|A>î j[tD;,ϱ#Oh$7E "#a5 WB-kCMβd *UqQh{-U5*E(0G 7.!'cDc5ؾ2hfZ!QsbNd#ctS ]6RFQ@~3qvgnwoc)rNs>7NCx;8 ?[}}+}yLDL -bS?"&j ¹?dcQ$xTԮ DN` \~a Tc>pJJs8 04D.';>h+t`b0Q fE6lW֫:AN0oV3d ?eVP&MpD0B2ʥvBKnឧ*.-ElNNJXo&vSnZu׹|y"{|3&b,>6WVOY| i6dg8lO:Liv4qp$Ѐ8 l6FIm#UZHi= 5%wPJiMTβզE!_bzg\/F{R]?+@q~3x( n=3!帖+hBc+C`Ba]Ԟbٹ[U>t|UjWE ~O̘i>hLx$܍9Rwe 'n9ZZ-Iidw[! O32]v7FqrQ~6Gb&M:FD[ p;$o9aAߌ'+ p#Tqg*t;eT'缟4i3 LJ(4SA<܋GhFW qN\E̻8"JSl#~WH 'K<BNw0Ժm6jc`#Eڸia PK6{HEFHτ(I\uU/(}G]#;;nRSfuG@P<ۚ n?=.a f'aŮa){gGLCZ<Yo1Oz-n(=- WΊ)y#tsMtwuy: ~&᝞ڒ s ;2HO lgϰK(sV\4MV\%ll՞W 4,+B>x uJWq-,Yb!kFt>""3yt䭉suǦ? N"{R~v֨X`Üjࣺ/1a4@j'bԿ0 P% g8B c*ԈZD5|OSB:(X)\2SXJebc@7f*8~%YωxHԗɢ_Gz1fᱎΫ&XU9 5f2*Lρ@a*Wh*;alb0!0>Y\Ϛ@KRRyx}9;zUl3C.u#i sڀ4AQthͯxZ#P<0\ϐ:ۂ@]Y QdvKdVs ^R-AN?\A=?"+KHFd,G=ӈk$}FvEsV]U`仈YuW; Kl0ud!m%WrxV,SxLClp^e_ȃ7I.xKxnQDn>"|0tUa犬ufTe[v&,uژƄ-=ww(bUl[$nºxI+{=#\(R7\V+؄ng[펢g3s0\sԑj:ػ9'D"e P9AbeHL/d8/GV.Rx4i8? w_"!!}W&@۳ Ƿdzy  =ۡeŁgo{@HťI$XỴ"n~2_|R!]ȥkF:)#+3LoVC;ג?z">%՚mlnZ_t0G#涘tc] Lf+`vA<&[P}x?בICiڦXtB*Q}أO̝H*H_摷"oY_4[<3 ,6wE~*6p{6pGb82 g#$:t>š~TjdE}a@l1?4IR꘴ ^b.ȇz~€ob&y%{9 UCkb%'1kn}x]aWM9v]ըK+VIV&}h{a+@nh!Ach֫(F7b`) tu!_["|gtX6лDP9 i6AmvȰ..T<@ qڂ|!=Xζ=ѡ^(CRJ_d,$_ڜY<=$Zt,QL* .R\,LvxzjH2>Tr_qZ w/w+S ;GqLȫvx,lq0Y,&mkK}#7Sz=0bx g-N-)?Jf,㺟 hzQH/mA:Ibl*SMܩPU~,I;d+ gu^_<%-9Ԙj|5o۳ Lw2kry;/O&0,\IZ$ {MaYkSSe߶ȅ5?E'Y|=2P,8# >֗[QY@2|СbMiLqNEKmFrQ:M=u<(ʵ^'14]I#d2Ҥ|+[A5tqacrar/xh,n$m.vM(?@W \/O:BC Hdڞt:Ŏi#Hnp,V]" m]r, Ր]y'D" a< e]s\ݺ6U247Dl%A8e͵BɝkBHK$g(Si)*s10쯋t1}H@BPӦyBoszk~T d('K W3O@!ULL{k[RqyCX{|[d"j U(i ,U~`:a L<"._=NpK2> =1L0Fb%?wj(*-s VӤK MlWcu`t|ƋWߗb 5=*pɤKM(eRĮX?p^TdD.mf&ʞ1hBAj;omR$@Z!Z&'rF0x!(XjHbkwiv?ܣOR{eHu3[iDK}B]Ϫbлq}c" *qtq2jkjʿσ\oetL \x4sӋ?N3ִjQ4gf4U68T6ri8KW';)ԞWe ^dTLw|c ?tݷ&a"sKJs%-zF K)\|~zv8{}GK-y)i>A\ <(gh L8&.t+) D_EkIleT}w8nfYʠX&}-:5odBv7Q7Nq!9BJ IĒ*0I?Q玨z.m{.pW#]|_/; ^ e5Q+Dn~rJ*l'M:йWQʫ*뭪_k$z>b\Ta$L ^ܻ/ 3<͆^Ǝf5h%Vhn\^=\$uOr›\_Pг>v&ąw2b*\l€ygÇuʼ_K>,ȁs$؊Ţ-r+?D;)j ΃.5D:&%cgQ ˟?P45{Cٯd~YwwrC.?PLQ!L?LIqBX M. iܢ|x9tt/o `/[mƎXP5f@wO .{AFAN sN\+ 6!q!X5 $r21T+R98r0Mc$# xiYiv5v祯߆AE/t{C1bylHˑ/ ^#GÍ1(5)`z ^`KM"+19#XMY-5tL]h+ uԌ[Xp}'NFI˵vN*0=c&nD' xscf-U9r?@S[EZ =w!{h#` hNƞ쨈6Y>:me1IOp+u MM.(eWuE&c;_ͼj7ؿPu tV X${=?:;8g,d+5HS}mLV ã-Yjy6*0Q^9ruoFw>3\^>ʈ;U{ (#ctY.D ٴq{WDJfם0*Le՗ G2J.m_3_L}tFg,r)Xa*OMRw͉rw4s6E]4s:p7.`7X.S-z+%E@PL6 k!ETvJ)9xlnd(eP-ؘ=RC G wkv?Pڬ֒ s7DGSE4@ZߢCo@q:>Op9%Thp^Rj*m Q8o@k!F"{2Ip[=In *qZf}{L7W>X*G&*tO2ɍTbYވOV{"H(.8+?7Uk)I tp65!cK G_["U涒"3:Dozz5_6^] =Av#(ه|b=ȉ 5~?wO͘ւ(~J@P+j 겕J_ Y%9@Ckg\J~$U~ECVz],:qx)-FZW/;b3gc٭8ɌenދK|eʼaSV]l[=e/V~f-yּ:ϔAyvNГFsխ,$)ޠi&-[R&lYdGwy=nFH'ӸiVPG%bt!RJzE>eBp4Ǔ 2k:į)oQNنGY8, hqQu[ pCQۊx6dTY@*= }M"B$` נՊ MOb)QkAUi%_ܳs`Hj;u$+<;d$V&g@Z\3]3<@`#^` V𰩜e\lꡆ㚐":}GPT ~J͝ՓH<3#*A.iaAx ڮ|z[~0g_#+eQUI_Jj^S~DBʱP1izxrqٜCkCpn<bp|"۱8'' A4pc1NN$' >-NVu~@15nr=ĚCUxL5Đ`$SXvr[WZKjٍ28UX8N^)]?9y B KY2WFQ4Xdu5vE0V7(o,療0{q?S8E[ 1=)LpwlGȅxrj> emI1vI4~v%M[BћrF`c.8-fuA9N,|,Cirtu8gs`nu"c8P?]ߟy3Oej 5`H{ټ.4Ͽ4yy2whvg="X}6wSѝYirPĚ'ZY1"JS}Z|fPfbBn+U? -Twk@2欬 CׅnVptxJ<!wź7mȓ^9>aTqP f.a DZ(crRZPW~TİCPYa8V7v20p~rXl>BFN?l dvKf7g| -E~ՑD fu"rX!Zz+Lꋨ%xV׆a`X[0v}GK\ӐoÞ6 :\䭼2 !-YHw[ӽ]u=dj0liAvVd2T7+x!m0ϕ 4 |)oI 1ؐ?PjP SH*Ǵ?tlK`xMGyC i5`g>{/΍ qZe3y$ idrKN8.yϻB_M*ۣa9q~4]BOAϟMvMc9!3:nHw>Jb$}ƺQJ$A+.,ǫɝI#Nڃ%xyzT! ~oGj$R/ G3m~0~0Ti? ݈#s\ap)UvwBb%+X!K[|BbkGZȗ rI+bNcR8NbN5=޺-VN@9^P$.jHvWS%VX]^>.-#?9(ʫCAG go5Lԡ\gSakpŦ,ĂM$pw$V% U_d#&F'+: \4P1kӭ}'^vWFe(E}::ڙL~71hfZD -g8aC~)D,͌hέD\beLś&\v0x3I7gʙ*wd1e @'ӑHo(Q}5m6FinaM<#:\c>[R05!WI00F)Cr&?)[<|a&:Eٿv;p=M}F:n+U14KD89Qf _iReqA1_T&\"?RVO%XbO rAx"[Mz3Ó5%atI?*-6Z.t[doT yb$;Ep `:nnlmBn*bkX #r+/#Oǧ| Uob<+Uer<|O% .˽, A|p@έ"о#ړvn7Ħ`'s ?himWv Uظ kY`(v@f[Bј2 Dt O;nlYAZ^*Qn*Y*&zrUJ_ Y(4ATwGTQZ6W9aQCj*Q4u1ȯfU(= ;^'5(gkC%T/ C ^6yˋh3#RZtd70 4B N  8`;lu~wn6veRB^l|?O|imbMso̙(Dh_db0H1)+WD]2bEkʳ j7zL&7U5G0[?mz6xF曎q_B(u#AF=qOS2NПv`" ^~:`i&]gH|>qmĊXqbi?99[-aV=s9TJ^4;iv67F kے^Wm>4A/a㞉6rw7ʢ 3°D@ujAP*WgN.H Nf#pٰ"T!)Iٴ%xfb/.Fk!w"sMz}qm__XAօ׼_-UIu"iAQ4?HeOw&ʹ&ڰ  kuUkTV9"̥qw"JEuȣ](Z>1s/ڣ!S`Z`nࣻL7{)GxkL|o MTlޕtY$]u6 M.޶$7uo8Axz&HtysM#>*S~_+V*Xsb$Pw=?^I<4szLI08$,0- 865Op0LW]`Az `ntKOV@s}GVw:t#Cs :$p lhH|D--'W?m$-vޟDFVܲ0m3;n VS^@o'@H罼Ĕ/q?KU}keπ9M*bI6 "-e̷AwXdʎ u~X֚ܥx ZG$O^4EO=-zɭ3^t`I{?gnd3&gT^W7߼2<&4#8άJW6.Zz+Uus+oTHG\d  %gk$}9X`XQh`az*E+0α#8 AÝ*qeoZ_;f3k(1?j$poC1t'ڍZ=Hr!+=6rD-ZDHJzT }G6ՔRF|b3!Qs}U Xr 4g`*hWyщTw6l{6Q9ey'V-15JEL\շHܱ亰Js%NJWmu@sBQsNc]ِӹ$oU%zY=Ї k.:.,X+@0zVgv7씼CIj@DdxPӪf€W%,<JWWDz39Xbntu#Hܷʔ9[:/|~$q3Q"JYN05L5 i@$_ހ$/|n+q-\LuSUIb >.Yp2ê{D3h1oOIcoo+˅<Z2[ڽ$L(Ϯw@z~Y 5x_?~dWƿ~ݤ4Z &avm.q];eykLB4Qz\fwQm_p2ݴgco3YYɖ  &>G֡:-|`GS<dI^p捻`yg\4kZ ʒ2@z$ :<\a8@uEdxQ(eE -9ȇOH#te2lڪ z]Ւ:8@ w?i՟go)Ӽ< aT 1B}]Qs՛5ܟ5g@wA"FPyrz덡xN"{~)R)TNi8G~+_ŝ tVvD=eGϟ ݭ@ZL8u$|NhE3yֿrTayR?pH-AD+ Re#sN=B>GvDŽYt\( ^|ݷ i& Rt f<0PVD(wJk?w-Che+>sؐG%;Ld N[;s^nо͚u@uԽ[+ GFGe:RFݹ69j@:%]9 OҹͥrmNz? PIK:omH,&~v 䍵_6fy3&ف6A9J`>o}b:8_&j (SvX;GṘ.z+1k{EEy'S 鱸R+Lvt&V'vdO'R5ȶj}O`v\Ɵ|58_B; çS, .+\b#p{̩rvx=FrpX4,K;Rl"0Of:CId gHu#oăVpa,+b }JG:Y0!Vߥ*kI+8T-B&Vţ/Q[$q$ ARkS,Zm)=XMmx򭑄x\Jz#Xq).&$>^G_Sk쯨_ˠx rc%x*t{ktjItdy+ܝ=s.A& (׻{q7*~4QQ/*sm*a?p,N@s;iS?WQE7}BxGi U^Q0a˘^R{6\uYDɔ$&r p(o&b#oLRtʎ|=7n&u}+ZyJ!YvU9fO<%5N8v*( 7"aVؼ~ԎnrJNc-Yس#N1l s睛YugVUۤP{ 9ZͥXmqT6ݍd9|R:i\6ϝ1擢xqyI1 7q0tEQ{>r#@˹Yk VۗV%ԏGQ7H)Q 2e=:K6j n3eM:ux`, }Z1qH2* 8/e;{!_cuMukW.@}PİbJt{mK%R8d1F çdzNhj>#^3XCkgN,U fPyKUX}g,2*i @֣gR=iyd wH$=YjSK5H\3RnD.QVeJr1?fͯ1.C٬~;zS^g#bV;!D/u6?/VRYirܥ?p}(O[xFv仇Qc"_BR& > yR_{yF\NBp =_ =~2݁IP.׾y%)IJ\ycPL(1* Sf):P#sy1A2ϓwVR.b^ |tCmVz T:zq(}=ļ5=VzZc#LC :ȭռ[۳^"o\Djف :{H-WuuXyWDws~dE 0Mh3B5"l-fsépO2lKSĺ>7dZr^x2m*}|N Cq+#Gb܂8<dᘝ,=ToDQB{1TBY}C;tv0ȗ ֩]gp 6:kG\D)?|0 Lw=/gXӾp\/ >rxyb5ϊ?aɌ(/QMﰍ1֣WeR7߷\AH< u]"a vcXgn&TCz4p]%Y Q-/a JhGv[oDG OƼ7e7Օ~Z3Pmmv|/}8 dL'QY5XWC&D XknPh'Ⱥ}U';xƆ$YNm}\pNOt uAx CVFk$/5P|ԋx8"We.W|ڍ*DcSbjƳyUZHF::%19֞e{TzbSX?3%FHyAgQKe)@ |~߀Pok4TEtrR7NN,(ίD_]^H,=Ԛ9B)1*Y B"}D%ju׀VOt}.>XA-lǨi_!ڞ*s݊v:}((a +N=^}fr)݊opȅLxE{ cYBBfeEYut?X8C];˧?l `c( )!Ŋ*(YӋB®cф?RMaC vk/:{zr(;{7<:\RW1H\WFCW_ G!Hhqo>bvZdc-9/Cty p}A,664o)?Z qvŎ6^KYJ[5zg7g sP|=9zvS$A,-Z> 0\oa6mY]b&+>we< (~ 4L^Օ*q{ q+)6f%T ? |  V##Lxc;) M+&D(69 /sdsMsh[/ݙs[0Hг'bBa#[5+V׾f7P2:BMX|#[V,NE"IkFהc /S󦫏tE:7擲mJqX:sUR!4 U6w:]l>)0O$8>Jjnm?cvamD DCUk$չ#t#B9`(7?|~W5ms5KED(W^KegT43|3+.Ԝw`eOe9u{n8[w#8 xLcjk6Ik`/rgw#NB7F[3uAL2ˈڮRJwȊ>6Ƌw>$N8}Uc2JJ09'6?r1'\ P6J k˺]. L.s_@:>zγPվ̎+˥g]dKI;ju4`͗N# =CaqȺƫp'lKR[,,D\SG [kNge*;΃^YòNxvW8_> nğEu06*/E0&V˫VY]kJ^I)KjZ4%IH0G>Jg(]y=PM0zh)e2o9K}jb'T!x1.+Y@( }fI*V`AXwO`:\'9AԼX"rH@K0CgD >o]\qp,>r[>!~cɸw:V)~BE^;FřQEePI$ ]>ZDY?U»A@,WSxNf 6>{[|qQ6|*;Ib xWu~kx&E_{l6W;U|A%h¹x4zo; YJ'bKWVg[σ*@n$r/m3 4eE-mLUl&Xtϵ;W^B=ID"hv˗>(!,m9)lNs9.ұ-?';pLl~!; t`Ȥs[z%2Xw+x;ļs|o %lUq9*6W0+zV^sH0!*d\Vs7rRL6N˜h8B,6. 7ZAB@(-SztRojԂ<NŚmׁ%WjpJ[iXx[d^:V+˲GaXؔȭD|_BU0b֭Pv0]2O)4=?;GTr .=TC"A\wb١I 7{P3XDBD6jV[9\ 4ڛeF3bp0<;l_*(F`kBG rZ\ρg=2*}r=$N bs%E|4sS.h9{IZh}i\bdeO0%W$FImMF8䯙j&G-!xtagqa~yu,o  d,}w jw 9l e̼Ice'WF$]T.PoT3v37DsHhuq57~,RVJ!\*QhmYILdws7h+U^úZAx3MZݵHWSg$y^1 >Hg[uHG0^@k{SȾ_͟. ȕcRz49Q68RH@zUMjjZ DDU1q岉`UYl oKt )zVgq'ՁN@mϷ{IӝRR K h:4&,(aWħ_I{T84Ãqn$,=1r>w#J:#"mMd Y AL|U;gB{­t (g-c;<8=ר*_g@<ךō6@^c3]rR9Qfz55eҔF(Zj>CRjFk9y>襻 pu]MU6wZ'¿P),ЯNjai̧n",6ޜEߍ6r%;)l mCZ/˯c $.+(ѕ/6 upۤtVkb /g{`*ўMJڱ4W{Kٛ\4Ŏ)­"Bsz@+o#e- "!j= 1:ݭ:fm\'f$Y·&)n6b7ՃC%ztzʷQVm')"9?%&Hڈ0Ddɰ) Ǖ;CUفtaؒ>w %8Ϣ:2PAD()ӿ4+r>@pLt:>P\}}` 4+b~* d͜z͎֩t G*!mEU\#s^rZ~~põp,I2A-VEnP재?QUпmk@;2Y*.ʓlV|Y}bZOc:@tidN>fup0 ;Dixb3PPB}/ߐO'X=;'I$J,zSb ߴ)yZGƒKab Y,&^#9(%჻1iE!MDMF@*4~ϱ[ʶ1^"vV(Y`xY qN"'y#|RȦ7(X}nVOUQϋ7EgE2/1O&VdJ`%8Nju_t@e;@ayvxs_ 0`&tL/xi1 }űTEw[pfcd2ke}<:ƣAr"f/[}Ή^\0 ~cnUϱ}'Ip/J`w 3&*}"rKvBag,sxy"zuۘ^|xy_ =acGAwK9MTH2=GpT%/K* c(1kfHot_nWvi^ͮq fYnv 3Ow9J hVb$NXᕐm6K'jp/rssƱN'eYQmo;%ߙ}J{~"w}NIo=wMKx. 1T㜳 #E˱^v Rz'aj-Q3Taȁ3R  ]Z%]r+G3S!w bX&Ik `+7"/Iѓ7br#}rا$QKѬy^A<5_ItЖY: `󡝭v=L!/2ZbwVqeP͗C>co8H('7iVϱ >qqexV{yQ<}& 4NB -ZNTc;r=[fa GHp"{d.0A6?Su1̸9 3LwMB91%ykӨVn /Ģ4ՓyА4!R!A+ԊvYU]3= 5 vA"ۊ@bD}C;'ht,aG%,$C |4ybԷFu:酪~#ks6z斵`HmS ?IWO Ay<{[l}y@ja>0;*ː-ȻU:p},%KD ]>bu:ou[pxXܞf;#G \F.z]@b'Po:+ Ҙ P` D8<;CzCwTKcEgLk- Q\f3*18=~7L BM1lgߥϝ]Hd@P!{"wle`4r{)gSɱyd{߫Fɠ" ېV1aSauX/ږG 7Al\xpa(q!.krӕB\TT5{Xe>Ȇˈn?gx~F/tT9QYlI\&@Gtʟ6Ϻ[Y&a&"c>Gc |H*t)K`D1m"vrГkA+L5=Ex젾vqk2TVP#fR$&b 3l]_|]lySco΋ҊJh;rB5wZ^)`bO|%E+ ٕDdLbxD1[fQ\ˁMJ~Vxo/גFd3 g j~s~2u!WF/Ū05Y.l얥J߰bUcT!dO*r3 {ds& Qsr]Jfj]3G=u4i{0Pn|J pPRe9CCj6ea\لqur\#bK4%k8T~):9imX$N̨l)X3Qm.MFۘ@ɤvcҍIM91 k/41nuby,g{W]'5`|k?ϕoOwJE(g#'ɝFq +8KEǝTAFp!&_UWThL0s 2XdRdۮڵDXC0e܈ϳ\B>?ZϼU_(X;M㷮fҝ!>H-iC*2Y{WMnQ5rkf/|k@3ng絳g[)^Yjs͑!u ?TI5샲 "wzu3shIYГ lx@ٕXJi^ė˼K}x6ܕ./S pmMyD 'IKMS[Yg}Țe+ ]zIg2=b MnHⱊi͵ ʻfaf`3n$$Quaehx7P% ) *q_;+) VUocS=qlvmP-oMD Xة:nLfv8f9K[LML9!/K"Z7F:HU;z -́,F\_}ngPh(QŘi01dq?jC9J2}fUȢ(NG! [^?%8Clq)Ivl (ˤ gWUIvRF2tº#6LM`|d)6Ḙۘ7mMb>w#"ێ@?0>G&TpwSnݝ̍[Ő|P Ke-fYxECg7<>5*$#&*1WE" {Ŝ*"r)cj4]TFpZsͱ6F9O@M)j8&@D?30֒ .ҜPQo-JG*!dK˿G ։ϴArB%GN=41y* W⯝v\+@4rVjPHߗYw'"ދ.fo|*\Z 0f”{q/ sg =>bjԀيq=$'ry#y[F}_ cg\/3fS=|uOl1hp?.ᯗVtL^/a!CYȟMo X0Zthyg#9/> '1Pϕ!4< ycd&l%/7|=҈ݓ @롦P!NPؗ_XՏ!5c-"PGD A"bIDgUe]4D;GڪKtj ;Hqa|!f9}t{id 8k0z9hA5ձ8pkQaHh! fbeR;Sm?>Ϊ܎ {ޔJⰾ`Іm1]\pA[QL3\ lggˎ)/*5*<!">DVeUUD\h8b!a§gS':$Zfpw~e`!U|6fp[)uc߮ta2QQo_Yf=Η; Pr0ƾvɵ22i~XA Vk?xW?-//^D^[dim^V[D+xCWP<]"{ [ ^m]X/bK E-iw,g7,o‡0:fn @=,+`2Cdc~ ZeH_ dMcƆTT?ڸtن{U>yGw o@NU m UDqy9d*Lk#x}{|46P'?̀V(c̕ R&3rf? (S+}M8&3aRV9Jy\БlrdE7g.!0Iv Ztp5ghH8 ta8B7t!(ϬL=*Ӏ$&ϽT̡q'x&\4dO.R0#&IGX#&)}YY؜q^ \P=zr[0`/܆fG#lW`[\>SSt,>-R#bWA_ڷ\ymy!rH}fǏgᬔ&~3730MN1Y*y>43' [ EYzI' YT?V](D(y"kJEBgro{,Y2 >?g7~zL`Z?tK6Ocahu8`&b~.#zYHz]E(JAc.?H5-ѡ#uwk"1Rr'`3JLFŨb򫿡a*}_ v4 Rع@ k;JJJ2 2+`yy֮:'NYC3DH<|Y7wIgu<#̘:xVd*{[3b4/-ӄ* |ieΐ!Àe ;M9 ޢ?yUpӹT:pJ$)s-T>÷B+v\0eRy8Kt)غEauSBIb69]>Ή;< w|Y:=OshPݻꋒg,}~SqvҀ^`0Sz^)@9ήh]wPwXc6wܩzTDdƘ&R-Ksp.rYϼ$4v"Ig% q)zݓ"rCɞXg9!9ۈ&A{ 9)+YbZ;^6y8SN xUU/!&y`F4f {ϔ Mg+ay%@jW0PD3Y)5#wQd8?ՖjdVBvvskni?Qnt)%9nIqY9"=d,}qfc+v+sޭr"ŮN&$]wEw2 aqd@1Nh3ˋӱjPGNSu:'rhoo=Vg}{ܚLObHA"B .ҳV9JF/P^:DUPE£ˋlX =;R'5K9Қ#޿ij5$)^ 5bo@`3K #ϪLȟRVhoqz䈉[+kZ㻑ET]奙2PwY|G,6UM` ):ii]z>IG0`=%9ȏ/`:AH R6OCCN`&X+RNLV8e&zc[P0n'ӼdXsL0(jX Y-UYkc^WpFT(?ln< [)'? iuxQH-[ƧBʻ4hF yׁrڐ^l"''^^A;`C_I`=팭|JD<}3n|fG&2iIQ?թCX~0ZfFf˛E8,T<.-hHZq .BikM*VjMݰ]u%!V'Hluarp1ۻ4[ M}\X7(]Id 𜍄=ȭ0Dۏdt! fBx&E0 H/C~ !>?6w!hpp? P<`}Sa`*D=EضOY5>XX 9x~YWzsH>k; YvvnHZG.bkB9'$mZlAZoKP`P4*ooEʊX(!|{_ke\&&\b ^c=.阷_zۈ<%ތ6dmvvY%=vp]ci*R7<wwJpSy0P&?62o^#6zW}@Y 3ɔUϤ]e,ѰNF! ƗUb9k}ÿITjάT-vCs(spŕ}L“G=q1@ p8oYw(ȄFX"WV1! XH)(8g_~LAM>pjaڳ)oo( tȃ֎E+Wvjc<) NC!:67C\wg[(@ v0nQzaLVsA*6\޲C'|2{ 7wEcZXJNFrlʢx͟9|ϔS 2"(ɳ`[m|<ـ{Bl(.tDCA0?E(Q/RW5aG5n,@KACD' IemcISw(h_k,~ ^@\swtޜ .G@@5׆oȝ(Z^YlCe?.d[?Cc}s`؇sQ~o^ K-zD3O&DϏsĞwonk 9]ȪK ~Y6^}L$2sʸ@쏌@g006_,|k徱Kw㒓!D)~ ogqG y>5E;Jl%'zt,N[u}/eWE?E7@S谚Z)f>WSzgMAEmm~= Nbj8w|a̧2ԗk#J6~rU<4W*Ĝ] LoR?t2Z89+yltL%=3Vy!*mVU[[l1~XN"!g;ГVlcQNndK {/(a7XlOC87x+̎jVU l OwjodA+1-D*6 R{y ZpVRcӧvK7&kBgV)*PpH{%ALY]S8g lK̟nX>ES L"͂\ۛ2Qȝr7p3C+t.Y a0ίu- wJ4"]!BwDHk]k$Ik8YnrѾi2#RO5.:fjr \x5dTZ[A$"3/ "7Ro_DSGmvW`6PbPKCU`UpAoFLhO[WDH5(ݐ@ڢ?|}Y+L l/'<_T"9 @qIf_j{xj.;[Þ9EPvăAJnO Cin+L2}䞪'/4PKKj`%Ғ08S*#U$@f2%`q5V|jfL33h~B+ hR`}uݹԏi )Wfc:9f;4ZQ#)ď(Ͷ:za: +>q s]i1;&2ԲnePos'P9cVӗCf܅&P.:Yt^nJ&:E[)pq)έDQS8dHEK_ ??]CբߎVfʆ CcAUCIMsH+8 DDԘ\iϷ-q$ִVen'608G*h00A7R smlȅL J]v55iЈ_+,G#Wz? nKYmÀ,P&C4Z G*+įt+4)kAx$@gk05VGO7KOd겖+RBtUnr`6uPխpaImg]nR8>:@ޫ%K`(?PsnC}1m}(2NͣnL);']ԺӦσIZ &sCҽt sO-PSPh;)e7?M̗{uEsƜ5+- .F&Pү)VZN2{k_1]_}|tA0G'qX|(]W;KæEuS?Z^5!wuÕ <]~ n(&zA@ 9 PUK绍 1v̙ؼ}ɜJiaY>̔HDw捃~ J;(jq?I0aF x҂FJ_c[dxɊP{J r/m舣4Vر)0S"6D uuX2%21n/c>u9S &0,?| 3`}lz+ٟG=>>2 uk֊K(: _G kWr  xʼ*C'-Ԧ4e7RWƢe)paIG1GܵԥT_k{Z}hjý#u!L*38 "7?N0$qP KMYByoNv%6%gd%Bꘊ'Թe W{0BSx^(d\?ţg|rw9w'zdg&O i')JӇKuELt 5ip-}jtrEkw3?&ey>;:B;g0ĢHF&&a. 9ʮuy[HrEd(/D]E N|XN+Ƈ7S/ Pg1 µAlFA{*D`_zPX8.i:zl7`(xm4+uZy?E:=Ӡ`>3.8k?Dc݌J._鐔,ůA1@3ka]ȶ*{RB>沑{P.d8 Up.Q3l# `1Sn1uԩFvì7jVaHu,|#^'4~~ MQK5ыwYH Ki崊Kc'!lT-ytHPk5-[ ȷ;/]/Z4!y[.].v9y ҨnZghF" `vL]L뢸M(1uF10nB 1hWGa3iXU$%(_ɸ6Ce!6[/sQĠ(1H|b`m II+[%L]-Z }ZZ;[cv~?[j\gg)Fe;=S:Wֺ/4ot'%?Q?mk9ؒvj=YB *m۫LV:Vt[XFbEo4 4i<9Em΅J.6)6RK?דNݳt/Vb"O +Jy%KŒ-HDtnM Ye+VGbο\lV:xLK'T;JG }[ : '>tSղWZ=r**lji|yx(1mzf`o؄ӜA'H3D=JP\=5$r201Vi@/a310,4PQ.{®ȴ\yS0lMe@]u\/Iqm6z pxX$(\ &\uYnx`kgtx@ G\XEl4n;T ˉ(SYai-t؃{3sՐBd8^#~\ɧ%Nq$?m+:#mgZ3nlJM[>{t w H!s+m2 eq`=~P&ť~T6gpU !B#~c!TĐx @yI44pa:ӪؗjP83RܩS҃=tK( JKڃ.EKTxET E㎌A6jl"lJ-,LvyIf:w~ɈJfw5J2 ^9ah-ƜKTTz*n:+26kF.X3`^󌄽F_ORoi࿦GOe/]q):G;J~ dwjFwƱmxrqŤ/ TIyIJ$g.1Qx,"Eg.L)#$i%:nA{6 dzK2rw`4JJ.υ6Uɼۅ(v _ROiTΠQ$H{.0juKpj'_OՌkiUƹB浆R&<"V>YmY=fߎ[mEW'%E1+Sic {8dE+)5'O߲ dXzʐT=ΡZ\O( :K*Q}D؟iF]t^Z :BɻHB\ !,@dn^Hoh_!`ɣhdhB>BpTnbIW+iZi#m.[j.Q?+`۶;L`9zP~/^Xear)-R3.qH bC_;[!2D][dil{n QF?=W 1e`[78?WЏIٯ7|;(Z6}bV;{)T?6vˤ|׊`R*{|?i_tOf38 %Wny ,0*9PgW@k|LOCsuJ..AܛZz/n-33E_A܆!㞼rdNEê)KTJLWJ:+1٢Vܼ/JDb[pWr/T?VԗjNResJq'>)i,7×2%l.|-|uq9$VUB}ެ|]1Z@C%8ϗD8C9D\Kob&ZNڭ vyTrC+3#J,,9'uz1'8. O/мhMnG)Ds&+$ֺ[Um ;(O_!nHhl~Zšfnt,_i ihf8N}v O6$'LA5Ai*vtU@ZbUSbEH^E_vYL@NzGJFj]C QUqa};PX`NHL9C=&i|3~J|.?؇ҟZ[fvc+/ [Pt>UAنV\'q[u2OEa[ ӷVdj"bM9cFC裯av"hggS1*AC@$Z:6;ڛA)XX8Ba^(ƖTLlu%9d{-OեNhُ0vglH oEm,>ģ؁,]0|dt C|)Q3 zȲ>}8>oY |Ņ`71P͝\d8cĺ$Vǜyv~goA!eLLf{Uq빸յl|70ɒ7ڄ1thWu|b׭ʨr(ssiʿsƆy_Flץ7jP7 YH-B5yd#:ծ*0vԃlo EYj=!G>7ֆ6/+rmRg bQƪ=^ zф|fVAnR VPY [^Z\iN~6/h X}ԍw9YD1ENs(=N gvl^'[@f:7FK$/ATAK( |rBY:]'>GV9wpɩHOX-կFju4.=Ux+In  Gu/p=6Z(̧]L ȫ5ǪQS̷s:s58V ‚K )(׍3hq=80UeӤ&K5!OZ?v搨qۧ`.%=(Pq>fG#Rl~*:P>TN[1gq\ Sbe5Mq0pIni[,BDS3#.za@K:8Mmyv:Xqn]k[fCX?K=0l8t=]R/P[l{_e)FI&|4g0&x'F(&9 H3Z* E>5oWϩ58JP뛄@A%tB3aXEfM>^kdXp+4IDr?}sO2vHIYiBIM~3-FE1_1HO#<$ +vPFsoݣ!)ߎj%sY+<6>ݳuJ3z#?f0m[ҡ2V<d{?>MBFD?ex}Z/| ofع(4uU͝511qL'adW9XG? t RqUe^0R&e0 Ф(7pI fMq@s1aK}3Y4 ˊлӊ!;$`4i)xJ| kC þwz0t`;1"TxMBt]:]}xH} s~a\úQ ,kyMٮi]i [^c~JkvK%FlJe_[ 9 x>Ȁpސ2~zԗpC,Ƣ3@uO4cF>N d4ZG:fKC9d5dW^5]DYD7c= 'K]_8!Uij\«\t8_@**RYҖ(q1+E-Y~4K \pٜT[y;J}v 5 @Ơ ]{mXyIs ktSQV3RV{℆:{}$=AO'/>OȐC>F`Z5ʇywڭ#𔵛WXnKdnC6Pi-ov!IT=)Sktg6{'V꿮g !B%2 A:J*ùeUAk-)lp?^jZ8_y\λHZy0t#eawCxłBNzPǮ< L}tIWFԒc!"zgL0ïڴa&[T u#7;@˜qЏ$S;HrtLZ Gy#edf殩1[1l{)Xui%Z} ];>JF0xR|9ٔR'/vʻ9uLk(vݘcoɦr)QKızZOW[O%@H(yQӌe/4zT NJ;ՙ}KZō]%`jPZPI|ȆH@.”Øaߟc{g FWI7g. JQ}|imȆ@`Eh'Gf&h{\8S25[kydc$[RJ5k|'O^ E,ZPod3)RX/No XJ7xpfuX!ٗI~폷%0LY`B95|dr`q"H^q,|).)Ryܭ P;MCj$V0q}MQSxL׎hڀL8zP z4@% o˿>:sj7eyAenvAU(<`T\H16 u_kޔs[0OH%50); ;4T3b2k ֍r7qiƮ !KWXatc$)11-`6qjefD!^umd,,_ZET‘ n ^!MwC]0"~ ]\>-X-PTдU*xs'7C33&QG5GauOgJji229w\=.N !GE #UW!f47C\c6C )6A(!#ꗆNd۳ˑz2PW6̹fs}oz=a]֤5gu|Z<.K8=S~m=Y꠷1kOӎwtBLݟQ>X-z H֨)`eExIy;CFR?ݜni$L Ҳ,_ŵکԏ؛LwFőF_*B{rdOY̡tmDN&1kUA5gC ~@$H 4WYa"2Bu fz% 62V7VNsSuS {*Ѭӈ,[ U Q< ~قfۆ+ Wk_s,PS2?P׹я,fO\ Ǵ7LY$IZkx>+䫢Tuy9KE|@ECX" |IxԣoVBt"< A4t,Zd}D?ãWA2w]~8siAa4>y*`{LxlZ2g"[+ j@ 0m?# Lu `〧Pc\D-+2%*&h>6F)B5`oYy)f Z%c#|-v-Ef^8kg 1,:F&dPTg+GSZ*Q=mfJG\Gw[TZѧ _,xfhHɺ>- 0eph9bEk\ A<9HNEDG}FG9)9A_LIu>bm6q94e}ԹgxsxoĹ|b=&j!\碖2x"].ƖyNn$ºR)櫆M_ܢv[~5#$"4)Ju(Je>PK qv-%&xzz'0,.Jޒ±Rja*9:XhLt;@ .Qt[-;g6a :}q9ZBC)76%y搼cѲ#b5[ŪFv3܎iec.X ]% Le_zƜvK%Yt95}h9A=ctceyԲrE ]l0‹ pcm"ԁ7>B*4I=Ox '喕)VY\0gimY-A!\*f;h}bEAh߷ܶEQ#}fOaYGEZéPQ [k/]][lP! %lP\{)n$֬6)=G+2JOyJ`h5d܅`U-AsylMDMŲ[&|mn+[ x^W>P[Øxm x6Q{W!Y<f{6ԠP,U!u`\XI3'!FWBk~.dGa:‡8 μ2v1HAФ7dP̐I^CF`z64=I] YOe+Q5|3)E*ACGW]%DԤ6 ~gokBJ~xҕN49$]ccBpH]~N!:Iu 5֤ 1Ce\q o1v[؋1ri+a6^GI鋦;ݔ /B9e㎻u ITs Z*T$ 7AFxOkQ&tv+ŀ Wߞ{rz!G^R=K#7'$rh g\40]@-r;>R>!Dդ \⳶U<"'յfV6k8^l2*;y]XV|@ eMI %n܊qQF~?c}Ӏ)jhI%'_&/QSӦ{/œ ,ag&)nu'qF$6-\ pis8OB|%׃ ^ah]\iv|^9껱)j ,O,7Y<-{i3щ ڝC~3}͙O$)HDv0aH=&}_. )tMXǵ>;ŊU7-e&af0uOdRS|5ޚjف _B}ꊿd DnO^dyc!jKAWj2cr؇fnԡ~MuXZbϒn%蓽tc/U'Fe‘cÆɶ-Sӈ` /4[Ngdg:} S, B4F1w1v賹|ήxzwKXckuN5:Ą.@j<{mdYFxE pI~gƨT6E~y Uwlm9n,8]|k;rǩe^qoށH5D6gڂҀߡoN jI eI <ý 6jԬ!>!}5YX7obSSOi̗]Mn\N$>לD;hBVTSļbc *P]?أ)*njN NMi)UKXE?7_$YpˎY+޽t)~O=dVϒiW ~M6ȲYEqɪӭ83ǐٽÂO'JRfu=y'Aĵ >Ql8m-bDS00ǸZ"Zv$=td[W>ƥ"ћίZ% Aujh.D ".?:? }(I31K@^n^9Ik:IWWh}t/K>6nQ"|ErD֓@N@ GX:?v-l-/ wJ,Ų2 ҵ2 SƤ9. ]܃JxDˣ/HlfC9_:Z]EJ*å9X jJW9R&v5wmH.RjP%g%*G>ĕvWbu b%tM2qA-sm KkI3%*),m7iʨ-)JPn"y4 mo |J[CVCᯖ^h69@ C;w|P %‘3_699͝:_ [lSw&EYs~^z+RPT-S[EisFAYRd#~Cp?4rK ۩|~ѨrQ>^J@0J^TȨAq6&mӒ9>w{eO UE br7#*/dC) l0f'%%X | FIؑ@  )rDJ[o?*Oϗ|+6=*dޭf#ĚFUoNtNG=뎉y#te*R4!,Gv ^X; 0lP(\..D|ɐEu"/yQ u~L}iXx1%!b4d j~~S?Rgj ?M+\|yNt^A烣xD,%fhڀCu pec~y)צYh 1ZbjZ oqH^.i:[@k^G HE%; )sjQLR+\PA?]lCr|~`ݖkW/.P]x-/tfE1. "v!+2O0ReZ1҄=D5OϜj.?|0[STRu,79~Yi$}^GbA gdh5bW_P-|KN|Eʤ+ga/+*ûeЊݧ-"SY%ZioF:#zC;TCտOjl븿T2iX;,ABB>>֎'ɑގUa*]ep<R `ωд­պR(%@9@oy?[Ap:_;R{>kS5(qP׷썐D4,`% (Dڢ67.VOn D`nT]H%9;(1vw6oTfTɺYXn]mNm$0iK&$mMECnX pMW er8˓M xi4y0?>D z֜$]8v<-߽ ;}@<W&)t7`g\A0]B}9",)Sna&([ J4eaS;jQ}DqJn=RU`kip.$)iqj^JȂo/qke_f_cCzIjf2 -50"-9wE/ %|4X1EʐJcVR:.&E"dDiʑ:ll('DbR˅т}-|`*Ǖ]eBT Nְ` yYuqt7eaJE:mQq]x3 lsȋfq{FSlo[J f|"ND= VBΉ"ijm*mΣ`E:y1WE,cT Pi@2^ x@7 /QP#Sَԟک "Dec~F}G hT1LŎrtQ#65+ؼSY.ZaUمsζKu{ m ͙u2ح9 brhnO 6Et:SE]Q9Lrv[L(NwZBoy͜$}ʭ #RSB@,*4Xⴇ0.&wPS.ןHXd-=&L3@J6e:/)UK-5ZIg|"6@y/Fl>Ӂ(B N؎GAS^=Zv)zF92뺎Wx:,{j:a3R>&7ܲr큭5z+P~TBTga"WH+fd% !{ LBtKke`OU0OCP6_7w {۠'OEys~yoT/U_~''N3fFy4mu-M0CRFUDl fxID}Q3'dnXmխQxKD nM0ͳ1\ϳG#gc*|r$ ۞֯8c7'5$#MXc4@)Iޡ.bĶ-xߏWj%v'?=ta;_|~U0Rz)$ &")#1ɽbŕ; #3.%nC`W\Y2yNR8ʡ }4*ӛXޥ;)A'Q1bRϔ凋agts/+j͡gd} kQA^g7y)U5E#ʨW͊<80b+TQ}\QK1#`,|(l,-& :pUPΧ(zw$Ujfb@򰂕>嗷XV hf,Af fih_@%4U[$OlE*6olqq%ɩP6JUP>5cN(ډ5;Z3)33nKPFJGı_ \Q~Jf3,/\9.DڛWoaYiTcd'"&U"$'ED糕? G ~ =:e#`Jt%yɰ?/xIѩNX4 0K A8 u*af#uY*Iwp()UIqC: |Mqƾ~\_ Qx]NZϚTT4أhF=G6v~,< xX+\oYQq!\0W뷜>Lim͗L11|{i (k]&ՇlU63`ھ)6S:(,:ILTL+|('ëO/uUg<%=h J&;5![MI M[vg[ DPO`0?o-P<́^qHフLk"VXĆ h,z%NB >gc[ȘpKkUֳEris4^+R{Vc3jf-ܸp5qU8<~Y2O`aX;s &j%ZMK<.`?{|ߓF}Q} I aqjO|֮2%@@iDE7o%=EU5 sYGET +ƭ^kb[gbPIm.R+sMec6- ň3Aۜ(Ӗ!oIsb]k21w,Jؗ5P%/b65Y/x5 nY8+s`N&ti`@eYx8.aݑ0aKO^1UԒ.Of\i[wo—-9/2eͽewЇս2878Ջv?ִռITՖ'G?b1Ҋ>Z Njz%>w) J,c4Z.R\X w\eJLM.ŗH5Htzh/uDAK2L:/j{ۣwWLQKCMǃ3$ CNqoE<' PphƢ';כ>Ղv8(6 ɌCY m-x6Qg\x+oX5j!^ŬjM!~}@?5+Vi̽~"G֚=5_7b=Z?cmBoyu¿O/wK(![*_ :ma`,m&*s⩙} \sh4:rȽ5χC\TʓH71UigxbRE:ktE4F!)EkJ7%ZRCHFNͭI-ք6&&a*ZLn;!pZMO1|hՈ*_} =5z쥎'9B+{i+ߒU^Q]GD6v1frQdfUaV[[]Tap}6kfk\d9ZN \rmi^@(u,7"ߺ|'уSvܦkH`  y|x21V jt7?0 p8yJճ[ 1zV/-F8̀怴h]bK0r#"zzN qI !a A^~#S2m@6s7Vּ{U~hڒ )#+EBjaI@Gk kGhIi{5Ml2ݻC 9+-6 W(B{ VH$'./hޮ,RF V3x㑜zwG-Y|@Ҕ-{_0bvšnEd/ 6t1DŽ62c:q 5_rM=Ef5H'D Io ,߹ʤׁGa>f-(ZWT }"$Hԁ}ˑaKpk*gŦd0yq]3swvg1X殇6x . z5$(pHeub !J]IaB}7,ωarrYVWLxH-HH]phLCUoY=I⽸XeG';! &/WW .WqkRLilUJ^Ȫk@J(4?ê*1K`Ž8$b ? %BS/~<*}b]D JjNeԻg&VDQR}YQɪ"s$~^%E%'c$HS&,Zz N:0gGjoސ-{0q6)Kþ=?<8 [99>8]mc[!!CU2r]%dMr>g752+H-Pco$y_\+7<ŃmJrp%-~4x (&BkUgk5rU!hŝ}700Jw ;^87_jF^o>:]J5lBnxbkH c ֮z/Jp7U Q @c~$-adx'8Gf^߳e zYaD>q$e[hPᓡ΋O?s߲ Ϫ'_yǔU!ǂ/̆4+_L *qb$syuN Dj +/gm: ]^>ޯDZqyHph/"{蹢m A_b?>w]Nӭ>[*)zqj]0]\u'dj.]קXz)`ā;Z7*)7iFJx`9a42{, +aOը Ttߒ=>7LpDGE6 PjO4$Y&,|Ⱥ1 E KWޤKуIo[ǯ<58 (GO+=d&BmuvCNZE7W}cRQ Ғ"\WԻ&]O>9ffNz=a_4y9!,?["l韜K2O(Ywn e^yDEcƦPwaΊv\$&D>A $ 1TlLm~Ov-}f-Եä햟St@o(^ 4}s ;Δk!3nA@@ !m٪FitlB*(Ne,n̨ALSL>Puk%8?iR]LWx|a`-} OkP:u ,t@F{i.qR` w*x  nE6'bBy0|ԅ [JN$ܕh XaO@>QЁNݹ\n͚@b%#q 9-Kw5K?@`;;9z|qL )ބyXQ%TPǟM qATaF).Wyk0p3vYg5_O8 p" 0_oWm GTxibF/!OG#!XO^QVUiJ"js]y!b R#ޫ|Pq\so9$z9x9qs2tH -nUM0T٦L[.MRlȪ&_^8g?.H-tMLxΒ'1xgRmm>T*_-tRXYa%6!3 KpdezO},eؾ) EZV5bߊ]WHϚiW9.[Lxzy!/`,/Nk{Sqga2UUb' )HjK 2F t(1 jKw:)],>{ gl`[,:庥ῃW̘&hLflރjp_Kd`l ҈j;GA{AA,{X~rN,ZIu†z p;\{B{+9W2l=F*`)+f/IP9Έv6@wM }q;)1cKSR!Nd%No`hŏ[*pR=ŌY#yLc>.p3Bgscּ=;z|m1肔n7A/h¶a]:եS}Dw5eBtdݲr F(k A )E^u/"qYYڥZV:w^W*#LYI;PN$SX [.~/DaIG$[WL,_?8]x8Pgg/"}!h:@T;TV  #.$`sh:BJv -2¥C[a e>QZ̿^B2pgvI2?[ŪÁ3T{KFeAf3N©]m-.)3 "T:oU벋udřl1J dh$≍º^0)EKŠu3[,i;FfUPt[0}؄pLjHDӼXzRb˵\'~t #UrUMNwB ?Y'xK1>.1c?j;T=^~?,-5:@l_JfER^sX?~ 1u""{=εQʯ4Vu iʪLmAuQ»_9\Ff%&(,**<,isNreӧ G{[5 ;%'EwPdx[ Hzm۽Gd>=D1gO+'7v8VC)OqޖrJF?>5_=P]C_ |c@pn7/&rE G!M2'4e@l[>c3 ID VCKk&W{ym~B4r/d7&6pd,{kGa&| P.&k?Z/M+6mg# RQ&RIWFkP*pߧ)ڒs7;A!g|-138(iԬhvTl"2m AAq!5KqԑB3uC[1nK B$!7,QBu٪m2iWʐۭ?YL&t}΃ǜí),Th5_1"qoWl-n<vOC->`2o%mۺS!߻0qZ)FE(tL %&aׯinnB޸D#yv|Uzչ/Kg kH3'2)NX|*[!?SoA -k7_avK@]t$ RM%Ȑ$kVHlX'&݆7/߸S x&EN 8P^NRN|8Sq,Rݍ:$(* =&ei"ػF>nZ!Y#mqo b yn] D).?Va(NJBK%(D R‹%9[~bP x]imXt3tvA~﴾FGO #I}{i:M96?Xtֳ!rC[uZ\uF(O1ON_ҘhH tUʬTo', ¹JЭ[G qਰ.wʷRYf$V&"!.i_ݞ: ʽN 4f7yP+!Ak v7 n)%k*,*o0m9c)HfPwYsҩwث򯢫>py7PII<R3"̂dE!-FI0 \T7+ME1 u_bA؝lA=XD!Umz&\rzia"Y w Ѥ벂-]=~lrRQSz\JȽvag)|̮{gчf%kCX0P(O[NcO<\k[CE52FeїʓjOԬN5Q񫳍fS1r*& gx̪$!fpC.M0f.uLBE3&CIY+DUc\m~o@Z{Hֈbމrc0~-ynĻUE,s1"h9̹%%zri|f~]6Pߐ!k 0vӿ]+;dWkb MV7kEM\8%JA#dl`c)kz'̊)EA zIeY>.ۢ-$n]DzH*"330A*"'W[:p„e΁ Ԑdz,ҽIKh *Θ"WOŜnB,+h3TH-u;PP(T(xHN p 6pg9{li˝܈¼3ھP3oJ[c"ͭ *tςNFzsSobz u~[ͥEGawEO01C4MpVLH#kj>fշYpjNbU_<dί$ͧt6. F:6(Í*jvm.&ݙvk hד5 4a!C"{ߤ`j<?gp'~)95%_(+x7}z _#һ8 :&UM{,ȸ'2m/ru|'[ᨗ_xGG녫l s#yn 8WQp|n)3@yUݷ!mʬu*Ja;B ?ps3]?YC.$ީSƀУ'[ÁylDaPTIx4î8PR$KkAkdΎǍtw_<'jJq"<\_i#bw:GXni6煨Tu _Wr4g9bvt[h[F@NnjK~ lw­+LxZO~7Ui}K}V  ܃;l51"ZD>,YVZMs&?IJu7vPYxҕ*ƞg_*w<+:r٠%uL'_ f}Zt6(a>фy $H.?}+׎./5C؏>.DĈԉ[F+R!q~'ui*H}-igegRPd~'ZrL^Th *_7mܷ fEhb_(5@VQ'ݎlﹰ(bM4 3rvV{8f}?6k9_SF.~`n_@/x9Sv|z]gt#_?[c]nbVV.{G=7-%(X s]j-{)!k>=n,$>\4t &Tê AW[j'yG{+򲘽.ڒO/?-¶6H)I0+_jq•u+-c@jp8ރTs2ơ8&"7 ku3+CDB'h]uWMxl`Z!7AaOjxhRl*x3󏔸d+PP'&fV 1Q'LLymƑ҄d0!+t~bDH& FBơewe0,xp6N]o=6Y"2E߂ fjy:OYCj[*)lg9J" .`8[KA8xɛ]>2iU|R vRc7m/`"y@)JX.PQ(ptGS[|S&D`)K \W<0@,_xc՝;k/ГE $y 2 I0>)̒Nw/.rhu~]l{ G]EȪ/RQ媇R:g%d?+]B+ Qäփ6Il(2}*J#b|Q5Ld9 }L%N2:f#TߚS\C`bf$ʤ6PYBf/cteTu{pF)FD^O> % %OxR1٫_iCR6k@]ttmsf53-V*yON, w*뙵ɐNNōS>Jɩ^;CI̎0=L6Q{ DZ 7vzww_rWהh.e)?p[[K9_~{ѫ?̗ij~+Za"뎥Awޯ-k Q^,դoOms^B+>` h C!%MXZqo^a3H4aLˣ[sFç&joAdҍ5Vj+E3E<_tD}r\"DO„IZ N2ߛ,LO00qS=_a2K|tUN3Ƈo!\QYDS 4g{2=Gz))'];VPWBŚӣY6!Mg&)lch+={=NYߣe@B+ݏo-2> |Mpb Dǭ5|&L?p<sTke;'2ՓpIɸ}?ۡRo=5x<@Ϟ&CXG#OB) ƻGbOQB!㏛,5ip% J[\VΊ(k&1raRà-hEⳭCGgP[lVz<( a gH8٘ 6&~EA;MN[[ka5хIۺ?ВgaFEK +}odvgaţ'. & 5gC'"yCE46T$-+xo5%}5mZb,D׸P;odԑnCs14'Z;ӗ݆:3 „Z?t݂f<(0ji, Qrmό`@1'ể|bA4oomџiQ:h/#r^wv9SZ5w뤣E ڂhU È2[\"lE;EREƵN;]}&]ݵ4o(AAW 'Ҙ0f(DCZo#S4Ĝ:6ٟ,f>0(ê- ¿fZV"+b;; "R/nLy3OkaIՅd) _z\ZHXi* p7Ijzt=NFچK* U;W&3m?bVL֧Жc|HQ0F[#:2(S9Zs_L)<¹Hgf!؎,r#ӹ+po@J"wah^KKQ+ٜ`g7#y-xÒ"+ƙ-u .?bE\Z/~2ZjV0?ڞ\^Z9t#ո6{s@ۧ hc\۾!t4Kh5ndʧ^`!VYƅtU^Vi>p$O/82 (+!ʰ<+,JA@HG#AnXIblƆBZ>;WդGC.F@?{7i_IN&9c'y0^Qj眢/y]X6>~,clG6 Ř#qYfs"sЁq¡ 28|Ev5VmJ= גU˿ґpZc+f)(xR||R-ֱre')|pyl|5(kvD"g7NkA0E7dscU{Vtk9#`. W%R޴|EK@9AkЂRe:WOi۪JY]s&_72ǰj9M Xmq&kTfY&xlR(j #,|jNb׶A?w B] Blz"WL*y EwZРd߀rc.SԾr%_U7ud^K7Y*;O9'myT2k)' }H[&< :[ɛu\%=O_RdqfKEЛa'6)"n8^\ɁB ~ڥKBqbnYE9iv([<L@%)GHf?؅c*) M2e*y|>F1wd{Qozsz{0d4)I4m_Ǥ)zs[8ٺn5ߤ) JQ?{/S(u+V%d JbyIg3ѻ&xpBc\0)aAҜ{&ݖۣQTY>cGKz\ԫ&ߙV3phZ^7.N}@?hk?bFQ3`{s«C'viDҀBx贕C;m$ 굹S[c o?#j;EKarGhJma  s߾> \ Nt6xZ-W `ONwgE? TSh\/OG2iUd`\׆.^27[7BTyҚTZ!bHw ,I0 bV[碑n8ߠ037ߤ|D~OlN=@0[5. Vw@+έ1@>rI|<.ՎX{xk.^R\rQқ_b)36{􃑱"(|s3>6DU'\WHMB-.;Z-y\sJjUMhEwn@Sl + NqBPbrEzY:HVÅuU S[l9, O|vכwcS?CzKAl Jg{$śM$n ?sh ^sR=r?,ͫFNh .^qMpD/ 5XT]IMem@ G}kwbeȻ;I1lX1N}8Nw{rzSs kw=-VlzCsY.y5Zd3;yn>8E3,g+~[ubt1:&`yI'-. =U2F%Vqhڋ'k ? v P'c&l?jFq10+o'$$.JkeUw0"ת,+^/~_vq~UڻRGx]nwe(*iGq=%h cPt /A g:[,ub~:wV܄g 4.LMС8g%sAZ(FF {!rI=$ Iy"JD whyj=_ W Z.y=kB*PuNu]}ЊG!B4:ǻ6UNx³<"TX;J1Τ hM?a0;T!TxW΢6f2Ԓ Ue 7(CzG~Ŷgv wcECc);|A@]0i{MqUOԶ01ƒQKldzIA.iXB˃Æ~5h_f^Sp{m~  ;C=LQ{>5\̹Klfe.=>z"[7M@Ig Q[? ?^7AD.|BNMBCtפV)WEw] Y6G k0(G,gkY\<~l83 m:h1>'Yy\9AF2rqHr" tFH_5]3kFX4&M9xDXx):,ֱ~6ILAٚ9-a @dTiX գ0n[C7Nw2E }NyH5MQH*${%PFcc/ w9yGKbM Чgn!HUiI^WyD._2!=T9"I~,K|pzK w`qti_QP< ?M Zo&qks@`: ql%L*4گiɱJG#ӌnT2Iy1"]#ɜv:^ "{W+}_Գ=Z>9MX̹4TS&8؞ZO}z#O]B>{ 2)ܡJCb<}^~a[nЇnؘ=Tǒ5ŅhgH[OO݊.Pk'Oi^xx5FhKLz#y6lgL)R:CawX!xs:6`n$ѵNQ- K+6gpAaбayB!f 梓03oG/d7/w,ׇH2؟֜ mkxǡXSiRN庆FDC?\0$~-h^J]㎉8V. c]gαo%cQ]B?'Y'N[n|ˈW=WStyd'oT٦eoӜvaգ3qd0+<6!\7).46> THV #fs\dcj%\sQc5YGEbtFY!gZY/ENG&2gm$5~q#*iiӺik&o;@ޜԁ\e|Y0t2[#d-&>^tAi>)cqB$G]_JjQs)9ԬIԾ=wOc6]bJuvk3CigbEb8~"$pu&#wPR3$/-Mt)D+0>?gwUЊT41_ v]|e~8uya.0Kο`%CExyͻ\7faӛԜ5eGffȗ6(zSV,`.'vA&lxY!ih2)P]&DR#ackt'np0;iX ꯊd ot6&g%AՐR yx=NB)rؽ-D!0iBn 'ol#wݧ!Բ&Wȯ+#y2:TEB 1@,BJ<<^P^]w'W[oZ)S[WWd;XΧJhdߥwV|rixD-=$F `Ii2'Y>?-A*(E@ >^_Ȕ6h1fRD" e! Aw*,l16zXɰ} B(ab̸.A߹w?1]M }1O==hpܿŦ+ʻ9qLFKԘfqT5S\}{Epe"҆1Bb τ`w]s J&,. (HmO3Q#XNMTA1CU׋/_M=HEr$pJH_ާ@Fa_$e.򢞔p{Y|֦QWzFoE肃[揟Shn]V?bs@mB3@: })d@ 8y'J~>*6(( #L[ *~T рn? ,I9`cJ.a:6+ W.t4D)BŁa(*tTjaQͅ#-,)ֲѴ&y5d":h;Q8BEp8A2+ed4/F7a#*=GQ30B]\4Cv|hV͇] 8]Jc`;HqXV؈_p\Z8NgOCcp@?!&&Eʱ|]]]sbǵɩd+e3Z\le)'ݭTH&UW|(lw:Esu#)$Ky!I*gaCSRjN +)fcM$%*M6qq^?e>D4)B߱=B[mW!SLrBuMπ!v##odba)›>8MP: n'0)Gow8D1d齎" I^ Ud!M ;Xx`@91-2&}ܕ}Ek:”OدMQ٪TI;M?9GDk(3oGx/+Y^˂.VM]2F{5쪝%IWɪSo\@ɍx =4T6 }Ω\H@",r~mm y<@''>^^l$N 2 EG aܼ/% bڸ>DicI/U$DYӟToF>/d1^m.t#x)fʏ_.F}ʖdYJ7X-JP3!)|85!"kk^GP3\nr1ç4TA4f^W(8݋/)HQRn,"h~=ZV먜 rO(WyC ܎Q (2v:vSy۵=3N >'e./D ];iF lbzME%!Y;ldfwI噀"q߂)59~%^2gp5j%3DiE}c W†`jy_0޷Ejhk^񞲝_ EG-q5 |[FOAmR\]kEK^Q J B.dh׆[~؉+QtDaȻDs=/ 0(8Ǘr6 2 W5DJNzηbo|ra*9`/=9da[և&jwk9/H݃x؈칖Wʂj)Rv~ҬCB Bp#0%M-KrTWR& =(kE˔u0fY2#{\?8ѹUtt t댗JCȼ 3 RU K5hsR-kvbwYkN^Q7i&4#umj3ݔbG|mSݫU?f"SQ.&[=| Ki:IMl(q՜0ppibKlȝ_'AcD頺z]d78@@ǒT$lR>qvFHso36G_B|n ۶LJ<!6zgN7h'P$ :|>n4{JŭZoܼR:}qiXi<>.L* VIj KxsgCk{ z\ZCɼa7T6_ Bh<8rR]@ D$& R`1{k#{#.|jЧJfέZmU ߃#)g'G̻ kʆlw)>cZM/~nλ~:aDl^  ̍  WfU}R֜:0>3wtΰHk. |A]݇vj:*8i"`=Qг%X(y 8%]Cz88_t6oYC2D;:,XA>PW.BҺuj kcqf;rFM EZ<Li# PV瀼B7s&9&9y[\mIqhog9/0A%sph횃,oyrڻU"}3F.˘-0h{L.tf|(Rj?9V73Kwj}:ocd\ {ExN\%Xm-N)7Vž]Wg6nJ?`rș604_Rn1Z.n#d/oY~Dy ]6jw.Xk3^vU>98XUSICjo2kwN_3KJ+pasl a\bU6S(BnRFrN vET_.ϿVNiC.}$K5"PP E[ y~N$+L'\y(03^n>_bC ~\;&^:Z Nz D{ w^b@Z#AB ͊W2l\';mc櫽C,l2nJ,wёh/Bo1Z ]s ǜ^X\%* CC(+uq&p> HtLW5c:o^!laHF,ېtih#k" ,H1BNf>-c~${tH+szP2GFG<2%DKU#1A v/pez3Vw0\ʱ4w{APΣ-3W0&&k賗.& FBMvalBexD!(Pb|Ոzd O By ߄EUO&;v5GO3=kǺNFGt*ܼ0bq5(i G:㗥FC&6Ra], cMgݰ<ńMx>OdVw .m8Vv @@o bAAQcU /Gh4R$fڑTi tV~GQ++#*;=9QP,V^>k gz/s8B|L2%ף|IB7aبG$êH*V Խ#U9_on*䈴ֶC;-Y لҠ̳o5+žz!_4^<5)S 3vnвVҵhDv<}ڔߪCH D6u4!1~@op}6.l*MFғog}F&KCYGj[BtG>tJl4` @&cl Rƣ}ydh? 9@OH.)@C*ij^IF jX hl|6ݖ&ѺZ= |@Ѷ=*]VL`,  䶇>}Q8> iA;ߌ `͘𰿘|y@F<켤kyO^U~ ƪ.326]%,̩A>ӏUͩz=o[yPߞ87A=X2:gB)6kOY[tjp4 HidY22o>|J5O3S7ȹ{]^TKZ)xq5 {H`Cy0kPB_g(a+on[~6-\$F-ua `ӯl Zi Ga>ɢƿ53jTu'+,D2~9|z ~ARy 잠/QY~`R7uoF$8UܳJU),a_;0gS|IT+D^sLG0Fï{~XB^^#1 ]MkV%`>K?94ť=ʞK2;C"oV :u*ƯU[h-VPb rN/B-RٯY{Ǟk?zS8srS7ۚQ[7ACOi&W~@fh+5Q(S$JA쯅Ɏɣd@C*/{N.q5k*:R=%]sUB*B4s4ZtlG gwJ>FwIs2IrLI{R?x"'*pKiY=I?MKC߾U@zoGYoz,^"CRȗ:rbu]gg{x f&tbIvv=Z ȝQ#&uԕbF ~Zh7``IZC!/Ac{Ys\.h,`L%c 0V'xL&Pg7,Vpe-{Jh圗[6Y\#s9D870 ܂KЮleR|7ր& =m*M: Ҽ9ʏl|kB,$=X]4`-:Mfuȣ,3indּ-ԭQ5G%+Ǖ?.=xJn5#<%dQw*mJ0y*ͦѬyѭj$t>dfq2Ԯ0sƽ"pcnx˰_UMB䑀GGzp{r$ cG?!Ml.^QgD;mYq˓|^)ڠ<)Pj@9)Ke. PK \3%wkw`5ZoCQ'ڐNFg"N#cȃM3$GnY`5"MSb_)( !ZlmJn]?GπEؓ:KPny:eײ*L~ ۬dмu *._拏p7듾l-i_,}0 u`74$3[iִE|? g64<:r.tA8 WܔN /5@]9. H$p 9*݀D=A!E0͆54YvM&.B d*Vji[K ړgÇm3>Wp'[9g.P~o(էJ<2YRKOq^;g4Z\uGj+^v[u/\`yR2$՝Z?u$i+ h7b?W6kCmLRe+ڌ5ZFLoL@>f8\-=;p`;S}3al%CK*sٌ !xXLj axt 5|="D `I;p# ߂PtD<J!LװE'kY!Gۙmx3aJsa΁[\@OYϚ܋fZ {hVAGPdwpyVEݟ'HaVt?"C7e$';*(8TSiHTG*j(30lM4??缐8:}\JEOP?*Q"|D♴aKW~O2jv~8<T`3sjɬ󗅄"/,!r0fjṕ`T*W-%SiԹtnε,봊˹|]j\rU|Q} {og%3p֏ 3 6il*"W 6ܖ{u21@7SBٿY4s*=0]b-#Uy:k7;ޤ*+T'lYɣHomZ=ޥWxcc T ԣXNDC+3Iּe_OEt#5{J2#S!V7tg*D}xeAYB`m<[@1= nᇑr0KiwC_[ 忂E jf}5Bwl5X7h@X%YmQn|p:PCK#iOTQSx\SBWQ|@o;3bTWKG=+"+ K0.xIlsvQD}Kq !@HOUK^*!GXM"]=3c@_.1G=O4e1Y_H~Wce\ҩC&(1 a*UMt6Qi6uCܜ?m&K7PPK Nia1%4bǥ`ױ0r? DZ\99K[.yd!5CZ,eVc~Vg#I\3C~`s%!x)0UjѝqU#̴:gKGwL_f#+$)Hu,0)M{/W:=ai *[ƿeDN>!N;*Am&C t&9Z<9\DC6V<9qo2^vVylw4)Rh|(]>Bؑ'{1@V;F{&! #D"Vf.6xfȣ=韠 4+?8? L;/]:PYT+ѯR 8f<ہz}MIWNӽٌfiU8-P W IXK6}Bat}uBz#뽞UC"ồq< 7_l{:xpMa7su" fddZo TmZlxdQԷ@]L p2 [e8n+6^ʣ¹Dct>-OZ1۟(`n\uQ`+k)B@DXD_G p)5[惓Nê0Y>v"TC  ڌ%WŊZ EcYļcVhI+zd#IcleZ4kװ%:nto2>p/ bd疙+)/s8^ hS+IZh7~HZWWБ^n2`SMg3Ա)n[I r_p2WTjǥ9V6lkCͅL:`&r+K%@V}Hj:O4;ltlT \J>2"-{& (ym ڶ['@BzBA,pM _ʇ |^3PА%6[ےi' Nғf9ʀ921#?=/;7j%;%#Y 'icB$7kr\6.d0ڰ xQVuV ]UN xe弞/?ʠR:Ӽ{`Ud֝L˼lnj؈>6~iLS4ҎcM @sTo\dIy%x QB ˏMmy<: >bGSč t%[PqgP9pgv5 8V wwpJuYʞ{NukHe<4[AR۝b HK8XWBCU$c>'c}e[CsP߉LE󫍂G6}>N _f32<f\HNҙnUW d 6]Jp'_-c{gj|JX]=&y*!W6d njV;"H?P #WP8V7;ֈvej`61Z@#^<(55AĒ3G8GM97-bfoc+eJCTPfo §;{5O?ټ)Rne5)'Cںі)S߰GN8}Lw81%/[̹w^?p?a/%$d7gJȎ+Q24,޷ZoIB_:^OÙK `mQ[o|E6,{dl7i[TNhWP"r#5b{*圻lVy(J6Zq[ ڱl?O?Wdov1}Oq*_esA{8a /@Ovq"tM#Z,,EaqE3ߠ8zC1{f u6aiCeWB 8b,7tZOaLAUj#L$[!<h&$)0N[-F,i!${$#|{3`^Ovvi2zV8G'`|B#"|t@ـVӋ-iAŬj*ؒDx/@&_,7y.(tXSyRcKZ*H `gmBxJ|mK`gU ,=9pv7R5vV6``u 4H'Jfw'-z0BJǶA?4صJBRZYFѥ9+f.zQ5Jr( aSMH ʰY/|X#}tL6xdiv@l[ v,zn]F>}%.Q\8V8b̑gP%i(7ͤqO@4BcW9{aSC[uv*5R$&ٔpM 6IEPiYB]gtJT"_cu"+jž@̎[ؓܺN/]1L]ciU܈?nU;$,_5~ϿUDv3RT}4򑦤R]VII)Z`S#9\QO_1S' C?&#@939UBO 9W#ykƄ2gh)bKp 3ExIn=}Sk (h 8ZY갯w  h -FQ~fAƒQܹs+y' C(a=IGpj{L 'Xudܩ4$bz19d$b=k>$Y/K$A% QeM`cW $-tԣO9qGtXXQ#:M-ҨuNɐ07ʴ\_jOjNa::y~[svlI1?ip% ˏigKoNYYf9|ngg[6;m!Q0/||qs][3/az'[MI9xř0Ktw*֯` 'Z/P^KrZڟq:9{Rуٜ8͠"x $vy^QH-'X%MW45l>ClΜe ({j}TA&6QQ/݁*rԎkxy$L_p`Nj;q+BpPWOU9m!_v<嚧܅`VyO6 {iG^#;ބ|MX'DE& jsAHʄiqVRPENf9T0} l'ovTap!S =9XYeKEGK"9=. ;$Ơ/ PVg066XTcUbfEMZKJK5οp}Y THwiXDfAq)̫ [ p̉ >˵{Vdk? z6ӰyR = F*&$ EPD,ʩ홍ħd/_o6 ԑUeTtbʧW0br5^l/%d6+ TPk[s:֓tDMfX4DGM*Uܽ \\O<(4 &fj>rVq~@>w=ѯJ\|PYwY3Θ>0Bjn _ZΪ踗>l } fu<k^ﳮ&|2J1P=ߜ4U=,e4 _} sDB6yIlxsifFz|ķnM(M?qHިrYnF.}wP]05RfeC3%u-~/hGɃI*ޟ,fp$ 'aNhp*=h\n' \4HT;W;-OM M&gxv'XǺla*:PgX[gCKǴGٷ1'q 4\&37BN9.cG 4@6aXPէo Um9睩Ӹbʊ';Szoo)v.6=;cn}+a86k&,|j.%rBR=,VR\M_1x$$Ps|Ji,c':DHm-Q*{xaChI0(]H#`|I`{@ Nk8|&1el Rܰ!7wqe riA?L>n <)_}|"0FV'6,8b+#oCTZU.ܷ|!o9KXUz!nRL,7(IfZ_EU}_u!|0+ OYkc0[(+m5_],aJFOzSAj+a0&%3ᏦXy2C)SՋ|'9%d'pB^S`>=HPcK8i`Tq bGc5pl=|htC:fIwd t;5%3{x_*j̅OHbAzzhQI:7Q }!ېw0s2;0gބdLڀo7 >(7 ʩ@6Q.xn=h"YgùgYo\0qly/@ |KxT]N3.MY3q6JɃm%֨z35,up y7pa3Y_3vPI|qI$7akgf_VtMc!);/˼󗋟3=7?Q^y◞_Y ;~4Kc*p6j?~u V}< sLP5] zs̘Z/_0ygH *ɏ^<^r)U Ot{X7a8.?D0 \9c[k63bJl\|ZK!T+6\̭t OD[r7/q;%1VoX'#Ό4tCu}sU^\GI=!m5>mx DȚ A&kф=̮ 6- ߗMOm3Z2ޮ8Nh$5oc4*O1qE=O43\PC4w!:zH e$-[*jh,M9@?Ό /nZlӠ ŭ;f:4?ziW'$h.9NaB˿byI?3'RW 2E6:/hL/%羁+Rļh^k1&tqys9:[6s8S>Flm$*ByMף^cR? jT|%xyC}UXUV.̊ʬ 5cQ_>8,:~(h[sD.{jiс4O(>rV4OqJF ~k?Ch\kϛm/l hXfXJb'E^fEGEM^ &uF{<@E5n.KyqԚN1WbAaᵂYQGE'B5Ƿ[(?E"Q(RLJ =~"A?Wl{7f"Fbd:!G lۮ 좘|ہp(yi%X3Q'%eI{aYK}`= ⤪YYQ7芣!uJUy'LnpH f#naf&}Id܌Ԡ"r[ʑ}ȺT(W5r?lBEPvD Ģt{ 7i GA\-6LbhbS"qKȝKJ"rME9CoE|}5O~{1CDPުQԐ)g& }aO,ػ?VwEUz0Z).2hzgZc7}+q(쾟WfelCQeWYTc2pH`(?9Y}㞆8w(PǠBTOb-濩 tHݠSIm{1H]z!1Dq/Cq기X}!zaJCUөt@'Rl b*؜&cTR/z𥳐\(j9(Eg̛`l.I2 s=#q%Ul(q ÈMb$wYډ94.KKȗ]x!A蘌x<=)Z, S1/U8,EY_ndN[_4ȗs \ G6JʷY_H*)ŏ^wkw=Z\NEA1jTKuN?Ǹ :̪u]נ0ǞxR'755Ϲ@&H  OK%ɼS)y0Mj r2y.iU& skxa,Zy(HT2,xhXTLu(2Eem;x$JJw|~ww͑/FU9|,+ nF~j&6O4AnqS0T+D "uD|nLB K{858uCRAnՕUCˑC5(fW8oɪ0_ڒ%S!rS]cJ4~t2Os E)gW~ɫy pk~4buvDtu*5Rt|.@ZrĆQf4ؓpN|qO$yP ϳJ3TH,z8p Շ=W@ﰙ'u, Ljxș4Z^Y.Fc"K< oJ-ge|y;d sjd$p%m8r+7RYҎHDD1hhcƪ4=T˲[Z#K[~t]UrA+koE1iSx&'t:Sɞ#a)8ߔpqae2j92ByKNW21+M#Yݚ׻[ -n?hz@„COӣú' {u*@'nGykp|=,=f`3J莏O\[\A 6jw4VVI:<4 ;'MSwHOyk^NA+Y r$)ҤYtu9ZvikdSR= HT24(P&GPD$ 'P˹ ^Oa/j]$GK-d Z`>5ݤ)P7QGiPؙ;:]i"8~éFYb%f9-}W6ܳeSr՘hfZGyC7JoP ɰvv>~H@ :2V >[:tP,iEE}H{Yf:ԆF6/ q|O&ݯ w>\`B,#+p(-2t"Ͼ xͺ6,ENT{x?Q M'+pб2J}Rr:&"y >|h"\~GBl!!w$$ TXS2̙J=:ar!ΖbZ8.wW~v5=jgmdNj=,A )(镕W'FF0Im6irFP +3N&>aswAYFꎃ1Sfy>ni'n0׶ת<A[%͒.K* lz):q#rb{* ddr;CږM4+̤#U"۫2(%r /kc@-:& mY7a(( Vӟ]NOoIڠ;-"F,_Q_Ow񦎢ȋjY/G*56SrB9~!’!!'ȡI, nVHD2(ڼ!"FmOvW7uaثV5S{9z0-}co8 \8pPw8zC tYG|fYKNwၜK>w]bV7 -f+ኊafNҐ! b|!"h._4dl򞇣j|.14Bà2`UX`D*W/H/eMv `S֖o~Ɏ(w*C3Ij_Kx=kYdCY>t׫38N4iD (™$L,=J? ,iKښzu);)vbȯx:z#8졉07rE`Wu(_9\ʓ56z`,VΣ2ԫyJp0VյazMUeiAOD.b?A'd r lPmREq{cds>7 f3N2eg/TYQvXV$Á-V{~A O{KT?Հ.g/% vCtYP#Xk[!cFD:~u!bX_x{`2%fO5f(?l.R r5JB&.}$H(1ۈ寒a|5h_Tڒ?VC2-BWܛ%7 9[oYH0[ =_|;WEjzп4;0Ā!apo&me\Z d#3ɺ~G9+j>!lpy ! d[d>JKh98كKPՎIT`iE)D?Kyx f [*F6PF|eGvXk6Y_xsU8GEF!m#z6Iȱ[N[r#\n[" "|v-dyݽv4$Y Ŝ Zn]N?4 GʎVcuonM?F%H5Ԣ1$, >]UP[af3529ma7ЙrQ^[y]~i19(+>kiy(ᅥsjS^X6]/0sab7 Еt|ŞS텪xd@Bk3ܯښ)ܦZx"Q`(arGw{[*tm@-rԧZJ[E2JE['cޔYhW0P !0zA'YA%WV ɩr\|rqv#9y=8TmiY:ǻ|Ruf+ ʭ lALVCݔRv䊱-'%k }!#al[zmr2RYQ꬧T<]hJ#% jů!0xVs{ݹ L5;ns , y_[4c .+%k1{;ӽ2C+%5΍} t*gTMsqPz ڱ`䊿ieK@=VG'Nlo]erb`j463Háf{R^_m(rt5.s ȗQc"Ĺ!V8>!1j9,e.?}4FD K:DSOɴ3_@u|PTsOB7;&~U w]mSs~p EQIoSe^|'6a`fD~X.hR$) Vme0TV5pXG5QFbIk#E,F'Ie=sJ%\ȗlMS]wBMAWE0a Ta¾r; ]7$2=bp 5g_,J ws$ ^a<_s:oK؆H;[4rK wH$+MⶼI,mZ./h+Z Awn5\nAψ/ߗSbҥS-z,' [ZYmc7N2[ywDFt͊3+f~3h%9M r~т %π7lB_o1yf{;Og-*Ansnd~D^RF Ԯ!EN2TRݒ-w.Em<x**prdK—kt. :޷'}2W6: T4@off @塌L:u(-tz06z&P?ZTV . \poɛ9 3{Q$H`ǠLW>"0>#RPhd͟i6K$$4G |< H'?e8CCk<JWgy*ŪIPm{^_2 F%L%WdC~|9`\(Kjx߷ĉ)́zPۊlFq. Al=$6xm|6g9v: ;`՞ȳ9l#׊J9|Vz)2vS{84`{Tpvj;@MqxwWZ6smL_R(럐 ŭ@a +APzjs#\ㅝ@~VRy eBo ~|/{J{APe c)@y 31˖ERݮ,Osџ%񓨠ϫ+l5A31*g&4t=I%2C1pyBV=]i;0[£D:uwSh)_O0Bo'] /O:D{]\Z[:V +|V@)Tr.`*x uMmYC@M#Ω? ]'"C$tLGvڗqMQaigb@+\|~RMNMĭ9ϚH4nؑFrIsE_L*oIojf[I`)Ll>Yh! 1 F8:$f5i4f:d M l'Gޭy߁+]}MNAlbM[p`'hNŘXzv> yԘbjCj vy8N/ \22llaIsh o#k>?1۬,Ժ,C:E( z⏊UC:jyɰI`7_7|15$4["fL SôH!cϾfijoY47;<%~܊SQԺd5EP[>ԢK:siYPʓ$^!KڏZo:5}#f8j-mاJIlq^m %RkosNFL o\ٺ{zLE^٘l(EWf(RXgk4˦ Zˆ ܬhƻ zm>|M =L&`yw'CN%Ȼ_86S޺jBuYX]U45o5|6-!"( s7#x1 /?]%[Pk</q"CцhѬ*%.AJܠH *s=`9&%ֈ3Gs٢Ս׳`. 4{Wd0ZEڱ0"!ꢄ츸Pi3|H7GV`i$hC2@oϹ /DYUf 8KuZuLAO, %+W )Ȩ&_C8D7&&ڌwCOو[IpRaxzbJ3Jp)CBXKJZ8ҸϾss5NipYOkgԼ#`Cޤ5hb2[&VyX!7;䧆 l:ʯ6XE}d`b}[G\H-* AG7"jpxX91HCI=3L@ێSF}'|MQЦ.H 8obO4Vm9eNCD薠'g3S\_®֠[nh4VZ[LC%kY :ؚ5'J֠z?Dd~ɋ;c1Ikt"A(օum\Ui խJY4U@r5JW=T"x5m?OiKFvџcgA㊣?sb GNo9ml%C:L0iJ:`$9ыeRфoa/!&`GVj<.5xDAI0 TWC.?)ʫBw's׼%C tv[U|jGۊ"}nג@*%"^^y Ҕ BTp!?\Ւ8p!?[%91:.t`W/t &VZsEWb_G JF C{=A <_UzTmQ{W7*X#x>t-@1U/nk>@'e)gc3Hqtiu>D_G^xi<: u}J;dB3!M'Y̋.n>_`N}{-هJR\˜,Hv0jEXiyl+CS(B=!wtkMMRAAƝl)`[KZY{_ZIL3R,AIH([g |MAY+L)ΆCI`|b!wO2{=R[ykm>qGA3Bzbّɨ1c==.!U(hWy[Bs)z*H.1 ҹp%ՀS! ' %aa \o4qyl"H%1*Ajm2`.Htxרz xURv3۔bOCiئzSt|0,f3kpؿrpQ0x Zz$bhs̈́ìa,5_8]>߷_. b~B˥؁05ZyU@xߘ)$yU +MK7q^q SM [ MKڂd :|l!3e=)WX"Ȁ4Zd@DIAhj })&ԤjaO-'@=qW_=)22W7HLm)IF[ye!P(QЧ&x>@i':nU)I E:AmE<߆\rS\%1T:*b)D8D@Zr=MO2م#.Gd]pvf"J7@b 0tI {Hg0"Xqcj zw. b MP@8-5$rӆX d 7 +(nL-?`.!TCD6߇1([ #ͭLk06%;bNEH"l`э"n^>}*Tkw ed80> m_=ע % iy/ҁݏ*c췭)ӌ qӍe%I\zi[O,] @[[2X1 RhJȅ2LAQJRBnqm+]plXʮd%vahjǣd*ky0]nq0'˘6؇0湰ϩӎ@|@%iɭ+/|qk lfF0Uт'hS~rvQuZ0.btwj~9IqH'E4B̏E^v ڝP 1G"F6l=g^嗨`K.GFl1% Sn,?by}BH}^|}_DbHpp)a|}1{!&jTIb]|#2B}VD i+*\6LR{5b/f9r38aP?=UIOЩY7&dW"[Z>}.]\q?s7FX(KoE"JWa^yuVL8-/Qլ u-tpA'E|NނPˢ!h {E W.APOUjCZL tF|چڌvv΋kN kbM5?RPΉHT~szq#[h8&s wKqↃ7{0dBb]ٱJɄ;kbfyTݼ}J>.U| v8lzl'ktvQj'Lq |G0t6xK7asYke\We-de# JV /EH]vAw*-σXcdHЀbqk<8cַlݚ\9= )F:DSxXV~G-ǩ׬bG{;RpM╵AݪFQ^1PswxIV`Xh9R}_'saW{T"eOބ/΂zńٯJI2 ^IZso陏\)ɥ5qgF''9@+ɃLZ\^xU1Fq[EEqӘbXޅ>Wiٔ>cέr=| \=|ߡ74-;%uʇ` ,g))w&RaE*aN`F? $.ʈ dW۴g[nȑ˔^ru b?Rnt%$#}Vud '4oPPi?apoI%yقT MdW=X{zZsz I"#bhVl5YY fY@c+LZ8rJ0D(%mL$ԩvZԝxLH ̺T+ lxw9Юft#}BbޒBu2*9Blqt HLe<-fyΡ 36҇)SM /ȩf=R[5Lſr:hȖaA@BQ{\KGC9{\aoqso$[sb퍈y dUKLl:~B+k@Z DDXǍHO|Հ8geh{Roji{ɚƉgTjي8Z=u)UrGtGS0Rj{L\! #}PYӳk$.6<\DK,2X3EpgnS5]KzMQrہ>l^3mb%S3~r"~rPCfcž=:]3KX! =_ `QS[ȁ'ho\LUao 8(hOQ牞DtjdVܠ/V{uսyՒ@ywSS:A*}v JO0Air 0SvȚ`Trd5Nxԙެ/DDMD`7+l?/g;i - 4\>80ΎN\bVeCXn%Ѩf+b5~N1p@zb5wP\?̂kKUF6!P۾ʁ,ʞ`(0/ }"ܳ_5"Yimڟ,1'W8{ha$');cUt1Qϓ&Net-6έ0YP%:fbKX@LTzf~D:#=iyrdr~\PG!@9)y@NjZR s u Z~`]"!U J=Ai2*C! :9侎U^5Ǵu8f7LwWIZVii9{_<FCƾӾ6"|~UЛܤ˷"4}85 Ts69ĥ>wew9:~Rwe6kkk~ qDϵ2-[ֲe;c~]ү X; :@kF+sp(R|MGFtY ~KO!BYFC} vOnvOfAwDRuypꒂ5 `K !nTMY̾MrbxZ" c<,AF4O)M>g׆FB 4:ñ$im a2a̬usAҥ%ch_'7eJ@e~} b!k3v~k!}kTjUr_U\}[{Kjf(&Hpa%5'DI#bbҩ|ɘfiBeOas[ jbf̢Zwp AG'S+>@[ ѓx{-nj΍FѣK|Uhɚ%`Y1:ͮ\eT!%g(SbxǟhL0ͥKC!XRi9JNy7&1woOKEbQ2 -8@6HU!wc9Y-"Wst˜)AK-WE&[hD#*FgWF"}}ɌE^4-8s[%I%lș T%4p{c4]c@LG%ʴJTuJ̈́ ucSrNWz#nJiU,#Laۧjm;ՖQŠVӌ2@[FI0HHXmrp"X3weԿe z2 BX黇,|Ɲ9#5m&]̋r"]^is] +SymUIJk_"S2,KCKKnZ#q"sB÷u.\62htCǹʫȤ;u̻I2rF%b1QkUGB\LJ,ex7[MvꈩP,.MF.j97[>Oխ8C!RJQMk?)oopׯhiV_şۄ%B3UH~*]`LAbyC'aP_4^=yN1qrh)IuC-]{Ӿt.tҸZNݐ2͐❏(,Dh'(ӡledw9Q86esT Y^Rl$RV+DEgO6=XnATX'W( 0^ |V.M1R/j/dTB i}0Hҹ[/ !OEŃEXpDҩ8|> /5F^P1>H񕾕t5B.}5~eo}+5PZgREGIvّ*D[RU:D#<TsH8j{~Uk;Q#!Nw;9:P!{K,,$$T@}MWepڗRD4!hVQ UOtz(K|Zu튨{c={1Ȁb^ZޑD8XtJ͡3\I,Wb ٞ!/}G۪Ewc/?5D(}h⍙>ؙdNOГf+3S:xsyTs d*כq9*^2T 'S-gȪl 9LI;I_p du\7~Ĩz"m~XGsa۳K.,'֓[ u,uvUb( "{gK%B֭ uuL/jo.ǢP]?SםYTd_c k~3_!~x>UМ}R.(y$qoofte'2"gVűPUi6E)2<v-Z{3O/5_z  .F=(p4309wJ`w`ZElq +=k3~ka7.?<0J7흽`A+'8mH*;, \ڽ= ;ϙ~PoTKO>kKD٦g%8JE+q 2.#?8o&@m_"/^U"f-O VmݳHKxp No$x8kVA0P4FBCCv~ӿ~*bѫYhj=QIZ(5xn8jShm쨗K^F-'Venvɇ1DAYò\ϼTW:G,-dNNe] Nz ̧woMa^^%:& (5WJj}:@7|o 7NJh{T¼ =d!:q+l4#l mF+AʗkA[NWzbBjkch2n)sR qK⻤/V`y1-beĖ|"z\4-򲩾qОz%0=hEA%<]r00 Hٗ JdUjFίr8׳|' Cנ1q+ ; ~ўxxEB2Jww,Cf }[S:%|]힫I(l†%&fPѬʍ֣s9?|uCh-!Ӵ&Sh10i0N ~n-ھ+oxv4Lb21trXC $t|mY#JIah$/S?;N~VWc/ߩx!:oNlxǍG*/i7༕- 3ZY[AOT$ښrx|Hn8{/hE|-ʽ+9jE&dj38FqψBR}nvWrybSpVj󫌏C5;s$.I⎿*]h`owroWͼ%t9 ix||J/@eF^qs'6{ˎNe ~ḍ%9GtT81 G:Ж[3mB݇ Q xA̶ Wϛhpps  CPQ WQLLk' jDXZ͵w o;')3yŤRJM8:\ለjIS.C{_(aɚ\-Ro3̎(H3TtP-vkRsBnB%SuLfw[Ԛ@&̔J}:0LѾCrYkz#*VW޿qX:D .-N4l? eFX.M NԨ>e;ΖcH[0&Ӝvcvkԥ>P6xGEBCNA2R~yzI2(>_o }'빫_lPUHH OVyv ,`{}"@ME܅ng$A+cbO[,˄?JP䓙H>*@Q**=&Qv7 xҧ8Eoj?Iz}w,Qcb*%P7:>geLiƨdEsk_({G| sX{Y)/}UP!IOm頉l=`_+} ?$/ G'imBظգjw@2 ?M*p=$Xޭ%} i+0Z3L౩C=c#pjh-J&Z̋9pm禚QJ{n,BIG!\e20~ \#[[?oxJ ~) PUhR#1 վ} ,1z(0=9NF{k)) E22atQe 5-w6h|\z$M&5.Y4ySFmX e{ Z|3ZWG3<)h:i9r>/3M;,&("4"N@dX{{lO!Ѥ3(fj삍g?e:M͒NI %Ggc}?h'F_$G*Y#$\+XtYeP8a/l) K6c&wo7>5JB +PJhu~0FfpuJZ/%oѸ)7"Y31a#l\^X`(iE܄a7w%Pp&NJ)(UGPViA#IJ\`jVfTȚt) ^3>r5I\B_-= J1t-gʅCȱٽqkÙ'mT6-j?өD-47$ruGzr}S葐|`0?pz ^y4;` Ptme[M>iN_X 0v;WK\7(|L%x~/-x<G2!V:6`Y` nGߐ.j%& HL | l5ץdQQ`#ZZ*s!F ̓5a?C'ێL˄lrEt@# zϧc,sT7@ 7x\Ro`X@܅7kJf,lByJ~wB6UgF3 ȅtN-6b:}DLH L]fXp-$NXB-zK -dKs-9Eu켌xM'P4>{߄~S{?z> )"+ds@!0 ;BCՃR y)V38}p/$#L1"Ǜ:I@Gc& (dk%dw`;uV` {FL y(1Cy<DOJaQ81XQ!iZO'eSP%TjnRb[XX5dh_ ZI =Dm 498ԅ?kg.^JL4,s.L4xQSOlY†N3'd{~ߪ(-ɱuUtaq|ME8"@DDc3} >v_aiKhmZQR2=t;QmZ[5OwӺ}VStSJ%dcBFZ";aUO %ܗ,:0 pU Ͻ|Q0=fzvvߊ"M7m]QKBvXgpgƽ&N9Pg1W]ABE:OnX?!s\[&ȸJj(𕔨5|ʖa]bvVS:y7 kqQk 8?Luo!فȝGlgY47Df)?_3 +BQ sv&iZyeh`IѡA3c>֍iTe)4kW5~o O@'0sIS#En8bhP|eS>r0ʓXnhXdGTkXˎDۇ8D2` 9̬q*ƏDo~zyWU}#l# CfqO`h *L($qҠV@hL^-z,MɱOx27IpBļd`G,X-9&9~([ZưdWT5itSf_6j{*;ʆ4Yn@g'Z~U@?l0l-J9nk`j)0!c;5 wSTƫ8_/cGsx tKJLZish r*#i?R7cjd>;PC]'4O-Ab3JoZ9#[>@R3jA0 mz)/. Bqm#Th).65K脶 f#sCdYō&@/5݋v^Tn ǴeU\7win5 lpjΫ~0IkPG^rKX皧?{5mPGp#X33#᧖,TJgoFp4b60Sҏ(J1;PZgi%!% ~$"d匃枛?>I'R l$` 䫫ZxӋ<&|Z2w-}a=t7q{B|XA=XܟGP5J#B囁WY6,{"`gU@@7[dTQ y(^_?&~(A0 G)kRmtҜX2|TE~BUFu#icQ*}(Y ޲D,j8)K'.:r~iեAk6䑞XtZf&iҘd05e`.J^C1@I)h74t+}ZoV콊f?7lTj'ű>$]ӾP&~~ēѺQ>@_0E'E3Mfݮܼv%*֘+L X* tYDC5PaOVo2~;=hԄoAV1`Doϝ 1fT8Ɇ9$)=ϙVO(E.q aP9 C~)S_af7յA1 S >EvSoo,4VFe`cV"0 y p.*[RkL6? }д&RڦWy3ȣ\6e>:l-+oOA2H)2p<"" Q~qeǨ..9Ɂ,@1̣?Qpx&C}ٳ4Z{Jm 2Z*OLьMdB'r@ eιWV!ѷ0?M֦__]4 i0\a+K쿿KZ#_|1'`Ikfqw_:.؛1e6-٭ҺcU4l 4)q7xŵ0kT$JbTաirc0fSUj=&$>f2s+H3H@cp׽*hK'?&]RDݼ,ʎ}mL]^hRgؤ-=~FXt3舉_)x,0 lrEO/Mo708X$^O?{;tpGmԴM.?b`|X*yqB*&p.KZYE =pN93I:h)HKj hSO^zI[`-#~ +RKO†2"Bd (OyqS!91VU4S?3/oK6S jHP} vb-;/>0L&")< 8H-5x/7&Vl(B<8dtZWMHLje/6"~2S6.n@C S PclHA է;o>W0J}!k;XPLU`qunc\ VYdcE|\oc_nIwmK& \C1݀dWs޶F&AVsOh[Wto?4İΪN|Q1 FЦ@Ex:tGd=?$g3(^kr+Iwu׶>W]laxBյ8D5uy>@oWkҩsx0] 4b\Hv:rn&G7_n:]K70?o_ГHCͱ(g$ZήƷă_Օ_44gpoW\e1LdJ0CkKn\-f#mrI+Xd!ś8LJN*[qi j8(%4J#$/1v7 ўicb1>SGa/Ϥ(EU<U˜H^ >VFrdҼGtm׵ԵU9KUWɥYۚ))G2t, ^'ۑKp9nhcrx-v%KŦ<2bO~|LJ =T;9LKirVX$#h>cЂi3и:`{HLFn&ٔ7qhY:9Skw}X.i{F=nk4ÑNVX `!WB˜T. h?|>hG8H4%X4,tȊ=;.CUԥh~8?=i7zW3XSҬ`M2{uev*~ :'~{G@BǓG]&3 QY@T煽ý.`Sn9{!qXnژ*;nuaG:\@"/ޘq؊,3}Y>-B_Ӎг3ANoz㌂x/ :,ch0~f`kSQ|v{q iLwF IḤ;'{sJ]>դ0, T\Ykon)J'Z|(y@ L't{ Y'<* P_5.'OdcqR}ۆ7,gJB^%MN;n hF)Y0%34clZѬO%u*zZt8+Yg;/gzɅ_%A%jJӰ5-,w8õ @?nӿaݝC2!k8cw4d+TGyn u<~7UyŚ{^/lgĥ>LzmB-ampщJFh-e|̝G_a+⏈:p 0xeummnۉAF:bAmR$g:2 sy㞇7[usi7C5LJ< uqI1>Ȏxc(s;X,Z̏_L嬯mH*u:\,cb{"Hu:T:埪DTm3Dt8'&Bs32;Ez@- B_[݄K_у 泡"P R>DML̠bisJvP_|E,Jv9tPR: Di t18Hִōp <DpR}*3^BP1+OdY>r\b+~88'܃?s!Ʌc[g/Iַ .ߒ<崤.n1~] abnxweZCB lπ&'{bOa ű@PR𯰺)kFTTvLZeNfu%Ue~P"B *9r)p5B KrO@Ӆh.Aw_uO\Lkfƌ(Z??.Ztv9J=FXBKt.*7Ĩ(kDq{e݀yy47kYA=EkCê9뀊l~_s/X?s~v˒r`e<>V8Ugb^]))+%"=YgoG!4K!g/e NI'ɤ9sgI:0]R\wŐ7eE&:~9[V ӞG$;L'+TKԼ40ِ cz4LRdJVŝRr'_VRfᡠSs5W, i%UMտ&BDzWϛ-vkM)2rt]Oj̯AR [6`Ԙ.d^2^,_&uaJB2W9"&yl=QX\:9P01#vJSQt:\0܉s'M C+C5r. hW}񮏚hZ bC̥@&}3{yĘ0}y3)I9:_b άJ*.| [?Hi7xtFpg&+lnpՌ)s FN EirLg> /2an*^Jnt{yx 9k6•L{g퓚)0s2ml8PUatK|Vgij1! ClG8:'U3MoaZO(LT)=Qӕx?2iՂʯCwc*hs|u{HRgNfG_s9_ D9 {WFK2U084S(W!3^ ԗ?K3ؓƮBISr͐D>VS $pّcH1Kd(a}~.g\)@ c,$.hV,Y7JUK4Z*v5l%?[2)R/ M C&dC )ɿLBdv8G^] Rz8+yZ\u`qz?ȼB9N^$Ϳ  >.WH{ /҈$ | } O"C14ٺ%:+[2"!9'yIq(t9AP/;9Xm?F[9% /Jķw}.& ը ~Jy9|;En0O5wCvdsǿrTrPkp&ybQXEqy}AZ6=} 3@ҴKyҬ>hj ̟p#goѼJip3̈"CK4 ͋rv; xEFwRT_%4Qb lj Jz0ha]An۠ςOt)ZyՎIzPOVOmȮK9 p6  \;mp۴\0&)EEw)ekQaOim.;5m"Hk (ۣ:;͜AxCfp" Fc9^:C"s*TYt?4B_u+`t`#KQ8e*y4b:ͥHȝ~`<맞N@+ ou^kM<\4I:ܰF;[ʁxj9=?Vy!t:PTF Ze$tS>EDXkf M;FIhɇ缒+0ƑGD-t b3oQkۺf^fauɖpIͲ1KPZ:&(`Gm~w(@yTی0j%)?Rrfd@p|nSωzRVuΕM:8JS oeBG:oE67zᐉlJVxut5y\5.G+I 1i5t A6hҦ1k7GUIagX^o0^3-}f>PP)J@Fܢ .>hIgЖu.N]?1ƩbpîNvY.泷O~7U<$[ @7xZ\Kxؘ:" #43ޝEZi}6}_p [/޽<n[u$$aST&bđ $B*7nO9!  "<Yʪ{بizjFh+5" ɒ(Y!bJiL4h$(8NjA,-Pqaq.P"MNhAn:>ߑ7D(â,97^\m~]w ;ՏsifщuxScZtפk@_8H{ʹ׬}Jȳ} y[k<+ 3)a:O<2nGڂ/ya ;iLN%'hR" yq~vt@qVP[b{Vna2IDlcNr^ 8{jOƹ 8 v|A6LP""bHBǔmRV h%"'WMBvF3˸ޙ~/lཝ $\k.ex^ h'ayɕL(wFr#ýt|.1AN}AdwܤE៛C1ݲ➇܈tdm^cCP:58qP-Q, ]Kw\r<}!}=*NHr}P`9j׽Rj9"Cy& *>)9eSփp!N}Sl^/IšlbHl5&>cL:Ǝ>/ ZtEC}@ttN+QH _u&9zi9iؙhS,}dc@SuGU瀯ڲ,şUO (?IQ0e# eϨ<1W5kx4`;Yb^?F? f tU!7W ưZp$k$#aRt1xv? g2JcY:E$߽snkT(8lR(I&-g MgnHRX ^cWX%`sҶ[!ɗ] %.̵|= T%&L6kF8._%/5Âb~^{;7&V A`"R!# fXW%d_M[IKg4ښ/-Qx6QP:x.'QPITPDn>ۛcNP,ux`PKU֨:Y}.9FSBm޽M?`|Y&R]ȵec>Wj ệqUC4|84(=m2%Xwel% Xv~x~&o!4{l/Zp+$Ң}yٹ>Cc6 Q,^V:WK`/d2M*@jvdUbG5R"o|U$yK2[}9ehM USCԩNu.Dz_Q *B4K5< </6-# 6 @qV r0z9\[Sꈲȏz"")j:Z6x?q?¦;V Y~s)RF)GϹ#Am9q_y7B2ށQ<l)1݇|f", !' G2a7NYp&Y^]{L_tF+1EuL71+fXum I9.\HqG"UqYJr~׺!mǯaO3tE?HݖN_HH;J!J}.ԐÎWvKE xzTܨ,fUڶ<TE@5a 28vI(gTڊ32z3N/u -:!m}%MkTe0K"sQ7)p9k=S)MZg7ILȇv:v,"(4En.8Y_(kX ًR]}n 2_Ó:j\iM ΀g6͉FbܘdX 4_܃!d> yWgdEiM~1\ђ һ!splgS]VRCCf1h;_WŨ#J=1⥬4d\/@ {Q'"!+H>M!m6տJ嶸3yop^ٿWeCT0E,)=bYO+ipHktEN]kxmK$-j`DVv4퇔? %-W' [QbnrvK2=}-IȒwy(Cc7ytXIXr.cg-hy2{ ϰZ[B*9e,/{·!1V,s(Q^HpC ̾Y([RDOYXhͻIDžyz@ uKE+Ş5xneV65eY:U yp/P 'u:U@}K'ɭZ]}%8%|V-R4_NunG1!~LL=JfB|*G ]#D֧tu g_ѡ*A,b!)O$I q?xF@Dz0qBYKqO'd$m3@/d%Y8!zLx.-]ë$;* ߦMr@@[x˵$) B ԭؖh{E<$U`9un ʛqUAΜ]ӯc8hCx>7}X:tNRߍN`%c+興2L+o䶣.d#lLs_9YFGSԥGbFR*h$ilYr~u]t6;h.X[|˵ŕS "Fë!O\ӛKgk~Ѳ:ҞwJRMid;5 gTϔ7ץb#D6K6ӛ=JޮrA{6f{jͥr^LeTxnP)F5 It.? Fpt!4$\5H.gV$%Sn*<{G]>H #P詂 ZuH]a#xJj>3d u +]?Yݸb5FhAnAu"ω>g" o fFL[ny7dY:?*oqK@z'CgP(j89:WۭêW*3Nֵ@u$pq/ M/) #$3<9\~9)QB P 0 M N_!/Ǔ tukD9b[cT :1jޥdpG;P U\+ K % 0 /jZ!t<K.-6U#ҏ@8bV75B.zCQu Ų7PWH̩#3[c`$+҈~T`O%bhѮ:񰫛" H{̹"HmR}'=0W^ U~f¿~$_jVY˵!_aP%'7;¢`TуA.PTE•oF2̦L7 +b}gO >#)Dz D6|MK SNf~z_?F-E3g-WnA:ϚQ le_Vib]fY0m]~"P&-Y\T@Omi }yb[.ǫG9,l),O j@#(yLeo*3)D+)sQx*~~Q*fSOlz+bR+v*Cw;$g>a|zi&6uzuwH s`+漟 MJrjI$se'/]-C0eK7^u?(,OYaީ %)(}HT W;꞉㱅r#/X]d\)vVɕ_^2RLHQ"Sal@ M^m$` ]>3W;q\4UB"6LLl[FYKMjʭr'VFLc%D3wx0JWϒ=YJ+9[f أnXLQZg=EvRx 9E⠕+Ђ*bj9IGZyh"/_bB]%,fo;]0I`1 EZv;5#f(.FjE4)d,V0drgPBro @q=2 PAr0S+QbMT?.Q`T3'5Lxdp[98}Ns#x°QƏr\C{czrI>MnRƷ- 3sYbOr7Z]3eѮd"Z4T9O`{IoQᷚV04;|UvrR`fQW[k /g30HQU ־2 ytU;;BkֵzZ=a~wt9:A{r-]/. *WZXT7[,kǝ?HV ʦhIЍ^gNS!lb4F*63_>kdžw b l] mļH l{XBto߯QT;&=[/zYa##]ymG]FA"jg] H& tb҂G aO\%p~*gxHe97TNҋh#=drJQGeY|b(^m,)֞d_CZ6Nۖ#L=G!時ζZA;)rJe2hS3 `_mwL[}a4i\JWS{J|Zl9=L|2#.csc8-=h!(ng :>ԴJ 1|kח?{SS\_%yvJ 8Vy`/}ĉ>EutqNɍWVT3 {.ޔ=I-7wP~z'~ChK;QzȢ$V<\{d.W<.:Kh}u\4Ƨ. Qu>/+r?+N~.vŦ/ٞ>PⲎ[* PR~? >Pp;MEy`d.87Gqsy?4M|x?I:i$[">*&%FՇTu7kTmY HC0B]tr!==(iKN}oX0 )jUy!W!+G_ٯu+s=mSHs3"g,:x$HP-,[dN}kt 5Es_c2$Rt$Gl0p:yڛg#~Ԫ'6w|i>tP ^a6qG1qJf2[#+L#/'w# ؚTt}5f~Ѓ90gA1,BXmRG}j8,PRUEb "wSxT"#tNU $};|e_4cUP`,gw Ѕ)k6}4رX\Y)bCXaE|Ue&=irtuVUOˠ e*20w 9Cn+8eGafS;"xw(A:ڝQ`% W H]s79v(Kv6_QV[>JۣU7J=Xڢ.4hNRY܀ CX<'l%]'6OڟFlx1"4OefStj@ULؔBak!0)$* E:z"`,u~=͒я>J{%,'3JK4Ǽ#Y`hwŬHxU$;3#?LnXfaGkQ(w'R%9Pi>p=71ze1BwRvqI+`^uWohH]"kس+A~M(X2$6Gj)\DE/)r=*-5Cug0i}0 m%o:Px/DWQEYDgevT#冐͜f5'Vs'8QY]GD5î/򫾠802Dy{m η6hqrߓjd,oxSY|[7mgPt/r#ʶ/n8pŒŜIoYfEћ஑I=|D).tݐ.U־Ra@L??b<,J9¥蝶N`yK $уVa TzDO^lO?6?DrmhmvxsvnUywxܶ[)cyZR!2 5&%7s{;J |BR.a)Ȝut7LaMo{P|8>,?i}3¤H~9&&oѮ{_2 wV+4\TDN9soJu)-*O vX !BG5*&W+HQ =y)qgԩK])R+1Nh3Q_a\]L*lAsX3암͕T͂ebkx %fKdS=HH m~<,bS9k-STؤ*:#O*ϾȘ V2{oN* G߬SKiύյ5EժV;=b>z rlOy |cD/7eiewx]I5Ս:c5P0!^-[}5ZjNpT".J!kdN7j;)QeY'L1T{wd$(: .w}z)3$I?N5_"%xǞ6Q|D 2I7 P42j4r6-̠W)|MGq*Zd= @^hYZ]7oO_ZTJYx_ur̠B$ظ<|$eu؏)<y8h]xT6dwA3 B~IF[Q-md!HNELnnყ=(h<;n!Fojݣx\v(E c,64[7᫽@vt{'/R0[#jR*§'0Serħ9O\o c58q?E-.ԦyYD,b{Hnpv{5eo7|-'xӡ+cGB/&?%{FƤ[.]\QԓZB$.yGБ-x*S8YT*`8$?U#k9wY.ij3LD6)|Zrw:-OЅT5q5k󶽫轿o8 {HTzxL0վ+niBHr\oHEO$"</x4@ wy4M UjeU d=CayRy^ج˕BPJf+rP J!=g /DHo\`;E&QJ#dbA $n[ 1Ohٱ羶ix#>XziF|HIc1ՉCvpX#]]Gyn.JK*~ S*9bMdkw5WFrPESQؑv- Zb`V5|fI,tM?ۄ(WqLg8p.fIUs17Ro|c=yy $^0̊9fit*j~b'zdy aV2 byT.P>N,h2%@ʂy Y MЩ̜,D_ `5p,}a2L*^+Rmb:u5(lI46l̛S;|l~-(X4+i"B{![ql"hmJ`!o = *)5A*bR3hs|4$솁;?3 ꛱농bFX~&CA/"d[9xkXqTx&YQ}JPH8} A+o\\a$n$}K&iF#$,rOL<1泽J;Avw:wt!?Nhbڌn۹\/;+Ak=`5lٓ Ƽ9S'O;ura`dH_,LŕF=5ET'DWy["fP5Ԣ+i[0Urf wmkμn?23Ey>)pxtz t\q)5h*mLk*>D 92Ֆ- ,Na4)yΙ$2硉ywpJR?w3lpm: CSbmߒ~>L̾7< %s5aG$:ʺ-i-`PbE4!AwHO BYlCZ4~Ōl4t8CqLp13\T# A2 2S/>Y)Ͽ\!> fj3yi@̲Aq&W.} 3^@O ܤ w%0kt! psǨerϥ7A[:huջ!֯aP~۰@ixC:69(&Cdr>=9PDPEx58kA IuJжQK]`or{mNa'6jso7]=s_WhZ%Yq"nKP`tngªTW?݈Nf-4b_U':$@^&ӕ+a2Ko4 ۋLżHaA/Zn&Χ:4)cla-绥 ?`?Z`O>oB1d2=4e6<Vx5CVn#}wf'J?@ OdNpITjYճLqƬ<5TU 6kLH3EdV+y$bɒLFf"= ^pRh E21}g 7X=TB4UP-VG }0[tzI.2&7"Tƿ+5G2[9)g195%ZR}~GHin9&[m.16}U\1'R6<.trJ |ƊjI/ _B.s$WJBn s9#~:&) [N*xqH'&r V6Q;qP M`n݊)\=H,k~)!1:[fJDN\13}{`$m.y7!g3LԁV =|tPi!Jnk/MZ8H(Kғ)~![~;ӹ3u? SR)GfrPj$X8i3e0t-ӑ=msNW !?+j/5SYՂcYg' 8[FK%vMUmEӷX"" !e+b]/U˦|\7 7!7i;FB,; .`hki*raUU*fB 26DWW.ݮ/>shJS;ْ>j\^(\#=JGH\0t/ӂ8>]u(y5)Ib`܍DXTNR64Ib-÷1TE9+`~!"_!dA&hʂZMo%@Xߧ<'08u&8iW\)Bq_ :[twg7A_ES x}6wtl\Ӂ^ԝ˻D5Df'$Z|wɓb#Z'+W}ՃKFr#}i#n{-JtIQwUTǵO +~,%xyj,efl,,kh]E?=?Lke7| A"HuIaxSqQ[506io K_dQ;n\RάkLXUEpjs3sirh]+Wri10=f.DęQWB&7$,¼}Dм<!z(SrG^,$ޢK7~#H#$L LJx0? ؗ ,8wT\58@kNĄ왯 A>]s1DG" N (!DA T> 2Zi{OAo]cbО2$1y'3nk~+QYJ9P`yq. `|a|5. oAiy;)Y~d{Gʬ%RUR׿ӞK[_˜6 kH"^wjE j/.?e_h)$)Z)OȂYŌ` hq~5ɆNY?XƑ=J`ѹ J1:CET_Pqǧd@k1KɒN4X Ņٿ!%L*{5*8d-DGOf)e P_\m(ǥ4} I N :?ҭD63"-.7]; R'A%`;!=9&UOF3xu!vi.>g)Tؕz!PWt 'v`o:{'R;qDn+mO]ɧ웼0Cu|(Pϙ2VOSz['l! g}h#SX6~`ϚV) öCV,?k?!'>fZr7Ϸ; Ɣ< K,O'd1E #I&2&ڒ{DSEj"+5-Ġ23P緻e ^[Xգ"s<7( 3Q>H:]_ןϸ;CN4d8*1L`i/N `R"pK,R=8k0.CA2*e(q CwwYaiĂ)O֝U!1|@c]}N؉װkPw>fdã7|qxKSO}VrX3( /i;O|mxOR~t;P 4 ٱܼ3|̒7@S'`#_s&^ ɴf]xt7(?:sʚ, MB>tRθJNP@[~ 3ȳxe9SǯP̦6C*j~s;/D a% @MrpxN!_6 4/4y;D sp>$?\9)/G$| `bd |nUie^:&@=cH앓g|Pt"1O{S6vx@ /]Ih{:DI ,sqź Dо]c)8 J(Wj5#?P+bk=ql(_fv6Z)= $] eN_ oϼ³mho$.&Yr|\ m ngצP?)޹.t4LRQ} 3ʬف"ڈ88Ht m:.5TG&k󶄻 9O8 -&A|ETH s$c8%sp2f׼s"L ʐF 1rM<"g?Io_䋘O"NӨ[~."X%!.&pQL*Z$>_D׵Xj闆us_/H˂:R6j35JC}2N(RPmicܜz% JC B-)1lad1hi肨ިkx#kɓR{KpƍoUs#= m|ikݲ¤oO~wfò]<5[n)#ؗH\*WLײ}TNm4?#E(1UY(# E T^(njTsFqF(ȄJk,6~nFXь[3?V88tC-b$Oԓ6tCx ߜo,d.&@GnGHU`cm<0%ӝ;w6_1T_:.`KOq{x37 CS,aEN#(kjAF֝+}pd yAQŀ︴)Y2_'7i5 U)g3!=sB@:"d_` }&e?Q~cA7̰Ν/(JtJqKɝKZ&iaQ%q$2"՝cn6>2h(SI, 3L|WGup?z}\&r`m?-:2<u eV$hQQߋO-_!r읤̑85RڙKвދ"o Oy"z8wkQB2g#HO{YJN&$?BfELwB1a:IT:)j(7tH6UFb4Ã{iLn'F4'mPbX~2lϙK+嚰%W;y3@8Gu^D0rv2s>1vJ+"!Y?kgxA4 Bhgс\$D;EJ.=v""_L࿝_-P"nY >!^x5ELO{Q$FI!ޕ_h3gWnbg`ꆫH&}F?\ j,2zNR߉LƦw!§_^> Y%.l]+xbL{rN:hMBQp5etg 3X~ ^z7Arw0vBƝpJbHJߊerB+3dTpF1ֈ?(zf6 ^M%:8(!W00t^pv-ONPn-!]7,U&[j*DM]_m-A@7+鿸p6zrpoעMR0AO ]I|ވglJFemI_=>Gf Y|XQ9oh M;kU%. r e 威\)U#ʧ(4|Qq39 -$,9mfYDϭ%4{C/[n)D$zOAҍ@ԵVK5nbLin!ⰷU&/z5e'':Rnsƚ-V1jj5P]Ee + F EN߯ݒԳko }17Xvƫk;%WaA-]qw%w/(!MPb~ )-՜R; LdL@}%m뉝 %y! _iJpk6BdOݦ!~DEXbq[fʢs~U,!>6h\_Ռ-H4k>:#AU:y P4\x&u*8 A_ŻIdbq&[E(a-Wu.O/>hEUIZN5$.<^HC9h<~e=\ևsQNfaVKRa=PȨ-oz{s1_#ޝ4(R aso ~*)cY.4 9W_r][ @0㸊 N؛ܷ{e,;&lSee :me;7 lVRq͜RG=q ȼ賸C!J+zʑS?)5_i%0S[Y#+pyJĤwN = wIbn>}qEĝy?eS*7 +WWD6,lj칥LIƴbD‚h_,E/hZ$i?s48bK!fp⧜[ BLFGg)fS!ޏˢgU\kH`˂BqOP-p$`g]hDf?4~kmlAϖ3=:03-y7q~|EWt#H葛:&ٔI2%-c &v)W XBnc^1qlp{+Tw0Bh}^k7Gx1 )BU-e< xB+xV=Ѧ-"ïOH.Sc'~hIF~O!؍}sѫt9VCq#uD{w{OOȋI8"GOW,74eV!$i75bJ=DEkBp若 6~J$jN?YSJ9c雈8ND!|Gq@xj%&;#pp eY{[hIbl:ѡ=6װ·RɘV٫ /?L}#@2|xvPygcVj +sV{4 NEZL̻Uθӹ91KxμTQ7 |!p.R뫆%Ae鈎( ӏ9\"h@o(I~޿ 0'wb hi/!3ouN+^mlQ]o2 +Ng_@~h}q(!1vAP*y~j`b&[S dAgc5Ž`$ṞT=Jq]v&Vp[J]=q 6xGs%kV>s-|-j6X&Ǘ{63,jח.2ݿpf t!0<6R]FYfgǤ[һ)jHTy40!f@ѩZz!aLU_ OM=?3/<^0(.as3 H=wH[O;Ν EQF:%©?;E8\E?mY@U WOfݖ]mE,ZfXq/!riw˜\<.d0+:Lw֔ԝb"9ff ⯢E6žKR(meK~1xkPq2?"[D!OY2,I oFA>< rλ& ϾjȈ%A ;쉿[e~I 6Wܕ ^7IBcv} Ox3Xl?kOUѿtr( GV cC,r3. u!V1cQ֠G9  tg9{#(g`jg̏oFzt,'PbEk0ѵt-\p=dTmzn`H—Lr;Lac%U䨮aY~p6n+ ͈{G1lez;FkҼ@ߜe؁&|Ǘ N9\Wleo1/ڂl^[RT?`hck%NQDQǘE9w L~]@]ҳTYuFhw%-pBel׮G10+q$n5wB#|Z؟F~ a7ޞ%6ϖrvVҖ "kUl<&FRmvK)f6a.d&ZFS:&!Q?8tb di2/$(12%$o`Ux޸L1ߵfc v9q;(@(lisLHmlYO.fuL:c;O=$%n[9ha P@yaGdJ4Z-X N^j}z%k>F:'Swj{A]wWKIg[GM۸'ݠʼn%LlL~i 2^ռDdO$*5Va"d#f ,U ty9UMweڷe}jY9sK8gYǨϗ0ɹ(G΢,О9"Hkk+6 BC!5"xF vr%*4,-&7OC[8w4-{|D)48@k%rY%5;bs ~_=P|۶;z =U0_s붟W (-,?]+;nF܉|0aԸi򄉙b?G | =15Y>-],OG6|ė#2k~r2]5≰CZ)6&+*t8/6}H*MHSo7&:ʼEpM܍PE\DIC>Ȱ%t/o+ut]BqVYkfc$Q3aUF 7c./xT-7Jx?ҌI]i&W 俔6|tğ~6&i:YgF>.ky)Y: w+晠3]-Nhd!xzvacAw6&6F_z\a1tU20ߚY=6Y:v5_\*1߀029袵6ʯ["-,ł٦^'_z&c^UdW ` 1{ZzR-;n$4~AkhQC _3Q%nR}MFN7lٶ\f"S_IE9b 0O!>^{jUz!XFϼ_Jb/)1YC .B/ JJQ0͖,N?&Ud>2٨ ",~Z:` >g'ffVnïH,8M>"faiexzIc[Pn|K%N̋|(n 9"vТy6N/^wP3Bzr"EPp:thSK'Ώg+K O58 T^[8$ae'KdvHJ2ƛ2rl^+Ki2ݢDr*li=}Qa\µY뻲nH;Z- hDoІkm{G V}]C97&Lኼ [o0oiA}*Ej.v-;fXߓX>wdOy^?FQ%<gv;Sfc2俩Pg(nK~u]PlEy[ӱϭkRk$ʐfhT#?ڻ C))@p_ k_IㆍM-4t1H &uFR̰ӰjP {Ż!P_|1)*UN3 %~W?Qt(| z [x[skva_RE'VYR}X6s~!-ѣhHzKNUspoᬛ/4V34q |#@ 2Q S3xgf= esnr4n@,M:{=a1DN*uBQjL^P*lxG{.2Hs7ױ2,e<4n'8 :m">r풫ْԃywߥ0׀ 2hA,T{C |ಸMH3Ɏ:Ʒy#aA$Rب|W1&$gb`5} Û% %q əm.tQRy+J1OKTH]F͢S tPQ" "!UnHb쨁XHK^Hfs4o.N곁f|Putg x}Ne9M+FǪ=Q5|nϼ92gXݥ{+ގ(_.Q,hSN4I݁Oa^.MX̯MJ^uVf8&XQF.EC=HlO12id0?zÌ%774-KU2Ags5֬SB)i$YZDᙺK+[ќf@G^n/5d<>+.NYq. `0<#\0ێdMHu7xFRr༪1x*O cJ8]KU1\tiQ`sz \c-!HD6r7If-L%_>N y a˝;jITK\T+ خpW^nLx*R"HHZjC˚Hˆ]' Vm1 xt{;N ri|!1WY!fӯMsتӚ@I$jDTtؿ qgٜY\W.V~6kK&?t0Hq P/Ekywr׎-G5JJ/ &ld+e㢘/F [ƀ6i"Qug7f6{šZl}:>SC5 ynP8? 9+ ,=5;>fj&KwQ,d/_@v$adqoL-:=nXvrgՙ%661vGi[Mr!I tOi&!{ `A N$R/&Fԏe}I,p^z^`o$3}x|7KȎ @o) (Mo]q<2!sqSN3?_-Q&2r6ݵD%go# FX}/"2;s 8LBXs>ao+K׉gsC6;dPxzMe^b)QЊ~Z.6/a-=/lk))ݧlS4$[34bQ _lql7d٧!QhD?GԜ n}.$O/̂h2e?"^9.`:zť_U`s4y6>?5Xl Ogõ.<[9Bիj|'#S@ɋ*tu=|ݑ-Ц92oEa"[:5I=q]AʽK^FU #]N cw`}߅l:m WgsU?Ok$I烎nKYxU;% cAtԝR*TIęc9pyHA'  N Ѡ-r"&HZ Mf%52T6@^K/6mA`xE_8\+(osVOju3>#:c迮Jɳw:.y%Xx rb>rN(먅]~шvr yO3=_byR?J52+g^=r pYF"xTJ\f@W4JGCP}#$Mqa3S#ѫe[ /PeE} ߁'(mp;Ϛ^2Xjbtrҩ:Fɺ%La]pd 5JVƓt,# M!Ms~8`3Wd@6׋s9.UciP04_b*זu75J}tJھՃdN sMMz[jH6S|Z@b}J$G0K5WqdYJAo_{:j[t#4̼)>FֳY'N&!J1lV953U}=z" 0ZuBرd_A.VTE1&ed쫵߳ iats$JnBrtm;Yxۇ!!t4b5zZ \|ks*&1,?>A&}g.knƯ BdD0Y_I}xBj,t@#WE[:zLNjRd!8,4\ä5M-p9bן_Y;՞j܋t]|1TqNxe܈70"S1E30[﷩9 - о;c ^n~$oK? aNJ!𿳚اݪh՚%Bcn~' p tOϸ8J4;X&RÃ:}w@ EmC&;cNXik؞ݎHӶ)5PW1mG;_:!FEq )q;q0w!AK^M!FfU IH_&A#Z %da*U;R^;,X&ZO tjk[WxxKֱh+QŗS$SdFJTeg(bcaur)%@3. siH.b9EJJ֛o/q)ie+AU-Ƿb~,l!^j)H*̥Y)`t|ԼGy>G6 !3-9PQg@"E!$ MO$\[կ<,'W@s`9ϜL j2|Pp|ţnFޅhnYH.|*/Jyob 5_aoO"t1d1՝,k&lGU쇛A-aVW bd[-4ôDžh.KV5.rS.gda `9u9ԩM/U*6gw*\i8nk B3"]uD-Gk2h"|$jpOu"Ƴ94VEw'?Ki-E휼K$ 0ea$˄UeAa)yv6ZQ~|f/ `84 E(^u," )!+um;X&)x(OΛuCH'= iJ@hq?vYR:1ǢǘDӖT ,hr<9׷tPJb$ɘMw*G?\T߂+S\Ox0~M>jH;Xr+-( lWb uC0,hsXndG V,`t3`wP&WI.GbF$6oֆ[+34 U6Z[!1RXHP_vlNEOe~xa`aY7)nD|&jծ9,pcDՈwͲ7tDZQCXRsBďћ!CcjD_/XH `%j>Y-X˄YCM=A ?86!"}&/\lg`+E Ѥ}u\>5RL{ 9hstdƨf۷c T`J/Xqǥd{Y^]V5"̼&N+D_zTbx* :Ħ3(2Q)ΌQ:ȕ3^)+PfI_/(a15bA} n/Zdr.Cwe =518ppwzqлj'#UeC`eBAd=p\>:#:BQx O~"YG\MB]ogLEBZU=)J \G\ݔg-Pn"{,EH ,Ћ _F0x_H56؞ˆhg(KdZ-y\>r@P3JPO0uwM^Ouq .)g;HqpH[z$L%S &skNV2#d\#.Cr3c~^}csR]4a+}!b~B'`FR Yn6ߑw?=j%hNFw.^k~j(I'ƕyIQ6C2!YW1<Ꮵ[F=wI'|v%j!% [G+Tc5&/pd[!|䄟 W%qw%= 1OVӊWdj뎮I3-rϋaz%$:>#,g"h ¹h7u"׫$cv: 7+w('`Lp.oU' .fh(K60t>0]?sğ@|3  XƘY вCq5Y3$뤳.m'-z3qފG+yEݍ P'މN-vy,GB5w_=Kف>PPT %FBFYvD^'neNiֻMv>9vxvǯ $ L;\* ј3n 0 M[NP[ LYtR= mP;|oePV8<,W J&ilVI߇uk™%7 =ӯAnafVH'n~Vgk{+Z *@bZ2a>kB'[. jzA[5q/k*:xhP'ʩ4=REm-3p"3KriÑyp 1J _,"נ6 41 0:o$b2jxT(T2}iv7`BeR#u~pxeR AD)B ld \ñ8`5;Q!< b\ɌgFebܚe%nMBpŒfv^X)txÊ< c/:"~4n;+P~0Jc/e"PxwH5 ;f[j&}gڡGrhg'r6"˳soPD *X'6BK5o.K|th6UCÔ67: ڢjhÿTwbVss15U6C?8 6tq>.4MAzP 1l ֽCq.{Nc_Lq] 8CcIEÈ=Bc',Sܸ&mT2Y\ovqhVҜF9̽A/V箶H;)F cy @6'cGI I&I C 2?b_RtTHk8} {}taʸAu\RT bĚJ'ANn֝voIUW DLt=KD1.3gVBFhi7\KQ}Ē1I:v/}䘑0%1 O-`8t=^cp8F"FT$3KCږNJm3;dC?V8ZÚ"EogtŒ,-4+Ǎc[)A~>G/ST) QF֋.y@FfOQpAtc^b6M (G|)P0}woP&mIN^zEG֥P{H&, Q8illZư_{ vKZ<ʸnӮ[ 6ySMʬ-- 5(lϪOK<)wzXc`#G,"r ZjqMjFza,ta6;.8>,Eʓ&q)":GU`9# ?Sa#ܕ "n8 2lVE{yXTɈf5/lҙ̤'ߟrLRI;9PM9du`g%A>۫Q`ʣp(MzY&t:';u8k>QLO'JtwRZ S(jR*E9Zfs GÝ@) ފ^bJ8dO"9@;rEa[_: 6 gw2  f3pZaIQ0c.k!!23ԟ~aHvngL[jO_}Q(1o[TXwndNON q%&JPʔ??(Y󴺂k1FuO"~DcDB]ݺ&g@ֳ̲33Lr[(C9Y-AVqAL((},'E2ww;1E0 tW!VGH@9~!fLh#e"iQB}TSV<-Sۛ_ ,'Ң[)O]HJ'zƠONFSfTP+I+f=ZKtkuP*x3t.&4tq),u ։{Vy|5FL>s<-5Zg/5*yϣ$-ǃ0\ۥݜ7*WDvsrҢh68,b۳ |@+d/f\P'ᅯOvcok,8 s;7C"8]  ]d ^9gnA5iVLN~A?#JjTal-_tq)!H;3a}u,Lr$EP7^E[et֯Mg|wŮ+=2/ن<yũ+ju4Yu 5w:M#uH8Kݕ8.['Irs٣ ^츊,>'fZhz#:^@:,`PNC*Yk6tѧFA» 3oFvs}H 1섩U/@P_!ݯ<~ A=I.s.$C(#,.@g5*hVY ?DŽ=ӑlfei1%]suRN ,d`~0uwX33f.o5nZc> ,$]*s>`v#@axZADbHuF2!eܝI/q2P3dٹõՒ^/ -*)ЈOdJXH jm T6ʑRP%h4,~A2!D4=n2ڿJXƯjcAE8a4Ә &2d~o6IpY&"/᩶3ݨNOqrkMl2tT`E9D/ROO1S~iqh4^a\+ U 'sBP &g4C戺AR}MIB!0 h]CZq\k;0U]T,!+PeE[;%$3F<{:eUM>}I;~X&2bZ.F~&.poy)`ZɛsW4 pde_Ϡ4me$H{'4yJ5eGwbp"it^]_c󛥺R]wk@YRha&mÚ1UpΊPz %'Y!¦ 1[bǤW= 9^Hh{:s0pX [~V&+TO,Xc&NM,}6Yd{w8aqJv7WS>d>bOզm,{lDiRj!!{*|V!=J=:ZI_*o'bgC6ʔAvޟJi~1X ^lgjurU1/-2KN6#PR'_ނ.1iiG8)zxϑ]Iӡ1(m8|Um1*ۆvT?픬oe{C<1KDkSX$BŚm &`lc%sYoͩYk,ll 3$μ LH$f8Ӳ] r#4@Ե|N7Bb!%wO*(MFArSo"?U,='QK4ZcbAjJZlH̠`)?##u9qpu~45(RZFɩ{bU[;Nַ~]-$] h/6Q8ѓ=F^T,ť/b?f@ڶ̣'*8ʘ*!h;?!$zzƣfh4hdTExR= sd|[6<9\,}lD@2ϩǡYn- vTŸDp[E֧O9irYHz #*Uu]@4k[$E^%xULNՊ GѸQIUODHWݶō;Jl-X)6~>**%Dܚ7 @"hqƳ= O=.=do/d\Vp%֐L)w'i|~C߇fz'$XmٸɳUCRR=Zq88z~` drK>CE GJWO*"mb~L3 \|pںU.ydqZفy3<:5\-8@ ї /}!vWJJM LKJhneDs$b@I PocrI Ug P'ӢZXY!GũKIE#_]O $AB͑U}ӹ5ޱaEB7fю->2ˢe*Q$* T; H-0F+ub>1`Ym~C0oC%MCꠔ+@u w?ֿ#J_i/tC&VZmE]H$v3"(^wZhLhn8K7M+HѽujW-NȹV''R'3\XL+]աoި|-Ǜ) b 8O˲V[%]RtG?6ZWnrJ>BnVʭ=GWc9RC>b.֡H`$ d+(B2@pbDaCfBrlY!p0ȈF7sD58Bjnf )>Kst6(Pg5gm:yG2p\JcR HS8Gh5Cx?m#ٖW]A^IoGEo_@d5劔S̕Sy}~\Ȋ_W8.a2O (tiHR,Z5 D -;<,s+NCZe4 [2}IWHmЙ}}IG~09/oFgzșR*͛='KI҅}]-U'5j2?2 {x0 y@8JՂfx937bf_5BX`Gm9Vs>ݲT(e Q\:lBM% ~z.N\ftx6dbIIOfZI,+JFv^2~M%|zY ǯt7RE&|0)H|wW#}̽.ymk hS65IS`_*LpCIaP#cgӁXئ|Pb֥ cԢ^c 0ʐqKro ~%E6 2FX7;yc UveH*܅p(H [ }>ngʇ f¶栍E(@㎈.0)ŭ;& 7\jO>ڐp$O!||4I:ױ ɭb\.yw˹TӢc#ngEճ314JR_bs=_F`B]j!V Br ҷ$J[FTks%YI?BV+(j|xVԴVqf}m`Hl5n7!PitY0Uj}0t*`;߱ƗzKFRm,Zx _2W̕-J#w1,a a8MENjVAȊY۩K릅V}]&cp5~`!G^0>4^: ۴N 6yGp!q{w%ֿ23ؑ;,1_,̴fD$؂ GU/R讏r WICܮ[4g a5M=-'7%.&=ID ֡z|Vw)kv>"j7iQNxy^V=LVLՆ5.'k8m+o ze+>CH)|SC7X۵0$`È _p?X5kZeȫ}6g_0$ V=A\a~[3^~kHٳE" R/ey8\"J{-) %+@0ջ4E=;{Պ=^'_wI }Rp˚(J_Hɴn(I&U0+:L1}Q`Ek1!p/QtL t|"6#Xk7%k|8DObҝ(Y@}@rR/bj@2d-X<< ;]b%Ө^Gc)ht3&=MXH)(3u誛GhC[z{zVuLG"SMDijJ T2.r _cǚEHt i!|\ct´z= HD o{LYӱR8MY\~0YB iPi-"{#ѬQ+NGRm?jjd2˨I$ל 0Am5-,.TE}Kcre~풍כaF1m+[1kއ07=k)N˖#5f?DݢTܼTᣋ M%~)ٗjDs,`UzH*>/vMyقK*O6J[\"MZAf,v6/GlS("+1 l CmcVk9&z ;To c,W68ΤγFީ"H(ZhƚLNt< ei'5H&L&}A;TUZná{dpX{bܪ"\Ҟeʀ%/jgCzE- L/b-SBYiHq|ۢC!>?w{ I`I7C2j"^1hU ԮZ& $bOJ,OfvvCM[Gޠ1yЁT5Nuޕ9 :h"SFߘH/ԻUYi)6.kXi݂ᳺHsNw W'ؽ? ^Eck*uhK5H]Ŕdoek4`OE#;`F?7&a0 (FEw@;AW֪ϪAoö́V)8 ztbt0j~Q_ wFbȰ#R8 V8&P>os»,Z>`-ܟU>BWw6Dj ߱F~ޣF`#iFbBY{+!R+uDz^PNIP;.oBHZ!37 ((5ؤ/ƣ㼃4st nv7utV*ɖvyʦ" |oG6ghPN0FQv=h$a{&uҕH(x6|JNX|yGL1.) Bz#Ē0[of4y59k';'ӥ8li8za0U/>yuDu'xxe0)]v3+ao"<mF]V;$U&KaEn=ղVzR(r " axZ]KWEmWs~$%BHgA#?Z3"3JSV<3wǣԂt&մJ-Rx`+Rr(qʻǘySWAF>- s1n/DMΑZ f;NBeVd[ !mu )aE:ǻ< ̛N磎s 9/ح aOJ{\i Ĝc7Pqk Wx2`JFPy5z`LމȐC f1֘xz{{L4˿ N XD 7 ԯ߂]'NK.,@\X% M#8 }˘h?$rdz9A~ Q{ V0u~Z `TǍCL9cf. LlH. &(Ɵ{~K~ioݖ9m: xbhg X4m;}q^t-lL(*.8w=+_1 $UO"~p#d$^Ume vP7={i3>u/ž?5=sr1iQ֧mL}2:ũ 6 x"A0SqK1^{)1wΊU\čKDQ>4Jm¥8!7Z-\#TO&NZӒnGms lI: YZ