selinux-policy-20210716-150400.5.3.1 >  A dEp9|ݔjGΒ ^g.>-XDz^gܸF)o짬I`<pa~ qѨ\?L_ IfGLP:dI3/?{VRctpU27|G/;! ƻvA._2dYG,K'KaCmkN4@Y߫:j9nGt&E37/Q":Ժ:C=fae1272f19f2ecbbbdfaea6bc0d6128d8d4f193792123c0d15cc7ef381352a940d5a13206666f5cdf2373d5e2e5cf70ed1064d0fwdEp9| C< xk&M )nK%^2.S:rUsZg< ywH# ]߆e\VtR;{~˙^cY9'Yq$YaKL񼚆/9`]PtcM懶A%5<3OwW;Ћdu+@fh Zظ+Kƙ,.]&ٸ+5 tN作8Oht|ڧs,{t֣;*ЬwQYP`zZBcgp>pBR?Rd ' D6G ]oc(H X h  P Xx  @  p  A ( }8 ?9 ?:?>Nj@NrFNzGNHNINXNYN\O]O(^ObP*cPdQeQfQlQuQvQzQRR R{RRRRCselinux-policy20210716150400.5.3.1SELinux policy configurationSELinux Reference Policy. A complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies.dE0goat29bSUSE Linux Enterprise 15SUSE LLC GPL-2.0-or-laterhttps://www.suse.com/System/Managementhttps://github.com/fedora-selinux/selinux-policy.gitlinuxnoarchif [ ! -s /etc/selinux/config ]; then # new install, use old sysconfig file if that exists, # else create new one. if [ -f /etc/sysconfig/selinux-policy ]; then mv /etc/sysconfig/selinux-policy /etc/selinux/config else echo " # This file controls the state of SELinux on the system. # SELinux can be completly disabled with the \"selinux=0\" kernel # commandline option. # # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. SELINUX=permissive # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted " > /etc/selinux/config fi ln -sf ../selinux/config /etc/sysconfig/selinux-policy /usr/sbin/restorecon /etc/selinux/config 2> /dev/null || : fi [ -z "${TRANSACTIONAL_UPDATE}" -a -x /usr/bin/systemd-tmpfiles ] && /usr/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/selinux-policy.conf || : if [ $1 -eq 1 ]; then pam-config -a --selinux fi exit 0if [ $1 = 0 ]; then /usr/sbin/setenforce 0 2> /dev/null if [ -s /etc/selinux/config ]; then sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config fi fi exit 0=`FYA큤A큤AAdDdCdCdCdEdCdDdD,2ebe069ec6774859f1b7560c51f7492bba2de4debae704970cccb7a6f51f1d69dea195ebf93528d769ea3d2e1f4a8d72f77491e2fc2981ce913fa20bdf4389ec204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994Qrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootselinux-policy-20210716-150400.5.3.1.src.rpmconfig(selinux-policy)selinux-policy     /bin/sh/bin/sh/usr/bin/sha512sumconfig(selinux-policy)pam-configpam-configpolicycoreutilsrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)selinux-tools20210716-150400.5.3.13.13.0.4-14.6.0-14.0-15.2-14.14.3d@b@b?b~a\>@aUa(a'@a#aaj@`t`#@`E`ٹ`@`N@``@``}p`KW`Gc@`4@_=___@_Z@_P_N7_2@_*@_!d__ @^?@^|@^f/^M#@]M`@]'$\X)@[@[1ZZ/Z@Z@X,X,ŬUUU4@UU\w@T@T T@T7T7T^jsegitz@suse.comfilippo.bonazzi@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.comales.kedroutek@suse.comjsegitz@suse.comales.kedroutek@suse.comlnussel@suse.delnussel@suse.dejsegitz@suse.comgmbr3@opensuse.orgaplanas@suse.comjsegitz@suse.comlnussel@suse.delnussel@suse.dejsegitz@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.comales.kedroutek@suse.comjsegitz@suse.comkukuk@suse.comkukuk@suse.comjsegitz@suse.comkukuk@suse.comkukuk@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.comkukuk@suse.comkukuk@suse.comkukuk@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.dejsegitz@suse.dejsegitz@suse.dejsegitz@suse.dejsegitz@suse.dejsegitz@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.comrgoldwyn@suse.comjsegitz@suse.comrbrown@suse.comrbrown@suse.commwilck@suse.commwilck@suse.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comjsegitz@novell.comledest@gmail.com- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state directory doesn't exist on SUSE systems (bsc#1213593)- Update fix_systemd.patch to add udev_read_pid_files(systemd_gpt_generator_t) (bsc#1200814)- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for systemd_gpt_generator_t (bsc#1200911)- Added fix_hypervkvp.patch to fix issues with hyperv labeling (bsc#1193987)- Add init_watch_unallocated_ttys.patch to fix services with StandardOutput=tty (bsc#1187313)- Fix auditd service start with systemd hardening directives (bsc#1190918) * add fix_auditd.patch- fix rebootmgr does not trigger the reboot properly (boo#1189878) * fix managing /etc/rebootmgr.conf * allow rebootmgr_t to cope with systemd and dbus messaging- Properly label cockpit files - Allow wicked to communicate with network manager on DBUS (bsc#1188331)- Added policy module for rebootmgr (jsc#SMO-28)- Allow systemd-sysctl to read kernel specific sysctl.conf (fix_kernel_sysctl.patch, boo#1184804)- Fix quoting in postInstall macro- Update to version 20210716 - Remove interfaces for container module before building the package (bsc#1188184) - Updated * fix_init.patch * fix_systemd_watch.patch to adapt to upstream changes- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing here- Add tabrmd SELinux modules from upstream (bsc#1187925) https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux - Automatic spec-cleaner to fix ordering and misaligned spaces- Update to version 20210419 - Dropped fix_gift.patch, module was removed - Updated wicked.te to removed dropped interface - Refreshed: * fix_cockpit.patch * fix_hadoop.patch * fix_init.patch * fix_logging.patch * fix_logrotate.patch * fix_networkmanager.patch * fix_nscd.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. Added fix_systemd_watch.patch - own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install files there- allow cockpit socket to bind nodes (fix_cockpit.patch) - use %autosetup to get rid of endless patch lines- Updated fix_networkmanager.patch to allow NetworkManager to watch its configuration directories - Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)- Added Recommends for selinux-autorelabel (bsc#1181837) - Prevent libreoffice fonts from changing types on every relabel (bsc#1185265). Added fix_libraries.patch- Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch- Update to version 20210419 - Refreshed: * fix_dbus.patch * fix_hadoop.patch * fix_init.patch * fix_unprivuser.patch- Adjust fix_init.patch to allow systemd to do sd-listen on tcp socket [bsc#1183177]- Update to version 20210309 - Refreshed * fix_systemd.patch * fix_selinuxutil.patch * fix_iptables.patch * fix_init.patch * fix_logging.patch * fix_nscd.patch * fix_hadoop.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * fix_cron.patch * fix_usermanage.patch * fix_unprivuser.patch * fix_rpm.patch - Ensure that /usr/etc is labeled according to /etc rules- Update to version 20210223 - Change name of tar file to a more common schema to allow parallel installation of several source versions - Adjust fix_init.patch- Update to version 20210111 - Drop fix_policykit.patch (integrated upstream) - Adjust fix_iptables.patch - update container policy- Updated fix_corecommand.patch to set correct types for the OBS build tools- wicked.fc: add libexec directories - Update to version 20201029 - update container policy- Update to version 20201016 - Use python3 to build (fc_sort.c was replaced by fc_sort.py which uses python3) - Drop SELINUX=disabled, "selinux=0" kernel commandline option has to be used instead. New default is "permissive" [bsc#1176923].- Update to version 20200910. Refreshed * fix_authlogin.patch * fix_nagios.patch * fix_systemd.patch * fix_usermanage.patch - Delete suse_specific.patch, moved content into fix_selinuxutil.patch - Cleanup of booleans-* presets * Enabled user_rw_noexattrfile unconfined_chrome_sandbox_transition unconfined_mozilla_plugin_transition for the minimal policy * Disabled xserver_object_manager for the MLS policy * Disabled openvpn_enable_homedirs privoxy_connect_any selinuxuser_direct_dri_enabled selinuxuser_ping (aka user_ping) squid_connect_any telepathy_tcp_connect_generic_network_ports for the targeted policy Change your local config if you need them - Build HTML version of manpages for the -devel package- Drop BuildRequires for python, python-xml. It's not needed anymore- Drop fix_dbus.patch_orig, was included by accident - Drop segenxml_interpreter.patch, not used anymore- macros.selinux-policy: move rpm-state directory to /run and make sure it exists- Cleanup spec file and follow more closely Fedora - Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf - Move config to /etc/selinux/config and create during %post install to be compatible with upstream and documentation. - Add RPM macros for SELinux (macros.selinux-policy) - Install booleans.subs_dist - Remove unused macros - Sync make/install macros with Fedora spec file - Introduce sandbox sub-package- Add policycoreutils-devel as BuildRequires- Update to version 20200717. Refreshed * fix_fwupd.patch * fix_hadoop.patch * fix_init.patch * fix_irqbalance.patch * fix_logrotate.patch * fix_nagios.patch * fix_networkmanager.patch * fix_postfix.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unprivuser.patch * selinux-policy.spec - Added update.sh to make updating easier- Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access to accountsd dbus - New patch: * fix_nis.patch - Updated patches: * fix_postfix.patch: Transition is done in distribution specific script- Added module for wicked - New patches: * fix_authlogin.patch * fix_screen.patch * fix_unprivuser.patch * fix_rpm.patch * fix_apache.patch- Added module for rtorrent - Enable snapper module in minimum policy to reduce issues on BTRFS Updated fix_snapper.patch to prevent relabling of snapshot- New patches: * fix_accountsd.patch * fix_automount.patch * fix_colord.patch * fix_mcelog.patch * fix_sslh.patch * fix_nagios.patch * fix_openvpn.patch * fix_cron.patch * fix_usermanage.patch * fix_smartmon.patch * fix_geoclue.patch * suse_specific.patch Default systems should now work without selinuxuser_execmod - Removed xdm_entrypoint_pam.patch, necessary change is in fix_unconfineduser.patch - Enable SUSE specific settings again- Update to version 20200219 Refreshed fix_hadoop.patch Updated * fix_dbus.patch * fix_hadoop.patch * fix_nscd.patch * fix_xserver.patch Renamed postfix_paths.patch to fix_postfix.patch Added * fix_init.patch * fix_locallogin.patch * fix_policykit.patch * fix_iptables.patch * fix_irqbalance.patch * fix_ntp.patch * fix_fwupd.patch * fix_firewalld.patch * fix_logrotate.patch * fix_selinuxutil.patch * fix_corecommand.patch * fix_snapper.patch * fix_systemd.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * xdm_entrypoint_pam.patch - Removed modules minimum_temp_fixes and targeted_temp_fixes from the corresponding policies - Reduced default module list of minimum policy by removing apache inetd nis postfix mta modules - Adding/removing necessary pam config automatically - Minimum and targeted policy: Enable domain_can_mmap_files by default - Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and selinuxuser_execstack to have safe defaults- Moved back to fedora policy (20190802) - Removed spec file conditionals for old SELinux userland - Removed config.tgz - Removed patches: * label_sysconfig.selinux.patch * label_var_run_rsyslog.patch * suse_additions_obs.patch * suse_additions_sslh.patch * suse_modifications_apache.patch * suse_modifications_cron.patch * suse_modifications_getty.patch * suse_modifications_logging.patch * suse_modifications_ntp.patch * suse_modifications_usermanage.patch * suse_modifications_virt.patch * suse_modifications_xserver.patch * sysconfig_network_scripts.patch * segenxml_interpreter.patch - Added patches: * fix_djbdns.patch * fix_dbus.patch * fix_gift.patch * fix_java.patch * fix_hadoop.patch * fix_thunderbird.patch * postfix_paths.patch * fix_nscd.patch * fix_sysnetwork.patch * fix_logging.patch * fix_xserver.patch * fix_miscfiles.patch to fix problems with the coresponding modules - Added sedoctool.patch to prevent build failures - This also adds three modules: * packagekit.(te|if|fc) Basic (currently permissive) module for packagekit * minimum_temp_fixes.(te|if|fc) and * targeted_temp_fixes.(te|if|fc) both are currently necessary to get the systems to boot in enforcing mode. Most of them obviosly stem from mislabeled files, so this needs to be worked through and then removed eventually Also selinuxuser_execstack, selinuxuser_execmod and domain_can_mmap_files need to be enabled. Especially the first two are bad and should be removed ASAP- Update to refpolicy 20190609. New modules for stubby and several systemd updates, including initial support for systemd --user sessions. Refreshed * label_var_run_rsyslog.patch * suse_modifications_cron.patch * suse_modifications_logging.patch * suse_modifications_ntp.patch * suse_modifications_usermanage.patch * suse_modifications_xserver.patch * sysconfig_network_scripts.patch- Update to refpolicy 20190201. New modules for chromium, hostapd, and sigrok and minor fixes for existing modules. Refreshed suse_modifications_usermanage.patch- Change default state to disabled and disable SELinux after uninstallation of policy to prevent unbootable system (bsc#1108949, bsc#1109590)- Use refpolicy 20180701 as a base - Dropped patches * allow-local_login_t-read-shadow.patch * dont_use_xmllint_in_make_conf.patch * label_sysconfig.selinux-policy.patch * policy-rawhide-base.patch * policy-rawhide-contrib.patch * suse_modifications_authlogin.patch * suse_modifications_dbus.patch * suse_modifications_glusterfs.patch * suse_modifications_ipsec.patch * suse_modifications_passenger.patch * suse_modifications_policykit.patch * suse_modifications_postfix.patch * suse_modifications_rtkit.patch * suse_modifications_selinuxutil.patch * suse_modifications_ssh.patch * suse_modifications_staff.patch * suse_modifications_stapserver.patch * suse_modifications_systemd.patch * suse_modifications_unconfined.patch * suse_modifications_unconfineduser.patch * suse_modifications_unprivuser.patch * systemd-tmpfiles.patch * type_transition_contrib.patch * type_transition_file_class.patch * useradd-netlink_selinux_socket.patch * xconsole.patch Rebased the other patches to apply to refpolicy - Added segenxml_interpreter.patch to not use env in shebang - Added rpmlintrc to surpress duplicate file warnings- Add overlayfs as xattr capable (bsc#1073741) * add-overlayfs-as-xattr-capable.patch- Added * suse_modifications_glusterfs.patch * suse_modifications_passenger.patch * suse_modifications_stapserver.patch to modify module name to make the current tools happy- Repair erroneous changes introduced with %_fillupdir macro- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- POLCYVER depends both on the libsemanage/policycoreutils version and the kernel. The former is more important for us, kernel seems to have all necessary features in Leap 42.1 already. - Replaced = runtime dependencies on checkpolicy/policycoreutils with "=". 2.5 policy is not supposed to work with 2.3 tools, The runtime policy tools need to be same the policy was built with.- Changes required by policycoreutils update to 2.5 * lots of spec file content needs to be conditional on policycoreutils version. - Specific policycoreutils 2.5 related changes: * modules moved from /etc/selinux to /var/lib/selinux (https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration) * module path now includes includes priority. Users override default policies by setting higher priority. Thus installed policy modules can be fully verified by RPM. * Installed modules have a different format and path. Raw bzip2 doesn't suffice to create them any more, but we can process them all in a single semodule -i command. - Policy version depends on kernel / distro version * do not touch policy., rather fail if it's not created - Enabled building mls policy for Leap (not for SLES) - Other * Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils * Bug: (minimum) additional modules that need to be activated: postfix (required by apache), plymouthd (required by getty) * Cleanup: /etc -> %{sysconfdir} etc.- fixed missing role assignment in cron_unconfined_role- Updated suse_modifications_ipsec.patch, removed dontaudits for ipsec_mgmt_t and granted matching permissions- Added suse_modifications_ipsec.patch to grant additional privileges to ipsec_mgmt_t- Minor changes for CC evaluation. Allow reading of /dev/random and ipc_lock for dbus and dhcp- Transition from unconfined user to cron admin type - Allow systemd_timedated_t to talk to unconfined dbus for minimal policy (bsc#932826) - Allow hostnamectl to set the hostname (bsc#933764)- Removed ability of staff_t and user_t to use svirt. Will reenable this later on with a policy upgrade Added suse_modifications_staff.patch- Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage in make conf. This currently breaks manual builds. - Added BuildRequires for libxml2-tools to enable xmllint checks once the issue mentioned above is solved- adjusted suse_modifications_ntp to match SUSE chroot paths- Added * suse_additions_obs.patch to allow local builds by OBS * suse_additions_sslh.patch to confine sslh - Added suse_modifications_cron.patch to adjust crontabs contexts - Modified suse_modifications_postfix.patch to match SUSE paths - Modified suse_modifications_ssh.patch to bring boolean sshd_forward_ports back - Modified * suse_modifications_dbus.patch * suse_modifications_unprivuser.patch * suse_modifications_xserver.patch to allow users to be confined - Added * suse_modifications_apache.patch * suse_modifications_ntp.patch and modified * suse_modifications_xserver.patch to fix labels on startup scripts used by systemd - Removed unused and incorrect interface dev_create_all_dev_nodes from systemd-tmpfiles.patch - Removed BuildRequire for selinux-policy-devel- Major cleanup of the spec file- removed suse_minimal_cc.patch and splitted them into * suse_modifications_dbus.patch * suse_modifications_policykit.patch * suse_modifications_postfix.patch * suse_modifications_rtkit.patch * suse_modifications_unconfined.patch * suse_modifications_systemd.patch * suse_modifications_unconfineduser.patch * suse_modifications_selinuxutil.patch * suse_modifications_logging.patch * suse_modifications_getty.patch * suse_modifications_authlogin.patch * suse_modifications_xserver.patch * suse_modifications_ssh.patch * suse_modifications_usermanage.patch - Added suse_modifications_virt.patch to enable svirt on s390x- fix bashism in post script/bin/sh/bin/shgoat29 169209169620210716-150400.5.3.120210716-150400.5.3.1selinuxconfigmacros.selinux-policyselinux-policy.confselinux-policyCOPYINGselinuxpackages/etc//etc/selinux//usr/lib/rpm/macros.d//usr/lib/tmpfiles.d//usr/share/doc/packages//usr/share/doc/packages/selinux-policy//usr/share//usr/share/selinux/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:30253/SUSE_SLE-15-SP4_Update_Products_Micro53_Update/af66a8593b70fc75a3fcc2c6e9ecc1de-selinux-policy.SUSE_SLE-15-SP4_Update_Products_Micro53_Updatecpioxz5noarch-suse-linuxdirectoryemptyUTF-8 Unicode textASCII textSQZ8!4Bgauditcontainer-selinuxpolicycoreutils-python-utilspython3-policycoreutilsselinux-autorelabelselinux-toolsutf-8fd624c1d3f5d23a69da50702c0c3cfa934ee0d00c3bc020e08241fa01508e9b3?7zXZ !t/go ] crt:bLL Z6|ԬsFvjJ7zz˄ҐkQ&/ ,jS^ϝVox9SbeAڑfSMq ɭ/EgHkv=^Wa*#U}tH4IǬvd ՘{?:)Dӻw& ])J,>c<bP oE2*_g]Ih)񑥗͉ x6>p/%R4}j$zcK#Tk!Z1ڥ\Y\'AҬв!tn-σvUs v b*˥;ɂhsDqOffx̓c1kO)DlXusPۋ|FMGFUY#͙ieY)MArV<y0?/}t/DmSpQ4k^;~A[n!#U$uM'rd*3s k\jg3JМvʡYf4I}t ^R ]x_T#KpUzcq`?$d[)ƙ#^kNfF! t=SbZԆԊq2VD崊lff3}$kFS*<@`YYUDP9,237U6Wa{7r;~)RJD7f3iPYDZM$2!?D mph/xm9hA4kȯ43\10F&E&tVA6"ZXV:ԵrK$^0Ֆȱ$&-frƣIO"c2CK Y&/BtO5x>H ]:>ԎɄ6P#I̳4;WJ0{˱[cVx,Rsֲ:X-(Hr8D/E)Ɛ,dQ9][ a4UjҤRSЯ 3V  1;DLM (Y!tT &]49z;顳$g_\#>6\0QZQs-pL1 P eɴg/*rFJ4ʴ4Ax JTl%@u'L /nZ;BQ6Xy 1hQjJFj ో,88GsL$$TGFIԹ"uj9e~pl ;8?Զ،Ё jQܚuUgO|r#m#"lj 3T0Y(pAL`B\Ubsy5kw ڷV,~TCvR Ë\< u Gi?>ý`&=fzwyjԤ}B jJ/ƴjܯBGZɃzgSwoĴ 8t8lFB.߂Msi¼B§}K1Jx6DS< Io7WV/i5sk0"pP1MK ͂D 9h6QY'J^:~-#=p$ [.=FmuKDL* B{xsZMe:lM#nJ%Osľ8f?)Fq%=| Jr SgW'm,\!b5*2 E.".#2^ y-QYkUJSW\\2NO'>dt[#g[=cdOmnt2[CU,xvRqvPҖtrc3eB5i /9*TʗoI5[\pҏU?: `,G^ %$#q2Xʮ.QF$vnd>l8F@O1ӆs(jrp*i/x.7&aМʾpVWօ.SƁ)u?l+݇WfnGqOv6KHjrX4)t8XLvXIj4Pʧrp(,[NF:%{X#1\)Ƕ8[j,uaV3Yh{YWG a^T=0G;7g,.IgyAA J+T^WfgKPNֲ>bk!L=;UЗ p jHYںdj+3ll3_t\& N;3(]Ŋa|ϝ*^Û:M1A"n:[l5OU#Ddo<.K}C)CT6;@r3j<P=܅nĽ Ξ}*cBLEQVj2X0j? `!S Jr!3,Pp0qG|@e6i!;d5[C#BW,F21t'?oi$4\ݏ2hic~Ex:#5*0@\HAe4!'n$=Hz{R?9:?rWb\5 nmyM=cTz Yi(nXxPBSENt>vnexUau()2ޘ3>(_~(ִMHrfH9Wa+Ȳįiwm248S dm$z>mE E 0AYqMU1f -eڤ] f:2hXR%srsl&*uR`Ueuz>'J)g.:Y3}0"$HO {<v!+T{ p>&$bf!BG"˹t|> FH\wmgGȫ6tFEj-`3>lυY]/K:MEGV+$ X׮9rSSZ`P]YWP*)`i( HlgaiJLٵ={V<8m#QFQ"&ڋֽ>yᔽ%hxʅ2Z 9tsW7X` 1"zuA#j$ù#P(ab'sFítFPHU-n\|5r9ӎ&o}T'GWќ0l fq{0D?7.il;ZBIk_ ,c;m8h8e 7y`F<k'N?;V/>|4Jviw2M opH|[$ܐW4_G_5oAXJ ;-۾IlrE+Gt;ϣJ_d0Lt߳ JVӺp'M~{fQ53UQ،Pqh9$7X_+xGι0жϾ M! d$2,v$7_V.֦*&= )v@yZ&޴& >[x`XD)Rb Q.uê"rwO{cYl0ft9<ĀU-F Ŷ?G쪃h=K݀{x4jm?B-|s$jUhDR&b[I;SgzC$w9+JV}(\6ݥ޶!Vٺ~93x <8(b/8m8Raր^=LpW`8SyPѪܽ sQ]2^q86+stٻ"ЬT x=&U[6.̼ʱmݡ,##VO#"m܉TKSYqrQAB E< :ē$N˓sxV_nWwVz|=)^^Jq-r<$"TcF#9̸d"GRX0H`6za 6l7n0)FBGh\7tv YGlHȣ\q,,qWoVjn`ɬp< 0=s}^^ iT8SF-~hGfKkN@yۉ`4]IB*aߋ%Q1R)443^gQk$ĸz<.I?񀣿^BcA |εah If Rw֒i1"j>]bVX~a[tRBn=ax QĹ-&Xj w |Vol_K/{Y+Lɂ[ 9 ɼB#[ ;6{c\AӧM{lfE>pdgHD#Ccyeyh~[z "}G%C{+CLz-k QԲ5[eYԩ.8ck0kѿ(v쐥Uԣ?O4ݾmU9H\(&5K<5u=/Xo8 G\8b:AZa2>qh\D?XqlW!s΀׊|>$#$p28o#<4+"1-qn#G/)Kh3;˅VEwŋ=! ۋ@'qYP0NXe2 u:eM R`o`UK9漸i-5Y ņ)(1@OK {6N?]NFL)lg[z$HI7'N 8iPdo v[C.'m?H96/?czZ~g̘O?`Qʙ?\9Co%"U 0#bQW dvAUgwKX{ k w#b`Nɰ',x9$S/vz9CHBB*$@zGk'8r<3X'\ ȹ+υ9)/ɬIĦ-| inZA2dH_ 70ww"eZ6)zWHצ3A%Ʋ)&;uE;t', csu~Џ⩻E slT[*ʞ$|ě 4niPu]͵402| 5{KEb4뺲{ @lF2%MX<`eKnF1`e|MD0\trMa47xռ廰F[TP&"$t߀B+)pq͹< n='LN<]Zܥ&w\F6/y^,뽚bMS!ԂX͈e ӣ8 qw@釹=+zDN"a[GE=V|J{D=C)$e 42Z4[Z*S$IpE.W*=5 TWc-5=N}$$Bև^Owneѽ ɮH+,>u_`0Yy ݺO!h T նQ%%rghe 9`=$a9LYŤ=|Te73~4! 5n!@_7+4)y@ר?A`IDPz3|F T7cу;F$[F/"ĨyR.ou?}Ső~S UP5金Ow[$"<,'@-]Fc9aG!S8$Bh4Bwx7M{Dw=K0LbnmϦz%@y8w6myWGj#=KlFCJϲaxh:? }{ Gr sNȢ9晧lZ'" Iu) fii?ejq$~F$ r_4 aSm>"~O_/X-v`9 Br/4BA hrs\LVaI=G*d=kL􄓞&pHvSnu-MuR2҅9Z] o[Tƭ(|C-!Ӱ?Y\q› !tAB{` tD]:k D>~ׁ }Pb_]b"ƠAv;-*h%鯓9mi?jpTMX4D<1uuncgc,АwԎ䀬cҪ} u}/mNg!@Z6|N1@KV`c΢`"?GT`&D!ODor) 9j] YqCڦXXؐb;NrG7Nj^ڿɘ=/nZpQusqhr @>ox 7Č8oы J9;?I.[YAM1bCTt6Ԯ~ gfiR{id88tkr<%*NIM Nu{J!WtĊFeϳ":$ط&8'Է9Μ 3UeD%'5d[5+Z;鄅 CD)E9!WappcN~Z*$5Y=cJ2oWpn&@L YZ