container-selinux-2:2.229.0-2.module+el8.10.0+1825+623b0c20 > 6 6_6 3!pQp)Tξ7]mtZ`fZ ]mtZ`&o|ߍ:|ePRq4W$փ\5M'u MΣf(ȪUp3m OX;'?oZFurH@lQ,:\90+L(Y6PlZTJ]ӂ5@$Eߡ.PrJ!p%LIOoP#ͪ1R0R&%[e>KF'o-Sx$MZAvBj[!E;$fe8w#|.~s`CV6[Ծ;s P/k+S]ŕrzBS!V8s%+k0Ӑ9@TsKxX&Ѵk)Vor4# < $:]JXCsa^ :MÜ.Mw'-MxcAe|&wI[M< r*tzE%K}tt?RTb gk2fbb59135e0067be0f3b72a7886d7eb984823c65b7a1758fcd319d5fc68a94fc83302c9ce3c1c5568eab69c9d5fdf28befcba5b25׉3!pQp)Tξ7]mtZ`fZ ]mtZ`]3фMCoiaW p2ho$dQ5]C<ρJWQ:_16w # E ,z7ˣ4Awzz`|ktO(ISp '0Džl2.32CkW 1mx޺ ļQzxT +]BhHy W!+g(⠥ˍyH0nmH"lUeQO/EV - _V_  Ǧ&'Pˏ]"ƣ~ĕ >:h`,B$/$Rڽ,''pIpK?p;d< @ h CIPL t    @  T   l 8pS(894:/=gR>gZ@gbBgjGgHgIh,Xh@YhLZh[h\h]i<^jW bkdlemfmlm tm$umtvmmooooppCcontainer-selinux2.229.02.module+el8.10.0+1825+623b0c20SELinux policies for container runtimesSELinux policy modules for use with container runtimes.fZ ord1-prod-x86build004.svc.aws.rockylinux.org }KojiRockyGPLv2infrastructure@rockylinux.orgUnspecifiedhttps://github.com/containers/container-selinuxlinuxnoarch . /etc/selinux/config _policytype=targeted if [ -z "${_policytype}" ]; then _policytype="targeted" fi if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then [ -f /var/lib/rpm-state/file_contexts.pre ] || cp -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /var/lib/rpm-state/file_contexts.pre fi# Install all modules in a single transaction if [ $1 -eq 1 ]; then /usr/sbin/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 fi export MODULES=""; for x in container; do MODULES+=/usr/share/selinux/packages/$x.pp.bz2; MODULES+=" "; done; /usr/sbin/semodule -n -s targeted -r container 2> /dev/null /usr/sbin/semodule -n -s targeted -d docker 2> /dev/null /usr/sbin/semodule -n -s targeted -d gear 2> /dev/null . /etc/selinux/config _policytype=targeted if [ -z "${_policytype}" ]; then _policytype="targeted" fi if [ "${SELINUXTYPE}" = "${_policytype}" ]; then /usr/sbin/semodule -n -s ${_policytype} -X 200 -i $MODULES /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : fi . /etc/selinux/config sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types > /dev/null 2>&1 matchpathcon -qV /var/lib/containers || restorecon -R /var/lib/containers &> /dev/null || :if [ $1 -eq 0 ]; then . /etc/selinux/config _policytype=targeted if [ -z "${_policytype}" ]; then _policytype="targeted" fi if [ $1 -eq 0 ]; then if [ "${SELINUXTYPE}" = "${_policytype}" ]; then /usr/sbin/semodule -n -X 200 -s ${_policytype} -r container docker &> /dev/null || : /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : fi fi fi6frb0(: BA큤A큤AAA큤A큤A큤fZ fZ fZ edfZ fZ fZ fZ fZ fZ fZ fZ fZ fZ fZ fZ fZ fZ fZ fZ 8c04ac861d425e9947eb5bc06c3125d682dc981f6327e789ebe1c4eba0d856fc7fae14152b8ba0da99d2e5a4f0ae0560d8d5286b63a573231284445a99e8c24a9e4227f868d83af4473931cee518f866ed22abf972db1ca104c674038475bdcfd8bb85c348c013c8ae5d252dad0ba613b1ba609b1bc7cffd54d2ff144e1fda47c95d8badacc674ace0d2fed4fbee4d28d2a92799b23fd5cc30cfb444ee8896b71724330eae556d61248fca0b0920b1de3697d8cd42bf56da8d062a4265ed1b9f2aaad24c9578fa9575445ab4c5208b80b1226e49174e20bb2609de935466b9ba9eb7fd75efad4068dc1e00d43c6176477d13f5c759c1986174a340cb07b822119af286e5e19e15cffaaf7b29c745c800ef94c03d90ee90e0e8e18edc2ebf8f01280274d7f1512ce4677f123f310d300672d6872c3e1f3f13144cd5a03e85ba4b0a6fa6a05496c83b67185cb54805263c502181507d1ae899909090caf986d623dd478baf01b7ef0daf441b7cd616c79ea77eb8e9d2725976b9edeec3991e3d5f67de3bb8fb85b4531702c64fa11b1fbf1746cbd844560f2f680b862915f25d69rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootcontainer-selinux-2.229.0-2.module+el8.10.0+1825+623b0c20.src.rpmcontainer-selinuxdocker-engine-selinuxdocker-selinux         /bin/sh/bin/sh/bin/sh/bin/shlibselinux-utilspolicycoreutilsrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)sedselinux-policyselinux-policy-baseselinux-policy-targeted2.5-113.0.4-14.6.0-14.0-15.2-13.14.3-80.el83.14.3-80.el83.14.3-80.el8udica0.2.6-14.14.3e@e@ed@e@eeqe'e ddhd@ddm@dcp@dbdRLdd@d @c @cc_c!@bVbbkb_b<]@b%b@bOb@aar@a@a@a@aaa+@aaa]aQ@aI@aA@a'@a&0a /` @`9@`Ȗ@```q`@`@`N@`@`dd@`Y@`&m`_T_`@_%_%_F@__"_5+@_16_p@_5_X@^n@^Ӝ@^@^^k@]@]B]]@]|@]@]X]W]R@]@\M[[ͻ[[@[[Xf@[L[K7@["X[@[@[[[Z@Z?ZZZ%Z%Z@Z - 2:2.229.0-2Jindrich Novy - 2:2.229.0-1Jindrich Novy - 2:2.228.1-1Jindrich Novy - 2:2.228.0-1Jindrich Novy - 2:2.227.0-1Jindrich Novy - 2:2.226.0-1Jindrich Novy - 2:2.224.0-1Jindrich Novy - 2:2.222.0-1Jindrich Novy - 2:2.221.1-1Jindrich Novy - 2:2.221.0-1Jindrich Novy - 2:2.219.0-1Jindrich Novy - 2:2.218.0-1Jindrich Novy - 2:2.215.0-1Jindrich Novy - 2:2.213.0-2Jindrich Novy - 2:2.213.0-1Jindrich Novy - 2:2.211.1-1Jindrich Novy - 2:2.205.0-2Jindrich Novy - 2:2.205.0-1Jindrich Novy - 2:2.199.0-1Jindrich Novy - 2:2.195.1-1Jindrich Novy - 2:2.193.0-1Jindrich Novy - 2:2.191.0-1Jindrich Novy - 2:2.190.0-1Jindrich Novy - 2:2.189.0-1Jindrich Novy - 2:2.188.0-1Jindrich Novy - 2:2.187.0-1Jindrich Novy - 2:2.183.0-1Jindrich Novy - 2:2.181.0-1Jindrich Novy - 2:2.180.0-1Jindrich Novy - 2:2.179.1-1Jindrich Novy - 2:2.178.0-1Jindrich Novy - 2:2.177.0-1Jindrich Novy - 2:2.176.0-1Jindrich Novy - 2:2.174.0-1Jindrich Novy - 2:2.173.2-1Jindrich Novy - 2:2.173.1-2Jindrich Novy - 2:2.173.1-1Jindrich Novy - 2:2.173.0-2Jindrich Novy - 2:2.173.0-1Jindrich Novy - 2:2.172.1-1Jindrich Novy - 2:2.172.0-1Jindrich Novy - 2:2.171.0-1Jindrich Novy - 2:2.170.0-1Jindrich Novy - 2:2.169.0-1Vit Mojzis - 2:2.168.0-2Jindrich Novy - 2:2.168.0-1Jindrich Novy - 2:2.167.0-1Jindrich Novy - 2:2.165.1-2Jindrich Novy - 2:2.164.2-1Jindrich Novy - 2:2.164.1-1Jindrich Novy - 2:2.163.0-2Jindrich Novy - 2:2.163.0-1Jindrich Novy - 2:2.162.2-1Jindrich Novy - 2:2.162.1-1Jindrich Novy - 2:2.162.0-1Jindrich Novy - 2:2.161.1-2Jindrich Novy - 2:2.161.1-1Jindrich Novy - 2:2.160.2-1Jindrich Novy - 2:2.160.1-1Jindrich Novy - 2:2.160.0-1Jindrich Novy - 2:2.159.0-1Jindrich Novy - 2:2.158.0-1Jindrich Novy - 2:2.156.0-1Jindrich Novy - 2:2.155.0-1Jindrich Novy - 2:2.154.0-1Jindrich Novy - 2:2.153.0-1Jindrich Novy - 2:2.152.0-1Jindrich Novy - 2:2.151.0-1Jindrich Novy - 2:2.150.0-1Jindrich Novy - 2:2.145.0-1Jindrich Novy - 2:2.144.0-1Jindrich Novy - 2:2.143.0-1Jindrich Novy - 2:2.142.0-1Jindrich Novy - 2:2.139.0-1Jindrich Novy - 2:2.138.0-1Jindrich Novy - 2:2.137.0-1Jindrich Novy - 2:2.135.0-1Jindrich Novy - 2:2.134.0-1Jindrich Novy - 2:2.132.0-1Jindrich Novy - 2:2.130.0-1Jindrich Novy - 2:2.124.0-1Jindrich Novy - 2:2.123.0-2Jindrich Novy - 2:2.123.0-1Jindrich Novy - 2:2.122.0-1Jindrich Novy - 2:2.119.0-3.gita233788Jindrich Novy - 2:2.119.0-2Jindrich Novy - 2:2.119.0-1Jindrich Novy - 2:2.116-1Jindrich Novy - 2:2.107-2Lokesh Mandvekar - 2:2.107-1Lokesh Mandvekar - 2:2.89-1.git2521d0dLokesh Mandvekar - 2:2.75-1.git99e2cfdLokesh Mandvekar - 2:2.74-1Frantisek Kluknavsky - 2:2.73-3Frantisek Kluknavsky - 2:2.73-2Dan Walsh - 2.69-3Dan Walsh - 2.69-2Dan Walsh - 2.68-1Dan Walsh - 2.67-1Dan Walsh - 2.66-1Dan Walsh - 2.64-1Dan Walsh - 2.62-1Dan Walsh - 2.61-1Dan Walsh - 2.60-1Dan Walsh - 2.58-2Dan Walsh - 2.58-1Dan Walsh - 2.57-1Dan Walsh - 2.56-1Dan Walsh - 2.55-1Dan Walsh - 2.52-1Dan Walsh - 2.51-1Dan Walsh - 2.50-1Dan Walsh - 2.49-1Dan Walsh - 2.48-1Dan Walsh - 2.41-1Dan Walsh - 2.40-1Dan Walsh - 2.39-1Dan Walsh - 2.38-1Dan Walsh - 2.37-1Dan Walsh - 2.36-1Dan Walsh - 2.35-1Dan Walsh - 2.34-1Dan Walsh - 2.33-1Dan Walsh - 2.32-1Dan Walsh - 2.31-1Dan Walsh - 2.29-1Dan Walsh - 2.28-1Dan Walsh - 2.27-1Dan Walsh - 2.24-1Dan Walsh - 2.23-1Dan Walsh - 2.22-1Troy Dawson - 2.21-3Fedora Release Engineering - 2:2.21-2Dan Walsh - 2.21-1Dan Walsh - 2.20-2Dan Walsh - 2.20-1Lokesh Mandvekar - 2:2.19-2.1Dan Walsh - 2:2.19-1Lokesh Mandvekar - 2:2.15-1.1Dan Walsh - 2:2.10-2.1Dan Walsh - 2:2.10-1Lokesh Mandvekar - 2:2.9-4Lokesh Mandvekar - 2:2.9-3Lokesh Mandvekar - 2:2.9-2Lokesh Mandvekar - 2:2.8-2Lokesh Mandvekar - 2:2.7-1Lokesh Mandvekar - 2:2.4-2Dan Walsh - 2:2.4-1Dan Walsh - 2:2.3-1Lokesh Mandvekar - 2:2.2-4Jonathan Lebon - 2:2.2-3Lokesh Mandvekar - 2:2.2-2Lokesh Mandvekar - 2:2.2-1Lokesh Mandvekar - 2:2.0-2Lokesh Mandvekar - 2:2.0-1Lokesh Mandvekar - 2:1.12.4-29- remove watch statements properly for RHEL8 and lower - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.229.0 - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.228.1 - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.228.0 - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.227.0 - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.226.0 - remove dependency on policycoreutils-python-utils as it pulls in python - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.224.0 - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.222.0 - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.221.1 - Related: Jira:RHEL-2110- update to https://github.com/containers/container-selinux/releases/tag/v2.221.0 - Related: #2176055- update to https://github.com/containers/container-selinux/releases/tag/v2.219.0 - Related: #2176055- update to https://github.com/containers/container-selinux/releases/tag/v2.218.0 - Related: #2176055- update to https://github.com/containers/container-selinux/releases/tag/v2.215.0 - Related: #2176055- add watch statement removal from container.te - Related: #2176055- update to https://github.com/containers/container-selinux/releases/tag/v2.213.0 - Related: #2176055- update to https://github.com/containers/container-selinux/releases/tag/v2.211.1 - Related: #2176055- use conditionals from https://github.com/containers/container-selinux/blob/main/container-selinux.spec.rpkg - Related: #2176055- update to https://github.com/containers/container-selinux/releases/tag/v2.205.0 - remove user_namespace class, thanks to Lokesh Mandvekar - Related: #2176055- revert back to https://github.com/containers/container-selinux/releases/tag/v2.199.0 (2.200.0 fails to build as it relies on the new selinux-policy which is not there yet) - Related: #2176055- update to https://github.com/containers/container-selinux/releases/tag/v2.195.1 - Related: #2123641- update to https://github.com/containers/container-selinux/releases/tag/v2.193.0 - Related: #2123641- update to https://github.com/containers/container-selinux/releases/tag/v2.191.0 - Related: #2123641- update to https://github.com/containers/container-selinux/releases/tag/v2.190.0 - Related: #2123641- update to https://github.com/containers/container-selinux/releases/tag/v2.189.0 - Related: #2061390- update to https://github.com/containers/container-selinux/releases/tag/v2.188.0 - Related: #2061390- update to https://github.com/containers/container-selinux/releases/tag/v2.187.0 - Related: #2061390- update to https://github.com/containers/container-selinux/releases/tag/v2.183.0 - Related: #2061390- update to https://github.com/containers/container-selinux/releases/tag/v2.181.0 - Related: #2061390- update to https://github.com/containers/container-selinux/releases/tag/v2.180.0 - Related: #2061390- update to https://github.com/containers/container-selinux/releases/tag/v2.179.1 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.178.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.177.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.176.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.174.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.173.2 - Related: #2001445- update minimal selinux_policy dependency - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.173.1 - Related: #2001445- lockdown allow rule was removed - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.173.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.172.1 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.172.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.171.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.170.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.169.0 - Related: #2001445- Start shipping udica templates - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.168.0 - Related: #2001445- update to https://github.com/containers/container-selinux/releases/tag/v2.167.0 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.165.1 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.164.2 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.164.1 - Related: #1934415- fix the build of 2.163.0 - Resolves: #1957904- update to https://github.com/containers/container-selinux/releases/tag/v2.163.0 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.162.2 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.162.1 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.162.0 - Related: #1934415- do not use lockdown class yet - it is not available in RHEL - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.161.1 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.160.2 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.160.1 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.160.0 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.159.0 - Related: #1934415- update to https://github.com/containers/container-selinux/releases/tag/v2.158.0 - Related: #1883490- update to https://github.com/containers/container-selinux/releases/tag/v2.156.0 - Related: #1883490- update to https://github.com/containers/container-selinux/releases/tag/v2.155.0 - Related: #1883490- update to https://github.com/containers/container-selinux/releases/tag/v2.154.0 - Related: #1883490- update to https://github.com/containers/container-selinux/releases/tag/v2.153.0 - Related: #1883490- update to https://github.com/containers/container-selinux/releases/tag/v2.152.0 - Related: #1883490- update to https://github.com/containers/container-selinux/releases/tag/v2.151.0 - Related: #1883490- update to https://github.com/containers/container-selinux/releases/tag/v2.150.0 - Related: #1883490- synchronize with stream-container-tools-rhel8 - Related: #1883490- update to https://github.com/containers/container-selinux/releases/tag/v2.144.0 - Related: #1821193- update to https://github.com/containers/container-selinux/releases/tag/v2.143.0 - Related: #1821193- update to https://github.com/containers/container-selinux/releases/tag/v2.142.0 - Related: #1821193- update to https://github.com/containers/container-selinux/releases/tag/v2.139.0 - Related: #1821193- update to https://github.com/containers/container-selinux/releases/tag/v2.138.0 - Related: #1821193- update to https://github.com/containers/container-selinux/releases/tag/v2.137.0 - Related: #1821193- update to https://github.com/containers/container-selinux/releases/tag/v2.135.0 - Related: #1821193- update to https://github.com/containers/container-selinux/releases/tag/v2.134.0 - Related: #1821193- synchronize containter-tools 8.3.0 with 8.2.1 - Related: #1821193- update to https://github.com/containers/container-selinux/releases/tag/v2.130.0 - don't use macros in changelog - Related: #1821193- update to 2.124.0 - Related: RHELPLAN-25139- implement spec file refactoring by Zdenek Pytela, namely: Change the uninstall command in the %postun section of the specfile to use the %selinux_modules_uninstall macro which uses priority 200. Change the install command in the %post section if the specfile to use the %selinux_modules_install macro. Replace relabel commands with using the %selinux_relabel_pre and %selinux_relabel_post macros. Change formatting so that the lines are vertically aligned in the %postun section. (https://github.com/containers/container-selinux/pull/85) - Related: RHELPLAN-25139- update to 2.123.0 - Related: RHELPLAN-25139- update to 2.122.0 - Related: RHELPLAN-25139- update to master container-selinux - bug 1769469 - Related: RHELPLAN-25139- fix post scriptlet - fail if semodule fails - bug 1729272 - Related: RHELPLAN-25139- update to 2.119.0 - Related: RHELPLAN-25139- update to 2.116 Resolves: #1748519- Use at least selinux policy 3.14.3-9.el8, Resolves: #1728700- Resolves: #1720654 - rebase to v2.107- bump to v2.89- bump to v2.75 - built commit 99e2cfd- Resolves: #1641655 - bump to v2.74 - built commit a62c2db- tweak macro for fedora - applies to rhel8 as well- moved changelog entries: - Define spc_t as a container_domain, so that container_runtime will transition to spc_t even when setup with nosuid. - Allow container_runtimes to setattr on callers fifo_files - Fix restorecon to not error on missing directory- Make sure we pull in the latest selinux-policy- Add map support to container-selinux for RHEL 7.5 - Dontudit attempts to write to kernel_sysctl_t- Add label for /var/lib/origin - Add customizable_file_t to customizable_types- Add policy for container_logreader_t- Allow dnsmasq to dbus chat with spc_t- Allow containers to create all socket classes- Label overlay directories under /var/lib/containers/ correctly- Allow spc_t to load kernel modules from inside of container- Allow containers to list cgroup directories - Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.- Run restorecon /usr/bin/podman in postinstall- Add labels to allow podman to be run from a systemd unit file- Set the version of SELinux policy required to the latest to fix build issues.- Allow container_runtime_t to transition to spc_t over unlabeled filesAllow iptables to read container state Dontaudit attempts from containers to write to /proc/self Allow spc_t to change attributes on container_runtime_t fifo files- Add better support for writing custom selinux policy for customer container domains.- Allow shell_exec_t as a container_runtime_t entrypoint- Allow bin_t as a container_runtime_t entrypoint- Add support for MLS running container runtimes - Add missing allow rules for running systemd in a container- Update policy to match master branch - Remove typebounds and replace with nnp_transition and nosuid_transition calls- Add support to nnp_transition for container domains - Eliminates need for typebounds.- Allow container_runtime_t to use user ttys - Fixes bounds check for container_t- Allow container runtimes to use interited terminals. This helps satisfy the bounds check of container_t versus container_runtime_t.- Allow container runtimes to mmap container_file_t devices - Add labeling for rhel push plugin- Allow containers to use inherited ttys - Allow ostree to handle labels under /var/lib/containers/ostree- Allow containers to relabelto/from all file types to container_file_t- Allow container to map chr_files labeled container_file_t- Dontaudit container processes getattr on kernel file systems- Allow containers to read /etc/resolv.conf and /etc/hosts if volume - mounted into container.- Make sure users creating content in /var/lib with right labels- Allow the container runtime to dbus chat with dnsmasq - add dontaudit rules for container trying to write to /proc- Add support for lxcd - Add support for labeling of tmpfs storage created within a container.- Allow a container to umount a container_file_t filesystem- Allow container runtimes to work with the netfilter sockets - Allow container_file_t to be an entrypoint for VM's - Allow spc_t domains to transition to svirt_t- Make sure container_runtime_t has all access of container_t- Allow container runtimes to create sockets in tmp dirs- Add additonal support for crio labeling.- Fixup spec file conditionals- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild- Allow containers to execmod on container_share_t files.- Relabel runc and crio executables- Allow container processes to getsession- update release tag to isolate from 7.3- Fix mcs transition problem on stdin/stdout/stderr - Add labels for CRI-O - Allow containers to use tunnel sockets- Resolves: #1451289 - rebase to v2.15 - built @origin/RHEL-1.12 commit 583ca40- Make sure we have a late enough version of policycoreutils- Update to the latest container-selinux patch from upstream - Label files under /usr/libexec/lxc as container_runtime_exec_t - Give container_t access to XFRM sockets - Allow spc_t to dbus chat with init system - Allow containers to read cgroup configuration mounted into a container- Resolves: #1425574 - built commit 79a6d70- Resolves: #1420591 - built @origin/RHEL-1.12 commit 8f876c4- built @origin/RHEL-1.12 commit 33cb78b-- built origin/RHEL-1.12 commit 21dd37b- correct version-release in changelog entries- Add typebounds statement for container_t from container_runtime_t - We should only label runc not runc*- Fix labeling on /usr/bin/runc.* - Add sandbox_net_domain access to container.te - Remove containers ability to look at /etc content- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7- properly disable docker module in %post- depend on selinux-policy-targeted - relabel docker-latest* files as well- bump to v2.2 - additional labeling for ocid- install policy at level 200 - From: Dan Walsh - Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a standalone package) - include projectatomic/RHEL-1.12 branch commit for building on centos/rhel- new package (separated from docker)/bin/sh/bin/sh/bin/shcontainer-selinuxdocker-selinux 2:2.229.0-2.module+el8.10.0+1825+623b0c202:2.229.0-2.module+el8.10.0+1825+623b0c202:2.229.0-2.module+el8.10.0+1825+623b0c20 2:1.12.5-142:1.12.4-28 selinuxcontextscontainer-selinuxREADME.mddevelincludeservicescontainer.ifpackagescontainer.pp.bz2templatesbase_container.cilconfig_container.cilhome_container.cillog_container.cilnet_container.ciltmp_container.ciltty_container.cilvirt_container.cilx_container.cil/usr/share/containers//usr/share/containers/selinux//usr/share/doc//usr/share/doc/container-selinux//usr/share/selinux//usr/share/selinux/devel//usr/share/selinux/devel/include//usr/share/selinux/devel/include/services//usr/share/selinux/packages//usr/share/udica//usr/share/udica/templates/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=x86-64 -mtune=generic -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protectioncpioxz2noarch-redhat-linux-gnudirectoryASCII textSE Linux policy interface source . /etc/selinux/config _policytype=targeted if [ -z "${_policytype}" ]; then _policytype="targeted" fi if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then if [ -f /var/lib/rpm-state/file_contexts.pre ]; then /usr/sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore &> /dev/null rm -f /var/lib/rpm-state/file_contexts.pre fi fi #define license tag if not already defined/bin/shutf-8c72d60ca59900cbdd02a478b17b183f1e8fc229be72c0c56fd28f9b5459efbfacontainer-tools:rhel8:8100020240531164724:82888897?p7zXZ !#,] b2u jӫ`(y0%B̤nqwUh))\+r4mswQ2AV5dY-m[L̍=`kTz;F%$uo&XB5#X7ͮ)z &DK(" Tq:2hF4hh0g[bȞ+V^s̼R*مm9yaYֱKi5,i1L&eދfAc bm$LU~ⲗύׂ滮{TRM0530Q lW?V.gz̋wNBM[1vTC //4HaAށ 8W!ukVk$'3 QBFnCՙ o)u*e>h 1Nj^7 LpP.ch`?0oѓLSƃ=g5FS_t?_ 5z^ZOg~)k8Kl1#oA:Շ_9jZ_,8fiU[̎XKNO|Q-vaBIɪ8]x}^.MȔoS𒨹>O9k U?#;*x3֨34N*fC.Ҏg $%m12H#%1> *\~J%y=߰c^@)ԫNE;URG'_1DlpLϸ`Ho(v`$HZP(R}ڸan/qEYAC{:V,c]GXiמ2PJlzgw F7a9a}X؟%Aӣzy8DK*^M~NMVfʒՖGGt:8.1knvGV.r܎<"]9u[ Df#vD7[PI-+i V/4Eiy Ӝu K|h~|":*0 41* M}͆2}47XG'RiRǬ#ϥ~дYQ.7S|5׮7.mXSS Ef`SWT P[* 刳 8zMN_ޣ*;f$7x^At낽<;D輇[s+v"p1#,:9\Ir:xqp0tYh*Ն0Eȳihz`=6k2P˸uOsOD43S4A9Bf[JV5MG=og㋅Ƽ|"ͨm٬2 #0x,5Ӳ ȃ!~w ߛk&*vYbՒGY Ziv% gT-OIowcp*Yk@q~O!vPtjw$ݸ"LD ڜ(]VGq',:$ (f|NZȃde*O)>hEyˆa)*.Gߧg)h}xefIrA@i*v*DZ3Ź믝%~(ۤUdt5`VN*cva!Ha_eL|:їG,>|ee ?>)Cj ~&Fi42]h۩3Ỷ`Ʒ\&~kaWJc)D; L> [IFM0[[&6ɰ[t*K7-~! C07m饺g!$-l? a*Qnm V=18{D/n:-yRfD[;y\ t[5ѐV75!#Nd.ΚȦn6ȳ) wL[E{[C$_A7쿎5iD.=g@huwݼ7C"҈v/V~V{B :rDǰF3`d Ұc:a׸@Ȉ/%hl9̢JNЅR6Z>YTFaWf e|B,۲>mn|G@ܠ:"<|eǻԃLNJ=. ~z$C\/|;iAؚt9Ro|!?w21p8fއBWCUb}(u*sP%3H>HlK<}팳љF \'[L48D?S(oЁRKi)^'=JIBؓ(rժu o$QGBKlΔ |k-ūQм0KIa Uvr8z̮e4UE&yE{SËN |>a$0wS(D7zY=ryzM/b}B52hh-j[_h!ltvsMV1{-}+"Ӌtޒ| ?H ?uP֕]']M^ g]< 2BXGޙYپ ߅r}su} %ܧ"&{ KG}TCKӶh+%` bhu)c,p#dQOY"~8s[9ӄݵ6k}94>=$>m^$WRsM[r©RQ6"\CjK6! jji9`t&-GX#[=莶D)nfKIoI) c+XBNa#܌3?4#x~ڕhP6Fhsm+4:>NkMk~'k[N+%v1 wq4a4=dxfĎ Qɷ;=[96;iW%h,DO(=)Vպ9BG%ar{Z!=}CQYiwq~ u7(tXb9%ҏ.BFeY/{>lD#%>52+k4dG 42qlgsXW=1a\nxxBnGx ^83['7 ,vKظrPjsÅØeUR.gtE_ۆf_i*R-HF7M8&} ʷxt>zGp߱1\!H-9ټT-W|NQ"K/ ]n?uEǂ"GlKl&iDbE2O h{o%|3vXAT7s&Mtxr4`!,v\cᢎk bˑL$x$~^e.tlaXi egA2a89DA]Br ^aNjgUq?hP,t5?'e:p=w·hHlza$ةʢ؎v'_ׯ`sWuvPwF[dO_)v*_2QXw"t`̌XJ_ߝ3\$Z&E򒿪||ϼR{?EVR3>z_S\%GI#--3uEDCpEF* tO-E l RJI7pcQ^blIw,g׋/sXunpq$W@/j5R%BPz0o,.j氩η+ 3b}chj6!=_,=elI ^[\FcE׆aUUI)3we} Da߿W ҀƉ*I)᭨>+_$޳bZyg Ďc<\ċCބ%5?]BY4WVHa|/br _.l|ssQP>e0~yS"C\Uʀ0c9i4XtPѠ4TzC,dz_֟T).~<<+nյ? ] lw!Mƹϐv]!dڥb݉2hW/~MJKJ%@{IN`rm2\>2#vۦ`ieXg9mA/u@JbD\F2jhX#A'8ڥ_@5͸:hc0<"0ȐPߊ=D IcurR]z,3KÚ'F4UϢ gY]op>G\'o&1ٜӂD_o&C8j?%[v|f?oݍc3x^}T PbhˬZ 5s#'6RK;g*1#Tf3\2S6gi01C>*c+~QWc=IމlGmj./s?N?>#\c!B<IF1" nj@]DQ\ gF6KwG۹D\n8`ƅ+[Q`.Cs6$KOTËR6eQE3=240(>~m x*rMfph@mt76b\6*r ('iMq.o[b x) dzN/F 6LUIUUm%uu{3.V[MJQͳ*#o\&Ice+ߴ{i!] YQ!* uZYN*M~S+ Guo"ww:U42ri׬"c z֓fnefYE*gk n>-0hoxO,*СB33N$EtBɜ_bv?Ay%h(hdd͐2 KiڢԾӈAv'GSQn .x-yD|J @?r&h.])1cE\(_uOFheN:!90û|#_V+'q&~MVҲwEa3B%)Oՙ[LW)=TA!Vٕ50cc*Թ2V}O`x-MawCR5m4rt$$[_tBVwAb30ahivV,W;D1eO'` N`ʝ -ǃ):< ;VZj{tg"F沽GQ_M-R"͠TD WK4;}CcU6^˰!" XVN7 x4-m~Y˔h`Ⓟ9\xPw-mש>QR 3v8ae@quom)#۾%R| A#_Q_D7?K)B ,8s-qf!>aS2sRá,YVԽXoRkR9]|O[gj ЬĝqNh5:Ozw^]DO MVWg1BkТi`LonRzlEG[ RHqq8=(]rع?ӵxL:${X\4 ~[.iY"2Ӗ#ZZ(= Xf /t/C"/C(*K3n}Ќ#hړ4x^ъOGV;X-, !(ѧSI dVE'' 4D[àPTɏS js½tpVsfu)hO'M5'k2'uГg`|y?.\"/ >ĨPUqUoUJHQ}$ y.` t2~ϴ'M3QV6i@`25 Q ЎiDG|d`T*Ϯ)J)}DCuIѤlLe6t9Ȉ7񐆉o:lwwKz{;DOZ8=pnM{blܒçJJ\{OyyEQguRU.KwjYGFSzff ?e+S Xs\g0̿-`k-oQ">s&2$qq1B9 ePA%>e鐁!2Qt3@4s7,sjXѣ/!IPB`,Ӱ\@:-cGbC)CCH#/\;g΋y¾>bnxB-B>֕n4hn-A.bga{@7jJf\!EC~Eļ'cRIyuKX_Z][7nu^) ['ys+Q@i&\jI?AiQ>oO(*e^3JS@lpt$Ip++#FI=#ݪm|‰MyZA?(P~aِ#ۅ rx{4^H? |;6 G*Z謊K0Rǀ{&I:+RsJY3Sq@r`eM yA @/Dx~1^>|mB]aLP | bZr<~T ⣂'x(]NɆ&P,H>n/1.JUˮ6Tڪ|p"W Vr{8lVdd'66ng7 hh3=LSE{JטW`4MU; 1@Y1o!JוOj S2j5}+_ Bر#s朱l{C  q+!t˚VMB9/q赛𭞵nY9XrFtZ".d^UW4p xkR .p?]M.tFd;]ߧk.rH$ÞգYh>GC:tBHԼgq%}l?4C7d(>"čAÚ䥌HmbL=\L:be xmcD33g8`g}BN`}uT0{&=M]aXPtw#)n1;W ČQ_1^ 6TU upFT k){BajcƄS݁KyUev3d_٧Ia%5ROu&ԙ QjlS Ep#f岼g+u"S9b.W<tDo\!WMӂU3bv19}q\۶@c }ΑAPM.֟hgAq6EDv3OtK.]B-,| )Z9Ax<Բ4;uy5hZR ӝߤShsaՁ X/ `Уa"tؽD׾nV7z\Me͏$|0X%ao* .@EC.E񙦙AhyTSsڡx?l^^ck`<kTH;E6r]I\뼓TȺzĴP@dh#;d RE<=_+ȷY(YsSbwל% POG3trS΀#"޽eju uTV2i<FG~dJ6sZz9bDxhzKNe)&Mn:~)lmF aꘫsȷޱ"wDi[XMpRHqp5y,TPGIroݾ./<! q8)߃K 2:"_V84\>q8ꠜЍwz?C%5ldeޒhm"E blB+;8ܹ$UfT,`WF/(D0/ $SsYf": TNTǣG"Eb*aUg Gʥ3A蹋/ #s ^s86 N|pA&+JFnŤ!Vo+_Bh7#WI}HR\i-Ms/H;q(g=|su8+q"Ʀ#ʱ<̧<|fD} sX*jSI, ɍU{ץKCWo8 ~s^6.OiY`Gmc c.RE@Jx 0OXDzE% om+=0]%*p)$r2yJ乧f6:ًqQ^t0"ņM]{QA󜪆$3S"F^;4hԳξ鎗dCs*"[vZl2DPA;ۄEG2$6+@kmտyR<*OKϛ_zɜlqT;q UC@ owѯ&:*#ɾ^n0:&~w瀘03Z[&kcxruY"BИi=ְ^y[#w=f[hU!]5QԒJSɝ(p)~',Fq1^e4%X,ENO/£tY(w$ߴ,>L'.vq$c`wSE Cxl~[fܳVB°b]O+rGWo )XԄ*vci}d-㺞g(`@^6_\!q]H寽BIQB!w$Y5VxC`y>0wPTE͒4r J Mg#mP^F:? GCĝ7Σ".i)FrN^`Q(/yH= V( KkvCs/' z)QJn9M͒-A{eXEQ/P2<݃ x~] l$!¤['/al(Mmq)}-]Ja3t.Od$R2֠*OoGR6'-Y]S 55|糈6)қ m卵U*r)̒ '07A> cNgN)#ebexros(|hm7J*6ݴa#c]Pul"#5rJ(,-BV*-k+56nguh Y#1Q5;0YuA4׌ o}fx޳\ϛ'p6f+iifIw(ټrW񀻮_U ͝sVG})^P-~Cj%_N=Pwm lԈ`9bVd(*C( 8tH%Hv.|'"HwCn42q /S(x[;9 8HD!-"5 ,.i:yp*Ja>6i*INٛ:so|4`7E=0s{ {[k]暃Fq̣ K!ot槕 ^_x5vԭCz' I@,VY Bm* kd`n-# Hu@ю=YGT ֫)u9X 3v575>Mzr4LƄ* iOT|_HWat>G%{b% _>+=uSY9~Z$xW+@[  t(bܴV ƾ+RI|ǯXd}dl`ޮcR{[m+yM+X΅Z\1jIĽ0ѠjuYjJY#Qg>YoRoL'"=`+l>w侵N5L m>V/!{p5e:3Өୄ _.fG҄nbӊ/ǁn5G?LȯxHa"h$Q\we:CT-0ǀ:|;v Rr(a+`#)Z"UMIrspU6úFF[Yg`&K%RHIpRLXkT> 웬i2ExqbFJ5 :7^s]bS{HMd¸o+tCO!VOZRhA )?h$(=pFck%=圩Һnp{i`93js%ICzVE "֥W,>T$ר$R^. !qdCL"ZG`aL6XF!cN$4N'3kUZm؊``4JW#_aIF  K-#Z> ,1JfsqB;W>گ*c,˳6 9wqKfeLocF墂ΣI^{G.fBx)SX&ֶO4Ch&-&LSHqDZ jh:;rUIZ湣 ĞG98vQ3 *kk1ʇʱ꧇S+|chSQTƁnKX2pi.CߓL\0ء# 2:2K^߃2 M[< Q CtJA*{s(5߹Ի G/ ߧHy Y"0Uk85 C*̈́di`IUBh1ʔ-A.aIB7@շ׶o0~%;0ogo{,j .RHapkia:Bwt\IhXtD"%^ Ԙͩ7GTp(Y&!B8\YlHEq %O\Oj{k)Fi@;C8@cyD I센O`0BZ\BKj  sA=%gn6P,tS|\%&5~)Kf̑f\W.D˗z%,g;e˄EUZx[IV  [4sGF<}nCU^yT*bjXyS'\+5tMusw}!Jdm*Vg` IE> i?6Rv(GPpҥA۝F|YLׅcp1"03Ii8}w t;0͟4c9|PWn,p49Xkd( g~ 4|ۑ"B(wZI {1|Gbc?/Eϋ'vvͧw|n$֝QXײI/$ =ϧnrV#)uMlߑW_{+A-;ܶ p?(Q7Zߦζ#Ք%,-m`\TL0KkM'T ޱ+2j+ Vs;C%.8*|&JW;" RŹg g "T}GQo?Kq|G-KF]6}k]xV9]ı,ԎM[YCyVu,BtMG[^5GdiJ!kG#KO gP؁)58P:}xB`'RO,ꦘ_$2jf|xAf5C3:oc Z٭]tR!xP@ZNlK.ղeL YՁfqdնR  _g nk@ouutǚT2:袒 6Z1o1ٿŵ ^0)%xme w6s*8k{`tcory8.#g VhOK>ݘSRح)~:'N?pq1x-Q0!iX&A;SNK\:)WKdD4.;j6*']$qU wSmB; em r-L'{8]`fffjFeb;uC^j&ߤ+9 Ki1iH[4HTfۊn$A6ڬ`ۗۦYŊ..۰9 {Az'~%BL*ME$IWuϋx_ mӅM4:|Xj]c`> CM,\ݒ!(Z)e,g0J@Q5[TEM6\sdF(eT@בd\W>ův_m5MWQDµC|L~]n2YCXɠ|-1%70^W)Z. ,xfFQ܃oaHed:n %(Aw r.j@7}6CjevرFΨk'K>1Ӫ%̹ QKN8{z gEYV(=*HiA3$lP5fh )ef~ Ł՜}GS4?n'ґoMFq _U@+ uQV|ğ @ԖKa xRj.##eĩQ`W4Crg#ɤ\vvYI%'T";lG4nU"3Kl=%Y1eM0_1n$6OB-ukΕSɅgL-5f8# B]U1xX@ę^} '}|mh?嘘 |V1%D[CpOCGʹ{TI3 _60b H؝N%!^z!E Wz/~쐿*rn&;ݙ*SPNV>vD)~Y10URٚ]HTu oN24 pFZt׼c)} w1B ot{'ԂO 9Ǘ @~upI 2P?e,̎͗ū`c[*TTNm5cDwRQ=b٤T+$d34#s6,'qћEʑ9g .rFR O SmŇv{pD^卞"u-^=wd,_ z='XjjxRr'Y * oAqNdD k"JD0h xSE6,JHBܭ\?a^g6'`6yT%$MۏciEeVr!8[ppu_pL) G02+@=-0,*hFfo@U3Du+u E"ϝOLmS );%\rPsQ4' uy3фLK" l ʟoTI3$-W(FOW3_mdn}];&"'/푱hF" 2ÂPwH2OPCfN6'E2Ɍcgs ihٓʥ6Fqk *Q.O9P< ձf@Pm`xe=?I oo܁.1;'@{_Uݫ6qF nky-M]N WV|T/ZMt]KGj;c% L59z[KS"Zc4W~,.lz7Y*TU,ރfqR_ gL= xVtŴ;QbYZ`$|gE67=Kw?'}vkEB&'n@041Wdzw~yl35\Ɇ!5)5yA+go;v\S0=' 5Z|vG cP)c˃V|uvtV?!^לײ(2x Ѳ +oJݞչChATQ8M (8YTDT+-yh㍮s#e<{~՟Y5p8 K FY Hw [ |k &XLݳ{tw>Oԕx4G)rO|' ?= U j ?=6yEkZr';ՐhFc.ƪjXnU=A[=t mDHP.mЙ( p7W-Z]yDw˓9,vjŗ/kE߀N-W(J6kb5I*ޞG;8s9Ǻ^MiJQþ-<3+խLZN_0ȸPW<ۭeCK0IہY9b"YtEa`*y,jwJF!!AAOE0u N)y Ţ¢V88`R5v;=N,7K:2IDfnM*'C slk*X3^MGe2zq U7Ň0);^7[e'lvǧ<CĜU\gQx >.:URd @fRs![R6' "hōou1kOJbV(XM<ҏA9+i>nV@:qgu=ꐥ;Ҭp)D!Kˀy,@>~&:(lP󜵜zBB;K]Cj,T}&+rT}}f?su}$L(Π LE٤ oi"Tum*RG}ȋ$Ðri8MKI셄+0jCNIZ/]ppO*r8vч2E%2*aqcU-闛!|&߭p CߝU乧1uv![3g$ƚ`3b ^m DĽDs.OA|2YV^b+ OaUЛm"Oi(KKX%`ipP˴\{IéMV&9Y1{-xel1 gZ zS}|J@ZˍP,4 fcluHδIϊΌR JiX@Ⱦ343!ɦ]SRm (B߰|ȳx{@ y5?:{t.ȦwV=>tQ!l#8Lu\LFs E.&F3(锹ZJmX;F@ꪒGSs MAbYhJZ:gC! VnpA9{dqQyn凿KqjwGT8n2GFU7wy Wꀝa1K0F?(i:r.RH$cȁ( mFHGYM& 8`L˸P\d^Q$6{iV^s+Y9V0CXMKf(płoeD%Ţ``pa+]vg:H8__Eʾ\_#/4Փݵ) ٿ> s>s3Ƕۓ-N$j*YX L%gA~ W@wNO@C3r%Yt5 [6;8Zd O4rGle*>b~h*D8jZvlr&,K6فp}%:]'E@~-P:INP-&8"8MtS3k=b"˖y=A@ yAw;~jyL@SNiwHYM<$\#K#-"s0 q*ܦҁHxd>\0.,uasw<.@)VCͲa5VOP=\Ϛ岊!zBWe7kCbGXLsTwzSczO֗SZxlJ~{,T񌾁W>j ܥ5tܷpOgKmD+)~j˓T[D;'<!!u `U^+K*{g U`\Ows'6#|܆ߙv͇݂\PjXɍk(Wj%~촱nq%#0詯|}*//tꦻpļH}ǹA`I&lC^j,9}bAs_8|13P<߇Nj *?v\/6mm nMv)%}K!1[*%^&53?&WJ @W'VE1=%E7yՀ&qѡMfBAl]KYz!:O=s6m^IM#;)gWC v\S{pQOGS֕YXsY%-!ȋݹi;̠R^ :;3&׈fmBU-*rHݦQ-0*Q*+U W'Kc•]m_g8__EoYl{5?֩ Ўmf|YHSJC/iG?S6jﺃ[RA6Uw2Ǫ(1 E`G6?2$ tkAF,ȧd4[^@[T8jT6uWYD +__թ ]q="l(Aׄ6'}nFs]3GZ =ȼ &y#Js h$PKLM*G/4nXDAhKC ,AX7ԝT|\o-E$y>j.t]S9C@Ri%Y gC/?_#n.lN8*;?YI% ;f.kzz V !*5`-16} %˛8|"gwN⎒b"D; o$p``I/?*r =2OgRżmMbYk>y8w'LjVS^w=;Nq¤)lC:K̜9.7ԟTn#{ux~nFȄ&%d$0!bE$I0~*'*2Ds|eT(c5x}&jCx mGJ[gݭ@fby0L+y@MOݛiaٿǜ(afX7zM8Hǂ&&,Cʴ.7OMn_np7_^ymg뎞 ɜXӦzI|*UpvXV%I'_*>kv6'5[ܺb63yĭz`ŦvU-ei0_f"tE(Vs*X %D`]r7;}gmZot+6{o},WPlCo0cͿie΍[qw6%MQҧkVƹ#m ,J.V=i}DWs0ygํ gϛ&;6زF ?ռLI!T :3Oh\MHp)i.Wl^91} $蚂/yfӡ@E͉2I*T-ACcs&Tũk7~$֜& p1=bJ@Tߤ]@"w.1aၿ3Ft@6݁iⵏS:da᱐I !nbg4wX7m;(4 6}Ps 'O f6!r(P)עTv]gF Oljb3ad1ykX?$PވE.q4KN2K_SX͂ƨўdR7o;ltv֙ʣ«:oew3<̧x!т3òI7%E'mOhPs3PP9_#cg`[Fڡ%AVV@.?/8 ~p؜L9s8?b $`*}xqfhN`XU%v]b!BaMTG<uH>8k$>s)|{@54EF̥۫N+$!Vsɖ&swa鄮h[ekּH<-]Ԧ>i'O+:LǏYOj]1VpY:v;TX c_ڢYܤP'⌟yBP2p{`&+bH@Xx1Ahd߯$ƃ;*W1֘}/nn|g<,k~p=:W #4Ld*>0 *Pg}׀`>h: \P^0ަ}}N]fAzV l猑J] 0L@7\LDHXZG #y*n$~e!9(@6ᖖ;n:U~x`ѐye]bissD4ʵPot zv!g=&SmP|=9Gz Y& v5!RaB#B0/nr22xV]_ 6}5:#ui]] YecUڏ6f E6DamM5U*(y\6,z)A![)9GIgtyWtA!1K5y0c\|Wh?# Pj*4D>z~F߬OGsВ7ٜ)(zC^uWbNėym%tGA c '45$#4j";3\1M`e1YіĂ#]ods"_ȟeD@|C5C? {n1Kԗ+^|2ەH76._:h@f e k<["}ټ6KĸzUY*݁!K1#NOŞ#^0SW:9I?$E03/}R%NIYow oI~XonWހ$?2Hk6+jj>䝵b ʾA+MnU9%2MKMD_l"{+Vmm[PYn\ ȴGFYU>Z Όrݘs%KEP / WNuy44sn0,'p'fPES~ORz[ǴlӍy?\KYy+&] 22&s/G?m/x9foH !,K!ȎחRuxY>?9TZجC q0,)8 iS["= _T٠ o1y'TrEAM%A@Mq3~>t]v&,JV2A˭P:gۥ!XZtCjNè+c ۈ G}6{܍j, սbTjMk+$w{ *aDYԾg@2I+t1ۑ^=`de*G.=iXjAHs :G-OSwR#a!xR`Yď~deCQD'vrxo_'}ٗbG(zP;khufɊao< `Ըy dZz1?z@$k<<(ʆN3' ?n舽/?|Jr{Eq ($t6 Rubl킣zVEJ.|-BxOXyֱYR ӲÙw[Y sI" Tv&X ?|`EZeu{ &B:/R9HP^ ' Z{V4h/oθm qIR /R=Pl[k{/x6;bqc[wEs G[e ]r.]`E@Fo J[j0Tq ZE`/yu+CA)'fpM@Zh=&<5`C%AW:ATNϱ&:KOy[Y;qCz%|&Z`Wk F3*/ T͊-d(2d!*#¸6:EAj+j 4OJj EUi`gp"h#K<5GZ.H Q)0fK pi_B]VЮ^ `\cx@驋VS\y)TuzN% P*%[ϒG'nb*Tf9eDrSimP'n։xP#o<\vM|khe>og>y P3j!sǫ=^.Oz82v6m4Y7GATDAh2lR/ʁ~-r5{S4>YumX-1?x붡b; n~gդgM0]*ZߊSga/Q٘<~JYiC$ǟOoVH|0Gt q9% !v2$}<*L]R:EUVtMU10Sy9foutئc#B=E!p{rv0?1/aEY?EݱG(Ѥ bQ@Y^UDJSy}Sk$7m9u8<b3PʢCy)e` "8njr\N]TiFlLAgrt[nh4u6>.1;[7Q?Q"<EX823 MOP"~br3A2闎/c,]Z1E܀`Mֆ-K F/3JWE?n iXk?h_ۥosE ~;>`us #k~W`>+ 0{$]%`tH.W}M"q =+C 0$/hw;U 撨$+`L?㴦Z*˜U6SgjzɰK* hn%\m{^x # Ća])ִaZ3,Ikp=;Q5~|oQCkb.N|V0rz *o) +Mפ*i a,Px45dilI.pB*z#)^_je96:(,5RX+dN=b3vKl2 k*=ؒb3g5R늂:ӌn{ o_yMKnsDG<;[U0c/ ۙ &;$)q2S *9 ]QD R__>Ai"*a⇓'"`vCgnatr+OIB=kĺ?l)[%(v]2 Yr2̔\u|T{m$X-чT-]d/?U,qRm,X5  [qQC&WBnH %d3ÿCkyfe:\+lD h &lLC\u=(v|Aѧe + l5b J?<6B۪ KN_l/KǹV0-X(VW eʹIc# *Cw?QX CG\v '2837Wm1yp_"P2I FG r p QR?SvgO1S7[RSyxHN83gr|-4[3,R$5I :+G{0x,LcfڷGuw49.^ MƆb7GUГoIk_|-Mhؗԗ'l[Tw\mJ[!,k }H/¾&$ dLv-)+) W$i k735 kE,9I(K?X(dAg`m6OkTCa%&7ӫ}/NamXfϡ?/D}btxuH5&!_sj"-GUhG$[!V"?hl0 @fqə:C p!z62ќ[9:<*3:uB5NIA/`~O6BI\8E#' WڎLDHp|oq@k'V4X^|DӇ'?:\REyu(3@"ho$BR:ܡ2?HZ2`WsD2nRr(iJ/*2Agp8}"*"mᑪPIiLCimQĎ[Wf+-eߧ?+~*l @˲=: xޔ4ƵYOMm~ 骁v͑O#/IQ1`ÂUfWgƵ|GP-#}Ō6\"'TJGY38qP [B9H F4^ee˜)|ɿjkQ.8ki[0/(xizSrc@НWˆI4h {)F,Ua}4Ԁnkor1Bp .sz ܊B˳$ޚ~R Uv g$IVn$sC'R db#8YOMQ鐑ͤRjiqlr:??2v|άpK#"`b?.[4Ȭر>'r$2e~#w)|` }t~$Oe@53G{W{*V,3 Ǽy(<'hJSPq5Wtr^ϱx5'Wjӆg)tňj&䊴̰}܇(I@**0 f+Α {_ȿR#Cq-9%B_"џf(n%_(|\HnF;3Σ;Х (3/zf1x6->C"2ɬf =+&FI8wPn]USdcYgz&3˻^D'?=R qW#sW" wGy"Yob p*rH|Z|,fZjH !$&qq`tfJ0mbbul- 8\-F*2;pRF 'qL[s8{@O_rLa5g׊\ I@Y0Wfp=F7;0{%{BYNyL{ABZ lo9$tl휆A8oГqs Xd_m1uo0'R-+B.[佱zh}#wi|r'tý \WԮРTn¹@ju6Ɵg+ YZ