selinux-policy-devel-3.14.3-139.el8_10 > 6 6_6 3!pQp)Tξ7]mtZ`f ]mtZ`cyn_G‰WDޅ+EEU 9}?]iMPqD튲Dpq|P&n4[hl57dl1d|A@,g=ځ]qmfU@ف!Z?fp'ugjϓfZ,͙ClwTik^^bdsKBJ+~QQYLI"MGU}+Q[BO!YCsn+%\anvwHX7bnnG{7tV(0sl18 Z . 00ʤPנ39amF;I(&ttxq7:^)x hw_!d\AP>jTLcafq^l֥=ӛ_y$j+V9X:\vݘ PW/7gO8DpL >M2AY\2i YZXUv*e4dbb186e119788fad2f6921b5ed399fb63ad616c59dffaf0381c5a6e5341b0ddd9acf8794e683e686431d5321e9d113a745c718l3!pQp)Tξ7]mtZ`f ]mtZ`pDݶ8~|褺ĩOك4x%P. ? O~d}H' ftZ$\k@<W)h _0NNJ'&r,F%*4g5la"Wan_^LZր+DN>mI=}=2u"ZcanƊ\IUBU`F^Ju|aNv4 YHDp 򘔠.SnLQbz)8[=^VQu\5qs]B9"q*nC0pLpZh/A('h?ig]~" < P%YxX}8~ Ai 羃BA Gv܉ /KU Z8O**9 QWʝZXqlF{!٥2hg4 ;YCa݅Jk>lb%C'Zf}gI>p; ? d ) >pt "`v8v "$v -v Bv v Tv,vzvv     ( 8 $V9)|V:]VV> 7G 7vH MvI cvX iY i \ i4v]  v^ ub Id e f l t vu vv  x |  Cselinux-policy-devel3.14.3139.el8_10SELinux policy develSELinux policy development and man page packagef ord1-prod-x86build002.svc.aws.rockylinux.orgcNKojiRockyGPLv2+infrastructure@rockylinux.orgUnspecifiedhttps://github.com/fedora-selinux/selinux-policylinuxnoarchselinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null exit 0 Fp riԛr:#Q!*;"(# 8>] SS$l%5/,}?#l@=G"E:,3<! &M|&%C6f%/N-&b7n+)H,")D'8''.v) )4.#++()!1Z"!#J##"'#M(#J}!"7 j%*&&]N"+Ec*$z=.~';, 2&l& )&'%),+4x",0"1e% [v"$Xk2'=;u%k0#6%+1?w$&n$#,),o%.)f,.'&:&1,~\'8"_&!%,*04,W$)m- ; )&#<?#4+,2$&b+'a**s)5T.QWc'8#7!+ ,++"+A1<*!;E's#F"g%,+i$*,.2m.*j'$(Ї "c3G$h.!* V,=(P21+a=w;z#E&4!J2O8+#Ro+,')!F,v& h,,$-9#<~ 8(#T. "(*@3+,..%0%)X~0#w1`Y#;#$&4(,##)wE&&+%#&'%- '!%~-3P,"L/Z% !;B##2'4R%UmYB'<$1-,<%E%9'>'1f' 5'#$)A2!R"(v#6=F#:&&22c,. 1/'/=7j& 2['+2.,5" ##p.'+KK$l%(]> (|G&)5,&m(& ")+'u(j'L)&&&*'44DNH1v"%S k0'U,"(*')+/(17e&6 99 !F7+a"L<((.!W)(%$-3#?* #K%!{$-*(* J2d?,*-q!;a$|$)*B,=. 0*'K"p!7(+"-)=+?[9 #SSFi+''&5d+3=*)a #+!q0&&\'M8X #O)T:B,,&RR%';6')%',U2=$'2_L?/k+(  %*('E 'E'E'&%G"2-6)#$%> T&$$#2N2*B'$9)#1/'<#F "2:'BP/"8W",D+2++w,+w,H4-(XAu%C&J'q>(\(Q j@$0,M(-Qh:0#@#U ]2)7nPj~tT&$KH$$,')/)&M**'#'*"(o%W"8Y.(g+$ &R+(9#j-# 1B+(+*+%y).&1%&$%p3C9%2'0 )`$&u84"2I)r0$)6"V,0!0' " $~-$3zV%,0;yq!4Y$/%*)/E$:&0x! -!$Y:.V .Z'G-?"(H6QUm-H*-++oq"$<,ZP~7c%&6$n"?,2"Q+@))-),\)6N%:?tZd| 2@U oV 2 H:3 v* '8  O<)K fD M1  x  Kk  6y|-" Y .N~Z' -U ?*pR> }% @ ! 6xq ; V*c[ Y%Gb  -S+U Pe*1.;  vp )  B}p6 w+27G "jaco dp  !N ;F+ (t  + ;Q$n3@ N\1>)(f x'" c '  ;Y   =/+ F.B#  P' g= T#9+Z f^\gj"  X*T, $ 8 j-K W8&F `3Y auV;F C[D& 8 2  1+S Q "r| #P  jQ: %K EX$ `  *L 8+, EcIn8W " aB&ZCf0kb T4 NMDٕWHY$=u/ _Dk 4] V i1q)|  Η = +  H(U+0"^-$3eUɖ!A!@q:CA큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤f ffffffffffftftftfufufufufufufufufufufufufufvfvfvfvfvfvfvfvfvfvfvfvfwfwfwfwfwfwfwfwffwfwfwfwfxfxfxfxfxfxfxfxfxfxfxfxfyfyfyfyfyfyfyfyfyfyfyfzfzfzfzfzfzfzfzfzfzfzfzf{f{f{f{f{f{f{f{f{f{f{f{f{f|f|f|f|f|f|f|f|f|f|f|f|f}f}f}f}f}f~f~f~f~f~f~f~ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc263086458d46b1623514dda7edd909d1c167df3727c6309e75685bf999f06f7cd065e896d7eb11e238a05b9102359ea370ec75b27785a81935c985899ed2df6846bbdba1149ef9edd39c6f18d37f29e5ed9cb3670521f142ed6d7d2bf9f2b8342d2c3aa4d008aad3243fd00e4723033e27e253289356cdf2cf9ec46135a8327bceb4f36b0f077b7a232a94e214b3b0a5a85152e4d89c193f92ddaba3ede1ad6cf23b6e1d1554087a92c4d4a34efadf00bf0ca456f8c2afa8bc05b3271ef533c932ad5fbf1461fe242ba280a1aed9761688951f63b236bc2f61cef1523529e68627f03f5db2d3069a7d4f6444a3dff081322122d29721a7d8f8908ab13fa5300632a1cf684131b1e35c6f06c49be7052a65dd2efdc34f8126a7491f397669a5bc04c7d46cd1c8eed68311abb0c113a2f01d8bf23408fe7b284b38cc48b51e71dca6d9cf53a34e773476f49562e4acc4aa0f182dd95ad0f27899710b07a546ab9da5d341bb9058ca90935eeb087cd3ce3e5652768f6c45d2576dfa4392349ac26ecc00ead7dfda067f76ba4fb0ade937f995a809a89ab42f26a4464c0308b74648785dd32b312ec6be76542fb209ce3d5f850e5e442cccec472447c05ab6ef2d426a9a93d2485d1639de8688f0164a11c8ef5f9b0e4699ea0b32ac6e45b0ee8885e0d135e2e976a828f3b665e3a711f0d578143d89c21c98a2cc2ce6d9a104d59f41171dd88ae859c4cbd82cbe9c1eb70e3863fe68a7c5492c5af374a26a2e889186e911074983b703a995a993559dd7b20391879022cf0af95842665807fd5add212678a6eee0d338bd6d3254de25e3b4fb02b4fb1aed96b0b5a4646e1bf571758b5bc38724c48e73a4055d98154537caca0f16f9523f3253e5ea1ec0b8f7fda8417987d55f971af938edb57fb34879a6f11e99e93d4254caa280552375b92968e3de280bc382134a554c328bdc869424ef2f6a1b2983e580a541b361dcbc65d868eea0d6c545f51a68349d84b0d441342e4392fd19717c4dce19612d59dc874c44f1e059bf000a53937e0258f6e50c3578b637153d11b70704dca127277da337256819b1cdfab82ea84b6276b53d640496731c7c86bdea7dd171ac4c7e536509cfa19f941c8b77808f93d5a871c239e6d9c383c6849278de93f8a3138d9dabeb701f4a01ada9f00d116444149c9ff55f584b3ffc084e811024686599652cdd7393d851e551fa6b0308b22b3c235319f8e6772a49191639c62c9a09340a0057b67d28ef0f9060f0ab6bb49eb2fbb9185464c7f167ce8c975da871f37890dd4f10adfb475f3c127299c335571b63d82b32ff1acd875a8f0763d63fb7b1d94bd91f085c35a51fcc2f4faf64df88f53df65327a023df160081df315cbbb421fd3e0457a7eefae051fab0ceff38b89b67c15e1fdd9f57f54548749e34ef34737f39ac10212003925957d35202082a23c24d3139ee0d8ce1edcffc132dda4bd0a8d382bc9115403565f19ac9c9ebdd9986b48b2bd31870ade4b8ccbfeddc1d74e19128fabc5bfb905f575b77bcbf998c2290bacbdf0187500bf36192214a176f8b38ffaa971f29592c2a37a992a613ea18482bbe6047db106731e6e557f9ccdd05161f947a2eab58770feb81cac7a5c6e100dac2053bd5842759784e049db7fab4827dc1ff788e9f30c888d23f7e558d9ff0980644a320862833f21a3daf097b8642eed776635f28f491297ccfe7ec790ae26129334c1ebabb60f302df96028348a5413bb2535d43754c7092ee1593fa3809dd199592919ec323b0bc9859c4f9eec102103927bb7d2c8c8aead2794c5b5bc1dc4c0715c0e566f1452035f8546b6d01286d452a10812d241210f78dccbc6efb8afd0277cd6b56a24aa2d036af0f1b885a3637fef30ce90ac59f102ad4ca01ca3b8e5d6b383b4d329aefb56998aa790d7d85c872a7727cd800b73943865bf0ace91d2fa3fd89931dc38752b4b01b85adf70b0d954591a4029213061fe7fb4f9846e3995e5d27f358a6361231411119aa2bc210b17a7d5d37baa1b8e6005ef871d7262ed0177dbfeccebf320c768970467eea11095621c9466936e85b4eb4a32027c11f7313a1eee9bda12babb52186133d99f1d0f4c5abbdaac4ea5e59b48bd622803abc35849840e96e360d46963656fe04cd71debf57d74cf60737d831eee92c4836643ad9ece6f8fc8859d0c1aa9b33053778ed2d60148c5b0ae3e52f81354b9ecbe86562630dc6c2971ff31b61ce927a031192fe7d19a7da62ae08e90e2af3e09f104b2cc9111fbc8ed02552195e7776b498d6b3ae46c763af6b5b39364b3786c97efd5f4841b3359d2e1bf66c49c48cde0bea78c4e51f43067d34cda17f60a77d6d9d765f529a8c1a4485c663885dd9aa92a91555e82fc679247819d7bc0185d80f21e46b940a5871fb091486db1f25d9f47931228ce630b19886969f5c2b94f57e6a2048f18b0766a10944336eec8bd21cacc84ee43db0f469da082324a3f8bf2e5984262335426235afdbcf97cdd2ed2567c714d6a55797bd0815a553a63e1c3d99986f472b4cc21d6c2673948385cf92129aa356140a1b212e3bd46132990b41114987f00b012b0087f0f0c74c4c4ea41cc91caa8672e232998230978743b0104822eae05b598d09b692a592c16ea9be00445a6d77bde1eafab6ed3ca63730f506e38ec293105978b8f6554c3f6636d21a8fc1f33a1030062e4f8bec6e9de01edc3b6980d573e98b915caf000e1102f35210660d7092a676e2ab8fd751541cc2d9411f78370702349e8e8c38baab7bf51da14fe3a7c4d5aebacad3b7bfd92640ad8e0e96b497753e4ff3f425e287d91f7db0a4668cf0cfc88b6764f8a003aa2e8f4c76e1caf6444f86161f4ae92dc42e380b5ae67e0bac015930b425b3eea48f8b4d497bebb294e7585347c62ef41d9d3c8a53bcab995de1caa5bc6a1de46277bcdccbdccc7dddb4d8a1294e4a4b015bee394b87be55b765a508e3543b19cc340f5e3cd87cd55c8a156b80657e73af4de67141e414a5ed11a3aabaf556700830f9867f4fc5410de0bfa4794e52653af817502f6c54f69f45c0e7cca4ab1ece2a4efe65f5ae0d142ce9e0cf36d08cbcf5d5385d943e8d98daf9c17d2f9d9cc461c33b596721b721f6c39a8c9065b4a83fffa49f661cfdb0d53e85d141aaf668d105b8aed16ce9fcc53184fa3ce9034eb146c6f64df6ff1ee659fe3d9eab0e52ce72c69a069ac63fc718b7d96cd11c2a69c333ee6e325efb34a9e7fafdc7faa5526c4d6ff90c464bc13c6e3aafbcb03815c4cba3b9417cfe2cc187b27f62f34b2ac47bb92f3da6acd9273e3863f4ed6072e297f18b2f45c5f8af0a14718b3889d126bf7aa613ea8c30b03994614a6a084b62c77b22849cc619192af073b9facdb56dbf348a3477dda1ae702252f5877473190b2b9a6d7890f39a740f0967d478c100b3c81aa67db652b2809f499e1a26024cc8eb452c1280f36486061cbbf62b237ab9c7293a5609b64a4f4a3d5a183f419bdb71c3ef651363b3295e021c86c1473b05fa85889e855d7ad7f0cfa69fdca3a7f6d0679ec871320debd132e1012d89ce14775c16f7072b15972cf6fe27c3520bb4583f9b56479fbb7d29b5dea7b31dacfa5194b143dacc4d1f8f4c1b7291c171d03ab27277d7b3d2fd1297b0c3268c5c4e8957d21bf2426874584736c4f2a8f5c09c84a5fa5125f6328632b78fb5512bbe7ac80f9780860d8f646cd0a01ae5e1d7a7d4ffa8e7ba774ea46d9aa2986c8a6c268f61b07620694dcc1bb2522219136072c0e6ec8576490e58715984009b6f121ee90be94a968ff82fac4702e8337aa759bd7122ec7a3110928354aba8b613c30dec231a6177566af9bca6357cf42ac3b7cdc24badb232e3a0c8f4adb4ad82e013f60a60718391cd1d77d59803cb27e2fdad870b36fe78bec777452c423feff6cc9c2e289f2d14be82e46d4fe69174356d181158d8a9ceba3dc17e5bfbed021571ed8999b73de615615cbb2181de2bdc35a09d6ad351c2ba2e7ade35f6f17754c4b1bb2c2a8bc56347f6ee2024758da6b54998ccf1e7b8f195c588eedaf4a00c4f0a1471d453fd10763604b985cfbbd214f7e17047a3a15cc4dc1802f624305818a170bc0d226db3f426bc99fc2d0fd5b490538cea15628b8c2c0505d6a4cd61601b6694c4a61675a22239d6d58b6c98f99fd63587b93a77915620492e914210d842ddc1ccdc6f9a877a2420289bf7bc5b0ea1d37863a4a93c94a2793fb16121953320f486f95d4b00a0f3982bc9eeb453c790ce2d8b9e90fb673dd3258f73cf537cfb9eb0337e7fc756112774b0736d92c29e0cd832ab3399d5062d0dd6ae2e8d1a7c1e7667ce924c5c7735d9f657f859178f451ce343185624526f4b6c31b3633d7cf73586f70dbd1a31ab1f2ba4ce036ad3e423ad7c24db0b3e01a7f29be35a0fcf823023e4c9923a06d113acd63fef701ca0f7bf0fd32e0619a6efc4e3dcf8c3156940066576e0fa37ad94df175bb2568320c52985c5a6b75660f0dd5638885d132d0d6bafc4200cb07f35a5a3f879b8b20c691503ad050b8398990d3e09bbae999346d2103a2e9ba5c3f34c427fa3903505d3993ff5cdaf31775bafbfa175791b0e01ce9104d05f01a61902dfb66f38b00fe68854438d7615474890ba66d6aeeecfe9a5299bd94db45b84d82acc06fab4b95d0bfb9e323d5e53c9e0f8ef9b9065a39f2ba05a9292e3207aeaae727caeccbfa36dd4093be9811f9ce33f5f9831c5990eda4d01835ee4c5880191d47c5a36d2d8031563583928484d37ea21bcc454e2aafdfeb20b3c4322aa22bb4b9bc1bf37692f069a82dd5d96665fe0a39d93a63303f9601902e11bd97cadafcdb82f0a14b6fed7b8d388bccd3c88a69a4441170b061ceb2e06974af4e1aa6f14e72715c4980eb8735a0116f5380e03806f8ea0ca3ae5e5b742b50bb97b8498162c734221a861e011aaa80da9c6d48d7034394d069d4ca0045a1b619db404712cd0ea241c53f2b7885f969d6bcf4298128646df9b858518428cc7649c6263b5899f684a022dd70bf63b6bd82a93518e595106959441a9930b85d826fdf43f569ff560ecce734945da5f0118d00c84fe1ad69033c8b1637ccf4c4ef3cad373540a3556141f0a4c1bcd4efee5f2f6ec1f05761947e18da7121d834074e925f8607bb088b868b29b74209847acceed4f3e195d3f9cce638c83cb176cf653ebe2873761dec198f2d43f49cd46fb413c06cc6ef371c74508bea1635ce9856a8e0331380c414771a8d6a0c85b3a44e30a34f9c720a3786a02bb0ac9df2270d46b257f0fe4d4817b0751301862c99d78c35bea303d799cced0e05e87110adbba85a3618ba9f7fcd3726bedf021575f94917232712fee8137fc1a31bd7b19fa2b8b1fb22843c8e8d5ddd7f2b59407a75ba2a5a7cb6cce8d8426830764596333acd45dcf16e806a9fdd8231056f53a6b0d779670749997b04b664e08d7d8633ebac69a25ea24a243ea876811cfb8a9f1fb260c0bd17bc6b1edcfc1a6d2fc9f9b30b5016a53b3aa08c2a80f8ed1d5059a7bf673f4cf1e43995a88aee77c715597b11c04adbb089b570f23f4f13369352d7473ebf29146ec402b78450eba88b31b33ced6615231d2f6ebaf9a7fa0e6e0517702b5465f062f0b26afa8479c1a12040a3a17c2aa7f90d026e532d79371b877cc128a9aff2cf0ff93364963c18bbfd4fc084b16560f88fba675ed31aaf9518f12eb7c8e796e59354ca4f69767c5d8139f76606ed8886fc6988735cef553bbbc2ee39c7e55bd774a57acf9e17d4c8e95bed8b80994c5c3d444a08688a69c06728ae38079af4a7c9a1ae347f74e8569a7f2da9b160d117d9c97e1fa9b4e634b791501955d868152a19091ed08f15c8ec9e068fd49e29c0ef0188de77f0b0b714c56bb24c3dd191ac4812bc59435e816353c5aa751253b953e87a629a75975b813de64faa2373d895f50b277e3c81aaa33712517393402089542651f9de5d26758a2989f1b1441d1723e9ce01ae395d27c6567153b8c0f397331910e3156d9c169f13af7b130ad40544f7cb5b0ee40d24dc4b92b49dab0cb268b121e97c016673fb543c27bce44ebe6395d03bfdd561e4e9bcc2dcf50dbbf1aefd0edd4f998d6a2a930bf0e29aa6dbd06c8f4b4535b6428148c843b51fa837baae1fde73b840c33278145461906eecd8634a461d425124dab574470f3ad792073110330fb875d190c26122ed2936d077f10d58c86d004ff99d8551e6ff156b664ebeef6bb68b9bd946e6c4159c6d5c4c3a878d8e0bff1f8c4e892fad1ec554328cbdc6d659ca99301bb354e8979f3c2c775ab22e1a4431c7678e77a829cf547f6a9e5cd023e14c9074ae29fe2cd6710217c20de903bb8ccb11ff8ee2090193bad893a4ae843813bc67d582ac4e8aa78cbd929ace28720d6410c0db2de7e9d4c12ea0305ed34883effe18f8f5ff5c402c0002c88db0275fc02bb069ee12984694da21b65c16670d9d302e49a7808d68e80143b909b4ead11070fdc6e25f6c071757b74fa11a40f5f3695949cd2e5160d7acd5c04332baf8d91cac3a7a5f14fa24fc1144ea5e490cc4c33aae244f30e2f6c64c3927148c5210e4c56c7fd036ab566ec9964ce32803ff622b3fd1b03cacbb7e2bafecc2a27987bdcb94dda816a9e8b76c9936889ea7ef930801406355dbf7492dabfed2f384fe2e9fd5e2beae4e74130b0161a9d1497f0363817e8b706ac2679ee5ccaa2f064aa7570526c1af745e36262035509b83dcdb42837035d09e418ba5cb2151cfa3710407e3c5a99e9e4bde1a5e52ee0c10372fe06b5dde5505c200b8947221f075ebec78c1f44d2c194e90aafb9542aa0b4e4a701c26a685d39af2c7f33c041425b19779f2fb97ee8d548c77ab0be9bb2658bfa705db2c646e1b4e3b0803695226797d1d9cc52f802a164b8c69dca03592a077bd90a6e3d5bd2b8a27a7b8c3575b56fd68ae8993ffc1a7d5462211f7959aff777f8c0ecda9174daa79d55bb26fc3cc89512dd5edb16f05a8ecb948961fab44c1e573c2af229835fe0ab3c5ab9ff0fdef9f16c2b821d55dd0f6f6760c6b06a856d0296595662e697faabb1a12acce3e480a29b7f319acc3a923027a626a7fbcbe5132497014eac714f43f04d0f193233882ac34639b2c870909b1c5b846c9ec4c999b3580a4455a5bc6c8633da234bc6f57a0273f0f0bcea6d09bd0bdaea3f6feeb8a03567f4a0140f82b67d616c0e5482db192970c9e824c602f72bcf0ab2a75927954b7cda5fc2d237058d73a28f10e2193f5ab88a18c4b76011019305f9a24e34b4e322b033f1791b0d294fc220ce4f5121618bc4f8ca7b88fb53b37e826575fdb79f7dde2f48c9dbc350ea999220f225f62b656aae6fc8cb1e918c4331b36e7536f8b16e3090414d021f195a0ad0de9ddb4ff4d0290d1d85fefc25b673d30026dd0b0e92894e577f85ec7c23da94be6283de6698a311b1fc91426f294325daee1aabb757b7926e52ee487a51df0776b9b6294cb6489f2cd187f824c3dd327e0c9ee434cd3159b9421452b5ff413b96c21007e6ce759c55794c3d1e768b67af1fb83f025ae85ca2bf36a608e1ce7b422eda7a73e4e71606703da273408e7feeddb8dbfdc8cc0bb98c1fa842eee6afc9f157dd94425fb89fbf79335561846c69b04fa477b7732ffe251c9e7d3ba0e0dfbabefdeca0d400e4fffdf702223921e5772fc2d95e84b0e5a5fc88040bd2e9770dee5db36db202fed754bdf6894fd1dcfb21026a3dd2af97e37a9cd7f4aafd4d7dabad7d6b81c03d61be0f2fbe08748a0bf77b459ff6c2884a43b7887367ca80079730a8b0bb07bceab39bddce6c50f39dfea112a7425853bc93e3f2d420ccca17192118e1e7ebbea40eb2e837f2daefba863a5ee181412113bce819245f46a376142eda9ecd5a53c9c2d820f90497d731f3940d02c4d3a196201638561737580935c2ccdb0ab3f17565114fb051f48b9db66a73ed2208a443e55085e9edba0e723e5a40f20673d31a11d5ef742fd8546b6121c5cd8041fb156342da3c185675dbf0f6917ed2e275e608decd0ec072300c56643759fba6d589874d5e4365bd63c481f15e9295632b1863711dac8ea552e1d09a92dc63936d42c203448d26f6d2d5b1980e56c4086254f90630fe5ad4acd7e6909d5ebc4937c66dd2092b3c009e9ad2c2f33bb41bb0b10ab5ac3dd854245f17416f97208a9aaf731f23187612162e654acd0912f36c385223cb45fd82d91cababfea336b85fe63a995617d422168f4b4aff7a067387f81ffcb06554bd4c81cdd0860e65b9383dd331bcf8baf8d9de637590bbdafc1f9d04702463d1ecd48da7412feb1bea223fb7a728389a6f88de2a220cf084223ee429494fc6db6b19b3029dcc1773dcf2cc3896406b8d054b752d9ded7161304fe576e18ff198af01852707990d1a6361b06df55a061defe64e727fe3b6f2c9add4591cade75622f743154e89c233d828ccb3c7f19d3c53c91b7ce0c57e14d60c9b0ac763579b93e5f63869aaa8ca575256808bd5a50b7801e8ace93f86ea398bf0d53fc50687a236aa399046d68f233e3b131f690186f7d59b80d4908d644c631a587b88ec6c1658976d9e08dc32f1d61fe609a279e2582d4e9de28574e26291db8c415dc111acef77ab1c07b7daf8274994cc5e66de66ce453ad6edee494b279469f1cfe8bc3135b5bb9c0a7c2f9822782446cd3f1239fe136e76244bfc0d176a964b57d86975ae94df2dcfce6d67195110ea6b82e1f8ce6ffc63f34cbb68bf31e9e96ec8ec7e68dcc459fb08394589038ba2aa01ef412c07cf187be9f2d70385a4f8a472e1720b42a0c6bd64d60f1eb6978851fb8692507e8835fbbc68423270fc9b6e88e70bf87ae67774b2b705db5f2132a98ad974adcb836aabbcf0730d5bdedb4a809fc1245d29c9116f3b833c839067cd0e02f34619f17936d851680ad54a504d5cb817ba1a966dc1c4d0f05ea00aaa2833950560d912b0fb5800059a560959cacd80e54ed29ad8a17d9fc7cf719351875b82d00a15e5577b2ec8fabc060c97045a7ef87ea45735fd19e218b7ee4dd098f8cbdd8820d655dc826291d10bbab32243a739f25aac359568f79410ddddf1726f8f312a4de39e2ce7a9acce6eeeaf6d74d1b39b28f2f9697f4316829b54768417a007d8c65e8d5bccb016c8d9d18092cd6d397e8a08fa6592c5e86bc8dc8d0dbbb9fb31038790216056f89cffd69c97f5cf0ce81506e9e58908b1b309d41b55e3632068926d2db13b320b527f2f12e706ad2a03178623b3f0345fc13d4fd8d2515b97d853df44c1394ad7c525d2c64960b4317b0f35f50516d782c0fcf02f43d51073db2c80d0a885d09b3100fbaf185588a7e1b1a3c014ca2f5a900a946cf143d4e2a48b618b1cd7ed7a35e0f496cefaf4f54a960488bab39b6bf9a5f42f37b2bfe1d93459f41e2497497b51a8f8d18148182231310ab5c9a0a87255ccfa11c0bb68cabc4b72217d538c404383f606b202894569d86a0fa69de19c753862cb7713a5e1cb11fd2a29c65e4fd52b733ee182467ed9a229a099f33a1af93e8f26c11a976b4e58a356b277ce5bd25f533e96177a64dae445dbf0e5297b43846e3c764646a695ab15c5a5bf518fdeb9bb75e0176b1c77e74a4c083d4538de329e5910f7152dbc5e632fa41613d67ea3149bf38e1b35d4dfcc6a3a040d6861e178a047eddf3ecf8c4dec8bc5aa35a3a9d368dbccef3c2c881e1fd03b1d98c5f11ac59b0868ba7a7a9a517839902c531b3ced159fc1fb5f3812b7659d928452614b1b16db458803104801a5a726f087cc1c2bea189a1398165dc0c2d5773653234974da892fc77e804475891addb7f797398596c3d53cb20710267985a3cf567441fda97d7a951573359559d77f62a94348b56e083312c22ef4ed3dd0cd76ef084b4f388f43046bab1737cb1fb207d0ee36d71d7c5565e7769f4256f0d80a36f5b04627b97e43bff5c86447d8df0f24517ec8532da5ff70395d727c714d19216296e3988b60ab44f6855ff799694486f5803e5dd9ced3d43adbaf585429229c8609a0aab36a119ee991f522b32745b433ab6681f165ef0d4479f7fd3d62e6824e77d8e11b11d062b3b4a494ce92277a53138aaf89febeb2fd0afa1727eab9cd74e4ee8894be6385a92053392a1f382f9f64be6cd4ff0b69c8f03eed29a708aa526261b868fbb18ea47e42578d63b8825086f883fc547b2ea6cc0d245fcd73033681d8b67bd8e48dbc0a96d64ebd6bcbeca47e62d9470173c5e304ff1c41345e2f3a2c54a67f7f005a737260964cf9d0a91710d12086798ca25fd6692d6419f27df2762719f3a0cf7768e14ae91a87e87b074ba743e1ee7181ffdfa4db58bbb84818edcc96c94323b6e955130ff84894fe0e9060eb98cbeb069b5fc14070641487dbfcdc0fe91251bd5691451173c50ffb5d3514ab59854988431196e2f3a78f2476b7a56f125377e1f7abd2403281967f54f31bbea1ba0464effeef45cf7dce28dee1845da7c9c473dcf84e7ea40c452b1fc727308558db980fd3ce35929b98867d1219e14e20556e8b5a73f517ad1b2878c25fe232c9409f6f8ed95301eb16a4849d22a4df66b691a76152ff75087dbcac377f00eb0cb7b8ce0df9551554090b1b6a704628daacecbb4875fbee297dc2a755a6be2430c290abcaa1913e665c04b4a3a91b51c10944a28ce523370a9681ff56420dbafc0478fe3fa961c2b9c84de21a6427e9a738730caaa8abfb098dd7bbac5354dd0f057d93dc1f31efb10af8c6a7f4d0e3ffcf0ba226937132e046f59a91b010f803bb2194136425def91ae3e4c8bf60e22546a2229309143550b2a2a118ee2c5651cde817041b8c760d39d2b5ee161ea7ee4aa0aef3511a1bec83b2365b55c4829e45743bb0f465e05aa32926cb30e13e6a54e1f2d8a6298def3e2024f1b48eec8ace8449cced7e6a9ae65ff839e99d1b931c810b99e3f45fe4c87ca3db301e07cde8f715d277b51e2abaf038e3180b901b7aa994978b7f492523c4d293d5676345441884aaaf7564129673a1ec0ea8fdaf49601566e7c0e9803e8bb1a826f350379c2d233f8aa114f6fe79c35cb682b00fac5896a37b9c4d6eca1028cb56660cb1c20a1c032d6f965cd19c95ed8265344faa20fafbd007b3f8e46335bcffa51b44b54e1a6be906463a4fed37905c2e092e7e3222e579ad5b5e783fd297da60db15009091c59eb667e0c6075949c945b8a0e85f4b817ff6ef29bf75c1ced39304004bf23a4ded6a364ee58574ff6ccee208e964f99c61a5644f1ea7688645d10d8ff9f2cf53899a025b61adee59a7849332df9d2b559cd2ace578308ed0eb64a6c19c97a86b98ac52d05c6fe12846d399f635370d3f71f3518214bd15d6dbcab82a870d1772b7e6e04d3438b508941c63a04e033c46477ae38d44db2d045912bec3ff5652b1898bf4bddb779996b7e8b0a0714ec5419fb76f5cb658783736268ddcdbeb7c0f25a7c1cc2d8b71c20bd05c4b93c191e979656420bae05b5c275bbbe686e2342fb3445d6cd87ba11cb43592bbef55a261ea0f58ffc9a61bf944e36d05e11971e50557c28cd5f17819db69962ab441dea3cc64cabed8d2f1885c78e99839a9dacd625a15de222682788da2ccb07b23b2bdb1a3ef0757d598e5cfb4dd9932ce7f2203fe92c714f269cd6a6719a1f5ea7a4802e8e67f21fe8baa593db7a2effa69c3fdbfe25e458a54f9e979959095482296d77bfc1ebb213f647c693e6da7a9c782774023f1085f65b8df0e8c931a2025878c8fbecf9766678f39700ad46aa51e60d7d41d4c0a304087f2b634874ab08cf5ddc8d2acd9d8a663f2715f5f9624cfd730299f17ed6f3a8e50cdfc089d12c51bc8df08a3e2ee20ee8495c33399adbb4bf736898f8686b2449722360d87538874fc1625ec2f0db85081a69ccc7825b3213ad05136d4d3cbeb315eae2b05ca968adb56ecabde7d726f51fcb52949678ab0dea33c2e65f2e6710ffe47a2daadaf9bfcda982b6b4b2ed5359ec410b9a47197ed11c64f0f6437b2d8cc314d672a8dea093c93c731ef61eb6fe97a46ba2ea47e1785bb8736de862fc5dea2e0ddbb13bf7c2e7b41763f7d3221885c656186fe6c17e097265afb7e3fda8caa128b0abe63bd45162ae9ac69db556bdb0699d58573c115ef2a00eb561ba49ce0e3406ea21e450fcd1bae8736c00765c0f47315e8461aec640f089ec8130707d5c9ec46ad116662c686a14f166dd5af799f187e9c632b9eb37bf83a183251e7aac2fb42bd2f2dc5562cb45d721bd96a9c561ebdfc35432c5dda40ad22e05c3df3fc595f68bd250e7f680552dc6503368c97c6a63a96d8a656639a1a3747b5d10831a5ce4377d4cd601c01679ebc54b7ada3f2989617b8ff70ea766f92ae42a5754164edd3f3f072bcd8b8bf6cd3a5971b23d9fec2ba39e02f289e00813f93a2167f7cb4659270ce42fe4da01e207177c592213c385b1e152e9fb687258721b44c66cf2f61977941d3eaeb35cc7c80f5243774f6e34b09f01bcc7d560f14fce10acc6f92466ffdc47595cf7f3c163647e8b14cb9129ea677052470626f6e984f1e35a05c91a2a2698288ae7e6f4d76ebb6e6e619d58e274f11bd5ac7187b3da6c9c9ee2838940387e46eced4f909e1957dae964dd8d1452e3650b42b5ac8c8af3634180a9e24691b1a4899fbcc2c29714cda4a5e435ec75b2a12dfdd6e4acd3b804dfbc557843860f9e72619beb85dd4b21ad97ee8880f7da056673e40afac56159771ea20ea3f4f2151a01de98fae3059032ed87b0c81e40488c76c7c8667e20da5b14a9899caa9f385a15f2e6d1eb1d28a0deebbd8b0f6c5ac6dde08e522bc58a53b61fa7ffa2af7205441af00982a4cf9f789ab0d0587678d18c3f1070a4140c18a84d54b431b54ef49073292f73b7edf870a20d19efb9e105f2ac3d9267cf833e948fbce840f37fbb92c45fccbc570bfeefd1499a63d3dbfb356bfb819f24cd47377f9a7e50fdf804cf3e64c94b01c46f0834d0bcde61a157ec4d050a1174725b459bbf1ddea81f611647ae013252b0aee6a8027e20cddc357dbe0e3aa7066d9a09334af2a71a9f1c5b2c4805deb742a052e11334a8cdc9997768c286db6d5f6e1b588d8d20d5347d95232851e011e2afb864a4cbe52f4e46c5b6d9c8fd89d18008dbf2d111b296434f4074a4b53e632b4c9854d7f4582800f7349a57811c500142fbff88a666379723de7e7ecb028e46de1de13e1713b52004ba42866a49470ddb9b3211e612a9dc5b0ef39cba6d6ffa6d4be698a19144eac56d01965267d7527e5605d41ee550b855a28db264495f969e156cc169bf5a0e68ee1a6212ca350e133a55b49fdfc89768432a8bf1479d4574f4ef90c502d6f0ca37dfae4d36b3fa50a42c43a80226e61cbff4d19691cf7a68ee69188f8dfcf83128b4cd262cff64b933c24f7420c15d819e2b838482758c1cdaaf4856ea27b0d96f5a4b55519f0b199a1b255e4558551aec77040d51633fbf33062cb1c5a1e1c8d4f52684682c1830cee2778716410adb0f634fa5a32396652b0ac584e4a135e82c66be8f043ee71cbe852ab5e192dc1cbc71b981b12881c97f5bdfbbf57e3cd9a2d63b0c2b37504b11fce4401595c2eff253ef14e1d37f99352bc11b176813241117e81358f45c083c11da9d1c298dd36e977f22be47a6162aba450d155bc3a4e3788c6953003d4945fbedccd5e930ca618e2c2127376563a1244b769c7f9e184a821f35d8cf39fd5721e2a282c551ca61af8156d49fce2a5800392a7df792c0912f6fd5a1cf1060addc2c66dfded3c9176a6bd65d1fa9a05caf70a593832c86d001bf59694cc1ff59c9fd4ecc140bfc03f822df82cdebbd0547a31c2f94128f03acacf1568d6c07854e8de3bc7e24f24e030fc16841caaa39f2cead4dbcc1a295320ce6321d794c4b355ddf4e41355d800077c1885bed7e072664b0abe09fbaaeefd914e053335dc21f163dafc6cd106a48ab392fe896ddcbe081480abd998526cecf348afa4af3366bdd8724dfdf588053fd802d2fdb161cca251fa98338696a2beb6c95f2e608f9b0769cedf3e2b9ef0499166798778461ec8c9bbd80bf95b016b3936b78c684279f6d07ed421c64f4bbc2dbf3eea10f684caf6a53271f1a22c88cd407befd705a6226afdbc5523155cb102de6118ddcdade5061c3972f19cf22d891b124755e7fafe5c12d4a96e0ea2eb71912ab9078aecf075972230e2a8513d04c58666fdd95bb928155837dad218922d61101e7b529c9649efb6333dfed8adc20c31c67ca7d9c568e9063860d277da51d1783513ddcfba17af2c944805f312ce02074391168b0b03c171b0c51b3c8fe28812b8b3b3e895ca8ed91af36b836e35ae8b62a8ae2620c67b8be765cc54ff87a29f79c6e857d30cf2b8d8919028bd2eec70b78a8493a76353fa6799332e50f83d6ebd69397e78c715be3f41c486fcf224c0c60d7f1cc8ca4724afc942a3922a2309ff8ef315e118e8b8ea40a0e55746b73591d1e95a82a2632146981ed59d10a6c507a8aff959cb25fa8bba884267aa19522c9cd888d717047e422aac24633623a80507a287d4679af1e75795fc62036841ffb5b54a1ec6cc72515e6bc8ae7380544c78c691e1fec729493963191dd486a12e451a2f554d4b1741e8cb2034afbbaa18f96fb1f97cbaef6c5654eb85f31e18746f3f4abf840a37d4c151b9d15eedb9ae0cca2601cbda335252216ebbaf86d5821e2fa786dd9df5e8816e122b4c5577b50031743b1898ff06333c328860c50aa052912364ae56528d36c6f861a862b328333578121a907eca2848b4bdd3b5a8f02f7479151e81de0d5350b7e6f8c6fcc930e5d028668c452c9aadaeecf39f882681f27d7a62d13f9fe0b7b91a95d356c68c3af42016d53513b950b66f6998b036e5f9658ef9b84e026360f318b8663828e4c865ad1cbd1159be67e56004b67aee53ef1c229da0c62104e47125732be8c8d4889cf6358ed9a4d49c11880f680f87a8810e69aa52e2398de39ca4249c44a0ea604d81dc28f1da5395dcd8164d22a801e90d196f315cf7ef4e6fb322e915e677e245c6dac953bd805fe736653525e1f2f79a1df6e32b29f554f29c4f4631677ebc64cb1de15e9c01877e0b257c115e051f96cbbd8998d999f42dd6c49e9e8867dc4f2675725c9ced4860feac568d9dfe4106314407500feed4546d12ab976691e7c41f1fab450aa61dbad6f40dcbbf9a43c773d5b57f9adadcb68c7d71bf3c10c45f3c162bb2d5b46465a1ede2dc9eef2b01088626374b98beb9c91b8ca22417b74b465e6723dbc7961a5875e82af5a7559aefd0f41c24d2459bcbc29bb745f66ae97c1e2d23cc31d09374efd3a3aa103779e84bd78131286ab6ca4a4816aa7538f50d23b213630e4e25b76eeba4c556d158f428dc358a6da18ad916fe8e8177e82691d1b2cfdefcac91daa55fe13c2e4cc110758e421e165ebcd3a668500fbf9b4927c1f0994cd26faaf6dbb39bce116df2880a1192f81c7d2721f32032d66eb956aca125042e427d129c3b1c8ddb10b5193a849a499cf2ac1c3505335bbe1bb04231689664fd2f5de52b1b99644ff1eafabef69e2a2bcc89b190f347969b6bc012cc7e79ac71ea2c64a7f994f52f8428a9b8e90e18b56e813114522d949807aa0737902b2ea207216ef044edf172859d44f17a6d039ff8bfa72c8708c88d52e2277fcab9e9ab600edf0957c5e791cca71948a6c34380a3a6ecae3575c9716a6e5b4e9e2b393072fd5db040b9b928bef80ccdc9beabeb7a0b7acdce6973853f30cb547aa4ac5d79c79f998e0b70a16546b2250d15eab4b07a81693950102d31a6a25c9289523e13af66f1d758e3a4fb2256eacaf96572ef788ce9fa0fd2d4cbae08700f204c1705ab9ecb92c4537278db791d56c02d5eaba798ad3ea9736311b1b454cac2433e0fa799d3054f9379e30f3ca84e6e8179e8961603967f7f8272b9643ed4fded708044b44dd7494f4faec2b5e607af8207651aa8dce7ead2510711cf601f0d494076325a970280b49ae9961570f4d6ff911c85ced9c852563dd05d28a1288e241707d71720cbde4aac82446cd29233bbe8d051747dcac09c98da8ec1c45786548f2f6e194e964e16836ea39c183926a83dc25f25dc7ca018afd750467d472adf21a951ea7980e6b0107933a040f1e0c82c0a2129b49463aade51fafc793ee260e23721e1fc9b7f2892f38aaecd95e9aead5a9614dd287f01761626d9a29f391abaac057f89ee2c0bebf0761fb56b4240a9b27d13e4afb29f22e4044055369d0a248be0f59a48aecf3234fad149d3bf3ecea681547b439374e96fae1437f9524d0b2f07ce0bf0e25602d4e2e956289b34a799e1d584aa4bc6ea4295b2d676f4d0cfd3ae1be66ee78e9d59a4671aa1d618f94858cbff59ebf0f5ca2e8532ab9ba2978f59c5080c183ab1458c9c7f255a8556b71b4b79411abdf2fd0a3a010723d718838ad9a9dbf819d3b00d1146df30a7e613090037d0f0b53de86e4067bc77b639a8f88ec0ec5fe4ec7dd2017f8de1428bacae24d4666b381a4c60ab54e7763058edeeb1ece320b099002f8e85619c218547cb25be45f77e85b6455dacf9e032a69bfceec5b8ffd813d391899ba964ba0213fb8f8534ca897edf12c7ee0275c2e5ada846a7c586097998a710658c37efedb11bd443bf5c448e5562fda577435d0c97d46560976b5b29420bf1a61a33b5f75882ba6158e0abb2abe1a0f316055a01a81e80e3404b97816ea0859925dd4ec1e796be7287f5d08991f069b7b9a8372089cb8d3a760c8faf6aa8534779719c479662e0c4b8074f15cd1e6a1525a6183dd4e44fc8bd266681558580d19b69e876c5b912da86d4bc0489d488e43523db21197c2cd138d5b3bc2122e0b892b54cd2b2f503b7a32a4f920fc7c8ffc82a101ca97c2fdb5be53b659484eb4f7601ab25974a284b371870bcc1db1c9050e7c2325d416ca040c857b46a2841ee989b5716d7d67c9c346e094a1bcb615f47f3cce743eff20e44c549bad30ad21905bdf3911c04f61a33d32d344068bedb308be76054462628f14374a456d151256a305856ae2e44621546c5fdfaed4180b7998faff7e28b17148ec912f05d00d223051fd4cd4824780507aa218b2b5aa6e3f5f7d89ecf954fb06ef397439d5110d5132432a583623dfbe61fa47c4872464683b5821bec59899fb3c2f61dcee4b84338a00699e17640c72aa999d8a69c9bfbd11ac1c691864a915d1ded2541f0d7eca5595ad8c9d15293631fced47459ba466783c32ac37ec8a80eebcad35f48ec7583fc50c379d60e99eb45c6edc0cfe1fb3d7d53261afc31dc03d68ac9b2eb25daf9674d9d2f467960c796f5a649e9e29659a00c374f795fec919b11337819f7872a6d679e4def9a8406061e2b9f54eb061e2dd3ae55dda12b089487ba981c2421e939c522128bacd457ddbb35716682f1ab23707a0878ddf15900897a98ddf0fbd6823df119f8eca95c1e8429b5151ca267cf944414ff1a644f0ab132b2392af62cd1d65a96f8ad0b75bb9f50d065bd4b8f1829cc9e924fd5f216e4c04efa026314499ccb7b877151746ada261560441b92d014e029b0ced0fdc7c7c351fb194c7628ee4e04c7c54e25dbf124d313d3912cebb1a71a5d4978e77736dfe7d1abc0fa05929c8eb31fe41c0a754083e66ddabab867b3c8fbccf532ce0f26e8b2df6c9408eaa1af0b0b70c1a80fc2656b380006007eb20e17400f8b2d45643f59b3976c3df304564aed08dfb6e9cdabc4c6d024555cd63e51ecde9bbc1c72993b52f410b4b4f2ccda7fbd5b83b22a5f3a0d4c18a8a3c9fb7d9242d7b8a1ea39bc5f40de8b813105dd045b346da48b31000929531dce6320c796b08ef7528f1726a951be4773b6bf2992346d6ec3b569badd2a6277041803d35888764b13371a528f03c0854102a2fa1dc095c516f57084697d3f2f43d5076aec9186f2f8427c0e694d8f314bb73f3f8a89b7cdd7b8ec2e860aa16e9435907cdcce37f303373c0723c29122a689d5d83d2085a87adbb2ee68993abcbeba6a4210d9baff73ff6de2fe1e3089265664a1c54acdae6ae852c665eaaff658c9fa479af79cd01f55739ebc524b9266fb32f6c65dd8a5721a069d9574acc49f6b0c7b5e4310ffd96da913628f1ca899c3de6b807ae61f60ba24fbd104a49700f9fecf45c6c1681d28ebfd4dc42de3420cd0f2eb1279f5e7b5d69c0df77b48a337c571e9997da50e4270145397b341c3e8ecbf165289e5f8ca1a5bf915b2960417c7f896c07539ba1df587da022689c74fd8a55aca7b4f6fc06207f443ead795d07e4a54d9bea946c1ccc2ded83b22e622cf4adcb18f247c93edf0e6719a702fea55002e7f087c478b264c950a9cac0c588542e869b542b46f7a2ea18194accfc98dc38ce20f5eaaee9741b79d17919d699789330d1c1e793c7160eb69d29db4c1eb2106bc60c1323bc55abf9259a7b03d13627bed1f1c98a4dd303708405f0eb3bfbc77d1e4e54dc6e490bb2cd4d8b3a111c95322a2d4daf35273fd443ece6248f0d91e6b72ffa0f39064aa2bba1dfdfea14bc46c5a0efd926dab68ab8b61ec40dfa32ca191ec2fc767bd186fe144c5cb574f9682cb4a68693954e2f4e3e5f0025aaf6156b68d7b2f7f9fb7d28b3d9f91a15cb3648d10e7529199cbb42f7cf19102048a746d01c62a8189665ea25586e7cdaebfd57aded9aeef190c0eeb93f7d7972b94a74f02590ff562beef61e78bdc67b6984ef4eb0f23639d1690609f5fe4dfd51adf3a2ef7a8298d687a3648f0692637ac96c62ed1b0b81dcd781b7a16796da32262df1546ca498eea59bd983a89b66866292469b6d8e2780aa4e93e000085bd04391740d09eb25f9fbd04171a04f94efb1079a1a7d323e07c78268934bdb4f6661adbf164b36d5e31fbc871a61091d74973b7cb55552b16a22fb5f2ec9b7254ce7731f1385e53a86fe5181ade7b5c7e4daea537e3e5473591356920673c2277e2d955c592a1c62d4ee6f3afee499c9b4f8d9ca102f7da6f283d735b8522f1116715507521151c2b9555bd035ba720a46345587e8ff103a65cb172fe8a1dfaa0d187e9825318cd37b796834dd202833115015992ac56abcb67d7e2dc216c7be9add2481be3834127672646c7761e6ad4f5829baa3359086b109c826cb18b90aaf8d8cb75ab8b4c4c2b0c804e93a04f15e5bcd0c181960d38741f21e76f7d0c60d6bd43fce4249f1ac5f1b84d996fdd867bae74c4772145b4ec71888fa445f7afb290aa119e8918cc9ad34caf5ebafd49948a169518d82358369968b342017ca7f3aefb45bd823028184df33210ed60e1bbe403e7bd377c4a1eb408f36797819692091a697dd0f96f18953d3571c71ffaeb4c6adcd1b196f97273ee326e368b44d5b6eb6e932ae33f66dd0423ab3f87ab6f504165e88c0bbe83f44f868e722fc3173643c5dabefc0cb041ce02739a18eb0c5fc222287b483b3adc7e8dedde94b9e22da0279ec6b525f627edac11888ce3c3ffc901903508bc79a72789c1c256bf8e67769cf4795d31a59c4948c1c78c82752fe4c71ce4ec9958cabfc2e64cf39c4f1a7487ef627ed7cb6f03e1a8143a864a99a65c8f96e2fbc7f596b03146d7ebdf2a14681a93b03413dfd5eed953eb70b9a3ade5418be2608244a441825c18a3495e67ae9a1b07e6894781e0933d3376e2d827b689b613f7328c38b890ffb792128184faff86cc0d09d816bfc290d1fb50dab7f997e8dec1b233520277290f81bf752588e72a74ebf0ec1bd02ace9ce8e66cd176cfbb64345a565d29298dbebb95b7bac45ea25913d786783782f4d4daf80e3d4f3b7a6a9b63d972078e37fbfbc6ecd84db6b35ae828916d2b1fc66a7b80ed247115d2c2e4bba9fabddcc0738f4e82cc6c6579d96ef0035bc46cb04c13308ad43c079507d0813fffa6096e56bd0369696c1e148800385a114236da832275d7d269010c16fb8bb13e326348a7385b5423594bd1643a5d247f30bfc6b19a74f35ac813a745ced43802851a287a2c7191f8ac1f39bdf31c805b28dd37fb2f2f8eb74aa328c404be2b3d8223bd52bd7d60e703adf6b7428b0ab4d97706e7110798cd4233e49322436b823517fefd85aae69f4f9f6bf8547a9702c651913c3bd7f5a89f252d0910c8953a0dd2d9e13c2b263fc6233435aabe9d926d181d5117973bc4f2f65ba3200445bcc988a7eb3504f22049733381bd9aa7f0889eee8777271bccd16e97ec6454712fdb68c498664fddc77bda306083bd004ce29ec932927a91ff0429a2a813abd6300ca65d5b528a2fd2e56204827a8aea97b48cf31a3a8d3238366451615a069817b75a3daffd7521491cfb50d15ea37eb6705426d58223ff2ec4d78347be5faff362a9020acb93adfd61748bdc3a7dc2baa6581ceda8f4d83b87f600297f6f7d2ac5e866081142402656e80f1273307dd149786985da40b754f7ab60edbcbb4b8800154da9cd7e3a2fba80caa00ddbc563d2e0ce1667e0983506d908881e74beef0ffc77064b1e5b5c7cb1dad4b25b8e27b04e76371cb996bdb94f8721fa8d83241a14eb7bbc46eaa75590ee65fa0b4b2137c2dc312a6a0ff5bed4a2a58286d74cc00899b1c5415d035961a8f0622bd8bb307f0625c7fbab6ffbd30db52f5e489983e417a2265c7a3406f590a362eca0de70e02272c1040fa1286bd3a037a9ffa01dca65acbc6767a04e9b9117cf8ed30e9e6fe662122448cf840db93ae007fdf995f3e3baf4c8d0155b0af2ec2971ed4b4d8544516e988a64a3c993f49c0f7ca2af2a71352eae34e2062107d072c79c016823d0ca8960c1826a9cdb3c7a910337102684476246aa711f847d2e8a1cab590da725816dae029ff5b982b75f259d3805eada6d79d017ad22b294c968cb0d1264acd32df67a290659482da161adcc83bc57e6b3c59016521a1bb20ef0476572c3d2b6089fac406739627564b8a5c1d4493794d4aea62b1dea0bc221b8ba62a25f52d194e77d2a00dffa586422f812d9c51ea1c0b2342666ef61acf92587e32e2e47c775992853824c45226d2cee2509fddaf94903609b7a0a530634cbd2edca2fe446889373918ce769a757d1bd6d859296bbacb03cef2fba0e3b971e8f39db9672d2f33bc149415d1d34d186b9e258998b03af5390d7500c7e6c96ce54b4fd9085cd86fae5357986afce335cc10e5f7a56905bd6e425bf0ca7b8190174d70cc7641a57e3fe783c47c1277d416cb44abb5be282337748dad960a6299459d8cc3436c79bca1364036c3c341b481bbb4c045cd33a27c808ea013e9452c49e774bd0fc56a6cddc4df3907a17db2d5ceb823b603f2db7f3c210a9a8d2c6c4fceff857e1dc86db18a6663bad451a8ccc9e73db90e459f022444dadf50df884f46a73fea50f7ba5cb3fa79732eccd162001756fe1ab5a3beb160a7d9879db07e3696c39480f204a1ef6124efacdfaa57802936114062d8d3b52833462c1909213785c65a5aa23c563f7be76bbf217035e44c14bbea757cbea65f638b4bfc467aa23b1bbe7c4535a27947aa69a9b0107fd0352a7491d6191d68f04fde89442b365c0ae1ffdac4d601cd63a0ea6e69ad5d32e61a1436c3d00836353922232f8d8e64b191b4d9892fcb62ae8b17b69202d8bf8b32818c68d3fc7c0f1e0a31cde5b7c1efb08df24bc54c3a6297e2791a2bbab31558a21e4596fa6c2f87ace7c040820ab07604fd3be3a2f799c1e5cd5a023dfa05c8454b429a25e84e7912a2438032a8efc9f11532c1d75c801c03a3930ba4b4ce9eebda03288cedfeb4b255e5fa9543dd2d79743c008e25f6ae81e3255faf722018500c4fb77baf6ace424992659bb840d0031c468e46bc951171a84fe5e8163608afb48b3906a7f73ae882eadc1a40c8ae5a49c06690bf40c15f33333799bfdf99193402ae9dc9eb0b2effac11b41fffbf2d349180d7f742ba3c2beaf59e89e40e4eddef0276b21b008e6ee10606d192cd9c707f928f2221943c16b1d03c5cd8c11f11a247aae4e068c3d27c42bac16cd64e01c5294afbe324a4ac06b3cd81d3c67bbbe3f5ae3c593fc092b2a1c8659797e799ea6a845caa8dcd8af1e92d21816aa0e73cd0aab2a4ed5206dfaf4fdc89ff7cd848a70ac6fe1a2c0cf2948f2e68c8c1c378539d6cfcf8059746d864bdd51dccad05208467deb71fbad15a7d0512c9071c4dc5d3adc621878caa10574c5926bf025c8bca8fab90a5bfa0abacf298b98ecbc84d3aea9bb624cacbb8fa30f871207d38ea875e4dc500cef4d3d0d892e3c38fba376cd95a3d26207229c0b952b4dc005583957fd6a638346d8944059ce7c09414d55bae1794333fc332427798b5e830184f176e9e36e0baa50a10c5c147dea0e0389a17e994548f91f9886cbd0a64535e26c1ae1b8567259b92aaab08b8cd49a7c995180986d6dc5ae2e2cbda25e204eaa2c5a04b1de3b12e49455b8d96d1ee7229e3ea98d905a0099125a645039482b77ff827f88c743fa9c7f1bc68cf99ea3236ea8560083a36c0061a4c7c90c9757d04a1c8c20540c23d1c0892b096c8e532e9854b76bc792b39d8a6b7a8a141f679a81a135cac9e9197dbb72f2cb809c0c6440206b329d459f50990c3204792a996cbd4f582982ca4a86a29ccb321ae9e6df66eaf2535bcf6b98079cd06a1af9c008d94e308c3fa19e9d990b47dc7fe025d07492a3e6eef413986922cc0fba93583e7085f64b18c1c228e61e2356b6b4e11031c017e15ed42f65eb4536755f01c2c82584c4ce8eef54fd397712876aa868196f0ad77b706afccfd7df048eccdf7994acf73928aed71a0099eaac2148508ab8f4cf146b9f17e372d93ce193e2cc4eb43cd8aad99081e8be0f9759b1cc2d57fe7e1ea61490a5a369ce0c43427bdc26e77da6b48b427c7613d35feb4431e8f808aef33fd00fbafa2c8637bc58dbf9a820698a8e695db78707c67fedf5e94f0a3836b602770250f5b12417c948e9933c58bfd451317780ca16364f83d2e8c2b2a5e0108886d3135c77ed534b1024f799f2d2c5c1f08cb1882cb161a45817b426b0c834ea008634fc57009bec56441a55d6903d64c9cc9df6efb7e3f73eb44956913c6b91441f937f56713a01aafd3e8926e35d80cdf0030eb74921c275127181a438177ac5c2360a4d1efe0ec9caa5930c3eb16cf460b342f975ff03bd21aeb94ef48dd291ebc183a910cd52b26f3432fa9a35049d5cdae3c60d0e3e27ca0dd0a75ed05e4df908679ae094e6eb852fd3f90f865b26c2897f959760ecbae837937611b84385c2a59c499e8e10e97d8ea8b888bd5d3043329d3034918c75bf4e5e493665387d2024f9a570b008cc5cb685c67643f84bb8f2f25e81fda674a90e721d5addc670d15edba689053765f7cc5cc61070c637c5a3c59c17db89394e0a77da43e310e4ae54e22b49f89ff6349446e80d38cdac6c230ae55e536d58a93c308a5084f481fa1197a6927849addbfb294b0acb38dd8e14426cbc0770e5ae0493ba2037eda0b8a87a0137c7fc93447f52d0932e0baf869d626bc08edbd38c444d87f87e532d7bd6236b2c35eb8cdb687f95bc30ad9f252299899eb5850a4d0f62e5a9c6e6382cb7f421292d719beabcc499e1fdb6fdd5ee00f305ec8557c4f1c3e2db9b850b1d4ea270918c92a0e3902d6b94a55f43a6a03afec07b31129b0ea6e5111a38d32dbcf07ad729d6eee7966503243fd09b46aa212f4bcc5dbf0659db99791ece6f8abd92f9d9aa835a68be0ac0dc7c2eb87b50dfb7957338839bbb18915187fd4cca70319bdcd279aeaad79bf556edf0de27248deb897bbb556dd856864b0f8512220a8086882fb82872c99e9365e20eee3cc6faae4eebf0372db9c84402cc67ee1554387a41f6465281c3864013e8a871c6a6afd63718222a719fc0e6c36e40fae0d64aa2206abfb8d9538e3877c861cc131a3a1a184e46d3ea0d08e6e76889f00528c0ee409207cda9178265e55b4b871accb15fcc2bd5b4dd4bd59355a4c624d82aca5c18bd73101dcda5f33bcd6553bcbdf5254bc87dfa9430572e0f8e61c6acd9f8efdfbb698060a9555cc978145471740c190d41c1a6df977ce5cc11de7eadff0ef03bc09b5c2ef701a6bd2cb45a812c708217a5d708b06a2689a3cd4f6899320e92d964ebcc23422a3a5c4f8241d3d134199d55ae4b35ca8accd604b7b001aa5e40514d7f1a10d06e73c4e0b12474035a430cf0853094a81095ebb199ba02962afe256c3af8fa7ceed2f9646bd8f4cc6998bd868f1bb5dc9c819a94e305145b7faa79cb956d02ca87b5b9ec639fd431273bbc24c631ae3aa2cbdca4952d8b242642d2d9c5c136a1e17011eef5c882b370745984e2ca2b03346d3c033891537f8a5f72a1fff05ac6d769c77691e0816e4c70752d9bea2a3a7a484d852019dffb7c749e5dc6f128885dbb63c4cc9bbcd3aec4eced0f09ce42670cd94ab5b991a3967f9e53a276fb927a6bcc277fea6375e2924953363f8f09fb3b67a0ba24d2d2e3d2a4daa686a5ed968a4e3fdae788051dd122de3b5fef6b85b86d1f2a7ee18691c795a40b4c5add93063e665055fa3816bd12a36d30b203eda7277ca317932c0579ecf6cbb2243e1f19f3a2b30dc37cebf8bfe2d997e23c0bf9eef099c1cb1916083ba87b006f186de8b90727e19b9e9901d30c28364b595e1781a8ef0f67d62722fdfad1f93395b0a1ab7c849cbfd28c73c197a0109cc8c7ecfb840e27d59fea3a41a761ebf742c21e34ef7818c388751c857e99176c41502d806b6e763f7ad86358e4e35b721db50a06d89dff9ddbc6e01ddd542656add73c8faee2c076e99eef15429817ab0b2be6286e572bd2496889cd41f1eaa6b7daebc60853a55027977c116294ba7ea79ef3c742f8748c9281b825bae1f85f1e57461e8e9d7bc58d50b2feb2b7c83f161a6fa7963d0b6e8c46c06df27cdd20ff5fab9225b3e5232b4be329e4f39ec0a934c908b7f20d99e943e36bcbdf3bff0b0d466daab8e89ebad469e676b08392d18b2a8c6e0d9441e7d0423eec1f1118c9cb3dd5975f3dddbcd6f8f8815ad03a35072b14a5b622c9361f6f80a412ba1cfac64ffe85ee413613357ab54248febeb864944d605617418b6776ef539dabc182b38a8e27027edd0c0813187e4e4c811505e6bcd1d24034ed35ced35c8daa36fc4f12b0804e428c565d7c56c96464d35379bdfe6d327df0c844513a798acc1bbe380a02080c84c5215a49dfd58b024649c63d262debaa66e0fed11aea1a5bdca73dedb8e46e0c35e0ca929ea7c79b0d6da084b3112fecc79ce0eab0fcafe011838d762f95d5fade0aa924946a45922c1ba22d377710013d7ca896fa202d098a551552bdc7cfbebd90987775e968e990eff63713ec532dbba3191faeec214bce8058272a21fb3ee398a033c4814da4cbf3dec054d54774112dd9d818711a7a5b200637fdf54c6aafe8c6d3aef711ed0cc4d26bf57907ee7d29c86c2daeee93d37af2229d5e8ad11d7a460cbcc0ea8b4b291845903dc927149abaa76b263061c664f8dac51b04653d3047922c6de9b2d244f553a3681650379fddf20ecfbe8a3abea3a8a9d6a4a571e25bf79206256d0a796170957113f7dc9e4a0d90cef5b97bc46735ecca5533ed4db9e4affaab8b6b1fb3f19aa80cb9b2507665ee5b58e37f094cc85d1f4a1ebb3821d3e7ad7d6ffeab5e532621cf9c9492998f9a990cb4a9530b9069714b94effefe5ece1298372856a90dd82894efa983a8ecaaf83d40e1df5a2ff0319035254e70d81acc1748f9834e3166a04ae66e71d37f3ff9bd2488f82c385ba57fc0122e8a48593fdd5d7e0b76c9f3ec383a0861e8c96e2720500306b161e01ade7fc93a5b6cfa32e1ea513b2af34c0fecddd10316eecc32e57e29a64c3086934a9c71b3b20c4b95daf2d2fb60c306cd29490b5c5a22c8cdd385a7065f8856a77e02b33cfc5ef362c15abdf03f5890af2405e68794159c345a63ea9e6fbd79767788f8fec8c9a289ba69066ebfef7f4d75c2aee8d78ceef029202c35dac7f6bed832575ef94bd9e9c46704d3f310812d67a878a30485109b9e940289dc9b99240ee7736dfc64b113e5106da059c9d772c7a38c536b942cf2d8cb82b66ca443cf6fb3e58a1ef41a40dd4a21ff9aad9ddb5353bc78ce15d85be036d175a5f193b367a15811bc173cf1256a9764867712121ba3eee9efc3fc1541b6f210bbdd98601856de5265bfc39e4b565f720841a28b62478084bfffd4c2b50dd33dc5449fc76ee725c7847e4d33771d077a61c3ff881b0550c642bc6b1aa64e64d64bf59f06d65ceae59ad0c4346b7b1b8c2e5f9a91724a0781ce15ea517b4724eb324dfbd7d57edee57644721c37244ae98d0e6bbfb10d1534a160ce5ca453cc1312dd740f80c528efca1ccc62778a047896573ea2ca5c48ef2ff217e4c20f7ac009d61a307461aa075d3199e730d1857a2c815dc3a9aff49029a81b5e44ee3c9563e0f59b3058d48e867e3c9126a1db77e1f9c7065216701159489a4f46fd6ad040df21cc9a2ea280e0d69754b71280b701d84a0d471c4ec0fd1037d10a7aa283a83806c834a9258fbec264d913e52af8649c6ad803adf786d2cc7e2da8381d98f52d1cda57514e994433c44ee4f0bf6965bf0a9a1b5312edd74bead71482b02741f8115be5a25bc33bc13f6aba49e372aaf918327a295c08a28ca3f1bccb8ada014e9b8445a344ec9d73cedde6529fb8984f2e6f40628847e52a865145a83c777ac13ec80ed4356c63f3c345d0d185164c35ff0714e2f10c6f380765c907a9472e85a31230b96239131433a8438552717cef919d567e6aca95bef0af3456b3d2607413fd2255b4b69d810041da1fd586cc73e11f3c2f8a0b3ac59bd93e18d4875124d373adfac4d58241171d22bb3fb179d45ebb368dbd28ec0a9d04bbf0fb2322e4c3d8e9ed3ba20dd876361a89612e476ecb72baa0252a245659d972f8b48eda4c000f5da941ae9bd3acd1576c1c118f98529815161e01e336dafc375975e714affe6a848da7ee7a3e3378b8233cab76f1992dca861c0eb849b01aee281f41d2ec7387e241f2551973067060c76bd31da8301593d3d5f2fc27b92e9fb05d4f36dffc98a39224372179dfaf13df20dfe41d7cc5bcace0dc14baef79974fd9f0da869488cf5dd40bd8d423819606e82a912945d3bb0d8302973b98997d41aada917720b877823394af3fe2d2e5715bba12a90c70835f0c37b4a098f36a68c7c50c5c536972ce96599158469e3dd72bfdf7dc127d0ee50a1e5dc2ca2b64266841b696a87b92727906c24237d7d3be9665ba1a17dc4482977443beea3373c4196459070d063bb3203c2b522672614eef436a90ce6f2e8e19cd27ac8cfc7484379e9d43ec993f9a261e55e557ba9a3f0cdde8cdf99382e32cf9f8ee337cb596fd1843aa284e943aef1e1dc84a15b3ffcc6196edec4133af025befa2fb7026cd66bf9b91e98e18fb392fc28d8ce37f718cdd2e2bf2bff8aeeeaed3fc8cd17d3e0ada671928e247f677f236ecba17da39614bc64046187fd016f2c19d5adea8ecc0a15afd24f095013df49bf1f34f812ea7bb280d706f3c624a2bccd3aaf2cdc5c146b26f8520892cd3950f84aa07938be512367f1a0fd0d1b50a1d8662482c9fee0c39a8cc74cf49a88b6f4b03158b4af0274ce3e6b4215778514d73a26027ececc35bc5baa8cb5cb5a235de93e68fbe2904e69269d7dfab2862a3d7d040d69163fa736a8edcdb71bc3916e32a63e2d550fd77ca4d50d7016c4db86e5dd87acb818f634221c329e8d0ec5d2f43144c883af822b0f4b9c6d31e8b48cb4904832b15a9a920cf59e043a43cce70864cd9dd469ec5394e43d557862de427e517d5b21ce860c47f1b499d88977e7ad0aa247fd1f0d3000e1cc519bed5dd27c613e2af3586d0c5a2c41c602d4b8a6df8737803067d61fca52c2080bb7e522c8e39c941addb31aea2347ad6cc6d3c206ae597178c54f40e05d827bb80ac93b007eccd8934a0d14e346428fbd6fb8abb9de91a2d2dcb9b3d5a62a9d27d3253fbf2e937e2abc77b2e70eedbee84f3c520ef679dc4c69cc2e67c8e7fa07e8deaa164889c381429df32f52828375c258c05d5f29016051497cb211ffc1d7a0c45af9eb2ce2e8ca34b74a3bb3a07fbb04b82c3bfc7f85aeed913c00909f536a786491e12e008c4fe53d7a688af8fa28215c76068a167dcc64fd380f20d7105a71b289968ffbc22f1ec263a6770004f0e91d7412ad4bf6a1791b4f82d6e5506c800dc6c67d4040916a56e430b2be7a5adf78b69e00ec3b32780186d3cddc3ebfcbac5ee876696debbafbe9213b8d2e38ac8575ecaeeb327d0293cd45ec86b09b8c5abab849ea307686ccdbd09740704c31bcfb115a3eedac68fb581533597101080aea7c039ee10b10e3949d54d6b7cc088411f23934c5504a54104c03c6a533227f2e3b3ef80615a16b06a9088692c8dd525370154abaeccd8ccb2fb4799c3daafb153af6e057b1b5774484624e1a2db0874808b97a5d868066eba849f20ea401ed0c517617105f181d994069b9b23e38278ba9cad50a43afab2db516af32ae3639c09c9c0677661c4ac044808b14df1223e1d5c73bb8562f491670a72c0330e5a5b0c58e35dbc60d9060709568357839f842bd6fc97763617b7176b13ff83709ad5cfc3d21ccb2fe93b8ea1a3d93f4b7576e481e3a654bb956cddc59d706f5a9ef7ce1f7514feb991dad40fc9abd54e6e7ed26b878367b7603677cd39fc924847b5b94e3eaedb4fa65d0f7b7abc63bf06bad5fb18b42dd573d2f72bba11b82f042948a4dd615f27d8024f158910da34c8402a03c80f82a788b2cf6c75b6d48745ad746efd3937a4a5e89e7e859f23d1d58c436bae0b650079449961823af904f6e58bd272e1262a1d057d372a9fd3d40a9b625acd795f9645b0d6a272c22cf93deb09feb3539aa7fde1b138b8a82430ba4417bcc114b91d338c4328cf79f700723a703b6fcbefb8dbae98e350717b4a44ecd7d9ead0d5732b3be58c90de842cdc5d0ff609a1dd0db72d177559a78be9e05091b09b9d5a79fadb383983fbcab3efce661ef463e8eac1fe5f7b6894547c0e98baf768962d0b69ac808c864ae3c77bc87d8e6c4eae9e13eeeb0f2ae7dab86bb53002019296e658937044715256bad55cb6d2282e33c18144a598e4a245c6f9166abe43d17883aea7257c371409b195316ca9c61e2bd3723e46a4def2476b7f4ea38e6fa3cc654475f8eeae3ec62cba6a9744bcb0ca8834bb396efff668aad19348c8df8b0a15fbf40838b4e0d2a0ab08df1737dc972bf3239f83fee38b50b5ec4dc5e52d9fbbedf68a1aef8e8eaf6f4e23ca59fce09b979777e560cf0e100a38a917db527b4e1dff126a1fb7c9b31340de6c0638fc8c9b3d13d7f6cfb107053fb71d021c3af7a878be254919601d9c4eaf86b9397acd29f607a2ff92e37f83f5cd1bf93f55fa134c4ec0ac5c34f7882abb624f040d308ad86dae0ed3f4e253b6eeca2e90305164d368e610c5648c610b103af674017e2e52263dc11eada7a32e47fbad3a5209dc377164f7144a939faefc712249979ecf221fa5a50f8781950d3bc3cf385c7f03d723140adedceceed031312577aee05dbf6e95a1c95a9889a113c63140de5b194d202f30b5a5272f9f5d3cfe13ea183a454d2bc8cbfd1d5de7fe6e61ef07707e7791192c794a111242611288835f32c68fcfdcee127ace6c9fba99189854b044ae042b7701f1df1f745f7847a96606fea979b71e4774a0a81a95d7196f9c2e13a8842fa9df11f64081ef7a3e9e467e48446eee2ca28ae0ae8fcc16c79598b0ed4c9220a41f37c0eb72524710873e1946bd6e6dd52639be20c9318c4ac0a9b84ee1d9c29f8c72da658b72fe8a9a93facab2be97ede6539271a22502cdedb9d06188eaea7e09a28126e81d494c39e3e62c40ce59fcee4c3a90b2124216b3ba8189953313840c5f61ebebb8ad3b668fbfb9bccd9ac8169445dd7b5da1e0d73de9dea4e3fdd8b4cb98b3e6deb31e36dd7709f798985151b03b14cc7cd8e1318faa111f0f80c49be21923b8959e996377065eb1b3bdd002eecd21e8d109eea39d40b5a885e20219e98e900adcc27bf1a635d7ba9f10dfb799da69e740daa9dc6cab37d173cee47bde5f0b983e6acdb2d007f6ad21a937c54d5b3d08da2454e1ba01b6cc10008ec73ace226d9ed4965a41087f2ad1725be7fc413581c8aebd960178a6faab220c7d827b0f596f90842d537acf6693d01c23baa9a4699c1cd092b415eb3a4b696191db1d17680fb550881e3ebe3f7b9194867fdd1affc007e3037ac2b962c17d2d6e998a7fe6313be6219360176f2e869275971ffad10ab68b921df8302e525c16788aad3f3ac1e6b05c6a36b87cc7227457b8534c972e1331492d9e752924fd67d94821aca514897d973fd2d6dcd0358e1edb99bc5eb72220cb1a1014b555bd0180e40838ff258bc6ec21e9bcfb9113a6b03599ada2d2ee98d4bcadaf9dfa9edd972e6c43e3d214458a5cf5607a996ca47a02bffb5354a9880840478030d0fd3da46ff2730940ce28ab81770cfca8793132189ad8491346b940a7a7447e4a18f6be8e5500e609a74e89039a7743e819b7c388f76c308f69ed5e751f5ab62ac83b67d24c2fd78120f1e9fdce911f7ee8e631209c0032ddf0e98af674733fdaa276a56c3eb1baa4ec5b175f339c116ad41b2ccef46d99b81f22fb1a12726ce6c7e85447af3f6290df8d6adb0886dba46aa59e3c96248caed4a8702a910dabad2028f0047b9b5fb77f118c21dc1ad106c4ce8481f61fe6033d3d11f7b6ad58ff5e143d7fd2b88041b59f44f3904e5eb15b4165360c91a1d38bfd6d2d7ee4aa4e32a7768473d00fa600cf464933ebd587ce82dd40f5c312e1cca875040fab5bb16aa1d44d39cc027e84c4cb387d978b377565c0fc899ee7277470555c0b380609da7a6cc2571bbb967c83ea9e5737aae0e1812203d11ca570cb51a08da17246f08e2fc25d2ef7b9896b4c7adb49cd7cafd980611f904527fe2bb98e80cf9833de6a0ad8c395240b4b2ec0faec7188e6b628c7686c4d49fa68dfcb7a4aeb41388a571f9a32b909e0ae9415e6e4991c93e331b31251ddf8247673cd768b753b027f9cbd78ff4adf14274945262fc15103e278ca8744180bb5e5498ce14cba4b046fbdfdbe36cef2846c1bfa762eec463c22982c923c695292969d87a58c5ae23b093f65ef7a73c3497692cd897697eac813cb3b5f931ea1d01046421cf956f0b320d58b9b438d35ec95adc6855daca0b14adacd3d5268b6ad822b1cb4a17ef593e424e163a2c6a6c50ce79e554a9d7679182d7e6ef474900778ec107f45ec72dbf86973b094ca206bb02b25b54d6bf6cccb0bb9158892c1345c8eef1b2a75feabb8a33e738e070592387a0b255142a2e0e0080a30ee943a3cbc0f1f3457ef7a38684059dc6d96d7d70cc25fd0d4adc48e6d952d14bd406b0cf3ee3c2de516e17a417bf35546f297279fd7ce17cef88361593cc479702657c7b2eb37d7e18d65fae0d429b6e64c10310d16d712e7f4c3cff0d014ba30d8edb2101ca1071b13ba25cc2c8d00bd9b129047ea789d44995018a73b6c0e794aacd80c81c0e45a9e670e3db806c21559fcb86955a1793e1cc2111ddb8ff231ca483ae98938a67ab6c4777e151a228bb16c907976b14dcd621f02488feccd3c520bc9e987145d400998ddb1f1395c95994848b7d30c728cf747ce053464ffdca24f8d3188fc7b6d61e6e238fe41b92807ebb2afcf1754cf94a0d186cb22a1cba36a1722739431ef0201a085e20f5e315826115671e8adb837444c361da2aecf5322beec0cf076a19c17c4acc5d33d80efbfae55fb382879ae9c580a2a467f8f1871a4dbdd7dac80f5627f3671eda2f0f0ca783b2a7cfbeed7f58ace2453b33704fbc10524cec6093fe2bd4b8d30146810c4353b86bba4ecb52142f30b8eb890b9f189ae13522624451c400beaf8f1c798b6a6815f0eccdf4f850ff7c0d7f42b5f3bb1fc7d8f4253ce310c8379c5e9b05ebf65262a5666e604b368c31b6d839581c840ac29334169adcdf21c5f6b1447bb779e8380855290b3d3944378ee7855bc0db34b306055b30f901250f145201ed4b38bee2082a6bb4c71969b98cd2aabb70a22440b120e72b1f39ec405b300ac7e4071f8660923f2606ed4e649bf3a8cecdeb23901f82ab6401505410e27397ffbac3f2db0547849b8860e578220eca15884a2b6325c6d108929c27f55704f0649f4a457d057dfc1af49e7a1500344d08a25121133cf796f97099dc6d3ffb016084652f390d1b2762bfcb7a094ce0a46347947993907a2baee581ff6735956aef8159904f217dc20223c857e7cf1efffc7902554ad215478f88e3b1f1a7e4ba9541ad5c999618357f6866b207e00d5204f99a79f774d4332ab724dad9f9b842dcd7c8ba47d800728409dae11289c6f311040343baf0ebf67e3189058ae5d5c192b0c1165daf266ddd25060ca6be19db74974649c076a7faf07e7b4dce6b1544bc99e4cbafb1127f13447f921471490ec211b263dc8555b06db81ea317ac1eb59917c5b946a28c090557512c996427e808b5fa0e44cfc6c16641804d2eda9feb5ed526e46bdfe9437335f60fc0fcd7660ca5e88a70ec9d7ee3e42313864e8bc19930e4f84064be9dd9cd7346af33712046c730d1832c41b254bbfcbdfe82ad755b20a1ae9ae76cfa6a9f92ac009c18ea7d3e2b2f40d10f978398541615c76334c6881100abf41091c5e758a5299f4cf46d9438c86856daf76d61dd17266fe20a061ede53fd63299545ec0e314af59fa4fa56ebebb5adda183198c93e9ee46543cee1f1b27c95e1b98e59652ec9cf87b66e41422a8dbd4fd78d68896df516bfb6bed358c9af18c8b0c3e7d306feedfe93d66b4e7e3bdf745224c828eee693dcd8a4538f39c47067ae1e47f6a3c13bc7bf0f233f6faaaccba10d132d26901bbdb7ac02b196fe244871a3cc0a21b4107d95202afe435e8057fe3365deda4d769e3957fe5e21323ca0a6414261ea1d9522d8b0f3022ba60842fa7c3acc70b4934508b2e62096b0b5455813506e730b9eba29ccf95aa99b77f8acd3e2247c61db64607d6c405cfbc5d48eddcaae483fae871d6aab7101dcbf2c2fb29dbf437f95a1f78664dbc5a3f51f06a6996dc993685bb417f2ff707f364a3c86845671557406ab7d8156e5e8c5ecdd8dc38aa077eb7cefade31bbc6c2d61af1552e0afc7139ae7ccaf12dde1a6a55f7f52f53e06b46bf456d08e6d116f9d39b09c252c9b9fbd6917de04dc7b95133f4656a418fed6b5fff1cac21c02c13b74e37dca8760d4f51b671d565c94ac6f1c1f8892e75376c6064b0077fc6113526b0d594a5b259d33a64034f4bb3beea0365e4dc99255b048d10e2ea9da7c2e8cba0af37dd164bea48f1c862698b51f6234d8cd98586e3930196a863e18c2ae58e90bcc3bf4363df6e67800376fdcd3c007bfbcfa46498092af21708daeed27f840da70bb20c1add8127aaf9d14397f08ab15492286b32f67d0ffb27878665ce465c6780cc1b054acc5bbce10f8da53911a740573eb82fe092adfca7abdf6e328ca9ca6a56f5d6923120011b03444e7fc21f01275ae5e8473d742f194c480b974bb03dc55800b99305720709ad4d8b1bd05caa64a7341346abc9aa7fa82228043bb404ec31d49a406d139271751157827b07e2cac15e1879a6b1f1e5e4dcd60654bba85bd134f22a70c63922ffb0057e7c393e972aed941b0e7840f965d2db9dadae94d94c890fa9de8b5a17abe3e8437ae7f679c08bed01a6af50cec079310abd3cc60fd3c057175793ec3c48f129e93c7f16acafbb5e7ada132de32957972f6a9efdff40386fcb20689fd4bf7c052a755a82aae7d14ef591e396593c2b38a98ce4c8ac3644ae13c4aed09592483426375cb738ada41c1d8f4349ba35f4bfab0d05866868a09dd0973daefb8c3c81aedce646a2912bb4694b933c13a9f4d74af5e733497ba119139d7c01e38bf2713e32499b8c078f809ceeb00c271ea1f63bdac431dced67a93ca12b840e20d41674bdaf01a45090dac1309f192856fd209eb5a950172f89b4bf345b73da7936e89812ea2567a26ba950806ed54bcbd65c8e18fed2f3e972b47df0e5aee18d08b6dd8e4fec6a0689ad2bab7645c1cdd00e0b5c4f87b37c503a0f3d49e0d2a398000aa17e3daa53ed03b3f866bccd6d36e1e2db58904854322f2ea288a326f7fda6e5d7f34e40824289d8c1f0579e7056e2e5d5ffae56b98d904856f90850969355350de522901ce9d635a2d938faaf96f00a338d64d075437e5af375558f59d7bd89b77ff01ae05b4cb71e984cda1ce9493f8767abe798c42987eeecce22910f7ab1583c015d88708c8ec1c776e6a4fea6c5effa3e6f338c215b28376745742fc04d042e519a52aea18791d26ebc4313663b55caf87a1735f4ee499efaa4864f09f0018f8512d973ed41149995f59b06535b2be5bf6823e6659d8dd160e398cf404a7d53c8a95fe4d5b7f019f9225f27e9eb4143b795236001e437eaeca6c7143cd826a6ed470b391d8a1415b85939b999987c8efea669a70b962fea7f83ff0dcef972e2043cdc7c612d4e349834440a7b0760d4ef2ed601e017202967ee097afffd482324f50f21ffb0d87dbe206fa49d6355e909a3d7c337cf214589502589593dcda2b3adc96764d5c3f4486939bec22fc4ca0dfe6bca3d683016b3ffdb6a4cf2005c6e5d8de7ea07d7a3d02c8a2e83fe98ec6104aa3d3a96a85db100c95b53b54edc689a94283783de45ea551ae91045348ba1638c1b64f73dc3b0f1be1f73fbd815f4c47f5b38dd90c0bbe860df3fe29fffcb1efc6c9ff9cf867c956fbd8ee80ee06cc9412169bb5df28d1e539f43b327b1cbed2c47740bf194da32e8bd2f2baf31a4d07fef72a9247f5f604abdd567f153506d33d79f017c3eee12d1f19f353f846d037c9d9b3fdc01440aeb6effdc9bc2ef40d5433c1d7815fa6ae4f41bbb8ba86cca71b6b50102e1a1a0fb5e0df0512a050ed1d3c622928404fdfd10743469ad7764d90ba19ecbe94a52319c4e7fb7eca14b264f436fd35943dcc545a61ae49d567e5d84f52136d25d3d989e44900291e6d5a038852a6e6f685ee19e7668234d954a054187c75d2d85d6a457bad8a1c3b185c6d4eb9b065447d05b8e513a80103a655984e93ce363ca21423a497c6844564cb9d0e9c8c19b37e0ce351c09fd42b97f577c0999618a3fd6dcfbf78bc6c5d2f77d8542b4a085e9421d4edd714915e6bcce30d9823e41ba09565a28e8c4a09cf303cf9b77190c938993df944d0f1bdf831ee449b28276798fa8ff57fcdce55dd1197e877e3e62444de7e3cff99d6d28479cd3dca9d1c4a9bfbc191fccd481325ee2112abd252eefd92cfd028e74dc316f3cfe79631adf7a30d52711d451549e80d3962f9bd094f7a16d5c62e5348b6e72af680a9d3ca58abbb903dceba4ded1c7323385447a5deed58fdc573f42d850f8f78b96c315666939da353c17e1c0d399926cb9beea3e7e2da0c4f6c384b8314d7e21bb720a788286e2c341d646b5ffc6076da06c4af045ea4d4a61dfb6dc989a44906030e683d214505ef2e5800d0a62e47b8da206844eea1067210a22ed6ae7deaf947d6e808c36e3e364624e1c43e86d9ffb926897274c896d0f7da96f43ca228cb1030173eb6d84a6808f39e65f14777b0f2f77a6ab8037178ee2b96c7ebc1c43fc94a5b4b2aa0f6756da8a37913c7d9f0d287cd023128badd32e9ff0c29cdc65001c60f8c70c471e5af22a204e24afa905e36fa7a5d8eab5dfb4ac1b249c0cacfdcaa534ece102f47b8ddae2ed2078f5298e595b377534a7212b9ef94ad31c3b9d44887de5017582d2f54c6f6924847be1c08f59cbd03d9a9c8b2f42e8675cae2dfb3bed9f8ba69f4a5807a5af84be0304e890debfeb5d46a6f929908b330e0c6daa7a4d26bb42591aaca9b47e2f0ad501c882d51d54d88bd36b1fee8dce81137eefa3a033c6776a04670d31d0ef6711b250687723193fb12a91b85b07ddef617fbe930c2338818fdad469ea1f0da7cb639c363acbcd7a6fee18d07e75cc707a85a81a2aa1555f0cbc38dbb6f1b0d3f98c289c6188a46034889be226da4dcd9566dfa2cbc8b9ec2929d1ab1227aabbea63d2e09d4815be0a3e40000f135587be20621e2cd4767211e2a09cff57ca1c7b7bb0a66c81111ef526622b82b368a07e0ccab13296731f0b37187c7cec3085ee479081848d248d1323c6f127f2cccde7e98bf516674e4eb5008470fe12dd231b9b5e072aa3a528da0b37bbe42632a5dc6d28967eb5659f4359fbf53380995052032f4746906b2308d94a4e137b250925f75f78f91eaeaccb4b3d7c56ca246e5a1a83b9a998ae8a41622c96ecffdba3bdd3979a6cf7fbd7d95623b79f91fa1c2257baa3816903f97afb8e699053638ba19f3ffdd2b52f70c8fad0e0c4f6e78079ea1fc58ed9299f08b4ab7c1b2db98d3bbd10a218353a4bc9de6f60aaf8241c2d7bc6e407eb8c73fadc7c95002975a13ce249651a7739b2a2806bae23318547be687f240ed8a8bef08a413b558ae8b4af79f994e5425ef948f89f08c4de4cd951835f66b806016d4b57a8caffdf40be402b745037edd9e87524f28879514b5675dae01a9c49589f324503718f51c3044821c646c749cc8a564f0a7623288f0ab7ce66604555d87406332661736d75dda1249d77138696a69db12150efb7f06094c170a2b6ba95ff668cca88659874656a09291bbfd184a5065044b3531f0a190fc9ad878ca518913801e4ad572fd6b2473752a805f4d97e499335ceb8ff422e85e46ebf33b3430c3fa9165ce951dc24bb3ddf9f4e2aa3683542c0f5e30eff89284080d38d82352ec3f09ab6a155e2f79d99dbffa7273830e9ba38b28ff461372a119cb2a8d8d513f401ea74b59e154e9620a99d5145615423e636c3f2d3befe2e48c5a09a192ed18ee8b4c0d030f795a6d284649bb89c8bd3932c56162bebb3c85c20b81ce2d69a18abae69d26e77b4fbb165e86c9571ebd37d2c38b0fb89357e3ed0932c6b1639bc6cb3ed2c72864fa3b838ddd08e65189dacefdb70ec4420aabe06e61f108b2ffb9e6abb726fbcaa405509b5e8ef8d06499fa2419426caad01806d1365b0d89d0086be8e96e1d276ce046b1d0d1b638b2899cc92bfb6319922af887507bd3bcf777e8c7cdd9f29065d4282798373088b891f976f2438201d23dd2cea07b7cd604ebda0a004256d7efa1dfd7d4c5663db9595ca136bfdb37473ecd8de3fb0c64883cf793455045f365af6cac36b392fb6615603a603ff27bd62c384ab5754a12d6771adac504a3b0063fd6aba4c085490c8c7854c28e29d0fbcd8b6dd2f6c3338beb7eaeb17fb9fe3be29a43ad4fa6e8a5fdc0cc354087fa9a1a08f01736573ca3e62535669725334607ccf45e725e66aa8a5b3bca4d4d825c63e38ff3096b30bde4023b3f47c141acbbd17c0e66c517c508b915d6a0668258179ea3565360c770954f48f07d8cb5dc89a8f0e5714735c7374c67ad26c37ca0a9bf3f64d46ab48d2c15719338e3095bb12addd5f2cced60fdddbe6539e7e83dc2e418fa0ba96b0d48ca1be8cd18659bbcc959e6cfe77633cff48d3c763ca8a7a1c97ad29c166bc9924d3f9733cff3a9c4b9f04ce097fa4c2cbc2802e1bfe0007af9e9f8666e37329831a463874607cbfc75f3ee94aaec4eeacf236fb41ddc38cecbbcdaebc867dd132428e2acd4c77546253022a2be51d3dbf1effbd4a63a96531bdeadd91fdbf97a663f60cf4528b9127687fe480c38256412781d0ff301e87eeb9e0279c115ee1e25bdedde807ec46b704c58d4145e876755297f35faa467a06e44a611b8f280e3876252d1b415ad7a1a4ac2e7a870b6bf2b5b57de7e3f65b5e828006bb941d30c818ea81e33ccf9db94b8a441a973756f28806812e5d22838ba8df0f065409cfa780bd0540a27fcfb74735558da7a1d65a7fca97a223b63779f60b7fb8f10113931f52589fd8bd7eb157523eb2854aadee240c81042b6e86945b636d200330784145e52f0ae954705dc29bf1cb19c54424e8d0e66df61d62d388234a8e6182465a80f3fc6c5bdfa09af726ada9d114df5adbd67a24bd25d42ddb8e6b21c820786b6a3e836c8e11880096c88a76e6b3465b2d61fb111456da58dcbccf7b19b300c88db34699a9ca265599305c22a780e0e1bed18fec6aa777cbd0e9969533401615f79cacfe402f11629b80171a0fb8a59135ce072b263f4b1f743a2f93126ccb16103c733ad014b65d0acdee6cfd3c5ab24062ffee7c486fac40a8c51689c28a3032ca1425ca75eea29f937026b9a529ed2da3f112b6752dcc1c65de63eec90b2a45bd13821f0af4f50e7841f7728a561e1eba6347867bd07c78f06683d2d2e0509e2530289fefa834d66c050df98cf6b0f111f7500652ca14cab4a41fa2d18f1c664626ba70f874a836531bf36bc75a640db5c12bb3e8e1f6daf0af8ab13bfb584840e799fdf5a5e5aa9676aad0722a01e30db706e67788d558e44bd0fb600b177d88096f96dacfd78b5757cbfc7b91f65f4001f080ab3cc4f59dc8c20bebffc2c8fbbcbe03275dcddf8690b9c5048d4ce4c85894ff4f824dec0eb1c6d8360ded5fe83317b80007e6cbd82ed2bc55f8de4e5abcecdfbc41f9e80a83a072d01418a2a544f718ec3d4f6332d1bb2aebb00c6ca66b9999e6bd2bc490523859f0db1dea63779b9f1f84d52cbf3e7dcede8214080c6b54916f512426bc9447266897ad4078118867e0d6746cd99378ff539066b246ecd123bcb3597c4acc172ea13c1e260468fe12b1696ba737e1984e9b593f774c3db1696be6964319b9f9388707bae3ee0858528e3658741dc271e80974045f3ccdcf5c271fa4458e81023f42761c5eb37375dea4e4d4d8b1de0b4724631cb35b0043e7ac67c4edf767115670eaf50370af4cd2637de6c760e5750b8bda3c5351c16a9a5ebc02e2ea24cd10e9fe31deaf0e250d869f933642bcb9da2dd7ae6d92e3c3242c2ca4908bb60f19d68897616973b67dd1f1b037c460f7181782191858f2003a4146daa41901058972d7baf5088dd5f89f294ddf5d0b6af191f36df14250213469c2735942e825ae6d36406817d2ec872e739cc1cb9f0bee817e95e37bb38c24b9bab958654afa1a38dc4c3155c37d1310f014a5860de0637d0a48d23331bf8afc9f5cef164c130ca4a472b360b92d4552f083d6ffc381f8b033bcc0550c42ea706ca15026f0d4171c06e6e3ed636e2d7cfa928565a6159778a1ad8e150586464d1215d367b61973883e040b884d6256f40f491ec481db2224d0f029dd6a063b53a425b1c7f6940061d8cc99268b793289ee3e3741e8c4368441ddb9cc5c47845c02ab67194a7f27a109036ef7c44c33ea236f799350705cf63fa5a8ed6d8075b8d483c41a589c4ef7efb716cf495f839a1f22ae44478a93a06a841f84baf32dc091f1ff4e1edb59b165101d4f4baed7a169fc0d9617a426fa536430d1dc22c79ef99b0474f5fc4a7812efe5c9e2e9f1a23edfed2340ce460b118525836600127c410d977d7f2e9a89a6b571289479ee50ec969a026d8054077f783ac7038fc45f1d7972c01d4ff6811fb44dbad8a5de90b39b8a8fcc80d1979500f0ebfb4fca0cded7c2f6b75451425480e7477a2eb357f6c1f36171ca4cd5ee36fda6a7de9f0c630430e796fcae444eddb481d8c61f7c1c1a6b6b6df269eb1c69ddb5d6e2c4bde345e22546ca393c69f48b4d52019f1cd025393fb97d193b53654aa6bf784c660040145a5d5da90092751a9294b526d087323a04313b76cbe6447ab73707f48abe7628a2d8e2b0a5de8dc8e7d4baf10cf6fb714170a8d0e808f9b00d1e3796967ea69bbf899bb84605751b423872250ad5e61d0f9888d4d03819a2890edf34670c90d83f71d451e1b1d8a983ef581d08f3f83863de1e3785a3320ee1652bc1a553fde8f73da96ace4c55e5d140bc4211918ed8694dcc5d974ff47276c8c157260e9099cb8042fc9f9a258a6a107023ad1f91a1cef61a74521564bee71c2c055606b183fb3e5f02c21d21f45d8c3dceb63edb8779d4e54668ea48b3d283b141db2e76e2cd4f4f609d47125519bb969771a27a1294840aa2b2e7e3e356cf38dbe18353db051906a1bc6e6e1beadf2ccfbb6d4c875a5e52e7f968c8bfc4709adfad10b5d2901740c54625168f306997e9ff6a4dd6bd9c89a3ef3b92c964dbdc4ff838901ea5cffa0a235943bd55cdffcab784c64a03089030fea08c28cf13a58a35e43883a9feaa5b6552041142f20a916a2b4bb0c0892a4ccf1a8707b3bd537b359cd86f831c655102f69601746ba8a29cd9a089cc3796df03360f77c6727dfe70cf7bd1ee97bd070a1b8ff7798ba8dc2e1ca6f09c1ac987da350d1929136cd346b5347b4aa00aa08b1707ffd7ed550b167233ae883db4791025d4d3f0893cae53d0ee29569290f29b0f73b691f05895c9a2c40357ea89b2fdebe78c41e14f014919d17cbe67b0fe6fa854d65c7a2fa0804dd88d8638caa595e49d2bcb1eb6bb45aa447c4f6ff29d308b7785fa01213a796bf7f61237c38b7d6fa76cb760315659cb37e2c88a9cfa7d48353a5e160709aa599f17ab5076cf9010a1aff139e7d908e73c96c1eeda61568730981f77f749455f6d4efa787d9fd40630cae5ce4d302f7cb502afb8a092b1a0447db8c42d95be45ad25ca5db36cd0f24768173e21b968e7f38503c70bfe56101b8152b3e1a32d922a58f5a1ae61985bfefe2c742d6245784917567b62e05c813e445bdaf61f5c8d71ba598beefc7a2ddfab7b17a455cabf8acab61554a4c1e649c4d228fea931d30314849cb63eea6684d5410dc66d24fa96739949aa615777b13a0849df0f9b95023bfb065c29379f515d4eb24965f0da79ebfa7af2b3852ee22611953769bc08b0df17def102abf69d9e9d2ab0854760e6ee324c6d35d804f0069d65636227f3004c2d56d0715ed7927e5055ba108c61b351295cb0252e6ea42aff99fdb346df85b0c1a04319194fecf0e1fe8624d25fea12a31fc3cbf2b630faad532648fb513d7908ca4e067e6c9bd56a635ba2884c97a074fd7e5d32a98c6ac2563323e1d7b40da5cc1f7a66385ef4badc4fb28ea729d6a406b13db81f59251659084f059081828fbc0a287f21a7481d8dbacdb4cd8714741779ce7f0b10d23bffed168fe6f15298797240be1ab25efd139f8f6663e275121659798aa25963f01fb9366b0eea86b68b02f48c74ddfd8f7d326a5bcdd419a78d76dc27507ab0aa42971abb2fb8f1b624d62e13980139cfdec46acd5a48fcfc5b86a5e940a9849b14c16368fbd87c5fb40b8f410d515fd63ddfc55c529e5871a4988f6b1478222f54769ccbe8ee2f3b735fa774ab209ee535a968e7f5c73ae0b5de7c384522f475b368931a1de116ebda609dc409be066408bee0e78025206148549b902a710b99d4bd952dd40c959415547f11343fb2be1233678bcf7d349560ff71b11f5ea8eef27435e40088394228db93f8063dea3693be95fa1569f3b3c91b8b67f0b77d4a7523cf67d842d97ff491ac1842f40f10eacde168aec22d2d14732daa332ab4a4c30248538e83dd7ea1a05b01483596063ef1d97aab563911c5b3e686f315b4a614c8323a9ffcda63fc42f72a9a0ef50bf647469bdcf7149a89c14818c0ea9b5fee05682c065ca8a468c08a196dbd01fcfb65793adb6d3e944eb05ebaa6293ccd2c598ab02a7935c9032bb556e10a0a2e7d508f1d60276b6a8186759960374cfed62f261cbbe8b3e4cf488116b5b194add0074a593366f9f4c8ab554393017f7dbcff227adc4f71578342e2d84814a1c949f6d51703ab19ba4460a1548b29a5b52b5214a1bed29e9cc43e8b0590aa3070424a755fbeff2c6ce21c722042d196d7192681845c6f898923b56e5f3a7370eaa6dde6d978e89f788d512a80fc498c33ff338ec7f0c3c600de2bb10c1afe00f096a9ae8df2b5e49cab7828c8b23e925e8b46f8ae63e024d51c5cce6b972e070373aad3419669fce258a3be7b3bbeee648a0c7caae41e311133ffb39641b1c27b2c7b535ed8de3a7d0bb24df04d2a26b682474fe9c6b733c9a915f074afa2ca520df6a1bd0bc3d55b94c577b96524c0d0f947b1409e87432f5d5746f6b41ba27b06cb4aa0208f4c31853d2b8156de7501f515e9a9955a91003d955e9d64080cb8010b54d350db79d3f32b95068a570ea03232c72c60631d150f317724b11b487dc910d98e2cb9460ddd235a8dc716278e888689c0d5f78ab6b4aa1b365f5ca128ad8c3e9b4e1820ccba707c08903f40cfb25eb3ad1c2d6683543f6eb8e1b962cf0657bead354f86f08fb83acf0f2d15cdb76cebfbe9efddee249045cc81f0360110d2c9c77265cacf1808e1c01c426620d8e9353ff01078bb31d4e49983b38764b57ede033442be57fe2e7eddbafccba9c67435feef3aa6476bb9f59c22a7186659791f24ea5aa27ff0350e301a756fec499d85eb9faf9d258948c695b4e4b40868d434e085dc2312d4b88b59481e3859337cfc1ef484b9f3f2d5f351ce8cf7e17db47b09b29b6646db4334883c7dead3bc7d0ee01dcae538c3d49b1714f3c113d06102aef49d645173306c4f207ec6eac2475bc8fa26926eaab8daa466e6c34ab10668fa741b86b382e92b2214397f748cd625ba2b58e697d0180c69fda71d034cc0670d4abb988426bd872fd41b642ecbfb6be68dfa4f337b9bceacf8ad6859003e3b15df556b725db15931170c51f9c3abe623c5671ad3c1c8990e16b5508a890bb1f9e8d2487295eee1701bcac5abc493de597d5d9cba5cd5af580949919869f4f652c32fabbfa516fd7e11158d2757bcdf0f755df173d3f8a550f91664ee1fbfd1fe2e59ae2715ff9aeea4f6e5041aa73aea79be007519d9e80f3fc68f329869d7f478fe0119f2111f54df2cf7b560fb1b47165ffc152892a6e7ca85fd4a93d959cc47b672bafe1bb8c1cb498e137b9d84ad9319b4f3ee99c68d6b79db08bcbe71bd7d43beac5e3096a2c6a472c0df4bce2087fe04ae6fc39eff4ea505292100fa2e449a20358a447dac2e932e04d7d18ffdbd3f64116e120f3aae0392e635702f6ab8282c7bedeee6904bc2880bd57531f848c8fa136e125585af4a7a7f206ae99a126a67330b01e99d67b16e0f0f06f556418d3eaebac9ecaf854ac4e450620e22a388b25ae4efdcae411eda11fb962a74e49e12d0b5c0bfb29649733d2d9b3f5ba6eaa3a947e97d87b88b38004929dc94e88cf4dcb922d31a3bb9f5171d85a0a03cc4c51d0a2ce10fea4c1355bb710ada6ec0f119d49e92bcf83625e059154c30087ad81a28529444ddd23369481478f6025b8a6c997d73887e3ff12e12feb5b1939f61c73c0709582ba97883728722837edd1db6f102788d29df604047d15a1852a5dd7fc7c74f30d392c0a8534255713cca7653257ce25fdeced943975bb6ba8593235be0f4f199d174f7843c720ccc6baf0215e17be990c8d2c9236224392020c2760c7d5610f539f02f2d083e892d69f78c18e755a0f356d6c90a8306674d83c32907c66a654183ed03d261ae20ddc26354f38aa3bdf0760380fc09bd7f12b225901dcc213c71318e05bbebd80f524cf5061ec623cf5bc895b4a6077976a7ddfb9c0cd3fa783259354b6a2d9f284552ed221b78d0b55e8eae65c02003e58fb60c50bff4d44d5bbf786a3f5cbd49c3cc914fc3c602d082d7557c3f7ab7ace38536e001bcf52eb0ef80154322b310e2ea795fe7333d0ba333dc1a7a853d0b9825e34ff5cc055917311b257cf36bf141a2decab2f2adcb50466bd0432e09ff47d854ff60e1443cc6d6dacc027bc112c705ab3b693ee8aaa27e1148a12b64f50391ded5b45a4717b069d8ddda39f26146c9218a9180caf42f8620ff20f9681d46a8953f4291f3de9ff279d00cb82789f9f3390a83d0f9d38050aec674c5c92bff62cf37d43b50905fbfac7db15ec9b87718506278758c5130ab3dde09e10f99acda0b754c13d3fbc4146072820f8d8c6bc31e53a2d4d14c2cfe9a6558b3398ed59bc10b4a1822dd6fb02884f6d44ccefd2acae2137921c5c0e61af9b6845095b45d27820b326e1306ee3ae43d05624e3e2bb39362187700f383b59c51594cb7ae9af7a6e004d2ae29e9ed089968a55efcaa2f352d7892d188ca75e7d8b33424e35bae6a8c5f626df14f3e5d064fb2646ec78dfb0623448f5c54666a6b57111956291dcd7f5a4d181bca27e3145020dc777335c526de9ec2d3451247e2f3f3002408fb776a822a58c313e8616d49869e70d2e7926ab78c4f2c95e286db19b74770a15064005f43ccac5d10198033f1a16ef1b73e2323c65e432e36d88f691fe0099039c3205c2a7fe4765f0144c40af1e3f1de0bfd3acab42a72ecac8dc39a281f1c19b64c8c71eb8535c29c8f8b60a4aaad677de1e20a0f21a524e0bb3e1e91926c4021f3070eb5de9d98a8df57c41452f66e5ce5936a44c2f28964d40060785b473ea028eb849177849e72334592472ec6b9266ba318e4dab03e7fc0b6aeeda0ecbd71930b366a33a19fa73ec0ec86774ec8058516fa1771def7e4dbac84f8db1de0015aafbd1f2d74e64e65fe58fc43a361506c8326df8dd839b4192d6684be9a5ad7a314311338d8e70f500cc013737345f5bdf8e40c2691b6aef6dbca85f899a11f28e106230ec14e5d647a1d9ab31f34a1107621ce08ee5421e74da75fed5eb0c36720ac7bf257418746f2b2c0c9be338ceaef7d92553822f42548bdcaeaaea8e587244be6f308f3dca9392b7f4212460c5df99a70d00195f6aa67023b00fa611d4d09cabe9af0010edd6aab27dc4e4815cdd63292e5edb1a572dbf1c307cc0127d6ae1a2edfd548dfbcf3360079f6cb5de7778ead94d8ea779f40a51468df59c9f68f9b642929d27db1b62b28faa2f28889ef015c1b547c2a7fa8b98ceff4c4e721b8d7caac45aec0866c1e62eda03a822517e99d42a6a679d36aea470b4ae2a2f97fef10c28943ea9861b09ba728bb660b6bbe5b2f052c88b744bf24caaae05561feb1a5735f213b9bd71892f0188050dd475e72c9740ae547d17dba345b4fafa7aa952bd9e0639a2d3566ee4e9ad19515d523d2e4f36d26ff1e7ef1b609eb3b126823314ba667be6d09e7c435b4d6e68e5a8f1345e55f2a71d50b8b8b105b87c9be2458431d77b36ccd6f89235c8512dbb2d57f8c59f560879332543b473d0d19165422d731c2350156be4658e3d17ab99a5e2816e0bfeb8868a7cb38627522e5d2d86b7307a41f3ad81341c03ca0d7e571b4dbebf47d47a90638207314b6b00686d4427b56330750f0121d400e9d590df382d206d0d812187260693fd726374ab708767b3ff731a9774e56647d00e859363bbd82163dbfbad7876eb9f59177df7d61b778b6f3d7bdec7845e71ca9d580b4e31e47f422588d47691d26fae2c91a9cec647376c3061b1a41f12ad3ea960b18424e474d5462a6b43b3b083d7b8eb3cd3e3fb8ad176138ee32c53af44e90cf24ac6d1b3f3a0fc446c2b2d7211c2136b646c59ef7a8ac5a4faf92f201651879cab5905e6c5ad9b39ee8b357259ac5051ca342f48cb3b5f641e6cd4b740095645d8343e36752b1b57a0f6e303a6a7cf32fc24a3870bc0e3897e96712d82a1226ba8190e35d5c030376271bd0b9b847ee282bc64ea37e2740d6f9d933b26d7255701f8be67aac7299b091e2048947f23a93c985b761fb16454f89dd5cc893f1fa3aa7bd95015c9da68d57bcc35ea31bf25d69551683c6931093b2aadd0f37ed969977c3ccdd733ab7c2f4e9044c52b62bb1bd35e003f04997fed5be5cae12ed7ff297ccccf99f5aaf8488601f66f11b9cfdd0d91241fed97d3c0088963cfbe070f039e5fcac771780e6b2b245be54f17cfe37e425c0de47acc34e25519300a8afff1f835d63680fd56064190b99b6b0c723e7411d0b183ec38d0aae036bab9785586d3d50a0d062a3038681769da5820da23528c36df7f3c9a828fb0adb085ad78d7e6e4aef8f03c9a8d58346d1e28d60587f8ddb0e229c0265810ca93037a76f107de5cf9998413d3c68d6243afa58f2dff4bbb6a97c5c6cfb5f9dc23aa7393ff18ceadaf4bbc3deb8791ab6744ce12d16f90fff60c7d88ad8a30b82042edb1fb6c6411d873e295d3e86ff5ccb94ca3ae8bd5f6b6f6baef56ff9d9f00356a9ea3de0bd2fe57b27e053bb9c43b968d6df1b566c55bbb5cfdb63ea3de57945b10e6a3f47ee0d8ab2d7f8cc651eb5cbaa2c6b617062a51b3ac075fadbea8b53d0b6d626f8f422601b5970555af23daaa136003404a09be4da7e838550a9ef2de09228e09b6dc2cc97221bfd0ac131d90c33861c5b993c7248555c7a15c9d90fe9af8d8b0726206064249cf946b1d411ad00720e7bc8fb18a50376e236f6728abaac402c079cf7f67027fa945b4782c2a06ec557cc466964d2bf2cf0ec14ebdfe615cfb1133491ccc415e202f1ab98e3c738ea119238f3ccc569ff46181e0b82c4d96056e1d9861336ec1693ecccaec87086306a2a2d0a307c23534b7ccd69b929a228e000126b3b93d629afb1aa9f487a25701d6ee99e4cf2f5b9f207f73e11763352830ec4e195996180fc56c5d84d0615352894cf5b67f2b1e91974da5e501a8b09f090edde5e77c5366c947b3a2746ce229b5754f6427e403fcb271e487fccf3d74e0fe67009ce4d32c4fc1808882f1d4b65436887c30ac2a06f8c8c8f48d1dc75e1446f6e02f13305f0ac1c859912dab3370f14e7959902351550bd14b3d5b317d49280a614cc168828321052e72c9dc85363229509eecdf69f29633a0106284eacd3998c630db20e49958f0d8366044fc900284d5e8db58504fbd6975535a2ee1ead79b6cc88bc6831f661b1fee9d97dcd7f598338c12befa546a75c7bc8670d1a67e2ba26e887a979bb75dd041a02155669ef036a56fb6a09e102860e8b7c784b367da4df13f70a59c5bf9933e95654b7701b41963d33993a9e0f46e728113e6c6d1af537131e660fc783f6eca4c4955b4ffa5e69b9053ef13d7ce45b06c8ca19b089427137c2c4fe1d83960fa769571a7a5803886ae0e2e02555ecaa67a0dd06c1d8a963ad52aef1b26f73e9c57fd52286f2bc6ce8df8781d3c4c68912a05deaf4ef510089374b5a3ea63672190ae97c9a0c79dbd339b36ca5abfece9fbf33a0212ab92816befb48284a50dc3b3723b72c452f7045bb5276d9812a322c2711c831a4554a7c53288733fecbbbf9f48d272d6b65926e6491c7204b34f76048735d6256dc1a9ed16a62193ef707a785456133801b11691fdd576103235c6baf34cd1e6f0064bb73257598c1ca1a9ac923e1f15c3375dd1496e042aa31618ea4c48794deab0502b6dbe03c1a49ee52728fd3ec92389993e7464e8d8040e60b211d75bcec5adb4a19ca20af1f2232c652fc25159e12e858f3d07f08910093953401a8f70c11236df7992bc2e113e51b20b22a2296639fa6133b6015f802d66852bb2b4b698f1e8a81a76e67687d0b8508a371a3cfb18254265d57413dd9aaae3742eaa265f3456bf9dbdfb08fdf6b477a6a10fdad90e7a3355697aec35bf22a8f84b655ed7fb307d0489142c045faaa914e81c608e59c6f88b82749d9567c46aca74b4e1978b741a44795d277cf7243127e1597f2e5a3ae676b42c162909e2ace617e94f4be37ed7a939c279a4b0f6346c5f52f3bf1869e84850f7eb5cdca4b4c988afbdabb7d440a2ec3de96ec06b56b4b9701e95e5ca10b6589c2733c81269da2cfc17b3d47fa89dd30503200099ee675147c9e6f97da5e3a7856a4decc4b8c165c4ef804f41c533835ac27e46741496675a2431086b71971f0d40370dbbb119242adaf4e729ddf8d1e04b69a669486aff6a0ee039a66c9961c66e0d6d5f78f3a1fff5432c41265936aea1995776862f892861c937f5904d376a339dbf99a02cc9cff84c27f206c5afe488c953a574c797e99f22b5c917e5fd1a90f3c17a4868d0688696a13dc911ff02f1ad4b6203e9d92f77bbe78470dca7c72009d61b3df1e7871b60921a0d54a6ebcaa148260672a3aedff2f9764f8197d9a0b6c934cceb6820a41476eb1b6a9110af53bb182dbf95046145f6bdf102b1cfa86a5afa8b08e603fc927f0460fa9563545c88d7ca5916dfdb5c9b6c767d520679e66bf673ec64502185615b13d9a131fa4651e5c8b40eaa278c771c4fef3acc35ef76d167f79eb68279911984ac9da9e54eb431dd2340ca6c72e04c2da65412db02aaa324874f35b46c64cc57880b8089587a8d07e642201d30a2b61d6f4d6a25f729de0d9db63c6779cbf2a576a132b4028bf070686f89adfaa5ca91fade9b6f6b4df65a63848c502d2d24b94201e4713ecd2aafce1b7eb28ae4f96ab46476eefc5392d6ba2fe7220eb3458363b121c138d122a188c3dc60454f7ef6fbe7479cf56d1a20347d7960a7330ee392fbb02e0d5b59f7881035d8439568b8f438c0d91f38b1467eb4194f28f7a1558882f831aa7bf0679b0059c10180c66abaff9d238887a05ff23493cb18235efb163adc0a06a2c8099bbda391161ad30f52ab2c7627ab44e1ec88fcbfa08277e4418a7a2286601e56877d6269595c4885c64ea809e9c121caa5532d4aaeadb9e9e6651be49f25470bb0dee83448cd59ad75f4cdcdf2d6c3346d6065ca27b286622eb28fee3ce4399894dfbd1846725fad67fa2b818870e0aad72f9499e1fc776431e6fa6a6858f5c6f1f0b56126e8f912a126053d445f27429a596842da82b1c3b8308ffab9ca5d5c88a2d39b0f44968b0ab67222c6b93f8c0bc50b971c85bf56b5a5bc31f07ff08ab6a1a0efd540c6a576459d8a575315aa78bcf94595bcd6d5e6ec1a87dedd3d68b05b165669b092dfa982a46c280e74a34a0f8c70c8ed19ab900e2c03ad69eb6b27212135f5f24733ee36f8a575b61ac92220605305dc398214609f1e31edd55c8185c46fc00880f28beba2b50b042b26b20d8fd7f26fd662142b0440addcbd3a64e6ee99bb583676f96927d779481a0647ae6a8cc059d35daea794868326bdb485de1940b2a0c5b90489666a5ad85e2a4c336c730d0cc6280111fd237f90c67e4f6815889ffd803bd9cce441ac59e2aadd6e546f9ac17507798d056b2a421d381866b954c30d33a932a629b67e2745913efa188f9bbce163bb69ed44d12c9167c406883793d6e073e31f74637aa4a17c833e8e32f61a1f30c7e5a0bcc855822a97b8f50dda07cdd069129c234908c5b5f913f70cfa5c6ebbade99e2d4a5a9b2a872a1b1fc75c65337ddb01ea09c027bb0ab8c5bb00cfe363edbbcaaccd3b997cf926dd2ccdc64d98cdaa4389d8e3c46a789810929302c1e8d10c233932e1144928018bde47eaef06a82746533c7a4b9ffb519bcc35ce9f22bf1a3c48c8b111b8d8f4c3424689455aa6a7f74a615d155a747fa68bb7210b8557073f3fd7cfbcb3a57eab551aead27af9f716c1d528efcf4723c5755ddd767ba5543f9a7b1c112d10174ee53670c3efa51b94b73a0922dd298c2ae4bc7585bafc8404413f0042165cdf82fc68e9466646ef85d2a9b52bf523fe8094b7dd275c84288aa10f6fe14c5dd5f3e8b2e30e2f182083b5a1f4b0072bb58e0004fb9868578a1e1fcb8be370bfec6c5b2d0318eef1e9bb50ab89fd834ab0e625af5527a5e6f82f8a3a405eff949692ed2338cb902ca715293b77dadec10b53bf024f432daa9e080dd7f2810c25b850e8c2e0b405d1375275fa5e832390fdc7373e6977f682b358897fdf88ccd4f323356b80cc556eba9346d54c0472b377c06d453348058467141f388a523f6ee723496005e37bbb98d321df49a1884bc3561c19198cc35f2ff429ea6efe3161f569f92e1da035ff641f28c04a0a8064c94101ff7fae10b6a2b278cfbf572df771fa2f418875f6789a371f37167e03c26c143794808a9cba3f10821c3a9a6a419e06c57f5a6dff47370620808ab3cf1354a9c6ef3df8ac0f7256c498f6e49f4600973e7f6450eac82fddf8d4796723db8f2aeaa4c2eeb90405d1ac832bcc1a55bbffa814c3471d27765a5ed6edb3566edd96e20e6f108402df41b49faf48b75484ce9d37936b2f26672e807319017464e5c969602a55c80b87015b9e97a4ca9886fb973646865870cb31f71f4910078171caf39f72cdeaad984296d2e2b92cd1adeee99c4fd2b3013b296f399eb4ecdc03177ac292e562cbab5e054acd21318a4a10a4805330476c9099e3d7660d79a3b2b8be3c14d05fe246eb1c9964761289d097f71472a6beaa0127023697956632f8ba77250559a15ce9e7f270e6eb1edb62586cfc31cd4fcbed345891201cb9f2834761f84bd88f6ab147e6b3f1ff90139f9c6c4fcca9dca67f6f4474b102eb1d4765f13ddda3746d54e44bdd32806a9a8a179baf0f8d75593777e79ad9eb9a370db4ce21cf5fc496d6e521ddd7f2e86d2fce6bcd92f1dd8028592154f1a8734fedac7795d4c039d5ebd66d4ac8475a137ed935f20c7fad6ec11db1f86058949a36165489f84d9cda1b1bc1d4e247187d32e953e61716bb585c1d0454f7b965292fae8b22536dd70cab60356d1dbd744f7011c840ea57f5b80a17340138bbef39b38a34631fcb4ae8d262656ab1557b3d74e09da980adc68b54c5eb56ba9716374b1522367425691f578ca5d4cfdf22220b7694610d9eff4fad493158fdef22d1c936252b49153004e8c5ae8b53fc55dfc7aee6769d559dc6d0a439d4d709b116e3abb4ead94bc8cda7b0bd12c0a96a151ff242377453f06983beb82d144028101cfc7cb7b12abe9a1ce9de7f714f1c7c24357c98d11145b5a768f01b6e6f2b7dc7415fc8903152ef5ac63bc7c809dac26285b073ead41b407439c924534d55ab6996b7ecc14b7b499624b294b767111b76681e3bd0002113c7e3206caed1bb371017282861167e89adf88b8d62ff2eda57edbf34127932d7e0f30341c9dc91aadf9f536c32c97ba20607bd2711ce7fad2a83149529b060620ac3c8be317fcc60c721d23665f16c9e7eb87b8e591da318ca5d60a8cd6c7acc1d3c2d7a06e4483f0186f62e2ba305649189c5e53605892ca44ea79e249bc821f3e82e1c1583e7aadb19f0c574c2e138adaa6efbd425980613fbab36ff49733b6179e15246bc89971830913c0c225e6fd33bab45f351768e60d9016b5dbe6c9f4cce77d160878dcf7617c0ef4ca694e5296247c2b25e68f21aad91dbfd3570ff554b35b890a621845400369864133c4c47d049c5244b8fedde9583f6a393575339a30e67b722aaecb228a57c43ec86768f732eaa843d810a0faa286e1fbe63bdc46bf9e852e349d15c0a170c8fffabd3dc7839f6a8190b7184ec66bf453b4eb894885d61e9e21438073e1729f784790935607c7cfded186c2a6b134916d591421f72aef18288cd68f97f0998c659a81d73526766309ac0300415da7b642dfe8ba7e3c9c37af67b4893f119f69985e1e16f4bfc24a1dbb04462575658584d7a752252839e0787f8dd7c339ece7735d629018c7944e523b01ebef381626ef7a5808f3cd480608145f7ed753aecec1308e456ddfee4dfb559bb6fb36cfa647b5777228cee24821962f8350ed090a538f12a50724188e273c645315f4da6267f040104edf9029bbb4da1884407f8437f5d1665d870885f1bfcc6b28d3f367465ef32dae8fdb43ffbde43f567c66814edd3044600edb7d1a8f04cd3baaceebe9bc8d7bd026ac9a9e67bb78382bd068555baee3664a461831989b94c420c1bfc0b53e8e4a1b26a67764ff9d721bd676265bfd2d76548d3ee2aff5fa8c6f28673111195dd8108568c5baeb5928123cc3c1b07c07cfdfb5d1b71a90bc96b083b75ada40678238949c508ba6ce3af28e601b3ff5c087f63876b575fd2eb7323053775f5487a6dabf336946eda37230d3afe6a75e16af37a9193bf5ed51d5efbe577c4527d4cf0d0b8fa8a5f15c3a0c86b2984c2fa556522afdc5cf3989be38b3f1489a775cc80126f4d1a8441834285954db30d2035e886940aa2254c6a7fa3587c874574b47e8979ae0986eb3088e01a1a670b2d7b5f7f042960fea80d5a4b7db00cdcb715765d11897aac6584687657e883a35e36f6bb2e461ef2ffbb4694e11a41c08e8059b623f10c48f63c62fb5a371680dbcbaefc2f43d32e52de3db301729a1b604cf905eaf28e369efd2b04c8a6bb11d60be37de8897e2fd350db4d073e1e0ecdc8d430eadbcce1121b8707672e7be13b6d7f55feeac9255fee7808bc202d73ca18dc7b5a165d56eed13d674d686b32e5e1b363008b478444a6551f616b4549380f8a672ca159fdf34bd141f5de7b6dd367854ba7fd6658e0ab2ee66dd20f2bbf921f3cc5a0563ec062df41b6c9a4aadd81c262a9683ed1f5beed2cb04acb8ed18581103daeee290630e04d67226f6ac86d5c680cd7cf4c79256d383aad62adb72a01eec6d9f098efef19a0e2a5acaeb445b7101f575d355b78412015f131c0f41055d5c7c4ae60adade6c6fb97aa9226edb450e9c188133f2b5ab21b3600f488f34a18db510c4fb0c894345fc280833c53bb2bcc559bc70effc2b5eca18b6d2a609fba4f8f44f77c93b8ef7d642011a633d790ec454d67642a944ad1d2aa5e96bc51819452dbfd7177f3dd9e1579be6ac226caa88435614d0c29b519def4c5f36f85425bdaf8dbf6e858cd02aca16c6c9d82a0f18c5090080164047f2e975e9ffeac708d3a2b8be97695b2736897676ed49b9dfda9c890da00b0cb6da8a832264cdb48d8779e719246a6a830fd4033094135fd6b9e636240a4e0349526f4536b5bd4b736cdfcd4a0b7c5cd456799cf9de7fe2dc4021352d035c46fc026844f4485ecae7ad9895ec4be80b251ee82cb392bbd7183039d952a0d4d1ed64f506d9efe23b37f970187481518b39553343e89b89c2f6dcce66804b8d45e1d55ec1dc36cc679e462ef0170344a83a53bc23044a873d608da8320ac65e235db368ec238efc73a0203508252577fec225b42f66ed7935d065051184cc0371494b774893d57f30bcfbd03c71a5692a5caaf20789d4cd55e735f94098af00e67e7ab05445d0aa4ae5e9341a0bd13ec16b8fffad1ec16400a87741fcf99e0fa5ff0746b289e878605d3299cef6af5f66e6ddb2355d6387d4229529bedffda6fe0a77c0907cdfcf445c8c720eff421ee021081d34d0b73b54b3d84781a1ada9dc628a4b59f6253f1a3cff7e82c31014abdfb9015711302df5363c688e3232679cfe23c0b273f68c0e161f6548b3dc63e79e78879d8913c604b2e2e1479d3baef68d298c7e447c3d63eaf6d6003331130e4a70df1d89d4ac6bfc50c642cc8cc1b05040cae31594015470b104163e85a9f519ec28427b47a3a8a0b92dac1276436acbb54bac573e9b83af6955baaecb4bce382e3a4fa7497c2090c7b09d07dc08802666b3170b048f32a5e2b15ea0b47983b492c11092b2965020b95212512f554e5f682df2a59998bc4e001446ecd83c2da92777bb26d75957c8d170caff2d1572dee417551be25c2b0446cb6bbccead36a25e3a2f523bc9b6fe3537b3fe0aa0918ff2e90d41ab5d8203c9701bce444c75654c447d47af38893d3aeb5a1e2a9aeefedeb370856e18a5d8d9993f604cc8b426fbb2b25601df442b472e6b5d3c2dde368e1329c36b3915b82af2137dbe48a5ab8cf13af4b255dbd31ea11473575a63c08ff3d36ed69a0982b7e2faf5910693472572e02cd26f6516c534b3aa2dc2c514afac39c0505302e6e64a760e475bdc50b64f802fd83ffc56f99177e399c256d93b6fe616073e922ccea2b525ecc70eb2050aa8f78849593ea07476ed3a20d2fb50b3187dbe3e6ae2ad25a984b8bfc02b1a584fd52817f2c16f6d26828f8fe32f5863cd938c5d2c7cab425f6ceb0ffbe6df9c7fe9cc0c691c73a8c85f8c15e444af446d55533dce1da13b0be855eb55c3b875737d2d808069bc4635414c0b351a5d7445f5090602e8c23e34caad4dabb76072ce6ae8beaf03e48c627465dda54afd436d47f007c5b1c7b52cf55830d6a3dbcd561bac52be9e131182f46854ba40f55c86c7935413f3c9ebaedcf03d1f1632504826c687c14fad8ac88c613e1132a9380cd4259650f47d22a9432d8cb7b98cdddb3002d632bf8594a54219f40a87d10337a9ee57baac17f1bdbc0da79c5898fbf9ebb3dc1bb2ffe8ad5eb8ab90e70f448d5fe3fad48c56d1bfcd93dd5b11f413eaeb15c0056ce58e6652cffa6da783774a82e27db165d9d8363eb85fac1235aad08742b7a0de43fceac011431c3dbee7f921e8c450df5545947de40fa8ad3c2f8f52d1728c2fcf55f6d1ebbd74086b553b14dd513b6350e3a768b8678ca52b18189a5b85564134db150477a016b7824e73e59449451b33fddc3c4882bcfb8fadc832221b930ce558d1ee8981056a55dd9e93efb056e1f0eabfe7cba14af9e4525f606603b73db52ab6cf63e9ca95d7a6725b310044eef55661f6baa9775f96a245abd0122b84590b748d11e36778668804478853cc95a6b177be3e89ad0d4dd55cf07353cb8977d3bd98060e117840d167f0db84d406970401cb2938b18074c16b36f9fd560d2658a28f3aee83ffb01f39fd96972dbcddd32018d34891143f8288664e979993eba480034fdab02115f30ad476c5814c52236c013fbcf872b2bec78e28b9bade0d8068763d1c1507988bb08ec86bdc172be2728a56f5a01fe1666e4700cbc5dc1ef9f7674f1fa53a82de533f9084a762ef55562b17634c10f12f1430c0c7be8aa9798546cd20c5eff8408a3cb350afaddd7ee636cd8ec151e393db773f5bbd9e176a34373d86ef942dd0d79b9e271371ed04fc6bee281bbcbc2cb0964bfde1e396a4c18625e8e24c29951cbdc14718e6d5109b0c08565d7735b9bca70a223539dda13c5e09eedc6ac0cfbf99a4807070785cf8dcebbab95d7a05ef72583571f7cf3444111c2d7cf6631862d9975944aad75d7121705fae35559fcc29c10be0ef7945100115b9f3c54195f6ba9878e79c64132a7fe77767413faf8cbbecf2ff69e85ec340b5692343cbd35c12b18aabc308b5d49214f95c8abe9237658b6f43919438f0789c7154d639c21103181eb034aea16574d9b6b961ebaa798d75ac2904f37e5a683dbb687f10e0818620bbadd332c64b26e0a1f4c6f64cfe00b35e9c5c8265032b1bb6ba5b13d924d0d200a10249cf5b69919d56f2f8ee7d0400c4ebf7153181646511f2519b3bca740aec21d724ced7aa4b820ab901cdfea9c89112d9e50021c63c6707ad027f5ca0be19cb4de574ebbafd938b3e9570d8be400d97da0ee86ba610153c7075ffa8b175ef3946454d98d904b82ce7ca96ff4cbac78721ac8c31f05fbb8e42c55b32556888450385e35405c447660e6807c569b56a9f990e72d85a9ec7a825493800eb525bdaa89bffc60649d63fb0284a9c4fd576ad72a86371c8e8b2f43c27ce93027d0c7593926a6d69e87ea5795b61888c1aa80f605d1ba68fb1af27697f8a409f800b9405fc44a2b9542950272a93dbe235848a624a062475e5add956b5197b8ef53b358a9699db8f97597ab3c57c2944b11186e1df36974cc03a7c87606755b499406d36a35de492a26104537262c92b8738f13b77228da9da9a4204d570ddf9d0a531e500c8a74a39861bd0251600aaf50cad6aed53eb87d0c59dbd9ce85b1bd3f273c5feba378d9e6e43c8848d5ec133e47a9aa5bc6f49295e63884fcb22e77fc54e4941241b888a31aa59e107b714f37d474deb8b9a62bd3a6e3867e6b8a972ffcbdd03d0c486b23ded8d3e2b73ee1bddf6e6b882c2c99a76d84afbe43e940900401b12e2bb19faa9fc5f784f4fbf349d8a5fdb1d013bd26bc6ceb9c64ddecd8dd9296a4ace9362de6cad7bb3b395799a1c98d7ab4b909d19699256f2e028fa054ce49aa8645fe511b26b9008618461360e2a2d7f37d314d7c0952890d0bdc4aa6b3865b1a96a150c2dcf0ebbabd87f87c14285b7475ea9fb1a2b772092d94e4a2332122b14c958c48dc2d147d4f797e5cbb1ade04c953f37555803900b7091ad9c274db66dba1ad056534beb09ff8030ec81d88848d7089d787aaaf897a74f9f91692557e5b306cbc359b986356bdfe5682a624c554dc42f3e521c76711beaa01733ba252670a55910720d4e62e0d294f49c7a5be941ab31619b07f28784a8196105c38585cc580c163bf49652580005831db26cccceb5b7090ccbb64e3f688ee9129eb96c86d54b8e964b408b0dc8c7ed62b948f5b8aa34d2504b86738beb66c982288ebfd7b2b729af552856a2d69a43380d8e3582bf5a0844ad15b75115a79b3c343c89878acf7ae1caa8de40ff4e4477098611550bc2bd9b1babecabd881bbf974e3a45a1ad1d81816db8e485d029101155c57641e2839a65c77e5eb43ccd16f81f626bd74c084bacde9e7716266b39a463ab4a1f2055fbdc00c20ea10db76139a5b90e106bfa4a51f41d475c303d094b6aa0303775b834388fee4d6677e18deecb5eaf9e87c3ce3ed1fd31c48265872ab70cfa02a2ae532f431bced4a4d8a3a429cf87501da07cc214b18724ec1c587951ba0b1dc970bda7dc0ef804fdefebadee0965e023312ab274d01ff551753dc0b7afc85e10b68a9f56428cc2267fab541213b3ce4ce53b48aec637c8ea474774f6bdaa573f4eed9fd4998559a0670d82f622dc57e6e475c63c832aa4b17c31f83ba5d7ca5db9fdc57d4dbc9e8affaad3b65d1b6c83654c1043417f2b0ca0b1a93bc6796b4987ad6ba7a6a34ab279628d06e54a3c4bf0b75df9f602ac32d1ea696219afb6952a294f4b540cce84a33242e065c609afa4e97d83aed8fbc70e410bb4ac1e64656c713f72378bfbae088c13d3e8e1fadbd2f5cfa1718d26c9376cb66449aecd642d476cdd411ab79511ea6608cfc1686b83d4ea4a0f8f197a759b62753860ab0c47b8caa719338d29ee89c6953ed4beebf5685b8b2ba9eb59fcefa66329670c5fe2ca4435c41b5ec4bddd9a69aa5727f8c7026cc337e7f5ea2b85d3e6eadf65d1da59921e9601684cbd6db98176793a8a778e4f97171b0a271463c772de46a0436964b32a57a00ff7e9b78ca13c7461b83510e664df7c9cff87000730bc13d1873fff6820acdf616958584a2a2e22d4485153818ddfe711c3fc14fb30aa9336100044e5a37d30d6d246459a6c6c38a28b0ee36c5f4ded811a115f23d4853e71cfbc48617fc8d469baeafc65234b2284f93d2a41953de6549f9c41b571867bbb6ff418332d3cbcc109f85d59203bc4d40b080faa9496ca152ffea1641a2a4ee112dc0c847d2e48462d24a9a066c76ad222a70ef70373f65e9cf0780289af7a3d8d168265f3864c5d2e933bacfa2424be11948b89596109584ca6e8ee0144c3d99a82cfab8846844f118601ab906b0b44730d79c9169db3822060b3fe635b51c060ba336c774dd1a5612319c004cd5a626743a468607a7cce9fd29ece8b85e868444b17ce733e80d2eae2e43585ed707a50ce1b2a2173dceff5f35b4dfeb79a69e18ae83d3f8445f0dd7f896096bd7e10383a59f95db4cd85ed6e54ca1cf899e13cd8fcf8d894fdde52f8598fb1581d304ddb30b9ea55855c10e841f7d8f299aa638c7f426e8439ea12dc583595a27e7da4c00ad6e04975e7986d4d7f5182ad6ac51225ea5bf595012f4da7a714ff27a654cbc5614843c848aaa8d1e71be240742e0225408d964430303d332924cf588f4c0bfb75f32c2907095476f00465ce5377a0864ea08f2916a2194b915e61d9829ba0af574d7d8d4fc61be6557c49d9b1893796a674dcd4a2d0ab1540da21721f9ba2889d40d11d15a03f47fb9b4758fb5d396fc3ef09dd2eb17340651bbd4d4d302171b64a5d134a14c2f5761d69baf6e087645f1569ae3c9430bd62569a771c3c9d386357852630d14d59bccaae73e88e79fd335da885dbc26e317a560e886b46237a9bf974c90f17e8d1a3193eb8f6a8a4085fe6afcfc6625155f230cf9543577db3bb7206646fe6712ef6526bede90b1b6a2097c65e5fe31067891f4fc4290939e06c2dca3293634d1380cbea8776653dcd705517ec2d729f81f6402d576f5dabf30f4a8cdc49be08c481f63d7595360804f33291665408c80c03c205b4f72361e2950d32c7279a81d3d6a36479bb03f1ac6bfca0e129b096f3fc11b1a31322a3603bdbcf5f25ef6983aabfde61dbbfb31aebf6a6438c0de64b0fb581468f66ee9d1559cd86932cc10dfcfd6aa57117c1057fd8c1101721abe480d5f5069dfbe7b86cbb28d5c225733e9c7e7674418cc7696f6bc482688210a51cea3c76ba11c21c21d75191c1f92f2834c1a9f9c6d1be9ad98508e7b4876621c126d0a3b9432e15f6aef3241bebfc3cb8f2dab4b96f97a61ee2e7312845d3614d817793f6c40190d7b17ef2b7bfc8ce665fc927dfd178722fa98d37e58d5c3ea763893f1f46390b9e412bb7b986e6f26e6b4998a7b7252bee2a919d92a4f63bcbccf52f7a4236cac4964dce74ba8572e8481de412bb53a0ec1667d3f64526bce5b1d39bbeb8de188cb48a4da106d75927070fe2d32e39ec6b17bf04964082339dd202f683351fabfe38d8bc07b96495b56be9c69adf49958224936770455c97be2e895476df55af2d69e308a5b1f898d2d60896055b8f95f99cda6c961be77245025b3aae7411644fea5d5ed7c0f9fb6a9d48af4287b4be060236cee349ec67d4e94f6da473e30d4d406d95c62c1e7814aafe12b62e4ebfa9b4421b156a67e6743bb98d4bd17da6eec1e5a6591e5b6215675d6704257ca0cd1f71717e12fb61f365c8309df3e3e7646cf2ca5bf8fbb0e602e769c5510b11bbf114744ee38b80e0200a059a64daa7b699ea04851f976a7ac131cc0e2da1375524def3476375b4c4fc0e8e9e114f8873394b2ae418d4bff3bb202b523d2b7c897bbbac4f2af74dd5887ca6f5bfdc6a379332dd8f0a6a3b5792c1f1921642c1498dc23802f39f4e43e8f51f3415daa93f1985ad00c9e8768cad571d2016f57b05337882a38ad9f4470d205b1eb895de995fe90369bf0b6c0d73c5923465938cf6750d0a46ef63875d8eb0958c48459bae7ed3d0e6f1a4ff0c876e86f23f199e98d6fc6810cc76de5161e8c5d2e502ef34cdae2115a05ce7760248fbf9d29f89d80de97a7c4ce37d6999ed4c07f8ed151b79ca99ee5dd09997a3b46ebdf6d49f6cd679b8e78382dbe503ce80d0e16ec91260a81a8e783e8329afae6e8fd44a38e739c25adb41b9255b58f00138b008b836da2c6b6d2648b2405acba415fe62fcbc5b42fc53457edcb1fcd33e5ceb852368d203e52eb6c6e78cf2251e5bccbc84ba59315b0ec131f4d7918938aca1ae654dcf0175de3bd6738cc5d8c7e1e8a8fe6504a8509c8096771a310a646d260984ee9ac7a4f0a9711bec588f2f4509ff79b15f5f8f25dda90cff81f891754f2e4f018759f00fe2143dd5e41b70243bcfbc865404528f5ab9f0294df4a33d91655979a99966ed20dc8f71b998b7eef11a3f775ca329ddfd72b9fc903d68831c3fbf71f5272edf2fbecb8ddf3324c6deb3c9652ccf36a440b6d0c281d65028a08d8377a606e099c8ad9f42dcac63554b356a129a9e9573fcfb207b27baa436c6d4ddb4f8580d914a1263461e304db5e0815f7dd9b755db529032597b77053d40092e81f471ea9f9e151fcc3d75c82a53c4f9c1bd6751380cebc23aab182c9546a8382de635f413823ff33b0b7be5716623eda6bfcc2e65ea2ebcd8d70a6e0144a4d3259c66b79ebafcafb81463c38a8c549e1324384b40c0b50f560da0d8d975358f54153f286e78c8cfbc76cf3e2540614252d267ac9327d13fde8abc4b282014be61a11450aa26626c478ccab01c380f39cea9dc5d67501ab68b06bdcd7a83e021fae40a871189080f72b5bc388e5d1b7b9ed0dc64361df3bb16fdd9bbff821eda6d9c8f6eb4ebad0d80fc45576ab4426f0b390ce9fb42312c23430d040d85efa8cde8e1a3c47a082d33cbea897edf90b00820032156816c8cc1218b9cbc41108f910a9a072afb6d94c20b5daa083a8c6f1e49570a82b779b06e91e01e049165b8c31e0bfa5f27cfa8dbae38eb06202e05692a8c3e9604142ea1a8b5049050176f3f0fd7deb7094b96dca67a7fab85f80275b5616414ba3d11bed295420cb62860d5a01fe557eba85cab0dfbdd4ed1d7f30cdc0540690d7bfc99ff1e5975172fd8d1a31c8aeba8d5f4a3c402c736d11e5f9221de3b1ff8d88cffe418b47578fa17671b4b70ebdf40a36ec697ece2a6d2b170bd083c0efd515b81acdf567d259d9e4eb88adf806531bcb71f2dc8767476674ae2a516ec7cd69f396dfe2eac84b732b21008111b16796ea62181f264aaa19c362b426516c97bbdbbf0b0daa22240bad8ec46f7ad780d9eb488ce1e8d257b2463001d0b6efb20ab9a32a2a8c512652579e47911309d12d0e6657554e36e001a7b5ab76bd5450398cb8bbdc95af1bf6ff5032d0227d09de5c3d7723f01b31f7695d0bb9ee36ce353300ecbf558d33a13e5d998b5cec54b5968271a32ce79f80118678f2978011bbaa86de2c5208ec0d8a27530177aff08cc3cea393c6a99b548ecd27cb7cbe505f7ec0ba2cdbff7fc98215044eff87f28e65559c9b030a0676eac25552b5961084f162e8bb638d52c81b091ddbdaaf684c6f1cce30ff4c8c60f55148aed8bc5894c22114a2f37c483bd9d9eb809a483f918cd901f9c48251f8dcb19f35d61bf1105ec96e66ff132c0c98f104ba3694d817354be5b54aa4ff472d1246081249957ec24a608894a93ad18003cb35a752e91df73a688cd65b92b754071ce3f6328f76c6d6f455ec9ae6b2da422bfff203c6e8780e5f6d9263e624ca0f67da540d1897c1e4e41c8b70c4fd455fbd6649d36f54adb32a85ed69d81552ddf2e2878f85120b57279c645236986f1affba9e034017145436f7519e5681fa5b9940890979fb54be43bbf3edab1ff7eb6bf33f108e9ac1a08eb16c954b88a844e3119adf5950b44014eb6e2e801b52fcb7f132e73c90a500854889daf334eb214bcac70f4990de6a7043ee234489f88176e66bd858291d9de7054c6bdcedbb9f19ebedfab02d238b3dad7a1c81164845393d04f6ebbefcc12aeb4435ee17c39f40bc1fc24280da5d9f98c372fd5afc77f0d7f38658bb86153e8c7472376a5d735412237aea47881eb714a56fa8b01d13665bf5f8bec499d5ce22fffa67023a06e65a0102a2e0f1dc429a5dd109bc3de5bef59a8492c6f849e7cf1c2a665d6b5844e749d36a714fc4eb8f652fe79b889ef808d2d515a143bd50327674d18780056158238e627e37eaf784b4505976a7c3561f4c11d3d6507b4c18b802110be70e1266ecd65aa25fca95101be53f115bc97eae15376985c251c7a573cfe9c25a08cdeaf8947ee43a8811df8b17cbcadb416d8c3086d499e15c9ce6a2ff3f0a14b11fa51cbbd10e8c3d4cefe80d00110a008aff7aed1c6d66dfb2edfa2605d155c2d97a1c2877fd1bf4d770ed807c05226a6ba175466a682f96917edc482dda45c9cfb27755a7725912ffa86855c637bdb06cdd60d7c48a7559e5c603b8558d430d9e21ecaf8c51f26de813819fb878199014dea84874d11e319609135d4251944a93718a1549871f86355fe5a68d7606fc3f83bf746c52415b9650ea140eee5d36cd656a147ba6f1b20a1b9ecd8edd8995f6638811f14c06a67b4ab6800ed2367d05c103b290a38f653a80dbc7d75ff1ef5d33bd4556966a12ec5d841c8f2e4a188effa17e7717146acfc1fb55ca6b0d7fac7dc4cf555c31fd997f1b6c6efa9a1603c52997eaf97aaf8b905b62ab8b7eda2750b9832e96a6d88b17b2a15b8a3457c5a97357f0a6e4ae30bf054a4e74dfb2af63dad0b61ff21f4f95994201c284fe8f586948c544ff57e966e71831cabb038bf8bb5ffffb635e2f81eae099d8101d72ecd052af1d87b874f9bbc55eab02c151e601843afc2885ab9824b294c7d32e6352066793e8ccf66630748b92b4dd65e921a3fd65eaac38e1075dfb693547ffab4087b976da1f9afb9d3a71bd1150229740c4524ba4586067642afd1e879f1c20026776865e5aa7f398fe11d01523fef651a51831927c4ff33037a7266fbe6b3093c4b404805b0a3894ec6323198cf7f1ff8722b410825ce70a29765ee2ff045baa8bc882ddcc27fc068621403d8f35050937af5b2aa890c0e23df2b6d760108547ed30d6b52c5c26387b70c4fd455fbd6649d36f54adb32a85ed69d81552ddf2e2878f85120b57279c6f43fe992938b647c214a05d7d72a1e1aaaaa4c591b343a2c593b8a5a50d7156e@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootselinux-policy-3.14.3-139.el8_10.src.rpmselinux-policy-devel      /bin/sh/usr/bin/makecheckpolicym4policycoreutils-develrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)selinux-policyselinux-policy2.92.9-193.0.4-14.6.0-14.0-15.2-13.14.3-139.el8_103.14.3-139.el8_104.14.3eee7@eee)eyee@eKx@eSe@dd d"d@d!dr@d@doMd\dBzd7cc@ck@c@c @cEcn9@cQ8@cF@c@cd@bbb@bb@blb=bw@brjbbbN@b<]@b)@bs@b @ba@a7aNaa@aLa)@abapaZaC1a(a&0a @aj@a@`t`` @`Ȗ@`@`r`O@`OL@`@`3`-@`%@``U__H@_@__#_@_cO_BZ@_5+@_'@_!d_^^^^b^^@^^oj@^K^G@^0"@^&^ P@^@^[^g@^@^@]}@]e@]]Γ@]M@]@]]W]c@]n]y@]i]Z@]V]S]QT]J@]>]1]%@]$\F@\\ \@\ޢ@\\@\\\o@\f\ac\ac\Z@\Z@\T4\T4\P@@\I\@V>@V>@VVwV&@VVvVV<@VVpVhVetV\:@VTQ@VO @VA@V@V/g@V&,V&,V@VZVqVqV }@VBUU@U@U@UU@UȒ@UU@UUK@UUb@U'UU3@UJ@UUv@Uv@UHUB@U4@U.RU-@U#U:U@U hUT@TTE@T@T@TTT[@T T TfT T TTT@T@T}Ty@TxcTmTl@Tl@TeT`T\@TWn@TPTFJTAT=@T2@T*@T @T@TT=@T=@T@SSvS0S@SSSuSuSuS/SϣSS @S@S@SS"@SS-SDSSP@S~@S{CSr @Sj @Sj @ShSg}@SZN@SW@SQSCSCS>S:@S4S2@S1oS&S&S"@S!S L@S L@S@SS@Sz@S(S 4@S?SK@R@R@R'R'R>RRUR@R߲RR@R@RΏ@RʚRRRR@R@R@R@R@R@RiR@R|@Rz/@Rz/@RsRpRnQRi RfhR_@R_@R[RSRNRNRL RIgRB@RB@R:@R1R-@R-@R(r@R' R%@R7RRNRR@Q@QQdQQ@QQޞ@Q@QکQکQ@QzQQ4Q@@Q@QKQQ@Q@Q@Q@QQ@QQQQ@Q@QQQ@Qzl@Qw@QvwQo@Qo@QnQm=@QkQfQb@Q`@Q^QZ@QQQIQGQ@j@Q9Q8@Q4Q0@Q-@Q& @Q$QQ@QQ@Q @Qh@QsPP@P@PP@P[PP!@P8@PO@P @Pf@PPqP @PP7@P@PPPYP@P@PPPM@PPd@P@PoP{@P{@P@PP5@P@P~P}L@Px@PvPvPuc@Puc@Pr@Pmz@Pmz@Pmz@Pj@Pd?Pd?Pb@PaPaP[@PXb@PWPS@PQPO'PM@PIP@@P>@P8@P7lP2&P2&P,P,P*=P(@P#@P#@P!@P!@P@PkPw@Pw@PP

@NNU@NNl@N@N@NåN@NNNN@NNN@N@NGNGNGN@N@NNS@NS@N^N^N @N @NNj@Nj@NN$@NN@N/N@N@NFNFN@NNN@N@N@N]Ni@Ni@Ni@N|tNyNx@Ns:@NoENoENiNf @N^"@N\N[@NTNS@NS@NC@NBrN:N98@N7N6@N2N.@N*N)f@N(N%qN$ @N@N7@N e@NpNpM@M@Md@Md@MM{@M@M۝M@M@M‘@M@M@M@My@My@M3@M@M@MMM@MMMMTMx@Mx@Mv@MlMbSM[@MRMQ0@MQ0@MJMGMGMA^@M>@M9u@M6@M5M4/@M4/@M0:M,F@M$]@M@M9MMMMM\@M M M@L!L!L@LL@L@L@LOLOL[@L@L@Lr@L L,@L,@Lډ@L7LLLNL@LΫLeL|L@LB@LB@LB@L@LMLL@LdLL{L*@L@L5LLA@LLLL@LcL@L@L@LzL)@L|L|L|L{@LvW@LvW@Ls@Ls@LrbLrbLmLk@LjyLe3Lc@La?@LZLYV@LXLN@LN@LMxLMxLI@LH2LF@LEL=L=L=L;L7@L LT@L@LL@L@L0LLGL@K^K^KKKj@K$@KKK@K@KK@K]K޺K@KtK#@KKՀ@K:@KK͗@KŮ@K\K\K @KKKKK9@KK@KK@K@KKKKrKK~@K,K,K,K@KK8@KKK@KK@KqKqK}+K{@K{@KuBKs@KqN@KjKie@Kf@Ka|@K`*K]KXAKTM@KPXKEKEKEKD{@KC)KA@K;@K2@K0K/c@K+nK*@K(K"4@KK>K>K>JJęJH@JH@JJJ_@J@JjJjJ@Jv@Jv@Jv@Jv@J$J@JJ0@J@J@JG@JG@J@JJ@J@J@JJJ#J@JJJ@J:J@JJQJ@J J J|@JzJyt@Jyt@Jx"JrJrJq@Jn@Jn@JmJhPJeJ\s@JW-@JT@JS8JKOJI@JCfJCfJB@J@J@J?r@J<@J;}J:,@J7@J67J2C@J0J/@J,@J%@JJB@JJMJ J dJ@J@JJ@J*@J*@II@IIA@IIII@I@IIIX@IX@IX@II@I@IcIIo@Io@IzI)@I@IܑI@@II@I@I@IԨIд@I̿In@I3I3I@II@I@IV@IIaIIm@I@I'@II2III@IIIIIIII@III@I1I@III~@I}Iy@Ix_Iw@IuItk@Itk@Io%@Ik0IeIcGIa@I`IVIO@IJ;@IHIAI>]I= @I7@I6tI3I-I@III9@I9@II IP@I@IIg@Ig@HHH@HrH~@H,H@HCHHH @H @Hf@Hf@H@H+H@H׈H׈H7@HBH@HǶH@HH|@HHH@H{@H)HHL@H@H@H@HnH}H|@Ht@HsVHr@Hl@HkmHgy@HcH`H_@H^>HRa@HQHQHO@HFHFH$@DX@DU@DN@DN@DLDH@DGwDGwDDD@@D?D?D;@D;@D:HD:HD2_D1@D1@D-D+@D+@D'D!<@D!<@D!<@DDD@D@D@DDDDDD@D@D@D@D uD $@D D @D @DDDFC@C@C@C@CCCCCR@CCCCC@Ci@CC@C@CtC@C@CC:@CECCC @C @CعCعCعCعCC@C-C-C-C@C@CCǖ@C@CáCáCP@CP@C[C @C @CCg@Cg@CCC!@C~@C,C@CCCCC@CC@C@C@CZCZC @C @CCCf@Cf@Cf@CC@CqCqC @C @C @CCC}@C7@C7@C7@CBCBCYC@C@CC}@CqCqZdenek Pytela - 3.14.3-139Zdenek Pytela - 3.14.3-138Zdenek Pytela - 3.14.3-137Zdenek Pytela - 3.14.3-136Zdenek Pytela - 3.14.3-135Zdenek Pytela - 3.14.3-134Zdenek Pytela - 3.14.3-133Zdenek Pytela - 3.14.3-132Zdenek Pytela - 3.14.3-131Lukas Vrabec - 3.14.3-130Lukas Vrabec - 3.14.3-129Zdenek Pytela - 3.14.3-128Zdenek Pytela - 3.14.3-127Zdenek Pytela - 3.14.3-126Zdenek Pytela - 3.14.3-125Zdenek Pytela - 3.14.3-124Zdenek Pytela - 3.14.3-123Nikola Knazekova - 3.14.3-122Zdenek Pytela - 3.14.3-121Zdenek Pytela - 3.14.3-120Zdenek Pytela - 3.14.3-119Zdenek Pytela - 3.14.3-118Zdenek Pytela - 3.14.3-117Zdenek Pytela - 3.14.3-116Zdenek Pytela - 3.14.3-115Zdenek Pytela - 3.14.3-114Zdenek Pytela - 3.14.3-113Zdenek Pytela - 3.14.3-112Zdenek Pytela - 3.14.3-111Zdenek Pytela - 3.14.3-110Zdenek Pytela - 3.14.3-109Zdenek Pytela - 3.14.3-108Zdenek Pytela - 3.14.3-107Zdenek Pytela - 3.14.3-106Zdenek Pytela - 3.14.3-105Zdenek Pytela - 3.14.3-104Zdenek Pytela - 3.14.3-103Zdenek Pytela - 3.14.3-102Zdenek Pytela - 3.14.3-101Zdenek Pytela - 3.14.3-100Zdenek Pytela - 3.14.3-99Zdenek Pytela - 3.14.3-98Nikola Knazekova - 3.14.3-97Zdenek Pytela - 3.14.3-96Zdenek Pytela - 3.14.3-95Nikola Knazekova nknazeko@redhat.com - 3.14.3-94Zdenek Pytela - 3.14.3-93Zdenek Pytela - 3.14.3-92Zdenek Pytela - 3.14.3-91Zdenek Pytela - 3.14.3-90Zdenek Pytela - 3.14.3-89Zdenek Pytela - 3.14.3-88Zdenek Pytela - 3.14.3-87Zdenek Pytela - 3.14.3-86Zdenek Pytela - 3.14.3-85Zdenek Pytela - 3.14.3-84Zdenek Pytela - 3.14.3-83Zdenek Pytela - 3.14.3-82Zdenek Pytela - 3.14.3-81Zdenek Pytela - 3.14.3-80Zdenek Pytela - 3.14.3-79Zdenek Pytela - 3.14.3-78Zdenek Pytela - 3.14.3-77Zdenek Pytela - 3.14.3-76Zdenek Pytela - 3.14.3-75Zdenek Pytela - 3.14.3-74Zdenek Pytela - 3.14.3-73Zdenek Pytela - 3.14.3-72Zdenek Pytela - 3.14.3-71Zdenek Pytela - 3.14.3-70Zdenek Pytela - 3.14.3-69Zdenek Pytela - 3.14.3-68Zdenek Pytela - 3.14.3-67Zdenek Pytela - 3.14.3-66Zdenek Pytela - 3.14.3-65Zdenek Pytela - 3.14.3-64Zdenek Pytela - 3.14.3-63Zdenek Pytela - 3.14.3-62Zdenek Pytela - 3.14.3-61Zdenek Pytela - 3.14.3-60Zdenek Pytela - 3.14.3-59Zdenek Pytela - 3.14.3-58Zdenek Pytela - 3.14.3-57Zdenek Pytela - 3.14.3-56Zdenek Pytela - 3.14.3-55Zdenek Pytela - 3.14.3-54Zdenek Pytela - 3.14.3-53Zdenek Pytela - 3.14.3-52Zdenek Pytela - 3.14.3-51Zdenek Pytela - 3.14.3-50Zdenek Pytela - 3.14.3-49Zdenek Pytela - 3.14.3-48Zdenek Pytela - 3.14.3-47Zdenek Pytela - 3.14.3-46Zdenek Pytela - 3.14.3-45Zdenek Pytela - 3.14.3-44Zdenek Pytela - 3.14.3-43Zdenek Pytela - 3.14.3-42Zdenek Pytela - 3.14.3-41Lukas Vrabec - 3.14.3-40Lukas Vrabec - 3.14.3-39Zdenek Pytela - 3.14.3-38Lukas Vrabec - 3.14.3-37Lukas Vrabec - 3.14.3-36Lukas Vrabec - 3.14.3-35Lukas Vrabec - 3.14.3-34Lukas Vrabec - 3.14.3-33Lukas Vrabec - 3.14.3-32Lukas Vrabec - 3.14.3-31Zdenek Pytela - 3.14.3-30Lukas Vrabec - 3.14.3-29Lukas Vrabec - 3.14.3-28Lukas Vrabec - 3.14.3-27Lukas Vrabec - 3.14.3-26Lukas Vrabec - 3.14.3-25Lukas Vrabec - 3.14.3-24Lukas Vrabec - 3.14.3-23Lukas Vrabec - 3.14.3-22Lukas Vrabec - 3.14.3-21Lukas Vrabec - 3.14.3-20Lukas Vrabec - 3.14.3-19Lukas Vrabec - 3.14.3-18Lukas Vrabec - 3.14.3-17Lukas Vrabec - 3.14.3-16Lukas Vrabec - 3.14.3-15Lukas Vrabec - 3.14.3-14Lukas Vrabec - 3.14.3-13Lukas Vrabec - 3.14.3-12Lukas Vrabec - 3.14.3-11Lukas Vrabec - 3.14.3-10Lukas Vrabec - 3.14.3-9Lukas Vrabec - 3.14.3-8Lukas Vrabec - 3.14.3-7Lukas Vrabec - 3.14.3-6Lukas Vrabec - 3.14.3-5Lukas Vrabec - 3.14.3-4Lukas Vrabec - 3.14.3-3Lukas Vrabec - 3.14.3-2Lukas Vrabec - 3.14.3-1Lukas Vrabec - 3.14.1-61Lukas Vrabec - 3.14.1-60Lukas Vrabec - 3.14.1-59Lukas Vrabec - 3.14.1-58Lukas Vrabec - 3.14.1-57Lukas Vrabec - 3.14.1-56Lukas Vrabec - 3.14.1-55Lukas Vrabec - 3.14.1-54Lukas Vrabec - 3.14.1-53Lukas Vrabec - 3.14.1-52Lukas Vrabec - 3.14.1-51Lukas Vrabec - 3.14.1-50Lukas Vrabec - 3.14.1-49Lukas Vrabec - 3.14.1-48Lukas Vrabec - 3.14.1-47Lukas Vrabec - 3.14.1-46Lukas Vrabec - 3.14.1-45Lukas Vrabec - 3.14.1-44Lukas Vrabec - 3.14.1-43Lukas Vrabec - 3.14.1-42Lukas Vrabec - 3.14.1-41Lukas Vrabec - 3.14.1-40Lukas Vrabec - 3.14.1-39Lukas Vrabec - 3.14.1-38Lukas Vrabec - 3.14.1-37Lukas Vrabec - 3.14.1-36Daniel Kopeček - 3.14.1-35Lukas Vrabec - 3.14.1-34Lukas Vrabec - 3.14.1-33Lukas Vrabec - 3.14.1-32Lukas Vrabec - 3.14.1-31Lukas Vrabec - 3.14.1-30Lukas Vrabec - 3.14.1-29Lukas Vrabec - 3.14.1-28Lukas Vrabec - 3.14.1-27Lukas Vrabec - 3.14.1-26Lukas Vrabec - 3.14.1-25Lukas Vrabec - 3.14.1-24Lukas Vrabec - 3.14.1-23Lukas Vrabec - 3.14.1-22Lukas Vrabec - 3.14.1-21Lukas Vrabec - 3.14.1-20Lukas Vrabec - 3.14.1-19Lukas Vrabec - 3.14.1-18Lukas Vrabec - 3.14.1-17Lukas Vrabec - 3.14.1-16Lukas Vrabec - 3.14.1-15Lukas Vrabec - 3.14.1-14Lukas Vrabec - 3.14.1-13Lukas Vrabec - 3.14.1-12Lukas Vrabec - 3.14.1-11Lukas Vrabec - 3.14.1-10Lukas Vrabec - 3.14.1-9Igor Gnatenko - 3.14.1-8Lukas Vrabec - 3.14.1-7Lukas Vrabec - 3.14.1-6Lukas Vrabec - 3.14.1-5Lukas Vrabec - 3.14.1-4Lukas Vrabec - 3.14.1-3Lukas Vrabec - 3.14.1-2Lukas Vrabec - 3.14.1-1Lukas Vrabec - 3.13.1-310Lukas Vrabec - 3.13.1-309Lukas Vrabec - 3.13.1-308Lukas Vrabec - 3.13.1-307Lukas Vrabec - 3.13.1-306Lukas Vrabec - 3.13.1-305Lukas Vrabec - 3.13.1-304Lukas Vrabec - 3.13.1-303Lukas Vrabec - 3.13.1-302Lukas Vrabec - 3.13.1-301Lukas Vrabec - 3.13.1-300Lukas Vrabec - 3.13.1-299Lukas Vrabec - 3.13.1-298Lukas Vrabec - 3.13.1-297Lukas Vrabec - 3.13.1-296Lukas Vrabec - 3.13.1-295Lukas Vrabec - 3.13.1-294Petr Lautrbach - 3.13.1-293Lukas Vrabec - 3.13.1-292Lukas Vrabec - 3.13.1-291Lukas Vrabec - 3.13.1-290Lukas Vrabec - 3.13.1-289Lukas Vrabec - 3.13.1-288Lukas Vrabec - 3.13.1-287Lukas Vrabec - 3.13.1-286Lukas Vrabec - 3.13.1-285Lukas Vrabec - 3.13.1-284Lukas Vrabec - 3.13.1-283Lukas Vrabec - 3.13.1-282Lukas Vrabec - 3.13.1-281Lukas Vrabec - 3.13.1-280Lukas Vrabec - 3.13.1-279Lukas Vrabec - 3.13.1-278Lukas Vrabec - 3.13.1-277Lukas Vrabec - 3.13.1-276Lukas Vrabec - 3.13.1-275Lukas Vrabec - 3.13.1-274Lukas Vrabec - 3.13.1-273Lukas Vrabec - 3.13.1-272Lukas Vrabec - 3.13.1-271Lukas Vrabec - 3.13.1-270Lukas Vrabec - 3.13.1-269Petr Lautrbach - 3.13.1-268Lukas Vrabec - 3.13.1-267Fedora Release Engineering - 3.13.1-266Lukas Vrabec - 3.13.1-265Lukas Vrabec - 3.13.1-264Lukas Vrabec - 3.13.1-263Lukas Vrabec - 3.13.1-262Lukas Vrabec - 3.13.1-261Lukas Vrabec - 3.13.1-260Lukas Vrabec - 3.13.1-258Lukas Vrabec - 3.13.1-257Lukas Vrabec - 3.13.1-256Lukas Vrabec - 3.13.1-255Lukas Vrabec - 3.13.1-254Lukas Vrabec - 3.13.1-253Michael Scherer - 3.13.1-252Lukas Vrabec - 3.13.1-251Lukas Vrabec - 3.13.1-250Lukas Vrabec - 3.13.1-249Adam Williamson - 3.13.1-248Lukas Vrabec - 3.13.1-247Lukas Vrabec - 3.13.1-246Lukas Vrabec - 3.13.1-245Lukas Vrabec - 3.13.1-244Lukas Vrabec - 3.13.1-243Lukas Vrabec - 3.13.1-242Lukas Vrabec - 3.13.1-241Lukas Vrabec - 3.13.1-240Lukas Vrabec - 3.13.1-239Lukas Vrabec - 3.13.1-238Lukas Vrabec - 3.13.1-237Lukas Vrabec - 3.13.1-236Lukas Vrabec - 3.13.1-235Lukas Vrabec - 3.13.1-234Lukas Vrabec - 3.13.1-233Lukas Vrabec - 3.13.1-232Lukas Vrabec - 3.13.1-231Lukas Vrabec - 3.13.1-230Lukas Vrabec - 3.13.1-229Lukas Vrabec - 3.13.1-228Lukas Vrabec - 3.13.1-227Lukas Vrabec - 3.13.1-226Lukas Vrabec - 3.13.1-225Lukas Vrabec - 3.13.1-224Lukas Vrabec - 3.13.1-223Lukas Vrabec - 3.13.1-222Miroslav Grepl - 3.13.1-221Lukas Vrabec - 3.13.1-220Lukas Vrabec - 3.13.1-219Colin Walters - 3.13.1-218Lukas Vrabec 3.13.1-216Lukas Vrabec 3.13.1-215Lukas Vrabec 3.13.1-214Lukas Vrabec 3.13.1-213Lukas Vrabec 3.13.1-212Lukas Vrabec 3.13.1-211Lukas Vrabec 3.13.1-210Lukas Vrabec 3.13.1-209Lukas Vrabec 3.13.1-208Lukas Vrabec 3.13.1-207Lukas Vrabec 3.13.1-206Lukas Vrabec 3.13.1-205Lukas Vrabec 3.13.1-204Lukas Vrabec 3.13.1-203Lukas Vrabec 3.13.1-202Lukas Vrabec 3.13.1-201Lukas Vrabec 3.13.1-200Lukas Vrabec 3.13.1-199Lukas Vrabec 3.13.1-198Lukas Vrabec 3.13.1-197Lukas Vrabec 3.13.1-196Lukas Vrabec 3.13.1-195Lukas Vrabec 3.13.1-194Lukas Vrabec 3.13.1-193Lukas Vrabec 3.13.1-192Lukas Vrabec 3.13.1-191Lukas Vrabec 3.13.1-190Lukas Vrabec 3.13.1-189Lukas Vrabec 3.13.1-188Lukas Vrabec 3.13.1-187Lukas Vrabec 3.13.1-186Lukas Vrabec 3.13.1-185Lukas Vrabec 3.13.1-184Lukas Vrabec 3.13.1-183Lukas Vrabec 3.13.1-182Lukas Vrabec 3.13.1-181Lukas Vrabec 3.13.1-180Lukas Vrabec 3.13.1-179Lukas Vrabec 3.13.1-178Lukas Vrabec 3.13.1-177Lukas Vrabec 3.13.1-176Lukas Vrabec 3.13.1-175Lukas Vrabec 3.13.1-174Lukas Vrabec 3.13.1-173Lukas Vrabec 3.13.1-172Lukas Vrabec 3.13.1-171Lukas Vrabec 3.13.1-170Lukas Vrabec 3.13.1-169Lukas Vrabec 3.13.1-168Lukas Vrabec 3.13.1-167Lukas Vrabec 3.13.1-166Lukas Vrabec 3.13.1-165Lukas Vrabec 3.13.1-164Lukas Vrabec 3.13.1-163Miroslav Grepl 3.13.1-162Lukas Vrabec 3.13.1-161Lukas Vrabec 3.13.1-160Miroslav Grepl 3.13.1-159Miroslav Grepl 3.13.1-158Miroslav Grepl 3.13.1-157Lukas Vrabec 3.13.1-156Lukas Vrabec 3.13.1-155Lukas Vrabec 3.13.1-154Lukas Vrabec 3.13.1-153Lukas Vrabec 3.13.1-152Lukas Vrabec 3.13.1-151Lukas Vrabec 3.13.1-150Lukas Vrabec 3.13.1-149Lukas Vrabec 3.13.1-148Lukas Vrabec 3.13.1-147Lukas Vrabec 3.13.1-146Lukas Vrabec 3.13.1-145Lukas Vrabec 3.13.1-144Miroslav Grepl 3.13.1-143Lukas Vrabec 3.13.1-142Lukas Vrabec 3.13.1-141Miroslav Grepl 3.13.1-140Lukas Vrabec 3.13.1-139Lukas Vrabec 3.13.1-138Lukas Vrabec 3.13.1-137Lukas Vrabec 3.13.1-136Lukas Vrabec 3.13.1-135Lukas Vrabec 3.13.1-134Lukas Vrabec 3.13.1-133Lukas Vrabec 3.13.1-132Lukas Vrabec 3.13.1-131Miroslav Grepl 3.13.1-130Miroslav Grepl 3.13.1-129Miroslav Grepl 3.13.1-128Lukas Vrabec 3.13.1-127Lukas Vrabec 3.13.1-126Lukas Vrabec 3.13.1-125Lukas Vrabec 3.13.1-124Lukas Vrabec 3.13.1-123Lukas Vrabec 3.13.1-122Lukas Vrabec 3.13.1-121Lukas Vrabec 3.13.1-120Lukas Vrabec 3.13.1-119Lukas Vrabec 3.13.1-118Lukas Vrabec 3.13.1-117Lukas Vrabec 3.13.1-116Lukas Vrabec 3.13.1-115Lukas Vrabec 3.13.1-114Lukas Vrabec 3.13.1-113Lukas Vrabec 3.13.1-112Lukas Vrabec 3.13.1-111Lukas Vrabec 3.13.1-110Lukas Vrabec 3.13.1-109Lukas Vrabec 3.13.1-108Lukas Vrabec 3.13.1-107Lukas Vrabec 3.13.1-106Lukas Vrabec 3.13.1-105Lukas Vrabec 3.13.1-104Dan Walsh 3.13.1-103Lukas Vrabec 3.13.1-101Lukas Vrabec 3.13.1-100Lukas Vrabec 3.13.1-99Lukas Vrabec 3.13.1-98Lukas Vrabec 3.13.1-97Lukas Vrabec 3.13.1-96Lukas Vrabec 3.13.1-95Lukas Vrabec 3.13.1-94Lukas Vrabec 3.13.1-93Lukas Vrabec 3.13.1-92Lukas Vrabec 3.13.1-91Lukas Vrabec 3.13.1-90Lukas Vrabec 3.13.1-89Lukas Vrabec 3.13.1-88Miroslav Grepl 3.13.1-87Lukas Vrabec 3.13.1-86Lukas Vrabec 3.13.1-85Lukas Vrabec 3.13.1-84Lukas Vrabec 3.13.1-83Miroslav Grepl 3.13.1-82Lukas Vrabec 3.13.1-81Lukas Vrabec 3.13.1-80Lukas Vrabec 3.13.1-79Lukas Vrabec 3.13.1-78Lukas Vrabec 3.13.1-77Lukas Vrabec 3.13.1-76Lukas Vrabec 3.13.1-75Kevin Fenzi - 3.13.1-74Lukas Vrabec 3.13.1-73Lukas Vrabec 3.13.1-72Miroslav Grepl 3.13.1-71Miroslav Grepl 3.13.1-70Tom Callaway 3.13.1-69Miroslav Grepl 3.13.1-68Lukas Vrabec 3.13.1-67Miroslav Grepl 3.13.1-66Lukas Vrabec 3.13.1-65Lukas Vrabec 3.13.1-64Miroslav Grepl 3.13.1-63Miroslav Grepl 3.13.1-62Miroslav Grepl 3.13.1-61Miroslav Grepl 3.13.1-60Miroslav Grepl 3.13.1-59Miroslav Grepl 3.13.1-58Miroslav Grepl 3.13.1-57Fedora Release Engineering - 3.13.1-56Miroslav Grepl 3.13.1-55Miroslav Grepl 3.13.1-54Miroslav Grepl 3.13.1-53Miroslav Grepl 3.13.1-52Miroslav Grepl 3.13.1-51Miroslav Grepl 3.13.1-50Miroslav Grepl 3.13.1-49Miroslav Grepl 3.13.1-48Miroslav Grepl 3.13.1-47Miroslav Grepl 3.13.1-46Miroslav Grepl 3.13.1-45Miroslav Grepl 3.13.1-44Miroslav Grepl 3.13.1-43Miroslav Grepl 3.13.1-42Miroslav Grepl 3.13.1-41Miroslav Grepl 3.13.1-40Miroslav Grepl 3.13.1-39Miroslav Grepl 3.13.1-38Miroslav Grepl 3.13.1-37Miroslav Grepl 3.13.1-36Miroslav Grepl 3.13.1-35Miroslav Grepl 3.13.1-34Miroslav Grepl 3.13.1-33Miroslav Grepl 3.13.1-32Miroslav Grepl 3.13.1-31Miroslav Grepl 3.13.1-30Miroslav Grepl 3.13.1-29Miroslav Grepl 3.13.1-28Miroslav Grepl 3.13.1-27Miroslav Grepl 3.13.1-26Miroslav Grepl 3.13.1-25Miroslav Grepl 3.13.1-24Miroslav Grepl 3.13.1-23Miroslav Grepl 3.13.1-22Miroslav Grepl 3.13.1-21Miroslav Grepl 3.13.1-20Miroslav Grepl 3.13.1-19Miroslav Grepl 3.13.1-18Miroslav Grepl 3.13.1-17Miroslav Grepl 3.13.1-16Miroslav Grepl 3.13.1-15Miroslav Grepl 3.13.1-14Miroslav Grepl 3.13.1-13Miroslav Grepl 3.13.1-12Miroslav Grepl 3.13.1-11Miroslav Grepl 3.13.1-10Miroslav Grepl 3.13.1-9Miroslav Grepl 3.13.1-8Miroslav Grepl 3.13.1-7Miroslav Grepl 3.13.1-6Miroslav Grepl 3.13.1-5Miroslav Grepl 3.13.1-4Miroslav Grepl 3.13.1-3Dan Walsh 3.13.1-2Miroslav Grepl 3.13.1-1Miroslav Grepl 3.12.1-100Miroslav Grepl 3.12.1-99Miroslav Grepl 3.12.1-98Miroslav Grepl 3.12.1-97Miroslav Grepl 3.12.1-96Miroslav Grepl 3.12.1-95Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-93Miroslav Grepl 3.12.1-92Miroslav Grepl 3.12.1-91Miroslav Grepl 3.12.1-90Miroslav Grepl 3.12.1-89Miroslav Grepl 3.12.1-88Miroslav Grepl 3.12.1-87Miroslav Grepl 3.12.1-86Miroslav Grepl 3.12.1-85Miroslav Grepl 3.12.1-84Miroslav Grepl 3.12.1-83Miroslav Grepl 3.12.1-82Miroslav Grepl 3.12.1-81Miroslav Grepl 3.12.1-80Miroslav Grepl 3.12.1-79Miroslav Grepl 3.12.1-78Miroslav Grepl 3.12.1-77Miroslav Grepl 3.12.1-76Miroslav Grepl 3.12.1-75Miroslav Grepl 3.12.1-74Miroslav Grepl 3.12.1-73Miroslav Grepl 3.12.1-72Miroslav Grepl 3.12.1-71Miroslav Grepl 3.12.1-70Miroslav Grepl 3.12.1-69Miroslav Grepl 3.12.1-68Miroslav Grepl 3.12.1-67Miroslav Grepl 3.12.1-66Miroslav Grepl 3.12.1-65Miroslav Grepl 3.12.1-64Miroslav Grepl 3.12.1-63Miroslav Grepl 3.12.1-62Miroslav Grepl 3.12.1-61Miroslav Grepl 3.12.1-60Miroslav Grepl 3.12.1-59Miroslav Grepl 3.12.1-58Miroslav Grepl 3.12.1-57Miroslav Grepl 3.12.1-56Miroslav Grepl 3.12.1-55Miroslav Grepl 3.12.1-54Miroslav Grepl 3.12.1-53Miroslav Grepl 3.12.1-52Miroslav Grepl 3.12.1-51Miroslav Grepl 3.12.1-50Miroslav Grepl 3.12.1-49Miroslav Grepl 3.12.1-48Miroslav Grepl 3.12.1-47Miroslav Grepl 3.12.1-46Miroslav Grepl 3.12.1-45Miroslav Grepl 3.12.1-44Miroslav Grepl 3.12.1-43Miroslav Grepl 3.12.1-42Miroslav Grepl 3.12.1-41Miroslav Grepl 3.12.1-40Miroslav Grepl 3.12.1-39Miroslav Grepl 3.12.1-38Miroslav Grepl 3.12.1-37Miroslav Grepl 3.12.1-36Miroslav Grepl 3.12.1-35Miroslav Grepl 3.12.1-34Miroslav Grepl 3.12.1-33Miroslav Grepl 3.12.1-32Miroslav Grepl 3.12.1-31Miroslav Grepl 3.12.1-30Miroslav Grepl 3.12.1-29Dan Walsh 3.12.1-28Dan Walsh 3.12.1-27Miroslav Grepl 3.12.1-26Miroslav Grepl 3.12.1-25Miroslav Grepl 3.12.1-24Miroslav Grepl 3.12.1-23Miroslav Grepl 3.12.1-22Miroslav Grepl 3.12.1-21Miroslav Grepl 3.12.1-20Miroslav Grepl 3.12.1-19Miroslav Grepl 3.12.1-18Miroslav Grepl 3.12.1-17Miroslav Grepl 3.12.1-16Miroslav Grepl 3.12.1-15Miroslav Grepl 3.12.1-14Miroslav Grepl 3.12.1-13Miroslav Grepl 3.12.1-12Miroslav Grepl 3.12.1-11Miroslav Grepl 3.12.1-10Miroslav Grepl 3.12.1-9Miroslav Grepl 3.12.1-8Miroslav Grepl 3.12.1-7Miroslav Grepl 3.12.1-6Miroslav Grepl 3.12.1-5Miroslav Grepl 3.12.1-4Miroslav Grepl 3.12.1-3Miroslav Grepl 3.12.1-2Miroslav Grepl 3.12.1-1Dan Walsh 3.11.1-69.1Miroslav Grepl 3.11.1-69Miroslav Grepl 3.11.1-68Miroslav Grepl 3.11.1-67Miroslav Grepl 3.11.1-66Miroslav Grepl 3.11.1-65Miroslav Grepl 3.11.1-64Miroslav Grepl 3.11.1-63Miroslav Grepl 3.11.1-62Miroslav Grepl 3.11.1-61Miroslav Grepl 3.11.1-60Miroslav Grepl 3.11.1-59Miroslav Grepl 3.11.1-58Miroslav Grepl 3.11.1-57Miroslav Grepl 3.11.1-56Miroslav Grepl 3.11.1-55Miroslav Grepl 3.11.1-54Miroslav Grepl 3.11.1-53Miroslav Grepl 3.11.1-52Miroslav Grepl 3.11.1-51Miroslav Grepl 3.11.1-50Miroslav Grepl 3.11.1-49Miroslav Grepl 3.11.1-48Miroslav Grepl 3.11.1-47Miroslav Grepl 3.11.1-46Miroslav Grepl 3.11.1-45Miroslav Grepl 3.11.1-44Miroslav Grepl 3.11.1-43Miroslav Grepl 3.11.1-42Miroslav Grepl 3.11.1-41Miroslav Grepl 3.11.1-40Miroslav Grepl 3.11.1-39Miroslav Grepl 3.11.1-38Miroslav Grepl 3.11.1-37Miroslav Grepl 3.11.1-36Miroslav Grepl 3.11.1-35Miroslav Grepl 3.11.1-34Miroslav Grepl 3.11.1-33Miroslav Grepl 3.11.1-32Miroslav Grepl 3.11.1-31Miroslav Grepl 3.11.1-30Miroslav Grepl 3.11.1-29Miroslav Grepl 3.11.1-28Miroslav Grepl 3.11.1-27Miroslav Grepl 3.11.1-26Miroslav Grepl 3.11.1-25Miroslav Grepl 3.11.1-24Miroslav Grepl 3.11.1-23Miroslav Grepl 3.11.1-22Miroslav Grepl 3.11.1-21Miroslav Grepl 3.11.1-20Miroslav Grepl 3.11.1-19Miroslav Grepl 3.11.1-18Miroslav Grepl 3.11.1-17Miroslav Grepl 3.11.1-16Dan Walsh 3.11.1-15Miroslav Grepl 3.11.1-14Dan Walsh 3.11.1-13Miroslav Grepl 3.11.1-12Miroslav Grepl 3.11.1-11Miroslav Grepl 3.11.1-10Dan Walsh 3.11.1-9Dan Walsh 3.11.1-8Dan Walsh 3.11.1-7Dan Walsh 3.11.1-6Miroslav Grepl 3.11.1-5Miroslav Grepl 3.11.1-4Miroslav Grepl 3.11.1-3Miroslav Grepl 3.11.1-2Miroslav Grepl 3.11.1-1Miroslav Grepl 3.11.1-0Miroslav Grepl 3.11.0-15Miroslav Grepl 3.11.0-14Miroslav Grepl 3.11.0-13Miroslav Grepl 3.11.0-12Fedora Release Engineering - 3.11.0-11Miroslav Grepl 3.11.0-10Miroslav Grepl 3.11.0-9Miroslav Grepl 3.11.0-8Miroslav Grepl 3.11.0-7Miroslav Grepl 3.11.0-6Miroslav Grepl 3.11.0-5Miroslav Grepl 3.11.0-4Miroslav Grepl 3.11.0-3Miroslav Grepl 3.11.0-2Miroslav Grepl 3.11.0-1Miroslav Grepl 3.10.0-128Miroslav Grepl 3.10.0-127Miroslav Grepl 3.10.0-126Miroslav Grepl 3.10.0-125Miroslav Grepl 3.10.0-124Miroslav Grepl 3.10.0-123Miroslav Grepl 3.10.0-122Miroslav Grepl 3.10.0-121Miroslav Grepl 3.10.0-120Miroslav Grepl 3.10.0-119Miroslav Grepl 3.10.0-118Miroslav Grepl 3.10.0-117Miroslav Grepl 3.10.0-116Miroslav Grepl 3.10.0-115Miroslav Grepl 3.10.0-114Miroslav Grepl 3.10.0-113Miroslav Grepl 3.10.0-112Miroslav Grepl 3.10.0-111Miroslav Grepl 3.10.0-110Miroslav Grepl 3.10.0-109Miroslav Grepl 3.10.0-108Miroslav Grepl 3.10.0-107Miroslav Grepl 3.10.0-106Miroslav Grepl 3.10.0-105Miroslav Grepl 3.10.0-104Miroslav Grepl 3.10.0-103Miroslav Grepl 3.10.0-102Miroslav Grepl 3.10.0-101Miroslav Grepl 3.10.0-100Miroslav Grepl 3.10.0-99Miroslav Grepl 3.10.0-98Miroslav Grepl 3.10.0-97Miroslav Grepl 3.10.0-96Miroslav Grepl 3.10.0-95Miroslav Grepl 3.10.0-94Miroslav Grepl 3.10.0-93Miroslav Grepl 3.10.0-92Miroslav Grepl 3.10.0-91Miroslav Grepl 3.10.0-90Miroslav Grepl 3.10.0-89Miroslav Grepl 3.10.0-88Miroslav Grepl 3.10.0-87Miroslav Grepl 3.10.0-86Miroslav Grepl 3.10.0-85Miroslav Grepl 3.10.0-84Miroslav Grepl 3.10.0-83Miroslav Grepl 3.10.0-82Dan Walsh 3.10.0-81.2Miroslav Grepl 3.10.0-81Miroslav Grepl 3.10.0-80Miroslav Grepl 3.10.0-79Miroslav Grepl 3.10.0-78Miroslav Grepl 3.10.0-77Miroslav Grepl 3.10.0-76Miroslav Grepl 3.10.0-75Dan Walsh 3.10.0-74.2Miroslav Grepl 3.10.0-74Miroslav Grepl 3.10.0-73Miroslav Grepl 3.10.0-72Miroslav Grepl 3.10.0-71Miroslav Grepl 3.10.0-70Miroslav Grepl 3.10.0-69Miroslav Grepl 3.10.0-68Miroslav Grepl 3.10.0-67Miroslav Grepl 3.10.0-66Miroslav Grepl 3.10.0-65Miroslav Grepl 3.10.0-64Miroslav Grepl 3.10.0-63Miroslav Grepl 3.10.0-59Miroslav Grepl 3.10.0-58Dan Walsh 3.10.0-57Dan Walsh 3.10.0-56Dan Walsh 3.10.0-55.2Dan Walsh 3.10.0-55.1Miroslav Grepl 3.10.0-55Dan Walsh 3.10.0-54.1Miroslav Grepl 3.10.0-54Dan Walsh 3.10.0-53.1Miroslav Grepl 3.10.0-53Miroslav Grepl 3.10.0-52Miroslav Grepl 3.10.0-51Dan Walsh 3.10.0-50.2Dan Walsh 3.10.0-50.1Miroslav Grepl 3.10.0-50Miroslav Grepl 3.10.0-49Miroslav Grepl 3.10.0-48Miroslav Grepl 3.10.0-47Dan Walsh 3.10.0-46.1Miroslav Grepl 3.10.0-46Dan Walsh 3.10.0-45.1Miroslav Grepl 3.10.0-45Miroslav Grepl 3.10.0-43Miroslav Grepl 3.10.0-42Miroslav Grepl 3.10.0-41Dan Walsh 3.10.0-40.2Miroslav Grepl 3.10.0-40Dan Walsh 3.10.0-39.3Dan Walsh 3.10.0-39.2Dan Walsh 3.10.0-39.1Miroslav Grepl 3.10.0-39Dan Walsh 3.10.0-38.1Miroslav Grepl 3.10.0-38Miroslav Grepl 3.10.0-37Dan Walsh 3.10.0-36.1Miroslav Grepl 3.10.0-36Dan Walsh 3.10.0-35Dan Walsh 3.10.0-34.7Dan Walsh 3.10.0-34.6Dan Walsh 3.10.0-34.4Miroslav Grepl 3.10.0-34.3Dan Walsh 3.10.0-34.2Dan Walsh 3.10.0-34.1Miroslav Grepl 3.10.0-34Miroslav Grepl 3.10.0-33Dan Walsh 3.10.0-31.1Miroslav Grepl 3.10.0-31Miroslav Grepl 3.10.0-29Miroslav Grepl 3.10.0-28Miroslav Grepl 3.10.0-27Miroslav Grepl 3.10.0-26Miroslav Grepl 3.10.0-25Miroslav Grepl 3.10.0-24Miroslav Grepl 3.10.0-23Miroslav Grepl 3.10.0-22Miroslav Grepl 3.10.0-21Dan Walsh 3.10.0-20Miroslav Grepl 3.10.0-19Miroslav Grepl 3.10.0-18Miroslav Grepl 3.10.0-17Miroslav Grepl 3.10.0-16Miroslav Grepl 3.10.0-14Miroslav Grepl 3.10.0-13Miroslav Grepl 3.10.0-12Miroslav Grepl 3.10.0-11Miroslav Grepl 3.10.0-10Miroslav Grepl 3.10.0-9Miroslav Grepl 3.10.0-8Miroslav Grepl 3.10.0-7Miroslav Grepl 3.10.0-6Miroslav Grepl 3.10.0-5Miroslav Grepl 3.10.0-4Miroslav Grepl 3.10.0-3Miroslav Grepl 3.10.0-2Miroslav Grepl 3.10.0-1Miroslav Grepl 3.9.16-30Dan Walsh 3.9.16-29.1Miroslav Grepl 3.9.16-29Dan Walsh 3.9.16-28.1Miroslav Grepl 3.9.16-27Miroslav Grepl 3.9.16-26Miroslav Grepl 3.9.16-25Miroslav Grepl 3.9.16-24Miroslav Grepl 3.9.16-23Miroslav Grepl 3.9.16-22Miroslav Grepl 3.9.16-21Miroslav Grepl 3.9.16-20Miroslav Grepl 3.9.16-19Miroslav Grepl 3.9.16-18Miroslav Grepl 3.9.16-17Dan Walsh 3.9.16-16.1Miroslav Grepl 3.9.16-16Miroslav Grepl 3.9.16-15Miroslav Grepl 3.9.16-14Miroslav Grepl 3.9.16-13Miroslav Grepl 3.9.16-12Miroslav Grepl 3.9.16-11Miroslav Grepl 3.9.16-10Miroslav Grepl 3.9.16-7Miroslav Grepl 3.9.16-6Miroslav Grepl 3.9.16-5Miroslav Grepl 3.9.16-4Miroslav Grepl 3.9.16-3Miroslav Grepl 3.9.16-2Miroslav Grepl 3.9.16-1Miroslav Grepl 3.9.15-5Miroslav Grepl 3.9.15-2Miroslav Grepl 3.9.15-1Fedora Release Engineering - 3.9.14-2Dan Walsh 3.9.14-1Miroslav Grepl 3.9.13-10Miroslav Grepl 3.9.13-9Dan Walsh 3.9.13-8Miroslav Grepl 3.9.13-7Miroslav Grepl 3.9.13-6Miroslav Grepl 3.9.13-5Miroslav Grepl 3.9.13-4Miroslav Grepl 3.9.13-3Miroslav Grepl 3.9.13-2Miroslav Grepl 3.9.13-1Miroslav Grepl 3.9.12-8Miroslav Grepl 3.9.12-7Miroslav Grepl 3.9.12-6Miroslav Grepl 3.9.12-5Dan Walsh 3.9.12-4Dan Walsh 3.9.12-3Dan Walsh 3.9.12-2Miroslav Grepl 3.9.12-1Dan Walsh 3.9.11-2Miroslav Grepl 3.9.11-1Miroslav Grepl 3.9.10-13Dan Walsh 3.9.10-12Miroslav Grepl 3.9.10-11Miroslav Grepl 3.9.10-10Miroslav Grepl 3.9.10-9Miroslav Grepl 3.9.10-8Miroslav Grepl 3.9.10-7Miroslav Grepl 3.9.10-6Miroslav Grepl 3.9.10-5Dan Walsh 3.9.10-4Miroslav Grepl 3.9.10-3Miroslav Grepl 3.9.10-2Miroslav Grepl 3.9.10-1Miroslav Grepl 3.9.9-4Dan Walsh 3.9.9-3Miroslav Grepl 3.9.9-2Miroslav Grepl 3.9.9-1Miroslav Grepl 3.9.8-7Dan Walsh 3.9.8-6Miroslav Grepl 3.9.8-5Miroslav Grepl 3.9.8-4Dan Walsh 3.9.8-3Dan Walsh 3.9.8-2Dan Walsh 3.9.8-1Dan Walsh 3.9.7-10Dan Walsh 3.9.7-9Dan Walsh 3.9.7-8Dan Walsh 3.9.7-7Dan Walsh 3.9.7-6Dan Walsh 3.9.7-5Dan Walsh 3.9.7-4Dan Walsh 3.9.7-3Dan Walsh 3.9.7-2Dan Walsh 3.9.7-1Dan Walsh 3.9.6-3Dan Walsh 3.9.6-2Dan Walsh 3.9.6-1Dan Walsh 3.9.5-11Dan Walsh 3.9.5-10Dan Walsh 3.9.5-9Dan Walsh 3.9.5-8Dan Walsh 3.9.5-7Dan Walsh 3.9.5-6Dan Walsh 3.9.5-5Dan Walsh 3.9.5-4Dan Walsh 3.9.5-3Dan Walsh 3.9.5-2Dan Walsh 3.9.5-1Dan Walsh 3.9.4-3Dan Walsh 3.9.4-2Dan Walsh 3.9.4-1Dan Walsh 3.9.3-4Dan Walsh 3.9.3-3Dan Walsh 3.9.3-2Dan Walsh 3.9.3-1Dan Walsh 3.9.2-1Dan Walsh 3.9.1-3Dan Walsh 3.9.1-2Dan Walsh 3.9.1-1Dan Walsh 3.9.0-2Dan Walsh 3.9.0-1Dan Walsh 3.8.8-21Dan Walsh 3.8.8-20Dan Walsh 3.8.8-19Dan Walsh 3.8.8-18Dan Walsh 3.8.8-17Dan Walsh 3.8.8-16Dan Walsh 3.8.8-15Dan Walsh 3.8.8-14Dan Walsh 3.8.8-13Dan Walsh 3.8.8-12Dan Walsh 3.8.8-11Dan Walsh 3.8.8-10Dan Walsh 3.8.8-9Dan Walsh 3.8.8-8Dan Walsh 3.8.8-7Dan Walsh 3.8.8-6Dan Walsh 3.8.8-5Dan Walsh 3.8.8-4Dan Walsh 3.8.8-3Dan Walsh 3.8.8-2Dan Walsh 3.8.8-1Dan Walsh 3.8.7-3Dan Walsh 3.8.7-2Dan Walsh 3.8.7-1Dan Walsh 3.8.6-3Miroslav Grepl 3.8.6-2Dan Walsh 3.8.6-1Dan Walsh 3.8.5-1Dan Walsh 3.8.4-1Dan Walsh 3.8.3-4Dan Walsh 3.8.3-3Dan Walsh 3.8.3-2Dan Walsh 3.8.3-1Dan Walsh 3.8.2-1Dan Walsh 3.8.1-5Dan Walsh 3.8.1-4Dan Walsh 3.8.1-3Dan Walsh 3.8.1-2Dan Walsh 3.8.1-1Dan Walsh 3.7.19-22Dan Walsh 3.7.19-21Dan Walsh 3.7.19-20Dan Walsh 3.7.19-19Dan Walsh 3.7.19-17Dan Walsh 3.7.19-16Dan Walsh 3.7.19-15Dan Walsh 3.7.19-14Dan Walsh 3.7.19-13Dan Walsh 3.7.19-12Dan Walsh 3.7.19-11Dan Walsh 3.7.19-10Dan Walsh 3.7.19-9Dan Walsh 3.7.19-8Dan Walsh 3.7.19-7Dan Walsh 3.7.19-6Dan Walsh 3.7.19-5Dan Walsh 3.7.19-4Dan Walsh 3.7.19-3Dan Walsh 3.7.19-2Dan Walsh 3.7.19-1Dan Walsh 3.7.18-3Dan Walsh 3.7.18-2Dan Walsh 3.7.18-1Dan Walsh 3.7.17-6Dan Walsh 3.7.17-5Dan Walsh 3.7.17-4Dan Walsh 3.7.17-3Dan Walsh 3.7.17-2Dan Walsh 3.7.17-1Dan Walsh 3.7.16-2Dan Walsh 3.7.16-1Dan Walsh 3.7.15-4Dan Walsh 3.7.15-3Dan Walsh 3.7.15-2Dan Walsh 3.7.15-1Dan Walsh 3.7.14-5Dan Walsh 3.7.14-4Dan Walsh 3.7.14-3Dan Walsh 3.7.14-2Dan Walsh 3.7.14-1Dan Walsh 3.7.13-4Dan Walsh 3.7.13-3Dan Walsh 3.7.13-2Dan Walsh 3.7.13-1Dan Walsh 3.7.12-1Dan Walsh 3.7.11-1Dan Walsh 3.7.10-5Dan Walsh 3.7.10-4Dan Walsh 3.7.10-3Dan Walsh 3.7.10-2Dan Walsh 3.7.10-1Dan Walsh 3.7.9-4Dan Walsh 3.7.9-3Dan Walsh 3.7.9-2Dan Walsh 3.7.9-1Dan Walsh 3.7.8-11Dan Walsh 3.7.8-9Dan Walsh 3.7.8-8Dan Walsh 3.7.8-7Dan Walsh 3.7.8-6Dan Walsh 3.7.8-5Dan Walsh 3.7.8-4Dan Walsh 3.7.8-3Dan Walsh 3.7.8-2Dan Walsh 3.7.8-1Dan Walsh 3.7.7-3Dan Walsh 3.7.7-2Dan Walsh 3.7.7-1Dan Walsh 3.7.6-1Dan Walsh 3.7.5-8Dan Walsh 3.7.5-7Dan Walsh 3.7.5-6Dan Walsh 3.7.5-5Dan Walsh 3.7.5-4Dan Walsh 3.7.5-3Dan Walsh 3.7.5-2Dan Walsh 3.7.5-1Dan Walsh 3.7.4-4Dan Walsh 3.7.4-3Dan Walsh 3.7.4-2Dan Walsh 3.7.4-1Dan Walsh 3.7.3-1Dan Walsh 3.7.1-1Dan Walsh 3.6.33-2Dan Walsh 3.6.33-1Dan Walsh 3.6.32-17Dan Walsh 3.6.32-16Dan Walsh 3.6.32-15Dan Walsh 3.6.32-13Dan Walsh 3.6.32-12Dan Walsh 3.6.32-11Dan Walsh 3.6.32-10Dan Walsh 3.6.32-9Dan Walsh 3.6.32-8Dan Walsh 3.6.32-7Dan Walsh 3.6.32-6Dan Walsh 3.6.32-5Dan Walsh 3.6.32-4Dan Walsh 3.6.32-3Dan Walsh 3.6.32-2Dan Walsh 3.6.32-1Dan Walsh 3.6.31-5Dan Walsh 3.6.31-4Dan Walsh 3.6.31-3Dan Walsh 3.6.31-2Dan Walsh 3.6.30-6Dan Walsh 3.6.30-5Dan Walsh 3.6.30-4Dan Walsh 3.6.30-3Dan Walsh 3.6.30-2Dan Walsh 3.6.30-1Dan Walsh 3.6.29-2Dan Walsh 3.6.29-1Dan Walsh 3.6.28-9Dan Walsh 3.6.28-8Dan Walsh 3.6.28-7Dan Walsh 3.6.28-6Dan Walsh 3.6.28-5Dan Walsh 3.6.28-4Dan Walsh 3.6.28-3Dan Walsh 3.6.28-2Dan Walsh 3.6.28-1Dan Walsh 3.6.27-1Dan Walsh 3.6.26-11Dan Walsh 3.6.26-10Dan Walsh 3.6.26-9Bill Nottingham 3.6.26-8Dan Walsh 3.6.26-7Dan Walsh 3.6.26-6Dan Walsh 3.6.26-5Dan Walsh 3.6.26-4Dan Walsh 3.6.26-3Dan Walsh 3.6.26-2Dan Walsh 3.6.26-1Dan Walsh 3.6.25-1Dan Walsh 3.6.24-1Dan Walsh 3.6.23-2Dan Walsh 3.6.23-1Dan Walsh 3.6.22-3Dan Walsh 3.6.22-1Dan Walsh 3.6.21-4Dan Walsh 3.6.21-3Tom "spot" Callaway 3.6.21-2Dan Walsh 3.6.21-1Dan Walsh 3.6.20-2Dan Walsh 3.6.20-1Dan Walsh 3.6.19-5Dan Walsh 3.6.19-4Dan Walsh 3.6.19-3Dan Walsh 3.6.19-2Dan Walsh 3.6.19-1Dan Walsh 3.6.18-1Dan Walsh 3.6.17-1Dan Walsh 3.6.16-4Dan Walsh 3.6.16-3Dan Walsh 3.6.16-2Dan Walsh 3.6.16-1Dan Walsh 3.6.14-3Dan Walsh 3.6.14-2Dan Walsh 3.6.14-1Dan Walsh 3.6.13-3Dan Walsh 3.6.13-2Dan Walsh 3.6.13-1Dan Walsh 3.6.12-39Dan Walsh 3.6.12-38Dan Walsh 3.6.12-37Dan Walsh 3.6.12-36Dan Walsh 3.6.12-35Dan Walsh 3.6.12-34Dan Walsh 3.6.12-33Dan Walsh 3.6.12-31Dan Walsh 3.6.12-30Dan Walsh 3.6.12-29Dan Walsh 3.6.12-28Dan Walsh 3.6.12-27Dan Walsh 3.6.12-26Dan Walsh 3.6.12-25Dan Walsh 3.6.12-24Dan Walsh 3.6.12-23Dan Walsh 3.6.12-22Dan Walsh 3.6.12-21Dan Walsh 3.6.12-20Dan Walsh 3.6.12-19Dan Walsh 3.6.12-16Dan Walsh 3.6.12-15Dan Walsh 3.6.12-14Dan Walsh 3.6.12-13Dan Walsh 3.6.12-12Dan Walsh 3.6.12-11Dan Walsh 3.6.12-10Dan Walsh 3.6.12-9Dan Walsh 3.6.12-8Dan Walsh 3.6.12-7Dan Walsh 3.6.12-6Dan Walsh 3.6.12-5Dan Walsh 3.6.12-4Dan Walsh 3.6.12-3Dan Walsh 3.6.12-2Dan Walsh 3.6.12-1Dan Walsh 3.6.11-1Dan Walsh 3.6.10-9Dan Walsh 3.6.10-8Dan Walsh 3.6.10-7Dan Walsh 3.6.10-6Dan Walsh 3.6.10-5Dan Walsh 3.6.10-4Dan Walsh 3.6.10-3Dan Walsh 3.6.10-2Dan Walsh 3.6.10-1Dan Walsh 3.6.9-4Dan Walsh 3.6.9-3Dan Walsh 3.6.9-2Dan Walsh 3.6.9-1Dan Walsh 3.6.8-4Dan Walsh 3.6.8-3Dan Walsh 3.6.8-2Dan Walsh 3.6.8-1Dan Walsh 3.6.7-2Dan Walsh 3.6.7-1Dan Walsh 3.6.6-9Dan Walsh 3.6.6-8Fedora Release Engineering - 3.6.6-7Dan Walsh 3.6.6-6Dan Walsh 3.6.6-5Dan Walsh 3.6.6-4Dan Walsh 3.6.6-3Dan Walsh 3.6.6-2Dan Walsh 3.6.6-1Dan Walsh 3.6.5-3Dan Walsh 3.6.5-1Dan Walsh 3.6.4-6Dan Walsh 3.6.4-5Dan Walsh 3.6.4-4Dan Walsh 3.6.4-3Dan Walsh 3.6.4-2Dan Walsh 3.6.4-1Dan Walsh 3.6.3-13Dan Walsh 3.6.3-12Dan Walsh 3.6.3-11Dan Walsh 3.6.3-10Dan Walsh 3.6.3-9Dan Walsh 3.6.3-8Dan Walsh 3.6.3-7Dan Walsh 3.6.3-6Dan Walsh 3.6.3-3Dan Walsh 3.6.3-2Dan Walsh 3.6.3-1Dan Walsh 3.6.2-5Dan Walsh 3.6.2-4Dan Walsh 3.6.2-3Dan Walsh 3.6.2-2Dan Walsh 3.6.2-1Dan Walsh 3.6.1-15Dan Walsh 3.6.1-14Dan Walsh 3.6.1-13Dan Walsh 3.6.1-12Dan Walsh 3.6.1-11Dan Walsh 3.6.1-10Dan Walsh 3.6.1-9Dan Walsh 3.6.1-8Dan Walsh 3.6.1-7Dan Walsh 3.6.1-4Ignacio Vazquez-Abrams - 3.6.1-2Dan Walsh 3.5.13-19Dan Walsh 3.5.13-18Dan Walsh 3.5.13-17Dan Walsh 3.5.13-16Dan Walsh 3.5.13-15Dan Walsh 3.5.13-14Dan Walsh 3.5.13-13Dan Walsh 3.5.13-12Dan Walsh 3.5.13-11Dan Walsh 3.5.13-9Dan Walsh 3.5.13-8Dan Walsh 3.5.13-7Dan Walsh 3.5.13-6Dan Walsh 3.5.13-5Dan Walsh 3.5.13-4Dan Walsh 3.5.13-3Dan Walsh 3.5.13-2Dan Walsh 3.5.13-1Dan Walsh 3.5.12-3Dan Walsh 3.5.12-2Dan Walsh 3.5.12-1Dan Walsh 3.5.11-1Dan Walsh 3.5.10-3Dan Walsh 3.5.10-2Dan Walsh 3.5.10-1Dan Walsh 3.5.9-4Dan Walsh 3.5.9-3Dan Walsh 3.5.9-2Dan Walsh 3.5.9-1Dan Walsh 3.5.8-7Dan Walsh 3.5.8-6Dan Walsh 3.5.8-5Dan Walsh 3.5.8-4Dan Walsh 3.5.8-3Dan Walsh 3.5.8-1Dan Walsh 3.5.7-2Dan Walsh 3.5.7-1Dan Walsh 3.5.6-2Dan Walsh 3.5.6-1Dan Walsh 3.5.5-4Dan Walsh 3.5.5-3Dan Walsh 3.5.5-2Dan Walsh 3.5.4-2Dan Walsh 3.5.4-1Dan Walsh 3.5.3-1Dan Walsh 3.5.2-2Dan Walsh 3.5.1-5Dan Walsh 3.5.1-4Dan Walsh 3.5.1-3Dan Walsh 3.5.1-2Dan Walsh 3.5.1-1Dan Walsh 3.5.0-1Dan Walsh 3.4.2-14Dan Walsh 3.4.2-13Dan Walsh 3.4.2-12Dan Walsh 3.4.2-11Dan Walsh 3.4.2-10Dan Walsh 3.4.2-9Dan Walsh 3.4.2-8Dan Walsh 3.4.2-7Dan Walsh 3.4.2-6Dan Walsh 3.4.2-5Dan Walsh 3.4.2-4Dan Walsh 3.4.2-3Dan Walsh 3.4.2-2Dan Walsh 3.4.2-1Dan Walsh 3.4.1-5Dan Walsh 3.4.1-3Dan Walsh 3.4.1-2Dan Walsh 3.4.1-1Dan Walsh 3.3.1-48Dan Walsh 3.3.1-47Dan Walsh 3.3.1-46Dan Walsh 3.3.1-45Dan Walsh 3.3.1-44Dan Walsh 3.3.1-43Dan Walsh 3.3.1-42Dan Walsh 3.3.1-41Dan Walsh 3.3.1-39Dan Walsh 3.3.1-37Dan Walsh 3.3.1-36Dan Walsh 3.3.1-33Dan Walsh 3.3.1-32Dan Walsh 3.3.1-31Dan Walsh 3.3.1-30Dan Walsh 3.3.1-29Dan Walsh 3.3.1-28Dan Walsh 3.3.1-27Dan Walsh 3.3.1-26Dan Walsh 3.3.1-25Dan Walsh 3.3.1-24Dan Walsh 3.3.1-23Dan Walsh 3.3.1-22Dan Walsh 3.3.1-21Dan Walsh 3.3.1-20Dan Walsh 3.3.1-19Dan Walsh 3.3.1-18Dan Walsh 3.3.1-17Dan Walsh 3.3.1-16Dan Walsh 3.3.1-15Bill Nottingham 3.3.1-14Dan Walsh 3.3.1-13Dan Walsh 3.3.1-12Dan Walsh 3.3.1-11Dan Walsh 3.3.1-10Dan Walsh 3.3.1-9Dan Walsh 3.3.1-8Dan Walsh 3.3.1-6Dan Walsh 3.3.1-5Dan Walsh 3.3.1-4Dan Walsh 3.3.1-2Dan Walsh 3.3.1-1Dan Walsh 3.3.0-2Dan Walsh 3.3.0-1Dan Walsh 3.2.9-2Dan Walsh 3.2.9-1Dan Walsh 3.2.8-2Dan Walsh 3.2.8-1Dan Walsh 3.2.7-6Dan Walsh 3.2.7-5Dan Walsh 3.2.7-3Dan Walsh 3.2.7-2Dan Walsh 3.2.7-1Dan Walsh 3.2.6-7Dan Walsh 3.2.6-6Dan Walsh 3.2.6-5Dan Walsh 3.2.6-4Dan Walsh 3.2.6-3Dan Walsh 3.2.6-2Dan Walsh 3.2.6-1Dan Walsh 3.2.5-25Dan Walsh 3.2.5-24Dan Walsh 3.2.5-22Dan Walsh 3.2.5-21Dan Walsh 3.2.5-20Dan Walsh 3.2.5-19Dan Walsh 3.2.5-18Dan Walsh 3.2.5-17Dan Walsh 3.2.5-16Dan Walsh 3.2.5-15Dan Walsh 3.2.5-14Dan Walsh 3.2.5-13Dan Walsh 3.2.5-12Dan Walsh 3.2.5-11Dan Walsh 3.2.5-10Dan Walsh 3.2.5-9Dan Walsh 3.2.5-8Dan Walsh 3.2.5-7Dan Walsh 3.2.5-6Dan Walsh 3.2.5-5Dan Walsh 3.2.5-4Dan Walsh 3.2.5-3Dan Walsh 3.2.5-2Dan Walsh 3.2.5-1Dan Walsh 3.2.4-5Dan Walsh 3.2.4-4Dan Walsh 3.2.4-3Dan Walsh 3.2.4-1Dan Walsh 3.2.4-1Dan Walsh 3.2.3-2Dan Walsh 3.2.3-1Dan Walsh 3.2.2-1Dan Walsh 3.2.1-3Dan Walsh 3.2.1-1Dan Walsh 3.1.2-2Dan Walsh 3.1.2-1Dan Walsh 3.1.1-1Dan Walsh 3.1.0-1Dan Walsh 3.0.8-30Dan Walsh 3.0.8-28Dan Walsh 3.0.8-27Dan Walsh 3.0.8-26Dan Walsh 3.0.8-25Dan Walsh 3.0.8-24Dan Walsh 3.0.8-23Dan Walsh 3.0.8-22Dan Walsh 3.0.8-21Dan Walsh 3.0.8-20Dan Walsh 3.0.8-19Dan Walsh 3.0.8-18Dan Walsh 3.0.8-17Dan Walsh 3.0.8-16Dan Walsh 3.0.8-15Dan Walsh 3.0.8-14Dan Walsh 3.0.8-13Dan Walsh 3.0.8-12Dan Walsh 3.0.8-11Dan Walsh 3.0.8-10Dan Walsh 3.0.8-9Dan Walsh 3.0.8-8Dan Walsh 3.0.8-7Dan Walsh 3.0.8-5Dan Walsh 3.0.8-4Dan Walsh 3.0.8-3Dan Walsh 3.0.8-2Dan Walsh 3.0.8-1Dan Walsh 3.0.7-10Dan Walsh 3.0.7-9Dan Walsh 3.0.7-8Dan Walsh 3.0.7-7Dan Walsh 3.0.7-6Dan Walsh 3.0.7-5Dan Walsh 3.0.7-4Dan Walsh 3.0.7-3Dan Walsh 3.0.7-2Dan Walsh 3.0.7-1Dan Walsh 3.0.6-3Dan Walsh 3.0.6-2Dan Walsh 3.0.6-1Dan Walsh 3.0.5-11Dan Walsh 3.0.5-10Dan Walsh 3.0.5-9Dan Walsh 3.0.5-8Dan Walsh 3.0.5-7Dan Walsh 3.0.5-6Dan Walsh 3.0.5-5Dan Walsh 3.0.5-4Dan Walsh 3.0.5-3Dan Walsh 3.0.5-2Dan Walsh 3.0.5-1Dan Walsh 3.0.4-6Dan Walsh 3.0.4-5Dan Walsh 3.0.4-4Dan Walsh 3.0.4-3Dan Walsh 3.0.4-2Dan Walsh 3.0.4-1Dan Walsh 3.0.3-6Dan Walsh 3.0.3-5Dan Walsh 3.0.3-4Dan Walsh 3.0.3-3Dan Walsh 3.0.3-2Dan Walsh 3.0.3-1Dan Walsh 3.0.2-9Dan Walsh 3.0.2-8Dan Walsh 3.0.2-7Dan Walsh 3.0.2-5Dan Walsh 3.0.2-4Dan Walsh 3.0.2-3Dan Walsh 3.0.2-2Dan Walsh 3.0.1-5Dan Walsh 3.0.1-4Dan Walsh 3.0.1-3Dan Walsh 3.0.1-2Dan Walsh 3.0.1-1Dan Walsh 2.6.5-3Dan Walsh 2.6.5-2Dan Walsh 2.6.4-7Dan Walsh 2.6.4-6Dan Walsh 2.6.4-5Dan Walsh 2.6.4-2Dan Walsh 2.6.4-1Dan Walsh 2.6.3-1Dan Walsh 2.6.2-1Dan Walsh 2.6.1-4Dan Walsh 2.6.1-2Dan Walsh 2.6.1-1Dan Walsh 2.5.12-12Dan Walsh 2.5.12-11Dan Walsh 2.5.12-10Dan Walsh 2.5.12-8Dan Walsh 2.5.12-5Dan Walsh 2.5.12-4Dan Walsh 2.5.12-3Dan Walsh 2.5.12-2Dan Walsh 2.5.12-1Dan Walsh 2.5.11-8Dan Walsh 2.5.11-7Dan Walsh 2.5.11-6Dan Walsh 2.5.11-5Dan Walsh 2.5.11-4Dan Walsh 2.5.11-3Dan Walsh 2.5.11-2Dan Walsh 2.5.11-1Dan Walsh 2.5.10-2Dan Walsh 2.5.10-1Dan Walsh 2.5.9-6Dan Walsh 2.5.9-5Dan Walsh 2.5.9-4Dan Walsh 2.5.9-3Dan Walsh 2.5.9-2Dan Walsh 2.5.8-8Dan Walsh 2.5.8-7Dan Walsh 2.5.8-6Dan Walsh 2.5.8-5Dan Walsh 2.5.8-4Dan Walsh 2.5.8-3Dan Walsh 2.5.8-2Dan Walsh 2.5.8-1Dan Walsh 2.5.7-1Dan Walsh 2.5.6-1Dan Walsh 2.5.5-2Dan Walsh 2.5.5-1Dan Walsh 2.5.4-2Dan Walsh 2.5.4-1Dan Walsh 2.5.3-3Dan Walsh 2.5.3-2Dan Walsh 2.5.3-1Dan Walsh 2.5.2-6Dan Walsh 2.5.2-5Dan Walsh 2.5.2-4Dan Walsh 2.5.2-3Dan Walsh 2.5.2-2Dan Walsh 2.5.2-1Dan Walsh 2.5.1-5Dan Walsh 2.5.1-4Dan Walsh 2.5.1-2Dan Walsh 2.5.1-1Dan Walsh 2.4.6-20Dan Walsh 2.4.6-19Dan Walsh 2.4.6-18Dan Walsh 2.4.6-17Dan Walsh 2.4.6-16Dan Walsh 2.4.6-15Dan Walsh 2.4.6-14Dan Walsh 2.4.6-13Dan Walsh 2.4.6-12Dan Walsh 2.4.6-11Dan Walsh 2.4.6-10Dan Walsh 2.4.6-9Dan Walsh 2.4.6-8Dan Walsh 2.4.6-7Dan Walsh 2.4.6-6Dan Walsh 2.4.6-5Dan Walsh 2.4.6-4Dan Walsh 2.4.6-3Dan Walsh 2.4.6-1Dan Walsh 2.4.5-4Dan Walsh 2.4.5-3Dan Walsh 2.4.5-2Dan Walsh 2.4.5-1Dan Walsh 2.4.4-2Dan Walsh 2.4.4-2Dan Walsh 2.4.4-1Dan Walsh 2.4.3-13Dan Walsh 2.4.3-12Dan Walsh 2.4.3-11Dan Walsh 2.4.3-10Dan Walsh 2.4.3-9Dan Walsh 2.4.3-8Dan Walsh 2.4.3-7Dan Walsh 2.4.3-6Dan Walsh 2.4.3-5Dan Walsh 2.4.3-4Dan Walsh 2.4.3-3Dan Walsh 2.4.3-2Dan Walsh 2.4.3-1Dan Walsh 2.4.2-8Dan Walsh 2.4.2-7James Antill 2.4.2-6Dan Walsh 2.4.2-5Dan Walsh 2.4.2-4Dan Walsh 2.4.2-3Dan Walsh 2.4.2-2Dan Walsh 2.4.2-1Dan Walsh 2.4.1-5Dan Walsh 2.4.1-4Dan Walsh 2.4.1-3Dan Walsh 2.4.1-2Dan Walsh 2.4-4Dan Walsh 2.4-3Dan Walsh 2.4-2Dan Walsh 2.4-1Dan Walsh 2.3.19-4Dan Walsh 2.3.19-3Dan Walsh 2.3.19-2Dan Walsh 2.3.19-1James Antill 2.3.18-10James Antill 2.3.18-9Dan Walsh 2.3.18-8Dan Walsh 2.3.18-7Dan Walsh 2.3.18-6Dan Walsh 2.3.18-5Dan Walsh 2.3.18-4Dan Walsh 2.3.18-3Dan Walsh 2.3.18-2Dan Walsh 2.3.18-1Dan Walsh 2.3.17-2Dan Walsh 2.3.17-1Dan Walsh 2.3.16-9Dan Walsh 2.3.16-8Dan Walsh 2.3.16-7Dan Walsh 2.3.16-6Dan Walsh 2.3.16-5Dan Walsh 2.3.16-4Dan Walsh 2.3.16-2Dan Walsh 2.3.16-1Dan Walsh 2.3.15-2Dan Walsh 2.3.15-1Dan Walsh 2.3.14-8Dan Walsh 2.3.14-7Dan Walsh 2.3.14-6Dan Walsh 2.3.14-4Dan Walsh 2.3.14-3Dan Walsh 2.3.14-2Dan Walsh 2.3.14-1Dan Walsh 2.3.13-6Dan Walsh 2.3.13-5Dan Walsh 2.3.13-4Dan Walsh 2.3.13-3Dan Walsh 2.3.13-2Dan Walsh 2.3.13-1Dan Walsh 2.3.12-2Dan Walsh 2.3.12-1Dan Walsh 2.3.11-1Dan Walsh 2.3.10-7Dan Walsh 2.3.10-6Dan Walsh 2.3.10-3Dan Walsh 2.3.10-1Dan Walsh 2.3.9-6Dan Walsh 2.3.9-5Dan Walsh 2.3.9-4Dan Walsh 2.3.9-3Dan Walsh 2.3.9-2Dan Walsh 2.3.9-1Dan Walsh 2.3.8-2Dan Walsh 2.3.7-1Dan Walsh 2.3.6-4Dan Walsh 2.3.6-3Dan Walsh 2.3.6-2Dan Walsh 2.3.6-1Dan Walsh 2.3.5-1Dan Walsh 2.3.4-1Dan Walsh 2.3.3-20Dan Walsh 2.3.3-19Dan Walsh 2.3.3-18Dan Walsh 2.3.3-17Dan Walsh 2.3.3-16Dan Walsh 2.3.3-15Dan Walsh 2.3.3-14Dan Walsh 2.3.3-13Dan Walsh 2.3.3-12Dan Walsh 2.3.3-11Dan Walsh 2.3.3-10Dan Walsh 2.3.3-9Dan Walsh 2.3.3-8Dan Walsh 2.3.3-7Dan Walsh 2.3.3-6Dan Walsh 2.3.3-5Dan Walsh 2.3.3-4Dan Walsh 2.3.3-3Dan Walsh 2.3.3-2Dan Walsh 2.3.3-1Dan Walsh 2.3.2-4Dan Walsh 2.3.2-3Dan Walsh 2.3.2-2Dan Walsh 2.3.2-1Dan Walsh 2.3.1-1Dan Walsh 2.2.49-1Dan Walsh 2.2.48-1Dan Walsh 2.2.47-5Dan Walsh 2.2.47-4Dan Walsh 2.2.47-3Dan Walsh 2.2.47-1Dan Walsh 2.2.46-2Dan Walsh 2.2.46-1Dan Walsh 2.2.45-3Dan Walsh 2.2.45-2Dan Walsh 2.2.45-1Dan Walsh 2.2.44-1Dan Walsh 2.2.43-4Dan Walsh 2.2.43-3Dan Walsh 2.2.43-2Dan Walsh 2.2.43-1Dan Walsh 2.2.42-4Dan Walsh 2.2.42-3Dan Walsh 2.2.42-2Dan Walsh 2.2.42-1Dan Walsh 2.2.41-1Dan Walsh 2.2.40-2Dan Walsh 2.2.40-1Dan Walsh 2.2.39-2Dan Walsh 2.2.39-1Dan Walsh 2.2.38-6Dan Walsh 2.2.38-5Dan Walsh 2.2.38-4Dan Walsh 2.2.38-3Dan Walsh 2.2.38-2Dan Walsh 2.2.38-1Dan Walsh 2.2.37-1Dan Walsh 2.2.36-2Dan Walsh 2.2.36-1James Antill 2.2.35-2Dan Walsh 2.2.35-1Dan Walsh 2.2.34-3Dan Walsh 2.2.34-2Dan Walsh 2.2.34-1Dan Walsh 2.2.33-1Dan Walsh 2.2.32-2Dan Walsh 2.2.32-1Dan Walsh 2.2.31-1Dan Walsh 2.2.30-2Dan Walsh 2.2.30-1Dan Walsh 2.2.29-6Russell Coker 2.2.29-5Dan Walsh 2.2.29-4Dan Walsh 2.2.29-3Dan Walsh 2.2.29-2Dan Walsh 2.2.29-1Dan Walsh 2.2.28-3Dan Walsh 2.2.28-2Dan Walsh 2.2.28-1Dan Walsh 2.2.27-1Dan Walsh 2.2.25-3Dan Walsh 2.2.25-2Dan Walsh 2.2.24-1Dan Walsh 2.2.23-19Dan Walsh 2.2.23-18Dan Walsh 2.2.23-17Karsten Hopp 2.2.23-16Dan Walsh 2.2.23-15Dan Walsh 2.2.23-14Dan Walsh 2.2.23-13Dan Walsh 2.2.23-12Jeremy Katz - 2.2.23-11Jeremy Katz - 2.2.23-10Dan Walsh 2.2.23-9Dan Walsh 2.2.23-8Dan Walsh 2.2.23-7Dan Walsh 2.2.23-5Dan Walsh 2.2.23-4Dan Walsh 2.2.23-3Dan Walsh 2.2.23-2Dan Walsh 2.2.23-1Dan Walsh 2.2.22-2Dan Walsh 2.2.22-1Dan Walsh 2.2.21-9Dan Walsh 2.2.21-8Dan Walsh 2.2.21-7Dan Walsh 2.2.21-6Dan Walsh 2.2.21-5Dan Walsh 2.2.21-4Dan Walsh 2.2.21-3Dan Walsh 2.2.21-2Dan Walsh 2.2.21-1Dan Walsh 2.2.20-1Dan Walsh 2.2.19-2Dan Walsh 2.2.19-1Dan Walsh 2.2.18-2Dan Walsh 2.2.18-1Dan Walsh 2.2.17-2Dan Walsh 2.2.16-1Dan Walsh 2.2.15-4Dan Walsh 2.2.15-3Dan Walsh 2.2.15-1Dan Walsh 2.2.14-2Dan Walsh 2.2.14-1Dan Walsh 2.2.13-1Dan Walsh 2.2.12-1Dan Walsh 2.2.11-2Dan Walsh 2.2.11-1Dan Walsh 2.2.10-1Dan Walsh 2.2.9-2Dan Walsh 2.2.9-1Dan Walsh 2.2.8-2Dan Walsh 2.2.7-1Dan Walsh 2.2.6-3Dan Walsh 2.2.6-2Dan Walsh 2.2.6-1Dan Walsh 2.2.5-1Dan Walsh 2.2.4-1Dan Walsh 2.2.3-1Dan Walsh 2.2.2-1Dan Walsh 2.2.1-1Dan Walsh 2.1.13-1Dan Walsh 2.1.12-3Dan Walsh 2.1.11-1Dan Walsh 2.1.10-1Jeremy Katz - 2.1.9-2Dan Walsh 2.1.9-1Dan Walsh 2.1.8-3Dan Walsh 2.1.8-2Dan Walsh 2.1.8-1Dan Walsh 2.1.7-4Dan Walsh 2.1.7-3Dan Walsh 2.1.7-2Dan Walsh 2.1.7-1Dan Walsh 2.1.6-24Dan Walsh 2.1.6-23Dan Walsh 2.1.6-22Dan Walsh 2.1.6-21Dan Walsh 2.1.6-20Dan Walsh 2.1.6-18Dan Walsh 2.1.6-17Dan Walsh 2.1.6-16Dan Walsh 2.1.6-15Dan Walsh 2.1.6-14Dan Walsh 2.1.6-13Dan Walsh 2.1.6-11Dan Walsh 2.1.6-10Dan Walsh 2.1.6-9Dan Walsh 2.1.6-8Dan Walsh 2.1.6-5Dan Walsh 2.1.6-4Dan Walsh 2.1.6-3Dan Walsh 2.1.6-2Dan Walsh 2.1.6-1Dan Walsh 2.1.4-2Dan Walsh 2.1.4-1Dan Walsh 2.1.3-1Jeremy Katz - 2.1.2-3Dan Walsh 2.1.2-2Dan Walsh 2.1.2-1Dan Walsh 2.1.1-3Dan Walsh 2.1.1-2Dan Walsh 2.1.1-1Dan Walsh 2.1.0-3Dan Walsh 2.1.0-2.Dan Walsh 2.1.0-1.Dan Walsh 2.0.11-2.Dan Walsh 2.0.11-1.Dan Walsh 2.0.9-1.Dan Walsh 2.0.8-1.Dan Walsh 2.0.7-3Dan Walsh 2.0.7-2Dan Walsh 2.0.6-2Dan Walsh 2.0.5-4Dan Walsh 2.0.5-1Dan Walsh 2.0.4-1Dan Walsh 2.0.2-2Dan Walsh 2.0.2-1Dan Walsh 2.0.1-2Dan Walsh 2.0.1-1- Allow wdmd read hardware state information Resolves: RHEL-27507- Allow wdmd list the contents of the sysfs directories Resolves: RHEL-27507 - Allow linuxptp configure phc2sys and chronyd over a unix domain socket Resolves: RHEL-27394- Differentiate between staff and sysadm when executing crontab with sudo Resolves: RHEL-1388 - Allow su domains write login records Resolves: RHEL-2606 - Revert "Allow su domains write login records" Resolves: RHEL-2606 - Add crontab_admin_domtrans interface Resolves: RHEL-1388 - Allow gpg manage rpm cache Resolves: RHEL-11249- Transition from sudodomains to crontab_t when executing crontab_exec_t Resolves: RHEL-1388 - Fix label of pseudoterminals created from sudodomain Resolves: RHEL-1388 - Allow login_userdomain to manage session_dbusd_tmp_t dirs/files Resolves: RHEL-22500 - Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t Resolves: RHEL-23442 - Allow admin user read/write on fixed_disk_device_t Resolves: RHEL-23434 - Only allow confined user domains to login locally without unconfined_login Resolves: RHEL-1628 - Add userdom_spec_domtrans_confined_admin_users interface Resolves: RHEL-1628 - Only allow admindomain to execute shell via ssh with ssh_sysadm_login Resolves: RHEL-1628 - Add userdom_spec_domtrans_admin_users interface Resolves: RHEL-1628 - Move ssh dyntrans to unconfined inside unconfined_login tunable policy Resolves: RHEL-1628 - Allow utempter_t use ptmx Resolves: RHEL-25002 - Dontaudit subscription manager setfscreate and read file contexts Resolves: RHEL-21639 - Don't audit crontab_domain write attempts to user home Resolves: RHEL-1388 - Add crontab_domtrans interface Resolves: RHEL-1388 - Add dbus_manage_session_tmp_files interface Resolves: RHEL-22500 - Allow httpd read network sysctls Resolves: RHEL-22748 - Allow keepalived_unconfined_script_t dbus chat with init Resolves: RHEL-22843- Label /tmp/libdnf.* with user_tmp_t Resolves: RHEL-11249 - Allow su domains write login records Resolves: RHEL-2606 - Allow gpg read rpm cache Resolves: RHEL-11249 - Allow unix dgram sendto between exim processes Resolves: RHEL-21903 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t Resolves: RHEL-17687 - Add interface for write-only access to NetworkManager rw conf Resolves: RHEL-17687 - Allow conntrackd_t to use sys_admin capability Resolves: RHEL-22276- Allow syslog to run unconfined scripts conditionally Resolves: RHEL-10087 - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t Resolves: RHEL-10087 - Allow collectd connect to statsd port Resolves: RHEL-19482 - Allow collectd_t read network state symlinks Resolves: RHEL-19482 - Allow collectd_t domain to create netlink_generic_socket sockets Resolves: RHEL-19482 - Allow opafm search nfs directories Resolves: RHEL-19426 - Allow mdadm list stratisd data directories Resolves: RHEL-21374- Label /dev/acpi_thermal_rel char device with acpi_device_t Resolves: RHEL-18027 - Allow sysadm execute traceroute in sysadm_t domain using sudo Resolves: RHEL-9947 - Allow sysadm execute tcpdump in sysadm_t domain using sudo Resolves: RHEL-15398 - Add support for syslogd unconfined scripts Resolves: RHEL-10087 - Label /dev/wmi/dell-smbios as acpi_device_t Resolves: RHEL-18027 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute Resolves: RHEL-1954 - Dontaudit rhsmcertd write memory device Resolves: RHEL-17721- Allow sudodomain read var auth files Resolves: RHEL-16567 - Update cifs interfaces to include fs_search_auto_mountpoints() Resolves: RHEL-14072 - Allow systemd-localed create Xserver config dirs Resolves: RHEL-16715 - Label /var/run/auditd.state as auditd_var_run_t Resolves: RHEL-14376 - Allow auditd read all domains process state Resolves: RHEL-14471 - Allow sudo userdomain to run rpm related commands Resolves: RHEL-1679 - Remove insights_client_watch_lib_dirs() interface Resolves: RHEL-16185- Additional permissions for ip-vrf Resolves: RHEL-9981 - Allow ip an explicit domain transition to other domains Resolves: RHEL-9981 - Allow winbind_rpcd_t processes access when samba_export_all_* is on Resolves: RHEL-5845 - Allow system_mail_t manage exim spool files and dirs Resolves: RHEL-14186- Label msmtp and msmtpd with sendmail_exec_t Resolves: RHEL-1678 - Set default file context of HOME_DIR/tmp/.* to <> Resolves: RHEL-1099 - Improve default file context(None) of /var/lib/authselect/backups Resolves: RHEL-3539- Set default file context of /var/lib/authselect/backups to <> Resolves: RHEL-3539 - Add file context specification for /usr/libexec/realmd Resolves: RHEL-2147 - Add numad the ipc_owner capability Resolves: RHEL-2415- Allow ssh_agent_type manage generic cache home files Resolves: rhbz#2177704 - Add chromium_sandbox_t setcap capability Resolves: rhbz#2221573- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3 Resolves: rhbz#2229726- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2 Resolves: rhbz#2229726 - Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t Resolves: rhbz#2177704 - Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2 Resolves: rhbz#2229726 - Make insights_client_t an unconfined domain Resolves: rhbz#2225527 - Allow insights-client create all rpm logs with a correct label Resolves: rhbz#2229559 - Allow insights-client manage generic logs Resolves: rhbz#2229559- Allow user_u and staff_u get attributes of non-security dirs Resolves: rhbz#2216151 - Allow unconfined user filetrans chrome_sandbox_home_t 1/2 Resolves: rhbz#2221573 - Allow unconfined user filetrans chrome_sandbox_home_t 2/2 Resolves: rhbz#2221573 - Allow insights-client execmem Resolves: rhbz#2225233 - Allow svnserve execute postdrop with a transition Resolves: rhbz#2004843 - Do not make postfix_postdrop_t type an MTA executable file Resolves: rhbz#2004843 - Allow samba-dcerpc service manage samba tmp files Resolves: rhbz#2210771 - Update samba-dcerpc policy for printing Resolves: rhbz#2210771- Add the files_getattr_non_auth_dirs() interface Resolves: rhbz#2076937 - Update policy for the sblim-sfcb service Resolves: rhbz#2076937 - Dontaudit sfcbd sys_ptrace cap_userns Resolves: rhbz#2076937 - Label /usr/sbin/sos with sosreport_exec_t Resolves: rhbz#2167731 - Allow sa-update manage spamc home files Resolves: rhbz#2222200 - Allow sa-update connect to systemlog services Resolves: rhbz#2222200 - Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t Resolves: rhbz#2222200- Label only /usr/sbin/ripd and ripngd with zebra_exec_t Resolves: rhbz#2213606 - Allow httpd tcp connect to redis port conditionally Resolves: rhbz#2213965 - Exclude container-selinux manpage from selinux-policy-doc Resolves: rhbz#2218362- Update cyrus_stream_connect() to use sockets in /run Resolves: rhbz#2165752 - Allow insights-client map generic log files Resolves: rhbz#2214572 - Allow insights-client work with pipe and socket tmp files Resolves: rhbz#2207819 - Allow insights-client getsession process permission Resolves: rhbz#2207819 - Allow keepalived to manage its tmp files Resolves: rhbz#2179335- Update pkcsslotd policy for sandboxing 2/2 Resolves: rhbz#2208162 - Update pkcsslotd policy for sandboxing 1/2 Resolves: rhbz#2208162 - Allow abrt_t read kernel persistent storage files Resolves: rhbz#2207914 - Add allow rules for lttng-sessiond domain Resolves: rhbz#2203509 - Allow rpcd_lsad setcap and use generic ptys Resolves: rhbz#2107106 - Allow samba-dcerpcd connect to systemd_machined over a unix socket Resolves: rhbz#2107106 - Dontaudit targetd search httpd config dirs Resolves: rhbz#2203720- Allow unconfined service inherit signal state from init Resolves: rhbz#2177254 - Allow systemd-pstore delete kernel persistent storage files Resolves: rhbz#2181558 - Add fs_delete_pstore_files() interface Resolves: rhbz#2181558 - Allow certmonger manage cluster library files Resolves: rhbz#2177836 - Allow samba-rpcd work with passwords Resolves: rhbz#2107106 - Allow snmpd read raw disk data Resolves: rhbz#2160000 - Allow cluster_t dbus chat with various services Resolves: rhbz#2196524- Add unconfined_server_read_semaphores() interface Resolves: rhbz#2183351 - Allow systemd-pstore read kernel persistent storage files Resolves: rhbz#2181558 - Add fs_read_pstore_files() interface Resolves: rhbz#2181558 - Allow insights-client work with teamdctl Resolves: rhbz#2185158 - Allow insights-client read unconfined service semaphores Resolves: rhbz#2183351 - Allow insights-client get quotas of all filesystems Resolves: rhbz#2183351- Allow login_pgm setcap permission Resolves: rhbz#2172541 - Label /run/fsck with fsadm_var_run_t Resolves: rhbz#2184348 - Add boolean qemu-ga to run unconfined script Resolves: rhbz#2028762 - Allow dovecot-deliver write to the main process runtime fifo files Resolves: rhbz#2170495 - Allow certmonger dbus chat with the cron system domain Resolves: rhbz#2173289 - Allow insights-client read all sysctls Resolves: rhbz#2177607- Fix opencryptoki file names in /dev/shm Resolves: rhbz#2028637 - Allow system_cronjob_t transition to rpm_script_t Resolves: rhbz#2154242 - Revert "Allow system_cronjob_t domtrans to rpm_script_t" Resolves: rhbz#2154242 - Allow httpd work with tokens in /dev/shm Resolves: rhbz#2028637 - Allow keepalived to set resource limits Resolves: rhbz#2168638 - Allow insights-client manage fsadm pid files- Allow sysadm_t run initrc_t script and sysadm_r role access Resolves: rhbz#2039662 - Allow insights-client manage fsadm pid files Resolves: rhbz#2166802 - Add journalctl the sys_resource capability Resolves: rhbz#2136189- Fix syntax problem in redis.te Resolves: rhbz#2112228 - Allow unconfined user filetransition for sudo log files Resolves: rhbz#2164047 - Allow winbind-rpcd make a TCP connection to the ldap port Resolves: rhbz#2152642 - Allow winbind-rpcd manage samba_share_t files and dirs Resolves: rhbz#2152642 - Allow insights-client work with su and lpstat Resolves: rhbz#2134125 - Allow insights-client read nvme devices Resolves: rhbz#2143878 - Allow insights-client tcp connect to all ports Resolves: rhbz#2143878 - Allow redis-sentinel execute a notification script Resolves: rhbz#2112228- Add interfaces in domain, files, and unconfined modules Resolves: rhbz#2141311 - Allow sysadm_t read/write ipmi devices Resolves: rhbz#2148561 - Allow sudodomain use sudo.log as a logfile Resolves: rhbz#2143762 - Add insights additional capabilities Resolves: rhbz#2158779 - Allow insights client work with gluster and pcp Resolves: rhbz#2141311 - Allow prosody manage its runtime socket files Resolves: rhbz#2157902 - Allow system mail service read inherited certmonger runtime files Resolves: rhbz#2143337 - Add lpr_roles to system_r roles Resolves: rhbz#2151111- Allow systemd-socket-proxyd get attributes of cgroup filesystems Resolves: rhbz#2088441 - Allow systemd-socket-proxyd get filesystems attributes Resolves: rhbz#2088441 - Allow sysadm read ipmi devices Resolves: rhbz#2148561 - Allow system mail service read inherited certmonger runtime files Resolves: rhbz#2143337 - Add lpr_roles to system_r roles Resolves: rhbz#2151111 - Allow insights-client tcp connect to various ports Resolves: rhbz#2151111 - Allow insights-client work with pcp and manage user config files Resolves: rhbz#2151111 - Allow insights-client dbus chat with various services Resolves: rhbz#2152867 - Allow insights-client dbus chat with abrt Resolves: rhbz#2152867 - Allow redis get user names Resolves: rhbz#2112228 - Add winbind-rpcd to samba_enable_home_dirs boolean Resolves: rhbz#2143696- Allow ipsec_t only read tpm devices Resolves: rhbz#2147380 - Allow ipsec_t read/write tpm devices Resolves: rhbz#2147380 - Label udf tools with fsadm_exec_t Resolves: rhbz#1972230 - Allow the spamd_update_t domain get generic filesystem attributes Resolves: rhbz#2144501 - Allow cdcc mmap dcc-client-map files Resolves: rhbz#2144505 - Allow insights client communicate with cupsd, mysqld, openvswitch, redis Resolves: rhbz#2143878 - Allow insights client read raw memory devices Resolves: rhbz#2143878 - Allow winbind-rpcd get attributes of device and pty filesystems Resolves: rhbz#2107106 - Allow postfix/smtpd read kerberos key table Resolves: rhbz#1983308- Add domain_unix_read_all_semaphores() interface Resolves: rhbz#2141311 - Allow iptables list cgroup directories Resolves: rhbz#2134820 - Allow systemd-hostnamed dbus chat with init scripts Resolves: rhbz#2111632 - Allow systemd to read symlinks in /var/lib Resolves: rhbz#2118784 - Allow insights-client domain transition on semanage execution Resolves: rhbz#2141311 - Allow insights-client create gluster log dir with a transition Resolves: rhbz#2141311 - Allow insights-client manage generic locks Resolves: rhbz#2141311 - Allow insights-client unix_read all domain semaphores Resolves: rhbz#2141311 - Allow winbind-rpcd use the terminal multiplexor Resolves: rhbz#2107106 - Allow mrtg send mails Resolves: rhbz#2103675 - Allow sssd dbus chat with system cronjobs Resolves: rhbz#2132922 - Allow postfix/smtp and postfix/virtual read kerberos key table Resolves: rhbz#1983308- Add the systemd_connectto_socket_proxyd_unix_sockets() interface Resolves: rhbz#208441 - Add the dev_map_vhost() interface Resolves: rhbz#2122920 - Allow init remount all file_type filesystems Resolves: rhbz#2122239 - added policy for systemd-socket-proxyd Resolves: rhbz#2088441 - Allow virt_domain map vhost devices Resolves: rhbz#2122920 - Allow virt domains to access xserver devices Resolves: rhbz#2122920 - Allow rotatelogs read httpd_log_t symlinks Resolves: rhbz#2030633 - Allow vlock search the contents of the /dev/pts directory Resolves: rhbz#2122838 - Allow system cronjobs dbus chat with setroubleshoot Resolves: rhbz#2125008 - Allow ptp4l_t name_bind ptp_event_port_t Resolves: rhbz#2130168 - Allow pcp_domain execute its private memfd: objects Resolves: rhbz#2090711 - Allow samba-dcerpcd use NSCD services over a unix stream socket Resolves: rhbz#2121709 - Allow insights-client manage samba var dirs Resolves: rhbz#2132230- Add the files_map_read_etc_files() interface Resolves: rhbz#2132230 - Allow insights-client manage samba var dirs Resolves: rhbz#2132230 - Allow insights-client send null signal to rpm and system cronjob Resolves: rhbz#2132230 - Update rhcd policy for executing additional commands 4 Resolves: rhbz#2132230 - Allow insights-client connect to postgresql with a unix socket Resolves: rhbz#2132230 - Allow insights-client domtrans on unix_chkpwd execution Resolves: rhbz#2132230 - Add file context entries for insights-client and rhc Resolves: rhbz#2132230 - Allow snmpd_t domain to trace processes in user namespace Resolves: rhbz#2121084 - Allow sbd the sys_ptrace capability Resolves: rhbz#2124552 - Allow pulseaudio create gnome content (~/.config) Resolves: rhbz#2124387- Allow unconfined_service_t insights client content filetrans Resolves: rhbz#2119507 - Allow nsswitch_domain to connect to systemd-machined using a unix socket Resolves: rhbz#2119507 - Add init_status_all_script_files() interface Resolves: rhbz#2119507 - Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces Resolves: rhbz#2119507 - Update insights-client policy for additional commands execution 5 Resolves: rhbz#2119507 - Confine insights-client systemd unit Resolves: rhbz#2119507 - Update insights-client policy for additional commands execution 4 Resolves: rhbz#2119507 - Change rhsmcertd_t to insights_client_t in insights-client policy Resolves: rhbz#2119507 - Allow insights-client send signull to unconfined_service_t Resolves: rhbz#2119507 - Update insights-client policy for additional commands execution 3 Resolves: rhbz#2119507 - Allow journalctl read init state Resolves: rhbz#2119507 - Update insights-client policy for additional commands execution 2 Resolves: rhbz#2119507- Label 319/udp port with ptp_event_port_t Resolves: rhbz#2118628 - Allow unconfined and sysadm users transition for /root/.gnupg Resolves: rhbz#2119507 - Add the kernel_read_proc_files() interface Resolves: rhbz#2119507 - Add userdom_view_all_users_keys() interface Resolves: rhbz#2119507 - Allow system_cronjob_t domtrans to rpm_script_t Resolves: rhbz#2118362 - Allow smbd_t process noatsecure permission for winbind_rpcd_t Resolves: rhbz#2117199 - Allow chronyd bind UDP sockets to ptp_event ports Resolves: rhbz#2118628 - Allow samba-bgqd to read a printer list Resolves: rhbz#2118958 - Add gpg_filetrans_admin_home_content() interface Resolves: rhbz#2119507 - Update insights-client policy for additional commands execution Resolves: rhbz#2119507 - Allow gpg read and write generic pty type Resolves: rhbz#2119507 - Allow chronyc read and write generic pty type Resolves: rhbz#2119507 - Disable rpm verification on interface_info Resolves: rhbz#2119472- Allow networkmanager to signal unconfined process Resolves: rhbz#1918148 - Allow sa-update to get init status and start systemd files Resolves: rhbz#2011239 - Allow samba-bgqd get a printer list Resolves: rhbz#2114737 - Allow insights-client rpm named file transitions Resolves: rhbz#2104913 - Add /var/tmp/insights-archive to insights_client_filetrans_named_content Resolves: rhbz#2104913 - Use insights_client_filetrans_named_content Resolves: rhbz#2104913 - Make default file context match with named transitions Resolves: rhbz#2104913 - Allow rhsmcertd to read insights config files Resolves: rhbz#2104913 - Label /etc/insights-client/machine-id Resolves: rhbz#2104913- Do not call systemd_userdbd_stream_connect() for winbind-rpcd Resolves: rhbz#2108383 - Update winbind_rpcd_t Resolves: rhbz#2108383 - Allow irqbalance file transition for pid sock_files and directories Resolves: rhbz#2111916 - Update irqbalance runtime directory file context Resolves: rhbz#2111916- Update samba-dcerpcd policy for kerberos usage 2 Resolves: rhbz#2096825- Allow domain read usermodehelper state information Resolves: rhbz#2083504 - Remove all kernel_read_usermodehelper_state() interface calls Resolves: rhbz#2083504 - Allow samba-dcerpcd work with sssd Resolves: rhbz#2096825 - Allow winbind_rpcd_t connect to self over a unix_stream_socket Resolves: rhbz#2096825 - Update samba-dcerpcd policy for kerberos usage Resolves: rhbz#2096825 - Allow keepalived read the contents of the sysfs filesystem Resolves: rhbz#2098189 - Update policy for samba-dcerpcd Resolves: rhbz#2083504 - Remove all kernel_read_usermodehelper_state() interface calls 2/2 Resolves: rhbz#2083504 - Update insights_client_filetrans_named_content() Resolves: rhbz#2091117- Allow transition to insights_client named content Resolves: rhbz#2091117 - Add the insights_client_filetrans_named_content() interface Resolves: rhbz#2091117 - Update policy for insights-client to run additional commands 3 Resolves: rhbz#2091117- Add the init_status_config_transient_files() interface Resolves: rhbz#2091117 - Allow init_t to rw insights_client unnamed pipe Resolves: rhbz#2091117 - Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling Resolves: rhbz#2091117 - Allow insights-client get status of the systemd transient scripts Resolves: rhbz#2091117 - Allow insights-client execute its private memfd: objects Resolves: rhbz#2091117 - Update policy for insights-client to run additional commands 2 Resolves: rhbz#2091117 - Do not call systemd_userdbd_stream_connect() for insights-client Resolves: rhbz#2091117 - Use insights_client_tmp_t instead of insights_client_var_tmp_t Resolves: rhbz#2091117 - Change space indentation to tab in insights-client Resolves: rhbz#2091117 - Use socket permissions sets in insights-client Resolves: rhbz#2091117 - Update policy for insights-client to run additional commands Resolves: rhbz#2091117 - Change rpm_setattr_db_files() to use a pattern Resolves: rhbz#2091117 - Add rpm setattr db files macro Resolves: rhbz#2091117 - Fix insights client Resolves: rhbz#2091117 - Do not let system_cronjob_t create redhat-access-insights.log with var_log_t Resolves: rhbz#2091117- Update logging_create_generic_logs() to use create_files_pattern() Resolves: rhbz#2081907 - Add the auth_read_passwd_file() interface Resolves: rhbz#2083504 - Allow auditd_t noatsecure for a transition to audisp_remote_t Resolves: rhbz#2081907 - Add support for samba-dcerpcd Resolves: rhbz#2083504 - Allow rhsmcertd create generic log files Resolves: rhbz#1852086 - Allow ctdbd nlmsg_read on netlink_tcpdiag_socket Resolves: rhbz#2090800- Allow ifconfig_t domain to manage vmware logs Resolves: rhbz#1721943 - Allow insights-client manage gpg admin home content Resolves: rhbz#2060834 - Add the gpg_manage_admin_home_content() interface Resolves: rhbz#2060834 - Label /var/cache/insights with insights_client_cache_t Resolves: rhbz#2063195 - Allow insights-client search gconf homedir Resolves: rhbz#2087069 - Allow insights-client create and use unix_dgram_socket Resolves: rhbz#2087069 - Label more vdsm utils with virtd_exec_t Resolves: rhbz#2063871 - Label /usr/libexec/vdsm/supervdsmd and vdsmd with virtd_exec_t Resolves: rhbz#2063871 - Allow sblim-gatherd the kill capability Resolves: rhbz#2082677 - Allow privoxy execmem Resolves: rhbz#2083940- Allow sysadm user execute init scripts with a transition Resolves: rhbz#2039662 - Change invalid type redisd_t to redis_t in redis_stream_connect() Resolves: rhbz#1897517 - Allow php-fpm write access to /var/run/redis/redis.sock Resolves: rhbz#1897517 - Allow sssd read systemd-resolved runtime directory Resolves: rhbz#2060721 - Allow postfix stream connect to cyrus through runtime socket Resolves: rhbz#2066005 - Allow insights-client create_socket_perms for tcp/udp sockets Resolves: rhbz#2073395 - Allow insights-client read rhnsd config files Resolves: rhbz#2073395 - Allow sblim-sfcbd connect to sblim-reposd stream Resolves: rhbz#2075810 - Allow rngd drop privileges via setuid/setgid/setcap Resolves: rhbz#2076641 - Allow rngd_t domain to use nsswitch Resolves: rhbz#2076641- Create macro corenet_icmp_bind_generic_node() Resolves: rhbz#2070870 - Allow traceroute_t and ping_t to bind generic nodes. Resolves: rhbz#2070870 - Allow administrative users the bpf capability Resolves: rhbz#2070983 - Allow insights-client search rhnsd configuration directory Resolves: rhbz#2073395 - Allow ntlm_auth read the network state information Resolves: rhbz#2073349 - Allow keepalived setsched and sys_nice Resolves: rhbz#2008033 - Revert "Allow administrative users the bpf capability" Resolves: rhbz#2070983- Add interface rpc_manage_exports Resolves: rhbz#2062183 - Allow sshd read filesystem sysctl files Resolves: rhbz#2061403 - Update targetd nfs & lvm Resolves: rhbz#2062183 - Allow dhcpd_t domain to read network sysctls. Resolves: rhbz#2059509 - Allow chronyd talk with unconfined user over unix domain dgram socket Resolves: rhbz#2065313 - Allow fenced read kerberos key tables Resolves: rhbz#1964839- Allow hostapd talk with unconfined user over unix domain dgram socket Resolves: rhbz#2068007- Allow chronyd send a message to sosreport over datagram socket - Allow systemd-logind dbus chat with sosreport Resolves: rhbz#2062607- Allow systemd-networkd dbus chat with sosreport Resolves: rhbz#1949493 - Allow sysadm_passwd_t to relabel passwd and group files Resolves: rhbz#2053457 - Allow confined sysadmin to use tool vipw Resolves: rhbz#2053457 - Allow sosreport dbus chat with abrt and timedatex Resolves: rhbz#1949493 - Remove unnecessary /etc file transitions for insights-client Resolves: rhbz#2031853 - Label all content in /var/lib/insights with insights_client_var_lib_t Resolves: rhbz#2031853 - Update insights-client policy Resolves: rhbz#2031853 - Update insights-client: fc pattern, motd, writing to etc Resolves: rhbz#2031853 - Remove permissive domain for insights_client_t Resolves: rhbz#2031853 - New policy for insight-client Resolves: rhbz#2031853 - Add the insights_client module Resolves: rhbz#2031853 - Update specfile to buildrequire policycoreutils-devel >= 2.9-19 - Add modules_checksum to %files- Allow postfix_domain read dovecot certificates 1/2 Resolves: rhbz#2043599 - Dontaudit dirsrv search filesystem sysctl directories 1/2 Resolves: rhbz#2042568 - Allow chage domtrans to sssd Resolves: rhbz#2054718 - Allow postfix_domain read dovecot certificates 2/2 Resolves: rhbz#2043599 - Allow ctdb create cluster logs Resolves: rhbz#2049481 - Allow alsa bind mixer controls to led triggers Resolves: rhbz#2049730 - Allow alsactl set group Process ID of a process Resolves: rhbz#2049730 - Dontaudit mdadm list dirsrv tmpfs dirs Resolves: rhbz#2011174 - Dontaudit dirsrv search filesystem sysctl directories 2/2 Resolves: rhbz#2042568 - Revert "Label NetworkManager-dispatcher service with separate context" Related: rhbz#1989070 - Revert "Allow NetworkManager-dispatcher dbus chat with NetworkManager" Related: rhbz#1989070- Allow NetworkManager-dispatcher dbus chat with NetworkManager Resolves: rhbz#1989070- Fix badly indented used interfaces Resolves: rhbz#2030156 - Allow domain transition to sssd_t 1/2 Resolves: rhbz#2022690 - Allow confined users to use kinit,klist and etc. Resolves: rhbz#2026598 - Allow login_userdomain open/read/map system journal Resolves: rhbz#2046481 - Allow init read stratis data symlinks 2/2 Resolves: rhbz#2048514 - Label new utility of NetworkManager nm-priv-helper Resolves: rhbz#1986076 - Label NetworkManager-dispatcher service with separate context Resolves: rhbz#1989070 - Allow domtrans to sssd_t and role access to sssd Resolves: rhbz#2030156 - Creating interface sssd_run_sssd() Resolves: rhbz#2030156 - Allow domain transition to sssd_t 2/2 Resolves: rhbz#2022690 - Allow timedatex dbus chat with xdm Resolves: rhbz#2040214 - Associate stratisd_data_t with device filesystem Resolves: rhbz#2048514 - Allow init read stratis data symlinks 1/2 Resolves: rhbz#2048514 - Allow rhsmcertd create rpm hawkey logs with correct label Resolves: rhbz#1949871- Allow NetworkManager talk with unconfined user over unix domain dgram socket Resolves: rhbz#2044048 - Allow system_mail_t read inherited apache system content rw files Resolves: rhbz#1988339 - Add apache_read_inherited_sys_content_rw_files() interface Related: rhbz#1988339 - Allow rhsm-service execute its private memfd: objects Resolves: rhbz#2029873 - Allow dirsrv read configfs files and directories Resolves: rhbz#2042568 - Label /run/stratisd with stratisd_var_run_t Resolves: rhbz#1879585 - Fix path for excluding container.if from selinux-policy-devel Resolves: rhbz#1861968- Revert "Label /etc/cockpit/ws-certs.d with cert_t" Related: rhbz#1907473- Set default file context for /sys/firmware/efi/efivars Resolves: rhbz#2039458 - Allow sysadm_t start and stop transient services Resolves: rhbz#2031065 - Label /etc/cockpit/ws-certs.d with cert_t Resolves: rhbz#1907473 - Allow smbcontrol read the network state information Resolves: rhbz#2033873 - Allow rhsm-service read/write its private memfd: objects Resolves: rhbz#2029873 - Allow fcoemon request the kernel to load a module Resolves: rhbz#1940317 - Allow radiusd connect to the radacct port Resolves: rhbz#2038955 - Label /var/lib/shorewall6-lite with shorewall_var_lib_t Resolves: rhbz#2041447 - Exclude container.if from selinux-policy-devel Resolves: rhbz#1861968- Allow sysadm execute sysadmctl in sysadm_t domain using sudo Resolves: rhbz#2013749 - Allow local_login_t get attributes of tmpfs filesystems Resolves: rhbz#2015539 - Allow local_login_t get attributes of filesystems with ext attributes Resolves: rhbz#2015539 - Allow local_login_t domain to getattr cgroup filesystem Resolves: rhbz#2015539 - Allow systemd read unlabeled symbolic links Resolves: rhbz#2021835 - Allow userdomains use pam_ssh_agent_auth for passwordless sudo Resolves: rhbz#1917879 - Allow sudodomains execute passwd in the passwd domain Resolves: rhbz#1943572 - Label authcompat.py with authconfig_exec_t Resolves: rhbz#1919122 - Dontaudit pkcsslotd sys_admin capability Resolves: rhbz#2021887 - Allow lldpd connect to snmpd with a unix domain stream socket Resolves: rhbz#1991029- Allow unconfined_t to node_bind icmp_sockets in node_t domain Resolves: rhbz#2025445 - Allow rhsmcertd get attributes of tmpfs_t filesystems Resolves: rhbz#2015820 - The nfsdcld service is now confined by SELinux Resolves: rhbz#2026588 - Allow smbcontrol use additional socket types Resolves: rhbz#2027740 - Allow lldpd use an snmp subagent over a tcp socket Resolves: rhbz#2028379- Allow sysadm_t read/write pkcs shared memory segments Resolves: rhbz#1965251 - Allow sysadm_t connect to sanlock over a unix stream socket Resolves: rhbz#1965251 - Allow sysadm_t dbus chat with sssd Resolves: rhbz#1965251 - Allow sysadm_t set attributes on character device nodes Resolves: rhbz#1965251 - Allow sysadm_t read and write watchdog devices Resolves: rhbz#1965251 - Allow sysadm_t connect to cluster domains over a unix stream socket Resolves: rhbz#1965251 - Allow sysadm_t dbus chat with tuned 2/2 Resolves: rhbz#1965251 - Update userdom_exec_user_tmp_files() with an entrypoint rule Resolves: rhbz#1920883 - Allow sudodomain send a null signal to sshd processes Resolves: rhbz#1966945 - Allow sysadm_t dbus chat with tuned 1/2 Resolves: rhbz#1965251 - Allow cloud-init dbus chat with systemd-logind Resolves: rhbz#2009769 - Allow svnserve send mail from the system Resolves: rhbz#2004843 - Allow svnserve_t domain to read system state Resolves: rhbz#2004843- VQP: Include IANA-assigned TCP/1589 Resolves: rhbz#1924038 - Label port 3785/udp with bfd_echo Resolves: rhbz#1924038 - Allow sysadm_t dbus chat with realmd_t Resolves: rhbz#2000488 - Support sanlock VG automated recovery on storage access loss 1/2 Resolves: rhbz#1985000 - Revert "Support sanlock VG automated recovery on storage access loss" Resolves: rhbz#1985000 - Support sanlock VG automated recovery on storage access loss Resolves: rhbz#1985000 - radius: Lexical sort of service-specific corenet rules by service name Resolves: rhbz#1924038 - radius: Allow binding to the BDF Control and Echo ports Resolves: rhbz#1924038 - radius: Allow binding to the DHCP client port Resolves: rhbz#1924038 - radius: Allow net_raw; allow binding to the DHCP server ports Resolves: rhbz#1924038 - Support hitless reloads feature in haproxy Resolves: rhbz#2015423 - Allow redis get attributes of filesystems with extended attributes Resolves: rhbz#2015435 - Support sanlock VG automated recovery on storage access loss 2/2 Resolves: rhbz#1985000 - Revert "Support sanlock VG automated recovery on storage access loss" Resolves: rhbz#1985000- Support sanlock VG automated recovery on storage access loss Resolves: rhbz#1985000 - Allow proper function sosreport in sysadmin role Resolves: rhbz#1965251 - Allow systemd execute user bin files Resolves: rhbz#1860443 - Label /dev/crypto/nx-gzip with accelerator_device_t Resolves: rhbz#2011166 - Allow ipsec_t and login_userdomain named file transition in tmpfs Resolves: rhbz#2001599 - Support sanlock VG automated recovery on storage access loss Resolves: rhbz#1985000 - Allow proper function sosreport via iotop Resolves: rhbz#1965251 - Call pkcs_tmpfs_named_filetrans for certmonger Resolves: rhbz#2001599 - Allow ibacm the net_raw and sys_rawio capabilities Resolves: rhbz#2010644 - Support new PING_CHECK health checker in keepalived Resolves: rhbz#2010873 - Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script Resolves: rhbz#2011239- Allow unconfined domains to bpf all other domains Resolves: rhbz#1991443 - Allow vmtools_unconfined_t domain transition to rpm_script_t Resolves: rhbz#1872245 - Allow unbound connectto unix_stream_socket Resolves: rhbz#1905441 - Label /usr/sbin/virtproxyd as virtd_exec_t Resolves: rhbz#1854332 - Allow postfix_domain to sendto unix dgram sockets. Resolves: rhbz#1920521- Allow rhsmcertd_t dbus chat with anaconda install_t Resolves: rhbz#2004990- Introduce xdm_manage_bootloader booelan Resolves: rhbz#1994096 - Rename samba_exec() to samba_exec_net() Resolves: rhbz#1855215 - Allow sssd to set samba setting Resolves: rhbz#1855215 - Allow dirsrv read slapd tmpfs files Resolves: rhbz#1843238 - Allow rhsmcertd to create cache file in /var/cache/cloud-what Resolves: rhbz#1994718- Label /usr/bin/Xwayland with xserver_exec_t Resolves: rhbz#1984584 - Label /usr/libexec/gdm-runtime-config with xdm_exec_t Resolves: rhbz#1984584 - Allow D-bus communication between avahi and sosreport Resolves: rhbz#1916397 - Allow lldpad send to kdumpctl over a unix dgram socket Resolves: rhbz#1979121 - Revert "Allow lldpad send to kdump over a unix dgram socket" Resolves: rhbz#1979121 - Allow chronyc respond to a user chronyd instance Resolves: rhbz#1993104 - Allow ptp4l respond to pmc Resolves: rhbz#1993104 - Allow lldpad send to unconfined_t over a unix dgram socket Resolves: rhbz#1993270- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory" Resolves: rhbz#1887739 - Allow sysadm to read/write scsi files and manage shadow Resolves: rhbz#1956302 - Allow rhsmcertd execute gpg Resolves: rhbz#1887572 - Allow lldpad send to kdump over a unix dgram socket Resolves: rhbz#1979121 - Remove glusterd SELinux module from distribution policy Resolves: rhbz#1816718- Allow login_userdomain read and map /var/lib/systemd files Resolves: rhbz#1965251 - Allow sysadm acces to kernel module resources Resolves: rhbz#1965251 - Allow sysadm to read/write scsi files and manage shadow Resolves: rhbz#1965251 - Allow sysadm access to files_unconfined and bind rpc ports Resolves: rhbz#1965251 - Allow sysadm read and view kernel keyrings Resolves: rhbz#1965251 - Allow bootloader to read tuned etc files Resolves: rhbz#1965251 - Update the policy for systemd-journal-upload Resolves: rhbz#1913414 - Allow journal mmap and read var lib files Resolves: rhbz#1965251 - Allow tuned to read rhsmcertd config files Resolves: rhbz#1965251 - Allow bootloader to read tuned etc files Resolves: rhbz#1965251 - Confine rhsm service and rhsm-facts service as rhsmcertd_t Resolves: rhbz#1846081 - Allow virtlogd_t read process state of user domains Resolves: rhbz#1797899 - Allow cockpit_ws_t get attributes of fs_t filesystems Resolves: rhbz#1979182- Add the unconfined_dgram_send() interface Resolves: rhbz#1978562 - Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern() Resolves: rhbz#1936522 - Add checkpoint_restore cap2 capability Resolves: rhbz#1973325 - Allow fcoemon talk with unconfined user over unix domain datagram socket Resolves: rhbz#1978562 - Allow hostapd bind UDP sockets to the dhcpd port Resolves: rhbz#1977676 - Allow NetworkManager read and write z90crypt device Resolves: rhbz#1938203 - Allow abrt_domain read and write z90crypt device Resolves: rhbz#1938203 - Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t Resolves: rhbz#1937111 - Allow mdadm read iscsi pid files Resolves: rhbz#1924716- Allow dyntransition from sshd_t to unconfined_t Resolves: rhbz#1947841- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template Resolves: rhbz#1947841 - Allow transition from xdm domain to unconfined_t domain. Resolves: rhbz#1947841 - Allow nftables read NetworkManager unnamed pipes Resolves: rhbz#1967857 - Create a policy for systemd-journal-upload Resolves: rhbz#1913414 - Add dev_getattr_infiniband_dev() interface. Resolves: rhbz#1972522 - Allow tcpdump and nmap get attributes of infiniband_device_t Resolves: rhbz#1972522 - Allow fcoemon create sysfs files Resolves: rhbz#1978562 - Allow nftables read NetworkManager unnamed pipes Resolves: rhbz#1967857 - Allow radius map its library files Resolves: rhbz#1854650 - Allow arpwatch get attributes of infiniband_device_t devices Resolves: rhbz#1936522- Allow systemd-sleep get attributes of fixed disk device nodes Resolves: rhbz#1931460 - Allow systemd-sleep create hardware state information files Resolves: rhbz#1968610 - virtiofs supports Xattrs and SELinux Resolves: rhbz#1899703 - Label 4460/tcp port as ntske_port_t Resolves: rhbz#1961207 - Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro. Resolves: rhbz#1961207 - Allow chronyd_t to accept and make NTS-KE connections Resolves: rhbz#1961207 - Dontaudit NetworkManager write to initrc_tmp_t pipes Resolves: rhbz#1963162 - Allow logrotate rotate container log files Resolves: rhbz#1892170 - Allow rhsmd read process state of all domains and kernel threads Resolves: rhbz#1878020- Allow nmap create and use rdma socket Resolves: rhbz#1844530 - Label /.k5identity file allow read of this file to rpc.gssd Resolves: rhbz#1951093 - Label /var/lib/kdump with kdump_var_lib_t Resolves: rhbz#1965985 - Label /run/libvirt/common with virt_common_var_run_t Resolves: rhbz#1966842- Allow using opencryptoki for ipsec Resolves: rhbz#1894132 - Remove all kernel_getattr_proc() interface calls Resolves: rhbz#1967125 - Allow domain stat /proc filesystem Resolves: rhbz#1967125 - Allow pkcs-slotd create and use netlink_kobject_uevent_socket Resolves: rhbz#1969725 - Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans() Resolves: rhbz#1894132 - Allow using opencryptoki for certmonger Resolves: rhbz#1894132 - install_t: Allow NoNewPriv transition from systemd Resolves: rhbz#1955547 - Remove all kernel_getattr_proc() interface calls Resolves: rhbz#1967125 - Allow httpd_sys_script_t read, write, and map hugetlbfs files Resolves: rhbz#1966133- Add /var/usrlocal equivalency rule Resolves: rhbz#1943381 - Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t Resolves: rhbz#1943381 - Label /dev/trng with random_device_t Resolves: rhbz#1934483 - Allow systemd-sleep transition to sysstat_t Resolves: rhbz#1927551 - Allow systemd-sleep transition to tlp_t Resolves: rhbz#1927551 - Allow systemd-sleep transition to unconfined_service_t on bin_t executables Resolves: rhbz#1927551 - Allow systemd-sleep execute generic programs Resolves: rhbz#1948070 - Allow systemd-sleep execute shell Resolves: rhbz#1954358 - Allow nsswitch_domain read init pid lnk_files Resolves: rhbz#1860924 - Introduce logging_syslogd_list_non_security_dirs tunable Resolves: rhbz#1823669 - Add sysstat_domtrans() to allow systemd-sleep transition to sysstat_t Resolves: rhbz#1927551 - Change param description in cron interfaces to userdomain_prefix Resolves: rhbz#1801249 - Add missing declaration in rpm_named_filetrans() Resolves: rhbz#1801249- Allow pluto IKEv2 / ESP over TCP Resolves: rhbz#1931848 - Label SDC(scini) Dell Driver Resolves: rhbz#1936882 - Add file context specification for /var/tmp/tmp-inst Resolves: rhbz#1919253 - Allow virtlogd_t to create virt_var_lockd_t dir Resolves: rhbz#1941464 - Allow cups-lpd read its private runtime socket files Resolves: rhbz#1919399- Allow systemd the audit_control capability conditionally Resolves: rhbz#1861771- Disallow user_t run su/sudo and staff_t run su Resolves: rhbz#1907517- Relabel /usr/sbin/charon-systemd as ipsec_exec_t Resolves: rhbz#1889542- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context Resolves: rhbz#1874527 Resolves: rhbz#1877044 - Allow rhsmcertd bind tcp sockets to a generic node Resolves: rhbz#1923985 - Allow ipsec_mgmt_t mmap ipsec_conf_file_t files Resolves: rhbz#1889542 - Allow strongswan start using swanctl method Resolves: rhbz#1889542 - Allow systemd-importd manage machines.lock file Resolves: rhbz#1788055- Allow rtkit_daemon_t domain set process nice value in user namespaces Resolves: rhbz#1910507 - Allow gpsd read and write ptp4l_t shared memory. Resolves: rhbz#1803845 - Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type Resolves: rhbz#1804626 - Allow Certmonger to use opencryptoki services Resolves: rhbz#1894132 - Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm Resolves: rhbz#1815603 - Allow rhsmcertd_t read kpatch lib files Resolves: rhbz#1895322 - Allow ipsec_t connectto ipsec_mgmt_t Resolves: rhbz#1848355 - Allow IPsec to use opencryptoki services Resolves: rhbz#1894132 - Allow systemd-importd create /run/systemd/machines.lock file Resolves: rhbz#1788055- Allow rhsmcertd_t domain transition to kpatch_t Resolves: rhbz#1895322 - Revert "Add kpatch_exec() interface" Resolves: rhbz#1895322 - Revert "Allow rhsmcertd execute kpatch" Resolves: rhbz#1895322 - Dontaudit NetworkManager_t domain to write to kdump temp pipies Resolves: rhbz#1842897 - Allow NetworkManager_t domain to get status of samba services Resolves: rhbz#1781806 - Allow openvswitch create and use xfrm netlink sockets Resolves: rhbz#1916046 - Allow openvswitch_t perf_event write permission Resolves: rhbz#1916046 - Add write_perf_event_perms object permission set Related: rhbz#1916046- Add kpatch_exec() interface Resolves: rhbz#1895322 - Allow rhsmcertd execute kpatch Resolves: rhbz#1895322 - Allow openvswitch_t perf_event open permission Resolves: rhbz#1916046 - Allow openvswitch fowner capability and create netlink sockets Resolves: rhbz#1883980 - Add net_broadcast capability to openvswitch_t domain Resolves: rhbz#1883980 - Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files Resolves: rhbz#1883980 - Allow machinectl to run pull-tar Resolves: rhbz#1788055- Allow wireshark create and use rdma socket Resolves: rhbz#1844370 - Allow to use nnp_transition in pulseaudio_role Resolves: rhbz#1854471 - Allow certmonger fsetid capability Resolves: rhbz#1873211 - Add rsync_sys_admin tunable to allow rsync sys_admin capability Resolves: rhbz#1889673 - Allow sysadm read and write /dev/rfkill Resolves: rhbz#1831630 - Allow staff_u run pam_console_apply Resolves: rhbz#1817690 - Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t Resolves: rhbz#1907485- Add cron_dbus_chat_system_job() interface Resolves: rhbz#1883906 - Dontaudit firewalld dac_override capability Resolves: rhbz#1759010 - Allow tcsd the setgid capability Resolves: rhbz#1898694 - Allow timedatex dbus chat with cron system domain Resolves: rhbz#1883906 - Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain Resolves: rhbz#1854299 - Allow pcp-pmcd manage perf_events Resolves: rhbz#1901958 - Label /dev/isst_interface as cpu_device_t Resolves: rhbz#1902227 - Allow ipsec set the context of a SPD entry to the default context Resolves: rhbz#1880474 - Allow sysadm_u user and unconfined_domain_type manage perf_events Resolves: rhbz#1901958 - Add manage_perf_event_perms object permissions set Resolves: rhbz#1901958 - Add perf_event access vectors. Resolves: rhbz#1901958 - Remove "ipa = module" from modules-targeted-contrib.conf Resolves: rhbz#1461914- Allow kexec manage generic tmp files Resolves: rhbz#1896424 - Update systemd-sleep policy Resolves: rhbz#1850177 - Add groupadd_t fowner capability Resolves: rhbz#1884179- Allow dovecot bind to smtp ports Resolves: rhbz#1881884 - Change fetchmail temporary files path to /var/spool/mail Resolves: rhbz#1853389 - Set file context for symlinks in /etc/httpd to etc_t Resolves: rhbz#1900650 - Allow dnsmasq read public files Resolves: rhbz#1782539 - Fix range for unreserved ports Resolves: rhbz#1794531 - Introduce logging_syslogd_append_public_content tunable Resolves: rhbz#1823672 - Add files_search_non_security_dirs() interface Resolves: rhbz#1823672 - Add miscfiles_append_public_files() interface Resolves: rhbz#1823672- Let keepalived bind a raw socket Resolves: rhbz#1895130 - Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid Resolves: rhbz#1853389 - Allow arpwatch create and use rdma socket Resolves: rhbz#1843409 - Set correct default file context for /usr/libexec/pcp/lib/* Resolves: rhbz#1886369 - Allow systemd-logind manage efivarfs files Resolves: rhbz#1869979 - Allow systemd_resolved_t to read efivarfs Resolves: rhbz#1869979 - Allow systemd_modules_load_t to read efivarfs Resolves: rhbz#1869979 - Allow read efivarfs_t files by domains executing systemctl file Resolves: rhbz#1869979 - Introduce systemd_read_efivarfs_type attribute Resolves: rhbz#1869979- Allow init dbus chat with kernel Resolves: rhbz#1694681 - Confine systemd-sleep service Resolves: rhbz#1850177 - Add default file context for /usr/libexec/pcp/lib/* Resolves: rhbz#1886369 - Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability Resolves: rhbz#1873658 - Add fstools_rw_swap_files() interface Resolves: rhbz#1850177- Allow plymouth sys_chroot capability Resolves: rhbz#1869814- Allow certmonger fowner capability Resolves: rhbz#1870596 - Define named file transition for saslauthd on /tmp/krb5_0.rcache2 Resolves: rhbz#1870300 - Label /usr/libexec/qemu-pr-helper with virtd_exec_t Resolves: rhbz#1867115- Add ipa_helper_noatsecure() interface unconditionally Resolves: rhbz#1853432 - Conditionally allow nagios_plugin_domain dbus chat with init Resolves: rhbz#1750821 - Revert "Update allow rules set for nrpe_t domain" Resolves: rhbz#1750821 - Add ipa_helper_noatsecure() interface to ipa.if Resolves: rhbz#1853432 - Allow tomcat map user temporary files Resolves: rhbz#1857675 - Allow tomcat manage user temporary files Resolves: rhbz#1857675 - Add file context for /sys/kernel/tracing Resolves: rhbz#1847331 - Define named file transition for sshd on /tmp/krb5_0.rcache2 Resolves: rhbz#1848953- Allow kadmind manage kerberos host rcache Resolves: rhbz#1863043 - Allow virtlockd only getattr and lock block devices Resolves: rhbz#1832756 - Allow qemu-ga read all non security file types conditionally Resolves: rhbz#1747960 - Allow virtlockd manage VMs posix file locks Resolves: rhbz#1832756 - Add dev_lock_all_blk_files() interface Resolves: rhbz#1832756 - Allow systemd-logind dbus chat with fwupd Resolves: rhbz#1851932 - Update xserver_rw_session macro Resolves: rhbz#1851448- Revert "Allow qemu-kvm read and write /dev/mapper/control" This reverts commit f948eaf3d010215fc912e42013e4f88870279093. - Allow smbd get attributes of device files labeled samba_share_t Resolves: rhbz#1851816 - Allow tomcat read user temporary files Resolves: rhbz#1857675 - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain" Resolves: rhbz#1815281 - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t Resolves: rhbz#1848953 - Allow auditd manage kerberos host rcache files Resolves: rhbz#1855770- Additional support for keepalived running in a namespace Resolves: rhbz#1815281 - Allow keepalived manage its private type runtime directories Resolves: rhbz#1815281 - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists Resolves: rhbz#1853432 - Allow oddjob_t process noatsecure permission for ipa_helper_t Resolves: rhbz#1853432 - Allow domain dbus chat with systemd-resolved Resolves: rhbz#1852378 - Define file context for /var/run/netns directory only Related: rhbz#1815281- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t Resolves: rhbz#1836820- Allow virtlogd_t manage virt lib files Resolves: rhbz#1832756 - Allow pdns server to read system state Resolves: rhbz#1801214 - Support systemctl --user in machinectl Resolves: rhbz#1788616 - Allow chkpwd_t read and write systemd-machined devpts character nodes Resolves: rhbz#1788616 - Allow init_t write to inherited systemd-logind sessions pipes Resolves: rhbz#1788616 - Label systemd-growfs and systemd-makefs as fsadm_exec_t Resolves: rhbz#1820798 - Allow staff_u and user_u setattr generic usb devices Resolves: rhbz#1783325 - Allow sysadm_t dbus chat with accountsd Resolves: rhbz#1828809- Fix description tag for the sssd_connect_all_unreserved_ports tunable Related: rhbz#1826748 - Allow journalctl process set its resource limits Resolves: rhbz#1825894 - Add sssd_access_kernel_keys tunable to conditionally access kernel keys Resolves: rhbz#1802062 - Make keepalived work with network namespaces Resolves: rhbz#1815281 - Create sssd_connect_all_unreserved_ports boolean Resolves: rhbz#1826748 - Allow hypervkvpd to request kernel to load a module Resolves: rhbz#1842414 - Allow systemd_private_tmp(dirsrv_tmp_t) Resolves: rhbz#1836820 - Allow radiusd connect to gssproxy over unix domain stream socket Resolves: rhbz#1813572 - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' Resolves: rhbz#1832231 - Modify kernel_rw_key() not to include append permission Related: rhbz#1802062 - Add kernel_rw_key() interface to access to kernel keyrings Related: rhbz#1802062 - Modify systemd_delete_private_tmp() to use delete_*_pattern macros Resolves: rhbz#1836820 - Allow systemd-modules to load kernel modules Resolves: rhbz#1823246 - Add cachefiles_dev_t as a typealias to cachefiles_device_t Resolves: rhbz#1814796- Remove files_mmap_usr_files() call for particular domains Related: rhbz#1801214 - Allow dirsrv_t list cgroup directories Resolves: rhbz#1836795 - Create the kerberos_write_kadmind_tmp_files() interface Related: rhbz#1841488 - Allow realmd_t dbus chat with accountsd_t Resolves: rhbz#1792895 - Allow nagios_plugin_domain execute programs in bin directories Resolves: rhbz#1815621 - Update allow rules set for nrpe_t domain Resolves: rhbz#1750821 - Allow Gluster mount client to mount files_type Resolves: rhbz#1753626 - Allow qemu-kvm read and write /dev/mapper/control Resolves: rhbz#1835909 - Introduce logrotate_use_cifs boolean Resolves: rhbz#1795923 - Allow ptp4l_t sys_admin capability to run bpf programs Resolves: rhbz#1759214 - Allow rhsmd mmap /etc/passwd Resolves: rhbz#1814644 - Remove files_mmap_usr_files() call for systemd_localed_t Related: rhbz#1801214 - Allow domain mmap usr_t files Resolves: rhbz#1801214 - Allow libkrb5 lib read client keytabs Resolves: rhbz#1831769 - Add files_dontaudit_manage_boot_dirs() interface Related: rhbz#1803868 - Create files_create_non_security_dirs() interface Related: rhbz#1840265 - Add new interface dev_mounton_all_device_nodes() Related: rhbz#1840265 - Add new interface dev_create_all_files() Related: rhbz#1840265 - Allow sshd write to kadmind temporary files Resolves: rhbz#1841488 - Create init_create_dirs boolean to allow init create directories Resolves: rhbz#1832231 - Do not audit staff_t and user_t attempts to manage boot_t entries Resolves: rhbz#1803868 - Allow systemd to relabel all files on system. Resolves: rhbz#1818981 - Make dbus-broker service working on s390x arch Resolves: rhbz#1840265- Make boinc_var_lib_t label system mountdir attribute Resolves: rhbz#1779070 - Allow aide to be executed by systemd with correct (aide_t) domain Resolves: rhbz#1814809 - Allow chronyc_t domain to use nsswitch Resolves: rhbz#1772852 - Allow nscd_socket_use() for domains in nscd_use() unconditionally Resolves: rhbz#1772852 - Allow gluster geo-replication in rsync mode Resolves: rhbz#1831109 - Update networkmanager_read_pid_files() to allow also list_dir_perms Resolves: rhbz#1781818 - Allow associating all labels with CephFS Resolves: bz#1814689 - Allow tcpdump sniffing offloaded (RDMA) traffic Resolves: rhbz#1834773- Update radiusd policy Resolves: rhbz#1803407 - Allow sssd read NetworkManager's runtime directory Resolves: rhbz#1781818 - Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t Resolves: rhbz#1777506 - Allow ipa_helper_t to read kr5_keytab_t files Resolves: rhbz#1769423 - Add ibacm_t ipc_lock capability Resolves: rhbz#1754719 - Allow opafm_t to create and use netlink rdma sockets. Resolves: rhbz#1786670 - Allow ptp4l_t create and use packet_socket sockets Resolves: rhbz#1759214 - Update ctdbd_t policy Resolves: rhbz#1735748 - Allow glusterd synchronize between master and slave Resolves: rhbz#1824662 - Allow auditd poweroff or switch to single mode Resolves: rhbz#1826788 - Allow init_t set the nice level of all domains Resolves: rhbz#1819121 - Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1776873 - Add file context entry and file transition for /var/run/pam_timestamp Resolves: rhbz#1791957- Allow ssh-keygen create file in /var/lib/glusterd Resolves: rhbz#1816663 - Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files Resolves: rhbz#1819243 - Remove container interface calling by named_filetrans_domain. - Makefile: fix tmp/%.mod.fc target Resolves: rhbz#1821191- Allow NetworkManager read its unit files and manage services - Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t Resolves: rhbz#1806894- Update virt_read_qemu_pid_files inteface Resolves: rhbz#1782925- Allow vhostmd communication with hosted virtual machines - Add and update virt interfaces Resolves: rhbz#1782925- Dontaudit timedatex_t read file_contexts_t and validate security contexts Resolves: rhbz#1779098- Make stratisd_t domain unconfined for RHEL-8.2 Resolves: rhbz#1791557 - stratisd_t policy updates Resolves: rhbz#1791557- Label /stratis as stratisd_data_t Resolves: rhbz#1791557- Allow stratisd_t domain to read/write fixed disk devices and removable devices. Resolves: rhbz#1790795- Added macro for stratisd to chat over dbus - Add dac_override capability to stratisd_t domain - Allow userdomain to chat with stratisd over dbus. Resolves: rhbz#1787298- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory Resolves: rhbz#1778126- Allow create udp sockets for abrt_upload_watch_t domains Resolves: rhbz#1777761- Allow sssd_t domain to read kernel net sysctls Resolves: rhbz#1777042- Allow userdomain dbus chat with systemd_resolved_t Resolves: rhbz#1773463 - Allow init_t read and setattr on /var/lib/fprintd Resolves: rhbz#1781696 - Allow sysadm_t dbus chat with colord_t Resolves: rhbz#1772669 - Allow confined users run fwupdmgr Resolves: rhbz#1772619 - Allow confined users run machinectl Resolves: rhbz#1772625 - Allow systemd labeled as init_t domain to create dirs labeled as var_t Resolves: rhbz#1778126 - Allow systemd labeled as init_t domain to manage faillog_t objects Resolves: rhbz#1671019 - Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces Resolves: rhbz#1781696 - Allow pulseaudio create .config and dgram sendto to unpriv_userdomain Resolves: rhbz#1703231 - Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030) Resolves: rhbz#1777761 - Change type in transition for /var/cache/{dnf,yum} directory Resolves: rhbz#1686833 - Revert "Update zebra SELinux policy to make it work also with frr service" This reverts commit 73653250a252ad6eefcb3aae00749017e396ab8d. - Revert "Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t" This reverts commit a19eb1021cbd6c637344954cead54caae081e07c. - Allow stratis_t domain to request load modules Resolves: rhbz#1726259 - Allow stratisd to connect to dbus Resolves: rhbz#1726259 - Run stratisd service as stratisd_t Resolves: rhbz#1726259 - Add support for smart card authentication in cockpit BZ(1690444) Resolves: rhbz#1771414 - cockpit: Support split-out TLS proxy Resolves: rhbz#1771414 - cockpit: Allow cockpit-session to read cockpit-tls state Resolves: rhbz#1771414 - Update cockpit policy Resolves: rhbz#1771414 - cockpit: Support https instance factory Resolves: rhbz#1771414 - cockpit: Allow cockpit-session to read cockpit-tls state directory Resolves: rhbz#1771414 - Fix nonexisting types in rtas_errd_rw_lock interface Resolves: rhbz#1744234- Allow timedatex_t domain to read relatime clock and adjtime_t files Resolves: rhbz#1771513- Update timedatex policy to add macros Resolves: rhbz#1771513- Allow timedatex_t domain dbus chat with both confined and unconfined users Resolves: rhbz#1771513 - Fix typo bugs in rtas_errd_read_lock() interface Resolves: rhbz#1750096 - Allow timedatex_t domain to systemctl chronyd domains Resolves: rhbz#1771513 - Fix typo in dev_filetrans_all_named_dev() Resolves: rhbz#1750096- New policy for rrdcached Resolves: rhbz#1726255 - Update timedatex policy - Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if - Add new macro systemd_timedated_status to systemd.if to get timedated service status Resolves: rhbz#1730204 - Update lldpad_t policy module Resolves: rhbz#1726246 - Dontaudit sandbox web types to setattr lib_t dirs Resolves: rhbz#1739858 - Fix typo in cachefiles device Resolves: rhbz#1750096- Allow sssd_t domain to read gnome config and named cache files Resolves: rhbz#1743907 - Allow httpd_t to signull mailman_cgi_t process Resolves: rhbz#1686462 - Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files Resolves: rhbz#1758545 - Allow cachefilesd_t domain to read/write cachefiles_device_t devices Resolves: rhbz#1750096 - Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy Resolves: rhbz#1750096 - Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t Resolves:rhbz#1746511 - Label libvirt drivers as virtd_exec_t Resolves: rhbz#1745076 - Update apache and pkcs policies to make active opencryptoki rules Resolves: rhbz#1744198 - Introduce new bolean httpd_use_opencryptoki Resolves: rhbz#1744198 - Allow gssproxy_t domain read state of all processes on system Resolves: rhbz#1752031 - Dontaudit tmpreaper_t getting attributes from sysctl_type files Resolves: rhbz#1730204 - Added macro for timedatex to chat over dbus. Resolves: rhbz#1730204 - Run timedatex service as timedatex_t Resolves: rhbz#1730204 - Run lldpd service as lldpad_t. Resolves: rhbz#1726246 - Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald - Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t Resolves: rhbz#1765065 - Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files Resolves: rhbz#1744234 - Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command. Resolves: rhbz#1765065 - Update tmpreaper_t policy due to fuser command Resolves: rhbz#1765065 - Allow fail2ban_t domain to create netlink netfilter sockets. Resolves: rhbz#1766415 - Label /dev/cachefilesd as cachefiles_device_t Resolves: rhbz#1750096 - Label udp 8125 port as statsd_port_t Resolves: rhbz#1746511 - Allow systemd(init_t) to load kernel modules Resolves: rhbz#1758255 - Dontaudit sys_admin capability for auditd_t domains Resolves: rhbz#1669040 - Allow x_userdomain to dbus_chat with timedatex. Resolves: rhbz#1730204- Allow confined users to run newaliases Resolves:rhbz#1750405 - Add interface mysql_dontaudit_rw_db() Resolves: rhbz#1747926 - Label /var/lib/xfsdump/inventory as amanda_var_lib_t Resolves: rhbz#1739137 - Allow tmpreaper_t domain to read all domains state Resolves: rhbz#1765065 - Allow ipa_ods_exporter_t domain to read krb5_keytab files Resolves: rhbz#1759900 - Allow rhsmcertd_t domain to read rtas_errd lock files Resolves: rhbz#1744234 - Add new interface rtas_errd_read_lock() Resolves: rhbz#1744234 - Donaudit ifconfig_t domain to read/write mysqld_db_t files Resolves: rhbz#1747926- Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t Resolves: rhbz#1714984 - Dontaudit and disallow sys_admin capability for keepalived_t domain Resolves: rhbz#1729174 - Allow processes labeled as keepalived_t domain to get process group Resolves: rhbz#1746955- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files Resolves: rhbz#1756006 - Allow user domains to manage user session services Resolves: rhbz#1727887 - Allow staff and user users to get status of user systemd session Resolves: rhbz#1727887- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t. Resolves: rhbz#1750405 - Allow dlm_controld_t domain to read random device Resolves: rhbz#1752943 - Allow haproxy_t domain to read network state of system Resolves: rhbz#1746974 - Allow avahi_t to send msg to lpr_t Resolves: rhbz#1752843 - Create new type ipmievd_helper_t domain for loading kernel modules. Resolves: rhbz#1673804 - networkmanager: allow NetworkManager_t to create bluetooth_socket Resolves: rhbz#1747768 - Label /etc/named direcotory as named_conf_t Resolves: rhbz#1759505 - Update aide_t domain to allow this tool to analyze also /dev filesystem Resolves: rhbz#1758265 - Update zebra SELinux policy to make it work also with frr service Resolves: rhbz#1714984 - Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects. Resolves: rhbz#1711909 - Allow chronyc_t domain to append to all non_security files Resolves: rhbz#1696252 - Allow httpd_t domain to read/write named_cache_t files Resolves: rhbz#1690484 - Add new interface bind_rw_cache() Resolves: rhbz#1690484 - Label /var/run/mysql as mysqld_var_run_t Resolves: rhbz#1687867 - Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t. Resolves: rhbz#1612552 - Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types Resolves: rhbz#1647971 - Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces Resolves: rhbz#1663874 - Update gnome_dontaudit_read_config Resolves: rhbz#1663874 - Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports Resolves: rhbz#1687499 - Update keepalived policy Resolves: rhbz#1728332 - Add sys_admin capability for keepalived_t labeled processes Resolves: rhbz#1729174 - Fix abrt_upload_watch_t in abrt policy Resolves: rhbz#1737419 - Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label Resolves: rhbz#1737550 - Allow amanda_t to manage its var lib files and read random_device_t Resolves: rhbz#1739137 - Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983) Resolves: rhbz#1743684 - Allow pesign_t domain to read/write named cache files. Resolves: rhbz#1745429 - Allow login user type to use systemd user session Resolves: rhbz#1727887 - Allow avahi_t to send msg to xdm_t Resolves: rhbz#1755401 - Allow ldconfig_t domain to manage initrc_tmp_t objects Resolves: rhbz#1756006 - Add new interface init_write_initrc_tmp_pipes() - Add new interface init_manage_script_tmp_files() - Add new interface udev_getattr_rules_chr_files() - Run lvmdbusd service as lvm_t Resolves: rhbz#1726166 - Label 2618/tcp and 2618/udp as priority_e_com_port_t - Label 2616/tcp and 2616/udp as appswitch_emp_port_t - Label 2615/tcp and 2615/udp as firepower_port_t - Label 2610/tcp and 2610/udp as versa_tek_port_t - Label 2613/tcp and 2613/udp as smntubootstrap_port_t - Label 3784/tcp and 3784/udp as bfd_control_port_t - Allow systemd labeled as init_t domain to remount rootfs filesystem Resolves: rhbz#1698197 - Add interface files_remount_rootfs() - New interface files_append_non_security_files() - Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus Resolves: rhbz#1612552 - Update userdomains to pass correct parametes based on updates from cron_*_role interfaces Resolves: rhbz#1647971 - Dontaudit sys_admin capability for iptables_t SELinux domain Resolves: rhbz#1669040 - Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132) Resolves: rhbz#1671019 - Allow userdomains to dbus chat with policykit daemon Resolves: rhbz#1727902 - Allow ipsec_t domain to read/write named cache files Resolves: rhbz#1743777 - Add sys_admin capability for ipsec_t domain Resolves: rhbz#1753662- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces. - Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label Resolves: rhbz#1720639- Update cpucontrol_t SELinux policy Resolves: rhbz#1743930- Allow dlm_controld_t domain to transition to the lvm_t Resolves: rhbz#1732956- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t Resolves: rhbz#1669485 - Fix typo in networkmanager_append_log() interface Resolves: rhbz#1687460 - Update gpg policy to make ti working with confined users Resolves: rhbz#1640296- Allow audisp_remote_t domain to read kerberos keytab Resolves: rhbz#1740146- Dontaudit abrt_t domain to read root_t files Resolves: rhbz#1734403 - Allow ipa_dnskey_t domain to read kerberos keytab Resolves: rhbz#1730144 - Update ibacm_t policy - Allow dlm_controld_t domain setgid capability Resolves: rhbz#1738608 - Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp Resolves: rhbz#1740146 - Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs Resolves: rhbz#1670139- Allow cgdcbxd_t domain to list cgroup dirs Resolves: rhbz#1651991- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytab Resolves: rhbz#1730144 - Allow virtlockd process read virtlockd.conf file Resolves: rhbz#1733185 - Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t. Resolves: rhbz#1733185 - Allow brltty to request to load kernel module Resolves: rhbz#1689955 - Add svnserve_tmp_t label forl svnserve temp files to system private tmp Resolves: rhbz#1729955 - Dontaudit svirt_tcg_t domain to read process state of libvirt Resolves: rhbz#1732500 - Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool Resolves: rhbz#1732381 - Allow cyrus work with PrivateTmp Resolves: rhbz#1725023 - Make cgdcbxd_t domain working with SELinux enforcing. Resolves: rhbz#1651991 - Remove system_r role from staff_u user. Resolves: rhbz#1677052 - Add systemd_private_tmp_type attribute Resolves: rhbz#1725023 - Allow systemd to load kernel modules during boot process. Resolves: rhbz#1644805- Make working wireshark execute byt confined users staff_t and sysadm_t Resolves: rhbz#1712788 - Label user cron spool file with user_cron_spool_t Resolves: rhbz#1727342 - Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool Resolves: rhbz#1668667 - Update svnserve_t policy to make working svnserve hooks Resolves: rhbz#1729955 - Allow varnishlog_t domain to check for presence of varnishd_t domains Resolves: rhbz#1730270 - Allow lsmd_t domain to execute /usr/bin/debuginfo-install Resolves: rhbz#1720648 - Update sandboxX policy to make working firefox inside SELinux sandbox Resolves: rhbz#1663874 - Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services Resolves: rhbz#1695248 - Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices Resolves: rhbz#1690484 - Allow opafm_t domain to modify scheduling information of another process. Resolves: rhbz#1725874 - Allow gssd_t domain to list tmpfs_t dirs Resolves: rhbz#1674470 - Allow mdadm_t domain to read tmpfs_t files Resolves: rhbz#1669996 - Allow sbd_t domain to check presence of processes labeled as cluster_t Resolves: rhbz#1669595 - Dontaudit httpd_sys_script_t to read systemd unit files Resolves: rhbz#1670139 - Allow blkmapd_t domain to read nvme devices Resolves: rhbz#1669985 - Update cpucontrol_t domain to make working microcode service Resolves: rhbz#1669485 - Allow domain transition from logwatch_t do postfix_postqueue_t Resolves: rhbz#1669162 - Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test' Resolves: rhbz#1696252 - Allow httpd_sys_script_t domain to mmap httpdcontent Resolves: rhbz#1693137 - Allow sbd_t to manage cgroups_t files Resolves: rhbz#1715134 - Update wireshark policy to make working tshar labeled as wireshark_t Resolves: rhbz#1711005 - Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files Resolves: rhbz#1719083 - Allow sbd_t domain to use nsswitch Resolves: rhbz#1723498 - Allow sysadm_t and staff_t domains to read wireshark shared memory Resolves: rhbz#1712788 - Label /usr/libexec/utempter/utempter as utemper_exec_t Resolves: rhbz#1729571 - Allow unconfined_domain_type to setattr own process lnk files. Resolves: rhbz#1730500 - Add interface files_write_generic_pid_sockets() - Dontaudit writing to user home dirs by gnome-keyring-daemon Resolves: rhbz#1689797 - Allow staff and admin domains to setpcap in user namespace Resolves: rhbz#1673922 - Allow staff and sysadm to use lockdev Resolves: rhbz#1673269 - Allow staff and sysadm users to run iotop. Resolves: rhbz#1671241 - Dontaudit traceroute_t domain require sys_admin capability Resolves: rhbz#1671672 - Dontaudit dbus chat between kernel_t and init_t Resolves: rhbz#1669095 - Allow systemd labeled as init_t to create mountpoints without any specific label as default_t Resolves: rhbz#1696144- Fix minor changes to pass coverity scan Resolves: rhbz#1728578- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files - Label /var/kerberos/krb5 as krb5_keytab_t Resolves: rhbz#1669975 - Allow sbd_t domain to manage cgroup dirs Resolves: rhbz#1715134 - Allow wireshark_t domain to create netlink netfilter sockets Resolves: rhbz#1711005 - Allow gpg_agent_t domain to use nsswitch Resolves: rhbz#1567073 - Allow httpd script types to mmap httpd rw content Resolves: rhbz#1693137 - Allow confined users to login via cockpit Resolves: rhbz#1718814 - Replace "-" by "_" in speechdispatcher types names - Change condor_domain declaration in condor_systemctl - Update interface networkmanager_manage_pid_files() to allow manage also dirs Resolves: rhbz#1720070 - Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files Resolves: rhbz#1719083 - Fix all interfaces which cannot by compiled because of typos Resolves: rhbz#1687460 - Allow auditd_t domain to send signals to audisp_remote_t domain Resolves: rhbz#1726659 - Allow associate efivarfs_t on sysfs_t Resolves: rhbz#1709747 - Allow userdomain attribute to manage cockpit_ws_t stream sockets Resolves: rhbz#1718814 - Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes - Add interface ssh_agent_signal() - Dontaudit unpriv_userdomain to manage boot_t files Resolves: rhbz#1723773 - Allow crack_t domain read /et/passwd files Resolves: rhbz#1721132 - Allow dhcpc_t domain to manage network manager pid files Resolves: rhbz#1720070- Allow redis_t domain to read public sssd files Resolves: rhbz#1718200 - Label /usr/sbin/nft as iptables_exec_t Resolves: rhbz#1656891- Allow sbd_t domain to read tmpfs_t symlinks Resolves: rhbz#1715134- Allow kadmind_t domain to read home config data Resolves: rhbz#1664983 - Allow sbd_t domain to readwrite cgroups Resolves: rhbz#1715134 - Label /var/log/pacemaker/pacemaker as cluster_var_log_t Resolves: rhbz#1712058 - Allow certmonger_t domain to manage named cache files/dirs- Allow kadmind_t domain to read pkcs11 module configs Resolves: rhbz#1664983 - Allow kadmind_t domain to read named_cache_t files Resolves: rhbz#1703241 - Fix bind_read_cache() interface to allow only read perms to caller domains - Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets Resolves: rhbz#1711909 - Allow wireshark_t domain to create fifo temp files Resolves: rhbz#1711005 - Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t Resolves :rhbz#1656837 - Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files Resolves: rhbz#1648854 - Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t Resolves:rhbz#1688671 - Add dac_override capability to namespace_init_t domain Resolves: rhbz#1557420 - Label /usr/sbin/corosync-qdevice as cluster_exec_t Resolves: rhbz#1690925 - Label /usr/libexec/dnf-utils as debuginfo_exec_t Resolves: rhbz#1711183 - Allow rtkit_scheduled for sysadm Resolves: rhbz#1703241 - Fix find commands in Makefiles - Allow associate all filesystem_types with fs_t Resolves: rhbz#1614209 - Allow init_t to manage session_dbusd_tmp_t dirs Resolves: rhbz#1688671 - Allow systemd_gpt_generator_t to read/write to clearance Resolves: rhbz#1558573 - Allow su_domain_type to getattr to /dev/gpmctl Resolves: rhbz#1593667- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t Resolves :rhbz#1656837 - Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files Resolves: rhbz#1648854 - Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t Resolves:rhbz#1688671 - Add dac_override capability to namespace_init_t domain Resolves: rhbz#1557420 - Label /usr/sbin/corosync-qdevice as cluster_exec_t Resolves: rhbz#1690925 - Label /usr/libexec/dnf-utils as debuginfo_exec_t Resolves: rhbz#1711183 - Label /usr/bin/tshark as wireshark_exec_t Resolves: rhbz#1710962 - Allow rhsmcertd_t domain to read rpm cache files Resolves: rhbz#1641648 - Allow associate all filesystem_types with fs_t Resolves: rhbz#1614209 - Allow init_t to manage session_dbusd_tmp_t dirs Resolves: rhbz#1688671 - Allow systemd_gpt_generator_t to read/write to clearance Resolves: rhbz#1558573 - Allow su_domain_type to getattr to /dev/gpmctl Resolves: rhbz#1593667 - Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users Resolves: rhbz#1709372- Rebase with Fedora 30 package selinux-policy-3.14.3-34.fc30 Resolves: rhbz#1673107- Rebase with Fedora 30 package selinux-policy-3.14.3-31.fc30 Resolves: rhbz#1673107- Fix interface kernel_mounton_kernel_sysctl() Resolves: rhbz#1700222- Rebase with Fedora 30 package selinux-policy-3.14.3-28.fc30 Resolves: rhbz#1673107- Add dac_override capability for sbd_t SELinux domain Resolves: rhbz#1677325 - Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1676923- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1627861- Add dac_override capability to spamd_t domain Resolves: rhbz#1567073- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run Resolves: rhbz#1635674 - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs Resolves: rhbz#1664448 - Allow userdomain to stop systemd user session during logout. Resolves: rhbz#1664448- Allow read network state of system for processes labeled as ibacm_t Resolves: rhbz#1635674 - Allow ibacm_t domain to send dgram sockets to kernel processes Resolves: rhbz#1635674 - Allow virt_doamin to read/write dev device Resolves: rhbz#1672188 - Update ibacm_t policy after testing lastest version of this component Resolves: rhbz#1635674 - Allow sensord_t domain to mmap own log files Resolves:rhbz#1656055 - Label /dev/sev char device as sev_device_t Resolves: rhbz#1672188- Allow virt_doamin to read/write dev device Resolves: rhbz#1672188 - Update ibacm_t policy after testing lastest version of this component Resolves: rhbz#1635674 - Allow sensord_t domain to mmap own log files Resolves:rhbz#1656055 - Add dac_override capability for ipa_helper_t Resolves: rhbz#1668168 - Allow sensord_t domain to use nsswitch and execute shell Resolves: rhbz#1656055 - Allow opafm_t domain to execute lib_t files Resolves: rhbz#1627861 - Allow opafm_t domain to manage kdump_crash_t files and dirs Resolves: rhbz#1627861 - Label /dev/sev char device as sev_device_t Resolves: rhbz#1672188- Fix broken config files because of missing level specification in user_t contexts Resolves: rhbz#1664448- Allow sensord_t domain to use nsswitch and execute shell Resolves: rhbz#1656055 - Allow opafm_t domain to execute lib_t files Resolves: rhbz#1627861- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains Resolves: rhbz#1664448 - Allow systemd to read selinux logind config Resolves: rhbz#1664448 - Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions. - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u Resolves: rhbz#1664448- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions. Resolves: rhbz#1557301- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t Resolves: rhbz#1664345 - Create tangd_port_t with default label tcp/7406 Resolves: rhbz#1664345 - Remove tangd_t domain from permissive domains. Resolves: rhbz#1664345- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t Resolves: rhbz#1656055 - Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain. Resolves: rhbz#1630198 - Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets Resolves: rhbz#1557301 - Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain Resolves: rhbz#1630198- Update nslcd_t domain to allow view kernel and systemd keyrings Resolves: rhbz#1657916 - Allow arpwatch_t domains to execute shell BZ(1644568) - Allow processes labeled as ipa_otpd_t stream connect to sssd. - Add new SELinux domain pcp_plugin_t. Resolves: rhbz#1648386 - Remove all ganesha bits from gluster and rpc policy Resolves: rhbz#1639227 - Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t Resolves: rhbz#1656837 - Add dac_override capability to ssad_t domains Resolves: rhbz#1655551 - Allow pesign_t domain to read gnome home configs Resolves: rhbz#1644796 - Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t Resolves: rhbz#1656055 - Allow rngd_t domains read kernel state Resolves: rhbz#1656054 - Allow certmonger_t domains to read bind cache Resolves: rhbz#1655077 - Allow ypbind_t domain to stream connect to sssd Resolves: rhbz#1583953 - Allow rngd_t domain to setsched Resolves: rhbz#1653872 - Add interface init_view_key() - Allow systemd to mmap all pidfiles Resolves: rhbz#1622548 - Add files_map_all_pids() interface - Allow passwd_t domain mamange sssd public nad lib files, read pid files and send signals to sssd_t domains Resolves: rhbz#1657291 - Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t Resolves: rhbz#1639846 - Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t - Add sys_resource capability to the systemd_passwd_agent_t domain Resolves: rhbz#1590981 - Allow ipsec_t domains to read bind cache Resolves: rhbz#1654692 - kernel/files.fc: Label /run/motd as etc_t - Allow systemd to stream connect to userdomain processes Resolves: rhbz#1644733- Allow sanlock_t domain to read/write sysfs_t files Resolves: rhbz#1647594 - Add dac_override capability to postfix_local_t domain - Allow ypbind_t to search sssd_var_lib_t dirs - Allow virt_qemu_ga_t domain to write to user_tmp_t files - Allow systemd_logind_t to dbus chat with virt_qemu_ga_t - Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files - Label /var/lib/private/systemd/ as init_var_lib_t Resolves: rhbz#1649312 - Allow initrc_t domain to create new socket labeled as init_t - Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket. Resolves: rhbz#1639675 - Add tracefs_t type to mountpoint attribute Resolves: rhbz#1647819 - Allow useradd_t and groupadd_t domains to send signals to sssd_t Resolves: rhbz#1651531 - Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636) - Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils Resolves: rhbz#1651531- Update pesign policy to allow pesign_t domain to read bind cache files/dirs Resolves: rhbz#1644796 - Add dac_override capability to mdadm_t domain Resolves: rhbz#1599646 - Create ibacm_tmpfs_t type for the ibacm policy Resolves: rhbz#1581715 - Dontaudit capability sys_admin for dhcpd_t domain Resolves: rhbz#1635643 - Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts. Resolves: rhbz#1639181 - Allow abrt_t domain to mmap generic tmp_t files Resolves:rhbz#1644727 - Label /usr/sbin/wpa_cli as wpa_cli_exec_t Resolves: rhbz#1644899 - Allow sandbox_xserver_t domain write to user_tmp_t files Resolves:rhbz#1644315 - Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672) - Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766) - Add dac_override capability to postgrey_t domain BZ(1638954) - Allow thumb_t domain to execute own tmpfs files BZ(1643698) - Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063) - Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948) - Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints Resolves: rhbz#1644727 - Add interface files_map_generic_tmp_files() - Add dac_override capability to the syslogd_t domain Resolves: rhbz#1644373 - Create systemd_timedated_var_run_t label - Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202) - Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675) - kernel/files.fc: Label /run/motd.d(/.*)? as etc_t - Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)- Add dac_override capability to ftpd_t domain Resolves: rhbz#1641049 - Allow X display manager to check status and reload services which are part of x_domain attribute Resolves: rhbz#1641082- Allow gpg_t to create own tmpfs dirs and sockets - Allow rhsmcertd_t domain to relabel cert_t files - Add SELinux policy for kpatch Resolves: rhbz#1630198 - Allow nova_t domain to use pam - sysstat: grant sysstat_t the search_dir_perms set - Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786) - Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645) - Add interface cron_system_spool_entrypoint() - Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676) - Add interfaces for boltd SELinux module - Add dac_override capability to modemmanager_t domain BZ(1636608) - Add interface miscfiles_relabel_generic_cert() - Make kpatch policy active - Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs - Dontaudit sys_admin capability for netutils_t domain - Label tcp and udp ports 2611 as qpasa_agent_port_t - Allow systemd to mount boltd_var_run_t dirs BZ(1636823) - Label correctly /var/named/chroot*/dev/unrandom in bind chroot.- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros Resolves: rhbz#1633198 - Allow boltd_t to read fwupd_t processes state - Turn named_write_master_zones boolean on by default. Resolves: rhbz#1633158 - Label /etc/rhsm as rhsmcertd_config_t Resolves: rhbz#1636212 - Allow httpd_t domain to write to httpd_config_t dirs if httpd_run_ipa boolean is turned on Resolves: rhbz#1624930 - Allow dhcpd_t domain to mmap dhcpd_state_t files Resolves: rhbz#1635643 - Allow abrt_t domain to manage usr_t dirs Resolves: rhbz#1619001 - Allow certmonger_t domain to manage cockpit pid files Resolves: rhbz#1629685 - Update opafm_t domain after basic testing this service Resolves: rhbz#1627861 - Allow systemd-tty-ask to ask for password of encrypted partions during boot Resolves: rhbz#1638666 - Update sysnet_read_dhcp_config interface to allow caller domain also mmap dhcp_etc_t files - Add interface files_manage_usr_dirs()- Allow ibacm_t domain to read/write to infiniband devices Allow ibacm_t domain to getattr tmpfs_t filesystem. Resolves: rhbz#1635674 - Update SELinux policy for libreswan based on the latest rebase 3.26 Resolves: rhbz#1637089- Allow cockpit to create motd file in /var/run/cockpit Resolves: rhbz#1629678 - Allow cockpit_t domain to read systemd state Resolves: rhbz#1629588- Tomcat should not be unconfined domain - Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t - Add interface apcupsd_read_power_files() - Allow systemd labeled as init_t to execute logrotate in logrotate_t domain - Allow dac_override capability to amanda_t domain - Allow geoclue_t domain to get attributes of fs_t filesystems - Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client Resolves: rhbz#1629678 Resolves: rhbz#1629685 Resolves: rhbz#1626100 Resolves: rhbz#1629588 Resolves: rhbz#1630317- Tomcat should not be unconfined domain - Allow cockpit_t domain to read systemd state - Allow abrt_t domain to write to usr_t files - Allow cockpit to create motd file in /var/run/cockpit - Label /usr/sbin/pcsd as cluster_exec_t - Allow pesign_t domain to getattr all fs - Allow tomcat servers to manage usr_t files - Dontaudit tomcat serves to append to /dev/random device - Allow dirsrvadmin_script_t domain to read httpd tmp files - Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs - Revert "Allow firewalld_t domain to read random device" - Allow postfix domains to mmap system db files - Allow geoclue_t domain to execute own tmp files - Allow virt_qemu_ga_t domain to read network state BZ(1592145) - Update ibacm_read_pid_files interface to allow also reading link files - Allow zebra_t domain to create packet_sockets - Allow opafm_t domain to list sysfs - Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t - Add boolean: domain_can_mmap_files. - Allow sshd_t domain to read cockpit pid files - Allow syslogd_t domain to manage cert_t files - Allow getattr as part of files_mounton_kernel_symbol_table. - Fix typo "aduit" -> "audit" - Revert "Add new interface dev_map_userio()" - Add new interface dev_map_userio() - Allow systemd to read ibacm pid files Resolves: rhbz#1615318 Resolves: rhbz#1619001 Resolves: rhbz#1627646- Merge remote-tracking branch 'fedora-contrib/f28' into rhel8.0-contrib - Tomcat should not be unconfined domain - Update ibacm_read_pid_files interface to allow also reading link files - Allow zebra_t domain to create packet_sockets - Allow opafm_t domain to list sysfs - Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t - Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs. - Allow chronyd_t domain to read virt_var_lib_t files - Allow tomcat services create link file in /tmp - Label /etc/shorewall6 as shorewall_etc_t - Allow winbind_t domain kill in user namespaces - Allow firewalld_t domain to read random device - Allow abrt_t domain to do execmem - Allow geoclue_t domain to execute own var_lib_t files - Allow openfortivpn_t domain to read system network state - Allow dnsmasq_t domain to read networkmanager lib files - sssd: Allow to limit capabilities using libcap - sssd: Remove unnecessary capability - sssd: Do not audit usage of lib nss_systemd.so - Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file - Add correct namespace_init_exec_t context to /etc/security/namespace.d/* - Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files - Allow exim_t domain to mmap bin files - Allow mysqld_t domain to executed with nnp transition - Allow svirt_t domain to mmap svirt_image_t block files - Add caps dac_read_search and dav_override to pesign_t domain - Allow iscsid_t domain to mmap userio chr files - Merge remote-tracking branch 'fedora-base/f28' into rhel8.0-base - Revert "Add new interface dev_map_userio()" - Add new interface dev_map_userio() - Allow systemd to read ibacm pid files - Allow systemd to create symlinks in for /var/lib - Add comment to show that template call also allows changing shells - Document userdom_change_password_template() behaviour - Merge remote-tracking branch 'fedora-base/f28' into rhel8.0-base - update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file - Fix typo in logging SELinux module - Allow usertype to mmap user_tmp_type files - In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue - Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern" - Add boolean: domain_can_mmap_files. - Allow ipsec_t domian to mmap own tmp files - Add .gitignore file - Add execute_no_trans permission to mmap_exec_file_perms pattern - Allow sudodomain to search caller domain proc info - Allow audisp_remote_t domain to read auditd_etc_t - netlabel: Remove unnecessary sssd nsswitch related macros - Allow to use sss module in auth_use_nsswitch - Limit communication with init_t over dbus - Add actual modules.conf to the git repo - Add few interfaces to optional block - Allow sysadm_t and staff_t domain to manage systemd unit files - Add interface dev_map_userio_dev() Resolves: rhbz#1623411 Resolves: rhbz#1624648 Resolves: rhbz#1596618 Resolves: rhbz#1574878 Resolves: rhbz#1577324 Resolves: rhbz#1625202 Resolves: rhbz#1581715 Resolves: rhbz#1625127- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket Resolves: rhbz#1621142 - Add interface devicekit_mounton_var_lib() - Allow httpd_t domain to mmap tmp files - Allow tcsd_t domain to have dac_override capability - Allow cupsd_t to rename cupsd_etc_t files - Allow iptables_t domain to create rawip sockets - Allow amanda_t domain to mmap own tmpfs files - Allow fcoemon_t domain to write to sysfs_t dirs - Allow dovecot_auth_t domain to have dac_override capability - Allow geoclue_t domain to mmap own tmp files - Allow chronyc_t domain to read network state - Allow apcupsd_t domain to execute itself - Allow modemmanager_t domain to stream connect to sssd - Allow chonyc_t domain to rw userdomain pipes - Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files - Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks - Allow nagios_script_t domain to mmap nagios_spool_t files - Allow geoclue_t domain to mmap geoclue_var_lib_t files - Allow geoclue_t domain to map generic certs - Update munin_manage_var_lib_files to allow manage also dirs - Allow nsd_t domain to create new socket file in /var/run/nsd.ctl - Fix typo in virt SELinux policy module - Allow virtd_t domain to create netlink_socket - Allow rpm_t domain to write to audit - Allow nagios_script_t domain to mmap nagios_etc_t files - Update nscd_socket_use() to allow caller domain to stream connect to nscd_t - Allow kdumpctl_t domain to getattr fixed disk device in mls - Fix typo in stapserver policy - Dontaudit abrt_t domain to write to usr_t dirs - Revert "Allow rpcbind to bind on all unreserved udp ports" - Allow rpcbind to bind on all unreserved udp ports - Allow virtlogd to execute itself - Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files - Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs - Allos systemd to socket activate ibacm service - Allow dirsrv_t domain to mmap user_t files - Allow dhcpc_t domain to read /dev/random - Allow systemd to mounton device_var_lib_t dirs - Allow systemd to mounton kernel system table - Label also chr_file /dev/mtd.* devices as fixed_disk_device_t - Allow syslogd_t domain to create netlink generic sockets - Label /dev/tpmrm[0-9]* as tpm_device_t - Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t - Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl - Allow insmod_t domain to read iptables pid files - Allow systemd to mounton /etc - Allow initrc_domain to mmap all binaries labeled as systemprocess_entry - Allow xserver_t domain to start using systemd socket activation - Tweak SELinux policy for systemd to allow DynamicUsers systemd feature - Associate several proc labels to fs_t - Update init_named_socket_activation() interface to allow systemd also create link files in /var/run- Dontaudit abrt_t domain to write to usr_t dirs - Revert "Allow rpcbind to bind on all unreserved udp ports" - Allow rpcbind to bind on all unreserved udp ports - Allow virtlogd to execute itself - Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files - Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs - Allos systemd to socket activate ibacm service - Allow dirsrv_t domain to mmap user_t files - Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files - Allow kdumpctl to write to files on all levels - Allow httpd_t domain to mmap httpd_config_t files - Allow sanlock_t domain to connectto to unix_stream_socket - Revert "Add same context for symlink as binary" - Allow mysql execute rsync - Update nfsd_t policy because of ganesha features - Allow conman to getattr devpts_t - Allow tomcat_domain to connect to smtp ports - Allow tomcat_t domain to mmap tomcat_var_lib_t files - Allow nagios_t domain to mmap nagios_log_t files - Allow kpropd_t domain to mmap krb5kdc_principal_t files - Allow kdumpctl_t domain to read fixed disk storage - Allow xserver_t domain to start using systemd socket activation - Tweak SELinux policy for systemd to allow DynamicUsers systemd feature - Associate several proc labels to fs_t - Update init_named_socket_activation() interface to allow systemd also create link files in /var/run - Fix typo in syslogd policy - Update syslogd policy to make working elasticsearch - Label tcp and udp ports 9200 as wap_wsp_port - Allow few domains to rw inherited kdumpctl tmp pipes- Add missing tarball from sources Resolves: rhbz#1615312- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot Resolves: rhbz#1615312- Fix issue with aliases in apache interface file Resolves: rhbz#1596618 - Add same context for symlink as binary - Allow boltd_t to send logs to journal - Allow colord_use_nfs to allow colord also mmap nfs_t files - Allow mysqld_safe_t do execute itself - Allow smbd_t domain to chat via dbus with avahi daemon - cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t - Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain - Add alias httpd__script_t to _script_t to make sepolicy generate working - Allow gpg_t domain to mmap gpg_agent_tmp_t files - Allow kprop_t domain to read network state - Add support boltd policy - Allow kpropd domain to exec itself - Allow pdns_t to bind on tcp transproxy port - Add support for opafm service - Allow hsqldb_t domain to read cgroup files - Allow rngd_t domain to read generic certs - Allow innd_t domain to mmap own var_lib_t files - Update screen_role_temaplate interface - Allow chronyd_t domain to mmap own tmpfs files - Allow chronyd_t domain to mmap own tmpfs files - label /var/lib/pgsql/data/log as postgresql_log_t - Allow sysadm_t domain to accept socket - Allow systemd to manage passwd_file_t - Allow sshd_t domain to mmap user_tmp_t files - Allow systemd to mounont boltd lib dirs - Allow sysadm_t domain to create rawip sockets - Allow sysadm_t domain to listen on socket - Update sudo_role_template() to allow caller domain also setattr generic ptys- Allow sblim_sfcbd_t domain to mmap own tmpfs files - Allow nfsd_t domain to read krb5 keytab files - Allow nfsd_t domain to manage fadm pid files - Allow virt_domain to create icmp sockets BZ(1609142) - Dontaudit oracleasm_t domain to request sys_admin capability - Update logging_manage_all_logs() interface to allow caller domain map all logfiles- Allow aide to mmap all files - Revert "Allow firewalld_t do read iptables_var_run_t files" - Revert "Allow firewalld to create rawip sockets" - Allow svirt_tcg_t domain to read system state of virtd_t domains - Update rhcs contexts to reflects the latest fenced changes - Allow httpd_t domain to rw user_tmp_t files - Fix typo in openct policy - Allow winbind_t domian to connect to all ephemeral ports - Allow firewalld_t do read iptables_var_run_t files - Allow abrt_t domain to mmap data_home files - Allow glusterd_t domain to mmap user_tmp_t files - Allow mongodb_t domain to mmap own var_lib_t files - Allow firewalld to read kernel usermodehelper state - Allow modemmanager_t to read sssd public files - Allow openct_t domain to mmap own var_run_t files - Allow nnp transition for devicekit daemons - Allow firewalld to create rawip sockets - Allow firewalld to getattr proc filesystem - Dontaudit sys_admin capability for pcscd_t domain - Revert "Allow pcsd_t domain sys_admin capability" - Allow fetchmail_t domain to stream connect to sssd - Allow pcsd_t domain sys_admin capability - Allow cupsd_t to create cupsd_etc_t dirs - Allow varnishlog_t domain to list varnishd_var_lib_t dirs - Allow mongodb_t domain to read system network state BZ(1599230) - Allow zoneminder_t to getattr of fs_t - Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377) - Allow iscsid_t domain to mmap sysfs_t files - Allow httpd_t domain to mmap own cache files - Add sys_resource capability to nslcd_t domain - Fixed typo in logging_audisp_domain interface - Add interface files_mmap_all_files() - Add interface iptables_read_var_run() - Allow systemd to mounton init_var_run_t files - Update policy rules for auditd_t based on changes in audit version 3 - Allow systemd_tmpfiles_t do mmap system db files - Don't setup unlabeled_t as an entry_type - Allow unconfined_service_t to transition to container_runtime_t - Improve domain_transition_pattern to allow mmap entrypoint bin file.- Allow cupsd_t domain to mmap cupsd_etc_t files - Allow kadmind_t domain to mmap krb5kdc_principal_t - Allow virtlogd_t domain to read virt_etc_t link files - Allow dirsrv_t domain to read crack db - Dontaudit pegasus_t to require sys_admin capability - Allow mysqld_t domain to exec mysqld_exec_t binary files - Allow abrt_t odmain to read rhsmcertd lib files - Allow winbind_t domain to request kernel module loads - Allow tomcat_domain to read cgroup_t files - Allow varnishlog_t domain to mmap varnishd_var_lib_t files - Allow innd_t domain to mmap news_spool_t files - Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t - Allow fenced_t domain to reboot - Allow amanda_t domain to read network system state - Allow abrt_t domain to read rhsmcertd logs - Fix typo in radius policy - Update zoneminder policy to reflect latest features in zoneminder BZ(1592555) - Label /usr/bin/esmtp-wrapper as sendmail_exec_t - Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files - Dontaudit thumb to read mmap_min_addr - Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904) - Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443) - Allow collectd_t domain to use ecryptfs files BZ(1592640) - Dontaudit mmap home type files for abrt_t domain - Allow fprintd_t domain creating own tmp files BZ(1590686) - Allow collectd_t domain to bind on bacula_port_t BZ(1590830) - Allow fail2ban_t domain to getpgid BZ(1591421) - Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808) - Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap - Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458) - Allow radiusd_t domain to mmap radius_etc_rw_t files - Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729) - Add dac_read_search capability to thumb_t domain - Add dac_override capability to cups_pdf_t domain BZ(1594271) - Add net_admin capability to connntrackd_t domain BZ(1594221) - Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234) - Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476) - Allow motion_t to mmap video devices BZ(1590446) - Add dac_override capability to mpd_t domain BZ(1585358) - Allow fsdaemon_t domain to write to mta home files BZ(1588212) - Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337) - Allow sssd_t domain to write to general cert files BZ(1589339) - Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483) - Allow cockpit_session_t to read kernel network state BZ(1596941) - Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817) - Allows systemd to get attribues of core kernel interface BZ(1596928) - Dontaudit syslogd to watching top llevel dirs when imfile module is enabled - Revert "Allow unconfined and sysadm users to use bpftool BZ(1591440)" - Allow userdomain sudo domains to use generic ptys - Allow systemd labeled as init_t to get sysvipc info BZ(1600877) - Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690) - Remove duplicated userdom_delete_user_home_content_files - Add systemd_dbus_chat_resolved interface - Allow load_policy_t domain to read/write to systemd sockets BZ(1582812) - Add new interface init_prog_run_bpf() - Allow unconfined and sysadm users to use bpftool BZ(1591440) - Label /run/cockpit/motd as etc_t BZ(1584167) - Allow systemd_machined_t domain to sendto syslogd_t over unix dgram sockets - Add interface userdom_dontaudit_mmap_user_home_content_files() - Allow systemd to listen bluetooth sockets BZ(1592223) - Allow systemd to remove user_home_t files BZ(1418463) - Allow xdm_t domain to mmap and read cert_t files BZ(1553761) - Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655) - Allow systemd to delete user temp files BZ(1595189) - Allow systemd to mounton core kernel interface - Add dac_override capability to ipsec_t domain BZ(1589534) - Allow systemd domain to mmap lvm config files BZ(1594584) - Allow systemd to write systemd_logind_inhibit_var_run_t fifo files - Allow systemd_modules_load_t to access unabeled infiniband pkeys- Add ibacm policy - Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t - Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t - Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services - Allow crond_t domain to create netlink selinux sockets and dac_override cap. - Allow radiusd_t domain to have dac_override capability - Allow amanda_t domain to have setgid capability - Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary - Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label - Allow abrt_t domain to write to rhsmcertd pid files - Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control - Add vhostmd_t domain to read/write to svirt images - Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files - Allow sssd_t and slpad_t domains to mmap generic certs - Allow chronyc_t domain use inherited user ttys - Allow stapserver_t domain to mmap own tmp files - Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain - Merge pull request #60 from vmojzis/rawhide - Allow tangd_t domain stream connect to sssd - Allow oddjob_t domain to chat with systemd via dbus - Allow freeipmi domains to mmap sysfs files - Fix typo in logwatch interface file - Allow spamd_t to manage logwatch_cache_t files/dirs - Allow dnsmasw_t domain to create own tmp files and manage mnt files - Allow fail2ban_client_t to inherit rlimit information from parent process - Allow nscd_t to read kernel sysctls - Label /var/log/conman.d as conman_log_t - Add dac_override capability to tor_t domain - Allow certmonger_t to readwrite to user_tmp_t dirs - Allow abrt_upload_watch_t domain to read general certs - Allow chornyd_t read phc2sys_t shared memory - Add several allow rules for pesign policy: - Add setgid and setuid capabilities to mysqlfd_safe_t domain - Add tomcat_can_network_connect_db boolean - Update virt_use_sanlock() boolean to read sanlock state - Add sanlock_read_state() interface - Allow zoneminder_t to getattr of fs_t - Allow rhsmcertd_t domain to send signull to postgresql_t domain - Add log file type to collectd and allow corresponding access - Allow policykit_t domain to dbus chat with dhcpc_t - Adding new boolean keepalived_connect_any() - Allow amanda to create own amanda_tmpfs_t files - Allow gdomap_t domain to connect to qdomap_port_t - /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type - Allow ntop_t domain to create/map various sockets/files. - Enable the dictd to communicate via D-bus. - Allow inetd_child process to chat via dbus with abrt - Allow zabbix_agent_t domain to connect to redis_port_t - Allow rhsmcertd_t domain to read xenfs_t files - Allow zabbix_agent_t to run zabbix scripts - Fix openvswith SELinux module - Fix wrong path in tlp context file BZ(1586329) - Update brltty SELinux module - Allow rabbitmq_t domain to create own tmp files/dirs - Allow policykit_t mmap policykit_auth_exec_t files - Allow ipmievd_t domain to read general certs - Add sys_ptrace capability to pcp_pmie_t domain - Allow squid domain to exec ldconfig - Update gpg SELinux policy module - Allow mailman_domain to read system network state - Allow openvswitch_t domain to read neutron state and read/write fixed disk devices - Allow antivirus_domain to read all domain system state - Allow targetd_t domain to red gconf_home_t files/dirs - Label /usr/libexec/bluetooth/obexd as obexd_exec_t - Allow init_t domain to create netlink rdma sockets for ibacm policy - Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files - Allow lvm_t domain to write files to all mls levels - Add to su_role_template allow rule for creating netlink_selinux sockets - Allow sysadm_t domain to mmap hwdb db - Allow udev_t domain to mmap kernel modules - Allow sysadm_screen_t to have capability dac_override and chown - Allow sysadm_t domain to mmap journal - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Label /etc/systemd/system.control/ dir as systemd_unit_file_t - Merge pull request #215 from bachradsusi/merge-conf-from-fedora - Allow sysadm_t and staff_t domains to use sudo io logging - Allow sysadm_t domain create sctp sockets - Add snapperd_contexts to the policy - Use system_u:system_r:unconfined_t:s0 in userhelper_context - Remove unneeded system_u seusers mapping. - Fedora targeted default user is unconfined_u, root is unconfined_u as well - Update config to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users. - Change failsafe_context to unconfined_r:unconfined_t:s0 - Update lxc_contexts from Fedora config.tgz - Add lxc_contexts config file - Allow traceroute_t domain to exec bin_t binaries - Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override - Add new interface dev_map_sysfs() - Allow sshd_keygen_t to execute plymouthd - Allow systemd_networkd_t create and relabel tun sockets - Add new interface postgresql_signull() - Merge pull request #214 from wrabcak/fb-dhcpc - Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971) - Allow confined users get AFS tokens - Allow sysadm_t domain to chat via dbus - Associate sysctl_kernel_t type with filesystem attribute- Fix typos in zabbix.te file - Add missing requires - Allow tomcat domain sends email - Fix typo in sge policy - Allow certmonger to sends emails - Allow tomcat_t do mmap tomcat_tmp_t files - Improve sge_rw_tcp_sockets interface - Adding new interface: sge_rw_tcp_sockets() - Update sge_execd_t domain with few rules - Add new zabbix_run_sudo boolean - Allow virtual machines to manage cephfs filesystems. - Allow rhsmcertd_t domain to read sssd public files and stream connect to sssd - Add dac_override capability to sendmail_t domain - Fix typo in netutils.te file - Update traceroute_t domain to allow create dccp sockets - Update ssh_keysign policy - Allow sshd_t domain to read/write sge tcp sockets- Update ctdb domain to support gNFS setup - Allow authconfig_t dbus chat with policykit - Allow lircd_t domain to read system state - Revert "Allow fsdaemon_t do send emails BZ(1582701)" - Typo in uuidd policy - Allow tangd_t domain read certs - Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107) - Allow vpnc_t domain to read generic certs BZ(1583100) - Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811) - Allow NetworkManager_ssh_t domain to be system dbud client - Allow virt_qemu_ga_t read utmp - Add capability dac_override to system_mail_t domain - Update uuidd policy to reflect last changes from base branch - Add cap dac_override to procmail_t domain - Allow sendmail to mmap etc_aliases_t files BZ(1578569) - Add new interface dbus_read_pid_sock_files() - Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled - Allow fsdaemon_t do send emails BZ(1582701) - Allow firewalld_t domain to request kernel module BZ(1573501) - Allow chronyd_t domain to send send msg via dgram socket BZ(1584757) - Add sys_admin capability to fprint_t SELinux domain - Allow cyrus_t domain to create own files under /var/run BZ(1582885) - Allow cachefiles_kernel_t domain to have capability dac_override - Update policy for ypserv_t domain - Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t - Allow cyrus to have dac_override capability - Dontaudit action when abrt-hook-ccpp is writing to nscd sockets - Fix homedir polyinstantion under mls - Fixed typo in init.if file - Allow systemd to remove generic tmpt files BZ(1583144) - Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation - Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075) - Fix typo in authlogin SELinux security module - Allod nsswitch_domain attribute to be system dbusd client BZ(1584632) - Allow audisp_t domain to mmap audisp_exec_t binary - Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file - Label tcp/udp ports 2612 as qpasa_agetn_port_t- Add dac_override to exim policy BZ(1574303) - Fix typo in conntrackd.fc file - Allow sssd_t to kill sssd_selinux_manager_t - Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on - Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp - Allow policykit_auth_t to read udev db files BZ(1574419) - Allow varnishd_t do be dbus client BZ(1582251) - Allow cyrus_t domain to mmap own pid files BZ(1582183) - Allow user_mail_t domain to mmap etc_aliases_t files - Allow gkeyringd domains to run ssh agents - Allow gpg_pinentry_t domain read ssh state - Allow gpg_agent_t to send msgs to syslog/journal - Add dac_override capability to dovecot_t domain - Allow nscd_t domain to mmap system_db_t files - Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files - Allow mailman_mail_t domain to search for apache configs - Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets. - Improve procmail_domtrans() to allow mmaping procmail_exec_t - Allow ptrace arbitrary processes - Allow jabberd_router_t domain read kerberos keytabs BZ(1573945) - Allow certmonger to geattr of filesystems BZ(1578755) - Allow hypervvssd_t domain to read fixed disk devices - Allow several domains to manage ecryptfs_t filesystem - Allow userdom_use_user_ttys for loadkeys_t domain - Add dac_override capability to cachefiles_kernel_t domain - Allow blueman to execute ldconfig BZ(1577581) - Allow gpg_pinentry_t domain to read state of gpg_t processes - Add dac_override capability to cgconfig_t domain BZ(1574649) - Add dac_override to glusterd_t domain BZ(1578501) - Allow fsdaemon_t to create own fsdaemon_var_lib_t dirs BZ(1569724) - Allow plymouth_t domain to read/write systemd sockets BZ(1578882) - Allow use of U2F Yubikey as authentication for a sudo command BZ(1578915) - Append map permission to apache_read_modules() interface - Allow certwatch_t domain to getattr of extended attributes fs_t filesystem - Add new interface: dirsrv_noatsecure() - Add dac_override capability to remote_login_t domain - Allow chrome_sandbox_t to mmap tmp files - Update ulogd SELinux security policy - Allow sysadm_u use xdm - Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495) - Add interface ssh_read_state() - Fix typo in sysnetwork.if file - Update dev_map_xserver_misc interface to allo mmaping char devices instead of files - Allow noatsecure permission for all domain transitions from systemd. - Allow systemd to read tangd db files - Fix typo in ssh.if file - Allow xdm_t domain to mmap xserver_misc_device_t files - Allow xdm_t domain to execute systemd-coredump binary - Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set - Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries - Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary - Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries - Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries. - Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface - Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used - Associate sysctl_vm_overcommit_t with fs_t - Allow systemd creating bluetooth sockets - Allow ssh client to read network sysctl BZ(1574170) - Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files - Allow sysadm user to sys_ptrace cap_userns - Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label. - Allow ssh client to read network state BZ(1574174) - Allow ssh basic client to read/write to tun tap devices BZ(1574184) - Allow ssh basic client to create tun sockets BZ(1574186) - Disable secure mode environment cleansing for dirsrv_t- Disable secure mode environment cleansing for dirsrv_t - - Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.- Add dac_override capability to remote_login_t domain - Allow chrome_sandbox_t to mmap tmp files - Update ulogd SELinux security policy - Allow rhsmcertd_t domain send signull to apache processes - Allow systemd socket activation for modemmanager - Allow geoclue to dbus chat with systemd - Fix file contexts on conntrackd policy - Temporary fix for varnish and apache adding capability for DAC_OVERRIDE - Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets - Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t - Allow nscd_t domain to be system dbusd client - Allow abrt_t domain to read sysctl - Add dac_read_search capability for tangd - Allow systemd socket activation for rshd domain - Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t - Allow kdump_t domain to map /boot files - Allow conntrackd_t domain to send msgs to syslog - Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t - Allow swnserve_t domain to stream connect to sasl domain - Allow smbcontrol_t to create dirs with samba_var_t label - Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760) - Allow tangd to read public sssd files BZ(1509054) - Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212) - Allow ctdb_t domain modify ctdb_exec_t files - Allow firewalld_t domain to create netlink_netfilter sockets - Allow radiusd_t domain to read network sysctls - Allow pegasus_t domain to mount tracefs_t filesystem - Allow psad_t domain to read all domains state - Allow tomcat_t domain to connect to mongod_t tcp port - Allow dovecot and postfix to connect to systemd stream sockets - Make nmbd_t domain dbus system client BZ(1569856) - Merge pull request #55 from SISheogorath/fix/tlp-policy - Merge pull request #54 from tmzullinger/rawhide - Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro BZ(1566168) - Allow gssproxy_t domain to read gssd_t state BZ(1572945) - Allow create systemd to mount pid files - Add files_map_boot_files() interface - Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760) - Fix typo xserver SELinux module - Allow systemd to mmap files with var_log_t label - Allow x_userdomains read/write to xserver session - Allow users staff and sysadm to run wireshark on own domain - Fix typos s/xserver/xdm/ for allow creating xserver misc devices - Allow systemd-bootchart to create own tmpfs files - Merge pull request #213 from tmzullinger/rawhide - Allow xdm_t domain to install Nouveau drivers BZ(1570996)- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)- Allow dnssec_trigger_t domain to read system network state BZ(1570205) - Add dac_override capability to mailman_mail_t domain - Add dac_override capability to radvd_t domain - Update openvswitch policy - Add dac_override capability to oddjob_homedir_t domain - Allow slapd_t domain to mmap slapd_var_run_t files - Rename tang policy to tangd - Allow virtd_t domain to relabel virt_var_lib_t files - Allow logrotate_t domain to stop services via systemd - Add tang policy - Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t - Allow snapperd_t daemon to create unlabeled dirs. - Make httpd_var_run_t mountpoint - Allow hsqldb_t domain to mmap own temp files - We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence - Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP - Add new Boolean tomcat_use_execmem - Allow nfsd_t domain to read/write sysctl fs files - Allow conman to read system state - Allow brltty_t domain to be dbusd system client - Allow zebra_t domain to bind on babel udp port - Allow freeipmi domain to read sysfs_t files - Allow targetd_t domain mmap lvm config files - Allow abrt_t domain to manage kdump crash files - gnome_data_filetrans macro should be in optional block - Allow netutils_t domain to create bluetooth sockets - Allow traceroute to bind on generic sctp node - Allow traceroute to search network sysctls - Allow systemd to use virtio console - Label /dev/op_panel and /dev/opal-prd as opal_device_t - Label /run/ebtables.lock as iptables_var_run_t - Allow udev_t domain to manage udev_rules_t char files. - Assign babel_port_t label to udp port 6696 - Add new interface lvm_map_config - Merge pull request #212 from stlaz/patch-1 - Allow local_login_t reads of udev_var_run_t context- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706) - Allow l2tpd domain to stream connect to sssd BZ(1568160) - Dontaudit abrt_t to write to lib_t dirs BZ(1566784) - Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)- Allow certwatch to manage cert files BZ(1561418) - Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748) - Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files - Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851) - Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096) - Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on. - Allow pppd_t domain creating pppox sockets BZ(1566271) - Allow abrt to map var_lib_t files - Allow chronyc to read system state BZ(1565217) - Allow keepalived_t domain to chat with systemd via dbus - Allow git to mmap git_(sys|user)_content_t files BZ(1518027) - removed boinc dev_getattr_*_dev - Allow iptables_t domain to create dirs in etc_t with system_conf_t labels - Allow x userdomain to mmap xserver_tmpfs_t files - Allow sysadm_t to mount tracefs_t - Allow unconfined user all perms under bpf class BZ(1565738) - Allow SELinux users (except guest and xguest) to using bluetooth sockets - Add new interface files_map_var_lib_files() - Allow user_t and staff_t domains create netlink tcpdiag sockets - Allow systemd-networkd to read sysctl_t files - Allow systemd_networkd_t to read/write tun tap devices - refpolicy: Update for kernel sctp support- Add new boolean redis_enable_notify() - Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t - Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/ - Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab - Add dac_override and dac_read_search capability to hypervvssd_t domain - Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t - Allow samba to create /tmp/host_0 as krb5_host_rcache_t - Add dac_override capability to fsdaemon_t BZ(1564143) - Allow abrt_t domain to map dos files BZ(1564193) - Add dac_override capability to automount_t domain - Allow keepalived_t domain to connect to system dbus bus - Allow nfsd_t to read nvme block devices BZ(1562554) - Allow lircd_t domain to execute bin_t files BZ(1562835) - Allow l2tpd_t domain to read sssd public files BZ(1563355) - Allow logrotate_t domain to do dac_override BZ(1539327) - Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t - Add capability sys_resource to systemd_sysctl_t domain - Label all /dev/rbd* devices as fixed_disk_device_t - Allow xdm_t domain to mmap xserver_log_t files BZ(1564469) - Allow local_login_t domain to rread udev db - Allow systemd_gpt_generator_t to read /dev/random device - add definition of bpf class and systemd perms- Allow accountsd_t domain to dac override BZ(1561304) - Allow cockpit_ws_t domain to read system state BZ(1561053) - Allow postfix_map_t domain to use inherited user ptys BZ(1561295) - Allow abrt_dump_oops_t domain dac override BZ(1561467) - Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755) - Allow crontab domains to do dac override - Allow snapperd_t domain to unmount fs_t filesystems - Allow pcp processes to read fixed_disk devices BZ(1560816) - Allow unconfined and confined users to use dccp sockets - Allow systemd to manage bpf dirs/files - Allow traceroute_t to create dccp_socketsFedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531)- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795) - Allow nagios to exec itself and mmap nagios spool files BZ(1559683) - Allow nagios to mmap nagios config files BZ(1559683) - Fixing Ganesha module - Fix typo in NetworkManager module - Fix bug in gssproxy SELinux module - Allow abrt_t domain to mmap container_file_t files BZ(1525573) - Allow networkmanager to be run ssh client BZ(1558441) - Allow pcp domains to do dc override BZ(1557913) - Dontaudit pcp_pmie_t to reaquest lost kernel module - Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955) - Allow httpd_t to read httpd_log_t dirs BZ(1554912) - Allow fail2ban_t to read system network state BZ(1557752) - Allow dac override capability to mandb_t domain BZ(1529399) - Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681) - Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369) - Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439) - Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359) - Allow snapperd to relabel snapperd_data_t - Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets - Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled - Allow insmod_t to load modules BZ(1544189) - Allow systemd_rfkill_t domain sys_admin capability BZ(1557595) - Allow systemd_networkd_t to read/write tun tap devices - Add shell_exec_t file as domain entry for init_t - Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862) - Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347) - Improve userdom_mmap_user_home_content_files - Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414) - Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module - Allow semanage_t domain mmap usr_t files - Add new boolean: ssh_use_tcpd()- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets - Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled - Allow semanage_t domain mmap usr_t files - Add new boolean: ssh_use_tcpd()- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/ - Allow newrole_t dacoverride capability - Allow traceroute_t domain to mmap packet sockets - Allow netutils_t domain to mmap usmmon device - Allow netutils_t domain to use mmap on packet_sockets - Allow traceroute to create icmp packets - Allos sysadm_t domain to create tipc sockets - Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets- Allow rpcd_t domain dac override - Allow rpm domain to mmap rpm_var_lib_t files - Allow arpwatch domain to create bluetooth sockets - Allow secadm_t domain to mmap audit config and log files - Update init_abstract_socket_activation() to allow also creating tcp sockets - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain. - Add SELinux support for systemd-importd - Create new type bpf_t and label /sys/fs/bpf with this type- allow bluetooth_t domain to create alg_socket bz(1554410) - allow tor_t domain to execute bin_t files bz(1496274) - allow iscsid_t domain to mmap kernel modules bz(1553759) - update minidlna selinux policy bz(1554087) - allow motion_t domain to read sysfs_t files bz(1554142) - allow snapperd_t domain to getattr on all files,dirs,sockets,pipes bz(1551738) - allow l2tp_t domain to read ipsec config files bz(1545348) - allow colord_t to mmap home user files bz(1551033) - dontaudit httpd_t creating kobject uevent sockets bz(1552536) - allow ipmievd_t to mmap kernel modules bz(1552535) - allow boinc_t domain to read cgroup files bz(1468381) - backport allow rules from refpolicy upstream repo - allow gpg_t domain to bind on all unereserved udp ports - allow systemd to create systemd_rfkill_var_lib_t dirs bz(1502164) - allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t bz(1483655) - allow xdm_t domain to sys_ptrace bz(1554150) - allow application_domain_type also mmap inherited user temp files bz(1552765) - update ipsec_read_config() interface - fix broken sysadm selinux module - allow ipsec_t to search for bind cache bz(1542746) - allow staff_t to send sigkill to mount_t domain bz(1544272) - label /run/systemd/resolve/stub-resolv.conf as net_conf_t bz(1471545) - label ip6tables.init as iptables_exec_t bz(1551463) - allow hostname_t to use usb ttys bz(1542903) - add fsetid capability to updpwd_t domain bz(1543375) - allow systemd machined send signal to all domains bz(1372644) - dontaudit create netlink selinux sockets for unpriv selinux users bz(1547876) - allow sysadm_t to create netlink generic sockets bz(1547874) - allow passwd_t domain chroot - dontaudit confined unpriviliged users setuid capability- Allow l2tpd_t domain to create pppox sockets - Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251) - Add interface abrt_map_cache() - Update gnome_manage_home_config() to allow also map permission BZ(1544270) - Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770) - Dontaudit kernel bug when several services requesting load kernel module - Allow traceroute and unconfined domains creating sctp sockets - Add interface corenet_sctp_bind_generic_node() - Allow ping_t domain to create icmp sockets - Allow staff_t to mmap abrt_var_cache_t BZ(1544273) - Fix typo bug in dev_map_framebuffer() interface BZ(1551842) - Dontaudit kernel bug when several services requesting load kernel module- Allow vdagent_t domain search cgroup dirs BZ(1541564) - Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247) - Allow bluetooth domain creating bluetooth sockets BZ(1551577) - pki_log_t should be log_file - Allow gpgdomain to unix_stream socket connectto - Make working gpg agent in gpg_agent_t domain - Dontaudit thumb_t to rw lvm pipes BZ(154997) - Allow start cups_lpd via systemd socket activation BZ(1532015) - Improve screen_role_template Resolves: rhbz#1534111 - Dontaudit modemmanager to setpgid. BZ(1520482) - Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227) - Allow systemd-networkd to create netlink generic sockets BZ(1551578) - refpolicy: Define getrlimit permission for class process - refpolicy: Define smc_socket security class - Allow transition from sysadm role into mdadm_t domain. - ssh_t trying to communicate with gpg agent not sshd_t - Allow sshd_t communicate with gpg_agent_t - Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643) - Revert "Allow systemd_rfkill_t domain to reguest kernel load module BZ(1543650)" - Revert "Allow systemd to request load kernel module BZ(1547227)" - Allow systemd to write to all pidfile socketes because of SocketActivation unit option ListenStream= BZ(1543576) - Add interface lvm_dontaudit_rw_pipes() BZ(154997) - Add interfaces for systemd socket activation - Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098)- refpolicy: Define extended_socket_class policy capability and socket classes - Make bluetooth_var_lib_t as mountpoint BZ(1547416) - Allow systemd to request load kernel module BZ(1547227) - Allow ipsec_t domain to read l2tpd pid files - Allow sysadm to read/write trace filesystem BZ(1547875) - Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761)- Fix broken cups Security Module - Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079) - Allow geoclue to connect to tcp nmea port BZ(1362118) - Allow pcp_pmcd_t to read mock lib files BZ(1536152) - Allow abrt_t domain to mmap passwd file BZ(1540666) - Allow gpsd_t domain to get session id of another process BZ(1540584) - Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405) - Allow cluster_t dbus chat with systemd BZ(1540163) - Add interface raid_stream_connect() - Allow nscd_t to mmap nscd_var_run_t files BZ(1536689) - Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911) - Make cups_pdf_t domain system dbusd client BZ(1532043) - Allow logrotate to read auditd_log_t files BZ(1525017) - Improve snapperd SELinux policy BZ(1514272) - Allow virt_domain to read virt_image_t files BZ(1312572) - Allow openvswitch_t stream connect svirt_t - Update dbus_dontaudit_stream_connect_system_dbusd() interface - Allow openvswitch domain to manage svirt_tmp_t sock files - Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210) - Merge pull request #50 from dodys/pkcs - Label tcp and udp ports 10110 as nmea_port_t BZ(1362118) - Allow systemd to access rfkill lib dirs BZ(1539733) - Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044) - Allow vxfs filesystem to use SELinux labels - Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231) - Allow few services to dbus chat with snapperd BZ(1514272) - Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180) - Fix logging as staff_u into Fedora 27 - Fix broken systemd_tmpfiles_run() interface- Escape macros in %changelog- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t - Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600) - Allow keepalived_t domain getattr proc filesystem - Allow init_t to create UNIX sockets for unconfined services (BZ1543049) - Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t - Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets - Add new interface ppp_filetrans_named_content() - Allow keepalived_t read sysctl_net_t files - Allow puppetmaster_t domtran to puppetagent_t - Allow kdump_t domain to read kernel ring buffer - Allow boinc_t to mmap boinc tmpfs files BZ(1540816) - Merge pull request #47 from masatake/keepalived-signal - Allow keepalived_t create and write a file under /tmp - Allow ipsec_t domain to exec ifconfig_exec_t binaries. - Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock - Allow updpwd_t domain to create files in /etc with shadow_t label- Allow opendnssec daemon to execute ods-signer BZ(1537971)- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems) - Update dbus_role_template() BZ(1536218) - Allow lldpad_t domain to mmap own tmpfs files BZ(1534119) - Allow blueman_t dbus chat with policykit_t BZ(1470501) - Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110) - Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275) - Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471) - Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636) - Allow jetty_t domain to mmap own temp files BZ(1534628) - Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624) - Consistently label usr_t for kernel/initrd in /usr - kernel/files.fc: Label /usr/lib/sysimage as usr_t - Allow iptables sysctl load list support with SELinux enforced - Label HOME_DIR/.config/systemd/user/* user unit files as systemd_unit_file_t BZ(1531864)- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide - Allow virt_domains to acces infiniband pkeys. - Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180) - Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t - Allow audisp_remote_t domain write to files on all levels- Allow aide to mmap usr_t files BZ(1534182) - Allow ypserv_t domain to connect to tcp ports BZ(1534245) - Allow vmtools_t domain creating vmware_log_t files - Allow openvswitch_t domain to acces infiniband devices - Allow dirsrv_t domain to create tmp link files - Allow pcp_pmie_t domain to exec itself. BZ(153326) - Update openvswitch SELinux module - Allow virtd_t to create also sock_files with label virt_var_run_t - Allow chronyc_t domain to manage chronyd_keys_t files. - Allow logwatch to exec journal binaries BZ(1403463) - Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864) - Update logging_read_all_logs to allow mmap all logfiles BZ(1403463) - Add Label systemd_unit_file_t for /var/run/systemd/units/- Removed big SELinux policy patches against tresys refpolicy and use tarballs from fedora-selinux github organisation- Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy - Allow git_script_t to mmap git_user_content_t files BZ(1530937) - Allow certmonger domain to create temp files BZ(1530795) - Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563) - Allow fsdaemon_t to read nvme devices BZ(1530018) - Dontaudit fsdaemon_t to write to admin homedir. BZ(153030) - Update munin plugin policy BZ(1528471) - Allow sendmail_t domain to be system dbusd client BZ(1478735) - Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645) - Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313) - Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672) - Allow thumb_t to mmap non security files BZ(1517393) - Allow smbd_t to mmap files with label samba_share_t BZ(1530453) - Fix broken sysnet_filetrans_named_content() interface - Allow init_t to create tcp sockets for unconfined services BZ(1366968) - Allow xdm_t to getattr on xserver_t process files BZ(1506116) - Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297) - Allow X userdomains to send dgram msgs to xserver_t BZ(1515967) - Add interface files_map_non_security_files()- Make working SELinux sandbox with Wayland. BZ(1474082) - Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169) - Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723) - Allow collectd to connect to lmtp_port_t BZ(1304029) - Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776) - Allow thumb_t to mmap removable_t files. BZ(1522724) - Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118) - Add interface fs_mmap_removable_files()- Allow crond_t to read pcp lib files BZ(1525420) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783) - Allow certwatch_t to mmap generic certs. BZ(1527173) - Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876) - Add interface userdom_map_user_home_files() - Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202) - Allow xdm_t dbus chat with modemmanager_t BZ(1526722) - All domains accessing home_cert_t objects should also mmap it. BZ(1519810)- Allow thumb_t domain to dosfs_t BZ(1517720) - Allow gssd_t to read realmd_var_lib_t files BZ(1521125) - Allow domain transition from logrotate_t to chronyc_t BZ(1436013) - Allow git_script_t to mmap git_sys_content_t BZ(1517541) - Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803) - Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642) - Allow colord_t to mmap xdm pid files BZ(1518382) - Allow arpwatch to mmap usbmon device BZ(152456) - Allow mandb_t to read public sssd files BZ(1514093) - Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659) - Allow qpid to map files. - Allow plymouthd_t to mmap firamebuf device BZ(1517405) - Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611) - Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449) - Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816) - Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282) - Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048) - Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899) - Update samba_manage_var_files() interface by adding map permission. BZ(1517125) - Allow pcp_pmlogger_t domain to execute itself. BZ(1517395) - Dontaudit sys_ptrace capability for mdadm_t BZ(1515849) - Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956) - Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019) - Add interface fs_map_dos_files() - Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. BZ(1519729) - Add interface xserver_map_xdm_pid() BZ(1518382) - Add new interface dev_map_usbmon_dev() BZ(1524256) - Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137) - Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810) - Fix typo in filesystem.if - Add interface dev_map_framebuffer() - Allow chkpwd command to mmap /etc/shadow BZ(1513704) - Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529) - Allow thumb_t domain to mmap fusefs_t files BZ(1517517) - Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125) - Add interface fs_map_cifs_files() - Merge pull request #207 from rhatdan/labels - Merge pull request #208 from rhatdan/logdir - Allow domains that manage logfiles to man logdirs- Make ganesha nfs server- Add interface raid_relabel_mdadm_var_run_content() - Fix iscsi SELinux module - Allow spamc_t domain to read home mail content BZ(1414366) - Allow sendmail_t to list postfix config dirs BZ(1514868) - Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153) - Allow iscsid_t domain to requesting loading kernel modules BZ(1448877) - Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304) - Allow cupsd_t domain to localization BZ(1514350) - Allow antivirus_t nnp domain transition because of systemd security features. BZ(1514451) - Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301) - Allow abrt_t domain to mmap fusefs_t files BZ(1515169) - Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867) - Allow httpd_t domain to mmap all httpd content type BZ(1514866) - Allow mandb_t to read /etc/passwd BZ(1514903) - Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093) - Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975) - Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263) - Allow systemd to read/write to mount_var_run_t files BZ(1515373) - Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373) - Allow home managers to mmap nfs_t files BZ(1514372) - Add interface fs_mmap_nfs_files() - Allow systemd-mount to create new directory for mountpoint BZ(1514880) - Allow getty to use usbttys - Add interface systemd_rfkill_domtrans() - Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403) - Add interface fs_mmap_fusefs_files() - Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251)- Allow pcp_pmlogger to send logs to journal BZ(1512367) - Merge pull request #40 from lslebodn/kcm_kerberos - Allow services to use kerberos KCM BZ(1512128) - Allow system_mail_t domain to be system_dbus_client BZ(1512476) - Allow aide domain to stream connect to sssd_t BZ(1512500) - Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809) - Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269) - Include cupsd_config_t domain into cups_execmem boolean. BZ(1417584) - Allow samba_net_t domain to mmap samba_var_t files BZ(1512227) - Allow lircd_t domain to execute shell BZ(1512787) - Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814) - Allow redis to creating tmp files with own label BZ(1513518) - Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502) - Allow httpd_t to mmap httpd_tmp_t files BZ(1502303) - Add map permission to samba_rw_var_files interface. BZ(1513908) - Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t - Add dac_read_search and dac_override capabilities to ganesha - Allow ldap_t domain to manage also slapd_tmp_t lnk files - Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584) - Add dac_override capability to dhcpd_t doamin BZ(1510030) - Allow snapperd_t to remove old snaps BZ(1510862) - Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704) - Allow xdm_t send signull to all xserver unconfined types BZ(1499390) - Allow fs associate for sysctl_vm_t BZ(1447301) - Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479) - Allow xdm_t domain to read usermodehelper_t state BZ(1412609) - Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948) - Allow systemd to mmap kernel modules BZ(1513399) - Allow userdomains to mmap fifo_files BZ(1512242) - Merge pull request #205 from rhatdan/labels - Add map permission to init_domtrans() interface BZ(1513832) - Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883) - Unconfined domains, need to create content with the correct labels - Container runtimes are running iptables within a different user namespace - Add interface files_rmdir_all_dirs()- Allow jabber domains to connect to postgresql ports - Dontaudit slapd_t to block suspend system - Allow spamc_t to stream connect to cyrys. - Allow passenger to connect to mysqld_port_t - Allow ipmievd to use nsswitch - Allow chronyc_t domain to use user_ptys - Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst - Fix typo bug in tlp module - Allow userdomain gkeyringd domain to create stream socket with userdomain- Merge pull request #37 from milosmalik/rawhide - Allow mozilla_plugin_t domain to dbus chat with devicekit - Dontaudit leaked logwatch pipes - Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. - Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546) - Allow chronyd daemon to execute chronyc. BZ(1507478) - Allow pdns to read network system state BZ(1507244) - Allow gssproxy to read network system state Resolves: rhbz#1507191 - Allow nfsd_t domain to read configfs_t files/dirs - Allow tgtd_t domain to read generic certs - Allow ptp4l to send msgs via dgram socket to unprivileged user domains - Allow dirsrv_snmp_t to use inherited user ptys and read system state - Allow glusterd_t domain to create own tmpfs dirs/files - Allow keepalived stream connect to snmp- Allow zabbix_t domain to change its resource limits - Add new boolean nagios_use_nfs - Allow system_mail_t to search network sysctls - Hide all allow rules with ptrace inside deny_ptrace boolean - Allow nagios_script_t to read nagios_spool_t files - Allow sbd_t to create own sbd_tmpfs_t dirs/files - Allow firewalld and networkmanager to chat with hypervkvp via dbus - Allow dmidecode to read rhsmcert_log_t files - Allow mail system to connect mariadb sockets. - Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877) - Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170) - Allow iptables_t to run setfiles to restore context on system - Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t - Allow chronyd_t do request kernel module and block_suspend capability - Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label - Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414) - Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912) - Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220) - Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110) - Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables - Allow svnserve to use kerberos - Allow conman to use ptmx. Add conman_use_nfs boolean - Allow nnp transition for amavis and tmpreaper SELinux domains - Allow chronyd_t to mmap chronyc_exec_t binary files - Add dac_read_search capability to openvswitch_t domain - Allow svnserve to manage own svnserve_log_t files/dirs - Allow keepalived_t to search network sysctls - Allow puppetagent_t domain dbus chat with rhsmcertd_t domain - Add kill capability to openvswitch_t domain - Label also compressed logs in /var/log for different services - Allow inetd_child_t and system_cronjob_t to run chronyc. - Allow chrony to create netlink route sockets - Add SELinux support for chronyc - Add support for running certbot(letsencrypt) in crontab - Allow nnp trasintion for unconfined_service_t - Allow unpriv user domains and unconfined_service_t to use chronyc- Drop *.lst files from file list - Ship file_contexts.homedirs in store - Allow proper transition when systems starting pdns to pdns_t domain. BZ(1305522) - Allow haproxy daemon to reexec itself. BZ(1447800) - Allow conmand to use usb ttys. - Allow systemd_machined to read mock lib files. BZ(1504493) - Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)- Fix typo in virt file contexts file - allow ipa_dnskey_t to read /proc/net/unix file - Allow openvswitch to run setfiles in setfiles_t domain. - Allow openvswitch_t domain to read process data of neutron_t domains - Fix typo in ipa_cert_filetrans_named_content() interface - Fix typo bug in summary of xguest SELinux module - Allow virtual machine with svirt_t label to stream connect to openvswitch. - Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1 - Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852) - Add nnp transition rule for services using NoNewPrivileges systemd feature - Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923) - Add init_nnp_daemon_domain interface - Allow nnp transition capability - Merge pull request #204 from konradwilk/rhbz1484908 - Label postgresql-check-db-dir as postgresql_exec_t- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088) - Allow fail2ban_t domain to mmap journals. BZ(1500089) - Add dac_override to abrt_t domain BZ(1499860) - Allow pppd domain to mmap own pid files BZ(1498587) - Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451) - Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules - Allow systemd to read sysfs sym links. BZ(1499327) - Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863) - Make systemd_networkd_var_run as mountpoint BZ(1499862) - Allow noatsecure for java-based unconfined services. BZ(1358476) - Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015)- Allow cloud-init to create content in /var/run/cloud-init - Dontaudit VM to read gnome-boxes process data BZ(1415975) - Allow winbind_t domain mmap samba_var_t files - Allow cupsd_t to execute ld_so_cache_t BZ(1478602) - Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035) - Add dac_override capability to groupadd_t domain BZ(1497091) - Allow unconfined_service_t to start containers- Drop policyhelp utility BZ(1498429)- Allow cupsd_t to execute ld_so_cache_t BZ(1478602) - Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806) - Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026) - Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531) - Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318) - Allow systemd to maange sysfs BZ(1471361)- Switch default value of SELinux boolean httpd_graceful_shutdown to off.- Allow virtlogd_t domain to write inhibit systemd pipes. - Add dac_override capability to openvpn_t domain - Add dac_override capability to xdm_t domain - Allow dac_override to groupadd_t domain BZ(1497081) - Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166)- Allow tlp_t domain stream connect to sssd_t domain - Add missing dac_override capability - Add systemd_tmpfiles_t dac_override capability- Remove all unnecessary dac_override capability in SELinux modules- Allow init noatsecure httpd_t - Allow mysqld_t domain to mmap mysqld db files. BZ(1483331) - Allow unconfined_t domain to create new users with proper SELinux lables - Allow init noatsecure httpd_t - Label tcp port 3269 as ldap_port_t- Add new boolean tomcat_read_rpm_db() - Allow tomcat to connect on mysqld tcp ports - Add new interface apache_delete_tmp() - Add interface fprintd_exec() - Add interface fprintd_mounton_var_lib() - Allow mozilla plugin to mmap video devices BZ(1492580) - Add ctdbd_t domain sys_source capability and allow setrlimit - Allow systemd-logind to use ypbind - Allow systemd to remove apache tmp files - Allow ldconfig domain to mmap ldconfig cache files - Allow systemd to exec fprintd BZ(1491808) - Allow systemd to mounton fprintd lib dir- Allow svirt_t read userdomain state- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files - Allow automount domain to manage mount pid files - Allow stunnel_t domain setsched - Add keepalived domain setpgid capability - Merge pull request #24 from teg/rawhide - Merge pull request #28 from lslebodn/revert_1e8403055 - Allow sysctl_irq_t assciate with proc_t - Enable cgourp sec labeling - Allow sshd_t domain to send signull to xdm_t processes- Allow passwd_t domain mmap /etc/shadow and /etc/passwd - Allow pulseaudio_t domain to map user tmp files - Allow mozilla plugin to mmap mozilla tmpfs files- Add new bunch of map rules - Merge pull request #25 from NetworkManager/nm-ovs - Make working webadm_t userdomain - Allow redis domain to execute shell scripts. - Allow system_cronjob_t to create redhat-access-insights.log with var_log_t - Add couple capabilities to keepalived domain and allow get attributes of all domains - Allow dmidecode read rhsmcertd lock files - Add new interface rhsmcertd_rw_lock_files() - Add new bunch of map rules - Merge pull request #199 from mscherer/add_conntrackd - Add support labeling for vmci and vsock device - Add userdom_dontaudit_manage_admin_files() interface- Allow domains reading raw memory also use mmap.- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404) - Fix denials during ipa-server-install process on F27+ - Allow httpd_t to mmap cert_t - Add few rules to make tlp_t domain working in enforcing mode - Allow cloud_init_t to dbus chat with systemd_timedated_t - Allow logrotate_t to write to kmsg - Add capability kill to rhsmcertd_t - Allow winbind to manage smbd_tmp_t files - Allow groupadd_t domain to dbus chat with systemd.BZ(1488404) - Add interface miscfiles_map_generic_certs()- Allow abrt_dump_oops_t to read sssd_public_t files - Allow cockpit_ws_t to mmap usr_t files - Allow systemd to read/write dri devices.- Add couple rules related to map permissions - Allow ddclient use nsswitch BZ(1456241) - Allow thumb_t domain getattr fixed_disk device. BZ(1379137) - Add interface dbus_manage_session_tmp_dirs() - Dontaudit useradd_t sys_ptrace BZ(1480121) - Allow ipsec_t can exec ipsec_exec_t - Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs- Allow cupsd_t to execute ld_so_cache - Add cgroup_seclabel policycap. - Allow xdm_t to read systemd hwdb - Add new interface systemd_hwdb_mmap_config() - Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050)- Allow couple map rules- Make confined users working - Allow ipmievd_t domain to load kernel modules - Allow logrotate to reload transient systemd unit- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain - Allow nscd_t domain to search network sysctls - Allow iscsid_t domain to read mount pid files - Allow ksmtuned_t domain manage sysfs_t files/dirs - Allow keepalived_t domain domtrans into iptables_t - Allow rshd_t domain reads net sysctls - Allow systemd to create syslog netlink audit socket - Allow ifconfig_t domain unmount fs_t - Label /dev/gpiochip* devices as gpio_device_t- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170) - Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects. - Label /var/run/agetty.reload as getty_var_run_t - Add missing filecontext for sln binary - Allow systemd to read/write to event_device_t BZ(1471401)- Allow sssd_t domain to map sssd_var_lib_t files - allow map permission where needed - contrib: allow map permission where needed - Allow syslogd_t to map syslogd_var_run_t files - allow map permission where needed- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc - Label /usr/libexec/sudo/sesh as shell_exec_t- refpolicy: Infiniband pkeys and endport- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524) - After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy - refpolicy: Define and allow map permission - init: Add NoNewPerms support for systemd. - Add nnp_nosuid_transition policycap and related class/perm definitions.- Update for SELinux userspace release 20170804 / 2.7 - Omit precompiled regular expressions from file_contexts.bin files- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild- Allow llpdad send dgram to libvirt - Allow abrt_t domain dac_read_search capability - Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476) - Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036) - Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)- Add new boolean gluster_use_execmem- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service - Allow iptables to read container runtime files- Allow boinc_t nsswitch - Dontaudit firewalld to write to lib_t dirs - Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t - Allow thumb_t domain to allow create dgram sockets - Disable mysqld_safe_t secure mode environment cleansing - Allow couple rules needed to start targetd daemon with SELinux in enforcing mode - Allow dirsrv domain setrlimit - Dontaudit staff_t user read admin_home_t files. - Add interface lvm_manage_metadata - Add permission open to files_read_inherited_tmp_files() interface- Allow sssd_t to read realmd lib files. - Fix init interface file. init_var_run_t is type not attribute- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files. - Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide - Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use - Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t. - Allow httpd_t to read realmd_var_lib_t files - Allow unconfined_t user all user namespace capabilties. - Add interface systemd_tmpfiles_exec() - Add interface libs_dontaudit_setattr_lib_files() - Dontaudit xdm_t domain to setattr on lib_t dirs - Allow sysadm_r role to jump into dirsrv_t- Merge pull request #10 from mscherer/fix_tor_dac - Merge pull request #9 from rhatdan/rawhide - Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t - Allow kdumpgui to read removable disk device - Allow systemd_dbusd_t domain read/write to nvme devices - Allow udisks2 domain to read removable devices BZ(1443981) - Allow virtlogd_t to execute itself - Allow keepalived to read/write usermodehelper state - Allow named_t to bind on udp 4321 port - Fix interface tlp_manage_pid_files() - Allow collectd domain read lvm config files. BZ(1459097) - Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide - Allow samba_manage_home_dirs boolean to manage user content - Merge pull request #14 from lemenkov/rabbitmq_systemd_notify - Allow pki_tomcat_t execute ldconfig. - Merge pull request #191 from rhatdan/udev - Allow systemd_modules_load_t to load modules- Allow keepalived domain connect to squid tcp port - Allow krb5kdc_t domain read realmd lib files. - Allow tomcat to connect on all unreserved ports - Allow keepalived domain connect to squid tcp port - Allow krb5kdc_t domain read realmd lib files. - Allow tomcat to connect on all unreserved ports - Allow ganesha to connect to all rpc ports - Update ganesha with few allow rules - Update rpc_read_nfs_state_data() interface to allow read also lnk_files. - virt_use_glusterd boolean should be in optional block - Add new boolean virt_use_glusterd - Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls. - Allow ganesha_t domain to manage glusterd_var_run_t pid files. - Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls - Add few allow rules to ganesha module - Allow condor_master_t to read sysctls. - Add dac_override cap to ctdbd_t domain - Add ganesha_use_fusefs boolean. - Allow httpd_t reading kerberos kdc config files - Allow tomcat_t domain connect to ibm_dt_2 tcp port. - Allow stream connect to initrc_t domains - Add pki_exec_common_files() interface - Allow dnsmasq_t domain to read systemd-resolved pid files. - Allow tomcat domain name_bind on tcp bctp_port_t - Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process. - Allow condor_master_t write to sysctl_net_t - Allow nagios check disk plugin read /sys/kernel/config/ - Allow pcp_pmie_t domain execute systemctl binary - Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl - xdm_t should view kernel keys - Hide broken symptoms when machine is configured with network bounding. - Label 8750 tcp/udp port as dey_keyneg_port_t - Label tcp/udp port 1792 as ibm_dt_2_port_t - Add interface fs_read_configfs_dirs() - Add interface fs_read_configfs_files() - Fix systemd_resolved_read_pid interface - Add interface systemd_resolved_read_pid() - Allow sshd_net_t domain read/write into crypto devices - Label 8999 tcp/udp as bctp_port_t- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t - Add interface pki_manage_common_files() - Allow rngd domain read sysfs_t - Allow tomcat_t domain to manage pki_common_t files and dirs - Merge pull request #3 from rhatdan/devicekit - Merge pull request #12 from lslebodn/sssd_sockets_fc - Allow certmonger reads httpd_config_t files - Allow keepalived_t domain creating netlink_netfilter_socket. - Use stricter fc rules for sssd sockets in /var/run - Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. - Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/ - Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit - ejabberd small fixes - Update targetd policy to accommodate changes in the service - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls - Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit - Dontaudit net_admin capability for useradd_t domain - Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723) - Make able deply overcloud via neutron_t to label nsfs as fs_t - Add fs_manage_configfs_lnk_files() interface- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit - ejabberd small fixes - Update targetd policy to accommodate changes in the service - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls - Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit - Allow glusterd_t domain start ganesha service - Made few cosmetic changes in sssd SELinux module - Merge pull request #11 from lslebodn/sssd_kcm - Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options. - Allow keepalived_t domain read usermodehelper_t - Allow radius domain stream connec to postgresql - Merge pull request #8 from bowlofeggs/142-rawhide - Add fs_manage_configfs_lnk_files() interface- auth_use_nsswitch can call only domain not attribute - Dontaudit net_admin cap for winbind_t - Allow tlp_t domain to stream connect to system bus - Allow tomcat_t domain read pki_common_t files - Add interface pki_read_common_files() - Fix broken cermonger module - Fix broken apache module - Allow hypervkvp_t domain execute hostname - Dontaudit sssd_selinux_manager_t use of net_admin capability - Allow tomcat_t stream connect to pki_common_t - Dontaudit xguest_t's attempts to listen to its tcp_socket - Allow sssd_selinux_manager_t to ioctl init_t sockets - Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type. - Allow pki_tomcat_t domain read /etc/passwd. - Allow tomcat_t domain read ipa_tmp_t files - Label new path for ipa-otpd - Allow radiusd_t domain stream connect to postgresql_t - Allow rhsmcertd_t to execute hostname_exec_t binaries. - Allow virtlogd to append nfs_t files when virt_use_nfs=1 - Allow httpd_t domain read also httpd_user_content_type lnk_files. - Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t - Dontaudit _gkeyringd_t stream connect to system_dbusd_t - Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t - Add interface ipa_filetrans_named_content() - Allow tomcat use nsswitch - Allow certmonger_t start/status generic services - Allow dirsrv read cgroup files. - Allow ganesha_t domain read/write infiniband devices. - Allow sendmail_t domain sysctl_net_t files - Allow targetd_t domain read network state and getattr on loop_control_device_t - Allow condor_schedd_t domain send mails. - Allow ntpd to creating sockets. BZ(1434395) - Alow certmonger to create own systemd unit files. - Add kill namespace capability to xdm_t domain - Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization." - Revert "Allow _su_t to create netlink_selinux_socket" - Allow _su_t to create netlink_selinux_socket - Allow unconfined_t to module_load any file - Allow staff to systemctl virt server when staff_use_svirt=1 - Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context - Allow netutils setpcap capability - Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124)- fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade- Fix abrt module to reflect all changes in abrt release- Allow tlp_t domain to ioctl removable devices BZ(1436830) - Allow tlp_t domain domtrans into mount_t BZ(1442571) - Allow lircd_t to read/write to sysfs BZ(1442443) - Fix policy to reflect all changes in new IPA release - Allow virtlogd_t to creating tmp files with virt_tmp_t labels. - Allow sbd_t to read/write fixed disk devices - Add sys_ptrace capability to radiusd_t domain - Allow cockpit_session_t domain connects to ssh tcp ports. - Update tomcat policy to make working ipa install process - Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t - Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383 - Update pki interfaces and tomcat module - Allow sendmail to search network sysctls - Add interface gssd_noatsecure() - Add interface gssproxy_noatsecure() - Allow chronyd_t net_admin capability to allow support HW timestamping. - Update tomcat policy. - Allow certmonger to start haproxy service - Fix init Module - Make groupadd_t domain as system bus client BZ(1416963) - Make useradd_t domain as system bus client BZ(1442572) - Allow xdm_t to gettattr /dev/loop-control device BZ(1385090) - Dontaudit gdm-session-worker to view key unknown. BZ(1433191) - Allow init noatsecure for gssd and gssproxy - Allow staff user to read fwupd_cache_t files - Remove typo bugs - Remove /proc <> from fedora policy, it's no longer necessary- Merge pull request #4 from lslebodn/sssd_socket_activated - Remove /proc <> from fedora policy, it's no longer necessary - Allow iptables get list of kernel modules - Allow unconfined_domain_type to enable/disable transient unit - Add interfaces init_enable_transient_unit() and init_disable_transient_unit - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" - Label sysroot dir under ostree as root_t- Put tomcat_t back in unconfined domains for now. BZ(1436434)- Make fwupd_var_lib_t type mountpoint. BZ(1429341) - Remove tomcat_t domain from unconfined domains - Create new boolean: sanlock_enable_home_dirs() - Allow mdadm_t domain to read/write nvme_device_t - Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content - Add interface dev_rw_nvme - Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)- Allow vdagent domain to getattr cgroup filesystem - Allow abrt_dump_oops_t stream connect to sssd_t domain - Allow cyrus stream connect to gssproxy - Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules - Allow colord_t to read systemd hwdb.bin file - Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t - Allow certmonger to manage /etc/krb5kdc_conf_t - Allow kdumpctl to getenforce - Allow ptp4l wake_alarm capability - Allow ganesha to chat with unconfined domains via dbus - Add nmbd_t capability2 block_suspend - Add domain transition from sosreport_t to iptables_t - Dontaudit init_t to mounton modules_object_t - Add interface files_dontaudit_mounton_modules_object - Allow xdm_t to execute files labeled as xdm_var_lib_t - Make mtrr_device_t mountpoint. - Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd- Update fwupd policy - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t - Update ganesha policy - Allow chronyd to read adjtime - Merge pull request #194 from hogarthj/certbot_policy - get the correct cert_t context on certbot certificates bz#1289778 - Label /dev/ss0 as gpfs_device_t- Allow abrt_t to send mails.- Add radius_use_jit boolean - Allow nfsd_t domain to create sysctls_rpc_t files - add the policy required for nextcloud - Allow can_load_kernmodule to load kernel modules. BZ(1426741) - Create kernel_create_rpc_sysctls() interface- Remove ganesha from gluster module and create own module for ganesha - FIx label for /usr/lib/libGLdispatch.so.0.0.0- Dontaudit xdm_t wake_alarm capability2 - Allow systemd_initctl_t to create and connect unix_dgram sockets - Allow ifconfig_t to mount/unmount nsfs_t filesystem - Add interfaces allowing mount/unmount nsfs_t filesystem - Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)- Allow syslog client to connect to kernel socket. BZ(1419946)- Allow shiftfs to use xattr SELinux labels - Fix ssh_server_template by add sshd_t to require section.- Merge pull request #187 from rhatdan/container-selinux - Allow rhsmcertd domain signull kernel. - Allow container-selinux to handle all policy for container processes - Fix label for nagios plugins in nagios file conxtext file - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add SELinux support for systemd-initctl daemon - Add SELinux support for systemd-bootchart - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add module_load permission to can_load_kernmodule - Add module_load permission to class system - Add the validate_trans access vector to the security class - Restore connecto permssions for init_t- Allow kdumpgui domain to read nvme device - Add amanda_tmpfs_t label. BZ(1243752) - Fix typo in sssd interface file - Allow sssd_t domain setpgid BZ(1411437) - Allow ifconfig_t domain read nsfs_t - Allow ping_t domain to load kernel modules. - Allow systemd to send user information back to pid1. BZ(1412750) - rawhide-base: Fix wrong type/attribute flavors in require blocks- Allow libvirt daemon to create /var/chace/libvirt dir. - Allow systemd using ProtectKernelTunables securit feature. BZ(1392161) - F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829)- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017) - Tighten security on containe types - Make working cracklib_password_check for MariaDB service - Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505)-Allow thumb domain sendto via dgram sockets. BZ(1398813) - Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077) - Allow cobbler domain to create netlink_audit sockets BZ(1384600) - Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626) - Add dhcpd_t domain fowner capability BZ(1409963) - Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942) - Fix broken interfaces - Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456) - Allow user_t run systemctl --user BZ(1401625)- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977) - Allow tlp_t domain to read proc_net_t BZ(1403487) - Merge pull request #179 from rhatdan/virt1 - Allow tlp_t domain to read/write cpu microcode BZ(1403103) - Allow virt domain to use interited virtlogd domains fifo_file - Fixes for containers - Allow glusterd_t to bind on glusterd_port_t udp ports. - Update ctdbd_t policy to reflect all changes. - Allow ctdbd_t domain transition to rpcd_t- Allow pptp_t to read /dev/random BZ(1404248) - Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t - Allow systemd to stop glusterd_t domains. - Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base - Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323) - Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs."- Label /usr/bin/rpcbind as rpcbind_exec_t - Dontaudit mozilla plugin rawip socket creation. BZ(1275961) - Merge pull request #174 from rhatdan/netlink- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service - Allot tlp domain to create unix_dgram sockets BZ(1401233) - Allow antivirus domain to create lnk_files in /tmp - Allow cupsd_t to create lnk_files in /tmp. BZ(1401634) - Allow svnserve_t domain to read /dev/random BZ(1401827) - Allow lircd to use nsswitch. BZ(1401375) - Allow hostname_t domain to manage cluster_tmp_t files- Fix some boolean descriptions. - Add fwupd_dbus_chat() interface - Allow tgtd_t domain wake_alarm - Merge pull request #172 from vinzent/allow_puppetagent_timedated - Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) - Allow systemd_machined_t to start unit files labeled as init_var_run_t - Add init_manage_config_transient_files() interface - In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t. - Allow systemd to raise rlimit to all domains.BZ(1365435) - Add interface domain_setrlimit_all_domains() interface - Allow staff_t user to chat with fwupd_t domain via dbus - Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774) - Allow systemd-networkd to read network state BZ(1400016) - Allow systemd-resolved bind to dns port. BZ(1400023) - Allow systemd create /dev/log in own mount-namespace. BZ(1383867) - Add interface fs_dontaudit_getattr_nsfs_files() - Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) - Allow pmie daemon to send signal pcmd daemon BZ(1398078) - Allow spamd_t to manage /var/spool/mail. BZ(1398437) - Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254) - Merge pull request #171 from t-woerner/rawhide-contrib - Allow firewalld to getattr open search read modules_object_t:dir - Allow systemd create /dev/log in own mount-namespace. BZ(1383867) - Add interface fs_dontaudit_getattr_nsfs_files() - Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853) - Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)- Adding policy for tlp - Add interface dev_manage_sysfs() - Allow ifconfig domain to manage tlp pid files.- Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373)- Allow watching netflix using Firefox- nmbd_t needs net_admin capability like smbd - Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids - Add wake_alarm capability2 to openct_t domain - Allow abrt_t to getattr on nsfs_t files. - Add cupsd_t domain wake_alarm capability. - Allow sblim_reposd_t domain to read cert_f files. - Allow abrt_dump_oops_t to drop capabilities. bz(1391040) - Revert "Allow abrt_dump_oops_t to drop capabilities. bz(1391040)" - Allow isnsd_t to accept tcp connections- Allow abrt_dump_oops_t to drop capabilities. bz(1391040) - Add named_t domain net_raw capability bz(1389240) - Allow geoclue to read system info. bz(1389320) - Make openfortivpn_t as init_deamon_domain. bz(1159899) - Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487) - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Add interace lldpad_relabel_tmpfs - Merge pull request #155 from rhatdan/sandbox_nfs - Add pscsd_t wake_alarm capability2 - Allow sandbox domains to mount fuse file systems - Add boolean to allow sandbox domains to mount nfs - Allow hypervvssd_t to read all dirs. - Allow isnsd_t to connect to isns_port_t - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. - Make tor_var_lib_t and tor_var_log_t as mountpoints. - Allow systemd-rfkill to write to /proc/kmsg bz(1388669) - Allow init_t to relabel /dev/shm/lldpad.state - Merge pull request #168 from rhatdan/docker - Label tcp 51954 as isns_port_t - Lots of new domains like OCID and RKT are user container processes- Add container_file_t into contexts/customizable_types.- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build. - Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain. - Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain. - Merge pull request #167 from rhatdan/container - Add transition rules for sandbox domains - container_typebounds() should be part of sandbox domain template - Fix broken container_* interfaces - unconfined_typebounds() should be part of sandbox domain template - Fixed unrecognized characters at sandboxX module - unconfined_typebounds() should be part of sandbox domain template - svirt_file_type is atribute no type. - Merge pull request #166 from rhatdan/container - Allow users to transition from unconfined_t to container types - Add dbus_stream_connect_system_dbusd() interface. - Merge pull request #152 from rhatdan/network_filetrans - Fix typo in filesystem module - Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)- Dontaudit leaked file descriptors for thumb. BZ(1383071) - Fix typo in cobbler SELinux module - Merge pull request #165 from rhatdan/container - Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156) - Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t - Rename svirt_lxc_net_t to container_t - Rename docker.pp to container.pp, causes change in interface name - Allow httpd_t domain to list inotify filesystem. - Fix couple AVC to start roundup properly - Allow dovecot_t send signull to dovecot_deliver_t - Add sys_ptrace capability to pegasus domain - Allow firewalld to stream connect to NetworkManager. BZ(1380954) - rename docker intefaces to container - Merge pull request #164 from rhatdan/docker-base - Rename docker.pp to container.pp, causes change in interface name - Allow gvfs to read /dev/nvme* devices BZ(1380951)- Revert addition of systemd service for factory reset, since it is basically worse than what we had before. BZ(1290659)- Allow devicekit to chat with policykit via DBUS. BZ(1377113) - Add interface virt_rw_stream_sockets_svirt() BZ(1379314) - Allow xdm_t to read mount pid files. BZ(1377113) - Allow staff to rw svirt unix stream sockets. BZ(1379314) - Allow staff_t to read tmpfs files BZ(1378446)- Make tor_var_run_t as mountpoint. BZ(1368621) - Fix typo in ftpd SELinux module. - Allow cockpit-session to reset expired passwords BZ(1374262) - Allow ftp daemon to manage apache_user_content - Label /etc/sysconfig/oracleasm as oracleasm_conf_t - Allow oracleasm to rw inherited fixed disk device - Allow collectd to connect on unix_stream_socket - Add abrt_dump_oops_t kill user namespace capability. BZ(1376868) - Dontaudit systemd is mounting unlabeled dirs BZ(1367292) - Add interface files_dontaudit_mounton_isid()- Allow attach usb device to virtual machine BZ(1276873) - Dontaudit mozilla_plugin to sys_ptrace - Allow nut_upsdrvctl_t domain to read udev db BZ(1375636) - Fix typo - Allow geoclue to send msgs to syslog. BZ(1371818) - Allow abrt to read rpm_tmp_t dirs - Add interface rpm_read_tmp_files() - Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux - Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain. - Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service - Revert "label /var/lib/kubelet as svirt_sandbox_file_t" - Remove file context for /var/lib/kubelet. This filecontext is part of docker now - Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm - Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t - Allow mdadm_t to getattr all device nodes - Dontaudit gkeyringd_domain to connect to system_dbusd_t - Add interface dbus_dontaudit_stream_connect_system_dbusd() - Allow guest-set-user-passwd to set users password. - Allow domains using kerberos to read also kerberos config dirs - Allow add new interface to new namespace BZ(1375124) - Allow systemd to relalbel files stored in /run/systemd/inaccessible/ - Add interface fs_getattr_tmpfs_blk_file() - Dontaudit domain to create any file in /proc. This is kernel bug. - Improve regexp for power_unit_file_t files. To catch just systemd power unit files. - Add new interface fs_getattr_oracleasmfs_fs() - Add interface fs_manage_oracleasm() - Label /dev/kfd as hsa_device_t - Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module - Label /usr/bin/pappet as puppetagent_exec_t - Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label - Allow run sulogin_t in range mls_systemlow-mls_systemhigh.- udisk2 module is part of devicekit module now - Fix file context for /etc/pki/pki-tomcat/ca/ - new interface oddjob_mkhomedir_entrypoint() - Allow mdadm to get attributes from all devices. - Label /etc/puppetlabs as puppet_etc_t. - quota: allow init to run quota tools - Add new domain ipa_ods_exporter_t BZ(1366640) - Create new interface opendnssec_stream_connect() - Allow VirtualBox to manage udev rules. - Allow systemd_resolved to send dbus msgs to userdomains - Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t - Label all files in /dev/oracleasmfs/ as oracleasmfs_t- Add new domain ipa_ods_exporter_t BZ(1366640) - Create new interface opendnssec_stream_connect() - Allow systemd-machined to communicate to lxc container using dbus - Dontaudit accountsd domain creating dirs in /root - Add new policy for Disk Manager called udisks2 - Dontaudit firewalld wants write to /root - Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t - Allow certmonger to manage all systemd unit files - Allow ipa_helper_t stream connect to dirsrv_t domain - Update oracleasm SELinux module - label /var/lib/kubelet as svirt_sandbox_file_t - Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280) - Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness - Add new userdom_dontaudit_manage_admin_dir() interface - Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type- Add few interfaces to cloudform.if file - Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module - Allow krb5kdc_t to read krb4kdc_conf_t dirs. - Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run. - Make confined users working again - Fix hypervkvp module - Allow ipmievd domain to create lock files in /var/lock/subsys/ - Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t - A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init. - Allow systemd to stop systemd-machined daemon. This allows stop virtual machines. - Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/- Fix lsm SELinux module - Dontaudit firewalld to create dirs in /root/ BZ(1340611) - Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t - Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774) - Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299) - Add sys_admin capability to sbd domain - Allow vdagent to comunnicate with systemd-logind via dbus - Allow lsmd_plugin_t domain to create fixed_disk device. - Allow opendnssec domain to create and manage own tmp dirs/files - Allow opendnssec domain to read system state - Allow systemd_logind stop system init_t - Add interface init_stop() - Add interface userdom_dontaudit_create_admin_dir() - Label /var/run/storaged as lvm_var_run_t. - Allow unconfineduser to run ipa_helper_t.- Allow cups_config_t domain also mange sock_files. BZ(1361299) - Add wake_alarm capability to fprintd domain BZ(1362430) - Allow firewalld_t to relabel net_conf_t files. BZ(1365178) - Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802) - Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333) - Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173) - Dontaudit mock to write to generic certs. - Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t - Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain" - Merge pull request #144 from rhatdan/modemmanager - Allow modemmanager to write to systemd inhibit pipes - Label corosync-qnetd and corosync-qdevice as corosync_t domain - Allow ipa_helper to read network state - Label oddjob_reqiest as oddjob_exec_t - Add interface oddjob_run() - Allow modemmanager chat with systemd_logind via dbus - Allow NetworkManager chat with puppetagent via dbus - Allow NetworkManager chat with kdumpctl via dbus - Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls. - Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t - Allow rasdaemon to use tracefs filesystem - Fix typo bug in dirsrv policy - Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd. - Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t - Allow dirsrv to read dirsrv_share_t content - Allow virtlogd_t to append svirt_image_t files. - Allow hypervkvp domain to read hugetlbfs dir/files. - Allow mdadm daemon to read nvme_device_t blk files - Allow systemd_resolved to connect on system bus. BZ(1366334) - Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344) - Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625) - label tcp/udp port 853 as dns_port_t. BZ(1365609) - Merge pull request #145 from rhatdan/init - systemd is doing a gettattr on blk and chr devices in /run - Allow selinuxusers and unconfineduser to run oddjob_request - Allow sshd server to acces to Crypto Express 4 (CEX4) devices. - Fix typo in device interfaces - Add interfaces for managing ipmi devices - Add interfaces to allow mounting/umounting tracefs filesystem - Add interfaces to allow rw tracefs filesystem - Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base - Merge pull request #138 from rhatdan/userns - Allow iptables to creating netlink generic sockets. - Fix filecontext for systemd shared lib.- Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t- collectd: update policy for 5.5 - Allow puppet_t transtition to shorewall_t - Grant certmonger "chown" capability - Boinc updates from Russell Coker. - Allow sshd setcap capability. This is needed due to latest changes in sshd. - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" - Revert "Fix typo in ssh policy" - Get attributes of generic ptys, from Russell Coker.- Dontaudit mock_build_t can list all ptys. - Allow ftpd_t to mamange userhome data without any boolean. - Add logrotate permissions for creating netlink selinux sockets. - Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. - Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654) - Allow systemd gpt generator to run fstools BZ(1353585) - Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716) - Allow gnome-keyring also manage user_tmp_t sockets. - Allow systemd to mounton /etc filesystem. BZ(1341753)- Allow lsmd_plugin_t to exec ldconfig. - Allow vnstatd domain to read /sys/class/net/ files - Remove duplicate allow rules in spamassassin SELinux module - Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs - Allow ipa_dnskey domain to search cache dirs - Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file - Allow ipa-dnskey read system state. - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245 - Add interface to write to nsfs inodes - Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721) - Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf - sysadmin should be allowed to use docker.- Allow hypervkvp domain to run restorecon. - Allow firewalld to manage net_conf_t files - Remove double graphite-web context declaration - Fix typo in rhsmcertd SELinux policy - Allow logrotate read logs inside containers. - Allow sssd to getattr on fs_t - Allow opendnssec domain to manage bind chace files - Allow systemd to get status of systemd-logind daemon - Label more ndctl devices not just ndctl0- Allow systemd_logind_t to start init_t BZ(1355861) - Add init_start() interface - Allow sysadm user to run systemd-tmpfiles - Add interface systemd_tmpfiles_run- Allow lttng tools to block suspending - Allow creation of vpnaas in openstack - remove rules with compromised_kernel permission - Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100) - Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263 - Update makefile to support snapperd_contexts file - Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission - Remove duplicate declaration of class service - Fix typo in access_vectors file - Merge branch 'rawhide-base-modules-load' into rawhide-base - Add new policy for systemd-modules-load - Add systemd access vectors. - Revert "Revert "Revert "Missed this version of exec_all""" - Revert "Revert "Missed this version of exec_all"" - Revert "Missed this version of exec_all" - Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644. - Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48. - Revert "Allow xserver to compromise_kernel access"BZ(1351624) - Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624) - Revert "add ptrace_child access to process" (BZ1351624) - Add user namespace capability object classes. - Allow udev to manage systemd-hwdb files - Add interface systemd_hwdb_manage_config() - Fix paths to infiniband devices. This allows use more then two infiniband interfaces. - corecmd: Remove fcontext for /etc/sysconfig/libvirtd - iptables: add fcontext for nftables- Fix typo in brltty policy - Add new SELinux module sbd - Allow pcp dmcache metrics collection - Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t - Allow openvpn to create sock files labeled as openvpn_var_run_t - Allow hypervkvp daemon to getattr on all filesystem types. - Allow firewalld to create net_conf_t files - Allow mock to use lvm - Allow mirromanager creating log files in /tmp - Allow vmtools_t to transition to rpm_script domain - Allow nsd daemon to manage nsd_conf_t dirs and files - Allow cluster to create dirs in /var/run labeled as cluster_var_run_t - Allow sssd read also sssd_conf_t dirs - Allow opensm daemon to rw infiniband_mgmt_device_t - Allow krb5kdc_t to communicate with sssd - Allow prosody to bind on prosody ports - Add dac_override caps for fail2ban-client Resolves: rhbz#1316678 - dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637 - Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726 - Add label for brltty log file Resolves: rhbz#1328818 - Allow snort_t to communicate with sssd Resolves: rhbz#1284908 - Add interface lttng_sessiond_tmpfs_t() - Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl - Add interface lvm_getattr_exec_files() - Make label for new infiniband_mgmt deivices - Add prosody ports Resolves: rhbz#1304664- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. - Allow glusterd daemon to get systemd status - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Merge pull request #135 from rhatdan/rawip_socket - Allow logrotate dbus-chat with system_logind daemon - Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files - Add interface cron_read_pid_files() - Allow pcp_pmlogger to create unix dgram sockets - Add interface dirsrv_run() - Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t. - Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd() - Create label for openhpid log files. - Container processes need to be able to listen on rawip sockets - Label /var/lib/ganglia as httpd_var_lib_t - Allow firewalld_t to create entries in net_conf_t dirs. - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals - Label /etc/dhcp/scripts dir as bin_t - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.- Allow firewalld_t to create entries in net_conf_t dirs. - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals - Allow rhsmcertd connect to port tcp 9090 - Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. - Label /usr/libexec/mimedefang-wrapper as spamd_exec_t. - Add new boolean spamd_update_can_network. - Add proper label for /var/log/proftpd.log - Allow rhsmcertd connect to tcp netport_port_t - Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t. - Allow prosody to bind to fac_restore tcp port. - Fix SELinux context for usr/share/mirrormanager/server/mirrormanager - Allow ninfod to read raw packets - Fix broken hostapd policy - Allow hostapd to create netlink_generic sockets. BZ(1343683) - Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall - Allow pegasus get attributes from qemu binary files. - Allow tuned to use policykit. This change is required by cockpit. - Allow conman_t to read dir with conman_unconfined_script_t binary files. - Allow pegasus to read /proc/sysinfo. - Allow puppet_t transtition to shorewall_t - Allow conman to kill conman_unconfined_script. - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. - Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base - Allow systemd to execute all init daemon executables. - Add init_exec_notrans_direct_init_entry() interface. - Label tcp ports:16379, 26379 as redis_port_t - Allow systemd to relabel /var and /var/lib directories during boot. - Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces. - Add files_relabelto_var_lib_dirs() interface. - Label tcp and udp port 5582 as fac_restore_port_t - Allow sysadm_t user to run postgresql-setup. - Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script. - Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849) - Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd- Allow conman to kill conman_unconfined_script. - Make conman_unconfined_script_t as init_system_domain. - Allow init dbus chat with apmd. - Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t. - Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t - Allow collectd_t to stream connect to postgresql. - Allow mysqld_safe to inherit rlimit information from mysqld - Allow ip netns to mounton root fs and unmount proc_t fs. - Allow sysadm_t to run newaliases command.- Allow svirt_sandbox_domains to r/w onload sockets - Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc. - Add interface sysnet_filetrans_named_net_conf() - Rawhide fails to boot, systemd-logind needs to config transient config files - User Namespace is requires create on process domains- Add hwloc-dump-hwdata SELinux policy - Add labels for mediawiki123 - Fix label for all fence_scsi_check scripts - Allow setcap for fenced - Allow glusterd domain read krb5_keytab_t files. - Allow tmpreaper_t to read/setattr all non_security_file_type dirs - Update refpolicy to handle hwloc - Fix typo in files_setattr_non_security_dirs. - Add interface files_setattr_non_security_dirs()- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886) - Add nrpe_dontaudit_write_pipes() - Merge pull request #129 from rhatdan/onload - Add support for onloadfs - Merge pull request #127 from rhatdan/device-node - Additional access required for unconfined domains - Dontaudit ping attempts to write to nrpe unnamed pipes - Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te - Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs - Allow gssproxy to get attributes on all filesystem object types. BZ(1333778) - Allow ipa_dnskey_t search httpd config files. - Dontaudit certmonger to write to etc_runtime_t - Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs. - Add interface ipa_delete_tmp() - Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t. - Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106) - Add SELinux policy for opendnssec service. BZ(1333106)- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t - Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954) - Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. - Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. - Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus - Merge pull request #125 from rhatdan/typebounds - Typebounds user domains - Allow systemd_resolved_t to check if ipv6 is disabled. - systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120 - Label /dev/xen/privcmd as xen_device_t. BZ(1334115)- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. - Allow zabbix to connect to postgresql port - Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149) - Allow systemd to read efivarfs. Resolve: #121- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed- Label tcp port 8181 as intermapper_port_t. - Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. BZ(1333588) - Label tcp/udp port 2024 as xinuexpansion4_port_t - Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t- Allow stunnel create log files. BZ(1333033) - Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574) - Allow stunnel sys_nice capability. Stunnel sched_* syscalls in some cases. BZ(1332287) - Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. - Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980) - Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927) - Label /usr/sbin/xrdp* files as bin_t BZ(1258453) - Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732) - Label named-pkcs11 binary as named_exec_t. BZ(1331316) - Revert "Add new permissions stop/start to class system. rhbz#1324453" - Fix typo in module compilation message- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs. - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895) - Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970) - Add mls support for some db classes- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. - Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448 - Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732 - Make virt_use_pcscd boolean off by default. - Create boolean to allow virtual machine use smartcards. rhbz#1029297 - Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754 - Allow mongod log to syslog. - Allow nsd daemon to create log file in /var/log as nsd_log_t - unlabeled_t can not be an entrypoint. - Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909 - Add new permissions stop/start to class system. rhbz#1324453- Allow modemmanager to talk to logind - Dontaudit tor daemon needs net_admin capability. rhbz#1311788 - Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042 - Xorg now writes content in users homedir.- rename several contrib modules according to their filenames - Add interface gnome_filetrans_cert_home_content() - By default container domains should not be allowed to create devices - Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t. - Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used - Allow systemd gpt generator to read removable devices. BZ(1323458) - Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454)- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075) - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224) - Label all run tgtd files, not just socket files. - Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. - Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815) - Allow targetd to read/write to /dev/mapper/control device. BZ(1241415) - Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t. - Allow systemd_resolved to read systemd_networkd run files. BZ(1322921) - New cgroup2 file system in Rawhide- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415) - Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514 - sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints. - Allow sandbox domain to have entrypoint access only for executables and mountpoints. - Allow bitlee to create bitlee_var_t dirs. - Allow CIM provider to read sssd public files. - Fix some broken interfaces in distro policy. - Allow power button to shutdown the laptop. - Allow lsm plugins to create named fixed disks. rhbz#1238066 - Allow hyperv domains to rw hyperv devices. rhbz#1241636 - Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t. - Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/ - Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks. - Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics - Label nagios scripts as httpd_sys_script_exec_t. - Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid. - Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576 - Merge pull request #104 from berrange/rawhide-contrib-virtlogd - Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336 - Dontaudit logrotate to setrlimit itself. rhbz#1309604 - Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface. - Allow pcp_pmie and pcp_pmlogger to read all domains state. - Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446) - Merge pull request #115 from rhatdan/nvidea - Label all nvidia binaries as xserver_exec_t - Add new systemd_hwdb_read_config() interface. rhbz#1316514 - Add back corecmd_read_all_executables() interface. - Call files_type() instead of file_type() for unlabeled_t. - Add files_entrypoint_all_mountpoint() interface. - Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling. - Add corecmd_entrypoint_all_executables() interface. - Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361 - Add neverallow assertion for unlabaled_t to increase policy security. - Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499 - Label 8952 tcp port as nsd_control. - Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface. - Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content." - Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content. - Allow pcp_pmie and pcp_pmlogger to read all domains state. - Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717 - Merge pull request #108 from rhatdan/rkt - Merge pull request #109 from rhatdan/virt_sandbox - Add new interface to define virt_sandbox_network domains - Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port. - Fix typo in drbd policy - Remove declaration of empty booleans in virt policy. - Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. - Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files. - Additional rules to make rkt work in enforcing mode - Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020 - Allow ipsec to use pam. rhbz#1317988 - Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968 - Allow setrans daemon to read /proc/meminfo. - Merge pull request #107 from rhatdan/rkt-base - Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used. - Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution - Add support systemd-resolved.- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251 - Allow sending dbus msgs between firewalld and system_cronjob domains. - Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354 - Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972) - Add support for systemd-gpt-auto-generator. rhbz#1314968 - Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices. - Add support for systemd-hwdb daemon. rhbz#1306243- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. - Merge pull request #105 from rhatdan/NO_NEW_PRIV - Fix new rkt policy - Remove some redundant rules. - Fix cosmetic issues in interface file. - Merge pull request #100 from rhatdan/rawhide-contrib - Add interface fs_setattr_cifs_dirs(). - Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) -Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files, file_contexts is parsed in selabel_open(). Resolves: rhbz#1314372- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file) - Add policy for rkt services- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019" - Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759 - Allow keepalived to create netlink generic sockets. rhbz#1311756 - Allow modemmanager to read /etc/passwd file. - Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t. - Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255 - Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019 - Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444 - Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy. - Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033 - Allow collectd setgid capability Resolves:#1310896 - Allow adcli running as sssd_t to write krb5.keytab file. - Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304) - Allow kexec to read kernel module files in /usr/lib/modules. - Add httpd_log_t for /var/log/graphite-web rhbz#1306981 - Remove redudant rules and fix _admin interface. - Add SELinux policy for LTTng 2.x central tracing registry session daemon. - Allow create mongodb unix dgram sockets. rhbz#1306819 - Support for InnoDB Tablespace Encryption. - Dontaudit leaded file descriptors from firewalld - Add port for rkt services - Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon.- Allow setroubleshoot_fixit_t to use temporary files- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334 - Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426 - Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533 - Add interface to dontaudit leaked files from firewalld - fwupd needs to dbus chat with policykit - Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531 - Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967 - Allow prelink_cron_system_t domain set resource limits. BZ(1190364) - Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666) - Fix wrong name for openqa_websockets tcp port. - Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 - Add interface ssh_getattr_server_keys() interface. rhbz#1299106 - Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312 - Add interface fs_getattr_nsfs_files() - Add interface xserver_exec(). - Revert "Allow all domains some process flags."BZ(1190364)- Allow openvswitch domain capability sys_rawio. - Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)" - Allow openvswitch to manage hugetlfs files and dirs. - Allow NetworkManager create dhcpc pid files. BZ(1229755) - Allow apcupsd to read kernel network state. BZ(1282003) - Label /sys/kernel/debug/tracing filesystem - Add fs_manage_hugetlbfs_files() interface. - Add sysnet_filetrans_dhcpc_pid() interface.- Label virtlogd binary as virtd_exec_t. BZ(1291940) - Allow iptables to read nsfs files. BZ(1296826)- Add fwupd policy for daemon to allow session software to update device firmware - Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930) - Allow systemd services to use PrivateNetwork feature - Add a type and genfscon for nsfs. - Fix SELinux context for rsyslog unit file. BZ(1284173)- Allow logrotate to systemctl rsyslog service. BZ(1284173) - Allow condor_master_t domain capability chown. BZ(1297048) - Allow chronyd to be dbus bus client. BZ(1297129) - Allow openvswitch read/write hugetlb filesystem. - Revert "Allow openvswitch read/write hugetlb filesystem." - Allow smbcontrol domain to send sigchld to ctdbd domain. - Allow openvswitch read/write hugetlb filesystem. - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930) - Allow keepalived to connect to 3306/tcp port - mysqld_port_t. - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - Merge pull request #86 from rhatdan/rawhide-contrib - Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146) - Added interface logging_systemctl_syslogd - Label rsyslog unit file - Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now.- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." - Allow arping running as netutils_t sys_module capability for removing tap devices. - Add userdom_connectto_stream() interface. - Allow systemd-logind to read /run/utmp. BZ(#1278662) - Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) - Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." - Allow arping running as netutils_t sys_module capability for removing tap devices. - Add userdom_connectto_stream() interface. - Allow systemd-logind to read /run/utmp. BZ(#1278662)- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243) - Add interface firewalld_read_pid_files() - Allow iptables to read firewalld pid files. BZ(1291243) - Allow the user cronjobs to run in their userdomain - Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111) - Merge pull request #81 from rhatdan/rawhide-base - New access needed by systemd domains- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t. - Add ipsec_read_pid() interface- Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739) - Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182) - Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t. - init_t domain should be running without unconfined_domain attribute. - Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill. - Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions. - systemd needs to access /dev/rfkill on early boot. - Allow dspam to read /etc/passwd- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177)- Allow apcupsd sending mails about battery state. BZ(1274018) - Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779) - Merge pull request #68 from rhatdan/rawhide-contrib - Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785 - Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092) - systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. BZ(#1279269)- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048) - Allow abrt-hook-ccpp to change SELinux user identity for created objects. - Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. - Allow setuid/setgid capabilities for abrt-hook-ccpp. - Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf. - Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd. - cockpit has grown content in /var/run directory - Add support for /dev/mptctl device used to check RAID status. - Allow systemd-hostnamed to communicate with dhcp via dbus. - systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. - Add userdom_destroy_unpriv_user_shared_mem() interface. - Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked. - Access needed by systemd-machine to manage docker containers - Allow systemd-logind to read /run/utmp when shutdown is invoked.- Merge pull request #48 from lkundrak/contrib-openfortivpn - unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. - Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it. - systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain.- Allow fail2ban-client to execute ldconfig. #1268715 - Add interface virt_sandbox_domain() - Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift. -all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets(). - Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets(). - Remove auth_login_pgm_domain(init_t) which has been added by accident. - init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files. - Add interface auth_use_nsswitch() to systemd_domain_template. - Revert "auth_use_nsswitch can be used with attribute systemd_domain." - auth_use_nsswitch can be used with attribute systemd_domain. - ipsec: fix stringSwan charon-nm - docker is communicating with systemd-machined - Add missing systemd_dbus_chat_machined, needed by docker- Build including docker selinux interfaces.- Allow winbindd to send signull to kernel. BZ(#1269193) - Merge branch 'rawhide-contrib-chrony' into rawhide-contrib - Fixes for chrony version 2.2 BZ(#1259636) * Allow chrony chown capability * Allow sendto dgram_sockets to itself and to unconfined_t domains. - Merge branch 'rawhide-contrib-chrony' into rawhide-contrib - Add boolean allowing mysqld to connect to http port. #1262125 - Merge pull request #52 from 1dot75cm/rawhide-base - Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877) - Fix attribute in corenetwork.if.in- Allow abrt_t to read sysctl_net_t files. BZ(#1194280) - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Add abrt_stub interface. - Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972) - Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633) - Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217) - Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200). - Add samba_manage_var_dirs() interface. - Allow pcp_pmlogger to exec bin_t BZ(#1258698) - Allow spamd to read system network state. BZ(1260234) - Allow fcoemon to create netlink scsitransport sockets BZ(#1260882) - Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201) - Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916) - Add fs_read_xenfs_files() interface. - Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly. - Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)- Allow pcp_pmlogger to read system state. BZ(1258699) - Allow cupsd to connect on socket. BZ(1258089) - Allow named to bind on ephemeral ports. BZ(#1259766) - Allow iscsid create netlink iscsid sockets. - We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes. - Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305 - Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs. - Allow search dirs in sysfs types in kernel_read_security_state. - Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions. - Remove /usr/lib/modules/[^/]+/modules\..+ labeling - Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t. - Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. - Clean up pkcs11proxyd policy. - We need to require sandbox_web_type attribute in sandbox_x_domain_template(). - Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t." - depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t. - Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions. - Update modules_filetrans_named_content() interface to cover more modules.* files. - New policy for systemd-machined. #1255305 - In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example. - Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution) - Merge pull request #42 from vmojzis/rawhide-base - Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)- Add few rules related to new policy for pkcs11proxyd - Added new policy for pkcs11proxyd daemon - We need to require sandbox_web_type attribute in sandbox_x_domain_template(). - Dontaudit abrt_t to rw lvm_lock_t dir. - Allow abrt_d domain to write to kernel msg device. - Add interface lvm_dontaudit_rw_lock_dir() - Merge pull request #35 from lkundrak/lr-libreswan- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users. - Added support for permissive domains - Allow rpcbind_t domain to change file owner and group - rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988) - Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578) - Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind. - Revert "Add apache_read_pid_files() interface" - Allow dirsrv-admin read httpd pid files. - Add apache_read_pid_files() interface - Add label for dirsrv-admin unit file. - Allow qpid daemon to connect on amqp tcp port. - Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl - Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager - Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem. - Allow rhsmcertd_t send signull to unconfined_service_t domains. - Revert "Allow pcp to read docker lib files." - Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993) - Allow pcp to read docker lib files. - Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so" - Add login_userdomain attribute also for unconfined_t. - Add userdom_login_userdomain() interface. - Label /etc/ipa/nssdb dir as cert_t - init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so - Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t - Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users. - Add userdom_transition_login_userdomain() interface - Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350) - Add init_entrypoint_exec() interface. - Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350)- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272) - Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling. - Dontaudit fenced search gnome config - Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180) - Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t. - Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon - Fix labeling for fence_scsi_check script - Allow openhpid to read system state Aloow openhpid to connect to tcp http port. - Allow openhpid to read snmp var lib files. - Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe - Fix regexp in chronyd.fc file - systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175) - Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. - Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t - Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl- Allow passenger to getattr filesystem xattr - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." - Label mdadm.conf.anackbak as mdadm_conf_t file. - Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765) - Allow dnssec-trigger to exec pidof. BZ(#1256737) - Allow blueman to create own tmp files in /tmp. (#1234647) - Add new audit_read access vector in capability2 class - Add "binder" security class and access vectors - Update netlink socket classes. - Allow getty to read network state. BZ(#1255177) - Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.- Allow watchdog execute fenced python script. - Added inferface watchdog_unconfined_exec_read_lnk_files() - Allow pmweb daemon to exec shell. BZ(1256127) - Allow pmweb daemon to read system state. BZ(#1256128) - Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t. - Revert "Revert default_range change in targeted policy" - Allow dhcpc_t domain transition to chronyd_t- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080) - Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764) - Add interface dnssec_trigger_sigkill - Allow smsd use usb ttys. BZ(#1250536) - Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. - Revert default_range change in targeted policy - Allow systemd-sysctl cap. sys_ptrace BZ(1253926)- Add ipmievd policy creaed by vmojzis@redhat.com - Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled. - Allow NetworkManager to write audit log messages - Add new policy for ipmievd (ipmitool). - mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block. - Allow sandbox domain to be also /dev/mem writer - Fix neverallow assertion for sys_module capability for openvswitch. - kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t. - Fix neverallow assertion for sys_module capability. - Add more attributes for sandbox domains to avoid neverallow assertion issues. - Add neverallow asserition fixes related to storage. - Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS - Allow openhpid_t to read system state. - Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type. - Added labels for files provided by rh-nginx18 collection - Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db. - Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution. - Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions. - Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion. - seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues. - Add dev_raw_memory_writer() interface - Add auth_reader_shadow() and auth_writer_shadow() interfaces - Add dev_raw_memory_reader() interface. - Add storage_rw_inherited_scsi_generic() interface. - Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working. - Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t. - Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.- Allow samba_net_t to manage samba_var_t sock files. - Allow httpd daemon to manage httpd_var_lib_t lnk_files. - Allow collectd stream connect to pdns.(BZ #1191044) - Add interface pdns_stream_connect() - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib - Allow chronyd exec systemctl - Merge pull request #30 from vmojzis/rawhide-contrib - Hsqldb policy upgrade -Allow sock_file management - Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t. - Hsqldb policy upgrade. -Disallow hsqldb_tmp_t link_file management - Hsqldb policy upgrade: -Remove tmp link_file transition -Add policy summary -Remove redundant parameter for "hsqldb_admin" interface - Label /var/run/chrony-helper dir as chronyd_var_run_t. - Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldapd_tmpfs_t - Fix label on /var/tmp/kiprop_0 - Add mountpoint dontaudit access check in rhsmcertd policy. - Allow pcp_domain to manage pcp_var_lib_t lnk_files. - Allow chronyd to execute mkdir command. - Allow chronyd_t to read dhcpc state. - Label /usr/libexec/chrony-helper as chronyd_exec_t - Allow openhpid liboa_soap plugin to read resolv.conf file. - Allow openhpid liboa_soap plugin to read generic certs. - Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) - Allow logrotate to reload services. - Allow apcupsd_t to read /sys/devices - Allow kpropd to connect to kropd tcp port. - Allow systemd_networkd to send logs to syslog. - Added interface fs_dontaudit_write_configfs_dirs - Allow audisp client to read system state. - Label /var/run/xtables.lock as iptables_var_run_t. - Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde - Add interface to read/write watchdog device. - Add transition rule for iptables_var_lib_t- Allow chronyd to execute mkdir command. - Allow chronyd_t to read dhcpc state. - Label /usr/libexec/chrony-helper as chronyd_exec_t - Allow openhpid liboa_soap plugin to read resolv.conf file. - Allow openhpid liboa_soap plugin to read generic certs. - Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) - Allow logrotate to reload services. - Allow apcupsd_t to read /sys/devices - Allow kpropd to connect to kropd tcp port. - Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user. - Allow snapperd to pass data (one way only) via pipe negotiated over dbus. - Add snapper_read_inherited_pipe() interface. - Add missing ";" in kerberos.te - Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t. - Add support for /etc/sanlock which is writable by sanlock daemon. - Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t. - Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde - Add interface to read/write watchdog device. - Add transition rule for iptables_var_lib_t - Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet. - Revert "Allow grubby to manage and create /run/blkid with correct labeling" - Allow grubby to manage and create /run/blkid with correct labeling - Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling. - arping running as netutils_t needs to access /etc/ld.so.cache in MLS. - Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode. - Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces. - Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS. - Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users. - depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).- firewalld needs to relabel own config files. BZ(#1250537) - Allow rhsmcertd to send signull to unconfined_service - Allow lsm_plugin_t to rw raw_fixed_disk. - Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device - Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).- Add header for sslh.if file - Fix sslh_admin() interface - Clean up sslh.if - Fix typo in pdns.if - Allow qpid to create lnk_files in qpid_var_lib_t. - Allow httpd_suexec_t to read and write Apache stream sockets - Merge pull request #21 from hogarthj/rawhide-contrib - Allow virt_qemu_ga_t domtrans to passwd_t. - use read and manage files_patterns and the description for the admin interface - Merge pull request #17 from rubenk/pdns-policy - Allow redis to read kernel parameters. - Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500) - Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343) - Allow bumblebee to seng kill signal to xserver - glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes. - Allow drbd to get attributes from filesystems. - Allow drbd to read configuration options used when loading modules. - fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface - Added Booleans: pcp_read_generic_logs. - Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs. - Allow glusterd to communicate with cluster domains over stream socket. - fix copy paste error with writing the admin interface - fix up the regex in sslh.fc, add sslh_admin() interface - adding selinux policy files for sslh - Remove diplicate sftpd_write_ssh_home boolean rule. - Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs." - gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te - Allow glusterd to manage nfsd and rpcd services. - Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode. - kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp - kdbusfs should not be accessible for now. - Add support for /sys/fs/kdbus and allow login_pgm domain to access it. - Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds). - Label /usr/sbin/chpasswd as passwd_exec_t. - Allow audisp_remote_t to read/write user domain pty. - Allow audisp_remote_t to start power unit files domain to allow halt system.- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. - Prepare selinux-policy package for SELinux store migration - gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te - Allow glusterd to manage nfsd and rpcd services. - Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs. - Add samba_manage_winbind_pid() interface - Allow networkmanager to communicate via dbus with systemd_hostanmed. - Allow stream connect logrotate to prosody. - Add prosody_stream_connect() interface. - httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t. - Allow prosody to create own tmp files/dirs. - Allow keepalived request kernel load module - kadmind should not read generic files in /usr - Allow kadmind_t access to /etc/krb5.keytab - Add more fixes to kerberos.te - Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0 - Add lsmd_t to nsswitch_domain. - Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc. - Add fixes to pegasus_openlmi_domain - Allow Glance Scrubber to connect to commplex_main port - Allow RabbitMQ to connect to amqp port - Allow isnsd read access on the file /proc/net/unix - Allow qpidd access to /proc//net/psched - Allow openshift_initrc_t to communicate with firewalld over dbus. - Allow ctdbd_t send signull to samba_unconfined_net_t. - Add samba_signull_unconfined_net() - Add samba_signull_winbind() - Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()." - Fix ctdb policy - Label /var/db/ as system_db_t.- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.- Add samba_unconfined_script_exec_t to samba_admin header. - Add jabberd_lock_t label to jabberd_admin header. - Add rpm_var_run_t label to rpm_admin header. - Make all interfaces related to openshift_cache_t as deprecated. - Remove non exits nfsd_ro_t label. - Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config - Fix *_admin intefaces where body is not consistent with header. - Allow networkmanager read rfcomm port. - Fix nova_domain_template interface, Fix typo bugs in nova policy - Create nova sublabels. - Merge all nova_* labels under one nova_t. - Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?" - Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files. - Fix label openstack-nova-metadata-api binary file - Allow nova_t to bind on geneve tcp port, and all udp ports - Label swift-container-reconciler binary as swift_t. - Allow glusterd to execute showmount in the showmount domain. - Allow NetworkManager_t send signull to dnssec_trigger_t. - Add support for openstack-nova-* packages. - Allow audisp-remote searching devpts. - Label 6080 tcp port as geneve- Update mta_filetrans_named_content() interface to cover more db files. - Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling." - Allow pcp domains to connect to own process using unix_stream_socket. - Typo in abrt.te - Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly. - Add nagios_domtrans_unconfined_plugins() interface. - Add nagios_domtrans_unconfined_plugins() interface. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add support for oddjob based helper in FreeIPA. BZ(1238165) - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840) - Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879) - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. - Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types. - nrpe needs kill capability to make gluster moniterd nodes working. - Revert "Dontaudit ctbd_t sending signull to smbd_t." - Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t) - Allow prosody connect to postgresql port. - Fix logging_syslogd_run_nagios_plugins calling in logging.te - Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins. - Add support for oddjob based helper in FreeIPA. BZ(1238165) - Add new interfaces - Add fs_fusefs_entry_type() interface.- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879) - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. - Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types. - Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib - nrpe needs kill capability to make gluster moniterd nodes working. - Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t) - Allow prosody connect to postgresql port. - Add new interfaces - Add fs_fusefs_entry_type() interface.- Cleanup permissive domains.- Rename xodbc-connect port to xodbc_connect - Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214) - Add interface snmp_dontaudit_manage_snmp_var_lib_files(). - Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809) - Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043) - Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476) - Dontaudit chrome to read passwd file. BZ(1204307) - Allow firewalld exec ldconfig. BZ(1232748) - Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798) - Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798) - Allow NetworkManager write to sysfs. BZ(1234086) - Fix bogus line in logrotate.fc. - Add dontaudit interface for kdumpctl_tmp_t - Rename xodbc-connect port to xodbc_connect - Label tcp port 6632 as xodbc-connect port. BZ (1179809) - Label tcp port 6640 as ovsdb port. BZ (1179809)- Allow NetworkManager write to sysfs. BZ(1234086) - Fix bogus line in logrotate.fc. - Add dontaudit interface for kdumpctl_tmp_t - Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te - Add postgresql support for systemd unit files. - Fix missing bracket - Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18 - Fixed obsoleted userdom_delete_user_tmpfs_files() inteface- Allow glusterd to interact with gluster tools running in a user domain - rpm_transition_script() is called from rpm_run. Update cloud-init rules. - Call rpm_transition_script() from rpm_run() interface. - Allow radvd has setuid and it requires dac_override. BZ(1224403) - Add glusterd_manage_lib_files() interface. - Allow samba_t net_admin capability to make CIFS mount working. - S30samba-start gluster hooks wants to search audit logs. Dontaudit it. - Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531) - ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822) - Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484) - Allow nagios to generate charts. - Allow glusterd to send generic signals to systemd_passwd_agent processes. - Allow glusterd to run init scripts. - Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain. - Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block. - Allow samba-net to access /var/lib/ctdbd dirs/files. - Allow glusterd to send a signal to smbd. - Make ctdbd as home manager to access also FUSE. - Allow glusterd to use geo-replication gluster tool. - Allow glusterd to execute ssh-keygen. - Allow glusterd to interact with cluster services. - Add rhcs_dbus_chat_cluster() - systemd-logind accesses /dev/shm. BZ(1230443) - Label gluster python hooks also as bin_t. - Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so. - Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489)- Add ipsec_rw_inherited_pipes() interface. - Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket. - Label /usr/libexec/Xorg.wrap as xserver_exec_t. - Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file. - Add fixes for selinux userspace moving the policy store to /var/lib/selinux. - Remove optional else block for dhcp ping (needed by CIL) - Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly. - Access required to run with unconfine.pp disabled - Fix selinux_search_fs() interface. - Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists. - Add seutil_search_config() interface. - Make ssh-keygen as nsswitch domain to access SSSD. - Label ctdb events scripts as bin_t. - Add support for /usr/sbin/lvmpolld. - Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint. - Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. - Allow login_pgm domains to access kernel keyring for nsswitch domains. - Allow hypervkvp to read /dev/urandom and read addition states/config files. - Add cgdcbxd policy. - Allow hypervkvp to execute arping in own domain and make it as nsswitch domain. - Add labeling for pacemaker.log. - Allow ntlm_auth running in winbind_helper_t to access /dev/urandom. - Allow lsmd plugin to connect to tcp/5989 by default. - Allow lsmd plugin to connect to tcp/5988 by default. - Allow setuid/setgid for selinux_child. - Allow radiusd to connect to radsec ports. - ALlow bind to read/write inherited ipsec pipes. - Allow fowner capability for sssd because of selinux_child handling. - Allow pki-tomcat relabel pki_tomcat_etc_rw_t. - Allow cluster domain to dbus chat with systemd-logind. - Allow tmpreaper_t to manage ntp log content - Allow openvswitch_t to communicate with sssd. - Allow isnsd_t to communicate with sssd. - Allow rwho_t to communicate with sssd. - Allow pkcs_slotd_t to communicate with sssd. - Add httpd_var_lib_t label for roundcubemail - Allow puppetagent_t to transfer firewalld messages over dbus. - Allow glusterd to have mknod capability. It creates a special file using mknod in a brick. - Update rules related to glusterd_brick_t. - Allow glusterd to execute lvm tools in the lvm_t target domain. - Allow glusterd to execute xfs_growfs in the target domain. - Allow sysctl to have running under hypervkvp_t domain. - Allow smartdnotify to use user terminals. - Allow pcp domains to create root.socket in /var/lip/pcp directroy. - Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain. - Allow rpcbind to create rpcbind.xdr as a temporary file. - Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. - Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. - rsync server can be setup to send mail - Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again. - Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type. - Fix samba_load_libgfapi decl in samba.te. - Fix typo in nagios_run_sudo() boolean. - remove duplicate declaration from hypervkvp.te. - Move ctdd_domtrans() from ctdbd to gluster. - Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0. - Glusterd wants to manage samba config files if they are setup together. - ALlow NM to do access check on /sys. - Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel. - Allow NetworkManager nm-dispacher to read links. - Allow gluster hooks scripts to transition to ctdbd_t. - Allow glusterd to read/write samba config files. - Update mysqld rules related to mysqld log files. - Add fixes for hypervkvp realed to ifdown/ifup scripts. - Update netlink_route_socket for ptp4l. - Allow glusterd to connect to /var/run/dbus/system_bus_socket. - ALlow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration. - Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default. - Allow gluster to transition to smbd. It is needed for smbd+gluster configuration. - Allow glusterd to read /dev/random. - Update nagios_run_sudo boolean to allow run chkpwd. - Allow docker and container tools to control caps, don't rely on SELinux for now. Since there is no easy way for SELinux modification of policy as far as caps. docker run --cap-add will work now - Allow sosreport to dbus chat with NM. - Allow anaconda to run iscsid in own domain. BZ(1220948). - Allow rhsmcetd to use the ypbind service to access NIS services. - Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios. - Allow ctdb to create rawip socket. - Allow ctdbd to bind smbd port. - Make ctdbd as userdom_home_reader. - Dontaudit chrome-sandbox write access its parent process information. BZ(1220958) - Allow net_admin cap for dnssec-trigger to make wifi reconnect working. - Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046) - Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd. - Add glusterd_filetrans_named_pid() interface. - Allow antivirus_t to read system state info. - Dontaudit use console for chrome-sandbox. - Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. - Clamd needs to have fsetid capability. - Allow cinder-backup to dbus chat with systemd-logind. - Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files. - Allow gssd to access kernel keyring for login_pgm domains. - Add more fixes related to timemaster+ntp+ptp4l. - Allow docker sandbox domains to search all mountpoiunts - update winbind_t rules to allow IPC for winbind. - Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3. - Allow inet_gethost called by couchdb to access /proc/net/unix. - Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so - Label /usr/bin/yum-deprecated as rpm_exec_t.- Add missing typealiases in apache_content_template() for script domain/executable. - Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead. - Add support for new cobbler dir locations: - Add support for iprdbg logging files in /var/log. - Add relabel_user_home_dirs for use by docker_t- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd . - Add nagios_read_lib() interface. - Additional fix for mongod_unit_file_t in mongodb.te. - Fix decl of mongod_unit_file to mongod_unit_file_t. - Fix mongodb unit file declaration. - Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type. - Fix labeling for /usr/libexec/mysqld_safe-scl-helper. - Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons. - Allow sys_ptrace cap for sblim-gatherd caused by ps. - Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. - Add support for mongod/mongos systemd unit files. - Allow dnssec-trigger to send sigchld to networkmanager - add interface networkmanager_sigchld - Add dnssec-trigger unit file Label dnssec-trigger script in libexec - Remove duplicate specification for /etc/localtime. - Add default labeling for /etc/localtime symlink.- Define ipa_var_run_t type - Allow certmonger to manage renewal.lock. BZ(1213256) - Add ipa_manage_pid_files interface. - Add rules for netlink_socket in iotop. - Allow iotop netlink socket. - cloudinit and rhsmcertd need to communicate with dbus - Allow apcupsd to use USBttys. BZ(1210960) - Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574) - Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user. - Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)- Add more restriction on entrypoint for unconfined domains.- Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) - Allow mock_t to use ptmx. BZ(1181333) - Allow dnssec_trigger_t to stream connect to networkmanager. - Allow dnssec_trigger_t to create resolv files labeled as net_conf_t - Fix labeling for keystone CGI scripts.- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013) - Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180) - Allow mongod to work with configured SSSD. - Add collectd net_raw capability. BZ(1194169) - Merge postfix spool types(maildrop,flush) to one postfix_spool_t - Allow dhcpd kill capability. - Make rwhod as nsswitch domain. - Add support for new fence agent fence_mpath which is executed by fence_node. - Fix cloudform policy.(m4 is case sensitive) - Allow networkmanager and cloud_init_t to dbus chat - Allow lsmd plugin to run with configured SSSD. - Allow bacula access to tape devices. - Allow sblim domain to read sysctls.. - Allow timemaster send a signal to ntpd. - Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used. - two 'l' is enough. - Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files. - Allow polkit to dbus chat with xserver. (1207478) - Add lvm_stream_connect() interface. - Set label of /sys/kernel/debug- Allow kmscon to read system state. BZ (1206871) - Label ~/.abrt/ as abrt_etc_t. BZ(1199658) - Allow xdm_t to read colord_var_lib_t files. BZ(1201985)- Allow mysqld_t to use pam. BZ(1196104) - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989) - Allow fetchmail to read mail_spool_t. BZ(1200552) - Dontaudit blueman_t write to all mountpoints. BZ(1198272) - Allow all domains some process flags. - Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base - Turn on overlayfs labeling for testin, we need this backported to F22 and Rawhide. Eventually will need this in RHEL- build without docker- docker watches for content in the /etc directory - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib - Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling. - Allow docker to communicate with openvswitch - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib - Allow docker to relablefrom/to sockets and docker_log_t - Allow journald to set loginuid. BZ(1190498) - Add cap. sys_admin for passwd_t. BZ(1185191) - Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.- Allow spamc read spamd_etc_t files. BZ(1199339). - Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278) - Allow abrt_watch_log_t read passwd file. BZ(1197396) - Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659) - Allow cups to read colord_var_lib_t files. BZ(1199765)- Turn on rolekit in F23- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406) - Add gluster_exec_lib interface. - Allow l2tpd to manage NetworkManager pid files - Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327) - Allow cyrus bind tcp berknet port. BZ(1198347) - Add nsswitch domain for more serviecs. - Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190) - Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling. - Make munin yum plugin as unconfined by default. - Allow bitlbee connections to the system DBUS. - Allow system apache scripts to send log messages. - Allow denyhosts execute iptables. BZ(1197371) - Allow brltty rw event device. BZ(1190349) - Allow cupsd config to execute ldconfig. BZ(1196608) - xdm_t now needs to manage user ttys - Allow ping_t read urand. BZ(1181831) - Add support for tcp/2005 port. - Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile. - In F23 we are running xserver as the user, need this to allow confined users to us X- Fix source filepath for moving html files.- Xserver needs to be transitioned to from confined users - Added logging_syslogd_pid_filetrans - xdm_t now talks to hostnamed - Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102) - Additional fix for labeleling /dev/log correctly. - cups chats with network manager - Allow parent domains to read/write fifo files in mozilla plugin - Allow spc_t to transition to svirt domains - Cleanup spc_t - docker needs more control over spc_t - pcp domains are executed out of cron- Allow audisp to connect to system DBUS for service. - Label /dev/log correctly. - Add interface init_read_var_lib_files(). - Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004) - Remove automatcically running filetrans_named_content form sysnet_manage_config - Allow syslogd/journal to read netlink audit socket - Allow brltty ioctl on usb_device_t. BZ(1190349) - Make sure NetworkManager configures resolv.conf correctly- Allow cockpit_session_t to create tmp files - apmd needs sys_resource when shutting down the machine - Fix path label to resolv.conf under NetworkManager- Allow search all pid dirs when managing net_conf_t files.- Fix labels, improve sysnet_manage_config interface. - Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t. - Dontaudit network connections related to thumb_t. BZ(1187981) - Remove sysnet_filetrans_named_content from fail2ban- Fix labels on new location of resolv.conf - syslog is not writing to the audit socket - seunshare is doing getattr on unix_stream_sockets leaked into it - Allow sshd_t to manage gssd keyring - Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager - Posgresql listens on port 9898 when running PCP (pgpool Control Port) - Allow svirt sandbox domains to read /proc/mtrr - Allow polipo_deamon connect to all ephemeral ports. BZ(1187723) - Allow dovecot domains to use sys_resouce - Allow sshd_t to manage gssd keyring - gpg_pinentry_t needs more access in f22- Allow docker to attach to the sandbox and user domains tun devices - Allow pingd to read /dev/urandom. BZ(1181831) - Allow virtd to list all mountpoints - Allow sblim-sfcb to search images - pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t. - Call correct macro in virt_read_content(). - Dontaudit couchdb search in gconf_home_t. BZ(1177717) - Allow docker_t to changes it rlimit - Allow neutron to read rpm DB. - Allow radius to connect/bind radsec ports - Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log. - Add devicekit_read_log_files(). - Allow virt_qemu_ga to dbus chat with rpm. - Allow netutils chown capability to make tcpdump working with -w. - Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t. - journald now reads the netlink audit socket - Add auditing support for ipsec.- Bump release- remove duplicate filename transition rules. - Call proper interface in sosreport.te. - Allow fetchmail to manage its keyring - Allow mail munin to create udp_sockets - Allow couchdb to sendto kernel unix domain sockets- Add /etc/selinux/targeted/contexts/openssh_contexts- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438) - Allow virt_qemu_ga_t to execute kmod. - Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean - Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs. - Add support for /usr/share/vdsm/daemonAdapter. - Docker has a new config/key file it writes to /etc/docker - Allow bacula to connect also to postgresql.- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS. - Fix miscfiles_manage_generic_cert_files() to allow manage link files - Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258) - Add support for /var/run/gluster. - Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)- Add files_dontaudit_list_security_dirs() interface. - Added seutil_dontaudit_access_check_semanage_module_store interface. - Allow docker to create /root/.docker - Allow rlogind to use also rlogin ports - dontaudit list security dirs for samba domain - Dontaudit couchdb to list /var- Update to have all _systemctl() interface also init_reload_services() - Dontaudit access check on SELinux module store for sssd. - Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)- Allow reading of symlinks in /etc/puppet - Added TAGS to gitignore - I guess there can be content under /var/lib/lockdown #1167502 - Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working. - Allow keystone to send a generic signal to own process. - Allow radius to bind tcp/1812 radius port. - Dontaudit list user_tmp files for system_mail_t - label virt-who as virtd_exec_t - Allow rhsmcertd to send a null signal to virt-who running as virtd_t - Add virt_signull() interface - Add missing alias for _content_rw_t - Allow .snapshots to be created in other directories, on all mountpoints - Allow spamd to access razor-agent.log - Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104) - Allow .snapshots to be created in other directories, on all mountpoints - Label tcp port 5280 as ejabberd port. BZ(1059930) - Make /usr/bin/vncserver running as unconfined_service_t - Label /etc/docker/certs.d as cert_t - Allow all systemd domains to search file systems- Allow NetworkManager stream connect on openvpn. BZ(1165110)- Allow networkmanager manage also openvpn sock pid files.- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling. - Allow sendmail to create dead.letter. BZ(1165443) - Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active. - Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t. - Label sock file charon.vici as ipsec_var_run_t. BZ(1165065) - Add additional interfaces for load_policy/setfiles/read_lock related to access checks.- Allow bumblebee to use nsswitch. BZ(1155339) - Allow openvpn to stream connect to networkmanager. BZ(1164182) - Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS. - Allow cpuplug rw virtual memory sysctl. BZ (1077831) - Docker needs to write to sysfs, needs back port to F20,F21, RHEL7- Add kdump_rw_inherited_kdumpctl_tmp_pipes() - Added fixes related to linuxptp. BZ (1149693) - Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424 - Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256) - Fix seutil_dontaudit_access_check_load_policy() - Add dontaudit interfaces for audit_access in seutil - Label /etc/strongimcv as ipsec_conf_file_t.- Added interface userdom_dontaudit_manage_user_home_dirs - Fix unconfined_server_dbus_chat() interface. - Add unconfined_server_dbus_chat() inteface. - Allow login domains to create kernel keyring with different level. - Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256) - Make tuned as unconfined domain. - Added support for linuxptp policy. BZ(1149693) - make zoneminder as dbus client by default. - Allow bluetooth read/write uhid devices. BZ (1161169) - Add fixes for hypervkvp daemon - Allow guest to connect to libvirt using unix_stream_socket. - Allow all bus client domains to dbus chat with unconfined_service_t. - Allow inetd service without own policy to run in inetd_child_t which is unconfined domain. - Make opensm as nsswitch domain to make it working with sssd. - Allow brctl to read meminfo. - Allow winbind-helper to execute ntlm_auth in the caller domain. - Make plymouthd as nsswitch domain to make it working with sssd. - Make drbd as nsswitch domain to make it working with sssd. - Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working. - Add support for /var/lib/sntp directory.- Add support for /dev/nvme controllerdevice nodes created by nvme driver. - Add 15672 as amqp_port_t - Allow wine domains to read user homedir content - Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc - Allow winbind to read usermodehelper - Allow telepathy domains to execute shells and bin_t - Allow gpgdomains to create netlink_kobject_uevent_sockets - Allow abrt to read software raid state. BZ (1157770) - Fix rhcs_signull_haproxy() interface. - Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. - Allow snapperd to dbus chat with system cron jobs. - Allow nslcd to read /dev/urandom. - Allow dovecot to create user's home directory when they log into IMAP. - Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835) - Allow wine domains to read user homedir content - Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424) - Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld - Allow rabbitmq to read nfs state data. BZ(1122412) - Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t. - Add rolekit policy - ALlow rolekit domtrans to sssd_t. - Add kerberos_tmp_filetrans_kadmin() interface. - rolekit should be noaudit. - Add rolekit_manage_keys(). - Need to label rpmnew file correctly - Allow modemmanger to connectto itself- Allow couchdb read sysctl_fs_t files. BZ(1154327) - Allow osad to connect to jabber client port. BZ (1154242) - Allow mon_statd to send syslog msgs. BZ (1077821 - Allow apcupsd to get attributes of filesystems with xattrs- Allow systemd-networkd to be running as dhcp client. - Label /usr/bin/cockpit-bridge as shell_exec_t. - Add label for /var/run/systemd/resolve/resolv.conf. - ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. - Allow systemd-networkd to be running as dhcp client. - Label /usr/bin/cockpit-bridge as shell_exec_t. - Add label for /var/run/systemd/resolve/resolv.conf. - ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.- Dontaudit aicuu to search home config dir. BZ (#1104076) - couchdb is using erlang so it needs execmem privs - ALlow sanlock to send a signal to virtd_t. - Allow mondogdb to 'accept' accesses on the tcp_socket port. - Make sosreport as unconfined domain. - Allow nova-console to connect to mem_cache port. - Allow mandb to getattr on file systems - Allow read antivirus domain all kernel sysctls. - Allow lmsd_plugin to read passwd file. BZ(1093733) - Label /usr/share/corosync/corosync as cluster_exec_t. - ALlow sensord to getattr on sysfs. - automount policy is non-base module so it needs to be called in optional block. - Add auth_use_nsswitch for portreserve to make it working with sssd. - Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files. - Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd. - Allow openvpn to access /sys/fs/cgroup dir. - Allow nova-scheduler to read certs - Add support for /var/lib/swiftdirectory. - Allow neutron connections to system dbus. - Allow mongodb to manage own log files. - Allow opensm_t to read/write /dev/infiniband/umad1. - Added policy for mon_statd and mon_procd services. BZ (1077821) - kernel_read_system_state needs to be called with type. Moved it to antivirus.if. - Allow dnssec_trigger_t to execute unbound-control in own domain. - Allow all RHCS services to read system state. - Added monitor device - Add interfaces for /dev/infiniband - Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type. - Add files_dontaudit_search_security_files() - Add selinuxuser_udp_server boolean - ALlow syslogd_t to create /var/log/cron with correct labeling - Add support for /etc/.updated and /var/.updated - Allow iptables read fail2ban logs. BZ (1147709) - ALlow ldconfig to read proc//net/sockstat.- Allow nova domains to getattr on all filesystems. - ALlow zebra for user/group look-ups. - Allow lsmd to search own plguins. - Allow sssd to read selinux config to add SELinux user mapping. - Allow swift to connect to all ephemeral ports by default. - Allow NetworkManager to create Bluetooth SDP sockets - Allow keepalived manage snmp var lib sock files. BZ(1102228) - Added policy for blrtty. BZ(1083162) - Allow rhsmcertd manage rpm db. BZ(#1134173) - Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173) - Label /usr/libexec/rhsmd as rhsmcertd_exec_t - Fix broken interfaces - Added sendmail_domtrans_unconfined interface - Added support for cpuplug. BZ (#1077831) - Fix bug in drbd policy, BZ (#1134883) - Make keystone_cgi_script_t domain. BZ (#1138424) - fix dev_getattr_generic_usb_dev interface - Label 4101 tcp port as brlp port - Allow libreswan to connect to VPN via NM-libreswan. - Add userdom_manage_user_tmpfs_files interface- Allow all domains to read fonts - Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028) - Allow pki-tomcat to change SELinux object identity. - Allow radious to connect to apache ports to do OCSP check - Allow git cgi scripts to create content in /tmp - Allow cockpit-session to do GSSAPI logins.- Make sure /run/systemd/generator and system is labeled correctly on creation. - Additional access required by usbmuxd - Allow sensord read in /proc BZ(#1143799)- Allow du running in logwatch_t read hwdata. - Allow sys_admin capability for antivirus domians. - Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc. - Add support for pnp4nagios. - Add missing labeling for /var/lib/cockpit. - Label resolv.conf as docker_share_t under docker so we can read within a container - Remove labeling for rabbitmqctl - setfscreate in pki.te is not capability class. - Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd. - Allow wine domains to create cache dirs. - Allow newaliases to systemd inhibit pipes. - Add fixes for pki-tomcat scriptlet handling. - Allow user domains to manage all gnome home content - Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems - Allow usbmuxd chown capabilitiesllow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems- Label /usr/lib/erlang/erts.*/bin files as bin_t - Added changes related to rabbitmq daemon. - Fix labeling in couchdb policy - Allow rabbitmq bind on epmd port - Clean up rabbitmq policy - fix domtrans_rabbitmq interface - Added rabbitmq_beam_t and rabbitmq_epmd_t alias - Allow couchdb to getattr - Allow couchdb write to couchdb_conf files - Allow couchdb to create dgram_sockets - Added support for ejabberd- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21. - Since docker will now label volumes we can tighten the security of docker- Re-arange openshift_net_read_t rules. - Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide - Allow jockey_t to use tmpfs files - Allow pppd to create sock_files in /var/run - Allow geoclue to stream connect to smart card service - Allow docker to read all of /proc - ALlow passeneger to read/write apache stream socket. - Dontaudit read init state for svirt_t. - Label /usr/sbin/unbound-control as named_exec_t (#1130510) - Add support for /var/lbi/cockpit directory. - Add support for ~/. speech-dispatcher. - Allow nmbd to read /proc/sys/kernel/core_pattern. - aLlow wine domains to create wine_home symlinks. - Allow policykit_auth_t access check and read usr config files. - Dontaudit access check on home_root_t for policykit-auth. - hv_vss_daemon wants to list /boot - update gpg_agent_env_file booelan to allow manage user tmp files for gpg-agent - Fix label for /usr/bin/courier/bin/sendmail - Allow munin services plugins to execute fail2ban-client in fail2ban_client_t domain. - Allow unconfined_r to access unconfined_service_t. - Add label for ~/.local/share/fonts - Add init_dontaudit_read_state() interface. - Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it. - Allow udev_t mounton udev_var_run_t dirs #(1128618) - Add files_dontaudit_access_check_home_dir() inteface.- Allow unconfined_service_t to dbus chat with all dbus domains - Assign rabbitmq port. BZ#1135523 - Add new interface to allow creation of file with lib_t type - Allow init to read all config files - We want to remove openshift_t domains ability to look at /proc/net - I guess lockdown is a file not a directory - Label /var/bacula/ as bacula_store_t - Allow rhsmcertd to seng signull to sosreport. - Allow sending of snmp trap messages by radiusd. - remove redundant rule fron nova.te. - Add auth_use_nsswitch() for ctdbd. - call nova_vncproxy_t instead of vncproxy. - Allow nova-vncproxy to use varnishd port. - Fix rhnsd_manage_config() to allow manage also symlinks. - Allow bacula to create dirs/files in /tmp - Allow nova-api to use nsswitch. - Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface. - Allow usbmuxd connect to itself by stream socket. (#1135945) - I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft - Allow nswrapper_32_64.nppdf.so to be created with the proper label - Assign rabbitmq port. BZ#1135523 - Dontaudit leaks of file descriptors from domains that transition to thumb_t - Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource - Allow unconfined_service_t to dbus chat with all dbus domains - Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way) - Allow avahi_t communicate with pcp_pmproxy_t over dbus.- Allow aide to read random number generator - Allow pppd to connect to http port. (#1128947) - sssd needs to be able write krb5.conf. - Labeli initial-setup as install_exec_t. - Allow domains to are allowed to mounton proc to mount on files as well as dirs- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Add a port definition for shellinaboxd - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories - Allow thumb_t to read/write video devices - fail2ban 0.9 reads the journal by default. - Allow sandbox net domains to bind to rawip socket- Allow haproxy to read /dev/random and /dev/urandom. - Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot. - geoclue needs to connect to http and http_cache ports - Allow passenger to use unix_stream_sockets leaked into it, from httpd - Add SELinux policy for highly-available key value store for shared configuration. - drbd executes modinfo. - Add glance_api_can_network boolean since glance-api uses huge range port. - Fix glance_api_can_network() definition. - Allow smoltclient to connect on http_cache port. (#982199) - Allow userdomains to stream connect to pcscd for smart cards - Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix) - Added MLS fixes to support labeled socket activation which is going to be done by systemd - Add kernel_signull() interface. - sulogin_t executes plymouth commands - lvm needs to be able to accept connections on stream generic sockets- Rebuild for rpm bug 1131960- Allow ssytemd_logind_t to list tmpfs directories - Allow lvm_t to create undefined sockets - Allow passwd_t to read/write stream sockets - Allow docker lots more access. - Fix label for ports - Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service. - Label tcp port 4194 as kubernetes port. - Additional access required for passenger_t - sandbox domains should be allowed to use libraries which require execmod - Allow qpid to read passwd files BZ (#1130086) - Remove cockpit port, it is now going to use websm port - Add getattr to the list of access to dontaudit on unix_stream_sockets - Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.- docker needs to be able to look at everything in /dev - Allow all processes to send themselves signals - Allow sysadm_t to create netlink_tcpdiag socket - sysadm_t should be allowed to communicate with networkmanager - These are required for bluejeans to work on a unconfined.pp disabled machine - docker needs setfcap - Allow svirt domains to manage chr files and blk files for mknod commands - Allow fail2ban to read audit logs - Allow cachefilesd_t to send itself signals - Allow smokeping cgi script to send syslog messages - Allow svirt sandbox domains to relabel content - Since apache content can be placed anywhere, we should just allow apache to search through any directory - These are required for bluejeans to work on a unconfined.pp disabled machin- shell_exec_t should not be in cockip.fc- Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t. - Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port. - Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t. - Dontaudit write access on generic cert files. We don't audit also access check. - Add support for arptables. - Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.- fix license handling- Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow users to use these plugins properly using this boolean. (#1109681) - Allow smokeping cgi scripts to accept connection on httpd stream socket. - docker does a getattr on all file systems - Label all abort-dump programs - Allow alsa to create lock file to see if it fixes. - Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running without unconfined domains. The default location of these scripts is /usr/lib/zabbix/externalscripts. If a user change DATADIR in CONFIG_EXTERNALSCRIPTS then he needs to set labeling for this new location. - Add interface for journalctl_exec - Add labels also for glusterd sockets. - Change virt.te to match default docker capabilies - Add additional booleans for turning on mknod or all caps. - Also add interface to allow users to write policy that matches docker defaults - for capabilies. - Label dhcpd6 unit file. - Add support also for dhcp IPv6 services. - Added support for dhcrelay service - Additional access for bluejeans - docker needs more access, need back port to RHEL7 - Allow mdadm to connect to own socket created by mdadm running as kernel_t. - Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks - Allow bacula manage bacula_log_t dirs - Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t - Fix mistakes keystone and quantum - Label neutron var run dir - Label keystone var run dir - Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc. - Dontaudit attempts to access check cert dirs/files for sssd. - Allow sensord to send a signal. - Allow certmonger to stream connect to dirsrv to make ipa-server-install working. - Label zabbix_var_lib_t directories - Label conmans pid file as conman_var_run_t - Label also /var/run/glusterd.socket file as gluster_var_run_t - Fix policy for pkcsslotd from opencryptoki - Update cockpik policy from cockpit usptream. - Allow certmonger to exec ldconfig to make ipa-server-install working. - Added support for Naemon policy - Allow keepalived manage snmp files - Add setpgid process to mip6d - remove duplicate rule - Allow postfix_smtpd to stream connect to antivirus - Dontaudit list /tmp for icecast - Allow zabbix domains to access /proc//net/dev.- Allow zabbix domains to access /proc//net/dev. - Dontaudit list /tmp for icecast (#894387) - Allow postfix_smtpd to stream connect to antivirus (#1105889) - Add setpgid process to mip6d - Allow keepalived manage snmp files(#1053450) - Added support for Naemon policy (#1120789). - Allow certmonger to exec ldconfig to make ipa-server-install working. (#1122110) - Update cockpik policy from cockpit usptream.- Revert labeling back to /var/run/systemd/initctl/fifo - geoclue dbus chats with modemmanger - Bluejeans wants to connect to port 5000 - geoclue dbus chats with modemmange- Allow sysadm to dbus chat with systemd - Add logging_dontaudit_search_audit_logs() - Add new files_read_all_mountpoint_symlinks() - Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo. - Allow ndc to read random and urandom device (#1110397) - Allow zabbix to read system network state - Allow fprintd to execute usr_t/bin_t - Allow mailserver_domain domains to append dead.letter labeled as mail_home_t - Add glance_use_execmem boolean to have glance configured to use Ceph/rbd - Dontaudit search audit logs for fail2ban - Allow mailserver_domain domains to create mail home content with right labeling - Dontaudit svirt_sandbox_domain doing access checks on /proc - Fix files_pid_filetrans() calling in nut.te to reflect allow rules. - Use nut_domain attribute for files_pid_filetrans() for nut domains. - Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs - Fix nut domains only have type transition on dirs in /run/nut directory. - Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt() - Clean up osad policy. Remove additional interfaces/rules- Allow systemd domains to check lvm status - Allow getty to execute plymouth.#1112870 - Allow sshd to send signal to chkpwd_t - initrctl fifo file has been renamed - Set proper labeling on /var/run/sddm - Fix labeling for cloud-init logs - Allow kexec to read kallsyms - Add rhcs_stream_connect_haproxy interface, Allow neutron stream connect to rhcs - Add fsetid caps for mandb. #1116165 - Allow all nut domains to read /dev/(u)?random. - Allow deltacloudd_t to read network state BZ #1116940 - Add support for KVM virtual machines to use NUMA pre-placement - Allow utilize winbind for authentication to AD - Allow chrome sandbox to use udp_sockets leaked in by its parent - Allow gfs_controld_t to getattr on all file systems - Allow logrotate to manage virt_cache - varnishd needs to have fsetid capability - Allow dovecot domains to send signal perms to themselves - Allow apache to manage pid sock files - Allow nut_upsmon_t to create sock_file in /run dir - Add capability sys_ptrace to stapserver - Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof - Added support for vdsm- If I can create a socket I need to be able to set the attributes - Add tcp/8775 port as neutron port - Add additional ports for swift ports - Added changes to fedora from bug bz#1082183 - Add support for tcp/6200 port - Allow collectd getattr access to configfs_t dir Fixes Bug 1115040 - Update neutron_manage_lib_files() interface - Allow glustered to connect to ephemeral ports - Allow apache to search ipa lib files by default - Allow neutron to domtrans to haproxy - Add rhcs_domtrans_haproxy() - Add support for openstack-glance-* unit files - Add initial support for /usr/bin/glance-scrubber - Allow swift to connect to keystone and memcache ports. - Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup - Add policies for openstack-cinder - Add support for /usr/bin/nova-conductor - Add neutron_can_network boolean - Allow neutron to connet to neutron port - Allow glance domain to use syslog - Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t- Allow swift to use tcp/6200 swift port - ALlow swift to search apache configs - Remove duplicate .fc entry for Grilo plugin bookmarks - Remove duplicate .fc entry for telepathy-gabble - Additional allow rules for docker sandbox processes - Allow keepalived connect to agentx port - Allow neutron-ns-metadata to connectto own unix stream socket - Add support for tcp/6200 port - Remove ability for confined users to run xinit - New tool for managing wireless /usr/sbin/iw- Add back MLS policy- Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy- Allow system_bus_types to use stream_sockets inherited from system_dbusd - Allow journalctl to call getpw - New access needed by dbus to talk to kernel stream - Label sm-notifypid files correctly - contrib: Add KMSCon policy module- Add mozilla_plugin_use_bluejeans boolean - Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean- Allow staff_t to communicate and run docker - Fix *_ecryptfs_home_dirs booleans - Allow ldconfig_t to read/write inherited user tmp pipes - Allow storaged to dbus chat with lvm_t - Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t. - Use proper calling in ssh.te for userdom_home_manager attribute - Use userdom_home_manager_type() also for ssh_keygen_t - Allow locate to list directories without labels - Allow bitlbee to use tcp/7778 port - /etc/cron.daily/logrotate to execute fail2ban-client. - Allow keepalives to connect to SNMP port. Support to do SNMP stuff - Allow staff_t to communicate and run docker - Dontaudit search mgrepl/.local for cobblerd_t - Allow neutron to execute kmod in insmod_t - Allow neutron to execute udevadm in udev_t - Allow also fowner cap for varnishd - Allow keepalived to execute bin_t/shell_exec_t - rhsmcertd seems to need these accesses. We need this backported to RHEL7 and perhaps RHEL6 policy - Add cups_execmem boolean - Allow gear to manage gear service - New requires for gear to use systemctl and init var_run_t - Allow cups to execute its rw_etc_t files, for brothers printers - Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dirs and manage munin logs. - Allow swift to execute bin_t - Allow swift to bind http_cache- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild- Add decl for cockip port - Allow sysadm_t to read all kernel proc - Allow logrotate to execute all executables - Allow lircd_t to use tty_device_t for use withmythtv - Make sure all zabbix files direcories in /var/log have the correct label - Allow bittlebee to create directories and files in /var/log with the correct label - Label /var/log/horizon as an apache log - Add squid directory in /var/run - Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label - Wronly labeled avahi_var_lib_t as a pid file - Fix labels on rabbitmq_var_run_t on file/dir creation - Allow neutron to create sock files - Allow postfix domains to getattr on all file systems - Label swift-proxy-server as swift_exec_t - Tighten SELinux capabilities to match docker capabilities - Add fixes for squid which is configured to run with more than one worker. - Allow cockpit to bind to its port- geard seems to do a lot of relabeling - Allow system_mail_t to append to munin_var_lib_t - Allow mozilla_plugin to read alsa_rw_ content - Allow asterisk to connect to the apache ports - Dontaudit attempts to read fixed disk - Dontaudit search gconf_home_t - Allow rsync to create swift_server.lock with swift.log labeling - Add labeling for swift lock files - Use swift_virt_lock in swift.te - Allow openwsman to getattr on sblim_sfcbd executable - Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t - Allow openwsman_t to read/write sblim-sfcb shared mem - Allow openwsman to stream connec to sblim-sfcbd - Allow openwsman to create tmpfs files/dirs - dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcbd_t - Allow sblim_sfcbd to execute shell - Allow swift to create lock file - Allow openwsman to use tcp/80 - Allow neutron to create also dirs in /tmp - Allow seunshare domains to getattr on all executables - Allow ssh-keygen to create temporary files/dirs needed by OpenStack - Allow named_filetrans_domain to create /run/netns - Allow ifconfig to create /run/netns- Add missing dyntransition for sandbox_x_domain- More rules for gears and openshift - Added iotop policy. Thanks William Brown - Allow spamc to read .pyzor located in /var/spool/spampd - Allow spamc to create home content with correct labeling - Allow logwatch_mail_t to create dead.letter with correct labelign - Add labeling for min-cloud-agent - Allow geoclue to read unix in proc. - Add support for /usr/local/Brother labeling. We removed /usr/local equiv. - add support for min-cloud-agent - Allow ulogd to request the kernel to load a module - remove unconfined_domain for openwsman_t - Add openwsman_tmp_t rules - Allow openwsman to execute chkpwd and make this domain as unconfined for F20. - Allow nova-scheduler to read passwd file - Allow neutron execute arping in neutron_t - Dontaudit logrotate executing systemctl command attempting to net_admin - Allow mozilla plugins to use /dev/sr0 - svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files - Any app that executes systemctl will attempt a net_admin - Fix path to mmap_min_addr- Add gear fixes from dwalsh- selinux_unconfined_type should not be able to set booleans if the securemode is set - Update sandbox_transition() to call sandbox_dyntrasition(). #885288.- Fix labeling for /root/\.yubico - userdom_search_admin_dir() calling needs to be optional in kernel.te - Dontaudit leaked xserver_misc_device_t into plugins - Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy - Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains - Bootloader wants to look at init state - Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm - init reads kdbump etc files - Add support for tcp/9697 - Fix labeling for /var/run/user//gvfs - Add support for us_cli ports - fix sysnet_use_ldap - Allow mysql to execute ifconfig if Red Hat OpenStack - ALlow stap-server to get attr on all fs - Fix mail_pool_t to mail_spool_t - Dontaudit leaked xserver_misc_device_t into plugins - Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains - Add new labeling for /var/spool/smtpd - Allow httpd_t to kill passenger - Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets - Allow nova-scheduler to read passwd/utmp files - Additional rules required by openstack, needs backport to F20 and RHEL7 - Additional access required by docker - ALlow motion to use tcp/8082 port- Fix virt_use_samba boolean - Looks like all domains that use dbus libraries are now reading /dev/urand - Add glance_use_fusefs() boolean - Allow tgtd to read /proc/net/psched - Additional access required for gear management of openshift directories - Allow sys_ptrace for mock-build - Fix mock_read_lib_files() interface - Allow mock-build to write all inherited ttys and ptys - Allow spamd to create razor home dirs with correct labeling - Clean up sysnet_use_ldap() - systemd calling needs to be optional - Allow init_t to setattr/relabelfrom dhcp state files- mongod should not be a part of cloudforms.pp - Fix labeling in snapper.fc - Allow docker to read unconfined_t process state - geoclue dbus chats with NetworkManager - Add cockpit policy - Add interface to allow tools to check the processes state of bind/named - Allow myslqd to use the tram port for Galera/MariaDB- Allow init_t to setattr/relabelfrom dhcp state files - Allow dmesg to read hwdata and memory dev - Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan - Dontaudit antivirus domains read access on all security files by default - Add missing alias for old amavis_etc_t type - Additional fixes for instack overcloud - Allow block_suspend cap for haproxy - Allow OpenStack to read mysqld_db links and connect to MySQL - Remove dup filename rules in gnome.te - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t - Add labeling for /lib/systemd/system/thttpd.service - Allow iscsid to handle own unit files - Add iscsi_systemctl() - Allow mongod also create sock_file with correct labeling in /run - Allow aiccu stream connect to pcscd - Allow rabbitmq_beam to connect to httpd port - Allow httpd to send signull to apache script domains and don't audit leaks - Fix labeling in drbd.fc - Allow sssd to connect to the smbd port for handing logins using active directory, needs back port for rhel7 - Allow all freeipmi domains to read/write ipmi devices - Allow rabbitmq_epmd to manage rabbit_var_log_t files - Allow sblim_sfcbd to use also pegasus-https port - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input - Add httpd_run_preupgrade boolean - Add interfaces to access preupgrade_data_t - Add preupgrade policy - Add labeling for puppet helper scriptsRename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.- Change hsperfdata_root to have as user_tmp_t - Allow rsyslog low-level network access - Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm - Allow conman to resolve DNS and use user ptys - update pegasus_openlmi_admin_t policy - nslcd wants chown capability - Dontaudit exec insmod in boinc policy- Add labels for /var/named/chroot_sdb/dev devices - Add support for strongimcv - Add additional fixes for yubikeys based on william@firstyear.id.au - Allow init_t run /sbin/augenrules - Remove dup decl for dev_unmount_sysfs_fs - Allow unpriv SELinux user to use sandbox - Fix ntp_filetrans_named_content for sntp-kod file - Add httpd_dbus_sssd boolean - Dontaudit exec insmod in boinc policy - Add dbus_filetrans_named_content_system() - We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t - varnishd wants chown capability - update ntp_filetrans_named_content() interface - Add additional fixes for neutron_t. #1083335 - Dontaudit sandbox_t getattr on proc_kcore_t - Allow pki_tomcat_t to read ipa lib files- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t- Turn on gear_port_t - Add gear policy and remove permissive domains. - Add labels for ostree - Add SELinux awareness for NM - Label /usr/sbin/pwhistory_helper as updpwd_exec_t- update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removeable devices - Allow nsswitch_domains to stream connect to nmbd - Allow rasdaemon to rw /dev/cpu//msr - fix /var/log/pki file spec - make bacula_t as auth_nsswitch domain - Allow certmonger to manage ipa lib files - Add support for /var/lib/ipa- Manage_service_perms should include enable and disable, need backport to RHEL7 - Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo - Add userdom_tmp_role for secadm_t - Allow postgresql to read network state - Add a new file context for /var/named/chroot/run directory - Add booleans to allow docker processes to use nfs and samba - Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t - Allow puppet stream connect to mysql - Fixed some rules related to puppet policy - Allow vmware-user-sui to use user ttys - Allow talk 2 users logged via console too - Additional avcs for docker when running tests - allow anaconda to dbus chat with systemd-localed - clean up rhcs.te - remove dup rules from haproxy.te - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - update rtas_errd policy - Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves - Allow snmpd to getattr on removeable and fixed disks - Allow docker containers to manage /var/lib/docker content- Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords- Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets - Dontaudit leaks of sockets into chrome_sandbox_t - If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t - Run vmtools as unconfined domains - Allow snort to manage its log files - Allow systemd_cronjob_t to be entered via bin_t - Allow procman to list doveconf_etc_t - allow keyring daemon to create content in tmpfs directories - Add proper labelling for icedtea-web - vpnc is creating content in networkmanager var run directory - unconfined_service should be allowed to transition to rpm_script_t - Allow couchdb to listen on port 6984 - Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command - Allow systemd-logind to setup user tmpfs directories - Add additional fixes for systemd_networkd_t - Allow systemd-logind to manage user_tmpfs_t - Allow systemd-logind to mount /run/user/1000 to get gdm working- Add additional fixes for systemd_networkd_t - Allow systemd-logind to manage user_tmpfs_t - Allow systemd-logind to mount /run/user/1000 to get gdm working - Dontaudit attempts to setsched on the kernel_t threads - Allow munin mail plugins to read network systcl - Fix git_system_enable_homedirs boolean - Make cimtest script 03_defineVS.py of ComputerSystem group working - Make abrt-java-connector working - Allow net_admin cap for fence_virtd running as fenced_t - Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla- sshd to read network sysctls - Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla - /var/lib/containers should be labeled as openshift content for now - Allow docker domains to talk to the login programs, to allow a process to login into the container- Add install_t for anaconda- Allow init_t to stream connect to ipsec - Add /usr/lib/systemd/systemd-networkd policy - Add sysnet_manage_config_dirs() - Add support for /var/run/systemd/network and labeled it as net_conf_t - Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Add support for /dev/vmcp and /dev/sclp - Add docker_connect_any boolean - Fix zabbix policy - Allow zabbix to send system log msgs - Allow pegasus_openlmi_storage_t to write lvm metadata - Updated pcp_bind_all_unreserved_ports - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo- Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Fix label on irclogs in the homedir- Modify xdm_write_home to allow create files/links in /root with xdm_home_t - Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights - Add xserver_dbus_chat() interface - Add sysnet_filetrans_named_content_ifconfig() interface - Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask - Turn on cron_userdomain_transition by default for now. Until we get a fix for #1063503 - Allow lscpu running as rhsmcertd_t to read sysinfo - Allow virt domains to read network state - Added pcp rules - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow to run ip cmd in neutron_t domain - Allow rpm_script_t to dbus chat also with systemd-located - Fix ipa_stream_connect_otpd()- Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service - Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working - Add xserver_rw_xdm_keys() - Allow rpm_script_t to dbus chat also with systemd-located - Fix ipa_stream_connect_otpd() - update lpd_manage_spool() interface - Allow krb5kdc to stream connect to ipa-otpd - Add ipa_stream_connect_otpd() interface - Allow vpnc to unlink NM pids - Add networkmanager_delete_pid_files() - Allow munin plugins to access unconfined plugins - update abrt_filetrans_named_content to cover /var/spool/debug - Label /var/spool/debug as abrt_var_cache_t - Allow rhsmcertd to connect to squid port - Make docker_transition_unconfined as optional boolean - Allow certmonger to list home dirs- Make docker as permissive domain- Allow bumblebeed to send signal to insmod - Dontaudit attempts by crond_t net_admin caused by journald - Allow the docker daemon to mounton tty_device_t - Add addtional snapper fixes to allo relabel file_t - Allow setattr for all mountpoints - Allow snapperd to write all dirs - Add support for /etc/sysconfig/snapper - Allow mozilla_plugin to getsession - Add labeling for thttpd - Allow sosreport to execute grub2-probe - Allow NM to manage hostname config file - Allow systemd_timedated_t to dbus chat with rpm_script_t - Allow lsmd plugins to connect to http/ssh/http_cache ports by default - Add lsmd_plugin_connect_any boolea - Add support for ipset - Add support for /dev/sclp_line0 - Add modutils_signal_insmod() - Add files_relabelto_all_mountpoints() interface - Allow the docker daemon to mounton tty_device_t - Allow all systemd domains to read /proc/1 - Login programs talking to journald are attempting to net_admin, add dontaudit - init is not gettar on processes as shutdown time - Add systemd_hostnamed_manage_config() interface - Make unconfined_service_t valid in enforcing - Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - Add lvm_read_metadata()- Make unconfined_service_t valid in enforcing - Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - Treat usermodehelper_t as a sysctl_type - xdm communicates with geo - Add lvm_read_metadata() - Allow rabbitmq_beam to connect to jabber_interserver_port - Allow logwatch_mail_t to transition to qmail_inject and queueu - Added new rules to pcp policy - Allow vmtools_helper_t to change role to system_r - Allow NM to dbus chat with vmtools- Add labeling for /usr/sbin/amavi - Colin asked for this program to be treated as cloud-init - Allow ftp services to manage xferlog_t - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow certmonger to search home content - Allow pkcsslotd to read users state - Allow exim to use pam stack to check passwords - Add labeling for /usr/sbin/amavi - Colin asked for this program to be treated as cloud-init - Allow ftp services to manage xferlog_t - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow certmonger to search home content - Allow pkcsslotd to read users state - Allow exim to use pam stack to check passwords- Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() interface - Allow confined users to run vmtools helpers - Fix userdom_common_user_template() - Generic systemd unit scripts do write check on / - Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files - Add additional fixes needed for init_t and setup script running in generic unit files - Allow general users to create packet_sockets - added connlcli port - Add init_manage_transient_unit() interface - Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t - Fix userdomain.te to require passwd class - devicekit_power sends out a signal to all processes on the message bus when power is going down - Dontaudit rendom domains listing /proc and hittping system_map_t - Dontauit leaks of var_t into ifconfig_t - Allow domains that transition to ssh_t to manipulate its keyring - Define oracleasm_t as a device node - Change to handle /root as a symbolic link for os-tree - Allow sysadm_t to create packet_socket, also move some rules to attributes - Add label for openvswitch port - Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. - Allow postfix_local to read .forward in pcp lib files - Allow pegasus_openlmi_storage_t to read lvm metadata - Add additional fixes for pegasus_openlmi_storage_t - Allow bumblebee to manage debugfs - Make bumblebee as unconfined domain - Allow snmp to read etc_aliases_t - Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem - Allow pegasus_openlmi_storage_t to read /proc/1/environ - Dontaudit read gconf files for cupsd_config_t - make vmtools as unconfined domain - Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. - Allow collectd_t to use a mysql database - Allow ipa-otpd to perform DNS name resolution - Added new policy for keepalived - Allow openlmi-service provider to manage transitient units and allow stream connect to sssd - Add additional fixes new pscs-lite+polkit support - Add labeling for /run/krb5kdc - Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 - Allow pcscd to read users proc info - Dontaudit smbd_t sending out random signuls - Add boolean to allow openshift domains to use nfs - Allow w3c_validator to create content in /tmp - zabbix_agent uses nsswitch - Allow procmail and dovecot to work together to deliver mail - Allow spamd to execute files in homedir if boolean turned on - Allow openvswitch to listen on port 6634 - Add net_admin capability in collectd policy - Fixed snapperd policy - Fixed bugsfor pcp policy - Allow dbus_system_domains to be started by init - Fixed some interfaces - Add kerberos_keytab_domain attribute - Fix snapperd_conf_t def- Dontaudit rendom domains listing /proc and hittping system_map_t - devicekit_power sends out a signal to all processes on the message bus when power is going down - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true - systemd_tmpfiles_t needs to _setcheckreqprot - Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it - Fixed snapperd policy - Fixed broken interfaces - Should use rw_socket_perms rather then sock_file on a unix_stream_socket - Fixed bugsfor pcp policy - pcscd seems to be using policy kit and looking at domains proc data that transition to it - Allow dbus_system_domains to be started by init - Fixed some interfaces - Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage /etc/sysconf/rhn director - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Allow ABRT to read puppet certs - Allow virtd_lxc_t to specify the label of a socket - New version of docker requires more access- Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage /etc/sysconf/rhn director - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Make tuned_t as unconfined domain for RHEL7.0 - Allow ABRT to read puppet certs - Add sys_time capability for virt-ga - Allow gemu-ga to domtrans to hwclock_t - Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages - Fix some AVCs in pcp policy - Add to bacula capability setgid and setuid and allow to bind to bacula ports - Changed label from rhnsd_rw_conf_t to rhnsd_conf_t - Add access rhnsd and osad to /etc/sysconfig/rhn - drbdadm executes drbdmeta - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true - Allow init_t to manage pluto.ctl because of init_t instead of initrc_t - Allow systemd_tmpfiles_t to manage all non security files on the system - Added labels for bacula ports - Fix label on /dev/vfio/vfio - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi- Fix /dev/vfio/vfio labeling- Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi - Add support for dey_sapi port - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - drbdadm executes drbdmeta - Added osad policy - Allow postfix to deliver to procmail - Allow vmtools to execute /usr/bin/lsb_release - Allow geoclue to read /etc/passwd - Allow docker to write system net ctrls - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix pcp.te - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring - Allow geoclue to create temporary files/dirs in /tmp - Add httpd_dontaudit_search_dirs boolean - Add support for winbind.service - ALlow also fail2ban-client to read apache logs - Allow vmtools to getattr on all fs- Add net_admin also for systemd_passwd_agent_t - Allow Associate usermodehelper_t to sysfs filesystem - Allow gdm to create /var/gdm with correct labeling - Allow domains to append rkhunterl lib files. #1057982 - Allow systemd_tmpfiles_t net_admin to communicate with journald - update libs_filetrans_named_content() to have support for /usr/lib/debug directory - Adding a new service script to enable setcheckreqprot - Add interface to getattr on an isid_type for any type of file - Allow initrc_t domtrans to authconfig if unconfined is enabled - Add labeling for snapper.log - Allow tumbler to execute dbusd-daemon in thumb_t - Add dbus_exec_dbusd() - Add snapperd_data_t type - Add additional fixes for snapperd - FIx bad calling in samba.te - Allow smbd to create tmpfs - Allow rhsmcertd-worker send signull to rpm process - Allow net_admin capability and send system log msgs - Allow lldpad send dgram to NM - Add networkmanager_dgram_send() - rkhunter_var_lib_t is correct type - Allow openlmi-storage to read removable devices - Allow system cron jobs to manage rkhunter lib files - Add rkhunter_manage_lib_files() - Fix ftpd_use_fusefs boolean to allow manage also symlinks - Allow smbcontrob block_suspend cap2 - Allow slpd to read network and system state info - Allow NM domtrans to iscsid_t if iscsiadm is executed - Allow slapd to send a signal itself - Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA. - Fix plymouthd_create_log() interface - Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package - Allow postfix and cyrus-imapd to work out of box - Remove logwatch_can_sendmail which is no longer used - Allow fcoemon to talk with unpriv user domain using unix_stream_socket - snapperd is D-Bus service - Allow OpenLMI PowerManagement to call 'systemctl --force reboot'- Add haproxy_connect_any boolean - Allow haproxy also to use http cache port by default - Fix /usr/lib/firefox/plugin-container decl - Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications - Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t - Fix type in docker.te - Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory - Adding a new service script to enable setcheckreqprot - Add interface to getattr on an isid_type for any type of file - Allow initrc_t domtrans to authconfig if unconfined is enabled type in docker.te - Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container- init calling needs to be optional in domain.te - Allow docker and mount on devpts chr_file - Allow docker to transition to unconfined_t if boolean set - Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t - Fix type in docker.te - Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container - Allow docker to use the network and build images - Allow docker to read selinux files for labeling, and mount on devpts chr_file - Allow domains that transition to svirt_sandbox to send it signals - Allow docker to transition to unconfined_t if boolean set- New access needed to allow docker + lxc +SELinux to work together - Allow apache to write to the owncloud data directory in /var/www/html... - Cleanup sandbox X AVC's - Allow consolekit to create log dir - Add support for icinga CGI scripts - Add support for icinga - Allow kdumpctl_t to create kdump lock file - Allow kdump to create lnk lock file - Allow ABRT write core_pattern - Allwo ABRT to read core_pattern - Add policy for Geoclue. Geoclue is a D-Bus service that provides location information - Allow nscd_t block_suspen capability - Allow unconfined domain types to manage own transient unit file - Allow systemd domains to handle transient init unit files - No longer need the rpm_script_roles line since rpm_transition_script now does this for us - Add/fix interfaces for usermodehelper_t - Add interfaces to handle transient - Fixes for new usermodehelper and proc_securit_t types, added to increase security on /proc and /sys file systems- Add cron unconfined role support for uncofined SELinux user - Call kernel_rw_usermodehelper_state() in init.te - Call corenet_udp_bind_all_ports() in milter.te - Allow fence_virtd to connect to zented port - Fix header for mirrormanager_admin() - Allow dkim-milter to bind udp ports - Allow milter domains to send signull itself - Allow block_suspend for yum running as mock_t - Allow beam.smp to manage couchdb files - Add couchdb_manage_files() - Add labeling for /var/log/php_errors.log - Allow bumblebee to stream connect to xserver - Allow bumblebee to send a signal to xserver - gnome-thumbnail to stream connect to bumblebee - Fix calling usermodehelper to use _state in interface name - Allow xkbcomp running as bumblebee_t to execute bin_t - Allow logrotate to read squid.conf - Additional rules to get docker and lxc to play well with SELinux - Call kernel_read_usermodhelper/kernel_rw_usermodhelper - Make rpm_transition_script accept a role - Added new policy for pcp - Allow bumbleed to connect to xserver port - Allow pegasus_openlmi_storage_t to read hwdata- Make rpm_transition_script accept a role - Clean up pcp.te - Added new policy for pcp - Allow bumbleed to connect to xserver port - Added support for named-sdb in bind policy - Allow NetworkManager to signal and sigkill init scripts - Allow pegasus_openlmi_storage_t to read hwdata - Fix rhcs_rw_cluster_tmpfs() - Allow fenced_t to bind on zented udp port - Fix mirrormanager_read_lib_files() - Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files - Dontaudit read/write to init stream socket for lsmd_plugin_t - Allow automount to read nfs link files - Allow lsm plugins to read/write lsmd stream socket - Allow svirt_lxc domains to umount dockersocket filesytem - Allow gnome keyring domains to create gnome config dirs - Allow rpm scritplets to create /run/gather with correct labeling - Add sblim_filetrans_named_content() interface - Allow ctdb to create sock files in /var/run/ctdb - Add also labeling for /var/run/ctdb - Add missing labeling for /var/lib/ctdb - ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446 - Dontaudit hypervkvp to search homedirs - Dontaudit hypervkvp to search admin homedirs - Allow hypervkvp to execute bin_t and ifconfig in the caller domain - Dontaudit xguest_t to read ABRT conf files - Add abrt_dontaudit_read_config() - Allow namespace-init to getattr on fs - Add thumb_role() also for xguest - Add filename transitions to create .spamassassin with correct labeling - Allow apache domain to read mirrormanager pid files - Allow domains to read/write shm and sem owned by mozilla_plugin_t - Allow alsactl to send a generic signal to kernel_t - Allow plymouthd to read run/udev/queue.bin - Allow sys_chroot for NM required by iodine service - Change glusterd to allow mounton all non security - Labeled ~/.nv/GLCache as being gstreamer output - Restrict the ability to set usermodehelpers and proc security settings. - Limit the ability to write to the files that configure kernel i - usermodehelpers and security-sensitive proc settings to the init domain. i - Permissive domains can also continue to set these values. - The current list is not exhaustive, just an initial set. - Not all of these files will exist on all kernels/devices. - Controlling access to certain kernel usermodehelpers, e.g. cgroup - release_agent, will require kernel changes to support and cannot be - addressed here. - Ideas come from Stephen Smalley and seandroid - Make rpm_transition_script accept a role - Make rpm_transition_script accept a role - Allow NetworkManager to signal and sigkill init scripts - Allow init_t to work on transitient and snapshot unit files - Add logging_manage_syslog_config() - Update sysnet_dns_name_resolve() to allow connect to dnssec port- Remove file_t from the system and realias it with unlabeled_t- Add gluster fixes - Remove ability to transition to unconfined_t from confined domains - Additional allow rules to get libvirt-lxc containers working with docker- passwd to create gnome-keyring passwd socket - systemd_systemctl needs sys_admin capability - Allow cobbler to search dhcp_etc_t directory - Allow sytemd_tmpfiles_t to delete all directories - allow sshd to write to all process levels in order to change passwd when running at a level - Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range - Allow apcuspd_t to status and start the power unit file - Allow udev to manage kdump unit file - Added new interface modutils_dontaudit_exec_insmod - Add labeling for /var/lib/servicelog/servicelog.db-journal - Allow init_t to create tmpfs_t lnk_file - Add label for ~/.cvsignore - Allow fprintd_t to send syslog messages - Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port - Allow mozilla plugin to chat with policykit, needed for spice - Allow gssprozy to change user and gid, as well as read user keyrings - Allow sandbox apps to attempt to set and get capabilties - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly - allow modemmanger to read /dev/urand - Allow polipo to connect to http_cache_ports - Allow cron jobs to manage apache var lib content - Allow yppassword to manage the passwd_file_t - Allow showall_t to send itself signals - Allow cobbler to restart dhcpc, dnsmasq and bind services - Allow rsync_t to manage all non auth files - Allow certmonger to manage home cert files - Allow user_mail_domains to write certain files to the /root and ~/ directories - Allow apcuspd_t to status and start the power unit file - Allow cgroupdrulesengd to create content in cgoups directories - Add new access for mythtv - Allow irc_t to execute shell and bin-t files: - Allow smbd_t to signull cluster - Allow sssd to read systemd_login_var_run_t - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t - Add label for /var/spool/cron.aquota.user - Allow sandbox_x domains to use work with the mozilla plugin semaphore - Added new policy for speech-dispatcher - Added dontaudit rule for insmod_exec_t in rasdaemon policy - Updated rasdaemon policy - Allow virt_domains to read cert files - Allow system_mail_t to transition to postfix_postdrop_t - Clean up mirrormanager policy - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libivrt - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Additional fixes for docker.te - Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot - Add tftp_write_rw_content/tftp_read_rw_content interfaces - Allow amanda to do backups over UDP- Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template() - Allow journalctl running as ABRT to read /run/log/journal - Allow NM to read dispatcher.d directory - Update freeipmi policy - Type transitions with a filename not allowed inside conditionals - Allow tor to bind to hplip port - Make new type to texlive files in homedir - Allow zabbix_agent to transition to dmidecode - Add rules for docker - Allow sosreport to send signull to unconfined_t - Add virt_noatsecure and virt_rlimitinh interfaces - Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port - Add sysadm_u_default_contexts - Add logging_read_syslog_pid() - Fix userdom_manage_home_texlive() interface - Make new type to texlive files in homedir - Add filename transitions for /run and /lock links - Allow virtd to inherit rlimit information- DRM master and input event devices are used by the TakeDevice API - Clean up bumblebee policy - Update pegasus_openlmi_storage_t policy - opensm policy clean up - openwsman policy clean up - ninfod policy clean up - Allow conman to connect to freeipmi services and clean up conman policy - Allow conmand just bind on 7890 port - Add freeipmi_stream_connect() interface - Allow logwatch read madm.conf to support RAID setup - Add raid_read_conf_files() interface - Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling - add rpm_named_filetrans_log_files() interface - Added policy for conmand - Allow dkim-milter to create files/dirs in /tmp - update freeipmi policy - Add policy for freeipmi services - Added rdisc_admin and rdisc_systemctl interfaces - Fix aliases in pegasus.te - Allow chrome sandbox to read generic cache files in homedir - Dontaudit mandb searching all mountpoints - Make sure wine domains create .wine with the correct label - Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t - Allow windbind the kill capability - DRM master and input event devices are used by the TakeDevice API - add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() - Added support for default conman port - Add interfaces for ipmi devices - Make sure wine domains create .wine with the correct label - Allow manage dirs in kernel_manage_debugfs interface. - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service - Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t - Fix userdom_confined_admin_template() - Add back exec_content boolean for secadm, logadm, auditadm - Fix files_filetrans_system_db_named_files() interface - Allow sulogin to getattr on /proc/kcore - Add filename transition also for servicelog.db-journal - Add files_dontaudit_access_check_root() - Add lvm_dontaudit_access_check_lock() interface - Allow mount to manage mount_var_run_t files/dirs- Add back fixes for gnome_role_template() - Label /usr/sbin/htcacheclean as httpd_exec_t - Add missing alias for pegasus_openlmi_service_exec_t - Added support for rdisc unit file - Added new policy for ninfod - Added new policy for openwsman - Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs - Allow runuser running as logrotate connections to system DBUS - Add connectto perm for NM unix stream socket - Allow watchdog to be executed from cron - Allow cloud_init to transition to rpm_script_t - Allow lsmd_plugin_t send system log messages - Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT policy for sosreport running as abrt_t - Added new capabilities for mip6d policy - Label bcache devices as fixed_disk_device_t - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service - label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t- Add lsmd_plugin_t for lsm plugins - Allow dovecot-deliver to search mountpoints - Add labeling for /etc/mdadm.conf - Allow opelmi admin providers to dbus chat with init_t - Allow sblim domain to read /dev/urandom and /dev/random - Add back exec_content boolean for secadm, logadm, auditadm - Allow sulogin to getattr on /proc/kcore- Add filename transition also for servicelog.db-journal - Add files_dontaudit_access_check_root() - Add lvm_dontaudit_access_check_lock() interface - Allow mount to manage mount_var_run_t files/dirs - Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level - Make sure boot.log is created with the correct label - call logging_relabel_all_log_dirs() in systemd.te - Allow systemd_tmpfiles to relabel log directories - Allow staff_t to run frequency command - Allow staff_t to read xserver_log file - This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f. - Label hsperfdata_root as tmp_t - Add plymouthd_create_log() - Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 - Allow sssd to request the kernel loads modules - Allow gpg_agent to use ssh-add - Allow gpg_agent to use ssh-add - Dontaudit access check on /root for myslqd_safe_t - Add glusterd_brick_t files type - Allow ctdb to getattr on al filesystems - Allow abrt to stream connect to syslog - Allow dnsmasq to list dnsmasq.d directory - Watchdog opens the raw socket - Allow watchdog to read network state info - Dontaudit access check on lvm lock dir - Allow sosreport to send signull to setroubleshootd - Add setroubleshoot_signull() interface - Fix ldap_read_certs() interface - Allow sosreport all signal perms - Allow sosreport to run systemctl - Allow sosreport to dbus chat with rpm - Allow zabbix_agentd to read all domain state - Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom - Allow smoltclient to execute ldconfig - Allow sosreport to request the kernel to load a module - Clean up rtas.if - Clean up docker.if - drop /var/lib/glpi/files labeling in cron.fc - Added new policy for rasdaemon - Add apache labeling for glpi - Allow pegasus to transition to dmidecode - Make sure boot.log is created with the correct label - Fix typo in openshift.te - remove dup bumblebee_systemctl() - Allow watchdog to read /etc/passwd - Allow condor domains to read/write condor_master udp_socket - Allow openshift_cron_t to append to openshift log files, label /var/log/openshift - Add back file_pid_filetrans for /var/run/dlm_controld - Allow smbd_t to use inherited tmpfs content - Allow mcelog to use the /dev/cpu device - sosreport runs rpcinfo - sosreport runs subscription-manager - Allow setpgid for sosreport - Allow browser plugins to connect to bumblebee - New policy for bumblebee and freqset - Add new policy for mip6d daemon - Add new policy for opensm daemon- Add back /dev/shm labeling- Fix gnome_role_template() interface- Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh- Fix config.tgz to include lxc_contexts and systemd_contexts- Update to upstream- Fix passenger_stream_connect interface - setroubleshoot_fixit wants to read network state - Allow procmail_t to connect to dovecot stream sockets - Allow cimprovagt service providers to read network states - Add labeling for /var/run/mariadb - pwauth uses lastlog() to update system's lastlog - Allow account provider to read login records - Add support for texlive2013 - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - Allow passwd_t to connect to gnome keyring to change password - Update mls config files to have cronjobs in the user domains - Remove access checks that systemd does not actually do- Add support for yubikey in homedir - Add support for upd/3052 port - Allow apcupsd to use PowerChute Network Shutdown - Allow lsmd to execute various lsmplugins - Add labeling also for /etc/watchdog\.d where are watchdog scripts located too - Update gluster_export_all_rw boolean to allow relabel all base file types - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling- Add files_relabel_base_file_types() interface - Allow netlabel-config to read passwd - update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr() - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling - Allow pegasus to domtrans to mount_t - Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts - Add support for unconfined watchdog scripts - Allow watchdog to manage own log files- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory. - Label /etc/yum.repos.d as system_conf_t - Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t - Allow dac_override for sysadm_screen_t - Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. - Allow netlabel-config to read meminfo - Add interface to allow docker to mounton file_t - Add new interface to exec unlabeled files - Allow lvm to use docker semaphores - Setup transitons for .xsessions-errors.old - Change labels of files in /var/lib/*/.ssh to transition properly - Allow staff_t and user_t to look at logs using journalctl - pluto wants to manage own log file - Allow pluto running as ipsec_t to create pluto.log - Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Allow dmidecode to read/write /run/lock/subsys/rhsmcertd - Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. - Additional access for docker - Added more rules to sblim policy - Fix kdumpgui_run_bootloader boolean - Allow dspam to connect to lmtp port - Included sfcbd service into sblim policy - rhsmcertd wants to manaage /etc/pki/consumer dir - Add kdumpgui_run_bootloader boolean - Add support for /var/cache/watchdog - Remove virt_domain attribute for virt_qemu_ga_unconfined_t - Fixes for handling libvirt containes - Dontaudit attempts by mysql_safe to write content into / - Dontaudit attempts by system_mail to modify network config - Allow dspam to bind to lmtp ports - Add new policy to allow staff_t and user_t to look at logs using journalctl - Allow apache cgi scripts to list sysfs - Dontaudit attempts to write/delete user_tmp_t files - Allow all antivirus domains to manage also own log dirs - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Add missing permission checks for nscd- Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Add file transition rules for content created by f5link - Rename quantum_port information to neutron - Allow all antivirus domains to manage also own log dirs - Rename quantum_port information to neutron - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Allow sysadm_t to read login information - Allow systemd_tmpfiles to setattr on var_log_t directories - Udpdate Makefile to include systemd_contexts - Add systemd_contexts - Add fs_exec_hugetlbfs_files() interface - Add daemons_enable_cluster_mode boolean - Fix rsync_filetrans_named_content() - Add rhcs_read_cluster_pid_files() interface - Update rhcs.if with additional interfaces from RHEL6 - Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t - Allow glusterd_t to mounton glusterd_tmp_t - Allow glusterd to unmout al filesystems - Allow xenstored to read virt config - Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label - Allow mozilla_plugin_t to mmap hugepages as an executable- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp- Allow sshd_t to read openshift content, needs backport to RHEL6.5 - Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t - Make sur kdump lock is created with correct label if kdumpctl is executed - gnome interface calls should always be made within an optional_block - Allow syslogd_t to connect to the syslog_tls port - Add labeling for /var/run/charon.ctl socket - Add kdump_filetrans_named_content() - Allo setpgid for fenced_t - Allow setpgid and r/w cluster tmpfs for fenced_t - gnome calls should always be within optional blocks - wicd.pid should be labeled as networkmanager_var_run_t - Allow sys_resource for lldpad- Add rtas policy- Allow mailserver_domains to manage and transition to mailman data - Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands - Allow mailserver_domains to manage and transition to mailman data - Allow svirt_domains to read sysctl_net_t - Allow thumb_t to use tmpfs inherited from the user - Allow mozilla_plugin to bind to the vnc port if running with spice - Add new attribute to discover confined_admins and assign confined admin to it - Fix zabbix to handle attributes in interfaces - Fix zabbix to read system states for all zabbix domains - Fix piranha_domain_template() - Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. - Allow lldpad sys_rouserce cap due to #986870 - Allow dovecot-auth to read nologin - Allow openlmi-networking to read /proc/net/dev - Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t - Add zabbix_domain attribute for zabbix domains to treat them together - Add labels for zabbix-poxy-* (#1018221) - Update openlmi-storage policy to reflect #1015067 - Back port piranha tmpfs fixes from RHEL6 - Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop - Add postfix_rw_spool_maildrop_files interface - Call new userdom_admin_user_templat() also for sysadm_secadm.pp - Fix typo in userdom_admin_user_template() - Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey - Add new attribute to discover confined_admins - Fix labeling for /etc/strongswan/ipsec.d - systemd_logind seems to pass fd to anyone who dbus communicates with it - Dontaudit leaked write descriptor to dmesg- Fix gnome_read_generic_data_home_files() - allow openshift_cgroup_t to read/write inherited openshift file types - Remove httpd_cobbler_content * from cobbler_admin interface - Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container - Allow httpd_t to read also git sys content symlinks - Allow init_t to read gnome home data - Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it. - Allow virsh to execute systemctl - Fix for nagios_services plugins - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - Fix hypervkvp.te - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Fix logging policy - Allow syslog to bind to tls ports - Update labeling for /dev/cdc-wdm - Allow to su_domain to read init states - Allow init_t to read gnome home data - Make sure if systemd_logind creates nologin file with the correct label - Clean up ipsec.te- Add auth_exec_chkpwd interface - Fix port definition for ctdb ports - Allow systemd domains to read /dev/urand - Dontaudit attempts for mozilla_plugin to append to /dev/random - Add label for /var/run/charon.* - Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service - Fix for nagios_services plugins - Fix some bugs in zoneminder policy - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - glusterd binds to random unreserved ports - Additional allow rules found by testing glusterfs - apcupsd needs to send a message to all users on the system so needs to look them up - Fix the label on ~/.juniper_networks - Dontaudit attempts for mozilla_plugin to append to /dev/random - Allow polipo_daemon to connect to flash ports - Allow gssproxy_t to create replay caches - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type- init reload from systemd_localed_t - Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd - Allow systemd_localed_t to ask systemd to reload the locale. - Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory - Allow readahead to read /dev/urand - Fix lots of avcs about tuned - Any file names xenstored in /var/log should be treated as xenstored_var_log_t - Allow tuned to inderact with hugepages - Allow condor domains to list etc rw dirs- Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Add additional fixes forpegasus_openlmi_account_t - Allow mdadm to read /dev/urand - Allow pegasus_openlmi_storage_t to create mdadm.conf and write it - Add label/rules for /etc/mdadm.conf - Allow pegasus_openlmi_storage_t to transition to fsadm_t - Fixes for interface definition problems - Dontaudit dovecot-deliver to gettatr on all fs dirs - Allow domains to search data_home_t directories - Allow cobblerd to connect to mysql - Allow mdadm to r/w kdump lock files - Add support for kdump lock files - Label zarafa-search as zarafa-indexer - Openshift cgroup wants to read /etc/passwd - Add new sandbox domains for kvm - Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on - Fix labeling for /usr/lib/systemd/system/lvm2.* - Add labeling for /usr/lib/systemd/system/lvm2.* - Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules - Add sshd_keygen_t policy for sshd-keygen - Fix alsa_home_filetrans interface name and definition - Allow chown for ssh_keygen_t - Add fs_dontaudit_getattr_all_dirs() - Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys - Fix up patch to allow systemd to manage home content - Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled - Allow getty to exec hostname to get info - Add systemd_home_t for ~/.local/share/systemd directory- Fix lxc labeling in config.tgz- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper - Allow tuned to search all file system directories - Allow alsa_t to sys_nice, to get top performance for sound management - Add support for MySQL/PostgreSQL for amavis - Allow openvpn_t to manage openvpn_var_log_t files. - Allow dirsrv_t to create tmpfs_t directories - Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label - Dontaudit leaked unix_stream_sockets into gnome keyring - Allow telepathy domains to inhibit pipes on telepathy domains - Allow cloud-init to domtrans to rpm - Allow abrt daemon to manage abrt-watch tmp files - Allow abrt-upload-watcher to search /var/spool directory - Allow nsswitch domains to manage own process key - Fix labeling for mgetty.* logs - Allow systemd to dbus chat with upower - Allow ipsec to send signull to itself - Allow setgid cap for ipsec_t - Match upstream labeling- Do not build sanbox pkg on MLS- wine_tmp is no longer needed - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind - Fix handling of fifo files of rpm - Allow mozilla_plugin to transition to itself - Allow certwatch to write to cert_t directories - New abrt application - Allow NetworkManager to set the kernel scheduler - Make wine_domain shared by all wine domains - Allow mdadm_t to read images labeled svirt_image_t - Allow amanda to read /dev/urand - ALlow my_print_default to read /dev/urand - Allow mdadm to write to kdumpctl fifo files - Allow nslcd to send signull to itself - Allow yppasswd to read /dev/urandom - Fix zarafa_setrlimit - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add additional alias for user_tmp_t because wine_tmp_t is no longer used - More handling of ther kernel keyring required by kerberos - New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed- Dontaudit attempts by sosreport to read shadow_t - Allow browser sandbox plugins to connect to cups to print - Add new label mpd_home_t - Label /srv/www/logs as httpd_log_t - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add labels for apache logs under miq package - Allow irc_t to use tcp sockets - fix labels in puppet.if - Allow tcsd to read utmp file - Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys - Define svirt_socket_t as a domain_type - Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t - Fix label on pam_krb5 helper apps- Allow ldconfig to write to kdumpctl fifo files - allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks- Allow block_suspend cap for samba-net - Allow t-mission-control to manage gabble cache files - Allow nslcd to read /sys/devices/system/cpu - Allow selinux_store to use symlinks- Allow xdm_t to transition to itself - Call neutron interfaces instead of quantum - Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t - Make sure directories in /run get created with the correct label - Make sure /root/.pki gets created with the right label - try to remove labeling for motion from zoneminder_exec_t to bin_t - Allow inetd_t to execute shell scripts - Allow cloud-init to read all domainstate - Fix to use quantum port - Add interface netowrkmanager_initrc_domtrans - Fix boinc_execmem - Allow t-mission-control to read gabble cache home - Add labeling for ~/.cache/telepathy/avatars/gabble - Allow memcache to read sysfs data - Cleanup antivirus policy and add additional fixes - Add boolean boinc_enable_execstack - Add support for couchdb in rabbitmq policy - Add interface couchdb_search_pid_dirs - Allow firewalld to read NM state - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files()- Split out rlogin ports from inetd - Treat files labeld as usr_t like bin_t when it comes to transitions - Allow staff_t to read login config - Allow ipsec_t to read .google authenticator data - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files() - Call the correct interface - corenet_udp_bind_ktalkd_port() - Allow all domains that can read gnome_config to read kde config - Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work - Allow mdadm to getattr any file system - Allow a confined domain to executes mozilla_exec_t via dbus - Allow cupsd_lpd_t to bind to the printer port - Dontaudit attempts to bind to ports < 1024 when nis is turned on - Allow apache domain to connect to gssproxy socket - Allow rlogind to bind to the rlogin_port - Allow telnetd to bind to the telnetd_port - Allow ktalkd to bind to the ktalkd_port - Allow cvs to bind to the cvs_port- Cleanup related to init_domain()+inetd_domain fixes - Use just init_domain instead of init_daemon_domain in inetd_core_service_domain - svirt domains neeed to create kobject_uevint_sockets - Lots of new access required for sosreport - Allow tgtd_t to connect to isns ports - Allow init_t to transition to all inetd domains: - openct needs to be able to create netlink_object_uevent_sockets - Dontaudit leaks into ldconfig_t - Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls - Move kernel_stream_connect into all Xwindow using users - Dontaudit inherited lock files in ifconfig o dhcpc_t- Also sock_file trans rule is needed in lsm - Fix labeling for fetchmail pid files/dirs - Add additional fixes for abrt-upload-watch - Fix polipo.te - Fix transition rules in asterisk policy - Add fowner capability to networkmanager policy - Allow polipo to connect to tor ports - Cleanup lsmd.if - Cleanup openhpid policy - Fix kdump_read_crash() interface - Make more domains as init domain - Fix cupsd.te - Fix requires in rpm_rw_script_inherited_pipes - Fix interfaces in lsm.if - Allow munin service plugins to manage own tmpfs files/dirs - Allow virtd_t also relabel unix stream sockets for virt_image_type - Make ktalk as init domain - Fix to define ktalkd_unit_file_t correctly - Fix ktalk.fc - Add systemd support for talk-server - Allow glusterd to create sock_file in /run - Allow xdm_t to delete gkeyringd_tmp_t files on logout - Add fixes for hypervkvp policy - Add logwatch_can_sendmail boolean - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb - Allow xdm_t to delete gkeyringd_tmp_t files on logout- Add selinux-policy-sandbox pkg0 - Allow rhsmcertd to read init state - Allow fsetid for pkcsslotd - Fix labeling for /usr/lib/systemd/system/pkcsslotd.service - Allow fetchmail to create own pid with correct labeling - Fix rhcs_domain_template() - Allow roles which can run mock to read mock lib files to view results - Allow rpcbind to use nsswitch - Fix lsm.if summary - Fix collectd_t can read /etc/passwd file - Label systemd unit files under dracut correctly - Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh - Add support for .Xauthority-n - Label umount.crypt as lvm_exec_t - Allow syslogd to search psad lib files - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files- Add policy for lsmd - Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory - Update condor_master rules to allow read system state info and allow logging - Add labeling for /etc/condor and allow condor domain to write it (bug) - Allow condor domains to manage own logs - Allow glusterd to read domains state - Fix initial hypervkvp policy - Add policy for hypervkvpd - Fix redis.if summary- Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984 - Allow named to manage own log files - Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t - Add virt_transition_userdomain boolean decl - Allow httpd_t to sendto unix_dgram sockets on its children - Allow nova domains to execute ifconfig - bluetooth wants to create fifo_files in /tmp - exim needs to be able to manage mailman data - Allow sysstat to getattr on all file systems - Looks like bluetoothd has moved - Allow collectd to send ping packets - Allow svirt_lxc domains to getpgid - Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff - Allow frpintd_t to read /dev/urandom - Allow asterisk_t to create sock_file in /var/run - Allow usbmuxd to use netlink_kobject - sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket - More cleanup of svirt_lxc policy - virtd_lxc_t now talks to dbus - Dontaudit leaked ptmx_t - Allow processes to use inherited fifo files - Allow openvpn_t to connect to squid ports - Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files - Allow user roles to connect to the journal socket- selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak - Allow xdm_t to create symlinks in log direcotries - Allow login programs to read afs config - Label 10933 as a pop port, for dovecot - New policy to allow selinux_server.py to run as semanage_t as a dbus service - Add fixes to make netlabelctl working on MLS - AVCs required for running sepolicy gui as staff_t - Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC - New dbus server to be used with new gui - After modifying some files in /etc/mail, I saw this needed on the next boot - Loading a vm from /usr/tmp with virt-manager - Clean up oracleasm policy for Fedora - Add oracleasm policy written by rlopez@redhat.com - Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache - Add label for /var/crash - Allow fenced to domtrans to sanclok_t - Allow nagios to manage nagios spool files - Make tfptd as home_manager - Allow kdump to read kcore on MLS system - Allow mysqld-safe sys_nice/sys_resource caps - Allow apache to search automount tmp dirs if http_use_nfs is enabled - Allow crond to transition to named_t, for use with unbound - Allow crond to look at named_conf_t, for unbound - Allow mozilla_plugin_t to transition its home content - Allow dovecot_domain to read all system and network state - Allow httpd_user_script_t to call getpw - Allow semanage to read pid files - Dontaudit leaked file descriptors from user domain into thumb - Make PAM authentication working if it is enabled in ejabberd - Add fixes for rabbit to fix ##992920,#992931 - Allow glusterd to mount filesystems - Loading a vm from /usr/tmp with virt-manager - Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device - Add fix for pand service - shorewall touches own log - Allow nrpe to list /var - Mozilla_plugin_roles can not be passed into lpd_run_lpr - Allow afs domains to read afs_config files - Allow login programs to read afs config - Allow virt_domain to read virt_var_run_t symlinks - Allow smokeping to send its process signals - Allow fetchmail to setuid - Add kdump_manage_crash() interface - Allow abrt domain to write abrt.socket- Add more aliases in pegasus.te - Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi provides. Fix naming and support for additionals - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec- Allow xdm_t to act as a dbus client to itsel - Allow fetchmail to resolve host names - Allow gnupg apps to write to pcscd socket - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te -httpd_t does access_check on certs- Add support for cmpiLMI_Service-cimprovagt - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t - Label pycmpiLMI_Software-cimprovagt as rpm_exec_t - Add support for pycmpiLMI_Storage-cimprovagt - Add support for cmpiLMI_Networking-cimprovagt - Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working - Allow virtual machines and containers to run as user doains, needed for virt-sandbox - Allow buglist.cgi to read cpu info- Allow systemd-tmpfile to handle tmp content in print spool dir - Allow systemd-sysctl to send system log messages - Add support for RTP media ports and fmpro-internal - Make auditd working if audit is configured to perform SINGLE action on disk error - Add interfaces to handle systemd units - Make systemd-notify working if pcsd is used - Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t - Instead of having all unconfined domains get all of the named transition rules, - Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. - Add definition for the salt ports - Allow xdm_t to create link files in xdm_var_run_t - Dontaudit reads of blk files or chr files leaked into ldconfig_t - Allow sys_chroot for useradd_t - Allow net_raw cap for ipsec_t - Allow sysadm_t to reload services - Add additional fixes to make strongswan working with a simple conf - Allow sysadm_t to enable/disable init_t services - Add additional glusterd perms - Allow apache to read lnk files in the /mnt directory - Allow glusterd to ask the kernel to load a module - Fix description of ftpd_use_fusefs boolean - Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t - Allow glusterds to request load a kernel module - Allow boinc to stream connect to xserver_t - Allow sblim domains to read /etc/passwd - Allow mdadm to read usb devices - Allow collectd to use ping plugin - Make foghorn working with SNMP - Allow sssd to read ldap certs - Allow haproxy to connect to RTP media ports - Add additional trans rules for aide_db - Add labeling for /usr/lib/pcsd/pcsd - Add labeling for /var/log/pcsd - Add support for pcs which is a corosync and pacemaker configuration tool- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1 - Allow all domains that can domtrans to shutdown, to start the power services script to shutdown - consolekit needs to be able to shut down system - Move around interfaces - Remove nfsd_rw_t and nfsd_ro_t, they don't do anything - Add additional fixes for rabbitmq_beam to allow getattr on mountpoints - Allow gconf-defaults-m to read /etc/passwd - Fix pki_rw_tomcat_cert() interface to support lnk_files- Add support for gluster ports - Make sure that all keys located in /etc/ssh/ are labeled correctly - Make sure apcuspd lock files get created with the correct label - Use getcap in gluster.te - Fix gluster policy - add additional fixes to allow beam.smp to interact with couchdb files - Additional fix for #974149 - Allow gluster to user gluster ports - Allow glusterd to transition to rpcd_t and add additional fixes for #980683 - Allow tgtd working when accessing to the passthrough device - Fix labeling for mdadm unit files- Add mdadm fixes- Fix definition of sandbox.disabled to sandbox.pp.disabled- Allow mdamd to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd pid content- Allow nsd_t to read /dev/urand - Allow mdadm_t to read framebuffer - Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t - Allow mozilla_plugin_config_t to create tmp files - Cleanup openvswitch policy - Allow mozilla plugin to getattr on all executables - Allow l2tpd_t to create fifo_files in /var/run - Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory - Allow mdadm to connecto its own unix_stream_socket - FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now. - Allow apache to access smokeping pid files - Allow rabbitmq_beam_t to getattr on all filesystems - Add systemd support for iodined - Allow nup_upsdrvctl_t to execute its entrypoint - Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch - add labeling for ~/.cache/libvirt-sandbox - Add interface to allow domains transitioned to by confined users to send sigchld to screen program - Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab - Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service - Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs. - Allow staff to getsched all domains, required to run htop - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Add prosody policy written by Michael Scherer - Allow nagios plugins to read /sys info - ntpd needs to manage own log files - Add support for HOME_DIR/.IBMERS - Allow iptables commands to read firewalld config - Allow consolekit_t to read utmp - Fix filename transitions on .razor directory - Add additional fixes to make DSPAM with LDA working - Allow snort to read /etc/passwd - Allow fail2ban to communicate with firewalld over dbus - Dontaudit openshift_cgreoup_file_t read/write leaked dev - Allow nfsd to use mountd port - Call th proper interface - Allow openvswitch to read sys and execute plymouth - Allow tmpwatch to read /var/spool/cups/tmp - Add support for /usr/libexec/telepathy-rakia - Add systemd support for zoneminder - Allow mysql to create files/directories under /var/log/mysql - Allow zoneminder apache scripts to rw zoneminder tmpfs - Allow httpd to manage zoneminder lib files - Add zoneminder_run_sudo boolean to allow to start zoneminder - Allow zoneminder to send mails - gssproxy_t sock_file can be under /var/lib - Allow web domains to connect to whois port. - Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. - We really need to add an interface to corenet to define what a web_client_domain is and - then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain. - Add labeling for cmpiLMI_LogicalFile-cimprovagt - Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules - Update policy rules for pegasus_openlmi_logicalfile_t - Add initial types for logicalfile/unconfined OpenLMI providers - mailmanctl needs to read own log - Allow logwatch manage own lock files - Allow nrpe to read meminfo - Allow httpd to read certs located in pki-ca - Add pki_read_tomcat_cert() interface - Add support for nagios openshift plugins - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. - Allow bootloader to manage generic log files - Allow ftp to bind to port 989 - Fix label of new gear directory - Add support for new directory /var/lib/openshift/gears/ - Add openshift_manage_lib_dirs() - allow virtd domains to manage setrans_var_run_t - Allow useradd to manage all openshift content - Add support so that mozilla_plugin_t can use dri devices - Allow chronyd to change the scheduler - Allow apmd to shut downthe system - Devicekit_disk_t needs to manage /etc/fstab- Make DSPAM to act as a LDA working - Allow ntop to create netlink socket - Allow policykit to send a signal to policykit-auth - Allow stapserver to dbus chat with avahi/systemd-logind - Fix labeling on haproxy unit file - Clean up haproxy policy - A new policy for haproxy and placed it to rhcs.te - Add support for ldirectord and treat it with cluster_t - Make sure anaconda log dir is created with var_log_t- Allow lvm_t to create default targets for filesystem handling - Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys for example) - Allow cobbler to execute apache with domain transition- condor_collector uses tcp/9000 - Label /usr/sbin/virtlockd as virtd_exec_t for now - Allow cobbler to execute ldconfig - Allow NM to execute ssh - Allow mdadm to read /dev/crash - Allow antivirus domains to connect to snmp port - Make amavisd-snmp working correctly - Allow nfsd_t to mounton nfsd_fs_t - Add initial snapper policy - We still need to have consolekit policy - Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow dirsrv to read network state - Fix pki_read_tomcat_lib_files - Add labeling for /usr/libexec/nm-ssh-service - Add label cert_t for /var/lib/ipa/pki-ca/publish - Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant - Allow nfsd_t to mounton nfsd_fs_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow passwd_t to change role to system_r from unconfined_r- Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices - Add labeling for new polcykit authorizor - Dontaudit access checks from fail2ban_client - Don't audit access checks by sandbox xserver on xdb var_lib - Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream - Fix labeling for all /usr/bim/razor-lightdm-* binaries - Add filename trans for /dev/md126p1- Make vdagent able to request loading kernel module - Add support for cloud-init make it as unconfined domain - Allow snmpd to run smartctl in fsadm_t domain - remove duplicate openshift_search_lib() interface - Allow mysqld to search openshift lib files - Allow openshift cgroup to interact with passedin file descriptors - Allow colord to list directories inthe users homedir - aide executes prelink to check files - Make sure cupsd_t creates content in /etc/cups with the correct label - Lest dontaudit apache read all domains, so passenger will not cause this avc - Allow gssd to connect to gssproxy - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS - Allow systemd-tmpfiles to relabel also lock files - Allow useradd to add homdir in /var/lib/openshift - Allow setfiles and semanage to write output to /run/files- Add labeling for /dev/tgt - Dontaudit leak fd from firewalld for modprobe - Allow runuser running as rpm_script_t to create netlink_audit socket - Allow mdadm to read BIOS non-volatile RAM- accountservice watches when accounts come and go in wtmp - /usr/java/jre1.7.0_21/bin/java needs to create netlink socket - Add httpd_use_sasl boolean - Allow net_admin for tuned_t - iscsid needs sys_module to auto-load kernel modules - Allow blueman to read bluetooth conf - Add nova_manage_lib_files() interface - Fix mplayer_filetrans_home_content() - Add mplayer_filetrans_home_content() - mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t - Revert "Allow thumb_t to append inherited xdm stream socket" - Add iscsi_filetrans_named_content() interface - Allow to create .mplayer with the correct labeling for unconfined - Allow iscsiadmin to create lock file with the correct labeling- Allow wine to manage wine home content - Make amanda working with socket actiovation - Add labeling for /usr/sbin/iscsiadm - Add support for /var/run/gssproxy.sock - dnsmasq_t needs to read sysctl_net_t- Fix courier_domain_template() interface - Allow blueman to write ip_forward - Allow mongodb to connect to mongodb port - Allow mongodb to connect to mongodb port - Allow java to bind jobss_debug port - Fixes for *_admin interfaces - Allow iscsid auto-load kernel modules needed for proper iSCSI functionality - Need to assign attribute for courier_domain to all courier_domains - Fail2ban reads /etc/passwd - postfix_virtual will create new files in postfix_spool_t - abrt triggers sys_ptrace by running pidof - Label ~/abc as mozilla_home_t, since java apps as plugin want to create it - Add passenger fixes needed by foreman - Remove dup interfaces - Add additional interfaces for quantum - Add new interfaces for dnsmasq - Allow passenger to read localization and send signull to itself - Allow dnsmasq to stream connect to quantum - Add quantum_stream_connect() - Make sure that mcollective starts the service with the correct labeling - Add labels for ~/.manpath - Dontaudit attempts by svirt_t to getpw* calls - sandbox domains are trying to look at parent process data - Allow courior auth to create its pid file in /var/spool/courier subdir - Add fixes for beam to have it working with couchdb - Add labeling for /run/nm-xl2tpd.con - Allow apache to stream connect to thin - Add systemd support for amand - Make public types usable for fs mount points - Call correct mandb interface in domain.te - Allow iptables to r/w quantum inherited pipes and send sigchld - Allow ifconfig domtrans to iptables and execute ldconfig - Add labels for ~/.manpath - Allow systemd to read iscsi lib files - seunshare is trying to look at parent process data- Fix openshift_search_lib - Add support for abrt-uefioops-oops - Allow colord to getattr any file system - Allow chrome processes to look at each other - Allow sys_ptrace for abrt_t - Add new policy for gssproxy - Dontaudit leaked file descriptor writes from firewalld - openshift_net_type is interface not template - Dontaudit pppd to search gnome config - Update openshift_search_lib() interface - Add fs_list_pstorefs() - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 - Better labels for raspberry pi devices - Allow init to create devpts_t directory - Temporarily label rasbery pi devices as memory_device_t, needs back port to f18 - Allow sysadm_t to build kernels - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 - Allow userdomains to stream connect to gssproxy - Dontaudit leaked file descriptor writes from firewalld - Allow xserver to read /dev/urandom - Add additional fixes for ipsec-mgmt - Make SSHing into an Openshift Enterprise Node working- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime - with the proper label. - Update files_filetrans_named_content() interface to get right labeling for pam.d conf files - Allow systemd-timedated to create adjtime - Add clock_create_adjtime() - Additional fix ifconfing for #966106 - Allow kernel_t to create boot.log with correct labeling - Remove unconfined_mplayer for which we don't have rules - Rename interfaces - Add userdom_manage_user_home_files/dirs interfaces - Fix files_dontaudit_read_all_non_security_files - Fix ipsec_manage_key_file() - Fix ipsec_filetrans_key_file() - Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t - Fix labeling for ipse.secrets - Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid - Add files_dontaudit_read_all_non_security_files() interface - /var/log/syslog-ng should be labeled var_log_t - Make ifconfig_var_run_t a mountpoint - Add transition from ifconfig to dnsmasq - Allow ifconfig to execute bin_t/shell_exec_t - We want to have hwdb.bin labeled as etc_t - update logging_filetrans_named_content() interface - Allow systemd_timedate_t to manage /etc/adjtime - Allow NM to send signals to l2tpd - Update antivirus_can_scan_system boolean - Allow devicekit_disk_t to sys_config_tty - Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories - Make printing from vmware working - Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes - Add virt_qemu_ga_data_t for qemu-ga - Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both - Fix typo in virt.te - Add virt_qemu_ga_unconfined_t for hook scripts - Make sure NetworkManager files get created with the correct label - Add mozilla_plugin_use_gps boolean - Fix cyrus to have support for net-snmp - Additional fixes for dnsmasq and quantum for #966106 - Add plymouthd_create_log() - remove httpd_use_oddjob for which we don't have rules - Add missing rules for httpd_can_network_connect_cobbler - Add missing cluster_use_execmem boolean - Call userdom_manage_all_user_home_type_files/dirs - Additional fix for ftp_home_dir - Fix ftp_home_dir boolean - Allow squit to recv/send client squid packet - Fix nut.te to have nut_domain attribute - Add support for ejabberd; TODO: revisit jabberd and rabbit policy - Fix amanda policy - Add more fixes for domains which use libusb - Make domains which use libusb working correctly - Allow l2tpd to create ipsec key files with correct labeling and manage them - Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files - Allow rabbitmq-beam to bind generic node - Allow l2tpd to read ipse-mgmt pid files - more fixes for l2tpd, NM and pppd from #967072- Dontaudit to getattr on dirs for dovecot-deliver - Allow raiudusd server connect to postgresql socket - Add kerberos support for radiusd - Allow saslauthd to connect to ldap port - Allow postfix to manage postfix_private_t files - Add chronyd support for #965457 - Fix labeling for HOME_DIR/\.icedtea - CHange squid and snmpd to be allowed also write own logs - Fix labeling for /usr/libexec/qemu-ga - Allow virtd_t to use virt_lock_t - Allow also sealert to read the policy from the kernel - qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content - Dontaudit listing of users homedir by sendmail Seems like a leak - Allow passenger to transition to puppet master - Allow apache to connect to mythtv - Add definition for mythtv ports- Add additional fixes for #948073 bug - Allow sge_execd_t to also connect to sge ports - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files - Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files - Add networkmanager_stream_connect() - Make gnome-abrt wokring with staff_t - Fix openshift_manage_lib_files() interface - mdadm runs ps command which seems to getattr on random log files - Allow mozilla_plugin_t to create pulseaudit_home_t directories - Allow qemu-ga to shutdown virtual hosts - Add labelling for cupsd-browsed - Add web browser plugins to connect to aol ports - Allow nm-dhcp-helper to stream connect to NM - Add port definition for sge ports- Make sure users and unconfined domains create .hushlogin with the correct label - Allow pegaus to chat with realmd over DBus - Allow cobblerd to read network state - Allow boicn-client to stat on /dev/input/mice - Allow certwatch to read net_config_t when it executes apache - Allow readahead to create /run/systemd and then create its own directory with the correct label- Transition directories and files when in a user_tmp_t directory - Change certwatch to domtrans to apache instead of just execute - Allow virsh_t to read xen lib files - update policy rules for pegasus_openlmi_account_t - Add support for svnserve_tmp_t - Activate account openlmi policy - pegasus_openlmi_domain_template needs also require pegasus_t - One more fix for policykit.te - Call fs_list_cgroups_dirs() in policykit.te - Allow nagios service plugin to read mysql config files - Add labeling for /var/svn - Fix chrome.te - Fix pegasus_openlmi_domain_template() interfaces - Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks - Fix location of google-chrome data - Add support for chome_sandbox to store content in the homedir - Allow policykit to watch for changes in cgroups file system - Add boolean to allow mozilla_plugin_t to use spice - Allow collectd to bind to udp port - Allow collected_t to read all of /proc - Should use netlink socket_perms - Should use netlink socket_perms - Allow glance domains to connect to apache ports - Allow apcupsd_t to manage its log files - Allow chrome objects to rw_inherited unix_stream_socket from callers - Allow staff_t to execute virtd_exec_t for running vms - nfsd_t needs to bind mountd port to make nfs-mountd.service working - Allow unbound net_admin capability because of setsockopt syscall - Fix fs_list_cgroup_dirs() - Label /usr/lib/nagios/plugins/utils.pm as bin_t - Remove uplicate definition of fs_read_cgroup_files() - Remove duplicate definition of fs_read_cgroup_files() - Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd - Additional interfaces needed to list and read cgroups config - Add port definition for collectd port - Add labels for /dev/ptp* - Allow staff_t to execute virtd_exec_t for running vms- Allow samba-net to also read realmd tmp files - Allow NUT to use serial ports - realmd can be started by systemctl now- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly - Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t - Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid - Allow virsh to read xen lock file - Allow qemu-ga to create files in /run with proper labeling - Allow glusterd to connect to own socket in /tmp - Allow glance-api to connect to http port to make glance image-create working - Allow keystonte_t to execute rpm- Fix realmd cache interfaces- Allow tcpd to execute leafnode - Allow samba-net to read realmd cache files - Dontaudit sys_tty_config for alsactl - Fix allow rules for postfix_var_run - Allow cobblerd to read /etc/passwd - Allow pegasus to read exports - Allow systemd-timedate to read xdm state - Allow mout to stream connect to rpcbind - Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki- Allow thumbnails to share memory with apps which run thumbnails - Allow postfix-postqueue block_suspend - Add lib interfaces for smsd - Add support for nginx - Allow s2s running as jabberd_t to connect to jabber_interserver_port_t - Allow pki apache domain to create own tmp files and execute httpd_suexec - Allow procmail to manger user tmp files/dirs/lnk_files - Add virt_stream_connect_svirt() interface - Allow dovecot-auth to execute bin_t - Allow iscsid to request that kernel load a kernel module - Add labeling support for /var/lib/mod_security - Allow iw running as tuned_t to create netlink socket - Dontaudit sys_tty_config for thumb_t - Add labeling for nm-l2tp-service - Allow httpd running as certwatch_t to open tcp socket - Allow useradd to manager smsd lib files - Allow useradd_t to add homedirs in /var/lib - Fix typo in userdomain.te - Cleanup userdom_read_home_certs - Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t - Allow staff to stream connect to svirt_t to make gnome-boxes working- Allow lvm to create its own unit files - Label /var/lib/sepolgen as selinux_config_t - Add filetrans rules for tw devices - Add transition from cupsd_config_t to cupsd_t- Add filetrans rules for tw devices - Cleanup bad transition lines- Fix lockdev_manage_files() - Allow setroubleshootd to read var_lib_t to make email_alert working - Add lockdev_manage_files() - Call proper interface in virt.te - Allow gkeyring_domain to create /var/run/UID/config/dbus file - system dbus seems to be blocking suspend - Dontaudit attemps to sys_ptrace, which I believe gpsd does not need - When you enter a container from root, you generate avcs with a leaked file descriptor - Allow mpd getattr on file system directories - Make sure realmd creates content with the correct label - Allow systemd-tty-ask to write kmsg - Allow mgetty to use lockdev library for device locking - Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music - When you enter a container from root, you generate avcs with a leaked file descriptor - Make sure init.fc files are labeled correctly at creation - File name trans vconsole.conf - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow certmonger to dbus communicate with realmd - Make realmd working- Fix mozilla specification of homedir content - Allow certmonger to read network state - Allow tmpwatch to read tmp in /var/spool/{cups,lpd} - Label all nagios plugin as unconfined by default - Add httpd_serve_cobbler_files() - Allow mdadm to read /dev/sr0 and create tmp files - Allow certwatch to send mails - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow realmd to run ipa, really needs to be an unconfined_domain - Allow sandbox domains to use inherted terminals - Allow pscd to use devices labeled svirt_image_t in order to use cat cards. - Add label for new alsa pid - Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition - Add support for sshd_unit_file_t - Add oracleasmfs_t - Allow unlabeled_t files to be stored on unlabeled_t filesystems- Fix description of deny_ptrace boolean - Remove allow for execmod lib_t for now - Allow quantum to connect to keystone port - Allow nova-console to talk with mysql over unix stream socket - Allow dirsrv to stream connect to uuidd - thumb_t needs to be able to create ~/.cache if it does not exist - virtd needs to be able to sys_ptrace when starting and stoping containers- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms... - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets - Fix deny_ptrace boolean, certain ptrace leaked into the system - Allow winbind to manage kerberos_rcache_host - Allow spamd to create spamd_var_lib_t directories - Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs - Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs - Fix vmware_role() interface - Fix cobbler_manage_lib_files() interface - Allow nagios check disk plugins to execute bin_t - Allow quantum to transition to openvswitch_t - Allow postdrop to stream connect to postfix-master - Allow quantum to stream connect to openvswitch - Add xserver_dontaudit_xdm_rw_stream_sockets() interface - Allow daemon to send dgrams to initrc_t - Allow kdm to start the power service to initiate a reboot or poweroff- Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Don't audit attempts to write to stream socket of nscld by thumbnailers - Allow git_system_t to read network state - Allow pegasas to execute mount command - Fix desc for drdb_admin - Fix condor_amin() - Interface fixes for uptime, vdagent, vnstatd - Fix labeling for moodle in /var/www/moodle/data - Add interface fixes - Allow bugzilla to read certs - /var/www/moodle needs to be writable by apache - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Fix namespace_init_t to create content with proper labels, and allow it to manage all user content - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Fix sys_nice for cups_domain - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Kernel_t needs mac_admin in order to support labeled NFS - Fix systemd_dontaudit_dbus_chat() interface - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Allow consolehelper domain to write Xauth files in /root - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Allow consolehelper more access discovered by Tom London - Allow fsdaemon to send signull to all domain - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Fix file_contexts.subs to label /run/lock correctly- Try to label on controlC devices up to 30 correctly - Add mount_rw_pid_files() interface - Add additional mount/umount interfaces needed by mock - fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk - Fix tabs - Allow initrc_domain to search rgmanager lib files - Add more fixes which make mock working together with confined users * Allow mock_t to manage rpm files * Allow mock_t to read rpm log files * Allow mock to setattr on tmpfs, devpts * Allow mount/umount filesystems - Add rpm_read_log() interface - yum-cron runs rpm from within it. - Allow tuned to transition to dmidecode - Allow firewalld to do net_admin - Allow mock to unmont tmpfs_t - Fix virt_sigkill() interface - Add additional fixes for mock. Mainly caused by mount running in mock_t - Allow mock to write sysfs_t and mount pid files - Add mailman_domain to mailman_template() - Allow openvswitch to execute shell - Allow qpidd to use kerberos - Allow mailman to use fusefs, needs back port to RHEL6 - Allow apache and its scripts to use anon_inodefs - Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 - Realmd needs to connect to samba ports, needs back port to F18 also - Allow colord to read /run/initial-setup- - Allow sanlock-helper to send sigkill to virtd which is registred to sanlock - Add virt_kill() interface - Add rgmanager_search_lib() interface - Allow wdmd to getattr on all filesystems. Back ported from RHEL6- Allow realmd to create tmp files - FIx ircssi_home_t type to irssi_home_t - Allow adcli running as realmd_t to connect to ldap port - Allow NetworkManager to transition to ipsec_t, for running strongswan - Make openshift_initrc_t an lxc_domain - Allow gssd to manage user_tmp_t files - Fix handling of irclogs in users homedir - Fix labeling for drupal an wp-content in subdirs of /var/www/html - Allow abrt to read utmp_t file - Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6 - fix labeling for (oo|rhc)-restorer-wrapper.sh - firewalld needs to be able to write to network sysctls - Fix mozilla_plugin_dontaudit_rw_sem() interface - Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains - Add mozilla_plugin_dontaudit_rw_sem() interface - Allow svirt_lxc_t to transition to openshift domains - Allow condor domains block_suspend and dac_override caps - Allow condor_master to read passd - Allow condor_master to read system state - Allow NetworkManager to transition to ipsec_t, for running strongswan - Lots of access required by lvm_t to created encrypted usb device - Allow xdm_t to dbus communicate with systemd_localed_t - Label strongswan content as ipsec_exec_mgmt_t for now - Allow users to dbus chat with systemd_localed - Fix handling of .xsession-errors in xserver.if, so kde will work - Might be a bug but we are seeing avc's about people status on init_t:service - Make sure we label content under /var/run/lock as <> - Allow daemon and systemprocesses to search init_var_run_t directory - Add boolean to allow xdm to write xauth data to the home directory - Allow mount to write keys for the unconfined domain - Add unconfined_write_keys() interface- Add labeling for /usr/share/pki - Allow programs that read var_run_t symlinks also read var_t symlinks - Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports - Fix labeling for /etc/dhcp directory - add missing systemd_stub_unit_file() interface - Add files_stub_var() interface - Add lables for cert_t directories - Make localectl set-x11-keymap working at all - Allow abrt to manage mock build environments to catch build problems. - Allow virt_domains to setsched for running gdb on itself - Allow thumb_t to execute user home content - Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 - Allow certwatch to execut /usr/bin/httpd - Allow cgred to send signal perms to itself, needs back port to RHEL6 - Allow openshift_cron_t to look at quota - Allow cups_t to read inhered tmpfs_t from the kernel - Allow yppasswdd to use NIS - Tuned wants sys_rawio capability - Add ftpd_use_fusefs boolean - Allow dirsrvadmin_t to signal itself- Allow localectl to read /etc/X11/xorg.conf.d directory - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" - Allow mount to transition to systemd_passwd_agent - Make sure abrt directories are labeled correctly - Allow commands that are going to read mount pid files to search mount_var_run_t - label /usr/bin/repoquery as rpm_exec_t - Allow automount to block suspend - Add abrt_filetrans_named_content so that abrt directories get labeled correctly - Allow virt domains to setrlimit and read file_context- Allow nagios to manage nagios spool files - /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6 - Add swift_alias.* policy files which contain typealiases for swift types - Add support for /run/lock/opencryptoki - Allow pkcsslotd chown capability - Allow pkcsslotd to read passwd - Add rsync_stub() interface - Allow systemd_timedate also manage gnome config homedirs - Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t - Fix filetrans rules for kdm creates .xsession-errors - Allow sytemd_tmpfiles to create wtmp file - Really should not label content under /var/lock, since it could have labels on it different from var_lock_t - Allow systemd to list all file system directories - Add some basic stub interfaces which will be used in PRODUCT policies- Fix log transition rule for cluster domains - Start to group all cluster log together - Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update - cups uses usbtty_device_t devices - These fixes were all required to build a MLS virtual Machine with single level desktops - Allow domains to transiton using httpd_exec_t - Allow svirt domains to manage kernel key rings - Allow setroubleshoot to execute ldconfig - Allow firewalld to read generate gnome data - Allow bluetooth to read machine-info - Allow boinc domain to send signal to itself - Fix gnome_filetrans_home_content() interface - Allow mozilla_plugins to list apache modules, for use with gxine - Fix labels for POkemon in the users homedir - Allow xguest to read mdstat - Dontaudit virt_domains getattr on /dev/* - These fixes were all required to build a MLS virtual Machine with single level desktops - Need to back port this to RHEL6 for openshift - Add tcp/8891 as milter port - Allow nsswitch domains to read sssd_var_lib_t files - Allow ping to read network state. - Fix typo - Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them- Adopt swift changes from lhh@redhat.com - Add rhcs_manage_cluster_pid_files() interface - Allow screen domains to configure tty and setup sock_file in ~/.screen directory - ALlow setroubleshoot to read default_context_t, needed to backport to F18 - Label /etc/owncloud as being an apache writable directory - Allow sshd to stream connect to an lxc domain- Allow postgresql to manage rgmanager pid files - Allow postgresql to read ccs data - Allow systemd_domain to send dbus messages to policykit - Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them - All systemd domains that create content are reading the file_context file and setfscreate - Systemd domains need to search through init_var_run_t - Allow sshd to communicate with libvirt to set containers labels - Add interface to manage pid files - Allow NetworkManger_t to read /etc/hostname - Dontaudit leaked locked files into openshift_domains - Add fixes for oo-cgroup-read - it nows creates tmp files - Allow gluster to manage all directories as well as files - Dontaudit chrome_sandbox_nacl_t using user terminals - Allow sysstat to manage its own log files - Allow virtual machines to setrlimit and send itself signals. - Add labeling for /var/run/hplip- Fix POSTIN scriptlet- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp- Fix authconfig.py labeling - Make any domains that write homedir content do it correctly - Allow glusterd to read/write anyhwere on the file system by default - Be a little more liberal with the rsync log files - Fix iscsi_admin interface - Allow iscsid_t to read /dev/urand - Fix up iscsi domain for use with unit files - Add filename transition support for spamassassin policy - Allow web plugins to use badly formated libraries - Allow nmbd_t to create samba_var_t directories - Add filename transition support for spamassassin policy - Add filename transition support for tvtime - Fix alsa_home_filetrans_alsa_home() interface - Move all userdom_filetrans_home_content() calling out of booleans - Allow logrotote to getattr on all file sytems - Remove duplicate userdom_filetrans_home_content() calling - Allow kadmind to read /etc/passwd - Dontaudit append .xsession-errors file on ecryptfs for policykit-auth - Allow antivirus domain to manage antivirus db links - Allow logrotate to read /sys - Allow mandb to setattr on man dirs - Remove mozilla_plugin_enable_homedirs boolean - Fix ftp_home_dir boolean - homedir mozilla filetrans has been moved to userdom_home_manager - homedir telepathy filetrans has been moved to userdom_home_manager - Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd() - Might want to eventually write a daemon on fusefsd. - Add policy fixes for sshd [net] child from plautrba@redhat.com - Tor uses a new port - Remove bin_t for authconfig.py - Fix so only one call to userdom_home_file_trans - Allow home_manager_types to create content with the correctl label - Fix all domains that write data into the homedir to do it with the correct label - Change the postgresql to use proper boolean names, which is causing httpd_t to - not get access to postgresql_var_run_t - Hostname needs to send syslog messages - Localectl needs to be able to send dbus signals to users - Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default - Allow user_home_manger domains to create spam* homedir content with correct labeling - Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling - Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working - Declare userdom_filetrans_type attribute - userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute - fusefsd is mounding a fuse file system on /run/user/UID/gvfs- Man pages are now generated in the build process - Allow cgred to list inotifyfs filesystem- Allow gluster to get attrs on all fs - New access required for virt-sandbox - Allow dnsmasq to execute bin_t - Allow dnsmasq to create content in /var/run/NetworkManager - Fix openshift_initrc_signal() interface - Dontaudit openshift domains doing getattr on other domains - Allow consolehelper domain to communicate with session bus - Mock should not be transitioning to any other domains, we should keep mock_t as mock_t - Update virt_qemu_ga_t policy - Allow authconfig running from realmd to restart oddjob service - Add systemd support for oddjob - Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd - Add labeling for gnashpluginrc - Allow chrome_nacl to execute /dev/zero - Allow condor domains to read /proc - mozilla_plugin_t will getattr on /core if firefox crashes - Allow condor domains to read /etc/passwd - Allow dnsmasq to execute shell scripts, openstack requires this access - Fix glusterd labeling - Allow virtd_t to interact with the socket type - Allow nmbd_t to override dac if you turned on sharing all files - Allow tuned to created kobject_uevent socket - Allow guest user to run fusermount - Allow openshift to read /proc and locale - Allow realmd to dbus chat with rpm - Add new interface for virt - Remove depracated interfaces - Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket - /usr/share/munin/plugins/plugin.sh should be labeled as bin_t - Remove some more unconfined_t process transitions, that I don't believe are necessary - Stop transitioning uncofnined_t to checkpc - dmraid creates /var/lock/dmraid - Allow systemd_localed to creatre unix_dgram_sockets - Allow systemd_localed to write kernel messages. - Also cleanup systemd definition a little. - Fix userdom_restricted_xwindows_user_template() interface - Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t - User accounts need to dbus chat with accountsd daemon - Gnome requires all users to be able to read /proc/1/- virsh now does a setexeccon call - Additional rules required by openshift domains - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work - Allow spamd_update_t to search spamc_home_t - Avcs discovered by mounting an isci device under /mnt - Allow lspci running as logrotate to read pci.ids - Additional fix for networkmanager_read_pid_files() - Fix networkmanager_read_pid_files() interface - Allow all svirt domains to connect to svirt_socket_t - Allow virsh to set SELinux context for a process. - Allow tuned to create netlink_kobject_uevent_socket - Allow systemd-timestamp to set SELinux context - Add support for /var/lib/systemd/linger - Fix ssh_sysadm_login to be working on MLS as expected- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file - Add missing files_rw_inherited_tmp_files interface - Add additional interface for ecryptfs - ALlow nova-cert to connect to postgresql - Allow keystone to connect to postgresql - Allow all cups domains to getattr on filesystems - Allow pppd to send signull - Allow tuned to execute ldconfig - Allow gpg to read fips_enabled - Add additional fixes for ecryptfs - Allow httpd to work with posgresql - Allow keystone getsched and setsched- Allow gpg to read fips_enabled - Add support for /var/cache/realmd - Add support for /usr/sbin/blazer_usb and systemd support for nut - Add labeling for fenced_sanlock and allow sanclok transition to fenced_t - bitlbee wants to read own log file - Allow glance domain to send a signal itself - Allow xend_t to request that the kernel load a kernel module - Allow pacemaker to execute heartbeat lib files - cleanup new swift policy- Fix smartmontools - Fix userdom_restricted_xwindows_user_template() interface - Add xserver_xdm_ioctl_log() interface - Allow Xusers to ioctl lxdm.log to make lxdm working - Add MLS fixes to make MLS boot/log-in working - Add mls_socket_write_all_levels() also for syslogd - fsck.xfs needs to read passwd - Fix ntp_filetrans_named_content calling in init.te - Allow postgresql to create pg_log dir - Allow sshd to read rsync_data_t to make rsync working - Change ntp.conf to be labeled net_conf_t - Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it - Allow xdm_t to execute gstreamer home content - Allod initrc_t and unconfined domains, and sysadm_t to manage ntp - New policy for openstack swift domains - More access required for openshift_cron_t - Use cupsd_log_t instead of cupsd_var_log_t - rpm_script_roles should be used in rpm_run - Fix rpm_run() interface - Fix openshift_initrc_run() - Fix sssd_dontaudit_stream_connect() interface - Fix sssd_dontaudit_stream_connect() interface - Allow LDA's job to deliver mail to the mailbox - dontaudit block_suspend for mozilla_plugin_t - Allow l2tpd_t to all signal perms - Allow uuidgen to read /dev/random - Allow mozilla-plugin-config to read power_supply info - Implement cups_domain attribute for cups domains - We now need access to user terminals since we start by executing a command outside the tty - We now need access to user terminals since we start by executing a command outside the tty - svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen - Add containment of openshift cron jobs - Allow system cron jobs to create tmp directories - Make userhelp_conf_t a config file - Change rpm to use rpm_script_roles - More fixes for rsync to make rsync wokring - Allow logwatch to domtrans to mdadm - Allow pacemaker to domtrans to ifconfig - Allow pacemaker to setattr on corosync.log - Add pacemaker_use_execmem for memcheck-amd64 command - Allow block_suspend capability - Allow create fifo_file in /tmp with pacemaker_tmp_t - Allow systat to getattr on fixed disk - Relabel /etc/ntp.conf to be net_conf_t - ntp_admin should create files in /etc with the correct label - Add interface to create ntp_conf_t files in /etc - Add additional labeling for quantum - Allow quantum to execute dnsmasq with transition- boinc_cliean wants also execmem as boinc projecs have - Allow sa-update to search admin home for /root/.spamassassin - Allow sa-update to search admin home for /root/.spamassassin - Allow antivirus domain to read net sysctl - Dontaudit attempts from thumb_t to connect to ssd - Dontaudit attempts by readahead to read sock_files - Dontaudit attempts by readahead to read sock_files - Create tmpfs file while running as wine as user_tmpfs_t - Dontaudit attempts by readahead to read sock_files - libmpg ships badly created librarie- Change ssh_use_pts to use macro and only inherited sshd_devpts_t - Allow confined users to read systemd_logind seat information - libmpg ships badly created libraries - Add support for strongswan.service - Add labeling for strongswan - Allow l2tpd_t to read network manager content in /run directory - Allow rsync to getattr any file in rsync_data_t - Add labeling and filename transition for .grl-podcasts- mount.glusterfs executes glusterfsd binary - Allow systemd_hostnamed_t to stream connect to systemd - Dontaudit any user doing a access check - Allow obex-data-server to request the kernel to load a module - Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info) - Allow gpg-agent to read /proc/sys/crypto/fips_enabled - Add new types for antivirus.pp policy module - Allow gnomesystemmm_t caps because of ioprio_set - Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t - Allow gnomesystemmm_t caps because of ioprio_set - Allow NM rawip socket - files_relabel_non_security_files can not be used with boolean - Add interface to thumb_t dbus_chat to allow it to read remote process state - ALlow logrotate to domtrans to mdadm_t - kde gnomeclock wants to write content to /tmp- kde gnomeclock wants to write content to /tmp - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde - Allow blueman_t to rwx zero_device_t, for some kind of jre - Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre - Ftp full access should be allowed to create directories as well as files - Add boolean to allow rsync_full_acces, so that an rsync server can write all - over the local machine - logrotate needs to rotate logs in openshift directories, needs back port to RHEL6 - Add missing vpnc_roles type line - Allow stapserver to write content in /tmp - Allow gnome keyring to create keyrings dir in ~/.local/share - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Add interface to colord_t dbus_chat to allow it to read remote process state - Allow colord_t to read cupsd_t state - Add mate-thumbnail-font as thumnailer - Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data. - Allow qpidd to list /tmp. Needed by ssl - Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18 - - Added systemd support for ksmtuned - Added booleans ksmtuned_use_nfs ksmtuned_use_cifs - firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow - Looks like qpidd_t needs to read /dev/random - Lots of probing avc's caused by execugting gpg from staff_t - Dontaudit senmail triggering a net_admin avc - Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port - Logwatch does access check on mdadm binary - Add raid_access_check_mdadm() iterface- Fix systemd_manage_unit_symlinks() interface - Call systemd_manage_unit_symlinks(() which is correct interface - Add filename transition for opasswd - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow sytstemd-timedated to get status of init_t - Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t - colord needs to communicate with systemd and systemd_logind, also remove duplicate rules - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow gpg_t to manage all gnome files - Stop using pcscd_read_pub_files - New rules for xguest, dontaudit attempts to dbus chat - Allow firewalld to create its mmap files in tmpfs and tmp directories - Allow firewalld to create its mmap files in tmpfs and tmp directories - run unbound-chkconf as named_t, so it can read dnssec - Colord is reading xdm process state, probably reads state of any apps that sends dbus message - Allow mdadm_t to change the kernel scheduler - mythtv policy - Update mandb_admin() interface - Allow dsspam to listen on own tpc_socket - seutil_filetrans_named_content needs to be optional - Allow sysadm_t to execute content in his homedir - Add attach_queue to tun_socket, new patch from Paul Moore - Change most of selinux configuration types to security_file_type. - Add filename transition rules for selinux configuration - ssh into a box with -X -Y requires ssh_use_ptys - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Allow all unpriv userdomains to send dbus messages to hostnamed and timedated - New allow rules found by Tom London for systemd_hostnamed- Allow systemd-tmpfiles to relabel lpd spool files - Ad labeling for texlive bash scripts - Add xserver_filetrans_fonts_cache_home_content() interface - Remove duplicate rules from *.te - Add support for /var/lock/man-db.lock - Add support for /var/tmp/abrt(/.*)? - Add additional labeling for munin cgi scripts - Allow httpd_t to read munin conf files - Allow certwatch to read meminfo - Fix nscd_dontaudit_write_sock_file() interfac - Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t - llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling- Allow gnomeclock to talk to puppet over dbus - Allow numad access discovered by Dominic - Add support for HOME_DIR/.maildir - Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain - Allow udev to relabel udev_var_run_t lnk_files - New bin_t file in mcelog- Remove all mcs overrides and replace with t1 != mcs_constrained_types - Add attribute_role for iptables - mcs_process_set_categories needs to be called for type - Implement additional role_attribute statements - Sodo domain is attempting to get the additributes of proc_kcore_t - Unbound uses port 8953 - Allow svirt_t images to compromise_kernel when using pci-passthrough - Add label for dns lib files - Bluetooth aquires a dbus name - Remove redundant files_read_usr_file calling - Remove redundant files_read_etc_file calling - Fix mozilla_run_plugin() - Add role_attribute support for more domains- Mass merge with upstream- Bump the policy version to 28 to match selinux userspace - Rebuild versus latest libsepol- Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Add labeling for /var/named/chroot/etc/localtim- Allow setroubleshoot_fixit to execute rpm - zoneminder needs to connect to httpd ports where remote cameras are listening - Allow firewalld to execute content created in /run directory - Allow svirt_t to read generic certs - Dontaudit leaked ps content to mozilla plugin - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - init scripts are creating systemd_unit_file_t directories- systemd_logind_t is looking at all files under /run/user/apache - Allow systemd to manage all user tmp files - Add labeling for /var/named/chroot/etc/localtime - Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6 - Keystone is now using a differnt port - Allow xdm_t to use usbmuxd daemon to control sound - Allow passwd daemon to execute gnome_exec_keyringd - Fix chrome_sandbox policy - Add labeling for /var/run/checkquorum-timer - More fixes for the dspam domain, needs back port to RHEL6 - More fixes for the dspam domain, needs back port to RHEL6 - sssd needs to connect to kerberos password port if a user changes his password - Lots of fixes from RHEL testing of dspam web - Allow chrome and mozilla_plugin to create msgq and semaphores - Fixes for dspam cgi scripts - Fixes for dspam cgi scripts - Allow confine users to ptrace screen - Backport virt_qemu_ga_t changes from RHEL - Fix labeling for dspam.cgi needed for RHEL6 - We need to back port this policy to RHEL6, for lxc domains - Dontaudit attempts to set sys_resource of logrotate - Allow corosync to read/write wdmd's tmpfs files - I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set - Allow cron jobs to read bind config for unbound - libvirt needs to inhibit systemd - kdumpctl needs to delete boot_t files - Fix duplicate gnome_config_filetrans - virtd_lxc_t is using /dev/fuse - Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift - apcupsd can be setup to listen to snmp trafic - Allow transition from kdumpgui to kdumpctl - Add fixes for munin CGI scripts - Allow deltacloud to connect to openstack at the keystone port - Allow domains that transition to svirt domains to be able to signal them - Fix file context of gstreamer in .cache directory - libvirt is communicating with logind - NetworkManager writes to the systemd inhibit pipe- Allow munin disk plugins to get attributes of all directories - Allow munin disk plugins to get attributes of all directorie - Allow logwatch to get attributes of all directories - Fix networkmanager_manage_lib() interface - Fix gnome_manage_config() to allow to manage sock_file - Fix virtual_domain_context - Add support for dynamic DNS for DHCPv6- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch - Add additional labeling for /var/www/openshift/broker - Fix rhev policy - Allow openshift_initrc domain to dbus chat with systemd_logind - Allow httpd to getattr passenger log file if run_stickshift - Allow consolehelper-gtk to connect to xserver - Add labeling for the tmp-inst directory defined in pam_namespace.conf - Add lvm_metadata_t labeling for /etc/multipath- consoletype is no longer used- Add label for efivarfs - Allow certmonger to send signal to itself - Allow plugin-config to read own process status - Add more fixes for pacemaker - apache/drupal can run clamscan on uploaded content - Allow chrome_sandbox_nacl_t to read pid 1 content- Fix MCS Constraints to control ingres and egres controls on the network. - Change name of svirt_nokvm_t to svirt_tcg_t - Allow tuned to request the kernel to load kernel modules- Label /var/lib/pgsql/.ssh as ssh_home_t - Add labeling for /usr/bin/pg_ctl - Allow systemd-logind to manage keyring user tmp dirs - Add support for 7389/tcp port - gems seems to be placed in lots of places - Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus - Add back tcp/8123 port as http_cache port - Add ovirt-guest-agent\.pid labeling - Allow xend to run scsi_id - Allow rhsmcertd-worker to read "physical_package_id" - Allow pki_tomcat to connect to ldap port - Allow lpr to read /usr/share/fonts - Allow open file from CD/DVD drive on domU - Allow munin services plugins to talk to SSSD - Allow all samba domains to create samba directory in var_t directories - Take away svirt_t ability to use nsswitch - Dontaudit attempts by openshift to read apache logs - Allow apache to create as well as append _ra_content_t - Dontaudit sendmail_t reading a leaked file descriptor - Add interface to have admin transition /etc/prelink.cache to the proper label - Add sntp support to ntp policy - Allow firewalld to dbus chat with devicekit_power - Allow tuned to call lsblk - Allow tor to read /proc/sys/kernel/random/uuid - Add tor_can_network_relay boolean- Add openshift_initrc_signal() interface - Fix typos - dspam port is treat as spamd_port_t - Allow setroubleshoot to getattr on all executables - Allow tuned to execute profiles scripts in /etc/tuned - Allow apache to create directories to store its log files - Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t - Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6 - Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM - Add filename transition for /etc/tuned/active_profile - Allow condor_master to send mails - Allow condor_master to read submit.cf - Allow condor_master to create /tmp files/dirs - Allow condor_mater to send sigkill to other condor domains - Allow condor_procd sigkill capability - tuned-adm wants to talk with tuned daemon - Allow kadmind and krb5kdc to also list sssd_public_t - Allow accountsd to dbus chat with init - Fix git_read_generic_system_content_files() interface - pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" - Fix mozilla_plugin_can_network_connect to allow to connect to all ports - Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t - dspam wants to search /var/spool for opendkim data - Revert "Add support for tcp/10026 port as dspam_port_t" - Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6 - Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain - Allow systemd_tmpfiles_t to setattr on mandb_cache_t- consolekit.pp was not removed from the postinstall script- Add back consolekit policy - Silence bootloader trying to use inherited tty - Silence xdm_dbusd_t trying to execute telepathy apps - Fix shutdown avcs when machine has unconfined.pp disabled - The host and a virtual machine can share the same printer on a usb device - Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob - Allow abrt_watch_log_t to execute bin_t - Allow chrome sandbox to write content in ~/.config/chromium - Dontaudit setattr on fontconfig dir for thumb_t - Allow lircd to request the kernel to load module - Make rsync as userdom_home_manager - Allow rsync to search automount filesystem - Add fixes for pacemaker- Add support for 4567/tcp port - Random fixes from Tuomo Soini - xdm wants to get init status - Allow programs to run in fips_mode - Add interface to allow the reading of all blk device nodes - Allow init to relabel rpcbind sock_file - Fix labeling for lastlog and faillog related to logrotate - ALlow aeolus_configserver to use TRAM port - Add fixes for aeolus_configserver - Allow snmpd to connect to snmp port - Allow spamd_update to create spamd_var_lib_t directories - Allow domains that can read sssd_public_t files to also list the directory - Remove miscfiles_read_localization, this is defined for all domains- Allow syslogd to request the kernel to load a module - Allow syslogd_t to read the network state information - Allow xdm_dbusd_t connect to the system DBUS - Add support for 7389/tcp port - Allow domains to read/write all inherited sockets - Allow staff_t to read kmsg - Add awstats_purge_apache_log boolean - Allow ksysguardproces to read /.config/Trolltech.conf - Allow passenger to create and append puppet log files - Add puppet_append_log and puppet_create_log interfaces - Add puppet_manage_log() interface - Allow tomcat domain to search tomcat_var_lib_t - Allow pki_tomcat_t to connect to pki_ca ports - Allow pegasus_t to have net_admin capability - Allow pegasus_t to write /sys/class/net//flags - Allow mailserver_delivery to manage mail_home_rw_t lnk_files - Allow fetchmail to create log files - Allow gnomeclock to manage home config in .kde - Allow bittlebee to read kernel sysctls - Allow logrotate to list /root- Fix userhelper_console_role_template() - Allow enabling Network Access Point service using blueman - Make vmware_host_t as unconfined domain - Allow authenticate users in webaccess via squid, using mysql as backend - Allow gathers to get various metrics on mounted file systems - Allow firewalld to read /etc/hosts - Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t - Allow kdumpgui to read/write to zipl.conf - Commands needed to get mock to build from staff_t in enforcing mode - Allow mdadm_t to manage cgroup files - Allow all daemons and systemprocesses to use inherited initrc_tmp_t files - dontaudit ifconfig_t looking at fifo_files that are leaked to it - Add lableing for Quest Authentication System- Fix filetrans interface definitions - Dontaudit xdm_t to getattr on BOINC lib files - Add systemd_reload_all_services() interface - Dontaudit write access on /var/lib/net-snmp/mib_indexes - Only stop mcsuntrustedproc from relableing files - Allow accountsd to dbus chat with gdm - Allow realmd to getattr on all fs - Allow logrotate to reload all services - Add systemd unit file for radiusd - Allow winbind to create samba pid dir - Add labeling for /var/nmbd/unexpected - Allow chrome and mozilla plugin to connect to msnp ports- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file - Dontaudit setfiles reading /dev/random - On initial boot gnomeclock is going to need to be set buy gdm - Fix tftp_read_content() interface - Random apps looking at kernel file systems - Testing virt with lxc requiers additional access for virsh_t - New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container - Allow MPD to read /dev/radnom - Allow sandbox_web_type to read logind files which needs to read pulseaudio - Allow mozilla plugins to read /dev/hpet - Add labeling for /var/lib/zarafa-webap - Allow BOINC client to use an HTTP proxy for all connections - Allow rhsmertd to domain transition to dmidecod - Allow setroubleshootd to send D-Bus msg to ABRT- Define usbtty_device_t as a term_tty - Allow svnserve to accept a connection - Allow xend manage default virt_image_t type - Allow prelink_cron_system_t to overide user componant when executing cp - Add labeling for z-push - Gnomeclock sets the realtime clock - Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd - Allow lxc domains to use /dev/random and /dev/urandom- Add port defintion for tcp/9000 - Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd - Add rules and labeling for $HOME/cache/\.gstreamer-.* directory - Add support for CIM provider openlmi-networking which uses NetworkManager dbus API - Allow shorewall_t to create netlink_socket - Allow krb5admind to block suspend - Fix labels on /var/run/dlm_controld /var/log/dlm_controld - Allow krb5kdc to block suspend - gnomessytemmm_t needs to read /etc/passwd - Allow cgred to read all sysctls- Allow all domains to read /proc/sys/vm/overcommit_memory - Make proc_numa_t an MLS Trusted Object - Add /proc/numactl support for confined users - Allow ssh_t to connect to any port > 1023 - Add openvswitch domain - Pulseaudio tries to create directories in gnome_home_t directories - New ypbind pkg wants to search /var/run which is caused by sd_notify - Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans - Allow sanlock to read /dev/random - Treat php-fpm with httpd_t - Allow domains that can read named_conf_t to be able to list the directories - Allow winbind to create sock files in /var/run/samba- Add smsd policy - Add support for OpenShift sbin labelin - Add boolean to allow virt to use rawip - Allow mozilla_plugin to read all file systems with noxattrs support - Allow kerberos to write on anon_inodefs fs - Additional access required by fenced - Add filename transitions for passwd.lock/group.lock - UPdate man pages - Create coolkey directory in /var/cache with the correct label- Fix label on /etc/group.lock - Allow gnomeclock to create lnk_file in /etc - label /root/.pki as a home_cert_t - Add interface to make sure rpcbind.sock is created with the correct label - Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules - opendkim should be a part of milter - Allow libvirt to set the kernel sched algorythm - Allow mongod to read sysfs_t - Add authconfig policy - Remove calls to miscfiles_read_localization all domains get this - Allow virsh_t to read /root/.pki/ content - Add label for log directory under /var/www/stickshift- Allow getty to setattr on usb ttys - Allow sshd to search all directories for sshd_home_t content - Allow staff domains to send dbus messages to kdumpgui - Fix labels on /etc/.pwd.lock and friends to be passwd_file_t - Dontaudit setfiles reading urand - Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched - Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir - Allow systemd-timedated to read /dev/urandom - Allow entropyd_t to read proc_t (meminfo) - Add unconfined munin plugin - Fix networkmanager_read_conf() interface - Allow blueman to list /tmp which is needed by sys_nic/setsched - Fix label of /etc/mail/aliasesdb-stamp - numad is searching cgroups - realmd is communicating with networkmanager using dbus - Lots of fixes to try to get kdump to work- Allow loging programs to dbus chat with realmd - Make apache_content_template calling as optional - realmd is using policy kit- Add new selinuxuser_use_ssh_chroot boolean - dbus needs to be able to read/write inherited fixed disk device_t passed through it - Cleanup netutils process allow rule - Dontaudit leaked fifo files from openshift to ping - sanlock needs to read mnt_t lnk files - Fail2ban needs to setsched and sys_nice- Change default label of all files in /var/run/rpcbind - Allow sandbox domains (java) to read hugetlbfs_t - Allow awstats cgi content to create tmp files and read apache log files - Allow setuid/setgid for cupsd-config - Allow setsched/sys_nice pro cupsd-config - Fix /etc/localtime sym link to be labeled locale_t - Allow sshd to search postgresql db t since this is a homedir - Allow xwindows users to chat with realmd - Allow unconfined domains to configure all files and null_device_t service- Adopt pki-selinux policy- pki is leaking which we dontaudit until a pki code fix - Allow setcap for arping - Update man pages - Add labeling for /usr/sbin/mcollectived - pki fixes - Allow smokeping to execute fping in the netutils_t domain- Allow mount to relabelfrom unlabeled file systems - systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working - Add label to get bin files under libreoffice labeled correctly - Fix interface to allow executing of base_ro_file_type - Add fixes for realmd - Update pki policy - Add tftp_homedir boolean - Allow blueman sched_setscheduler - openshift user domains wants to r/w ssh tcp sockets- Additional requirements for disable unconfined module when booting - Fix label of systemd script files - semanage can use -F /dev/stdin to get input - syslog now uses kerberos keytabs - Allow xserver to compromise_kernel access - Allow nfsd to write to mount_var_run_t when running the mount command - Add filename transition rule for bin_t directories - Allow files to read usr_t lnk_files - dhcpc wants chown - Add support for new openshift labeling - Clean up for tunable+optional statements - Add labeling for /usr/sbin/mkhomedir_helper - Allow antivirus domain to managa amavis spool files - Allow rpcbind_t to read passwd - Allow pyzor running as spamc to manage amavis spool- Add interfaces to read kernel_t proc info - Missed this version of exec_all - Allow anyone who can load a kernel module to compromise kernel - Add oddjob_dbus_chat to openshift apache policy - Allow chrome_sandbox_nacl_t to send signals to itself - Add unit file support to usbmuxd_t - Allow all openshift domains to read sysfs info - Allow openshift domains to getattr on all domains- MLS fixes from Dan - Fix name of capability2 secure_firmware->compromise_kerne- Allow xdm to search all file systems - Add interface to allow the config of all files - Add rngd policy - Remove kgpg as a gpg_exec_t type - Allow plymouthd to block suspend - Allow systemd_dbus to config any file - Allow system_dbus_t to configure all services - Allow freshclam_t to read usr_files - varnishd requires execmem to load modules- Allow semanage to verify types - Allow sudo domain to execute user home files - Allow session_bus_type to transition to user_tmpfs_t - Add dontaudit caused by yum updates - Implement pki policy but not activated- tuned wants to getattr on all filesystems - tuned needs also setsched. The build is needed for test day- Add policy for qemu-qa - Allow razor to write own config files - Add an initial antivirus policy to collect all antivirus program - Allow qdisk to read usr_t - Add additional caps for vmware_host - Allow tmpfiles_t to setattr on mandb_cache_t - Dontaudit leaked files into mozilla_plugin_config_t - Allow wdmd to getattr on tmpfs - Allow realmd to use /dev/random - allow containers to send audit messages - Allow root mount any file via loop device with enforcing mls policy - Allow tmpfiles_t to setattr on mandb_cache_t - Allow tmpfiles_t to setattr on mandb_cache_t - Make userdom_dontaudit_write_all_ not allow open - Allow init scripts to read all unit files - Add support for saphostctrl ports- Add kernel_read_system_state to sandbox_client_t - Add some of the missing access to kdumpgui - Allow systemd_dbusd_t to status the init system - Allow vmnet-natd to request the kernel to load a module - Allow gsf-office-thum to append .cache/gdm/session.log - realmd wants to read .config/dconf/user - Firewalld wants sys_nice/setsched - Allow tmpreaper to delete mandb cache files - Firewalld wants sys_nice/setsched - Allow firewalld to perform a DNS name resolution - Allown winbind to read /usr/share/samba/codepages/lowcase.dat - Add support for HTTPProxy* in /etc/freshclam.conf - Fix authlogin_yubike boolean - Extend smbd_selinux man page to include samba booleans - Allow dhcpc to execute consoletype - Allow ping to use inherited tmp files created in init scripts - On full relabel with unconfined domain disabled, initrc was running some chcon's - Allow people who delete man pages to delete mandb cache files- Add missing permissive domains- Add new mandb policy - ALlow systemd-tmpfiles_t to relabel mandb_cache_t - Allow logrotate to start all unit files- Add fixes for ctbd - Allow nmbd to stream connect to ctbd - Make cglear_t as nsswitch_domain - Fix bogus in interfaces - Allow openshift to read/write postfix public pipe - Add postfix_manage_spool_maildrop_files() interface - stickshift paths have been renamed to openshift - gnome-settings-daemon wants to write to /run/systemd/inhibit/ pipes - Update man pages, adding ENTRYPOINTS- Add mei_device_t - Make sure gpg content in homedir created with correct label - Allow dmesg to write to abrt cache files - automount wants to search virtual memory sysctls - Add support for hplip logs stored in /var/log/hp/tmp - Add labeling for /etc/owncloud/config.php - Allow setroubleshoot to send analysys to syslogd-journal - Allow virsh_t to interact with new fenced daemon - Allow gpg to write to /etc/mail/spamassassiin directories - Make dovecot_deliver_t a mail server delivery type - Add label for /var/tmp/DNS25- Fixes for tomcat_domain template interface- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes - Add attribute to all base os types. Allow all domains to read all ro base OS types- Additional unit files to be defined as power unit files - Fix more boolean names- Fix boolean name so subs will continue to work- dbus needs to start getty unit files - Add interface to allow system_dbusd_t to start the poweroff service - xdm wants to exec telepathy apps - Allow users to send messages to systemdlogind - Additional rules needed for systemd and other boot apps - systemd wants to list /home and /boot - Allow gkeyringd to write dbus/conf file - realmd needs to read /dev/urand - Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded- Fixes to safe more rules - Re-write tomcat_domain_template() - Fix passenger labeling - Allow all domains to read man pages - Add ephemeral_port_t to the 'generic' port interfaces - Fix the names of postgresql booleans- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer - Move netlable_peer check out of booleans - Remove call to recvfrom_netlabel for kerberos call - Remove use of attributes when calling syslog call - Move -miscfiles_read_localization to domain.te to save hundreds of allow rules - Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface - Allow rndc to block suspend - tuned needs to modify the schedule of the kernel - Allow svirt_t domains to read alsa configuration files - ighten security on irc domains and make sure they label content in homedir correctly - Add filetrans_home_content for irc files - Dontaudit all getattr access for devices and filesystems for sandbox domains - Allow stapserver to search cgroups directories - Allow all postfix domains to talk to spamd- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check - Change pam_t to pam_timestamp_t - Add dovecot_domain attribute and allow this attribute block_suspend capability2 - Add sanlock_use_fusefs boolean - numad wants send/recieve msg - Allow rhnsd to send syslog msgs - Make piranha-pulse as initrc domain - Update openshift instances to dontaudit setattr until the kernel is fixed.- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd - Remove pam_selinux.8 which conflicts with man page owned by the pam package - Allow glance-api to talk to mysql - ABRT wants to read Xorg.0.log if if it detects problem with Xorg - Fix gstreamer filename trans. interface- Man page fixes by Dan Walsh- Allow postalias to read postfix config files - Allow man2html to read man pages - Allow rhev-agentd to search all mountpoints - Allow rhsmcertd to read /dev/random - Add tgtd_stream_connect() interface - Add cyrus_write_data() interface - Dontaudit attempts by sandboxX clients connectiing to the xserver_port_t - Add port definition for tcp/81 as http_port_t - Fix /dev/twa labeling - Allow systemd to read modules config- Merge openshift policy - Allow xauth to read /dev/urandom - systemd needs to relabel content in /run/systemd directories - Files unconfined should be able to perform all services on all files - Puppet tmp file can be leaked to all domains - Dontaudit rhsmcertd-worker to search /root/.local - Allow chown capability for zarafa domains - Allow system cronjobs to runcon into openshift domains - Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories- nmbd wants to create /var/nmbd - Stop transitioning out of anaconda and firstboot, just causes AVC messages - Allow clamscan to read /etc files - Allow bcfg2 to bind cyphesis port - heartbeat should be run as rgmanager_t instead of corosync_t - Add labeling for /etc/openldap/certs - Add labeling for /opt/sartest directory - Make crontab_t as userdom home reader - Allow tmpreaper to list admin_home dir - Add defition for imap_0 replay cache file - Add support for gitolite3 - Allow virsh_t to send syslog messages - allow domains that can read samba content to be able to list the directories also - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd - Separate out sandbox from sandboxX policy so we can disable it by default - Run dmeventd as lvm_t - Mounting on any directory requires setattr and write permissions - Fix use_nfs_home_dirs() boolean - New labels for pam_krb5 - Allow init and initrc domains to sys_ptrace since this is needed to look at processes not owned by uid 0 - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs - Allow domains that can read etc_t to read etc_runtime_t - Allow all domains to use inherited tmpfiles- Allow realmd to read resolv.conf - Add pegasus_cache_t type - Label /usr/sbin/fence_virtd as virsh_exec_t - Add policy for pkcsslotd - Add support for cpglockd - Allow polkit-agent-helper to read system-auth-ac - telepathy-idle wants to read gschemas.compiled - Allow plymouthd to getattr on fs_t - Add slpd policy - Allow ksysguardproces to read/write config_usr_t- Fix labeling substitution so rpm will label /lib/systemd content correctly- Add file name transitions for ttyACM0 - spice-vdagent(d)'s are going to log over to syslog - Add sensord policy - Add more fixes for passenger policy related to puppet - Allow wdmd to create wdmd_tmpfs_t - Fix labeling for /var/run/cachefilesd\.pid - Add thumb_tmpfs_t files type- Allow svirt domains to manage the network since this is containerized - Allow svirt_lxc_net_t to send audit messages- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working - Allow dlm_controld to execute dlm_stonith labeled as bin_t - Allow GFS2 working on F17 - Abrt needs to execute dmesg - Allow jockey to list the contents of modeprobe.d - Add policy for lightsquid as squid_cron_t - Mailscanner is creating files and directories in /tmp - dmesg is now reading /dev/kmsg - Allow xserver to communicate with secure_firmware - Allow fsadm tools (fsck) to read /run/mount contnet - Allow sysadm types to read /dev/kmsg -- Allow postfix, sssd, rpcd to block_suspend - udev seems to need secure_firmware capability - Allow virtd to send dbus messages to firewalld so it can configure the firewall- Fix labeling of content in /run created by virsh_t - Allow condor domains to read kernel sysctls - Allow condor_master to connect to amqp - Allow thumb drives to create shared memory and semaphores - Allow abrt to read mozilla_plugin config files - Add labels for lightsquid - Default files in /opt and /usr that end in .cgi as httpd_sys_script_t, allow - dovecot_auth_t uses ldap for user auth - Allow domains that can read dhcp_etc_t to read lnk_files - Add more then one watchdog device - Allow useradd_t to manage etc_t files so it can rename it and edit them - Fix invalid class dir should be fifo_file - Move /run/blkid to fsadm and make sure labeling is correct- Fix bogus regex found by eparis - Fix manage run interface since lvm needs more access - syslogd is searching cgroups directory - Fixes to allow virt-sandbox-service to manage lxc var run content- Fix Boolean settings - Add new libjavascriptcoregtk as textrel_shlib_t - Allow xdm_t to create xdm_home_t directories - Additional access required for systemd - Dontaudit mozilla_plugin attempts to ipc_lock - Allow tmpreaper to delete unlabeled files - Eliminate screen_tmp_t and allow it to manage user_tmp_t - Dontaudit mozilla_plugin_config_t to append to leaked file descriptors - Allow web plugins to connect to the asterisk ports - Condor will recreate the lock directory if it does not exist - Oddjob mkhomedir needs to connectto user processes - Make oddjob_mkhomedir_t a userdom home manager- Put placeholder back in place for proper numbering of capabilities - Systemd also configures init scripts- Fix ecryptfs interfaces - Bootloader seems to be trolling around /dev/shm and /dev - init wants to create /etc/systemd/system-update.target.wants - Fix systemd_filetrans call to move it out of tunable - Fix up policy to work with systemd userspace manager - Add secure_firmware capability and remove bogus epolwakeup - Call seutil_*_login_config interfaces where should be needed - Allow rhsmcertd to send signal to itself - Allow thin domains to send signal to itself - Allow Chrome_ChildIO to read dosfs_t- Add role rules for realmd, sambagui- Add new type selinux_login_config_t for /etc/selinux//logins/ - Additional fixes for seutil_manage_module_store() - dbus_system_domain() should be used with optional_policy - Fix svirt to be allowed to use fusefs file system - Allow login programs to read /run/ data created by systemd_login - sssd wants to write /etc/selinux//logins/ for SELinux PAM module - Fix svirt to be allowed to use fusefs file system - Allow piranha domain to use nsswitch - Sanlock needs to send Kill Signals to non root processes - Pulseaudio wants to execute /run/user/PID/.orc- Fix saslauthd when it tries to read /etc/shadow - Label gnome-boxes as a virt homedir - Need to allow svirt_t ability to getattr on nfs_t file systems - Update sanlock policy to solve all AVC's - Change confined users can optionally manage virt content - Handle new directories under ~/.cache - Add block suspend to appropriate domains - More rules required for containers - Allow login programs to read /run/ data created by systemd_logind - Allow staff users to run svirt_t processes- Update to upstream- More fixes for systemd to make rawhide booting from Dan Walsh- Add systemd fixes to make rawhide booting- Add systemd_logind_inhibit_var_run_t attribute - Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type - Add interface for mysqld to dontaudit signull to all processes - Label new /var/run/journal directory correctly - Allow users to inhibit suspend via systemd - Add new type for the /var/run/inhibit directory - Add interface to send signull to systemd_login so avahi can send them - Allow systemd_passwd to send syslog messages - Remove corenet_all_recvfrom_unlabeled() calling fro policy files - Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group - Allow smbd to read cluster config - Add additional labeling for passenger - Allow dbus to inhibit suspend via systemd - Allow avahi to send signull to systemd_login- Add interface to dontaudit getattr access on sysctls - Allow sshd to execute /bin/login - Looks like xdm is recreating the xdm directory in ~/.cache/ on login - Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald - Fix semanage to work with unconfined domain disabled on F18 - Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls - Virt seems to be using lock files - Dovecot seems to be searching directories of every mountpoint - Allow jockey to read random/urandom, execute shell and install third-party drivers - Add aditional params to allow cachedfiles to manage its content - gpg agent needs to read /dev/random - The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write - Add a bunch of dontaudit rules to quiet svirt_lxc domains - Additional perms needed to run svirt_lxc domains - Allow cgclear to read cgconfig - Allow sys_ptrace capability for snmp - Allow freshclam to read /proc - Allow procmail to manage /home/user/Maildir content - Allow NM to execute wpa_cli - Allow amavis to read clamd system state - Regenerate man pages- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- Add realmd and stapserver policies - Allow useradd to manage stap-server lib files - Tighten up capabilities for confined users - Label /etc/security/opasswd as shadow_t - Add label for /dev/ecryptfs - Allow condor_startd_t to start sshd with the ranged - Allow lpstat.cups to read fips_enabled file - Allow pyzor running as spamc_t to create /root/.pyzor directory - Add labelinf for amavisd-snmp init script - Add support for amavisd-snmp - Allow fprintd sigkill self - Allow xend (w/o libvirt) to start virtual machines - Allow aiccu to read /etc/passwd - Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes - Add condor_startd_ranged_domtrans_to() interface - Add ssd_conf_t for /etc/sssd - accountsd needs to fchown some files/directories - Add ICACLient and zibrauserdata as mozilla_filetrans_home_content - SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit - Allow xend_t to read the /etc/passwd file- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t - Add init_access_check() interface - Fix label on /usr/bin/pingus to not be labeled as ping_exec_t - Allow tcpdump to create a netlink_socket - Label newusers like useradd - Change xdm log files to be labeled xdm_log_t - Allow sshd_t with privsep to work in MLS - Allow freshclam to update databases thru HTTP proxy - Allow s-m-config to access check on systemd - Allow abrt to read public files by default - Fix amavis_create_pid_files() interface - Add labeling and filename transition for dbomatic.log - Allow system_dbusd_t to stream connect to bluetooth, and use its socket - Allow amavisd to execute fsav - Allow tuned to use sys_admin and sys_nice capabilities - Add php-fpm policy from Bryan - Add labeling for aeolus-configserver-thinwrapper - Allow thin domains to execute shell - Fix gnome_role_gkeyringd() interface description - Lot of interface fixes - Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files - Allow OpenMPI job to use kerberos - Make deltacloudd_t as nsswitch_domain - Allow xend_t to run lsscsi - Allow qemu-dm running as xend_t to create tun_socket - Add labeling for /opt/brother/Printers(.*/)?inf - Allow jockey-backend to read pyconfig-64.h labeled as usr_t - Fix clamscan_can_scan_system boolean - Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11- initrc is calling exportfs which is not confined so it attempts to read nfsd_files - Fixes for passenger running within openshift. - Add labeling for all tomcat6 dirs - Add support for tomcat6 - Allow cobblerd to read /etc/passwd - Allow jockey to read sysfs and and execute binaries with bin_t - Allow thum to use user terminals - Allow cgclear to read cgconfig config files - Fix bcf2g.fc - Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains - Allow dbomatic to execute ruby - abrt_watch_log should be abrt_domain - Allow mozilla_plugin to connect to gatekeeper port- add ptrace_child access to process - remove files_read_etc_files() calling from all policies which have auth_use_nsswith() - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - Add support for boinc.log - Allow mozilla_plugin execmod on mozilla home files if allow_ex - Allow dovecot_deliver_t to read dovecot_var_run_t - Allow ldconfig and insmod to manage kdumpctl tmp files - Move thin policy out from cloudform.pp and add a new thin poli - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_c - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users hom - rhsmcertd reads the rpm database - Add support for lightdm- Add tomcat policy - Remove pyzor/razor policy - rhsmcertd reads the rpm database - Dontaudit thumb to setattr on xdm_tmp dir - Allow wicd to execute ldconfig in the networkmanager_t domain - Add /var/run/cherokee\.pid labeling - Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too - Allow postfix-master to r/w pipes other postfix domains - Allow snort to create netlink_socket - Add kdumpctl policy - Allow firstboot to create tmp_t files/directories - /usr/bin/paster should not be labeled as piranha_exec_t - remove initrc_domain from tomcat - Allow ddclient to read /etc/passwd - Allow useradd to delete all file types stored in the users homedir - Allow ldconfig and insmod to manage kdumpctl tmp files - Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those - Transition xauth files within firstboot_tmp_t - Fix labeling of /run/media to match /media - Label all lxdm.log as xserver_log_t - Add port definition for mxi port - Allow local_login_t to execute tmux- apcupsd needs to read /etc/passwd - Sanlock allso sends sigkill - Allow glance_registry to connect to the mysqld port - Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl - Allow firefox plugins/flash to connect to port 1234 - Allow mozilla plugins to delete user_tmp_t files - Add transition name rule for printers.conf.O - Allow virt_lxc_t to read urand - Allow systemd_loigind to list gstreamer_home_dirs - Fix labeling for /usr/bin - Fixes for cloudform services * support FIPS - Allow polipo to work as web caching - Allow chfn to execute tmux- Add support for ecryptfs * ecryptfs does not support xattr * we need labeling for HOMEDIR - Add policy for (u)mount.ecryptfs* - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache - Allow dovecot to manage Maildir content, fix transitions to Maildir - Allow postfix_local to transition to dovecot_deliver - Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code - Cleanup interface definitions - Allow apmd to change with the logind daemon - Changes required for sanlock in rhel6 - Label /run/user/apache as httpd_tmp_t - Allow thumb to use lib_t as execmod if boolean turned on - Allow squid to create the squid directory in /var with the correct labe - Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com) - Allow virtd to exec xend_exec_t without transition - Allow virtd_lxc_t to unmount all file systems- PolicyKit path has changed - Allow httpd connect to dirsrv socket - Allow tuned to write generic kernel sysctls - Dontaudit logwatch to gettr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Make condor_startd and rgmanager as initrc domain - Allow virsh to read /etc/passwd - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm - Fix files_filetrans_named_content() interface - Add new attribute - initrc_domain - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files- Rename boolean names to remove allow_- Mass merge with upstream * new policy topology to include contrib policy modules * we have now two base policy patches- Fix description of authlogin_nsswitch_use_ldap - Fix transition rule for rhsmcertd_t needed for RHEL7 - Allow useradd to list nfs state data - Allow openvpn to manage its log file and directory - We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly - Allow thumb to use nvidia devices - Allow local_login to create user_tmp_t files for kerberos - Pulseaudio needs to read systemd_login /var/run content - virt should only transition named system_conf_t config files - Allow munin to execute its plugins - Allow nagios system plugin to read /etc/passwd - Allow plugin to connect to soundd port - Fix httpd_passwd to be able to ask passwords - Radius servers can use ldap for backing store - Seems to need to mount on /var/lib for xguest polyinstatiation to work. - Allow systemd_logind to list the contents of gnome keyring - VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL - Add policy for isns-utils- Add policy for subversion daemon - Allow boinc to read passwd - Allow pads to read kernel network state - Fix man2html interface for sepolgen-ifgen - Remove extra /usr/lib/systemd/system/smb - Remove all /lib/systemd and replace with /usr/lib/systemd - Add policy for man2html - Fix the label of kerberos_home_t to krb5_home_t - Allow mozilla plugins to use Citrix - Allow tuned to read /proc/sys/kernel/nmi_watchdog - Allow tune /sys options via systemd's tmpfiles.d "w" type- Dontaudit lpr_t to read/write leaked mozilla tmp files - Add file name transition for .grl-podcasts directory - Allow corosync to read user tmp files - Allow fenced to create snmp lib dirs/files - More fixes for sge policy - Allow mozilla_plugin_t to execute any application - Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain - Allow mongod to read system state information - Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t - Allow polipo to manage polipo_cache dirs - Add jabbar_client port to mozilla_plugin_t - Cleanup procmail policy - system bus will pass around open file descriptors on files that do not have labels on them - Allow l2tpd_t to read system state - Allow tuned to run ls /dev - Allow sudo domains to read usr_t files - Add label to machine-id - Fix corecmd_read_bin_symlinks cut and paste error- Fix pulseaudio port definition - Add labeling for condor_starter - Allow chfn_t to creat user_tmp_files - Allow chfn_t to execute bin_t - Allow prelink_cron_system_t to getpw calls - Allow sudo domains to manage kerberos rcache files - Allow user_mail_domains to work with courie - Port definitions necessary for running jboss apps within openshift - Add support for openstack-nova-metadata-api - Add support for nova-console* - Add support for openstack-nova-xvpvncproxy - Fixes to make privsep+SELinux working if we try to use chage to change passwd - Fix auth_role() interface - Allow numad to read sysfs - Allow matahari-rpcd to execute shell - Add label for ~/.spicec - xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it - Devicekit_disk wants to read the logind sessions file when writing a cd - Add fixes for condor to make condor jobs working correctly - Change label of /var/log/rpmpkgs to cron_log_t - Access requires to allow systemd-tmpfiles --create to work. - Fix obex to be a user application started by the session bus. - Add additional filename trans rules for kerberos - Fix /var/run/heartbeat labeling - Allow apps that are managing rcache to file trans correctly - Allow openvpn to authenticate against ldap server - Containers need to listen to network starting and stopping events- Make systemd unit files less specific- Fix zarafa labeling - Allow guest_t to fix labeling - corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean - add lxc_contexts - Allow accountsd to read /proc - Allow restorecond to getattr on all file sytems - tmpwatch now calls getpw - Allow apache daemon to transition to pwauth domain - Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t - The obex socket seems to be a stream socket - dd label for /var/run/nologin- Allow jetty running as httpd_t to read hugetlbfs files - Allow sys_nice and setsched for rhsmcertd - Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports - Allow setfiles to append to xdm_tmp_t - Add labeling for /export as a usr_t directory - Add labels for .grl files created by gstreamer- Add labeling for /usr/share/jetty/bin/jetty.sh - Add jetty policy which contains file type definitios - Allow jockey to use its own fifo_file and make this the default for all domains - Allow mozilla_plugins to use spice (vnc_port/couchdb) - asterisk wants to read the network state - Blueman now uses /var/lib/blueman- Add label for nodejs_debug - Allow mozilla_plugin_t to create ~/.pki directory and content- Add clamscan_can_scan_system boolean - Allow mysqld to read kernel network state - Allow sshd to read/write condor lib files - Allow sshd to read/write condor-startd tcp socket - Fix description on httpd_graceful_shutdown - Allow glance_registry to communicate with mysql - dbus_system_domain is using systemd to lauch applications - add interfaces to allow domains to send kill signals to user mail agents - Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t - Lots of new access required for secure containers - Corosync needs sys_admin capability - ALlow colord to create shm - .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific - Add boolean to control whether or not mozilla plugins can create random content in the users homedir - Add new interface to allow domains to list msyql_db directories, needed for libra - shutdown has to be allowed to delete etc_runtime_t - Fail2ban needs to read /etc/passwd - Allow ldconfig to create /var/cache/ldconfig - Allow tgtd to read hardware state information - Allow collectd to create packet socket - Allow chronyd to send signal to itself - Allow collectd to read /dev/random - Allow collectd to send signal to itself - firewalld needs to execute restorecon - Allow restorecon and other login domains to execute restorecon- Allow logrotate to getattr on systemd unit files - Add support for tor systemd unit file - Allow apmd to create /var/run/pm-utils with the correct label - Allow l2tpd to send sigkill to pppd - Allow pppd to stream connect to l2tpd - Add label for scripts in /etc/gdm/ - Allow systemd_logind_t to ignore mcs constraints on sigkill - Fix files_filetrans_system_conf_named_files() interface - Add labels for /usr/share/wordpress/wp-includes/*.php - Allow cobbler to get SELinux mode and booleans- Add unconfined_execmem_exec_t as an alias to bin_t - Allow fenced to read snmp var lib files, also allow it to read usr_t - ontaudit access checks on all executables from mozilla_plugin - Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode - Allow systemd_tmpfiles_t to getattr all pipes and sockets - Allow glance-registry to send system log messages - semanage needs to manage mock lib files/dirs- Add policy for abrt-watch-log - Add definitions for jboss_messaging ports - Allow systemd_tmpfiles to manage printer devices - Allow oddjob to use nsswitch - Fix labeling of log files for postgresql - Allow mozilla_plugin_t to execmem and execstack by default - Allow firewalld to execute shell - Fix /etc/wicd content files to get created with the correct label - Allow mcelog to exec shell - Add ~/.orc as a gstreamer_home_t - /var/spool/postfix/lib64 should be labeled lib_t - mpreaper should be able to list all file system labeled directories - Add support for apache to use openstack - Add labeling for /etc/zipl.conf and zipl binary - Turn on allow_execstack and turn off telepathy transition for final release- More access required for virt_qmf_t - Additional assess required for systemd-logind to support multi-seat - Allow mozilla_plugin to setrlimit - Revert changes to fuse file system to stop deadlock- Allow condor domains to connect to ephemeral ports - More fixes for condor policy - Allow keystone to stream connect to mysqld - Allow mozilla_plugin_t to read generic USB device to support GPS devices - Allow thum to file name transition gstreamer home content - Allow thum to read all non security files - Allow glance_api_t to connect to ephemeral ports - Allow nagios plugins to read /dev/urandom - Allow syslogd to search postfix spool to support postfix chroot env - Fix labeling for /var/spool/postfix/dev - Allow wdmd chown - Label .esd_auth as pulseaudio_home_t - Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now- Add support for clamd+systemd - Allow fresclam to execute systemctl to handle clamd - Change labeling for /usr/sbin/rpc.ypasswd.env - Allow yppaswd_t to execute yppaswd_exec_t - Allow yppaswd_t to read /etc/passwd - Gnomekeyring socket has been moved to /run/user/USER/ - Allow samba-net to connect to ldap port - Allow signal for vhostmd - allow mozilla_plugin_t to read user_home_t socket - New access required for secure Linux Containers - zfs now supports xattrs - Allow quantum to execute sudo and list sysfs - Allow init to dbus chat with the firewalld - Allow zebra to read /etc/passwd- Allow svirt_t to create content in the users homedir under ~/.libvirt - Fix label on /var/lib/heartbeat - Allow systemd_logind_t to send kill signals to all processes started by a user - Fuse now supports Xattr Support- upowered needs to setsched on the kernel - Allow mpd_t to manage log files - Allow xdm_t to create /var/run/systemd/multi-session-x - Add rules for missedfont.log to be used by thumb.fc - Additional access required for virt_qmf_t - Allow dhclient to dbus chat with the firewalld - Add label for lvmetad - Allow systemd_logind_t to remove userdomain sock_files - Allow cups to execute usr_t files - Fix labeling on nvidia shared libraries - wdmd_t needs access to sssd and /etc/passwd - Add boolean to allow ftp servers to run in passive mode - Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with - Fix using httpd_use_fusefs - Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox- Rename rdate port to time port, and allow gnomeclock to connect to it - We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda - /etc/auto.* should be labeled bin_t - Add httpd_use_fusefs boolean - Add fixes for heartbeat - Allow sshd_t to signal processes that it transitions to - Add condor policy - Allow svirt to create monitors in ~/.libvirt - Allow dovecot to domtrans sendmail to handle sieve scripts - Lot of fixes for cfengine- /var/run/postmaster.* labeling is no longer needed - Alllow drbdadmin to read /dev/urandom - l2tpd_t seems to use ptmx - group+ and passwd+ should be labeled as /etc/passwd - Zarafa-indexer is a socket- Ensure lastlog is labeled correctly - Allow accountsd to read /proc data about gdm - Add fixes for tuned - Add bcfg2 fixes which were discovered during RHEL6 testing - More fixes for gnome-keyring socket being moved - Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown - Fix description for files_dontaudit_read_security_files() interface- Add new policy and man page for bcfg2 - cgconfig needs to use getpw calls - Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt - gnome-keyring wants to create a directory in cache_home_t - sanlock calls getpw- Add numad policy and numad man page - Add fixes for interface bugs discovered by SEWatch - Add /tmp support for squid - Add fix for #799102 * change default labeling for /var/run/slapd.* sockets - Make thumb_t as userdom_home_reader - label /var/lib/sss/mc same as pubconf, so getpw domains can read it - Allow smbspool running as cups_t to stream connect to nmbd - accounts needs to be able to execute passwd on behalf of users - Allow systemd_tmpfiles_t to delete boot flags - Allow dnssec_trigger to connect to apache ports - Allow gnome keyring to create sock_files in ~/.cache - google_authenticator is using .google_authenticator - sandbox running from within firefox is exposing more leaks - Dontaudit thumb to read/write /dev/card0 - Dontaudit getattr on init_exec_t for gnomeclock_t - Allow certmonger to do a transition to certmonger_unconfined_t - Allow dhcpc setsched which is caused by nmcli - Add rpm_exec_t for /usr/sbin/bcfg2 - system cronjobs are sending dbus messages to systemd_logind - Thumnailers read /dev/urand- Allow auditctl getcap - Allow vdagent to use libsystemd-login - Allow abrt-dump-oops to search /etc/abrt - Got these avc's while trying to print a boarding pass from firefox - Devicekit is now putting the media directory under /run/media - Allow thumbnailers to create content in ~/.thumbails directory - Add support for proL2TPd by Dominick Grift - Allow all domains to call getcap - wdmd seems to get a random chown capability check that it does not need - Allow vhostmd to read kernel sysctls- Allow chronyd to read unix - Allow hpfax to read /etc/passwd - Add support matahari vios-proxy-* apps and add virtd_exec_t label for them - Allow rpcd to read quota_db_t - Update to man pages to match latest policy - Fix bug in jockey interface for sepolgen-ifgen - Add initial svirt_prot_exec_t policy- More fixes for systemd from Dan Walsh- Add a new type for /etc/firewalld and allow firewalld to write to this directory - Add definition for ~/Maildir, and allow mail deliver domains to write there - Allow polipo to run from a cron job - Allow rtkit to schedule wine processes - Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label - Allow users domains to send signals to consolehelper domains- More fixes for boinc policy - Allow polipo domain to create its own cache dir and pid file - Add systemctl support to httpd domain - Add systemctl support to polipo, allow NetworkManager to manage the service - Add policy for jockey-backend - Add support for motion daemon which is now covered by zoneminder policy - Allow colord to read/write motion tmpfs - Allow vnstat to search through var_lib_t directories - Stop transitioning to quota_t, from init an sysadm_t- Add svirt_lxc_file_t as a customizable type- Add additional fixes for icmp nagios plugin - Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin - Add certmonger_unconfined_exec_t - Make sure tap22 device is created with the correct label - Allow staff users to read systemd unit files - Merge in previously built policy - Arpwatch needs to be able to start netlink sockets in order to start - Allow cgred_t to sys_ptrace to look at other DAC Processes- Back port some of the access that was allowed in nsplugin_t - Add definitiona for couchdb ports - Allow nagios to use inherited users ttys - Add git support for mock - Allow inetd to use rdate port - Add own type for rdate port - Allow samba to act as a portmapper - Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev - New fixes needed for samba4 - Allow apps that use lib_t to read lib_t symlinks- Add policy for nove-cert - Add labeling for nova-openstack systemd unit files - Add policy for keystoke- Fix man pages fro domains - Add man pages for SELinux users and roles - Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon - Add policy for matahari-rpcd - nfsd executes mount command on restart - Matahari domains execute renice and setsched - Dontaudit leaked tty in mozilla_plugin_config - mailman is changing to a per instance naming - Add 7600 and 4447 as jboss_management ports - Add fixes for nagios event handlers - Label httpd.event as httpd_exec_t, it is an apache daemon- Add labeling for /var/spool/postfix/dev/log - NM reads sysctl.conf - Iscsi log file context specification fix - Allow mozilla plugins to send dbus messages to user domains that transition to it - Allow mysql to read the passwd file - Allow mozilla_plugin_t to create mozilla home dirs in user homedir - Allow deltacloud to read kernel sysctl - Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself - Allow postgresql_t to connectto itself - Add login_userdomain attribute for users which can log in using terminal- Allow sysadm_u to reach system_r by default #784011 - Allow nagios plugins to use inherited user terminals - Razor labeling is not used no longer - Add systemd support for matahari - Add port_types to man page, move booleans to the top, fix some english - Add support for matahari-sysconfig-console - Clean up matahari.fc - Fix matahari_admin() interfac - Add labels for/etc/ssh/ssh_host_*.pub keys- Allow ksysguardproces to send system log msgs - Allow boinc setpgid and signull - Allow xdm_t to sys_ptrace to run pidof command - Allow smtpd_t to manage spool files/directories and symbolic links - Add labeling for jetty - Needed changes to get unbound/dnssec to work with openswan- Add user_fonts_t alias xfs_tmp_t - Since depmod now runs as insmod_t we need to write to kernel_object_t - Allow firewalld to dbus chat with networkmanager - Allow qpidd to connect to matahari ports - policykit needs to read /proc for uses not owned by it - Allow systemctl apps to connecto the init stream- Turn on deny_ptrace boolean- Remove pam_selinux.8 man page. There was a conflict.- Add proxy class and read access for gssd_proxy - Separate out the sharing public content booleans - Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate - Add label transition for gstream-0.10 and 12 - Add booleans to allow rsync to share nfs and cifs file sytems - chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it - Fix filename transitions for cups files - Allow denyhosts to read "unix" - Add file name transition for locale.conf.new - Allow boinc projects to gconf config files - sssd needs to be able to increase the socket limit under certain loads - sge_execd needs to read /etc/passwd - Allow denyhost to check network state - NetworkManager needs to read sessions data - Allow denyhost to check network state - Allow xen to search virt images directories - Add label for /dev/megaraid_sas_ioctl_node - Add autogenerated man pages- Allow boinc project to getattr on fs - Allow init to execute initrc_state_t - rhev-agent package was rename to ovirt-guest-agent - If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly - sytemd writes content to /run/initramfs and executes it on shutdown - kdump_t needs to read /etc/mtab, should be back ported to F16 - udev needs to load kernel modules in early system boot- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses - Add additional systemd interfaces which are needed fro *_admin interfaces - Fix bind_admin() interface- Allow firewalld to read urand - Alias java, execmem_mono to bin_t to allow third parties - Add label for kmod - /etc/redhat-lsb contains binaries - Add boolean to allow gitosis to send mail - Add filename transition also for "event20" - Allow systemd_tmpfiles_t to delete all file types - Allow collectd to ipc_lock- make consoletype_exec optional, so we can remove consoletype policy - remove unconfined_permisive.patch - Allow openvpn_t to inherit user home content and tmp content - Fix dnssec-trigger labeling - Turn on obex policy for staff_t - Pem files should not be secret - Add lots of rules to fix AVC's when playing with containers - Fix policy for dnssec - Label ask-passwd directories correctly for systemd- sshd fixes seem to be causing unconfined domains to dyntrans to themselves - fuse file system is now being mounted in /run/user - systemd_logind is sending signals to processes that are dbus messaging with it - Add support for winshadow port and allow iscsid to connect to this port - httpd should be allowed to bind to the http_port_t udp socket - zarafa_var_lib_t can be a lnk_file - A couple of new .xsession-errors files - Seems like user space and login programs need to read logind_sessions_files - Devicekit disk seems to be being launched by systemd - Cleanup handling of setfiles so most of rules in te file - Correct port number for dnssec - logcheck has the home dir set to its cache- Add policy for grindengine MPI jobs- Add new sysadm_secadm.pp module * contains secadm definition for sysadm_t - Move user_mail_domain access out of the interface into the te file - Allow httpd_t to create httpd_var_lib_t directories as well as files - Allow snmpd to connect to the ricci_modcluster stream - Allow firewalld to read /etc/passwd - Add auth_use_nsswitch for colord - Allow smartd to read network state - smartdnotify needs to read /etc/group- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory - lxdm startup scripts should be labeled bin_t, so confined users will work - mcstransd now creates a pid, needs back port to F16 - qpidd should be allowed to connect to the amqp port - Label devices 010-029 as usb devices - ypserv packager says ypserv does not use tmp_t so removing selinux policy types - Remove all ptrace commands that I believe are caused by the kernel/ps avcs - Add initial Obex policy - Add logging_syslogd_use_tty boolean - Add polipo_connect_all_unreserved bolean - Allow zabbix to connect to ftp port - Allow systemd-logind to be able to switch VTs - Allow apache to communicate with memcached through a sock_file- Fix file_context.subs_dist for now to work with pre usrmove- More /usr move fixes- Add zabbix_can_network boolean - Add httpd_can_connect_zabbix boolean - Prepare file context labeling for usrmove functions - Allow system cronjobs to read kernel network state - Add support for selinux_avcstat munin plugin - Treat hearbeat with corosync policy - Allow corosync to read and write to qpidd shared mem - mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users context - Turn off dontaudit rules when turning on allow_ypbind - udev now reads /etc/modules.d directory- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out - Cups exchanges dbus messages with init - udisk2 needs to send syslog messages - certwatch needs to read /etc/passwd- Add labeling for udisks2 - Allow fsadmin to communicate with the systemd process- Treat Bip with bitlbee policy * Bip is an IRC proxy - Add port definition for interwise port - Add support for ipa_memcached socket - systemd_jounald needs to getattr on all processes - mdadmin fixes * uses getpw - amavisd calls getpwnam() - denyhosts calls getpwall()- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there - bluetooth says they do not use /tmp and want to remove the type - Allow init to transition to colord - Mongod needs to read /proc/sys/vm/zone_reclaim_mode - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmain to write to inherited dovecot tmp files - setroubleshoot needs to be able to execute rpm to see what version of packages- Merge systemd patch - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nfs_home_dirs boolean for ssh-keygen- Fixes to make rawhide boot in enforcing mode with latest systemd changes- Add labeling for /var/run/systemd/journal/syslog - libvirt sends signals to ifconfig - Allow domains that read logind session files to list them- Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read sympolicy links in this filesystem - Add ubac_constrained rules for chrome_sandbox - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra - Allow postgresql to be executed by the caller - Standardize interfaces of daemons - Add new labeling for mm-handler - Allow all matahari domains to read network state and etc_runtime_t files- New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo - Allow rpc.svcgssd to read supported_krb5_enctype - Allow zarafa domains to read /dev/random and /dev/urandom - Allow snmpd to read dev_snmp6 - Allow procmail to talk with cyrus - Add fixes for check_disk and check_nagios plugins- default trans rules for Rawhide policy - Make sure sound_devices controlC* are labeled correctly on creation - sssd now needs sys_admin - Allow snmp to read all proc_type - Allow to setup users homedir with quota.group- Add httpd_can_connect_ldap() interface - apcupsd_t needs to use seriel ports connected to usb devices - Kde puts procmail mail directory under ~/.local/share - nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now - Add labeling for /sbin/iscsiuio- Add label for /var/lib/iscan/interpreter - Dont audit writes to leaked file descriptors or redirected output for nacl - NetworkManager needs to write to /sys/class/net/ib*/mode- Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute - Allow munin services plugins to use NSCD services- Allow mozilla_plugin_t to manage mozilla_home_t - Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain - Add label for tumblerd- Fixes for xguest package- Fixes related to /bin, /sbin - Allow abrt to getattr on blk files - Add type for rhev-agent log file - Fix labeling for /dev/dmfm - Dontaudit wicd leaking - Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it - Label /etc/locale.conf correctly - Allow user_mail_t to read /dev/random - Allow postfix-smtpd to read MIMEDefang - Add label for /var/log/suphp.log - Allow swat_t to connect and read/write nmbd_t sock_file - Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf - Allow systemd-tmpfiles to change user identity in object contexts - More fixes for rhev_agentd_t consolehelper policy- Use fs_use_xattr for squashf - Fix procs_type interface - Dovecot has a new fifo_file /var/run/dovecot/stats-mail - Dovecot has a new fifo_file /var/run/stats-mail - Colord does not need to connect to network - Allow system_cronjob to dbus chat with NetworkManager - Puppet manages content, want to make sure it labels everything correctly- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it - Allow all postfix domains to use the fifo_file - Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t - Allow apmd_t to read grub.cfg - Let firewallgui read the selinux config - Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp - Fix devicekit_manage_pid_files() interface - Allow squid to check the network state - Dontaudit colord getattr on file systems - Allow ping domains to read zabbix_tmp_t files- Allow mcelog_t to create dir and file in /var/run and label it correctly - Allow dbus to manage fusefs - Mount needs to read process state when mounting gluster file systems - Allow collectd-web to read collectd lib files - Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr - Allow colord to get the attributes of tmpfs filesystem - Add sanlock_use_nfs and sanlock_use_samba booleans - Add bin_t label for /usr/lib/virtualbox/VBoxManage- Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work - Add interface to allow exec of mongod, add port definition for mongod port, 27017 - Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t - Allow spamd and clamd to steam connect to each other - Add policy label for passwd.OLD - More fixes for postfix and postfix maildro - Add ftp support for mozilla plugins - Useradd now needs to manage policy since it calls libsemanage - Fix devicekit_manage_log_files() interface - Allow colord to execute ifconfig - Allow accountsd to read /sys - Allow mysqld-safe to execute shell - Allow openct to stream connect to pcscd - Add label for /var/run/nm-dns-dnsmasq\.conf - Allow networkmanager to chat with virtd_t- Pulseaudio changes - Merge patches- Merge patches back into git repository.- Remove allow_execmem boolean and replace with deny_execmem boolean- Turn back on allow_execmem boolean- Add more MCS fixes to make sandbox working - Make faillog MLS trusted to make sudo_$1_t working - Allow sandbox_web_client_t to read passwd_file_t - Add .mailrc file context - Remove execheap from openoffice domain - Allow chrome_sandbox_nacl_t to read cpu_info - Allow virtd to relabel generic usb which is need if USB device - Fixes for virt.if interfaces to consider chr_file as image file type- Remove Open Office policy - Remove execmem policy- MCS fixes - quota fixes- Remove transitions to consoletype- Make nvidia* to be labeled correctly - Fix abrt_manage_cache() interface - Make filetrans rules optional so base policy will build - Dontaudit chkpwd_t access to inherited TTYS - Make sure postfix content gets created with the correct label - Allow gnomeclock to read cgroup - Fixes for cloudform policy- Check in fixed for Chrome nacl support- Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY's - Allow svirt_lxc domains to send kill signals within their container- Remove qemu.pp again without causing a crash- Remove qemu.pp, everything should use svirt_t or stay in its current domain- Allow policykit to talk to the systemd via dbus - Move chrome_sandbox_nacl_t to permissive domains - Additional rules for chrome_sandbox_nacl- Change bootstrap name to nacl - Chrome still needs execmem - Missing role for chrome_sandbox_bootstrap - Add boolean to remove execmem and execstack from virtual machines - Dontaudit xdm_t doing an access_check on etc_t directories- Allow named to connect to dirsrv by default - add ldapmap1_0 as a krb5_host_rcache_t file - Google chrome developers asked me to add bootstrap policy for nacl stuff - Allow rhev_agentd_t to getattr on mountpoints - Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets- Fixes for cloudform policies which need to connect to random ports - Make sure if an admin creates modules content it creates them with the correct label - Add port 8953 as a dns port used by unbound - Fix file name transition for alsa and confined users- Turn on mock_t and thumb_t for unconfined domains- Policy update should not modify local contexts- Remove ada policy- Remove tzdata policy - Add labeling for udev - Add cloudform policy - Fixes for bootloader policy- Add policies for nova openstack- Add fixes for nova-stack policy- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain - Allow init process to setrlimit on itself - Take away transition rules for users executing ssh-keygen - Allow setroubleshoot_fixit_t to read /dev/urand - Allow sshd to relbale tunnel sockets - Allow fail2ban domtrans to shorewall in the same way as with iptables - Add support for lnk files in the /var/lib/sssd directory - Allow system mail to connect to courier-authdaemon over an unix stream socket- Add passwd_file_t for /etc/ptmptmp- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) - Make corosync to be able to relabelto cluster lib fies - Allow samba domains to search /var/run/nmbd - Allow dirsrv to use pam - Allow thumb to call getuid - chrome less likely to get mmap_zero bug so removing dontaudit - gimp help-browser has built in javascript - Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t - Re-write glance policy- Move dontaudit sys_ptrace line from permissive.te to domain.te - Remove policy for hal, it no longer exists- Don't check md5 size or mtime on certain config files- Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system - Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;- Fixes for bootloader policy - $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore - Allow nsplugin to read /usr/share/config - Allow sa-update to update rules - Add use_fusefs_home_dirs for chroot ssh option - Fixes for grub2 - Update systemd_exec_systemctl() interface - Allow gpg to read the mail spool - More fixes for sa-update running out of cron job - Allow ipsec_mgmt_t to read hardware state information - Allow pptp_t to connect to unreserved_port_t - Dontaudit getattr on initctl in /dev from chfn - Dontaudit getattr on kernel_core from chfn - Add systemd_list_unit_dirs to systemd_exec_systemctl call - Fixes for collectd policy - CHange sysadm_t to create content as user_tmp_t under /tmp- Shrink size of policy through use of attributes for userdomain and apache- Allow virsh to read xenstored pid file - Backport corenetwork fixes from upstream - Do not audit attempts by thumb to search config_home_t dirs (~/.config) - label ~/.cache/telepathy/logger telepathy_logger_cache_home_t - allow thumb to read generic data home files (mime.type)- Allow nmbd to manage sock file in /var/run/nmbd - ricci_modservice send syslog msgs - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user- Fix missing patch from F16- Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by grift - Add new nfsd ports - Added fix to allow confined apps to execmod on chrome - Add labeling for additional vdsm directories - Allow Exim and Dovecot SASL - Add label for /var/run/nmbd - Add fixes to make virsh and xen working together - Colord executes ls - /var/spool/cron is now labeled as user_cron_spool_t- Stop complaining about leaked file descriptors during install- Remove java and mono module and merge into execmem- Fixes for thumb policy and passwd_file_t- Fixes caused by the labeling of /etc/passwd - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide- Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs - move permissive virt_qmf_t from virt.te to permissivedomains.te - Allow ssh_t to use kernel keyrings - Add policy for libvirt-qmf and more fixes for linux containers - Initial Polipo - Sanlock needs to run ranged in order to kill svirt processes - Allow smbcontrol to stream connect to ctdbd- Add label for /etc/passwd- Change unconfined_domains to permissive for Rawhide - Add definition for the ephemeral_ports- Make mta_role() active - Allow asterisk to connect to jabber client port - Allow procmail to read utmp - Add NIS support for systemd_logind_t - Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t - Fix systemd_manage_unit_dirs() interface - Allow ssh_t to manage directories passed into it - init needs to be able to create and delete unit file directories - Fix typo in apache_exec_sys_script - Add ability for logrotate to transition to awstat domain- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state - Add SELinux support for ssh pre-auth net process in F17 - Add logging_syslogd_can_sendmail boolean- Add definition for ephemeral ports - Define user_tty_device_t as a customizable_type- Needs to require a new version of checkpolicy - Interface fixes- Allow sanlock to manage virt lib files - Add virt_use_sanlock booelan - ksmtuned is trying to resolve uids - Make sure .gvfs is labeled user_home_t in the users home directory - Sanlock sends kill signals and needs the kill capability - Allow mockbuild to work on nfs homedirs - Fix kerberos_manage_host_rcache() interface - Allow exim to read system state- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t- Allow collectd to read hardware state information - Add loop_control_device_t - Allow mdadm to request kernel to load module - Allow domains that start other domains via systemctl to search unit dir - systemd_tmpfiles, needs to list any file systems mounted on /tmp - No one can explain why radius is listing the contents of /tmp, so we will dontaudit - If I can manage etc_runtime files, I should be able to read the links - Dontaudit hostname writing to mock library chr_files - Have gdm_t setup labeling correctly in users home dir - Label content unde /var/run/user/NAME/dconf as config_home_t - Allow sa-update to execute shell - Make ssh-keygen working with fips_enabled - Make mock work for staff_t user - Tighten security on mock_t- removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and secure_mode_policyload - Remove unconfined_mount_t- Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy - sssd need to search /var/cache/krb5rcache directory - Allow corosync to relabel own tmp files - Allow zarafa domains to send system log messages - Allow ssh to do tunneling - Allow initrc scripts to sendto init_t unix_stream_socket - Changes to make sure dmsmasq and virt directories are labeled correctly - Changes needed to allow sysadm_t to manage systemd unit files - init is passing file descriptors to dbus and on to system daemons - Allow sulogin additional access Reported by dgrift and Jeremy Miller - Steve Grubb believes that wireshark does not need this access - Fix /var/run/initramfs to stop restorecon from looking at - pki needs another port - Add more labels for cluster scripts - Allow apps that manage cgroup_files to manage cgroup link files - Fix label on nfs-utils scripts directories - Allow gatherd to read /dev/rand and /dev/urand- pki needs another port - Add more labels for cluster scripts - Fix label on nfs-utils scripts directories - Fixes for cluster - Allow gatherd to read /dev/rand and /dev/urand - abrt leaks fifo files- Add glance policy - Allow mdadm setsched - /var/run/initramfs should not be relabeled with a restorecon run - memcache can be setup to override sys_resource - Allow httpd_t to read tetex data - Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.- Allow Postfix to deliver to Dovecot LMTP socket - Ignore bogus sys_module for lldpad - Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock - systemd_logind_t sets the attributes on usb devices - Allow hddtemp_t to read etc_t files - Add permissivedomains module - Move all permissive domains calls to permissivedomain.te - Allow pegasis to send kill signals to other UIDs- Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t unix_stream_sockets - Change sysctl unit file interfaces to use systemctl - Add support for chronyd unit file - Allow mozilla_plugin to read gnome_usr_config - Add policy for new gpsd - Allow cups to create kerberos rhost cache files - Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten- Add policy for sa-update being run out of cron jobs - Add create perms to postgresql_manage_db - ntpd using a gps has to be able to read/write generic tty_device_t - If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev - fix spec file - Remove qemu_domtrans_unconfined() interface - Make passenger working together with puppet - Add init_dontaudit_rw_stream_socket interface - Fixes for wordpress- Turn on allow_domain_fd_use boolean on F16 - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Add abrt_handle_event_t domain for ABRT event scripts - Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change - Allow httpd_git_script_t to read passwd data - Allow openvpn to set its process priority when the nice parameter is used- livecd fixes - spec file fixes- fetchmail can use kerberos - ksmtuned reads in shell programs - gnome_systemctl_t reads the process state of ntp - dnsmasq_t asks the kernel to load multiple kernel modules - Add rules for domains executing systemctl - Bogus text within fc file- Add cfengine policy- Add abrt_domain attribute - Allow corosync to manage cluster lib files - Allow corosync to connect to the system DBUS- Add sblim, uuidd policies - Allow kernel_t dyntrasition to init_t- init_t need setexec - More fixes of rules which cause an explosion in rules by Dan Walsh- Allow rcsmcertd to perform DNS name resolution - Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts - Allow tmux to run as screen - New policy for collectd - Allow gkeyring_t to interact with all user apps - Add rules to allow firstboot to run on machines with the unconfined.pp module removed- Allow systemd_logind to send dbus messages with users - allow accountsd to read wtmp file - Allow dhcpd to get and set capabilities- Fix oracledb_port definition - Allow mount to mounton the selinux file system - Allow users to list /var directories- systemd fixes- Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltclient is connecting to abrt - Dontaudit leaked file descriptors to postdrop - Allow abrt_dump_oops to look at kernel sysctls - Abrt_dump_oops_t reads kernel ring buffer - Allow mysqld to request the kernel to load modules - systemd-login needs fowner - Allow postfix_cleanup_t to searh maildrop- Initial systemd_logind policy - Add policy for systemd_logger and additional proivs for systemd_logind - More fixes for systemd policies- Allow setsched for virsh - Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories - iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-multi- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit - Allow colord to interact with the users through the tmpfs file system - Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files - Add label for /var/log/mcelog - Allow asterisk to read /dev/random if it uses TLS - Allow colord to read ini files which are labeled as bin_t - Allow dirsrvadmin sys_resource and setrlimit to use ulimit - Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. - Also lists /var and /var/spool directories - Add openl2tpd to l2tpd policy - qpidd is reading the sysfs file- Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains - Allow pppd to search /var/lock dir - Add rhsmcertd policy- Update to upstream- More fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git- Fix spec file to not report Verify errors- Add dspam policy - Add lldpad policy - dovecot auth wants to search statfs #713555 - Allow systemd passwd apps to read init fifo_file - Allow prelink to use inherited terminals - Run cherokee in the httpd_t domain - Allow mcs constraints on node connections - Implement pyicqt policy - Fixes for zarafa policy - Allow cobblerd to send syslog messages- Add policy.26 to the payload - Remove olpc stuff - Remove policygentool- Fixes for zabbix - init script needs to be able to manage sanlock_var_run_... - Allow sandlock and wdmd to create /var/run directories... - mixclip.so has been compiled correctly - Fix passenger policy module name- Add mailscanner policy from dgrift - Allow chrome to optionally be transitioned to - Zabbix needs these rules when starting the zabbix_server_mysql - Implement a type for freedesktop openicc standard (~/.local/share/icc) - Allow system_dbusd_t to read inherited icc_data_home_t files. - Allow colord_t to read icc_data_home_t content. #706975 - Label stuff under /usr/lib/debug as if it was labeled under /- Fixes for sanlock policy - Fixes for colord policy - Other fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Add rhev policy module to modules-targeted.conf- Lot of fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Allow logrotate to execute systemctl - Allow nsplugin_t to getattr on gpmctl - Fix dev_getattr_all_chr_files() interface - Allow shorewall to use inherited terms - Allow userhelper to getattr all chr_file devices - sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t - Fix labeling for ABRT Retrace Server- Dontaudit sys_module for ifconfig - Make telepathy and gkeyringd daemon working with confined users - colord wants to read files in users homedir - Remote login should be creating user_tmp_t not its own tmp files- Fix label for /usr/share/munin/plugins/munin_* plugins - Add support for zarafa-indexer - Fix boolean description - Allow colord to getattr on /proc/scsi/scsi - Add label for /lib/upstart/init - Colord needs to list /mnt- Forard port changes from F15 for telepathy - NetworkManager should be allowed to use /dev/rfkill - Fix dontaudit messages to say Domain to not audit - Allow telepathy domains to read/write gnome_cache files - Allow telepathy domains to call getpw - Fixes for colord and vnstatd policy- Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute corosync - colord tries to read files off noxattr file systems - Allow init_t getcap and setcap- Add support for ABRT retrace server - Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners - Allow telepath_msn_t to read /proc/PARENT/cmdline - ftpd needs kill capability - Allow telepath_msn_t to connect to sip port - keyring daemon does not work on nfs homedirs - Allow $1_sudo_t to read default SELinux context - Add label for tgtd sock file in /var/run/ - Add apache_exec_rotatelogs interface - allow all zaraha domains to signal themselves, server writes to /tmp - Allow syslog to read the process state - Add label for /usr/lib/chromium-browser/chrome - Remove the telepathy transition from unconfined_t - Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts - Allow initrc_t domain to manage abrt pid files - Add support for AEOLUS project - Virt_admin should be allowed to manage images and processes - Allow plymountd to send signals to init - Change labeling of fping6- Add filename transitions- Fixes for zarafa policy - Add support for AEOLUS project - Change labeling of fping6 - Allow plymountd to send signals to init - Allow initrc_t domain to manage abrt pid files - Virt_admin should be allowed to manage images and processes- xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl - Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy- Add Dan's patch to remove 64 bit variants - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch - Add labeling for systemd unit files - Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pid - Fixes for matahari policy - Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir - Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on- Fix typo- Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc files - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow sysadm_t to set attributes on fixed disks - allow user domains to execute lsof and look at application sockets - prelink_cron job calls telinit -u if init is rewritten - Fixes to run qemu_t from staff_t- Fix label for /var/run/udev to udev_var_run_t - Mock needs to be able to read network state- Add file_contexts.subs to handle /run and /run/lock - Add other fixes relating to /run changes from F15 policy- Allow $1_sudo_t and $1_su_t open access to user terminals - Allow initrc_t to use generic terminals - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs -systemd is going to be useing /run and /run/lock for early bootup files. - Fix some comments in rlogin.if - Add policy for KDE backlighthelper - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - setroubleshoot reads executables to see if they have TEXTREL - Add /var/spool/audit support for new version of audit - Remove kerberos_connect_524() interface calling - Combine kerberos_master_port_t and kerberos_port_t - systemd has setup /dev/kmsg as stderr for apps it executes - Need these access so that init can impersonate sockets on unix_dgram_socket- Remove some unconfined domains - Remove permissive domains - Add policy-term.patch from Dan- Fix multiple specification for boot.log - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if to generic_if - Should not use deprecated interface - Switch from using all_nodes to generic_node and from all_if to generic_if - Add support for xfce4-notifyd - Fix file context to show several labels as SystemHigh - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs - Add etc_runtime_t label for /etc/securetty - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly - login.krb needs to be able to write user_tmp_t - dirsrv needs to bind to port 7390 for dogtag - Fix a bug in gpg policy - gpg sends audit messages - Allow qpid to manage matahari files- Initial policy for matahari - Add dev_read_watchdog - Allow clamd to connect clamd port - Add support for kcmdatetimehelper - Allow shutdown to setrlimit and sys_nice - Allow systemd_passwd to talk to /dev/log before udev or syslog is running - Purge chr_file and blk files on /tmp - Fixes for pads - Fixes for piranha-pulse - gpg_t needs to be able to encyprt anything owned by the user- mozilla_plugin_tmp_t needs to be treated as user tmp files - More dontaudits of writes from readahead - Dontaudit readahead_t file_type:dir write, to cover up kernel bug - systemd_tmpfiles needs to relabel faillog directory as well as the file - Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost- Add policykit fixes from Tim Waugh - dontaudit sandbox domains sandbox_file_t:dir mounton - Add new dontaudit rules for sysadm_dbusd_t - Change label for /var/run/faillock * other fixes which relate with this change- Update to upstream - Fixes for telepathy - Add port defition for ssdp port - add policy for /bin/systemd-notify from Dan - Mount command requires users read mount_var_run_t - colord needs to read konject_uevent_socket - User domains connect to the gkeyring socket - Add colord policy and allow user_t and staff_t to dbus chat with it - Add lvm_exec_t label for kpartx - Dontaudit reading the mail_spool_t link from sandbox -X - systemd is creating sockets in avahi_var_run and system_dbusd_var_run- gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd - enforce MCS labeling on nodes - Allow arpwatch to read meminfo - Allow gnomeclock to send itself signals - init relabels /dev/.udev files on boot - gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t - nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t - dnsmasq can run as a dbus service, needs acquire service - mysql_admin should be allowed to connect to mysql service - virt creates monitor sockets in the users home dir- Allow usbhid-ups to read hardware state information - systemd-tmpfiles has moved - Allo cgroup to sys_tty_config - For some reason prelink is attempting to read gconf settings - Add allow_daemons_use_tcp_wrapper boolean - Add label for ~/.cache/wocky to make telepathy work in enforcing mode - Add label for char devices /dev/dasd* - Fix for apache_role - Allow amavis to talk to nslcd - allow all sandbox to read selinux poilcy config files - Allow cluster domains to use the system bus and send each other dbus messages- Update to upstream- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Update to ref policy - cgred needs chown capability - Add /dev/crash crash_dev_t - systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability- New labeling for postfmulti #675654 - dontaudit xdm_t listing noxattr file systems - dovecot-auth needs to be able to connect to mysqld via the network as well as locally - shutdown is passed stdout to a xdm_log_t file - smartd creates a fixed disk device - dovecot_etc_t contains a lnk_file that domains need to read - mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot- syslog_t needs syslog capability - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv - Fix for dirsrv policy missing manage_dirs_pattern - corosync needs to delete clvm_tmpfs_t files - qdiskd needs to list hugetlbfs - Move setsched to sandbox_x_domain, so firefox can run without network access - Allow hddtemp to read removable devices - Adding syslog and read_policy permissions to policy * syslog Allow unconfined, sysadm_t, secadm_t, logadm_t * read_policy allow unconfined, sysadm_t, secadm_t, staff_t on Targeted allow sysadm_t (optionally), secadm_t on MLS - mdadm application will write into /sys/.../uevent whenever arrays are assembled or disassembled.- Add tcsd policy- ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resoueces - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory- Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs- Allow nagios plugin to read /proc/meminfo - Fix for mozilla_plugin - Allow samba_net_t to create /etc/keytab - pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t - nslcd can read user credentials - Allow nsplugin to delete mozilla_plugin_tmpfs_t - abrt tries to create dir in rpm_var_lib_t - virt relabels fifo_files - sshd needs to manage content in fusefs homedir - mock manages link files in cache dir- nslcd needs setsched and to read /usr/tmp - Invalid call in likewise policy ends up creating a bogus role - Cannon puts content into /var/lib/bjlib that cups needs to be able to write - Allow screen to create screen_home_t in /root - dirsrv sends syslog messages - pinentry reads stuff in .kde directory - Add labels for .kde directory in homedir - Treat irpinit, iprupdate, iprdump services with raid policy- NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead - Remove permissive domains - Allow newrole to run namespace_init- Add sepgsql_contexts file- Update to upstream- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - Add puppetmaster_use_db boolean - Fixes for zarafa policy - Fixes for gnomeclock poliy - Fix systemd-tmpfiles to use auth_use_nsswitch- gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyinstatiated homedir - Fixes for namespace policy and other fixes related to polyinstantiation - Add namespace policy - Allow dovecot-deliver transition to sendmail which is needed by sieve scripts - Fixes for init, psad policy which relate with confined users - Do not audit bootloader attempts to read devicekit pid files - Allow nagios service plugins to read /proc- Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix duplicate grub def in cobbler - Chrony sends mail, executes shell, uses fifo_file and reads /proc - devicekitdisk getattr all file systems - sambd daemon writes wtmp file - libvirt transitions to dmidecode- Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config- Gnome apps list config_home_t - mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk- Allow xdm and syslog to use /var/log/boot.log - Allow users to communicate with mozilla_plugin and kill it - Add labeling for ipv6 and dhcp- New labels for ghc http content - nsplugin_config needs to read urand, lvm now calls setfscreate to create dev - pm-suspend now creates log file for append access so we remove devicekit_wri - Change authlogin_use_sssd to authlogin_nsswitch_use_ldap - Fixes for greylist_milter policy- Update to upstream - Fixes for systemd policy - Fixes for passenger policy - Allow staff users to run mysqld in the staff_t domain, akonadi needs this - Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py - auth_use_nsswitch does not need avahi to read passwords,needed for resolving data - Dontaudit (xdm_t) gok attempting to list contents of /var/account - Telepathy domains need to read urand - Need interface to getattr all file classes in a mock library for setroubleshoot- Update selinux policy to handle new /usr/share/sandbox/start script- Update to upstream - Fix version of policy in spec file- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs - remove per sandbox domains devpts types - Allow dkim-milter sending signal to itself- Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t - Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup- Turn on systemd policy - mozilla_plugin needs to read certs in the homedir. - Dontaudit leaked file descriptors from devicekit - Fix ircssi to use auth_use_nsswitch - Change to use interface without param in corenet to disable unlabelednet packets - Allow init to relabel sockets and fifo files in /dev - certmonger needs dac* capabilities to manage cert files not owned by root - dovecot needs fsetid to change group membership on mail - plymouthd removes /var/log/boot.log - systemd is creating symlinks in /dev - Change label on /etc/httpd/alias to be all cert_t- Fixes for clamscan and boinc policy - Add boinc_project_t setpgid - Allow alsa to create tmp files in /tmp- Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy- Fixes for lvm to work with systemd- Fix the label for wicd log - plymouthd creates force-display-on-active-vt file - Allow avahi to request the kernel to load a module - Dontaudit hal leaks - Fix gnome_manage_data interface - Add new interface corenet_packet to define a type as being an packet_type. - Removed general access to packet_type from icecast and squid. - Allow mpd to read alsa config - Fix the label for wicd log - Add systemd policy- Fix gnome_manage_data interface - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy- Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools - Allow init to setattr on logfile directories - Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t- Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolean by default - Allow sysadmin to dbus chat with rpm - Add interface for rw_tpm_dev - Allow cron to execute bin - fsadm needs to write sysfs - Dontaudit consoletype reading /var/run/pm-utils - Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin - certmonger needs to manage dirsrv data - /var/run/pm-utils should be labeled as devicekit_var_run_t- fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Allow dovecot to listem on lmtp and sieve ports - Allov ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell- Remove duplicate declaration- Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types- Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0- Put back in lircd_etc_t so policy will install- Turn on allow_postfix_local_write_mail_spool - Allow initrc_t to transition to shutdown_t - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Login programs have to read /etc/samba - New programs under /lib/systemd - Abrt needs to read config files- Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs- Allow nagios plugins to read usr files - Allow mysqld-safe to send system log messages - Fixes fpr ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp - Fix xserver interface - Fix definition of /var/run/lxdm- Turn on mediawiki policy - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap- Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow mpd to be able to read samba/nfs files- Fix up corecommands.fc to match upstream - Make sure /lib/systemd/* is labeled init_exec_t - mount wants to setattr on all mountpoints - dovecot auth wants to read dovecot etc files - nscd daemon looks at the exe file of the comunicating daemon - openvpn wants to read utmp file - postfix apps now set sys_nice and lower limits - remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly - Also resolves nsswitch - Fix labels on /etc/hosts.* - Cleanup to make upsteam patch work - allow abrt to read etc_runtime_t- Add conflicts for dirsrv package- Update to upstream - Add vlock policy- Fix sandbox to work on nfs homedirs - Allow cdrecord to setrlimit - Allow mozilla_plugin to read xauth - Change label on systemd-logger to syslogd_exec_t - Install dirsrv policy from dirsrv package- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it - Udev needs to stream connect to init and kernel - Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory- Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon- Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/*- Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot- Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. - Allow devicekit_power to domtrans to mount - Allow dhcp to bind to udp ports > 1024 to do named stuff - Allow ssh_t to exec ssh_exec_t - Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used - Fix clamav_append_log() intefaces - Fix 'psad_rw_fifo_file' interface- Allow cobblerd to list cobler appache content- Fixup for the latest version of upowed - Dontaudit sandbox sending SIGNULL to desktop apps- Update to upstream-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access - dovecot-auth_t needs ipc_lock - gpm needs to use the user terminal - Allow system_mail_t to append ~/dead.letter - Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf - Add pid file to vnstatd - Allow mount to communicate with gfs_controld - Dontaudit hal leaks in setfiles- Lots of fixes for systemd - systemd now executes readahead and tmpwatch type scripts - Needs to manage random seed- Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream- Fix fusefs handling - Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to connecto its parent - Allow init_t to connect to plymouthd running as kernel_t - Add mediawiki policy - dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. - Disable transition from dbus_session_domain to telepathy for F14 - Allow boinc_project to use shm - Allow certmonger to search through directories that contain certs - Allow fail2ban the DAC Override so it can read log files owned by non root users- Start adding support for use_fusefs_home_dirs - Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanger and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeld samba_share_t- Dontaudit attempts by xdm_t to write to bin_t for kdm - Allow initrc_t to manage system_conf_t- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory. - Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets - Allow confined users to read xdm_etc_t files - Allow xdm_t to transition to xauth_t for lxdm program- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home - Allow clamd to send signals to itself - Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm. - Allow haze to connect to yahoo chat and messenger port tcp:5050. Bz #637339 - Allow guest to run ps command on its processes by allowing it to read /proc - Allow firewallgui to sys_rawio which seems to be required to setup masqerading - Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba. - Add label for /var/log/slim.log- Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota to do quotamod- Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files - Lots of fixes for consolehelper- Fix up Xguest policy- Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t- Update to upstream- Add the ability to send audit messages to confined admin policies - Remove permissive domain from cmirrord and dontaudit sys_tty_config - Split out unconfined_domain() calls from other unconfined_ calls so we can d - virt needs to be able to read processes to clearance for MLS- Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages- Update to upstream- Allow mdadm_t to create files and sock files in /dev/md/- Add policy for ajaxterm- Handle /var/db/sudo - Allow pulseaudio to read alsa config - Allow init to send initrc_t dbus messagesAllow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr intd label vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chat Allow telepath_msn to execute ldconfig and its own tmp files Fix labels on hugepages Allow mdadm to read files on /dev Remove permissive domains and change back to unconfined Allow freshclam to execute shell and bin_t Allow devicekit_power to transition to dhcpc Add boolean to allow icecast to connect to any port- Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs - Allow certmaster to read usr_t files - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm- Allow mdadm_t to read/write hugetlbfs- Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and prelink- Merge with upstream- More access needed for devicekit - Add dbadm policy- Merge with upstream- Allow seunshare to fowner- Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs- Update policy for mozilla_plugin_t- Allow clamscan to read proc_t - Allow mount_t to write to debufs_t dir - Dontaudit mount_t trying to write to security_t dir- Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container- Fix /root/.forward definition- label dead.letter as mail_home_t- Allow login programs to search /cgroups- Fix cert handling- Fix devicekit_power bug - Allow policykit_auth_t more access.- Fix nis calls to allow bind to ports 512-1024 - Fix smartmon- Allow pcscd to read sysfs - systemd fixes - Fix wine_mmap_zero_ignore boolean- Apply Miroslav munin patch - Turn back on allow_execmem and allow_execmod booleans- Merge in fixes from dgrift repository- Update boinc policy - Fix sysstat policy to allow sys_admin - Change failsafe_context to unconfined_r:unconfined_t:s0- New paths for upstart- New permissions for syslog - New labels for /lib/upstart- Add mojomojo policy- Allow systemd to setsockcon on sockets to immitate other services- Remove debugfs label- Update to latest policy- Fix eclipse labeling from IBMSupportAssasstant packageing- Make boot with systemd in enforcing mode- Update to upstream- Add boolean to turn off port forwarding in sshd.- Add support for ebtables - Fixes for rhcs and corosync policy-Update to upstream-Update to upstream-Update to upstream- Add Zarafa policy- Cleanup of aiccu policy - initial mock policy- Lots of random fixes- Update to upstream- Update to upstream - Allow prelink script to signal itself - Cobbler fixes- Add xdm_var_run_t to xserver_stream_connect_xdm - Add cmorrord and mpd policy from Miroslav Grepl- Fix sshd creation of krb cc files for users to be user_tmp_t- Fixes for accountsdialog - Fixes for boinc- Fix label on /var/lib/dokwiki - Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls- Update to upstream- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t - Fix /var/run/abrtd.lock label- Allow login programs to read krb5_home_t Resolves: 594833 - Add obsoletes for cachefilesfd-selinux package Resolves: #575084- Allow mount to r/w abrt fifo file - Allow svirt_t to getattr on hugetlbfs - Allow abrt to create a directory under /var/spool- Add labels for /sys - Allow sshd to getattr on shutdown - Fixes for munin - Allow sssd to use the kernel key ring - Allow tor to send syslog messages - Allow iptabels to read usr files - allow policykit to read all domains state- Fix path for /var/spool/abrt - Allow nfs_t as an entrypoint for http_sys_script_t - Add policy for piranha - Lots of fixes for sosreport- Allow xm_t to read network state and get and set capabilities - Allow policykit to getattr all processes - Allow denyhosts to connect to tcp port 9911 - Allow pyranha to use raw ip sockets and ptrace itself - Allow unconfined_execmem_t and gconfsd mechanism to dbus - Allow staff to kill ping process - Add additional MLS rules- Allow gdm to edit ~/.gconf dir Resolves: #590677 - Allow dovecot to create directories in /var/lib/dovecot Partially resolves 590224 - Allow avahi to dbus chat with NetworkManager - Fix cobbler labels - Dontaudit iceauth_t leaks - fix /var/lib/lxdm file context - Allow aiccu to use tun tap devices - Dontaudit shutdown using xserver.log- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory - Add dontaudit interface for bluetooth dbus - Add chronyd_read_keys, append_keys for initrc_t - Add log support for ksmtuned Resolves: #586663- Allow boinc to send mail- Allow initrc_t to remove dhcpc_state_t - Fix label on sa-update.cron - Allow dhcpc to restart chrony initrc - Don't allow sandbox to send signals to its parent processes - Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t Resolves: #589136- Fix location of oddjob_mkhomedir Resolves: #587385 - fix labeling on /root/.shosts and ~/.shosts - Allow ipsec_mgmt_t to manage net_conf_t Resolves: #586760- Dontaudit sandbox trying to connect to netlink sockets Resolves: #587609 - Add policy for piranha- Fixups for xguest policy - Fixes for running sandbox firefox- Allow ksmtuned to use terminals Resolves: #586663 - Allow lircd to write to generic usb devices- Allow sandbox_xserver to connectto unconfined stream Resolves: #585171- Allow initrc_t to read slapd_db_t Resolves: #585476 - Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf Resolves: #585963- Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t - Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work- Allow virtd_t to manage firewall/iptables config Resolves: #573585- Fix label on /root/.rhosts Resolves: #582760 - Add labels for Picasa - Allow openvpn to read home certs - Allow plymouthd_t to use tty_device_t - Run ncftool as iptables_t - Allow mount to unmount unlabeled_t - Dontaudit hal leaks- Allow livecd to transition to mount- Update to upstream - Allow abrt to delete sosreport Resolves: #579998 - Allow snmp to setuid and gid Resolves: #582155 - Allow smartd to use generic scsi devices Resolves: #582145- Allow ipsec_t to create /etc/resolv.conf with the correct label - Fix reserved port destination - Allow autofs to transition to showmount - Stop crashing tuned- Add telepathysofiasip policy- Update to upstream - Fix label for /opt/google/chrome/chrome-sandbox - Allow modemmanager to dbus with policykit- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) - Allow accountsd to read shadow file - Allow apache to send audit messages when using pam - Allow asterisk to bind and connect to sip tcp ports - Fixes for dovecot 2.0 - Allow initrc_t to setattr on milter directories - Add procmail_home_t for .procmailrc file- Fixes for labels during install from livecd- Fix /cgroup file context - Fix broken afs use of unlabled_t - Allow getty to use the console for s390- Fix cgroup handling adding policy for /cgroup - Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set- Merge patches from dgrift- Update upstream - Allow abrt to write to the /proc under any process- Fix ~/.fontconfig label - Add /root/.cert label - Allow reading of the fixed_file_disk_t:lnk_file if you can read file - Allow qemu_exec_t as an entrypoint to svirt_t- Update to upstream - Allow tmpreaper to delete sandbox sock files - Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems - Fixes for gitosis - No transition on livecd to passwd or chfn - Fixes for denyhosts- Add label for /var/lib/upower - Allow logrotate to run sssd - dontaudit readahead on tmpfs blk files - Allow tmpreaper to setattr on sandbox files - Allow confined users to execute dos files - Allow sysadm_t to kill processes running within its clearance - Add accountsd policy - Fixes for corosync policy - Fixes from crontab policy - Allow svirt to manage svirt_image_t chr files - Fixes for qdisk policy - Fixes for sssd policy - Fixes for newrole policy- make libvirt work on an MLS platform- Add qpidd policy- Update to upstream- Allow boinc to read kernel sysctl - Fix snmp port definitions - Allow apache to read anon_inodefs- Allow shutdown dac_override- Add device_t as a file system - Fix sysfs association- Dontaudit ipsec_mgmt sys_ptrace - Allow at to mail its spool files - Allow nsplugin to search in .pulse directory- Update to upstream- Allow users to dbus chat with xdm - Allow users to r/w wireless_device_t - Dontaudit reading of process states by ipsec_mgmt- Fix openoffice from unconfined_t- Add shutdown policy so consolekit can shutdown system- Update to upstream- Update to upstream- Update to upstream - These are merges of my patches - Remove 389 labeling conflicts - Add MLS fixes found in RHEL6 testing - Allow pulseaudio to run as a service - Add label for mssql and allow apache to connect to this database port if boolean set - Dontaudit searches of debugfs mount point - Allow policykit_auth to send signals to itself - Allow modcluster to call getpwnam - Allow swat to signal winbind - Allow usbmux to run as a system role - Allow svirt to create and use devpts- Add MLS fixes found in RHEL6 testing - Allow domains to append to rpm_tmp_t - Add cachefilesfd policy - Dontaudit leaks when transitioning- Change allow_execstack and allow_execmem booleans to on - dontaudit acct using console - Add label for fping - Allow tmpreaper to delete sandbox_file_t - Fix wine dontaudit mmap_zero - Allow abrt to read var_t symlinks- Additional policy for rgmanager- Allow sshd to setattr on pseudo terms- Update to upstream- Allow policykit to send itself signals- Fix duplicate cobbler definition- Fix file context of /var/lib/avahi-autoipd- Merge with upstream- Allow sandbox to work with MLS- Make Chrome work with staff user- Add icecast policy - Cleanup spec file- Add mcelog policy- Lots of fixes found in F12- Fix rpm_dontaudit_leaks- Add getsched to hald_t - Add file context for Fedora/Redhat Directory Server- Allow abrt_helper to getattr on all filesystems - Add label for /opt/real/RealPlayer/plugins/oggfformat\.so- Add gstreamer_home_t for ~/.gstreamer- Update to upstream- Fix git- Turn on puppet policy - Update to dgrift git policy- Move users file to selection by spec file. - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t- Update to upstream- Remove most of the permissive domains from F12.- Add cobbler policy from dgrift- add usbmon device - Add allow rulse for devicekit_disk- Lots of fixes found in F12, fixes from Tom London- Cleanups from dgrift- Add back xserver_manage_home_fonts- Dontaudit sandbox trying to read nscd and sssd- Update to upstream- Rename udisks-daemon back to devicekit_disk_t policy- Fixes for abrt calls- Add tgtd policy- Update to upstream release- Add asterisk policy back in - Update to upstream release 2.20091117- Update to upstream release 2.20091117- Fixup nut policy- Update to upstream- Allow vpnc request the kernel to load modules- Fix minimum policy installs - Allow udev and rpcbind to request the kernel to load modules- Add plymouth policy - Allow local_login to sys_admin- Allow cupsd_config to read user tmp - Allow snmpd_t to signal itself - Allow sysstat_t to makedir in sysstat_log_t- Update rhcs policy- Allow users to exec restorecond- Allow sendmail to request kernel modules load- Fix all kernel_request_load_module domains- Fix all kernel_request_load_module domains- Remove allow_exec* booleans for confined users. Only available for unconfined_t- More fixes for sandbox_web_t- Allow sshd to create .ssh directory and content- Fix request_module line to module_request- Fix sandbox policy to allow it to run under firefox. - Dont audit leaks.- Fixes for sandbox- Update to upstream - Dontaudit nsplugin search /root - Dontaudit nsplugin sys_nice- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service - Remove policycoreutils-python requirement except for minimum- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files - Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)- Add wordpress/wp-content/uploads label - Fixes for sandbox when run from staff_t- Update to upstream - Fixes for devicekit_disk- More fixes- Lots of fixes for initrc and other unconfined domains- Allow xserver to use netlink_kobject_uevent_socket- Fixes for sandbox- Dontaudit setroubleshootfix looking at /root directory- Update to upsteam- Allow gssd to send signals to users - Fix duplicate label for apache content- Update to upstream- Remove polkit_auth on upgrades- Add back in unconfined.pp and unconfineduser.pp - Add Sandbox unshare- Fixes for cdrecord, mdadm, and others- Add capability setting to dhcpc and gpm- Allow cronjobs to read exim_spool_t- Add ABRT policy- Fix system-config-services policy- Allow libvirt to change user componant of virt_domain- Allow cupsd_config_t to be started by dbus - Add smoltclient policy- Add policycoreutils-python to pre install- Make all unconfined_domains permissive so we can see what AVC's happen- Add pt_chown policy- Add kdump policy for Miroslav Grepl - Turn off execstack boolean- Turn on execstack on a temporary basis (#512845)- Allow nsplugin to connecto the session bus - Allow samba_net to write to coolkey data- Allow devicekit_disk to list inotify- Allow svirt images to create sock_file in svirt_var_run_t- Allow exim to getattr on mountpoints - Fixes for pulseaudio- Allow svirt_t to stream_connect to virtd_t- Allod hald_dccm_t to create sock_files in /tmp- More fixes from upstream- Fix polkit label - Remove hidebrokensymptoms for nss_ldap fix - Add modemmanager policy - Lots of merges from upstream - Begin removing textrel_shlib_t labels, from fixed libraries- Update to upstream- Allow certmaster to override dac permissions- Update to upstream- Fix context for VirtualBox- Update to upstream- Allow clamscan read amavis spool files- Fixes for xguest- fix multiple directory ownership of mandirs- Update to upstream- Add rules for rtkit-daemon- Update to upstream - Fix nlscd_stream_connect- Add rtkit policy- Allow rpcd_t to stream connect to rpcbind- Allow kpropd to create tmp files- Fix last duplicate /var/log/rpmpkgs- Update to upstream * add sssd- Update to upstream * cleanup- Update to upstream - Additional mail ports - Add virt_use_usb boolean for svirt- Fix mcs rules to include chr_file and blk_file- Add label for udev-acl- Additional rules for consolekit/udev, privoxy and various other fixes- New version for upstream- Allow NetworkManager to read inotifyfs- Allow setroubleshoot to run mlocate- Update to upstream- Add fish as a shell - Allow fprintd to list usbfs_t - Allow consolekit to search mountpoints - Add proper labeling for shorewall- New log file for vmware - Allow xdm to setattr on user_tmp_t- Upgrade to upstream- Allow fprintd to access sys_ptrace - Add sandbox policy- Add varnishd policy- Fixes for kpropd- Allow brctl to r/w tun_tap_device_t- Add /usr/share/selinux/packages- Allow rpcd_t to send signals to kernel threads- Fix upgrade for F10 to F11- Add policy for /var/lib/fprint-Remove duplicate line- Allow svirt to manage pci and other sysfs device data- Fix package selection handling- Fix /sbin/ip6tables-save context - Allod udev to transition to mount - Fix loading of mls policy file- Add shorewall policy- Additional rules for fprintd and sssd- Allow nsplugin to unix_read unix_write sem for unconfined_java- Fix uml files to be owned by users- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less- Allow confined users to manage virt_content_t, since this is home dir content - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection- Fix labeling on /var/lib/misc/prelink* - Allow xserver to rw_shm_perms with all x_clients - Allow prelink to execute files in the users home directory- Allow initrc_t to delete dev_null - Allow readahead to configure auditing - Fix milter policy - Add /var/lib/readahead- Update to latest milter code from Paul Howarth- Additional perms for readahead- Allow pulseaudio to acquire_svc on session bus - Fix readahead labeling- Allow sysadm_t to run rpm directly - libvirt needs fowner- Allow sshd to read var_lib symlinks for freenx- Allow nsplugin unix_read and write on users shm and sem - Allow sysadm_t to execute su- Dontaudit attempts to getattr user_tmpfs_t by lvm - Allow nfs to share removable media- Add ability to run postdrop from confined users- Fixes for podsleuth- Turn off nsplugin transition - Remove Konsole leaked file descriptors for release- Allow cupsd_t to create link files in print_spool_t - Fix iscsi_stream_connect typo - Fix labeling on /etc/acpi/actions - Don't reinstall unconfine and unconfineuser on upgrade if they are not installed- Allow audioentroy to read etc files- Add fail2ban_var_lib_t - Fixes for devicekit_power_t- Separate out the ucnonfined user from the unconfined.pp package- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.- Upgrade to latest upstream - Allow devicekit_disk sys_rawio- Dontaudit binds to ports < 1024 for named - Upgrade to latest upstream- Allow podsleuth to use tmpfs files- Add customizable_types for svirt- Allow setroubelshoot exec* privs to prevent crash from bad libraries - add cpufreqselector- Dontaudit listing of /root directory for cron system jobs- Fix missing ld.so.cache label- Add label for ~/.forward and /root/.forward- Fixes for svirt- Fixes to allow svirt read iso files in homedir- Add xenner and wine fixes from mgrepl- Allow mdadm to read/write mls override- Change to svirt to only access svirt_image_t- Fix libvirt policy- Upgrade to latest upstream- Fixes for iscsid and sssd - More cleanups for upgrade from F10 to Rawhide.- Add pulseaudio, sssd policy - Allow networkmanager to exec udevadm- Add pulseaudio context- Upgrade to latest patches- Fixes for libvirt- Update to Latest upstream- Fix setrans.conf to show SystemLow for s0- Further confinement of qemu images via svirt- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild- Allow NetworkManager to manage /etc/NetworkManager/system-connections- add virtual_image_context and virtual_domain_context files- Allow rpcd_t to send signal to mount_t - Allow libvirtd to run ranged- Fix sysnet/net_conf_t- Fix squidGuard labeling- Re-add corenet_in_generic_if(unlabeled_t)* Tue Feb 10 2009 Dan Walsh 3.6.5-2 - Add git web policy- Add setrans contains from upstream- Do transitions outside of the booleans- Allow xdm to create user_tmp_t sockets for switch user to work- Fix staff_t domain- Grab remainder of network_peer_controls patch- More fixes for devicekit- Upgrade to latest upstream- Add boolean to disallow unconfined_t login- Add back transition from xguest to mozilla- Add virt_content_ro_t and labeling for isos directory- Fixes for wicd daemon- More mls/rpm fixes- Add policy to make dbus/nm-applet work- Remove polgen-ifgen from post and add trigger to policycoreutils-python- Add wm policy - Make mls work in graphics mode- Fixed for DeviceKit- Add devicekit policy- Update to upstream- Define openoffice as an x_domain- Fixes for reading xserver_tmp_t- Allow cups_pdf_t write to nfs_t- Remove audio_entropy policy- Update to upstream- Allow hal_acl_t to getattr/setattr fixed_disk- Change userdom_read_all_users_state to include reading symbolic links in /proc- Fix dbus reading /proc information- Add missing alias for home directory content- Fixes for IBM java location- Allow unconfined_r unconfined_java_t- Add cron_role back to user domains- Fix sudo setting of user keys- Allow iptables to talk to terminals - Fixes for policy kit - lots of fixes for booting.- Cleanup policy- Rebuild for Python 2.6- Fix labeling on /var/spool/rsyslog- Allow postgresl to bind to udp nodes- Allow lvm to dbus chat with hal - Allow rlogind to read nfs_t- Fix cyphesis file context- Allow hal/pm-utils to look at /var/run/video.rom - Add ulogd policy- Additional fixes for cyphesis - Fix certmaster file context - Add policy for system-config-samba - Allow hal to read /var/run/video.rom- Allow dhcpc to restart ypbind - Fixup labeling in /var/run- Add certmaster policy- Fix confined users - Allow xguest to read/write xguest_dbusd_t- Allow openoffice execstack/execmem privs- Allow mozilla to run with unconfined_execmem_t- Dontaudit domains trying to write to .xsession-errors- Allow nsplugin to look at autofs_t directory- Allow kerneloops to create tmp files- More alias for fastcgi- Remove mod_fcgid-selinux package- Fix dovecot access- Policy cleanup- Remove Multiple spec - Add include - Fix makefile to not call per_role_expansion- Fix labeling of libGL- Update to upstream- Update to upstream policy- Fixes for confined xwindows and xdm_t- Allow confined users and xdm to exec wm - Allow nsplugin to talk to fifo files on nfs- Allow NetworkManager to transition to avahi and iptables - Allow domains to search other domains keys, coverup kernel bug- Fix labeling for oracle- Allow nsplugin to comminicate with xdm_tmp_t sock_file- Change all user tmpfs_t files to be labeled user_tmpfs_t - Allow radiusd to create sock_files- Upgrade to upstream- Allow confined users to login with dbus- Fix transition to nsplugin- Add file context for /dev/mspblk.*- Fix transition to nsplugin '- Fix labeling on new pm*log - Allow ssh to bind to all nodes- Merge upstream changes - Add Xavier Toth patches- Add qemu_cache_t for /var/cache/libvirt- Remove gamin policy- Add tinyxs-max file system support- Update to upstream - New handling of init scripts- Allow pcsd to dbus - Add memcache policy- Allow audit dispatcher to kill his children- Update to upstream - Fix crontab use by unconfined user- Allow ifconfig_t to read dhcpc_state_t- Update to upstream- Update to upstream- Allow system-config-selinux to work with policykit- Fix novel labeling- Consolodate pyzor,spamassassin, razor into one security domain - Fix xdm requiring additional perms.- Fixes for logrotate, alsa- Eliminate vbetool duplicate entry- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t - Change dhclient to be able to red networkmanager_var_run- Update to latest refpolicy - Fix libsemanage initial install bug- Add inotify support to nscd- Allow unconfined_t to setfcap- Allow amanda to read tape - Allow prewikka cgi to use syslog, allow audisp_t to signal cgi - Add support for netware file systems- Allow ypbind apps to net_bind_service- Allow all system domains and application domains to append to any log file- Allow gdm to read rpm database - Allow nsplugin to read mplayer config files- Allow vpnc to run ifconfig- Allow confined users to use postgres - Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server- Apply unconfined_execmem_exec_t to haskell programs- Fix prelude file context- allow hplip to talk dbus - Fix context on ~/.local dir- Prevent applications from reading x_device- Add /var/lib/selinux context- Update to upstream- Add livecd policy- Dontaudit search of admin_home for init_system_domain - Rewrite of xace interfaces - Lots of new fs_list_inotify - Allow livecd to transition to setfiles_mac- Begin XAce integration- Merge Upstream- Allow amanada to create data files- Fix initial install, semanage setup- Allow system_r for httpd_unconfined_script_t- Remove dmesg boolean - Allow user domains to read/write game data- Change unconfined_t to transition to unconfined_mono_t when running mono - Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work- Remove old booleans from targeted-booleans.conf file- Add boolean to mmap_zero - allow tor setgid - Allow gnomeclock to set clock- Don't run crontab from unconfined_t- Change etc files to config files to allow users to read them- Lots of fixes for confined domains on NFS_t homedir- dontaudit mrtg reading /proc - Allow iscsi to signal itself - Allow gnomeclock sys_ptrace- Allow dhcpd to read kernel network state- Label /var/run/gdm correctly - Fix unconfined_u user creation- Allow transition from initrc_t to getty_t- Allow passwd to communicate with user sockets to change gnome-keyring- Fix initial install- Allow radvd to use fifo_file - dontaudit setfiles reading links - allow semanage sys_resource - add allow_httpd_mod_auth_ntlm_winbind boolean - Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set- Allow nsplugin to read /etc/mozpluggerrc, user_fonts - Allow syslog to manage innd logs. - Allow procmail to ioctl spamd_exec_t- Allow initrc_t to dbus chat with consolekit.- Additional access for nsplugin - Allow xdm setcap/getcap until pulseaudio is fixed- Allow mount to mkdir on tmpfs - Allow ifconfig to search debugfs- Fix file context for MATLAB - Fixes for xace- Allow stunnel to transition to inetd children domains - Make unconfined_dbusd_t an unconfined domain- Fixes for qemu/virtd- Fix bug in mozilla policy to allow xguest transition - This will fix the libsemanage.dbase_llist_query: could not find record value libsemanage.dbase_llist_query: could not query record value (No such file or directory) bug in xguest- Allow nsplugin to run acroread- Add cups_pdf policy - Add openoffice policy to run in xguest- prewika needs to contact mysql - Allow syslog to read system_map files- Change init_t to an unconfined_domain- Allow init to transition to initrc_t on shell exec. - Fix init to be able to sendto init_t. - Allow syslog to connect to mysql - Allow lvm to manage its own fifo_files - Allow bugzilla to use ldap - More mls fixes- fixes for init policy (#436988) - fix build- Additional changes for MLS policy- Fix initrc_context generation for MLS- Fixes for libvirt- Allow bitlebee to read locale_t- More xselinux rules- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t- Prepare policy for beta release - Change some of the system domains back to unconfined - Turn on some of the booleans- Allow nsplugin_config execstack/execmem - Allow nsplugin_t to read alsa config - Change apache to use user content- Add cyphesis policy- Fix Makefile.devel to build mls modules - Fix qemu to be more specific on labeling- Update to upstream fixes- Allow staff to mounton user_home_t- Add xace support- Add fusectl file system- Fixes from yum-cron - Update to latest upstream- Fix userdom_list_user_files- Merge with upstream- Allow udev to send audit messages- Add additional login users interfaces - userdom_admin_login_user_template(staff)- More fixes for polkit- Eliminate transition from unconfined_t to qemu by default - Fixes for gpg- Update to upstream- Fixes for staff_t- Add policy for kerneloops - Add policy for gnomeclock- Fixes for libvirt- Fixes for nsplugin- More fixes for qemu- Additional ports for vnc and allow qemu and libvirt to search all directories- Update to upstream - Add libvirt policy - add qemu policy- Allow fail2ban to create a socket in /var/run- Allow allow_httpd_mod_auth_pam to work- Add audisp policy and prelude- Allow all user roles to executae samba net command- Allow usertypes to read/write noxattr file systems- Fix nsplugin to allow flashplugin to work in enforcing mode- Allow pam_selinux_permit to kill all processes- Allow ptrace or user processes by users of same type - Add boolean for transition to nsplugin- Allow nsplugin sys_nice, getsched, setsched- Allow login programs to talk dbus to oddjob- Add procmail_log support - Lots of fixes for munin- Allow setroubleshoot to read policy config and send audit messages- Allow users to execute all files in homedir, if boolean set - Allow mount to read samba config- Fixes for xguest to run java plugin- dontaudit pam_t and dbusd writing to user_home_t- Update gpg to allow reading of inotify- Change user and staff roles to work correctly with varied perms- Fix munin log, - Eliminate duplicate mozilla file context - fix wpa_supplicant spec- Fix role transition from unconfined_r to system_r when running rpm - Allow unconfined_domains to communicate with user dbus instances- Fixes for xguest- Let all uncofined domains communicate with dbus unconfined- Run rpm in system_r- Zero out customizable types- Fix definiton of admin_home_t- Fix munin file context- Allow cron to run unconfined apps- Modify default login to unconfined_u- Dontaudit dbus user client search of /root- Update to upstream- Fixes for polkit - Allow xserver to ptrace- Add polkit policy - Symplify userdom context, remove automatic per_role changes- Update to upstream - Allow httpd_sys_script_t to search users homedirs- Allow rpm_script to transition to unconfined_execmem_t- Remove user based home directory separation- Remove user specific crond_t- Merge with upstream - Allow xsever to read hwdata_t - Allow login programs to setkeycreate- Update to upstream- Update to upstream- Allow XServer to read /proc/self/cmdline - Fix unconfined cron jobs - Allow fetchmail to transition to procmail - Fixes for hald_mac - Allow system_mail to transition to exim - Allow tftpd to upload files - Allow xdm to manage unconfined_tmp - Allow udef to read alsa config - Fix xguest to be able to connect to sound port- Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir - dontaudit rhgb writes to fonts and root- Fix dnsmasq - Allow rshd full login privs- Allow rshd to connect to ports > 1023- Fix vpn to bind to port 4500 - Allow ssh to create shm - Add Kismet policy- Allow rpm to chat with networkmanager- Fixes for ipsec and exim mail - Change default to unconfined user- Pass the UNK_PERMS param to makefile - Fix gdm location- Make alsa work- Fixes for consolekit and startx sessions- Dontaudit consoletype talking to unconfined_t- Remove homedir_template- Check asound.state- Fix exim policy- Allow tmpreadper to read man_t - Allow racoon to bind to all nodes - Fixes for finger print reader- Allow xdm to talk to input device (fingerprint reader) - Allow octave to run as java- Allow login programs to set ioctl on /proc- Allow nsswitch apps to read samba_var_t- Fix maxima- Eliminate rpm_t:fifo_file avcs - Fix dbus path for helper app- Fix service start stop terminal avc's- Allow also to search var_lib - New context for dbus launcher- Allow cupsd_config_t to read/write usb_device_t - Support for finger print reader, - Many fixes for clvmd - dbus starting networkmanager- Fix java and mono to run in xguest account- Fix to add xguest account when inititial install - Allow mono, java, wine to run in userdomains- Allow xserver to search devpts_t - Dontaudit ldconfig output to homedir- Remove hplip_etc_t change back to etc_t.- Allow cron to search nfs and samba homedirs- Allow NetworkManager to dbus chat with yum-updated- Allow xfs to bind to port 7100- Allow newalias/sendmail dac_override - Allow bind to bind to all udp ports- Turn off direct transition- Allow wine to run in system role- Fix java labeling- Define user_home_type as home_type- Allow sendmail to create etc_aliases_t- Allow login programs to read symlinks on homedirs- Update an readd modules- Cleanup spec file- Allow xserver to be started by unconfined process and talk to tty- Upgrade to upstream to grab postgressql changes- Add setransd for mls policy- Add ldconfig_cache_t- Allow sshd to write to proc_t for afs login- Allow xserver access to urand- allow dovecot to search mountpoints- Fix Makefile for building policy modules- Fix dhcpc startup of service- Fix dbus chat to not happen for xguest and guest users- Fix nagios cgi - allow squid to communicate with winbind- Fixes for ldconfig- Update from upstream- Add nasd support- Fix new usb devices and dmfm- Eliminate mount_ntfs_t policy, merge into mount_t- Allow xserver to write to ramfs mounted by rhgb- Add context for dbus machine id- Update with latest changes from upstream- Fix prelink to handle execmod- Add ntpd_key_t to handle secret data- Add anon_inodefs - Allow unpriv user exec pam_exec_t - Fix trigger- Allow cups to use generic usb - fix inetd to be able to run random apps (git)- Add proper contexts for rsyslogd- Fixes for xguest policy- Allow execution of gconf- Fix moilscanner update problem- Begin adding policy to separate setsebool from semanage - Fix xserver.if definition to not break sepolgen.if- Add new devices- Add brctl policy- Fix root login to include system_r- Allow prelink to read kernel sysctls- Default to user_u:system_r:unconfined_t- fix squid - Fix rpm running as uid- Fix syslog declaration- Allow avahi to access inotify - Remove a lot of bogus security_t:filesystem avcs- Remove ifdef strict policy from upstream- Remove ifdef strict to allow user_u to login- Fix for amands - Allow semanage to read pp files - Allow rhgb to read xdm_xserver_tmp- Allow kerberos servers to use ldap for backing store- allow alsactl to read kernel state- More fixes for alsactl - Transition from hal and modutils - Fixes for suspend resume. - insmod domtrans to alsactl - insmod writes to hal log- Allow unconfined_t to transition to NetworkManager_t - Fix netlabel policy- Update to latest from upstream- Update to latest from upstream- Update to latest from upstream- Allow pcscd_t to send itself signals- Fixes for unix_update - Fix logwatch to be able to search all dirs- Upstream bumped the version- Allow consolekit to syslog - Allow ntfs to work with hal- Allow iptables to read etc_runtime_t- MLS Fixes- Fix path of /etc/lvm/cache directory - Fixes for alsactl and pppd_t - Fixes for consolekit- Allow insmod_t to mount kvmfs_t filesystems- Rwho policy - Fixes for consolekit- fixes for fusefs- Fix samba_net to allow it to view samba_var_t- Update to upstream- Fix Sonypic backlight - Allow snmp to look at squid_conf_t- Fixes for pyzor, cyrus, consoletype on everything installs- Fix hald_acl_t to be able to getattr/setattr on usb devices - Dontaudit write to unconfined_pipes for load_policy- Allow bluetooth to read inotifyfs- Fixes for samba domain controller. - Allow ConsoleKit to look at ttys- Fix interface call- Allow syslog-ng to read /var - Allow locate to getattr on all filesystems - nscd needs setcap- Update to upstream- Allow samba to run groupadd- Update to upstream- Allow mdadm to access generic scsi devices- Fix labeling on udev.tbl dirs- Fixes for logwatch- Add fusermount and mount_ntfs policy- Update to upstream - Allow saslauthd to use kerberos keytabs- Fixes for samba_var_t- Allow networkmanager to setpgid - Fixes for hal_acl_t- Remove disable_trans booleans - hald_acl_t needs to talk to nscd- Fix prelink to be able to manage usr dirs.- Allow insmod to launch init scripts- Remove setsebool policy- Fix handling of unlabled_t packets- More of my patches from upstream- Update to latest from upstream - Add fail2ban policy- Update to remove security_t:filesystem getattr problems- Policy for consolekit- Update to latest from upstream- Revert Nemiver change - Set sudo as a corecmd so prelink will work, remove sudoedit mapping, since this will not work, it does not transition. - Allow samba to execute useradd- Upgrade to the latest from upstream- Add sepolgen support - Add bugzilla policy- Fix file context for nemiver- Remove include sym link- Allow mozilla, evolution and thunderbird to read dev_random. Resolves: #227002 - Allow spamd to connect to smtp port Resolves: #227184 - Fixes to make ypxfr work Resolves: #227237- Fix ssh_agent to be marked as an executable - Allow Hal to rw sound device- Fix spamassisin so crond can update spam files - Fixes to allow kpasswd to work - Fixes for bluetooth- Remove some targeted diffs in file context file- Fix squid cachemgr labeling- Add ability to generate webadm_t policy - Lots of new interfaces for httpd - Allow sshd to login as unconfined_t- Continue fixing, additional user domains- Begin adding user confinement to targeted policy- Fixes for prelink, ktalkd, netlabel- Allow prelink when run from rpm to create tmp files Resolves: #221865 - Remove file_context for exportfs Resolves: #221181 - Allow spamassassin to create ~/.spamassissin Resolves: #203290 - Allow ssh access to the krb tickets - Allow sshd to change passwd - Stop newrole -l from working on non securetty Resolves: #200110 - Fixes to run prelink in MLS machine Resolves: #221233 - Allow spamassassin to read var_lib_t dir Resolves: #219234- fix mplayer to work under strict policy - Allow iptables to use nscd Resolves: #220794- Add gconf policy and make it work with strict- Many fixes for strict policy and by extension mls.- Fix to allow ftp to bind to ports > 1024 Resolves: #219349- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t Resolves: #219421 - Allow sysadm_lpr_t to manage other print spool jobs Resolves: #220080- allow automount to setgid Resolves: #219999- Allow cron to polyinstatiate - Fix creation of boot flags Resolves: #207433- Fixes for irqbalance Resolves: #219606- Fix vixie-cron to work on mls Resolves: #207433Resolves: #218978- Allow initrc to create files in /var directories Resolves: #219227- More fixes for MLS Resolves: #181566- More Fixes polyinstatiation Resolves: #216184- More Fixes polyinstatiation - Fix handling of keyrings Resolves: #216184- Fix polyinstatiation - Fix pcscd handling of terminal Resolves: #218149 Resolves: #218350- More fixes for quota Resolves: #212957- ncsd needs to use avahi sockets Resolves: #217640 Resolves: #218014- Allow login programs to polyinstatiate homedirs Resolves: #216184 - Allow quotacheck to create database files Resolves: #212957- Dontaudit appending hal_var_lib files Resolves: #217452 Resolves: #217571 Resolves: #217611 Resolves: #217640 Resolves: #217725- Fix context for helix players file_context #216942- Fix load_policy to be able to mls_write_down so it can talk to the terminal- Fixes for hwclock, clamav, ftp- Move to upstream version which accepted my patches- Fixes for nvidia driver- Allow semanage to signal mcstrans- Update to upstream- Allow modstorage to edit /etc/fstab file- Fix for qemu, /dev/- Fix path to realplayer.bin- Allow xen to connect to xen port- Allow cups to search samba_etc_t directory - Allow xend_t to list auto_mountpoints- Allow xen to search automount- Fix spec of jre files- Fix unconfined access to shadow file- Allow xend to create files in xen_image_t directories- Fixes for /var/lib/hal- Remove ability for sysadm_t to look at audit.log- Fix rpc_port_types - Add aide policy for mls- Merge with upstream- Lots of fixes for ricci- Allow xen to read/write fixed devices with a boolean - Allow apache to search /var/log- Fix policygentool specfile problem. - Allow apache to send signals to it's logging helpers. - Resolves: rhbz#212731- Add perms for swat- Add perms for swat- Allow daemons to dump core files to /- Fixes for ricci- Allow mount.nfs to work- Allow ricci-modstorage to look at lvm_etc_t- Fixes for ricci using saslauthd- Allow mountpoint on home_dir_t and home_t- Update xen to read nfs files- Allow noxattrfs to associate with other noxattrfs- Allow hal to use power_device_t- Allow procemail to look at autofs_t - Allow xen_image_t to work as a fixed device- Refupdate from upstream- Add lots of fixes for mls cups- Lots of fixes for ricci- Fix number of cats- Update to upstream- More iSCSI changes for #209854- Test ISCSI fixes for #209854- allow semodule to rmdir selinux_config_t dir- Fix boot_runtime_t problem on ppc. Should not be creating these files.- Fix context mounts on reboot - Fix ccs creation of directory in /var/log- Update for tallylog- Allow xend to rewrite dhcp conf files - Allow mgetty sys_admin capability- Make xentapctrl work- Don't transition unconfined_t to bootloader_t - Fix label in /dev/xen/blktap- Patch for labeled networking- Fix crond handling for mls- Update to upstream- Remove bluetooth-helper transition - Add selinux_validate for semanage - Require new version of libsemanage- Fix prelink- Fix rhgb- Fix setrans handling on MLS and useradd- Support for fuse - fix vigr- Fix dovecot, amanda - Fix mls- Allow java execheap for itanium- Update with upstream- mls fixes- Update from upstream- More fixes for mls - Revert change on automount transition to mount- Fix cron jobs to run under the correct context- Fixes to make pppd work- Multiple policy fixes - Change max categories to 1023- Fix transition on mcstransd- Add /dev/em8300 defs- Upgrade to upstream- Fix ppp connections from network manager- Add tty access to all domains boolean - Fix gnome-pty-helper context for ia64- Fixed typealias of firstboot_rw_t- Fix location of xel log files - Fix handling of sysadm_r -> rpm_exec_t- Fixes for autofs, lp- Update from upstream- Fixup for test6- Update to upstream- Update to upstream- Fix suspend to disk problems- Lots of fixes for restarting daemons at the console.- Fix audit line - Fix requires line- Upgrade to upstream- Fix install problems- Allow setroubleshoot to getattr on all dirs to gather RPM data- Set /usr/lib/ia32el/ia32x_loader to unconfined_execmem_exec_t for ia32 platform - Fix spec for /dev/adsp- Fix xen tty devices- Fixes for setroubleshoot- Update to upstream- Fixes for stunnel and postgresql - Update from upstream- Update from upstream - More java fixes- Change allow_execstack to default to on, for RHEL5 Beta. This is required because of a Java compiler problem. Hope to turn off for next beta- Misc fixes- More fixes for strict policy- Quiet down anaconda audit messages- Fix setroubleshootd- Update to the latest from upstream- More fixes for xen- Fix anaconda transitions- yet more xen rules- more xen rules- Fixes for Samba- Fixes for xen- Allow setroubleshootd to send mail- Add nagios policy- fixes for setroubleshoot- Added Paul Howarth patch to only load policy packages shipped with this package - Allow pidof from initrc to ptrace higher level domains - Allow firstboot to communicate with hal via dbus- Add policy for /var/run/ldapi- Fix setroubleshoot policy- Fixes for mls use of ssh - named has a new conf file- Fixes to make setroubleshoot work- Cups needs to be able to read domain state off of printer client- add boolean to allow zebra to write config files- setroubleshootd fixes- Allow prelink to read bin_t symlink - allow xfs to read random devices - Change gfs to support xattr- Remove spamassassin_can_network boolean- Update to upstream - Fix lpr domain for mls- Add setroubleshoot policy- Turn off auditallow on setting booleans- Multiple fixes- Update to upstream- Update to upstream - Add new class for kernel key ring- Update to upstream- Update to upstream- Break out selinux-devel package- Add ibmasmfs- Fix policygentool gen_requires- Update from Upstream- Fix spec of realplay- Update to upstream- Fix semanage- Allow useradd to create_home_dir in MLS environment- Update from upstream- Update from upstream- Add oprofilefs- Fix for hplip and Picasus- Update to upstream- Update to upstream- fixes for spamd- fixes for java, openldap and webalizer- Xen fixes- Upgrade to upstream- allow hal to read boot_t files - Upgrade to upstream- allow hal to read boot_t files- Update from upstream- Fixes for amavis- Update from upstream- Allow auditctl to search all directories- Add acquire service for mono.- Turn off allow_execmem boolean - Allow ftp dac_override when allowed to access users homedirs- Clean up spec file - Transition from unconfined_t to prelink_t- Allow execution of cvs command- Update to upstream- Update to upstream- Fix libjvm spec- Update to upstream- Add xm policy - Fix policygentool- Update to upstream - Fix postun to only disable selinux on full removal of the packages- Allow mono to chat with unconfined- Allow procmail to sendmail - Allow nfs to share dosfs- Update to latest from upstream - Allow selinux-policy to be removed and kernel not to crash- Update to latest from upstream - Add James Antill patch for xen - Many fixes for pegasus- Add unconfined_mount_t - Allow privoxy to connect to httpd_cache - fix cups labeleing on /var/cache/cups- Update to latest from upstream- Update to latest from upstream - Allow mono and unconfined to talk to initrc_t dbus objects- Change libraries.fc to stop shlib_t form overriding texrel_shlib_t- Fix samba creating dirs in homedir - Fix NFS so its booleans would work- Allow secadm_t ability to relabel all files - Allow ftp to search xferlog_t directories - Allow mysql to communicate with ldap - Allow rsync to bind to rsync_port_t- Fixed mailman with Postfix #183928 - Allowed semanage to create file_context files. - Allowed amanda_t to access inetd_t TCP sockets and allowed amanda_recover_t to bind to reserved ports. #149030 - Don't allow devpts_t to be associated with tmp_t. - Allow hald_t to stat all mountpoints. - Added boolean samba_share_nfs to allow smbd_t full access to NFS mounts. - Make mount run in mount_t domain from unconfined_t to prevent mislabeling of /etc/mtab. - Changed the file_contexts to not have a regex before the first ^/[a-z]/ whenever possible, makes restorecon slightly faster. - Correct the label of /etc/named.caching-nameserver.conf - Now label /usr/src/kernels/.+/lib(/.*)? as usr_t instead of /usr/src(/.*)?/lib(/.*)? - I don't think we need anything else under /usr/src hit by this. - Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed xenstored_t rw access to the xen device node.- More textrel_shlib_t file path fixes - Add ada support- Get auditctl working in MLS policy- Add mono dbus support - Lots of file_context fixes for textrel_shlib_t in FC5 - Turn off execmem auditallow since they are filling log files- Update to upstream- Allow automount and dbus to read cert files- Fix ftp policy - Fix secadm running of auditctl- Update to upstream- Update to upstream- Fix policyhelp- Fix pam_console handling of usb_device - dontaudit logwatch reading /mnt dir- Update to upstream- Get transition rules to create policy.20 at SystemHigh- Allow secadmin to shutdown system - Allow sendmail to exec newalias- MLS Fixes dmidecode needs mls_file_read_up - add ypxfr_t - run init needs access to nscd - udev needs setuid - another xen log file - Dontaudit mount getattr proc_kcore_t- fix buildroot usage (#185391)- Get rid of mount/fsdisk scan of /dev messages - Additional fixes for suspend/resume- Fake make to rebuild enableaudit.pp- Get xen networking running.- Fixes for Xen - enableaudit should not be the same as base.pp - Allow ps to work for all process- more xen policy fixups- more xen fixage (#184393)- Fix blkid specification - Allow postfix to execute mailman_que- Blkid changes - Allow udev access to usb_device_t - Fix post script to create targeted policy config file- Allow lvm tools to create drevice dir- Add Xen support- Fixes for cups - Make cryptosetup work with hal- Load Policy needs translock- Fix cups html interface- Add hal changes suggested by Jeremy - add policyhelp to point at policy html pages- Additional fixes for nvidia and cups- Update to upstream - Merged my latest fixes - Fix cups policy to handle unix domain sockets- NSCD socket is in nscd_var_run_t needs to be able to search dir- Fixes Apache interface file- Fixes for new version of cups- Turn off polyinstatiate util after FC5- Fix problem with privoxy talking to Tor- Turn on polyinstatiation- Don't transition from unconfined_t to fsadm_t- Fix policy update model.- Update to upstream- Fix load_policy to work on MLS - Fix cron_rw_system_pipes for postfix_postdrop_t - Allow audotmount to run showmount- Fix swapon - allow httpd_sys_script_t to be entered via a shell - Allow httpd_sys_script_t to read eventpolfs- Update from upstream- allow cron to read apache files- Fix vpnc policy to work from NetworkManager- Update to upstream - Fix semoudle polcy- Update to upstream - fix sysconfig/selinux link- Add router port for zebra - Add imaze port for spamd - Fixes for amanda and java- Fix bluetooth handling of usb devices - Fix spamd reading of ~/ - fix nvidia spec- Update to upsteam- Add users_extra files- Update to upstream- Add semodule policy- Update from upstream- Fix for spamd to use razor port- Fixes for mcs - Turn on mount and fsadm for unconfined_t- Fixes for the -devel package- Fix for spamd to use ldap- Update to upstream- Update to upstream - Fix rhgb, and other Xorg startups- Update to upstream- Separate out role of secadm for mls- Add inotifyfs handling- Update to upstream - Put back in changes for pup/zen- Many changes for MLS - Turn on strict policy- Update to upstream- Update to upstream - Fixes for booting and logging in on MLS machine- Update to upstream - Turn off execheap execstack for unconfined users - Add mono/wine policy to allow execheap and execstack for them - Add execheap for Xdm policy- Update to upstream - Fixes to fetchmail,- Update to upstream- Fix for procmail/spamassasin - Update to upstream - Add rules to allow rpcd to work with unlabeled_networks.- Update to upstream - Fix ftp Man page- Update to upstream- fix pup transitions (#177262) - fix xen disks (#177599)- Update to upstream- More Fixes for hal and readahead- Fixes for hal and readahead- Update to upstream - Apply- Add wine and fix hal problems- Handle new location of hal scripts- Allow su to read /etc/mtab- Update to upstream- Fix "libsemanage.parse_module_headers: Data did not represent a module." problem- Allow load_policy to read /etc/mtab- Fix dovecot to allow dovecot_auth to look at /tmp- Allow restorecon to read unlabeled_t directories in order to fix labeling.- Add Logwatch policy- Fix /dev/ub[a-z] file context- Fix library specification - Give kudzu execmem privs- Fix hostname in targeted policy- Fix passwd command on mls- Lots of fixes to make mls policy work- Add dri libs to textrel_shlib_t - Add system_r role for java - Add unconfined_exec_t for vncserver - Allow slapd to use kerberos- Add man pages- Add enableaudit.pp- Fix mls policy- Update mls file from old version- Add sids back in - Rebuild with update checkpolicy- Fixes to allow automount to use portmap - Fixes to start kernel in s0-s15:c0.c255- Add java unconfined/execmem policy- Add file context for /var/cvs - Dontaudit webalizer search of homedir- Update from upstream- Clean up spec - range_transition crond to SystemHigh- Fixes for hal - Update to upstream- Turn back on execmem since we need it for java, firefox, ooffice - Allow gpm to stream socket to itself- fix requirements to be on the actual packages so that policy can get created properly at install time- Allow unconfined_t to execmod texrel_shlib_t- Update to upstream - Turn off allow_execmem and allow_execmod booleans - Add tcpd and automount policies- Add two new httpd booleans, turned off by default * httpd_can_network_relay * httpd_can_network_connect_db- Add ghost for policy.20- Update to upstream - Turn off boolean allow_execstack- Change setrans-mls to use new libsetrans - Add default_context rule for xdm- Change Requires to PreReg for requiring of policycoreutils on install- New upstream releaseAdd xdm policyUpdate from upstreamUpdate from upstreamUpdate from upstream- Also trigger to rebuild policy for versions up to 2.0.7.- No longer installing policy.20 file, anaconda handles the building of the app.- Fixes for dovecot and saslauthd- Cleanup pegasus and named - Fix spec file - Fix up passwd changing applications-Update to latest from upstream- Add rules for pegasus and avahi- Start building MLS Policy- Update to upstream- Turn on bash- Initial version/bin/sh  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwx3.14.3-139.el8_10     macro-expanderdevelMakefileexample.fcexample.ifexample.tehtmlNetworkManager.htmlNetworkManager_priv_helper.htmlNetworkManager_ssh.htmlRocky Linux release 8.10 (Green Obsidian).htmlabrt.htmlabrt_dump_oops.htmlabrt_handle_event.htmlabrt_helper.htmlabrt_retrace_coredump.htmlabrt_retrace_worker.htmlabrt_upload_watch.htmlabrt_watch_log.htmlaccountsd.htmlacct.htmladmin_crontab.htmlafs.htmlafs_bosserver.htmlafs_fsserver.htmlafs_kaserver.htmlafs_ptserver.htmlafs_vlserver.htmlaiccu.htmlaide.htmlajaxterm.htmlajaxterm_ssh.htmlalsa.htmlamanda.htmlamanda_recover.htmlamtu.htmlanaconda.htmlanon_sftpd.htmlantivirus.htmlapcupsd.htmlapcupsd_cgi_script.htmlapm.htmlapmd.htmlarpwatch.htmlasterisk.htmlaudisp.htmlaudisp_remote.htmlauditadm.htmlauditadm_screen.htmlauditadm_su.htmlauditadm_sudo.htmlauditctl.htmlauditd.htmlauthconfig.htmlautomount.htmlavahi.htmlawstats.htmlawstats_script.htmlbacula.htmlbacula_admin.htmlbacula_unconfined_script.htmlbcfg2.htmlbitlbee.htmlblkmapd.htmlblktap.htmlblueman.htmlbluetooth.htmlbluetooth_helper.htmlboinc.htmlboinc_project.htmlboltd.htmlbootloader.htmlbrctl.htmlbrltty.htmlbugzilla_script.htmlbumblebee.htmlcachefiles_kernel.htmlcachefilesd.htmlcalamaris.htmlcallweaver.htmlcanna.htmlcardmgr.htmlccs.htmlcdcc.htmlcdrecord.htmlcertmaster.htmlcertmonger.htmlcertmonger_unconfined.htmlcertwatch.htmlcfengine_execd.htmlcfengine_monitord.htmlcfengine_serverd.htmlcgclear.htmlcgconfig.htmlcgdcbxd.htmlcgred.htmlcheckpc.htmlcheckpolicy.htmlchfn.htmlchkpwd.htmlchrome_sandbox.htmlchrome_sandbox_nacl.htmlchronyc.htmlchronyd.htmlchroot_user.htmlcinder_api.htmlcinder_backup.htmlcinder_scheduler.htmlcinder_volume.htmlciped.htmlclogd.htmlcloud_init.htmlcluster.htmlclvmd.htmlcmirrord.htmlcobblerd.htmlcockpit_session.htmlcockpit_ws.htmlcollectd.htmlcollectd_script.htmlcolord.htmlcomsat.htmlcondor_collector.htmlcondor_master.htmlcondor_negotiator.htmlcondor_procd.htmlcondor_schedd.htmlcondor_startd.htmlcondor_startd_ssh.htmlconman.htmlconman_unconfined_script.htmlconntrackd.htmlconsolekit.htmlcontainer.htmlcouchdb.htmlcourier_authdaemon.htmlcourier_pcp.htmlcourier_pop.htmlcourier_sqwebmail.htmlcourier_tcpd.htmlcpucontrol.htmlcpufreqselector.htmlcpuplug.htmlcpuspeed.htmlcrack.htmlcrond.htmlcronjob.htmlcrontab.htmlctdbd.htmlcups_pdf.htmlcupsd.htmlcupsd_config.htmlcupsd_lpd.htmlcvs.htmlcvs_script.htmlcyphesis.htmlcyrus.htmldbadm.htmldbadm_sudo.htmldbskkd.htmldcc_client.htmldcc_dbclean.htmldccd.htmldccifd.htmldccm.htmldcerpcd.htmlddclient.htmldeltacloudd.htmldenyhosts.htmldevicekit.htmldevicekit_disk.htmldevicekit_power.htmldhcpc.htmldhcpd.htmldictd.htmldirsrv.htmldirsrv_snmp.htmldirsrvadmin.htmldirsrvadmin_script.htmldirsrvadmin_unconfined_script.htmldisk_munin_plugin.htmldkim_milter.htmldlm_controld.htmldmesg.htmldmidecode.htmldnsmasq.htmldnssec_trigger.htmldovecot.htmldovecot_auth.htmldovecot_deliver.htmldrbd.htmldspam.htmldspam_script.htmlentropyd.htmleventlogd.htmlevtchnd.htmlexim.htmlfail2ban.htmlfail2ban_client.htmlfcoemon.htmlfenced.htmlfetchmail.htmlfingerd.htmlfirewalld.htmlfirewallgui.htmlfirstboot.htmlfoghorn.htmlfprintd.htmlfreeipmi_bmc_watchdog.htmlfreeipmi_ipmidetectd.htmlfreeipmi_ipmiseld.htmlfreqset.htmlfsadm.htmlfsdaemon.htmlftpd.htmlftpdctl.htmlfwupd.htmlgames.htmlgames_srv.htmlgconfd.htmlgconfdefaultsm.htmlgdomap.htmlgeoclue.htmlgetty.htmlgfs_controld.htmlgit_script.htmlgit_session.htmlgit_system.htmlgitosis.htmlglance_api.htmlglance_registry.htmlglance_scrubber.htmlgnomesystemmm.htmlgpg.htmlgpg_agent.htmlgpg_helper.htmlgpg_pinentry.htmlgpg_web.htmlgpm.htmlgpsd.htmlgreylist_milter.htmlgroupadd.htmlgroupd.htmlgssd.htmlgssproxy.htmlguest.htmlhaproxy.htmlhddtemp.htmlhostapd.htmlhostname.htmlhsqldb.htmlhttpd.htmlhttpd_helper.htmlhttpd_passwd.htmlhttpd_php.htmlhttpd_rotatelogs.htmlhttpd_suexec.htmlhttpd_sys_script.htmlhttpd_unconfined_script.htmlhttpd_user_script.htmlhwclock.htmlhwloc_dhwd.htmlhypervkvp.htmlhypervvssd.htmlibacm.htmliceauth.htmlicecast.htmlifconfig.htmlinetd.htmlinetd_child.htmlinit.htmlinitrc.htmlinnd.htmlinsights_client.htmlinstall.htmliodined.htmliotop.htmlipmievd.htmlipmievd_helper.htmlipsec.htmlipsec_mgmt.htmliptables.htmlirc.htmlirqbalance.htmlirssi.htmliscsid.htmlisnsd.htmliwhd.htmljabberd.htmljabberd_router.htmljetty.htmljockey.htmljournalctl.htmlkadmind.htmlkdump.htmlkdumpctl.htmlkdumpgui.htmlkeepalived.htmlkeepalived_unconfined_script.htmlkernel.htmlkeyboardd.htmlkeystone.htmlkeystone_cgi_script.htmlkismet.htmlklogd.htmlkmod.htmlkmscon.htmlkpatch.htmlkpropd.htmlkrb5kdc.htmlksmtuned.htmlktalkd.htmll2tpd.htmlldconfig.htmllircd.htmllivecd.htmllldpad.htmlload_policy.htmlloadkeys.htmllocal_login.htmllocate.htmllockdev.htmllogadm.htmllogrotate.htmllogrotate_mail.htmllogwatch.htmllogwatch_mail.htmllpd.htmllpr.htmllsassd.htmllsmd.htmllsmd_plugin.htmllttng_sessiond.htmllvm.htmllwiod.htmllwregd.htmllwsmd.htmlmail_munin_plugin.htmlmailman_cgi.htmlmailman_mail.htmlmailman_queue.htmlman2html_script.htmlmandb.htmlmcelog.htmlmdadm.htmlmediawiki_script.htmlmemcached.htmlmencoder.htmlminidlna.htmlminissdpd.htmlmip6d.htmlmirrormanager.htmlmock.htmlmock_build.htmlmodemmanager.htmlmojomojo_script.htmlmon_procd.htmlmon_statd.htmlmongod.htmlmotion.htmlmount.htmlmount_ecryptfs.htmlmozilla.htmlmozilla_plugin.htmlmozilla_plugin_config.htmlmpd.htmlmplayer.htmlmrtg.htmlmscan.htmlmunin.htmlmunin_script.htmlmysqld.htmlmysqld_safe.htmlmysqlmanagerd.htmlmythtv_script.htmlnaemon.htmlnagios.htmlnagios_admin_plugin.htmlnagios_checkdisk_plugin.htmlnagios_eventhandler_plugin.htmlnagios_mail_plugin.htmlnagios_openshift_plugin.htmlnagios_script.htmlnagios_services_plugin.htmlnagios_system_plugin.htmlnagios_unconfined_plugin.htmlnamed.htmlnamespace_init.htmlncftool.htmlndc.htmlnetlabel_mgmt.htmlnetlogond.htmlnetutils.htmlneutron.htmlnewrole.htmlnfsd.htmlninfod.htmlnmbd.htmlnova.htmlnrpe.htmlnscd.htmlnsd.htmlnsd_crond.htmlnslcd.htmlntop.htmlntpd.htmlnumad.htmlnut_upsd.htmlnut_upsdrvctl.htmlnut_upsmon.htmlnutups_cgi_script.htmlnx_server.htmlnx_server_ssh.htmlobex.htmloddjob.htmloddjob_mkhomedir.htmlopafm.htmlopenct.htmlopendnssec.htmlopenfortivpn.htmlopenhpid.htmlopenshift.htmlopenshift_app.htmlopenshift_cgroup_read.htmlopenshift_cron.htmlopenshift_initrc.htmlopenshift_net_read.htmlopenshift_script.htmlopensm.htmlopenvpn.htmlopenvpn_unconfined_script.htmlopenvswitch.htmlopenwsman.htmloracleasm.htmlosad.htmlpads.htmlpam_console.htmlpam_timestamp.htmlpassenger.htmlpasswd.htmlpcp_plugin.htmlpcp_pmcd.htmlpcp_pmie.htmlpcp_pmlogger.htmlpcp_pmmgr.htmlpcp_pmproxy.htmlpcp_pmwebd.htmlpcscd.htmlpdns.htmlpdns_control.htmlpegasus.htmlpegasus_openlmi_account.htmlpegasus_openlmi_admin.htmlpegasus_openlmi_logicalfile.htmlpegasus_openlmi_services.htmlpegasus_openlmi_storage.htmlpegasus_openlmi_system.htmlpegasus_openlmi_unconfined.htmlpesign.htmlphc2sys.htmlping.htmlpingd.htmlpiranha_fos.htmlpiranha_lvs.htmlpiranha_pulse.htmlpiranha_web.htmlpkcs11proxyd.htmlpkcs_slotd.htmlpki_ra.htmlpki_tomcat.htmlpki_tomcat_script.htmlpki_tps.htmlplymouth.htmlplymouthd.htmlpodsleuth.htmlpolicykit.htmlpolicykit_auth.htmlpolicykit_grant.htmlpolicykit_resolve.htmlpolipo.htmlpolipo_session.htmlportmap.htmlportmap_helper.htmlportreserve.htmlpostfix_bounce.htmlpostfix_cleanup.htmlpostfix_local.htmlpostfix_map.htmlpostfix_master.htmlpostfix_pickup.htmlpostfix_pipe.htmlpostfix_postdrop.htmlpostfix_postqueue.htmlpostfix_qmgr.htmlpostfix_showq.htmlpostfix_smtp.htmlpostfix_smtpd.htmlpostfix_virtual.htmlpostgresql.htmlpostgrey.htmlpppd.htmlpptp.htmlprelink.htmlprelink_cron_system.htmlprelude.htmlprelude_audisp.htmlprelude_correlator.htmlprelude_lml.htmlpreupgrade.htmlprewikka_script.htmlprivoxy.htmlprocmail.htmlprosody.htmlpsad.htmlptal.htmlptchown.htmlptp4l.htmlpublicfile.htmlpulseaudio.htmlpuppetagent.htmlpuppetca.htmlpuppetmaster.htmlpwauth.htmlpyicqt.htmlqdiskd.htmlqemu_dm.htmlqmail_clean.htmlqmail_inject.htmlqmail_local.htmlqmail_lspawn.htmlqmail_queue.htmlqmail_remote.htmlqmail_rspawn.htmlqmail_send.htmlqmail_smtpd.htmlqmail_splogger.htmlqmail_start.htmlqmail_tcp_env.htmlqpidd.htmlquota.htmlquota_nld.htmlrabbitmq.htmlracoon.htmlradiusd.htmlradvd.htmlrasdaemon.htmlrdisc.htmlreadahead.htmlrealmd.htmlrealmd_consolehelper.htmlredis.htmlregex_milter.htmlremote_login.htmlrestorecond.htmlrhev_agentd.htmlrhev_agentd_consolehelper.htmlrhgb.htmlrhnsd.htmlrhsmcertd.htmlricci.htmlricci_modcluster.htmlricci_modclusterd.htmlricci_modlog.htmlricci_modrpm.htmlricci_modservice.htmlricci_modstorage.htmlrkt.htmlrlogind.htmlrngd.htmlrolekit.htmlroundup.htmlrpcbind.htmlrpcd.htmlrpm.htmlrpm_script.htmlrrdcached.htmlrshd.htmlrssh.htmlrssh_chroot_helper.htmlrsync.htmlrtas_errd.htmlrtkit_daemon.htmlrun_init.htmlrwho.htmlsamba_net.htmlsamba_unconfined_net.htmlsamba_unconfined_script.htmlsambagui.htmlsandbox.htmlsandbox_min.htmlsandbox_min_client.htmlsandbox_net.htmlsandbox_net_client.htmlsandbox_web.htmlsandbox_web_client.htmlsandbox_x.htmlsandbox_x_client.htmlsandbox_xserver.htmlsanlk_resetd.htmlsanlock.htmlsaslauthd.htmlsbd.htmlsblim_gatherd.htmlsblim_reposd.htmlsblim_sfcbd.htmlsecadm.htmlsecadm_screen.htmlsecadm_su.htmlsecadm_sudo.htmlsectoolm.htmlselinux_munin_plugin.htmlsemanage.htmlsendmail.htmlsensord.htmlsepgsql_ranged_proc.htmlsepgsql_trusted_proc.htmlservices_munin_plugin.htmlsetfiles.htmlsetfiles_mac.htmlsetkey.htmlsetrans.htmlsetroubleshoot_fixit.htmlsetroubleshootd.htmlsetsebool.htmlsftpd.htmlsge_execd.htmlsge_job.htmlsge_job_ssh.htmlsge_shepherd.htmlshorewall.htmlshowmount.htmlslapd.htmlslpd.htmlsmbcontrol.htmlsmbd.htmlsmbmount.htmlsmokeping.htmlsmokeping_cgi_script.htmlsmoltclient.htmlsmsd.htmlsnapperd.htmlsnmpd.htmlsnort.htmlsosreport.htmlsoundd.htmlspamass_milter.htmlspamc.htmlspamd.htmlspamd_update.htmlspeech_dispatcher.htmlsquid.htmlsquid_cron.htmlsquid_script.htmlsrvsvcd.htmlssh.htmlssh_keygen.htmlssh_keysign.htmlsshd.htmlsshd_keygen.htmlsshd_net.htmlsshd_sandbox.htmlsslh.htmlsssd.htmlsssd_selinux_manager.htmlstaff.htmlstaff_consolehelper.htmlstaff_dbusd.htmlstaff_gkeyringd.htmlstaff_screen.htmlstaff_seunshare.htmlstaff_ssh_agent.htmlstaff_sudo.htmlstaff_wine.htmlstapserver.htmlstratisd.htmlstunnel.htmlstyle.csssulogin.htmlsvc_multilog.htmlsvc_run.htmlsvc_start.htmlsvirt.htmlsvirt_kvm_net.htmlsvirt_qemu_net.htmlsvirt_socket.htmlsvirt_tcg.htmlsvnserve.htmlswat.htmlswift.htmlsysadm.htmlsysadm_dbusd.htmlsysadm_gkeyringd.htmlsysadm_passwd.htmlsysadm_screen.htmlsysadm_seunshare.htmlsysadm_ssh_agent.htmlsysadm_su.htmlsysadm_sudo.htmlsyslogd.htmlsyslogd_unconfined_script.htmlsysstat.htmlsystem_cronjob.htmlsystem_dbusd.htmlsystem_mail.htmlsystem_munin_plugin.htmlsystemd_bootchart.htmlsystemd_coredump.htmlsystemd_gpt_generator.htmlsystemd_hostnamed.htmlsystemd_hwdb.htmlsystemd_importd.htmlsystemd_initctl.htmlsystemd_journal_upload.htmlsystemd_localed.htmlsystemd_logger.htmlsystemd_logind.htmlsystemd_machined.htmlsystemd_modules_load.htmlsystemd_networkd.htmlsystemd_notify.htmlsystemd_passwd_agent.htmlsystemd_resolved.htmlsystemd_rfkill.htmlsystemd_sleep.htmlsystemd_socket_proxyd.htmlsystemd_sysctl.htmlsystemd_timedated.htmlsystemd_tmpfiles.htmltangd.htmltargetd.htmltcpd.htmltcsd.htmltelepathy_gabble.htmltelepathy_idle.htmltelepathy_logger.htmltelepathy_mission_control.htmltelepathy_msn.htmltelepathy_salut.htmltelepathy_sofiasip.htmltelepathy_stream_engine.htmltelepathy_sunshine.htmltelnetd.htmltftpd.htmltgtd.htmlthin.htmlthin_aeolus_configserver.htmlthumb.htmltimedatex.htmltimemaster.htmltlp.htmltmpreaper.htmltomcat.htmltor.htmltraceroute.htmltuned.htmltvtime.htmludev.htmlulogd.htmluml.htmluml_switch.htmlunconfined.htmlunconfined_cronjob.htmlunconfined_dbusd.htmlunconfined_mount.htmlunconfined_munin_plugin.htmlunconfined_sendmail.htmlunconfined_service.htmlupdfstab.htmlupdpwd.htmlusbmodules.htmlusbmuxd.htmluser.htmluser_dbusd.htmluser_gkeyringd.htmluser_mail.htmluser_screen.htmluser_seunshare.htmluser_ssh_agent.htmluser_wine.htmluseradd.htmlusernetctl.htmlutempter.htmluucpd.htmluuidd.htmluux.htmlvarnishd.htmlvarnishlog.htmlvdagent.htmlvhostmd.htmlvirsh.htmlvirsh_ssh.htmlvirt_bridgehelper.htmlvirt_qemu_ga.htmlvirt_qemu_ga_unconfined.htmlvirt_qmf.htmlvirtd.htmlvirtd_lxc.htmlvirtlogd.htmlvlock.htmlvmtools.htmlvmtools_helper.htmlvmtools_unconfined.htmlvmware.htmlvmware_host.htmlvnstat.htmlvnstatd.htmlvpnc.htmlw3c_validator_script.htmlwatchdog.htmlwatchdog_unconfined.htmlwdmd.htmlwebadm.htmlwebalizer.htmlwebalizer_script.htmlwinbind.htmlwinbind_helper.htmlwinbind_rpcd.htmlwine.htmlwireshark.htmlwpa_cli.htmlxauth.htmlxdm.htmlxdm_unconfined.htmlxenconsoled.htmlxend.htmlxenstored.htmlxguest.htmlxguest_dbusd.htmlxguest_gkeyringd.htmlxserver.htmlypbind.htmlyppasswdd.htmlypserv.htmlypxfr.htmlzabbix.htmlzabbix_agent.htmlzabbix_script.htmlzarafa_deliver.htmlzarafa_gateway.htmlzarafa_ical.htmlzarafa_indexer.htmlzarafa_monitor.htmlzarafa_server.htmlzarafa_spooler.htmlzebra.htmlzoneminder.htmlzoneminder_script.htmlzos_remote.htmlincludeMakefileadminadmin.xmlbootloader.ifconsoletype.ifdmesg.ifnetutils.ifsu.ifsudo.ifusermanage.ifappsapps.xmlseunshare.ifbuild.confcontribcontrib.xmlabrt.ifaccountsd.ifacct.ifada.ifafs.ifaiccu.ifaide.ifaisexec.ifajaxterm.ifalsa.ifamanda.ifamavis.ifamtu.ifanaconda.ifantivirus.ifapache.ifapcupsd.ifapm.ifapt.ifarpwatch.ifasterisk.ifauthbind.ifauthconfig.ifautomount.ifavahi.ifawstats.ifbackup.ifbacula.ifbcfg2.ifbind.ifbird.ifbitlbee.ifblkmapd.ifblueman.ifbluetooth.ifboinc.ifboltd.ifbrctl.ifbrltty.ifbugzilla.ifbumblebee.ifcachefilesd.ifcalamaris.ifcallweaver.ifcanna.ifccs.ifcdrecord.ifcertmaster.ifcertmonger.ifcertwatch.ifcfengine.ifcgdcbxd.ifcgroup.ifchrome.ifchronyd.ifcinder.ifcipe.ifclamav.ifclockspeed.ifclogd.ifcloudform.ifcmirrord.ifcobbler.ifcockpit.ifcollectd.ifcolord.ifcomsat.ifcondor.ifconman.ifconntrackd.ifconsolekit.ifcorosync.ifcouchdb.ifcourier.ifcpucontrol.ifcpufreqselector.ifcpuplug.ifcron.ifctdb.ifcups.ifcvs.ifcyphesis.ifcyrus.ifdaemontools.ifdante.ifdbadm.ifdbskk.ifdbus.ifdcc.ifddclient.ifddcprobe.ifdenyhosts.ifdevicekit.ifdhcp.ifdictd.ifdirmngr.ifdirsrv-admin.ifdirsrv.ifdistcc.ifdjbdns.ifdkim.ifdmidecode.ifdnsmasq.ifdnssec.ifdnssectrigger.ifdovecot.ifdpkg.ifdrbd.ifdspam.ifentropyd.ifetcd.ifevolution.ifexim.iffail2ban.iffcoe.iffetchmail.iffinger.iffirewalld.iffirewallgui.iffirstboot.iffprintd.iffreeipmi.iffreqset.ifftp.iffwupd.ifgames.ifgatekeeper.ifgdomap.ifgear.ifgeoclue.ifgift.ifgit.ifgitosis.ifglance.ifglusterd.ifgnome.ifgnomeclock.ifgpg.ifgpm.ifgpsd.ifgssproxy.ifguest.ifhadoop.ifhal.ifhddtemp.ifhostapd.ifhowl.ifhsqldb.ifhwloc.ifhypervkvp.ifi18n_input.ifibacm.ificecast.ififplugd.ifimaze.ifinetd.ifinn.ifinsights_client.ifiodine.ifiotop.ifipa.ifipmievd.ifirc.ifircd.ifirqbalance.ifiscsi.ifisns.ifjabber.ifjava.ifjetty.ifjockey.ifjournalctl.ifkde.ifkdump.ifkdumpgui.ifkeepalived.ifkerberos.ifkerneloops.ifkeyboardd.ifkeystone.ifkismet.ifkmscon.ifkpatch.ifksmtuned.ifktalk.ifkubernetes.ifkudzu.ifl2tp.ifldap.iflightsquid.iflikewise.iflinuxptp.iflircd.iflivecd.iflldpad.ifloadkeys.iflockdev.iflogrotate.iflogwatch.iflpd.iflsm.iflttng-tools.ifmailman.ifmailscanner.ifman2html.ifmandb.ifmcelog.ifmcollective.ifmediawiki.ifmemcached.ifmilter.ifminidlna.ifminissdpd.ifmip6d.ifmirrormanager.ifmock.ifmodemmanager.ifmojomojo.ifmon_statd.ifmongodb.ifmono.ifmonop.ifmotion.ifmozilla.ifmpd.ifmplayer.ifmrtg.ifmta.ifmunin.ifmysql.ifmythtv.ifnaemon.ifnagios.ifnamespace.ifncftool.ifnessus.ifnetworkmanager.ifninfod.ifnis.ifnova.ifnscd.ifnsd.ifnslcd.ifnsplugin.ifntop.ifntp.ifnumad.ifnut.ifnx.ifoav.ifobex.ifoddjob.ifoident.ifopafm.ifopenca.ifopenct.ifopendnssec.ifopenfortivpn.ifopenhpi.ifopenhpid.ifopenshift-origin.ifopenshift.ifopensm.ifopenvpn.ifopenvswitch.ifopenwsman.iforacleasm.ifosad.ifpacemaker.ifpads.ifpassenger.ifpcmcia.ifpcp.ifpcscd.ifpdns.ifpegasus.ifperdition.ifpesign.ifpingd.ifpiranha.ifpkcs.ifpkcs11proxyd.ifpki.ifplymouthd.ifpodsleuth.ifpolicykit.ifpolipo.ifportage.ifportmap.ifportreserve.ifportslave.ifpostfix.ifpostfixpolicyd.ifpostgrey.ifppp.ifprelink.ifprelude.ifprivoxy.ifprocmail.ifprosody.ifpsad.ifptchown.ifpublicfile.ifpulseaudio.ifpuppet.ifpwauth.ifpxe.ifpyzor.ifqemu.ifqmail.ifqpid.ifquantum.ifquota.ifrabbitmq.ifradius.ifradvd.ifraid.ifrasdaemon.ifrazor.ifrdisc.ifreadahead.ifrealmd.ifredis.ifremotelogin.ifresmgr.ifrgmanager.ifrhcs.ifrhev.ifrhgb.ifrhnsd.ifrhsmcertd.ifricci.ifrkhunter.ifrkt.ifrlogin.ifrngd.ifrolekit.ifroundup.ifrpc.ifrpcbind.ifrpm.ifrrdcached.ifrshd.ifrssh.ifrsync.ifrtas.ifrtkit.ifrwho.ifsamba.ifsambagui.ifsamhain.ifsandbox.ifsandboxX.ifsanlock.ifsasl.ifsbd.ifsblim.ifscreen.ifsectoolm.ifsendmail.ifsensord.ifsetroubleshoot.ifsge.ifshorewall.ifshutdown.ifslocate.ifslpd.ifslrnpull.ifsmartmon.ifsmokeping.ifsmoltclient.ifsmsd.ifsmstools.ifsnapper.ifsnmp.ifsnort.ifsosreport.ifsoundserver.ifspamassassin.ifspeech-dispatcher.ifspeedtouch.ifsquid.ifsslh.ifsssd.ifstapserver.ifstratisd.ifstunnel.ifsvnserve.ifswift.ifswift_alias.ifsxid.ifsysstat.iftangd.iftargetd.iftcpd.iftcsd.iftelepathy.iftelnet.iftftp.iftgtd.ifthin.ifthumb.ifthunderbird.iftimedatex.iftimidity.iftlp.iftmpreaper.iftomcat.iftor.iftransproxy.iftripwire.iftuned.iftvtime.iftzdata.ifucspitcp.ifudisks2.ifulogd.ifuml.ifupdfstab.ifuptime.ifusbmodules.ifusbmuxd.ifuserhelper.ifusernetctl.ifuucp.ifuuidd.ifuwimap.ifvarnishd.ifvbetool.ifvdagent.ifvhostmd.ifvirt.ifvlock.ifvmtools.ifvmware.ifvnstatd.ifvpn.ifw3c.ifwatchdog.ifwdmd.ifwebadm.ifwebalizer.ifwine.ifwireshark.ifwm.ifxen.ifxfs.ifxguest.ifxprint.ifxscreensaver.ifyam.ifzabbix.ifzarafa.ifzebra.ifzoneminder.ifzosremote.ifglobal_booleans.xmlglobal_tunables.xmlkernelkernel.xmlcorecommands.ifcorenetwork.ifdevices.ifdomain.iffiles.iffilesystem.ifkernel.ifmcs.ifmls.ifselinux.ifstorage.ifterminal.ifubac.ifunlabelednet.ifrolesroles.xmlauditadm.iflogadm.ifsecadm.ifstaff.ifsysadm.ifsysadm_secadm.ifunconfineduser.ifunprivuser.ifservicesservices.xmlpostgresql.ifssh.ifxserver.ifsupportall_perms.sptdivert.m4file_patterns.sptipc_patterns.sptloadable_module.sptmisc_macros.sptmisc_patterns.sptmls_mcs_macros.sptobj_perm_sets.sptpolicy.dtdsegenxml.pyundivert.m4systemsystem.xmlapplication.ifauthlogin.ifclock.iffstools.ifgetty.ifhostname.ifhotplug.ifinit.ifipsec.ifiptables.ifkdbus.iflibraries.iflocallogin.iflogging.iflvm.ifmiscfiles.ifmodutils.ifmount.ifnetlabel.ifselinuxutil.ifsetrans.ifsysnetwork.ifsystemd.ifudev.ifunconfined.ifuserdomain.ifpolicy.dtdpolicy.xmlinterface_info/usr/bin//usr/share/selinux//usr/share/selinux/devel//usr/share/selinux/devel/html//usr/share/selinux/devel/include//usr/share/selinux/devel/include/admin//usr/share/selinux/devel/include/apps//usr/share/selinux/devel/include/contrib//usr/share/selinux/devel/include/kernel//usr/share/selinux/devel/include/roles//usr/share/selinux/devel/include/services//usr/share/selinux/devel/include/support//usr/share/selinux/devel/include/system//var/lib/sepolgen/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=x86-64 -mtune=generic -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protectioncpioxz2noarch-redhat-linux-gnu  Bourne-Again shell script, ASCII text executable, with very long linesdirectoryASCII textSE Linux policy interface sourceSE Linux policy module sourceHTML document, ASCII textASCII text, with very long linesASCII text, with no line terminatorsC source, ASCII textPython script, ASCII text executableXML 1.0 document, ASCII textcannot open `/builddir/build/BUILDROOT/selinux-policy-3.14.3-139.el8_10.noarch/var/lib/sepolgen/interface_info' (No such file or directory)utf-8cce24930dd79849e37fc7d4d12e48e84147bbc4ce1255a9a82094cc3215e04b5?P7zXZ !#,C] b2u Q{LY)d=]±5G}BkoG ;0t\T*tEGEsAlof߫FT)?姹IXi E4g;Ϭ ?t^ Į6 8@н80]LyuLKYW؁%,&kMb  !7Om2~p(c*0Q&XQ45r]QbݤZdV̆!@w9B:2w Za^Faي=@wL"Ntΰhe\<|2ݵ#I~EBKd"9`g&=cWe{zɿXMI q~Eb}zHJJG:8k@\÷}B\ղIӪ`eƩ2J .;pPw `-qUIW,X`ǚYc̃L~<,%rLyUD"59Qheoˮ_ckIhߓlZ=gR~)U*exe0*ec|ޝ΋<m@Ғ<”ҤO)s/]V]!_k~d?(Q=鳱hES !Z-]2Y6|{<Ԏ"t=/6KSe\\NjC1UUFDu//#jVs-'Sy&(-1! z 3PjsFbUHi`lݦCAt-FHj&JSC}0"LOVS,"۱ "|'&3`.y-Ֆ-YH9K;LZdBn%蕘BPLq{ir]s[=%^oI`#+%XȻca%ӕZU y쟊U -|K0`BaN4R;tg9EfC8J,ApAg3#HuzOl$0oK$kp""6 hζA\EgӘ˚PYu5]jͧ=ݑ5Kx[,{y ѧ&(+/TA}Sfa+3 APޘg꟟ANs**%N&E9D 7%c,L!d冾$f$.7 P2RQ`F3('"dŝN28kن2#B#P lU *עq5m.bbImBšsTYqqHW9LrO=m+r,?Âwm 5pуVѐ`2HUmX?,\|]p⡉^3)P{˫C+ilʺI`|XzjC6xVp`] x%>.+3R{S0e D =IBOٲn`ʽyT/ZLͺ N cMX:_F%R7pLzWvEB{h@gU|{J6I#=es~Y37;0o7Ov}Ng%NW ށ"f՜N0 >^tۅA) )@@I@ Tf2z?`D_ʱ$N|HC2ZAKw\:s']BʊIے@iɶwERO e]1fZ 5рx1 xw<[a:G>!1]٢ui+2f3B)E"mW/(!"{Y<Q\w.*RM34b["@.t{0NkM0yD3<Wi~Z=j!-@LB@xs+I!C},G&5#bS&tu&EV}#wқ~rJfLUr#*)煎 ~nP܆Oq}#vR[Lt<0Vڤ/ y#0VN- ē85Puf<嵃0n.vYطմ֔q`q[" \kהּ߀7wyԩ9Y6X6C?$ՁTdPټU3վ<oBIQl[Rvv)-ݠ׸C,]nW)(DG_%an3'EK0wz#it]C^!_J%#tzw`T-r*U94׍y(ɶwX5/4ii@yBPTX,v4,].4͐vF 긱6i٪>@V<jcCI~RУcaB\gKG+XlBGn 2`3Z~cxݓv']h?^,6]ךl8 {&/6MTt$SО>]?W*iIi,0GXM3G\ڦdjr *8^Yk˝ M7pYRQb'{29g[\fyy,Zp etpf,4^c3hu+Xet?Ym߷?R:jh;ΝDcZO$vR1iIP Pj2l8ʪm=#%aM2'8z1͘D҄^,}vÙr1ALu2#+gM Pݿ/bRڞ;:)4"(esjBQr|6VώYhj:6o~MA1w8WYd2/Vtףzwe律֪ٖ𦖭u<} \=zGۍq.OPQMJPR#}9I7tH^F^<Xe5 =(xnv(^΅տ\kb/d"r3NLPd[v< F3ΐ@%g VarM5ڐsi UCpvm{X?wS=[7eej(mL@0_UiW p23$B) Q¦m ]2%;NH%IXqjf:ٵ.˰pBǧOd2qEƣxjI֡j5qEIbSՅzٓYV 費}sM4Ḿ uT.Lf |,4%Eڊށ]3* = IGeG[~9@`/d٤4kw\ $;_ -{/HrL ЬWlɸO_j64*&PiكDD1q7+(B:Rx,4BIİ"<6oa I4p iu*t2lj!'L!HGU`;8N8; #?Zz}!`9^fjoS;^MR%_|B)2IXFG[;iEGe'Yag1br],dގ?=ɣkꆯ"]\m]SB7m>/:BmK%zj[c[Ew-axi?e?.ǽB[:GFfDgoѩZD+":d5ib4\cx%LՎ0 6nF3X6w܊$#Q%@b &&xI$6-:t8L7 Q ~\jB¢xL%eXiTXê/e.ʰ(D/s`؎v=M2?.-8%{L d9kgv*=x()O_W:YqQ @ )\=nY<[4ĈLc(E iOUI-SERLT ZL+jQ4$2edLWWKhŕ|*dn]Č֍y !>>?+O5mM N-/GA_g "68gkHzG;Qv7,(_Jxe6|q†Wlج )BĐT+}j%T1K6~6L 3Rrtߣba4 %/Kh1uaH\(aȖ+\- >0_\|p4 rfT$b^d`5#ɵgP-rP5 އF/ a/fu!\)s" ;N(!Bhg"pn"xYCr};b*A&2Yl_0O*/a97*\'q:#sy3t2y,K S膣A36$ⲩ~-o|GΡUrMj P:ծa(L}r;"kNAG pl6*zASj VzM$4V/2Jf+>Eh=Cbn.ít-% zZyWE R za8 Щq>l>|Ic{+( ŏ&^#d=F3$!BS.`fn.Xh+ p5ۺ/V^66R;R2AN⺌R%UÙ1Ͼ G"a 3tC]qN%( _Z9zk1㨌bWFa]h$g|s@y"/DnkqtE3LzCiy'rמ k + 7ЅJ+/(rm1Qh7Xq#q+-+qX@iC" Tn~pd$#`glcكt({ 9@zjo*#$kY63sT/3u0u/,< $ =`zA e1Zƒ-FY-ZQ`@њq,^F)c ,sT*ӍcE[޳;yrzaNx+=B}bJl Uȅ~eiqh) P vo6!H<7_qljH =`%֖֥`nZ~Km7DN!,/J7=i;a}8"8*O%:\U~^R<{1΅<6rsM(b~h"wfтٺU9%\emÌ64 K*hshjƟN- ⒏_Qӈ?]/,Y+_!qjpiV%󻦉?,g_oN3 AJs^.R6&%HP zͧGw2upxncN#MB2JB,|}+I yEl9r5 o K r'E[TY;CĥP(#p=9| h|t4W =DpUX]e$toK2:~&bFwN$;0wwg;=÷FdJ*VRAjs._@4S/p^^ʅ5$M4Z dwɐnZr#JlmnQ_o&}j| 2YEl}WD6_)ZnS%UؕteR϶S uݎY$*e8B  ( O"q_+&VCv,j9ߏY] <јp( 56O#j0UQ?QJnS΍Cک rRDd%ٓ&xZ_f݉p 9B1۰Vo\T|5pͤ=.Te6dJmP&cGǍNW8Dk1<7ay+\r5ԴcUcj[o'*qrWީ-fWIVkA{,4BwPG i2Pk+~7o $^<)$C鏮-tCmk8n8iɻ.Ty̪vƟFѭ=T~tXQ][ݤ[l grԎe"fB|;7#;c B_SqAE &׷{&| ;D#e׍k:fK'zƓ׳hX܎8^FO6: WA5Q7^j.84{xϷwȎ@K YhSC8옶-V-G-f8DE~)do(PDcYH]cLJ喔ptlͦ|?y%Gm<1XScL,P,vĿWpv*漄?l>`Wzȳ đm+90vϐMp'n,(//1>a n- OqX.sՈ ~ONw|\s^:Y!kޕtn>CL^$xb80M9 Yj̗1qT!DOk+3{cXP诘 ,%V }}bu`9yF5r̼_/ƀPkBU@蚿wC("n{CCQZ\*"9 )sy>-ǚ[Z`o4RNnKT~lrR1߮S*  /f@SYUj._G<.Ӥph9.:r.Z̎v|]1Z̓IG #ujGe-5'$F{Q>QĀ49S 5!N⒚,Bu_He-ӳ&e&ʬ|h6c r$Gp2-}#H O6yP. q=`#Ƞ ⧃<<QbA 6F|WΡ:H tفDSNŸL:x"09Q34x4ڗ]"$"o"7tQU%"1ZO~AEI"5TæҒ}KɨAHN^w.08I-Ggt6-ҷe:W Oh{J:@($gm>M^xdhy *2K\j^Agl%# [nt>+Hq*2P'Fs m )Ϙ0,r52y< Žӹ!GUn).'Aqgyk 95ϔH>y뿸0i}=[r7vS$ٝ5Uw'>f]Rc akCIqR00Ӆ"Ħ5+yT`cā-8LqQ,?}{*$LIu>a.Eap"% 040~k^Vjbܽ) CeY|Z^}0xe%MIndQVDv/gDJFb)hNQU)GkN`O|ْ- f6kPX-w)-_%o8,pBLv r7e1r̅ibH:tٌ]`SΈ N x3A@*B=S 1!ࢯfc5L`D|F21hѥɋ۹7ִp)G[si DՄ?!MRMG"}EgP6.ݡ VQ~b6hXm @[mXBvXo8 $Il|!ZR*|}K0J[Q7h)|Bߦ_!?.&Ӷi\B߹-x3R71{-ۯ\nx_3L/A#T ,kgTpq߅FR qA6&7-"tiMuyczDaju]U]ԑŎ g2\гeXMEfI 7 HQ`h# kPٞr$N%8/ ^S7RQ>8kf+_80W4{GOx&J5k}t Nmd:V"׎ `촉 M_!˭PS pĞI tmnZy;L#Mw푐|ܒȨ77}A~jS@cߒ/C y6@I u*>ޏU{BB:p:*D =z|ïa]BlpYqnCc,%k@X 9a9|<5.IsNIn.>%vÜ`oiJPC Svm˾Kʐ]Lҗ68F1+ĩqd>J]@? >t`"~31Vtu (>x~NХ$%$9uĆ^g;oT}=:"'-&sN=*=&Ye!IP6K=lj\zʆiU$٪q=s0\ [G/驕ߕ@>}hP&D"-t$K[*$< m=?gTոy7 D0 Yg=/kŦ6VW@F- 3jltAj[ӌ5pQ ,߸cw:"< !Xݾ% 7plDgσXFJ~^.B2KEĒ2-c(JaD녰VپDC6G(NrSH(}Ț!ڦ0fN /e5$hYR:hwK>s,SM*Տ"1@.N,!цH6]qCRf:(tHaa+#aOa˟!λ.Nj/kE9=r1nHW(*,uKYu yX07Hl76Wt!2;vsѿ庤j0*G*i-T8c~;~4͎Б3CPBRiXPwl6 &j}q|;^B*ݡtR*-0YW޹1}rE9a늊 # Fzƙ`{,IV'+IgFJv汌 -1߁lQȧ?V!!h}yv(C8Y} jJ\1#Mx%|B|g-ەa|z~"+>DOY< c(Z&;=#7 y,WP$RD-A-L5qO!gƾA!.;RSycth7% ( n ϶D bb3?Yk,t9u֯V up~oTv3'_#NY^!2W!(ׁKCP򻜘gTUĢE_#EeNwN863^l:n ~4u&  *Sssx hVRgz.39Ֆ#?FH9^~P}=I &a1px(7p:5pcGU[jG%6HNd®jw!u)A^o u_[>=(M4_wW$u|a% !U߈ppP]j03 ;%e_%*%Bjв /*Z5^I7fh p4⣲KB'c^_A˸x*QQ$w[rb㓼l, +|ȟ舯="5XY?pK}Q/mjZbfnOzTQ):kxͦӮ,{܏Rd<[zv4)BZ @ 5cs qcHúAole Œ,abM5is"Jydjld=F ayc{6pci, .vmsnbP頩,bx{ꓖ??gW {NDbdbw_ +d"AH({'o;84.OF?Š| 5Q&Xѧשp,~W&_9I RzH>M[_wਜr^?1',Sgwy'6C򲢔}i h4dj!ZNLlG3s."g#4p5# <7b a.h#L8*rqj2Kʂi/ʊk)g 2"&!{ +!z5"JQ~L*]8:kЌr]F'/cA/6,Jሬ1Xٟ%!Iǜ(^ԁ|ùB?2SIݝ#ߏZ{?hy<ʚ[/6U@oib/-jBT'p똪cb3u5=1Qv7~O芁"JRZ? y t@"M lRXa1ٳ$Bg(qyTl09GC!QqSx3yR%/" @}KN yо?Iu!ӧ7wNys~r׭Y8 2eT*}u,̔ yL2I.x"w  L\\Iu,…0M3 ֘JiR!hiyKR&.^bp4ư@l|6vl$dR+~5>qxy4]>v‘IU^ ŐA&PX[f ,&)B(Wm1+CT'U?"5PUj_3WA6f!Xr?AT'wt_OC4!{Gw6]3r HcڞN1&v*h_zd 5ڏ8͸϶Oʆz""+._k1ͪ1@k Bv Sw?u¬ޓu|1FA[SI+,9垇EgRe$Zr4WRr2a8օ7X +#)myi1tQɲgv^oc WM?SML5c-l͞9Y! (Vc[xPQr!Z_:JKZԸ$'@~2P2p]/ቬ)׉#( Qb3,{0rDiE <.=Dot/]c+ܴk@-eo4X$5#Ҋ'&׏:BhÃ+Mdj6eDŽ*uћ7fⳀ2*s}B!ė{MP!I6)/Htcxf#WXo8Bsbb@ ,$ai?F-jW'C_%6yc! ."(Ku{_:9fbnYy`E\w߯t;gOi}9;2Ui"(u6);2R,!m"wK5\dr'j}Qq+SYj[96N3yF9GDpP5MHp[zg+aO6TEnJ_H٩i, Ebm;лE#eRL}vuP_ic8Vˍ$t q^`?Kv۲&L]*?8|uon6Aܓ!䨝c xݻ?O`;6KKK޸/ƑKfwN\$+iv"d??o.a2=g;.''_wV+{nBT1N^kl%mC 5yxZX6賍a={y(ƞ-Mn;Gl6ysC̖܀PWۇ*9:g}Ii%aw&>5R!yb,SqgE9ɑ5e,ۇz*ds_W#޾ n˴ofXc]_l)UUcX +;[jD]wun.Fwܨ-;_4JN޺, DJḋ\Л= "N }/peɻQƣ=\ qvM͆"ӟ Nr˲v(aF#P^WQ"`)&*B#z|ShbiL3wA7ĖDIғK $Nި7#k/O{N*g͘ E1HbIU~NZ'oVW uB^轸c)$m> ꦈN6dLC)q5ENY?3Ie,錐YNrҕ5Wgm$$O\ \`XyӳjbB,? ;i|QP է*Wj|9㔫dxwŴiV:o5~#ٺ ^^f[(2 .SF[NM?r^H4;3feZM,kϻd+q=H'!3pW 8#qۮU61"0o鑛GUsٰ jT }53"/IJuќ,a?בS~ǐjjEvkXQP ot*Fŋ74թE5M0hgY_H*v[mS\FUr' )+̱ 0vTbìg҉Cw% q8Bd>s`RYp Y㚹bߟ7 UahC⶷ΥPg>M_xUKQ)|>8%ڱWe"s{}),ڹ3VF#Ww+*X`1/6Nmbm 1I^ά=\u^֫ Az!s1ض_%۰26AB!2FnKP2::c[ U"  7d%LgIz&F%:naQ%, 'H捺0 2Vn6r+`T2;pBM)86[jwzm/EY|Bl]u a:?ʋXwgN(bl#,z+?Gmh g&_gy!2iw&wnQr?$#i xUbX+CIN`K\ĵE,U'1뜞A`Љ2-<Q1-@'4@YtNqX߄N]Yb y+ ߛtWuzWx"k{&2K3)7}`{%oiC\f`Q eMO1^4m;: iVҤ?)o7OcI8խt,\)g_R"hlqE374Ra$bT1BU8v VQ/% ~=,7 P?V=Ob^s ?=A)ZSaf̭'ÅuC O΀F?Uᠩn0Meِ=-{->c=Bɥ#oȤVUZ~,pwK:l9pؙ܎&~Қrm:K-ly;X^q\BcIwޚZ Ђ yFp9.Uea aӐ<~\^LWX^tߔT󲨉z `φHuT+7oV8w#8j )Yr$4!-x(EV$ʪd$#qN}PI Op$61 ,-Vޠtnk2-~!M1 HkFx&*FQ)Qu:0#!M$, |U7E "ZU(ݩ5pw)3ީ8pqHń yRYl*RC@2 7-BdU+[PxYAљ:aP'ZNMDkcAJ5س^$A9#d4{9?A׍ U>p8j{'S[gʣdp0R\lݾSAJBLIds]VaqƖygx~\PG] ;IF(4v@_MMpjANu>ܙP+ e&t*]** {I(R4ZWBV. dEMW*W=4a :?>5BYyr@@iNRJ165ǫS=-b˜xI Q/ bD?(+hZy+;cɝR~$^a9ߵג xil%^'ry(Ʉe2DX"MO>[ (#&WwW{=VfF8ZSK1$;FD`7A{+iOQo2V%-; Uc@68"?!3sYƖ%8qnB(0JBl׈L7np7|;P"SxFY.rjwKL}Tgn4 $a~Ri^%ԁU@<.u!P%Q%XA3Nx','H3?эvԌςi;=yneG3'NHp~m^)V6PqX>>m]|$n<, C2fQe+9E_yUcs0|VbwhƤ? a4xJFOoJ<.NQNq,n{|&-A]0PM+mzY|BШj 52"bmtܦD@K̛7VqQR3⍇Ƿ2$yR(:V{8pd"C$]?QKk sa0 4\Z$λ;8)\R)שٵ1d)<3"qYC/b갍f4B0\9YY1ӊ'( 钆_t%kG 1tE;ШQftzS_DLu;kg Rh Ȕ+,:F+97<ҁ96GuXY5o:p:0aɀ lxX> U&\~^MD8M 02л:1mכft-Ɍ;k9AFzy {"T>z5"B E@+x} >]ҩ"Hm5p:_tp%t U.I `޲=ʴpZlP{a7`6ʊ\%9oD#1 *N4mWњxK;zv܇64BL*K*dXsH:3e}G9޺ / =#Pv)*ID9$%B5ؔ2=<35v(hEnSAlݝxc/ T_o=eyhrNK[R򜲱;J>z( Q1PX94Bf1 V0ԂSM\TC >nI{ʹD;ȧu–%}o](Q)W aCnn1(]rSF+D}硿x0ʒe2kuKn>)&LRs]KwˠxAphw}M!p%%̝%ʿHl|P9;fxta6 4T|,jV,Ȕ+з ^'Zz]E.Fm~Ť ېnqLhƺ3N {vANUG:xF&fP95%ryiω%xKvԋ> [{X?H-:(wR4l8;P\?yP'R?53dEVc5B; aY9 l$ژbC(DLԥ3Ek|Fy\vv^F<)v_#Ƿ XPܶ\"G$IOTij󅓸bfGW Hk.dl@|/՛^j+jUBń1mD׼:}kE?BRϏlg6y``8B()nBYM```--oS,GS)4ǡ; Gl3 mýUorstGJ!PN![4(rngCcPg4VU57SroB jmRT5Py&OX:_7PNrTJv_gQۉ̰[b| @yo^{ TT#gk1˜Bt; /0DC Ρs2g%u65iMmG,\ 8Xp7YbqmB de%%Sikj<6qf>kп?.cvqW>YqϘOZX1=/ j( xXpr(6_nhϨME^ .Hg\{⾳oS&'F .4՜dD}K䶚eVp<rAL!-zڡdV= 7pB!?X  DEn;QǸ57%h_66fy/. g7F""|9 za[§; /J<aF'ҋF1HC8qݍДMGvw !t/s!aARg>|)XwD V&pCn%U 2^ƥ$ T,zO5z5EÂKށjܥY+pH*8ô*^BE`<0,ٛ:qSh{Oϟ&ZOa+Vj]<ؠ<_ +Ct͒S߅N}[ 6k0`y\+Ѭsh:E[ ^հfNAd(n~2uayFIҽޫ&,9'FOS ~L8΁ R BXRFAc$oLi:i)5Zi 7ҲF >Zy r ȒKlvsoh|:\ 3)40qaiQCmC3P]i@tmً~`B鯳nrh|(iԔ߰*6ݎZiyXk^sD5<:Y{޾%ͪÙWRRd7g]a  F?}6-^šnf3Hd~-mdv+M{gH+86ac|'iT EeNMP˖vo1/0pO@^ ;p(6'VҩԴxlbqKjg Fv3S<,i"l᧵EC l]'dwGO0Wv5r רO'y)ueU0& 6r|gY,8FnjeGL Y',͸-3,ةihAe^.*锸1ɔ_>1x;#} 1v37$`xyzr[ĭ|Ql]ƾwBe:|-2-ԥTcZ>?>TḖPdS4\v8d9?Z1ͥN.Mp\ 8bi jDL*HUyoRRB!ih|'P1CELC("6zOx>'wa߀Q&"؅qО P1O5s uB*FuG e'9H0nO.C |qPtlO~1}si푂h=^_GŨJETTGnD(.0˳vA6p0-ؕ+=t ǥ"d]Ebme^I2=eV z=7NM[~֍^HZ8kUT9kR8$mv!ԧw;TԚIFR}"|G+ĮԔUoۆ1&6< ԏG3Yu7itmėDδT}fL ,6Z8Zh5#W. zM'sJ{I6@󦆞#$B%C_4۹HCo7 "qFL[lA5\Tܪrcbp ͅu A}D͊l SËOp<(vlA Ɠۊ0jlؒ!ʅ:qkG,0 Twm- Qn*HݹwڞmMBMi:Mv0-TaɄkM=ؕǏ t:.A3r&',GQ\x wTNe*@ ׽"wƲMvwm0gj e mi*Gfi ZtHN.ݨ!L\+PiQre.Yjot͠2qp>63y>Bm(k@ 8L|kE~twhLk,+pP\b>(6nzH$7d4^s %"}!;zKXӮ4ـ%VU)jߕRVR0听&NXM&n}?Dn2q*f١~~ĩk Șq佛>] X{!UkÅy ȮUQ㲳MkcgxsW g@ q/o)*^0٧a=G~uʕ|UJTfQO9HI_ :g&`NaeHg4rSyݩʾL "5;QMNt1&j()-OH*q5]͒(xk{%!F-b1h+j&NvY棑 .Xsc )̇.͒^l(k|?W!?џ nՉrڱ qTBc7]OTm޵*YFۆ R3@Ơnj B?]{vr`o Z@0 Mp28QKlpDJt]SΗxoBѣdA[֭IBl}C1, -[ۡӐdO(EcDFruī a)T֬Ҷ{Aa) jkQhAwat#Z'Ǖbu,1UJ,XE@E(4w"7Y*jZp"7{>-.r!K5| `-s1a ^[Ca⪔W wP6G0}wv?7)'&3yK =gl %ߔo~^Τ(Jie-4څ,W}P }ĸGUwOd$`@Vc0%B])XfUu_g*bϞr6YuX 6VVTl/$d4e/) U,XxalEFg{J1}gT4!gٛ'yox |ӬPk6O[hu^ #=` k`'.yLoxW9dRy46WѯʱO?׏* M|Dx ihpiCn"wRz0PWLV+?|B8OnlG -6B[TqdJ'c*297F,MR\xM;[d%RRIM#gkUB@pDxRԝZqL޴ =)zD2e_g &wCy[0˼s<6"N>w̖4: u|4N22%)PrK¬꿧~&+/W\bnoS.q+NO^+gnkaG 6.i3hS2EnZ~{콵_"OذWRʓ ē^GJotB:1܈IhShWa8>.{Y@wR2|dE(?޽]$ּ-p㠥:)(Z CQ^M-N'22jɥ=Lr4jk`~fK:KF_l5"h[M:hG ߎ.1T{-Lm!Jy9׃A?g˩9 ;k";f?‰#T$Fa'6mN@mQDJt*@7_7@S握@X QWb kq0 WC0̺F&5am8+yFe~af]R[:W-\g Ǭv{ѿMd[5zʒ֌k:Կ򇂜9|7*[^ +XXeԤ͐C6#e}+Rݍ>S?b/ td:]K9[.@3Iӱ*iS %w J4:I%F ACN]4{#睷hV<*=&bdq1B"Қ8O%?wŠ]"%hȓVQgh.vm/_5`կ%g$g(Cidjb0 ItBX_킛65C(dW|{ԯŸخrvP8*APP#Hdn[73ϱJ(cl,;:u)2Iwc iD#~?Ċ Ż1.ͩQz .갈0PrgMxrP0L^F [z'n  mkMߎ^sp>4 j. E .0]ﻨ}݃cKl>/Sa$i7{9Y656 ۩fMCǡv{ h,4AMZ9P$/JQX Wz29[b!⼤b& 613GS$ 0o&DZV~6s>0[Bg&ݍ1:SBgh/3ϊfn-;c[e JaX_sD@VET:8{.;sj659PbCZ_k/^=_8]'ϹS]KhAeD?RARt`n -9C7& Z%U/. LQ9X{ Hd~$hBgr zC"YTdqIն+) ̆" {N 2kҫ0h'՝U >IqLG.q }.7,$k|o} pDOڷqA3gYt^ h 3Xt B=7V8ue8*vD={bZ}3A+< #!="k6,>ղ=?<2N4 y!d.F#aANc"~fXۮ@}a^'NEdAnM9_DׯxwfI,N7Va2]٭ ɣ_Jco'N7%~Oʽ_cѮfh eǬFIR5|6h۪.gI5 iP(9ʫsڭr%@=vo̖:V͏"/ 0 KI1“yZbQuMLKL.DZm Ь~N,a8DѣOH&93M?,2\r0f `THX|]%hQqiͧ#%^5[Iܽ }j$P:(Bdw` ׉Wjۉ|ǽ@)㥓MD{_C Ni4%?n?i:C ?nK2+Ŕ\Wye/~<-z?N2I6 tiɣjllnt' џ{/d&6ݹpt;`umP \TgԥDCOFXM(ľAc%h ͋"$6B:$wTjk!|GJ=؞仍D7ez3kHYUrSߍh n@n37?Z$4o <Ah;붤WrNd-u@ѽ'a:m#'94d 9}q Ovh,6vAW=N>i[-+oΝ1 ApF8{'4!&'ʜ?RIi6/ #X0~l&sW AbS!Eؿy.վfʨKˑCzXTEX`xfa>>7_NLk!p}z.pnKw3ɳ'gRʖKN dpԭ`"ݎI2d\2CЄC(X=[m,8o@6PO]ږ}:Gjʢ3g漏# * L ˂a?2'x, Yw' ehI+Bv⋔kWYU,k2ti]4d?E N[_P 6EہҨNURݺa L FDk< xcl &._-r0P>n4*)!&A۲aB2X耓]$tb8T?N[#;Tg8'0z3u`Ρ @yLMl1X'vpt\H.G0,PEhg] áJJoY(ʬR)kd? 2 +kfZuI_p>q$6TKr⍏%od fHYa-%~}O]l]W ][&o2n 0#m(n䱐=@-"!~`d9.~zQYux ^EVMj|妚wI5Pez1t+HUC]eDp}TrDS6oy`HH7!l9ǽ8 ]0~эM߷[2 =mպs.f“S]NfSP1P6V5R(vb(ɆĔx5~p&˩sѐw3cGqC78#%P @F?(-ͤ6يYޔij45/щ: | zJ#H4:VƹaCGFYC%REubQz&ssIt5k'=-Q[xT@-!^N[Tf!8ژ6<핻u65a ;q:_ϭ>z&BMAUu $7uJC3!k3:^ɊT@iTX:پZĨD`KH36 ,bkd΀%zΟmgPxܕ.e W&f@G3wI}^@2b;wbX yΎZ+Q DV381>"x|(uȂ&5Cn:5G7SRxP$فXaqra&d7U&^z̛M&Qw>R#Е7 h]}S;4XZIE_^QAEXDZ5ni"AnHHdQe֖rG件[qS|{qw{8g?yjԔqx`5K(V1~G4Xi1v|Y4wjwՠ#&NQfEη_j;;#E@8'5$YbY)i(TMMBN u ߓ(C8HIp*ߤ4N|N^?)%m~zݘey|MZTqϊ/ ŜȆ^umSAO6;p(D8e e ?`]P r LQg6k͋P 9la)qRߡ>. ;c8,\k>Q$rt̶a|3N3V_}Z&C+H놨N+Ђ{MX=dU ڟca g{{D^I]XȝxnqYncsL4,s\G)ٖU6:w<.;4GIa) TI©pkAJkZΙNͫ5rW^yQ.r'"#)[xMb&1 bdsT=6nyCr2 [zadJ[ed "]ѩ,(od sA$z釵}`$ql`)}jb܆Ap6«RVHp7eU^2 OV6Fq--f7LJ#c.'94DL[m.~':A({] (>P2<# -D`Ch5/'SV4S$W,X[io IX<)HyP | ]r'a`]-61ƻs$͖e%)&}Ϩc0,V.1vyyܺ˸[竫vZ@ [Xs)3FiA i slrwt#!1D We!DCmw|`RmC.0T4Td}`TSBm`1:d;WTC+|{mX8UDj`J*vx rRYsuujGXԬTѾy&WfZRՒ^ɢ/I0{ OJN?捉u0 tpj-#4VOazlԎ@+7(B8 `u6 مCifB؟${[5L7(6D&c-ƘYȡS__4ȱ&5񊕷s68Cs _>;8 1q'uL<ߏ2FcPHn+}'Y: rշ# (O07Ѯ4n.JVOmo.+]7IA$*,Y]`YJkKJv<===p3rx ;A'4HyИħ," zCku0c&x#6jjC>:d©=In./򌮮tnx1a-@}4Z^6\&9|1[5f` 1@|:[~1ZW3^&pUvYn@⛕. jڍEgj.L=}T(JwA+eI{TP钖ٯ q)ba-,m@ tK Ǻ A՞|#ٹ7?d[ߐ悆b)4RPkxa"}p$ns&D]9 Ȇ7v̒HY21r*<%J_ >{@6?~k1SL|H-1[MDDaZ\k@r/)PLO>{&jLC$'^ɵaDP*6-q(NHhJP uA$:\ȉ%7$ޛ B!Rq3us梴+$Cu` ]$>lE*ʌLU ]Foi)8 W%܆mXx&,l=t6D.xYlUH =,>gL[ v(P M9([ ?4B^u}h? 3YO|tzSWI?BO]]k?80(_?72ʨj9·\8@J3ޡ{&OIds!ud-"eBO96:G\-)P?,#Ba8ØA&x i.4OYJ'WfvŠ;<\S&'PI%D󽎘r~:U Xn>R&cwzGu[{m&Y>ځ7zGՒo92F oGY㞓 0q,X,G॔$AҰֹjUWh&L9Ŗnx4K28;5LѶ'G?3Md4t;BYHˤ)TTt*:g[ lD8$ =0&VM;~؈[CH-1|?梍uHǠ:o~l1%EgL `1/#[Kh7mNɂ6̼KИCRb{7CT͢:3Y?G䖺g5T3L~/Zj7MQ] VƎI\Jy {.#19Јj6j>ΦrVmP()I(2J,{РI J95(8qFTOW%o`-i9xCŷ=8VMPkhiWʛL%Z1]j"l2 g EKm_?#7GDLBQ̵$m``̆Mܸ"S6kqf?J4ZY-1oOD nr-_P7KY3L<+Ԙg{&akss 𑌬csGPiL,틷Г}ECko7"ض0ǁylWwWDiJAk~H a]c"x=@y:B}jacCj7()5V2*yGr!%Cnpa0"PB˽ n䂟jP2`j"@]Q[LR՚z]vS)!}Z+[V6\HP-ϩv`J=!dsgKm G o˓|/p +q2'/ j;d76Y ޥs9Y1晛K6tϱb{^^ĀJ]E;]ʵ97)P] +^3r/"+ak1^:|_v-ɭh5@/\ivzM96D`w%C 0?6PiUc^i, ٸbXL*Ud]^]ZE298j^.yOLFib,j3C!kBtuǼm@!,kv3 uKC"ʛD@0wNFf^1WJ3 + wJU5u3Zź9BRKӦ YVdqTn ="St࿿G)o94s&C߮ov%1DE:ɚ) )H4Ͽ/*4OVN>T[ nPA8$3R$\hREAJ`a&lBGh}vֱ;D _S.&B;i#uo8[.s9™KOpm?25ŚDKviT'4bջ;OśoL@J(@nOݎ"9 Kق8[[vN5IݤJho2&~Nq)E'ÕT^qkN&9v;W326d]&~bc _ l]D)1 8PG/`KJYEɑB{·uwR$pѺ3; :m6QpfS m!83{=rn$iޥsRe3+s͊?5F <+ifmv>RםtiP ̄&xfD.PR{B.Ua^ `2djjȁ9TX`6@P q {+DȰ{lPo ²]2>ӒZŊmBCeB:&Z_%hL5;RQ;%U-CP Pj~ /l$񥏈$`Zl{3q|3vh[3-˻]\Q*ph'IG̥[A PY%♢EfB+R)'æo#+nUBc$WaOu+߮; #h͐ti(ܫ,)`.d3_040% >=7axZΈf{U ?ï_bxNݚi,):/>?sQķ\p&!~NI<"J`&UЖ<ˆmA9-?0ŵĹX0CL4yV9ϥg XqLچ}-N!L qٕ7VÝ2k_~#l`LSKB a0 ~GhH*&l 3ƛT.}}ֶfoXfn7Ze Ig @ Q| A`*C`[YN8:Җ80.DaQzU@x6z3{d<-ڈI^NjuY8Cɍ2Q∋i>oΘ3JO,;I8揂<>B]Ϣa^=.Yk7\-2M!mZҲoCz>W\K 1Q\jpU~ lE0fݴuTMcuLwCL5XDo5 >QyXpms=m xVK|}Y?[×Eh#v4ҁa.%h$+~K6^'5svo:CBt&M;fD>s(l %ppb~)tm6&JŐR4.Q#J)5Q/&z%34f.967ªyIqs0?-ֆQ 1LC܃R8|]f^q;lH"#fjߜɔ amj>Ї >( McN_so:οH}%* sA]#.)jE!:VmfCmтΘタ=%vh%HE+|몬ѥR6Ǟ> z#+/`u'hz=0ɵT0)gYϾ髍b Y`2hpslN:sӷ$]BU,.gFJY8A]Zr>x}:Vĝ9h%"B00F Ӕ+9+6UƘP5Wppe/ ӆ\U1ik"UOV g7 深QNlHZÒC@ ׁШ)) |g`@y2AolVft*$uG6M..?oQY6[4`խ!Xwzur@?3B-k*WC^ t];ׁ~P|p]ꍘk,g< E#b<LteCjrlINAN;ό|hEpPïJ.24/i[\%&L+gં KbUX< ~{HVpyC:{C4:~y^˘EVFf/!ޞwc1[+@z`27<>ct+!oK  [>#c U F ۅ P*5k,Vh$KdSvNWliX`LBH"[h7f ;J֊{2(*!Bh4Qv5Gh}nSFqC7=vĊU79NЦۏ}D]t$MJ %/XV7&Xe7~8DcF`z-?tvE[N.8te쒎h҇Oh|}w:qE^U%S3ӹt'#R|a /p1.iŹuX]rYhpL,[fTD ۴l)#bRuHB#ػ:o}[ ɕnc֡FHQT-ZStC:L1t%}&krP[:zVٔ^Zav=f,R#xRl'OP5ipw'qΌ%= JSmh[:1[ciw3,R+Fd[eS0*LD{j6i8aF3D|!]Twomr&Qk6u2KĂor&BpN0 ǝR)&ABݍd_Gో5=60aJmo/W!hJ\+!;Z7e۽f ab ,Du[[_mtJb|͎8JG?w7g qaz"Rvv=jݲu }QDISMcS_?E(OzH֘,|g?v±,q_"%] a72)^1`ŒjEC^LD1[Lc= 4aAo4{i1/V)?c!(=C4=-VJ`}B]W-|x٢ Fs |I9N{]ɬlֈEQT һѸ0|ml\B>!OI/,Q qpI8=iPdH׿5g; b B9ι 9k^[֐![aE.xO+D k9K:M_Tj6"0Q^:u]C brRޞ ^`s\&uM v)OUt|L5Q/ bORI@ϪGrK۵^߇Zx걡13 s6uo:ebwx87j xF6f3JuiT'n"a|iZ>)eFIb e֤w+¶1:G.ZsEe;C˾`&ZDW7*=ͅ@U&~+M`ei@ْNYV (?ސ n6V<0=,QE8|JHJc;-%ݶg(cgO~H=oI Cvʙ,ڪ*0gQRլ w6td22m:POP~vZ&AM[c-wF2GMz,>8mA3P֧S+xX .%IRFNI"i8mH{`p}n+QPzHmɨyP"+&u[R.Yp.cwU{q.^1q,8VqSvxW Î{ 3ݹcoYe0YߢP[O5զVt4oW^oaX=PMw+*y\AzD[{Lsnc(M)J5V4o+nDu87z \_ ,T3146y]XpJq3`q~9z:q:T\l G~:jV/Cؑln4 NdKX~ǎ>3+l '-Z1't|H:u^Xm8gG#1_}my0ٷ=ۣhb=-ĥ5,JH5o`.hPAzl`ZbTb4߯:1p˽}dszRDvH~(Ĕ֑[BŮUJ@Ԭ[L "$۱AOq\P"Dy_'+|?kkk+mB\-̟>P .yKF((Y\nWi@V/p?2е$@͇P2Y;̐++k"J?ȗе1/uBo2TX;Ui%oal<j AȾOtf=HZқV}-&̟]lW,NyAA)|VDܼqc?jw #-Ԡ*Aܨ1)] y/RK.־0߅b ap'N'D I' <$haFAdуYzyUVEP}!_W=>.αޤZqXۧlVU\0pAO~mm;b[uSys#ؖw5z"񓠪/Dpa]!P++mweėDՒ{T+6#tr 8v;BF2RՌ/4 Flf/-C#*ykX|p.c'NILR̈́߬^.OWN"XժKjwn:r\^,GP8_:XK̿s6@L:afYU7lk[K4Nn=dc9 0&ZX"ȍLA*peST%WmAg゚_mO-U^P7.E1WV6uIu`М+y莐q ?8Z)Pt?e?'b4b:NmILr??/95°mDs\B TK\O DoSQckaf rl{?x[IAI Yyz09KTH#OBxzryj׵>Y9LD(ʷtF9'T)*B,G=:J k 0l]s"܋*-]mǨj%վZ3)A\iH? /ˠӾ9Ѵ3=RB72 DKRkrÖ{sxA$.EF2DBE9tR0'y<ǂ8s`-zoA,/2z p*|7vhNJ!x.!셢(u}+.~ظ Fj4-Ҭʾ9 ETZ@Tֲps;+9`a8P@ rhB\6/YC:Ru"~tܝsVPuoNҖPȸ_27[,0/5Y`/԰)aD8@|qbh&G_k-Uݘ<{tDex VXVdK+*g6Avh*aJ|sd#xl9^nL")xFtk榳i&{)J A;}YRYyaRX!&m$f1G&:ͽ'b]Q7rndҺRnnbL%䶐+Q״-h~{ ׵͑˩gU'V7HC Wb n/c%`z'0|Ĩ]ԖcPp8Jv ]1oO%rqE\ !u.{ y:)Mol)kQBykF9 WK5B۰2Tү/AeU֮(Z \; xt'^zG?N&k:<@w3~8ߌYg.Ż hޚH<BĒ\R%*s’eܫ(L PՕ]L\ڪHfbrFzI=m٘C hT ~uAw"OTC9w;LqP:NRWG%tlpM}gg-HR^u+~LWXF ck:Ԯ[0-\4B9њMAi+vќSch l.""xSqܓr9\'X'%3}f8^..u_Z9$U'=H6O#N*8 8_7H7c짰A\GFKo_'c.ĝQanľ/l"De?K^;%d=;QUf)eKo"n5I~DtU/ ¦TF? M`1TM i 7җw7/XܨKd,?,>"\W 轤u88^pѠrvϹemz'Ur,&hV9mFdgRáJPpOEF`7|f vmk-[nAy/g0 6=Izb^g)OT0&M$ԧAdc9*FIp7vA_Ԟpy>Úp)#܍w`'7i(DYjIP-K$ςH@oL%g s=wdˤ&r7lO= ۼ4? aŢ Ъhq\6j"4ә]2Cn]%lS9Aʊ6q<>KV\'JLE .8ݠ0l~m\Nql v^8RMFCĦ?h'@7(Ϣii{͏/@1>TA5 dTM)S-Ka Z,Մ|<MNPΉ*$45խ(8b~mbJX.ϪM*]bgcSg<%d,G' 𐏛$!< 8ZT0=9BI%^<م]p,Whc̅enil$5!XW3B?88(m<.ZCNڻ}ޥ%h}0ndB\^vJQf'N#hiG^YS}㘏!/k彳2jfMO֚3-߈Fj|HK:fҘfxh4K4[t._ Cg8يWfD&'N#Z{G$&'FW6bS t CIa $XIn͝CoSD%bNZmcvHjEu@s?#'5Zl\Ƅ/f +FK?YdPg-(.P>I\V4nЈ( H#fxҨyР[ .Wb;K7_ov%C$}MMUY Xس>!\>0tMOq4Ŧ?'W!]+x:1nK*C^Ӎ=ѫj5vK5wy oY[nM[`AT`zD3HvG+""2i'j\Zd EEجr UuzϗefyxFuXL8ivt_`T+,](7]&Q_F Jx'qJX?y h},B2"#0/@^Z䪀\UX>OYZL1 LZ n!p^ CBl6mç&GdE~ȥj^+Ev=4q| <  k;D*9Aˋog`,^?wT A:ӆ'U*wЦb>>S %Y@ =b=[©G!4_ e VRNZMGʤ!k$ϱ\qf!(,Yi'V֭q:$,yH,{!|+=A4L$m \U[|`Ԫ&7X| N5&4v?ˤc-)R'vnf`~F $  !ըY@B=4u"C"GhLi:ؐ-aD@eȶD|X|Aw*nS#~dvd{Yc}e=`鸿MOͨz(.nD.fhK:L36`OPE5+P ?u#*BX Lޑ uКYZL­ nLݚ0w~Rb|h[. WYQ}w{ATĵq<4oN6&^niQV~ cdi%rEhV݈+އaqhG22k" T,.(OMO)*˗F@3Ngu2\V.%PzvhzeP4x2YF35W A$][Qr"V.FLAU(#Wɇ+03 qʩFV$,' o3KU=C$#v ieC79WGlIΠ#1]v*O\ڟuY)uDQ$]]W>meCVC.ovʏPsOqVZ iDЂ﨧 >-/;>3Όo ?/!C5|/Hufɳ˥h)g o6/ѥӅh$|6XfROL3Kʼn aV=IK0hxer; Oɰ9=̗|ExOMaDy^ ªI'[aNjז}^~W]͖LhPh IP&ι[^,sonT W+̱rKfӣ6LA/lo`? u}"vQf8VZe51-7Ae9afGDF@Hmtwhn[7lL|bIC yN0],$Ȉ՟0v>fz_5Dn;BU pShiܯǔדc0nDB8&UA{%B~Κݝ21{9\=sFԚ7Ļ,μ*~:d )L 8A -qQ_CEw{9SD^կCiED(ҵ<3,p Y$Uӂ( '-RzOtW(ri(ӴO' 6وF)-^[M466]-VO_aOd&3S8jx0Y|^5|thDnt˷o2/u_p%lЌaۉ5%zpjp5!9cm^c< sگOFYg,e@D "|'7xhˍN~[ ̗ Q7EX HW?e!6Q$uR' Md GE!N*? S;4 KR+rGv%SG7@I=5&jJ  @WgBr;}titn$_'3ix%jo&0yb]Hܾ98^3H[ MJXp;jJ1x##@^*)LJb[ux'!CG6 ub{˾¶]%R 8ɕ<wUy-PpOpp+[u'( DG{kVӼdƪSmڏU[,1+`o' e@MUl4 !pj >fgނz4Up7ԠdiIHWVϬ]pc"N3aV7Iońn]+@xbS<0K_ \w'ZdQVWFh|7QSrG}U/kԼ\ ϔwCv jř UᎆOyoW" y3쌻áfam'~Vm;h7eob9Mv/v=a1s۾?Yg[3`^m@݁r$/=h!2|L}z5>jټ @ɪKE, m_Nj%NkEkU.Ǟ\kڻRRXкO$u9#/Vwb-,BƂSm+<{r:K1sIfa+p|!j$.W ywƻNt1R}毵Y5 Ard[#kbOpd摍B ,*( #rN;c~ę0 zx I@@ =ibfF(w3~4&E?i'zIُ=ğ…X$cbFB6BZ]u`)爊wFCI # ؑ\N3yk> IYW8eؚ_2ZnWh@oVOOߘ%ڴ8 8*ţ\gf<<`Tu8[Y(hm#P(<lZhU `KOv.dC +Ԉ6P^(ѭ$Tj<>` {,~݅f Ո@o{<ʥ'h]՚l [(e[* R-h'c)#3d;$q,U= Usz=O_e5ي4 >ᯁl:d-|v&K[ rw[c"xtm]U6Ԋ`^V@! kFݶ &±/qykd"ˠeN_t=:3@ ;8Vv( DWyT>6OÐd޴ .D_# LQLϭW3`A36-1 ls-l~}fQ pr'WTpvYZssSޅΉ=F,؟%}|$f?φW+ <1̘WgWfcUG8hSw]u:c%#Ƽ o[%@U*-p>ߘ>ܖôefƄHE~Q+^fX5;rU!8,Kb'la!1jh7>-C! Bx#4~yAP";+V9vy}--ٙoώnd/c%.QXO75ȊXmJ5,yW=HTrPS-<`1%T2@ uz\Խtê:lT3& VI~lOȎO *q,Pqgo6eoG(MR}ty[}L/uWG(}R )'46x> jFԪU| s.؜me ^Bdh{pK"ӕ ^ѧ!N|HfD()Ivd'ZE0x`e!$I>C^/A^MrY%' ΢eCG(r; <܁Vƛ]lU澝IB-`O&(7]@>cjѩj[L=ĨH P[%guY<^]aRJ[f+!x;W>6 xbB|uv{\T &sm藟q4:KXW;$KiD ,p a5u Cҭ;7HeIuvX9=&ŗ`)>2GBXng*XE"7? d-k82Pl>Nz] ;?oa. Lwy"=H:U҂Mu|k80~"$ygץZvjXӚԌKw5wO1.1&j 5r ~/V*#Od3M0Xq%$ZK#JދdUڇRs/Ue |Ŏ/ο\Pw{D:ݽ[k"`ٝ%1s) ˈ:L'ԘwH Yrx6Xl&89vBTqU;Q%b3-Z[ ]Qo:t^-1*{ն^)s=A=<1L~ۭ|Qy-/V(z4NJ\@z(ɌF-x}V +sPV}~tZ >[oO-xD6 onU=YT_̨L]I:fKjw:09@TfĄHgHTs{gr!Zi |4[,zUed0S’7ߐFɯHr>4>/7!sd ``>κs&JV woydڽ}_kW|rŢ$iQf#,0 J "Xmu4*,z#;cv% 7zʫTK_W}$,ve,Y& JG9s +t34_cE2xv*f N t}?)eӝVI][8+Awr#2_dyu*񻨅A-4k~ޱG}IL@(GO(/zqefx0]|Fp Jaō5c3M0}ψ:4 u rpqEDJ6ݦ{z'0hBZW?)Pzu?$y VD6|OU}I]:(-٦6yH螠TLm^38wFUioU8$Kr Y3jBٯS_BJ0=څڙ%OվXe=~!in] KFs 5='XS(+G-D(82b;*m\4V!]tJ)?ANu ˹DB5h}'DcBUSVt`ս%>]oØHжu|&Ӱ0:aef[ L<~K %`^NJpCOG^ ͛wΜjϷ>,#o=ZoAG\K쁽 ^;=n 1u%vTUt( F fn=*M1 nSqE?)/ نxDME g& yi}d9wP=1$Nb]^VBsU RqJe!;zEqlP32qToՔOkarZ:ڶAzfC؜lu 3 9:U06-I*,dh ֫G,s<B 4EGOKVQEMоL`:+f~DBiRcșk&|˜_sT<Ǥ^*9z'  uzK\)R(HGJLbۄ-z W[`w^J،ɍJ%n;8,53>#pkn\G8Vy;HX! zV$.6V{vk#A.u Z:e^j3{ vhd$Qtf#קpym9i8_ik൤멐zjpfU4]M$K V)(2_$R;Ȯ$EUz;#D*Q9Id>yK~ॏ8;+ŤƭXù0H$53o$r#뻪rRhs$APBc"1&Ol)ij>=cvg1WN#NM1{!5PB,W$P$AXV&lK%ҩ&,bi0"|Å;a$8۠|9ulgWE.d<2XW_{?>^V r/"(D(Km.+ A,W4|<,Jq /ӻ; h;x7wB`}vu%yq]L=.Ö Ku/<. _e合+@3['rI /Y2knEl<7PZ$:>y攂f]*xlOI< _@")G|HSŃm 7Hor8" 3'87?WGe{hfB3Z{#xPBK!vpuTҔw0+~]+ڟJB XiĘҠm{3HaoV|p n6̽K~yO5B\Z|[#ެK~Ũ>xc:/ LpM tƎ Q:k.ClOola| +WVi2-|A. h1Fզ7V۬7D 矱λgu o rGxx<I ;˚WXj.мѴ%'k,ƊC3X̻>AM3^Xun} jE0՝ +"1O3q,6_<_[+&.;Ĉ|h8|SQ<p= 68ib>G`[IAN6}]uKξǤc€+cd}k*ȐMzDn,I#]54R^pT@@>!zNdZtb׻*χpGœ Ci`5U=.eX$%ϲny#K/" YC6qd2֨Hb#`JHoq}BHRBJ)Ӆ#lmFoA]^EKαҊV3ff21'$Z.#v[F- Ix!!k 7S@I9n3Gr6Y9gƱ!1kRnՀ̳q2*-,U5x&/?@?/]VP[#{'QIS^-R#@gw]umy~v3m5Ļ&Zt;+8[e|WdyQ'%8xǢ۠\$#~uѶY-&&]"\^ٴ%sJUCw]d;Дф܀e1QۋtQ擈vFuw6}w2>pxVؤjcn}Z?r 4'L\G9(^TL;c)B#k &3Z+ %KJZr"a*us3P36tr0ìp9H~vp ?vӫ.w-kT˺l@=ت5i;JH޲FbS?zbjSXm4Ɣfi*Jvvء+5Hv7KUųW.Jˏ,vh/Pn} ^B"rU?RWCe"ڞTXur9Y8nhC4sŸÅ,HwڈI.@5醉&2R1G#5 =}pDk m+,[@>lwlQ˫;ܝć j以UQ^"g͂#-Ҡ[3ߌ,2(.0n5}2t÷.WniY}Ri$-~*ΙHM_ъ F$ԁ\G8r09nY y{G=;^J'|;'L-Y){`$8:Tή~3E6b˥ i kfsy_*ƩTuT<.IRfI.{\ :M1E!@>4p`QLqJ#f· !v"^=cT[V0oUf!@MxzЧ7Q„g"n< V]p(VX Y\~]* #HlN1fJZGjΚXgn:`(Sd 4Ia0w=oHsz!lbStq&; gQשv%K~C%(Nkrױ$9>DV`mbxcj㎍AT#οTjƥe CD{ j?}g΢^_O<=\AeQ$; hϚ!}܆ +=Rd~y6 I&{ ΟGmGUBɩ oJᕨTm!2~=Pw;IU6uPMcA T 2]II#Udpr%Jm a<~U: {쿵 YWh|0vN>`|H~DʠrMP_OvSڍ;=p\w+5<)m,vZ eG~9`jMۘ&E}džmfx_>'.o'(9v,M(>Xڑq>IM~#Oa5$m ȓT:G E,N3[ݎ-$$h[H@dK<!㹈qa౧g<7h<Ft,Uj겊YS&7 /u7Ⱦ2)6&osz27?^j Ɠ|ƨvNF!ߑi=?98~g{ӆ"cP`TW? [TtXk9L`z ܉rHclr=,rҋsTϫ߼F̠p{ٗG3yО 7RD>LׄP9չge1D7~U~/|%͖ߪ:HB5!{r(CC-NJ6ֿ真D#۲?^I@5.}dl`:' v@I T[2Q`~ĭKoپV#v6] Q wD۔T~]$_=S)ӝ@nJTF&͝{0鯨1|Z¥mzB mC iLJ ,E3p0"^ПmF_e\pH>PX=qUt1HV#S,I/M%W։OHF /ڡ`2z Nƅ?(0A]B65C5א?āqdfS2ǁ|6vq5+H^sTfUaX>3n՝M 5<"P.ϠR`GdG05Ϝ;dRUR: 2U41V Kuފ9$ǿf7z) h &o?Ll6ˁ/1UI"+'!u F:m*;_f3bs/wѰcpnATN^F p9$ʖ-cVmh$X7Vry<6fFo0Wu*I<ݫӈJCxDVnZ\`~$!d BlB3^rl6c=2)Y!xٔ}M{F1M5Lr\9SUW9K>mm 041|<@ުĶ&U8z'>MPa_FfOYֶӢb *[9eS'@i| RKe<~bf,ub>ⰀPc'?8$<{bNسZHDآGÊkD֕$ǵ߾@@Ү/7?9`1뷫|-ȻuW1myi7F雚lqhP;שMb(-.2^`\iK:yz%Ƥ٩Wn@::~ 3'kl6̈́+g0宓Y{2ltcj!t 'U;U.o0' Fh׀/kͿz@>va,s2<߄sĐ6RF7PGsjFĊ 4m9'32_AM;e%e 5g2 04cė`mKnJ4b@rws\A4}_ׄDpeo~2-Ue:d {4kB!5xgkn#°*e3҂1#A X=M t/or–՜:R/{jye? ΄ked?`!1 w|*$C~EB',c@=8Do:BC1=S#f]_O7>}ͱ_?qF&:u 0^CJHUpVU4LĬhxCKe~F+eUJȭRzf8E47L^͟3Sz=LNQbn)=;iFPKxH6rdyvi Ɖ+ Kn!\rS-C9f8yѨ=6MD\ k>i/,t*od!85`*0wfɧ"'Z0 ޼7l/u8, AenK+A0T?&0ӄeY]qH{p}ǐC5܌`/g;s{VФ>~|o&_68Xs0J/۾*+52ƻ f̈]^khF%5[xhIгВ~uH]rOܔ|itqAMIJx_[-W{`'80_w8^r8Q.Ǟd[ 6> DQ9~[iwMM48 HQ%!];v) K`͇6X|օ&sw5  sdko,T! oir[6J.5̧̐+uk>JSVi{r\+NߠL͗ǝltW9F܀j1pR6&8>gG9ˠWiD:WoOgٶ@^p\ mf&ki Qc-x4?]ݱga?Ux1]]Gx ^ ϴ6Yn]1hAڸ=~fӘAP,QC?|/gSc a2;6 Kt5(= ɭ~[JmGC2>Q:l?'zYkq963 ag]4/hW;bg6z(#P%yf#Ӯej4x#*És+&w\/˿,Ys̾}<R8й P2YCOi :6. #]Je|cK M)dӓ[q.OR}-[Ғqsg6M.HaPaҰՅ}% L-rgG1J?TԘGU%Ӡz(*r*(d㖳C0*@SD"0w*/[qƗ̮7lN/Fwae!w=zD#rmuD= }{ V-*.#sQ9|ےkZ Sgp7 g4/~S: rimWu5R뤚M'Ikldw R>ADz;FI;41ƚc:H Ԯ=1K9/KH¡Ǥ"7ڢI ӤCed + drDqTseCkmcC؋u\Gʶj1H!\ ēeS1![]ܿd.=VhdJr}y;Ճř7÷9Bց5XBTuBރ@XqY|-o9*.N/9[N]p[kJ1M\>+CJz4' xY(.)`:z^ⅻ*NPoERu2G#`katHv,p}+1/ bOBj0/ʐxr߲ ofPWCJ2"^0S,ݺi!!OK+1jgvb/:4h*3dYk_Uqw*lE%Pӊ)3>?>i/Wp$͊mӁeSg{!Oϖ@xTɋ|8 (3> OйZo)bTE9DO'Ef\[O1'PzGԗ ~XX]f"$='tgԪwծHη)~E$=,.î~H_תOq+ݰ9%* +? ďCNuRuvkg<9o@ 3| YY_rG= k; !tF `V+׭s 6Nl:46!C‘=WR Gg` ?i2C[]*aRD abG079nG !ٽ8)x8_̇[6V ]*;D}*8u<q%))#~nFD>>.i|Fz0 |.:<6[2nkRc|l 2b+j *S৹AU8D.`fU'>8 K$eIkGAbHvCaM;8$80'c2 6dܱU !lkTA$fF4tU?$]('O"{d+D,PEȑo 76XXsGPcuinrR`ĥ"зKv <:VA%j3ChVH3sTh Icl4ʌp+qgleJߡ W'=N)o :k$v1sG5`Xfq:Wd~9s l 8]4=>Ά"$xo/^ U|X yAbk*!dyi[PHld@d{=2? QߤIIiyZ`%WOYƤCR?)?OzĞ|eпEG} /6%|Q&Os<7zRS_Cyȸ9c ?jcXH<=|*O!`-Nyu ,Å:< ÜIs[s;Ap0Q1ղN{M@+C懗;NM/fcBYuPa> _ݮ7p:A.zQw޸W(f9'f%`vr!_e9ig)l;ӁfZ>aj}GyqPk8䯑iUEĞhS2J$y$EP-~F߽Ǥm_01]iba,u! @ahʽ'(1aɋ]qXV+X"ڜl䁮gpp -ª U遝 x|^=I*ڮ[#_o| Ts<:{H?O7y0}f o}>#;TÛw167"?*!, H!-ʶ03>V=Ro}i=t.>{&>^+.wE8 w'IkoBB59CYۓ8tܟ܊]5wjp :ڃ,ۅ01viXL0Ecw|'bFlWԿqٳGL"]VT7uM #7WqiwEY۞f^*h>cO瞴" 샺aaA"R!\?[U%)RGq3ΔwF*v#]oü/ypym:YڬPݏbwUZ͜h<{]2AAϵǾd ~h"=\[oQU](>I:nRؖ=cz$@0#B/3,&H1u3G֘MuPWX*/$a32;UxqO`X*/hJ](D+bTczRZ'^bƋn&{ܟϧ򂄖tR"ˎmt6esK;ȤT^=Ei1>.oӆ4uEGz]ԑ{&^~7Wj˭JmcUDי 3c-.N门K0"q ?~ n/>oy0xwT:Ka8*UF% EH7˸j1UJ l)+ztBiVya >f]B:ٽ]"ţb~Ŝ^%^,+[{ __ZVU#CZD';A0z57+#2[?D:{im(^M8A& w+iӝVj t*.L/: 6Qmȭj& w[#Pw61,}W)hL9^îK}wVV)\ GǠlXb;eIdG s%F s~̾&+I}^K<3w9^(ѣ_%lB]B|JYUJxfDJ sW)ӯgdEzQ2$p/|B@ǽ"Vh֭vdBX˭$*Q䅅Ah]Tp;/z:`+Z+D%M% I΀y2v|@nD3gMR鱏~e_4MWD-jxI啛>~湄Ot*\\/8e ݾʭHYYlɬп gyGx-4Ҍ̲')+ n6%/Lp$ݯ:B]PCKq8wԻЮ3yxώ1dW MXԃ `.\J`[{nn\D@N"f+iƒ./`;/ϑ6m`'„~"/rxA }J 맏z<I ĂBWj_ (sZ?bޫ$bHN?=>3K c/U/2([x؞ yxtjzOћcxDN!p?iukj`\!V/1S P2Pi p y!H7/EtiB6 qG@=J `fkI~L̶` t}2ܮ9g"*:EaV.`3v0x_5(tv7 02IJ&tv13b[ "p&JYzWX9= ]&?+D>mqi<%"gHA @R^J"Z?'H'V_`=rɰ9ug{.Db0$poG8PO\D&hza_XTcݐ^Q &ء>PX(ΚDh x@}zlXq5j\xAۨ"fTm %F*A i|'(UFE%C`~x7PZoPC:@A a(SucYBb'錑9Z/f}i1B$Qc7_q/NGڮQNΓ~{eﻆ,KG(hjEMg WkP3>3TnO5nWh@iIٮ3&yyCM+p9A;:.(=qpEwL i_C&@>E~E|9Q,ZJR»Fەr4SQ2|l-5vr)d~ 0OZ~L>`;n=r+(ƒ}1sy⾶e:r`Yۜŏ%9T z6E ^s/(KrbTkٻYC9άE A[A]dڟ/}XʸӽxIBO>@s"M @FТmh:eIӈKziR‰B[S)lK \7uїeGf!8HR{kZy|'/T2ӝ4ytj!2GmQڏRkEcP%o(#Lly <.9,\!|fm#V1zo**+04ƴT~>yY޴nG;Jրc#Dƌ~W7ݟqh6Kol/ &V8"<٣}(,/xig6#<|ѻlQVD/lj=a%X OzO&ϲwnys"x*"?р N[J0xg"AkRN*zO\"6W1"]}|KzkTdP~2q IHFW |,1Gqm0$Ǖuџ^'Ӽ O_ZM(%Vh5\~w4BOW(9K˅녮 IJ#*p^uV CG1|9x1>ro?U۱Վum۲'謦Pb8M2JMEqs7j]IzIBŒAsq燮uJ8\uHg4!⟻+:5^^I4Г ._$Ú;%p ]eƢnLc){YLS9$t[zz\+7cQ`媏 %G|%炙%QwOCrfnvFLG-u=6gQ})k>kӘ]Vw~XE[9:<1;6g=(}[dVDZ4meUA(=d`њI6W( &Gb~/3,ˋOo1?P^XFH|}WEPS]~r^ԧtyd>XcGW=3!@ip E_&9llkw t3$L'+FX:c&;5B.q \x0Z_.);/d6)'Ce_#. )WeQ#D|ΊŞvNnMz{ʹy+0^eF[&9mCLHU5FF1.g,(ӥQN%7-P_)tb~7ApVi[ {[>F QA?ܭP3 l95FWF/Q崋6jV3[\ai) w< Jx+L]Xe,DQ1c w+Le;ėc;E+K,G~u,Z9KTu^k ;Ppe]A8(f`WX$Rl67Y?rW).os\CpY0H) RtKuqV Ghn91-tkG.C&65ɑD̹DDb䖥ã!\8LQ!Of%&Äsί:^n$QたY1KG.c ˡv]hS ֢90>TFS•~(LL -D.]헝\OUs|p^J $Fd1r40lsGWp×Ν쉶mW=c??A+!%-ӏ E,j]%~WNL^|%3yhfZL򦅮:G[C yg)Ù[0:4;<#1ϛ$7nS+d$j裨k]CJIK&=nϰ8e ,$ tǟi+8uA㦰33GޢIT=,uDj`/|'j:L*. O!LXD@;r Kʊ4-6)'P.1g5[j wf|CVc5Dxũ(Nϼ'=0$*# Q1W"je IBÊu'6LUng|G=E1~II΢=rkQ:aM뵠Oc)2rR6~}Gatnۿ<,8RT}.;MHSʿ#_dmZ۵(Ҁ$9tNo$Z_%,vRA;Zgb괇x9碝<_rF~4c@aW=q y& b[yD7bﶛZSd odKrF645V9E(Zܛ=~qQߜ":0ڌbkKA;z-rBe65H2rV U.\ i4PhύN}p;yJv)#Ϝ܊Bc{ d6uדtCn sEyT{ϛcRĈSw {ịx0D5 dܲ/=dDʝ%bdIr *G4 8|c\hF`_vFZ}[*DNչNV$o ʲXeW'9% i S|W s/c 0:Pr!t xb>h=J>vv^2J5Kd VImIjL#+:tzb%E[?a:i'!„0nWEU Khbڀd*Y͍U뎻 jqc([3kV9)WZۗUMb+XAIQ r؇ w!\KTR XoԝSs?vއQӖ eaz`xgE*XU>|\@ǣ@=iO~N?nzL>o@_ 4MbQ^X,TĈ`:^4wD8_"4KEo?6dt9s׾K&nA|PƝFItLdhUҶK|h6OOU@[8?@1sY0Q$ԧS 7l}x3u.pAk%}eZjDwғ1=|'#Nu<$|ulG*Mr=:3X q򠬙\[\&ƀ-I-䦱ד )_TNoM%El[G(PmCv، ] fۊ6ΞDٷutsѲ-YJQ߰H+,o&v&m0"Aڄ1ƉHX 4z >{)fNT3.{T-sdB 8 Ol8#ik⧎;j onY{?u񗜒G:|< Lr8u3X'C0@a8!FUNnk9vGv^Pr[MTMԒFV~fI' B*-KIڴ\GR1Nxf!*M4 7m*의ʾၧ;D F*o]Lm49/վYG[=p}aP.8AMA@:C^ 'F)ds͛N7|ZP[c,ߏ_yTn'] ֻ}ubwF*nh[y΀)= `Z!WGezPzގ ew|sYydqmL&Ic{xN'WqaJ_G HNU )FXD#u #" j8zkdIGN!4j)sa鉟 D4"=X^?ę'Pd$@`ۍR1p Ü% Sw§P#F{̅`󧘩F*X2 "u浙lC%NӲ﵅>ӡ+(Mqk@x"uM+dGz$A$݀V?nNdۺܔAGX{1+9$IL"=W*R2n6%d W?akaQ'"#iUlƯvzPţb=?S.7<PEEMhKe+kV'tsV_~m2yek/'A @f04~ ?\IGfl; _Ij6?6w((m@fw\N6,̈́z*8!zPx; ?9xaa@ӊY`? >i.o(m:2PPLIXO~ۺ&6n`_kAöE$=Sͣ+U},R2d)<ѫ‮WW-[5+ JuT4l4p NPI^7;bPi3e2[ 3&? V˝YF_Vֈw 9wuwYw)T"RlՐWјST` g{]%^èkTTS5V^g*af)}AGl^vsàZ ^:b&LG<#dgbFn FXa,wX!ljS\oX‡YM46ҚjTy-2{:ϋR%Ƣ,l!϶yW LΈ8ǕEtIvNӘ5<+Df0+RmL@ݷg`S;2 e*0`j v;iDs-(hP'"{đ{1հ}_o0?T k43c*mA8)oԦ F:rv0K0",Bha+!wg@Ğ`2 y*~yjV%: JqR)bHUrJ "  *^0(l1QK'73رO <nU2jÐfX1ulH4$kQƗQ˥/z)Q%@h3BeMMR$ߏ$ ᕔh< N\]"GS|P > mHAX)B+Ձ;B0dbf3XӒkaތ߭,\wzG,܉%S•.^9Ԝq*= кH( #g#Z.<%x>TYZӾ?"\+YUd7$/1 93_!&"V] >.J.xQ!'@H6[,jg0(Hʃic1G)dRHK^4?z"^\<,4sퟎLS`= 1}.1-ؐߐ^Hbִm٣E-A<gvCxms /*U'EP1A iO" 3{A=RxtԠX1E8a.ꮸJq1ծfHX݆/kLRGLLUZoМP2r0Ng|V`IFJ{`ab~(hԃ-Xdrd D#]cY]O>nEF%G-Gh awwN* cv%݃ ͜)bqiI, y!.x"XIE?b&6dEd]ȩ 驍~Gтl_ik5̗ ҐDYU MGr2R t#msVTEQ}IAV]psCPX 6ΨJ2q"iֱٷYc8@zEY,ݾԨԏ;ݲ~yiuBo$vcVkMJN' ʷ-;lqT %PB+6OJAJܻC~Ɋ}ٵǯ⢠?~Kc@w"T ,Zc:+.吂S}Q뫐>!ԑɍ-@n6 B6n.8z{\A> wZ]Ƈ塏J(Uvz)qľC;urs)րd8Z )p~Z0וքG/p4B//Lu1qsj ɯfOxL]>N!(oyzJe <ٚhp)f7C_J"!M?b9AW y%q3xęF|%|J$3m1[D!Id~BI&h7,)\z>7Pη燍z Θ<:ktӢWY.!f>>VٌŤ d\kjWQ- qs;m4O DO1t{4|F &וJGhDmM!%8&#;Cz|}GnT 9_ԃ,ĴP:9mVsTUδk1'>}E60ƸuD'_ ;|;ݧ~ Eb 3/yPKꖷB::a vʤ! WR!exɇ\uL>Z IL뜍ɎSiW1̒B)_u)qmg1)z ٩FMK|j 3O׻6[cyS'LpxgI3z0+Q~%OeKa_tCù38 \8mC8<˲= 4fmdIBX9[ӔOxʖ@!LcT[YlVKkiސXp\y.qv!| 6)7j7F=j2c#ыB0JyDNGQ1'SZ XxtK%8zfuimbK <{/0+QKw,3װiއ\Pp! `B sdy'J o(% QU: azjkiZOڶbc-懼<`%v&w@N3a̵& l8-_f]=L7$F5)qpYu8펵]!`*czYŮH<(+ܬ NCll4ldpL9FguW! dǮ,No]W)NAr:6Qm縔MDɠceފ |2<Am7ږaaQIU~Ddt#ȼ0zp:=uN,ZD#sWHex񳮕#g6[V쓄 [:~> zlƼ/d4[JJfA:72, QM1rKae%~)֝_*i%XQv?&L)$}W[/X1;u*po)-*Xk;E~xm9vk:o ī0Ǟp L Y޺i $U- * [kT]"! 6뒳_ u ȯ"Nd%gRSS&ҲKE>N?R1/KaD,r[,Zt^ 궈k6W)c%6i"{IZ6i) Pȷ7H*KUbok@b=orcJvd :/; -?fFP :[kTO#eh۲\ZĚ4M]鰃6btXz;?~"z)>!qhվ"$ M$ڰ:eT hDޢX_RZSQYԌ5Z ~:xoQH|(3\:dOb<$JnoSϕd}IT #2a t%qTRPF܈+QV _)Go5p[.}ޜ/34~x+c~4o[I a3Ơ)jviƖXb 89dw1?ex2hZ48q|&j Msl,^F ?cbͻ ~=!k*%- /{xW?7{2?3bi:#,LG>$^CD UJBQH[(ib0_E$Xa!3Xg xIA=2t4@AF"4e[V`i9H'{$\}%B,ay`jVz9^ JC-A|0BZor51kE ~ʻVS"+J$=}IuS#u~pa0^:Fqqe&G*R!XJ/,\cÿGg KI4==ڀsv2@dN͠e),Վn&t z}vX:g=4U:_3 e*Ѷa)ZܛX VG3n@r|?C׾uPEiӞ(%1sȗt3A6ʮi>#V^-`>տCa~b1~]K bߏ6Pm %(]w^v20޼ h}g&ȩ^a硙#y:=N*r ^0A 3-SF;-.*]qڥ),؟FJ6ְ{E |;iH5d I}b<;5 c5vߴ˓"bԀ7t!>IBdz7y?EuϦ"tQ<|7YI$o R5W'w߼{t~yv/J,G|5NXqlfgDoAx)2 ڳgI")l `nwb|c5CTZ/whh_>j4u[M Q< 7.ɕœ^sf"p&Lf*K րx/p+`7c"ipHeԿ_HYƁ6jZ p9{^g4Ear,p#g-, T_sEO @eHDu☧#2(}^ڷD)g kC.lsnKyͯ|O贈䵤/KGmi1Om !&}/|4IʨQcB:rjH}~rw+Ot&`Bg"g&Zsz9@6TqbI?<=RmhjZ$rx` MnupofP`WSM{7-a!>Pl\9i֕k.`&n3O,+<PJo;IcO/D.h,e{P۫i|cdD: ` zrxʀ˻bu70їAZi$ŝNǭV kyYє }B Nݿ{L}5Aɉ-q٠E|{ !% b7k^:.v|=?Oki}v._ pq"XKK+{Pc.uQE"o}k+XQ>,ҙ瘝?q"Yh>)ڳڞ]PiPhn @sMIӜ=]crlZDK߫&U%K$i^p{-O = YqXJRSq-H trv7D".UKJ O Nm+|Ŧ^O_,ٝV%M0CbKeV}FiߴH݌-A IP֞%B5O& "FogtMbC.ئzȣOo&1sF)|zk zy^y=57h4 yv)hQ\PUP_|v$wgi4&B;N +H].oJ̪ٞQi23)XWXc;{3ݫ}{D Rɿ$S`&O 2]w.#E p yd*xCU)L2߮/|=* O-Z]m,4NһT#̂q.b@-2^,K@>mkqrz>Ѝ3Q7 jH*۹\;/l8cJ(~^.,6˾Wڹ7ũj:@"7J)Ѯpt{tvQaZ{}&גqLl dxֆ6itj)2̂&$TLsysY.B71! TD$4)³gVVybcDyO2MXڑˆqG&] $Ӝ;CXCAw ƪp\z/;RL -R)e7E(&z[C{ e]h3[zp,7 ex>>-wo>Qq,8 T'GPtwZ[&%\tl,Gob\bUJo!L|UkꍹeRG=QiD1Y8C+ђi^6…ܳS ]'vHzDT rs˚M5VIabl`4Iʧg,OKаkw _Y0$S놞>&?zS3=|%IVD.DrìհQEp_̑ ~e~V<LV_? ҐJ"HFbEK\lY|(φ3f9^jHst)c#"J92#@Ax7^~=Ϩ~YA{sUl}n}Us^SӦ+!3W O_o>'^h@KrkpVfD@Rݫ69xϥ_,{l EKq)aPݴmx4uŸxl`Onsٿ׷<dMM 6/f/ Ag%͊㼅^taӣYu2M9Uctes>)C;G\MjhMyJ4P'̇Z ;L,QԪMva9s dW@Y[H2a e y 5|r7Mr>ǣ-Xz2*|s7'!za6ӣr2}BnyDP֠&TOg;-Z$-=i*)zˀmmh,w$( (vfD.XsNjQ0ꟈcq\Џ>@o՚~Fi<XBVԂ;W63n؍YTpA)9t6'jvHќX}mI:iRуsWpNȟ.ti; 4w Ň0v1K@9>OVy}C+˃aEeC^ɉ*ղ W e1ᎺpJ `1,4؉j2y/5whxIw_k.g+ Pvjem˹>662K nQ=kg'UƦ (!;n,xgƢ?PEkaU SZEʗ]& ߘ}kઝǧ:">p*ivaM,E>b{B-$t&P-+<: D/U֯$-ŞDHJ%<ȥVoqbVPr `L + tr~҅NdPdfʧ*7z!p 28Yd _M/Y%e#g#HNE}p6.Ǻi! 9Ds ~" +F774C;PvRLPG㜰!\W"hFέ1U6)7oYX0R}1S#x>cs#hP M=E+4`翁s_Z<6[|!U 4Quyt}ȍipj5ñ}N:/? BZer'M(^N <7ؔv F+dB):y':!lOH 0,%W"޴5\\60Є ݷ'3\f *rr`` ( Qzzu*W55[=x_5c Q>̼\m7\ 0"߉\^SqfrQal+frN23Wwn(MѺ&4ذ=2i~a:)~&r /QQ(6~cEv >_lO 8Uұ '8}Ra ~63h KS'=^goPu_ǛKp*ͷe"FwVpC< dE<'ٙkL)_"$yHb^ǴS[np-rk~ք3w3q.a18xIz$8YJˑDZ>a+A(ӃM=B$7 1e@W^p:̗{ętX-9a%"2Ҿ AmXitkrt`k'/5ڥ_wi' :TrOu Ox1d3.jcm bo_ pDfh呅@*/Ǧ[+?~,U{੢2 ],ReNkB蘒Dۅ~ hd0RrrC*=Up5rN.Ի zoX;D]EiBaG4(|}̋ C:n8yxCi ʴ61#(+9$OQE&WIMDzsEkC S=W8N;wo۵*?!G px[:v˨)堑+Z 9}, Nįq$xu.'p.9 (p0V1q7͜,=? c@j^FPo"'qxZj/#F,`U&ߓрubD:XuogiyE?>؄è*g,\4Ac>=C ʶnq*@3WK_l<ſlImO6$]!2QU`JVh8D~!+IoVJv@c`t6@'PQ=NT,i)Tk$%_ r>K }>,Ȳɯw\m:n(wZWET~\;4{]Udq_F,N0)>&͚bE&ڱm{l]˳IH灢CwHtY ?|-Tn|4L#G=[huÉtwu0JRM]ذN2+5kpux~gk WP6%i9;&FgE[߮[2M`c/]d>prx^HPѪ"/b[[e AϸW( N>Oj5M-)wFӽt]H r.7KmuJ4_,9eN=ƎѲl"_czkZ PU1*Nxg%vq蕃_A놽iCZz_Vu'\3&+6y J7 ]F#O yg" S0-Az * &2p^*7h\}#虺E9/dUsGDV~(ܜOOI`15Ȓ~RTGq9"SgOU^a]Ym0k5O_[$t60(a $ƚ  j9k|ID&3UH wѢG ϒ]éCfF\^Cۉ *Ű@NMimzG}m{&OCGvdF(#8Br}ۤR$- :agTGRM1 RW:cGGJWS0_e::A7w$z͈"\ - ռG ST'^r)ZԴ;5ՏR݋1;j,9ay)!"G>ctD*q1%+ AV7vmۇ9|V:7|oA-Bn3g?v,FtkGMJ۝Q1`őE '뎩]rx k?6}'?0`+Dfzi/Y()oEuV1MJKG~n=*&ՙWiOlJ/e\DYLSΗ#kW2$E$l. "-df F*a"4Y3(%Ҕ2~jN$?M-**"#B2gc*':~ɴ[d8k(Ptel h.6LVǎhì(/9z>-6WHxm1"~SGUf:}a1H. $єF~#/:T9O$|1J~f#Mzqn{E6$lBEqȔ 1N8A8K(#mo*:Jd״Ճ^5"kckǹrD'wn?(R'<2mϸjܴ~md>a[k٭dHgٱ3ڤm=竡~b >]A zU׍]Ӽ _~IUr>s{-\La=q-ʜj(=w| d Z3!Fq]`[VqD~ PY(,֮wH@Z22͢v+HX{n iUQCta(TFt(Gf>D3!-)ͯ$bLږH\xHӟͳUc$4/1س"1EĉD`Auv#Jp?ӏE?Pyq0YeE^ _9w ɴ*A2nulGX'ngQ[K?OW1ش϶+Srd4$#y,ވCDq꼭y(8s9f8tדb?9MrPo|OX%t2 Vs) G 9ƞԈsviAsy-vpKV:~W)=_P?UcȉY=|m$u/fQ2荏 9C/\ź4V75>ın7+H!u1S{F@,SCwh#Ç1 5Zf.Mo }Lym1wXR) 8׷(~ڝ+/8fuP԰r  =rU?3)쑬/z ۼ_$[D ea޻<63MԺ<·{'҆l4<$ וԜ:qpq|Fn~4%&u\ zxb;#9S?j*іr\h@[u_@9&JxzglTfz1xWr=9`b|[^~F[(犇|(! 13e_)&v5XrGwdK]n? ci5~tez7 -“ !qKL*ɖ>p&W.b5EZP3Ue% mNKЂFߝ,'=TU_™DxJdW>bZ~LՎ&+->Ak`4D. s=s΂&W`s.H]wgV幣^ƐuP{(>09e48_S \$Q-<2.u'$iR̓]qyw~WCJ3cuBl{iu *҈%UhN^NBWuX/nJIsf# ya^@VGP.:r4cSA$oLҤ:o[O鿍2~rUχC9'7F )(TEV޻X5 q:F^DosZ+rʳ%)w즹^I|ڨT\L;BWs;o0ˌX^W:M@5IS017al.~g|Ȇ%'L\x݇}c/!iWHfUv|n-STø zVź z~13-d!4*^8#" WNc 곡3* !08lf4Z]}>dpJ/!oS$] yARc\`kT ]j=Jڟ&}y 8t)ܒQm|dt,&#i$QFf ,]4ٲiXx@4Je5ewgPeTs]‘r?F9[0!6sP|MmSݫcMQyAI@;cP**,}@vrQ"S6BhZXؠB +' uW2I<πGIT-*JBa%J>֒~;Kdn]ݼ%*(SV\:rC i_sTqHzQ0+'SvNeMѡ6Hn{ڇ9FP6-e_C%ɪM{1 a(-|g/NBhNeAf.\wNnA&Xnj\Z GItשs\LHrZ /Zr"9V2BB{P0Lڒ%k|)w'aF5v{2{ML5BSZQ$rƐf<J`;!aʑI5ICq*)R$ #eT 7Y+>"m6d(>w*Xm4n7lGm0-1RdAum2G-wHpW76ExYyq@]cYVaB8~PdĔa/Blj9%x۷!/N{At/$r8ZM:!VPɺT=sт&Q!i<fOA| E3`u}{aQ_{%oSٯiuɋ n#?0tJf+ (>?ںYE Q 0fev-{n74פv#n6?m,5ɗc>JLW i4I:ArJp XI)/IZ@H&ա %8;dHNe>pPTc 6w/xڋBWjĭ_GK߅>U ̩ê;2ڥdZSwq9֣>~ʒn ޻ߩlXi%С߳$+P@ pU_2 XB.oYGyRSS-$83I}یtγBwɹf^dpK&՘[H_mPaA*:u(-%-;zTف$mcXO&+=O6@="gvLb޹trmd ?rIcKv%Ryj-דQXkq{OFQG_&řÆ{4\'R|8!wf˼h:þo\V;;*Cs=:5.b:wۿJQ8K1h[/<]of-z3[۲2|QSNO f| _nUt^*,1 ,ܕW%Tl8H@ceg-Y/Kՙ[R5V yEe`*}lb*Ie5ˆe%!Gy&Qq?Tteltm˝zTo<qQ֠G(,lݮ/bGl܃K1{¡~ :-KVȅ ?;^$$טQ_љ(~89>7ܞ@b٧`.U;}cZ4+ ĶƉ(DO7J=#LҎ5$Iן/pM}ulZ?6x[HE IyC_{CĪpSψ+BgqiAԒb%;8[ b1^;f@sE@r: xW">^qRPL18,o`F|w)=x-60x9YcX~@XZvU]2/7a*Hl%q 0dRW.t&x:(h-ZfzpصJߥ8r ]>r8j̅[y:C˵?kD( gpq/8bN"@0ΙBl(5a,I^ 7G(g Mx~A4 GD7' ˬEqZ2k  'UOJl#ylVIig&>90ӅI.;(N b&˜9% Y^oA_6$ctMg (LXۣZ]z/-!1Y6ԶDcvE+Jte\jU$_]pQߥd4; ՙ2\ Ah(*X}ICr;C9Gn&P<LNxsJY}qtGd+ac.4U2L?, h,ZZp]3yɹb_lrT ڳF˦n!U%R,Fg-bHkeik-(@<2_2ylM!2A[MXIQOHlvmbGPƚ^t ~bӎUިXp@9\dU=\S))a".D(l/@\`~2]1e+w:#a{ ?Ya=vs͚×>ҋ Q{kFk~OT8J/;/8SeD ! =(67h>t|,KFP2s_PY:9\!49&PHvPHGaSݒ[l=>mm i tz?x-4^oly~7Bj읩fuιot "'V"P:{tQ( 0Wt[^{\"ШV`ZJ0/]YRMNL"}f0LcD2& W: ^6>]P*(jW) C^[/H%j`(6c2Yzng.,IkUJaBSA#k F ea>@?Qۡs\a331U1яVG{a QGqm>#gM1Z"n#OgVMPC[(+6Z $NϕwfoڣpO,j`mހCl3\J<,kh`Ӆ+G"6jWh֥0^ &Ou7& qcY{|)\Ōz#+_\.mmbІ%UZsooaxШi^o23ۿeu@s~ Bt7N yHWTτ>I7 O$lMn^w ٳ 9پM5#ۋs*X1מ -D2W8~߬J,.1v.Lu0@/sOUԕ)Cc5G Z*08 Its\V$a{a.c]]htݖM vjiF0#aW3TQԼgtuʧ+Dɧ+UOX8b^/uiaX[~ȅ+Y3Ƒ w8"%].pKuVE-z֡9|0Vut|>}vb1daATC| \@F$P4+UÐ0潚17rT3; KaO9B_a]tt4˲ӰԛV\aWkI$b;MWƢ c9C=m2pvM:x(|k?p)epgQ J82pu8̂~0[b!{s:( $Gi?9z{IhQ<) I wO)ϲ: `*߅Sl/K?`օ|S:s6ஷ'#=22>=<͡*!V$٦Ӑ*]8~r,5Jpn r#g:bhMD{RS; w@F,!6NJ6*neӜ;Pi˭ZL8Vd@Kg"B;pYWMp%O d b^ڂVuM4Bf5e@#^k y+ߖ<+a.K>{Dg[S7m;fys%[&B6koI k<hLPu+'cG'SOiϙ!-}ٕA/:[C_nʼn3>Y~$rҸ1`/ Dr@6ر^QKVK^,tJ<;0uèN1T+dg.z QB5A:UG{"?~BxOg y 0o@'L,w(%Lc~=i5 {_ 糈J*]!L]-PCI̊]rB뵦9hܓv,/yQu;[ƃ͂,GX_2K|[ +J,9QLȼphRb@Ix ,™Nʅp '܅j`- Gd8PiU^E J]57͎k+v3x"ly+@zCk咵KJ0"LRjejOiCFWR}9ߌ@ OuAkSq(gYϩQ 8:@!SQ8ma n%O"i}:U9P@"?иrs^a-yLJk*G F7ꔩԹƎR֣^p3lFJr=}w~/e9N(DMua.ugm*nʀrќFyOI՝>0Y6B&`F"֥& "vG=*vFT<8_txlϻN35ēU U>/4W&:pKȡ>Ϙl_3+,A[aů:%"4Ws'2]T\'*4uݯRZwĬd4XgYgD O${hs^ [BXzOmׯ2cʖLr,9%sN!*E45Ç'Q"cAKK-j3"2 #1Hp" w ։& 7c_^om'~ftY❒̓[vōr~X"N(oOhJ1mYHIVw/K([H-, >J~Hwbҹzb@́`܊/H7NZI H]dũc$pԉ"m-5@:H{E20BuUh/@Jɱ%--#9$KCwnA='#-[*S׬pIEKrð V.9y7nH4WpaBHwΆ/ ֊?C5pYdB2;ґ q*s(R0Ynxa"61.?z/ umGl؃7 .e6K>ШpyYpCL :+EW| _r#$5|^p#ToFF|`;.ܤp\,3ys>enXͳǯ+*W-_gHHER*\ "+kImK֬jXxD%0p⤼u jr Owxxzm_4{;nT/%# @y>a&qʦ ,b<'UZ7Bͽ=95ĝDׁH;+M"ê~c-cpG CiĤAGuXew. QLB>oM5#mit"U#\oZBa@^]+W1d&,>Ϟ4ߧc0?^&9H6z*K;ݓ(7 縩rѠV Wqޭvؕ/31[3ַϢu Q0;0P[^XDg1?>9SLcR`#څyu^к&7}"U!ZƧlTIeR½Į xǺ hp3_GPp l=(u.d+7^r,]o^ϕRqj-p ӪUJ(OeWJl. .'/Ey8]ϓ(`8TaYz_:ds)?'Z1u+`7 ެ_U[x-+/4_E c5צP.2n=A~)rdƭlIp9G1P@l&F03֡Wցb>I1{L*l(2w 6w{fheH 0PkVp{\8bQ5^`ȇ$77r49?|@RqmﹽTb\O;[By 3sT<Mnvzrk Z(lܕ4bP8|2L60:Osm4!mWf?|gI׵s;+&} 3 p@& /v.:TRGP=TƓ+T;-AJ:\,ɐ9 ioܞ%нiw%A /%زih@`~Mb2-6Մl[uaIOHMc ־;lGe;O2B-&qKBI\Mru*7Yڴ6ۇ(e@2$yͪ:?+8c(X&QYIS!; Њ_1ΤrsJީ9G1Ol`]BQ~Xxkeg\.-bU$|g LMoGd g`7% a"*OD#;jcTI&\ C-Eʿ +.OZ58.ɄpGo [{ $ZI:Uk07񮱒;G8wj6 }g\.8O)<@XbAn#ov UFi߁)i]%IJ*LeNRZ\”! k9y Fr*dF?^Sa ꄀN9a BO&'VVf@O3*HTlnΔjJ6\WA[c%!ڗʞv.1.|ftUrɈ8KvCZ5T.4 j<G90O]{/9OMn vJzƄ9I$Öj#ƐeX+i? d-F̤5%f,1~&6In{wǞ/Ҵ)T L1v% S]ILm g (/bpIcQz'Gs;- E{ k|O1KѰr8 we o9g'@PHGpŵ A2@Z)KBcO]S-~՜%ij`ln1餓m5%b5xӵ3>-:1VFhZgXmbT) ! fDl^uC_  x_ B)׎NTxr >*>|퐧Smu6҈O`sSI%D(u!Əq5Z"WJYHP/_V喀xj*\jUjɁ5'0re @tU[|1wu]}tRSZۡ h(*)<)  &,4hQ62OrD?뀺H - AT+ݏҶ*HrJ]TT Bz :EUM{'+#9jw-0)va$3%gˣ+р @o@TS{QgwQ;7K!7W=p-ar0ZePo UD (c*@N4B/BU:FrOn| b'exQ-{؀2U/5%Y6Ҹr6t._(VvMq32=t:Cλ2ENhdRZFJ҄_=m4K>ߑu+3r(23CsBCi8loudžF !ku(.,(ZW6 yxxWJ(L\$paFŀ 1d960kl.+8{ &rϛ] ? Bc[2cq'*f. ћe$ЗۓɠL7n=dL=7\ A.܇zZ7zZo!_vf=0d09TaiAdIYb (hE#_{B-$b0 ')X8}=c_^RPF =Oc;r[$YFQ2 G\],=N:K_3h{3ٝ焓OA4Y);5=g֏goP'tKue:7UL}23j34Q[{?N](5Lv2!P ֍i|4|;hn+YnM6h}Գ˓\nA׆aNV&~tnRt=6$-rݙjnoQE{VM28b!ɝm/+0+^ kT-2![skV,C}so\ no6,Ϛ߄D߁jBSšڠѩtn*O"s)]Y-h7ݕ9DgTĩM7 Fq*aQdqǽnƋA_Y+nNRn vGL=Fd.=4aڰ $#K{O;3Linco-M'hƋSjǗCef=8GRK\SߟНM)aqhӑ4m4uz%| ILUn OJ3WN{7.ْx۴fMbV}PPčqC9Q*\NvQ>!@54JIcKv"?Ns֯%zOwJ6ݳsRZAWh->1`ٳd*,`55@S$9gO~NH0>ӥ^4<' h'#ϐ0|1˯*q t~\0L&/6Ilf6VwMAUo-顠[SB-WA#1̩K4;"QyE#!CG|!>э\s*tYxnM67&_+ KZ'<\F=LڝRȖ_k@|u<`+IP egKP+R"jf DŽYkj M+Q3:6謗jUnF8RMΜk&n|tTG?3.AlNvnvFIc({UK>FAV_@Y_W#4= e+xߑ[$&!E޾ ԉ9"11iJ$0f KWR#|ӎ:zL3Ǻ„$@ 3ꏑnp.43dq7O4bWզ'"Bõw>3AveO6x]gIi4;7dCZ0o m$ HkX9(vIqٛj&9BqxqZI6sL_u rW|.P'"G'wp7+NNQO?[c#=oM^ kfAi=];> oby1^0 &|kd+ ZL䛰kc^|M<'E+VuC3ݡ=mM+6qmFײ ",rs6^KiVtBl {M ƑUorI0ţ>,P$s uiZ\qx 3c;ssia&{nO Lza=PeVxVm*]場)\ D0mMy^Sy4oof@2Reܚ9P]~&Ӟߞ8AP[9y E9 ƅs+4'YeHχ3I OB=~8b0TH句.'ywhn2*OBPgv\=4*-k6JF2ӻ oEL^&Ftt< Df~ܦJE1 7kxy2'TQB#.3XS Ab]Zp}8G{U* .!pP&`|q{w:@!ߤXO姷8zE&1pO>XZX9 Odt(r5.T^h-CjUdX] mD9v/-sm0F[NSE@ S׵)8k7^QhOjsfe B\lrn k1z+mL(G>9?Ʊ1sB9=4mޅD e[}Iɒ@GTX> -FN$%+湼_@UB|4,IyXgk 4EE\W1 #KgpcW}uz:0/")Od]ܐ2E׺{I$*D",q=LJ>55J`$DOndi@vVVwB"AX[C_j2GNyq fx{b*BӇf?';mZ U ![Go r! SZ=eZ˃F$ W} Il5ʡ510Q6qդ5Mê._ )[zů-'+P‰ ~!ˉGIoVd\aN,".,h!,, 9SV~h͸9rܬVB%ZIV)#fSui.e{0yhٛ<q"y5&4E yQM L ꏒזiTW'5R`ÇPcQ0Jhkk=DP5b|s` _;w0 1i3A̮h0vZ<ݝ%Ex'3`-_c)P7# g- AkPX-z͉ROCTn11z(3R_[*N$+,R雠ZUK4k;Ӈ~ɦG<((b{ʼnTS{1Ek9C(t4RXC}\2ѮH΁kv@mB/B0N#_~(昴J44=M$DWcWa2xdH\-=,1-ذr ;ȟ)J"ЉqǓ+}R'uBFzsW b )(VшV%1>}3(o + B񫬺_+t<#|(z>Rv<496c5n˔sv) Pj9O:4K;ܗSҪ.=oE; .j' 4nL@>b=4h<yt̡wۍIlt#>Ec5XTe[UB{J|g|~Bum'=mHNKz<_!ʙh͔0Ggc>JIs i"YMpqRXv?9D Ps{gpHmõzs/Aau-lX [ҴsPƞPRĬޠ[#يu:!>ZQ*?~5n|r 6#Q:N *OzJ7-ve3}ʱΖ-ۑzh{Ń_\@kY)b_WtDvbRk AUuKoCλߖ&Șfgwx;T顉ld'7,"yS]hZG j,[$moW]";ZiJzVy7?'dMgDV-:`]|?a*^ƛ1kS<8 @^>zl# > x_rAvYĺldB1o@Hk!`MYVSup,hxXE 2h<:r[[ <_=*k?`_|:eB6`bFM|!=gHH;b<*8 #dRz`v"ze$X#zUH[dY )55a͢I6 -H^ׇOҤ9['WI:th4]ܭ̤cI@QYues>9Z1TIu³QsAp9ohn8= * jWv}&2#Ȁ:^ʊ!3Jdj(wk mduZ^MJE6J BIa8TAQ.r-t'z[ U(r0V7*`TUIB p-$"-Io:e&<K Q4!n/(QG<4{&5+D0饱u1y)EUE+PXٍ1VEҀt8'M`M5j|пŴ:`/7HOIwf'qd0v[TZ5 dmq`ƌkD (A:?P1Gg {FHBnxvlV]VK#mM}čx+cLbX;nt؈;j<{$ &ZFω@/#:K~@\6GEWEaq[ct|XvB2 D>FiPREaEcX(Ido-T?cˤfw 6ަ PUWb#ȴ)cC@DH֒ꚚpQfIL%x,Hh0A's (}:/9&/h]I1 %3c'TLzٮe*L)}bI_9hƞB ;vΧcf݂/O)촥L0 Ԙr_qt^CX\:MTӾfG݃5 UN9R5.ЬX[a'?KS|x03:'"ݟr͋!B&׷E38'qg%l}+*z0 \dqZq 3ٙ,Ұ;\c i,v,(#sNW)f'Ar(A8:A?{v; 'L8 =cMPqhsT."BMё.{ӰFiW0v4⪧[[?m $[Xm]}t J^@KgDapɴC NգǞ0;Mmb2kH+p-kOIJ(w XD M.ERzoAZzt؏V[uPH5Ji(>%"{Ze4 'C٩:QSr _~A&Dy2rڎ=$]WQ!|PM̞Y^WVMkX6ԛn'k\3(LxKǰ'iE bt'[B,ɲR"oِ[*Ʀla/>ޥ4 ?$`_4ak+ (: ,@i0_>e7Ip{q M#-/-Q(76k#1ٞmr"`6@S,v}g0O&RrbdmcN&s_y1x<}$}-l '>Tקּ'#H;}PA$~'"d*) P98hjւ%Y,o r=뒞`WRp#҄[Ͷ}ɣPya盔0 _O-`9϶!H 1E!Wќf ˡ[F"^t++D;of oN'2ƉZɉ~ 74dTO{P^Cet;4ьEY&:.;2$eLpP5mM RN`('yI\ @ǢQ2qű.h0=+lS8[\ i(Byl8ihZtdjmz%F~~7upE#'=nK-"S9iG3ެ! $ÇQ0FW1}Ẃyu{!{Q`uD^:}"N"$y3;.X3yxCfKLÒwX-ƃ"UEoBM-բzhS :Ԁ%Lޕ]^^B!v%BKlX2=u[)zӢs z]lYƢ\- 1.X%qe;KDlyU@+g^xOag'ڷ\qa㗿iZQ'|{\T0]$ZDwղ pmJ&{ xB [Fp7>1<ǷLٱEa+ aM zLo^Z"Bl,2i0~t?D5*/Q=7uί^Q迋x^v gw(\>PXOFv(pi읽Qw\]#84.ˣ4uNWJ]Q쭰6j'%μlsy\f&?T:DEEm%vvG_q]]x*ɱI3@X^AoKl#CfUJtķ3%P{`Quъw-}H3j0bgDZuT ={%, ~Õ5݋ O~ROF̏(rTy\B@/Sm׳^jƢs¯`YaE;77TνNģJ]*dX+Đ7j]nk᮳E ̈RpjT,>71op l)][ IB4g _&K[y[wNuFu>1yEC=Gq,V:z4 =_$0^4HA&1F4d F-}vd4o#ܰy:A'Vs.B^}tN'¢aغ,0OݔR|/.Qb|rɤ`K[ҧӿ,&'n/,A*0Q*`M QO `d25fVRwT".̭^'wmX{׌QA#܄Hc"tcͶS֦6c9ոJJϱW`F!(,t-E/մў-{âeGU?j:#&4kYEpSdXYUQڰ?1f4%+\B)BUMa|O؀\/C$ >>dž\IbNY u)Y_[~cKe!1QtR4dILQUtʱgJY wqd7ab*I /f7,]IblSгA]Z줧t޸P=~#pix\,'Xejj#ɞws6~+aEߙIШ kчdCm-sD]G=Yq޺|IFzq>zX-nKl #wӕg-h%;NW]C2: *&2xa!]%$2}'mj,Fzw3;ZfI12s7їl,ݼQo46+TxF.C{Ĩ}F\'L)[^6h?%fEuu_,4ȵ)`nMH!ks 9cVm,x+4H:&ˮ$]3n43rزW:>=q#ɡr򯔗̮~+K.~B{g,u5  #-M.lScBr$B1'j" lA"52XЩ|Ϡ$ә7ܳ!\Os!DtؾL61x: a3 _'vAB),Ŧ-peO#?jgM΃Ap(㟬:Kf]YWR-A!˳MGSÛ5z:ƚ z|3U`$Z"qqm-A,QvW. S)jz0wb%S#ֿȸTMp_Kqt!pCBRF;ioiRȨ(if`Tr2) 7^_i-MFEeUSi͒hcZ^ [JKH.f rU֡(a41S09tjaR 2yN5|O1 i$o/ "03^i'^ FC:áǞ"c/GEX)KؽEVdxAۢ(J

fE9Ӌg <nU*^%2T78F ^~]uͶ,*J{o}s][:ꖁO<.&X5,bCp>݇6DR>Se &X[΀%wOz0ɫIqO^qm%\f' fJMLgE!F&! _s%ln~X^dn+rʿQ8ۣJ$ˈYx1U:xyO:ӟ' @vqJEe`e~Z=WZ]1R|_SwrfZk~J[8[#*͓8˫LR2hbK׷MϔxktBK b!aͲ{X&ټ¡wϸ,dR_wi8ՅCyӉ>b~C-)25CzIKדd'jusf}uΈ8ft& *!¼hA7ȏJ >tKwNc}*i$Rۑt^jkscG0)b5Xy47wwUNI3mw۴>#}=KO?[N5H8$*殏`d?^֡1)7p!-ye*1f8UE!1Su #yY*#mvGQ6׻sUǬ Z#}2JdٵY 3":NŞ}D8+AtUl翥XpIS4y9|񖜟fdj\Q ズЪUՃ!CC' }g(dFSS;4nWoɗUkһ#@Z{/&̷‰qyRO՜U#h} )^%p@@,=ZNMEI]ڵb"8Rip[zPGhoĿeؠp(yD(AJ`tb[cyd+% vu>^hDQ,yK)<dzPWԔw$=i ƒSfG2PQzߌ]y2Τ/48KI9ø#@MKN8m>tæBr4.;;wXMςe. |&Zf;L8p6$IaI5d8џ _|+,ŕ}-Oc-WuA!>hg ܮ2Qd-Ƶ0'A/ 'u襱+A}&] #dJSOޫ;3b;Vȍ\k1~k{4ECu2 ˎB,%%,PZo>JM:c?bAj̑D\4vr0cQ';<UQViqn]U991\Jx*ފΏ{Sȸp^‰}+4/VH٨F¨N23Vt lDM}QB(o0(DM#gcvd?t_%]|X{M?/xÔwxi~. ]P!K> ;1ȪD *?25> 5 UdD, +qEzJ>ε irR\B[ރqN:ܕܧs2N퉃 e 7TY 7Z\uEw8qmx.&)CCw0,,tŖ*DEEiZά[U kbk r[YSCV{r_{+Aub<ھHpQ-+g Ghٓ/)rTu5#F*ȏ8N.; 潊D2\pQx DQ[1&,9> & 4XHN@U-Egk5hTIyęvzjTxDjT)(ÃNlzˠ286`dϴPg/sn'٬Yq> wY32 i>~j8&Ā3>~/=".!7rbx!Ҿ7_5b=agً( (Qd YQ FK $i %>Aǚ_/eXBEX\K{]z$FuB  ~RWT*śke8y*>nM,g,D6>7ђ7V|/ 5|I:C~B . :C.k<ݹqm ~0HKSh7FGX3pNP@ũv 9s|50;Z."x`LN]+{yVZ 4jmrHJ"ױɯ<э3~b[U-= 兩:atZ`rí۞xH5ݏ:T:ݳ#_LPvj`jƎHjS.0͙xA؋]btǘ%9Tfly,oN,ⷽo h M^s~V */s N.,3{h :* &ZZXRX]pU5 GΉ#˪fHZ&0XhjvEr-De'J4ZZ=*k_#k@r{v@ja-^Ll|ŪCk0@(و]" HYV*+B ~ip E/N0Dy#&Gvq$b$IGlϕ~%=h|7F%xR.hoG˷AMfE-J\=R HX}?` NCgZ%|ƝsAfis^"K&BU _@v [q(SVqhP( JLjX 3ȅ? },sA+gڎ(=̵41l LI!q7XZ/(u.Ó7ģQ&k`i M66MnreV@[յ`ߝLR쑄S fjHЮtZ1w^F7Df0TD(?'& X}nOC-K:3{ 6r T낑|۞?܁nB [ GZ!%F\ {#'aN\uK'J{_GZzm InWA WOA A/234w6v/XVܶGy]X\Z[ GF!ɀj񰏰)/ιH )=2Zz6 c-(+ČWvGtxlhG` !S3co7]ba=D }h4LCA0}OO,OhkbL}} ؆gnzDaׯ.T&緊S_H?A%?+6w֬'0Y :K˗8(:ś9nAr0k[VV/?(Ke펼='l޷sͧ5r|(ݶpu2Lsq;E!5ÙJ@諴Pyw7ʻ)K;xʟYkN}# d1bBt]͹)ġɊٟiTzuHOU+t,ERp8w{ si$}} ;(+fgb/Dc2IgԫѸ{s*M#4Xhy0 49 ߋDIq8R^j~ A?oB P,t- eKW)2C[Gh{D{$5uw59zW98*nD2p:Q!GL*%w6 Z׼Ib6[sl2c=9'ʃe˸.]MU!ٴȈ09*2Ӻmj%W0w{ټP3K@+Ky$?Fۢ}kJUBF8 ֓ev#i_wϕ^7 G3yjHStċk*Brcd=l2s;k oވ+k&̵{#!Ee{m$+{(z(ı?&kDe(0d Gv|9.P}2m zgSO5<ُ RB^Z*Ulm<)n \.\.Ō^ 50$,*1-ԑ+CZ(l[a.#8oҬNiͧ<a2~T4J8x0*xqM_ G )I\Gd&;de{w8XA8XՉdmV8>L}.ydLn8[}B>^w0(n~]cDHyd**;Ш!i6%gW9ri:́(rg=Tis&^T1~38?؇z,1 F3!P\J0|^B*/GTX&tGʥ pmsֈ$'d翳s˵_/mLcNtwЏ1/) ؐ_oUUllOTvQ fmy k>&H%-nwIE-OD/| &龩Q;g5e`F[^$F!d?`m.9#do݌h^"0 U4R#/w Bvxw +JEswfGdt>y'0pC;oU4 {h̎J2[ڃIVd3 %cf4ۓШ^7JOp\zZYew2K3o2,\B,<^F nit@ 9U=!I(=Y@wj.$s]ھgJ~덅3wԶ;An8זM=KJEX3w|"e/ ]ęލY>MsّڥٴBa@N3_S-FAeer:iݛI 6C.G,y;HB:Zԙ#h[O]]YMR .uD$ 4y€P( %w3l闶1FvO"/ߔX# |\7yq7~qIĸ(ī ?=J1Ħ\*lH*Y^PVwRv83k2DlE 8)9xXԟf@~H1a0R(#]acKLêMOUNůf ӼͥwA .YV/*.ڢ_v7˷>w4w+_hV cJ@.5 䉷5$+k,bi=w=&=K;}E}㷆Se[z=I4 ȞF,+Yg=b$7F)Eo} oؖ,Ski@&(d=p{ØE JyVBI!m>y03BɁgAJ%Řx m,b"B;J B8Žbx%.*~[<ͱ,DgHu)TC;V6܆VmvfTOѷa~ߜU.+Fu,Cޔ;W_J=h':s P厢GV̇wDH=m &NZ (΁$^#d\DRE.1m*'h&)*kd WхTޱBέfHRhu}4H*ThՋ i0-^z ۖCN>W~#co#U96T>:u#*B^?fgD2 ?m-M<-xsaU|^Ӧ׃*F4yZ̎Nʅx -&~<*|am2k AH͂&zɵ" ݎ&`Ypfl~zu7ZK*.@N֎ Z4+Q/&Wi3\O:Cq]ǭtD rojNf-oݟwdp‘8M=S0D]jM)QV1i@2&f2;V*8qcxaS҂Flt0Z , e6ei^:M=MRy Zqf{@KEm2hp8:w^E]QHi[~[.WpO?դ8;9Ey?\`2,# l+˧-8&,k8A_Y+9pZ1}EѬoASFIWIlAďRZkaGRBX]K]q*iqWܦ=rȚȒwK.=wf{L$̥/[V&Ωޯ :}ʱxSK&8Sj_j]_?LF]NNbauۤ{$:.Q*<A}C؞oYG?BiҐr-SLk W(a35n@vx@_h1`E2%fpߴf ~(SCfBk٠q/Dօ7Ok|3b4flZ/%٫&y;s-IacfV?P_уd"J>cPvq:$gVpdD#3af 8()3)촦 ˭Kަq M~-՞1*XBHYގ')L񦺜 &4PA vאj߯lr \$! -Cn8\׿xF`qf2{[MDODƯ*r783[K{"S]ex6ieŻ׆1$ahed{ o\5:x>sm0œ6uJ!*CsCD,$XY6fv4ؠ$ŕSz6F >UM ,Q<2xZ<-?3co X&4BMO6cU~.wF 6C 4ʳY!%b7G"gV{M,-?-r8C2O.0ulh3;Ʒ6&v@amED}.4ƁIHaaؑV(xvu Իyߏa&=$?y6Ҧp+8v17~V>=j?ٯ?IB}Q2{pYRk@:k 0zF{rk+$HDOK/3RFO;r@yz{SOOUZfHHcCr!A`yC|,PcWf#' 8ݝvW6ucUk-6$cpB-tK)(?IJ2jTQW0 4_ѰTq+u?,u8\4"QfkF[g4*| Q l[&)0I3x\寂1 >J$-f)g$pK+B~,l$^ś1i55r\F+*a$R)%2h}7hŒrN2&u^Zv!0& 4?Ric8FY!]3({Lg.y%}Cv'aTd%Yʻ! |gd|LnYa u,Hwǃ9(5xޜ/>EHTɣ{KWq3!0p:<3vqn vdm5PYD<#BPb0_*[XM4wf8%+[\|}h-v2MW3ķ9.u?3nMʧ"fl̾e"+"j}UcQQeLVV?WصϽ#<4ԪsM1 $bƒI607%D6kUk@h"T08 X?vsQXHh(>kݧjU}tGLSL"manAsMʸ3-[Y$IJjh!\S k[bv*cɬK3$Q6͘Yf hs8ģZ'|b]zT^u؀ Pak}F7Čk''yJ3G0\XlbhlLjd)Iv:/2M=8F-?Ce+ qڼ,!0GLg8w:(?u@DB!B|9%̺uoHN>YZ5~}vCH|+ΆT34>P߁;|T)ZZo=pxu 1%^%;Z`EEZo&,9ziPsGbh 2l?@B-6y$O(vo~\ĠԷ9U)L~[LI^۹!IJ}cUIA˝FB@0xkUJuNe"\(|្$Sk tR];ZwTfK@;wAxY*:~T/9 칶_2fu5Il9Fe70in}k wYGfX8m$nSO'~#uvF4?@hmmQm4K;bS#8Ō枃!p GmS_ݾH4'!;1oሿkw,hQ;WT)~>А$[2oL7*3*25]8E[%H fۋz"pBN! pަz; yPnu`rfD'b1|EDnM-u(2(Ceiz3;'mcRCW z=GrV寧,3ԁy ]v%r6-A*:k.3~G*6qg?*v:BkɊh/:e[h5cDnNܣjJD*qy d cfRz_-TI7/t(..g|;j!#] OU<_!=}MfYB 8]\)Za2̞)#(p?[$r9JP im/AJN>%9l(aE'E/ 4/Gy!-Y$I/5‡gt?}уd~GY[&銩fBVI璐Hl|ďs.W"dڲ?:Pt/3S`;j/K(N`*i2QK=n߬61ym58{4mff/ wd(}O-Q&,F@:dNd;Bx\G ǐ>ИƱҘ.Cm!G ZZIL>2cB#0E<g|. T>C$mu/CU ws[yVBfY\e8SR=z Mڇ3}.F%\zڷ'8g'/sm5vd~P :v8v4a_iH,G,oc'HNkHO>$|A tX5!bF`sW\Os;snd5?Ƽwy6$,d?a9Jo%^4vS;%7Uy#(^s3"vr@y'd'$*Y 8IJ3Lo&;u BX1jȲXG`Z?L~-aM,OJ$rJZ wDeJx`l("G[KՌ46E uTߣ*$1q&0q9}4a&[x`[{7aM֬jZ\TL0ۻgmqν'3L)Byz0~c7cf*2?N_<lg%dG_U:1;NNAgrfl9m|΍0wEӍ _i%w@iR?OKWP }lk4:&њ,(Cs&D_sopEFgFQX4RqYӖ\&DK, 8-ɩW<^}t.ЧPɱ]K&{=mLcѳsöJ9i%k\g'fܧkq*rWu oR&2Z8Tl& 564u 㫛.y:ʗ9o^ #VE#)7 fY_2pԶLB# ƵAֶRaCSn )±e_+=^!{`|n_dm"8=v(|$fnĪ2Ej.nc/-/\_~quP8SvBgUo=s Ehٝ'9FFt#<+ݚOZTjkJؖm](/Enk*%1|F FJr hbO9JF˪!~ˢ13#fI<(iStU|"@ߵdV"WVdSfӪ OBfj,.9KxOdE:Kl -wiA1ކM(I}ʼ 7;.o5wvs<J 1~ ]3zP5ɹI~* gBBCk'VaqГ(d o ::zbmt`ꘙ,ܳWh17C;LYI#ĕ Q2]Alq\J5ooeO Vplv'AnKcZ._'4UryVyP/ݫ/&[ B,/Iy{j\pfvXYîcLVo[V44Exmq;gu0;#:käOں<6I=o^UO79`Ct-]F(Xы׿l`ӿy<Ɔ%"YeɧQ;9K(_2RHVRTDLŕ͕pRвdIcCwG;ɥ㴔]"eDs[|!Hhh C9){a*έ>..F˷ڤCY}%5kD&x^gV09̛igS^֚udTa~F"NRDR> ,Zi sFX\[B Ak' G46[iñS$1~}e6Fy@{ o.K"*TMoKb|N)x>JQ傶teTtFٵɖO2B<@0W Y1uw N=}H ⤔gr6L70A|( YpH] tYX~Y 8Q6D=uHN.N/@C LS1hvǷ70)xFNRT[6EJ`c߁;~wm^!X/0Ϳ>p8b]*g+ H2,B&iny|Q"-K)Շ-e5Gwp.}6|=UrǟPk}.RN3)< O5lF 7#%Ԑ}v+UmBzdV;7s&H,M7D0s~/UЮWH0 q3EG 'R(xb՟ bSO}1qlMLU!\2cu~Чa8b|zRrf:-$!dҶVdN9+`R>0"Of&N$:)!6PƊiߊuMF^κ`~ ?j;6_9eMؼ)z>N a͞X+I 2Ϳew.$?a(Ԥ^xZ82wsnΐ `'Jhm~A6\eN7ST6,4(I5PY&C,J@jLO5ElUHEtlv G") }.z\vIjv]h/^$B"e ijȗ-϶ƩʎYu~CA`M ;vmug"cX)sk&\xN&ߖx=Vm& A%F(]CT s+ hmevlw3ߵIvڶm%9VUEndQ+" q_jD./e-k+;gx<@ LάؘUɇ+XK%>ɟX5:Qx]PV$#V=vnR1! ot&ߒXEf3[od=21Pk#2SK .z"pۼF;eɫA Vu#5lFJ'`pZ0 p];z #]UarA;)çFjC*6 r_m{.蒰w8dQ49 'A Ef%rT,eyzUþȉxP6o6Lq^9 ځ`w9B qȏq+v;͂KfBnÛ0dDߪQٷ3VCtS 䭀OP~`+Pa,ÈS4:/ .{Z\=ì 6ۛVTИ T.U+[ne[{b֔+tܔãw>l\+a2"Jv`2ȳݎǺ~#R2An:XHJ;1V<_ efe>A;oMf EBKiz%7؋zQ))[j=a-~]I}%Q%7wte%T@|>|l+,~Qܙx0d}&oRk\s1 lU@DP̔^jv/X=|E =fL͝}I6?Td$4ҤòD0Y2<r 3YW.kcpPA9.#okAj \%<ͽu}'6/>N9:b]ڤ1W/DJ8t FjF粖b{ GˎltdjK-q^~?LN}6ԛ8à1@KIkۇC2Sm.d@,Q{e Uq E9k~RjRq5⁼}:*MsT4Njq"o"kM`cH{͸¨pyGBSp3+"bgb=9҉SG5^a콡c#Sɣ;(L" / *ۓI7yLeR/Z 6]1HSzY4f=LJGv~mq|HqsT]<*Zt0*H;A@~p/=~E SX'Ւרe*9`IIp @@TǩuB\-V %`yWͥ;Ez_<6ʝqV7,4߻\sVZ+DFVxSBah`+6C7o&xN&:7ZGX+-*C4EUBJC T09X[cQJbh+TxPSqYM)>fG{(;a'ն)[0_R0:̇-[._> D:^aYl0to裧, Ic;X1MR8Bͽ\ѷ^Us^zG}c^ەtW-'~ƃ(jnof?Ȥlsƍۺ5/߇Z8W6f"mS9+;>]51~B;ˮ!WzEҪW;̉F+ MN_t) "dUQruՃ'ā18ZTTJ*dCCȍ~gLp^ɸ2/Z+tںKpHPIy13GDI g TW '3Խf20Cay/2#iR/55E{zzo-}6)"{Yljj&9EEp]AXpLƻ.8hxRPG\ qE2 D|JTfŕ"t <\WS,G3 \{ߔ:Ph!xf)/G9_.3D0K!,:k(DdHn 2?pd뀃qųCE/´iS,^ ll!MX s.Zv:Yi]&1&i䘱uT,ʹ ['~ԝ/ -\3O KpP|i3lIvnn=%f2u+C|NEngI'kaM\>x$^*.ǟYrks]{ާgV̄%0iEzj'ۇ<<$sj2aT1g%;d/ ~̙_L1:a<o`џ0јf:#i) =QwKپ{yz9@ Tq:M"_sM7GK<a I/@ d0|Db4G3wD&H&Z6R#kkNyQ`e*Jk((nih #[~'j@}֮iNxΗܿ$d28/1A2Ps}Ēyc/T>^qxJyuђ} l7:xUמYY$-ϣO\VDLɸ/fcMyQU|{]]Uvca ؘ=D/#?ҧšPg/Tbr7 3 @t_E3Sim2LGʟy2/p_WD>\WIkpO~~j ~&"ZdbA,e%E 6_()N- L]q|H9kG5Ԩ8̅g{pQ6s㕤BRTӭ0-k^$?|D!Wz[_JaoH8'7(@Dʖf3qryРT$T]NE`3]3.}/ pW;駳3Bqv,률2@F}'VH)%Get Ohѥ( Q$yК4#n$g#+08Sa2^WL篊poSL@}=@smUˬpP8&6FHa N<ῑɘ͋ mVȔ-Eow'{0ŋ=(b\{LǬZk̐g,dQ:DիoL37s+c]T# |36^5A‘ȌR- GrxN*(_NaL4b=0Sa*"(.]'֎-6\U-w 0hH22ɻߡعܲvpN쪂va+;Oc|q&ס~U6iUSلS Hg/كtSZM#:} ~'#ŽνPdv'gAB36k+Tsy9:+ mlAk"c԰kp-ʙs{+ 1vdv[QMff3: ʔ%l#*#VHUUTRPhTp'ҕVXS1.&agܥ45Nv\s2b!ED>S8n:2DƲP?Z$nl[2k{eV1^/bjyF9PNypE_ǫEYN\Fdeim{˦u6U9 J^" l2\^FB +P!{,[Q4١9~Om,zx#ay WQؗܧ>DWnѻ$_Y$AS*ĀKm2PDgY󒂰eŗX.SԊϯ 0E}\Jcjh!G?`.0J,lW3Te@_*GZ A^W#>|%Bg:t̜^O(=F8PbButEo2 F#r&!OOhH.3yꗅ,d0 =h+HMh[cookvDìDF{P߂+?r Xn3m)nGWmk:p)OdAtˡ!:, sijG_:m~Cs[3$DRE8t?MS*?X?.4I!1 D ,ͷV3Qs) ZcbQf:܏s b:[ɩ8pJN޻2 +#VJF{pC=!nISJt,\ę2b^3T{Ww"4@AWF^q5gv6t3 #spCr9yxE!!/P zTu&IzA U̢kM6+ "xr-~=&AW\l 7?fJt{̓s\n@}[|E278>{ouv|S?~.֡c6ѓI2(P 2d  iVP-${eXVe BR#Q$mMڗ6O{OA#%d-1.1 E^GL|pY[a@Ѡk"$m?{"hKӂڵ/>coEVbƌi.+tDJCDhOŵȵrn!/Tk˽Wv3sg!s +(wHʢmtˢqm(x4sԠ|BNYC L+WVWkfK;ڍ}+9"n ^+0INdXLX#0g[؋+|x "Em_Jh48-D$پ"K3#OIm`/31߈Zyy0:X X>OWÆejTpsϮpݴ^>#n$;AKmJ6+4 mL(>QGSKKST ґȡe$&ZՂc1 ¼-{yd&~nP߹l s05 c+il&`%u:5iAx@[,tn2oLQ;x3/t>V˽e5w8E8rށ\%(R Ԗ@mg{@Liq#F^a)qs:+Fw<K"[ƪߪk,G>cUX0z6אE^)(8vҚaa&$"nܣsWWhSKwmاcL+@ Þz=npi7 RTL]2*.ڒZC1[#Dt(>*oO.*"y1SAhat%6pgNv/`N!ψ3|B*^_ # iZT0\SZJk BqJɭ7XQ@؈PPĺ2pXXf&>6%AsSy@TrJzϖUɺi%L->>׾)zgoȟMOc[dY|rmjvIeDdz‡Z|jCKݞHuK|ݏptlvRA57zdZ$YG".a%>?Tl /v,xQTSׄ;ltMZ܌B- V+g5`%]lH[,O]]G5^KM)߼`VjK#{ mS K]T`v$I"Uhql>PBRi✠m/%,y( GG2 E"U =eW2~$K-rMwQ _gbiX" }XP W`lBzkJwkԤgf%쏖MG:쎱HBoc_|goC5|dX.29f$m![ъuom>*̋v[r]]KT+'O]vM_.6pTȽMdx92 y/y8]`^a6֞Fe:YXjCpp҆ؽl͔SEYg݊14Qzs֠`pl,xI6X$`EHd2・1եs?dk:F ugp bHbs(ҥSR =2ۚp FMyј[vyaD-ڋaX"t~*zg4oAX\\]*녴Z<3*RE!DQLEj$1'T\#)]%EUv^cq$tx׫6^tc-2X;М b(Maq(`l)Ϳu*ՑĭːYiqM_t>SvHN9dZS(Al!l>6)ҸhT^17i_:ՆRB!RR *cy#\eLyeuwP Ψ2dP3$^6EP#0U b1Z=j~PE2kǒq@.7hp_,w{̾5+8}1 t&5=^:8iz}xJe,$>kc&vW6  ܭ.nkZd({^vy!Eqc;V5_17-"RJӒ֡c,>?}&̛r#72xU砽Q!"?>?ېv#+# n  bX^M6+cmh>J@GYU䥴|34>N_].!ڹ>D0 zZ<<ZĜhS2=qNNMHa 'uaWt1 zٞ<"QigcXt }DDG_; J27.ᗑVsd-{: lrxNЫ2魺WoP9%j@ [ͤL @,ORP ZPՃv:_gl9=YV8q<W#-CAwt΢߷% z|40k;V945P?C ~w3|NJTsd0:р,=5@_ƋaWZ\ӑ(z.#J%xFR[ϠSE\^8&di_۹j-߈qW瞳/y+Vt"{ǻ9|Ӽ۾/hG{CɸzR7-$Y='<n'`X9f 3ȨY xFt;hDaXXK˟Ҽ'Depg^ES&yOvp:e=RȄՏƺRkI산&1T԰JJ:G HT{9; '&ϛ>KgG'=ׇ.(7.E+׌ )T=zJP)0J:ϿS^_?w|w)Ppaiix=&*ǑK>0`$)VY^.zcҙѬOUKK](Ѣ|rv?6b&о(yU+~ݠ^N6Zt~9m_h b۾S y; ySh(ivGJK8XM ฐW,0v@]0%N'|a7St% IGN Ոr]Ĝ~ Yk/cdJ*/(IabO2OHo-Ds:(R\+C 肚gmGSGh.Gk''A-]fF2F4"o_h13+045mJ.JJoD<g]|)I姀eﰷ8Dڃ'13Z]޿:O+ :K%/+T0Qsu-6d!pИb`<˳vG%FkFcJ[MgUGQ}p{Zv1RƵb:٧H( 3Cn'|% p 5ͼ%5F[|Ӄ9ФJՠ5 tJ:TB `ʽ$W~_EOGNGЩ+Sj ߍyvר>ʶYw>|ʻ: ,fVFDeNfKxU}JO,;j؏@ U9: ً_:oW5$c`%ú&4ëu<:.z pzQD:|kΓ~NϤ;lM_J] "Ex0 EkVQ'X (qY D"{9q ^?+C/G&F#s<ϣeHb%P9 LmJ꾍Dr20 H\ez5os/:|6uf#dau5r ƨYo*z9'} 6)-y O-8!9C6=0!lrufy尻N +ᣖЮ!Vf:v\ xm"h|&P)1܍I U+U{[vV[>p1g-b\-|m~ekKNMfu65d, ^o(iyd[[q&x61*/&4I:(E؊lY}VRhg,C #r+*'AF9&{Ml@x: ;֛?"fFIXˌLU2aǃPY>+A'PUܳuq :i'F(F}eѴ ;R@$u燙;(lWx:c-\A:\nj CU[Y O]t2/G94M |lTBӂ9E:ћ+Z[|&ROb`u@ΫV`\kfoBJ)Nj̉k# Nfzíŧ'ၡQ~ɯVvh]gyF/ ׆?v(pL`FBE,wةY)VՅ]4:1t8mOvQ5:({xRʶNc^j1TD@9(EKDEؒc^%P F蘫lb5WMGM0QWvwm\㶀:nItt*=?7{"BΞGBlܮ ɎZBptFYw~-x2p%\/!!,iΚfFkJ5MfѸUI)V@5H_4N* ґRעH3Xס}+۫Wo4GLhjZ`'Hof%OGb=Yb i x@&]oLEN|?@&GraI5E Dt|8nhMCRΊq$%ٗ)"+;hO$ΚmUv @l):i󫄓ºc߹~62w2b@W#h*w6outi'2]0 )C*)R h3.#|$(%m(Lsr|mh'ذH7\bq{sm=)-ԟSe{|A$=pz&IȞdQA(kLы[kiG'ae*o)sWE/j.B};|!qW #$?36rrba?zke^ +llN7xꮈ}vI~M|l+VuhpL'Ehx`wGM:8 ~#Vިqۖ/gtCv4-7K9fգDrIHrn{;K@eIh7\[*&$55Ei o7&qnZoP):vHg3nWЎqQ?%[C¯2$Z=18vLtu-~=rup+9b *<c/ЬmTv[2gxDU֩19#3[$rA C Z+ eyYčb/a69EdkߵxGv(~RYCijWNx:%l7U $$Qy&OVP O e5p,}EKHx@۽N~Lo|-+&F|P6 >ԑ  l%^n 9:}k6Oc$ mPwsCK-`w[VpqcQ!c\A|úTG2{ L뙄&otdn7QX 015bߪL'h(DW>쓔 {v锤CrDjl0U=Xlv!.V"b~mR"06P/z@,3X)E0xN(<gPQ߉;"N;0UGP՞j[2yYۻPM*Y +EA4BtyȀDD, w+qSfDeYW ]0d,qsb,ԙFp'r%9|AXlA18Qqs PcT)oep}#,˫Ǒz%@SiW}m1Ap8JQDz<o3|B/ <\YkY, `,v al^|m୦NišBLۍkȕfn #>NH0p7d4d6FOˀqMFlJAM*uU`PyR{)`:o.qtVAx᧢O/[XRbRPQ[Djd50^ΆdaeEyEF|C۽_ӈ\# .F.fY@( d>|2/ ^s |/TzœF'j_ke=:Ͳ h!e>Š WWR5EX/)k2ls3UFo{).cD{7/$w4]ʠJC1adT. Qj&f9-ZŰkon{shb}Lupj0e?/(\?҄L4vJqwgZ?ߐjED$ʀ>#QDb͎&Jr#!shTHf5h|D(q/L2OXj㕖,}DCEl([ xa 6'd@`tGBx6a{PrbMwIAfplTI'x qxDSr|V:1CwB0HE, k@"H OE1McUtgp̂ Sϧ~$_pﶔj.w7|g!GWC03F K /*gB@^lrSVI4BD71ЖVq!g4>N$Jk|ZOpueNK&+4s0H>6ٖUℕ%+A e!{^wAYȇ*Y%VIV[Co5)m Ct>L67X,"e-\HU #`fz(cH+z_d>I3X=0ߕ )> @}R+6=C7 S0yowh#SܠsUNZt26žZ|l#f|YwU[~NOV_xKMúB'nZ6k<$C.閆-U UW%0r.h]U5R^cvAO^v(eIGޢ] Jư< [q)X A^h! =4&t [ƤV1"qꡥi2LAD5\k.qۖRÁy i~a ?k?Tր}'R$:]7M5 ל\SWlxQ0=<bϷŪ)-YlnTSflJ?;Kۤ0`-B2Ϲ) H>Qf\R$*u9hXĭLlI/VNu_?sKF,u8u)8|e?PjaN>|]8JWxW۽M.ܖ DyJ_%:r ktkw"}HCWղ'Å;=1 Od6.8yQͱ5#R"u`@`Cjw=pRhrI6KLxF.*1L3<ùxkS2]^4@FD<h6^K+v[>Qa"ޑnJmfwPb>˱i+8_2ᜨdt2LnR]Pa u#^CX'TPwa𘾭auWJSIr +O_GXUa,oEAE7 |w=OvIEGSbb1 a_4a>y"B.%p@|IIhSHzMۦ @AeŁZEW&R Eu59> p| )^=1 &xV8d ߫l?  r{ 5 2]7Ճ:gW앧kA}AhB^4h"S+v+_q9WaJ:b`Cm_IPao^sp_(U 5R>=܏ (TheOIWT1RxFNڽZ]G!y:c -8\קYїd'0^S1PI:7t+Ph~N 8y9QCpKrңynQryԽ>)Eb[2/vМZ Vcg+X-K { m|b[50VEj1V6"@k|1\lbf1spaǻl j1ײ ǹv }+՜n!qx_]Zӓ?u<_0Z2 b{hF"Ѫ80R! ;%ѢбuZ*<C-/].G 9Ir.[ WP$&n^`C܍ՐdO@{s3",%Y?/i'ul?͵XGFfrT%}¤U3]Bj'A@̈21 .@BQN()/*u+1Y$;#@r?|ɶ^ !3_=zޢŇ6@=橢9!q"rڠ MK'l@} q k.L1`^|Q k)zɊ1w%*T\y=Qrp&8\HOZ3ka'ZL?^G1 7cT?2Vs[71,Q5 eW$QG41Ov*۱C9/HzNګѰ|# 4i|.嬦(8[v JVaN%*po,B2 ,|aE]E4yвJj >$ )T*yA3I,:ebo*,j%gdEV^fbli:\ޛ yteņ'G4O7:zLCJ堕R\٭mrPCg\:DyޮSJ<]>m9W!yp*eG%Npy=I;vSݣ95|yƃ!bj#bQB*]gRq)ro9̲~Xb-⤥$ 3rB6V6(P* c+S\Vk} iܟѐ S딹wMBm\%oTĶ,j ~˾ea]Vغ Dx l:!p]4 f_;z{ R=6 pODn_g.n`:i('j*(.K(bjswo$@iM+q_s8_*Lۓm"*~{Ώw4$GF̑nH9py,Z)oʻMCߕ.MB+ r?OaHp!9G( >87q]*tX==-uL8@q|vsI` \Cr? 9xI̖]n5`AOF3VTe{>[Gp6J/Z=W_c ӭrCr/kJ~m %hW.%j9O0IBV7sЏPms4wgth zU?x׺j,MsWlvIwrV0e?akYqD E6?<TlbwSB[NQ; Kh oȈ ePL,~A!dxRd/k2t.kn(v1ʟoT|qOW._ad=I4J i*xO> Snдľ_A)ѱ-y=.]d1pLެ߆9dZtl dRS wPʩ䨱\K6dܕAĵDTj)13[+&}26~O¿\~ps-q$ePx)~V/]5t}N|T+ۻ`V%puURoI571/X95}֠@*]?ZAcژlb H$`Η-ZV\l&A]|ͷHQf}kD`{~x/!Өy>@y>3'0zN? x 7Ecf?ل}0QTNZX8hlLcw#e/S*A+ ʞL>6}Ⰷ4#49ٻsľ#럪^q1" /֩ ˛Kiqy(->o9a5EU p+OEGMn˂=A«}> 5^+yoztC[H>*)Cku\ϡF(*f6hd}-Qare"eA#5oﹼ*=χt),PKM%Qh4/ Dz> & ̚ x Xj2J|Vq1B KN[NOnd˴\}ԕu :Ie Yg*`lӞQܑ5̀؝t=3E(ߌqe'Eم_4BS1H268ǣɥH2]ro;cX t s8 )t<^A*9mXc ?׸soo!}97'? ,O"ŗgq`m(IR\Oup 6N\ X"X{5n2IBFyWbNVy(K %4RJ.@L7¿ʲp?Z 6HD}pQsqiQ 2:ިE^$OvYʓ:(Z`[c͌EYm1B'}k -=#e|d5a)u;S;9kf1r2Gr,{ `:2FA4=)Fpt0 |]|G( ω-jMl:ܼ^/jd8S " |氛؝0BlYrJTiHwܧyOO Osw3,7gu.MgżNXJyʣ⁊6uq˹cR[y'%rjt)1f{ReS] +~#`u> ]"Wœ#`x&o?'d9潑3bb < ʖ&-:< d](SF*}<#ޠ`uvxw}Tgel ybJux*3ِx([D^|ɍc+ue==#Hǎoϥn~PGuГ6CfL-jj@ #y6]/e^S,cInGgѷÿ%8Y#">=h~2p_d7dxD 0.~Qcqt[9>pa١t&5hTՊB=b%2-fvӋ!9a6ۂy1 ~'yঈ(nБN~ZG2:YmU|%X깆tFk(z(g vE9N={!Ae2oz3% >8-W9~M шkCZ&&sg~(AJ7XĬWsd[UYadsxnݍkYIU8iILZSD 9 43Nqq:D7C+ A’%3ءFӉA|2Hj0S2)zG-Gdf57sHqNfBvw2T֘GSIlAP$S7z ~!ۤCm&r:Hee]Dj ]&;}iGfqQ'l-+h^/'FÛCIPU=҆4vPCC7@N-CL*~ɉMə> ;4Ǒy%hm%"*jaǯWxϧHPm;vA} Β.C0.͚"J^/7 #mӑLm8RFК%E\kiާư pWn>u4:2P ۾@2^_${ʶ9 qx 3X0m0>BbV;dkڸb@m: T:Qp`}z2zLZ`k3SAXmkuϙnxsϭLU``. @s Q}j&d'ܐqbE!u7 g")C撜 '8:t=%fd6R*L[!x@el6~R!p8S@s||juqXvF)>4Q/@{~ dgvH>4eX²n3t1L272JPZ3K ^ߗF&(~ޅw۵\fAw3 6]FE-XxdoO>Krc6A b$&)TMvF*WAVo ijܰ$cO6\K}Կ0 bp^d]ycRHxR9vO_ m*Gd*Ȥ!NK \b>LC':h=+ML'38ˎ‰b^Ͱ4ٺ O/þ҉ua!26]SJ!Pt.aJwQ%"]/e]Cr>!ҷz{ Og'GoSꊖ^>f`#eFm~>mߘEƿ#@Đmn"xO;D,T_*b߳":;aLh#/y^( Ir/`lHO˥k>l+VFǏfN&"~\O5"Ћ?TqacpbDB3ߘ-Pv1jv3H:_)κ.C˨K:Ұ|tʫV9>1͊ej{x*= lg`X Jnɍ#oq_6^rW`goV.J >wZ\E [Gj-u$/%<{*@U 4vڎ1UWr"685GЀ5p~-9h BnU蠞{L'PyNQHmV[J*tn{'jM2 ̫5lڛ'$2rR ܮꍊd $}-9EWR>={Gup93Wy[$@>@Tv#vqh؜Tm?\{صMU]weQ7y )s~[S9o9f T{B\d߆>^!D0XnV6<\Ή.J | Ke]Gn>҅_sa&}  feR'#:9[L}̉5u`~l嬦8903FKu(f&ʄ"im+bF4z;sVmW۹^3Yc}ZZ,U?FFC?98j91 w 1fmy-K -6_,an[Nz?eӥ-MSF{Nt unTLTJ$cyŚ-ʬ>"fOCnTZr2EWaHoF3= ߇Ow헲mrטJb-yO6h%/7CjOzI #p^c=%I{!w_f\e¸Wټ*͢/ZޒH[3h?i2fE(jj^<ꎧx &85-z*c;~'T.⹕6#-aKl"n *l+hnb(Xfc[{kB`Z9My!&ՉyhEJ7xPYA4O_f.糞1I'$fffD:x[/Tq]_Ha:|mQM3l|}O&¦-$r% G5y^n 3c8Z\S1˰[ !y3hBA("R>!$옒?.6@9P0`F#|bMG:rN7eQ6:x:7w 4o`Geғ4Hmi8V@\'.>EݶAۥ  l0M!?q iu6y;2B>8~;ju̜]}yö 9<'ntCifAwrfJԺùSuKS3W^{Nuva|Q80n5xM֞&\ cq*}"vLQs*l>",l o͓X+~&[I°fziJeL`ԭ m,ڐ-k)htHx4CA*^l38ƝwXȻa-,.qE[`*q #!JWXO*C?G>x{r{Icצ0Q!W!WUPuo mgR[` p"&eGQl' zg$ӄ2|պ8bb&ZMj($뚪 eo"n;ro3iÄI~a*%in|I${Ww,kМsAC>VC> zL*]6ul^eHՒ/ 1r?*P3\ۡ8?$3m҃yԼذ^3ε Yj`خmR$ dKRK|"t0H\vOW/$vႯ~V*P}JM|GhߌB!O >x^::źGj \iCXʢ!ΦTDx"z\;vuFٿ3z@hcёjUЇL $C>׵Miw7KTӕqqУ2eQ@aۃBZ˰'@M%&3P@SJ촸\7ÃfBh>)4r#gY!uih{i~?cebX Vs~Us4V{_"g َǿSA[Y˃t\={&0]^-CQDzس0ν Z^x׍hќYcmrMP,_!v⒐c2w{SÎgymQ!)34$v_/x{~VZh,m|wA+@?Ϫu^|?.58wvS[GxPlOyNoS^xv|'^,w-)c|X%&gGF+Mlg AûDD֣74v;FX*_D);^;WTz)@}/WXO(DDga}yKM]9.gb> 7U/{yp/#󦷶r+/~>*d Ƅ.}Q:{)sd%]UiǒR5~ϩzaɄ|Laq]d' <`4ab |*AGw(?}ҮV܀I`9*s}IEx+o}VxgH*_ofw89$"Pċ>W <wI颩G -mLw(S/L9<6i8'K#//]&U6gL!8Sg@wQQ*.Wc',.941잹(mF5 f^kyG4khpXcQ֤b00uţ4Q^IVXg%(7 OBڝ2R7vk>F.L$`Jʮy3xwI"RP4cS_9A#ՙ!-OtջǑPHްC*\Yx+7wou|{bPVb2)E=_lV)a}l=K`Nl>1JV` &F!)A8tPJ36L ̻CΏƲ H~0;C|5A2땃l*d[L+0]x휎޲/~.4D' FN3z0xoű9h)QJm'F`$bJ 'q|[L܅⩦ ۹M%1#e^V:rJda5g+lDrih%%J8EL~ACon|um/t.NpeP8: Lܘ_r}kzJmÑ{%xΜQHUIۘ`En Nlg\GU4!JeD9ˢvvhUD,`u |d8aq,gqHs}4'yNvYo{WuRm>/ pqI\*z?\h$#NHk8GoQUw"5D8i|weyq_tNu~~X=)@ 0 SjBum\,+Gt䳭 "̙E-MPܳ;]{C0 |tSC:#֢z5`3#P]7(*'@o-m ]1*e4$BcBeIxQe}9+xJt>Lt2W`v&v_ {X$YTy XXn~6c >,Y\`v )#25<|$ QUa `#֨nOr7: FVvhsRc1dIPLӆ[` s_vlrDrv0۷:YJ*Z -K3jru&f(=O9jK& ̗&Kq!GDPM'oM>pJP Ll@C2jLn8N g_ugrJ)0Ճ!N Bp M@G) 6f:nߚ(/6Ld&k픅J޷jFk9wx<<PҘ .z?I|l6Xg! i֣֝C 2\)vCZL'%S̴#1Zh/P3MzA:G&n :Sk,K @.`koFN'(-?(~!ʽ9^6; -sяm8>nw")uR'<eؘgNO_þqegL/FEBDXwW)8[qYC8%q-F' М| );WmqM" S5RR 6MKuq-Ic#eZeZ!m'Cu2 (y;/dzםbHqFtyxTHdRuҿ1tjifpGZNk1wK[/b#SMۑvUmk~{>\ ]Ʌ4q0[7򧧜#%6h8X +G lSa)rɯc f1/a}&+R>P\=d߶qÝ\75Sw5W(9H[zz^ss\/^4`~A,$+϶a MdLݻ \,sBPrE,Pe}/9L-hq]wZT"\pƭ>@N>yhocuC*2A5Nn^(8ZHsvCT#ὕSǪi5xF {3'WQPȡ*QUmt%O܆D?"Φ:T~(  X309`Is Xқ@E1)T㼆~־,װs{ߛβڰm[ 79Wp{˕JPQc͵xt#Ȓ\'sBlG\XIQ#}]A^gjo/\Y+`N`h?I2Cޟ\ 3Rn d,%9]@)Ê1F9/Nqh+@ЗQoTD)2_OmF,MTs 9Tx->m_D 6.P!f94_v8ZndR b7W|Ot/  Dg ˬm*0 U8-;05,SD;#!>3p-{9[>t0qnK`QBrBfgccQP[wC*\  `Va!V! am:M;͆.6e/Q+%Ƶp?U;YB;3.b$)vf=g[9UKWh`Cn ա55RJ#G$k@_R{r[2yjdۭ}XI%9-B_JWM04ʐ~-kMIe֜cr 8k'AE%LHǹ&<$ҡ*yw; @^1}NgI)n뜕. } \q^ uq7XBeJNʢ픀Kg,e&E),(Q:i^1֛aMu=Cj!cQ,}es;uvLeH6e'abS 詤ae'%!esN8>y xf߄t>f3s- Ym>ӓ6Ψa㞇+iT=:rۏqWP>ާ]rWgtSn\kϩ ?>cvq@/dh9m敔ǘne|f[ jsvTW4[[RNk4tSz}9uETs;EQ"P8DYl FJMv4@H@`=Y d,VAscuJL]t3n|-RyWK[]beZ.fl$j74۲Eęבq1bN=UR5tv쟆mEs "#deÛ!fYRᔪ0sY_:?VG `n2>"tFws(8m*\uK#JSC.8Hj XOVjy-${5WGʧDF ZzFcO8G[R{5!QxLH!#gw>e 85BG% U8z3y\f#8vm-jmgbg$P66ZKIP3nR g~c6ZT$vK酳RTU,9றeG˕dnCߋx+D\T#]<9{&Ξcei0n/@.' y垚:n;nS<ƕ5pCmÞ!"=v,|֕ߑN!-c$GRM+i]>=O0KݬДB>7&7S.hť7t'g[ oig8My,U+' LREXZRVn`w@$«Bns{&YiBi٠K"4ZsQ@Ogf37zq>*&3*iSOiM@Zm{&5-س,SwPDAI: &0/bw`ooSkƧhqQm*pQCQY1f2Q]D>r;j([{ѡ[>mhM| C.X^t,$n 816ZCMڏťf/_.BKCr7mg5-Q|bt9%q8%[R$Ҝ|e),X D^HVL3K['EA8L!/ї$$-V9`\O,^ږI4 J$RfLpv[ h$u~| I 9g̍x&X|N-@ΰߒYE=qvQve@YIXI/T?!7[C%\Ű^8*qHz0( 1ꉿ!/vc7W9õ(.]I3m^9sE΢0Jj;Z)Qܽ51+0ʋޒņ"$j_Sr8wlcMwvK.z6HJUITtÍq78V"z\/b:P;"?TӘLQB+Q:GêOB>zD`·utΏ)Pt3jcwoOځOO(nRsyN¡ Þcy,YK8t**0A?IōNMW{l||8iTĈ{L'D2=a&9HW^np/]EWhPQk.M~؍Fag{ch~1YPT T[i䶀m|!͡ ibJ!biri*#kW7} ZBe[K؝'"Rm6C ;4}h2ϟVLO*Aq:QA{_6"ґuRaؓ] & bt}Q$Vů֐&AX!ՃV~?!A9=*,.| 8Fng4/D20S݄uNI˖^Uo& @ݡ *Պo,: JvEMPx13*& jTmx.V y5I-oeI_!PO.I"[xvCT!lmMM7nXl2gY6\CyZDĐM|8~v*iGuimKPz52knF`dЄ3&ppʼZflEs=:3shX^@[- oҋ,K%p`.R'Biasן^h\p%$Ȳ6W")sqX 4t6nJ&3 /!6Ʊcz^c)TtUULIQFMւudu-HTV5V2 6{HP!EDzuɶ RDƏUoKZG_j;1A'M4Zj?M6mQ`w}y#  g2;lqez.[qD3|rd$yz"evInt07ͅvccܺގ+'Tr{!ٶ O▟ HKBt˚fFSN=JXv(ν0,@@%U}>+)ƃ2 \aiߩeRD<+Ӗ' /3%5<s55= ү|~E'i$N?I-!;(UkX\ K2;I~ UQ 02*;bɴƻ"NM8~nHeJ7ՂɛheXq6H8½"*%h8ʶNٕ+fm2֕1ۭS2ʼ> Doy^hVJʞن8I [7a*#rnRTI1|db+V,V;ͪb75y` ^b϶(l{q.%' ($c1ZI+( LT~QSJH\Demi[qFDڐH3G{T6(p-H&+|J" R5Ǫ8V9ІoDwo_k9jp$(CLL=*/I0|=$)'M<˺ n2]91jMp{rwdz QQio8e]Y9pP7QBp{]5$ )Ъ"1v- F{@"|TÎlӭ?_1%LO¸ϨJF No^HQT2cF7HpŞWt^@yɵ@v -𽐚=F̸I:buqe\ q$^QQZVIdRKQ] ́JP2D[-b-Ԓaɍ ]̫oj+iyu%;[l3pid4SZe5dR'G-!yfF9:42df#ڣ7b,]3Q%1{"NZ)Jo%!~ǢϜC3ݵ1.2 c*3 za aWt_HgJy%rcN[P@=.;],6-VEq}JL\W_hp hb7<~jоJtӊ &=3/h)!m9 ɳLKwaMN'~Sڃ@LVx3MtŽ YtF[ٟ҉k 7О^p$UP$x jAyiOAbb֒LB0$lja3J5Ԑ˫Bk_n )6\xE*LBj20]L4_f.iW$6\Jx&mG@rh;nd|eFO"?u=%YfR_{72xd poJ8˩ȿt+USIZ:EaA{}{vЭx í^ .I?f,_E嘲~L /\BlW(Lo^%RA mqpKH:֍Ypi5: ųXY פ%PN z=m͡ӂnkw3.F5L0}xQLՃjJfnBIsJAB.] $mMyfFݖdwqDjidLܲmLԸ,93_u%Azx[^%؎qNG sT4.2$Q&K5Y({" }_;7UKLw nwց[!;gԲ0p[ ÷k}ʜ? kfdƎEcn?#M|| c]&z8oFʕ>ygz,La #pSm`+*e^C0&clnw WABQ:ptkSE&L)RL;(sg۵±zH+vS80rX2uGBK38wk+5C,qeh7\d{, x{ neo- |47|R8Ixy€D4W&wR0qy84=ex_O5u }Fu2"lG ᙅXNgwe |桯!iDb.IV``$uw{4Ô)j GH_3$ADE:>~YZF=FGLz1Nנ< ܙ*u`ɂ9M O6(fAy/_fo{j*_Z Go@jU)Qɭ*VE,%0iW| a_AGQf˶ERBW[׀o=o$Ϯn.u Ѫ-Z_nХUϱY@oƋeoYh\L)sy#H^Ŀ&2*N+e#HYzioʿyU(OAY `85~RT)E*jwOvˊ{{z^E1_Ѧtȑl{APWEnaN r9NPs)=1B|sIaBՇNsC&wx:iu>k.K޷wEҊ{|~RNo5h'h HXݗAy5'4#Y7li%3&.c:ED_vmRr9AzP-aRBM-ꟷ~ лh)a;zd"XKu~E{8{(5Ř4kckݒQe}#63?͎yUK H+~#Y /ĕn5~DyJg34w~k)a1fgve?V8jMhRndfRm}>EyVk\љa4t3TÂ$BCX(2$6~f1%C7Hو]l/iES 3dC+4p;wbL(88۷NOY3%^>ֈƢ|8x?HDD ' sc"a.ikξ OT"QgQ Y$c/k)rz/{--Qe+877)I ;h7 'Y+'IOYPT9fF;v𓊛z84 p@Z-_pD?M\mJr~!(R1䷵PӠBnb5lj{V&z!Gqeѫ?~+0PShBO<.jAM8cTqxfqEsm=:z29x~A7IX [xh}JX6#.?H{ؖ[v@b1$$.Wez3QC|b^JVSk /\6zoH-tnu3y,# ͷ9hTz? 6A?-P"L!q5HMo LM }lvmi~,}>AEJF ګUX"A]d+T†}y5d=Qn)KHF=-Itj.[Ӥ>4s#-\z L ![ Hi8Y_It(v5_= +C`FNjN2g踓ȇQ/weq0j,__߬avy1?h' ĸ{5B~*n 8&$s݆ j6^Q(0"^4og~;v0TY6V7c%: u@njVKE!#ؘ]N$ފy'i|>ao8؍"c%D]_ܶb(EVD:Jl[T<$Oˊg0p{>*kZ}&Zu-ʂp)!Ѹ0u*u?~sI>ӱ9VGon,uoU@Ldrsf D7{3YL9%J.YGu:,8ˊF84v1rtMjt_NA@x4Ԋrg0hWPWK}q&ߺWV<3HZA-h+5 )0LsHZl8 &xsī"m\ȵ<<*k>y j64 ~quǞ@hT_뵰0Kj+Kx @ |*W]xhɩ AX8E =|qH;|+2GIDRٙi2N F\US aZn#vjNNH'kc j(m[ k\i2&c .pf줜G: '$31_`s[ b~꧸W:e*V)l)q{@gRI;*AEdE}@g7IN) 1MMEߵ..iu4*k+`rj;"xu bSa<%EmI@b[a D24*|3T\c<잉Qjrz fɻF֢% wv^ШؔU-PĄ JF*V9տsy d% g)nzyM3c 6VD§UV<=%nw⎕sZ߃T5;Bbav+d{(ґ1G T"ج/(9Y8 p|VzŸGnVu}#&TL-޲!pسxϹ]y)dQ~4i4*Ɯ]裺P:\I%\Le\:U bIăgފ z4F0Lпߨ ~ɗ/z7k-8' l"1b2D TBs \8t!ghbhG_X^üM`/O6wvMh217>hwJiUT[@ "⾚&}toQGjl_3$F1GEv/琝­ juHl{ٓ1d%ދd1#>7Wnc/)QQKm\!/7acHCN42kn=mBܮ& 2aiOl+,Nzo(ez\S8dbeI4nsyWٯ`8F*F^RQeXQqZ*g.`(EĞ\]h:Y3i0@+J'o~aM2fa NBGi"2v[ 4ƲvxmP26 UZA<;y98^\> *Wl>V _D?h %`}gu$<m4oC\`W\5} 7Zʂe?m%muh!賈dᒓ}St1AS0>,ja=dTA<2-njxƟR!-0Sq?Rx/q/'Jڕz֤qL&kACA+T E@9W{F%"6)4Qs x%r{oAlHeXq髁1ۉC>} TS+O,@܌ NKX }V^<GܴpȝO7=kU3 (R?iGa42EvqT_>8:ڑ|"U6(-Eq%2-T8i>򻎚Gej VLE%فrX(=b[6 ؑtǤӆnh̋ʡa:*rM5?aig/` tm?u4 ~Cȯ NUoG:aQ2]᫣Lm<"*SمZuH[վm kܚ4=?!_/3¥t c2R.0}m'GMd@#|3 bj|xq5fusP;-Ig)`ʧ1ؕfN]ۗnx cnR~DsvNm9o>}Q~Ft[]ЂWI9853MPbv8T#R)BE/dgDchcfA)O83߈wѨ;BLEic\%ȼR+VDe6؈[_[t%rs KӸaLFGqE#*6 |!ެi!D1X `Cx*\Owi+@!tw h.QLȻVJnģZPcwM+\2"\A"ؓB*t-Ts̅7&9]Ѝ?8EIpdiV^-5tMCgƈ0Ue֡~o)[$u͒c;9!x Oi5dҪpJ X[` bg+;?mn$ RdGcvc$;:qT )]^㭋|`0?=Kz[VuL9SSxl һo=Z@>Zjiǰ! K&x𫛮:,1JA\:,n<"*f5d@p0"l3/؎AKX7X&g3ڦ|&2o9䶠N _Eªkx<62T;ZQkn;Z."iRL3 ߎLO[{x Wm k֛_/^ir@ܚ#t\D~kT.d_ #"Q{7tSB 7f6wͧ5喱dQe4Fda7b#VaJ El%/LTN_,꫗b@t?{C)|irxM$R ´f\~T%=G&DPZ%:M7+f^o^-", {gI/=pϼ*%@C]GE{.`zDGnoXþq+CEM  0LTeDKe@z+ zHŞsA8Ϲ J jH!<0Q $rzoIi@֬As.#N˂ :}>PL?qJ_V HP .?z xhĮxR34xfZ(mP*0rK/ `(1Khx[=]+𕎖 D[n̓/H^\PVDÅUURldF74yIy~JtXխ=dYj5Bx({DSŊVdΑuUI0?!Σct91+Bha+lj˴Q_~\P2g\vnDƠwutR+?}{+Έ9QW{x[Z4*l.wN30 s:0o;t8o'O"Z.' CNqS(24Mr-:dXhVai5f4G@Ax3L*ʪr"<<'ߴK(h[^Do/j 8m%'J ]bJ{15{Ņ#^b)!t`ϓ!k-&O1g'},C4 D 8_%Sv9x- Ney<ϵ&PtDYp՗ר@iԩ>b-F!29i0KP C=.seYhZF z+c-\+~lc!@/s./xmr%fvhCG9YEiIHB=P{7wQnwLfif̥k%=(Mjf W +kY}P6:E~#S-Uv*@g3.4>^\}7sl vGXH8dy`wGZ1?I/c$tM] l#x θM7v WhF5o-r6B G nj9V\0[k_1o$䡤Sw^ f݉bdBXK*zPǰedfZѮR*/={Xś=2Cᖖ>HRba|d۝Nt^ň[cnkfD% ̦-b'}=kkWRZH!?-3'0~`#)X?Ƭ~T_RlvYKd|OUi*~d.0E$㕀-LI>jǃ ?a_.-qe8/%bcCa PmzOcw5*Q$ʟ $Zۥ˄xW$8n9Z6Rv6(#84xfWmξ^$T j #Zp\cw0c4/AL񪚳QZYS€ v|f vFJ)$TlqN5?y k>^^7SACIbGN~D,hHFɫx6Ӥ}jI4J Bc:+٫_ >Cj[Oz셶-̎"&כKȄ3T RKByeF}\p`Jn$)h쐞䥫uM;]B|F{aTbs &-F(LvaIzi]HHZ]ѷ|$#ݼ(9Nஔ$s۾+i?]k+%c ]2ы D%\Edg`GZF A쾑B;q. e֭ \&ijyy5L2nQX HivaлG[ıʆdxYقѷ@g>ܱG4l+]S;:ޚ%_M4 &OA{rH֘&hk99 %+sjh*DȤ}po`|ŀsJ籴hiWDa0v.xwQ3¢cHK%߿(<i;fQ:뺥`pvf\t=Rn4pu\i-rlii@`&Gfp`TY5¹z[:Vqs3\sY2t e TK.#a{ 8hK?J~tc7SM~i*' ,WUBǎH{?m@|!t'J[@p/RO pT@yV¬T(k hQ2~pb,9Z)V;pNK%  *Z La@ݩfKDn`^o[؉4aioAI='6V@kJ&%'?e﯌Ec'H_1֩R!ܾNl!oV5BdgvV ?);RK"`-^h1uut+hШ$Yk0)ebַ̦buݎ%> a$$UBVTFoܝBrn(M2' gX&*'G u y517wt.vZ.MUP4%i#n,R5W9/j~^IG qQnϗʗy%JD|p8,f*5t;7mAsG.N' tt[:0l $Ӓ*߳?6!+=brեOF4=vʁٞw / 1X0/ J8Bv;$e س`C:TT#7Yf&JRHǧ Ae23bԘ8m9IbG<^xxS]{ȁbߚ~Ix Cˆ|p;z֪il8%:zpɥk֫-yxNX{L?eP Qe[C'Hb$@3-t0tRI7IBړl9ԴRؕONr[cxŬg":aĮµpAf J ~CMQE(˛{ԹҏͮsK* EV*J=ҥqfGnpZQ,@{nz.!M< x$(V-9vT%6&3 FKA>`Ton,OjvV$k/3pNm,T,[+,ү6*l80RlYwTy&S[45(lj-wۏg%CzGb~;z31sV Vy~|+WУ#I34_Rz|7 ٢5p"\!/ :ʨRj͹.MZFW[d6fSUV{5q㥟4멛[L.}R,w,s#KEԵᜋ!o2г;%CiC$)k`&x*:F'yg1瓦;Zv/Ao6{Jfpeu7qhA(>_U+~Q)-c0PPqˢ%꘹GbV$8H_/t 4'tL l޺Leݒ+Ƞw4` Q7FM!`Y?v2D_ Bv$?%2h&<&xk=X/+vqo@%6:mRLPʈtSUo3GfV_E Z5ŐVK~㫤=?ӳowj˂X~N<^XeI59pO|m!^OtB-eMu l4#Cupa$$j* nh\uqR|?rWUk64"%y]{+kK]2ܗ';޲'%3~wa^H@2 vQ+$(9)Jw yPX0-~FPcBJBVVҪּ q'ê5E.Q0Rˋ/thU %Hm!+c!N6'nnZ0,LS} Cs*] l(;EXKHq+w=s>aeۼK0o;Na\,xo {= #`O/sVPp4nJ#4NXݫ㫱)]rA N{⍘hhx$/>,~~l Qߙ[_k-vI޶P{8qa] WgsZ+BGw QP-w2 V 0B*GqrVUׯS\"u ]@+pT =~U%i6C`zr-HԹci% +>6{"se⡏ C E"2Ϋbha|6:)No6%^ZX{q"3C/few.BxY[5;_a4筁?;ƪ brd$U~.Tt,%@B⅞31Qs't@m?l?傚8 n: ȥŮ0?ݥ uDj0Db?U*yy$qӌ'O#qf:oĎ<3brkUc:=)7R f1~W~b-*om0? wg2I t4N,(LAyF<%4hu*ad<򗞓UTq $q5yT~RnXDR^ء׈*e+|ߗڅchdRTtg枥yxEbdHlƟIk!gP0F52#W79 ! LeRMŲ b|wS duojieaay7)@k-*HNZcbI-*1-IT~YPw:ۑbD SLS?E(h̹+q +4vOZ@X;y)>'HDlu`JSCx&axH{r'8IdoĐРu3Pp_J 0SOq+.ar('piUM,yfކvg!;@ Ob Jʪe"[\p)'!@t{^XMڊ뫒#1KtdF DC(|z5n? o-g!\ [U}tCq4מ۵*}5צPP[n'(LX"<@1ob.%L,wSCci7]W1]'.4$8bML&YIQCB{Zxʌ6 kv9 b=+3A,w,cTa#Gt؆ĝGv!O=0`ID/[ۃ*=}&zʹqʪT9Rv%FL2b2YWF]:* w;7CԹ@ަ h53N]aG NC&Y;i']cNksa3h>Nn P`났B#RŜL IBRP{㶎7i2,j##t.Ai?>rUHQSb}onn:/ԫk'k&\"[c @=}Ro+_aw  m^sȾ2~sTfTɴJ^AguDŽx6*yE/}K47A<9H]$AYi<}_Dfo؁}Y!C΅~ 6'!sLv855U>L\: # 5=/-9GƀM'sOb8cg۹PCHQlL1.+2S9PŽ<+)WW/?n;XT+1i@ȖBy(k{Ь' =|LQk^A'0c1<`nbۍ{XG},aMd+`n4iq@xSǟxaݖ-S8]M Ӟnn [ 7Gl<\C,_ڽXif8$V H ϋq[^-MWye|{\j{v8IHa,d,xX6Py:R~uAN|u+m >3!<>`m[9Mud ~{ɔ5)Q1ar/T9l%}2K1& 8@<* K9µzSe!@ }8^)ΊrS1 ^XόJ loU!AfǼ1;w~n :C]3+3|tGu^9S 0Q\z嘽$L)Xx›C) 6F(3x>VMULB^ @{ v*ۨx@PwQeAv%\e$˜+Ι(ijs&!r$ttzlD7Dǽb(~bM[pMC+[pZ0nѳ:+.-&aBQY@4Y`-s ;a@E|DL{"'>BB6d%,Ia` ڜ)cа!;yX]J0j3/rV~{M)$3 痟 Y w ya +^-sSNM+O4?|)ATkݥZfhlf-GRMC:{^kDU*Iq~P5oܠX"rWż<IT#S4(^ltx ָDuF!캠y +)!bI^ԊT_UEl:3^+B\lÒ!KwUhdٮ-Dv=$D[i< ót`;}Y@YWj-{|-k}L`ZQBSZ#i1=,U>*Y% СFbv4\bru7٣%A]CBG;4l-acn g"޼q{F_h[(M9t+nP$]tUnހCc}LY ȤT0:ckH&)?^7f^XΙ{d]6lǡPIv\3Lc~g=&?3ׁ=?hOCA-`lnvF&*MzIYEY{λnQ|X~fd LoW 2J)?ī'e[o%JP+nyܾ XN̅}0-c5${brE6)yrݚ F6Oj>MegdmZ'b]TI!ZnVVݥ#F9R.Mސ!>0#5c`\%~At(Tsa9Km^wv&t3ir*.K>mZT̙yNy%EIk儠%l8ٝ2+B˙[DqJaKSpx) Q)! CUr;@W$njBȆCYmrtjy85SyJ %fKc/rةpDMy 50~^Vv*pW—Rf/+2Ǟ.iMpglZqa5hO#+҉9Nh丈#?e-)"VM:Pƻji3wv b>D.I2'>mE=EP=K@rL3FČ*z:Q\7R cƷ4XC^,fys'WeR<^[?5ZEj</[ayHZmQ=orTEل eC2.l &1V/e)sx/;'c2TCP1b2yZyH[Uюɜ߼29w E_2&Ng">V6c8L)tAyli!w.kf-3^_gaqSK,!VmAS v6W(EڌF##>Փa?&m5[ZUȺ<]l0 m O2mªy!~E؃W?Xk4]97Df$stBV0ˆLŕѐ& pxb!UuLdƶۧhi4g\S:CNkvlj0:JCrQ(_:[ ^IJF #LZ# 3U~@]W>)bǜ;L gPIt o*gKmְqa 65-2BQ&e4GU`ult%Zcr8Smn슧+/t^#c.+ؗx h` P2I6(rVM0NSh6Vz<2?aļ2IDz[e_taI% `slyj `Jҧ1iE[_ eE,V t,9业UZ5X©3,VUjZR g*Gzh\ Ϩo LdhE7ϽL^?r-)挕UqH" xj$JU۳:틸 yarkC=N 9xVx]7_Q86duWY+\{\_JiH9j)[ 3Ee:;4xMjH_q[n >tVY>=Jx)i ":gUY՘v<ս ŴĞ>)G\D'w]e(j _Æ+7h=0tDj*758I钅 JF}lА@Ř撟b%dj4VϏ#H`AadKp`oP> d"lw$~HvMuɖJX}wvO"cPUm*=# „0U5J+k1z5$ >}tIN*V 6X'|Ci$X "¯DNdhߙu' =o.ijUC cb4FqG:_!cĞEW=\ |H6,Ja:07#~K Apt^O>-/t5䠞D`WITOrup,Ff_$pVmyHWYlTfY[<{CCC8{$R;C2a/-P{Xzv6nQ{4B6D8iC~jO^/G*i<[ʖ$t݊r_Ndyq׻1JLm+$dP[z葝i7z4DGB&wّ=} w#H:pr q~2A >7 +zvV[4NE)Fc+YbX;d/gvބB(}F)soH:pvm,2|  T@2@. B?Y?f_m 9'Ӱ dTrS׽(`hmxsHp\4ga颾5uKI?sƤ'@޶vUk¯ӤDMBLN, S%nSt.8Ei|ac)+ s#N`n8Smľ0g^~p'2B+&`uxbo$ j^X4Ox7],h8{+ex7PNk]nK:k$Wqi5`%Y@UЪjj.w\xbz[#5+I;>골K5(|n+$F7ֽDN'l`OvcO 1LI'6\{]x^$, ՞1"ъ%vp\#fO<8,; /ܠaUl_O $w,R>; 1ۢk.1Ƣ?GlkC;ǜ[Uj<@ĉy]4mP\p~nPI*:ܝw ڢ+oeyJU}H iDdy6"]65M! K@(v%!pL,Y{#5]39 >(yjMTJpjhCǓjvaޥklʨ6cRG]E{J/OO/FnJY㙙seR/Q8v0/F(]*^HF?6ݒ XyvPץ ѣԂ@=w[|QY60ȹGggcDž&2hUQW:p:ty\ B΍{?׈͂%|WsA:Uo8FYqY_a'񶾡/JoS*MmY8]E 0K|JN?ëf!b&,/K* Ϟn|B 3AIimJ5.J:h9IXs}ST,pxB7:AR# %-lzJFQe6kiv%{<%0 Pֵ8QG;!=ȳHuˊb|d돌o~R>(sTs >hc2_ $) _EC2Ĝԙސ46, }2˨6-sR!u)3(~zJoC .$)<հ^Dy65x4ɨl$qp7yՉL@S *{]ǾS6:86c ν.MųyK&x~ oWv? VĞی&.OBq>p4|OC06Sr?K!FG8Lv#sw2#"4 'dokG8qL?F;dN'e/<% ?-MJBBxq%A<=] &on \ZPi'n㓁B(Tq.}Z88Ym.I^<@0q S2d~$oJفs N]㒹yagc=Ep~K<o(]4>n<)&ނ$%}lb3LWlRb7i3oӌ=jg^pap>ypt_!l\6:4 Zu7igAHltZxc7~&YбP@VTCE6bbt" sGj'uuCя\Ekj:D3(LmE75o_O%lިZ`^TN@JcN5-.7%v(g|`4ِ wssš*[˧}9}ʽ%ʺ~|)$1LQq -Jɼ &Ah\ $X0աh&*cB+{3,JE;i(KHAp9g&)v-n%;ޕ\' +aXVI`` xtQ]-)9| j;̠= ox}ћէz*Ww.NJ;%N< gVҘX0/sKh`>23[)A!E4X2ږ\1n7Ԋ?7rSjvPhhP F̴{ÿsD4*/(E~鯽dd'c"#7Eׯ7&COoqBɫ u B;{ʳvʵ@Yx=>.'aPAc•.'[_4/-M7LjwR{lF+VGvF=EBht_lgN1M'(rmE~[X~UH>4_~-)Xy $ՐʣwlԣD31 .^N'yZ}O嚱 x%cm .oNpEC3{曩88jɾBa%!Yㄒ+]Nڃ-aSW_ʲpcL5JLA з uT(i_.iG-pt\s|3|cq?!?)odA3wGZ199?"D{6|oǝk-ád lI2$noǿƼ5;/s PwaWv=!~CXuo8{6qyDC6I*BݨMnIA.C'armE&93D?NG=l02#P*gD 5x4iZcsFZٍАg yfƋ_| 599{F?*!;/aIحj@cQ)򗵱dS<䅦%K&?P P.|Cv,H%t93+L%"I%ts]ܐ#EđAe %{ β qC:rdF*P' &IȌK0H˭ohbmf#. .< e:zIFaލaɈr8Mn2]/Psm8Z&GW0Z< CNGzj wj}@qg3197e!=,䚭o+(x6 ׉\jZ\jzEnrMG3TLX80nR(O(H:! Rre|f8r+p;N =pLlM+9uؿlQa:#3$i(6B fߐzUF{X6Pz<`*?@C?E #Gs, C7|1Akvֻd9EPvm=rqV( _Y||ۉfԜdc39"3W;-{#(]juER6ETѓ:oAFMf)b,!~L)k%+{5"#pwz@TcFr4\iD1-eCOEI_qVb%݄]6Nnl^5&Ƹ$Ԍҹ#؀,6AKSՔ'l /\P|e@#vh Tp8Xv qS@Ҹp8b (Fi3D\˟D' OY}S\ Lx1:-X%KW;fY5M sD{E8a~:D.HҔ"݃͠GXʧn4q9gaG;MSEh, ſY]D,MPi!]bu9_8LjIvLsJmP<[=3'(Seu't~ ] iOV!fc;bBrrدzkH*,wm k i&֥ZZ -FI e'|[9&nB[-KmBW:w{4z%4e3p}2|X'r'uy{Bg-[5}dEh]b=$|]fliB*U곾_f_(`2N嚻$>3F0.Rm+'4šq ᝁ241ZǂXߩe3Dz#`o\ QFENnڇd<+SQaL2?_B7ʐCI8yK0~Rj;?O^`MxC^iV<~Φ!!嵃m$ؠTbflbPj +*m#B;Y`{2OnF&zR4MLƣolRV (kÑ - R>d;_;X$Jc%x?A@*]W[CLyꡨ.iےBe&SoHyxZv] 7*4"JUO yL+|&qgcb3`>E왦-4 ]"ոzbRpP\Z sK^Ivݱ? 50^ZR><#3-Yik#I݊q ~h7E-B\|=_orȌܩa-p|F*Y~rbV{ e)$^q:aҾk+ԼFC%*c'. 4Hm $G'.`am-ƒ1>XN[eW(Ħ3; `!v$׺FfP2Kΰc$ StVuQ v S:qT~"1Jm Ԋb=BV0N8 )>I̛~sO@[KNZ7"Hޝ =H3(/@radss$tNqJ1#%8?q"/*l3,9REdB|ZU8;=J "usߍҊ~=>5=^qe$#F 'ъ%]RZr9n`pCDe-$+ȹIb.U-,A:sh-G$cr\ 9sx4Z hͷQ(,EDZB֠2ܹ k ޏ3lpHt!İĠ{aI5%pmFzִ%ϔ9)Hvό٫j4^%Er+R{(f-N8q8.Vƪ&䱼i ٩4DOLY$?mSJӚQ$ɤcI. Yt3A{]s}"v謕bl4y1ѣ ttD?kwjˀv97q&6NIؓIEJr3' ,>8kd:_bf eԚ<(GPkO= Boӥƅ7*=;-~,dա_)K8K?VjtN(XWեG#=-i [c #$lq :W&pi]cQ"w܂&1"g(;&VZ,{hVvݝZ"W\\HK#>d&r>QI$+gx1UXDŽd,CSx=e^ ,B. 77om&?mKodGn(3]b-쐾ZZ)OQupVFd"3I.FL!8KHUpG~"+M2[T/b9#兟%u>6qNJn%̭( )t)*҄ZSGL,-OF 3f:|y]%#&5ZyZc}HJ7NPJբ> lxH9<Ϸ)観jf"*mo4M`q#yґ_F% e?3::R0}G#1R%҉R{8m+0K SH4dq#alb, : #./#2ߋF{b0E(okByP 2lo-SFg>밥f⩩F1c(_:IAK Aq3;|YJd24jcwx /&]|9&c0q @.J @ZCarRݦ$9]6{{}6T'Malko"z\HuaGcbh߲--azy, ϔ ES ̼|,0wW*w+i-Ã05 75>kʗ!a}!6vCC2dC̝r }w\+il_Yfۋyǎbe!}8H=1SJ9#VEs{;G&IAكql)db9 m[|Hd| $ l:BAw>}8'@F]q;7ʱϗ> %B^\ }8m1"q@+~6B'.urYuX*T thiWIG~.v?:%lͼЖ~}}훤}sYe?ײQwW牚:ѯjzL1RXAk*ffv(yI[>G?e"V/&eytB3MB&0?͙"xgf?'RM'zzQ CM{OO Lm$ R~A"cX1|;0@z"kRQX,YWbB۷6)i*Q'.ilE[j7PNt~ bvR}C!=CV 4Yhjka' W xSQ:dr Z79=wB}UT*l9 1azHMQP^VRə!*ʣ(w~٠~7nds*A4䩻<ڈ0gm_i+J4mdOY+=-nSk׿%S)֕0Wu4vLq65Z?ӳ6%z-S1ehr[c7c=+a!h(o"ia6ot}.ߥ>m*` L&֦3g`R~u`bG80I6>X$brM Ѕq̃3b@IW|A*Ƿ\AVꪣw}ǨX-[v70$Rli"s^"2po@(9 ÞxWE vEM8'`хQkBmaD䉇{Q*>ӁOF$w.D5M0q⓺\͟{1'P~|JV{E6G~T)iq/Ph<% ؕHg0@')V<CG r ^]5@`?=f2ݸ(,Պ @$)vg#VF?W -*:j~ʠ o m%n;DG >,Q\m`}ٴ LJZh&Mpj3 d*pYs"<ڐpHAb񠀵QwWm̪rDڑ%(},} !{*tWb qTkN%a}C*,,ĉ+MOxC hD窤`Ww $U.|9F9uCRmס0e}VF:H"3߉r:a+/糵Aۭ&X琋&A)R{m94Gf8hcFmPUV^&Fo S>)l`WbX+:*#GCȽ̪ ĽO#,Xx*҈U%D"qN>e-ĴQ"0447{'9Q}_kO'V'dnH[fӝ!=)u~%?\q<=SrV.>ypevՂ3cX M ;3%O)l$/zoG]ud: 3>`J, C}vp]ZkzjpQ^LUٍjmkƮVM|)r DRZ~|xqWCtC)xXUDeޜ K硚T -жJ4Gҁf08Ay7cOXS]gd8-n#/λLgLC,wzhN%h̪h x;&yĐu Tq΀0&jXK US3Fhd$#'LjsY5QRxaMM'5ƃTWP1?ucwOߣ/N77{C=cA5RjJGs5egّ5$ge Bo8*x" 慾t%CTԕql̎؟cpK!|_k ڤ{mHp6ҭAb/.$*ls;vlB1_Ԙ3uѨf5My1WHESN8 EJ}rBa4Uf:I%_a>? I:Dצ?8exvs^@,odZƞ aP}}cH.Zٯ_yAg ЇyҡZ+;wD$v Tۺz~{_ш;߽cY:Rɥʡ̘OKdgO)Tg u\/SabsQu./ryWyi"cq  ddFkɠ-~]g`>oKQÔru"5kk:ƟNZHDKw\`=`A$lf=;hd9& uM;8PNh2~㈴!jDi: nnT-i!WʫA犻9:V{X$/ƞzZSS,*[\M=k )=GkZEo%g^CL F$2;?ёT 4ѭXb7fOxB%n 6[f/o/qX͊4>x 7:WJ-8 @;5p겮*k 0vN 'a>],zcs"Z>s#c7[K2yf2n[bUR xy`K1։%XR9U L.Ѷ9)!䯕;qͧF\' YvNJX]g71m3QJG㲋nx0 [̚t08{5D+V$%VM@`7hcz$if1܌)_:_x3qwK͢_0~j.z |C 3oPiRim -pZ޵,-% ~l]5<,dH$ '񨭾[nCx61!vmն"(S km3` B1) jW4ȅ*J t] 97[5m`(Ƣ7ǭ/e_dAjP# cfq X]R(ā +c#[p SP-,d{Xk5H EMC}@5c*YsLL|4:@{7ȹ#VI( [Fv!'l2zGВQx*W~*hWH̜+R)zh; 1Ѿ[%V6XkM4OQxC T@uNI(͞1gF+bۙŸ$ OW([DsQ㇮if䄬ps6$&LPBcH~@/.[?%scVu7#Є& NSۇ1FO .{,qh X|Lï5?gxe4="|L"EAJv"y*ruܸL&?Uf/c񈒈M{󺱵iه]<#JZXPӷb!|X OQgX"8l*U+yܫRT[<;vf2jS4гD( ꙕ 1i/2i_-lȵRܣ/`_-3(AO'^{egʏʞM gzl{h* e+;=OOEuM]!}A43w0 qKs3Z46睲BiHɽɠeK@ H5=cJYzb55p0S2M8;¬3%ӏk&jCHمofNFk3mWVETU6cUU)w|ɯ]+vX=o%}@ (9Ic}Cs.W"L @Nr.H.pFm) 63Sõ 6:6蹗?ǍQZs@ Y}~[~ 0FhtɃr5߈n 퐘xnD>nZ¯%#$_1 x/0Zр6/D-sV63xK%[>sF:o](Mh*Vuw6v1Cn{y|D7mCzQ3ŋi߅D4M?7 Ș s#1KitC4Cvȷa\֩ݐi)^5F*43bBM>˺=P(,f4LCwv6&<uw! xI^G>TN?vDZfl|l&LJ@8Afք{z?L#Y4(X!XbIʥ ^mb簎aA4T6\+,#:.VB8SRH8(θ%fE6I8zlW2akjk*|QK9 `4B>fs fT4 Q@P0Qg~'PQqUrDHo8?i'N_<9ut"ýcyVGh#mc׆|e8ɣ=Ծnd1 i6w+ 7*a!Vg@^sЄ=B둳9>|ezә# ,i=56X˷>) ˞c9IfaQxM>uqy("݁s= [2-+Wz7Gn Vuٿ3dMo~_pyGȉa[IɃŅ? ?Kmė{}Dpvt574~V'R%Jo Ag^M# 88-C@ۋbeuEoUyGM0%y#UJcp倴+yr|QA~Nq_wnw[0b_ul,h׆g&Udfwu}#2J./z%ƃsk{'# 2iW*Ȑ4AmR]Yj=|MJ,7b(4*|;QF[$ pkjT1R?A|?P9 ѭ^iTMT&G9mlaz`Qޭ hhx?ʏN ~w XTT*'{@}xScOw^~uG}=S{O&wb⢀P}-A2X^-bSZJXU'W-Rq5LI=(JV:N5%B8tڛ;Y=(3ƔWo͋q8$.*s@mfItnSLx*mHHB[7@2,uyƦ8q8MT{l\e_Z}jeXBqwR~U*r5I4~ :s >h2SEĸxq*1_ìΰwؓ?D;&ph2;dykqǍ=,\خHJcbK%J^a!ϑbL# ō-^L\t!kDoܭ!'PTh{^ϔ:SBeu1SZrJBsMۺ.iқrvkJ%6a?(g @'pȠt%Xl^V@a#pu6!#L=Ewkdsog1 i\AA&-(QF"M»Ԅh/}x>9FxNjNAsGq螇$ vVEn߅.BQ g#‘T7 /MaбB#C6Ѻ"媵] tH#zPspt{+_ǃu9I{.hh٦}ɀ 6[͒S?e!Iypц ^Ĩ [~_ÐR$j Z-KH d )ko5$iIr| hHeґguSigR$p2M0œju]5?25R96ߘK.}%!cm!vQM#ޮП-\Ǘ/"pr?"uBQE$ L.zvyB  d+C5|)-7@"%^gMKD+U3L!8|z@XKϾTRPyϓs`MB-6ѪǺc9#fv4a Si |5 =IO|0 `6/ۓ[=ƟS'EjىXyTVYWl@R\$Gx5FJM)wˏUOk2UL/Zbwx\ȋ'8fE U5 JĻZ+d0QaGoy䷙/AD(:%?+p( 7p65. B|Yy֞it|`"4{mѨ7c\U#qZ.'V;ixr ՞ILTDWkG%4-6zkt;zɥ6saoxƤȁos>;}yLcne hOljzL7_]qC@qWx:'At>NHڇE L{pM"/A wv'_rO9jFvcyz4*[i~-.ܳq}aڊV(wy"!hw[6: с Z. 6 { zōYjk;$4?3Y /Pd)v+d. g,80qdI}鏾!pSA{klS7vՕva)㳭#y`ȺhSxox1E0U2s33-VOk#+ݚh|$i5; MQ=pJVwa[̬؞Ok4BgayO]?%@*իvE]ZͰ<,J(n)EosJEWгՁC?ey|S pCJG)ʣCweXx L Eb3G8et&lדs5@5gڄeJs+#V, 8 ݎLu29)i1mVQ6̈zg=aJ%X;v3 F,g@ QI>஄]rpulY<7P;`I6>c QЉϏ&&zj* h˲({D`o|P41ogF3XY"0 }laAS]vDN|͚F3,yϽl }4Zml"0$[js@͍$$T֞¼щF_T1$<~Hj?]ރC[yHDUb͊KnLid*d6Y_|#\`V=14ff;HK0?9P `BrE@$G0Ȉ cm 1BV걻{`th 3#Eec @m2/e?o jN˄)v -raG"C-1oh?au?Rѯ2jZcm+GYf,|m[Vd {i^^bU|ZHuF?b 2jPad2ޔe @Ckƈ$ª2Gâv fl ;([k k#FHDK/)7sXʼCAmt-\FçC~LC$p05Cg-ˠs7L.k$pn و B#G%,ޭuפ{1]a9#+7PquY=PԎpS})ח/o1u׶;qA03!CYQ`# S  wvD*\tSu.> hi3 q<_] V?5o YSĶO:4xBQ ,[+߈L+)hVҰr5 U/a$oӃ67h08|HLW:򔝌o .i zsjbq)?#VmD!AʛDS4T Dldٳd; K^84!GH(}b /IaC isk8s_Zw\;:}/_7/pZ,u$".NIh!o8ԫ'Z*Oz;h1rO/-Qw o/cߘj-V3$MOIdX0$KE9T͂_f$vB:k0Mg?wq[hw:ݒ1̑[|DDl8$#))" t4sMFum&@yGP|e9f3D!ҹ$^t猻eO+ PΘp+ >Xz7B8[*"$/kZv_OƇ'me~Ee<-!TNŞ{EpCWjC~ h^Z*[/7 :xtq޿%|n?Z'jdYNOq#rNfG* SW"e"PJG[^V>>φ&yMbwUqt 6]jVƜ#|0Q!G6=~"̚A %il|D.L%=jFGhS!xcc_dBVH̩ 7[H]iW#-e,=7 1 JtAAyXW94Zemi' }`@!&CxJ>f|13+*YJlSѶ彇#[%$q աN DX.6R<\` Vkg9uCiIQ1btQ]a?/4YD_4u\En4 t$3?''J_>C½7.L,fbd 4yԒKU1Еۖ/ 9xzʠheh*RM:/RӌI;kR|272XVaV㟕*JQU|"V "׼Gͣl:w(Ƚ0jiuT}`vSm]55<kU16E ̴AЙ%ƛ&?bXLiZD7~P {08z'&S(:(ѵ`!=Gpl%IJy(qBh9(/GF?j2ܙK@Ph̙U2y*bB)ywToxqp@ZA2} W75/73Kzӭ3 $Vf u$?:rt03X-+k a?o{`;dXf 4Ul w@R^UH› ƚyVwzm9|t) s. {P\yXY@! ܮ'ApS>wۊ>ƥا); oL`'K3%jޛ3r,au"AjDm/'-VI}_ّ̠SrRnZJ~;qo?>'seG ˱d&L4 K[OIHKc%oQ=-h`@<|kQD>2Q]L&JTDR-e >tS\8^^b'tew:i4gȪvIÙ _!C @Rj$\Fc+\³FG;AH wW%a!`7 .s]͍NwΆ 7)*|;(7Mը)mTۏrfk̅:toNt}"yC /T-Oz>c}MVmxI1?@ =2М܏_,`5XZP{'T0.sÝ7 6R).RjnDF^0)D4m{#Ӝ;L'6I7 d/GRs q*96Pzz{qJ$+C 8YQGP5/iq>CaY Ûc3[2 fMY~~|).l 2X@sAVz{U~YP(m/%_ʐI Nf[=E =- @+td% yXJry9@?郲k8wGa†* VT-8kZ]6:/J9Kef/$G i֮_ YDw+$B'9w8(Zb6W0*N?$ Վa>CL>==6C6mN`cUH0FF ԃ(T ƕ9*i)[s "7/tAt;=vZ4$c&{217pP63+ISq'b!)]ъ._o# p(n|8XA}6<1W| n̉ɦcدI3 tļ) ,5 tʧoP m,6\F5\WCKqKq Vrԣkbp^M F_Z$v\,=619c Zh=b`S)]?psl9N,e$iP|kwb UҰ@KвNa/ T>ha_ڛI>f5*Gw`d͂m^JOa~sh9 ,]4"4a ܴKsg"GX |gal"ƥ!\Rz'~0%}@sjt#I$XtO jYS._jPA1EE貞Ob䔎~HZ#?W L꡷e?K˰9N[cUI)#l>ۮ jDRV̼.t"qNqptF@hxgc͛/Oғ}pL&ѥ*䊢7Q GQWڹMb 3kAcG=ܗd~6f]ݹ;4Ҹ(߀wl? 7w>oH%sZw3L^ԇ=͝nvU}~yAٟq1{:8b)w?WDe%Af;ږ#4 yALՉ8H.1s9 XQOoJv+h H4)Nmڏ=(AJwWp~0qf*U\H1uQHUe/xdeozf׉6y1FaA̻ctퟥ{ 7̽HI6HHa+ D,aW#o$awpÑ.xz H'H+,zD,({Ռ!־CZks`rk3PM117PXhM o)9Z<3 fQضp-ZƸ#/!L5TgSRX9@Ц:ThŜRSު)Eh'k*֥W #1V)G>>k jh$="ȡ;ydAouevmfˠm_^+`5ꩳngh; .>]ьPU-٨)x6:/T'2`G? MoEy6dLMf:L>1(`oRS$0%R!Q!▀'6W&@{ X8%1o`ZԚ(|%=?W0rn=9 #)u]IS{Qc$~q`EZ7*])\ex2J!<ӖH\#՗${P<ƴ . Lx}kΤ6f,lK 'ŴmfN.EXVN۾Dql>x)N#`W}G:iP((8!J$$ro<їack~wo۰~/xEF/F҇ 䝇xfR7tb2 NQ7">P](־Aliڑ(l 5FBrN `Qi}ixa;/X1 -xH虀 ֳH :wYm Oa}W ȝ*9v: fsU[.س0}6-* |7) \]tǯg_ Ĕ Vq`r\Rnr;^ƣ?Pw(lz*/O̚mվ۳8O^as;ڃe vlcEXn#46n@R 5=Xi3gfbwiF3HM^>i7 0VGES8x.)GFࠐ'.*X\aPDS\$ґ_I6[]~IC0jӯmƝ ӝ+ KZEݍ#XFL!(jSL mW҅@:֣sӀRɲZՙk6hƃ:=} d@߇gdgHӹ_8{AI޽tl-<}Ĵ)1""YvD-ivvƸDLTЖҖWke1oLuنa!;_]`;_*}Fi'FӢ/Y>#6I /3Hbx\m*FՓYJ rHQqEv`mVHrCE>^$f PlN9=pWn>JLjdrcM2AE|cl^?RmhEPIQlty(P3a#jSSWk{7Z7hq c$Vo͠o|ΐ1q3c`L@dGU,~!;p %+};;o HY$q@R"ۍR>mUѱ։mqM2祋T+ .`]Q2_X`%J)h3v_*|;sEKU!kft;gew.Ҍ /2X*p4|+5j]=(”ĈA̷+-iˍz2>Ph%!`7wt151%_*b 4zۊ:vGy&TWm2\zAGbTR8ǎ,^b\)R-mz4G]Cr^$iAEqNNNI{t/F4cQ̫rMdVo]Op^#)Vw^(;%(`BY)yc/aϫYݟzzFCTݥ7Q4H,]! ຦i]L7$8ʓڼi;2AqS,7X:h'sXCOM*h4Vȝ']yq*ur! )r,1{7z\QBũ/_T ػe%`vBI^}Vv;]dAPL ;!ö3lhӝZ.|@_7>4ذ .YtOy|&;1e!BԦTKRw<5DH{t^'C|,aںt S\#_DfS;Ekދ!eXA"N`~4 )}1p&,Ѡ:xO[SWWN6zN?"3EF +3p.jYNZgEƄ\.6,_gRǼROoB.<з#?`LI3#{@UNU;$5BPmL{yNą5<x8Ẓe*<fFf{`1m@[06Jش%=RoK(IFj9%@lwDhpQ5'ލ8wNs\ k";5D^6'9 [T[9p2uTT4<`埪S.: ۈ;*|Rm9qVrm o] Λ䒥O<G =J$.VE_te^n)?K!^MXtfucʉ=t@TsQ)3U|Y"ͣ4xeK) >m\ݏD8-C?aE!O4t{^!伎]d7Ћp܀CTǔJ(&mLr_IG7O;/dBfr6P#ס #TZ>Tydo-kd?n WTbgٝqDq_idŬeBB>q09yMkV:RO8eдBb p| fkNʷ-kxK$mLn~"EƔsūSLX 2Z0'Vd A9KQc(G4:qb߳TpI1!BsS#0azދzphrWA_wRwu](\:hZ=qT'4沽ꝶҭdάD. ÇV*UC|AJⰢ lAN0c ؈_ *B<2`zA%; 4o&uRiݹ=^}O&V?aB AE oiqu~I x,MLiJY\ ;G't`|•on62qj KbE|mՖU2V˴>I{cPZv%GOsr [Kv:Í~.63%w f'%kA8F{ K<|Z!bT'E17G*Gâw\B%0's3 AAyS}`ޛkÒ|=e EH$ S}8~ <)~KGem!]ˣJjyA 8xp7 jS*!R֮>Aֽ߭D'CኴDt`8Y6 -ܹ8AqbʔtYȦRTd%OVtJe4"x{M ,| Ш^c~hfjz<8jHx9Y$3_ @4ZVlRxf  7*4=;M0 pꪦ|TX ]Jk@r=EDqB:Yw!$?%pKc&#C!.^NJmW\rxUKz<_]*zB]D&C]FۗrAjW2jG3vߜvAކ'a{.OUDsSy6og99ܮe{͢Ǵ鎽{K'D@T4^%w%z7(`/E&xҩ=T,L:$o6FK$0T.AfKx%<'ʼnkfLk>!LVC+.>6O\YU?`&b7& |E!ѝi̾Zz 8hQA{mxhmrAcnJW:#SKwrlKrR4Nߜ{i@!YPgŃ 3kOeAm'yj@K ZTXL],65JyFd fFFi4`^҅IFBB9}BEc^休iYzoʞ|>;py/dk+=n {0Ȥ[nr8+yG4lG[Ҩ_ջ{_rM߳x-kͨg'r>E\Γx]@k@Mr` v|6sF@1+\!Dhiɳ`OkR)uTޅ }9/}-4ecyʙE#`.V\ 3V:X9A!<ыLxl9 zKQWǞVkb(d㪲@gh8J#ddx2MӼpY<ӏcez`en1lT^!i̦ٸkv= ʐ\<l+כF%(J=&-LjX<PD<o.wWɡ@۔kc)Mp'8zZgqgѫa\WfI}Ux1X.KӃ?%t}&r8[C¸-RZg& <Ai 2TyobR6?FttMn߮#Ybc}OFt]9EL^ lm"1Q5Rj_ޢ|=Wj,h^C^pݫ.Kf/;A6dugSeG?K,Dv2ķxCDJbj9mI4m.q.xȢ0,&aw>/} /Lgo2#'&b"S:>{RQVU˂l9 Xh~ G&s1%Ke=/9L tErkZ={[MըIG*G<|;Az843ʙ[q.ݓO>z7lWbؚ؂T`J>i_s^roK 8cNBF<qa)%-xշ1c3ncܳh}UO.i9Nr){o0OSc:ì*XҖ9ڛ]&'"w4qKO!7f,{0VC D@R;ci˺}HN'k5XxU}%@vܵH5{r Cؤ/ uҕV`3rW61R O s3CRxлaIW!0Mf#]rfmM1 >͝ }fFX"6? xI?M(G!)w5lfh9'O9Ic2*Q)Iƅ#8{ eeU*]Bw,J#Oۅ"V;$`Irr8?~>Z/I2qk+FbrR"æ֤r$Xre ޫ]Yg⢽$3zMD?ɵR9 v#ǟ-&$|kh 5Xoۭ=@$}Tȓ]ot*OXnuJa"~wd|/`I |q6Ipq˅}[qEl0MOQpf(8Թ!Px;ƨ.֧dz[yCEKX3#1o.䡹w&&TSMWx`yeYۘC`(,m*i*srwlԐԴ`]\ 9C (ޓ1rc G.-Apx6Zေ`YJݪ!:͸,mS!Пx@<>p{a,BtWao\@X߾ %{Ƅ-F? $r4򇌼=[j9WC=h!g*.tcw-pČ6=2G-:bߪCp̠zW4H13 :5Fpk:T X~G!GAy(0*K*񔲏>l(ևsԗVu]>2‰Esu 9 O3w\·& snP -!䡔Ymq#,+2qܽ> ;4`-"ji۽S_hmi2%L_?W_( p +x)&CDP1KNj|t_КVSNJ .Mb{_9F# [r@y:^G:tSrdwR˵Au{ &YȧFzB (g#k$Z#s./+P;}8X2Y{psĊv}ec/Uvk$"ͧ4;nإZZ<4'nY#|֊e ]ijԂi28×V~@(Gk!#(V^x $en #RA#k%JOҐ%'bTCXj$a4H/"`r\ag 2hQ&qG^d vƅt!iiE):} jjU06>Z-r1T~@6NinTm,~Yu,_c1vmGx<@%jn?$Unt1kՄU|*hbjGg E"sm`3(\}uaUV#<2Z=%+eݩHP-6NɮHGjT1tIduFxQ,,$_*%G&xob\{ oAttW'}2r%J{Pm`a8DAW ka {'n_zNOTP[k#RjLB-(Í; @TĽ H#ƽo ?کwka+G g"2//-P_A˜=32H'ug8 u~:k V/J 3#0CL4yDmS`,T]$ * O+ߺfYhuieT\X`81H  #zhю'lX߿w..ݜ yS%ƞ_t]gr9ގ{}rOT"[d3sfY1k9#M:,-ıA,hes@w[UԬGD )K (ž-)%f!$ h͓ 2;[;KpQlV>̾LJ5 >pbee3BvPj7R.-5daOs=;~5Giw? B%RP"efB}Q?(a]EQiy58NFq(Xl $z5)zoQ*&͐&d;GYrE?p; %^(0LQ6g{2~JBZO:ou$\JA属2 X'Fl&zBT{AM ؃_Hsh-mRfߊd͒E MϺOL/ LyKz.dy(,[¸|(6}ZL&'i `#og 5)^_|E<*dg2#q3[BD1uj'hI %D,d9a1yܣg7/J 8 f ]_҈1t;͈PB1 5qU"2z*cxL]qPazQUmu -:6cѤ*i23 Xfwh z߿:W NX*9|$V8VtNVUa:F`w<[4AJO_/e#cG ŠxwHc TEG@cb2lOxhH?RMeN{Z%ЅC`>)ŒXel ls 8H* Jz GzČ Л5vɋ^ g*A>m* ֗#10.{2\DeRzz14iH"_꧆ȵ醏#4f\ɧOڴjIZ FIR>{e),^4,`3Ciӷ`h2. xy5^zrRAmb*"h)HU!%[4NC(FS=So֎*zZ&ۮ6Q$4P(͸^%PZ :D<$13B@ )}Ci%.[n'\^ߴzd>"P1*<_⥃}20ҙX~]K '=癝/KWq}* + X|0FIZ QUs B=Mcj7$]7;ӑk_됯zܔH@%z %OBҌw Iၺ](5\dksJ̒/}f@Ya&$+NW;-6ZNCpXwB/CPgpv:ǤuQ|F ĭ/%X~F·z ʼnnK3~Xږ u@!1)~9ͺ]ȏѸ`$JiijW7-w^N.JA _G7B.Z]d^q fEDmI,>\_F}S0K˅2Ntdz{7tM\e )fQ1hN Ëy&저Z/4@<9%y4'ې M֌z{3Ovu蠦rc4+"y CJoz^[<764ܔjc܁PnS, X%̓8<TL$(S{;{#Ggm:pN_C"һc؉~wy?v`G7$8(pXY[ ûȨط6FH'r؃2vcl}[ FwX /ar2ɁU&k2¾vDQ1f%`;(5GQ/ yM'؃ GB*w F&g5Heƒx0yh 2vdgE60~<e @0dk/ taPj]kϡEk=}9t__L8uړ#ZQGY-6c hee!&4dD-#7hٌ@.vBTÜpz&og h׭qS_W4_`U5A-6"غϔQƟyoj2I)bS p͖ܜQK4X}!IJ`C4˘tW`p o6ɖi\<$~̊ 9W#fn }}"?Bt<6koBWY{pmm̀R-s H|&ۼ|Q!ΣEbjw彊nVӃa] ^3N4v 8#"t]Bt`xL)mO@:d Rj0fJ72!wIu3;C~Lc2*1bk]\KD^(U#8 +'ݺaTU j=u?U?]iF92Mpڮ!,o#ƕgd kX{1M3^ rlMX'S®׉л*jIpi>c[IV'%8 F1df%73\ c+]ʳĺh1K8ja"ҰdrbN'fTԨL1dDKgqޚ]쌿x0N!Į̴*z jP 6AvI3%nOl:hD7`ZO[ Dt f\5as%Gܾx~' l>LUx<aFl'Uϝtú(ݤCjxYT2=.Vs&E>5fh 2m+|V~L[QM&Ns4nGJ}vJBiKu.u `PmM``C8q8V_BKCM1`(8O4$#q;>ڗpЧv="[? Yױ'rOMyHfQȞ!G1$A>7_8_)6)71+1"=HU#,zRw"5A0:Ư(}Voi"Uqg07yC1es*p[νt?[}{  C70+㡻 nY,i{3*\(!5x%b=g.úC^v,2'N ]𪮕úe vߔͭbwLW~9F_xcs@)*]abrXRg*X;bVQc}T@BuNKjcuM*Z5hzyHÈ#{Gb50w(s48A;VCwTOdzqIr[_-%qH(e-w}FR|dwheR>~A:͉}{0"` krȟ`TX,N8` n WD UOmE2Ԧ#|$3)2xLp뺶 RMSoNWm |Kөl ha6ր ՓgȊbpMp͈+.dȈy6碅lB8D.zn aO̓~b=»׏k'4uj1rcҚ#߰caS)p WQz֨sh>?jի]3y*gI.omB "#׶_l@J['2RfL2'b g9(mX_A8ۜ/ >2\ΤF|6ok?IVy#^+mۂq]p]+4$/7E3mqooƒX%b1ތa>c(Pګ t#h4Gn~G~ ]Օh[|Z#0vXa|`ޯчq +yJAwHi⹪QC`G^9",LFO>,$d $]TdK\U%cjl}tYHp k5UtI(l o3aDeL؟OM$q}L3M-a`kdY)SY[o>-A>,s76 4g0<6 G%,ðL<'7*=BF16mC|8;. AJI{zGct2ie0 9EDdSFvI4z L ˭OEHƈpzo _(k2|ڏ&Ȟ+o}Ẇrnc4-"i)nBQ?A'"|LDeA (NW\I+iLhm&wΉH2BװmqoqȀûӎ)gR9r=uUd^ oH=!D 掻 ZV/B.ώo!~Xm |[LsKzl#W8 4)5~4j~GOɺ`?|-S?z3FDHW1WҘ/dhZܝM 1p(Q൤q,6r/d^vQh_ .# ļjY)+>N HɈ clshկGm\wmvnqCɖKQIyU-[HhaMDt^ :i1O&IP;2\ Yӝn؅{>:wZ5e[ x;uXif^0+rm<#՟Bv_0!aq'23.ۦ[Ub o|B@ h& r ]BTqF[`F!ЛHt_fI#Y}/.a !)s[rzsڟOk% QF]k>5tZU8- bѨf3XVY^id)q)0&vmvɆlTx2ϓʅUfC8XCØ^+5r20h4Mi >l\.@}iO"'gݦG[IeG#/p{~0߫mU+i4m6M,fUFݱ|R @] Y 7pM><@l^Z Ye98zW KRh:x7oKu>ʥLykMO˔ݰfQE#oCG~ F0őc䓗@33U.߰ֆnz<SA g83/Ǩ.*S:8zG]1t719.l=Iy/r 3޾#f}z Xx7HD1\I j^7` ZFAգxԱź6_BoFH>OW GnC&(96.Tyng&jM.Ѵ,o!I gg Tc)2KWz=Pa ܮO/"|\u]媕[M 1*ɨ#A}tM xC85iF|{1u}#^ѭPX&⼮Y H'bm-.%+ L>K2 g__MS[D@,ݬ&C^cּ!: Sp` /7_6|%קn=WaѶ>aF97-6Ej V?_fqs\02Uԧ%E5y985#S63Lj+Gkz2:@MG B! A,bPRg9sf_+8poN*³Ep)qdz3_7~5!lL6ޛZz( 6AC5xװwAǛ[ 3H?~x8:kp9F7ȃ ˆ_Ht?=ăQrYxiboDysFҪ)YȍjWbq0t ӐIuoӚ!5U֭1)ْh X7;"X>L2$1hZ=}ּYpG[l+;.PXhUDFE@d]- /Mgm!˓bV=Zτs^xԸɴluEB=x!_F_'USn 0I;zkjDΨ]r̄YkKp$J[5|l ,SQ V^5HOzxܶ@Z'Y{h6/d(Ph52XҀ\ =s]-钕Y; eN)<\iH6  }@Fѡxsr Sx@#=ei1Wlt̞٣ЗLi)D~Zⲑ6Bx(ՁkA!uS _۱CVB9bAXJk<.mS_ll;R V5J#YR¼f`+s*A?59oܖ=vBr{˷%2ɝtMbǾ0 ưop}7A4E_VsF^Dafgkit ?\wO)kDn@Awѱ6JFXѩ x'=Dy]ERlGEۈg%]l<ϥrwQAs<6S׏ =bR'ey/\{mNj8@sJ8}!K[>3캄R W 2 cw;3?CZ& Ck ym[zU g t|(M as0O6S F84#BC`x"]kێ"XqJ8'LWߖOLՉ!(AGUǚŔjah侗 ?`Gv,eHŌD\3NhfAs qOG0Py`IZZy_[/g;Ѿ8'5 ||x ,`i{%(v~a:!b;N<\߷v /]D I#Տc$m%31P\EC$+,Z.N-J5P4 ,:aeFxHWAhl89)R{¶LxB4hT<]?w 6_}(S?ޢ=Q23"!aY"Sß[r0`M7/e:3d%H`/KKZ}""G&)Im]0DDq&xZ[5b>71ǠӐLsRFAgjX繶+F9~ͥoM{ bI,1'4-q[}U.lks0hs<)7FNXlST5@|*[s[V*>L6*spc-g%8UMȹVk0(bN`0RiJTHj&?:<3m4d'hf8'7?؉KC5>Ćj#`8J ykF8v6-$ yu }!v3 Imi*9٧zT<ś1Wof|FZ_%BjRDbUο b*s_C0DfsGH^X8K=r~ JAŁ:;ng p4ӒN"P /}La ƨ:Z!;>L]\hKhLA:,˙ e{adYjЦlk gbg{T$/ 7TmW Gf;7f*|ʔ/DʠH \/})jֽ@1Y|6 x[sdJ.#*Պ; N{T$5u%q˘6;y\Fw 柫geڍd@4nBw@E|>H:.*T#8N,50! D+[U3ÕcAݴ~nny3;*5wq}.$QԕEO%5E_Ț\-)kBؓx34cEnGS" 75c u}JʥK{qqK0^o\YzIipz:M.Zt'˿BcğR GsZQ>׭<xlbL[` T G~og 2xdEW8w-6e8Ӽ3.K+a/pI&BWIj>̹.ٝ#cBݤq6  Tv0fӭ8?~M5!-#{Ev=#_S6,w{.wS&Q})&<~8ʏ? &|K/lHzV's&ym|oQowb3 ?$թ n#^j:"m*Ox]+% Sz+c*qQdM%ȇ Y{+Š!i'/iعW>*LC/ cc/!*YA5 Iچ5y),Jօ_vK/XoA~zl"%C%&Ju5|oaOV .k^ {b_mԇ^' T ZP) 6EϘpm.ĸ̈́9.qaէ8)]9qH]>arJ]42 lJzQxi8$s_9G|D ln)tB?A]p;Mjvٚow0sHaԁ]_Wuuy@n3hJÎ~> 帛)],-wP}Rm rc-|+Ks<}jˋQTٖB0 l#-$ qI-0G8)E C++GDҤOTvcjFdδiJup$)@l-ga;h}jˑ7U6bN3V;96]pe^.U{aDˮ-FĩJ#1KbA6!YJȹjh<@j^8~FC$ၵGriͿU>ԧ`]Go*Z=ʥro XC `c)ywc.ƷlOd7<Ɛ Ƶh:yh5CXxB_1p7a6Pa `smk]bYY2AK8/GPAnM. E#*dipՁ]1b2N4dyVwtn&E;^I]6®%Y0".,x,"̜Z4GJiK߱W߸.vЭ(?zW9Y* >T :&;3*3:Y iɯ NeW.ЙXG~;Sg94ů!QYߗH~K.}R6jaw`ciKFNa)ex\эY^$NZ_qs~r3K0G/),A0/3ŲumO/:7*E-7'u{ LirZ]wʛ W27.%>5$9FIR [^i-^gkemЙ#E9yvb3b$>;1u Pņcx]BS1~J#Q->`05w_T/ I~ q_5L}^ }k{̦_{vT]dqVK/UWۭڌS:<JWݘ{lװ>½Um̖=w2#PfP|"XB oÆЂ.!nEx6x%Dnagޕ)6i~Cy)6^w]uwډ܁Ӆã3]dD*:-p* wx u|i .>\[epfgR=ېoSo~%8`C?$;)WƦL@kWƵmucF$1ʐ9EcߨjD5EKcɶƨZhIkјT۪V f{`M%òy]%k6?|#GJ8u\FGSoD1WԨ6צ'V'{|fONCΈ³T2\ZfxS#u|}=!{4 ,ӼyGK47 Z+~9ɜ+VA5co.G +KJ Z0sRDoij6 $X`ruQ+FV ƌ᛬hb$"GyE: 3[wj LPB$C2o8cv/F^IF!C"kߢ0Ըn S/UJB>o:;!'!xi:{k,,jUr"i4ĐMlD <؃48iUW<%"n* 2q)sJ ynKNռM{VLQt/0ٳg_(5 ˴a,G*WigFZ7n/ETa4˩NV& k_|aӟeDMw=K˰&>.SD8#;%S{jIϙ=OU ]*OaxfL6̥4BJ8~]K=:^soBF^$rG!;Pmlnr%" G;rj^Di/u,CG,% خj։Q%t2=ܵfq}&>:>DI H&U:g4j>/wK9Khea0pddE(v+<:ӯI2"{W47AԆ5 c~=\C5_k/N7^Y6OoޠU5쁂G 8!q'+ e/W3ӰG8; WCR:VлD^Y)t'# :S|`ז 1,5Q6SQx{`ɚr& 9ȤděU5Nmk]Fq}_g9[٘\G!+KOӜT +E6_ AuZe!)sLgyQ<%.t/x8س<ޟ\c{5]~i:O1\ 0Z\#@(eF6`H݉VV;)S!&"'ܲ~*2zt$잕9=57Qpۨ b^qaB|/Kv`vͦ ưgzO/q'3 ±]}3/) vWzNsb/3O 8&馯Ц̓VtGoQ[/9ve:$ߴI?IXcR{|?;xYsfZT*n慬- }|K-Hu9?aUC_@+*D[!r*+"!&vKsl }.N8qӞK!**Qjg[چJ~M\sasl\VqSrs6Jj + HPCLk& .Vx3ો۱WЉ%˟Z^4c^L /X/^vǵq€}9M=[Y҂eU) nDq, G1 ^K/ STplӵNS`&rmnaMLѦy:~}_}z(EynrΜK# ߷[J ^Oc^a8)-L? c9%R.A!I(tg\]h3=TuƧPY(0Po3\4~niPĹR wb8$G^ 2u>Tw.;D) x`Z[7r,?>t0=nx~ӒnFh5YGHvPG&2]IlQ[i10+|B`ϟ}dgc2+܅S߫JmiJqbRaA^OrP[b?G2B~Rnl6o&, ?wތRJq2wѰ&41e[y He|x.1Eą[8 nwW-yűaB:R\ 79ɒo{}z~xn`v&SOfpAـuW$oazL5˶ 3Fe^O~qV P+aLc[Fu.ht]GUyU=ULPa;ϭYkh[UYy^͛JA/Ű)2&?X`T]|GJ6bbz( !5-C~/~΄,f7a 81v{V;-nμ ] X< ^O%}co/sTGS:a쁞 ''_V aTFYSmBR-h|4IφɿZT*^uKQRK `[QN.6 ^vj!WؙD5msz#jWiC;*VVްoXb$4ЭRއe?Z»6'{<)p@n9LRs jZRAu3J9zW (#D9cL$j泛<]|0!j#Vz~pp' sO6v ź&;qLTw//swK)gl/U;I͹bfɾ~S3wP؟mƷM{Ƒ"=qp )Yt>DSKRrP\h򅹚)0,&n'|0"nBp@,y6O|'Innʧ(p[&OBIWd)#Grj3Έ~̊o)ZkZDe0S~vSB;,T\we2U,m] Mm\p ^:ƓVb=6!KtXb{[8.jr> p5\8#1}.caqmH`(\K#:Ȇ)5Wk%=tLTwYDiUIoʬ6~an08G1]_:fX-J[xPx!|0KA-3t)itJ;و VSC}AnJP/fA8sf]\ -neksaP#Nc'>s-Dv[8Xu[M=h0US*o>͖:{om+UY  j{}Woo!' } oV,CN޹R E h#~VThK % au& Zz3?f?d5}xLi8mcCnt&q,{NRK 1MA"2r,ǭw^y[ܤdؙ-H6H [EK uF;WP?;Q6Y!C1~n oY&88-HP%t6C9] z~H0Ylh'PdkRyODk%D2ywd=@lA)!eXj 3z ni L (YQFCl1Mπ}L%m+EI fIKH6[)Pt NS7 npW+yq0p2u8gB^vY+u]u= QFM(ٿez,΀WFHUhԅgɩ'h>rY$yacW, a.f6(~JVfAl2_&aQ leK+ ZA+'_k}f5eTF](9"6GU f\w)gv|=uG,p?GuizO~y<4~D$s :SI{}d^:{Gzn+I.`n'0UM[:mx w^{X]:A6jN>VO^0e>Hl­@[as-d%_eVf~ڡal \͗e- \K2]4^o5ۮyN5:;Y w>D#iɈ${@C1`! Є]#'4cLR8˶ xr`Sv=$œcs )Ol6$-6?{|"y~k ,H23w^_K:ʝ Z˳/X{Ӗ^ȈBeץ7fJ}Z ñUoPD/ɮOQ;&p^Qz NTX7 {lX0#>[01S1K[&KƇC00+`-BAGH4vWRA@CXr)ǒء:o\,ZS;-{n!eVDWm.)~GJ;ZK~叓 v7+Mϛ)D bB4 z-iuNyφ\Y _?XH: @5 kYay'v^ gں`2mAir8Ti>irZ1\Ć ?o#:iEj*Tz0<3mLDkeF)z^?'y8i*TL%iƳݯ5I/D;T|S75# ALV^*O XQyL4mrs|U8]zzhh3K$4.k{އ4̊ ,4JC *.dB_܌JXVТ0bX#\+h9VGK7+03V%aWtB}|ɶ%Z:^~93EpiM0qW2G1 ~quiKc4 cIR-ŝA0vHIA_1luYTdq3VY&ǿ6 bhFc Ԩ[5:֘dį5bI;_v1-S^gK_K+=l XY((My%|!K PoUPr4ߊ!jJ9-o\;af]CmQ!D2O[ao/Mqt_o(iUc;ͪb-cKJ5 bbkmK>VeUZMltNjM -n 9YѾ=}'Hռ#..6 X#C;q:tMoM=d9ٗ|M|j*݄qxnS텱v"<[➍ak( [1dZh@zTHl<6PR'i}J!}+pW\(<'DJ IxO_tH[̓.WOOҶ^ѐŧl?nYK6%SSg„Ɗ-0\,hjPܣDG.桭C,$5R/w)Ѵ+/q3ߋ#f-: f9~{Jg~yҌ#*UQd$V1thÈ iJ-EA::=,LeTĐtw|eaD)8ZE ,Ok"LtmEs-נ:@)\Zc?ƒ)`>l؏.G?Λz<8'{Dӝ1^)9-hVcR>S!\&H?0[\J~i.kGG'*̬. X^pu%'5-r(@1]6fOW?~qf.4./F5߾gE}I\0+)ɹ}B/owx)+ɐBk-`@݂ī/Ptӓz ymlrG~4(Lv - VpT F%k y= PŞ3 1qR?%@H3I4XcPǛ/5Dd]~߃kz|^bkx9D}sʟ?)@ǽj57;5ByK{pa1(|/=ZۍX[n#[[Yv:}#2xtW#Hknsں48Q4&\)kǀZК ^~,+JV>JKsiaQ?s2dc̛$jn2<M϶J~`-בxN_By1pSHȉΙq%HMB/6*5߇rG,;;}$dne0wҲv_pئGn ߎ FEQz9vڼk {4,{P#>a;oֽӰߥ}u9"")w|!#|N@mjvn'4&|W,#V":#%;m{j$-S&=g6^˟eaa2T ͠F)SR]RJ* V8.:\8;wJQ v8grEkW5:cvb1T9EpT$8hOxy$joaQCuۧs(fΟVMe8x;XLG}C6x 4zuly};j[;lcV촍8 )z}n9g syb ^j總z!R68]*M6i[/ ꮨ a&x 7397v6&,^L^Wsy~?d} ZH̎l_7vJF/G#1yGpp3'g,4dP Aq6%^8~b?d>bQI#fKUt*͔3MbkD6 )5 ͽg͇@),UX}bggm;i__A T IA% LܫMh CSi~v a!zwm:]l(:9x1?Vu`A<NW͝o<7F TgKxLG M@}tc 7gYr7Wj 9¾ .ۣfsxވE8\{N7鷂 Rtjqc0~طkM>97y)g{9j/K *! JrvjTb;LCZ+\X_$d'A.Oi,[N/d:mb5WKFx"q\Fac#(ʆG/+ O CQ2STW(!w'-Xr f\7r *..k?_!ZPKLA|6ʋTXІHx4!$t: Fhd!Rl>\$WN`6O8ĆjVc'<$:_o0Iqv !/nIyﭯµVNݨ?(擅K:b;SE;߫-s o=i3~L5 a)qMy]{&L 1;fuQ'fNg"B0ٹ@ǡ<㾏,8 բ;|d CxFTFЕmeSٗXwP TP[yCOpN8guZE%Cº\v*Si״^X]TlN.@QqgOτǝOnƮhnURRhC_n ĺ|̥QQ3z$1'Fi9ȗK$\نI7TViVCS/zBھF>]yLjnv̥"+ݹث7O8FD7U@<%# 2r?e =S!C_p2 y7_8pn1 ?DG)&P"K\m7:0gAա\!o/ya\ПkӧqޱXްesTSpm>t@"Y*/Bi h­UշK~bG 2_&d8~)T) %nV.{RPAmQ:n9ZVȇqe29'a޹FᲐ u?iYY }ޏqk'l/OIPR mkDVԈLZB2c񙍀ۏ.Q_%MJB]X5f:a)U[`JZ u{OlikSکmi:eѕ*٥G &8FkkH$~SI7އ)D`O.`S̊B[:D_ʿHY䡚ŲZ4&#+{(jx?L yyX<ɍ /+a@;IK"DXجU 9=Q@n*c. ad=t$ThFP7,|ͭi>ʨ?'4>}:!3ȄU-b9[Sqb@r$v'/<3ogsD"qJ0w+*$g!/ŵ\%wYu)[1AlDfW`MeOCWTHaš\3 / !Ɵ-1Ɠ.wE\,.l "+/6ޠMyQ+>&T[d,WnXl{^#h>n= 7G7 n2hߧO*FCjL--.ӳzyUq}^&Ym>%krd(mcBKݕqUSOr:+4B>,g*nMYB=k,̓-+ HXqH* p2PޱʘhN6X|G)HlXOw)ῴU A 5Oq`sZmz1oea/R{U~S8%c;1nJ%~U02 $GNY=$`gl]$L2b@Mn]d\&1|דz)5zWWvY! 6/ "+Nl} &K/F!cg;u&)I(&{-˂ϊ_ȹ^A-M_[Tlbh6XZSJ}JR|:it`5V@ ޷BJŽҒ^.3 K[$Ŕ=0Md;1V+ަ p`P2߱Ԓ5WgPpNybs+ 3_7c[#*r8D1UZƜm30-`-;#5\%K>:'w!ψ)}'CGU ߫adٽD :IhIדBV3nDzaSdKBjs4W>mxVR(&&Lϩ!ԪHډR vڒ4Íl@q9gHAv|泈EPeYZe'ATt6,΢:9Ĥ1/:0ILh{@}2!bpcx.T ,71:C0CB{T槻kDwYu[3A :՗(qPӞC=XTRו07'Y`*wz18yƤ]/`pcn;HL."2 f?. 3{#D2LUc2"JY [ie5?q,='*sa<^>TD<2UBI*dΉ$+!vD`4wH`: 8~zz%Wy;āQuD:?Pu f=6  x޲)Wց5 W~!c+42ܫNWtxs>dZ)Xh/d=8RM up'Qٮh| BkMv({xwo1fcms瘟^Em2 2PBkD9US1uy 0U%qlFrKM]X|uMi;+«L#VDm/5 )jaJ>Js4/ ¯3$3viF iv#Ekf[[~*{BѣMl+ThMiMAH~4oא6yUԔe:m>S(VoXaVd@B;xP^/!Jb.9ffEE|w&(nƇ:PvDž/<I>mR >w륊]4fDž$$ r*w&ta?Wrv ts.eba%|R뽘DSh%IJPdzD\R!t;Q@7Yp/*=ϼBjw>!D7nC1KE_䩬6Gcݠ + ebYO8D0D=K;s%a1mł'DUz ֱk_%֣u.a+`멍{ʟͥύkS4Ҳ9O0qFK &QCAyrĔ/+ݚ:a[]^"s5!G`+:0e2Tp*,TVł?+hf7v,]8Iլfڪ:~=:%ֳZ&x\75JQ-h "qx0z^4-m5= F>HOR;䘯!S;,&0\?PIŦ ;wD8;j2Ix ?{sh'Tp +-˖9YcRḊNΜhl -R:$)1Y\e0M5S N\7dh ?%Feb \<:&ٷLѕ)T tmnfY3%!T-,?`=]ixvK}`an3Œr]`|_i+NJ &p`s ;*ơr%)ORxpPezFGL\^k9.0a?^"yiG믲Q>tQI+ >zKص~+n>iKJ]|pJ#aGq?UW 'լޒM$)m7`yv5 (P%|ֶw}1].xp M!12n=%H"z,^^^GiˣZVaORЙ32$JC_nl$Pkc a,^mv*/h8DTJ3tm fUL4(#KO ϩXɕ?Q/Sތsō"1_!"<~\-aUN %u^JD=XzOm-۴'w8#t!afڙxPGkēK gS9$G|~NW)?v1 Ic`T7mVͅrB_ʔ>4f0] Hr 6 ArZzl\rA!}dǺ׃"WaDx2\[MocBc[YfPpl3O12씘yWc⤺Ƥ\ȉC_х`(Eoe1[c>-ǤZ{}3L^ŃלY)EG+AE>3)0W@w,Wѡ{I7׮3/(Ne6ėըSHoaEM8QbH#7NI#=m*T*̼d1!@B2OrrhCXdM|r4yCnHhڔ*wL#G)$E so9շ o÷N#j&*~){b}:j_Wv D4I-$zw$B c{ZĦa#XBIW*PW%+.RL^G|cj94v1Wc0t؞倇 $ c+w *wLu[aSM8S%"x?4gЙKC2x>sqꉾQ=4}.kc 4ƜjUlqZy܇S.&WU<>i ~twFZ5 JnϕP8s^w0[)SK?Kt=6a tٞ#t8\o3 Qo00ҥ/U֠Ai5iRRX|7:@"9' @_I(^m|+/u{ap<7UY~bs{Dz&Z3~&G'9yh "R'?9I))D9R,=}0[)iH1#ܺPO@XGȄNg~c`4{%)]0"H+\`#)Z#;񞄘lu3lq 4$n}T]QYS3,G%ܷ'ª"s^ et۷,rPQE%¥TCÁ0(IU% |7S9.'|k9_2 Dzl̔YrMB0ͳ)-_/|(h32!yJo|=#|FU>=/JRgu&9#g/#˱83vq#NqIx4ڠ oLS4% :ftEm'CU4mN?qbM }M߰$cs$o`yo~vE'GhWz-t 2kytnaL6a̞m -,]jn@s$kc:sM. xfdu2LRÂE_0jV(F[9 (W?T_Y zcZjcu2VS\*mpGvXJTdZX \zi5B5J`2*GFb^Q,h4*F0nOhۙQ*\ ^\nm—BH^;?aEK2T|h .,RWl}ɐF2YKE j^g:Rkvdπcx <(@Yn/>/I@5g:R91`Qn8-2AX٩*msl8PMkz:uZ@Lf⊷ړ{$@"cbPhgG+B d跟dUDE-< /B44aį(8+`s"i-6A<8+īg)jv 64Հa:2t +2 S{im}[Q4i6t\-=Hʾ7.Zo][w5JVR&clzIu+ʚzưu}xdpp*@l )I ] j[82h췊d[&/|]2e* ꊞ'7-dⵯ8کq4XF.78;+jrƺ1dBQYIh^-vIwQERBvXg:7MJ&6]tVR˺*=F+)ZU~jh@z{(@ɎzR4!-6dV#Jh0m5S2.Qy gYT`MU{h{ .Ty`a!9ΰ hy˖kzqHzdkɰ2hcV287ACYKr{ ķ h7C()c/{#mpׄXܞ+aaf%4j.=Ӏ[߉9g:NUY6-eN&iTܡMk5uvU  6o!;FoRTIn7Ñ|l%t?,ZcP7M; b;j1M`܈!b?Dj-UX2{]mGh۵QWRm,:pO 4ʕ#׭OLu#+45`0ʕ/J[1X+X!3p3CP@*7\ro@oUHNY#/;'@H5<F[Bs{5Q<CD "=\=1!/Dm*'_˨.BFjp)+I= mk:NRiWyuGجNOpv֒m4/Qq{]*=N5 dJ;5 4@F#ъ:g`1bdϢJfĩe_h77->pkE,œ?e̿up!~e~;5oВY L)oѝ[KX F^7~ueOddk.r.) P⷟ZÀ+Nы͟ƍ@ȘT݊˴ !|h8>(z0r \_ i&謌| fvwJ yDB#r]_W)ow#7h#ZQ0LN\1i}4xJ`*SE =d;ZCoc[H0GG(>TEX|c)&S v0)N#LT޽\eF95y8[;DZTO+Yt>B/+< j1i~EViXvܠ!Z*k;Eb^2*þ/iN LhWߪM zX`vmnD+2%7i7Nsn4ų>q\2$ۥ-$#i^a`ն=rqe.ڪ`f|Qee@Cd&>J:?]m0n$YIEvj/0Z>G f~Fo6~a0M(` D|k+ uPD@GDu.ʠ(!v mOhxZVS3 9k:Ph!j0cF)I2?" G6$GBdi.X GI]6b,C|&T(\ִG(@':%UB׫G=- Esv-Czd2پi{y1)]v7@[k-!wDmnlU6T f-衠[|@vV9{2#D4{FFc,1#B?,J~g=ΡR]˗T06Ʋ_Z-Mk DԳ[B ~퉅s.DP@(b A޼jp$l I8:,scnǖ5i8"sȫ'l);+l܎t ӣu3/h4Z Yڏtsɤa_e摹Fqw4W<~`λ?z ˕%S)|DcC% 8:H> XUSEXG+ĺN>N2]M6+krQj8BȸwF;YnZ6=B;xʛ[ݰmr^/ITN=7=rg/wJ#ȅM@Oq )融Cv;YFvNԑQaDZ%SpMu B /L礩Mўcc5.ρC!L>QKܵrdYqB-2y{(K,<ƭZ\pim:Zcg (U##FTBiHQ}Nv|ߑ!e6W npR>"LE-rRPSDGIZP19 -``)9tp#+hG7]Kҳti܃y\ƄR6){?H:sO{s=:>99*q#/?NL;9Mo{ kxA&=pF=Z3y0OLZ܇uo'9]uwJz`tz#MY6~pxBGEhw}m$qZWA!m9[dYj/o3 Bb~u⿭q#H ^iJ 0թvӿ!Gk{Wckk Ϥ{,]g|@' 7BmffK0=r`s.^OqͶFo%̎ă[9h w6QJhG5B (zB>>KxWс;[™0V&]%\<L9F%348d#ED.4X~&~UGټȩ pz̰!}<a䨼n0<.Y'SG_Y{;EJGc ܩDc~s|sc}pUh9E tVnH?K0t- X%=Z*Ъl .P˖>vC9I[E9xi9_2|rKKz`]ۦ"Hg3ZS~򓎤nJəÛR=쩙[q MjA_-4pcA ٸqvaMgk>x g|YoѠvVcPU]SmRM 8p98㕳agTmʂnXWI7S9] ͰKy搴e|9Pfr1vA[ ׽Z7;{(uO_]^8F)xj4]聾PR.Uu97qtmy@MZq=p*s67&UpExbap7='5&M|bI[kķ )ͻtx' yV,; SrBmчw֪^P.lT~xe n=Y­Sqg3w~ *$Rb$ctfrn>>~rK.rF-LCY~y:72v(n$<Ҩ8-˼مWjITz,qt ;G'!r5/͎D3@?6V€8V,a!TQʈ>1ZI JU! \Z~g/B߳NPΩhW^m0f+*~Nr.G(рf)yy zʸ|<ӣJ !(?@[EQv0ݏ)&.ŐMJAE߂NXeZ㔞(cgr lΆH.y,4@W g>%UnP1mkiⷎ'?yq#dާ;m]Pw>oҞb@,h.ymh{#B hN=y8R'eQ@ BJr/\:|ꫳ !K+a qrL9踊PؑXYU=Un- *īnqm' _M:' 컒`1qٸmL*EWuጲ!Q5,/`ޖ,TS~HS`LR\ QSF" ``XIy4 #$~Oy hW4tyxNXU}YY4r0" XfSHB- s\Vcbb}_mچ~I M؇E٪>OĖ){ޏj! O~[uҺmK(o_i>ʬ3ڤ,J4CXu ;fk?(D*ZlP=°G~#XT89RC?`_KwC9"=QjLy4-o^ `xTKbm8} H @VN;2]iق^xSL ,3`ٗG-1/b9/}'U̓5ÔV=1X^|A)c( rCN:YgĴ_[|d5>0Sd0GC8vw2N2?Hii][+ &p<ߍQڃE5'w~86ΠQ;u6ι{ݦƺ:bJɕ}*o;PȋWR.RzfW̝[L E]sr2l O5" D,oQD$߭sז+)~}aN.-q({fJFXWJ]֌UU&z^kڣ E nirQ"R(6nsɫ5FDnGSKH[T}rY 'j%^C 'r@oe:ERu͟::^!sۥLd!8!^Hަșt7=/D*RWkW70sd x tP79dFpN<~uՆJ\ $}K^hۤ39BmI~d$rhp|8PGsrE [>tOtF@ЩM yh.N  e5AU%Q iĺC0/=+֝2C\Z gffl)4;Ǣ`Jt,wo&vڢ[t5(& r{l[E lS/B caŒKKOP,f !5y1{'ʸ+&(U>b;~ LoqM8C<5SJy"aw'K(g-Kv8Sv(|eX;))^iK+{•Ab-e/@b4"(`qAlj4ܦs[x܅nV f; d˽C G쎜#/`ї۪'@ W1c,]t{A~TA(6Ot4(!y (<ogA:3Aף$$Wofz؟ћT~C.gV#Y"o86XawXeMlM/CЇ \9vw% 8TӈqnzcmiO-q&e ݨei_`G xW>2ien޳!Mj%?"'N H>2G"%J!,vr5ʂ?*\nl%#0e㍘aO~m }@,O/;mO`-v0i4V-Swv!;}~+r0O-3bPbd꪿Kf:X}Ԑw bK(z Ǝ\M@ Sx-$E$pZ| `(eMBUxWov&tV==x,(fZB<\3p 0CƍrLn)sAA+\uylhC1>v_rT ;4fa&}PJ&nH|'ۡ-,Ԟbdx)#0~818$#.ݜbTUoVDV|V+G(S 8SbKAtDm8b=h@Vz4ۂ#Μr*є%^~~Vw]1L\:) k2\CsxWȑg⨄./~g bVjյd8R [!9 VP]11< 94M?zzVLF;\'աVж#g=D-6sQcDD 8&fUJsle2`<8wq2~XAɞ:A:/ݒ3xff6pqRtNҽԆ7b,lLF':PRZ]9Њɂv >*0 %zEOZ(&GK|꜊E'33W9󤪏TPݻ;MlPL\D+oy3 W8)"Npg[̯@KL-1PbDbKN5ܙs\͙3@YpX`QҺ ՏNaKun!v{66=ih@-fjP<8V>v/*ՒOZW L<+38g܂>FcayiUo@P$\o&p$^8$8޼t.=`ڛ-W޸ۚgX(ҮJVN\x L"'UBy'E% CD̙'sl6{D~%9 #j( [UvSu=سښkvs~iJab6|oK~\NF\A J).M\.E\ Ei%Gʙg JvHczy*|OkG:UMP5a(}p#fR3 "`lZTo)\)g+Goً}ogWla#`El4p mAy?6fd72EО\f<=EN&E\9ATgpFٷe(N.M]>Au}-s@ )id$~0[FƗo/d hbjQBMS.Yn\U4u>P²VS=gvH FrH` S1`EF?oM/1cN$}#cǻQ?bW-ܜT 3.^C-׽s݇yg2I6,΍ـ_P`r\UGy/8d.6gSB1/Q B8`'źZfQk=mM9uztC%& (!֩"Os}G|pp0VUdžD+@TWiN B =} OCw5Z95Q>;%L-W5!}NFgK^pM.e-)nPXbj R)aHJ7}5୸'s+xĩԟO[{4j}yEjX-Qh3kLyÊ}*1!ODF 8HStD2}?猆, @%@Y;hֶ1TȨ8z2"d1s k76 nI0]D:ɲ[m)J=(_C2񩎠+z͎U):\2ky ։u Ps(soծ=sQ(UfOX{ό,o^晡e'm +_BjH̵Fq:0ʪA' 詴Bf"W_]w7 6\MfKyA`]AiYe3Ö}|`/ܰ=ɒ@x[O5+ƗM%v ~ԦOBRk}qvXJ$&@ (MƯᑣeUEi>aEi0>ByD{Q%C92 k;7 2*vFJzIlT0yA+Dy 2}kK `hi5V~0m1DOiu3>l->kٌڋ_~t!4H4; ժ: HQNYV#i9ݓ-G' 3IƱ8fKQ7E"cô+"]Fv^wg!EGrt>m[,{qv\!r8=! z$?-?[4SX<muAh2zhE~m"JG--cS!ZbKh㫬ZXgjh'O[LuʿCQ>D@<"eQA-;k~!b1WTyxAw5Vf-Pc+*}n9̾j]+_@"kmxT@uGDA;XA_. b&jn,kR3VqF~j8&#C* Y yaCa@oL]ՔbQoF5wMrʠS}vupXZ-^۫r\svֲ~` ,n13ފ=A dNeiے3aLm +|쾕h ՚En^U[P |erI+9zy+IQ!d|And(rg?yG v0 #ԡZ Fa"le.%4SH.BfN tYبVrOzq$>tA`skfkC"jnԀv-5gr =md,K9*NL T]̿x!bWHyO?3yUE&ܨT\҇>F;sH'+>G9e:CVQqZ|p_YD[ozVn"̾-iZk#:8_gmo2-J\,!ϳ#NVK|j h# Z*+>K)ë"{IԞI<[oRb_5y=6wvLz̜dRjz#-r4=t$I;SNsp xtly{vip_Jq&E@CX%mKg2HXЂc;gi;ԗ4I)X?nѷ*Rr8(׊a' a)1X,bo29%LNY9~".T+/&̮䢈,X`prezn>C}Pgs|KPKKpj 5 SI ԇv`ŗ¼aDΫWh c5?U%QjTDŽ*tѾonիG\G[SwYKv˲>c`ijU2cfE45YcAcvP2[ج D+ P@hLO:^qds#&QYhM[KNRs/.Rw!AVĎScq/=[s qKM6&xAk}iޑ ?& ]Zxv" }Aȿ\-61ZiIm~hZ9 }~QLv&p32QG|Vs(wCDP.EIs-2\d HVA|JiviWHZZC{Jnۉާҍ%=Hgٹ}pk0s\= ~goO׬Q'#] |66}tENc .tL''먎I_Hg5 # %xqtR@_/.ӰҊ%ܿ z1ByXUt/g:1zvKɪEjQvc1}n 4"L͂V$"H'! <|Y Cfp\n#l :p̉F%\$bks[(~itNO.T+r3HnmD@MU]ArFwF: ',] @Y nňbM)yOw*|n;nJn/(BpJwJۼ4Y2>QhtJ),C&U9޻._+DUe #:yh&SY:k\)~c1i:-R"ꉹ$1c pH6}` !l /:;G/qٳ7pEo r >#k)|j;A$JbMGeUfx$gqYsϊ"gSI卆qLL:w@i+"8ڝ5T\ÊT+Hy(ġB\*}}{DtK 7Î !df?hJ/ŅZAkF n1 tgH3R:˵T-76<X!Z\^ne(uaݐ10WVN)t8P9 M^gxm9+G(W6ِK*%o .panRv2]ẏo#B@a r<Ljwf (MK4RTI- xpb%I(O1[DDVJ`$/)PoRi1r" DfIGRA$ ʖSM`k 驄Cnil=鲢;gF˗1TbRk b -Mx]ebM!HҪ.VE =wKd&Oi^|=ն o2 T,6J@T]9BݠW_`{Sl 3^0sTllBc~̕K~E6uQyO?ykUmxPGr#pJו] @Ɍ}tW`1=4Iezy!^lFN%zw]}uRId0FĻ=;0泧F S +zwS"~xJQ, j%ky |b uArU.@K\C2gAR;kMiGR0|gd&ƍO_I$˿8C4@Э+ckR jT~ mΐTf9_`}N~b@M1VEhiڍim(RρC73J8 wkxKol?PPH V !壚\c{v#Ө!IG)p IsHw~;WÒoqŮ<9p{&A8RJ5)Pǧ)<=V;6MW5vEs;Rkʤ &ZgU CnIS|u GPUrɫ$-*v?3GXH˭㨈(MA3ωWrPJ<z4췧FBnmHq 1.~y dK`h{zd2Dq=خ3RmŐVRs[h +2>]bHUe%%[q3"lF.́IX9.|1 |LD]d; 0 @Wq絚6. ]WY l &b (%H_!SQ'].+_Db+6F0EE Mzf pL&"&wZT/gӎWW5zW*Z·>T'Q]qKD\Ul_*avCkt =WFD_X߼t>d@E^D52xr^!F IhJ&i𭑱8l] ٶśY-DfjeXow9O{?_ey ~愾N['Y2QA(@ uƂ͟i͔@9$$Rg4\03H}֯F#fx{-{ZbvLSd ǨJ饏 ]^2< 3GTʅb jnIyY[F2zS뺩TLDrUxZ>00,3[(;`>4L?ş=08NȒӤ5{Zf!bI/e%֊BXG,͟ûi~VZYWm0Ш>$y@J.363/ׁ-o. %CAV+Gܧk4);~jRI,=E4LФ+cޣ1'E'Ð+n?SeGˁ&xVm(F*q9%jPdss([|?9h *P!*:6@ GƲKzNgBDo^oGkQL|{%YHKsN%&GI2 Ljȯ݁h51y+[B`FhUX<3i-Lo?- ,= 4 xf~cd*o=I(>z/͚3LrxK3Uk<>&cQ*'rjPB8Dk*'E :^.M|yOT"tp+7ؤxUP@ V7mqAA hZ_6 `==\D -4 RgUj}sIέ fF Itcޅ ~ \wݖ?q|QtI̱ļ'?K:O*Lu~D@zqIX=P@&T,o6fK/?7b# (  I.53B%*ր&ңە{IF! د, =AP#uH)wx(<%_sp ԑe$JW+iE|g< $M sȋm%jKR6L0QIWGH“'L; s8Ʋ{ 各%}=  ˽'0,|~:͒s!z`W|WL>ʢR!楱!aqQR0e`L3];4ڦp(2 _<zU8$Ԩ+0 ]kD$%Nz\o-=Zy LR+!N.2E;LނAZP)c_RZZ[a5 we9Z74UYᤠ:;,'SV? [)ۅW̵%%)-(? yk݋{#SҞ:E 9#bN/YDÀv,Ù,%MQSuRFA6UǥO>W?U%#mԈW-)[7Cb`L4ɿ@e gU$7ZMc3ͬI mp ⣁{L-I;fnm%%62 #BD vdaōAtU{QwC)D b)s?$@/hzarN\ШZ\{/Uyٝ+!Pȑ;B%ڐz"A\Dit(":;v3o?+.sDүb.҆&$G7gDQnksi>o2P gx  "}kSlں1lj 1uWÞv".A_t3Zӏ9"S"Jfo6Jnd Q2r8xsW/j\KpbݰjP/dA\=}h#< 8;Fh+uU٘tF@+-]E: V j+Ipr%Rgʍ?ãyr о. l+Api 1rh60-˝f RD"])IWoеr6+s)j"n*'KVEz[`ٷŇ."fEʱD/@ⲋԇ3%T3Ofh/wծnt?̚7ýpۂ]{N{Ť՞jQKNӉ%!5/|+(7sEsP 3SE rGoShzT0odעOΨ)lm:dƖw߰znKLu.ŻQo@kM>Ee.Q08/UIPMu6r?P}u=p@m)VVr_Rn[;@}*g[H61YTC#]Kؘۏf!i[7>3 [Ο^sH,52$ŖibgdohҤT%C t) FA 2qӼU9I89YGͻd*U=Q)1!X/JC+fWtVLf?hGZQBr=G:ufCN٢lQK< m R ~%QM0u$P/NJAGLUJI^񽋥*(z\uu jh/ˍqHvq,ęDHWV_4h?^4l9^ }5\@9&@TZ@Mv"-1تS 3P1p[5ˇaV]oT1E1PN\9Qoh讽uPt2\pIfjn|J&+nPm b.ܫX6)81S< zWh8oMI箽lScE.Q*|DwDc_45m==#)Ib[ܟ&'3Rw)]zr ah̩?-!rQ4ڞyʃ\xNXqߪU)Q?}wOflxCl܌W qrՐv9dQ5Cn?iqӏ {΂#5QQ'bO(פtгbg\8>KsP9";4^L)R;SL-6 ҇ly ˆ)!E ]d+)"[&1 [h}1]%γ8ߝ})?ɀ giÉbSya|s-BAY_TrL OW;*AyBzSR$z*,mt 87 ݥՋ!چHx [/5>U-pM3_>ӏv?jM~֪ -}7 dWI[rdEBJƍrC2Vmw2g,!A|%,{gB 2H_G?QpidžwgQ ]CSܐAxlX]mmh5$UȟIm*z`/dҴMyK3&dݛ0oOr5woq+ā̦pc6O-Uαoː==/,P0sN'fnD/Dh0&n:ư ?ii#u :琘TEqъC j EMz |?`:rWtYUd2UR{9aXQAOJ*}F䎄V*RYMr$pLm?Κ۱XP22P[Bi J 2H֛ĉZspZT2H4\ pz Hu\W+^~NOkt,<+1,!Lh['nLgp a?sWf̐3/ϕLx <w ֩[;x1#ÂxT=\y9+]1!@ 8ONzm\ t B1t2L0¹b3eI`7i]AKW%:;FkVy̋] -ʓaS"};sv0)'$OCԂAnƇ}h BO(ui5=ɯeܕ/?LXY4"qtfH㲵}Pz,NW,b+"Yirgt+$f5dyԃnJ!;*b$3tnW w'B]Zsq2> 킧4f|m c7IΒ^GuQE^:zeN.;w[)^6/iQSm3"tNn3-aD6E[tKu8excpOy"M4siՙ/ͤ#0G[n)̦iWd#♎h[R%KAVEOT*5JȘ/7ǿ'ti|o2^NSHgnI$_x?ztq5,^7K|aW Er|}6h?[dj@@';GO) zxys؝%I$7-l5 K 1&eV[d/mh^|KY0#ن絉TB65M{%8c j%J@C]%)c V϶c^nn"au-@OR,^2Rr 0@8hcNu>k_w9"1O}tDg9{h ~2O;fO\s.( W}]\&۰ 6?E Z~g|I/C U}yeSo,<+w)}k_JQZفpoTqsgXG*7ekA/UDQ稶: AF8wƛkqpm3ؖJ@/tU*=ɮ?OF5&g29m`?FwRΤ8ЂLWcI[@V#^Q{Kr mjT]0-WJJbN@%dʣ3ID %ùgI:eYj J$,OK+j*DP%~n*Y#_kct;&ѽłqGS`O[ɀ1)s= ۪\n= ?ŜNy70pVx.V<ѨywMu]aϳ";oݙɊEds#ߕgQR e% -nb:X$Say$pgk:wq p+lV dݗIJ1ߪ ]1gkӯlDf~CƶK tC Uˋ" 0 =wTZ>;8ݱ`@SmOUwzsxgsxޕђJp NkO9E1V!F8l3ZvxKo߾3!I>jGd<\dtI_kp}܏!Qb(\nj(i}˞yyHZ)3^,37S,e8F=f|Z2*+YR2'?D#¤wԊhBH)YO(P?cKp"fINdZdcJ1$8qK)8u~Qל*:g$JOF2Waesp@B唍{n9N_dtE"ּ$jҫAjWTWc=_I\m=|2vPٶ')$)G7vC4yr:`Yٔ$&v?(s\P{:RײQRfXipzx2jVENo1 ltOIbc#o|2y/y]GJJ $~`@S|`0pkRTa&/&*܆ٵmrw#z銵/7;sM ח,b_\j1(f)eU{aLzO:UIGH}B}J1:<8BI6kiLvfzD mJ F4lwr˫|lL DL'?-?fW{ƅc!=km.j,H+$8Jx}|ᦎ>yzYuo+ZLĊ̹ԗ lI+, 7f* `bECim0pA#"Nj 'Br睟Y>U},+Q&u7G$IdP3ڪ=SԪ4ٲ*3KAno\\jD'Mzq檚s6%;H ;K2-zݱ77$nh` Ѳ\;.ٝu3 ?xjeBėI׏k@:J? Cҷ$:xѺ)nUX|ҋ̾GӇ(FO1eYP`mZcbP8dukUآ X Մ `3esNO7, 8~s\@ V@1/MZ -Jv[E[RJ܏[Z}Gr^c;+4<6Ws[KR.O䁚\.^ַ\.4/5GSBߋ^hrN8^T,W:G@ygnSY gMEA/TY*lMM+u.he:y%ɍBW_ѪC3EKG/Ŏ lR3)4,ǥk:!/ucJau**wsGn+l:`F 4.݇ z弽MP@|ClfGBPԥy(g̥CNˉ&P]Id{=^츝quXQ!JPYoPFhhF(?g?bGa.f̰ x:w+,Hɚ| $8ޭI|!Ҿq~f21 L8 vC|.d\y %`n.i:q>0BZ7H%;J@1LJI*;1iv@u h{L#:7lf W y[ulSl?mȢV^ ))Ɲ=4*&fD,6) `=pew媉_Q긏 uIo܂pA+52yqHa~H -R$3݋mrX2 8@qE1u^·,#HFuh t;M35\ \ 0_}MLhaOnF]=V,70&_ Hf™9sY~Ң||t/}-Mюrp= fE{ɑUf=mtYYhM8 h~d`ƿ'[!7'.*EኲFm&ip )gǥum }rgUG1:/}{T: p_}]*}5Ea }TUd΅a&TPeF|{I=PT3[عN u+ l{V;%.%@s_R4/?ky 7m}4=YRՃQ3_ݟ"W.8,3/!ଂi)X\Po!D *{YEϺAb p XԫW)|(ìEWM h;Д)6=WL" ':BV&*ӓ5&슛>ؘBNE׷Ø\`؇d^v96VCҔN,䐞:_c̍".s!%Ue׼\v3rG(-A"tD>VUX *mm1c1NbyRdpZ[S^"~3G3@1X^5팱&T(H,%tC#&^d,[FH,!|n+!\ӥ5~'69(,ֳp/Ī̒Q;4dQogP<tߕ*>m+{0;OzbJ~c|xNⰦu5HSmn~,Z ؽ^IV~8i'rqeB kJN UJ (>8ˤFG2fpt#ܜLNCru:pd*4f۴?UC׋$Hz$BXP"}0^`0Z?"Y žDp#I=%-w g#.YGvʹƱ.>:"Zo,S&jͮªmwqM+W&s SI6>e^D%V [Q>UGF(\ ԛ䝼$*rFg })6M~7cJP$Kev1pT:5ȓ)-s] f#a>H^+_&BUu&kBMɲ2umuzC@f#Twcm08F)/Mf(JnLh'}̈j:^mnlMh?gBPKسR_Ll`&oARѡly0Jt$__n,GJzǑ=DO< 쟧e ʡʨR/5++Wȉ/^lvpT/m] *WB|fWGn^lՎMS@+[p0v&t^L~LF:f*3^#D-2'q: 6K\Y,@ -MlmЃ'?^wH:\GJ)ޠT"I}*7)4>@C V!fJYP?  E\!رXhT؃ p)2=Ɣ2iH'0 j/$Qj>6-=l(U_7M`ɮԘbCv!䝠$JEԵJAMaVnG}|7LbSvV&"uF-EʌUj_ ;\mG(p/X-7Pb,0|Кh1M);:-%Auܹ..!.MNyraU2½un ~ Y ͹9=^]#ƠX'^J^SWvp\8G3nSr,m&#{/H E~aީD"kh ,V ɱ[X} b$3̠}hY7*s3hOx6 ]ƒxpqqKR8`*ߢr㧆=l {7S|h&wP .H]OhhȺRtM:'1e lz=Wܴۋ򮄳1 =sio O<ȗvm&k9s''v:>9E /ϾT}'734-Wt62i5obje!$mNx_U=={3:5ʯu3g:tCk[5>uI^eXn~^*Y#G3/nӬ]?dcŤS>6cGX__&H"&dqK  /C+GȕXAjnz8a~F(c(CɭЈ1xU~%h^8/"*7܁)!+v ف +1ۺZ3jcAL2g~㮒JR,I^v 0"`g":}Ce M]W5G Z`M**}8X |qXH.3?TwـRj.؋|S@Hϲqh](F(u P Z"x#iSKw]FʺZIސ( ,X1#fԾdn%iGG϶a A䔡#! ! %%v-Ң:5vrE~dӣDʮqCYM: YS&U {(7qtu@U}TQi)1%e;N~9uZ'>TM:02;ѱ$ Q e)=L"ӐbQMXRBg "'}V ѽ6&,4cAAUц:2[Itvd*/Vn?MS'"UNCWf>/*E.1Ob+ȧFC!MVIE+24Q1މTsQA&pq1X;XB{o\hN%P}DRSD  w4ȹ] s8դ`^s3$ 8'21|w1A)R`)0~1@۟s\Vx{^C,谿-E'B'@Q=HZ g>ՔV*+bmHŕIH801 n'd2|A1jOc vMЌ(B~${(Bdf.,+*eEy1Hlz&I+eG3Kя8ʭ[{8,9Pjv0Ʈ.dM_C^D0$ /|2o44&B.A])Mm[^(i} nOksӄS]'ݗDGmݛPÉ5; QM!v*HvhA*.~ZݚuCEdI% :mJF=J#tny1C-iՇNLo ÌE-lvw|Qx$iȲtN4xXw^0BM|QMт4Ģ0RJnAx c+Iآ$ȶia/ѷUᏅ3T_D@5 \AQXG~ JuezcY0$.z~u> @~٭4Jbvoh=⭠4m%(ΐ! KY3Kb*ܚt TY׃-/[·ĤP!WIw}5;w_}_G35v{;(?:t's9$Z6UȍShD_gfL,[gozl4̸N:F>+#^%GYE@IX(|o]9HMIfFk :D6iWy>;; tNj]'̘h^.X7d".Ѿeg(>(mx"Q*#h0:I*Ų{9Wܫ[}6K+!;dn5DjBb\m5'Y) E:,[U]A #-,8LD *pɾ,tT"Aj(\fkLJ1O-9y3*\#X=eR ތ8FLU}uC*tRaEoWE I PNHf3TH!P?,;ųY*J.llzh xJl8v:),Ln4l_cԙBYRQVx=%I~4dԚnwϳs7e/!@T6t-nvധK%HMz@@~(UrjBb&A䚏z$;Qy }вo OnUXM+/ GϬV_H|{f^#utU>$?ZaJ< l>uAL%TY~V9+L+`z-D_#.=";©&iNH"ޕ)%im| A2k|"Vl~*W^&ܭxc^mBuo%67c_XPfÊ{5|o8kZ!3`&Dry؞8ŵ솄c]_[թG>`G+Fbm )}܋sj4˥zOoF /,[nޖ?zWhxSK;I"a :{ƴ6@X[[ڌ{zrt -7'Qi%Yݶ%6OsB|uASEWzk"`8x^1LB_-83]|hR83idDd & D;*GAa.~XL<Մ@y_T܀}ћхr,YgQZ#;*r OIEN ֎}R|"tqLoMƝT\roVsrZ3S|B26: iCnF&z:\#}@IR$k3הh깅Sguݿ{E/'uEc7(S"&b8<[,jIn Ls`ZBU@Kg Fj'*^gAP \IJ.d(2*֊LKI v΃V :T!Fˎ+vE_邭+ٴ[V\1/dPvՈQMvCiY$HQŌ=9=,:܊M э'$J-zЉ@r+򦍠.R40~p}}b7=Z jzk1t*{nH@DoG 3zh颼L4|ZUʢvX1A'=͆=$L?R z#D d$m-d~zjE5C_P)kYl!|h/Y89b^F_5Z^iWU P7HߡcբktY/P|/ٽ^1idevfKg_Μ$|| k2ϓظ*PAV6-3+'u43ۅn5!=u6=@_Ygp9T^ʎ,J×.S} 'w%N/EkU l֒ j9NO2 usRL|tK&х'Eyh._ډϷ=q'NYx~75k`y`GƁO~85h7jTP˲;Ґ"DlJm 3a8pЯ%!b0 T">cI-$M;f'hi~:tZ 8#ݘo-CIuL7kgϕ5-!LyuEj]יی@ҍ^]t-*{g ҙ~==6 (X1F$ Sw,ŨG=cb¥*xgR8&;tʈX7^vUh|,"t;^eI',Êd (-@ >j2}<'ɤ y,\~]4ǃӉZgڴ퉓*9oٟy[O {?gЮgv9).=Ď2Th?-f]qǏj7[C]vocvwmQa/NP2\ɀ?yugyu] BE7]RgQ3~~ViG̭aJ&l5?2 29@`EPc旞,H#( @_36ة>kؐMiъ\GxTl`V BVKrW.1~WkM&ui_ua+H^~͂p5gF~%-^q3lO˵D7)u6m0cQda= X~ie6yj_{cadi:ZlӔuDx#Q[ܬGKFA[?-P&l%[CWx7Gh`G0wh0YZsV^h6'pY>zLߑTq`DH'4*bzꯎ¾Cu-J֗ )+P@]*Lc7bdEPuSnTlch}pm!I6]4-xLj^VRBU譨 h+` &0B:3W!g+^=&)g[Kh9fm}'ݼ[LOJDNU;~eWazڲ. ⼮z})QM>y<4|  }TCnN7EuMC|U<Ƕ.ʡPO6r|EǠ-E->ltNb Ȏ4 Zڱ I1?HF2qGۉu]DZA3*~D9{,c-E^sH'fj%<}&c3gk?8]!(4ʒ(ZRGGX'Y۷ ]g=H}qt~E 9;D0T0 Aء1G9`?QV.JG#vB?29[WBNs VI ` pB41]uZ6)!]l%@,cD4g=[so~yZ6^1YϊbIaՠk.Lv{e|30ͭ$VQf\-08ojP\i3!>h}óM6$ 52?BE`e|S#xZ5+lCf LlAhsr}d Zeߓ r I)Kp<I[Q'ThlG^؄d2y4}#[Q(_Une_ҵ&ɟI4ԞφB@+?j j\t yQ|-.8gCjsEÙ{~--d;BhOZadW΂JBc H+ s^Rվ ] Qj6RMj4J(nT*M@ mVXt\Xmf8P+~b5Sy6v30} ]\Zi / WkK A)aɬf&^x-3J!H48 /^BUP|{wCECIz#*{7_4d~ ň"JRiglQchU>ǕocA…3KXJRd2!y5S@>V ߌSrvqN5#gͤl97=!i>N<cBg(j"3>~G>*hݱng[(0Uezja, Qtvk PhMXD6.ksȚu$^dYMa[;!T?6:k76 "O"uSGC{j;g$4;;,`F!zc0&aXjJAy!wyBquD}1bN`NŔhdTUL&kqT+L'{Q]U553 @'vV|}ߡp?1\oX[weWvYzqVzh|25xUo Q! OaۢPXeLRBWjAKW "m[Z[R#J-Y4P~(mB9|8,5v$lzE*4jae| `''iyy?B{7#^lжۑ`D ؏i4`TUud8>t \px缷*6c!u[dZuQ LZpm|mSILBdh)@ؚADva5{n,g/ Hv(3n8ǂ&.,e~1K@yzoà9@@W;A}OJ2%^]pyxˉFM~Pn>ɀdl֕p!}Vq;Yl@!1"r01WIІ-Ő4.2-~,+VPwr*bSPvɀ! ;mB @$oXlaDL |C'/€w!"dR&5T,ՕueR.M~7팖k,%qPbÄ(BR6zzh,$7&a< // Up'83T/jD [A X F-;̸ګ4 VW;%4Eao`cf\ k)b<fX8ifSֈxMAoHZfPks r, M@KK"?o2\6z|P[FrR=J׃`'悡t63 sA':o ǚ5݈k9c -bk]dqqW~agma%93Ӳ4)v+A̦.4sdǙDG_6$ _%"%VqnS< X}ji[WD7MPCr2`ZI#d+./a:(7骧XɰY}՝0G~O8oκ>Dhd]ExuR:NQ2fqg #G?qPҼ<J2<&U#} (h}KsAgZvb"|?T̵XU8OEޅx8,Wx[eXY495y> !| vt3*&^1&+s@&ZB CN#*vqlTmEXAd ?c: 2WynB#]ӢjJ#Jp{vt]8hl/U66EkR@@fg& hNADžȾv%7Xzaƙcq$U ΘI//[_ ^FEjVh^ReˁNl) ܠ:qST@8lۭ,cuXdk?xm/&!L;)Ȼ4,mK~u[ .$uS&MRLDJ J1i*j{v3M$N-1{ʒUP?'/mF."@O;~(`p*ۄ[B[ћJ点:@ ujc5+[$%;rЇ4<{X0r-=\5;ʕed!0,19oK?D} }];sP;B׈ s>9}vacxI~)&t7(]g'A}/P*ހB*]&e`b_)g4u<~cH'`c6_W[2DDǞkDU}J5ZOU2Ax{y z{ W0aЕǥ/-|dE>d t<}{/-8t ǝUcH!NsvڳUQ!hɳ^89"2ʯ?AXv寕64#h5 `T-wN0}qrFBSˀ(Ql)sb Jn-L9 UV. Q)f+_V9#m.8so`qYJ7%ÏK OG/ٚ7G`5%n`lxU|0[=ƭҤ'`qw6)&p]ɒKS$j4&Ӂ)iǠ D62Z2XʆQ,`4@?ur$V;!?tL-rv(@\%n5zTN`X+IіC2􍓌|^Ⱦ0 8JySȘ.dv# Rr#lg>m;1Px\vcK;x+MŬPևgjZMxmyfp|` K"Xk85"P n7tצ4@¢Zqh7ĿʩLV`Hbd݋.{ɍዀ`=+1Ƥ4mYj$E3t/uDĵ^v+A vyfӪd~C8y'-6}dќQd$P$l`;V_'*kgdB"=8:af#: %f5kь ;d@ 7%}=},*5:ovB횡p/v`[sɽ6VKGCҊXR!벯_RX?mZk8Qy+ʼU5{%H S.Ȳ-FB ^biȠFO9sߚU@׬u*r[2&Cιnb::shud{ؓQ09s@BmcǰliҦF%B/"<}ob@ C>xlMX}ԂJր: ‹ga7s CG`%79`3:\%o1RV&Dςq+b=ͯ3txWRMYr~KSq72:n(FM|:}VC7 N|k2u*fȡ9W tl|@Vڈ$^{r7SzxiHi.VGQ~ Tc܂]y$80,*%= m;ij"d6W-A.UZ:\{I rt@RRC0^*H/A j%<}{+cP lK$L ݞUYn =`S| T>VAG:-}#fMůmQo5.THϔPSVH)1Eytx l9(jW yy BY+3]Qje\*imvM{Ux7jYh_f:kN2Gen\ vO>FДT̶W&xaY{XLS_O.lKnQ/gc5|MtPk׍R 3r ދq,843 JYhtwK@Wּ"e_00~x|a}'v'HS M^Vgf h04QCMT,JZO%_7c;IiSiѻ5EٓDp3uPnz_y`&m!{L̯t$@$C4<>zBR9-OcBo,NGE汸DYpPCcNHa'2v |l)[vͅ8{gaLpF8\S IG2do;O`rۉG3z{a*Dϖ; =3t? g"Kǭ= S}b$]'#آyeR]1.ݫ/{=c;ދj9E:?8uAZv»6\fպFU0jrte&${br$+L#k`uGNԶ ryjO cKXzz.Qy!yap[ӭeD""xpy7 }yv-o>)IF?ykWQ$XLKB[\޹k"HoÆ_6L!a?:K0KExoBm <x*?iJ&5)Crjc\ueH+Q?lV$\ qX6:;:B^g)VMnؠ$+^mxWm3/Hlf ' e$r!f޼"u͚<9Pctn%nYB(%_:YE)=$Gv@b!1iA E_8/1/B()) ڂZ&L3x+ (}3$u,bC}Z%4+9ོxb<-/. ywb.-zKru=q];0)LyԽ GA0}SnHZ!:HJD=_^kt:9unu_D{,ّxw8;mv1%5,k^ƐpZNF*p,3Rr#m0G0ZuC7Fh- ҧN88]+e^o\! * HLn?6yt4SEeչ0WW(dp u,Xb )aKnv6n6i"pu8\f,`V'ǛPz/}P](Hֽ7GEEMI5x1XER G;ՍФjЋ13^O- svnI+/D${%,Swҏ߭8 ^v@J@؀-xD0^pϪJ9J߻KWXQ&$WBBm">8b$+_bo^VR#h'UzA ^sMjެ>;\>^x fċ_JQ**~UDԧy`p9$z:ZW?6bz_?np@ ($$mwGʒJJ=Datg[q (dIr8%s(=!O^ ?W~3^:Z1|ZWT?˛x:Nmaێ28ҪSg`~ 82]UOT7|V_S1ʦ=ܳۄ32QZ>^$>4 @mW&XI 3ei(kzЛyqN+Ѧ)~-p^B/Se\`,Ae;_,^?Dxk._3tk-*uQp8Dt{T n< ׭Ȋ)CP aڂ̄a\9=q#Q 1|lD5o [ ͭaѝX)n{.}SYWfSaclgv/5V`fPnZb{e!H]|6W0>iݮ]dzmޖṾj$O_o +`H3NsfB3:e`|C,BQ갍QjD\ ^ѻi5޻faz eU_on_eƛ3?K]eOa).KjbxҨPK *b-528gꁰ5+T0q@gq`FpY+Z27rJ*l.P+-c㏷X\뜍t ӗV;aWg:`rWcKn1sK9}* l-%۪IsPĠO0=>}WBN\PX/⛖I /M=KyxWo,z 厾px=|H\TU- Ysbпj~3lHGY(}ptxʍ6Xn"G_2^X&'2IaWn0Ι+}3zi~E^/4բɾf >bÏ^ΫNy񆶲 Gi[6Yq?qjC\rJw#/Wx\9)g`ioό-~($w@e.pr IwNTFHIqqt_`D3U/ϐZ:2!a7e<BCC lj[Dڝ Pbw!\a:,y>ܯZ?bPk@V6 aRr0<`0My}'%OwA͖Q1b?YH:VE**A>:Ɔٚ1yEeMNfΡ64ڶ=]Q!߹$_<cܝI}%}[YREw+]:s%"jϩq_]T9cB?ijlr9C@bdI$5` w IU641}d!9%-U"J0<\:qnK/> yD|$A[ c!sT(9R aG}'# I }TMmfްb㑖myc`Tn,{a%.wW*c8oj?G&`H*յ0JE UJ.D,u4ւ^o[XbXCШn>?_!fF}АŋIy - m z+OzYJ퍀 LzU۟Ƌyy/?¯_GrXC?&ò`bMYD*W_(1 d 5^ x: ӘVZo|0XwSj2PZѥDb"\JDdQ ҋiGG'M;-FW x ((e>iaFMzX-C~ %|>46Mq8V[]37U;A6#бS?tʎZáAW޼x7(hne;,pf3LӢVWRD~t6 9sS"a(;a,ġQ yN@]غԏ+UJ`5r-خ3lj *.'t\-l9˪(mTt+vM ' nЏR@iv`>2FÌg:Xi{.Kf嚺fsaEj&gl G)1c-0'^-V$C$GkF;Z6jN5}![Mˊ<͜ڪ%v~n0Q>1Hͭqp}ZMh;ޜ -7|$S%'y@u2[x 8]\-Mu = tUoXQүݾM uDYT@q~O 9)+?D'y싐 *+]˼UJ1 V6עg# c q[D+eB&TłyxUSC P'9 y? 8u(* 0 %&姞ex[S©ĩ2^[C#{-)jiB4/zNOT 0UAFIy,I[5 :a4?3dIQR[t]ᴈ\kS:x8 i W<Ӝ6>mQ /dձC,`XqAѷ0&t0ڏ^]|R_0C|Ϭ4O{k}ΐO>%#Lmɏ&#pOۍQ yfqq^[7aDҦCD^@5nWiL\$-mśζf:a(2xYsҾ P<H55%Fy.iwҤu_crtgꀞb*"FN4mVd ɴ(^"tMAaBLp{b/r?YScb-͎~&5gٮ ]"0E=⭝Hyqsal*0+T'AìW*Do]ſ3r"UVuXӜ =Һa .J6Iä~hkiAE:)\K4Ul* _p`3d\}hA$Ƙn z{fo7xcI|;}kKBG,t$&[\#l5ֶ/9p1s)Z['̷߲w+ft4Pgߛ @r7fѷ*O'$Vފ+ڵfnFɨoh^,oG%T]H$ o9ycF)iNy[>cQ<#<˲I54]Xzt v}\\$av0MϷqb2.~W#"-& AփPʊ_yn>z{+БiC_"!Y,oZ wǦ"p]^kz)zXOdTI3ՋU-y1~k*5ryW EK៉Ag9øMI,$E w6o픥dc ת=l>(G¤- 4kBE6^UZ ’9ϊGF_Z~~wkEO$ZVh!+d=BZ xp\_(Ʒd ~<܉ѫ; .8D6Q!$6O y|mv[D_y~F$aErrarQ<[VNP0V*[W,/d;iw:i"4; TGA_ [nNuEF SU#  =-<hgyD~[l:blLR:sߎ.Hk)ItkyNr)h %rD#Ʈ-Kk 9ӋIjð/`;}%Yx> Ǽ5e 71l/AGp0V{+r@?}b7 9P5mzGw@!*,qB$1ٳdŚ*aGYU͆,Hbkch"'qToB"HvF4mSO3fU:a13M) b oJiSa΀Q.MH0Z*_Vm48(qZ(sw7Qy%2l8E9/9c}EE\'оTfg~B-~"s+Y n=nVlgF؃2Wu-yj Y[>-ʿG:܌j˱LaT0RFC۸u"j83P1uF+ X3~VOƢ9p"hV(7:n _ȷU$:k !0_`m6 :'^Lۗ!Qdm T_$9XI5/ri=p+!brRUv8K7OJ}$}`ycr,KvK5 _ch4HjMۭ:_K :ŵ>l?E}sgꛀ` $U3 7sIyzf!jB Mc6 =ZN%x/>o Ct]?g4cyͳ 1Pvƛ/r%$bn{?T;\%,Y9Hcb{X [KgtbʜZ! D,z?M|Zd<\1lt5,0[-[-(Ƃ,xƎv3 cԾF ZOrHe ܷ2A94+l顆 1YgйʢYZx'i:fR,o qoz`OD@_^ą`XtYx1bD‐xGDa8C PїsT*!Y3‚\;(c{ax͡T4ۨQ7- #Svި1V&iޔ(iç2@e]w8.ztRQ Vzg3 ݟtQHspk]P5*XTtmRX_9V|f q`%lۗz[Vt<7'@l 3i8/V11ϭh3^@)IOkٽAN'ĖOJPI r I go@LX~mO|sMY;>~U~ڼH-~v7P5vr)|C, cfp/>0) Q&8;ybA;DQB@HQ]Ps "kW6&`v\RzBTB:͵Nj-L 硭:V6[EmiitYQ/3t iHKi-vvM]NU)f{Y LJQQd=RtKz&ҹxƽ"siUSeZ+f2gb Ӷ٠JBoR zC&= D>fG ejwhCQڗT 3{EZJI.fWna/>C1hr a@gWit\[,7!K,/B:s| uo`U kda9%:*o3ca3-tlumJJ=_"⓹qC5^Oo{,CIVA7DS\xc)Υ/$ßʑ6!4/^Yr!no|a~~*rVˆľ(ξp2|3|)߅q|Ug~Lqi,`ynخ Omk= 167E&ie12AUfGrSu;jG"/Z}DVk ]թfw* %s"~j0 \ HO5Z]]q #T, 3xAS^kqGП'X6bR qBbX dǗ3 `LxTbI")Swh¿Y^(pB`~Sg:H[8Eaj%Z<'*|2`IVZK]Y׮v|_{$ԩgn{{{e]r_}̣ N^m_%-&8hwE.Ӓ@Mx'gF%0D6ܬP2P ^#q% ߏChD ZgܦK}.JfOvYr9Q\z`0ކ+#jZS>e>ܕ4-sð2i7dKIWHNC;imi^i7ÂzS J=ínNGQrN :X.S iT'lğRН]pM5mվE6䇓 Bw!}b|Ec+dUtF!VlxT>ۼimQd@-g,'[ [W7'p#sK0bi[)8f ˷ҽNͣIXI7_28>JiU} ;ͻU# D3&R^CX܎9Js NG_Oe:kjҒ~2;sw%20ٮ |N$ dA FՆ-a{}T$!>pYپioGћ_p7S( k="۠6V{{R=")'\GQ~U&87辤3 a8fޒJu )}A,*v9Q\'|)F5Mkz:ؚ}}ohbg6EDT(p"-WŷߗLw}sf.Ww13*ɪZJJJ6EfFg< 6 Mxr]H5Z"|HcR=%ɧr2:jڝIm7unsH/EzX}"Dvnj{&m [r4ڴG쵠kg B{_OZKq)NA,f&Q_ljZ'ar;!77cImAy}J?)pÏ3`Q[#.] 쉴UTܟ `s ,.D%X=0} WJ,޲ TKzư9os*l Eofw5;J==:t" DcŞ>,6*o)j<@ʢrL͕ψL@"dZ/Ʋ,INƎ>__XL|? Da5HOJ5RS Onwp(YB0?Xdh5-<,.aJn'3SZ;D{(_u-=?0 h- ;2xBUǦ+̎ J ?:(fO$DҞ_WMwR ,,lNrpgv$ ,LQjs/`L_6t;܉u%$r٠T-d+ R"ϋ+Zm ?lnaqW02'pe秝LWAKcZ`I,[a.xq",i(0˜L=`u"A_Z]; 7fQ^ Rkz/Yg3 OUq >P21t4_3#)%XKV}K?:-L,+x<%xkC=хm6.dNlK2YC0YEi23Uo4o]U+JdCkfEM$ғhlFλrjUsKK*7~7]NQ#s\4?xZR:ȐCi*FLv6 O>aSg;uv|mưOO @|?ofw{(p ?2my:ri!J}2rG8gL;mCǝ&|X&SXm$C e#]켑A6jq5-!^]n-.]cä}=k!Ŭʥ3P?g\䆫ݭi|cXW= A^׀YWU:l},\x?<"鋵50A 榀dֵ/|E/'BTF0F*»UVWZPQ$ 9$PK i0'e]ɞ"+BP4ّ gn*! 7WO~zڵP&;g:ݽa~4*úts9mƐOUI%qQ$7+aS'g{˅!ͪ*=c,r5 ]lT%O95޻w"itn*o)i%hlkĽCm_'MV*L"w èrF` >#؊[=,'%1gݨpw]mK'\y5ؖL ^M@OfRcV 7 Nn"z Hd \Iw fיjJ'4PIK|H*ud!I^2X3?2T d5[N6C!R} x @GWt-mn+Y.JξF$KrgJ%CA2pEKQa<{WYuQk3L}@!wBd nOF&Js&^,]<-My$PqhV҆c,-#pO)wNeay";$s"k_IѠ+&ޒ#VWk;Tf=a6(vE }B8tY`HpǨ"ҖYjo 1d!Ϭnrd=$]%|pPn=_T/`l&*WleYv|M&8Q뙳s^L64--S)O߳9H^'eB)]V.]ތdg^1opBtlYL(1?ALM=3lMW/58@P4n<_Iۃ dK2r\zѵ!V7-xȲip8_ /?RNXZxMAbF''mG \Tg'%vOJT#es/ox..yK4fQw:\mL~3#xxSYS p=zlh8lgNT&(<4.6$UN>h(4<އ;ZBX̪}\r@&MN.' ty>*"mi]EVwxeV &t_ФM錧*TLEHMs5*h>dƵdH|H߼W@Cd5xS5 xG0K͉Y.t+wPҼgpWkl5[`xd:RC>lc,.4N,6$#Bh'8ՖA`7zX?\V2@jwRF4Fjc{CS3<:mc zH\jQ#Zr.B}C  !DB6XS7o ;WTOqCazb0-?Bb Tm~"N9i7ԂBriLG1' { *kjEYeK5HI?"#isx:,Xe}ݩ)$TZ0ҚA~6oʮV5|1K*;|+ǭ,""'-EAGd3KR&AV0YJⱤ]k9 7=N:h$_xd}< dA|#6 f-ׁ*܌b6",x`D+dy )ïw_ryZ pn 9-ok* DZex&-pK$  [&oR ~lu}?أqeۍ Cue&0- /L I @[ wH-̻'M,%btaB )Ve{ABH({79iBP7֯O*4BLan " T侮CBbx'\jpȶ?jn{ދd(G P:s{ˉۖP5e2]Qn&qVf릇ѐ6#QEPIìqHВ%02YN3 ځ\YSj։_G gxi[?jIF/YӼ lS؁ *0cm9 N[5{1qi(bSM#DV~/~*FKCx355 `y=]}0VtsIKZ8f>qi %ɹOҿ#^ XfY?+!,-#œ&"M9hO׵P[L>JIB[C,Neܠ$cp(P}8PCwT 0j̥QVPɡlWT&o6Xt~(/9 qɿֹ@YԤJ udӞ7hM+`{GC·)N [@l n}iG T; * *5d] uONg ױ(wgYRk`܍uPoΠ%O9r Ǐ #k'Orf^? GڌgXB}zԓaxDo.Zbֲ)`HS -sFK2|/z\ Xlٱذ3MpP,n{ VPds&u;#"5΃$Ϯ5U{LCŵ~}7Mvo(u?:?eOYsPWu D;)c2u~6/ F; ڐe]8vZ\WCeSZq@lR;gPr` ?/(IFB`v!%wKbD St!U=lKaDΗ{.uaml> d"a?zNtDP|R>sC霑d_E{g;;7ӂa(zAD9AN%~'G /㩷#͓i(OaP d4CO%6Ix{@t`1nt4JR݄w2׎8e0&ߚk穣Jzu>ZrK̝Օ-w7ɍ\jBݪj s6PԵd{tm&IZONzFHu {coNCξэ cT#akwcz34,M&uɘsprqtgѕ7W!/9ُё*2}VhiOdL8I6yHrϻ2ǂ0d7)Nm'7nVѰh{y#X8zW4F ' JXsÜ$#l[~D- 2@їM1mՏxE2;* R!nY!wFpAAl 3zG'bRͶΪ.GQgAgr2Cֆoɴ}NAٱ͋ 40{eLڨxDbٳmi}X`O$˚/9=!JyA25WtgXKutĤD8jf/P2#Vr$JkFtgKpnQ OD6ֲ[s]q/ȯo7>41Jި*<(#1IyT nߌ[C6LyDF^VLL#g!BXBڈLvRmt*0!tF0اv(LjEd]W`; 3o fl]I:7ZU yGfƘx{vomʟS 5l̇ 7߾dLsn6{!M2fh \d)OaȈI^!Ej3ggTrퟑbhpYkNXqYBk1GqSyخ\YclqGGX&iI zLH-$-oP^Ĝyuw?)vo4ą޲X?j7`1đNY||I(`齺)A~=:'>jwShVJec rq:O=xlZרH_R,tSmxQ"KQT<,WHB^Ao=,Q]^I060X5Z,cK;ab 1Bwݸ$e-zÂDeuI%8_棢P `i|N|.83wtC\I$dZkdyJ+mp0%ďGn*ŌomŎ`;Ijź+G䗄J6JN -aB$A"_(5Hhj 9Pz9OZ҉$}|gC]<8*7:~HWӘ'0h6Ӕx- qߚ'je_#J^)6oL=! Ya||^k-R| InٵdKca >NIK8jmloT;FE55JÅ"%R#>?RTjH(P֗ M 5JL/ְޱ!^4fdGjEdQ$l!mB?\ z7ZP2>,eWWC1k"V ŽOtd\SQ7Z] D[ٶ;9`ˆU^ˉ 4@'s+)4/8gy6YBRRdf$Wkf@B?u)hmg ʤBC$3{/ ZQkVb<yAׅRuoLIxjZdW ZӉô>'6.N: Z,, 6@zɓ&渇b1tf*cf"6A0+#/!7oӢF uPwjC˭n5sz=yJ"^[՚Ȋ:m@݌dnd9 ܄MI.(A 5!D?㓔`ųږƐDK\f#;ʯ4;<BlPFafam08) -B;˳"$KW__we۱fqWw6)B.ӷK'PBU QR12Kq) ,}cW{0r$CUHZD?W*EڋGs'OѦ>G8 x‰r,!Xl-m}Nx@%UTW) d HTBv\x<%-s^EƉvv%?W(S%_I?9X@S9KuHQSX3zvwܙɺ }xI7*x>psk/ {ب-'j3 `M[lfXҕ¡` &RMxI hi-,Y_qĭ? 6h m]{+Ư%OygUj1޿Ƨ%}A}Mz8'p{ ^nx翓@ lO蔌Y(GW$:ϗ-@ $ɿ)R0^xă.y]x'&Z |skJOn?`dLo^; 2-9Ǚ.HORaH5>Nxs mC7ȑWs[ Ry!Woܪhub| ]ǃ,u["DTdijbydi ;ƈZ:)01O%ɹˋ@ o{tCit&I=L(9Tr@{3bh SE\,~}ƪ %9}l&au"@3`#R樈{p͍#LppH7=Wj]XEBZ0%)~}-iLaɡ_V.~K׵ ]0˱^Wl9+\f]>XZfdUH@2ܩ5>*p+!ͽ;~$r-mab/:ͬ1mօG?[= WZ7I;%vEƏSu67F œqI( t'Z{U{SE,j;,NN(>b5b;@`ɝ˜0&zvMKtln0+:2yw\-^*d6V"?u>$4Nzc}WuWnMs;#d)όzx3yџ$E9Wc%M>6|8^bd25@YcF)HfВs?bLNV)=砑cyoST6G-C!DkDHI~jSEpɗYMc6- ۀvdvMw^8{=v\m|=TDX-8(x`] {E1PG?fDe=y]H]7Ģ>]܊NIa1/Ntd^ j*킾]jwf?F::V\UBǦg}'*z Vk-+K 73iIbK`1H`<&K+1t10:ro<ND,7aS()#%Wnw./pZYZѫr,,錂4Tt WtH&K|R4]ZŪp(%$h sy F3C,'X;+xLGcJSw7H F\mh:Yyϗ$G&1lĚ l4'5Ԕ݈MFE !4'tMK zZic=hM#C4U՚] }Ut &9tDHJ8̣AF '%^3݂@U˙lXvN-nXΎN"7Xub|SLOku4 3,;k1%X`hɪ; }%.>IjV,n?`!Y8 z2e?!JCxp? I}M%屌B՞e,0Xî )|?HLA64n-IRLccvp&H:S-1#Mے!aw !VKсҚe$n,b97ΎM?Rw HNs1VV~%G't Z7=y}կ%i%=%&yIT;xMetUb'o28ΤCQxGçi ݍ^-Ӯ%MK\LJ[ h!ŅrK+V -AeZsx7+%9Qx<:4S͠7/8 q/+q+ ӌ+'MQj6 ̽9g oȪG=B33Z! r?޴l/!eDq[[%5IZ {C?UG1cEo3D5@3:`v}?@:H 4ܐ1~jL `{ (P51L9! ](7e#/@UG:O*{`YxS Ѧ^aB:cA!:L>. GJ!Ӿ~V9 .[u׊  rӉp·4&[JYdѨXȝh=p>j. &=g:W [XBXyX\\ bp0a!*uKHhF-}!߽)L(٤j]:<=٣ԕѡjAjL!|9!ۚ߅bg$bZQIǵ<_ M/6mJ s#O` K׀J V~FXLeH47v 2(^^Q ׽"6䘑yO9F{s/8ƕcnӓOD4.X#5*AU5*y:ҹE6$AO]آzי*-fٷD(1U|GjlxD*ѻ20iQps|hPmi5c_y0oͽyln1(t띸vҽpb:Ħ}ju;U r=j'=k[ I/~1k JVcjDcVx03ɵz즈 vLC%?szXM@Y؂@\ÄxE? }hg#"gE\R\Y%u(ZFR1! cڏmt AY9!W g .$ំEu!ujQ>&s`?{|d8, \xQ|ڛC߲-os־)z rI]w '(Z*h) W4 v|ڝ'zxVp! *մu^fKzdn;F6hUpqz7O Y@D8 1ߧ?&nYt}FS9l9OBPh`sZ$%>Y<5^nUHh@ ջՃD=!_b xyh*߈z "fNkpGF >2,Iev ,}2&xy-cZ-9Ɛ)#`r2*xUFw~_0|WU+ʎqd;*eRRhFJ] Svc=2Ug;wz?aA-Ѝ7g>{*:x'3qq18 oE3hLpqH<\Ϝ v1!R@ btvVV;$/_~33 m7ȝTlѺ7$$i{E!()9Mt6U^ҧgePi)Pt4nZG1WbV6XoMD2 ҂=ßJ(%hu﷓ЊӛP"ٞn^F"GÍs f 2}P8'Wr&{mM0ފ7VVx %8PӅE_Ur8 "oa}ojB%++_b 7;Hd99~u_?sb,M:'PHZntNMKgZ !4s;Y[[n@%e'.UU#]CvؾжPu"p' (+Z 7"4s=m|"H)Y̅뤮YTgS֥Y/G-WƬ?p$spK t)}dW|qegEɷ-(zmgE'Z wIL2`KMX v;7+vKqv}71l ZK-u0󚤖>Rh['\!z GFf̴{9y NEߐnq@{uvD'k+ ƻN4>J xo $bX;6y5)=u :5ǔdo*9gQm3 ssM$2rARʔZ(>IxS%E.Gsex_鮘 K cN~וi[ǒdZm=m7Zb' C$,`PgYZ0~7R3jIA)3u9qfR@L/[x&r5pCFyQPBNޤ=ٓ\"5Xw+pLZacMmbWi T [` U΀[93*f$AZޥn9I~TGE` t;m(O)#Yܣo}kwk .Kr*LjwNtiKFm !b/h1XS݋J"d6뎥(Pvwy--+М&U?Ck4EPI%|Fv>ءϘcot.2Ų2BNI%7# GuR1 !oH/UHT?-wYXVijŢMieL]r@r6MB)h؜B$lh$ѨȪp~xp:*W?'$ Y3zg 5m|y*$C"ޜ݀3+<59u^z!< W|Kl 0CWظ߅?#4,Szj͵>ƫPN8nmbX τ4mo_$gN w/?,Ͳ"E6oLgWn1ct=Sn]#,<#:_ĵ_ d*XSa>c{u/0\},!c"./e9 Hs|'+i>'[FAh՚#ؖ+L}`K/1u*^ #~8=`/RfN?[QJsaEZz,; i֌DJtSjC2=_0OGП-Y.L >O/ w/}g?"m:4^.v*s6!"Wޱ:|-J\Yd7<_zƿOm CmXowkML m4P-crlb?._Y (ԬIeR,`xݑ%tAZX/|s_C+4ͩq} wCK5bO[<p:{ᱝ1kQW#^[Sl*gk@\ŎR2~v'L%3ψ ۈI-@Tt.H^%j%|L:0\{;6. K'fqggKђhfȶeff}zX A$ڇ\e,i7(0qze kla$ 6#?[wG˨ֹL*?!mGKaDJz#2$1x&8&N!0=XV#Ӄh P՜5۽xP8+kWx-o2 S#yNx o'\V!U$ڣb3`+t7Ԣ.p!ĺ$_ͅ4v+gR@,T6#X0H'f ):q 8Y~۰&,D&7+3$Jo;Y Lag| ˊ j.'v^}UF8BY~ۋ؀:7)"'J:E>{9(%yG[0F~|G6 @n/xIwHM1(F@\NT2/Nش6vT{A9}U"ī=W-+| fý3\C9J bE(Dd-[ XR2L_!h _ MT-q&RȮCd|=%n\ŪZ$2ݖ>oKcG;$/DZңmJ!,qHM Qb8 <9!m|R^i%+N:k{IBl!1WI%ɺM!_S9gYpu=><:'dHKA\Mn 2L ^Δm$rJ8?j "@F=i/QP"=[5`2m` ܢo*|O&σ5bҊK+*BfW,4/n& J8-L@잔3iBwZ33YZ׵ԾCNUE!=_YC0%"sdX;v:p>;+oEj>Y0_v'*I;|#EqSJ<|b}l!+њ|t|AFe>R*gFNHy,${jtQR+GEW#3c?z=kF jS-5K^ 8d$& dY.uPj>(4?mZ_sW70GyO{W"}(>P2]\vx\u@Bu.P塐N'!p}12Xq|B$`K tH9hXi ;BT*2!EΈIhLZ µ>ˁCҝ'7Y)Ja̭X?<5قnT,\֑m=mqO}MtG^*Nr 4?K,l>X/n7ұY@KSAź9sP)dB;W0Ptcm~%d}faP`P~VRs}2vO\t-<^^c7\GhwL]';a&4P2xI5voAV,!}E"**KXOD6v iG9L "RN(P7T6@T׶tre.'JV(2{E`~( aVGeJ_>+9_wdK cq@E{uf=~Ԃ ~"nC*_ ُ&< }"h7$6/}ZmrLB8+HI6ԭ(Z.K?Al3Kjj&JׯG[4f,Ka[ N-("=(jeP~4ږ%X̂gSpz39[^’DW, JF&U1M!ٵ't;`vGBs?Ry].rFӵSA$*Gދ 'rSO%tTjW6=Q%uYoDrHM(p H?+\)ibYHI>c]+$/qɤ? pskNM+s%`gl (H @R̳̄쫙@U"3ف /:^z/ e "lYNju(vC |Dx= L1ӄڎR1-gBڬo-2 uwcѶ9r dbbcNN[2= 7%?;"Kwep&?KeXP>yQK5}Մ*ǒ0A9d:7sS'z"Wqu jpAd[ xu`})k>1@ Va (9$vQ8 Fv|jG6jKENH9%BdžD/M0WvesOM/~\!XQa{(4 Bh0AqDNciuOTgM40 x r_WVLjRxk܄HcξaohdvR PN{8nL2jgQvJzp̑/V@7x%E{ 2aSe-yt|oleY_v'3xgːZu({^pit[)_K0U}V3~ODG=bFg}) _Idi;3 YNyEHPtL9^=AJ 丘-' &qXِny[Iʟ lh$vR]&- +obb8t)\sےsLŻ"_0!$[`?MKJaзF+^?1y;=%peWFW}mKoM!{sU!ODϿCxK2`vLӈme-}gLu[v sЧ [%A#g*vN |]%Y/Em%(JaQKf|jA;Ν/ C,]I7bLp3)OtG4o04n.#Sj#7'z/v Er$]5Y]JY粉) Tw'AR8}r֮~|wa/=Ы%ޛ<L"Ok6 On  2ħѲw¼x E1穕XLVh$}e-]CL$CgL :?؈$1>Y薿nQ0&.FBeRؐ@1KTtŁ ""iwUBKqS:W+8jh_ʵq^P : U+Y.{_ڛ.9.)" ~F泩ܱI u[3aņ^r(](#y$% I#R.EД櫉B9XME}_Yy>ϽvS\ȧ|mA dRU-k+OZ<"::?OuG7+G'F UaLn< Z"9$Pɜn(r0e{p?987/C WC̩` ԡd$SUAĩjάݹ?U?YmO{.FO`خ7habketdeld(  @'P63W{#x'Pz6sh )OyJb ްZ>vY׽IŋF.ǽʿoy`hS^Lk>|jvzVn?O5x=OLB]Q,}\:nAOP4HP2_g5CC!e'"y)ɄJ.-6.Mg(= ˸E'v+4<8Z$HbPGPXA_6]qikD1ʸW[ZtJA rs{BE.!Fb?Yz~Ql-gl?+h{op1ӖK2 _h:IU4t%Ғ>ݰT=1kJxeŘ&Zƈ^YEȒ (} Qp)_^?ɟ*iX\@UwZ!ߡf @yF*36OFôftFδT\r]*4KQni>bڽ) ìʃ?w}̓Z ӣ-\g5pI)DK+dku4 2z=(U {@HRG!O\) F'$RkðYps9&Ee keB2crQF_<Ͷ#=:G@RS^Vy&C=(43 ޴IoQuON$EC=8%ӧt;D4.~9Vjnk toPgĀ'2x\~tgV'}"Jّ\^u H~o9KEԀY`Wz\F"_+X4_(|cDK9X̱IsO'm8=TH|}^Yd5m=n%h¨vaCs>l(dTLk?sÂ_D1>I| E:sEKɁxMgS*YUBW'_I%g/)1_.5(Ϯ@J|ǨA_d=!׉v*a^=\J|(R~V_?WT Tu?ӏh)i,g<5[#~ypu7b =@~0EP%wx%]@kv"&'h,$>(9XEN]YH(]xM1, ^lRXam 熼m@LJuf sw0}4G eQdWVuh/a4AIN|@sI.y.L@`vgt8첶hIWRi# FouɯS{hp@bD(nhykIp;t(hP5*A&Al_+Q_) s#݊J{]?qfqNtv> 4KR>S|B [CmS L'K: fq%G$'r^4dc$>hL(ʪe6-vQ۹gEH{1Pv7Cu|ї8Qu~4X0pƨ0~ݘorړ0 @qץ\">@b֊<M6ߠ>WiPȊI>Q[)[wDQ*YL9*WЄC SB _[@-ed@<=if53sICܚ?%Hʭ^bwflLV(떧gDjX( c^-q/<BVe޷ e+dih IkEVRNLMYݷ$桰WS &+3 ٺ"zg,/4Y.Љu1pn7.O ɦV%?KSE2߱ũd|?ZLHZo3WQ6%<"%G27/_ -bĢÁB&؇MyK>ړZ86k@apM l {Ou㳾gh(SCRkB#E\,8 !؆ ((77/vx>j|MTkU5ݗR{F6呆BV=HB\dJ'gm?\=,(zަzEkʂk Q[W{-w{PݮSX'.Z?5eOgbIO x{IXl CC`sȅ٫ ]8I3v&~6As MA-=H\DĦ=Ɣ $r򕸐^*]>K/v[BE :2OiWQ35z9qBy*T1j&J)xlC;m_ D&&jWZ<{?ZqYj`cV*<D6^{j(WØÏϹ#srD0{F2&Bdc$Pu΁z J'?ڻGe蹅!5V?coH4a5d%#N>;wf//+S#ɗbq|#U\yՎ9ǡ޸=z]G*@oa4Yi1B! xhJ@:V)CЫTsD$\kn+{o5ӠTy։!UxWiׂOyF7K nSʂȰ( jZ]Pq>cD'afr#$6˥}?_ʦ)K$%7o|-ݚA:-2z΄HDoȨS*F=~ڽQcޙ}ͬUT ɸ:yeKyWYJM e7[7+wv_h+l [ڢKw8y!smIJ:8 |96Nb7Ewԋ;:K*,P9[kf_L!#VX$~w޵3 AJ|9X!7#Ӻ&>,W!/grBQ/d8~GεCd:7{G*W}8yWTb׻)"-])Ҋ-ggc=Yl/^3y5%6kzA\`h3mĞzPX3>`p`Fb/V?WTGX>~`; ?o@፩T.BIKV9xlހ]UI!-O E5jdrZYj1ʙ=E "*8Q3~r& dr"b2w;.3P-惞1g8PٱTBƐl.! JTR6] EŻa,Ac_Ϯe Ȃڣ{Doq@eAq^(e.-b mu|3grG~ja(EF(}̷h]8S/Z)a,ؚ9lԿMlv ֜ka=Xoi,uOK䑥),u)Ǿ50g 尯UG.@m^-x1 <. aZ^PhlhZuYe!Y]+FLuYXuPB&s .vՔC&=B,8 w9LY*Vǻ-Qn{rkrlGnXq?xe;=f)"u'o2-fL}RZHMH:Bâv#c $㔣J6*pƕ5)j/7<!K]iE< _ֲ~֌&bKK]t !]JA띆n@,N+9 aG|#uw~5>Uz`OVsY`:r G4F7|K_QsEž.;>{Ĩ_If[>#_M7DT]wPq*gVnGK;"kg6ILp# C%E݌j&ߨ@L*xb#xyxY)D`OQlRV IdM37@&"]&ReFgv?JX{a3=J1D%/<ˏsX w AL-NΔq"bPTjG;%?A_ 1pe)-xhE 2)!ֳh!- [imw{즠hRdd gMIMGQ~ʦ4k.bYy|4B8!xf﫷nA"uvO ٵg*+_ V{}|Wh.4kY_XG ?/mIQrҾ]L =X:N~tB2j#zd҈G@TӺRM]2l;Ё4=:5M<eRU>2-d1 0\GAɷh"ρόP9+WAkB#9<±qe[XAohAX pA:ayU!oMVNGR*[V*3TOJ}VvrFq (ٵEZp8;3M( Iem9Ո*}tdāCpւX62k)…fBk1 edIntə\PYS:7_UFzgbkaőzTUZTgW-\O+saKF-~~m)}aT2[ ׀~pӥt%RD-M!h4@5g^L#$٣u!~CLy%Mo9R7?27z\b,& ߢJXT>ǾRY/qJ*;mhc1 yu)uG\T8X? T: `0Lw]qj J1ҝ0qr&C3,H ώҠŦc}ўfP':eؖF=?Zǰ\=Ah|ܦ_v6~WmeIo*\O&"ۥN&ʳqXDM{QfepiYɲG.ըD[D_qr4R5]'Щe01,V> x*ľV2 #jgfIW$ƠaLilSoOMZIʃɯF::8 ҐԎ6PJAYeIyrAQЎBih n@"%D M99ia4R:IEqn‹j&saaKBnpI6Lq6V!.,nhآ@ghzsF -pӀ2РtK*ˍd2ɐ<uJk>t>ف1=VIk 6*v1d$뭙 K4*`؉c԰MD-o3Y)kEE+ndsN{eryɛN)z8>̇+]fC/Xa1+$Cvg|}G1jj|R_sH>eO[RPK0HZw`>k2Ĥ]^Tk|e² <γm |D' 5'6OL=S7ZbA<[{I$QYTg}9\T3E xb-~؋2ykE!~?bxߐXOrUakq]Εg4l<30= :M߅ut eF @9BK!ɷf4թuf׀t'3#6IhnaҸwvz@kv _uCО(1gX(Qu ЍDCMOe\)gjW_,AQA0ݹZ(hSQY= A/[ɄJ6 *)6}ũa?*HbJ. pJ-}kk', B6Q【Kp`7mV1|P}~wpAmP Z^S.i,<-3ہ>q@ r}w?Nł+Wz,/]W. qCIPxyxL^k1&j,oyO}l Lg x+$H(Q[ 5fkF'"!&|\w3XZ]x$a؋qk7 4)@]d{"~́9%΋D]7wG]+r] J`F &zF˾\pZCxߡ ْ'(KOBf`AILqboΠBsءj) ~bNDb=CW3uq> KD ekZ/ k36[; SR+'0$;G!pa2  )hP)ρ^g) =ӢUZc:^7=jXE qHcoLμ}u`NaD!f7=4"U@qBi|߾,_[%􈣖DSKfGyt.+ZJBXElh}ж‚EkpnVKu7Ky5MՑ5*]&S̡` 1 bd3Eӄ@w\ wG`SO49 EwӪ[]NdTbǶDWG=Ԃ/R8til.; íS|˄ioP?/hM:r#NCF5&RN^1gGڪ)qUmh:f,JϲjYxY3S _]m풰Vbdʼn # bFC06&UL6,`FÖbbtT(IoP} ݊>Y5J\u`J5NϷA'آ]eAN;SK`䃰0꓂vqzWjKBb)$eƞS0y0BiLWS{>6<]a€2v$YPZ}ӞR3+bD[ 9C`W!}cpcQqyzB258Ԯ>cRypD8rh14-c>+*~%IW^,>t".]jw/ O|pT/7U|:c kӜ{R0ȾFp4D">!\=lf۝}AbUT bX_Hb$ÂvS᜽|r %pl,jӃeOi.V4-"ֱ#CÜAhw/P=J2qlMWn] *8(@cyv 4;?F6a­y_?nx.-b#DNnUzS1A9MP6kCA'!G-La_7d%x\5aX19I} {{(Ѵ"|`=x&u*K}jpvl)dZ 0stݍj l㗬Ot{\lwTo?OPSi[DoLEmu}~p9H L6j5QJ1eU5j9OFȌŅWZX kMYP !|]%7z`X%um)o pHgIAC;Y2%}cSLeE)]kt*HF'݆1\U} >"1?D@qeCQu>0ҎnF9>"h@Fh^@n-;¢ XM4w=bl uI1mɗNJ3}"a~YQ zlj_To3A0/퉪TcQ*Ѽ<xSHw˱ EtIb*`&Ғmhe)C͎B3U\~x#-|pўZg)yvZGY$Fџ%0 d 5cg+ap:~ѡUK#3 L+„~]:xJ=ߗ2**&Qؼ2w"^LsR6g«])_;r,#RJ96W2N`D%EvXVY:0Jڂ7b=|1hI',J'fUrnqtA)P=P )fg@T6uИC?jfAg4e)8Ɨ8̱?B˧u*_>yUSpe­6r9Ƽ };ϷwŐGA(Spb/ʉɟ'j1Wacs'vH.'77N:y0;6ddB a(z̈yX߁ا _~rG!Kbvg0[Y SM-yM< 0P#"'*qE(5el> ϘgمcIu+KI໎t\O*תJw$_V8?rKӴ!r=R(ᜎ^ wL.Q {1c!m0,ad!`pGZJyĈ}j FJ21<,p7 J( *eQSBq&82 H=G):P *ʋO'XO;92aDI>bJ3? ?Hja~ ^.#y‘l7J9f% 2ʶagx=l*~d(c`B7|mԙH)V+l%3ܙ"mL~uܚ-kYò{ /z[(UۦžR~խIS k>?ˬٌ\:|s<Ix,}z9]k6RCGAvFE0pc ,>$vTWo&q ˗65 tw#/ ols4UBӷS}=;I^Er\J5*֢@>?@XJ`C۾ u{ /Vk"a\c<" .3Xv4r'p 'kU\2HeVsL~ !`Xiy'ur D(9w"9 y‰ :ЦU(T2MD!)*~}nMm[1j[JL<..J܆pSb/LGXW5=!W(#Nwt:,!߫cuVVҢt1Gmoon1mu1Qx{iI`_7UBH/J*_4#oyԦ\vH .0ailVzuZŕKZrI%Q{B i9\` E:rPg[1bQZV1 cC,\E!~0}a8D鯆\RK=9{p u/H%lȍ H`y)oXj=K{3ߤ2\bHٍ.2%SmM Ņ 4'D$K2~VB[XlW֪<%F.D@.!#xC+F_:QEEOi~N`8ͻRƟ2m.V<1ѹ\t7DING^&> 8[ҭM)qR(n1B5 *J{G%jKaQ 5L1P?hPtAXal^p%T$]mrGx̚j]_&1[7!x[z0r~VDMtDDWntԞFAHY׊l8#b-;F ;!/etUV5X1+%㉥Nf?9gQNKLbP_S mƶ]\ 6?o9w"ow-'/ϧn t^}%ۦ Cvn}kA(0g.ue_-7,d ^_ ]EjЧu٠<h*fY :z eEq1vٸ~.RҔ&K9[ ;Z8%jf%?)WkgSӿQZ_-qA"UuX7ؚ:R ,an6AoYuatau8ʂx"MfGtmΐH!{R9OM4>0ر$4i4"ЁslaGaufO͉Yٮ"UBAן9)O!@v.T3#}d߅iƜtPJi =qNiq# t.XCn)9i+e!,a=AO+f!ڿ8G7x'IQ[u;SS3|5V1U†껖$ r0(liy ő!LW{HǠؖ?F6IYL(Z%k}!UN3#ztMƖ?VQ! e{Y#N*,V=#I B/|2m.beDCxWՒkQ`Eb_po]*n{|*-OzN B>?`mj92዆@T,Ouȅ|TQF~Px*0M?ri);ЊF-J 1>Bn^<'3 }aݘnjgMCn~8ਸL@60Ct:ԘZ`3oL%; H9}p0nLSTǬBtGƆE)&,4mή7e[^,YG? 鼗-Pߏ{wJM5u0/ U=v$׿6&m"&ƽ9 O~xZ( {~ՑXAlg2t;eƀ9ث?Ӿƃwyh1 x{OpP{©Jr7QyO3S/K$~Ka1KF3q(uE9D8apd!8g=73^)*κw_`񏟜 GAມ)ZdNvr3Loۜҩ M'8W nP1 AnUu^|/H/:Qwׁ)`{*0SgbJ,r·n6}LMFb^aOBI9_f 0u z>ebu ^j shC ?,yFcUc:Mx2^ѷǎ"{Nd+ 61}/dF ?*IJ"~[W?-N%S""hhQLRZDڕ|!vwBM5%*q/琭EB>~6-ב(v.Є?rCْ/PVӌ# VU|7=εuKׂG!u<4DqfI~EK\ ݒQj6r!bNiV%Ngk׏cW~²L?S"W!d9U-~aS JE$("FbWNas4+rtcZCB&nVlXyK_?f68`E-'F#vnqrY! c۫K][+-qrrhA|eONf-YAnָnB]N̉z]LHnܰ{x,7lx](OhmW0Gt 3!Yv[>CJrFe7 >ǰ(rMזgC kc9c eWhgE5uzZ9ţ$ Uحp:= V>&Pzp.Y0,nv=ȅ uᾗr cpzb޷IAj,Er4O;nu>"G1rQ/kߕ6@WX$zj׈.]/6у'k=bH$V=pA 4 @QQߴп(h3 E,$j'ϳRxeu}>!s,7C5Z4@ue<.m7QꃊWPDfiwҌBy䘥ޡmH,ЋEls37ki{:BC^ |*0vL$F# lL$o̺ulNYi/4/Gzڎo<+@j&<ŏT 2¹Fg1Rv3vChI\g|ՀJΰq̷9~m)r OÎǬ Vs!NP@-#S@NˮV^"u&΅|ߧ '_ x[?'UYկ ԓS9C>,uPeƆȒ0&.6uc~yfbɤȁ__ 0˃'VY1kw(Ud0ծIhf?CO}WtBN3ӿԦ.QpԄZqdc}hʘJt7=Rlk 2HoȰc2s]Y$Qќl!7޿mIQ|nd"<.faYH`*{= 4C.:oHfg(N⦆I`5@ cUTGK0 eHGs=|瑂KIhN6D{۟c9~LtqiDlX!\AD?eC%ӑxX1=ov~1 g]de,$O^?H[}^[κ3њtT[ؐKs)MQ1H=:cDl˩SH +9l.%`D9Is莶uv ` Ёoå*ʊpT& ؖ2e(-dxW5l16C_M` +ʸx-.$/lx8nEt:p ?1Xȍ9]V`M^ Y:e#i?Pa,ǸL~¾fM`W'cp sj 3Ttx i`25E)1Rɬv)5c:^/v'8[}]6} b2RKϺ)u5%4)ÙXɿAp-1M­Xdω{e.˶8r~8\06op%mexF1"lkC̜C.6ˊIz"٨"!vH5ì1O9P}})K { a5by$ MLPer i,C触bRԥP(s4རڙgK<>tn6*EOסfH֝ hH06|y.YnM<0"øK|զl3i+%"tp4Y-}2cHpo]`NM_L"I2 ?xyJ5# mj\B4oM|ie%T) ﱑNuKh 8xրK-0UOZtfϑ=n6$yr{!655belkfMCv{^f)EvS˸H6L [?_4'rMM`{4~d/znbu`$n]˙&s7xt͹y ^tg^Iw}&j,jAّ@ĽHad!sh --2Um 9q{f;}_CY\QIok#˟4|-p}[oq3LĤQ6/i\gԞd$|pC2iSz( XEn5E)=n BIr#8_<8'4>j-bc"u?%e`/nh:pmf&oB,{žtWjoC F>/gr"\d9'O!"~ϸY֢+ bQS}\[gqKS{uzM+E~Zi ((#D& &Ȳ1DKcc0^W6q!iftSzh~R]i$|@nuR zwҘږMb|ȊN8`_fٟI" {;6T_S~Kv3&>/yښмK%m) 4u,(nO;MR:$BСg+Ȥp`,茷܆ԌV} kNrՔ[(\ܰ!:KajHNא7UX];!~#NJlȐ8իqB ,0gD<N.7J9tTt\x3<"жT{,i~>ahu $HWߢഏ/*HYZmϭ("# /[GDq5EjA ӤEg@CVhfdLddoO@HһÔ?`݌:2X0EIW;}ϸ$uU*$5 P2 x3VnI%=9ɗc=,^> ["++r_Ş؀,9ѵ ߵ|Bc4Ć?qۺL ?_< ,Nᶤ7K!PX*(*-K:~{^*u|lG0;nqoi&\TT .ݪLx.F,ig;/WHQnc'Z9<57 `[g T 9]ʊ 4:PjFQC@o |Q_C5 Ŧ!,A`-]Q,J^v{|: IU!ezñ\8e3A΃8#$Q;utq6ƿ^; @/QBSe '-DW ݍr8=fņQn$;|i$xA.QYJo#/1CaQp5e [MXc] X/4$^"u =7\Kq^҆՞p b~ ;VOL@*ƓepgHNR9i܉3nO ~sHdɩ| @:pU|ocOI !x Aas| 5ߔ{:#QƩcDݬb {5P3kFgn<"PfXRP*A> Q)2}RԄ߮ayс 5m@RL<, [=ڨz݌BuZvr +`ZYhľeNAţK8l%J;rG">Fa( cR k,s*B3ΡQcQE,FB浶VIEm3H'xt!}}AR3їj{`o-7Mlh"a4sIcDJՖԖ^SHL }džtjyU =bøsEBHw;fx<Jp;%{NJƣ9#'{BlHⱼnćSiЦytU(Q?5do}ϒ2ߢϪ@=n@K H^mrls:JS:eP2 |k&)gGLZd`3hlZl/ SVky۩kFQw`o)n$^%W(/]Ae^ jce4V 2PeEgK%2J80tzT/?O.3 XyLEɿ~v<~}JI@?UU{JR̼lC{JB0O$^@mgb߶9MTE@L>ݛ6S{ u/8a4Y9%Εز$ދS3L@n+uTk-qmUbLX7iaɌ bU >xc`ڧ\?NFyMJ,C'`V)lfZȳ~ . 6]DkJ/;\e rAe.\Ѝ\&;-gˢ tE;y†@M$>k5"γ8Xiɇ Cx&ޒ@|{3҃{Se>*`Z||_!\1*+7MFN0ER\zơ.[y\oNQ|! MBZ䲃]CgYLi&۟L_%r7.5#P[`IN-BOfO\lK}{OWg8Pa|l8=QS$˘T*]WW' 2nR#BGOb-v;}dMWwaN %Pcbs=H7(̏vI 夓N} ҵ7o!UI, 5i= bfԲ3qm fj B'@܀Og$g|ܙ,-`5<Э8{0iݛt~Xq;/dOA<9,+v* gρx[s[HWj'-=MGcS-G>+7 }NPL"CS(6YmΙ_@LE,($;}9$k?]*'v z2uJb&d,ߐ#L2E=Ǣ&}Zbq$CWc7Y`J8dg*$j.)?Wn%r*lL'u4nD~VTC?5n}#y 7wt"9 p~ %o^򨛰=s are>4^!JAGnOxDJωkbn5_0Gth뭁I?ږ5A'xd'mƱO#W;mbRnB#E.;c"`uXY/ >HcuĪCΡT{ yAi4dxO->3(i%$w@+ݽV|IwvxB$0uneҔM<`ʍ \5ȗr̔Ъw6Q˰ `؇'aˬ0^׳-qȏjO #MeU? ;xAA,g2@x<ĝ!0BkYAϜM`rS9xJ)B4>yABUOaQM[0J(y+?sB8E-abuDmrvsNy}덻MNo*Rmu4Q<)־JFcbzr35t%{z+u~ 4^7FZjmiMD{yKZD:lˬE7Vu/H3+Wuh&p\0(2%M_o1DÒ?qeг8C`9FBjpRӬn6HYD媈W;c, l`̒_'|4 dBAh,C଱_J_H̝7,1^\y%|J2wt*jd,LŦ/y7Rέc[M*$MlpC >ଡ]f˜YlYaVګ2'U)Qihʥ/& $L .n"f?dy]+ Qۆ+ y*aJ0L/WɣImU Ef\U@bo5 xHr{fK&GNn6A;<,sb$pnfۧXZj;v`|^il0m,7fEi'Ry}`hԭz1c9dՑˑXBUWRZOj@cƏ*hr6DUWgsU 5. Lh \l`vvn]Yt!e*=Y'J(;<N/z[ZP4=컭ZL|v2C=PA.oG\˺Uf^A:İgi /4ntH%M9(ԔJ J&}r{5]/FJGW+~Z1ge3.Q=0JM5S}%:G.!˦y}rqf~}b~_CTx\<4 {[L.I;-ؙ5 j>sHl /Q# L2ZBI4̒v^X 2T$+>84ŒXN"نjo{u)jӱIn I 2E"Xp~VRg7qZJk~[ˡiU+U,]embj&uԠ=V)Xio3cP-d?tT '_q"Dcd?,e*I7٩s# x #oAgjV鲮qe8=k>DŽZjhYУ_@Sxbv&J1U∧qGC6W%]d }v=J̴~jNoDž;փCVض ^O ?/ߞ%h6_'}0 3h ˫o KX{©?D1n^udu6F {XZm}sg]_B|5EP&Ƽ+̳0FypL"EU@Tk#1hiEquyw )nh,ؤ>4=mD:e0V:P^/;_s6ȣIc2}I $('*g̦CH{bΔcteƝL! `j< e 0lM\-:5,&J;EEߨq#rώJaG׉$$2U l\ K 0mw*xB9:gB,E>C1Ծqfʣ%?0)v2L;5jLxg͢˩1w/҉s5Y2 ,N|#pR o_,$8Vs1ֹO J7nτt$W3j,'K46W`Q\KfjC"JwF՛2 Z#@BEcljBjϵҙ8 tYs%z .̘RdA*gZN ?K \oeIѺGH;vI"|@&ُH#CذIiu\;,L垓(74kG s2H s3=RX,-S4* ~{rqQVk#qBtjC#g_Yb»/\¶&,9q؜x.}>9/|oLpGB1 ?1ِf%b SpS V/ ՙa\!wq$G8Ebb>򩼳h3"IGO~Ļ:G eg9$dzҪ'1TIzƲo=0N}Yo,r/s}AM1S~O*"`EPu'Sjox嫄KSU/,3YU}vGWnPE^&ξ9^ߍ L$6xپ}V|Lf& gݒX y\MS A^ %[d,VҞ[Vxvj8PLY}H3ϗSVlNz>y7||lZ.&=Q8_{_‡vʫUjF^^!]kք+*".Kܔ03lu~HHu4)f~O:)_lx~of?)Ǘfz K魙.mJ`KiRG7SͺͶl3=9S¢)\jhQUgͱ#B*6Et(Fۭ a͌ϡGI9+&}(~ 4`#F2MĢ\Jw~\OndO#u-7~qBeVA3~ct8LO00:hl~Fk1 K*i\9‰jfbJ魆%^<=8ل2W\HÑە(g1 29I|fv YaH粚3 cCk;y\I3wB^'|UJ[zz\J ѱ }ic |!qx/ ݚCvv6s߀0Qc ;Jۏ &mF"RX\ݻ:x豎P޽ZP̿uf:1x%!Q9% \VN mg)TpC!xA>#oSb+/!S?[Il2Lhoa/ɸ]$W˧l#[-EA\q[ H[xȣt;ĤaRfVVb%RJ-f5-rдa l%>fD"wv|1LTV;Baohmwl.>;Qn93O$w о[3-3J3V .+9%B1L7[iY`>8AUoM!B k IP,>,M?V3JͳUfVW-5W !ΓŒ +яBMK!Zn IZSjQ#b, qw7uvkEncjB}(d57E:ui."/mk>F\6ӒGeqXkx,č:Rg!Lh5y` ,wg(_,6P; ރRЯUSQ1ۭ̯BWIt*yS$hUqϴgT%o=9bS)i Ͷ*aWy! n*)6`#«K&VIÍ%f]p !xDz˄Fto4<.Z3<]s 7W$<m;qn9\1AejT-' jAp5} ћȶ K ME~*3B" S4"0.iH FB˰Lup?` )Õr1J^J Osq)pŐèxKMKO;*ԙ۰YUk-YhgL*teDkyaO@^Jwq>C Ra X{~$=Qj3JbJgD4Zm~4nw;#ϟsVDRrT{ 6 GԿ>'aYz1'0Ce7\3%XnFG r& =/A4BC;憬I[<"cV3dRw=pJ=tw#VH[K5J B}<7j- dZ;YdG)2$]G ϋ֏-:PH_}WpE\UtK&85/}}I3arM$%1Ce^!w ٓ)ȟ#DH>. d0 )U3tв{a^]`HQBfx 4A6gSKjA€2wA}C8?; FRϊUbS"70!3A#`V{wn36[ &p-1|~ӌYжN*R}V0q}Q%||R07SVS27c-2zn$-&,m|X#ao,NV{|HeLT>#A}Db{eO$aP"=ӏi '!3wRHs69\1ĂmhpUûlbcj.ܽbaC@zKɶ_V1^ip[يo)mRǐ^iw&仃&K8RM:iX!e>sSfc2ǎUVTⰘ8$cWO2E$1"2r[ϞT, HxF~߬f#:эr{5!(>>^(#), y>[,Cԧ. z\f$og͸ O+Y*B%'-OW4=ۢ~m:#jqu2>xSsQmXI[?5ڔoIr_,5DtK*PQv 'Z4jzab1RuQY\OET&C银ҫ >EpMiƍWDF @l)H . `ph@?V]yRh#^`<0x8/l1}(n5 =z푸vy26yKm(ݶy{e9m$푥(]e555";ava-v}q P,> vPH#BDVs#uBz$m&u9"/|4Zӽx,$-o@<-Q8oͦXԞ=<0ƮF* 9sAF T[I}ozJzZ-'4#0v|X,^ZG9iD1~s[)dÎ 'wJkc1 0 TIۦT.hZ6U6o81?{AU- Z$d%)'T׻ AE"Dt2FĎo^{N13[V\﯂-'vr Rl< ͎;|'8~ڶ&%l:P"IS|)Vs74RzۑuFc.ԣ蟩6V\ N[ԭ?^#XF-ה2ޟj_cd(U>ޯILeV{UeYLۄa=Ѐ!6~ VT~vh3RuZ ?+soJ+ouiqPG\?+Zȝv$NF7+p%Q5NU%L1\*!r^i<ȶق dymzZSn Qa\ HM*&˄ 0'{^ fiܖ?AQtdkSKO9V2>zd?[iKw~D.M$5yex/*n;*dA*qפwAf F3T)#uB :4Aen&n%\@ tR3s8QoPΠc+P‘o .i8;Jڳ JtTabK):MB]t:RFUj7rf3j`P~vKr@vٲf\(Y]ΠeBYedř.կ/tc 7`m%4 {(@C92֮Uh}=.*M9`}xu3~f4rL=b͖qh\9vqpswYTfs;v-@TJ\}z6\E|-zsum}z`fJo[A0Bx)Cy~< ԓ(QlA +.vHE<Y+cl=JZ !hKlA2/&DTRIXQu\"o9_Ti 6} !oN7cGL+h|*7Z7\bvz(I/L!~^0MCNj*-(`x*qlϷ㴣?^Ҭv6,ov3ZN%9..!Nsfkc@=n y0׿AZW^q-q ,CZOܕ~[nb9v)LQ J'jKlL)Ƚ3rlI,xq=0}k3Gw:CMfU`+,$ނ҅?2:P &J* 3 +:l zgzg4vո,?ԙ{n hW( $=Bk6_!1_ZC6>{je*Ǚ(=,bMGߟJEQ/cbt;zE#)@%#) ͽd'I}|Zes9=dkT\`yp3H1öly.hH9JdȠV xJXd4RWﻱP;|i;BV.wd; _r?V-\YsK6.8֬;+U`<\'(m J`'gU5jϛ]? z$$d;x sDx0-ϼ˱]٦$ T{:F gOӶ֗d2_,H~)U[9,f_ "ؚɞf7gij age3w`"A_jGpǿ㪓+1g#Ba2,_l@*IRK4+nrֲ Pڊ5PѮ{3iv=`.FJPSI氪f60jb?'b5E ;<$}?Fţ)Fa!Z6w:|t:DhtBͮ=I\?`YDp[8ܴj3=,2u Pj}K]P ["`D[}ccG@y{ydD k{U+m$E<&غ;zIyrOfO&o[ux|%Dݷ,cB-a綆*p-t,S7E6z)m3&-y5e Iuj"l!84 d%O0~dv_ahm;r:(jatl@`Kq X }>+oq{0Peձc͍q a[-~V"4DJ7ۘi T:?JY⯘'pޮFgێ$]o)ޔ4b$P]\tS:#6Ã^v& ~ 07]bʆMI֣ڮe>R!(,Gˁ!+0r7@X2vπv^RށIQ諦gRkxi16'Dd@mwc`^j.ܒկKnͩ@e- ˑZ34J7xRNGq[ eLy٧=޲)[p| #٫B xY:} ~츭/>X杝![j|+~ꧩJg`7<8`7mDv*+37)wy&Aݞษz܊?_0›:(x-*S_?y ˿^:/`ar˷tJ 1T+ hҡPR~1# E@_TSJCP]|VڞPx ]RJ~]]ZTUcH__݌ 6`H|7En;z݈-XDKwkUo;\sA}:揙$y(ܷG ҕ)FWv]*+4-6^f^sb'ish~dBМP'wR?k2LtM6B8h u8ax|Hef{9{ nj`rf'Q$/ ^אIҼ*YVX~v\.rpira['tIIXKi$*1Mּ=- W ~ wp)z9{7 #9>%^urBݠrA-2ٮ%=c%b{>z RB~1kf0\V#&JHh٫W" #eɸ'^-΁픚ϟ$ _2@2{Rqi/?`6)B JqC{\~aiCѩ|d7~t QB%NaK*h۞~yGmW¤:en2F`rJe`@ ›fH"f}W!oVE}i}?Sd>aJj>q?e`7!zw\sO/@>JKd_ 8EqQcLNjmwj3vϡn?tXߞ#mt뚔x NkM,KP^C=Q:>XhӇ}qe7ؠ,\p%BIUg<}ekh^Gs!cejyCi#Cl#2;|3Đ΀SFg벤ߑa+.9Dۻ;9x쳩$ F!S3%-v. !.\7N?9ʹNJcʃ4> d]FKE7qii[k$٢I"[懒I?wgwƥXS'N0wٳ65xn~ёizͶﰆ VyB{f]m˹bvM+ (HtŮwF :9f$M*Ð M4~dm="ݫ'h>5D!\ 6R$ym.{,ֱsф f#g7m\?c=d%F\YRsWl}@'wmůU+{5qk";Wox#@Ͷ(qo!8C (axU/ϕiZ<6a߅uM,h_+r%ykxU s% Ulޟxsf7.RUD 젗3ki(iըg ;MTcEh{jTj>Qn)ՠ;0do44%D4Gmopb;IWq̦eKfOWE4uΐExaRMsZ.pMI >;cv 7ȅpww(RQgʩ-69 صQ N݆!Ps%&He=s3@4$>nhTܱ6SϞk+&][Rt7ĪG-覿L#nh/3I<T #UEdW„N^٫ST֤#W p׊3lD'@#p&pp}Mj '^r6 GuqViNĤ%"[%OM>Ռ$'q3T20񏧾\ 2~r aP[5Ru8_{#6XQi hM baE'xD݅)fRLK!x~pjf/iN|j[eдTп@:wDy'4ϯFA7 D:~b0 Vp=ʩn8k.RsμuJ9pnA)LU/&Zu4`I{&&$/ #] "ZZF{L|QyY=ZSv SR:%rȩ+D3y]zb(l cU5(gy&=1ڂH!r!yЕ]۴NruD"' h9\"V]`Bm"6uO5sz2iT'j<#M=f*H {rͼeU:BWzzeVJuryqX}y]Mp%1޲J&#pX/1!V4ي=z&.)b_Ny27O sv٫!흀m,Ӂ`O ؙoF|KV&3ǒ@Yv VRb;8Bfɪ3<x솃6{,#N"` 4H9 %!M7^Rv:,'|_W': s45p2ˠtѣ;8p+g.-}.EOB +hsuݸe x%PFbC,lO1ecfʧ&.ت_6!e(7E8:R:" Z=Z}$ %9m`Jz W8n +PKo~(:Te~PeGҲ?zW1$v/T]lYfz^T=.z :K#$-5֝.cup&*dNN(R =iʢ7FS#!~ʤr碽ԬJ^4MrvqTuq)-<+|n/ArcPx؍"Ao]i<ثiZdx u-)QY-k`"GVDvhwS;/s'UO—26K.Hǫ |;ӫj[)aaJ]n}FЙh(~-@7]( ҠMT:2 M!"uRöKW Su<ҡՔ's@OVN#<u21;)|,^';zsRAT qF,jhͤ˜ո"4; ~'P+O,,3S*1Tx@ ׭HIxӿ*NIfܘ xBR/DT_ȞO #-fy`ltC9ZZ#H+jmrђLMz7%XM1y3ڼlnaH͟0p8(B?E 8r? U¨mb2YYd<RAᎡI^b ) T[f0#h=dr8XYk|#&yH^6xsdg|ؔQ߫!-jc\d\Z(UM3 A^ʧރOvZ?1Nvr_po viUCR> UkM~$ *DKtomɊ4ȰxU;[3gUI*`;WTɁ8< v# /kQ᧽inv1Hyy׻z»~8n*,Y,WZjsg ~AEf2d[z=OL\L34\ftفRw~x8=1JBCD]LnR=śXuS"icHϧ 1$5skPĽF~tnCn[Hl'Z5p@O\{,x"YA#.̜pFn*NPՕ(,rlW v7CtgX59N"ej^rsZtfgKwg?[X= .у$b VUoޣ0:o =Yk_*bg?0ii-9(cg($#e,?|a Ku̍F=\VҷN!ou#=ev.9?G--єwUM'N5/DNAr, _<2{[5KCK֢W ?c©u"9@ %iX, f~;ts]C_Dz^\+^JN&U~ߡڝDYPqoۑw.Є Ŷ$oђj]Bͳ%MP ,F_xZݧVwnB!&T\BBČx6clgJc'}C4<ϳ-ɰoٷYflblIaǑO!N!s&yi {@zs6BbvsìmXoGH|܈Q4cXH;}#sOU"hݡw<[jŤQBW2va'#597DMd"&zr9>)*-&$ɝ&3Dteh1%NdR5wݻ%FmW2E}h=/Wt=ؓ}&R{#+VZ/Uqd# &J@"|{|ߑZ=Ur'~N:bBdg)rx0VFA8{.]Z!U߼F WSGpcoc6}crɟC1#j)4 $bryMouP(Wp@)%b#GiRQ!k pvX6ߋʑ, Jw [HѠ«?F夻]ȈjZ5K~MQ9:RiqAړn+ƟwClc}blѬq<3b9x'9d\46?f2ҥt 6ΒȨ,8)ؔ82Д+0 x:w +>=j2)*ӎm .|srh 'AƤwz{:"iYmJ kDY*׳ xIo@,8ΠtLpyH .D0؂Tx>s}GC_eU.HD f11ڠnE0dX<0exnk)yى9._uœ @p,f#G2v#g ]%i+c}X7rH!Nƒ7y4hSs:ɓ)vvfݘr18) 4j/pDŽN͏XcBvcpJ};Mr؞y*fH1{X[(u+/jdN;f|fQCB$2K#BҝFDkhz94xt_ T@/[I0KbJ~/Y^5r0+*DUkMM_Gm {QF+Q=ژ?Y\)%&M$"2ƶb"f )A_ { @܈1 N555?SIŒ<BRc)D$2E+y+wMbA+kNTnlbH僵eOspȅI;!h0Z֭9B 8LU͊ g."խD1fY7쑪|Ї4:.=-R ٸu؅&"nv#O'J pҚN_qtԻ.ʒ6g>GtH)VA\moH ʀbX|k\:~Em~\ w<:)hK0j<,p֏Rt!ȵBX/ze|u3,<.GI Ϧ4n6sW'x{% /=1Yt45 n!*e9㑺0% BK ]̲]mIܜLAKޠ7Oadj|CWҖaknG7 }P3M㳾lI-Bz5 !ayp0{\&:oy3BTfW4,-$.Ҽk5i6*?"=3}eR QƧh%TWyD]"8gQ!eb|£=I dJOT{.o\^sOQ#dR#4ƪ@6K@iQ l&' znXЉfQwST jΔ):)ގ.*SA6S!Jd~L;/20IP< +!O(?֗ dw^h(8 :l{J,c'IFY`ao:#Jv;3ȒڌIB9o{/'Hg9;{dH$trZt),L@hP;ͲYLJJ'2u}_H`04GMg+E PKZ䰣Ӯ{]9א`|(% '-gvg6}VS<Tks 9jdژ7r-=9''MiO|r0z܄t`)vB9] omb/jͲ7ZDCv;1l繱<UaE5-L'*`P8s`+ߞHcUljdzZz9j*\mqDsPAnJA`R ̮57Ō[f,n+^YUX)/xHv/W=o5Cx኉p?ԆNEgs۸\bT-Ҭ`slzڤg̲.9g6>MH$Ww+ seDB2gSxtV+Nh!"XF@'t$Aev _nK# ;/DƢ4.ў {.PIS\ySA._cψ7=HȐ^Oa;X}jQ B?h a1.ek}2ftZ=wl=aP 6Y\%UOü@16R;ư/ _,w@DɔSպA5ÀDVb *^2CHnXQk.c>Ff2VwYNiy;Mae˜\+B-.0G6K#ANNiEgi؆p^DzBf E"cUfhuOnךGXRCkhuEV(^P+Y }N+hK]90"aKJ/U9֯z+u8VAE/|h\0__/.tKWa:ZQk>N&BOɌ!nӅ4ɪ9 ?8<>Y^NMs$G sGs"diN  Hޟ.3}1ho)ܱW"ˍ蓾@{#{ kʶVu19?zXi}@6 zk-D^U/ ɣH(cA#t$_ߺJ;kI q(%) bdYN{u^Xf^Ull,.L5QQCDCITk6$|2<96"%MD ]b#@A7"T:dEp"(ugSѺKgO2\[Hzl9$ќ̗w((K4"wٓWBpYfI9o2Iӻ=>$3Q25@ Lʃ5?SǞ^I>hCK@>޲2Lg{?;SUk;7; fܠYTky& X^OSAѩSyeИZ^+OpHvO1J<\ZL3Vb8qkF@4GH>#W묿cOlLD2YM}3"e(Ѳsq#pZjv]Dov{R"T$>v6"%w45W嵚XM}ZƏz!(G> k^НK3Fi3YӴq QfRAq-s5f LoRrH6vXDMWo.OX h2$ zymU:͚A@LΒ/I:(sX+UTq&onzQ.x^ݷ9DR>1~xOy\/#Yv1d;P9f>;asaOn2c,!&ա@އk^LxCV+J]зvXPH, nrW;'h`q1{nu5"lzk ; —.t=H^˚}YHm` ݂F maX+Zsʀgx$RƲ1c>Gӆi.LrccF=;5* .(shv3 p*:c<`}-1^vtJ\2>)$;c g!D?&ʨ`mخϟ=v@ j l]/V hZ99,) Qc op?xC[;QŽGtfMa Ғkycu4/[ۂm͆[V=DB2W*(g^Qc!Fg-Ui0i~ !vr rXED,5584RDF$e6Q `2i*Cb3ϗ{51z_wէAgX[H:ϧ..jpLfXngrx:(Ε>IVjS,K$zFea变Ht2/y2Cs6ڢ./"4켋ɭ_Ow^$S Cվ[~4uq2rtfۡgr&N4LXʆ'ށ݊On2RM'vP3?䋵oq(Fu{5$_vn%08W֠~Q:/ vyh~D~'b-"w2K)rBem82X Gw'3klx0[@6?z ٍK^ 0JE󦮑_%eۍ7To#xfW3f,ͦCoܕ0z2 Pa?Z3~jy)DLir[ J~Gt>-$ XKl:bړ8ZY|En[Y@o=:Y5ĖҔ@ud2&^c t|L~= imy /Gن(gTE₼8. ŎND_Ό y3gx$ļ=mIM^w^ELպOnȡQ\>=TQ;c _]>/^ÃX9dKR[u2ÚݳA/V5?9c 4ф~Qj_T(їY;Lשfc"{涴-hR[@>+?qvvG@95{PjZ=0eQ[, +"qݜ⊡IYy-. Y'SZrNa=yZB\Ur".ssGkŭ3;S&ELN>VU;@.Xl]F)N:2pWxy:pKbH#-_Aa8R. ƺX6\Ho$F>/ Ik0}mdKf7nĢúsHBZWʰk9yYT svI A!i@\U8Hw_S76nƽ=ȡE⁅X>EGMN_D fA vH\ |;;܉?;3 <܅a^ZUE )=) *a?9^bRT~`U@QL֍kVd{xImne({^iF5 N7Yo+?ciSv.JK!QK]\N}ۤ"N7R wJ3i+&L?4\v%:ZNhS 6GהMƜ%*M,DI⪽@Ng`(hyJ*:s+uނ܀SnCTiLsy|v4)׏K(VexbHWQ ~t6Q xIyԛֲC<[({l6ۛn7|_ XEh`VkʬM?cx?UP恼ItPXծj'-, we] 7qHJ$%S)] O)pZ"+_"%_`B)x|Uu)-}ʐyObV&Եe 3 `%56%DY1KXǖ+Le#pjYI'W6\M5 uO2eox?LPWi1q'>鞣)ͬqVChsӓ'+GO=kmL%Vl'a M9A kYu"Fw9[!o51ggȡQnt QV,= ' ˴ A֊}@dLke|~6HZs2u˵v*fy>f{A+-Wgc,DRt@ 0bH7Be%*6Wd^#5J(0݉{pXXR4>_!.n|yI{::[vK +d,&ݣ)fi!O\}-EQFsXaL`Hi!~w3n.&Q!Q"c1VH28X|k frůkDz}.0K3{x] @0y]_̧|k=}q]1\lA @PgwѰU<ƪYnd1N{x+_L(Y6`TJ=lJ"-lk@)KqSQdE>ż\žb eKhzgxAqsn £4~C HxfKDa1V_V9U⹛џg~Xs}4LE8.s {Uy&l Ap2nP^! H7 R^yLuH)چx=Հy]B*NglZHm&_c!dKh. '"$'>Gqn2vTB+ἵ zfQ5fPOH^uר= /P@ *t]'/ U̒,f%(UZ?GL 2¦?L1{di>RTàl8D":'aZ.\ml!~뮿,n Х U׶BȾ|(0t%9Z a\=qjҖݛa^A,g &E 3F>'!+zOʒ0\)d: cd@alXC2 zs[~ )Szع%ɪ T7w >=[72fkhP{ mz(l(xfVؘp1ˆ6%\+=C`v܈mL>Æ@yi4*+߬M2^0m՞cTRW Ԑ9eUwһ?te[%} ZaH梅KBq3@MqCӵX0t*`X_]s12G HzVhKU1(JԨ7Ð:[\M6(S> zB!0L qPSذ䗅X?Ezd7Mf- Z0i#u Y#\"v2OӨY,'ICJ)~\Rd4_ɿlyN;m2xƴ" 9)FP}i[97%s7n<5㑆w:   [EA?qpVʊȮsi(x\΁?mr({sпJg#Adg1H,]\딏G{eASܚ§Tvvr26 1;Y{A|{[+ƉFwʔnQwS)II9;J319f/x$d/qqȇѝ7r v1;Iwi]f\~zD[Sk6QH3ajسb/yS1Q0Pfz A'# 2@%۪ l-G P+qA 8^t w$knRUR+XD/.i{n8a,ފԩ>=ֺSW*^/{KZlKƟWB3oj0';}_hPi&'뒓._!!7~ώ01+$ @Y"!)*v͏k9>.Z*7<]LTul<-D6X5 'sG c6:"lT/%PJ@C-]U*!ikթN8I_@rіhG`j MΈj\B-%`+51ۄLhv\<h1o it[,C̐cħ$>BbtJlq'ɠC#K⺙3%cbZY*[ HtP^\8ki fq79EFŃ]͝3@A q61,kzW2.$䃏s(]-^qfLՙ J36hvqI[\eɠ?_GOjN."1s1{JJྃVHyL*ey$74"!ZWN]G3EO y/t7%??OX&z\5<¦ke.&qIӈ"|1_b}\ ďZ!c謹>RYgް-_P%P! W L+A䣎zV|BǢ۷sU>yE.ݡ0?-bFMӇ8P]hn\$s@DZM+;MfN`(g&}MjyYQ *v~XֽM͔5pV]N nm)$e TM)=qaz=zÈ̔a^ፀcn`En Y>gp|f;u MF1_X1.=N,[*Bg~U ;1g~x }9yڅ͓om^'?+ƱDI2F6J6ю]=m*F6ögKP-?@VS)(\5&w)^D|ɺ_[:V\V]%`Sٛ_7< ߃L[[H1##zGZqDV`#(;V j.g!,G14lqxy&?%vL^'TC-TwϬHȧ-ӰaU=4vyR)?Ne8c-;2l7 l ̼Agfu(oL6O*>6e( juX2_m YIjmySy!JtJ z7QJ*i/=q`mDOdȂ HKm ː"a٘˦ 9{أ$hjl/ X+њ(=Cx'ǜQG`=^إ}ճ󴖀=BU0투M[^d6 cL+[)nE*< !, ;%-k,K-!>¹DKdٙnH  bcԾZb77gߥ'O$aG69biZh ).6zU/+hHX oe+NI8~`'з8t"ߘ.+`=)nhWjOa_[{(\`yL\ʓR8>:iwܟʧ Wo(ɔ@nr Z.\W1.=̭q66\a}KHVѧ?%LI׉,:V}$Bn3fzWnɓ⁶'z5wM<'tm%nĤ(j wgk )$-sImOa®|ֺ%?S&LdTZVNe(.0 ^34Ne4sw8OFwRhoR[g٦Vn W3pr4crD Q{-2-ۂ5v3s_N l/@X&/P㌁N-$/8,f~m!"T:WePbHLD'ݓϓqUa"ydR;"@54J|FjInT|dǦ;.0? w_q8l~HU{E )D!ussb@6bB?: d_nmz _%FX kl#yQ(k?]Ib;&x)f_#/jt,O dy5@i븦 Ox1?Aؤ>6&# e˃b:y趬 h܄5Qo#Q\.Ƈa*2X n|:uڇӛ*mB )jDL4Z}'[R~UJ}:˴u0 !!sJT%F㤓{ 9.Xy'' {⥗ɮ"&#|ˣ@.i'LbXO߸?NdzuQqoPTv -װ $NmGxj9BBxUfZ$O9;ۊ֟)8+_jʨa9r3^Rc֦*{c(<6pMЅǏz&CV{4&H%[C[btsşX8Yr%tex5c? 1Df'3&я[S{!٩~)&=(=P`ssW1 "y줽n8sς(<:>k"}2e-Tyh~~"(SG k˺vfXH&6Ӽ=a_?f</5\lG=6ʰR ʫ@/СP?ٯu7Sgc|]FÝ16n6K],H=hC:) d'rݬUqqdxKI}8:g~rh{KW&=N.\H=rQ pia} R'ot:,8ڨÙPg&Bu ~Kxd6%J!qsuMНgۙRRE<jm7&šzf2\c?|SuCf'ٖ?g`e4Mq#Xcosl*, 1e@gφW ;딸GL}z#~rr/l Nl=& 7z!Ֆ9QhƖV>r]?]. i&Q}N?Z*Az8M3?![Ń/~`ҌԆ|?)7ݛr֤:1e`ajΠ愖'}Tp v O(3Wb Z|B]Z -Pڰ[1bY&Ցڟ%T\\w+F.L. <uƿ#)̉r,6 QjF]*Nb&x/C=3BݐQWҁTȌ3=mMDy=b#6ϭam@!φuy%/gb%V X6k vQnܖ(-'}|~, K_Q"ӹ53 )ڪzbcmd[Ut"03N|PAMjPbn)n4/pA*RV`4ׇ1ۼw-ap:Zx!ī:[YO N iYє4aMaHA)q.tAb s* d 22/'S53fØ{}P 1'}9_&D.-$!zs&fP'cizpGv$:d` #&|]dunX歊û=8yŦ[?mv{3Xe`t- z^dL`^ X-- ;f0Skl_ZSj wicd=vޕU WVvsጨ~Geqޢ[.-z\ `ygi2ÛC DyV"RoF##ߴJIЫ}VxjDTjMTߒؾ7dE+OD;|+BwsBN&D@ ū 1]:huʬm ž_-\8x0dӚPbSqy$`kc?ZOXFLۛH;0pιtK(z}Z`(;لriS u\ﶭ!55̠Ayg'oRZC|f9D5U[dNY@q=wvR@t순Lt,62#!8"c=\q3nagY B}Z؅w<0](MQO^P!9OErsc N(8YK1 ҏ1[8Z]KN#6`F?*GWw."&PlR9(z3 ʑ7B|bc:j vBTs:nPИVG5*r'ϲ-M@vUGB=W`=xw;g:wJ omx1ƶjsȷDOVߡ9~V3>=ljaSQFH^EM$.3!xMy>E!$ps3gk+>PϭihQQΔ 9&@k8G\oJኝ%$10ux [uxFdiĈVah?k =#^F.iE6{(@yTl9G&@PV!+/ft#W9 ֠w8?Q=~Z$/d‰*^NyK2C qW|1=<*n[oM!5Aшt%eڣ 9y1zE> ># 2}9zv+$46*%`[n+C['3ɴr]Bԗ6BM}Y5 AoZ^3F֝'C [p`eօV;gO:*jwq}f tldՕ d88}qy('2+7]zrYyW`6+F5F^`_Ӗ\y cB˅+R eeL;dƝ&OQp-V7}=_q@ xӲL3Vԩ3[ǥ C@j,Qkk暓s%;Qdv[ PLEVwu*X Bxk͢᪩|c̯ň#C} zHlH#7HCl1#R#A ]恻5V]]mEl;)4t,UI镞 Nux/8saȱz_5Gw:dнS͒.MT2OyI#?NA'7^{ݚ@dj CY砄Bfia&|HDr< 13{gW j%>] Pc)΄D?lԏZbdAG6vZφJx W8tȄ8 *츻;Lh,Ŕjc#;2!'3`Kǒt3*\F9Xt9M|sa܃E2Gxg 1A+d} ,w~!̡M B_6U<%DO`=\ z%lTJ72>^|YVXk*stxPaCnx%"@Xm{*i&^D̋ 0䬉:|l+ 3t)ީF a6)>$LXL%r9;@m߽^K , #=Q#C|2ZϏN!q>}2ccd%s믘<=\w&6V|Ӯ(`!'B¥vP;n܇\)R;*3\Q#OsHbW Rpq?o`)erJI,>P,ʇF"lM,aѺxL\ZmaxզtXZ_B7IpݘZsWیĚ$S"8I[iu.#K5Q50`{'T DMS@y8JH Ycɠ#Od&N:6v ǩla@]80{ؿR"3z?CjSoAqO*$ڤ*.SB x⳰u/@f/*q#ݺ}6+fqyU {C$騭s7tlzl^;7(@Wd\۠4S\/ӝ RDo1XPu 7s"3Su̜*.ݨMц7FAfʉlkWfG%G#ٶroDF˹ F_xXuMBѐbiCS|K=Mj*~Lw>0S-ռ0/``4e͍Lwu ,Blꉨ:9)˱|qԐ2~]m^ KwZ*\>ww2tpL3#%q..df|H7cĭV, N%]:;C-?|@EoˀJ ƗAxDي9ȼ*2c u4tm7+B5 q5{8gs otyl;O5,`*wg X>\H ˪WIOvfg5T-׶IBOHFTp U.zmv , %pD:.p &-RKr1`xZeZe ^neii=ۦ bs!@ X%;XD ҲJ[X#^a4O_9 /(4<8XcG^vkBʉ8+q8"9y}jV}g̰>ĩ(!p1J֘hQuM }~? 0>zqu;HMF<1OUQa3^Ʀ&\Y,Ϟd^G J6[& 1Mh?ةs\baHeM Ky7xNgNߏG1Aeo-[J 6K:pHGN{wC$0zaVQq:$+d`RXzB,?BPWc yEK&+%M΁'BL8OF%!Q }ukGv? ĖKN;o.JMI\EDV}E?RS' S&iAR.F xA0KY$goP%Xcu?%Gx~={_n.v_s̤xVZ;'&h spޡZ|5,F? J4Jˏ1Nuӎ8bЈm-ı!ë>ȘUpӌ)ݘcQkgey:>gpFo+ʻKfRu2^p*?Tx-sKOӒ?E`W~ר {;Zs>¯) k&z7|hj׃ڲJ9_7ǖ;O{[X+]YK!\wBTjɲ9E6ݿlA^ž v]h%?ޔ'N>DiDs3RwDlcZVcfTObgc(KgS/Gש>AWX,, {h2;F3aa H175{Hw]>ЛߘT49ԽRh.)#l,\ Cj~'-Ȫd`k69+\jIzfcjcI'N%ufIQxFpJP'f-`eO'=j~uBjbϮ!~m2ڦB[Q`??긬GzXI#GJ^!X).ƻg=!|0Di`PMQ{mώ{\R 룤 ?|D]ג &%uGe[z㋨-;lX$HZZuS(^,p8ii61/_ k1XMI AZYxKA,#(u,Vs]/8ϗFKM~TDdAzοeLND2J[SpmD@t96 ⪤8T,b+ z]5i1fYrDME:[`VeRn$?3.F"굮,xYwlZS_ذcg Sa`ϸ9ÜJ\xUBegmA*nťM)ϙܑ7V6 sի[k0(Ȭ|%q%k13gN+ZmԐt%9kW~G';FT);7r;l1\LZlmUiRIڻeT+Wph-`R{Tri(v97`5CdkPl [}]Q0;zS{FL5/ o-`@&##H &x~lTҠݗbC?*FV-`"IE!e[7ڨ\.<Ѡ+Hwޕ"?M &6~ 4B 'lkc{N3^1)"1(/W2oW  ~Bc|_]:ɢ R,Y @eVN ˩9AyI>~JTu X4V..\8ph_ogҬ.AR7/C0wKSV>z)DD< #וr+;~no{I-Uh2~Dž=ӪAmRM{n$CmL _0_15WWNJA QCA-+gPlI9N?Dgʞ84+qM9Dn܃_ҵ /kI>؋/BNP}A.BȨIgi=6czg-,56T pzjCq4o4MK?)ltQVTmC]rp b=GkgDB`+m(b.a8p+2fF~˪O áZԧ4zɐ)LvZ?e 3& ^|A;Asjw-U%#.%< d#/؎"PNKVކDQj M%9+P2L.ڠf>o@b "`a/\.[j}2CQ:b}c Pu9I\J'HMTsF5E% MbEe2D)Za:r_ȗT?&Nm+FTKԻs)Y77`FüWJ3a!'SK6rLƩ\wvcF>Db2Ta4ݱ -7̍+Zda:zzn&qnZ?[kDj+nD[ שAedlZ:|Ag0Ўod/Ʊ7򐸱^721v0M5oζ`a_# B5ɁŤM5Ӧh_#3 gnB&L G0ʵvTiui?g5 ;5l-8Rn|9d#b_`{uЙۍ';#_x*#] Mx/_^lNˈ H-%sHB*p!SyDq(e==msA)r@:;>;PfQZؿ ]`K +>"6 1o.~_I>t)OMmd )-)@.5&'%oP4Ԫ0>*ECyۄ7q<{:࢖(Ţ';ĝINF\uF~G+c=%^_ qrb~ :U bԽbdRӻi73σSk^H0 k|K iM$X,Z1/(B3[s ~v iD,5^V$!$ ¡)$?@dhA$FWfڮM*sS=9eٯX)U^V34 ;uO}l{ꢯg{J!_q{QI&gE/Q/uVjC)k]0 'U.o21eG q r30YR G?,͗ N]q|X`P_sǻ? 2#c`(14lG;}h`Yiy708M Dmuv:|>|5(ؗ#AQ1ߝgܷ@ʳ?Khhm4M.zFANԛ`[#8% ހRp9-+([`LF@)CSY&2X?@nڿ]GTˡ GG䃘u-Ԫ̗PI*t'{𹲦ȩi/dA5sq&?-=U??];t+v!T=H31WK ,Zf vJ^ʓ/ -dKL5 Z`w!6V2ufɜfIl3^o~z$u.3 xf Y%5v{1LKEs6QU!I(V>Ah30Hq|K7}cìE;'/kh/tqn[j[Q.C[诶(Z`8T\^[ X(I>Ut0dWaB!zZh\]!Sgu%VF.%"c1VDNրD"BX@p A42ҥΐBsǟݮ.6%bxK>(eX~CD/ڤ{jYVXB> 3`@ا[>Y2x掚N\鷜l%V》VoMv_ Z\C\^-N窦I9`ٳ|qvUIaL@d_s^Ȕvvh9%'tOְ(^V{Y:W١܂0 ?Z f/ª17',e/.LhwSmV%,:|%Cn>$0L;:W=DS*\.schlIػuuaIVBBnye6,MB& J| `g7@$R[k>WYZ>L8gq I պ'/-Eّ&;If12AIMDa m=(K4efDi3]+icCg -,ǜQ"2MDg)^Ţxp!ĵ!'M:iKk\9@:>Mh|[4HԟƠvƛ+UDc ;YgUDb4R*1>O -C%hxx@Ouq-H&Qx1+_R"2=JJ(&qUwf.ćec?,J{SpCaHB)Xt!,h;Mģ͸ܹȡOD| ~ӫ $״WjZUyf%Hm '8E)Vߢ%,rTOa髑a(9~",-e!,!NjJ]gO"$}-`wo<Ľ+Q"BvAΏ"[-Bn:o?]xE0jZ粸?Le ;o:ҽX VB'FDf[i4\m}$j2nquGdMlgd;7t~]SR\Se9,GgiZcO; žV0o2'ZB@@lӭk |C;Om?f? (F+__rfg~ 6uq[" %Oq#uuAF1O&s*()YN|ZnuaFLdߖ9h+tmr(s~y&Q_jm`U~o#ϜS&6Mf\5 72z%  u?Z !AE& 2AzI,[P*AeFO*qPZm6;m,y?eX_(GC6/|oSSY*J'I]M>oPۚ#(mxDfɨE+p H9,OBȸ3|n̝4v=g"k +`Õ6b/1+1GO{uU&Xòp2D[Zy\TϴJS4@ZDj]Z2{>q~l$=7 ۲Qu?@8[H7Y^)^;̈Pqrz+J9Ga@R p>!_T);d!۽ "Pva1l1Ƹ|,5C7"].{QA% [cftQ pش8uP QiESb/ÅGm;`<*x]Fǘ: {tՐCV0+'~ID]W/3C ;wy gE%s Yf )=v=$>Pɳϋ]5P­gaLr־e^Q~&\Tgi@4CmXc\R ȅ-ł@K!LA2v"C*$'KtȒdráh*H0q_@1|o56 tLj5C.848u8,l[1(^5f'QI1Q exwuaA/q9FH*R):qej{$h54\z=kdPi݇nbɍɠ{B2=:[j 7%~3\>bnWH ~glM\T?I=I+;mu E TQ78 >mQ=>~cr~\\lUes} T;\ 18%5YoYy]OdHr@ WƠ̲mx\m׀"vA^ b$_IFܦobyH4w8ʻD_mۅqZ̬FRVH/%!P/ƒ@8F]E/Ԧ@HwfbBEgE5 zZOΏ{UUkbG)x ,y(7> Od0K]CE@'ПkKP4/=x5@E 4"+u {^m:aq9kVfÀ> Ev_$? w }#Xfh <, e_9]2ꏎc6A(,=n',4ڂAJ[LgNChy{8Hԑq)oĪƎ̿x2-OYetw2gnWIw|: 2?tSvx\"n;eju6)p-6j(C? JFم5vt5q Bf"CFU+kZp+ I5M2P ;A€P&,3veorV  μ8+!CaYljapzu%[pn jSڅR4buI}r cщ{VorDR'׮~LgDʳ]/{( 1)2g% $=C67R:7r׳98@(ЈS0xPbj. 0UB;a3kdiJ%)B5M7<EUc!n?!uư=/K};ЛV C+$z>Qj W_J[Ժ/q]%D5jՔѮ DlvWzڊXfٰJ: Ѡm0456O+洨{<㯬m"ILh/xvǝl ~QC Yá5LX19v^ڥmIǰGGbyQaiO\hbNt GztVl;}WX2_}5E^fh -wgDz 6', h=-{E,:}J[VRڛeςW^X4UhC=3LLuD= {y5ߥ~˙34wUsx?xDqavSF3aj[)N(L)+sbF*hVfC. q",ru26Zl "OQ޴Z LveZ5^ $",sM$e@; !{sgΐ%~#J)ΕfUҮK]tha="XT /)wG$[܉=J3ڛD܇X*_U./oCm.c$e O"%EV%ÙiBʞ7@KF`nt g^hJg3LO1m^Q5C7RoLHT&aꨐ3%0"_WCm%`2Qx=WtNC4.pu߉7N NjlL@Ll,TfLQP#jSj "`+;)I5Ay 5Rsڬ5ϪTa4T7AdVьfF$b ,"gx L-%aūQF{Å_ְ&Xvey"?!wHi!a>ҭ۾$Tt,ʼnmB٘QOi EѢ`BTxbP\J11<&) i3{1Aй,²_L%7y&S#ډgb܎^4ȀY'QS!v>(rթMJ?tk+  <˝48 n+ZpL(ʔ*߇)Y!UJ;6w-=lߨ3F֭Iu7&F&iU FBf,i/J~"ޱ=Z3)?qp7btPr;5k?_9FFݡ&b*5$ϑ- D]~o Jml,OGᠰ8_)u8Z GLJ (W|#ȉ=ffdt `rjݮrۚBxy+ئR;! `Lx+u/y. TE꾿r)Q#AZI"o 6 vh eH`/TEEdÓѴ%N> hhB}[E3/+M"_>YUvxT}!c`bqf<;&Â:CTR;C$9V3m0מx6rҷȚCe xОKe?y [n_Ng7SϿ{܎jz¾Te,&OtFl4(>9'YQ;1`&FߗQ/tP*rw#Vs| _bd3`ݒq"97}Py{_5y :'Y0Wѱއ,z\I39x,t]U X"^o&}5~Uk(=KV*\9'(iY0ZXEgtGmߏwρwZoSp-l7\|=J@5Qz>,)bl{~f<_zVHhos"=e9<ծ D|{ [}Iau{X^mGRW휉^/1^Tjn+!/AEq{HXĦo͂UsO b Cṕ>`=XIv a _mE)NѨSY>Lmo۽fFiW%-mx^xeh.Cך(Ĵ7MqAMI6mIkzlz[WqB]2ةg;mD7=I k:b]g JTY㻥>cЗ/ϼC_0(ϖ1։c R YEeF ŕ2e=]G ~(F@~p׼ g|qmi_'J6k`~Q$ݫJ7OEtmf?U:d w|6|E'Pv͚K&Aɨఔ k˒IuSF {WB?? _ITKIF3tCfIP+Yk.2,0-XsIUTDGfb@&Gx(kA4:^7)zZڑ$ܷn{ez ̦5!+k^JW8P=.2׼ʽw]zqX0O1bә{o퉟9!({ta2ng,'j,CJ s.v/}]־Nj r{ +N6if!`5-܏68y'#LSV_OOaټXD<_$B8鎈T|F?^{*e h"6)/C`wlaT3#K2Ƀ5aGNjv=i3h~Cb32ʊ" `Cpl=bǠ{C +|,uZjȷ&1ĂJVlzrG|36xRMlt@ygSHA pW9aPhݎݡsҤhE!vBj :E#H=p> gVaO%{OyLAAv4rh)})EfNGnf|wAA(9o<9)UÛJv$ l|/Zs^[~`&"ƚC*K $޴ÐݩEx!:ě~:=ZDq\m{RݿIAUܿE,D-}1"4Ntž-o4c$8¸,#a&Ɉ¬{wx|=Vof-ő/8*[+Ň֬Y8~R.x}g\n* rk tvڙ=xz갣Rېizj@jNpR l]>l%&`ڕ&:QAtegpB4ͥPKLDK3Ù%H`4>7L/f <+x'[ .T'7u(3Iln ~1ņ\"iѨ@LMeqԌ0|F߰SҲg 24}EgX}r"\z/:o_r~~#_e dWq-F!&d)_So3W6W9e]ϻAVzQ(O rEnBn`=ݺtq8әL*'pn m\!tvlEߤmb͈QQp-P^"c^Jυ#< 2SRB Ԍz0qyw־9o|1k׎ipZڗx)rRNg*yT]w#y[Ev \v !I.Nª~ci8cq' +,UykM[g瘋Kor`n>x)_uѺ-֚%3#97M<"ES&*D]9g)6‹ϗ_ZJRjh#EGғs$B [9t?}#@ ɰZ^c7#]#<^eC6E ^W`CoZ3Ia ft3ΆC16Pv3U MupH5EWl-t5À ~v'R`;ՁHLy2 a`7 o% ,UZHӜ |7wzRsSġh9עD<$.ڙÍOyLpιnsoMZOePAxs7?*jޘ4W'/ /G)O#FCC4}OI[Xdʅw^/:1`?<>TTۡ=ҵ6c2C‹v~wPM #~%0ZrTa f0@Op[CvFX1e9FbTk۩8~UC?"Qqjhvzjf>}z}5oJoY|FrB)\kѪj CD TVg(}Pg+]rr~LmAH*4ݞvL>nPSb&C)4BFtQZmw Z3\qϨb^ ?j( 4aH cڗviӻOK0?ZBmQ\ѹtFF+;%Q+꼹뙆B`fC O##-?xfD1hF e\l-4SOaq#O Q%:'f>KȎie+d}s9E4PZ8V9ɔ{kzg$2y԰cO:M\2$냎U k٧)[Ák‚8RTⅠ(]p@ֆ'煉$nJn#@R>=>6̿R3$}VHiNr>#eC4n`H*'WҦvn*.-)~Tt kF,[2e4H*Y~wS"!dW'*b116!j<%_ƧQgKzRC㩛Q9vo0gH–P)"vPLҊL7)q^4W`Ϫ=gz\Sn@٤[7׫C|Q.U4/|$z2 :zv 4tį*8yV!ʘsMtIC2b)%ÝٜH} tk{m NR7 VPQiN™ 62kR"'^@ُ0f9F$~|F+yDE~Q4П)ej.vgqB&x Y_2RwfϱLhv}܋ZV^NNX?xOݞvPL%%UUpOӌ5\GPlZ2QJ0zT]gg~r7cgn_._2{\y("`e5c;=-s7ORcU݉ۙ&Jo纠\|/fث ճeBMxx:q\]0ыE(C 1i4|G+\qL ~Yc48x4ZNN̽K$jtti'4&>%cE}EK,;ؕ&dT{g۵BXCɵ۽AրTÚw0JMJ2]LR4 O8J= 2E+]:?>Cż+|KijL۝ȣQ^hu'5G(@oQMhaԧg/2g4/ݵfѲDWr`j5@үcOEG`ѵK-Z; v_aQFMT OR{5k7AT;XL$T62K)6{藐cVl72= =KC¾ Es+I|S0=t~͍*3@!53n-Z q8΋>OmK}K`^VP^ ױ1V𐟗׭  n5:㪢IX!PUU-G ͕Wu1y}$x+?̫}j́okL1HO|fO.M PxYR.qswn'CJ⟤{ʴJI|LKh;.?.g5Uԧ9$jusr}IBzۺG)8U}4vԴCU)שL!wI7yg 5*H*68o# IߓiD߿6e旆+͔۝Acx2<ޙ&<+%EEIWד|YyntFn ;ѧnb>OM ZM IBƣ3 rkf^3ks|[~)>9e`)q{DlOc=0W*A?r'LmlNi7c yIW&vkv]V֧l( Gv햯?jѱ8?Ra\ ZD"7bzny4 jjکa hCC(S\.Q=A WoKHU )[?Scn&zTp_lMȝDӆaMfо9QGXצ1WO4UqOn6ZN7V)/Yi@Ӭ^LԖW=e&I eZsQ ;!4$f78]r;d>#Xv)9a38kDfCAu$igx*~ {a(S{gV[3M>lyTf]޼T4 gduyVj(/q?1| uE4D闵 ޗpj^ #e_W3ÝP%ιqA>G]zpJ`nbhwy>N?}< XDX9 +9+C<,*C#EW;%ms4yx^睛)RQrYIvDFj׭ j`?2Zkòwi* 0 ]f s!]81xP?ӧUiߏ0i8H )0N~n#C 6 $::8\ ygȉ T< ;1Ab3Ձ2sԮfXx=/r &ySw&>A jbznxNG8lPȱ+Y-Ea KULw[ΐC?l[Dqyb w}_y:)NI4l3z,O ƺSާ+{XrtZ["{ (_d! $aʾ\PBO] 6ԫ@A8xv"k]xt#kYC[CۣvY8ZpjdR$bJ$bjַhy]O [ۦ`TKQ Yw`VI5K}$LHQ-PXJDJ'yqH}v@V;,vuE @kknYC:&A)?]r~]i"T~E˷nPpug7yLta 8>YĞJQ9#V~*{hCe{`q]!KF{TC{6[ww5! s2 ";DTq' . {k]p 6Y[AG|-4K2'60-bfHz֗}6S,~#Wy"_Z$]JD\c|(ؖA ̃9$Ǒ-w h Y@67iO궾\` bvj CA{ỵ֝N-)g/;`tZE`ށ7y2,vj]ۢ~Фʱ~}Lt1O-u.o󯙘XێQooCᅮ/kc{x s,[{3n\%"a*$Oŝ4?Rn^YhjK[1 =5viCo*XUh"s&`Ylټ.^tY"yA.\ O^Gq/$~u 휊`<9?]GgSqQrИ~}P0Mo9@) >L"u fNىWy~Bo:=Wjpq:ӖGQmO!͹TvupgLD/I6 2b 2XGvr'^zxިge0]# |yR{(BA(&;x|@&/ ȕ'AEuYYo{#O< h>ovȤ>lS20$e R#Z]2^)%9b?S.i4O#dy˃2M3U5@Aa$xF\zKG,218OX.iz<К ۾7 kT-# bk!o½ -\z")Af~n(E7BΖhv7K~s0Y0PoJYY|àT`ԀբͿrKgH.4h~827dEQMO4߾Ue.kVVin<@k= L˄Pū iɕr-$< cpK[ тups~lgFYiȞ{/D_PD8sQ|U+1.Dj8x(EF"DCڴ)Q iM'y?"ȫ]!4|161p=lZ%0Ob\&WPY6Tb,Iˠ+L n{y4Nm93L{D,oB06N˔W(|Yݯ[@Šz$pS?8˅+;(SR  9دo7Sv^9Gjܫv*Q+P(x'e7cEb[c̷yzA=iޯDhSh 9ZLi)^\ZAB:V 8x` ~"JqTLWGDpu83g>]~*,S\'IdrϤ=l-94rQ<̆MB 723dXqmM;I[kuVv.-X`^T+|j6^'S*@,Qe* x!a94]i?< aʝ UK4J:"rg28W~;"YO#R&?m-Tzu3o"P&XDP_͚m}ǭ}ӵys#K}v> swC9eA#*XBhi8|REט/TdBA&ni˰L<,oWo"mIpJ;*pgzLAl }*N RP MzzX#m.W )뜽ǟ lh8հdoe|))UL2$e.%ŚluÖ_5ǿ˨h@ ߜW-XGnG_J:˞>s4S^!lXuy ; pZ՟`W~fy8}2yz0k>ѿs耕*150M?d1,vZ~pC@s|/Ǩ-Dvfˮb&]Y2ݛcK )*#bȃ7 *?a3.4Uh&@RkhXY`p~,ǞKƒzڥ&-i/5)nʘm]~#+f^=Jqi֒m+Dν yƮ#V.'q ;1Ny&G 8J# 3o#!IN',?7s ՖSLM>Kw{3,z<{cfL3d*ܣ֑F4*--a7~CB:"pʊ-S vDfMׯCC޾w>TmS[KsaĀӈJ1;Zdr(7]=Q=ӝ`5++(g苩)"q*^kQ3ѥⷼYҋ# ɮl#Y?um3R\ǑjB@i]~/5/(U$ U֏^.zPk@9=yA0 'T~DH k3Az 4@9Y%aCڑ e XőtMI^Ķ?,}۔J| *1E yZBEzbuYxiGMN'=8pR;N>,L@1qal7W>\]=-{Ӛa8?6৘J!BSƘO,/qw@H01 RQl:V¡jnPk\0H8A5h-TЬ3Pɴx3VRל8僙eymTk+GJb𡠯nIFCJC[_k+.}v0KK>oڌls81. >Fj NF`XSX?-j!Jq-LDYp2J*͡v0],)ov4*c<-;Ndj$1?9?GC'`? Urn1d\=}k`>vl59أ溿-g*6x3:ZCfOFK9o =.99qכq2mD5݅Oӓ7 kjoDJvޣeqÛ=B$ ~Šex9aNј60V;/6D`Km6 [Hy]K̎@ƎTفOOޟd@_!D7 V C7ߌ2>Xc[_Xrtp$_JY162E1S MQN\ JJMPl1 H - W|"#!9 Z1Ln׭QH1_۔ʉ`p?,JtN|,WK|vXfP1 Г:)ʛ=3HFkѹq~*6Ra7)ؐ-̾ϐ*O&xW_jCL~k]ɗZ1ݻQՀ06$ۀyƘ2S :M{jB?L/ƒE?$FFS$Nd`=Of [':d[o$_ɀE{c/ d7U:>oR} )8~EAԛ e?7$CBZ9sbSߗ&6suzАF-%Ć]"^W3}\bLC]$|aLTg5"]WDkY_^7ͺ@I!:J6".|>"Nj9}`SiQ%>]VujJϙ/MmVojoA> E&55ƛCec% HG'E.%/Xjh* -gkزC(^B7n炑 `>U|xvF>h=~t|ۜ'g~eR%ٙ} &x=+sD #?w&l'.1*At|Fo-".u/ʘ RaezUBfq/,E c\jiQ2JH,cbR>gBǧΦcg8x)\SR~j\2xF %`ĎnI[l5Aw0UOXؚgƕ,5[L RNCnN]8mjѢTkNGӶҹ~&-"7\9rgo¶YO!G=Zxv=%^ƖAŧ^ǎT >iV hܯPUp!hn?>ހdO0gǴV4wUI yp iGQAȜd1ϩlW&:2bO=[?v*}X" c觇nz;5bz6q53fFػ_];0 R/"ظqU F3g5%ּQ̮OF" H`WxI?ػ6W;^63*>JAƸeT}PPL'͜#plstQfq:BrmVd業&; orN{ɋt :>?P6"@ L]+1Mv*So+Mti>Ԭ kˠDWJX_N_#FBUڶagH7n4:8Ydb8QWf!T:Ցl^U`K 1Gvʶ~xdEȝv-Ƶg+:f4- P|#؜ '5%'d7Eұlg൫tϐ/pԜ7Ą3lP_F$'%GɪNTdd:|V cyNS]]c3 &j.Ն"yaضYy?r"%P!@,kݮ4k#- uc T7:U#o=j olA;-~bxɲ҄}";{PФ"H%ʨ*6DJY!wO`슜;\~|Daa! Fn Ak. Jc\:<&D=X@[m-o^uLv4ŧK\7UA.8F{FÂY` XYCiɊ!JOTYI=Tq((5H7;kRf+*_'F$Љ`~L Y %ĝ)ӮedDA`jfwDe|q&6a6KPk1L :| :C.w7Թ<+(% TZ5e7%H:@ɰFw.9y!BEK y'2VIEk7K)z HlBbuQ -EG 'VTҢu7'#.N.9Ǧ)_7E"K'=K"o,x \?Vc:n gF #s14? ъ_dG"|,uaMf+H;k"@o{bIO**AǧI79c=t"b˹[pG_x:-{{4Zh=UUC"O6[*˵f P}<@WKe?VdpX/7^Epsܧ2cݰ5\v Lݜ B-;P5k5Z,!ƇSd oR8Qqnw%A:71M#4[?0.}K6͌7LcT{ҒWvV=}|*_dMLǘD*nX7Op3- ;H-|SoP.}zۋn mudIѾE 3)*B ;M:q MrAEڲD+B] n &Fd.nhD-RU\+ ;:_`X}8 0c+ &NS\5zc[!\Jn'PLZ293KitM)sdLQ Řb-ie^uYEQ7j)ŢL{ulqp@s_^7jS]HmvMn"1' ,WvA ]yO >DUj#}<º% g@C;%0㋈&s3dӏoaAR=NV0npPS-{M=?82>YK уӜ MLQD B(lЬo;{6'CDoI[_+fWUe/jN֣KTU8d維bM4H$TMrif߿c'k,>yj49jB L4AW+e=V.@-*ry{{:ۮϩjCOg:Aُk8Ϟ :Pf18 BT+<#Ϫwwt9-DhPê352NoTA+ V\ _^fM+j:2[HgM VdDLjxkV?WTM&{4:2$h$I?elK60rēM*S(Q❢GrxfwLO)~tJaҁ5aِr"ti.ہW)I."1Pee!VR9Ľ'PԕLoV"'#a@>&Z|iFJg"(]bN4mjI\p_wLi%W6ώMُP?;y)Gl?cZHT>蔏K{[Pvɂmdܷƻ8:\1ל'Ky \գQ$򈻬 ϓxm &A#C̈́~!FL ئ.~<TҦRHڢEw#PKVK.I#:՘&:A1ሣ3b؀¸c$-@k!FFf]Y(u^y@۾@kWH)%vp9axIKw|h.9'0CII q6g7zZF)v$hAh 'L+əDJʌzzH۔oκƨui5{bc-:jw.IpcӮ\uL BvV mo/}%\a ug.%=̶rTX71WXZBM2n,gXro_{,I{0IlbqJ?r޺|A{m;cmI9%#'>#bDdq>uM^RR桲wWKaS:xVK'i׃a/!K5"~f8aʵv-Q o^by[w*~8Z>en3V?%?;gkUb9S!f@_ۖb| uϳʄ̋|_Y\08Hx`;Doߧp<  h&G k)ӞUIa hݝY=h+ yH6 jUrʡ|_z>;Ud4W *1z7"ɯ!a'/bcLa0+`"|wN͞DFwCSB,6RO>I/xX"IWE'?bsXzw0iBԭTIXyjM\H,*n]=L̛UNi*t-zsJ{ԇyi Uu T-go$ć+߽ɑk.-sFV@146E+KmU/o*<ם K ЏI)Lx|AÊh=wTm5ňkZk{-'Yp!5 RO m^6tJ 5z*4i)r4n%r^T𼈴 d׽|{"{&9e p_sbT;X %oNTZy({[b@=CZreLO%D>In\~!yOK%'@Z:ݣOZ?ym61lit":yGMNCgy( e3:*Q}tW8}/B8F -*%x̿UB gZ88CͦJg.=i죾CU^/|1d)|.JǽA9+,m`7?/4/ N&Ω@= hGR;^Tvp&PvI=zC:@ccܢgW3 ,ZU ײPXIY1c$O w S>jӁv `b?fՄu?v;k.{(=k(")zҵxs7Tҍ>ĵKP'rN49wޝpZxDQ\ZCE#. ĀB r*HWUv_ԿeV>J!H\U5 URJ5j_lCXw1q#V94;?`YwBHIvB-2?Mt(sG5'BtmS\~`^;oqƊk<2Z#tymi4-Z՞t1C#+S|`I[0yȇWhd>ĸ$rdVU\ Ќyq]X R17pXs!9%NeݱYU;uI𱉺+yh;pg {mK65uH& w.hqw-8sW|y۞Dy.׳ (R5-ߺc@rRLlM_JƨLl#`oM~TA7ȍ\o1kYIcwh XGKrv⏘nPe|qSm YtڋʘqlFE+g]_=]EPw2|( ŬZk>rhtӖ+D\w7sEnC~*oRU(^&M4J^ӣdȱ[qaO{#TD9be~%xD*p=oc<5lqdUDɶ)h?N釡6J륎,5Ѳ8v^;$zZ7t3+z.[B-:|L5 \Z)zw[4 >d. (B٬>7$ӚYN6^FZW?$˿BE=2{+l Ь٣G}xgF$uBƟ z#O9i>lͦvcch UшMFd}h_ȧ9YU GL\eJ#ߊ}r:rjc@qyXgM!%D<NPrQ^#C,cPs\IćVkS9IYspI'4ZIO6,Zp[hKOV:h2$fE_oύb橪 L0h+zsЁϜ&2-urb{ї5X^!lH60n8P%BKWB .* +𸃙SwQaX[-xd_O;MĤ1Տ׿d"4Cw󕨽2ZCGF\-4kÙc<w/vVrZ^ҏLvŔ+U$>~.6%IgN (&X[Wa[(X]tr/G^X ٣SCTsMQ%ø*z |hDs)w³>#MET?AR6gu>{Yyoyo# t)~u047'P;AŖzj\]Q/WDx@zP+T㴢\:r^l-XE6>PgSx(U:MQ=)1jۅF6%`J1%vwz12i7z]%}# ffH7gji]RPE7G͗*d %hFّŒH)[ϓrQ8ZFdJw;+چ99Ў}ϗPQ6ny@s5"2d &$Z=MJPo4Lr>ԣYf[/`&DR{Ɗ^P4;1MyYoϛC4>p1R٢nN=H|,%ߜs Eun"T:xsH + Y6z lN$;϶d{Cy PF >}j'? .X+!:*Ŵfζ-{2㐯m}oH\Ȭ>ثDDk+qx@=XhblY Fs3_~ƩjBFwƚuK /D`Z0[KzupFV1>~|h4BfR/.Nr2yڰ)oME(8Exh&!oyR\5bIՈʶjsoN̎4@E"#~=`x%@'Da1ͨ]򽏨epZ:? a1Y]M %ɞZb z Vo{E}y[-ּ_EA^0N8p9KLg N=-fP5! XUȱֳCƈ6̅4R4{(o zδ,!}P@}n[] Cs\'W"XZ'LMSOO`Svҽv$"y|$oڽ6Dx{Գ-~$$j ;T=j@6CKX w΃ODV q &, hI fRjJgx Ya0ͼ'lVVK/jn,]$#1ztYMP8rx|Dј[Bي["_DXO͊`gU(9KRàF3*8bkp`l ےyDf&Lg` 8>85u7*4ٗ,i~ 5zͻ$PZ5Pi0،Q4j^9Xsx2^Bۼm~GJl |չN^D)};Ɔj; L kA^. p6T a)ad#!O]E[AA|P>r=X? /ƹafWjiV%fm?x7&%HnjŹޢ.n s/OWbKh5O`[BfLRoqC[,Sm FΧG{K*XѺ|%{kț(T~!sTŮNp,¡/^e^Eߢ<[:&-kH];w9|z[Nzºγ2qBKLxҲF\JkJ10)(󺻆yKwGse0%Tr-a[eXoqM4Y5bo^]i W=Gr$jqFz"H5Pbxh_o)f gF4G|3&<2s[\ĉ_p{m;MO7pAw oV"svxNhb `Il+mhsF],t}`!췊ϵc..GϊQJ{&SZ2Koa? {cp01L!]fVC`.b$9"|x`$3[}X Xb@lj$ /=Wp* eI>plO>);Oya!>JRԬ=Vj4pŀ޽%W h1ϥ[FaQ,3mx^K#I)bN ɆRV7Zޓ!&&џnH C5ڭ2!)U^P#릥cVHNp2*Vg)Ff0P-+IA|bՍ "شC})+mD.<@-Vvɇ ˊt֯+<%[:%g|vJ2¦v#oq).o&L3Z׮XX1"o^ۃ{F3/ȬYpe~30i1)U[d&__2`Jrclp{e2PۣfM-y͐ ¨ئ|{ 3QwzKf70vhݖۈ˓>iX夢"G66A?=ʎVyFȸAm:0ԷjwU2mcwDH ็DHocKhi[$ԋh(p"p2,@%.k*ݤ 8 :rV^*&4c"O.eCWRtRPݽp ʖRx)p &|XUۊvF {Xy?;Cڋ5g yjs-G$ ;їp5%Ɉ"'B2*ۡ+R5a!Q,`wql*SD8+޴Omj$#wNgCʌ8FŠ0(BTƓrpƄV7t<+mۅ5%ׯ9F¹6C̘GXjj QO '!"?ߤ"hp.!++l32j/vP;K"ex^)w?4l7On/+e?r='@1Y|ι |9|Zk$^ iro@X{g#@ 8U2`3ϯ\C:|VB~;s]aUpݺV@: X<׏#O䙫;|RϺ;"PӪ&^TD5"; RUz׷2^3ثkI$f (1f([ IC6%}eP|?@ $X3HC[X`Mbq" I) f'LVuihrod}7p$v pri^D5DJ=GKI +Ȍ{u4WmWvY1:QY()!Kc*NhcQƕT4d.`{\ c;:Ǚѕ@Z0(k s&%wSVr4 "ު'U}43131y` ՔԊ2$Y?u\ 6BK⍪VEN}.9c?uomFHX%lդD))Mz2k#Q 6\$`v>iWw T ʛyV.v2O *=7H3mqOz^"~~mf-+5H SNj `98k <5YYj!F.̲Q*I?imlQG%Ay׋'iRY9J,I{,`%"4%S85 B' `%+=땦VR٧B>J^"`IXHyxp/PͅһVϰRn(2cɤ(7Ns`RIΩtWփ D"#8n٣ y`ODͦ7t5(rEe׹PR1^P; P:5&ID=fJFEhQ[$]eLs:&ݡ<DX2bٚWZK^UUKCMp'V,`ld| 9FPIu8?$PK5Sy04Qx#>@ V^CzX:е`\Ϧw:٨@d+!zVi) tNQlVXh[)j2=]qNH[<98PTPѧ-BE#D /أxKj{ _/] ڝTE81D6KdDY vRv´%f pp32Û|CI.Xse$yAod8oGCnr+H[R9S*i$g 6nFfCYh7a[kQ2 5OdǗ®֕ Ĺ58}Ǡ9ylm}Q܀wлqtyk KAPԔ`&˝}]Bc}GLL"\7 ._?zR%\zuPnXyCNw_ϵXv 7J347sl'˲]rBŦfr,[^굾/'`$_}X\Ԅ 1R,B{8V(9 }$L'y ǃ!T9vMC y~erU џצVl+XYf`nVXX(F!"5-nOo͒1X]V/%;=Tc@(_p9>[^nh}6-$ 5QEFl㈫}\/"ČJMt%u@pȧ8wbmhCPS7Ce%QL~C..nQQ N1˴@,9{@lElFodcNg;x#|r v݅x#$(#%.ZV++ƢjjT"ݾb4BW ]BTg_:N݄K/aoϾ䙂vk!j]Lp`HW5ʴߙxSΫ99NHW;y*7Kڛ{7!0$}x6H&ڃH^SjL2B^q*,%1(I`ϤJ߬óM h 'GOɜ7wAËZ g9Qt@.L:p̻]jX@e/XHDF} MsU]ӎI?~r"J'[ܛ9:!ØQo)% %x4)#y +Q.A\t5vxb }on<6涣]\ϞRgEJb@;c NɞiBY_ ?e_Kb&jˤ_*';;AVvg6&RهOP@V_+Ul`KcgKm*^, HAuADOE븕 :I)SGzH-&E|XB=Z~&(M0,@^{vڻB&/Ġ9K (6(n(@;.f 2f#EQx",fdiF/P{E#@}Ĉl\MɈFgĕ";gXlnUhI I&7ߠPb]ԛ,oR8?aһ׆'r/@OMFKq;q2Qfuq۟vmJIґi>,@wAAeInmKTx!ߤ~3|4"P 5+,%妑/ 115wT:H[&&FbYzJ&ﬕ^;kJ{YϘ!-1Srl+a)>(IumK/L_IAt&3x5]O>xBap$jZ)CaSb1F~N1w¨Aeݡh x.s>&2!XKQ\0*Er6$#QJ.WmO>jt'P+*?O伻>F^ ޛbhB"hH1avI "̠Sl^& R `&QeybXEic0Vׇ 6* .ZHC\8d%#Bvy <`HYo'WKV ɓ`wIkF"n rr"AM"MA#LuX-^2~SE4,m.1JW3x}- 8WEnW!Vޓ 3JIY2Db%yc-;ҙ r?,Fp=ӌ HaB.? .]fޞWCl//i8n w H(_PrnO H'yP?Pj!k/Ua4&tq SQ@!^co->]/Pjkv*vXIYHq -I Tβ{b!Q1Fmtjp br!.bP]}nr(3<A+<%AW0`tv?뵃_:ƖyDu4O\:5[:FTU@UEIkn9bZӿ`V` Qy?&r)f`c5l~|I,#^6dii0>%GzpTF+$:liI;$c,yt悮Xp,;֭Hz٩\x}.P:0Yx\CJ3 #??ra<8eRh튣u<~P%t~~`U8( /Gl<ݞkl~DmVܱQ|zLsa^]3H)f.Sɡk6^<ћr gȷ tVYbVڟ"?[K m{,_%꽲H!?5mRLBδJLK3l7)Z+Xt)NJ(#`k# gh/ZI@m{6II"H I/ Aۍ5rHRd`ܤ`!<j`͚tI0wk ʧWڍG\zȥeR9s{F!E}tas#p|#o N;W9 #MHO8fjn(n{k>Õ<†bż8zimt4kx(c /*EF2-pk2]&#].!`́\cپ*&kYudR5ϊ[+RN?Us*@-w>N^ ¤KZ X0UƆQ%1we_cSN!&FyG-hδl2cj˧18+ pf898~Lc Umm0LJzf3(LD\-Jƒ&!:5f"DoqgvZBE!Nklʪ˔H~~!s /Гi(/uE(ʅTwlm!ksȖ%W+DY{zGod.he}"dU"r,<d?.֋LF'# Ľb6Qc F.5DzݺxMB<_@Spp! /IMb%pÍ KObo"?祚ԳS+{v1XOd+b~^oK )Z q?3xY4,hSnŪ_@Ylv3[)mJNGEJce-~>@J[`c> lf/uAe5'#s)CLw=9clZ4+*l?-45n^{Wt0s㹁4wu> f1lΡ4]^%rCzרac ׶4ţo ~^zU I)ߐ`,{/ }YcTUF4/9mEN1t) ˥祕4N3X+g}eϼV+yaIj,Y)]fpV }|FV]D@X;IXGtfm]a|sS. MEϪ";_ Nk׈ n?ȏOwIQ7 ~LcbBS.\!o2΅nv1{?T~udǝLljmP0 0uZ.'7Ec|TVŐLOI`(C 53qJg/.3琋{1W;u1&5$)dR;ͷ0uVhA#-W5oͩd[a"Dt+m*ӬZfw 9JXS4^DBMk<۳˓H]6XjX G^uQ:DHmE }7qł(v+Ha)<ލsѵR9|y5B%`0%8Ymkgl1&~9s<6h41u7q0xK=mC]ɢɬֵ"b.kG dTG;#+4SMچ Я>/OoQ.i1mc ؝T⨚Sv#^׽Jֵ orFb./6e%X=adU ՏN ^ϻhzwb0+pGO[l'R(w`SK"Ra |9#ࡕdQB<# %⹠dKT!+3cjH5~2"AjWVr(||,WcCS]+U!ު9r>>k wFFѨ,xbMVrhK ј†}_$y)To}0Aڇ ~nSoEh<5 Vy4< ,\W"9;iܔ\\4eZ0^4 0kka~$&1_ebs۱)y(?*i0Vxe-E~J3܏y9QIFc o5_Jh3LM;c~b- 3qpvo򮙓pi/mev5pxI8x-N ف D$C jDh$CLΫY}rkkQ#mM'' JcZ~у4I7GDyr}5,T)'!}rI$Xm6dNfXV`OrNsm\ڇYn7RRe0+ڗuo W2ڷ4VZ1!ze3k ǥi(GCr\_D$@ۿ<=P'ҟ¯:^iRk(lE^{KܝP"i1d8 .=;R)H&kneסa[m\/ =R_L?':#e'NYtL)ܙFoV gW;LPk) `Z 4K|@4g%d5gD֢K>)-{_+b} a]R6-W{jsސRK74ݭeOP-ՐQER˟(odC±YK+n^LUpͦu~qNA&>ʣKAEWA-RBa ImDxZC;5A>80YZ3oe2竊:K)D ɸTնR)~G|cXIL똪^^Wa%hk|0!0:/ }3_I#b\ n fFg5o\`4Ǝ lOb|_RL 8z9Tc[)yAF9>A=KFEV\$,p#7GF>Y4J|9%0 hLhz y"Lsȅ, Aۗߑ͋ q<@ Ml7Q4)Nھ1yŽ`C샶\@*aZAX>m*Y;8|.C} z K'|8 oR:ߨӕHwsS~+@nUPI‡b(}2y\;1XR*tChפ n@JW$U@z;WA,e f"pxJげi:; "[tڲ:bu 6ꔳ"=~|EwoVYMp䬓݅0R#] NRq%OZ8\ 5JX`4'NJ53G"hmϣ%`G.O+xu7 =Go#42xF3p+X@yfgtowWzSK"{oxuz~^ ར7y;-\X8_l`3KJ!\qgT=/!6#GR@ 0k= ~+ɇ\}aL䆦-T{,5ߙAW;[KP-BRK }tpqm]K9.n9v!-o apZQÔH**q(y[sK=u^T^y9 z* Ph?AIJ!Z- O˥ˇvrTK\Yr eEa39ƝuC)BȖ ~ b o0_-#1g(~_Jg)ƃ)A"l%Y}~p Dx|hYPoNt Qޥs,4=_0*ms=7[cgV?+Na u |k(ªKԊn_j?1.~v kclɈnv;njA0v=|]5w~| {|G#Cj;i6 &Ih`) !j鴧*@bR#Ѭ 3*jW3i)¥s[v~$e{ưAa[gIx.>87P)OҤ4Fmvm to~T"N=.Nz*03ͼ͐[JgɎNO`7Cį0sI[H<yhޚ\_ߍӖ<ժ_ XQP ^b`@bj̷pʯ;O۶8s:ax V|=?9;ޕ(pSs@${;ĥ=g%ۓT;^il8CfNJ)i/}H:=ǹ7'euB8[Hg_vr8`5ؾ-o HlieByIv%JMSjO0H6ƪ[}K+6;J%>]vDCQQaE^M?ŚvmXf.Ԑwev7 9idM[QSVFef(x 7˶[3~}dwM JX4,YzQ#UƣE}EO P.Nqcw紟̒9Qx_Sx:G&>8D;>["sueΞ ͘1faCZ3B:{:Ǧ+;kًӞu{>N3 j %cXyc϶ Mc=φSXrsc݊1hSLp"R{ENm9(l R&ko>}k0s8xJvښݡ?OzjdGy`4ϸQ؊%YCC$?҄t֗)?>AH1>K#f4S`U5-wDvG ِ!}v/N1R{6Zb~-wz.щ0ZuȪ.Z͐2;D[[WE[>k/ qB0 ym-d=O:'RMH\vת`'i,-1N ORxvѣI@t2&vOjH'C:kpaHK鹋ˏ$(ʱmbPN.7G(5{/P/?k~xaS}~H|N $=QZzLMG>G4*-z!a${Gi_Q^+/;uĪd޴*l-c%`xUϹ{ឰ 9k(14eHIP}T\qbz/LC8s۽4NE9{9ň jJFBfdWb%Z@JV6y5ka-sw̛2ssI'. $g׾ſU}TBkpήa\TE3 nz7ٴM@AZ`FA3+i)~c׎j嫅VOŭ\:3r "c'[,Ib@F|Ҋ&7zX%_UKD#>983̄SS(oeQv5 +j_D[}RL:ؘ c_a`.l'f7X(7. HѵY^EG+o$LPACy(6-KY0l; <\ȟ>X)V͉kJE& ;䗪u9aTȸ!0U!u{&)F9x{s9=ʜHi=Uyx2S-^j zH<l=HQ8#| qj UXbCLK0C4Y@Y|* j{ @{t>|:Ԙa 9̵i,Tʽɪ,OڡbKڿzV?LrK Т3&~>Q6w7/Z\M]?1{_(-n8H79 y4ɼ6aӁbgfAu+G/Sڠ[hӣ"N%MRtEʔBX Fx`Qck8RaeO;`0,@6Mi;U#!{'~Vtg A0dRgEYbpqܠ=eKCufӠuU®\rd7mZ`/cCB{caN\ٖ@X?㫮_ .Өp?'p'V%Jr.|7L+UZ.g [q 3DI̬:PvB`5![v']QD̅?0đy[N5NѲĩ4`e\n{hl32Vޡ*B=2JҌ*Qr;Gl[ Y&#*%%35z*bskDP:Ƌzh n#͹;fS*H'Ohr zvؗKlBڅ9I]LV'g$*kٜ8qH.YuJɡ&^אxpsTgx3kVa1;q2 >BȂ(#L8NJc D_wQ¯/|B"3KY2n3מ966$7@֨d-HZ^JP$fߪG,LaEӿZȑz(ծ5>X}QXs6x1t)Dq|vzDq+{72:MW>K>=b'-T9RxflbZ.4yU}/1L#]eP"&}uiwha r\8n# 9KƯOEM} rjgF0^( j;$A Lp<; {V1"XMr=Ǚ0 kLhC,88<l3^F| ,4$|oT7L)AUF8S:e?1Q O$+96]Dƌ;b_GY^8Si^PcLJ U4T\SI* ϾQcl(HAdfT͘J~+\v=)Ol._>t({{C}ŽENg7H\r d~9o? aKڞut^fn^ gF} EH5@F%MQJڈz_h$r^ХH8ñqjĜ}Wmߜ:ƶPIu9|FSqjtj( ZbtDx~dw#⸪&bѭܒ]TU_娵=H{Tll ?VMPE, k[>]5*ȑ]C3!E|026H[:*xq?*o㈉Gl@݃L9BLc090$h?-CWqznE@҅]m7BW$M\0JjI"b퇩`+4b;g-6C2s&FRyJuݳ+</M6 |u鐙p4Lj;I8bw';wrHIpS.,HDS.@J-sN/aN9#c(3)rRqpP/i8Kp/*U96IHbBw]%/ոYDj4^X\RdZՅcPF%wRd>kCc^tG}_1 "BfGx'_k =\}WâȈp:ݜr!I2iaajבM` D~F-Uq? /F>g} r7q;> 2'Bڟn*Fu^UIK*B5AޮZrC}ܼi%GYHOn=+sVwCa[.;d[ͷSrxlb{KD}MXP#+y_kݠ ?#ܳ<'14{?9Yvf ڹi9Yh8əYJ|DF+V%ڸ4-=h4$JL7ihX0T {p&Ҳfx!"܇"6ʃDc) |x69.3Gl/X.nqKX;id2h\=!fqߞ ٞTޣОk>A|D؍V2"T?z ùX Oix?)&B#LF7Ddyԟa޸ gG`DT~d!w)Gq%uԻť]Rg_3J4ByT{41}~/ȁvRf_Q$:UmϢ@Q='~+ 1e!b\SPWU3 ӵxR Ebb9vtyq 1P[c,}w& W,ᤅE>LޜՂY+P_HqiEG~zRiqķܳxCL\ !M~ДoW۔G~J@Ne,W$UH`Җ;%{k~5&S;2/I^J8A($?O*M~?G%L[2Ԡ 4灷b-i[j"-9eU\Y,oR,[7~\e IZP!Sĕ{l+]( {?OzCpS 1H8ݎ_JOhp>AkRTQ- QԤX2|zsU3u+Ւ;) 3_vE.H޸nJ2H f ҰJ^`hIH7.`UU8opG2MuWkܳo8RhN wQdh_آGd1rV.CX%稀 OC9DAl9gJPDufw4:@w0TW ԩaT%b ߫E{ƞ)3IkD_˱6x3KkXk.Wu WI.ڲDpTQgqBͻJ!ccq;xӋ< ?d QzI۱ md!Kc؝31UXqצc\OaiPvآjsz>;vQz(?Z&V&^Pmr7SG7Q]ܔ*8!e.c*t+]TTm[`SR{Ep»1 nm*:D}rzvCJaY˶ұ4aʰڳ#\tƸ6qr5QZ2ufu+qI6C3 )~ BIMqhz7 M _u)eA%A0uPi^j~H2bΠ怼AݵJW*[d;)Λo_yj7 KD|$KCjvZ%=s9Ѩr̮Ȑ)w@S]q|%_f W9MAhcy[(>#7hjrCt񘌤ŽIx9jTBю$ze|JeyhƈVUW5%~7U̶[ͮyk O!nU<;35]:,۱um+K`|,+$"L9H<]8m-?AFk52 iT}mY[[ʛa 3Qz6uyZl5 edP{^*Е)L*#2nŹsWRFIs~{KGthl]( a\9AP?[Ve97[\N`+7KϮ4GқcwEzP _=(KOϥ^BURrglw3#\_RIO_ lL^O&}X+nMgGβCx׿Qapat!!IZ:"zl,p+:"t\r sf@SXmO WN-eB@ aύv9GH.Q8:B=]QNBHT[-lf thjSyzYTHz

BM3 n @"6xiEE`+!X*T&Zj/k\g.mc E".RlMjpMY]'^)WI_o8 4z[~8142ܞnƝIJ"5%SR<P^ ]B #B}S<+/$}ԡ^[āFk'ewԨ20~ĭe-֚=*晩cNzm5:XC>-;b{ jPWdfj(#kсMCaq.Nڳ5ڥN+ v+6s$ &V.1LA/\?QՑ̘82ΗبUÎ@- ɿOAηI. Z&4t\M' =xYrk]ťjn!8bB0{XuLFM ){<9(y"5bԍ䘩_H/+Il FVұdLҮ""}n!`hDvb;G(-Ph :}'8}.}#oEN3Ť\^~H1(f[T$"7(!O&P&0-ʦ@h*&iV! ^Iro b4蘸48<c~ vOy~)6)7 H9p|h+O qX8VI5YZN=5ͺZ:"5i&ͭ;Zχ%B. lm}o_cCӸ9EA]@/Kڅ; H$*ɱ:,Ӡ}y+˖}}XD^bhuDQug).|fΗaKq*% r."1bܘAPKBH_>~#-Lw)NUIҤF,;dI78zl4fs;u[Uޭ%rmP쬝yI'jݲ \TE΅=^tV6`U ^Ő A #\T?-M`:(;Rdi@U/Uy%-Ne,'(6ޙѸ.&D]}t'ot\Ssx@~ ^Aw8U PJ>%EbQV&Z (yU1wXe֑݆ K}oĕOl穴*43p a"̵P{Շ) |vZN7 |]c(Lyg씣f-vXN+KS LA@Zt~?5 "5ka'S7`-'HPN! 8³|q"|]nOyaVjJX/-` D7k 6T8j6p36E!T.٢(#DDh!=BiǬqo\H'Y!"k}vFU[dv)FBG5Ԅ<+,W/܇9"i|h]6}Cx!0e[ GE0;7, :8E?JIAEAݟ?m45;+XT8!F=4%N:~ &h)..O2鮷P=KʛlTv$;פҠ+ɻ# (=JN0NH'i;RԸW>ud ^DBۭ>Z\(Il_-SZ q݋禆7+mf6Ye_Dضdh1ЬMJKJCxtRG<=D`o[$C EjdAu3i>e;A w LbX~GIg<>kĝ}) Y`!d A/ls)4W&(lg'X%Q^Ta?B8_* du-ʍ4&%FL<ڳ"IX#rSI\E67猽P/SmNXk4>&ulNԃ$؎rrlR/!0+ww{ .p]EaV2WCB3mG7:Ts/*$:} m2sOOտI:7(\z5 _ tӅFa/IݺkQz2"=`#zGހEmlZ,R>Y VA Cg5 2rd$xf!&z;ǥf3h0J{ ?L"a/eZyUtbV_l쁋L4R/xv>#0gv1 o館VSKp5ڲNe)La4F%̢$5C8I2iO~1"A l*# 3,߶]v+qڢp!gla>Mo@B20>- rAIKn Y[wp>̧s)UJiZY񶫿AʱbX$3mg mTՐJ C# }͋+K$wT r ETy U!G^F`,@"^e˼B(hn>B߫׭L JI^|r|lnM'3%AsYqZ߮֝Yշn|K놽m |?"#KJ~ESSX"wގp~'~~*$QNipt82N=Zy}%bq7/ly-aӫVE"̘6t׆M\.TmU/l7j Gai )1 i`ucK5gx^&)A[Y}CRX hu֞!|xz&e.YV#iP4b@*.'wʓY(% Nůx)Kʹ߯EO cY5]K 砀{_ۢ*/a 本4S6Kx ǖ)r V!O mb-gm[J%ìofvx2~O܋@6\hm@ΩbM)'C*oR EQ8r*F}(A& _[mT&<'գ×b}=6&A:LF)kggOyBRvF-tw.xSR 󬪈ܒ~eP犼kG 5yN+FP/ b+U]Z#+Ӧ-i`V m׮9j-*.~6;whS lu-0qya $-ն4:1 3Aeo>k^jk:IATk86G?uxGc8,5 լ2!tQ)چĉńnrh\c3/^ux~4s9D0Ӯm=(|%nLWK `D5,-L\ :E/r}:玫B3H:b0vLjI :"Zb"ܜ4߷'bΊ+k?җ OzAd<8E?˶8gJqуheoH4>@*XPt]]Nf_) .CXpq狼X.a/XT.1QY*L3tUW\-wR}yn Yl.LLmcj ^O`]$s_un#Ϙ;sCȎtHF2tT RПʤsδԄŅ"uji=1^H8"%@ 'a,~u/pu8iF(rt@QI+{)<>$qaU+bw+X(eЈ 'h0V;ws$hGLB Ó`ybquˊBD=WdEk/׉7F* tH? v$TGe`=PJժ& `"-cT#R-pvx7Ft -O(q7-z;)2JYXAJ^L@%D4Ş] l1^pdOS9[ Ͽ&7i| #՜, Tk qL6yV?]!^;it- 3ݩdIJfhz_{BHVAo(spҐλنaO"=0Qx-,-j7kIyWO]iMT`8S2xWUUtT=JP[}myۨo_26- Yt'l?] ??CP* ﴶUv `uMl (-ȷ\! ئ`}3Qm€,Un;#+d*Ȯ#1ͫ&vjfp Qe;!@'+~E&JBhi Tˈ0+PcW-k=@q2B9qH:#h 6BrIz['N E3RAXE0ׯ)ReE3Ԗbsu\4a `;T=3YmX=L#Enj5@@:P3;l\%cls$+VB㡘.3k]}g~NzQW;kku@//J2ev4$M Tm/F["bNcoHG=;c` ?m?tg>+i\?3k5&Y֝;̵O^ Ȱ)*8`;Y/- >ϽFE)K*yvW0 9/c'ݿ} wL>twE!0cT ?m%YtWv'br@71mNv[f?L Y|X/FleZĔ ƅ愪memM,6ˬgF0ݍPTQ mVBjWeB,z7e_\IWKF.Bnd 7me#Ndh}}ѕ8yG)ݢ%89HR?$gӑe>]%.=Z͵h&QMAr`"!ZxeI%FQc,iE 7,j7ӡ;(:px.n6KR~U!VNr˳Va2Tch(bZX 3[ψ54]!~ )B4n/mX8 K.n}_-9^r,[ZSV`0l"q 6)ERׯpSΦ_3`1a"#KA=+6bzRڊ"y[[mӵ~!)4%oǫ {^ f!+2_qyЏ/fu`Mҟ~mdtau\-#E{͝e?MaU95Ie (8 mAnB2?XN->ɶ}2MM# B.\as/Z'|L3f|Yj5,b)[P13BHz}&RLC|J^w ͺY1i .UEcÓ%Q&z᳴Z'2_ЏD:ݞr/T^'2P :*~CWT%`<^ #|E‚Wm(nt9 3Oә`3D>VGnGݿFH>OXQ@lv׫H္Ǧ: [a]Dk='ZET5_p\N|X᤬A "riX{E_/1&1 !*?b#魲\Sϝ9^3HGx)eDy.  d3FR [WPf`Ƨ,J/wf)Si;C;lrU'~<Ё o$|ѹifI>A^)Kؙ-CZN1Q2 eߦ1y'Xsb\"wk4Pbc%u.,I؛P`,czeQg<"Jщ{qŋ06A_&i mQ5`$m0Ķ&GEÓʩvqJ~uHPʿdyQmE:fW MAC嚐.Y`/UD5qٰ\ ;OSQ//ˤr@0'( hVFjt:LU4>MzҬM\"{D5`fE:Wּ/6SԜkXi6>Hݔ|WT -|C|wLzFiV-`qPƄdg}{C|F}VvN ,)`Կ1H%6j#f}O&)ׇ(X2 aR̅6ILcHnU8`c ױ|7d",u@&Tj)z:loy@_>f0xFT^qLxZv?~)>l) VFdλ ș$a@u9Qcɀ; `1q2~@{5TS 6IeF:nr6؅g{ۃy=E@U!mYldI}6H\L=;H;f{f(?780\dJ&{i 3jwxb(21='TT)<4ijc>u&*fOwre4U`껜~Ј٥7!N2 m`t=m<_wb|P>-|!fy,/M.f͘Bk0r7+V؝v5*][Xmpf|`ƩϪm'}"Ee1yfL'3ȧoOJ6([y9lY$,T<uQ`N8 Tvw;sErk`qCv4x5xrZq52O]ix-:.3u։'}~;˓o]Ҟ0lVǞDaF}3qD'oSLYK(c5|^Oazs <U>MrPj%6QMdc%|.fq^Fď`G(V퐤̱K/Jlm)J s&ᙵ.ct+m[el8ԄtXmxevdϗ$0H$4VԆ<8clf~IY}.Qlk;!3gPĴwKGI[J"? .5U씜/(B\Q"]Hs-<:^Z?/"ǧӨYkMJ5EtP~H"CھEߒPymHBL犕X(r_5j_ !`Oe:NӡjsOGW9HITJ;T~'.~ Q(N$q=F+Y'$yǰ 9>X9a7e?k@Nw#xfSG6c\Mop`n:*oo߉^l[ӂ': 2i; Sv[A{ړOI~,CZ!|a *(KqX]FsHp$<-JKK\Dž{G^XzY(f* ߐ!@ߥHaPCeD͜}gF`Us9#Ie nVܗZ i6P| |'-ZpD{T#8FQgLu)^!*6qdy-F#7\A2k)Aұ&5l %.y;6MwQC\0 b̀EIT|s+4kI/Z):(@Qb9ENQ:kMfiʹaP3scxD,b3n5 Ŏ+`o>PX轿 kмI%o[Ǫ4=qS.P1tCc>DZVy9G‡P+?R423gYM+5c${m-Bf^bۍ" ~.p 2@jJ o=2c vux)c.vI&1GR1sC3mޔ>K}TS1@[HmG.ǠuC:_܌]-}Bk!nl^uk}ɕc%3>dwH^d-O)!xw8 DWG#1UOT=fm8bZJ sp ДSK~Uwݾ% `?V rX'e;XɆ{اb/gBrg0鈊A,5-If AV>7-Y"]= qAbFbl[Z1~D$Gi hnWy*Gkt;D]=sȘ*D!0 N&⮱h/](vX+/& ފ}dަƟmpX俹_vmxTgUp%< 0 Bp hj 2͖Ǥ ޶FP) U{w7i)e k ն!S=Pʨ"OR*@ϳeu(0nP9oI6͓p "`gGWtd-oqs}?!)3JIeۤsv18P0HC.cqa7 XtPS*&pʩLHޘ"_l߁eޏ|rJ #K|6>s {਩Kr bXptEH@$ՌȁBv b>4gܘMV>I2H c @ԈE4GM#`5#mFv[oIg-{#Zi>i8W_rHB Fl\AV0*P/gy4GlΞTyՂ>Ri6C1;{WVUv0Դe4RZzBD4'?I,AG羚IEHe/ GYMZ7{W‹FZ &wӆL j1u(PNEVܐ]#c&d0A `g'ʘn1x}BE{nؤ&K.C4oWAu/wWDJw(_>M|<ƹ6(&Y1+Cٲ= c/˵MJ⟱i#.{RS/քT@qRY!R{[ m~]W.=XAX:0;A_8Q@X{Y黉N2UA)tsX#vYԐj E/Y=^_GV%wbС^r.#3>?joFr[8pE:65!^:Lokf|(VYJ(HmpJClD+=$3s%"+/_Y Ep$4rs\/ rI`oDC=&Q#D,0@wL*ss$GuϵQ6j_ɫzFYT+{0Hx:!~دQPO@l#œ6p Jz*B*(z&yNɬ6܇}՜Jv !eRzyW"JIٙM5OzV(8X@&dala"{gxߏDy?v>?5똝/2g7ݗoM9=kҮNm`I@I (R~\=6;6 ;7:YnZW3]zrm.iˁ"uk'To Ic>QCtUbe,2,EUȝi2@|&`6Vn BL>_8:-vO9yҝC,<ڷD_X?l0RBv&է7/rc Nq#0 7ʥɌd1L"\ω^RSMsUID%,&DՂ"ۓYb/Z]}w}QPQ2;PZFml.SHkh9T~H%dUP9?dPKGxpL,`>TW=B›JmK W˩#3XoCxp݅lW(~m#::*B(Aڙk)=f4fJrS^C rkd[Qڔ;HNgu9?#p&+4gnzzy'mY xK-WB/I!K(N,77b AF1LYw'9zt3ЄV6%F͑|bQm=̙n{|\,h'PRs[C1AY''lYP@ rNe8ziQbFR;AplO3'\oV(T)`;L"QRU*prD r=Q4V> !HwG2q%7P-5tk.fW2\B5%@& 0#-A)P!f9F' [b݈bʳ/xy^2A?oy.brqf4IL~:ۨH̀szFsw'$G?xtZ!݈"2iM[ޭ~W55܀fbQlexHkT<0K[j :U14ޣUI]|窜 ,s# e,WH'1u(Dj!#dq,\fsMK J]ݶWeNo0 Ģ^P흽.9ҥMݓSSv߉ qʣZ1 >" Ƴ@ -J#ݲWmC È#эx|! zPUe 떮exXʪN1P-eX#`^m:jA"G#]vN"[n?3ARP^Eȿƿ{',cf o1l.Ÿ?1 WU/sܩ.KT?T qW;]hEߕ4f@zO|ipTfgߣrjqߚwwgχl`ĿxS$PAtkv4y/bW5 Td&Z &!9P %^s˓J `6C<#dW9+o-NaMDP@ֿB 92Lm=UY;Nf;y'r='WH kp?ҽ˦WiX40#hTmaC nrKiȵ t+mN((0P0m^B)r{V }(,ٕoŁ;+IC0 /&d QϜݰY,F1/ DjlB![B*;i[/͌:Xg,?M00$eNhd(}}5anc`Ų)ihV~De2 )d6󹱕p[0x-~&ɽ|bQM?xsi&3_w9g "P`CZeY %yB0IWgInP-pj# Tc$ s\pns7S' (Q =#-T LJO j7Dqm+h!lgkqk#qY5Mv(M)+ !"k?X” Ah9IhX0^~'ߺd|Z5{0nl\Msgi!!-s> Hs]LOuXoi։ UX=ǫW/v4J',\L9)o!c2 ϕS9~ltO$Kk)F |L9kf4훵%]%!ĺ~A;J .F(T(efhMR,xCKɡ e}yBGk 46+FDMAC?ʼlt>TOe)uU}V; ?RPndCAy<#⢦uZGF˨z(vvۗQ"KdSh47./mgu{byU@}TA)d!ώaYW'H=v^<[Wz]2J{KI.!ՆɬjիkTdorQR/ ^J~^l󓳁Fnp{!a>9N:i}N4b`T> tgŭh`nh*t~H eX&7cXr✼)>ك8*ҝ'=\60+ *t"mFj:p8/(,v~8}q 劎y-J9x܆x߈<$"&@? 7nplcZ>.FE`u&`S~Syy|p0ÞMoqm7F8k&`hAL艭oAo̮Ywn-HژץRhq$Gބć__Yz/9JUj]l_ 7v%uPm Kì@RH!_:ᮘ)#~2P6nMTvxfP4GE)Wr`}lƖ=]~8e pf6an刺TlwQۚJڝWp">K$,jo7 u\t .'aH Z= #_/WbO2;m rMeRh\^[K>Ti=V W1m]F9V4˫@!&F@@6zc_x I^ZfDH2q#:A;$o=Aa;BZF=@aj*HCƢg1c =xtdlZKaM YKZK/bg;71|Y$=PfQ*M<6umcSoA+騩}h'x %f) $ Y19r[t5l/kf !QS^yU ?ubO~E %(̰"pmUvd0b؃˻{' {v&50F%nen| K!5!PpRC2`ek]XM2F*6ۥ#i+k)*RkX &1K4ۅ>E͖Q8[iOfa E@69,8梃hY8xIUSz<&_w{q-<-V'^j+Bl(DJƣZ53iADnSfEFd>imӇk`Uw8])] !{7Zv0vws.\*37T #T@Y'-!/V{wLUyKOKn'0\ NQSʸL$b.rŧ`#s݉I$SK޽4)aXФ_z V)j'M|>> i$ o^0y9iS>toDwxt rnòC]'P= ;=^xRϊN/NZOB#;ΥZ.-*ͅK &z,H(\xތ%@~T^($oeĖ~o˰.ePemH=yY3Dz{%c#FVMOIk$=tOwwkq6%ߌ'{/:nn1??@~`ȋ@weda1BY߫Y_%jpLjy͵3%‚6/ #iPjӨˊ4*%ΒǺ!G"s=,+Nispc^USx|Xp{:!7)Wj&^rQ$$@{hZK#"p^SFBۥiW8яZ#&#]P5ol\ƬG> V %ґN &Z-VO0\.S@QX]a`aRjZ! q`R/quߟ1T{nhkRʀ\Th@@'iJndsط@,QǕ{X짷~4l^ˎ>>T83;mCTAsry2۴mz(@6wpMӰ5Xqs0hUjJ <Ճ%c1$-j%p e‡O1g3t[Ukb%՛84}1z8j J|_f?5Wɓʾ2yjXC#"z+x`ȥb؊g&w+y{C)d{-$x+b0{+dsdzA**q"-U}[!4t#Q@AL\hyJtڃrWsCMS2G]% R˨}h @AmScWs0 a%3Yq7$y4K{Ky [C.fI͝PQMYP}jBg.\tAIL-$ g!8? (+j-h~_U镾|ּc|β}{k/꘻de&>UbyXAkJ%$1yY\'V^؂~&+c.dl͗~/!]5/oITdcF@+hZ.7O\׹'7? 7cyW& H4^Oa$p^2'MqGXijIIG%п§U9d^УՏIxЀvhl Z($n*3yݲIs)t$6pJeLy e9 bk=ԅ c:sUg|'e`'K58=ުGN[P?ii-]?s$p7,^f[(Fph^ДOYx&] 09>#uI4k8<;s3l*'h#Urj柘}w-zFCV;-M(ru9WfDQMByCt7xC2L7T.IUJZ}&k>.#*qV#(o^+&jD늎:TAf^7!^@ \𞰝sbP Y|_ Y>ROhȃl p( Y@QH^A1:J%*Ql< Ns=pUu< (_ _ x]ΘMb') q{-£P^r1㌭t ?5~1S)%KK 7A{ݳ㒬18l OoVS&Ѫ7 6]3.%d (䳶Tΰ  #V9P3e]u]~t9upY1]{>< 4emݾrclj V(*y0k' @:R]T CR/\ʖz:3+tD8.R(Aii~፣/JP.QA:o*0W-xṘCޭ4+G%NkT'!Ce@ Upq[$m}&3 $Ӝ~aփ` $`6S?5qX*ui;ZE&0L@W5W8XjIEX=<OS=i$ JkfwkX1+_ycAЇ`?ZʮB@J=XlwA vDv?xf]^=)Kt!-}:!Z}R'LMa$̂:P<˒Arv{n!8o[@Ds}`8[7&Wd1me%L ._yiFNbF{'^RóYƿG|Sƺ QbK Mi%bؔ8XIa7DٛA8o}-ki22Cr4`[lMJԩŖPϓS撂_O+c_VYO6J{qU!̑8v ?EQ*'`J=:o~Pr05~KJ˙~H?6*8N&*r ZX)UvvK[آKEa%ô~ 2iߵ-M#82+cF¸~ͽIiD g'c1A[0dLm#,*("RLޜpz+Z y+Cә Wl[ESD䡶ot0AW_l `d;- ɘ9浇Liutԕog kK&.ҢM/a~(?V^lAViL~p TjwGS){Ǜeo !,Ϲ]QtU(+ooXr (9YG~ÈK]9b.oLr`O7ě^ ]؈/>P|ɄQ{|7SGBSm7G}k>q&D` n"ס/#لd`v_;';{ Eәg㝤.2M SDPrn . #U![Ѻ_`:kM)" %b"!}~1 akhT"W;ܩdm'< _s8qTĘ– n_+$9X~8Y I}J~RB 7oGDqФN_FObŸ06}%=D(Dg@]L2o9Uz$,~%ۛP yC.jDg3C]|9d}&$ EmB1_!31>\=J,ծ}ՃhMoMib7O!(Zh9xIJ&rT$^G\ FGOArü'R8ɥSR@RhP<=p > k[i5u$` x: ơi^(3|)+d+HAP dP0}RU#RRf3՗AQ+ .ގڵ `u8,O-5jDɵe O`Bw$e+5\x67cf6M6\DF'Mz7v,riP?6ƈtiID"{'wd-W`<7iߥ2,@!ًuPB~8TBJ(.#{34^ TlvauTwTy `Q _K{n<: D*3lN0+5Y$AٯL]5B^_MĘWDc̢Rpb@Ñ ~7هw@NFcIcx( OxLa1p%<Ȫ^]=o,U'KMyNfbcѿEcfojBƄ~S v6.,HmS.0S,T֘>X1zw]T :2IH=~ѰzzFdx2ZT#i+ 6SCʩQ Zѹ?r8;8LՅMיRa׿4ĵbo_O\UH(䷽1-d5c?Q貊e Z?_0,Ì8\E"mUZ_f ! tLj$%*RSuK`iR aNjly%={' >o''B3o=TZ0xjkl2Ɲu$G!d!O\s}Ȯ CvU-u2Ic>M\w)l&ԅ^ H2{AQ Uw+Y;e1KII8*Y.{~ֆg 2}xtHB<h&N0vB!_qpxV@|.47!zAmy(?n0p0!}G׭aQivFb/~Uynp}3P%"a\cɁl!,Nߋ|-D@TDYV@kE8 tUth.ƌRl]'ݢkShK G/V6BTC&\L0 ?1&uf(,MJ쿋Fu-[,F` u12¦J56M] E7a"8/9~ P~m$q,?А>V1; R]G J=೙P 5W$!Ks@y2 ]+Iweҹ ߲t i"у^8CgK_pgrm6c# |}޽:68niP'Tmj!+ T~ 2 ÛϹy=|w !V!7k 0fwqȚ#+Ggz?9{78 o"P#7RgJne]۫'J{U^I$y2Vm!$f,D{q#H/Բ7H\I+:1W_Q?3hՃ+_~ۈtIoH B!sl o2zoٞ+BCO-R ‡!>rmd3 ~~Zdx yY3S\NF_kVa[VG) 9d~*rY'|3&&H!#\B9Vl8=ˊBYtQnhvl$v&a@{@ lq_.e aọJZ1jeeQLqM H7cZVgT!-qFVd| MNȓnQnX6s|j}%Tw-d2ø@@a QcpG. ܬE5I4+:vx0/pn z'uKS^Pˏx(7C/߱9]b;e{Bll,q.^oZx!FF ^WLsy'󻅊FU,^|E !SKH)(HrJɹ/.>jnV4=J"!_xQ>ݶ5H\|瞒׸{gt<4^/EltJ13JZ"Ȇx[%Y4QHFQ~d!WL s6M-GwBDCTqvE^p=Yu3/Kt١do<3' `p.gcHeb*TsCNӟ:~ANT Nz$NM빵=t !%cISC?Gn*`/ W g'4wO"e%/dntŢc=?~ћWH-ճK`:dm<]p2R9ZKGsݣQwpag" ~|_1\X$r5,D"7-JH46|Mj W5vdG+ich *Ib@toFV lY'; rS~tȌ#@P5)l UM; ഼#xkP+\,זXVB<*k)A# tw1qqMgnv)m &\=cdOXavf[KbɟaMD(XT;ǤK܃ٚ* =Ap0sR>| K 5wcrj3E0*kP[/oS ϴDv̨.ԪƆ@k a-?4ϲlHF9[^@ H[,>B@9D.΃` ˨:VqO>6Gx1OyW.qvEPKQiKcrKEV\%CZ+\ey.hg;dD=>#v5P8 $^K0̫DC!DX?ـT?>ȠZï0={_;ֺlzK7M/ʫq*92z|@-EB!JvjC(8$=:dkmA-FH+wMn$w5UF>M%0hoRoV\ImeDIf@쇀>ʬCwY AEwGsgQ.zU/7CN 6e7Ewi)F`>2l~Y8!#5;μ%w}zri:|&1lV+S,q,{2Il~LJZj`q'?[jFGMիՔ9ڞswth}g.+D8,oلO 3c=5b?mI6b6ԜR5DoVpDgFr~ fE'w&I-069M.#c:tr,m)0#GxP,dBE&h1d3X"̛5dZ27'Q{\%|rUi T j ̎GL$5t"ld^JtlPn|>hAjpbs#Q-c(vF29_`,sTa&P 7y!IBς( Rd͘D:鯧ƚk߀Sp{g/\ڵҍ {4$Zқ @ Mé4Ϙ"Ǭ>^vYst)Iy'f6Ou :FCZ#n&D7͗1{@06b$ZKs(A0J"_qK2$ WKHR+>yx5'k'l@`B$uqT ٳkv^؊)B$>ۍbiH2iǿE 첬ӹ_NjQvza8e$[;C%\f  M;sD. O-]+s {d%k,О}>-Na^^W@3 3Cn#6edPNz ڂ`JOb><<tzJEʞf#`e8/>Ej܉MqE:"F,nPc٠isW*{ia"eM"QIbdtW$elE.n(N6ڟ#XZTNyIc ?fu"ߓf^JHK\JKj'5a4&G%y6F p-Q(4yH'rȚB3i;rYTHx@) TjϏ=]d^W4)T]f0{"\Gd@piu K}:c:c 5-T1&i [Rfہ^ʢgvANkf&by$vҁJf^A8;.p.z }1B1j}Xdanc %PU$Rw!}ω_~SRȳe K bEt)d&6Dš @l:Y3@Wc/jIOK4ccmȉv 3!q ~e@{c7׉Z mIʾxHב.kz8$I'_\aI)sJΪīr`u1N&Wن%1w?m#zrO0G{9$c,8 .#_D1j"C("쵁 'vv kэ"xQ \4qE +JkVnDpl28+.#c?>P1X5k>[ 'Y ˾1攭JZf+Y1$9SתEIS;95Jmvm(MFf}ґ0ֽW %XxPEi&{WAKCeo鸵$| Z B-v۳K0%vN%ўS- [*ɿ8tG vtѝu|4/ZQwBrC1=(mT"*㨒LT|iN^iAtX-^˘D?OuJ2ij:;N )ڜZ|=+hZ-7r-WvHs|uZ.HD,"cRt_1anyJ)v'<mgAC p*L, $Umd{U(1њ&ڈ{>'D\sr{<; W+[*6F|amHչ=q&RvK.o'sQ6-+8lQtV*>•(@bۂT(#3OE\p\Ͷ4{yGX <T%[icKZo,f'"(XzOj;R4R}X檡RF%ӎ$~99=P.jDA7Qe .e;`1΃*y@BPg9*>WHk Џ<[!^rb-B}d >qZVa|YtΤ\10VI1{;H4JZHՕfTS _v`ĥ/P~Np{^=&i+$?:s"cb._ :ufgT+*O|n["V;}d/u&Ls`inYM RڲTrF]>1Wp8r!ӕq8楫S0;ҽy/Gӗ0UuPէհoyl]GZKf gݪD^=d'}Hu pCЏ@ֹZaC$Dmx볢ngrͻؙEIK xkn윷? zuan$K{E$`2hel0 콄 9@׋xwTOrbW-T9 =Z_-Hs7]`&oEȸs0s7шD6H.Q(O^ !s>iB-g vH`)u" %+R0>1 8.Cz!TYe_L:PG{h혹r)u③cg"x~)5`Wc6'Td!.:شR { lȡD&1{q>m N=u&dYΛAy} x`Q'_ }7:ש9/!ud0;tC`%U;G4Qx'6ng:;7D_9(zh Bp1#Bm6ZIe(\]&;[B$ʦ86NBa=!n|%ϖ3|bnimӹ[ڕ:ǿLwY4jhX U26(F؃Z9xhDVJK3:*1}c^NYΪXH TuO5 7[{&8{iduHQ?qeyyAry T ё?p}.*3:,lY`Nz9u +0}\DU(}\4hgbZ|/x]pJ涰[<԰V1.Iy9/R%k bzߛGx-lycPZ D?:H: 8c@: d))=>w;CPHoB @ >E8"*Oԓ%IZ!2RF7u¸o5O _ JTeFt~\w LFeyJH}'AaqaWzqP# 5:э`0dzi@b´urΪW NXU2 DŢcy>  }/[ .x~Jɡʓ)'eIp  (S+M1x%O8AZ=(#gÔ>z|9uY'Hu @^ꢚ<½k3ԄC5\K^aZ_8,  YX< Ng8]SB[OI<,t`<2lz{R2~B*G?g~Dw6MKh*ZRQ w'O)#g{Kr!&IF;ޛn,}h>2s4œGaD٣5Po9zӪ+'D o3t$`+Eʝ> @΍=ެ>@y''w<-4RUVIdq20~ p\?HژyRP];bzApۊH$ 1ܜhlzSUpa y˃!W0|j`4vvm=:+KPIH'¯@ѯ"WOKz WZm|fr|ӝK/?brju\ 7pP}Xk'W19w1yHiPфN\鱌$7y>~']gOrExTL]]>HWTN7:g?dZoՠR[C<)Q-٫8Zs3BpQL+dD1 q}rE/t)`Y3̳f0|;0P9 mDj\I[z[J{AW X (D}/L ITWB3u=F' ~Ht+kDt{ijUq Vxs^ "}-X3PU/?|پ3Ai l-&?V_ȱL`=ܹN" G/LCk2IpN'h?U`e%8}wePd E6:!+?K30Ch)+sevwv(Rb.0+i|lEn#eԱϞRNRlIҏMc͞&b6Z 9\1XWE0'DNZ=YiV[BؗD]p b+k^ ɍ "k~xbo7!#CħBzbxt092/7OD;u;p9[6>;3KܓYn#d8<ȥ2l[sI_[o!3.K6hit5m j 8)WB%# AR0j_'Mo~)`,o)w ]I.dQ*~zW~n=6|@=6EMaD>_oVOf֗(- 9R7oNVǾ%}2H b^]8D>k[ 艹}_nJlX_yfv_L~w 06,&O:=M0ҵZ1η$+6LlL^^9PṜ䆊&Mɞk#,.VPTJ](Э=z#n8T#j)KƵ~d*T#ޝ\ " BHfdFa%[nS#Z|ѿ +`G)kόr~#ȭ)S)q'BFFabu/%hc3IdE0?BSBK\PRgF*Ge.aVOm0^qLj5$.MrʔmP7уfLRMKa%'͊ Uҋ_iNڋ+B>懽a;2YЙ*UqVӌ(fw"sNx] &,_e[YDvUl@c2ѻ&t@4cs<~4p IN[i@_b3aL2jsߴ)jҚnb K8hԀJå߃ok~u~a0p &xŕ5y z.$lmO#,XjrFDIw aF/eҺV4+7pCgxw.:K&F|bC94/pFݱSwW7; `GD{H1#&qӛU@ 2,)$Z>ҶfEL7$ZWC=T1мV&x!#^Qq3=rPl;|Q5-jHi{}.n.wx@ tzgj/mԮU0N լ y)g b !GlQm'lpEO!|tnp{̸Ɯ48%r]I%[\P;%kq-0.̕jO1sHL72SX3Qʵrh":'bf V5KhaD"3&HuL/|;g/B1~M컵+:LI,[j"ʎBB K@oR%SZc?]J6 R'iOtg9sb3i;qhK)ЈN:uF`f>Ro;3mX 6CGφ`ƮicL£_m"SM~]@';]% m;f/H2UD;/|-*tm;r;"(aNjp_=iԈ1pxMPzdlpV,x1mRMQYh/Βq_ˎh.ʳLRlSG3X+g8P"CpjȞzVd\f^F\Te!OI-Z//gyS^ g){UщP X#Yp ٧񦾑xfs)L`*1 DGւ@PgڇNЯ2q0MGǏ0/L+?u|^)7 *zKQBj?d2 $Xdp.b~# ]Ӎ`*|VvV/TCh''U\5.7A)XJu,B_xƓ>TPrt٧%o[ 2ͪ$*~i[#ke~956 qL6Zdg򈼰zAtbT;X8+4}w @F_!3 {N"6Y*n۽b kN uAMÛV%.Bf,"vW11izY EB㻈5< ɬ˱7TБ 7dZeADt8 ԼH2(UH/\u8\ ~ಥ9%gPa˪i*#K$=,q„Zlڰ扖~2ڟC03Pot9uUJfv~nf @;.nobA\QLhMu:6ame :&_+xd'e` ѰTN >T5s{ (:YEb譍=8%S`7ohI ^$U!Ik8QUi 3S]f-O"Y\&؎ԫL@Δ$Sj)IhX"9;ӑ]"$cRnp" )*vqƝ{@'cG-LJŌ]t9;&/|ju{RU.vro[(T@w5 B Wx_04ng.!yȝ_G,ppLj4j4z\Ȯ⺴8 TrM`=E)WW@*s'4wdDK&s]u~s( nQj .) e B|dadPe`AW~"GwdS (@!DE@@ZFc׆C\2$tdp^ MN ImH DsnSk]s\4=,Y<5t N 4u*6<'\Ć!Ɠt/kpS&`7xOO27O DVQBK̞CB 銳"m\:cʨIJ *&Y&OB|t~?]̛`p9GՒ8=ĕ襲I5w!!WvA9VxzO;yjך>xd` F;Bڪzd^-ӟT. ھ:+EPk/8&a5ͅsi7{Z2 }L״喱A^S׊PrUͨ[Ѧtg*K#5 0z@6)"D7I7~u-}͠E "ls?XBoʤiC.N0׸D;oI)]ad7xƴ' Gi;$;ynk LTC+U;(9bWc˘hcXf*":o8@I} Daf >]E9hgi1$VO!){ӓF/&"`TKD j17rBЭރ-ཙ2^kڻdR De;/BeXx5O #QxLKDh:,3k\s|f({[YfVWS^*xqqocI[ (CIurn<5b}fxWϚzxsMIyp, B-DV-éLJ^;7,]jjD,TbZtXRfM-K yl7 ZX Ut=00 N&E ]g,N kːd m!Ltrv`4)z,g;|]nJ>kΣ?gk1v8 &#W_@ S)v5L@N FK(* f Adfy\EْԄgt9 '# L)M^ILTNga!V7@iˆDyFلWCTZkM{Q5o/2eK/fYptdW #CHƏۆ(bۋseA?OxfʪH!QG޲b2sqְSF'Z{׈Xp +RD^(YpuP[!eni8xGIndV]fS2y!M]9{rYհʂX^8E2Wc laf./eF©Cl0!7 L&栐ͨl?6h%3v{bK b9 81$df "n/_J% b}jU"D|/JPWL捍 #`f =YIsg)זjZbQguNUT6@-ݞ7i]i$%)ne?K_ v2S9h 7w)wn$"jVMl2IrZDpR2s" dIY\n˳m+_LCE))$?}OM2 TlODc ϥ5t̞ ,󀌿k&CpP" k 1W] <^. ։ *'շ\q eGTU9tnd)?#t<FoBu]_)`Iqlu*A Ev9-L68=XX_>ME΋ 5ϔi}U(p` j0T4,/Ko(GE,bADD@ =&.!1Z3(hCYjm7rnڌ'iAѸ0~+_I:mK (!Ąbܽ}u*ZWun.HNO%<}0"V5g>f*T/]iɎЇ\FZMGqϥOo013rG:EU󙪛s<ʷ(:eDG-ffvE.VӃW+ szlRXJ󐶯̺Ė_?=cD hM۴L3sPx%A>ML5A+I[?+O^oU̲ R[l\J|ޕYWQwjy$A T&ކ++ڃa:/vs66l {-7 &zn7XC\WL^)ǦW2<>A} FRIdEgfޫ 9hT&S؁Nz=]NZp| n;G`2 '/imUW4SN纶piBhⷩTNҩS%Q"!ɮ Zy~cݰ.IZ> CS2xB\hprYQI8j1o'01I &ǵ=gX;TLLD>!Љ%dx(zYlxL1Icfm cu5aAJ[u})0_)&NM[n8p9 J3{z%yӯط `֪J]f;<`y?p>#֬hD*&8FXTKOZN':C>@H2"ATyL@Q[2HSg凟oC$^Wմ~nELRuΨM~\:wQ7eo/^?f6Ow pŀKkxDG,!. K8Wq\4ԇ‹KX6iM$gUI| 0ͻW-&0vR#`8a߬|;-<-a>Ĩe iƎױ@)`pyAfLFwA e~F;;mG7(31oH3E\CV9Z);8% Ҡ)0߫f%n-oeڑYz&S }e]@]|VήԌUxMhxSc{=|4 -L4o UeaO^ՎHpj8jչ\SR "%6rHwag&Nr02YYN堻3if{LZ+ C(F d#޸tt^WAIAVjT#[DF@jظ.4#R=_ );@h.:zS²*"X4C*[9{ \p]6-.Ks"s}Wiܦk/g44T\ eYso)U[CR+=ar1`}na1}%hPK}%ܓzL.ϾMΔ.mE$Օ& >o~ʂ&?xA($ P0 }fV /Φ d1,\zsV|1?cM5PE@58_EGk>4w*Q+c(&_\:VVS] qo4p耆A 1Wcej"op/OD<6Oq9F[ yHk2ڨL]U[!~{ijL@pc<HJ)~q*|>SoVs:AvTծBýa4Kj,Ks}b)ef5!O=Z?a\4R<@/|?u~!d}S$\hꪗ()~f$ES9Bby!늞w/)@C'4W-~G5029K%1#8x&8OL!HrN4 w˸1Ag]5P v1׵ޜUL05q95Qnl9. 8dرO BAGy5;.G0LƇ\hձ;69ig0`& 4_SX8f5i+ 6fe*X?!Á"P bunp7m#(_Ǻ8%w,N[Imq`2PB1m)Iy\AYp5:9'C Rx."%S#9@% U]G.eI幑d;Q96*R`ġASh\JPVv:4(N~tM `uǯ3ZZbi0'E|- cއtk" x'J U{]g=HhW(5WZو̨2؊ı  ż28q4]>E+Ų5R F?XK GUcj. @Wy7щYz'ߺ ZމL x^/.jk9dct"?&X63VŒ#HSt~LF&$9Ern>1B }eY GN8i˭SJ6-U=(߼T$h%.MΧH&v@r LsLp5{:n$GٹSA[bs~:KY3d-^6]p1TlmNhs=|d>Ԯ=`[|}T!7WÒGÇ/.[vUfx}3/r\1PY('oz Af w-,4&ՉPy+]1`DS%ml;4]߶ JR?jBPV1otFit]_?.b(+OXLƋ?ފ7o.~(!h[5/e+"Nua2{K#}̣>&?c?_y󑬭X@չRxpZu CǷxOolG0nGx\`?5@A"v`BȜP=nM}&lNܙ-s.3ߛAƝޥ(Qr-.<\\=3fL=04ֆ%A)՟D;5wUއc6hOH& 'OyБUfZ1{ L $;'|$%$<  AP:e-f/P 7:qc< ap|:/to%oI)M>W+yԂ;L{"lt%ujC#O?1<s0-Ɩ g:z/wEx`04P1z 6m*/ߞXP i pSa WHB8j&qN1X>~+ZO\]y AM 2(̘i۴>./Pv3d(o:d=>9q,yȅ<ʿP[ifuVr΄=$в_./pFAȆw'JSTas۝R1yƧnh4J)n 6@ V\A؂Z\K 5=ovr`r `*}c_6B{uTYHts/48#c0S..}S?wIKsLIʖ镣{ӨYǻnC1} `XT+K=|ϯD#/@B˞ 6v-ی}01{ ފl_f`\o%CaAIغq05J!3 гE^RmJv{M`(wJď=R)r )b/x>T~1Y[p5!(c_ @T|77v$dVUG:6O<ߧOAI E!?!2q2\8=vK]RMK=L2rzmd*'4 "h D3ϳe?c@YB#,֑>sc\I:8tg: H?T: A!['Wqyus6Z kTr-YS)%`lblaEcP$% ptΞ˨\[^a$ [XX׸s}nJƴD;'tU$\Ygl|!}6pnWk@n 6U-8a: gD!da<0):TNpf^Q-` }=O;r}ԎW9rȺ'^*!mlB3ǨE ZR{ U*oǤݝ>2Kcx $KF3@LzMh.W;#N ,}ҹJy;\"E)o퇦U:EEʺ dQ"Mo'Pq?oWHaFvq-7y] )H_(F:l9S00m9۩81VLI0-5Y򴈌u*Lj@XgE@F7F5x O~&/?g7 ;hcxLiuM m]}zJ/ rXBFhz3+.=6,M.*(1.{:8O&/C ۠n*!n?^ON:y"U0_mx9JL2G@R-%л :XÚnbi~b˺00yl d+)YG>W37Ѽ aI=#Ux!}R2OAKz^ԶZH+RM딍o֥q/=3k^Nbo~_{4(3xv6y/Gǝ^?cd9都]) D;kml5G@;> D9s|1GE,Erբ٠2h& 'ϐWp<җYy<e=V^s[pq~{He 2rj,$/I7)VO`L<#RY_: okwX:'"6ԉLB4<'(z gd+0 _.umCG/'$Ҵ=UL¬gs v\1\ 4b]9YЋq,ڬ!}& u2fǿ] rk f*vE,G~{jڃ_I~98EwCb?4峭,>Hr`ϓ2VOyҘw51+ۉXI(1 UYN>8S7Oޡ[kVkuoDzZE_5䬟9 \J{^`s:ҏ–G%f :Z:>7þlFsZ4 <"1}œ|z2?u;to!zqXϚ#q{zok@ U{];n,Hem((~Uhp.Bܢ^U09Uh( Sx3q@@-(+LIgqryjVr*74wCЍ:VS)(5(>Rd߶V%-#_Ѓ9!pnV ;'- Ҋ/6V_8"?`FB=td8:%ޏ޺Ƀ@х8r@&d[(1Gcu[O77& w+i3߱=둬ΟP clkAQdVf@i^Kﭵ27 C:j~Ǟ&C(/ezrgcs0t"`fM% m7LN69k9jEwۑHEDhEtXDdD#5m ˾ ɠʖ(-gNgTiVKnÞ`-jB>uJrR&/eZs;^5՞\m (*ibNx 6++x kӯGB!jޞ080)lVOuc("冔\G^ Ԁ%M}3fNf w_7F^4.KY8X˰7mƜ!vc=IsWC)"}⊰zHI`MvEf)6Dߑ3K70=yf-Q~h.Gքa?o">8QW3ť(+&p$Ii%lg#,_W mNS'P1>B 9F6< u"0u ոuH?m Ŀe13Jg.X0|E:DmF3v?9sK I8l[}H6eqo&H;\x8t;9$'7|R\+=gӯZn&ZPrD% ">t$ $Ŵ"؃y#Ϻq9|JlfF \T99c9dɔXҮFR= aS3x:< I.=TVyzd$DA5~MʱdPwhoz[«rrUT=lU4_R8_r->:6ȳԡT ҎZ KθL+xQ)6 \p!| zG.Yw(wèԴv1gR PV!-a1%qEADBJ&y|{iuh^èyЮQ{M|t} YͱzӅya41bEFؾ%ۨMӋr*JbEtnch68v* 3. kiw u,31 Xl}ڎb}~NQ_=kT9 .8# خ>įD Bj >{Op-M(~ zB-4VN 'ra$=D3@ҳ$=f#CvNieifK()_hRx|xJT*Oa@=T>`g9͆x;풁:DY>ԣ}3я:QWW&ofQd%fF8 .ڬ?J_H;=_f:>J82, a6^a)+ɦ/Ux T(lǖ) .ks,g +s6P|鑵Nl<Ϩ+xET 0DZ.[v4y~1ս .OqL5Ҙ+,^oLjB_ 08j|NSHɩL|Saiʚ%'q:^Q*%IXW<kAt\,9@YG6%U\yw3g2u="av-jxOd/BX=I[MA<-қXkFFI$ce=׵h9Rؑ6xnyp~%u4K=ן4x/=ћˍer]2S'mĎz,#ŷP,DZ=fƧNedNT\<=xK.wzضB8sMur>\ϹaɷkVzDق3rv!Coڅ`?,yxgL^)EQcC8UKZ?mV%P/f Fs,[ka )|XoV9s8|8Ԝ 2>C2u)^Y!jO%7l!5:MUf"x}؍A2/FAWbs2ͣGsV3Ǒpyjׅj_?׳U4ww[ r6|ew[ݽg핌M[LRZ,[-^#4UDm.N{Ynhu ?7AuJ=7!QM;OPp#-؍E,ޟ@@dffbT /I@BU YD 3=)?ZXƥD$oX7i2ivxJى,ğJA *a%JKPY\c1w|~tJ߇ɏV J hFk0OKsC,]/oJB db͏DÚQEo'3X̏B ǀHhpIRN Ak ǑRc7+^t9+F65?#WV'Zz,jtrk$FXE) o}PGuȦTɥNIa굡r>ߟnBG$wS<䧔<:Z/"Qp{V XJ5_q`UT =sD2iVhdg>i/Pg&}ըu.Gkd Pϙ Az MW1p,B0c  c̮d`GH` q)3t ?V-dF^×^˽.Ѣuv ia*''uNg.9<I=PC1Dpr HpF e\MZk)xǬ=+J\jNPCc8jY g˖q)DAH:#7ž} Z:=l;ͅfXi4 Aבc!s?st(F9HÇ<͓%8r̸GHܳ K2 4> ْT/- niQM!X{_{ T3k .wRvz3Q `R~}Ң(+Zӛ.@2x3Z?( IΣmLd}kE*SoGW-O`#p%R17j$hkp财&Vj2T쨴<"chULj={ dy7rLu@Y){D!+A2hz+)4ԉ/'wGu*b3M) JRܡ\vsI)*0/ܦMz8fQ-rg*.jAЏa7AL*šf wAכ K;g^y$;HaJ; | '-u#5~OWgQp'09 (_֘B>DsSl=.P,m ~GTX:As] R`Df;%I+)!s:X?o"Z*~^ 2r'67Gm5M*\ACX6@^ mO]qɠfэ!ο?_~pk=Tc"+vv_}m! Rxt/v ^̧sm$LW  ם _AJG?ێmOQLJ{P,("-%ղd'53 f>/굮comܿ/O_gb,R{ I}`+N\ãVh{ƾ3sVH{Sס [`[ k$& S7^j.@#~)B,k{x+IWC9KͧEp֔juvLݙYT8I>Av}' Otp'gAD2W vRkH#z;#7ΊC OdvC)k5gA>RuA 6V1h g/ |rHN ^ M`;8=iE8ZHfK]$L\F S9~lecLT*;'0ioey6I=&_bT>, &_?HY1M?$kCۏ`,Ɍ 7LR17?tGϾprLKhu49u7a]ՊpOZYC7L_2*^X tӅ.+VĿ"8ima%s6̞2"x:O5RW`&llLBQ;CqkhRd~˴c(E-̯əQ35l#S"tirĂ2n L#4zn|`b;B&1cGF4qoՇ[䐞f<hHHY 9r*pbWYePo\k zS8մa9 0Z!m0>aQ4FSJ ꅠA\ L݄̚yLpdxuӎ|WI>mQ#[ dK؞4A= ?ڮ:sp V"qޠ_b7ET2Qn؉Hrob5fʍ-0 37v x]ٿ_צHlzGqSc7ze &do(b$A+w$M;2ei. 'EᲯ5 !- fw*kunRA$rXB|iƯP@;2 \_v %u(y)J扸In5ڀ5iFYacFz=B|lvODhQ 6ۉkO;"Ǩd|uh]<!PA ]񫷩v ~oZm%R>~EX-&s8, oJ[]˺uYtG{ ,:TL5U:Es=~N|lpl0$rLѷs&AboAصU{g`\ CpYk||2i#xbrH扬M4M#`o՗*nu;/< . EX g4E߬ܠw%2Ta]2 b4)'0(媩M`@-({鄱͊zJi4Ň[l0LmJӯXD{&xk ,rYJxpi+u6i%mⅷb`L@X`| bZknX/( Q2FAfPu ̕*q5-&&h@K>'DC5 C?YIw jsH1.*t"BIv]eh1 t]庺s(\h{BI[L?ȳѿl"ckuTLбr*' G"@yï]`󞱾o \yVDlp>y :x)\1rQ(i7V`a#XUg*Ac~05!H2ۋh fz~9O*9r$(yB +[!%0u .[ʀR~%jJ"|/NV ljoWg:O.`II" P*.Pb:;Nhi 繝d{25. ^ӅaSW4 ՘i&XlI" AGG }g0WgUqgܥE߭e!f-,(fɫ jzVKb&[HkT="0بblt\F84| tCWJ(!a^ŵVGZڼilj~!BΈka)i+<&i]vO%_ʭ`Ė 6nMglA߉nTMnXIp E=_(wm*NRw|z̤4N{?C%eU!uA]-Y͏]IJS 5YYLv$y Lyxk|f^Ghi1)k )5 Z1QBZ  T~$3 8['5~L|xUXcڃVpA iMq,Oء7hdɶT_hDzP9?)3]HuDt>cwn, yp%N׮;dp_e ֎JA= ^ 3h@2؉Zx?vf% :=Fk|1S(7z]8VetvCS?3eI } Y{i:R'&[!ߥe" 7N|ׂٔn!44j}.l+9W>tK^Br$BpJ]p2!q﵃32IZⱍ rq?M*v("AX"l^6 {w\Y6#Žz'RPF0[")`Ws(\ M7̜.utb7[7 {MZ>#0Lfa)nwe}~TWi\z6wm8oraࢪp W(f\>9m{hh &-$(ϛ-=LeUmwJz=hdl1J(Vxj2J6-SdEJhmLޞ/w ܜ $^N?%'#L !~H;L +⫋o%HkF@z4(L,g#j5ִyt {Zcs\ڱ1;"U]p$K3dFcK,rwi3T8?teʐh^?dQ~ U=-]RI)*giRu i8+U< lٞ6gܺ^%ç֐doҕ&6K= Gnճ(IĥAEY6g 4qf]C x\ar1E"07! :g ޖtPa"$o^vZ|KDwFo-z[{ev˱"~/$\ DY9RGA|5H-g,L;;tÔ{K5JP qL`F~@Et̩‰DE%6s\bGvIhqYX@]w a\?Φyma^7;;ˇ15R%  E{he Zi=T8().T-"^&$ƸbKCi|F14U wGÓZwQEMU4 z1Җ< ? i`Atn dnF0#_sxrtRa9P41W IK壽+$awceq$9j \0hssvE'Ku @"?͡ȥle7|~KIڝkwxg+Sm]׬Ej^!8 *aBH L:izD LF$o8і)3Zwb AgvA4ܐ˔0 r'fwc">|T/hf{gI( -b5}d2vvɢUO*^kb3Cᰖ58W Gƈ8i4Iz6" f; PSy~Yeq03i{x٬4DoX[sMۈu"A$BB[!< #|Nr1[pQ()ӄ57(&}w[P=_Ð:֩0ψL-wtEp 1yg|l]#fIWi5L *`ijHٱWKle`XIE: h#F 9)̳md b4fxIz,iE}Jy 42oHRzÝvUR ݃V"b5 =%< Ձ0֔Wg9:V[ fg\j,4O`[HFzZkᄙhhC6EФ`@_bE{p`smG2713jt5 F_=JeϸPB,eC7zӮn@sS܋L*Ftr"M>S"SXOn y`,,ec-\.-z=[8H " cPNx3Bdnȸi4}Pe"5xet]!:a֡,vDCNjYk"6}I8dݙ kՕoUp2Me]CXP%;.hm.Z厯j|`o _X4,z~hNS0 >!iA~^JKiyB]@u%7 ̬"ɛ:1H+/LH1n|ֺ\*G<.*zmDt7?]au͑8cAaQ :]@H҄9x7޼NUF+]c(ULpi ]I /S]ExZ5(ٻ?(YXzzTM)m@)l".};}g?ӹD[4?4Hh.VI0.T &F_{]6~Z) )z3C{l){ L<U0㘻>WRRV$~L5a1+.n5i]w\w- vI^|wWd@,$!jmhϾ0޵\oO?[S/`G3N<[.q2yY {F'bx,7(H("r<(iD Us@>><_*ܤcDљTm0MYߴv(0|O>覨k Du⪉hx$Z V!>{n8x?KI;<t4ۘILauߛ)^wZUoǷ4vl朗mS+{Ax)cNA韄ԁvѲ&<.;A?9Lq Z;MXT11% ^H^F"|LFv{Cv6~ƭjFXYrZ7""R f*bUoNLsZR )0Bͣՠڶ.^(ZKD N1\&s PPu٘v ̂#q7,d޳PfRŝAhƨ[<'.K)t\0q'BFW裶}02-M 3J}1cAAo@ 3SҮE_$i+ t& "g7M&5z=Gk;G!@#ٕ95 zKgr9YW[/#sk.˄:t*Cp_Bn{{VߢG6 lb{0jy=NT.d 9|1'V;=HBl%9<[<PC)t`K%Є%> k9g^յw͔"dxW9 _V3~A!_ɚ| '3R9 3wO3B4OBat"e⭧P}]˓c[^\N$b8A WV&hަ}%&Jgˍm[ꭴ-144cO/@ļitZ%Qo<&!tgQ5caGj6njj2GHka2H[9B [o^#]yii11Boϖ.*].M@#Z bp2@y#W+-_b'*iGvȜR&wGqƉ$'j;Dv)]*YtKELܬmjBlSA\8ImɷELVv\qZ>Z`/#$YXR`g&j 5 !i&`QH \nv>2s;/"n_j o&󲎿*0≘9NJ"!rQIr~:t<Ӻ/{Iو&Kr-KVXYFyk2zew-t+4ԤYh.mBѴ]A[L7gMVtm ODR"kxУDS'5el(7fn[UǬl7fJ1a{GSZ l ,*xEXqN}S"~{F,=Ԓ("-Gd]LXu1dhbٕCo-I9v3 <G<߶"<{ݏNr<:+4Wn*G`ICBYl|T'@:-|Pw#р[YʤLyCⰘtj Z.J_Zپjb_,OQXzRi٣'T%+Ddz{ߏe Ti74X}/ړ)Q]$0= ^ڛUP+I>̂iا1LRg|rTy,;RcZ` K8rfn,M8 mxhZ :^#oHI,y.K%^T$RՍ EꝌ.poZUۄJTulWP-2q gseK~sqK׫FI!D,[ƴ\ z1`;HWHLm~$mϴeqLg0w2(  %QBQn5\^\%IUFERgh[sA*<<zunKR.~q"Na]I&F{Qepas?|IAs@j{=!nMCm6:ȗ@lʹ:&D5HulA1$|JJ:S:iGa9?=;U^WӃw^T'S=-oH.PCIod$1ڳK\&^x ӞPиNK?2/Z4tBF[xŰz?#*M`  K+hDZ*~&T$0gu}֓z>;~$>ZC'Kq: e#jpF`miAC7I |d|㿙b z+zLbuu%=ճh/ltQvw ؊ȟ5**1 Eg ~cD`Pwa3m]5vI׬|~\;b-S,yl߅MM-QI5Lቢq,d3h;1`ۉU.P| XͅR:Vؗ?vq}GqݡӼd]y+kAKؚ3aB)룝p7Ë>Oj@ &~ u Me_Fi(nw G ]"QuZ 2{(@^C9aλ?l>=ͺbF:DX;3 k(7yfK$}GyU&{ ţOԚK!{h}\O0`:w;1u #1f &A>giO6'o_:^ʍ[Hh=`b6bڵ\bU<M4=53C7!"(,3(;ಏcbYh _6M0(i3ǫsHP$M Ɔ{J޾4W|>(`~+`ݷr}@!c%}3S(d"P^p 3^  *،i+x(Q2| kE̛k6Yy~Fmj?y9; cx@oXY 5m9( h@{R{e8.^I K }֖py1>؜2!o[T Y|A| N*{P`dzX`5k@}[z /;hэ W[Uɶ n) D؋ 'IVǧ,q2y[B88TZDqh"Un[<-S]zVA4ꚬc/:',f-&&#ȸ_|"[P d0=*5fd7N Bm?L$RV2Rvˢ"_qcp%ߜ; 4) w4/ skzᅥZeFWj]vCleY5w"OFI)}e.՜S崂>Lx`5p >w)dzʦes1yhA)aZh\X|3nLnk-tXY282,2gDK}Gs0zM֙>=p݃z <@&Ekz'r=mI³r|fA('iMAzÀ3x҄Mݿ`DK8:wW!2)-"E13^``)CZrO sQɈn0>UvMz٬UruNhxϷל ]1ޅO#!O;z.o[[qU_WMVM٣a_ |򞻚<*X2>X?5i96'G Lᱹ/>@? ' (0 p sgErnSF6^tX0>"D鶂zx{-g*g{1B*IJq9EfjL8H8d!DX)Χ|:Բ0IZ]$* S') GJw-QXυy>SePM2q\T 3 ڜ&̗()郃X99G: ka!&^-Ĭfb'mZy|ǡ{GM"/2`FVuOU ֛Y.\gI"iMتRndVz* E|ORݓY@D)Z2r#I  xo^Api Q:Q+C)L+-"rZhs~(t4yR-dw©qViq mNj 4"1z墹*ޠ.AExf`a1*2]7+Ci8tSK"QZqS;CqKQR ec%Ru^wziHRji39JU}c#q@6|hOϬH" /Q"4{F"a"=%w *:tS+pjJPy]Yhb>ƓׯMBFבşG|9@/G#g "|:ɝ[޽vB~Wh;Xn᪻B8^q`α-<]H@o|S-?[dMrx1u5#Lqbb-Gf5nunZŹO6w4^0!`yfv M0` Ju " cˬ)tcKzdVpßcVz=D/6GŻ1rPtI WwKdIIa!E7aHkh_r(1<>UzWS0DWG;jɦ:  t$xNfśMdfPCW- :P2gx׍ndpS&Lmm 3,# Fί}ld5'U޶S  )Y 2&Aa UFXB{9OO E$PP#oVO*vS0L4AھMq!ʚN?=}TiO=sP='۵*K~Bޗx0E;6 n -@cP"X4]bB݂4ZBuM,?9k*LqL\DHt_k@%30-G dAr {1Y_J!EM>XskSQ!W-2kIKeDilճ0)=@?JbUpU YㄓC?Ud4฾c(yδ#r_'iE Du˳Y\>)<>ЖwQ=%`ZjX?M%5 k5R%:PEyq2MަAG8-)f НƌjLXIzjl e\C\E ֩< 8jQ`4+Mp憒-; %<_Sud꯯-6wD)pNօ YJAc7,\AqdfZ~fa}T!㨬h|Đ˺AnUeR/9L,@1̰km?ԣ֩"=8=)xF!_rƽȯDrw/'H3Hw?9!HgN+Q:t-i7U$x[tKP y tVxML)g>*/݅눫H/P&^WV++h+yȋ_If^ jeEG^ XO&ݍF( 7gmd=_SpLsI>ݗ9Dke{7ʍ6!/ӠMt& i%C);=0lt1&wgFYC#$`Q0̷/ [ornMHX~5C MrQnrh$,F"U!6 ^N'(ݖSc0gC2Te'p9:hug?&3I!dtD /,06l,; 1oɈ4bTk͜.T$+CAq:Eb"k!=˾7]fϱx |u ?oAW-X+\X'*$2 % ,jdw_|l)y?-=Z1(j4*43lFI#[Ⱥ{va>p uVxp~2 ++ѻg+‰ߌ@q7[0O&tBڦ1-F|6uY՟}Pbڏ:ռUk{"ms]~z yGr_sĚb2:Bܦ- Y'愸;XY.Ǝ]**(3,-Ǥ`vxxQ_e>w-+kŵJ/`gh,%Dפ0t^ 0L̄e|h@y3Z.CۧಜXWRTեznFl. Ύf)\\|něq{̏(M>9_}dn7aős(#s 2qvv:ǟ_o.㢈8wBf1t>+v-ᛍK"*M-p3~vqXNXBS~}#~LW"(ݩP kd{/UA'u9R$a3t_&_$m/׵՚d E+ 7s d H7;8;{-q#gSEm$bd tyq5@ӺMܒq_(S _?ُ9 b8 }iNMmfg:.9״49|B*>U8T dý?-zEiQhuûb'T'bJI^6}X5ɍHw`}?T l]i qhcl!an@쥤zj髆8;8({!L0[]5cdܔyy\DEt ṋWcquP(z =KjQ،ciyejZE[ѵ/eXdwr#b%=UL '2xbH=4z^#Jts\a%POsţ?>5ebf`̪Dù C;dV:%.ʼn nd絧‹RIN>谖`? t8TDŽ=kCr/'fRd FT.JLM&zŤ"Nǐ, G vWp N{۟VV&FbDE;0 OZ>ܻwnI*Eii_&mD(*bhRK вqnAA 7@ovK;u7Kq&al)*xJPz>7mzX֣v@7ltcixW)@fmqV5Ri{dOn٧N8g~:vypj$sC\pނlPR&h*/oDռXg b_{M濆_+ {-z,@#'K %EVs85ړs",{ 0&ɮ,fO=2u+/JN/֫KJK;k=L.w }39X>ƘzA#CfG3D[bvdɏl.,=f%!5IO1p[/$m[{fVY'/+v.3%4 a@+LB4.>g;=L,!^2Za h,%!=4N+P<6|.wT* n(H'pgZئG2p cIXA;Q$R*.Q+6obm ӵp\x̶*̭B!ָ 6&}jtR,Lrqc/N1y&񒣺>dp e=.Ɓ*K:-ܸ z)JՇGď޹;K`D51/2ujDq9;f6Y&-w(; m ]guaa㎻,{ RǑK"ƴEl ۜ>0DEsπ;M7 EЕX"#+K0[}C:Ct= (R@"p?,[ )U0f+6oA ƚe|ξ?NޅC0󔩽+@K}N'l`E`#r'Q ŻDpCtqb%ADk8/:|IvOUFO!R}sَs5/A_f'26߆\hĘ;cx,-%J1i Q]斯Жzb$Sd $&}m KWфu>H ]U K"ub]tŵ!^9B 3WZ)>V"hE^上GW`K2״..L2[؅T.L&n߻z!PMkɁX>I|-i]nc?u.VG]HmW+ H vr2,MLo7fHW'2Dq\Il֫i"lТmᇄX̫ !:Q{}xv X7۷+Mމ?ԥp8:stM vzVښ`Mfr` 7Jw5'Ӽm^{'}(RV/7#3di/LgI7|TY:^ovUtJA4Ńhmjaedgkk2gK(IwL+Z- +"aE?|\5 A 0Xq"rSU5R kt(~n +$281=ŤwF}y}3;} .&_Ȧ1ቾ:2aV)nF\V/u!Oj |*cD(4yl5N/pZr̪n YbKCJjBW)<_Һa ~۟ c]R|T5eL{F礚b` /ssTGۉnp^]ߒa= 9ūkK&2P%MI+fp^(-LC8?h0S 9= :91A4U \vQ&xn,_|c-X$HZ E-k \$zºB+i9ZL2o|{ 7A}NhO<}qceikj@:+WBO io>"QF+|f.%DZv,yDЯ6'\b۳JT5oFnq"k; %z4\m0Fn%?猫H`;/q,ݻ3E>vhbies4a/ڛZw48hiO/YIf [DKkOv2P Ko! ~~|}? Y899mgy9SC/uʨ"i{gpf% R.8Z6ju=']L%yZ v@(4N|. j;Ol2f@ aHATh44^[A 3i?ݷ]я*en:Q3V$b .>uYL;lUʖ%+M2B}7ǩOE5p?~2ϡq^V?|)tmfTldq찬$1P^iR5:We<>C?˪m;Z_1J" NMHF NVq/h̉\(@a1IR-vM'NS=9téо3 +x>Y8Y?N9]MrG%әH](&jhVWq@ӿ= ll=EΑN<%mÅP UYNր Pjp!ݧnMǍ&FCAlPZ TјaXt|cjEux k;qwM.p& xOivr="SSn@`hped|cVwD~ y3?d$ON3΅LufxZt yٓn8hD(q4?X~/IIz8x? FH>{1)s$DN{]{Hv1r@**VI-zq 09"h,9 ,⋯r%N})!hڐB(yb.fZ' ^AP6+G;MsǾ³c(.m'zិnKx fH4  Gج9 rVMh/$| qPܵ mg=, $84;flV1wxV5qrIx"߾'a:'}M/B0΁4`RJ'>K3ݕ@L rI=oR8yLHU{1l8|`;]9v;_[''4X`lfׁ-%-_UT*'9B] %.Ls5nٚ1ofjĚ⺜H`W&/kc]ՀW,P} ^q#S!eK;\TuYgXpL NGM} r%KLIʭ?=II#7e5OOmAuZCݿg؈`J0.d`y^~]dfYs_Sƃ0?hUY~ڨ7Ÿv1xr5ʼox’_cK~i?0,wnSBnY\m ߲Rb1+ty U&ޟg~,zk}[n@b͋Z2]-N zͰyFG<)s.oιEdaB(\YT.ݩ:"|Bfm /l(=|NtFA|U)+&7ir;W"[&NWpݪ2 OxHw WwUm>p^oqG3WI)"njݾ|lVS!*bKtA>%NG夂]2Z2!_v>bW =`\"%;X75E{"~T%t>ܘS%] Lb\Pk:Mk_*5ae.Yu]oTT4y2)ǿp.IENk.*("=Ƚ%Pȝ 9֡vd1SJwiȕa֡lۙӭkâu: T} Fj,"u\DVNv+܆MX#NP8XS;ES,x4ry92\}r24(l;Yh)i B-,Zጓ(E%==kIfН8hm`ђEaG|v8+16Vyx<#cJ|0#ar[ʩ': `U5A Upol}еǟwqVC(4ǬrXvpHzqou(lp)Z%ap(BYNXt {6CT5s#$*Nu#u "Ńx:bbSE_x"IN,(ZNlqsWBsb}}{\I@~ZQa4]7YIZ?`6?y9`~d?O\ʦErgppͲklE#CmH J:]\a rs^[*|R0W v~)&IKdbfFtXO|AΖ!emkWZ pvH h;-R: ywƊ%ksξ  F&E$q2t>)#e%kvH˭hT4g!~f|!y0 jRM&O—Ccv‡0igۨMţ6:4ʢY۱O {S94jMy*rk`9hRʊw}k`_r@ $X9[O5 OjX"2瞫P>t(gHGl?)(Rig)`ue-Ul& ZRh[k*KUd+(r[wKDQsRS4Ɯ_Rk~W$'p&q&/VLiԍrˎcF>[ |Hjbaj2I^03*;X H#x<{v_bpDEKzf=A}wV5R  U/`.2™]F6oa(pܑ3c&)PiNj zZƎb)'zh.A-'EBȂ:4+Jk^aKN*.̖rZԍYzω}C;I$,X*=\d^/3]v%|HЬLH8sR\i!>? M## >|2eܦ">2/0AX0#\[IFD> !SL n:)DA˃ɚ湒ńw j:zt w""&PbhzH pÅZ, xJk:أ8uJGr8s&R͢Fڶє3?bg,E6In,.NAEly~5O"#,1Ё=UeFgV9ryZ8㪽%yԞ;$*$DZvcʓ mcrpg8#>5 j0iȇyvOj4IFuJﻂ۾;'Ab $nV+{ xlxIGˠJa#K CJ~ )uT8%<"3&?z|-K9[ۃ칩Bc#r\R3|Hx'+:DMo_B-qkV+ vB]GDy0r:OL`O(5g":[f9E;g` &8=4~1$o^xOncߣ~9\i1Jb{ kԖ+ȏ_s-uX}en"Pt^QdP!=gLʢțX5 2 軪Zr5uoN*J1tOBp_1\!;3^ms}k169M- `8R,6$M_"Óg֫%MMP,.*ws"OF%XWeIizl]KzƫOW0Q WLgd]vM_CUaGl6+woJ63FͿ=3}8 TpAl968=  06b3db/k}} =οDzXUET> e$6Fl<;jnnG2B~W Z Þ\O= yL_97B=9 ynhCz;[tL6Vw~_0|^-Y‡ R_M3sG \,г',,dǞ+'Ŭ٥DoJr5824BfN,&l!deHǀ?m bp!sS)WW?0& ;Sx%(:|Li_?uj߇*5k)n5 KxG3:d(K+)'^o" PokϘuK6@Ŝu3<2WLYRZn7|{.9n^B9`S!>] 8x*h280"%]~VzHӶrt]񃝛 B'y'g}1h!{` 9͌'7 |,nOocuU:]W}[πbQӯiirjׄb.;nY IşhU[2ʼnp>l9aD$놳ϐ_#r.Wb/ZDuGq&,!!e/=|3LW[ KC4ץ4e}9nJԢdw[/ˬด(Ri& oT.DrY/vruLt6x8-x 85BڲKԞ"k>A52lK6[9xTgWl:&Zwu FOk]$Byqd=ˆP>Ff?D$(puT[̮F#.$ }햸SC '+4J]D~AjM߈i;&(E}{R~ פ0߇zr㒻*RrGDfI}Coa0 &"Ybؼ6BH`g'f.,/n@q 5B@WrSȸ{toƺkzʲr2 u#zK1 OrXb85Ujɩ@&)¸q@<h"BaXexR,P?}cSt9 ΊR?e⤍3tvP꩕OVX]$ov뢥d\fœ{:Q@-.snx!Y귮1ժ8_%wNj:IAtAQwhIq7y~?14vO5[g"ʞMc 6x^x*?%t޳tQ#=4AG]R+n"`gve*Fb-85|A!w{fmZ$ D-yAq}0\*294#%ujTс|l`Sbt&?S  QyH*tp@Jƃ&9}jBbiH8Ou%]FC*WwHZ7aHf3\B}H7բg$h6 pFg=UoՅ~{yk %S@睤aǦ]^gg®rZ0r]+wSƮ~_8mwAp:̓*e-sSb+?Cҗquq>! i˳5 E=ƇN >XFDfj3Kts'4zA,:Ї2_oUۯ.9a)y/n>As9̈́w$QqzaVKd$=P'OOޅͯx p28]5"'P<[O6E&0cBS_ea_: |{t{Z vyIt⽀\f޷#Fnx_\_+7XQ/#6ɰc> << {`?h:{|"X סl` #{i?pr1 _cWmҝCCVg()rG?!=V/Tى6~o!Em:裕bWxIBSI>9~Dv6Jѓ(e;骩wcA6辙S̬ݮc3F)/#~ʣ'$9Ug1 F3 tЌ 3ZyG(fɭ+ ?ǖq孖YUM `p2Ha\I23P%G 8zW-8oߓ2cv^IusvCgQًW>Yy{q+iP\BV_(>_/oc jYn:e;(eߓ_qv:2pz8RSk@Wx oN=cAWqå:;}b"+bmиWJ7d\[[;WmzQ-&?q<IJ>xg`ɞB"=dC YLV xjY$84_JKFB1{Ie tk@e W*'I{5U>ݔ~cε`4Fnm??o~ۖ:E׈̇ZuZL_EB>Ssm1 h3U)~vYl%%JI$p)t(Jak}ן$g +祸0WyYA+5|a`oop]oesDWTi/`rgWBw<%p/:]cy0^=s/Exs)*t^eƀgQJ0ˈ${]VmZR5ocI[nU+  m.>/c I5Ԛ#nO\[l׶No)˾Kq#Suއx3oHf+ZSưH $ jC#C^Eh o?tE$p4J]N 8nVvH8\L#c) 3pk}OB a¸ݥk6U.Fr:a>y4 Kә=A_.BD*WgɤntoIM1 TBJ뭩QAr6#oq]:J:0cq~^a8ߗkٚJGX :>ፀdOdl%cF%izvLP0 p}Z7@ȷ[80x4ƵBҒWP\ȿ>YeoM6f'co jGuƝ?ۯv6}%S~%KGݘoc%W^2<J:ql9FT=߉|]h 1!2 BzNC_X \na"@GOzur??ϵs䷁nsfw9iWuscuʮ,? *͉@(w[I(wDKv7IX0f;yq`u[dql%i$5rϠn(n\ڟD&)H{ heAcha;6^⌐>IBwK=cb8O)2ivs_6>&j0bT!Jk~ GcTg}R獅\ouq|㭹98_uEəfE~f\`;o_n0#A$rmz4 v$´JXF( r\YyߩQ8c#c[!0m0SA{CqiGib[Za#x;f}"CqVrnXeA'Rh` Ȁf竊m4bq,_V<"\cT8'9ў?/ mn5vhiJsu0t(*+Q"½bȟҽ-+F*4=M=9` 8GpkJ:>6Uwy%( ,6/pOwF,ΑJtoz2~&cRY ݵIGCOpw7``5.bfE6%U c*#b#c GǐV^A_'Nf'vG/m iy.k1IIDhzM<׸?)[x|@K-rsri< qK]iy }H`-b4tk=a@S63:mh-SmͅͰ\z ">Rwmq}32~NnVeVmpg?<U#W;Ks(Ơ<}rrgu,;gb; ә8P%%2r,=Aizm{@ ?m\`!mߎ}IԴC^`NP"v[ *;+8+uC.wD/%1שhY9L7҅.|3SV} k`nUQMr48h*k &B Z G bb.VHoO} )Zt=:VQ3-[,!x𩘡Ga|S呩:榠LBk$rFԹaݓ}nJ0=ϭgqmNtRTT@*^xd-2ʐ脓4Yic/;,{Ls > ^aQĢQaV_#ߡB/Y>8ē&52@퍆 Ղ^?Sg4Lm?~2jEgv%R?f(g|6JwBY@*w Qr1|s}S薔Ӛ *kbV`; iINO [Pu⏮|g 0)M24Tv9)#9HXȅ1 %怽5 ͟Mّ7 ArKf5Ր@8\ڳ%AGu'2jruE*xVsy9Ɩ0Mf ;"VK'K W^1Vm^X[U,?X;Ay#݈HYQY&0=in!azX]8i ~;L"AG8jGC)fd>Oyhu$jO1N*H"kQeXY֘0F6>=6lVz a&_;B:Elbƿs0ȆmmN0<[$VuWB G~TR$o1T ËWm!CU Nh&E.: v(|EwɅtB\(lRhoUAgSp+# M94#>i5ͯ<ىC}۴VDh6kցi9*NOE<Lcϵٗb譥}5UO(+;{S`ϻL [ZZ!M΂&1B8wG=IqƜv20k՟H3#boL} A9KA,6Vqğ+9Y/zWccCWa4ZWRT\xs_O Bm yEՖ< aT#C*N-~~ JM+Ȋ *ͻc}9+pZFNZ%5[mQ'[6pWɳ ڬqZWfͯ%NgԔ `ɂ0E0='ƚ?㟶lcgMl;zq A-q4Եެ`GEpÊm3f1Im#wj.Z^] t:VtDvOwr"w]_1Ю p#֙֒R4cSυ~I N{Py06TXriu=WE66M^uy`դ\}Nr]$ʼn-.HapjkRVMzr)8^ͼ>Ŗ1ÿںP*_9-~5b>MND\kێc`y4zPM%|S>FtO2,QV@3 -֓QͷrNh ty&wpc7ecmCeH h^XTY Ҋ8K0ok؎r3^ܨ"^@pʡ]G;FOxbkw5:6z:OWyިkc^\40o%Upa 6+C呙I9K>iޚRIi&8ZH uCF{wJ+r 8EmQզ L O3a÷/QZ1lJ#攌WKS§79-9څ=h*Ojh&UʱZΖіw.e3}V/z(? W7pL/gg<8q_͆kN>+e?v~N3 _ńAArmDElġǭTzf3^3'ٿ~5qTW(XOARv |Z7TX%c 2Dڴ]$n񏤗sǪm'dI> ٥44e92ʦ_MpHXq7GJqrL 2&oY;:?1\Yzf >SK!v {Ca1N֮pJLШahxF_ umjNVrM 3HফǸQdwM86 B6zjlVw]`r H`Ƥ'I<2ml.mTDx]fB.6&ׯ)RE}N~Yek "e-2xqM{x4=F[S")1\v~ƟBu pK8muF4Efb /d  ! Ƈ87Ex΋Xatq\Jm6S&Zܦr9s+2h-3bL1+97ƥc `M"5+Nv{:UsUyL1Dj"_cAPZW:rik Gc qgz\ElqY2i,NFW+fȡ6bc|Q VIʒLI–bFNc] ( `L-1qx9/Ie BAKJݲO]b4"B roM;<ʓHEsSnȾ a90>-警3[FB zScVׯ_p=+$"';o~p#Xx7O7-gxV3w] /sjL9 7A᫞YU[R$Ujof έtlI X{GE}fG 9`uQU~]*k`9Ĉ"͔4&R{:l>p.c>=^R;q2AbE)Ŏ;R I@vf{:C  +)ji?6ˠmb;vq(eQ'[O He9ݱsC^G?7#x8`Hćg>Y9uD- }H)'qG?ݭU[ՀvN_4gaBg>Z=B0~_1m*gQ-qj EcA1, Q#C߫;aׅI& הe }c=sJei}х%"rԥwd$Nт̢Gel3? f,h7 ;n⧴V}4@L(3V3,5Qi#}>>f}4ȠބDW:^ZmQ僋[c˛0^opY$MeQ$r "T?f8( A@*YmI]T4 XM*o_ H R8na33\z^[c'9o!>ϙ{Še% W+2sZ\rzgjR@2Oz&dѺyP,+*棊|E'F{n+-IR|y\#[uj;`'*S 7CUYrSPEj5 Y7!zDsKG2 jᤳ6R aI [ͨ\"N\;|ZH0n(vK, ܳ{=7(Bq R"*/ҷӳCZ Z 8Y 4Us C0{?etxI®mdOauc,9B01-_IRz@g@8#crj-%g~vtܳehL3-9Ym8+\RV2˳p/Z 7` 8:iaH~-S- }: @Q 䯝; CE+ktWu3& rA%p( пIq4P+)!V̦ H| SǭH=hQ4n"ܻ3+4`8J֧|7M*l]&qNQupM4pxt#oKMiO2<ɵ(CLE7H521kz4f][-NnST`Ooo?O$@H9*UnkI?.[y 6bn 4jTNu.p跌vuI(ĵ#dBfzS1$!~13ͭc5(Pr~u3rxbUI$i!F,+}"_Zri$k*ènNFGd"Ě69hQ/ -aF:ӘInuVnnuMlEQ0;: T`Gm\V3o㢗efط wԔ"}AgN$9[j#?@?"rLƐAa.bs۳wk1$ Ge[ Q1[lr8 k]^Ad\U TJ͸kڨg 6{;*Y>EJc[)3%ˠ$yԋSv垏Swfn͓r8NUaӗ{D V)P>_RֻȐA&XL60yk_rC@bjupLs7{3T\ Qg$U%IPxtK A"k h۹ 0YC 2+LbNCOr;ocj Ղ&ȱ)J9co"w#*YO zѿ.mw-beV7[悬"LUAJ#/VMUO%%u |܅9A[db0 J/w&]}k^is@CZ 8dSGi ӓb)`:RR jqxpe!i4aB-S9Sݭ`0 _ PeDfn\du&%E3%ǩz>dUa!bn}uCS@8t)skwCęp!goM[,ű:$9*m}LF1.-;#x|!~1@Db-q.K2rr howA[V7lbvcQ@9Uc#]HFkZ" !gSd$;/A@R2{ٵZ Plyǎ~kq5ɞQ/{iAB!?<6V@jQd^)ۇڻZ-O{hFgrΜ8(G$W@ TZ+(1 ZILLqG`Rm)iqAkSX3ʀ"(,W2X*T$N(0o8J!?fQ>2ңIœG#?5/˺G J(ϽU; (-q;&NDbv U 4qD]&?d&Yz嫸p 8iEw1-d;r- ~wh"ֹIϬܐԙcX#euZcㇰނ!I8s`Y׶t:̝(2` ztc4l;yNiBZ Ireo?Mm'O\E$dBb,Uéfy37T%Z$c,\* WQ7mNtTRG,Mg tBWBYGiPBfyއQ _'*{4vcPxY#oݛLPG>wY٭ N{ q3>1µK귶|'#u fcgˎ= \ iUW-@{+fX#l߯pkrʕʙ)lѤвsar e3}nw,bD8P Y}v p'GS#N[qhA5qT?˧Q.Hi7uIӘPm/Ɓr1PCSjB0_5O6Eq%BI$%UΨvQf7Ka d,@%FzŏAbfF8Hha B) $dv4"!7kf3F`XH@nޢ mϸQږǽCYP|Hkn1q%'Z_1{!XvHFRhq2^U 졀e 8"L~*1>î!lnhI9<;>C堀޼@jS ( + &Y%I; UkXRfrsM6aմ5M$%hNz*z:/\Z(&QZ_(+PUL;< Թq %.H5 jĽ$D,!@*52U^Oˡs?r1? A;!~_ Nz L x5a$Q,mN\2wFW̡ܽ,qLf6@"aaRL6K0vjD6 qJs)+0|9 +~=b0#tjƗn6{Z_߿rFʰ{7/ӉKtRzҙM"Cs1&tD(ⶸࡎg\Ó>JDO׻K|ܖiMlK00>y=,G!{xZn4Q-m8h*ڝ_aG5ѭxloՙLBK@=f.\)^ǹ1$ [9hfYuDCV̓/[-N^ ͯb/mki:hQ/u*3RQO !Ӈ Ș 5M$R) .i2Lš.@gbf\),ndPY b>1ާRk?i0;8bu:[ pV0n@L%!`KE6g"+BZ 66/&ANxOoi\lH9 mM~N>֏Y68̬#s^7QC{ %bqSFD$@+/̂wuro῔|;ΞؼD7- 4"_1,?=gyII+ -DvW¢`q B%x9vbB( mxE3y-kh7wjiL049Ydl[Ӣ^$OҐŧm)Y 1Ja>jFRj gR@0g"jVG>WMfu1I<#l՘GY %MT-üp<ԣ8ҾOV|y k#=GhܸG /=h[S 861if o}!EaOncʰkYÄtcHKn?9< wyQ *EuDVLEiчp10Bӳ)N/QZ1s5*3Y>G0nB4FwTl.CnJj|KFt\W8}ʮ6|e3$C849i~VGu[}!I{uG3s0&jjo-[ Ot& ;r7[Pdï߳\ KL;xz ϔ=xpZ#I|4,"کODÌT0~W~"kDne0ְ?K&TAdNJ(<ٺc!>{"Ÿq=K5>e6VB6loTw9mS_;t2gQ qdEsYEލ[nDP<ʅ$VHJMu1G'+=a--p$-4'kj;GƅJ͝L{Z&nSK z_QSiD"qlK֯.TYRX?ԘGp8K"D7qB,iV~US/%B!d4 hH@w[Lw& =~)o]od l= $Q$8Ȃ?9 ,sw 󕱩3:=@n9^&K}mukh`+]bHYM4e1>yHD'Lm&5=M> {3lif(E0K7ݖnVG{)z/v;uj Jt]Uxu)H{RD?V60`pS+C6qxW6k9>74aΦ1k%W78.7?"*E/:^ԁ?LQRTINѡ-f/u<'[g;{\ 4Hl*zխ)NP}̾ COפb`K#,x9(?Qr9չd 6V s"=9BoQnǽX5!\B')*X.IJ(D=6y}m5N]EǹNm#噺"~ga5`s]#"2ÊiQ4e(hVJ-\6RͫJ3-WAm.ZݽOYJb?LuRchįnk7R|Ggo|HIk4LDLns@GDkFNͷH$ωB~b~WM+Itk\ "Хsf]cͅw (m<.N!6 R԰ˡ?lh@30O+>ԑDF`5ѮGj߀6e")_3 =ʹ7yqhd${o E!WO!\dրԢ(9`qQ)9&(b};J+1 i|\ǭ'6DP**{I,r4S~m_k ,%ȳ|)l:iQTl[nۓY-A菎  \LAkry+NLɇ=iYGX{=ݠæ;]cPw=vU#N$"ŸUalT@5- Sw XV(۸|>*ZZŕ? $WC"7|%@yķ'>F!s.dF|Uo?SF :)$|]4DĒ`JN>RߎFqpFrߕzψ3T9 #`g wV0Icq}ɬk<9W)InZi)90ȹW)xwl9B W=j8ԷaXRs;V$R䜮$3xؿTB,e$V,H!ƋeC\0 &hP:IT# uDAWY>8 cEl4no`ǠS7K{}ۄ*̗67M7z]cԐO OUɽF0EYq5#8JI-OZ^C =}G` 3lҨ~F Ǘh …?p+zI=l;@N*#Dc0:S%"9;ekC{dEHXFcO:x]L>OTQ{DVZlVz;gk=Ŭ.ĕ|umу0B&I_麌@CcGClFމ,^хs|IL ˏ })g17'a"Ⅻ,tm{HQYQ,B2ݷ:R,q~ "Yu3v?/'",k:|x}s[$ ZvK26 oaݲ)d!Ń4<|6-gϴ;d$x5JXZD@|bй8z ETJ+M~'=Y/S۲*gbr*(GZM$HʻL*,@@wDY26%Pkoۭ$RyI!wUd6aPmS%29(F-;9t- 1.ݪo ,);}@Dr ̵{RenvsiʛNۋJS!3FTnՕEY8F P~j㓣reL;; PUzĿYE]B+j+XDxXI%BcYRS@W<&-/ L#Mz$eNBIzԵ&ghip 6vD])4_4!>%=0x[*ia bx?_C}KkꇺKv$( PZ -Nu<J1ĜBXS*2%fHFnU 1} R5Yx=">|a|{/'d{6< :gnn5(0JkN Ly e@Hlc95?7@8 WY8HLA;ྃΩ pkg&G|`p[Z CA};:+eDTJ2%fo+*r^|FH;dr X.j33 ԣ ! #M Wm}O |jr`zNCT<^75cvϸd.!M>&!ƉG*2 88;b77{@==h76jӵv7tM1%,8Uz5--LA6I_:Buܗ dR;ut w>zOƌς߃~VK=G,"_nZhd'X#)ȷܙ_PS/ā샟gaٞ74UmfVMKULAG:ȇa9lZ3zUݰaMG/f-gљkK} CC)eni[YߎjbLPmOO$h$A2JNK2b'Mhn]_ᦐDW ppC;QG2\6am`֦{YI〖U d2ol!-nlA=$GoS;A$wfɽƒGrG\tS؞,GNp~q9mm5x>UT/$u/DĚwؼ~kPzD,Jbٞ_Pƃ o_uMB$nn [Q9Hv[wC0]X68=mOv}xTps8%šZ&PK MMBQ{Pġ^iM%KLeFOj^]tX^c:}$5%:ЮK-nqR>Z1 (B5 o~e+ v**%&F\⼜9vaݸ)_ Η4P* [G!W[Wpb :KnN=ڢ$\O8c:fҨGãͤ?84W_]_vmv.С$@^Ґm;XZcS΄|Z4iMNdUdoWwhf >ڟ6Ԟ GC QXi@e'}hr%?WʻF4V,zt!MQf sO;|. `"ћv-$Dq_s \nVϗ3ʍm|ekYf3|@_ݳ)gd4/&+a1V~r[3Z[)ʨ'mpzy bbbŵ5PUkz]-Ie8D ')%aI.yDc.+31PN\X˚d{삧#Zb "#v{4ʻ ! Px1衬k^N}FMpvBQp:w%ŪcZ%7B3غMIx$WRe ;h*q{nW.%q˴ܹ]M 9]R6Wĺ=%VqEoyAdf^dJ4l(6D"rAY1Vnmld4wAP([-{Ms)XAF6L=}Ek q?kAm]k,̕MY[ a *2H -QQZ@!_S(H,: \Iy}RDg5%fWS7_wSSOR2_1u= ]?(1Tm` ܼł -ƫX87AVE=U><叺掜P.nt<]-)3& 4b3 IN(֍|7R( cq"+YZV^^Zyȶ!< ;izaGGScޮrCm?#i'Ck⬛lB~Q-/$W$_󛜌~P}AEْ_gX Ѷ ̉f |j80 ŇKxh<܍Ld '܏ ḿ`癛8$m֓:"+xv)d`RkۗrU}a(_Wn;(6g<\+ ܔZC0s'!Et1;|08ݸapQ87DWߠf$ZȣRD~C}w2 \"]_!Bp4F6oج,8_?&w~ ʦK : G [&[ZQ̷RQP$TAKEV"ӨQҩ%)0~Uމ2 e(OYFM[ɕb̈́m"DDͳ532CPCrm\ݵп';˴[ǹYMOw L(SMIig,iThnxM.>} J$-ɸN_WU;CWNV`F.Y"BI02#UbGnֆZ@Qu=xw29]aOTd^4/7U{j/~S"ɮ*]0[? {H"7+uGR`͏6;vM"8({ѱo:+Av}Bh, TKIxJ*Ƿ44hg$>C8H_e1+lV)QmZeQ㖈VƏtjM7cTH_>奟/<)7 <yft :9 K&9{.N[e.GWe.=(qɎ7+:㓫 .W lm eM#b12Vu}im ۑ˰5ꑦP@XK67AIv» ܕ7wXMMuT屨Tѯ'Ux.>wZ)^SikD`5(֥}t,nD`ZTc SC|zTH#D;:Ԭ3E (QNx(`˕)UcYDB*s9tמrf$&KsՔHowZV'V QPóp)lOμvT6A??J.Ş4&.z;xZv$72wǸC^n[ 9M0gVrrnK^zݫkşe yC%=FCh,5ﭽǗR8X⥎.goDI;bvȘ$@?~cC6tx= I n\R膨 RI~DCbr'bclmrBh~u4~(d9)a2m(Yt4c Rai0^XoiyH$2ߜoΠǏ?BA7>m OEoTY(08X[I}(kReж]̟[G劸y{ޑKa N(!&η1D# +:huK*әP%{QW2_x*(VP,!BԂ&`[,)xem\KjQ M`?#ŕVhyf6/a,3Nhw񒁵!ssz9 LHBZ\`\|0Cr?DpѧFcsot /rdPG:$u ?R> c5!ɃLZzFSI3]5K8 cvp3s,yE*Z&+k<'JD6-kD5Ns}5,D 亽SٛOp|9eU m=PcJ'jR/4T壽Jq_Vg3vҩ):A":09wnEcq0>] 4}S Cz6j^hc̎{P- :2g Xv%JI=v$ |*I}@o6oD3 |R{#f?MY}f5>dOM |S##%(P9dWA8 2"Z1mVy;ƅp {үNszO' 3\A̒gO^R7AFbdpXs8.fuܝ;}jh$$ ,–a#}iWVAPu)UnY쥒 u N+%A$"uK]MZzǫkdR\L\d+W( +x _pKDMXp%])d0wrs0\" 1YGj ݖ3'L.J>343ʄ gفx]¾d]duɪy>euV-L z-aztxs,D膉5t*7vKY Ntvʲ y7`#_xL觛M(!d)_w(4n_T3O=^q~{^c‰JL+iڱ]^V*}RNU H9x}H+.gwU2z'~(XSI<ط{l$`pLGZ/>6 rҮ%!4%uP.U.قc*j*Q~cɵ"Q3Wky|?0eH&yxs x?()j(_!euw\evq{oGቢ8QA;ҮiR U e]7H .?C]}YO510nvDy Ń6]~)1c5x;,Xwq]DuxC-y7Jfw b11pk$+"1 \&fW={q}6Ra-3{UdƁH؝@zOZ{ φp=}f#A'Ș͉v1c^,|~@9*L^xT'oqc9J6OhkDa;=(W}ֆ,GٖH'[,??CY~Glv t@=h*=#ZĹpҪ>9vF 0R^}f(l 2My2y>4(Dv$˴&VsHbi,Yw֘;ZFuɯ16SumSsY̻BցSVbKyc}2,5* =Z X-9ȤSg5A{eӡVtECիEjk8r z&rf{s9ϤiyU[xͳy2&/FҵUWUXn!vjWzdeI!aGp q7@j6 M{0A[OT]MD[)ssf=LG#g|c^sg3Y48x-J{[@ޔ^Br /nYvE㐑;1}(J5$=`YUTI#Kx.JǓwϘ'7v69['s1;`4Y-3*P*JR Pm%J9GY\J2LBζmXᦷ{LNJأMa*m$֚KTbįզnNevvwJUT'r[K]Y OQL tvlSw]"#/c6y sD[#mQށ,E[GCއurs%yv[FX&汙$(Ar8IB'>-K' K"6T!K,\E ns3K-ΫJY q7ӻ'fzA]C̓+Ef6<%<r'Rcv.%+y#4F4PbZ,BIi:x!B(z ;)ⳟP RufoIRCIݶk9D v_ 0j$?n~#{W atktMTEԝm9 Q L7oKt@U9얗853;}5k%~DXf܂m;ٙm5A#{W0i /D>pc+;sL$%hY|j'XbzHNTA4l8yhj-g!|&"ЧIyϗiu`(ryI.*\\VQ-@/0R][_,P[)yeʁ{B{$S%z#ÓV/dT|&V*/ ~xҐwB0[Z6ozB[7 "bOk7[%8&&#dlJj@9 x᪊75F2W`5vǑ2.) W̸s>hs B=c&Bހ~`=y< +[˖v)Wp<䖸XիTf`5N"IcR;ʫ:snlG+2ցd5 /GH\ɊEu ]N5M~]u"Q`𳌸_ԲeT0A*~?sGUy*m DƪۓV˪aZPq:=-oѰϲeLa4`9TH,c 5x˜{|khtM}!qdWTH|VvC܄Kq<%yA/-v|@m9Oi\bS,%0G_@םCf7I<܍~,m?ũu3L)Ԡ$ANɮC /A+zH`Z5n>N9EG X[94|Ǔ.; G "_[|Pxz@W|۲D q,#~rŶ%%D[Bu.4Aa+e3ey+dE?t!O~·a`x36mGBߛs\jt7גؗV@>GT>87fKmJWn"\%R &=lX٘K)˰Wmg" OO =rrejeQRF2gTSŐtɠzWT$Nnm&ыa'ܷHFPPFk \.7W$Jmmۚ)2$so D!yQnk^}-k9~LsU,F#q)?\[2%G =pջ%uˆqO]-n2ZL (_%gay +/s;ٞ?\ W9 p\;OWv]ZgEk ^T{0g*2Y seۼKc16anGċ[>_Hn'{pDgR8C#ZwKdvIvy`Vam]ȁ1IDT2]a˱!o[p"nwEi|m~) #|G% KIM5g/y#*Q2y2}&h W(jT5>֚X~`FU,.iZڛяk2a ؃#CPaCvt 6Vǵ3U/`ǷSU:bq"TaH̠6\eKm1z߸7Mu[iH1A}]{՝F$C xgޡ3.ώ(~^eu@ Q[Bs|$װ6g{7>axL4֛_bbǞze$B+04eTXSrO3MMӂ)"Pd.^h9ihm$CϚx˓ͪ܄N\*c}v*M8mq ,-׍Dl`%΄Ƽܰ(W,B"$/̈́`X G΅?zFTBg!5Y'Z&S1RbetA*bV.W{``$%jgҾk*Esp8(ȿq:p#4W,1pƏg ޢ~)vk7k)O(n&~>#'5]+K('kXa:{49$§wªRdAp\4U|)sKJwg(y\c{Aַ $4%i|#ϛf tz. ,!S6Q$lTqXj @2sga9a @08xdv"uHw :m4+Se?@#_0P:4kKKr`="Əs1D2%?r!Ϡ yt!m5Bu +.4'M,̈!%2WɊpvcK5fU@W4%W[ ӟ.+(Xգ0V$JIHQIyq6y%(=KH۳8ؚ i땵b}_%%M(?,^ХԳ4`)t|ZX1iy!7*d܃ 㺰y mGR`g@M "|sPI E*rFLtaڻT}9䚫bB73vب' `^>7!hYpl t]9?Nߖ7g:7Z@rEonJ:R=kbL mAQ1PqEB|l}.9Q$\cq-GW& v1kpH~W\jٛKH}c"jg@/-@8 Nh 5+*ݖLO'~R/d? {3!&ZY ":uDR қWzi>ڊܮ&'(_bDL>y,mOWViD%o?Pc& lT^kII 19)H4 ( RFRr"\nEnE,ӋGXbg t!iۣ)Ұí'_ަ;|(N j)YYaUw\nI[(rsG+ ,a?l*E2zmp+vUӞ w*JҨ/;YY'締ۺ!2F1kp7RK#Ub@Xϓhn4>0H0l{xGIԿNb)Zju=!~KQR?͢;nǮk`unMp&MI`v WFl")GrVCͯ`'6 CY@ MӗTSp:3 sju18n {,ԔGz~ƍ hg o>07z汷kX> ?,TVI xSb3N֤ 'uHV6 p"_llEeg$EWK)S %!; XOC%)YGtMd}J虑os,kWPDTqcTntZV"mUEq+y3}6WHSW{AJ@)m=),K0h5Z FA".N0.=s?|Rpc&9Mhݢ[̩|iVG> $G7`-wUim{,tvCj zUM7@]cܪ<-.v9&>t:Q)SR+Y[>P{ 8vx(|w`o*x/1ۏ-imHxÿ|_Z G,E5 ft8y4}Wk<HF萱zBVޅ_(DDC;&`+_V2+d}Xi!N]6}5@ hDKhʮd;4ۈx Cd]Go"ZD9"[R>{̄`mZ3z\|Naa:V&-e3y1)d}KL]N՗bvm 0G E쟬 n3pG&E2V̄ SHDC=ңLJU%A0ܛoq(x}Ll ?]u~600l:?ߖ3K@x3YJz"09 w'{@.#jKc&t1h"9{'4;FX悶v)~쑫Qa삁}E< N43Ek@z¾)j-VWvHY%mrKPؔPVEx  ޏa=2-~mo196){ⰱF w|ȩ)Nѫ`,Dˎ-ŰCAm%Xb^^XAJ i X@xEgW7oȮx,H7p@H TE蒰֌%IB61F:_B狐 1HT)^X49i^rE`^ *,?@Dr^Ƥ<0 b yF'l4E iZvP0Wi%`ԢnC8_"@O{e%n\!ZSh#ZQ$m^_ *V RmpX`ϟzl2 H%C:映EMέ29C{@|`!m2;|B#U$tݔ+)/5 º ]JUV%0-D5 ť݃Dsn-P׃}n-(D_S`U/mTcrӗ!ڀƜNXY8?s{q>q5\[ϔkbN/M"~K#bȝLhh>4r,TːE2 r|DX' X\ Pp%s$[436ÍD!q=qI8f "<PKC]_.|V#Ň rEuJrTrID6:O[@nZG+&q8jgQ^™lMgP/ }m=YFs#1t::ֿ7^wCT#W ū[ɛ,ʛEڮ2\vmsL 6xtHE!tj8xKݕɡݮM+]+-SzrܽB@/j˭6PA F͋tnI>dD"ǜRAe; 6&ZfgX4EuUy&܎ ' 턦s1TڣaY>$ak=$?S1d81jEtjC'v >w^F?&o];:iz&};^`U*y:P=)n@#0ݗki8T)Bw Q#>Z鿫WTqIT~ iG-bSH*RJ2`Du@5R6g"og2na%* P '<65[.pÆ4:8ac]c,~ѱSCƖшsޮ?g[gf!re}FO?u/Oe a) nӭL8FxRI(Fٰh8` ȷ xt̟ByÛ<ݒj;EaSG풽tbKI_>dήQ_ntVL|!a$35p-]o4?*>SyӿhU#ʭ"Qs") E wb,,ırS\$$O$MlEU{>6TLB>{\$͓Zk9BiǯO}+.H*9mG9e4ewIqmG4uTQT*v2kᛝK}BWi4{%2V`]ơHEGDGX= Y.<}s$Sy\@Ms8D*:Nh#e3 ٚP1])bК|ʥB}{9״-A;#>>>k ױ`5b?!"'.8|rJ8[(;@F& sG%UqwE\+rVZeR7: /H8G=ma|DĚܨS+=h> _10CcHuz4_l&DIEM. [V1nsrWҮC]=;i׿=1d=9/Ls[ף*2oRpM&-6kU]QȫYk_VQg`>)nr!ӎ رm\i}?{UFlM VB=Mq/خ< `dT4Jn0Gfn Tq4oTu_L0b9بIKie⏞ıF tcx{^Anļ;,D$oF-v*#W5_|کA\j ~5rsN,4?yCQddQ5ŕE shSJǞ.CXiUXe7{6ė}FI`枬k|ܞt1jJȓ ˊ{T~ mY>@+MÀSͫU [E5cn>RZQb %y9}jesOﴠpES!D(=Fq-Nnz8AώĤs+LS~`?04N%?Rs˲v+ DMmԉjaxK4D7juAC'DE؛fWG9>՗T&&Z׌m2`A"⍌y +-xƉ5\jdGZ7aGDgx5RÒ"yu}F=41 JE.dh=-GXdӀg_S%|4N02c:mrumTu݊oy&adðܜ F!bҴHk|eԚ 宲E#6:\c~3ėGZ=C=x7WE}C}'Pi]Զ,1K0FCtLlD+|%`NlU_A,M'vWf9 iUQj.qߺ ᝢ[Z-=)KNme@e[qM6">#j?N{&rYC0p98Y$5$d[ ReFAP;\@?*J rm@|0=AZRx`7yGڋGoޯ=ꧯoEմZMNvyfOp,bZkP{ѫ$pD/1C @SMpM:V"==s/8Im/k>+wI+3 >7a ݹW."@ځg7}BX;{f~4G=mLj,AHދmq0L~rA7Wc*_e~ș7Y^RےNU'TPrWٙ<Խ(߭"Z8V+݌uŧUZdr*1k2V{l6Okj:WL1ο;n6^ VE߆Dy)s8{k[[BgnXц'1|PN2{J ^_lǏ<%Wmh.0b Oo&)ɮM}‰qPIu^32j~C@w cG;nq_n~U֍p^ԙiϚ-1jdD Yp&(^πSʄT:|66/-f(; c)g&UQj* _ZPVvE4ς|3 '8K tf?,.f һ$H?V[TF<愭 Z2pAl1ޘ>G;bo[l^\ӯ~01VNv ð]D$PTT 9B%ǗnəŋЁ?=ۻfA7&nY0tqeO:KԆnf7d{T 9,$)h]*u0!l-;/l4y7k y>!]+gl iHg U[H(&e qb9|~ى-NlG&C3i{FC8Ff4'3TI7y]z!~wb@^p9k2m= ds2IR] 0t28ݨw*^!>ɪw"A?U%{,Kk=BdbJ>1Tp/WOV?a 3$0t f|4r~ x=D_y)dn,G u x,ΫR\ἂc"?T:GKA'R(eD|tâ+T`$!Ajz;h A:xS%S =o= g!}~Oɶ,hMZ /c|GʷG=xp$mHdQ>?nd[]Q=v&Z*Kאi?hw?=pRgBN., Z~A=l }DE^nQU2fD vXLR7Sݢ x9q#aJkvQ*l< jQB+QØ#r/XaC|;U#6BI~Tmh3I `<*9=KpqI ;臱~o`cTq`0! wOl޼|%PHJOЯ=IؐM1!L`)mIO^M󂞛x9_XzϩKғ5k^tZ[j&RR4CKpV"RNo=FQ]_ 7K whOT'J\sD`=E /'vׄFz:tŴcgx uvw""7mv"}TkJ\9 .AIMI\Pr^Iv-W%;tYAsG3-ApQ88FiτՔO0M;S#2 c"dpzK4Q(KTw(n(;TJsE9 a<9TmUigB@Y'{_5jj ӛfm<`=%.~P(D'*yU:f$ڝM }`sFc7&x;u6!C) E`>t;td `n]$uyJ}0ld3̢cF\l:ٝ b&0~^H,Ŭ ڰÄ_@źz9wMֹBbiBrw <c4wr@Z+1q!_V`[u+`sʼ_ʯ<,7tK?[P Ńb? jL{(~z%H aLXd|ץX%F&7~``{"ǝ4>\Rl ¼Do͆+T%PLjGgc0;PDn4re^*-ш-&FĸrB; `ȅ>,&e`'qX2OٙwD #.$#zs}Y3ͩ mt-F޴ 9AQZ26'I-f虣b&ZOx/M?`oH賦l YS-ʆ4,0q{1h9$⃇.&_W>NaN#,TZ!Û rv}hn<@MyiFo:~Q$%λ)ߚ๵Y!AVɀQz'ᴁ@"K3 -ϮBj A'Y\Z}0s?gCJLX$0NPx+9&9DZv/͋+ZD57M71R+'m+PZAz+jp)K=r~ L=[^(5+Gv8=Dՠ`:է+rRfĚI8J[t7h@_j8sB2qm,YCch%ֿ!M݂- Fv$_:Nrw{b.YK&X)}=/*D! +S}| xL/S 'Br8laO&N!qq&RVqlv}%c66uKUf`vhcQjl z|qgdD.TՔ7ڼ\P'0ߠy7<&61xSJBhz_NmܺLnp=b(Aݮ_wRW]O`{X{#\R<QZ^*{%i˫۠Wd:r^X%?32mlY#pT+_oY2+ % 3vWXMEμ1D,k]ʏƶzW>AojwF_3Tu:kbmU@M$ѻ$xy^LFх4%8{ F׏Mb䦒e$s}i$NaTw\X*q_ ,rxӉiVaX_\KF=3 Y7ke?!_qBPl-޵D~(85 f]kIk`zr@"HU1\MSTǠM1!lMxM>Έ76dWi+tfhӡtrBAjhQ;(Py>Rk8cr}//`^Y)2Q-)ןo ܼ'n *E>F-."[E\%8r ucIf^A|y? =V gl H P)D$ݔ ,&c'*pU5^Lb4:kExuǘ/CիTr,2\&:Id4rPCWs,O,*\߳"Yri!ۊ '`76(mb>J4)>@9}2D7[Re$K˰{gaP?x ,t L틶.Vޏ/'\ǡT4IW)a;RE|?y¶Ƅ/l{ / ^ w''w:Yq +gYR\XZGܸc3B>muMX|UtTcED0]+I0+rԁX"+{avd1Hθ}xNmiv~v*N 覝"Ƞ I@jTo#k}.T^KTTGt6'#27C޼8҈x[Pq3 pyǜy镽$7t @͜8&soL]VW1/M Hؠ:P݀gCP5XGe!+$V̲-<|U@<nT,*Z Eij&; ' Kԃ/cnT1ש@i|CQd7)pDR QU!7FDهǰsxQSC}ʼn#o.o!"igN̼Y0wRoz]1 zݖ(0 t@m?UG_% ya].QNli81ܲT3zmU .aLHҠa:YyG2AA(Sh~t]:˩#Î};b\'ǃe0Q$yf +ث_3mH؁ 1,?OS't-NvS"%f[ n&wYɽ#;~{Dof#xk4e1ԙ>jy]8efv pky F8/G;~WXGqi r9>8O{ KV"겷R"̓\QVB!|醵-RО1>yqf!W32d'^,5~_yY^N喊uGcݎ3bfXv ogP\ j~!=#jةT n_I:;R@}4`X)\U~!Ɉ&Ůx"U!V(d|[}`({^}!Ό):`>yλR-*fW)k,'(,욚7'oĆ["?QHuB4i^-ݮNbŊ.XR/3h;%Hv hN ).pQgAAjDNu>Vpi(v=wN1g*N/,NDat5UBuQ/P MrmjOrʕk -{100ϒ 2~B&Q2m7_bKMtr#y M5$C2%e:#hX j%,RSrδ8T h-ƬL [vXhOxMS&Y~.ElJLcr~?y+-ky*(&N8 7/j`9^9Ǿ3g=̑^l ["_,9txR~[dAMqVF ˹FbDr F+Rni|9xwۓ(B78ہl._K/-q_Ps}o5+Ht9]߷vcGȣeo#|mHk A5ɓXᆼUfLlRUN")}5&En/?|կm¥>qٞWM\`62GZH X鷗tXڦKX\n  B^ K] ȼ {m 6 ctRq6l {{pVo9CFFkx4*64=63>gU]VX-ڑKErJkXѱ{c2}.&#^5aW9U8G/f _ ANMxb Z5_b33l+9TLyAEoJ!OY:O]ʘ=ES Iw|M~E+ xLk39_.T;KYҐazL~^n.Ľ^{cߚtB'DVKL/=nZ [+1ZI:uk'ozG5H "koFC Hp(R 5[q=ܟi =Zp` vJiPwkgA(A@)گA+~kW]r3TNMN+9)]r[$8~cUŮ asXEm"jpyMx P=9*yɨEԒx7q# Ɖk8MYF(y^&B'oTJrx#cK*;fzpREXT@&vZugdBGv]b(eȣb NwKۑlY_󸶔!Eo3֏. R3$봭>qS$ns O ϓ@)`3+c#u7#仿a6ڟEabekj+1%\5-Ű>_*9ۡY)*]D}p /.t5TEidnf#b\!Rl-F|Y gM5"dDe,b%rl9S[Lx;+Jר.=ȉHja468 UESa ydKFi4HrxH-)yԼCKrb$ut;^\[O {k9 Vk{|pSXDli0@k%&V'˱/VhڕD'7[vs`ro^(?Ov*⾌b$ 8q(@iM{:MBR֐ϩ{`,Io*bBkBKcPgv gγ;p^%l*5CH 32積<\ԥ3DQ 1J&:=-8q) oD5-1+J']"NcnkuYӌuICz ˴S\U!z|CY#j]{du} }A Rj$pdGjj[*dկtM-G;njvY?8߶II]ix4z\@koʔ89QYgྦྷoB]w-̥G/ AV4ZkH"+ee፻"-dr#z> aD2[L q^]1:-lL3k tW|f 2|4Wo c8RqСrKhz6td.aA֍2z +G;-{a2r.Қ0xu% Meg8qA7rVg1 ߘ;X7Wޙ*-bdz%,YJt>15h7/i jq?8ZPJވ=zU |GdowH\rWrN#ZYzD%W X6 9 zfEQF3%;7޹+Wޅ=rs*#ÓvfeHr+OYIT~y/Tp-ta,c gݤſ^! Dz|L$IVLAl"5~*kݙ9FCpڹ$bhuؒp8HD Vu@$#Q~Xũ͏|QnHbhhq$7$yPkjc}/m)'@K1 m1;-x؈Ar"2~PBufH)Z|9ʘYٿ1Q~`o*}`" e-?Eg>ϒAb)Ayi6z̍`PJE›zփA'>u#8P1Rɚ׹\ Ĵ'Y4s֘6(:/롗sϵk\q5{D, 54 6 8MȡJ!gcZ):MDOᕳy1-j@2\yɳ5Ƞ;VRYUxrZj¸FR _jV%ж<{?l+HEKI߯' #Z!tUE"^xOlI]gI9\VXՏvFя;fF_\c>2hXmX J<\?lCtLrzI^J~ZXX>,Sa1rĥde9d␿KRMO\.v8;Zpҗj`FP`KBY(ԺfV*'R~3jL8l?\:Z2 2Fxm[FohzeE[* g,֊g[jvO:.%7Ec}Q&#iudl={ Dmbl"|kHc ߴƟ!^-$L)"cCG=8܎c[i@X…zz~qN9֬&D rX!Us"ԽX =&N^͔^8!/XY_[8BvGqLe PH V,#7<ײ9o/`wJ#z5nbFhшDmƬ'R*8-B2yrB7b Cģ{1g6Z%q7?CP Ʊ]@* u#b|O>~`d? ƉኔxY{Qp8t ^ipͅ Ѣ=3΀q!00e(z ‡ ̳dZf!,,rC+WbX yjlmLN>'~uF7\ 릩3ㆇ0*} 7қ,42 OitxQgfx?gf>r<״9gkgX@tY`j*gC֚-bSb(..ިuqt_J]UvG?D4'G <GZq\ w4G!S`m!8io24,INq ~#I,={I)욼't lpN׌;scxJ9 RW#)[-v}Lh4sȏBxȇŤf ʖjfri+J&c$H=6Z$&th)`zaGyʠ͛uJ\0 7 - Pͼ-a SaRK7*>V]$Ӌg=&q>9ZG44ۤCi=I/Em%a3ű{64X)U G7JDtބ>>/0x|Z~ `]U«[ίվҷu.P+0m T6{psiT Oq̧'E"X#:UvuhhoϠ5{ L@ 9X(&wGw85ё u)5~ȲvK`GKMfe&t0N߇DVC[h۪"Wf6/Jbl򴑑eHcyXsmc9D,QK z '$h,>+"w;t~!4CÂ1^h#\{,Z4;Qi]W&Jx0+dqqߘ>4`Ć"3,o0pta3s7Y/ry&˞G'w1HOX^h먀jV5'vFx}7C`oFÛu?Ħs!?f>̠^HK&s%b֤?`0$|"|W پ;5, aԓvF]31QuÂw+\E|X뾌>eR$ڟO ^Hւ }AUygYo^d\ =@͑*McXeb[5k;4¯ZW18\e .RGm"Vi06qߵ MFbnW{"Os~kGʻ,sȖ܁\ ( "\H_ L v !P\CE 8z|S,}ic>Khjd@t ;:`Fօ6u0-|dlPXlCC]lzLyij)'ɑ "(SxL[mUj#H:-^}@Qyz g(EoB\tQ|k{X1l:ط?-<Ri>'MzM?tv(9um E'[17:?|_B U[E|jjPI`pKZAnMbf)#FMy\ƈhk(>CD ڢh8L, =|z%d?jX. SvC'>no W", F1`ROv@܏QoHM!1?y;[{͡'4(;tAQYi ovO!$P]^@-iOK5$-zs}aL 0%rÌ:n4~TyӤ-?]~y0 x2Q2<=^̪7խ-!f"]p)-Kk7p(ҕF lݡ~ yWp ,mGAh)Lx*P.-N NJ[jr# g Ъ hKd!1wm%s5 Z;0od,UiEqbɶ>Gzv]|i֖a"CHXa( +8XSE)$^[Mj+h7zŨ8{IJO`@7wWF)CUO?h:f ,sDS؝+l5 ݠ'OWgrb u0 ugzB]m3B5#4#N fn^Z5NR\5B'{dŢb1Ŀ&Gɩ\+, Wp ]}]DUR.×rB+UFm,F&}5e\uADX!<RaݒwG_Ƀ&ߗH+ɥ  #n%iƺf3{a<ח `qS?v%Q#lpO"Lz[+EsAڋ\ !{Hhz%|" I֝2ԋ? U +k-SOB,.*p420Fw۬ueZJÜ!Oj$xC;TiKլD5šCl/?/uh+Qa#BCwz dMum={|+0N_ʥO>;1;$iRL;jWM/Nʑc= ndYv)=zW%xHS%V$Ӊ{|Vafܐ ^DxMSWn7xsD;2L>-6/`DIƂD%;x|ޘ\_@;9F9za˽ʏpkӾaV)&BO!u3r; ,~giYzu=&?Icy5{Y|B$«Ak3ӿMWJֶWBHim01>irg5H G'1qY51 NBe迒x )e*R[jrcb *Q: EҺjYt# &5BPư?|I3  }Vj"Ҫ //*]z^W,Q2X)_u9 fb3t#[WgۍFp7f/-(u1eI2]V.X3^ 8ް*Y]I. $^d#Q52D|q9D8/E+ip쮎an_-%%q _r[?^܇6< zU& %uڧlaeԀmT >Dzuɋ Q|7|+@ YV)!W Χ8)/OZ 2]^#$ۀ8/$cL\AGOxω=<^*BQfHO.i-#uaS߶Hl&~wn{Dd*\oO| -Hhl]w@E%e͕xyS6yvdf#c!,U tcR粡KB nV*%zb:?ƔY 9/3T挭`_@ ~8f,cՆhS=,z+Qs_)C J&{v=,th>;2"ja_QLz}y(+Qw#]p7 ( oe7o6 N1kgX-'cK`wb R!ѱX,Vys-KQ9񀙂˛kmlݍHڔZF Rz@ ]j BōmjH01]W~8'(P"tx1Oeb-g\T9>I-^ۖ}r'@zoᆿE> ):# eu^]$UJ9ť|È#AWgHkr|_u gwK0+ Y[VdJTtW%k{&G:57 c 7Tddv>ؙ#_:+ !w7gAj2hJřM)bKewBaKS.\gKϐ }0ˑ#Fx$HKW:y"a"^+T! )HҬv:s 6 qs_/ȲRag.dU|ⷆ^UMAA8B}Ɔ̥ yhoH2ډk2r҇Qz^\e';rB9M=JѤg2eݙ3kWHESz7<ߏ DRoB; m_| +˪EW%D[ ӖԨ7ظw*ёU8%Q Ql%_8e{+Hȯk}t)pRsdn%Q9#8A)>xA_(mj` =-q L+; ZSN/l+IjGA?_@.q9F'A-lTH{%.njfWpYU8uFf|t1HJ8%,@h)E9p8'2-UBlj; .ϳx$S-a'CJ^J.,I(jЉTxT:z5<Q)ɯ9by74nʌdӉ~`.9bJyB4/'|YDq|ˈ~f}:*S-h_`σO !OL[jX:I)0RޤxABj7?|ӹF.+m{!#w\t7H qݩɼNdTՊ\3ϪJ?v~ؖii$ߎ4K,BPTr4x+hԕm @ӕd̻}6r80~^J ð`|*Y$5~7ihI-x 9uX|&ZTƳ%>!]H@݊F8O8c6B GLE})S>}ȕo[& I5,Nx@ \+H/La#f%,#$D|& T F|ڎlf -; 4R7N}0,īȊʆՖ\zx/m;V!uGwj]@Yb%0;ɩ{|v *je_SW P_Y/pWFZz`;-M1ѩfna Ng -,whTCfa~ 7>h'%h ]+aOkI~],3ʓ)\z Y 4%mq§ݦ\@*p1+ˈ6B+~DknZА9CX9dm%eA5v\ z< J|GƧyngV(;^ ~)zrP pA& 찇u*ʒ\9+6bvNcp0P Q{W51CI*kd7 -xkuK8hùi@jj [n#hqG P㞺4|- ra1aA9HewNТqOY+]i,4#lکs&wGޅ&$r&&<ϗ&)NQ(n_s9#3u&aV$@o KbʑLiي=t3w:htSz(z&ʵݧ:sMպ j(uLGHZYsJx seW1\ɕ² ٟ^̼dⷰI/fT~J??DӡP9g|aM-\F]F gWwl9a N6C[ʬgwҶvϸ{M/M* Xrխ<a9뢍-$HEY,[NaJ 3l8 D\ڹbq|T+\cх]*ۢmM'ex f녕`_~ 6I*' vˡ|!4T XK9qOvy̔`ϲc-ah{%r6h|Ɍ .(~6LX~MԞbIbNOQ}hms~4ϙyY7z1ͷ%$OX8_"wTdcZVpë<[*jlo3 v;zo4]s R 1-zWTBⷮ bA]lC}ӽH:31RL3QxDsIIvnt(^hnW4؛ڎtv0v>.h3ȱGxAFMGr/LlcE5hQJ]̇ڟh=sW"^2oo%Oq*ޛ-=ӝD:%kh%/Mђ  $ƁKzҼdž?=GS(]~Ozi*&rŽ!h؏b3 hA@f6dT.\˿ϔ)OQ ^'C+٠]j*w ciLȠӿ)X%O2USv#vPLRmt cc!ى 7Jay/[c0^֕xJxp]l?l FZ%K5m?t-*Mfӄ4a!QKR tFZNg"*H|v|fɇZGGS,:*7C]'߭ՆUk1A|MQn-V{䣵՛f*71&b {+ᱯUN[tK֭edϲRuFV1K.hҝ2]˓lC{[Ѿ~s}E;'yBo*7E y 낭?Wd &B~iGGak~[e᧪&B]In Ch?}G$**,.q?RnYxك_VXOF:GnxvJH} Fj'5C75|Fŕ0=sYϊ ͫ9+?AOd{&bo9 \B+K FuŒMyp!H!`P\izsY C?Vݫ\'m%z0*啻yz7R(([ |.enjBVT@TinCM1ZzwcAOڣW% 6i: a]XWrEODN;ؚ*6-O[Fw2eIEW*c5!!3b[5*fiR9Z$vIOPA \_DQ : {DWYhqu.\=,=0M?Po̟?1ł emi fʤ6g[ug9*}`ux}u:Ŋ5Ib]*m,iHp ;7VwiEaN~(a;.'/z4CDpP__,-Ɣuwt#+ృدAC%7}+c.\vKK$܍ zi՘(GujU?yaG +ەPHv(]XYWB_%Z$OizK^jV|@=Dہ}%y>tڔ arDm|I}u!aK h V 7SOcE-8LDǟwΆ nj(pKQC[,/p#RqN(9Q4T< ̀<oa~8od័^d f^B&pn)R,:&꧂ Co3+ł7 #DɐE×hCV;w-d5CJ 9;>'3SJ vnS*UbpU tK8[,1j?l Hݲq}za x O+ۺt_8؀kB^ g:*A3ͪl l}I+c6F Xͅ?b^w7@RE);n8j&]닐o@n"QH%Ȅm0 _:T4qQBVŅ0thl9quHX?: t@T5af,<ap fΊ:7hjѤMB0zhKA9$m1,X*1~"yBzd=od!Ojӿ0-r~QLw]< 7nAQG >6wD sd !ZH7 +9f f%C(1͋13]*!y~tM/q/Ht͎1V"d]>rG3umB DQm`&\(mn ۥ\̏FzyX>y1s1n&{,pO%Bʲ%$. }ض_Cјo U PTlcSЃ C\ilmcoʟ'@$77Dy csM=~3KG`mTN/ďCu$HŔ>l㺪)1Hv9?Yx'j vGp+{lV%2 \]L2.GP[j=̝N?Ƿ2hh%Ɵskec0,^^seb@XYb~*Us۸Zj~E_I^] 76i]^p&nK(Is:>-șoka#AM] K\Tx ]tdKh^pO)v)Wj> `ZdpSj(Pe!R%RSuqIjlY>z"- qJsn%-D̮*gJ@ovC DC9nr_Sbyxk7ıCuGP˰|$ƞYV)h1i"k8)T.-HHbEKߥ6)NNt* \X!VMcZ-m_Ef2`MEe[I(\twjO7_=X~ NAZ?BZ(H`x7:u4AxK/F\xfT·8[z&-p?4"wg-QX\AUvw9O4%l'M\b+owoY*ݔ\W.c%cbc'Z 2 %H&MLQ`<&q#wֲ ǻ7!R(&B|*d'fL`}Y UL !=b˟H5g4K NDk =Lfar@,OUKKфqT aZ,Piqu_Kd"!s>kxSj& @JN)JO2֫9ThQtɱૈ`~NAߑ3d)_ќGo2 @Ͳ͹2j(ápt1 7CΖ΃pg릈er(6^x^.,(nA@&F(Ze|CY  *?/l V#/DU$Gp&^1J\Fp{U[\]ͅxJFw̲ŮQ8ed晖rCBB9˶Y^%ˑ@ds+}#:r@YCLMVAyCi/Jp,LFoAfp˲W{p$BR4G6wα88]yPt޳m+l70;PC>ǣM|?d_P&J|d_H/ʢٖ]-Oe41t /pւ\O"S)t #$PC[%ebп}(EDAShdr$|L#6MMLCVҝ_'`'Pσ4'iď#s5)Fk"̒4BjJ+ ]ȮO'ҭV$<M&bw1l A"/r}Lh*j\\3>eA̼KO h&+p.^ A?.yPQqkG?Ngb.ObotF#j@]~+pA5h[Q285ڒGRQFEYPȺࡂ:/Grv_YRda;,e[ɝYK"O I;C+/DR3 .@-ou#w)+52:@ zFU|V*bKr*Vt00beƾO|tTxS`D"M!_&0"'ZoQZ`fywoVAYR,噧uMiWh{5Ra戚_p`n%@ q6 PbE؁ EW>cܼ@7@0k9oȽ+QljY=n z'oP>dBep}0C"+N', Й{P笐l-a{OEY!O $Q9iw05+BKk ֭y**Ip%wyL=軷5)˰O$ }}T[sQ-uè|zƤ0pi7gV0}WğnW֓.A@Sk5S~̍Lft.[ ~<#}`T6^}ۗK嵕8:V&W6Vt,{;$+﯁6$OR)7;33[%pA#Sg!pFm3oQ*ya|s}ƒM-6 Ź}M<񕩪sRa~O%No9{(k6oYB]ia '%еc|J0"YN<6Ҡ eFو)*Am8d*k'3D<曛FM!ɸ{5"pP!nJ]P[ rӎ!Gl'P(;'Ѝ$ SOAjc"S˾{Sr{?24{@HI? bI/ě=4tl.!J`/}2V'`F B| +/*dxygg9Bst|Zt .5dWy ׬|(hۘ&um:)ୀm#RSORQN-fjx#YoTbVG;gn' ,Kp98*,}gxi{*8Үsy{3k}N#]%/k},Yݧ+74[f۱-.m[HޒS{V'3<:R5 GY[Z*rrS(چ#M)eW4_2d>3 e:C3ηuRAXLkNH"$LnbK<h@ֶDA҈heN98۝JQ!7ɾ`5 ܿ̐?.^괪˖3Y;&7v!i☚3o0hm)sNs­*.>1PfM]?ftf#L !?>SӍN{ͻ= d[:ϴC3ﳩEA:DREW'Ք}e cx$A=D}8>y*'Zcփc^l4)+=~#HւXVrRp&tx6LQpsPSb#d##.*٤# ԨU+HymT!Q't܇|h^AfBFg?:p5BL _ce=gE.>߭&4q=i^55=p^ZYD 9b֟B"Z#t1nzl(]ː9d<9_p۫</כPV@*@H~FjȌE~:\$Fњ+Z܊}đc9JS^qH|Dj@jL.f_nWϒʃBZ$GN-m/)'dH MB N{HfJ=.Dw+Qsk%xx}^".ˡ|:JBL saQ+ՙ>pM9b JiVjF\y }ܨXZA// "BEuC,G>~kWDI/0C^<fwoH?m~7ߠ 4vs"8$*A4Bs^ { CNE57 Gx`=4,$ 3 y. &*EP0NOJK8l?slc V*Yy#ƒ Y-|lr^3鼮O9bʹʏ۠%䩌Tbr6\7e=Ćn`^DՈc 8d"naQ;猾XJ>zh!0箨fj8x.9Ođ&?YrG?tkSZQLLyZ_S;PAߩ[YB<8G?G$"О. t+qh_ Ǵ~*gGcNV~m9ljT@rDak4 +iAwʇ9PZJ_Zc6jS>M1D`mnrp /ZGTY,-6~"=3G,09u7`pujIb6y;B:pz:ɔ;*8䜾8 6IJ +$Nb0 5+|% Mf+!KYקCؗg1/F{"$+=vNLv8SσUXbM&xeV{ r W3)3@0aG!5׵ ,o1Ù*[\0N;Pѵ~x珎ݞ$u8 0yv\X_sO!f[q:y pҍ5LΦUACQT.`At?a ޖLmػ;/ج7kǠnÚnl]=tl]R쁊YRȗ7ܡJaًt!4NMh15Z;DMNs3@xM ׍t,s譁6Q8J՜=1 1v-x9 }i38.4mkA3b_|o\zU#moǍ~BUpKLT5HaXS[D ]/wHߓbF~.V(YqG.*Y1nt*Ӳy$<."Scd3f Nh >/W 6\MpMsLY㲙9xrϢ3?! O-eȽL-yZ6(8` 7{Kզu  A#K5೦.+X,L5j;( %r¨}bPiUPbJ: YÕAOgs)+FaUFfֶ\C9 M Ի0nA@`yOHtSi-7Mh-b Ųg1`5m}xK$܉\",Bވ-r}Lf56&F2kpy. - Z~Xdk3G/8v-^6-܈E,x\4ҚD. N177:Vbog) C{ L;޶ B7cE~nWMTʛ-X]g9& :1 dOH`bϥ-GIpnwީR>-8a @y&ێ1F2I-ɼJOԻ0WAsxS%2hIœ 0p#+4+l.N+F!=wcx[f] 9߯cp=gk3"u#IrMC% Zl?ZKhUW(|FS+<37: d~ ] &7O5?g&V3p^=Y#[Jfm*)_% >VVڼb`r8өBBl)Qϼ5o0-HjaPa}txb[|%-ꥱbAuB*雨hy !4*$8#M͇~49)s!46WY/J!@vm1pUuTgez`?ƌq[Alg&+4g6<-2*YTɘI;gxCIS|!h&*fq߻&0|i6zu2*g1C8͢Hr-<]]%p6 cŲ9_Ů7"cꊯ  #Az C>טi*R$2H˧ ].*ԒBtښx.޿`_K-JЄ85xPЩad:"pÛ_% n\ N N開u?wO^a"oΊHUSq(U)W35.]MѾ' F< -Lt0_Cq]TsPRicod2h)hh`4U`+BGJ</Y^WBi%Ie>4^Ŝmp"pZ @YD"T(zu[glBض6c`m*S]Q =ӕl&)Gr\/9׌6Q) `8Fk] ;ׯYz'6a+xbx5ELvbC8@Y.\ .W,VMAFn=CzԸEFW9'2ה}|v.i,8}ݚ l&,R |>)9`lDt6-Qwpot.}ЄE.C 2Vk)RGPkV!6 L4_q֍.qi!~/.ѭ[c!I\Sۥ┕X)VKH 3fC*f5eǰ6^ӧ,OJ/D`X=vvf䞶JGrO0ʱ.fOS^"-28n,5 `lE&f*}B ʚG恽ZoܵZ ˖ :PJM^ddN,w&x\YGf¾t}8rۙ!uUCU>;]6烿=)9E9;PMqx n1bE9qtobh{%u=(&MLlպ:­jS=kX_I.Cc%:0,`E(CQ0]EaT ˆNbo}$oX.ځyRv4`K䢬`a)0̣ r$;nvDz/}/ 1r`,/'bٙ 7H`\ )$Oq QLO6P]lPeZΖF?X| FKwhj̙._y}2lusMaQR5ɷA1/v Q6Λ,&S@1 ۫nJɼsm >0ZkvEu"SBPi;Iyf}@jbߊ%_QoWNU}:g‘0T9E2ޭk:? 2wti+ΧF8~Y*# 6L9HuRDaXq jTaw,K]5f-豻7$Fw։ 4J$5|? (nk;ۢ 3"hp+8e"|]rHܔ[uB\zVﹶ51F+5нQe귴h][xq}lz-قI,!OX# L]h9C|g;-8Try_S褠٤{_G)YL8Ѹi,;K'mohz'mj9&cѮ8fZ_Tk* ($OT.ʍ}1effIJVez8xhVqsw|ȓ,s1mqn1g]EF7`GێC|y1fB>gu;/& v?:e}{]ףF+ԦsgLC# Oܵ?঩.Z<47 4ΎK bh;3\Tte]hFdxb没πRٴ2TE霏"ʓx[[q2$Eeޭ4zp'bD )ϧI#j,6 pKҍ>; VgC]Lq$*oq9R0͂GG,0Qxbu l\NR=U 3gjף9ze:'TBu"681>іYJ _Dwί$biأ\í2Ɩ|;"K\ } soGJa吐&dÎ waҖr*@^S rNZov|!5&xckUMT3Z 7GÂe#IM:ˤbƧKmu5\0ll&x^f r&2{LnُwDP M\CLQ?~o4!'Z ${jG,'oQoG%̈́)rW7A qz)yt`*,dZl~q!zсS2{NCNVm [l˄^BõOw oPŀPBM|vo |,9`! }θ~lߪj_Yx܈:dеL a8$=λlzJuq*:72n.)R?zU??yPT9 N%" [O4 O$dePw$ ;yn4艉QVw= b\7„2;9anp`J*Y`1|Y'A9SL㚵Ω,~Ғ  w\s^0Mɥ?A"NĻjћ(!guGlo'Ƌ;Vh6R@1^+;x c`B dVHy1W#a͆Ɋ7ԣE,w>g6Y3']y-g#d۶]@1 KwHs-ޜ ~؃8lK2YJKз!t< t#HJh8Xr%ؑ܌xy}ۉS[*O$apb:q0zmR0fZ~q}fpPNatɻ*dc3Rto:X#⿔|kf3! % N5d0J߇6SWN&(*4j`)?DdE ż~; R{uO4[vzUq)]hr,X0\ʱ_jrl35бL t4 ?=<|4?CŒ5"REI*K1}>  Қ uA|Qj 헥@!}ʳgQL{*#2U$?.$LM_͍X!&s1ߘbt#c>!bn}s)3men>m%9c̱c_mŕȑ$u~!b9LG`Hkrh0;SOP1#ǂ}%B? LyD_v{&;o9FS,Ǚ;ӓk,۫oSV<8l/\u|cո)_W,[PD+S7<Y1d;]@Zv 9PQ Pڿv@; n=OW,2HѶ}X-y<ޝ*OD 2϶>(GR`حQP"+\"5/9H⬮\|v erx0l߶pOD&WVr%r|+>{3ΰoVtl/VVUV;si{pNETRWFiBN9EU26غ2Kkυ% WD'Q/H)Юp۸| g|;ь$UqFQuLiJus&Y8p&_q[N < ]>D߹˕aA~Mc3[%LB"XŬpNkH]Z<81 nWN $rE}, TӁ>p.䯪fXyY%bjj)oFhdA'>ID,7!+h &]۶U*%ȭ/d`6_9T [w +c|jC\VQZdž8 1+JR7C( B_n]Vol;q6"=(:qu+Di{P!bm._z?:YGqx,]mt"oʇjJ`«PAJy8Uh'lwϤk·6;JEJ֜** 'B:φ kfE$RMo/XS[z@YYMU6!lO_9JvS&(EuvCI%iz'~ q7Aa6BbR1oZ| n>L@2 EtNJD43ھݓ}ʀ{4)7 d5ES Q.() `4} G fL,)<G3M.Rjo%z*'hDTWWq+Bv{!0t& /YJe`/ءp7\tqHCWR@iDsph'EɸzB:ZK-Fp{hacJ94W.{^k}Лd{_X\_-_^ӆ/v5.a0 Pe8f$J~#Kȧ?•ʂ=CMn5A en3]>\1nf]5m{=o#Z]j'DSP"/""Вl! 7|6{=lr@dJGr]@ưo;N] (R'}2DѤgɢGu,j}Oʻe~7@jC<RW2Ʀ 6-Cw^Bn)O.D>gV>(}('rCuX]鎆ًH[(hhM%P5tXpl7"l#ZF"~q}).8S]-mJ<۹SxIb]LfX05҅)x7<2FM:%JC飉{$Ae%Β@I H笠fV 1M*iB`(RPMt,:3jJ~<}+R?+ʝW;1f gq]iI;!W6:Q:}F߇yO+*&uoO/7DYIHV W[ %`\yˢ@eOf+]0}utזQ Whَ)P7B$S?yǽyFR9W_E&pa6Tz$))&&DA 0"bRgkҨ%3[ڕ#/o՗[vh;'1'Q ЎNXCַAveꛥ#\C)wVNC^M)O,XhѻQ& /'P &@-;QfMv1,$Gqhτ`m:`Ru~%ʭ( 2 > D%l?etk"_|Fgs,0?S5(:ڥ5eFZ7.1jD_/fyEuFK1```c)F}XPk\c¨NQ9rS]3W=hfF7Esjy{LehR(`n @A]@[e0LY;_W'a+۵# DG.WЌX èv6s,>XY]f"&$wp a4I,) bBOl#z+SoI#] 8:z*]m-"Q2_+˜3as y+A8_;7{!R_O3GL9q8D:+όD. HjN@bVBl/OiY{JB3FU\vR[&ĒH'-L+y/BF6xK/f +m~mFƁ] Ş[JS;U-T6¤hv]RK.+ ^F%VZH_(j"V+Vg1T( ҦDZk^f- Zo+2M$^͟eauPc Ⱦ^?ANE@WM5< !VBd8.fF2 E"g0<D IUnm'Әw|tG1EF+bG6PWN>㷏,NJ,׮7eg`SIy|l޼.6ub4aa+%ثk3@RY)Z+uΤ8sה.QϜ;?랭҃aHW;' #!]LA RbAatˤGkoRv5ݾ}fg)CjBxl@jm/MtnS?pH: !KvF Xҩ=pdWCOKu)lgDFcVgVdIdFʖ(x=*dDt?s0HϺH)RBq^EJ6r`뵪QL~QzC6 %$K>x)9EJiR'`՘F1uoM/PMq|:gJEk:E99ugՆn g9 LL-S$\k7kEQnp(%.V#䆑K3?yBQ2e6H PgȐy2ht/ڔUӽ M^<>o2?ċ[ߦNqQrugam1#'*BVq䴱߽ A/LIz&X#'O!@l=!o Vhp=eI缰4KW-S,\w4ZrYŐ g p0,wEL6.ZSl-7#J[r(rwfWQherEK;0tz'z6(gIjjुVf91Ra&|vEɉPߋhzu Cv/lDps^LFA]n b$c X @&mhaJ)4 +V/@se<Ĕ[[mpsy.wСLv+̭H(;A{ldSu}.kaN$6Z3*)Ƙ>wYӶ7M]+.ak.&\m;* "{;23:|닼iL{33VIYه*&](Dկ 6)& ~槌&*Gu |~UQW/y0b6[9'/LV@r{.y4N2= ,ѴNڗcH{(ϟX`ʒlV8yiGdqi6*\P3 >oؐREwrj:B.B}:~?Rqwȩ/=}*/3>\S'?;%p վ"Rܸa, nj. t]Ä֗QIkC>"Q\f"ݖ55{53{v̚ 8\,*Oȓ &?@՘I6w cR}cGSko=*wYY1 %\y B= xa)1ýK:0ŻTK_s$ 1Zvw+ ;FX.~ЁѺ*jQ$^WŢ 7Z a0zskڗ%25A$G?Fh cT-HC(MnyA,j{+՛%5i>s1~EŌP.YCysڽ0G՞UZ C71JGe(T|Ơ!eJȷ;.! ΂XNir_){ܠLU-Z>D7q.~eV/鐸QJ09˙'^(8DפŽ;_%cqdTo7e!wJSgk>Zcj $B]6ׂԌIq4鯍2 G?.]/B6&0\6VWȧ"x9_OrýTܙ8֮v-n;!8KF6Iq]u/1eI#ŽW7;mh1iV,&FX`fKr+KANҗyŭ+-f .CX(]i?ur~[K'e<Dfe'4ēϊ+2ExƇ{ekz!n2$ܰ>~+9N殁U7^\%W0^_Έ{ʞ8^Eڰ ؞ǺbeU<8iU0aqcVw剟p9x704"!Ge֤A$Иj7eM@&Lf\|`8yFDi$ M9dߔPn&mjȆ>SP ohNgi=Q L<+wAf,IJKb44}(dt]w !ʤH( -~Ҽ֮ @F_3}Khɑ4I: d@<&WRX`/PR<^V|vJp=̾L¯ .ͫ 4Cpҥf<ȵ.$ nnLP wE?[ܚԥ"ԓA1g'xϖ}p&zki\9FeF=$zz㪇wZ)eMll=;LڱV,+#؇zQ\hA6 )S|du3?kύOHzpnˋ0>ƛ+lFLuH^f.~?Xtq'4N{5KI'&94+{0 YjiHGp|&B:cx~h0ʠAMN*f/C&LȴxnV'S΃ivMJ}~Bs3Uz_QOTkfE75և,tM^2Lq~T/<>֪9~6 >2hTR'hs~Vr(X~2JctG$I!Ql;>N5n={qjSgvx[M 1"$d9 c^t Ҡr,ᒽߐ ([Y96)/1fe10/ةI^^m5T"U? ZdYM*)*xR bC)n[R.gu8)SvzOWU|革$0I)IGr!~S[aM̹iwP=5+9R^{]};t}},jqqKTe01Xt$8 p|Y+Xo<.ukc.Mr?(Lev0cQéeħfmqiż˒;Hj?qKgԻY4,sck"rXd͑+]{vFqBwj!H/STM3zUˈZr;w #y&3Dgy(Њ`Ro* e9>Y-^ !=ĥVc-ZKPiΤ6זd9EvEmfi3{秣Z -hΩ…\ %r>փqi5ov@bD1zQ3)L5 >L7/6U [KPcVģ% bo"\ԪB:9u|L|Q)pd5'ޯ}>6CڗWf 5bAھl.B?TR V]W7۽*Dh)ngE{x E8~E9v.nH0_E@s,7q8 !}׆zSSH ?_LEe_")"k_61ӄ2ͽNk*G T :k͍{LKx bӋd#Ȝ%p} %(EN5+KsT 4[ u^g~#3J2!5C;Z2QWfwY:Tw%\Bymn5Y'7^;ZxevNo/ [S CGcSE@ |w@gI{ҋy&NR.ɡo]OpL g6IPGՀ `_78ɮ6+` Nʢi@s`nUcn+8:\q[|pPgJ-_ԎOr:Z')FWøcX(6va2ؖ!-9m8s+ ;RHgK]ݷ"ؗW$hHs$^ҁTB$#5)r*R\x-ȍ@P46Փ?ͱb@.dKKq 檄(E-"2 ڔu~i̧>?:fR ~oTqyiP@ [:Wת ƻ Y-FDJ4UdQGei {N %X,}"K=V_/dz6EQ&&4k1H7o3$^Aش~(AIֽ6jO,f(')I*3Vްb[y[ s J(.քB}BM0jDL;]J hn\~ץB.qg1j K/R#֪c27S3zx[{G/xu/$``x276U?w ZQICWPH,ˠ{ ŕ;H\ _8>lk^ڞcJ P,6'6|txDh Tǁx>6,>@k+X,tYD}VPWh6kOɤi (YF(wZK5e1ِķě-7uu|kI¢4iRE }RG#,޲L2ݶ)"]֏7x4TywQI^ϟ |8mʢR㊛YƜ$Q:yR֫lp gJf_ BkW3%jK8씒=%ͺ:~EK/!%{WrqoZ'ӘxP,%׋^l:}ˡ|[?saujAI|yLU˺LOf664Q;Mjb-˵A8:S*6yM kZ3KKʝtFtĕr*J -KydL 5ls}i](zCw+)Aٸ'l ]z+xo1ON~VB<e%HiKJ54m4o 9b,hQ8o޴dIװ_e$%?cOh,^6Vv`rD: mr}c]Poo r^ޗ׈6UZLh1pܦy#`Yf )R[t<1ZJo$n#morB˅CS9_)@@APhd øY}X7Z1@l]+՝8ʥ6zg)+.(,2*ؽz/.!jUSB.Y"K{!7[) J_R'Si^"Q͚'TЧADF%Hf &Dk!tnVۗAXmlf]i"*2 =v{L=+AYAB0W2Z i}Q騣j S9UOܑ)#r:!]XA%?rJ%hN8rHך4(hRp ҈hu#S%sb< y^kVS3 TqkݜZD䵹QKN4;mHc:-燫 &d0LQ\UZCN<ɀ)%̘a6>sr`Ù(x`II ̶B'%BQDmJ|17}xRpS'"[x/j FX~Qs&%/Cq2 HuX4:YNTomZ7@UI^ 4;2§u-5HHSL!4]1wC)g۠ `Y?Oꚭ1 cqh078 zdCGNN"dwGCk]b@EM,12B+v|Sf?|hJSM֔{Mj|B0|oQH w=#]^Djh^ Ȋ!Ga׾|,UǢxCz2e1: DYۻ_QrV:I%H4@.Ivqwi/6Ye[?ǀ|]ؗ>O\ A397^3g#IǸ#_N7#@bqu.HJß)$?~ګ/ n@ B3@g3]mǘLD„pǢO)eTCVDG̘2_-`%׾]h:rNܳ3C)0 \f S}~صoMI$Ɯ \ 1:Z X x9W/h9A/<8#kv8^  YϊNP<@Vv0d:N,=mŰyrW("9ݟ{mQ{ZqNM䍟C vbfgnP9e3V =|1ޝt+U%wheq@J%iw/aX"|}zlYuS T$y0\xf 60Bڹ*q $q)HU/N[B~iCXkjnݑO0ۮ.Ȕ\wY`|^pe)?ZNj9)å(çT'fHmM.}"Z1xa aQhAz* Hy\*W[e-4P4W d?MIC`([2JH%*N[aN""ߘo!fzHU8Q+ >ۻݧ9#w{HkInK8T![EJXd]f!~!hG^3Rr/ ZPUV[nc^1Tg3vKhpݭ|1@gb Fh~ 9 M:4XlcֲVz'!!;}ppaCa_>ۜ {}3CKV0ț^ߩj>k\ FZܼT2/GgK_x# ^~]f3NJ-65G"N(rŘ/UɗͨJ+>4w1yk!)Bv&nց6^MMf@=4khH{yͩ+j13mCpY}?CǙֻ{GS SYH]k :{3;sˤ$Vq_Jb]?bR]r wk¯ԛSIaxWXs:)8ݤ13ɧ'T5! <8:KZBgMe1p 9~)fp@N$hf^ s>{C.]T =Ro ʼ#֪Lzl rsU?t1g_L^.{u pPKXhCܩaOv\g'q'eg?r6dLQY aX2{:á &Nm] ~>:\YdF"[4]jTfǀ +~h`<.|\X|Gb Md-d.͆ G\ZV9c$m!tuU,oԉE3;7 *ȪVO0_]EK@RkE8klUO2PuSCa'YRV=e06jvn.a= 87%ѹr|o.Éi|6!)|盒].";ņ::ToQ@TuV" !7uu3@’}Y22 a4i'8gI8(kKI bM9>$R*FwxƔ,g$7Z5 nӸ%}' ӯ>h2Q H)\r=jQ29;1ugmOa |F>^dC駑%PW=s궊˿(# MQ0߅n{ $M9_7J2gn_}j[f^@g{[5G'?ˈH9ق9T# 켓b1K-%z׫S7q8zm:]LjaJqL,9qg<)c/̢\_7x?\ oz%ʯϨ#ƚˏD= 45H2UhO !NU6՘ޟr2T?WUSl#\ƷorʱND$MNu6Hf",SGd)_] .gqp HW- 0DZ>t{‰:7F Ӎ}){ilɟ&m̔I 2c۬t T:ݛF)T3f%_QHC$ 5[09Ix-M;QW+A cl=41rc3=jwЎ(ȐǔT5ԅ_2 z}s7! *_S!c-k5, %hjqxhuThfEMs{l4"T jfT?g!2KgtgIpLVR7tOY3q4zO"^G\v!78{wbML%:9Š\d2W9Ew2=1TU뵪v3t1hp*Pe\e7%_.Eau88evN}ʶPH8Y?S}_,)QfR_0CGY8YO9P :|s?.Ƙo?_Y=#^+~>=[d2gнQƒA2O4.$VFE\@̾]u3ȐO #c(RȄ(yKM 2)ür<@.b YXUuUjtGCDFc9nZdMY /V u|.2K|}` faN)ښ3 #ņ'xڽ5EXs7κ^Ŏ`-՞]k =g4%i-cYgE}3إZD/6'@ѳ8 fԚELm_Ȁ~=z+1(J,&Tq ƙ:yB6dʂw)ևl[K#TPPD1q /;zY8 _5Yb%sembkF6-o8J+gQ$>e8 7}~g+2IlFcEvާK҇2YԀ=vIˑ2b|aemABl-.T4G#\-hHoŢ}' 2w+]{62T67yÑ5x]YM+ #xVL/|~;y !g,vg!sM4g*5HEJ|7%G˲?|YQ.3y))P@Eڌ+gi&3>6e&ƔQJVx*d( .K JI N3;ToDx06)Psƥl!uˌRvt-i2@b=zߊ !r,`%2LmjUMIֹ[+<ڀ,'îaoKhϛ!9Me|oLԓn%lw}?5^&2ʚܕA4ʋTG7'8riMZWkMFD{O[:M=Oc?BW4֦8F4У*}}l"|w8$xYqb\Ѽ"/Z?x|A(RJCB2z&h 2K^kta5бK}G|6bӆ mۛڷ>8],?92]G]eDz _jمn}#kTغ멈c:2"˕}!ިf.v6C.-!`X@\bp]gT)& /1\E]њKv#-FvnԮgKQׯJaR46uG>ٵӽSƺ x+[0L;j= Nr rK~dNֆJh' kÁEa95Ho"#Yȟ Gq0Ǘ* Y ''6qgjʬ`Koyk}"xݻ7հ7@jK(G7d0_@R:X .jPG"Q`g /dyo7`xq}jɸf^R7Qsĺܖ-"X?93k,DnVc#Ct4lɀTPy' V7Ffh8D̝e] AԲpjirragkH`rDOjpF?ޗXPT=y+F"JσEIU+2b劢 nE:iqqruC#Xh̫4l'Ue9+a ܜS vE\# Ԍv)XM(Y~6@ w'ː[tzoX|!X9T<`y :fWsJjeKs5oGW`U.Yٷ"_/["S=ka)X0b^*-M= ԑl'hco[I܆ (ޏƢoXС ?l2K먚uh zx*JZAGd Vb a2;rMpgά*lW$iZfbdpANXY =OxBuĐ7K~.Hj.ۘ5o;KlDrԶM-U;D*&Nt÷C dl0mCWMJnQTm_H:]l*?F2rz0CGi$+EW tڅ}t0b!Ok[ Y{I^Vo_f./L~n` {Ʈ1HDޛA?:=K&cGuR>i-VXT0M4T$gܰ"=2 S4R;⸚f>*0dq11F?T{F /~|~5=c O-u9z?DT GD؉5uyw"Hh…B)kE0tEue^oKRwxw @WQ֮ߢ94@n`ч|Q84vi,;rD_xux8fW,H0EyBPm,8`jfM:ƲS/%H|I73F&u+ %dOfq"orҔ{ES o {[Cdb^XqChybzӍMg \$}xy;UpW%{% )7P#op#+ L3N$qq?j ~%I3BBB:KST\A9P,Nf 2&^Z07l}1rPO` 2!gskY\A /42 j-V\/}5fTÄp3 :8هn^ :46y廗m?ls_̻x~y2A+KQcUaXk N}F';V暬x3(Teh?>E/1XՄ@e`O4; ғmE :Y.-ZlI%]_uFjMA vQ6@rXз,9^gaٔ%@\˵A:V 80z\]1 PIw.Mg)G݂΢  9SmߠtEM hƛ/c 1ÖviqD39C dU6VbLSvTk-^J2/DMlYÁI+De=:)ДCK4jR6!X(HS0vK UJB/xν[vLVyfw1gvCV =hQz074;)jUbUմO+Ěd.VN2"AYN ?.ÔDHIGw;s͑,pIlǷCl$sKnƟ\A);Rʊ @] _1O<tƊ>rSkvD۞Ue ЛNp:>qWC6LBMl4cw"Wu><)kܘRڄ ݩA5芟[bzpG Q:b[ḉ؄QS3&‡bfק!Vc9<LcXيx0ERqH.%v#8@#GЂ>+wf]-7O]2zxzp#dCyF@ JO 2N;i{` e` W7IiJN|A/#65 %8jJhH_sg 1O'MbZiʪ$khNkFgKbO"cIl?$' ۳u 5{r_&'d~YÆ)kk—jz <G$"X~q?ey]Q&&&D[w6ql}ƌSdkƠ8 +Su/Z$,u80i&;p>g/-rqFy*xgCpm"Tz:iWkO"@{roN`*p͇d5. (=Nl%ժhZ;yFd,Nacޛ.p f^H,j#Ǿs,%4ku9Z3%bGYbs9%5<v3d )8T A?7*ƭ0]ӐbmOy`1"z% >xAmEkRD,; Ŕg*<ζ w%7s w!:-%9')?%Uf3W_. /헢]Ұ2,z7\Fd&fH `Cl䑌 ʊ1Y|4)!ipO. W+LBhoɤ le)Ϗ.kw:s'}wJ:. uG."0ҳo1=Nص̓S_0[N d5ԏ HtBe;c5ݕ+ 8BN4u37߶PvܴIF #6U.j9ÙmFʃJ/2;H΂O{}HgOt؄٧ZYz厤K %devmwxƏbV]ֶ 6=&蕘~B.%0Hyբ2Ǟ"yԳ&Zb P~H3LHp*(|ŜR%D+"ky;?L%EiIR#)^3+0m7o!zf%|X~;߀Ppr$xwsj* N#\ߎM=dLzS:J Sїl{cͤfa7-B~E{ڄDZ#&QobyQq~ ww}i5_bDb[@}M#l@jm]MЎ| "FtB; }:ܠ&:`";=b^[ Ṳ.I+H2P+劧["~690%0Wz]|E:z @M"!}˔~7d 63!0Ž1Fc?W@|SE+@εm24 }4D+AnhdXDǢl,˿""Ůo-Q 7r@ ## R̭.a~SRT'C6M Byϴj}+.${!]Qi" ٯ=^>⬥ qw2/jk@FD\0-www7dfa}K -zhsAs; Dg@`uaג.LgtG3CvwDl(-e'U A\VCs:/:`V1c:hv >b *VC6i71ߴ2 ([LXTlh ^$LJ{f;b Mp X[Y; Ր,GYZĝG6H.-~m(aF[º6'm㵤y :֢ٓ2SldqYpt د[ Υ>4sIRqzOfmvTCu{Y)Wcgv,مq8_M=,o1h7U6r,!I@D:NS2si MG} a,\?_[sP|7ĸ7I? {yx[[*BWBZ!`d[qķaڔUtJ~ QZY69M Zd#Z(#[ޕ珴x /$n"mL8*PEt)PgIVyѯ;[mpSP6'coBiò24)3zbbbba+)=__#=1JR!pcPvՕHDzۓ6mEa6ӟ+lP~?Y6n7"͊%Ox䜬[/Xo"D';sFWQ.${<"P1iqC Ӳxrޜ3J>7d'-mE';>qc8Fy H[E\ X$zpxʺ*riC`i^ mm*_9.gc!%{ LBMzRp;Np/m٘zN ]i.gNJ7Pߘrxx9 A\D^O@92?o+FDKFs@kJN RHV C.z=)z<"&?Q*8f:y~7=굸Ln1:Qܷb-]DEO/[KOwUVoSZ^)T*T?X :߿Wٷ>tr!eKJ&>6 h}J 7 u %5b~b\xږwR: [9ǚ¯ IB~oQ/Rڑ)* . T;[ h=.S(Xњ]735>]5sN&">%6 l- 1t8?H"9|&X'Z9&q bOoY jP`k46>B7Bϙ9F>t=4 me6;:ɽټ~!H"ތ1uiZ#2R+dƁ'mO4k>e!|R$ȒGs7bg6c3K@Kٽ&|^ʈ Zxd51sfԳBlMFc\?H4c qHl?(^a6 !w,0]Yp5g\:Z޾(]Խ3VcWlHԢ$?jfp4 _=]0<)'jga ܀\}yְG=N?f);SBO1bw92ZM=ֿF}|8@՜Ps%. G[Xq>P(l,l:&KzW@Ct~tS7a'L֗K-̇i@~v'c@99:]H.w)aLܗw+ӄsW*()VrM˂ >`?"{ZT_N07S7Տ.N3DFCm{D T1Kr7j 9XL1Ȳ@.aiZn ޳r?os`EYU!_yar8TEkLrL͉YtI`o&ʼnFƙ` eÄ+P PODFyTY4INJFvE#m4S d{6YE:G FBB4Tip1@v}]^xol}كCC%$ CMV@~偯\J>,# OsL~F>Ʒm ՔN}{%'`VI=YL޲ u> Ko& r 1W6ezPyxٳ1EթjټFn)Čؿ\RmBF@?[&|]v憆72~u*,SpV QzU}y4%݃%]υljdBI/@`nחR+zXJMPyJUe!U N f!@~a͛-ȇ.H=vz?zZdw?5Ɓ-/zw2Ύ+i''NDg J(iЃV/=lq@NZsi輧Xſ[Qؗ^A_ECD1F ѻ2&1X=Ӆ=M6atR6lL 5*2T,C1ESn&@탸(/9"hb`lOF1v@i>3Hʕu%bKX[TQ?4 bl:˞輶= ~S+jcabG4P@KnI3>H()xC{Jd7)#;U+M'LQ|}EL:+L(a`'YFlf ip-́&Sӡ0½SpKMN;Ge]|W ص36qf0y/{8ng.2E?+O$?&2OF6 nxFn"*X&jՆv4 C[7+G:@MaSЇW \ 7Nx$km @c6 ^x V-On?kw%3N]LN쭞{`PQ1dᮛOՅbIZjg@ޮ 8'pr|e]Y{`Æ恳Cs+ VMYe:M:}P y6eck[̓lF,2W$2(}44普?宗6R=-%M'Y_@M,(>oj;(_cD$Q٦S. ۝qg.a}!v`r]qtފVSsܳp ?12H )*GсuqGMncs܆#2K/u6EX#OI6N-S=)ufOQQbLrr )_6k':20;k7![,O>}hC*ЌOF26̴FXFU!6>؂Z~|"IwSۄVQj 0jMŗU~ő?WɔuW&sXzSHZ,U[=BnICȝL M CIAp-W*淞Ɲ14M9-nV9/Q_QJZȽDŽ}Upޜ`iKx1;&Y|PP+EP>R! rx؊Cq.LO ,x8O|wihT{bb|∓}.ݫL~B9I eb2Hƕޚh|E$Yі<٤Gnv_* f\ekZO*(Y Mǔ:{xHS7d_H ޞq˥<7pМ˒AI3^Gqa_d0@2wYPS`c̥Uyyh TѮg]Ͻ<K _o{gBpЗBF2%1 >/9\#՞2c$$*K?6^P[ϓhZ2my$}[fjr%'qQo i-?R%MXJ׿Qdy0$s׶[,|܏4ɝ:yIOZ`d􋺦3wQbZTH ) 9ka'jO<*Xg5,!hSHYCUy ar?#rWu6dfI (cl A? dX&Kq~5~"h\6tܽv ֥HīLpEx`x,OY%KQT4:|,!]7QCP zʠa=xϥ奂*:]K:JKDM2e-| ނDk TTQ}1&F}y_:<zP;)2T9gim/|Զx c~ָI ?D\{|@a7]_(]t|fn3?" 33waSrُ7K51]S-距i([^-`P#ptI`RfNQ /uU)ȑln|>{Lqn0N?tp"F˦"D#SFwX|T͇j,z^=lJt,7֎>aҎbenEf@7Hd|Գ?PAɅaZ4T,hLHҳ`T^TmA9}Ej&Z~X8"sb Bnl4r JtP?t N7>''I9K0kc읠s5ZwvS"‘HgKA p:uM @e]vs[SZOϿ\$# }]RY#R@W:{;S}SM(zB ,=I1.θMo nl%\N4.U![+5 v f *" Nߗ5fԭb'od/of~\͎c_ MbߋPE:u 8[-"z,"Cp4&E^ |J# N*o"FH`R5)`s4%!w߻^HKUxU^8eE?|Dp;jj1W0p~+="Vj[gDpq.5wv~)W<݀09 +u5Xog0[h"Pqǡ lH$~Be7#?SO5WV2=!1/V$$ h]$ig4'}i)FhQ]7rvIvZA:Y@alZvsV8& ~{-x'˃mPO&+ۚMhAkr O&2rё?3Ҝk-{IIů3M=p=QJ\akD)_WZyMJ@t>_p_\ ͅ-QxZdMsTl-wo~TE}dgVee?; O#>pOF0+6?\;:5fB?'Wʼ4B`(o (6Y,i_\7q|)eŗ.}N!*_{H5^(}_"L` yu+W.NrH P&viC/b7@=&CVx׃pB'GQ?d ݃}vE50TիJњw h} .JJð(_aʊ3Gqax{=.͓*]<˄{] s b模8!>CʅP:xs\iMX8OpWj[BP9 dM8@ *"Ԩy$ Cr QH0k؃.RFPy(XȉMiۥPǴ[v3*u=StJ:˸"ްId*|UH֙B.{QyynmW,OKHu" xȭy_([;O{i 쪘/+!\.k݁1o| *8Z'%DePKhYoe)5PBph]yXA| ~yfuҠ=}"f+>>-@Bi І0eےy~S T>g &8*_ IwtEz4.?nU5v mp#+;Wθ#*uCc4l$?Iem.*A` u|jPATY`uQDMt$}e'|[w%-0j=EI(?x{kh !yvG[~YxU6A|+kA9GYDN-{Ib{e4Js`5Xʛ8-unzCY'j)mŻǠ:JÐYOO9[DLfOŘmy"xLa3 €w7xkRYqZ=D|,GfÀكS~; 5j{/_4pmHBrḳv0TzF ֜; U0E h@ u0M+`1s} ,jϲNx AsJIQ(5s% j;k?=7VhfZ̘VEV4kRx+lېi au%weYexÏ$}E<|]3H :덻Ƥ6o7<—45aM> LlLAHJj{ZЭ3Fe&WaQZX|Aavݦxz&PDHNWlV%rfM<GR(3IOݑn10XAi T>ccLsfØT g_X(QTq!f(4ns)YjdZ;nRqh^ZQ~?P5zpvסD?_PO_,fÓ M6BQ'G E.<uu9ث,/QV޵lf;%pPFN!svT2W847m^aNs W `o㖢#-wxbH1@R4obw#d&uL(gt b"uW]_hu6;dmH.1w)1Y2+2YYfzK&ѶUaW4%E<\J]bu ~rkJTd*^r/[dq'ÃnYB AFt{5i,w^C2aW uurbU/C#,e-0}43 G R 9X~~i8hlq$n#\vȥ;r\v݀]k|m1- ssYQP v}ӯKrjZO G)7Xxo/c&aEylFQp,;7AP_Xxfj Znp_YQq<\SF=িrڨʬ(R=8\@<֪HlҀlҚ'-ڧꠛUZҶE&oTڞQWw ӼUFh*Ȉ}v%]aE?ǕQ"3hbE7$vyvt:¢SoIO'~ͳ-:rSp`A&Y9`Q'Ee!QXjvIrVK˷Q%$ Sr < NV&ޑDfA,U iitT.hL҉ݾVRHwE큧N>5) &J/kp yʴ,wr^Fk;"I?nP|"i++Lu{+3ܕ> 5]긁F*.ιՋ+ji<=3{^U)8a<4Ql8:uhabl"W_VlM@] RhɠpJ| tp@!3zAS X wVuW]Y7 k]@UuTBͥ*&l *Nm 1z,||Dy Boތ*]>?5jXt\^n7 `z57MV5Z|ŝ$ OY6B }|ӣyJDTҿn8kgb,/ zZ0<m792i$,H?2ڕKa#XEA)e6_hCO5Cj6M]QЭ#s{hvʼSNJ(qtKaT'`b6Q[lۮAVmNfWNHD&-q}7ੜ8B@Ba$HB{GF鴠wj(n au2Ua%.c;1B^A3]^ lduL|L @a3Ch#l`6vk\i5|wr *䗹| xv#6ZՈPBy(( D#=: ƛ+52 HwӠ;ZR-3z @p4bgɩSFԥ$Rc 8uZ7c*t]6/zI*a2"xUGLdUY.B",4[iEc.KP)"'$-.АZ2 Ȳ'a E.l%YzfPn!ws `AחK&kTwjoА8;Lq1S|](K1gTSitF.6+b~C=OGPtHZ(E$~4UԷz"㽊y5 JqL(lѵV 1nwcY/{u`Ԯs6ɇk<]| #h/3Bet3ڲ{v㿼Bl "PPPKCn7e. + RFKe}o5-D9&)* mq5F Q~6fd>7xDw="3ɴƧd{qEkZ/?m2CY}([ӟj7#OOQk6)/1-˟ҏA^i aÝ*Q=Bڟvh0C$;OF*YKY GN΂QM_S0`wn(Z콸-($I"mZHX־)mW9FNh;#8HŦ$4u?ZO0fAcDYӾ N @A^/pvFB={I|{c;y[kZ{0ך斤R"CЦYl%b %h#y0R9S y6JB*I@pJл&ӄQ|w6w[6O#PRWtv4 EUl2bޠ'Z/CùVW`3u*6$pCo2p}[4~x QMjTXHj6&Z,ڴÛn;?m8s uj]|XR70I2ES7Ŝ/}^)}1id$9yp,42tșAޮgs9cM>.^wWI=2r}{$*!+N]GYDF#d CA <;'I N ZeAk~9+-6{u&Sv@`/II8>50IW ,#xDF$gZXe<'aj@EL7Ծ_W=e/Մd:p--Eq+ ?λIVC^lXw07qBg'WV->N}A 9,V7uMydc~dΟ0׏'&]rn'ǜ7,0)}Npa:yrZA#}i85]mQLtV<"aIbR4}PC oM4O~ z!x5:]ܛS5 ֡-ًSnWWSvf62CDuz3h=g‘B"rpHڈe\فZn8)뎅1mi!9Nl3Jx̳zPLœD1  S=v&$ VTYnnO'F$D$4.ߨ@DM2-f?ZFCm+\m:ΩB|U̯& 2lJAŦe1F;7e}=sw=8࣓VX5mh:p76> Ԗ>UpP`=wC6k =$B`ۖ͞.pDUMOaxAELTl2 [FQs{;s9OX hT! [F"a-H?$XJ ԅy?yd>.x&ciO%D#˳#zAkjfOpb .K5T_DJDQu o4'x_Yچ_@;r|,e o)o8zB`]''nR $s-:(6$E+F< :fX-C{K \"ܦ]xD6y9?l1t6+VoU&G曉xʙs7@TOL{+Ԏa/]^UFCCA/ioaPT.߄qtS+DC叅ߍ1+('}0X-Dk<1 eRpزWJ(La/mx$jbť|J_}nL$@ >ՍHk't5]qI66)9HtWLj^g.* ]uoM!t?^$U͇%Dt03KGˈ(]&_NsOayV RX;sz{?F,J|TZ]3 ˂5̒FrMe;-3SNQCb%Vl$_].훤~^W.UEh3Ո w*Ě2 Gr*k5 T^-`wx b]t%joW|X& UC:Vt65! (h@tKІR# dN単Ms00ySN絛vnd:Rvz mz39xpNѳRm,l[#T<þĽI\~Gx]2,|tNTE+R+E,SzkĈ~YԹ'w}n[\fX_Stz򔚇}Y|5z%W;1y sɪr1B'zZzp%4A+6fm?&qFX@&zk vp0d !‘l; Oo /~IZ,E@%/wσw6'3ΰ`ό[xbA4rKy}]#\!F-5Z6G ^6.'\<^Hl7;pc'ўඔۘNr}a|QⰳlrNT@[6R4icr|D4c+lJzL;\ uhć8٤(X5ypr3M4EsJQ?nEo/r)Uf͚q75mn6s{,q/i(k 8A"3Zvi`S,ەCPR61+9~pCr,^EBoQ0: (3[*"6旐TBo#NfnSPFH Z%Ӏu.*Tv`/":;0LW)" :I|Ud{W5 i3VcΦ{A)VL@lWYi!]%]~;jm|ޠz,Ӎ]`1`Xܶn?' n2R ٖSN#yM z\{;!N1%b[Z xyĸ>jFnҤΙ5Վne m5靬$F{}>. M'M-DheH+e\<͠(g4Eh}˻OBwLBڝa v^KZ$Q21VUv n, #|7|HQ([^Q4L]ػ&N@>UӸ"Fe`ڗs jEq/ۭ%c=3zM* GΧ҈! HoLɍB eI(rUY YT-BP"1mE7D 9@׮[e2d5XIی'^I8j`@B$ٜjvc'L8f`VTC.[woر?F: J?i@d =ANBoH9L !,.QٴisG>M\ $|>4ӆ M!!@Ax1Hnrq< Sw7jQܭo od4*nvIb꼆QQvFRc,W!`2b񜞱 Z/ye 8K$(L8 ?Y(ØID %/BRYe2Ib G@t0+bdDGPit1gq;1Bb\뻇*LY 8t4h93ԡYcбVWZ{1+ುX>)QU8G4gϰ _HoHAl<φt@?,1ͨ#ɳ@̉L9(#a`Kʇ'{ș^+[#I=,u5M؞עf&3nrhf*qm~1[qK'{۫ʼ?/0Cq8 xB"~c }+B:;~ωWQx;oJ9-{ [4qԻ6l~ X?WκB) 5'MA/ζ@].gVy2v3L,(dBi[ulVEn<3dl}q70Ui~jl}b\?Foa`PksYBo 9m٥0_gko~t.f137 % '9-ځ@T;BÁX-#)wf <3E&]Z)T7L@V+bF:7K Q,pQcg(GT IO;hd*5I"HYN(8xbNxBfIQ F@P%)jRzL1pX 1]:cP\䴿, ˆ߱CԹl;1]Bj$2U-IWܭ[zvEu,Jq9tSX=mIcK#7/@Sƈ3J,5N/i/J%@T.&5hR 9w(Y {Z|!KSPDDV]{0TYǟsj^ϋII}*aJO8d4DVf8WSmnJ;8h}c:R > !Y2ъ n8 mysfaKO)h( %>@0A`=#(K3ϖV&cEâ@!`s/#^ aPB`ђq!׌yO_(! ȐxON55WS 0s<9|DvV!&$'%8'~zf ¯cM2CL0X뱡{'}_Я63c:ykat)gQP+=oZeJMSݛC?Je$b}7J$j%ǴRJT`Z7dI#%c߉G E/>^pe=|XŋN5Ms/T&.eG-vʯ;2`ny~*eB;'m[zL;T _XA㒷>k&I d~a82r/PP,i V.TkW .}Ocf_J $)KĢd!&S >#0/6[Y!'_TiRvSu<>9Ck/N!fͣn檦%ɗr ¨W;M\f3D߬ 7Fk9bb`r SY ?nޞPSn ŕXJ$}sۛS[ W%8pXt'6ڑᖤsSs7gS9wǰTQWT $ t <9jW<6PVJg,t`gx;H86TbBYe֮bu*$qsW_ȆOO>N/%}l*۝.%L];?)U59>^heL?d :|\pk=LV3j8-$r듁<VDf \vk7<c/tES!Ql+ƊW]qj VRy ı˯WJRȠXW=M&|(_ߋ@$z^6H1Ornb(ej>ifc&7,chmHR]qnơsH, #„Gw #Q^_5Cc! 3I漜zvǞ&"ԘR@D}ȧ'y}Q}G{ܠH,6hWVtdiWø8R;E\_ K3bT+X|0fnlsJ8Qup+Xn|}gO:CBDq.^n $r_miYujz%br̛u˓&:WJVRc%ozV@ǦSCaM֢7oM?jo.1:Y`0 Y|ʯ6Jv_g\^_I%o4ـrc8\^PS`gHfm O& ~džUPBLK=Pt :qNZY0X Ys^G/6Y*(&ۭ=$HQ@Zo madde`HZT'_B'c}/ (i~:8Z2A U{L|x_!Wu],+59]>~@;V:ss5׽Dm=:NPuL.ӈ W Gcq'&Y.*`#  ^p5DrWL0[^\'áW D7Zkۚ)ơdm.jJyAi(0VU1t!1hPsS;'^{S;vUVٓT_ V󇅓B5pB6LTTp0h=t!՞KacRxNC>,m*IK?B#VK"q O&<ۼUwXdgOyqGVEy(k~ONm{7yX.PX0џ4\=x"CmgjG#2Ň}gX2$G,bzjeZ+~-u0$!*wX Ý;_!mDʷGQmCˌ/W1z"'ŵjtw&쟽sAMb{bTMܒ{|fժ Tmn/wMRƛu=xK칎o1Yܒ{61 g/1nqd~M{@wժKy(y hp o?MVZE9Pֱ.z8ʖb^ ؽL5`!x+nC4@UFHߘΈh9rg}K1[ώ1ﴏTF|B_Ad7_lI얇-,/`}\vq?!@[{0& Цm ӉU$Ǻ;+~5k4{,;B@Dԛfi% @F%{ȉֿlG{4yjǮ Ι\PsQC4JD죊 Ĵl-th y(,RR%>fa R7<4Mz'7z枔)b!,Z4d'V #*fwT 1Ww-A NZF`IHˇj0\б.+6^$5Kvp}̙LJ)tyQz@5%M5UT:=e&_ݑc iNļyU؅ucvS n@Ԡؐ:H Z6ԫ>4L:B|Y WI`C Vs]IOݍ.Dt e< qzm@@"=KƁBbbK4}ʠ]W+WWvjSHsKԶև 0`8&_p?ܶJƦSF _bY{ j$783E RN4zA' RBßS4n+ kJ[P;3fJA B__%Ԓ`ܗMS/rmmz ĴZMRRZ?\1xck=x M&D@yf4fvF:sK*7eYsTH3WmzǏفei|m&iK[')T=o H]1|Uj%(&M # 7zi#)eW=Ӂ- R;'aRb4H9@3:'^*XK4%kܹU˽p4s:s?GlnZTY%VD,?nW^r& /3ɫ ~X6G^&ËGk`ɳ4$o,}Zw4eI~׽0zwΊ *y&RIk<>rLQ3g݊PaZ'.ߕl7aQ/ٖSլ#vl9 0ű4#9XeZ 8Z7:FSh@=2Dc-#x)هz1x_hhU0KT~Ki QwUs y7RcGl?_l/?(yüIFj{G-2-%怀i)9*!fe%$Gq߳{ec 8Y2HZ:&`jŃdP Q)M; MD1?h )75lPmyB1&YiXѳfՓb{yLV+#F>*m/G ap7bJx8+@!{[@49 a7INE5OLПVhk V"-v8wt.9[E,VJe5נp#&쟅#Kd[{Fjy3kq&WG=nuT$onsT'0L^M7EˤarU]4ڦN9G:"=<,9=#+qLh,G]{j+إ)@8؄ك) ƓR\Zx1iMնWTAB ܨY553 P3rP#łxk= ۲ cQ  J4Ae!?IDf1*gXT1wjAYv fymi6EPpK6c̴;(Sﵦ8٫|" SM=߂j:*Wpe/Շ$\фw龴fÙIïaJPsY~YRIi~ɩ7St:5&&%Q[Bj |q73:h..FV]TM to1 N)EA4o{:xjλ a'#&v KK c=^R;+'Dgd; v x]i(Vcnן)|mJG|bthWZu[Eb~ejcSFV=0m01xƀ[=eؖh?ֶXjQϼix2a[FO3_~ Z:Xp*D"Р9%oEg! 0IZRsG䬎ۭVgd+ga7(pEK(d,BIhaAEk{V덀f~tu9OضQ_QmZzwp3ɶ 1 E~Qr:/#o@D$w\ R;Kb䂾_'{ch+|^ܓR83r ]{ݎrΗrͫl"VGpamFAۓZ"W rZۭUtbs1l<]}{iUM"2$BC'MN47O]л"aL2q? Q{ȈMu谩.6KZcA2'E,<x7̄t(*Ya0.P@^A:#nUT)F4jpp%hC;.7XRuK;rٌ8>VD @J`P^o}ՎO+E7p; [.$/;EOn1MH!Rud|_TɈ%z?U읎A.(Ѝ )a4脦.z&pOLMUzrkĹЁ1e!]x+jdd:Ak𯎜-nq/}$(Wd̥$!*#}i;>J (ůO@M5EtLמxsbXZ3\LcJh̶45!=4"b<"/gT~܍Goy#eOt|J,BxJ-]ɳ麅_<3c\ȶ'Hǔ )U?_5w$J:GL+hLݙ&B0? $Ο~Ap:dXW%~ʴc+n0^81 E|N+6]Y g)Rg̰Ynx}Y7NO>DZ_HLs֒%Xb R339ED? 45UD##.mrXK8A Es`xade]̠&/jnb߳2O0<޼:-f+;|&GC󂀀D,yK xoR?*5LV@-Ms;^?YÚHH|dYP-\B#7i+LgC32?Hc1u }-<@ P6{(O}`Kשd?Tw 5]u>Kr"[xɒs`7T(%J]aC.5lq'̹rj}i t+Yc&&!zL,7 y_׵cQ<,Oo[Y6 1Jst=}qrJ^?5Vc58?V`F+p-Ͱ8&5HV\?jOQU(B ʝY!aorޢYtնhB_k"UgZx! '9ann`jyw,ED}B@:Erl*>3y:|r D\R>'&Kۦ?bIRCs*U.>+OROwpW{ۃvUUnQZs;, ?~KgmqH p >Lcgͷ)ܘ5Zj&d۳ B+ 1Hjjy{ξ袨rZtrڔe0@Jc^>F%0a?v=|%@:؍.;?/5ii:b^n!Ox̖u_29;†5.>5?Ɛ:/l, X}wT6bEkYŸ1DʶB;k_(e;Ohݼ[loB#)m H[5Jᐒv L;~(*qU([W?L9'[fh^iV<В.ȜlQ7Du?6Je 1E"V8]r:fY^~ 8|8O*W'xpU&a, ;z8:$T%F_y뼚 :JQsxn9(l|ӤuҾ4lS})c !Y[3fu<7NJF 'fa7W1{;`SI묅h0)G˸ad+y7u|.p~A jJ4 3CƸ+3id{hrY2J?aNfތ_#\hCN(Dh8dglSlceq/e+#^=]յiv>Ω=PDH7K- =e-~{E~2<32M߸!Om",0c:+s齋P39'r1{/vV}e8UWa7T\]u!ov#?iLl g^H3ж2L7xK!89b7~}{ɓ̚ Ju^HwD~6jW ͽ?@y7kvkK: ~jS>^N7 Y").Y!7j x72GoVOgr~MER]s,|4JJN1.o~T)1|?aF%rZ0nnvKmcڗ)MIKV]NgpfE"3b yU}8 DWVŝlt foVzT%SjhmmQgQw]f5fUzYXqNeG&r6t~]t6|ULIT΁hm$R"Ռt.]2 .R-NuVjl)Ɓ~0"Het(I!8҉G iH= 5٬?GVéZroMCm +ai!oXCqsڹebY+Lnw+ƫji:a_4#A{5zUSg[TN SۀZI^G]zzxLW2cNm Wp/3Qy%D*AcCޒz)헼U}}+?c^x%h$>\x \ҷr](Owz8[ bqmt1Gڐ3S p pa~3 Ī<]R/@"&W >]w^Xw oj)u%ln۳3,‚ZL jYW=Cv3"6o]<'add 6sjU 10xmM \IIGuQ_1Jx]\N9o ȁ4S2uN?~J汭cn/tڡl+J'凾e-"CSc}D[ 2ל0ozMQPCh 1]wKe;1Ŧű'& !((m;_}WbI,!B^x?Zmgoa/G#~cULWQQ֥VlO/N*hk/m K۫P7^3L2J܆O#Ŕ!x d|F/Y $˘BIB3c*b |adHǭ'0cӮ"e䉮PzL Cg?=~cam <~,'T.~;f럮6|P 2]$GRW:Hg$ZЄ"WW|/a G5oX$CG֥A=SYoSVKZͳoAΗ.ëª ΜB-<3^XrisZ1P BJELѹwhGUe$?GQ\Mt-?gcm!ܾyYy;iq#Gca@uUR"ߠ#.K 0gTH&j?Y9iK57gqŘG2%LBf-d7XG(_}1gqmbM)YUF@W sY4d(,Kba~qPSVQ:ttFJj j`L)|c'XzGvkBZ)zv'>C>hWPпĺWA<>5"Vվ)N.Y)ZJ5qrÀ}g9T]ӤBgHSlW v0\ K&":{ 3K`ϬwޯX{ ⊬#Qpl >x[ D`$nZKNu6ջPǿxȟg*2JV&sE[hX2tMӇ%1 d0IOAaZK G}QA 4h%aOHk>;?}AGG b@Sh;_PSY"?#BHGZUǁo^iK2}\ˡ^yGC"Mp’u#DMeVk[% YC#'sE\u>5L>/#TSuIad NvFs"-kH k[]XF -}7TiY%mv;'~q+f\*~-ZK8/×D#ɲ߁cs P Xr1egx؅nxL&q>"t爛~SYW E2x3İSWt٠玨|fTKvnłDE!P@ Eq<-R/*85>@lyYe_},2 <9Qv( }>|zj:o|b εL9f|1z]ײ|B+wYd%\94g2<o/Qۂ6f`NT0[KGס(9C3!2πK[¹OR&+$]~n Ý;Mݗȃ` vH}'?lc&bMU& "fDyltFKw^HWN'J -wc']˨^A4|!0B?ن:QTmo%^b*n?*LHpeN{u.E _z =~SF>Afäo@pס^Yq| i1| EQ^3Vho"XxYmRHn$6 L/lQn6ܫd) ,TN&?cq w`~=#o L w˶+UX>7pVnE#W%}n4&y6*(rz顬^d߽aɸs`dlds]y_$_fJ^aRpu?<hKpݿ=P&]i <3De\c#"7l>oeA1쓀8>ѧ r9WffʩP!@:hLA< "'7MVyIr0?wFL)ƛ}U!3q!M@%K0uJ Ml :w_Ea3F_kstSARM=sL&cakrx3eby6FZW'w(zYX ddCo͕>AI(nfgF1$vs3l[8: dPƲ5\&OͱD:d6Ch| tcM~byX@5q)z )sV4ɐ+?*y`-N}ڈ'L0ZS۽}{9 0gWi`e\EHfN:-u#ѧ2iUSn=_79)ˮ<)߼=p*o{|N9gar>l:v!ރ9? ŽH5W@*/P1Uom`ןtᇶ@ԭa 3+/F͠ ܌KlD;bvZ!`J) 1F&X,Ғ2F;䅣7.Ԑ95ڪ}箞?+ ̀][a3D/Mag p+eV><5b("DF!D J)hvtцD oE,NRH|co 2ntP@:%4>v;b*Hc% BFFLzzS{ Gk +6j#o@ae$JKEt~,*\ FzK 5=4mreƒd8 sQRvq?V GU q@R(.BGi)MjUBc?UۣZTg~7S4pdO5#SƔ;)8}3hVmCgSՏ{G\zxD9Mt^Un䨚J( yMA)dz5 ?9_b,<~:1>:S+ʟ1?bAƨ3ACLxl}Ñt%aŧoOTy [ ;Q&N5"͟lVH^   20*K փ9ц@k?KPXCue]fZSj]/WF!;i;/jV# ԣtQuOZ?F5M-ޣޫ%őVXrO7WɪchuѦ5m/f!7,ѿ#ht ­Hh$w4w/sUM<[f!{`Ě0"2B\Ht\MJ:tr%<[^Aɵv-bmçnE%PtCB!:. FvAazĶZӥzt,Oca_xr:ϯՐ;-w (J'V}*i*!;9 4R-د?]A|5+.[ Al r`A". b*UId-AAѾ,࿭iod n "yP͘Jwg1}MB4u6'~G<4VQ L=F`7:z)柡YxZ::!Ug4 5 m46TV8g?pdds,kɉا2{ўвޏPtےJlvp \2 ?'2le X`-\QV,'?}߱1L*3X]pIŇ7{e)+c^I`RW~LM 0`G&ȿ<vG08[LjYYvGW#: $'z+; ӹi\?AM[vC7sC!DJZLV4x޸.ww?r0NɁAlMH[) ^4轱%.-ii%a>U%lvʪ{Z߷!xn/$콘"|!&+⪨@Qܧ2a&h'tp_8 |P@N1@CѓwU!lڙ1W#fDMDVYͶ w=c=at3emBaRTN>盕 f;N)[+ d86oXq RbxUTZr\Hӛĭ3ZyN7tHAVml0SYy`$2fw@/\kMbfgd]-eނ5:GYoTpvw9 }1RwDU]؏f*d?Q柨(04jNer%z) Rf-ȡd_T!_ ǀe*eڔ@I\^ vig ]fc1SGg}KjgI{t.͕m(zKĕۊvnRt{ze[m#2r$@p(98Gi`/^κλU6 m- {v1؎p/4'CNJwqp{~Y6D$ϔTI37Uʧ\ P N fq0\>[,FPA CتAn ]!= Kl &oPXEi3r8;JFKǸhi/#0.ɳ@ ~H(Ph0oVmw/r9n0aj0\f۟V߀T+t"g\!|a>8eOo%f#ӝ>9x2opcL /y* M^ԎN`WfwY"5PI#*H=A0wTp=ZƧMG8pLB;,]"9G ;qlm$'ؓ}-ٱc}MWlR)^j>qԕ(|p ʩ26WQqMH6tU@D[9w~ƍj9xDDzx/ _0ȿEOH-N:caW{ٗʛ.A8ô>UåvӕP٩oYo& >9.U:c`g3]G"> S^(on|@idxbTSjlMj! tv )T͠U^hfuMbJ,q.؜W7d+=HD5qykݫkb`idf9`+Y=DE <OVUE`Z2H'$v oG6ӈN2|rؠ HB~`2sQbtqx+!K[Qe{v7HRuf}(ǭ,0[S+\ɍT4GeW1 Kcv:sw>fNf8ù"2gp䪊YCG)LŗDž$ .nE$MT é]e?' MOǑCy W=pp|AѠ*@uF4%ɺ*HnBoix9qݥ'<WtۍqQ~ɔ'\zٿ'leH9aa}s|vðIzZŵR6(9{-2H(%k]cQ{朧ٲYb㳢Zckr V[L Uǻy, GKt8_D`Pk -<4yd&PQDmkeTǵ͐oxP꬝.k,T±EL1ӀH3s o䃐rl-~Q\jaKch=* -#e #wA'%eT>uj-vt2]E+sptSW)g,#|02KDotQi1zl^1SO^6MMY(^Ǩ#+WX 6*heHi"ˁ/`'ocoԘ&nr)IoLMc%22FL#''I/x+LP'FcHz[ö#Ѳf+56)bμ_ʱH]lx ީѡ٤-\ݔ;Y3/$FX z̾bnB&'=H9B1IG`֒zab+<ϼI6BCu~&~3Vv '6;1u:}j.$h[)f;}yΒ>'gϱXؒz ,%ZAtLdohҘ%FV ?ҒG\Pp]c}Вwy=ZGpJ>5;W&8D6 u3g4Ύ.r7Z}9ETBWxU(N,_:/q$Hdr/]~E)#$VӾ~I@?BݰP?G^H !EFP8C S!/V/aL\"e^bc IE f۸]96tT,@Wcӧ4eiJv|-mkXf.yzc&v;NEL] uD_xaKvš+/]_Bh1GƏ]?^NE[aȺE4#ܨٷqlhġ{myzL7ߠR"N0zg/([c%0Hμzt(h`f}9%=,ղeʷOR ]XZ^?s($#ӈW'xӜ]+VK!~> Y u"lYc=2GKszQ jkDS^T$ut',uUStd> UT;Aqo%Gpi0Ե__uDJU@% %l~̣DH\QFȱ]wBގ ;? R 5.m>YۓUTԘlxrlqK/bj">L& "@'/o^KAzM׵wNL$11P_&d%hbΕl!/XUDw/O4jGgOb|wtq2v{0qnk_l\fל7`Z® 1P˘+6#֍efr@*ڢdmHB5y`R"cgLNZy !USP@c- 19NaVDUpžAbM4b%>7 3ܗ>hJ3zuxȟLptbmZ}=>%gV+hSxVKoj'nV.-aԬ-&IgyVޛwępC`X],k4z)vbO 9z;+ ́8'g`LL%et~شZWWNB&eOC\$eD"x%*`'AL .M-,$R+<3ES 0o)odJ!^fҼє5ӿl th 0FZxd@$3~lMKM:͇n9^J?5`R8#SY+;KzЦ2& xř5nvN+b]A`be%G'$w [ H4A-"{/٧{@ d&d}=t;Đv4wo,)],xp<x,WѸ =42׋ 2 o)$ OeN,sC+(SzF/] `5kdJ>dՅ:AX$0#Ld"kb{& ]> Cm^p$Q񌄈Ids ܔ .h}_}!kBC^І3nTk3,'Iwe~#`01AC/$h9bS~(5 =E\@-CE"0N _0|ցsl*/tv[D9*_heK9x\-!Ƭ+M*%-^C HCm`涄R~ 'v6"q]V̩+<҅'COIs<ܢey 3f0q,n oPnis-((%`&wt7S@tp= £#*ܰG-~%_'CضcTҊ$ec \O`Ǫ`p̎'CNK@5_zRpfVj|FD.%Omo~,L8PzAj]KLϘYj۲}$SLzQfBI.%Ok[fc*QOS]$-- VB)M˵/}^cTܮ'2la!0oC N^ 9BԎF-jsp4S:Pojf#~ 4  `pˋy d5) _KC}Tǥ@W$A^0 `c\ Kݼ' i+iӺEbLmN%|Gh "&K'Xx"m D"LJޓCJE/ .!9sYpRի7뜻KSAAj@"~@Ko T\x=^rp%~i3|? V |uh6[!"vdI䢎Ol/R*]kPOWi PvkxỮD O,OG:1dh#K}Bm.*xM~LUo1$ZUQ]Sp]O<  <`m=0q`t8vHW Y tP᝞Sp4_feUpT*|i=ާ,OF%Pu&saL E@-39WorA+rv};W}9fe4~R6#fich$[qLAY;YV眺+ T"KH)}0[-5!·@tA͸Ll+5j턢ލj)GJ*pLs85&]Ջ& Z/yFtTHľrRUB@-:_ZS˽QK;]b%!V~1԰)r- L\4WVk:Q*Ksz On@Nւ]az}WbE܊dtj/n&ua m䊈R9G!:t7x̊|{ PReqHenq/D+OL/tw:TҹzNa/'OX*3مqǭE<|_@8LT/Nq,^Fb JL BX$V,}\!?i!Р 3-ҪRHåʒk d9rSMc4wTQȚDU< ݹMwZ< Wvh]oߔs"?<ƲN5x-U>ۑM8L^iX mݔps7€KYa=*n=aܹ6v&%iLJmZo*fXhD!MML^@>Cpx}V;[gM|L/1ۿڹy6G O{ lBO♡ڜ6_KHUGϯBQ%5G6axrf@ow)-LQSR2e ޲$5 V!lzmfZ&~C:k(|Fr@ſ|'")oY"}Mئ$dӧd緛#Dh5 lHT2 OotIݦs>8+z{#H]ݸ>z301ȰFX?y gX_q3Q%޿ܹ޿t,2^`y%O==Pwqj'>r(.+c[CK H%I`'tb{0|ncpx.5FX/B'ё>3ێwݱ3V)Dplٟ6WHrZ#%(yYPWq1N22w3|Po ޝ~r}~"':w cAW!76Y"òM Z WvTQ2aclNRs\6վp^0UE Xx%D/YRG*(ؓP9%Ȝ=i+=.hQpѰ"ׂLў Vc@O|fg,KS /~][sZIss iŧF~&HH:954O7x"n6=xj5<h8P):ɧ8i0h08V>N {AeTmcck 6! eWfE~YB9bo}K|R@r;-@:0>ݸĨasz 20*5 !bd?u |SU[ xu9u2WRmO$U+!rZ~/X5rlXsjlɳх_w5IG~ܝVzGݻ艢)Ä A Ũ-qB'].X5.)FpSRIiBFZ s' Ҁ*TAA{QIje)S#9g 1cXG =gN@-quS5.*m qQja68E$k zhN㠩s2Cj4EX dYqYg1)nv> '#VW Ponoi:vCy,9@kЯ֌=Nxz\^Z%Yqiu !:+[B!h?dl9Zbj~ š>`Ѝ c;uL1=X8`lno(aqCM p #**-kzhL)Ӻ _J5bȡ[18 x0 ϓ0l­l.` 'u8^6/"`Ϳ2@Zb`DD@t\hK􆀕΅efBo*3+BCqN0d&irmXcIUG-*γ䔜)=kq.f-¤6d._UR~jE/#!Og#V= 4y`Ix§LOKZ% Ղ{2ï(_gX+gNnyfKu֜r/"p lma[ QHnDQ.?)[*eesj81˫ϴtqQ&?3 9eټV\Amp ~D?ޞ/[/7, ɂʫϰw򑺔TIb{XB:Ө^\<%I N)XfW"MT% S>|l+2SQP0ډ $ \'sTQ^T.9i&/M%& *C2j*Myrf&̄kPUyI|/ʞ]ۚ I v")c Ih|;ǚGk oSqjSxMCp#F !7 =GhT֡ ^ʑ bކ4l ш -XѬd͈v #_H(<4͐ѓ `HBxGx_Ҟן Ȱq-x#,PgHrM8$6:8^ Ɯ0Y+r9eNE)к0IMa\L fRd.#JgR7 PKڊ#zabGv榈 n{!`w9mkR-Flwe{]iK.-h84!FxSʵ<=Ch CCrԠw9Ct!vN+Nd74m|A]AQ¿'kIpOy|J#Ў"kċd2vQq:,zaFK`>V?渘OoO[iݠrY4X;)$G2y5=a26GK++>[NE_ðZ;~}Щ(RJ'Dt/- =zV'ʊ ]}Wk(A$JI~k}TbQenyf#ԯ9,>yքMb<!01p#la=X(*> ɟ~Y 0eߞdф@GwN+U9sb_f< ̃.7+%2ќ i[!('\6D陶9kIqxʹ}[td13* ͗4mrMh֛7⵬%Q AUz4FAG4W<*$5+6>ta6(Nr8mŞ~`7>QKd葒F68sM àSkԘ*‘ M"TPB7/FJf 8JU.@ZW"'#@ЉQRXjKKi K' 6"5z>!}o[%î0mq|G9X8bDa*!}&_<}"ᤵa ;rP q=_3sr-3\ Tc} arЀ,|$`lA8]4Ĝ7Me-Dm:|H=zTr\6QMkC/UPqx?Fw+o;" 0hG."O:OCw\ mQb0K6٧_|c~`E)_b>Gp+OࣘG(jJ=#T<({Nn%: ,RϽ\m ?k?RO'0kR}t)6z)e7eq*h|-=\!Y<\9مi,X!ϺSmѭ-Px53kN^hؐPX(<N^AWxv)=G-I:֎ NoYVKT\9r(k "|{q$Sd&@JbY"3F p[k<D2IkGA:3cvT$x0Z04xqn+ H 7jX9 G(I#22ǹ"PKuHSOdl? zYOh3o,p^up9Rtpi)%zk(^ _Src"H)ks2X$EXf +Khɟ[N% {\MӱRAL)!e #1*HѪۃŌ@ 7[DFo![7^-3VeB9 aY0yj]kP)O[8$7C+z÷Rn͘2hj]Gl.4%*VG>H䵵袶@D ZVf;"õ#" VfAeۗ4Ʋ؇qa<}x"SMӍVF5 BUi tH`슒ыVp3csIeYihO?( Wgi;A@K)]7ޙ9C 'bcŒGL] <~=[.jwC2%BF! |.0c90zZk'9HCkWc>\PV9+R1ÔɞԽӭ(OE m"xR#GDfsZ)!8rHg8.`5wbax*#`2옮o^AucljeTX)#ZQ^a5\H;XLuZ/" @)N\bQ\+:h7r7D" ѦG@avsb#fdo+=&ФX[/nj~ѫt˃<~nJuĮQ4Ḟt~eTlchp_.ŕ֚l]jnXv8ÈR!UHtx$gqs3,޲‹ٶS>cqk•уzU Y$Sփ8Iwz.K"n24dtZ_dM&ss<>Sg]b+Li=5wۣR<|rECiԀ'<sT i8#@XG+Gn3L νˊeg`!2J^|NK, 3al|Kȏ$u׸;K w{e?ز_yE~ǟ#k<#~7Ǵ<,M7#\\\4ou6wztĊ@_\a8>܈ MCpG']!ZwrM%|Ci2[Zd󆳉b) by]%M\ϚR*]IoDs:4-IF#Aee=attL;bthPP tҳ̖)9Y"+?b ^\S%KB_ `_YdYtlK#dV9(ғ^ͼ~HuȂ8zjsײԦ) wgݡKBGBiK茡 vk\I2_!P%Qg1B%wm>A ѼԔ_!*BrGLwJyO2A^Khob sS%1գ!յ) (3SF[9B0\"!#Iu,ozS7_n^&°4 NhNEjEOC6ґ~^814,[?'Tk\Z_L@ΚO;şgVP! cG;=}dy v/ukgX%t޿e D ]g*s`M1|n$Eq= X 6? KܰuƊ\:%rrMCg8YTؒjښd>[ZuP$591 :m_GL樄e<8?}߄ $cvw!G0 )3R/oZ ]9 ~Dam|Xnm !bGa/ ɑ:e}튥} ~F#F9c5( _U]ԂtNmB'.к\ۡ\+ԟX* eוՠl6Jl.stesSJ`ґA] E}Pdb@|)G[|d 襚"؊2C*SQ^"30?-ɗoW5!s@V1'А|ݰ~:hcd/ۡQpat?Qꤏ[!*h|u]]8_kskT|1ڔ o u%μb dO|q/~,QQ <3i kg2 TASڏ|# 4 5RT uHT7QsщĒa"FASKȪwUue7PehS"tT(Ҙ6!>zO${0(کOF6'| !a \+:pV1[6r´ cq\b"ݕYՒBphme1ӕŜ3U|1WhFi&OmekL?䳨vxͰ5o ptl?/MvP fAr *9)R0e{==MlBDPZlEH؉=cEB]rkfZ\2iwU$_me' 8dV^ZC'-d5O˯&ISF./VuߟoYvC :雪be>!՞V\ZVQ/8V_-M*/^q 2L]U&ϋm@t( &_%  j]'a,lKoMi%5/a*>\nR@'vneE*|"W; fD٣]-+ P\}IQ^gO^Eo <96z<w[oXVCu樢oq]}M%8-&kL:oIbp:-QCB'UK\qĤ*S3~_bf it!TF 1U#+%wϲ%,Pk?hQt8霍w|9 7.X" L:4(^HN3Ja4r|da.%o-W 7.<ҟ=\-0O0"ok@ t[M1ڐMi!"^s׎¹6ؽ# &h0.[gl #Jy;c;7u:g./vRy-ak {]Y>0SyiS*M;@P>eTR$( #% »G݀!p*qxԈ<++>\uyѾJއ7DPT\ Kj Xw<3)ʉCW -a2%WPҨ\Fb{KvKXQEF-دyTȇ@R:,hNReI%SMbRp!׏6+K^ CLJ!77՟F(C!VRx ЂOVPw#Į<$&j±۞޺bA_qr{DpK>Xko|c hc:3@;gz97=DTT`m%{c '-sfbh`4鷍`Jյ9j%a?;U (xxVd yI6]ʪ.iQ(ݯֲdI9TeAXsy.f>9K^4wj(V`UN{sCJUկ`^s{|э:|Z3u*D`E gwPX<{a0'D tl<ۍ^JߏuZK[R{PR"TyژL)PsTx3Wtx4OqUSxEc ;tY(7㹍f5'Uɡn$KZh> 6yHɗnXw 6A_&4:; ݓ!l8Yl?yak3A397,n$'L3{¼ZsI#N- i@w [~L[lB\7mS  XnLYb]D7.92L>?J[H6Qzxn뼪3UeQ<&Pw5R;4> g=R#==I;Zw:"*`2klU4;mKubv$z&9|yijîCgpb}.߆lz Q"lԞdKVUĿ,j _Vq2SF|l.nl uƣK4OU# u!N M&cy}cT :JG&͊s 2}{nJ(,〻HzAQW%7DFN`( 2KeGq(HRv^Q4(|8> ylJuy)C2Q⪾J ~X'Mm׎141Z\?feB9ź<4}\xQ,ɠGkhFwԔYcy yʿ%8fkpH6ҸSE\ _F%xk:ȠÚpYoFصґ .m^."25t$E,/G/"^.;'h8cogMGzuGU%f#{fYFE lG)|^-~x;p_쑛Ҹ3/=mR)&=? K1y6#2^J֠7_'WD'232qO&ٽ-| g+C]y No:8aߣ^1'Mk<*m4C#᳿ekjЏXeeC6Nhsז)L谠'~o(l6Eug q4ҷA-Խ$ (&@sP9 |KJ;Ӥ—QQ~f(  $QF>XOTT哭3Vh=kDbצs(pgKj9{ QD$Bd#l_'V?9*갻Oo_HZŖLd(_Y0b۝nq vscΌj=;!}`/y-o$>kVvj1]>']rVu A.-]c=4aWHTYUAVZόcK{[}Z\IuPOUZ˸V{NAMf=!V̈́f s~A6Ds#96.\1g2j>1^6}x /.v0h,;j(UEd /&:ĸ|:C4zIr$8_tӨ4J3y5(֮*b${{/o(w`<,X|Uد+G0Zf 'WO+o(lp؁*)8"!, b'd)9^ #GAsY;7fPK+L<K_"#[2swk:*PKq9d}y W]|L9@_:sOFa@tT4C3%gXozoEcJ&L i8 T~st5қ%1]Lq)x1=L=DPu=|M'I?Ad pE!Էӳ6vV\_kW9!dU^3 Ntl;U '9q~Z(V/KWBNHǠ OK"޹\^| 3:@jB.vVI/ğ^ %EEO[Pai_ۦ }]QYK5ʂ89j_ѕ8QIչuR21FouFBlŗ \zN?G@h1E!GҊT hL8?6!AJY~%cAvMȜJ8d Ih-`b=f}sl0;v~!*XQ  +\7FW(Bz(nm@1cs۬%o|v)E.ѓ%艦}SiaZ*`[VƇGCN$lƱk(?X e@t>E h df_ z_h֡d`}s=9-]dq{3ǾR [BU5nHyެ>O;u+tTM@=Kq1RK[C\܆~*j:r:5^1o%h0QH7k i?frCr-,Z,(j:1[VKu /l76vřb%l(?2/IʶFfOMWLټiM @ڤ\浃 X@_ }Z! (}/yv.ѻ(=}Ql=crϼvb0nR & T^U*u 4sZNbwlaMrKNiƗ_ !RBH1V:,cdOQeFabyx>EPPKfbԽ3K_ ǜqJ!9$( t@9dUQs8*yo+8J&O>,%(%7N .Yr2P)^.듘(L_,ju!yˍ-W`LRyNڽS] ;{ƌlypԍX4 l ʛYQOr/l"7p;W__aty['ڟ4 SPp{Dd7ܻbt)M~Ӣ|6>dVaWg( =o{OpfEXLFяZƊ} t\3`T^2ϩ}09Y̫>Ew[f́rFeFfy$4-bY+*1"K3Ő }UwUKRNpa'v̼3&VXsc7C4F+:DqN(=$ ueu7Ddy H:l9*<@.ѮI*-4lB^^,po1M㓿ڇja1F3P\&H7tG(q!%eY@uBFzm|yUZ^j KC,QJN+ CciR;BwY%FȣHT8h쵧l8fvŸD~#hytcQ B^;<<7i^oB%"% Z  RJY@ R]2ͺ1],9:r+lM4on{S,&:qM#uC7^k㱚<9^JTB[o9~37! B`WriTkY[=qR ?C%IYHO9' gy}Zzl!,1~,E>.4 ͠30qqY|u>a`^b͋b+G@EpzhM5FP1ƈ ~_h?gk}.pdBW;c,̒A~fи;1ܖvw,Eؠ`R;CzQD3hC'´3 زm:H?unXcpdbW1x۵V'wٛ&"hP:{}[r]0ԋ"h Mk.l%mV|}v+ >mRx?yڑhJ [5A=a!z5"&]HifkuAf]]=;:/%<#댫LY~['$8#?ũa,W'!)$2 圦\Y- ڼvϮ")8jQHK`o/A BɱMɄZDܲv OfHE!sR+m2zcoKV'bQ?7?{.QT 3_p&]A_VcVSbC#>|1,I 8%%e|cLde)CU,VIp>RK[X:)!-j0`*-fpMK'\Wr xaXggv:UmQf5k!G+׿c/y@}UI oMTÆfwODP.ˮ: Z's@_-O2%@μ"`797+rd=g8y'y-x9ruYWVܸ mAd5yWP9b{s#ʇ}#8pQ1XJU:8ۚpLǬH9\ˋ3wg.>??\ء tvxEz[al 0AʎC9q$DJ olIt-^'#EL͊T0wu[Ko~rʅ~~Zw瘞Mf9ۭN߬|Ei9NnFWCHήHVWn1x>\gKF8i1^?.W,x88Nj|D9 Bɲ CY&iaΤ`w3IHoIx vQ`)?mbr!˓&b7"d;W4J1C>6&ۿX%NiJҸ/fŔFM-Y%)C6_M59:+9C#4[+U|O sӓ|EcfЊ6bXeyU\RxZ1$2޼, "'R|_>?>72XU1[\C!¨+Ę9ӻg ^fK@O9N/\q;Ts>`@J#N4Ǫ̔K䘛M(u]U_( d-9(ou}SUѫ,X!@>90pyky"WTOQ`&z.X( %/blAO2I(ՙĉdn$J *{$>$QOXz,1flٰс EJǷ9{Y#fnnQ,.u`bQN-6ǫφR"6^knL}p -f^$°5-*6KM8=嚳D{pCM|4"لUjItz~l!L#LConԬl"X?vNJ {*c۞׿Eʋ`}5töοqCʋyc5Ǜ,=/Զܣo p[&JuMW#Τdw.kTs4IړE22KD /;43*QeTꚧgrԨ iV@Kwǩ]F GcbV%wK*,Kl^>1 ҥJ%_ݱ.[lci/NsrDPCj'512O*yYQ=}b?ڈ*1aE_q9Xڗ.S7yN c2hNB13":DQD_9S.kG?^53+Y@՟6qR Һ-cS/BK`*ջw64ը-{JB% ,t$eʴ8CQ`lwpA{L $Gϩ" @F,3zތSk³h$7B_&IG0o63mN=vY!ӍJ>UWfp{BH`^h\4_dgG7 WZz=''U=J>q;::` w{AItEpG8nt8;h Z=-*uj3cT5cb nڰ_k.@\R;XaZJt ]lyɄD-gEp4Ko|wܮ:1`M&">Qƿz!]$RᄻT6ݬ/0"YFJ%?h-T$͸hIo{TTMf:PDte#n~68!. yq*r4^{'[lL fTA; 7^=.rK#Uƞ]?I;R껬/BǮf>i玡I>O"_sE5kR ϧJ=XOXlkz$b"x@&9M[ŽQ < *N ')(naJ4U'nQDr+Îܧ\կ(j__]o[4 !?Q5eFWtUHʬ]+Ͷ@p9fU&~lJPL/NpNL@D7FчlAA*$VġL!53xx,ȋ4I=l8 *B݋s&Q^W"Wj`)y"Qnyr[ER4- &"R6gdC" dl<2?nBH-`UU%ut6Ks 3@xq8eCfzǣbF#ңBO_$w;׾^<_j{C | O*#W"W:=þGzDdBD6yIe,*50e39y,J8ÅmE9SϾ=d&g0V2 'ƪkdX>D,__4W?<jjPj`G0u7S~Ai_8D^O҆#ѿ2L?̪ &!*E"i8fEՐ]1q'I_NXִxqqcΓĖR[9վ5QLyQ̀U&=݀\:r׊bXcXb@{M핣璀Qӌ~[ra`V;yHJ !$ԋb"%M&Z3Jpy\-<ܛdCtgd\ͫh@@Rծ~w[Lh \| Nj/!(Cv%JQWdR1 Gnh7K\))q~q:wl#jݭ=|$[k{*:vmҤKW@'Wi'ݫ],z>3>3ڐ0 qFxq'4uO$kg7oM#?y~G5P?=sHyCQm&(A .NZ_*l^SƓ@K'-Q`_l%k"ƴukJb5rH<*NmS\۫L֊k^%;gP oAc6_tݱ>~O$~IhM'[k0N9h){9bMmFB-y"uևHߘG7Ī ;a0!{j` V$pcZC`/vpϥʕB>ypze{i< Na*tLz8I"z%)"e8_x]o3+%`wUl!`PZLVo/NE=ϬnW0 tԟ)a\\[krޏfVض-d4܃3WydB 1bSW Au'.{eZ޽+3&PK:Ǖ53+84\plm1 62O%y*+#k"N)@>7 QMوbœ!/e0;v$Jz@jܞ;;N:E6:@i_ѱ\-q38諣sEUb]4=d2طZXeyr`eMUQj{'NO>0)"rP86i~=HAh 0c]&c} 7)nZ\nr74Ng!'N\ xU` HQ'0~?O,࿁"9YnUCk|[O8!+*3g\me1Y]?‹N;g~K7=.M1ȃ7h)/~qR&>4roYXcw!{ݕ@{4hNr2Kfћ=͟aX%W/rn-A*oñ뛿6tuPDH%͡Ƃe7wGvhf| nJ\@^<%6<%v}RJ>=Rnٌ@F2p$m˯Xט-2Y򤘸 Gr2|jɕ6a06@8',y;%(W'Wi_(${}eG9x=єM;L 7'᣷C{E'BvVkýx8s`Zexa/NW]}3iD}f{꾷t3Cp4^e[ˡFrP/w풊/ %cN6N nѯ}@],p1P-ii/,| jS>a5Ls 369'?ܰGVP}Znչ,Nb G-_w! gSɋ-%Q3IBYV*eeiFcDtykNhmxɰT\}{2:5y<ͺK]_%IN[,==[2[VBvȪ BV.d2*\x;r!zΦ2__&?31/}9ƾo.ϊ/=R1ySp#[SCd!ZNĘs>_Μ? ;, c$s1gEe{خnZ.0رzyyTk+kuZphU;RI熙J`f*cAa 2.+s=Ci4Yr@'*GwK Lp}M^ݺ.₾SNgG^n߃QeAJTУSY7 Ou8Ŕy!"|96LPD$,8Ǹ4S]߰k/ΟBeFuxFU{s! Q<@O8U~^͙\'}ȁnH QgԮ'k(WaXF:AkK;G#;ԴnqΒF|dyV*B| WU+xuI%2UhmS+&ӶqjթX$8ist/6`:]b~#\(H-_L ٗ6*մMH9Q>5zh~a3;)xqͱfxm'\FY-v})TÐ*~_saB2% kK']${Oa)H%4!uuKH 78ZdY_RG l/.-#ȳQ_c5)@_.=IeK4jrIa-ep(P3p` 2n'oO5!j;h;y|Aq+Fw};vr!uN8uDO Qǥ#)$hZ|?eu ̓R Tb{)f:BlLɀ<9jFR{]Sg]=-0J'P 6h|X4X.+\݌v> į 2c Y"L}$:֝~?4V8yۃ܊rrř)@:𓯸dW?4!=twlXEDc'xGhlɡ+Y8g/ nRb| ;t+[W3wit‚Gћ1AzAz__ C%npB0ۍSC.cPzŦ)3'63k"YTdA'vCW}%,xh}>H\rG̹zJm7%2B29dꭾ.h^qɴ.I[\ZV`@h"({39)Vxg,F( M5XTTz2oBh-jt<LˆطsbA-' MV[4`IY؇%@CUj@saZDq7 w&d"`zYlP(\㳬70+嵳c{ )6u/O69%"+lߔ&l%ZXo: O2pZHt=ڑ =fSxV ɳ>pE=uN4xS\)~Hle >BH| ,&F!COVXYSo$'PYzXf^4-+e uuP5_{!/̨N }(,vgM._ ]{:Pqh-(Eb.Gm=3(Җ,yGmfd= ;`rT%q^+MjᇤP_gjNu/HFSK0~hA*hgS'>6ԨXavZY`˷PyOgI=>/ I M6g~T_ɢS8'[~W|fD6K=Ov#BDhBGq<؇̦]v<_d啮iY#Msĉ?2bmP1WLtektB\|~LSLV*lʲvxI?E!SAB?+HuĠwCG Y4 =e*г郿gu33q䜧1K58`plW~ђ/EQy/Kx..~*jK@_&]l!՛]e)3sZiI\Q5'kVENݴ8!g[iKGVN@!kVYW6*gʏN@":kVa8< I}k2xY?@țte~77.@>ZØ Pa5mL>v,* 2C$te#~d *&!e Ը/. s({|>w’z42."lMQ#93S̑v$sII0y5Z.PU7 ]4BCcʐYA'4w)vyPcIc#ܢx-ډxFMa%gXmSlŨ/ tIyksߒW(t(~s20d]'lH7zGG%"4b1}w1~\SL6dfZjĉ*osf kst6 &hdJ(ѫ]sP䧐(ssrB/aN0wqW&/9W3F e`\G2b)^?!ԍ(kQ] 4ܱ˧V> d|˦/N/+B;7>6t_*DEF,<[D&+JAL'ݛn鲆ٻW;^r9E&2O_X)xv[Lt , /h.'iLck4 3!=+\!ʪ!^DүZO8M }HoYL^oXXX<3vj$x0 *˓Kx8|P&K5ro=ɐ? M-o, eT0d1}˂=:dU+iV@D~'8>qH AD INe^֪UNr<Q{ j;'3>]Li{ "7q#mr7 9鿏|?~4IǁVgۂʨMU\=eԖEr JgKH`KM—d '?#K0=;"rPnlIDRfʨiV'VRjըw a}hX smK??RΌ 3]"y 苷pdL"A?ǸA nZXjaO0MICh!߆cM>j9ppu>s?'Uf Đv')ŏJTk[Pi,]g[SO2&؂;כȸ8;O(w" q]RL֮Y.&Ôw@^A(>`q`s?Ae ^!rkgKK4Kuj!N֓,JezV]sjƒ 8TKy%1EBWLWޢ( 8'd6u;]F.0ShzCU\7Тɀч(Di*ZJQ C\OŠ`rqc|o\Gǵ<,}燅Y Q֯yoWg<}9Sv7L4F7<W)ZhvHNYfq$ hìG񹶡|'E=ĒP'g\\ᓯUsy΂ iWh=piFٺHոZ#@uEp%Zj[ ӯA~eɎ_[)%+;XvX,ʾJpBn1}̍ax1x&/wy#(Vpe@XӅ֏`ՏE9bh";GꢲeI٬qyW؁!["j^e ՐͶ|Rڸ_k1=5/.XlVϩ4ճR]Up;(};7w/9#aĭ2@cTZo a3}-+/UDr$a>b Ld;B%U_a^ه+ J-:7{{Yp j)u|0JI "\ y s/ϓ [ǥ) !|ɣ>Jq~zyj<e܇f% цјFҖ+Ǣ8{cV,2?><H#U zH|z4;xDKƘ:2M_|Ib`${ܲOgmWl+'>B?,LfaQ7p%ݿ(JEfPdܱ-~A&֘Qg#߫gjʿl{a0Q.NdG9˩jb{I sl Yg-sSRU[V{= 1Vc,(45?[DP9I_cQ"edu"uV<4뱄sh8?c9W-q7#֗bV YQFΚDV?Ĺsۢtn~G}My-zMwSbE-ʲ~\.O~a`Aa߃ mvaK4DʎO>UҐo;$XݓYT|ܷߝo3G* JpЬoOmED7t DlY2ϒʤ0i]'IJ(9Fv\q TKxΊhh $/i#NlH ` t5 Ć'<`1]ft_^m<Bl;^g Ow!ZayɋΝm  "_`p0cum/CfYv N]^yM:xX$7`PS@S|zy@^΋xmSnRMrOoȼ9 PgYs_/(溋"% X!2y|-3y MϋJc :,ÍiKGG)/ࡦdP^5b[蛟VE]^y]VOV;/q0[n_S2+{ S:ؤ-T(䃝^ =o ͡ʌGAO h[G)ed.GH/ 7! 8̤+=AizPA|ky!2YX'_?mbf,~뮡OrTI.*5+wc b0-\^mf .W!i B啛r#:l5HI%vn1A<7L"H3"n1wEq /GV g zhlkHTM8Y?1B b-O50GʛBf(S'Ѩ?S{&LS̀RJt 쾧,A\/j -Z{o=nٲK28`tVk'X^^7Bo*Q27YtBR)wgAkixӒa(eLtfB?jpOxk3UDc$d.IfVaƙ|^iv |lVzZܳe0ov B> dA%D蟃'=m'@5e\Pւ;gC>WWCy#_A0L:JnZhɿqj¸d#m3,k(*~u-I]%K6:Im$t*BWƆJSy=|U3D9 h>onD)]`C*`iwL%]̙r–mRo:eilN )hCJ߅ߤvx49/޿8]wኊH|u~qM`YH IʂtUgR[zR;}c]Qv@Q 21<1EB$EY`2ZLdάu}'"VY7uY௧b:G0l YTnAk-HM*$bgi!:]Mpb vx" ,%mwm{*yJo}5d_ضd٥NH{}N+Q@{*FT.b4:בCBL2=ye~!74l{Hȿla#Xc6$^X ZW'e+,h-H576 }tr7βfb 5Sz~M+rvnu,oqs8iE!ApN-u"@o]L%R3Zj{D>&8Ej6 & n- w >ֵ1S3)}Tԫ,pj*)]h eugXD'ɂ`TmHSA8KwvmzqBxw!_$ {\]GV. 4h(!#? %=wGnmJfZhkP%w>"/$nK3Bkj\}Jy ,>)RD0vQUa/v+-iS͠z4Ɩgf|@]u~RcCJTk跁X0􏉙@8+=j@,TKfj&tOPmrF=2U9m,TkչC1+E&ȮaӊCoѵ+]܂,S0m}3E_'q>vřKaV,Ļ2CCP~v҈ ~+[6`tPMwS-v=7!s0.z5:Y$`G>ŔG6AL][C$:[>o,_G2!$wL+{!A`<;Jjf*]ggfp_crXjP[P"?TϨc%1fpxmrJmf8t>9QLiO!kׂA7"3h~,/I͡Mu$rL:Y!X }ľ$SPt(}#*V cDGv#:!xAanI`s̵2S2&yԶd=6b+X[}U-bE&CNZ;[$SaPJKސ`'M4R!eAWs#!PQQ {ש'䉩b7t\~Vim;J4R[HlV^ZZ Uuء !X׀~5Z+GfF #CkM[((n6pT9GnŭfMm{^k0&[Sxsӳ\se"[ N*sf'Fa+w!FX@?<'-%ەrIyA:r]d\?9uv ,"9Gκыoi¦ea/?~ln٥YW5 PP0x!PA88ˢ[%qj/>Tyc'[X Pm#3`3/KKjDYߺZO:K@q:mtҥ/e$&9?F g$s5[c ¤d-_EίX!ӥQIˉǺh@||}QA7Zw/~0$&Bd O߻; q݊6!>㉁0k9z2+eEO?7.\1SS]:$ ,vb`G0èeQTT'sjGІ5I΀ʢ2]D.,&i.7^`|Ǖv,alLl^9Uad=OiL1rcU<?[5mvXoHl=My(ogˎ\"V gQ j_DAn!%vZIQM[\8,L?)rɐLu毀8aZ7/ O(,zchJнDN n ^@᭳K5t8 ߔ1X"02OAO#k3hGv|$~&4-Zb#2Q\⭾Ё:oyabC:3}G2/{ZW m]+uhdN~U4uI@Hqlq$q wŻHa|懭hyl/PTtX];Szv7 jX4"H SlnHd$V.N$1Wjm,~8 >C X76nLuTZscQMY]Hi 0H} RpDihS _RhqmGBU5)}V`Lɧ(X(dR/HsA *3MJW#m.{l(~{H p" 8%h˼A;٣J YLZ6>z%h2|OpL b hb#ᓽ<}*p7T5 NEKPb!DfçjM B˜ @G4hgdAS P~^p0F;O ĥC/v%]s-`x-K\ϲl[Jx9YQ_ߟf'9ĄA ڌ&G!~ "<bFB=y|^8}f1s˧$m tp0Xi&SQ=hNgXަsK=oXbZ)F? ,I =n}k,&;8ԳzHGcLu#A[@OБe{^H&U1r^RVj.: y" YlPWuVrx /E`͟ Hy^ATیBA]мGPw;~C kV9zCFK~/ FNAa֡7 =nW3 P /xqy_%r,,E5fKx6U]D jp^OMrRr:Yƙ"DWUTUͺZ ̫yM ? ΧCڽ5^2ԗ4we}Zc`$ϧ 8ۘSvW!JG/ߍAVĠՑ=(l7ޥ!5tȹjh)dޤp#Y΋Q߷JfE !]Hy+l}%dn- juU(OzoMWjr9lt,խ_f9m#-C ~֘j;e`ۿ_ʍrj+C"tȆfE}IUl̍. 3ZbjA`c"So`zmR'fZ1p\|v~S-xr{tR M?4~m"6P!gIWaMWZ'ZRYv]A.p:9ś;`uŢ#y"kBA>GAKi|`lG2G-BY%2AVw)Ú֒{CH!7T4uJcb:caם\V `=]υi"Ƭd>u+(V[:ޘM79:0fՎ[K(A**G٧bT[ B tp}ӐYxy0s\ڢc(a 'B^I y]T!mIⲒOù霏Iuv872֥ ;,{wx,1BJsPYلx8qbf~qiܠ~zԭ[?)d.y6,-4YOt uΐ޷ebHYC>3it\t6>$Y;"@ pUt^6ƨ.j.L.W[c@jpOh8HC><[h/h+E1#>MQ4?)wG{ vشӹZEK5 3 D11њIZ{k.n{IJSQ}Β@tSqRRt5FyðB8aA\<|ud}1=FBpkw@Bаi^݌o`i1Ƀ;vŷY9ݓ~KT lDPUIRܓm`OydƺiP/Q)x ű" / 0t1˫Ȋ2;wkbN s?9Z ph`B!?9!5] |EY=*s w1ګ!LvQ)s>{ZnKyעrtOuR^ hbB5._$,p88Wȏݒbn^?H ZJrh{E =gxdg;j- $l冰-كNs@4o6.^vSN `fv̈)zŽ҂5.JiP2%F߾(u4NCCq<'}:^m:8mX/&=c-USzׁ G9v!i,r# 3f1d9E!HV ua<ZS{8PvGbL% A:$,`[RX}PKMj9H_\,%Tp,$LFꐣȅQ:9(~9h@CKPH dftTĎrQ_`fUXrkvA MK#rN+V]=_[!TPbsm7MRlǕn*L}@'ty }fcK({~$TZHLXs{Of~N.~Q°fyc%L Fe禑Aѫ$769oo$Ɇx^Ϣz tVK.mNaݝvsK *R-676@YFYɆ*r7gˎ8LFpЂ 3i̛ OzQ:`C>Ʉ4ֹ^=yÒB| M Ͱ|ZmψdKςT\DvMmd fj q'ʞRf|l) O!NX0:)[8O_T(vQޞ[2?sbssS{/ء  As^0J Sa/t(kK{L*= }goX߭& +C6vHh\lѲ7n[M3%uHU αQl J^ž]\6\ 3XR{XBƁr]~>؉ȣ1'W+IWV-g@ "+벅G*G'Ƣ\dJŞ w3lYjq.Fu_u36tUs;7N[5Pͼ n_턚BeTa7ϊ%֐9 IleW{<72nWilQ[I"/#2-.e(VX+,3: lN-@ u ޥj[ HvNx_T͛Ư90 =ۿ(̊aH: T@a$DGɳHoH腨O#_O1y!$׀w>/ W`\7 TtC^ ^*a6YP|R Z }_B{ɛyCMyIʏ'sDW_j)**n$FȨw@jՋQ^j.XM0ya C:qa86^A*#\M֐taxݸUQOzz+|F@kS(DԜm ShQ @MBOlLO3Ocd.+%5f0g~@D9!JyaCϵq6x)wz#sm''?-]}MM!D_orR݄}?-L Wؘ$mگK*+xf%r(n_r+`1e E&_r&tEגVr/b2]awݧFBex3ͣz1RVV [SRt͎Pe좹oaRWZJV"uwO}V[zJf?U}(H="|Z/` 6ťD+Vx|xax8~jCh̤S3un[|.-}:rs@[+o 8 141cVYMͩ?l_(J5 K6d W.ge-n^tI'oT7Ͷxpw Z0̠anbg,UThPZ?n7p4i|E6tzv+<ܝ[eDqad!4mW3e_j$;! j t`!e~`04}x7y lSn- %2]5J+_оԑNv6]\,8y-<1J.ˍTsBOQn^@c᧳rZMeC(~&duh26RbR~LշW34ife!o+?CӍOX|WQ69$共@[h7efڮ#wQlK`9N$JN`(3wA05f [C46ܽOˆ 'xm?M;(wjC" UZ ʃ_B~5s9 6Yt Vu oro9Mm7n97adsD5!c$$cZ|^#w8J]Ek|[ '2j_<@N/R;m)!kWBg3*qcfjclV2@4>í/h1.tшTd RV)棴[D<6_X+2lqv7͞/OZ錴{opJMiKfU)U=X#K&Ռt(z)C Og# '\c<㐼i}}@pFqF+OQ/Nu=pĉϭ0]96 BKbXJ;{^"9ݮQ9BAukGEmىJ΃ŀJ+[F -΀#Iy궗'S#HN^h1A( NR/@%ݲHsm(eJŸUR5 L0Zb K\Eهe> +<&rM7E/_[^ni6+m_%UIfD=o<n-0sR(kf_pPp3h+=Y_n1BJG׹\4zeS^#~$"$v\Jf<`پlԬ dzPM ޖiK>9B^&<{$B6(*a{W{vq9I|6 oof5wO+6Oeq= @ul`X~DXgxg}$ L4US슏 `V3zn[;HcaHX1|ZtfBie`@4%W>˂PƗO#)f|T|n x/:Vzziwa8Fw9l"2Ip xH!u\w|  ?V譑<< (t3`fwՠ~JvMo̟?4ʐ%;;rVt] 0P:3r* z1+聊t5q/Z4Bvń+to`/fE'nrrB8q%N=OɴU!d GDOcE5gV6([!g lRژR Sevk#ȮI >UM w&ߙeI\Z[PU&,OLIݪZΫNԷ(,W[ 넯_Z28K2kSϾ<(U8ش7;kY/Ƭ h4${G;g-\u.Mf *dUeSC/" $]G)2Qj=x?IA*hExI K[k[d>ߕW/hZvZC-T^ټ /ZNgΠor(&X$qZ KGa>/C9ҧl[2#'"둃ŷݔ|Yxl3C˝sҷRǀ]Cy N"GOjz-2-ָ,E341s`J8ArPϭCqJWG|7[qr?Wh֣-Q eck䰆 l&[JХwuSYJ#"8 )\Yw*[}Ehb؂Eʟ+֨{Ϭ-?J-'hXfNݾ5)8 ^dΉU5wf]la<ól*֓@eEN.r"sɌZ9A0Xp)j`,4!.m1aՇ{qꨅp\TĬr!Pql>v[%f@MH2]h8}j"d%Ic)fWy.`p('mH$˹5:Z` ߒ:v47G{;Sk:6MNJjqPeՀ])K>m+V:yĨ۞ߠMx5 Ժk~vZiR,&bLЧ硃*q0#;&?~3 T5DvNniw;iWvV-|7뒀iErH\(NPzیv.]ᔜ#b^) 4,]pB-6B߳2?(#[ٝ¦9‚׷s#J8r^ՏnZ9Ay Þ?L)¯ݐڮ9^7d\%"&4@t$E&xf6%`;|p4fd!Rv;( }̢j7& `@w'֓et ` |-VJ%:[0O*է [97^аG͹d a&D2ZMApfK?DWNIJ J+yh)㻟+G(J-+v?om`^B<VFX]1%/4"#b6c`aMY}' [̊EKXeq C[11?rî A A "P%4K^4l2 u JpΟeqۭ(BRQ%~>wR(sdU 2Ad-fjȼ{g 7wCUHh(3@wL>d, & 61`p;ÉA&T]us [!Td{ʁu-p'`(ZWdm X{L#@Iy;^w&9EEumH@_Z/KwxnQFX{*)]w -7IR&3"tğso8\'R"`hfx"9lDvN 7ZʔJicj/55B%k^$87Wΰ7y6x[X:{dM7s&oA>#/$i)+e|pl^(?h)fJ[ txDQ6+ R{i{0n#$GN(|Px!*9mh5܃'5Ϝn0$2%{[L_*7G%FR G?i6SQ-dq3x0#׍vuljbbz *}mXp=A-lZB0u3{cdC7\KD{sKVN3 Nf9d3Alai^>US=x:=e8)z'kEB'_eVg{-skىcO]N}ڤ#xٮSVs;P+ڲ ;UX["z7q5pÙ,Q]>7p1 %.n{҂tSVuPuND]jrxS85?vuyצ*Q\Ңw[b9;7w W%&>=$3*&aaӌ 4:H/EsR׍հڇB*DL%'6 EJ:.frb7 |$ƫ)1H{-:?|yDrcLMƼU4NU۞nif Fȇ`&@H(dװIu5D4 :xg$F^ =Kk~(9~נ5d\r}wώ9&OwƠpDJҦݦ%=C|ºQ~CDoY9 } \,ȍڔE6N# ,, [aÄU?`dΆJ7T\<*>D,"&%zZ"'㤖wuҢ7Ptf)lμU\֭ґW|IɵM$fU]uЗ2쫧ֿ90 ?ٯ] u:1 UQ5HUr|LVB";O94T1?o{mh"߉٢ԍs0*@᳟R.q]G&(Ja7ouͥj5*_̻t( M_2suRz0R9*^$\7 f=u],#+ʎA$Ie#o/9@Q‬/uu}ΰd))p =y66yYs_A^Ez#`؝F~ow.+ UvK&WxF _YY,]Eg˷)jǫxI G{1]ŗ[z(\Bgj,@Mވ&:¹{a&zbHۢg[j5 ml⥍ D"< !/Hg57)e@;u˻3zs_V"J<Kaq|Cm+;;1ȏ˰Btibz䪰K1%ku![3׌7L, >" [] ?E! ml4ށd[}{Vt,WoQSۖK3َWt CZgHՀO`lx;=W\ ?Zg (M?3TJqYj?!+dĈ pDk|65n F,H % 5#ٙDvH{XWD- @h [*$dHՑKR ::fx~*HIدጥ ͭ!`~wNдCFH_o̽\\#:S_>6);1{whfٵƔ??xcBVQLLJMAGTH'?lUcNOy(I-[3+Ş^S\رa 2V SF7]L^#P)Y3%,SaF| v7##>]e>y=91!(@/0[3X L(9$E>KO]|BV5ӓ$U̟r lM]@٠!Gh-pnBcoW5̪>c}2GȮz>,On{BBa.䞞^X"V= n s˧?+@>YPO.Er($>vdfHY辊 KUfaDix r&YL_ ,~Թqސܮɺd7H-kPa\ۈˉ,]) Zw}$9vn$p~@ mԖlj b{C>?a͐ =ODS0Zz̤oÅ7WAYsLz0<2 p+5v8L9 -(Ù.Zoyckr[fߪGKL{h̹# 88fArTsb8FJktl~$6 UH! uA xj|$ w`CevцO:bI}I'!QwB'7uogYǟ*&?XWJQe\i ~ %8e=xKtR{[ םMJ[×9eB9Τi#s{Ijޓu"<󙈾AjkB<7f@AZFbB^#r8|C #,ܑrG 5#pzh\+QIc{TES `"Cmz(z` 0Cc C8j7+=Đ,Zc/DG0B v3 r/pADȲV[iܱP*bImb0KTػe3!Fz..ډe `QHvglxDZvJ/>krX.nwLܓ; |c!c8qwxpH?͖~֢Wn >@lRXֱh|dTO;B׸<{FiP<J,^GS g:$fRRU2 nЭ+?]z܀ Gpٵ3{I3+r`&:.Eگ n6&PMZfqVce{f ҲwWT6 vXFLJydzYGP3+(* #Z r/ː|HOx1|gԗmf) M:$m+ m34 >zVёq]R4c*|$VUZoF${d3I1sBKs +S+\=MyKw2$>c| %X@|/N<^w}߁Z.wYղX5Y]N}1U8N@" u}mtR {sgy+,lmUւ.\j9H5n/i`R}Mt{ުRI㥻-:y@PNof .Q-{m|q׸ȟ^.uS'o^ƂWTf&*ەeQ;G>]Y-u{[nu+?} Q׮K[דϟWXb>[\*@6P͂O(O^ ʒKUoX(.ThLJ ė cfa?^bP74\60TF?q9~,$m+Whmѿn6'MdV>bҼZ'A}C䘚ߜ^V"cRMVGWЈ9b2nGϗs4_0p,:7 /mIr4×#ps72J F&eDf0GDt2i-tD#, ֓&a63B:-om9zO|}ONL%w.R u/ *Yn?3 YGcac*"'zO ?8/QJߪݯ=[iC^%5ʸC)#|at\O6P1_ 9E0@>_\U0"9YWCˎ+#4iS+6Zv7L2ȖL=D 9qc~v -k Quaʮ/@jbX՚i g3p Jc#^ Tָ>QkL$;Uy<жm jh ްeDb\ a#qt(9ڼ;/~7Ǐo6-"&YM+|zu(z'st3Wx ĸ*]gePxy|&+/v,WA./`Rt? VB<f9.%r׫bҍ6ܒ~s`¢a" *tg[h461!NL҆h}Gf[ U* )_J3 :Lwm)D%:7sƓ>qvEmN@9.8b[Gɒϖ>H gxѸ?#OxC[6 R'#{|^ά*qLZ{EaXMtCs:]P\4 -L]=:&qkN -zo8%7BN/%"6qT]8vjwC`"qڤ>ee~l( k@kدPvgub-I^FS0O)zQǩI]/vʷW $6n@RSwgͻreO@ *f<:<іL q%I'L޼Zmsͣ[a 5*t10MNK_=NvIFۇ/FwnϻdH^{3G'TqmݹKWqf S"QzbА;P`="KfqPIE+ I,IL-kKExswHUV>ޟd;m& uIGA<S!LP/"5^'ĵ¢G! 9&Xz%XET&.iua!>:mz*)!~Z dE;"z،c VL/p@OJܧeVq-NRTݞnCH{ \z u uqR|ś SXIkpo\RӲXl N'daYWYXo,aoS @ͫժhT,$5&b9n_ts@y)^0'K :ABW)MHnu[< vWWYi1WEQ7qS2tXU$G5@:Z;d$1$yi+g/|sYG𿻴X }56! HsQۓ.7Z+j`UM];}%B1.J`F.7'Ns Yd[Q2B 9@W }Z1G0 R1ADd ;dx=Y5^T/FxT_XQJds!01W=n;ӀCmcJ^$r{Dl[Зi 00R`쀺bpur &,cV6!tܘ.$ѱ7E>m:!䌧wt> 8Q*A~.?ݶ` l BA@{ݗJQպe[_1u .}Z~n(Z,᝻縩QGrBh 4yA1%@w`sBሆt0W Vrқ70: +Ruu{chrS3NKilFe#hbՇֳ<e^f'|*)R];v,Ri$^faC*a^14dؑX jb/Wsg\qLW`DwIڐ䛦UA!vsD"$sYgv;*T+[gWtK# kE*B& /-@75n펖E3;jx6 b15V䊣By,ge&C⏠\ cHwNt%3#gG%pw2P nέf+FܜϊcMQŤn\e~OdˤyrC,.Ucj^n/$ v&{2l˲E561AbnZ|;|lBntwɥ.矍 !2g@ UokVoea2ά0&DyViSq{fa={Z(!/Ν!UlT!mD*P$mS˶גb# -0뎎'-D5L]qmhUҦa m{QM=ܑf7"D$6w/6-=mx!e ,?sA5RY.n@:TLn [.st%9Yr_­{ޒTXi"rwUj4 $vg٩z\UKԢ?荲(})QȶꭺDU՝ JZp@@eZcg QL^ VdlqIloϸۗGҰe8?t6ː dĉ؏{-v+1_amHvb78"Iv@UuqLAaP|)?-N#k,JWh9ܰR6 c'RD{bO fr! d9Ϊ%S1-_bo1uνI n"%ſ8iu2WZ.{)i.CoE#m%[W?mvUy/ly~+ZqD긤^TT&s;[PV{*FPV}Z}iήKai/Ҍvdyƚ .*-:+uVPcE$,H$hw>$y.ADX <9A~Ma=7I K%Y0gL`ɉⵎ+~½ O&' 03z&UQ$!&LfbQք%Cƙh{B BCX) s!CQxYLK!b_b|a9pbtaRh㫒 B )ͫ)s@\M+3^.ը4{x:pyh!m76*3MzTѣOױ7*|pT 5ai OLߺ3_gLZ t{&o"N>OA@8v"0 dICp›n WVڍAK":e+"`6R,wsae,. #[zrҞ9z_$ A+J(]"Ɉt*7Q/@~+5H_-v@M IraHVEҩ~ x6% ~PܝI_1KPbʅ+nYނ\>52&q:' ͎_Cg> y w $-zs&B^"+AȲI}kUZ茥8ULeOLܵH XFp0xk#OerCY6vl:m>"2+Yox\˱>OR2) Dkvy7Z#'U~kg!.qC79@/vz$ԻCN}.::Sf Zn=om:ڷg(;R|b",`2 LNemf}xC:c]_fyJJ]Ns,o2vʟ MfG `:N& 7Gqs;R`adݾy|:aDhtDț\Hn6qѾQ-7w8'p{G^qSo6)TyZ II% $c"%DXh%~Ǜ1Ր'.dR~2 NJ9my&Zs!ܛrP-_= *@D_h>Rr-wIOBXQAd\Ba xx}ԐAa^ܬНũS`U L,[$`G*"_MW᭠/9Cꊙ9-M +ٸD yC #02A* UTS[ AIpI^mL($ k1 ֐܀J]x`=|qھt )P5^ QJt1jD ^({%/~tk# ߕKó(1Jg}4ГO**Kih&'솏)6JH@r>E^ClOwȝmuZAaWHKڙe+! 33CI p-?!\Ҟd| [sI>H!߬儛uc!w] ?;݊/.I.C hR: qt^ک-r.ͰBrHjE0P])/g\OSmnefmr"͇\֭FeK^lUDžh:z_q͂euH(`6NfFPdc C 6UdUZJ 7h3AoZ +̉th|ݎQ,;d>I8Gļn3^<-.aΚBZWos|o7ǣzȑl3C ʹ%+5tF{JD+/-+W o}t7z{,=DztZfx%g&"&K#oٿ9|rLoku jEE 3֋OOZJO0+rE}L23}W6f$5R,s;uq7bUjBUm>#Kxi$luMfVҧBHRsEBf]S%AZQyD_;h bp9Vp00w]:$W9fZEβ26׮[qŖ(#B_Twѹ*܅`*j S97CN>bm&2u* -[O\MO/ zS}/50'?YEk$a,uZӸ{hyv756:Ҝ[jLk@G厫2R8\rC2Qo~\ˇI=@^!%d> 7bU*.ʢ.FR}.E#S͗4/Yo|ۄr^ײ+YU4֧?9kvب#Ji>g__#̕ ۢ|Ep5tBhYOp7Xo?CC uëu܍Z49^ks{c_?U,qx3"BD#u~ d ת>ܑ`/Fa); r:y_!}L8˔+NwQeuNPE&=_f Oelg( TLN' ~9OlSXQe,R@j Q_'51DYC.(U 1ZgKܾA]q:"`{d*] $ *NTa/"G3&ü/O-Q|pkZNlJtXe뺡oP]BԍLWQ@O@Wc jQ6su' 溡q'G4J3| vc3c`G@XDYΦќ n(A_/$s}v[()Wq1|tg)tEsIKa(aaCp *?YIVl /=:hȿ{8*;*:L-ZrwпXbX(kl-_j4$=#Bk| ѹ5߃cmsAUwT^l/@.s,_]z m7/V?`%˽VoLKt ֡MT4k y'N%{c\ѫlNW bwDS r']ORph8 UD`r7qK5G)_bat$(Q%ԆE2=fYvٯ.5#%i/*A|]'x]%)60zCF%4q|ĕ33F+ z7#:MnΠ\ XN]O d^3 .ķV/늡#ywP2*8X,(Q\ΚT2 ހ+FBz)lw"w>QXNXh}FPwbhq -i>[5$3W@eY:Oc#ذ͠ XxPVw|nz}>>p=>^v-s{\7\^٢pd :4vd-C˼mˇE$bw({YlfG4 P!TNγX8 ^L鱉y/e G D{rѱ-hI%~M>4iK4 Kܶ7\Ɨ6x(7\$!L.%o2zsH6ok$,&!_xWO6|;9K<{K!d KX pid5 n;zYz_gZyJnI˿$e!vӎ8xlN.zg3.BGq1yDfC͟]I"߃pjѪjď`4) +X2>;'C#t/UKuL)C!ʒv N]1xSz6@0 ݔ@ŏːkr%{5z1/}6: *> *BT|ybnIˑƐvѦႄ6Fؚ,h($#_śb sN[P<tY9tʙ7 >^FA*IY< JdqLe~UYJ(;q݋o'eF[xͮLZ/l2ѵZ+.a*#Iv0;(+Ʒn-"|fm:ۿ1z^^@LD>3k2VEzXx)8zSs}[zbf{{,ulZXu=V%i‡pUGCk0$"94w s{?g~φ!aN 6kaJ}EV /rD;uتɞ!.ZWˍH-"$h+*>OXVzigX<4^V|<_;* *xՙUanSkUӰ?l/!fb8;D;,?U9D"T΄}W(9Cªv$2G̎(]r vגxi:mVTbHM\^=#呙PB s=1<5BOvO pfZ-BNO[BBrRw;M+=U BFK@æ*s=~lcP"Wcn5 gm<+k4-<·lq83 ]6/ cRx*y9ld=oЌuP2Qu B:1HD&]#"FMi\d_>3dr9"SO(#/qkXH !Yݻﻡrd7 +mCh섇%QE6_Nm$r6<$~tH W6,m7-V8Ҏ"0}>-$q7Gh'Mg Us?ͪb /]#!5"u"C}t~9?̏ 4i BuelG8ӡo~cmZH-y*{ ,{$?cM(4y:yC}r5&v0.̌C0nbĞ=6.`XCHoQ|P:{.TF;*5M G,r)9 N:ݚXQHQ:0^dX];4}k|\4tVSx)̢\r~c/zA%d7X[W,c`  󯣗7tBy&YDi-dfk '_;Il HHF!2gٔ 'H(=an2|Lp4_3 $EOYLg^{ެxRfhm}{{K٭(@nV;, ./hӄCluAd9&۴8D1] iY~jԄK@fH: $td]r>H~\ SR!L`UV0aLVipA(ҵ&N=Ӎp&nT0#00pIkJTnkbUt$g3cޏ@.'VLw= )xqCAd&pj#`1|s D1i ?t"vB{EYv5CbV\z݆Ea"`1æU틽gU"^T1yOkc7фܨ1PC+G*F;e}n"I=|ͭ*1ﺪlDdK}SHXCSiq߶9[FSl}Y9cFʷ<[r"< CMK2+$αi_`pֵf(mk9 ʠ ޺r0: VT iMu.!ʂ9:C;mRǤ9/  BMr;u=vyI FtH|7"&x/Bs6 1r uXzjxKΦg~ +0BUd2w]arh7X YHz.qlWt#Ch@'[ѳߛwJ^C(bwqƿFZ-L}ҞMBoBi #rɯS.[U @C\uAZg@ 9OX¤-_a,A ktFd wBVűGυwQrj pOũbRW6%P;mc2&MДw粸|^;V+b+:^=wC=mQVKiHr`5귑 |C*"O HrlIyc{˛:XUm[S KP›OJӽvM?յݷ+8QBI ]<g׋rKA6ThHdTRxގ"|{ 2qNU-6- )n(8HqŶBȺWf L'ӡ 1ƥK/AkO9ʤmlfTd&@dR5Aް/GyoWD=Ȼm2"6Vl+xc:Oy3}Z؅M"C=  nxоt~=j iAd&^EHw "aD4Z⹬ȡlXz/aI1gtKi5ƉOG#dSjvYː^sklKM#㢱{[`Ld(ƪf` S8`n}=ࣇV5h:8gwdsQWˡt3N鉃'v}8e &MRh]ÞW2$(7rԤeI.3`||hAeC)}ąs L(S%x4>(x{!%wN+"!'/k5Ĭz0iqSӦB$h6%Wkf[ *+\]ÀyXY}arSzZO0iNѲu+l J4-7@ **;@v=DX}{f9!ЗkȜhQr ыA?yP鰇~;/a)4!;5% P!d8m8_+.Qfʘs0PK@ߜiBѨL 3W=JIg6APNmtU4LʏAvJRw1fgj6IWKbWye{6+a939&̼:ņ,9p מ ۅ9#f1rwG9R:$JtWV/z7d5VVkN;捺//"Swcw_t,@cj8͙\p$+(5as*QDn: )n!A.G_ȇP.]AG"CkV,dyf!&7wK}d7%cQ "g`'j nv ͖Lj74Be~UuϜ.9¼'bqY~dvio(S#2tȵگh>շ;B!{OU 0/p;Ɯ")?VD1N 6d鷥%9 G7ZZu< ΄h9fSSxI yC@F`yIVU6v<(b@iN1:+ >PdkZOA-oaB.xi~ò Lͼ:5=kC Ւu|LPal:"ąܪ1yh[LӮ~O]^b|h\u&&5tM䔏u|cѹgrsxZhŇg2X+՞uRyT|ѵϳ%|Bh3F9e։⸑%_5zDDOlCJZWPP6{nhQk6WWNL[p\)3@5S%b4ϭx;#3rym*JX61{PSLԄA|92+/QjkiZLHZUt>(|62jBɁ3+MDuLig0 Pƞ2Gj v@Ptv'j1Y BA/OuIT"ө[}[MC8: HhSjz}6Ka:.HM* l4QP' +րxrdLM9ceKY UiW:Ln ,8"ət 4f ×8oΑ!'X+(hWٗr+%?#ax:%R8GKiLF'*M׺iڸ,5 41JVmjt88lͥq.H+ U'XF<2z A9^)'qHfDwe&D ` V́_ zFmlYT?UQnBTϪ3ZHUcǑG>ܥ+TY;b^.Xa̬|%k>h1 %zt0q_xՇvCT'Y>w.-%q8qѳlPp V qj2 YhhkPed}2w2`yp} 4E~W8_IET,9 _=a8M;9#G.]==~ؘ(͛ȣĕ&]E]gJlHyE ^#U Q$+s|, sh=5 xc⬷N]z@mB۱iJiG!~e_Qe5H-wD]r1(o^'ghf+-0p'gc9 l@ w\kuhҌW2gD w9YKO͐t?şpA0c_xVx9ʛQ=Y2VO P5=HrlSt _ϴ=%S_}{OD,4IQ5&w$JJ听$&jdn{F_[}T%;+ӰWbܼ.A+& 37"ёfrDjwN!qWdriSz\y F_JVu5F~DbXtĩ #M!G/Br/RAFk)} _[{mDfNG{LkV^1CB(:ų$6$Z ڎt81|ʱsBJv_}eq^7w&Em`c;Qs25n S3eWCg`>ɚ9CVq1~xfzor¸ãl/{kUG[Yao8uz316R=XHLjԋa~Ūld0/~EB(+ jlcIxtHL([b"ŠNZMA%ȭ V0q<e=DG=# b0Šͳ+"wTx~bp.*qIwgM賫ac"xL"2I1>Yă6V@#8~%Hր] wh_-\mPPP\ՎQ雉jRyuZv`jDk䚄dxn+]nsmocoJC͞z飩c&I4N|^j$'ph;Z_TVF DIlJqd¶o?!AY]e9Hxn\C5CTU/l6\ ܊&|`MEՇTx;TԵGfivty09=ņI. ۇ.jNf.\*A,-dاE,B3{Uod{:mbڔGK q/駂\(!SƌD?!$)H'tA~R¹ĵ@x5ZyFY*p! .w,w ,}>|2L(]Y޾mӿW矻a ϨPA)z[a3y9db&Q•S԰R;5bЁM4hsPQMs1P7q, гH3Ci qZ5 ]\Q21k%>hFi[l8w;!sp :?C888o}lp*rA:h=&FO7N$)]ʯfw03bSJyVnS قӛI+g7~z|Ǜ)ϻ# s!YsH*8Sn.k|׊EXb ŧ͵N+Yx898_Q:4̈BO+ u[4+ A$PZNϝSœq 8 =1߳n~Wt? qdbVvQTmFp(Xt>lnr-*+g*nNy~V\ƮT"$h[~KD> \.J$9S/䱭Ov,cce %ȡZk!)UuI\yl`tD, ġاXt.GVgQs?}K6\? Obi1JH3]1)y׃ucWNNYDJ|;>f%1St%ߟ<7!}u \nz&l^*TUW"9|Bk@fI߆: j1ä = Ē&'_UZhۃo%Rc؝3D D:3bx** kW_M?*"Qs㻌LHV Sh\1 ~ym{CbSQ=&tirL^옷i6ĚW6bmr}o^ sCy$4aJۀ.\J4 \:MX}7d-I$%;jC{QUuaxGNu A TtvBf;1HC9Hzf#R0qųD#IE-țBѼZ_SOaiQڊ؏iBONoyhS1G"Տb%(;˦RL04?6CiQkKfj#@Fſ^ jNGe&,Vo`ZiD@,|oO`Ʊ}bG]Cr 9,42і$6\d1ZXܓ}?ȘCq.{~a@!ev8o%☿KFc&r'HH),qXn z}'` / YPMё9Vp*aW n*K~֐yT_ AGܸ9RЬn-J?n}RqJn'a)@e-Re DjoD1edxi6|@V%ODz-VNqCYl-_W x`:/?t Tdi}5# Lc9ehH 4j\‘g T_($7FrC/. :nV-^EɼGF" LtqyﯧdJX!eqg膤&D ِ8"Ab(SkoIఘE([̈́ ${]mزJ0aA^" uՐie>E6u-,b]Ml&.[xfCi~<]R}` gPv f;-jaO.E| P%c =yŞ=cv3mWdƥI*uQDܣ 5 2~쉭YpN"L L҄HRNW6I9Tz>և Su^t6Cs'E`$*D,x)иoZ2˞e 93sYa9t\[̓螶c39=ي>eK]}&d҉Rﶌ c/ 丣ty` `aЖ(t/Ģ~{]]lkuBD~M>~-+w_`wXӄGy[Dvوwqڄ^k=%=֌7/ahջljT4 갞CVgf,ym }_Y9^`X]U(6Bͨ1)ZD}]j)ARSH"c5f";V}`%-YJ[9ϲTnHM ,;!_.A_X"3y:C~Ɩ;PE9_bv]Gm&ӫZ逶GT&၏DwgG䶈l,ta7z3=$ɖ?Lh~0O_ ,R,Vo|!|s]eT=WILY?#xЉt_~"j>549<>xx~ e?JRίn^J1a6Q&DKX '8)lj.d7£7rHҤ >6Gr=A2 oXcXCim-H-= Soo\@7Qںa-]2#6n!P `j.^-qj[oxbJ"ڑD oTy"':2$.=SNp3v S]4^U?00k\@8Ew|Az}^7EQF$YK׵3|}SgcYl<J0~2 JICߜ Am{͘(UUoKQ+h$ #Ԫ["`w,pauC%'=HkBOu]^ QVɝ>?yR_}\eZ ތ*7uDc7rwd kPM*Px5}C'q^ܼ,(܏wYIlLIԴuX`v1\& nbt5N+X ?Y:_22TOH0\y2E//KfZYwsl3jI؝`vU~əcч[u :,ad2#z FX09TݲFG!R(b G#ꍥB_?<*k'fw~AwɽZV1V:lR,'!}{ݕ ICy Ξsk0H 뽯oP^صk=f@s3QjO 8|$%HSΓ ⩞bBCԳ|ֻ"/TD'mPl.~<{ z| C=^Lˮr_2v&k5rD6,c;G!ÿ ́9,4K cUn6 kHV$+l0߳1 㠍H_ͲgHDQY!Y u&:Vt]x(k"l u޾\nMX$3G?<;o \&7c: TNQ$fl>A@F掮|n56vJ)=[6Qx%tvdf̹1dC%-y(# `($ndP\*Ӈi%]-ZKǨjpYOE7sʦf&:MS&iF>\9\2L Tާq͊  !j,JMEV@uh?n<6fntP.uƲ e2s26sכl^GZgEϝrE| Yi@k=lTsr[a8N*AAE~hvyIn62(.!ŢxbIVؘo NwX^X}@;!XTY_^1_%M:-_fqPK%SN3l|ȜDUTc+Ki:65:Oo雱<+Gd.{"[ jj>wFCGsP,KȁIuI|HgTYNkqֈ7;?0F3tfbHUu?H_}fCX{[(#q}@igTɈH-u9.ٳ+gGGP\˹j=Y[6$0Waf; yL#q.)<`ULE+ئOTgMd\Vd cߪ%Fۡ9Ӗq:5eSq"wfSm6rPI9+3sF[&/+:BQ^Afٿ7pO˜O0@Xw@ a}DhZURzoH$ CPvGfS ggS2քʭ`]Å/#|X76 dha{n&tL L 9fhmO\EZE;sc(F`pVl+Wڔ"b^AUb1A{x΅-R]0[~=ѝ2gFCԵ;'T:*fZe=ʰ|M Uղ\B0Xi?ܖŎ~2pvIX%6 2fwy V@V )@5;ؐ@}Լ}:x'Nx_v\K M!HW>}`=d!'1C]3F`9wۓwIPF%T\ɀ2Mi)oJuY[wT֕K{ChkOp{ɘ&'9\'D[Ačdߘq +RBvy fT >FèM'P bKI2{U 5w0q qP% ?uvCk6 oB$ tͽe% 80|kZdy7! [.Ў׋գ !t^GDE7fK&m$ih,w,[0I;3N*b'G +O#sShUgav:M P:6RVƊ٠'~RUH\įcG0Ӿ&܆qaV OM'5&2iv;Tܻd_]) apT@W4n+X J=%h, C)B1]7tDz%.NQe&|$ĂZio"qW_iGN;*יg=ڄA |j1fȘo6o%E\JĮbg`s -`)Gg04hV%If_bW+wlǗChc2b`C#{WլC~NJ ,0yQ'L!36)(54E`K`Min[M%CFdsIcٽpc7`gWP8 pv({:|ç*p(.9K/ o_v|t.S{J~7aOfee&W ;g)BhN"zT`4:4s Z_ѹ3V>`]1[%dt#jgD1oz'۩ jtX5w =! a0V[tb"|%?0zl;R.ԋxuc#3=.WIinF9A߱g +UϐJhB78kΡ#Y4C((h{{0cRQlD60}d T(B_+0yf (w4dew/y)zMR? A Q>Nl/&XGd7Ce|caL.h9|XwGNZd} *bdj XCqG0Ͼt%-lx"^43U|os90`o?ٽB^"qf}e5NDB$qv38|b'FZs zz\ jPE+gKD>COZ➡K>Nq"g8 %MRNj4la6ݧl*+tF{l#IfQ^shMTrZϻ4FFL41gqQ}jt2罵Ax1k[nmղI}ٴ$57 h̻8+hPrS+&|jp. RSSh%w=z Qi+UwZ?KiuaDHVlM>dPpl=Fz+;.LK + ޼bztxP TpS#<(sfu.5&r58-r%hx#N&`1<x_ gUbh93|~rb ɧMj%egkJFd&yQ6 _/6ya^v>I:]M&щtifKmMlns@7݁|7@4ff;[ò}@CMemv >N/\ͮ21XƆ |vg8$:v.Y6f2+6dk.FlHw@<,3sX@j߹jppBr|X #Ag^Q@©(IO辜ޏ5xu>$YmFز.%)!!RXrYn{/"u1y L0;Xn%9$ lBhC~uHWb9vD=̀6W5"NitCc?m|x1OlO#j/cV:|pd4)܃<^Ž˴!X)\zp%H96CXf=r oڈlܟV, ׂ+#²D,>6ܐ>_nH$;2H Q+J 9 z]@c06~1 7j(llND$/quaVN|_כiICC_+nwt/zn'HT2+B{lpQ vt#^Xb @n\* `/(LU(:H9e{0_D!78!H']獃q4)Kn-rPWRJN_5`%%J3Q P$c2Q 2(זЊ*iC*Yt &ؠKG S퍎%镆 GlXsJ<’)*(ti^+ Jtw"\ 3`.w}FM@LMLgzωRRzKx ݮe̲9pumGa/AP.<X>JPEH;(=^'IAa2HvvF; el<֦0!hR\4K6 kɳ59M x46Lul4Bhbxׇ2TpWNvpPZW4!?rhG5E\y Aǂ@=ڸ]((1I~縀7b _pƍ!+C2Q[o<Ec81_z`pۻ[hw` VriJ<7U06'ݝniX1z YrnЫ W}l+4ւq3_SCPS/ 4W@Ŝ2o$RXG|W@<7o46f22f|^C d@@ݙosQq,AUH *-\%/4{㺪'^8N} (P߀yTdAĶE=UmW fo X{ǯĠi`j9YCT9MSĻhàL":eA.ǹӾvᶽ~ x4Do´ih#5 L*⒕Rp *0Q \ ''7-ּ!L`<-};sTx/©e(ªVܝº|P!mD3 crI4n޾oY9'ҡ8 |y7N`HYӖ P{/ġ夔Z2yGAj$c7#<,Sgk?C)DòLK2TRZNGnc"O"+/x ^ON""@LxqGMsg2J}a.E-x蚠i<շw?eCVg:n;X4s7`%wX[Z}拾- SP\IɦM3 )n0O'X 尠O߆863`;fc@܅kՓAWk%k&5AiӅ-n^>" t!Ysx mZZJH 75RYyI4'46hfyXVg2Y[=Q> m'.hڂ@@uPUV:'MaUDrGRtfF_ ōʆQHgG+}[{<2w/AdKMFʄ(4{@?7&=p_ ĤIcCJ@6 8qq+S ړͤ!SD%|DP[ŷiEDm gEg(oin(/86`bjfđAF`%:ZFSΟ[k"]R&`jǫ$е3~E |%8-ӚTY~C+X*Ih >g/1i~Б.yˮqKʐ .Jrz?WMϑ:n3=2Z t?0X+QRS<3 ?߫ G 'Q*Lo*pz3s#P)D lk08;ݩ%z8>PnEF\oYr^"Pюh8#tuvTVO/=- )sPa  L+1%@|$rUQw OnN"\ta: xPV4Mׄ% ޞphEQQ{;WB(S'vlj lN!U/V4 txMlyMnb-=6+ohaЊ@RJJ@M*1CFKSGcn3ֆ8.[b˥:uPf3P!ecd#BXw1?Hd i$8.!X )!}yPd~?tgZŔv1iUSzyn@6/"PP+QQ)7GEI1 jˬ' o7Qw S*ntņT:B'f엘5!n$H B+Uʐ@+* v(ŸL̔%lm7k .%lh.#NT-T8›Wƻ -J9o[V\-$u*TUzNIʐ{fyK 99"ȟkTh8m18e4S)LrGD'sٽv Pä{>݁p_)*|hV-朼 oT /q!1ϣs!5,dzqK 2,).:!'`t>c$3Q*`w7TIk\x? (̤ހ&QItiDvgVaQ1}Z'D+ 3WZѮ? Hޱn? hΐԧ3C+.S1{j_B3:ע142fj4sul#R􃜟 a8/$O/VNN?غ`Y13<쳥"RX?Xak@N^ѡet>_\~>j£ɇkbn!Pu/pfcE`K'&pRJ⍶˨HOOkJ3سaޛ ? F&ui@Z!0ksiFOR`S=l;o \p?B'k#O`eYO-}; )$̿t&8ڒrF\Fc tY 9-t<1^:`D8QjI ATH6/FPa؄D}u \sMNp+AV.GX]{ŅBU^ |&gbև0\ū/|e0 zv?1xd,#߷87>\CE  S F"U'ä N7g?!I~ ;\ur~Ǜe1g/̱cv=%)hREhvȀ/82&Yg&x[ Ju^hsO:n1C {Q&B)w0GL( Ύ4¸H +em˿<&rTa09gܓ˭K d*AqhDx̃|+ܒ;t!C>.`ʔu>|Ҧ"Ev,ؤ*t{l8rb^sm$70;84lz}]_g+~$ch-Ŷ+.)D:MG{r+`H\kvrUFUhUWPVLVEπp/zhϐSM_eztY=VKiRGIy]xVȮuت<(LLbU%\O("˸3^* sOQrfw64n} %ʙoPik腳łb{0՛%c bL0=y*Êonqy/FENRu1i"?wϸ\Arnpek]"Z5MS ,L'_k{;uേjٹ n̗ Kv?9+fjU҆Rίp#o`yƃ_ٰOxq;{ITkmsź* Iۀ$Mu%VxZơ.9ij:$x,N3 .{Gͽ3T%ƹb2Q`k<ȶjv,ӭsYJ괢g nh=>0\ٌކ?xhvvxYj-뫥ȸMkx(03$yx|qm;s1S?iAu^VgXt@IΕ,Ka :3!0NK64 ȂLBsQ C 2#sœĖIӘ~i. UOڞ*(0&:3^^.^3G|^f5:-J#,N&E\c\;*5kHu.h ]%r0rh(>̡cXWlr%aȞcrSF(V# g0(DHwJr(`F#gZ fA)_">OZ-^V (H2^UMsn+R(VJc$F3Hi~FVo軃a}Emq6g(YxQV/͉`ID$;HJR#؋*G|6vs4q$ZDdIjK"ek,M%)Z~"k8Jj[Q[w#ܵ004B3UG%}L Ue3 -4 t]j,3 UQCO?=v-o UѨd\(}~g-?tpKZ yc29eiScPmW:Z_3o)`vJaj,z\+L꜁$y* 胖C%yE;5)mMdr]^u\ 3X!_rh oq0Igq#U8B]{Wnpkqs#@+iт3~;QJ$2W£!xsd͂4hkޔ%ܧ; ځbQ&8JwX"Ôe nOC"-rHGD48Ul˨ ,,/C6 0܁ۆ  x)j;ϛ&WQ]K{'l9EX_&p M5mX: `VT<+!8fڬx<]>T]Ub!ޒ+T;J,d, @IvF:ŞVc:s0lN;<*^z="kS4O9ܴE6GS6_DZ83P",M2)8`6!U[b~6JX=0o,h{~a\%ftH ;1sԵW[pHÛ4~fA "gVXUo2*i2i_8V=P >/̠5:mF#!m@Uʤ@C}Z.<15)>_p>hxmT">_ M$?0&?C!%mXtZ_w=f6Ä 3_`ι v+D ˯4g,Ιλ8 8}[QlMݴ&,{ƟO,ԛs)l#B8Muͣ[ țH}XBĸRb{Ӂ pնN3N]\G'gAY?=ӌ.{8&HGE^o6>ZDHF[ίM͉2Pd4Q07ϔɂ"G9%EsAw%U|9S?U-i\&,kϏ%N5DH*hefU?},#5VВG.^/(zlsfuF%-j%lի2ɏpzĻ8ܐqWE&$֡C3Y\, . z~ 3yH,3)[!i [͕5w]?B{/'9w|,v h4ȧ_\1_"m 4]u^)\T%L2HOpץu@% 8JxKYq\c#~C1" ~$(zagfd:L.if #/W1x!˱j^Nr}hmQr(?BlVc G^.^O܂NJ5"it{ל`b)|W[H|/T*eDJ,̤`u-XM} " 'k>IUk*ԏ.A+(+BQS8Ӕ]K67l/Zj&YIl›YjGt;9mV)Dh,ioR & 0z<"Oß:'mxBp`5| $r P֛T^CΏҌJ`\BI"j>y) =uV80Y%֫ ' Ս nCzP}DXْwe{Swgm3.q}QdLkuoLY>9LJ]}(V4+V)v5ړ "$^.{*FB[)K 1Ĺ0}Y*#_5bבֿjtZ1V__u)9E`[N \\e}fb]/JLJP7vfWa~Lޓ)y_ԗ&-Án,~Wܐb@M`,ExLv.J!@r%%' ͻw!&eald).mXsA 0WỈؓf0'V0%~,1G䒋N(ZAi'i_q.λ͎j 9)CV 2 &0eD#^;GS`ƥ to|nT^1tgEUr4fK? a;elV 0c`BD4uV͙? &J !s>˜u߫f;Gb1fN>&6/mϵSt c 1I 4.JynՏҐvSiھH6 +kh}_Ų17 e]HZ&fb#WV#e0)Le_ (!@4qq !fWuxЅȏhcIHOG\9'hJYW5g͜R6Bvov$R7|3CЄ) Y{0 Dcf멜4Ys а(]lܘH@wU76u++@յa>v\ꄦduTq낏 3Ws5?YqNo WdS kγgLUe[cdpF&]KMILԒ wzxN^?㆗9# qp ;I4rD$ţ1IeN#pH7܊ =rG f _2L6/Ggrj 2[aC?POMeEߛq0@FC+p2^f$ i;0Vs H:8?7UO(RC-)2pAѥ tNWT J& &>Dq}k ^ؘS^̘ҪˡڴӼi#Y`EZ'dfE) 4<(`\tݐN?bCZ|#6<,W|ጸ.foS!d~v,HYIU2xC;,~/eQB@ǨA9*`Xy 9wg[p1"a2>}a\u ^g_'I N0h|Ru5m }xMk"1/Nj;n~yhLeU 6hXlԛ6/„L1c#׎ô0Bb*2<x*s̑/ԏjQpPB`U mkO\)1ݞ,#vAe9 rMʊ)oOV>p4UG$*Y "W×; Aͽ9uSڅ )?gY{{ %CgqJ@I;h0Gq%pׂ3o/D˥ղ.;-H_23%OQfV>28z޾ǚL' $r{'$?:x^İGn1~Q[JPgYkUJ4 ފhZRGoeYZ=AnJΛK "ouUЪ[~mtAHN?R,%s^$ `=]PF?Q_S׸Cz[ZG.5*`ۋy:@Xc>LSs&CgY}lgݑ'hY)OasnS>^8Ak"7"0P_Yy *9v^1x5II.-Cd#I_eȷ0yd |~hcoDMiv *x-7 vx^GI h_-ޟ'="(𱁿B2P:C) x|'eb+K鉖^1#d fmc^AX3-+  EtEb@ϡH$ FLWƛC` rtZҾsQZM)r*Jb5"ȶ=(W4;Dkh'yB`~1A4.D|;!"T<ê6*F p{Q An*9(аC~۾q rw5&# ʅ<m謹ҳδ꨺}Ye2%.̝3P.}|pݱ(0 dBj3Bδ9$usb&?>7k=m@ulOWoA !WXI?)KهѹL._WKD!DuxLq6R}y_%#:Qv䛿b1>=^,AnO;riMMG*r\d'srH?5ě %(c$y.'$MzC|_>BQ2&5]×Zg?B.ܘlFDFWmp w6\z3M B$쳽]0 Eā2r#o8ܝsYB찓crAp*{6B0 .ucfro8Dd"T`OA P7F #ĸ[mqH YerAAkra>UZfm^,x>+@j$RF!mS[AC5ӂCcVtQsZ3} ~'i0%vX) ۡ)3|,:fZAS0ⵖ,;^xZ, G@л%lȁ#| HJq(F͸kYd=ڋmȘ:@rI{o&Nj_rйc.@NM!pt;19*",gePCcc9Wv 5%L8d ;dĪ(uB&{',k3UTmDEZIkaS@#}bY Xgȑ=#܍LQwobPeVq"p rѓqBI1^<3얍6`z5q<9>=RmsK#ؖ5<ͪe[!iYN,e×Yڇbe #k./I dr߁>띒-tґYa ̄+pSzɳ\E见z%J"!HI߻.W;P]15<aPLm10XtrOG4FZD=d|;k(ns$_={ }-Qҙ٩Et_+LByM2^~P?sX>&^uю$Q1vǝӪ\J7Q;J|X{qf1 <_r-h_Eg!KZ[(fdbfӪ|UTc|wAc|6i,q3TO!G UŦw4>}oE]F]QV*,?|y밚s?Cj%Ȃ4RDB~_* $ٹhgoGݾXx~:"m;ґSG7jW4AHn\ g5gjpr_2Ͽ˭7̯ y`8 }W1UClâDdciZ6ӻyMT̗Kdp\~>=V+h|Sci)ٞIV. N;?@-f&zL29[kSBm]]ڍ>p0 R}qS(?oCm bi7U&`O$dr;A:!\0%WwMþ]:)Ka>Bgb4`8.y`\3~ d) hLR\hOaK[atJG: a_`#Vݙ8 aGuefy($z%".gSq18wW* yb xJXX}_^}iO"Ql%5]o`]@>E-|nI6׉'*[(t^9~tn fze__u&P$MvB6I, rS<=HnnA%kSWrQW7|XG3ISRC[UҰGt4z81;;AUd$.3d o 7#-q8l~1ߞ9NM~^sr#jkdm)MāiYt 7W`ye^a{'cdmFMAT] gwԒ_Mtpq`jc~~O%V\) :!2+4YM >dvG}UU$DjEӤeیÄN i2ѸOqf>k YfIs#5xyy͜7D~-w7:”uEƖ` 2.5&K LSJ;jlлtEW]&+0<-R kHnt־pͶS{ JeZJG.m 냨 U׽+cͯuToљEH q$+~wugLEw3@܄,X8K5?,{ KnZ\љ` TNX<UfKvؐ=%Yv*3EޜVb?uv7 1 a3eʡQ6mN)&ܤ>{?ZI{N֡==&"&%s>Sq#E=6+g\ y(Y-Kz'횳ईÚ+3ƸF4HuI 9&Qu"yDg& 鸹3!Rs1w C@URkay{x3EwP|Fu$#tSz`^**J\)#J|Q -ÙPMrXkԬ2uKz{m#xT.S &Q}7*h 2^0w F?sN`W;7NeAЇyv$,fa$8 ",پ)6`*ş8ț󾺓H=jᛛƞV̭=W+O>[;}a"#e-6p|?xo ii!OgpR[4w#m@OJ]qrb5̨;Z 3 b4톟i5MSC^ NK!h}H@@'^iYZIڀНH1c[vYini6?kIRYލc KL}w^hK*E\[K& =@7ǿv~8BSTͬ%}2q'ns]{7"WA[:ސz7YaNc\0͐|r6Hİ,a(o #2t8vtGq46F埜ط`BL?.à:s;;=U=9Ӎ '[lh*kE<10 ;&n\ˬ+,c Zփ@R`ݗ&ѐvY/4szfxB*y~D~"̞(h܃r̃ȣr m{݇I,n?cg I6{z2"e6WCRW S}>I[~/$V^xT(?1A-ji #̦gFglTp(.q^|.ֶڒ])nT 1ǯ:U?&׷J C_0;~Wu.Mʋ3%mXzT<$f|~49+?1o]L􈰘FI'c=ed{yߎAiIG 6 3HVMZ/ɖ7Ѹw.R'K]pꄴqI~GNy[ےy/@dHy*6i|\+7A eg"O8^2x[tz5`q#ae:XZ+jvƐm =U7m) 1Qs')iW]"t& *fyW ,G7rHKkwi S9V.I5A]) %.V0I\w?qL]ԴxZ?Usbmy☻[碱ll.oN"鯝Dõn{4ubJË/ ޥfz}.*&^xWMTcn+78Ĩ"MF&1+i$Y#$iZt–\^wdG#D.obn/.J] [,HfS Y חeDpgFn(ȿN5')Swn< K?Υ&,toNn畍xoXSjzKJ t *e0٪n#+lV.{+!Ap-l")[otQH24^n/2;> S)86!-;F9Ii Bg{9f?jh wc|  0P6@N M$P>L[I L6Gy*^ qE)Tb`4l3!zhI GU!n ChN͠kfMǧ*gKhB,ȭXbO`oƿ^DȽlx$Uѷ72;Z ȤRJ*~r Mh;>"n*Nׇ+GrMW5twT @>?u[$$qmʿ;V}rka@zϛfH3v}AիivA'%M# ж2J@lfoت}hdwȜDc{m-mJoplf %<)>=ž'!\̟$bjP8am7|tϠK-zǤN, V\8m%q)2b3QbK8bm:F3=(hQ0!g~$?GqȠ;`mTFQye xr<;=Is]PNj qI"lw8-126\ Λ#N\HO 2{[Ls>-4$Ԭ-gt%yfoP, Y%+ orUKoރS޳@jLեTI.p%_;(BE̼lf ^i?kIMH ^E+Uzw8 䏢jC@yZq,>+[# N:Mǐq D>T͂UOj,!1Ћ>"{0WRO '#4 ZI u!L=KXPvU֎18m0ci"a %fjL^c$Kr(|7g\ jHsaoLVM\q;-* CʆiGs}w'Ryb 6[K@/!"âIޒ㠹inڃ04rS(=XG|ɨWQDCWZL kp`ŤJ`ͅP=X/i#z%Y // b5"ݯyVyBKrY)髍u*p~"u4 >NY{?D]g6`SyO':Rit!-md"yzS_-nژA1i%~A9ю[ZM>iIuc3Mwp!%!M}̽}FhԵ +7)4*"rhILr8k ؔ7 `qWk=bVIp0CA{evHxnx9;g%ߥ,Q <߸pNzdBlQ 0)v;js4,ra Я)G1XP!98\s.6\V^&40*lK]>kIʽ~~JӛpE^\3+n9{\wfp{c_*'?-W_cĎ.(R:fH?3-Uѫ7 n-I_8Il zQ MK:I1n|4_v lxRO׻i-jS6pc|mڏ|ZU .9+o1jI/'(?,d: K4> z9쾁%?Sہ+: &\6宜jYX4t|eΌ*/qOA-3;I|\@d&#o\ -V$f+&; ! k:?֧VoG6,n0u8Uw,IXzY]ܩ*B< K=t[YvԖ XEq X)j7m\2xy]ѻ b7%zMfW()[$Ɵ!O7V\n }P)jmNZy|!*K֛>B%l+.ƆRKSJKZ)N.Є 8Xyn(\gHvCXb2cȁ?3:l~S;Ԅ':`ai6=ehٍCCr` *H"4}5+tNNԺ6*%^FRDYغEaQPȴ&y*+cleggB^*[d!Bvsܘ#JNf<͚S0KٶM[8XП'`[^?bS&_E6͋;H1[7: yk$) J?ǦxIop-;w)|ns۽ZZ 6~ie1gr`5me0z$.a #"Fc@?if_:(%-?AKJlPJQᦷ2H(|5TYW0w8`jQ [24<'|:I TII\VߙM}prFrwӹobYBÙ'|L7~.M&mtdA0pdiΏV0qGH"hPZ7\w'#9 qw#[6T}C5tvc`W[O_az@ f(^Ay{Jz+nN5|QITjSu@GEfF dfHX[,WxqOT{2U`ݖ*A-7gCs%׸մLR2BۚanM-&JCLmDKr,̉,k@I rZZ.?/S)1NYӁ8 {O?,#J)o$aN[ =w;)s7w Sj*#ɑD!*N\PNݷ)z$0*xdBxO螂<X_?)B(Riߚl'~dD=d6NQdbV.[0 4î1mۘFJ~{<3yp*BbE|:NUhJYUpp GF%ŏ jX+RD(h]YпJcIiFQJ +SRQlY}#D+2?_QEm':0."yBTu1s#s8x ΄3\>^~Lm,Frf,\)㤝j둮+g[ƶ5!MBo+̿,1&l Je w{Z Ѻ{W=a >TI|@YZF^w6Ele@K%~jx hoOLfk `.HHT$#  pb)AAթQ `jv7kŐ*\-Ivq H8|0R?R?X5<>+1U!Ux{(3J9 M.6vABb۬݀}Oi7Ud԰蓕ęM`ks~\=(uWv/% ͶZP۰(6OK%DщЎ% &/,S8uûF `2WyI.ϹF'gk38m.2h:*-@:}v>u_s@ɗ Ztd*fنM*A)±}W0+!+taѼn< \Q ރm|<2'\Y)-uuO`㤻C5>f٤ȱ7H_Y% -ջV&_o5:px d'wS=8QD4d[ $MR]3vf(`8PX/. vknu"d앉u^RI ?kÚ̟S43?L0jēW9S[YM>'^=j&:'vJ V XZXt5AoMwsPoGItyk)2}qz@2IeX7)ISdg{TnV + o*P3؍n @,T87=[?FqW]-rR ܕѯa?.[i%^DEyF g(g0_G3/#<꒦>q>CZQkfy+('Af"Bݷa+8J\'^ K{aA|wdwvhf0~q"MR=QCOmY*ab Vex`!Ew^$wOE /kHvrۇ_^0F8o3 XK68+%BHL١J2`&o"/EN{`v{HW.6:z4UςKOr=AM\ɑ;Gz0mYy)*N$'o %7Js]{ i'I{e[=_8N-6 heMv4ryԣ3#i_Rxsʔ#nhۑ[h 21&e>@Vhud~9+||_s#w7yenoR@xq`!ׇq>̹rC I)]+㊾N8[8z&b)&NխO܋;q2KhrOtTsB֊q}O[DϠYC*+\(y H+".V2"kY>/}zuNuVɶ_iAm )0ZWZ:ы@r*S$V@moK@` 2qDE33ݝ-&ew!kT-`CGmTIQKLjA__'ʍ -m,]gEd OxRKLZJd?VA~~H@l 4 v|k&E04Cq@?ꪁK!bUN|ʯT=.A2LikN0v@Q\8{\hʠ,m6D `kJ)npZh!Œ^}--LLr|ǘP>d%1l"f.IEI! ߀ewBXZŋ,(,vBEBVѽZJēz;"KOv"Vs8sgNqxXd[sJ!7K?dE0KxS\G"{2UV/zfĦekeu\ V)MBfuܩ8ZeS`Yf-#y߈nq=Z`Y9qfi߾3kRnPCg)/D^WSQc u yND]AGؚR:_2 @ZmQDXbjj3]4\{Q-^tQ5Gwep+H_5&uDO'[xwyƣave~Ҿ'L%:wl%Yr$'VthN[VZ l?4ԇU0H3bp0%EQ1y)i x :Dе#/i-vX_6O)>rEd ! @)vsF pQˠrH>+(2j|hB"eўgTAYyz0lnswR9z-Zi깽}ۦ?m 8isg:,quDDer+ۀ i,P'n'8npN h@F|Nd>*-U^o{:c6FV-o|6V{><\r@3P\LsD&e[:Z+A[/s-9#m؍_Wel۞l(v_~VqZ`N`HU$(|#9nuKx*vf]A3?39*T8*;3os =zU ;~0iq,oEyjPҠI;?U3)I=(ƒ^7AL qP?lz9YHzF╨O``IC:I7|3ևbKwf%cAџ)`Kϭw̡쵔FRKPW/U Ϛ6:Kࢁvҁ\cq4 tf]xV,bX9 W_}vxcϳdZZ0Syͪ!; K ``4hHA9M;mI=TDƬA(uuL / ĕ3~\!N"vLR8flc!,=*9E *7 6yڋfujviu85w1A~sBZc?#0ݳK :LQ܀ t2 W5(BS9f0JCg-9^ZF2>LIJ_pU=>;ѥ͆=@_|)'yF!qPPUgovHB.G*\V?|>5[̔ 44?R5N_DUX0~zt@=V(qgx쒞_5*΀Nd[`B@}NǠ˕@3K~Bb'\sik%U(3Q ?!#;b{MZIV]mk׋hzJ[^;',q ö0#=#G ?7XMx U[9l=4J`5č'*| 1Gq`c|p8d ^bvRL`(Ϝ4Io^XwqM%q ynP!e8}0wń/Hₛw9[^U?q6;h_%݄=ȤI[UWPk8K[b{K89y!NA !΋$z6G7~?%}IGY3#9 0t0WNܥ`+Ye['meh̭G {`FnuT3U}-mtFv"n PogaK'B+)Z 9fz/R|j-egp{ryb}vp4wJ{/8}kǂKJ5,f݊brzy/gw{4/(w{>G_m?0u3i1cz#_7H~9,yO]ϐky1|ȏ;|2]yd; tWw ߃}"D{I?uxϊn]\I.}4Bj93amR luCfREV$"jr5]z#jMؔLϖߕw?Y "3Az@)_w9^ZG«y{Y.w VaLQA ofa؃=~]hh KCg88gNSwaО՛@9bi;;>X%p:ي>6C yP[4Ţm BQhڗm&rU0S;&Z0 8@U̢>t%7o% \>~kerۮIRvoLɗBg͝E+\v.` (0G))H}N:Oqc4.搦!9! lCUvΠ_ݣ"g _|/F/e Uk^ۘVn{"N~i,q#S0C׺z+2 j-@bhc(;Q#8œvU |s9QBY9nHp4Β#zK5.ZH[uL-N-ծ&U\ې"i rȾaEg<23 p<&cevQk2챗O "ė-`v4aWPna4+Zo HSX8]fs/N:-d%6gtۢ HYObI ({j3fV I8QApu@pRM;J>I8׹in"PDА`=]CPPLśJ;M +j9`$ EZW- 2%z,(wBYFԘU4XsM&J S'~ڿQRj~Ad~IN<Z'48=sI{5,8˵NFC&xtVOM/_Lv9؀|P4R`z*9YsL؅iA@lo4^0;*ޅ_+ Af >Dk][3k[ȡgCI* tC-kiR-hY9YFlq72,!VSa=f\*֕N\;59Y<# JOu|`rU\1QRpS;ibۘ957OAq2~6I{%)J.A/M+: +R۩}Ҁebgm#pޯ67;/L3CY(UC%0d?eӼ54(6Aw~YZMGL-V*lsVN ?=`<.Xap +/ @` EXG>*`!G+?` q0kWi m>+,p2X^`7,<)w )Sar8ܓ#C3=\Ůtx':U{O$MK+6=Er>7Kϛ oMq@VV < &cwLmW"_~$S'ଥKTX4CzQZ5(7ݤGKЙ7F( GbiZ8>wZ~u6d$yᝳZHcc70caG/p!3EOZVQ *}ϳ>Fpc>À ]fg~$ƬLtً- qC`hZ(SzaM"cTks|CףVfJ[D=k"Laj2zMn`g/KbS= 3mw $~rN^Y(.ڗvMKt}eI v.ʞ_<; ]2}jd;wuvAG9)w2reT.Ν/dYO+|Sg(y!V"7oԕ+˕޵Yb'moVpQ u mPԬ^,9|jX'{,x@QA~wi=uLxB[Rq#N!i".`0pLǨ) gΛ"֐Qg'[ 4Dxgf-*~\;=GN=K.D֜z ?2%GB#$i:x Wr8%[T`(;HAYMVESVkO!u{/9Aczpnx/zh.8%.ʐ])6*̜͹C MߋuQv'ƜG0.ۑ>ɡ3Rnd PcJIe{P <;wx4vtGivuOjM8\OHy4V+?cԶs$X)zt0$*Jg-t"16ёy&"t U;Ch-f]C qV;McYh+p9M~"bg&G.}ZB_@C01{+ ~t_^pK-/2~sJXjD \4"i?N=˭ W+_G"8qęh.9Lm89a8hW6]#֛ۛQoztEᏛ{VXYϿGpbbSߨn5A6i^+,0d~-d8E3s(\ wvqsB޺?%$$q&pbTlJ͑G 8]oO8Ii'پkf/-pYKڎEtk3xr tfGi_kWӲDyt/u_ÇUVҽci{4dr ßf\ydD"41zL&Q$e 4%CP J.B,iK, ۹)M5˥Csc7ij2ӝ qFN*Mc<: ^,|1,h6n*[˫]E#ZL0LO9ɥ1) Pg>b"wT:z~K@t*#/4ȥ:!=~3ζY<Ƃf|cۂkEMBil}=NzEW +Mm 1Rߍ3_ Y~Nܗ\BMl;=1k -Q5vZƮRWc3`88]aA)+#I'̔F4ٲuFGth`*.1!`Dč&!~XJ9FLVy"g` Dqpty69)$Ci +&.׿ٲľ #GvxzIrSX0ʪ9 'b9>~$yP@:ۏd"Y:dz!J\޼_.7Gb/e %> '; P`9=gS4VzNCQˉBTY]$ yУejcN %ZݎTg# ̵rĥ= {K`=jy0~t-ľcߴ anFYobxS}Wrj9(cR-ُ)g!41B}N}'܂@6GFhdM)e žODQx)}Z/-7ux ^m֯7{Adk UT@ ^^Qb7SԬV`J9LTqMKƨcaS3"rPp=\ ?~jVֻ*D2aa}q[00עdz}r4cb| jx4K9?6c=vf"2Ψd~B,zҒU-ed)-9^uiClKIWlɑimŝj|ř]eɘQ.ű١]P2ie2c'6!Lm~VMp a!\?z[6G=b$2[R >ݛef[{VY}tNRh'՞C~V#SZ`'_FC9\_FWW/)~pZLoLYlT'S>4 ]ӵn#(J8c1jVqo\fx滃4%x%84@Vuؚ) O/8 ǰdkd4 i ְpT/Æ -䏑l-ѢT!}F 4Bw]~ӅNkzS/ow-&m4=S+5l}xne+ g@H|*F/^WGs)4zAY\mأCDUκd]/2kL$kVȃ{,`!oYzƁ :Ϻ〺U=N2&HbI)YlychLÈ/6.Et 9ٜ%ze- ﵱ~ҙf=D[<h4\ (#sHN :UK9z0u~h$Sx_ ollN4;$iByid.;@N~,D)ЌxIzmJAꋭB iёA1ߣX߶1)cJ|SA`[/qpˏ$:m #GW\r'P^S{V̄|B-JJ<79fو' ̄hרp+n\FUwc|Yu >vᙠ1CD$y_OWtp@A*GQ)1l㩇`gI*7~th•W'栴K$?[E 3c $ sr΍2oCPnǭ_}Qхrh4K95w#}f > K %G+@ku^JRFu͐h xRvsfPh7c۔K}A=+<4k=1}>PաȝJɒ[Jg7}D5Z6{IyS B4~fኌ) `\K=}ЏΓ$NAF7~]Yu&!X y'S/ k azIvp|&y±Р ~_]s$;!׮P)FcTv㍙}NW.LŶ!C7 Ջ~'U=fX~` buO6HםvdK3rxպ`O1t&P/E yZHGg\`ĝBKFuR'UnQݏ~$L]pb.6x5;SH4mxYʺ0!nB~9 ;*v]R8)qb^R- ڦ[ >Id<_)X#'49e{0ڻ&62drFI3vD?S-3wǘ G3DS$Ɵ0w אjuRD3"PSUS5Xٺ%~5|y>R~ \\5i4ǩ i!L3_HwzVWY;aRBz-B(v޹NEbRDRRoyjV>"A`gj{;_:&՟VQ{r.f 6>"[Ücaވ Xj1 Gkf':4Hi{ aƕC~i_gyS›SZ'r0$%%p~a-yji^Q7m?l¢鑆m1^{'#J2RG6}|Y+:~Ư/]u>GKu|mV Saa6: l/L?uEsxn>ͳCIRԿws"̌ə.eNčl‚,zD~9 X|QJG0jK疪0\gn>(jP''LAl75H|u|Л&glx9hXcܲ~y+_9(5wzo,yc$^& `_Nq+,PC^3J`F#w9r*e #%⊫.6tJ%MnzVA{/ .dOfoZAq49Ϥχ 5Ns PRolw<ў4vlqY_<|9ţhfuҺ0 oQb{5n'ن77s_,VQB E7.՘{$ 8T̶< jwV4M#FS`LjeD Zjm d}Pa8b6OjkGΙiDО Fl$47 ފ -_ ۢ a.odpkWcl>,3ޡr'&r ˩<*_juSZC%T8CP"i+ƅnH>V*W5uLXt 8r1]@ᬤ$ EIhzz63gƖ[Ew,uyA#RʺdJ)e$?ޕAC5F{:VpA|#LNVEj "~OSIXkniߤJ4Y흥p\MSAYgK4n!O@vӸ\WQ/|<.DϾ-Q2* t^M Lr|zRaKXVLwQt)*@(8->!(e/H &I]\{iV]cUɗf.R).S ]ٴGZ"D,a%"9 !*LB~U+z3\n :Uy2hf*D-7bV?H[hpWms;g0ifyரo2xk&\\O"VafY$?U%z "2Z^cYݹ2a}KX3՜gE(Kb}VkԶQP|e %C|8`˹-BN,ڋ(oE%Ð{}U -'#paXjurjJ]Hjk1d(Knvn")R?xG|إB\E98O`S7^j;<zk,'?FH_3 j9|JC/% W0 BŎ܌pcV]^2{* 6tJfT @vYM Zx}l, AjR NGʸ)l@h+R*0)@GtÇ M¦__-N4f{XgCU@lHƨЂO4j }%6=Pa8[ǧeanK܏š&4|jH)إ40}鷺i2 Ld#^i:EK);ǍE2R iDnQ0ˀU7$…љbBXDK/qPFi聸߾TvVnH΁ '/@kZO_7 d#cGMxz6hF&[)Te9noMm0Yv5sKPr݊m0A/,32U;L6˯К fŐ?:`0E7n AoSQY<qP5G鿆}}??`V+i~;GFEj Q8n$~C8qC{dmju5M/o14K&O^(H=[PP9aT+;7rk\loQ~r ]7~rDAZ_ﲾr 63e!9=ԅ-A z~jsG$qЯ!YC}>}LA)HbcUe 2_]BQS,-gAQ,M=ҤVx&b_{SstV6x"4 g9IB9w h3y/na.'s47y۴pd;;GJ6A6,0F_urSgɭlg$r8; Q|C I@M#xaa+<]J]9;_v(7sA15\]}•ӥ6E^,6HzuvIwlTEB. Nl : `U.U̧0 DNKl[luƫt"\ #'s3vQ<ba_ϲW+p]ȯDKAY  '-T+V:صـOt%rgd_+j)|kŬ&?J),!-O qT3BciaP: ?^]GNѳ) ea!1fT4ğ U.۳hb@R~mXp6S[셮:"kIl%,BZHw,oczOcPu/v߰ɨ>H_!V~S1 ^CȇFmp1za~ Y@d`ڭ,!>&$8]3;Pw_;lvsI.;acpW%O{g0".1a CjĵV&5!KͰy-bؖ=]9~!/Ne)hYn{+h!v LS >s"cPGFzTEEyAVSG~ ./T!\0p 7yL]FC& V=_/d 'n8=QVODQih#ZpKӂ0'~풉՟gB /AbN#_}Oyy^_!;*S·f!!g*3޹YF>*r-+u}mX^Hx؎($_`&gvk륅1p9F!3nSԍky3*<|ds 9J 3p{ фG㧅MZ|TpM/>lmYlr}2(ܚͱHImُV!޽c64cC(jv }=Q%!MV?4/M=`f;>f=_^ 4vDG+Ppy >%ޫ>݀cIpOj5%M}d{ :_.\US3˒w+K'/{X9kش(՗#A?gci!K!N>%Gykw&ā swq²43e$YgGCt\hv}7fWb(Yvm'X[%@#8eV%( 8c⸖f5M $DG#'.oVOU~a@E6~a$U2V>@D 9~MuD#c( w1e2oF^ ,0@'rЉw%ިTh6;Ͽp};]"&ZܹGSkF?6x5*ɹVtRQun8a'G9A*9i?}$Y@Gh` .;#p:]JƧcc\5I9Mz7[cMuLIKf-~]o5, Ε\R@͎ĄpIZLy.NOCg8c$?$EAȖ&Z&L,S M|c.$i< %u&}30WAMy1&$$UiQJ(;xVRS\3"szk =:}";.x덥sqYJRh=` `,^JKڋPFٞ} zn~*p0;z:&vtd$T̥iMTw_zJ-ZؚG;1=kBEhH\3΃OTt*B?ݖJ-@,4 7`$GcZZۖɊ+}*<]I ɐ-`uxނƑk2-݌YRtZr˛=S[s<]XCV YB_bL=/C =mU A4Pk$yr n)-E"sYet^h'0; Ʈ}o+yxK∍ G&Y})5,Or- ڕ;O܆YꘀݭDϻrdԦ/&V[ c9;Yʴ,'?C|lzK)It I#gsOrҏ8#o;D幥FV7<4aG?1?6>3;hPXtaQm?|f5Ob{w$*] cƕG Io|܌yd3: 4{}2[ %%R!}_5U lՆjwnuR՚Ƀa47clRex m:Z!¶HGuc斱Xrœ^nyX8r|,Id^wP"p^`Ăzj8E@MNKD8=m4>d \pGbkQʟZ#M Gi nj%^PC~: d_%6" 'Lh`H(1A\0iu_AÎ]>\De{$Vwy3ĪrZ=B6/)MlD@OJ#.?')F4׼l[j _e*C%0QjC>ֹ}"+")tߚvb* lr%#5q^4jL@-f*UXjx`@H (?WW YxM44qb3\YMhL)ɶm Nv hl&Q^Qr֐}V DQ8 *S2(*#{'D̆^/p'"KUd fhVhn8U${ Wu3~UL=s3}Piyw@Y@Bbwɩ E_"*%T pKnY-Mm,K9hL@:fMd)ȯC;U=dٌ+/>j_9k¸Nk3 ˁHSJ5GB0c m SR>u5*>ՃL-ĭWsv⼵sIܢ*t8Ӣf*5r2UۛI@2c y~Pۏ+SBV{u'5)2!/@h/R917)f Q")\;u5B+z =P0Zyx[i'>mb`k)(b~a@1ʛ[a3Eo8e4[00\hyrf)|- ؒ#?{o2boOm YT=ص5vV m1p?\~q@Vj̍Bӥ4wS͡屦k!eurJŕ>%xF3H RmSM#qgQĉEgή8rw\3nFAsu~0^^i}5 kPym1a0j+TK/(tv%~@Gqߺ 0="(z?}IcC^LD% }-t&̫t쮽؅j4PDZE6<9pCJ4,675Qڔsۼ[dJݫD"UenN\Ybܽ;QK8{0[Rv#ǪaS&{$%oGxqāDQ$i6Ķ m`>+ `ǪDlx8ZYZ)܄vJ~E,t|B{WA/Gᮝ}ccySr5gm?m1{ʤ"PMN#23T^ U=Lk]M&2,ezxiȥ Zlit ʬ/uRỽj Yc$h_w+:"XO81Kpނ!6녈aohu{:B ZqN5r Xf)x;n&ϼDηp / #o +N7xB5э"dA Z(#棪8dK?s6!ėj,G-RFh >!/.\p/5gۭ)֔F)%@4PhĆ 3M)y !^lZuߒ¿{r2w(Ϊ]IlԬSIge7? ;f 2@M Mƛ*:#Ҝ@o]G[d"*_*qC`,\m.|Xs?pЮ䯖.v4=L C~˚ȸ U3]iHv`vpR2G h o}K*O5idFZ`ί'5N22鵰¯q J}購 nCKQVuwJ_5@n^T H/@ϿAmx?Am eqk@==tW.=dۆ/`LP8扴FnG `njJn13 $zb4ayvXTk$X-Y(c4RZy_/Bͦt/Ô&WPWg#iX}V܀7OIJB]X8U)I" CC,B{٪:],xFe>y9ĮD1.pȧ3xDg/H? )nږ"[*j.'FIҹZnmv:,B3.hkKrrӝ&ӝXiNeF 0290INB)$6M%=̃>uo̔-a"$Pw,ty!B-df% Y{=z4ff_p/_q8saWH̞u{L&-ǞqLnv-M{ץкL pWz_]%%Y O`K X -AX̮9 R'x36qM`b֣]!"~ߎ`j{]5^NSBI3 kf,pY4ujeW% kVv*P|}}u e͛uyɗ,Q=]2N8- aal_ k['?s{+qnGڳ93BQQrӥqPs M1h(P\'ߍ2mWdG@ZdOP~Egͣ__@eEB#Tg=Tc^N~B{^N2FkKE x$ ۷@Rr1(V⏷ 4Q9DL%0=2:TUxx[caFJԶQhi A6VNϡÄLRpR?[PBԵ0)_W2j|'W+/i|ѹ^M| oy^EqV[,ɹ[emP!mCxiYT-u\2u. \dU γrdR.L:}GQRWo\Ĺ#jtlE(5T i$=ʗκ:aݢ-OG<?qÈqn~( `+[+5C R;s|\quCn:kFW^L.kKΤ 7ҭş_5;q q09]V rym qBpkh_]7V]c9gpȿػ+ 6nQ_@U<̺$,Z{3;HaNz<ç7GޠZ>AAeMޥ.V1PJ=o  jxzcjxy%#Dsp߮м08/0 F/$:P6Mh4ƝY&9:P&QN4GVgkB~vg%7WAܫN&o=4Xb U>Ci"蟳6PQ!=`Ke3u3඲f47Ǟܞ䀈O4HSfydt":UɒCRRWH:/xb=ҦO``g?q\ 7'-=eOXbiʿ^18tg~O8vyւNeK-@/o>ArA3ww([-d^#T59^ sު8@T E{mD"Jjnַ2H2ؾuP.6{T欄#4iN.ۂ!NL0%>L+O"W?e,C'GpDk9-c{F~ƐS'C00 a6HOHOYC8ÒoLoGgzAZ cȓ:GOQЊ nՈ};1`? ;CW2'e H1dn|׿mv8(zc Z Jjv'hgfa;nvRR8ym Z(E_4D@U=;*jqG osTIi/+z`$m<ҮEXT6$x*#%ODd}eHѥTJ_YD750_YHOW]jp`AϦdLݑ\$(v-}oIy#mMXioCbsrSH3%#o_9`ؑWH`~ë5B-݌\l̊J{3#!}˻x ;A9ItH)]1INI0TLuVVCDp(Ƌ_=v.EbrziK1>!p 1,]"3 {J)^'|'fj3bAI*jjmd*Sʢ I@1o`Gn3;ȥ5,^=J8<g{jI˜48ddWנU3H̙PۓL l]ý\Hh}jMZ)yN=SY$y(z;vP[/'mDGbUkV W<[*lAg)ԣmuq/PŘNhO f7X7H> 6no9?V?w*ѦSVPȻ_EBr IMoG}{y6h@ oױ6fGUkx" q78:לqY&\S\)< |Ygmȿ^U2ff}Ш8y91ȣ$TK /˵%-I5J"n89gЄM\94z7_)Zv".Xޔy'%96T|4cѫ恶y`M񶯕zyC#^t?hjۻr0N:79[`֍GrtGLr41ߊň1l˖>pi2Ju.}Q=Zj֧%bj\k\5]8!"+!ul CcCjTrbNw(;okj.QVY@,SGnYCY E(bcA' 6׍!dӞ |ʡbMb891~1sy(ݚ@G3- rb1?hiV,F8[ʩWnm2-s;FdIt!oQ^w׿|ߺp kbwXB*4sZ\AfQ\,h"f(.*y0rc(qc9 GLek6\ɩeG\xl w"%C7yo0bMq#(&,bsROG )ӿDFa.10ouV<S1=z|JI_uF%ԍgǁvXX~h)P-sή[ uȶƙ =|68w-ɯ𱅬Vtj sX"kxtqPzkzuomr4&޷2z:r#R8zɱ 0r˜ qW~Dm; d_m ҈!GE.awY N㾙׻zC#'10FM'7nz6ں!9h5moE˿7,PύN^d:c?[v] ՖL˸#_Hn~ :QW;#,c;"ٟO9\3؁Mm+2sF4A;j^)x+ JJKz8u-M oydONïzp,/փ:eI= GwlVK5; r j% ,P=q/V]OĭfEbNoutwn^lvPu \p/5.IdBܖDȭ/mq֍{ L0no2N,X%%tUWviF_ALqN4gc/T>$s_ɔ,,^՟"'yAW=Ǿb[t)8@" ))L>{XBa|(7f5 ? P#l,1dӂڥI>!Yʦu+<+@K(2= I ܿ U|}OC ݭodnbI8\ Cɶ*(WMw"j?p D=qgh=$VQ;U_I!#~E~ ի[T va lJq,/+kG=p܉ Ԃ} ȦCNlF$w&2 9{TMeN٨vUP3֤Aڞz8,n,Gu i7^ 5όq]-BYý 'MqVz-l1 8<-kgkQKjLh>=,)B%CpSn񴚢KJ;o5xFf3\oN24OZIVǁt 8nA9/V-Ѓ446[3@ l[z'~U0;uq+..j&\[Mj*c%U4:0 Y=#\R{8׊*DS9UĦ9EuF$\ؗId5*g'"{$nFu%OŶdE~*zk55eO01gb7oHCfo&bw NճL1ynVEYsCNW8?e1+YR7xiXNչ>Arȸ50KP+{! Kq!T -n7h] W!u|K/nLMeR2sM "+_e 흹 ˩d΃i}GLH'i ֠!Rk)+*MIfc`f!Bn4q^^[HV Lw\'c 7&{ߐ[}NknZ3w1,Rh`XbSe+ńv*>āҚK^z,ݪzx㼗'lH|p#+ޏD*xc`DZwM6E#w9!3!^bLRZ-wGsnkC]Rߩ=rɜM#(DK0]T7tLӅ{'_RTI'c|7kbx;f/Jď@ppiu my:Q;pFLd&SBqz ˡYMIfn`i^og6FyaUF *|AѴ:H F+o@RZCeﵵGib7&UR刚XƆooӃwZUpi $GQM7IEt=$D!sk7SYM`:~^K.n :: ʪ[Yd2?\}?4kfGM,){rl˜MTc5U^2I? ] ,卖\,xD~F ?Xq3R[]SY )ɞ !(wt:DSSլZƫÔ֬ 7({'f{OFs,ۍ)Zn/@tQ.#ݺoX=`l܅Ò/pzd}eFamIzDXy**Øĵku̓`/pHp*ѵ$}~ ;.k*x9!WTI]sV_DS0]ͧ3AS/x-8Ge(&]@M2`D@ሺn+PIX} AS((?ʂ5+#\y_J%ۜȤ\=b` 6 OG2;J[:-t9 r˙휗d0^% P.T˟l-ܒNc>O:(Ԡ59΁%Y!5UfMVhRLm4 Owz/CӪTcCkn.lb#<9: o;n>Ho tȐQVx Ȫ4 pqCQDZ4A [lk[נ (vcbvR6Zj;c7&# ; L4 %%'(ђx O[4LdHr%TQ(< 6lvzn0'0ٛU7FV>I^pdGm0 eTT"B2z癿H84d !?6kWB;&Ǒw $K`xG!g-w+\>2d^^-UF*MAwyr\Zɘ!R‹cxNHó4spsOoÍ6ުj55+V}|s<5u<7gJ ^ߌ@W?Nۨ8:o=exB W#q $1FG_#@S>],V$)faZ :n>%J b NM~EG" ay1M dRX'(5K Eb뫱%=ߊ"rGvM>2|UT/d hzis$X?bsbE{rpf$Bz  3&p\:|T^+D13M>(d^[T~w T{Mw,yՏ,iMiaq ZOф=)uF~?b!aJ׆x%RK3&d+:UK h胃q֖<V<ǰ#ٻ6² +F<ǿYUR,v>>}TKRפp@ Ms ^"y0a9]h\#<93&j=8  g K:-d`!? x؈%LƼswBe%5H).1cFv/)o='Yc ;ƝΎvpF¿5+$" E0&[;ً9 LKx-oqZ3 F&yowdJa7l0u,f[d<3QTe=FR}:"^J(Ԑ!䬋P(lsd^'OXJF"F&zkzbͮ0\ڛ~\F">FYiG1Uaͅ*>p4@'I=(SU`b857|%EC7kD39Ġ R73~Ubi3?cgì@b+blybB#X,Q lv^Z#4aRXJ9| qLDE;lnpN2}HQS8X|6_Q™sX9^6`f:X\It+O$>'-wBH~y?IZs7pG|}H3>#;?Rk뼽{)<4ގ,oVefۮ3i_#޶LJWixY,~Biqb$LkMe6|gֈ }%$ "&fNuLf=4 Ȉ|mVoK- ZPMy3AϞ% ; k-!:8Anw&JWh>R%Y )1‚Jp窘[uKt˿Vu+Ϻ>G$zOrT.px|9T=_Wd"?12&*zv坚b q/쎿A행cHq2!j2{mryZ^Z4Pٍ(~#n_G:kePtrPCs)<Nֿ/pjn9 kVgXsto.-B>k_d|G!@7gJP tFiP_S/|T,S-\p 4>2γ*;dK"s3%2c^!`.S{߽$9.>I&4ܞdTy{V*=XD(|=,3tdP~KU614t?;xhv 0>oi[o!l g%4"|>\xcT]Wku} KQmII?hmJcs]yQJ6XoʮZ'w3Jг8oas^Qtyǚ7A2Ar.^8_mP'K ƛp,&W}5C'תŒ?ɧ[Von?o`sh> ʊ$Tއ[G}"e9-z~AhZ*DAƈ-7*!_k`(^pa y?C(k|G]$ΆN?4M20G_KtW+|>* K(2ΐ:*ACփ?SS5rh\ Y45=J zӍ4bS[d.^pAnAWgs* ΁PڪM)rێpםi֬}#.Xa8Y0F-=COz) ԼT }@kup$n6(~ێ$2uy鳟z8֕dlE[kK)b$ZN -t^]bxqye*IVkt)!6 Wftí h STP+H WLn(HJCysw[ɵ¤rI&n;QAtjk5=ɂ<{r3̋^;wߧgJ}=|]IYqdwmɴxx.$3>jR6r=-pLe=ĝ1Vȿ\%")PK΀|֋lV`;cXP.+M`gҾl/yZ O-pPGiVVi({a`'@1}$j?D{HWZU\Ja_OD Rݒv9pe$$兾Go:j0 on4} lxǬ}n/~!%Շ6ˬtNΧVo j;zEE i70Bi!)ME8uzʟ͠p3 iYD3C0_+uC=3>o6kn=؄]ؘPO"aS1䲓 ߩE$9,jD 6^tEEQ)9V0hPEO,3Z9u _~Ŏ)o]EI]ﲃlXTgℚ3KٚQhe$1Dn`+3!E}ft&.ybeן\SD( ;Y'q{B>c@ԏU )aN*536. F9BCVhI{I'/0RY꟦SPivж b}f4; TU FTIH蓶ʱf`#6I3h7wU3Zu~Ku,_k|m,~'i7!5.Rde0NaS2=nϟ> BdC&"K!tq_or&hj0l((.2#/\j@ۅ=$- Xs:j1S% 3ql {0쳮X> 6&m/mfvmDѪ|"iHwXeN=ՠ*Wv0U.SNS@K< ]U@ch|[vN qEf%Y[@_%nCV}7 @dsSVtu vh8U&۳(Vme^a8tNPE>ѷICL~q^A!J+:YHvil̯ A:s[cg{U3jCִ*Mmjm&;|R4~i{:L!q5鐿Ɗ_OaBHLğ>b˽@_W8z+/`n o':Ì=G*xؼ8.N7($uWaNfԅ #tm)eb/Yy)9[R[#!,bSy@Q^\cڧn(Dx i)'m֫OR!Sd'q%reS@ FWB٘w:}`ђrlZ<}UGZ5-n4|CJ+6 kTTᕵ+vGE}Եg5Im({Б^vnX9h-|-$3L#"PHŴ oks{, ܬq^2W̹ |vO!-y'I@D+ZFƯl@|(jc?*=Ҁ'$HmaJD-mvvĖʹ=V%~~k#g7`D\O\λ?hF\P!6[#%t>%4vNNh. 嚩~̘_Z3ʛ򫜢J1{y5ALᐇ.x|$>8޾׻2MhaՏ3qϺՏ~1jHY;~.S .*[9?eT 5;x>˿~_+n4E\pMt?ngcuˎ:`A RƬ..|l] ½cKhSMHzdMڽ%P?\Xk.&M[Ň." Kޟ8.*wa2pS~Oؿ%VPLlv7ܭ󷝅Yi. SY d1@6'ȆG,dϐ/qNߠn >.sIĬ G)TW9$:h5b֖;̏#}뾵;.e,x4;D-^啬:{wOLFhAZ~(O7W\sVqk'/Ћm-rt[7 ]Uȴ]]@>y0}}侒W~͚*wJ6OUSطЀ,7aNz_5b ki3* sJPUF(B2jכ1]WS#@DB5d#,Rq]w: lL}B#޵3}Jx[.V'm%UBY.r5Hڳ8L-v о5i,(qp?kJB5򫞜*SЯё,Fl;,`-Y5DK>+"rE cNamn} ֕e0Xǻ[E NY(ǍTadu+P82w3ُc.?5 j*1%*e_i(K`KQ-;lF+!X,74]"#m:DJPGg[!ȈJ Oyj9 NB]83}yRW{{ o" פ!k }le$A$AG{lml|0;Qj8{.IE~_7${!=dr(UwjdV߳tUҷ5թ2*"t5;nLh )r%:tnpc}cDI~y{-`0, _BG+ ʬϛ(4TS!ڐa2J2B#~ @'tO"Ey {`(M&2 =sdBp rqeetL3I琙'aћfrdi8^4,>!"ZM݂]j MƜ DA)#JK*DT/`bpi}U^ĸy<ȩ72|0%ԃC4ji nMH"Gŀ,U|! D>;Y%7-zǞԒKp7t,_GQ5 eok" )OfW>-5y2@oPB N1X-l67_NזUsÛP,.=ط-n24cL_¢[bY(,]SÁ_Ư g8Oc.,;qc=5osM٬1&<h &ZuS}:Ĵ#$ ݨFJgc߈"vQ_ hvghVQ|6id +v'uŴmk˛ sP|\U N?;mCX5pg7 ł7}Cm%:pSJQ%Hڧ(: 1yO| )$<L.0u`$ C W hͫ-BV.WYaGgjg?NYr_6+Whӌl{}D>(h tmFwwː$\vŞWDv\n;QşB+KMo xԼ,4Sz ̒Z6:1=#Ɲ )~‰9;FO\EH{҉<,*n 9/zq{>X;fbki!#aUC %}X69ߌbi2gjѷIrIL5"c٤9,ޓRט2R0۹y* ^,U'CꌋSu]-vOCJWEv/yrUID do`GmkLVI 1ܬEZ~,$[LX>Ľ#DR>ɔ=|/Zrs7M^=w9྿W?f[bZìQ&[[v%"İSv2F]zvU; nSVljm #o $nڡ%`gSN%+{u(H}|Fq_Bn ԣ,KRāvPw`g6}Pbѽr4Guu|Ì+fL='`MFSL-nݠ's-E͓?KܥɎ]!(ʡrj!F2ҵ}u2'BH>V]͍=$5Zc-2w 0Qfsh:&YdBmr9F/ȦuFBnuS*b(\@'G,#P&!|u%3TH{BҽlD5K}4Ʈ&Hm*Kk~ I_ױS3!] v"Y]el7q6Oq5,{O WWN 6%gwH+Wr_\AWcBOQ Yg>"evs皥-)(4xYhV!s^ԬY FO8U%Zɽ{nmG CI}NtsaM,VȚunkV$A!usG!$MY6*XwU* ZlN A ߨvL1D.4+d | t+Q C;vNGUQ{Fm[&rr;%qɽmP͚'?\/a'7O YgQ$~w! ?6eBQ5:!PT7 1l`"|Jk _@Ats[#Vf*z/4;~ib8^ aLuiOCi Z9cմS!O(t-kוeaqf_++.k?Zc5XҘ2vqGléviS& ,(wWC5 c6~<=j+h'67_<4c-IP'}@f%#XE1QڸópJhN*չ~lCܽ}_}|{247`oˑ[+H}.KyC g;A:o7M3kYnʩĩ6 J+m38ȖrZ2V4tN!oOAmr$ÆmHVE$+iwcY K\ѓqW$WP $deV7oWz#QY@S&| jt.oF/_2_䳻mҝRYlb(z<>NR Bk~Ta!  0& %hVQʨhSZ!ne .SKHma/\yOn")(Q)U27`" .=8nɎ}{wC?eHRP}ܜqy1ȩB֬4Lн> |sգ {Fve6*Q1+Z@v"{F귝g E&( s` ݭՄι\UYN(;[]QV{[ +dɥ-gtƜEza!/qv4sM;/Yآ wa`Ӵu\0IsKC$6Ҋ {nE,">ao^Ozjلg*Jyb\ GR͸'VB$[@Ҋ4>5ŧ#MczHkm,)߈KdN[ y;|ux"qUTN#?99ޒ<ʗ˧7mE]۰1\Z& j6;2ۼ{R{\~:2[Y3y1+]"$WUJ utͭΩR;>Z?€ݭ=ZA^u}=zM7$M ruhȱ XMlNU ᥀"w&^Vȡ:$U,(!9WYe{Nz0\}wA;]]A2U%Iq=7Ns}ƺe{V}*J'P+e@Ky #I x]9IRYh)ET9[{t]'o>Q?+QXn;e.I[]JeVA7B+ˡ%l@"k0[p}pI :0(d"ezj0`ʢsHOⱈh*OCn/m\DxF:8L7YĆTbj^ {(ڛ`282)Ռ8'ITȶ,͉, BADfCN3&S{e~vKkx' n>c}>nFKCgbXPٯ:ȘL77L9O*b% P`Iar⪑ npI<pI8W8\4X wQL7\MMG{oě׮#[ i؛ak[}*dJed#_g|m߯'B୘+36s< c,QZ.d6zcGT -h_bWEZd-S>HW|V^~i"% ؘ ofK..vO3fYYy?6;MS <|jS['ݥmBuRH!)Fñ>(/x TtrZ1}(_lbN/@ s},쥮~"Q>]Xy+ofLagX*=^BvY 7@?1O/ta!aV-$?5Gс+B<a c#r!J7F+ g7{yc ՗Nt,5ъO(f&F\buB)PX ^<:]%z..7Qxʺ^phz:f?&GkxVݲZ$cd۔U}lAMP}IT¿0g@ဧʳƤ5m>lqb*lHRO/?@h-@_A_?yXt>C iG(/qGΔ,T0~.tɏ/~ M3S>amTC60Tm^ɓ $&(㝴~zT|59_Y WPjYxAdX jӓ߷r yq<2Z7G$ɀfw s" "l(j,=r\NuSvZaI%?v^\w+ϫ~ARRu9LpEKe `tiwJjħ|e(@J7ׁzzizɩMa7('ztd\ÒGF^I୵ ޳E ^1o=涝̈ .ShJLw^/uޣ3;nOe񉥊#^sو%@li:KPwu~@o!xV~FX)Eg,C<*.w̌JGG1O*"*!=@Ҭci,8ާU: .bq|t 8wsjs?j5q-X";,rO?QX^Srb}mؠMN/+ RR1ltRl,XMڦf/7У"c?՜S:Yk֝s9@<?u15X47> lּ>_3=/l}HṢyTxZWLYux{GxLs rN8 3|PF#oTGcؘ'`"y:(KDScy+OJPF9AdpZHMi38Wk:0@Ċ,z&AI쩔=BBZ;η2a CV1V^\,(x'{`fX^sfM_uG\ jڴ2\Ǿnt@]2=C] }UZƁϿvs =י2 ҏ%JVC/|Ȣjf'Y%y%r,tV*U"w*H0Xh}l]~d ^MͮQV ; utT}H#XDARncDS~RzвLؾ ¦)Y!\Z P_M-Mnnl\Tp[NQ/9B!1/ׇʝ6` ZՋc)g88 ۜ&AA,U=w?_k҆&솦X&?؍`6s9#o3$` 4RE56E )0h힒lv9߈Lɹ[("`^ G)/N9 }G#aO^Úw{9GZvFB@q4/RMڕV }>| DemMwߎ 7^9w?W@%_1JCWny?PAOBn%5ɱ̈́- HN;^o=flIq+qsh H؜ p6 A] 'guy?I2ppGĭ@?fF%ۉBFϦzq}mz!`Хk0S?W3*Kވ%GJ챽zr !?u"e?.Ԧ˥Vllb6pT;(ZrCA9P?YV`h!h?'0'6硈 ctHt X0͜a@(ޞiW&٬[T/ds\ 9T%I>[%Igr&҄N.@Ns0_CP,Dwuѵ'ڽvMBrn9IgY`k[z@MWzoYdwJ5rtrwwkIBE`Kرe֏rW>BWG(cXKfM+p5 %lυ|4gYZ6 wls&Km:ʐE_h-v=AM.H1u]p9圥33TT"PK&8j;:㎅sՈNGfAH0wZ 'd 9}6zLXW`~,_&$ HYXb:yId;*'nQMM\o(<(K} ʂy9SLmU=]>lQT QT\UL.ź >䲄'>&dg/>j ̳F*Cz DMhq)aX5T7j9Ki_&FkOlTw_¾31"*ҎH;PۄԙN!"7_gM7Ub!e.RLnO_s0bcܢ(Q%pjuu7|?9"uDEna#1 !teh"4h\J]/;do9["T0gbykh敲|boृ)8('flT]-ʕbjvz9<me &}kZ8^zFlw$nbB?GO_YN"arsPB KI#bdܤ+u#-mkhAUBdJ;kF X: p\ "!qKb<ב c0] p} T qi빩> ~i+<\[ᖟ-fBO=:@]<|N\P` #X9D!I!שTMT=$mrq"/h2J6fC! QZcs`7pYUܾHMb&|*fI }>#K6rW:1&jc&X4Al|COmNKIm9T^r{.l?_:hFXPL]q`J} a$>0ƵQT<]T H z, uO3|8L0@{L,gaA^&ٔq34uq%6ijWBh\wӖ̛7؎O }g+$G4}a[a3M~f NX4ՊINe%Tj}0]wEs'btOdݩzUFKR⤍V_sI@ l7uE 1 mJ[K{%fLRGK*L"ڙ9Y&e-=w `<dʊ4c0XwfE?9ĬZWcsZ# ӺrP݈WvS;>ڧ {ES))]'Щ%I#™^vaҧȎ3rnkrR"uP"ĖIrPvg_7Ssڶ_P~9__>]?|hl8 ASr՘.H:!X=ܕD1={w0p?(3] O 5|Ui!uO"q/Ԍ:!.=s˴"EchbZ]1PԬIM88oªPib+ HI﹀w ,onq~vQͣ4㪞@=  rnwBxP7`i* rhEx8}. G/ PQ3+aW]Y,2 ;{ء4q0aCRi8rCoӱzhIS(é=BOK ֌TR,7,n8Ah Y :q-Q 7]o{"0z=Oh_!M訷SQԧ:m?F?(18OgtjуIT}4^Ħm›pҡOK w<4diZ';Ce1^(l&iU*](FNڸRαLܦ{j0):"vĪo綵Nۈw94@o9̝̐NнYnNۃcfO @-@s1f˰ij&6- l]r~)5J8B;?9#~HWv-(<+ vz:$`AHa^#IKa?HO,epQH>f'XTu1K˟ߥpOF4)7Us ,Klzſq6bTrg*II3" ]lSO{]SVZ^f߱LCql 8vǑRM#<oKᐶwYƑ&=FPon]YZuC '['+H;(u4[T1)k-f+%4Us1a<6d gjyPYʭ)-\` 4qڀܮ,>Yuaxp>p B"V,Glrp=Syr}ߴQ4zo\~^ywIuEy(7LQ M=_i' eZ;S 9` tؕ&[w$E @DFs:Y]JQ=րѾthߔK+H(e[b*ⵗwuc^Q6{%J;4?lϺ8al}ǣƖ,1 XVGN}%/>k_@9K6mN QKJ),C-~eH&s&6JF3^]URHL&d5Kp#Cm0Ծ:Wtc#{.-rRkQDׄOеV~_{5CBrSx̭"GQok,;VWebjK!_'Yþ&'Is3]<4]9S'D+ .bt-L^ ̮[s>{zPG3# vP${jaJ $&XK\"mm`op2{ZB] 0 +=ϣw9w~*VDBE~@z:Kί }g6b)Sz{\{b<`/~(`ſ<ԘhꄠQ_j)K8kR=i^HM @Ԟ"Mr{gldPcB1@h EqjLõm$Z yQL 9OV$orx|&!,6Ish%Ê} ATw $QD/وAi̭5לu^C!ETAmB[ɒN[ c&aU@,fH BV'n)"y9*6a dƹI*D xErs)? ȝ3]}¼ \u7!<+,.F}f)bYl=@H&Fy5#] Ȣ' j/c ,ǥ?Z(ꀍ:7m`&ij҃vw\%yWqq׉l0]S<&f,;NFgx|AP+.91'ףSCx+z~ˬjWgg*x}' ,=Vvϑ;M2m6&π&2UPZ]3 ;xw?[na6/d,*c~Ny!w| uw#ոkg]?$H:;C<`~ ] eȜyVjlmՐ-'\eF 빡*w_ׯ|;wJlo+SͿi}uuu!6X?8~XuFAFAl({{ޗ"覶RHߨpG1Bп~b?Os>",'u@mDq}3 :|?pvǟ8f O)CA|{g>WhGID$ FV:-ڪ5OM#;i:y[hO,LKߒ0KSHGM4`jZnVc0xur 6>Df ̩-ɴ>]n1^9K*Tz;5#,(GA}G+FVq @iz d'ge"㹹j OgQďkr}[҆{!xD2hx,MEoT/H$ } S$hhZ2[JrZy(*NdZE ՙEu P d 洚(TYi9<L@[CT[ت(g뜳8JYֵe/*M_vA6"M] aS®gF` >&͈(¹Hc[wY+R K2ScY览u)_~ѾJil8y7jId  {_o#Gǩ$T$7 M3;;>&ַdH Vt&|?Dқ)~) vr + ǮV:wuEB݊Bo(l0U9!ັy[.jlK@`|o$ {N?Ycńvf.+|]6b-FwsZxE^/bp}20o9f]܀%*B n9Cw?_zlUޮT6;C6W{J/4=f3E aYxX}EG҂ i=\;/{nsqeqf Oj_4$bIiT;%6$]xMBi3F &#ؠ 7}xfR0 t1ϛӎţFd%pF9G>r<[o$^:Xr0dvsPpf\vU~  vM41:]VṷN ݰeBYB@!H|+·fu>uX?qܳ.N_\{Tup2ԄəD` 2?-')fg IA +6\sKc:`6~=}E##B )`踻VMrVKhXk}iO0PBJrom+`mn>)ۨP"[f ,D쎊ůWs"a|'̦gx ?ϳb"5K"R!P*[^Is3 ϔ~0H_X{?$4{/$2ԯ&s.EjP@Z gK4)q7{(븧~PA}3}x$6pWUS%iMD yeP ;v,(xoߠA=G6J(̂ԂFq6 øC-L$6o6frC !'N#׸UZbkj`Bi[m{/pP}=+M>FG )NWie֣=&GaJmͪq#[[ݣXۓP6&y(씉%F3Δ&`,ܽ| O ٝ5}] [7 A$*}5Bұ |E$m:Us&lie?vm*UuPR CW46b3d_IZ?oW0`1%r9#q15;W beC i](K)=6`;DM8MkûWtb|Kzq-t{~.{wUq0nvLC!d8: ylAr +oMmO1*'ܱwFԕyPL@Wߊse<ƞ|/=3_g3d{9Qn'%D0y nZw'"z(j>Z02k3*#_0qm3icABdaaA\:^#kcai3|eB3[*nbZ>R6BxIvuo +%໗ #pGslXBph IëLٚ1g/J /B6o\2#2~D#F-('W1]=!ȤO4b laq]!7GA{g:gSդ,8!hdvGdh#ߪD/2g-𷉐9e_GN+nG{ndڿ$Y29zK `a{,X[Mw/9nbU¶_RUz~J vQm|AIPx3Ӵ?"٬ڒGp:Mr>NMW{1cFz&Db!o)[Zck`ܫwMY*ZB.ƺϋHGV?zϦfD7[3a;쉒meO2Z)G#XשB@$P]H<&t=z$VQ령 )Eƴ|KR0ltϊa w)kؙTQ9վSW,[w !hIظAl7N8ͬ;l(ٹQ{6σ=IJQ'rplRqFbצ9<:5A#N@ r/{@=iU (+ -zC eF**6 B7RtV Q!';`DR/f|FE;%ӂЅ ^qs34'/;l6ɰ@ )A7N`4; 26fR['(X1T`hC|C]&QQǝ\Y|$1^ɴѺCgkg/ˣIv9$ 5[K$^K5'봸)F&:U0_Sޫ={CyЭkAʘ!?eiQ4-7&U*DEv۱02Py;=ٺUX̧@^/:'B[O%M 0O(v֛ *!Voh5P_ϛUxzQ.6WH.'v@R]c(ܭO'dvhbxt]Cx;{Ri2bpT9IR3yae9ث-|gڣ悕J :-vu7|BB}k*^,Lj%)^NPgy,HR'jf^ ǏUȄ)Yo&], v &ѧ'Ii_jo%C>-"*O>m2L}b!"S7 r._HB AqΟyD*!CbʍgawPvG. a|B u^60Tl/8J`,FfQZ;!4iILtxŇ0LSxTjU2l/T"أfY'ԡu!l#:ȜdM{a{ȋtl6Y ]:NpPPR<{5WgfBHc\#Cp8;jv~=E0`gh&FfeNj֭ k]2pѬ [%:v!h=NUbSV*l /@gzWSh;aRvyq:tIm t xqU_0^Ke׼NSr%ŖvѲ@z !<R˚TBȞp=`]"j'VC4T 䬺ԢLN2sxXt '^r Eve5`rVCF* KFNF;#ﻜݳ,gv4IhiAۍ3.^)p}a0T~ y0I @W.S'bo++/Hq03ۈLYVwi!F0d$ rbbT-]FPSH/񏇣|=]ʠStT|%QO:X2|4ff:CճS:7؜'kf(81 J+aLgH a>78AOZGQ^|jf`z>5SFDmqOΊ%NFSI+P\ 1(_Euh9؜=,Qq=G A(?^NC<ֶu;pyTh|Fxݴ? )J fk56ɿV'seA? oHZX 6Q3kV1 \0cVQRte62r!j.A|=[QAR`vPv$mbt3H'7~4mkA s?,ЏbF!P;.ݰ2ƿt,/E2{^v {.6d`3R]QY޴+4}aHP9RbXƑiX~!ЄRR!XVSNkI!F~CҶޅ, kC{ތRdk5uKJԲr%˚f15tC6S~$w*N$mЬ^HfAF'+|+ȁF85iF)"6{漀ʼ;JZG?'JL܉f]+?9[{3ѕxԲ4o$lx@W/ l wyV-$!OK(}q6ߞg+czk 89`ETz@Dٱ߈2xGs{Ʋ[ Yh,XH_#!9@.FIl a~bcn΂862K5Ǫ/*q'MY㒵X^wط 2IxmQ MfTX(zsu3ܠ`634[[X 0+/I} V 55q}blp74Uu uĶqN_^_v%f`1KthC}y1ZvZ6K6ɋot첟AA~b'0gh8 ^jqq*EC Mݒ>U;u!-?wK2*Q2uld|!:N8qq&WHZkˆ 1-6$|#i $;\ Y}rLTmxeXR8(8xfƤ__8yλk~3Ǻ#b3ߙ|^2;Xt v!No`B]-ر5P0yi_%&h<"3MqDN9ClseDNfNa ,;?{BU*cWp'uY;WiB:$\-HqM6>\讽JA*]ϒI(W6@n䊢`ED;A7g%U.cQAXiPV ]^{ ,ۏf;ʙd:Ta 7rL-壋p5O= mJɋ$?D߬Ĉﳑ]$yY-+c =m(w 4$HTqm229@{?_>=uS=ww*8r[YdKL(\`8_#r*l1S&lOɱ rmŻk7(L]F(Q4A +-_-68+S,ߒm6wVTggC!Yyӡ,j_@]1TsTp~19Avxlu/fb=o9 ri(VUM_RɺŁr> ߫09F<4bTTPR,wL9Si)&/}ㇹ~M7~EMV b<)}X:ؽS. UO]ZE 2Ȱ~jo.scq th3.yҋV3dj0}Ɯ]> r?w ({dh'0 tB;~]=~6zcQwU ۉܜPRy30  8iuS'-> =gN?Sn׻Wc3Rٲ};g@;YU`gHaE -8c #ABJ #UѠ Џ;@˲Տ[L۪\.SU$vZڂ4nM·p'[&E 8O5=Q+o'4QHd*w稅&#$zcSּx͹(%,irڡvu%"󄴾(?Xx"eDss |#("yt.0Zp|o,~E j,1xdȀEY+V^A]ٵ$'Mpu sGZ  zcGl;ken/O&^zrRs+R zg7DY7 N>taޒw#ɉْxcN+/zD/"=)Ylu.̐!U~-]œc( &~&7Yx_6.Y+I`HZ,xyB ćM5&/e^'|1f#&`Ap[7CmZ jI'6_(JB7 2q63hR~~\8ōivƂ549( .1`F3[s<לny)VIR*K9b9MDKqrea#Cp-.SC|ěA:P`\w N4B(ϒ|L*Nwcl>"W@o: SUo,bhZ,u-_M41&Z|Ȏ44}{O²ӭOx+UZIؤvrW|o`pc_S:f쳨 Z%'S:cǏ|R>{!!.jmzAʨ%)mMk`l[5Mt i06ba7;!D-. *mKx[D`Z¥澵"f4Jskre=vSSqwI&Fݱ?.?UL1XTwSU*$"KdC'#JIٴ1z|>nuhKNfcYn#n:A犗X%O\0۩d(x?G^G).b@EViu ԊRۓީ9snB@]m<@mA# @pZ.\ejϿQ s> 26 }:K"g%swb$.0I:' &15[#7$6vZp ;XohU1tǦ{[J%K >|{`q4Q?tL (Qкh5`:Lbۈ~J7ɦz`q.@vK-{).yYRhX)nRPc OۄZB_PlxZ=G0 -PT{ɳ#S jr ,s9a.Ѧ4GO%|B.fUuwfjp|ӝmcά o@xU܉Cԕli/l3"ha(t} >ʑßcLxDxa$7jc@]t%mHޛw9a<;.W$ (]lP-^0܄ȶRj*R㉸[/e|tѿKbx_ۚu N68𧦼~R fY\LGո{tq9 Z0[L >i9[B%QiíQd^Ϗ&kQ~X_@>(Oٍ :([T/u8eeuַ*j<;w+#U>Q MN;I"-,wOni@?Y$47zl8apB.yve˛Q2ے= s'6B;a.FG<׿kFd'ߒ`vdthn k߆!@?₅*~(ķΫk8>B.ke_Ix_mn:օRٚO,Fc;΄ԓجicQ|UArrm~gt4ӄ0*g)+5zE^ɗ&0EH'9@<@,fp@|c '߫?Z^.|?L*ޖZ&ffڮ~ts `#n#9W r5%b .J.Fyn$z; ~S-+ dumc˓g={y3 Ӎ=x2"P CTc `M "yħff_d^!- zm|; Mi/? IcēG{t$=f6$ؘ̽6g >fG3=Y^TVH| {̝NN̠26_ǽ[Z25.  GޮDuqɞBѫq)[FTS|rZX9^@N.D!+WMIp%bgR!hjLp+%J-G~FAo"aM3gLO(XL9ZMN,͹)qX$>İz痂MXwJu~rS[pL*QUN69f/dB7 S(@W!AQkuhg:•[]tդ,oh-:MλV,}v; ^d3/kOfsɤi#" #LQWs?ݾ_ ;u6A˘rJUOa䯹f{NV狦g߲qİ.kqw5ԑt,'gAJӮ7>V Ѥ}ʸՊ>u>4I_cҞ.䎞"6zRٔ9pes8o=. G =%P>?O}d[-aD$P~Ym~N8 x˵ϹPu.kAJ9"X=ǂd^QT!nݱlhLzQ,uym V.@=A =6Gv0Z ojH h}y%?i& #ʲ`a͢e +I:AS3''. tūYVxYQ:mG< NiBjb*xF*8nqy9yVM[9eYu;Lzkh";!}?U\㨏됡֭ ^pK fl iLՐ +05[ '{ą8WNbD~Mdq;?17E9oꏝja&IS(U }W= ; ϼcUkK7</bc6gJ>?XƇ{1C&mL`3 c8c/Fs""U"f#S͆y%6EhaEIw$kJ+&nQ7HAn=jM/l2 3uB]G{'V,%V짨n39^ >8=cb#@2*C苸ko ܁ qj7s͆)_DWdo%p\ όV iiT=9>,x6cqR9,d*ZOrk y-y@ߑʓ?+)AG$ ȊK ѫB,E!K+6.XQLFs2AF(tlMM3~ƤR_:_Sut{`j]L+'9cz" oTjRrs k62+/=Ơz¢^Vk n*rErWki#pD/ߦpO=#ʸjv}]։54NX>6/yp+h0B5b%\y0pu}Ku~Z/4a1rjRJ$sK3CWr`˻E~{Ҿ3z꣰fK(!IQg)yR> 3-w&U[)v'R}8yfׂ[90hQ3W#0 e tP0Z=2@;: _R9)7yXŠp?'/F[Ȁ/zKAԓZXxbqC]a|f&4\.+ҷ9&]u w1qQ}{REDsky>6F4a}\}nb%U,a7_)V_xq:awJ ^%Q34. j@a7% Xe_KPǭ 0.f`m¥x5 .695Dͫ¤q#h(ܤ߈F_iPߨ\ " 4r !dS_ z&|8/>$OB:}%Ӈl" ;t}8k~Hz C@AMtȨMb(> É2:ܶQk-E@ĂlMA) @{)L^/u(^aJ~Geʍtb}W剗<@c;|:ģtŀX'hԫO_,ԋyvI?d@BoqSi&J:^,0sr=yS"4Շq(}v(jbaH@OGdFf#Sӟ+Ī{&d0yUlv(Ksۉ&/𭆾#I` Kk>܃flz"86-%16S t߈`[޵5#  ɞjQJ#$6TV\%yȺ<_$vHj? O\9``k|71l@O 1:sн:t>H3i}^Uν,)lJQ~ʟ7քSaCʘjݝ K6{Ez5 'Kk{jl- cdc˞0FׯwqbǑ{PeXA3r7jvkD#_:-ζ-tsbt<yx#iՒSm pn(_طT=9J 3D;dAZ&7~$"Nj ŏ;*"a~$ĥ얔t]Dm.;~e"ȣ[<|nå͝:RI {g. ,F={y˔7ۤZd,r]x$znA;2)4mk. #~-)@h=6FZɿ~B֊UJ.CY6ʨW\|2şj(7Oߣƿa*rjID פ}oMC ?!|B;a'* Sm9poe(H{n-Ԣpūtr=zByf3 -)CoC^OU~b wJB"Yv)nք'\9?/Ug$+; ZW"yM cVHLm' rOtρj"m4Ns츥eN:Ɛ@Ž3fe7cDvGAF7^ob@g37]êI%`)#)#^>ϼg@Y)u**IiqF˞ ӵMvYyD<'WY>Y!z+ҔLq q;m5UV1K6tbT+Q33 ;+K@NRᅈ6PT\: Zh ,S]@;#R+h/TxЀڬR1If2DmȒ= Z-N6nF>v6fJ iQ! 'tFJpYkOyKVWG>jjZ!^IOSqb" :fTNP#/ʄT7+"l$!(i8Te< $Χ5#:/r, <x#dg|`N %ok|n+f9}wB;4 aƏy)cʴL@s%p3B94JC/7 r[$ }ѭl,C7|.$`D'G Uu]ebO/+aÙ8u}[*\cty,#`e5߲G]R^\>Sm'Ji)ڙY8X?{ Ns\:v߿a/a4S}1rF׻Hd{Kݴ\a`˛{XHFmø sdu>Y_w$]red[A^=$ְcV]Eq7yh."iV'TdxyW/coԉK;VR"£^Z|!hcALb=ZҞ 7)5 TLU׻n6dJ, 7 Q5 z:3 3; &.Ul'SZM %Lب`BrFLJԷ#_PgA= sa35^ Ek{.2Q-+qT=j8Ofwu& mmxa5;a9k8(ֽ<>Hq"q@*z0JRoӻ  eP+ͨ@;&:\qLB%hjew܉톦G6Sǔ3TLY~v,$uǿ$z_kKnZB\tͦGJOEpD cViʖoaH1-m |^~]xR6$B)E2iE]ÓCB$ޱpNzV)̆]!}ـu<d+? y!Pr3c^N?؂U3ܝ;" N$SJXa.Ez 5l@9fpw-~~2g0rdH7{mĦ($lTcsP>SߛEA0w+Zq\5ƽϷ'dx`3<|b3#UY0ga>Q3Ts gY:qaQg Ľ)uȵ̕c~B8ܛ]fαo/hH/6t-v. Qm2?u+έhBUUSȏ.3`MtYZ%{ꕖ%zƣt›Xv3X2I&3UXCdAn O7)c}grk"u7䧀n6q\nd;GQA޹?bvEN})kSɮXcg_ :>S.=&)wo|6٭)K9DxJ˼GaeX<p<\N~ TG'5v?d,m. ZUU QPc;{6ɷ(6u:2[c#nJ'߹.D j&q)ϼX18a !>8gP|kY9 09dg=@KR-Zl~}d e"ܳzc /S4b؝ )j۩΍ؒlGm4k__pPnqhpu-CiR . d`R' qW]/jqN^lqscRҩey4oq$JrbxF.iJ 5葃r2sti ZF/AűMmH܂0!lƸZ-ӘhVZPR?;6~q M91nJc}9ޟ亶DI \iqKhڌ޹EqFbx_?#wLZРˢWOrR'< ixe ܏a(4As{]5s,F{Wɥ$Tw˺.`5waz66BzAfP tfrHY\Q n- 7E-TO%Wc"^yP5s5z T W)hX\i9eM;na)2ٿHOOFM4syL' 't%L{M UCN1e{!ÿLZCe:ļ;^=:/ȕ%Zߺk$9b-81 )5ehK#jGq7+vW*_$!'T|\ J(؈Uy " {ShGȨ9*c#PT{_F׌F-zF(>QݜVFMWO}`:ش˲d#z ;ZDś$ܹ 7(!D79]5ރ3s+ a)舰Q 4B fMkL Z-ToemoH nv;zjm^(?o6ܳ&`A憳a6Z-qa}OtU,+"^7 CS*9meUOէ/E%%LL3'R&{neҝܹr*)n k6BM!+T(16QltV9 O}<~`7J9Ns"~^}>`/QKт7&b|BҐE7VS{ # dPqLbp:b8h 7i; G8Oxh -Se۳*:|$dc]bm9ۦIB@F LY.@<)(1SyLE=Կp(-;( go)FG5ihZ5UڅRV"G L~]䦗KSݹ7d=rvg;PYnwĝڨ|-{ mTQ;J'O.pcIk~Z^v5:7걘?x;"}%vり~0{ ~ )dʿUm ɀWM\ qyƪ|"櫮S Y g%:a [x E{ } NjE;3&Rr E(S&yk宄NѺK aȑ$DuoR025$*Y肄DV~ @D;ԣ蟟 =ҭ>q{A9r?TWDKXqnk+Ÿ`5 "J_zs>=X XK i5bjF"^V,?]ͶŠ.n#ap:$1 0NDP*$s޿b7&UU0: G͘n Rcӽ7nz5ٜ?ıfL͔Rk$TPcTT^%{?0J-嵏-3I'34{<e'Ή6v-X1*,-YW[Q64˥<(GE>^|B )~{|PJd{J4U6U-\C׫7'L޽4xH5+Q9<ڧ.qNgCch&HqIiޚ;f!+`= x1;ZZ!/l cRe?D}wU3k}xB]ߠ)1@m>jyeZͿY8WXcЧxpԭ:r~Y;>X@w߰oTFowT$Ͷ8m PmJ/}DX+"ɛU6\RjYAo75Fr >L`ߏm)˵ ;/ӍM@6J|opKȃ6i9цPj{4vUKl#CE0#s pg,j<<X*,uiz;4<-jZ X2 wLŀbX笱Dj >[_q8j+%M VLh4XUF 쇛~Xe2zzA2D3?k3ȣ. yKPa*YׅX< %?S{x, ba,P ΢T>9b,rJL ?En??n=dn鶚e?`S3b3!*KFzʊn^(dzvCP$5\&CX6@71]*g$RiNT7./Uk\֢?+[c4Ρb1Kʵ]]hiCv=zg=ק\2=zE rG7?o*KS 6_U#{xԪNw;vlVLG[*=N} h{Х]oo@֡GG<\؆.}h2M};S=r7w?I@["ɟ(ɞ4kJ8"FtbAϼL<^P>k6~U68E͆ɷ"]-ׁ'b|8=רRs5XI [ZG@494|&A;ӊLv Հa+Ǔ sd 4&Fi KX dW6q9' d}iԅ? jl~(,0fwa W@"ϞዳW^fckΓxoԂ7%'"4.EWȱU70nM5._!ALVle&$ov6 fw#:l" .RSVuQs( ;T*P~LW)kiYF.Sh+2rJj0|P&+z,2D5w8 ȶ7!=+"??FOΝI~;+Nu_ h;wa69f)e-w @m܄*z ԲQiQ@߅k3~ΥH(ZC|tPea" :Kb '7i~n^'$N/F:BKwm".ȚCF"f_ !'E*yTTE&ڈn`14c3=!7"`.zZ ]c, FO7ޓvF(@`{U8UPTRE~X83 ʢN9jwhp% Hӡ&kE1د0mRI…J/{xtlxN#v>S{o+ p?3\'C#6˲,oOy8G%8ɍ>/H@2'ڿDn` hsˋ<~hϥ.1䑧Ȇ4+F"p1rئ[VFĝZ ؉|=RAߕkfη:D۽cXWu;,|p9Ja>0X f"ͨz+ ';IbkH g" ht =pCHP\ȅ#( e=';P?II'E%gݡhcuYaɬ0T";ͺH9uq UMi `h9tp)|vmnhI\0*1N|Ikt|}EI mQi&4pu89v9iݼ#2̢VgP@%+@mmHhiӖp_D ͖454$ml!ڪyEO;%T4%4Qu 5}qRCjp`y7M [|@%eG1ia: CT7=[B Tl&ᡥ38arPY19ϙשS j'R0s X40ɴE+K w#b BS o% @L J [{Klvx_bpVI_y2@ $o,uc6cyQ k_oP761E`W,#/ݙ&@ߴ=A) Bdy5yFcgM]1~EI?/mn^*H΁G,N 1jC\}SП=‚zK* $dI=wǽ|*&;$U{}\UU='_X+u%%>Qj`և`CÒ]TDӫ9Afa3F1=bXN5i&0"Fiv D,7$ &fsQK弟- o19 iNj)fe PJ*IIULC/n鲨 y++-On[5.c4KgPf AX9LƏNX)}Ӫ YKW6C'{zݬ CeluenTG'j\Y{H#7~ }r/f0O\o[^~1燎T% jl_D T<$Zd$Ȳ5$9%|TBˢ T^+s۬f\,*/LkBW"LtTĚKP +)Dij{́AոdJN7{(*vƼ0RzS>aU~$j% &o< !FrM~z)5Ȋw­Jd P\0ߗ`,U,6^[%!>GX'EavI{q0SKזU.ŢXBR"H#<$EO{.C50,^a| 1{aR!k \ү#Ryd^n|8⋘IV<-q[1S`?Ko<u@®Q*|,sJDw8p֜ yӓzM{/癯gB[jw=.F,x`.jߚ`|Ehf!f8H\JҪr-iS)ZoMq˒Elz htbqt420,G$ ,"xUSKP"un)Ӏ`vu^0*Cs# cu[R*4>b0dd(Fc3/B&aM}NeʦX(oF rhw03lj(B̢PR^i̇D &RU ʢH.+#MsS8NiLvr6Øa^l͝bɎv-f*ӏ5AouD֮~Ig^=_77s̜ 5Z,],YSg 󠔄fOiL>Τ߿z+l$U }6(mCc//ݝCE&2Ϻ3 5a`_E3]?F!.uI** QD2+iif3΅q!t ʑL znw;$@"W<ɌhF[ iiTFv0k\R:-21' |MΐѧY utmZ˴;j!lX*Ava$#.5Ο$&\؊D"bߛR%}ԥyhg|#I)MX~7-+cŧ_ ~%!Xa`BYIOjr0INU]3 9.۱> Htwc?%vDAb9; UdAswߪ(bHXZq\C՗qg+;ĝTع8Q^VQ}nA}e^E2}=weeԛ0Йj1utQJӜ,7W2Sx)D!MUϥҩfs\ݹG7j9Qs6(;>jöDžz{mSmG$s(H2Y<ԴFTp+_tz I&iJ` 6?G%Wlл+Pn9 5;j@7nձuؘAN?W0 C~nN: -& dRjR(рż,KאNծLT5.F*!fҋE +F|n|Okm /Ց6Ч/jzPy Za૦kU&.a-a>SEHlD!8,%pɋ~)^ -Z)st"Y,*pܐuʕW+l:=Q෽h#С9_D!B1`YR YPF{x#'z|-: 9 3=jZk,g a]y(C\%IN>4̙x#;)5?f@"P^w2 ;dYps J_y7ߎ}XؼHLt5?h D[uz 5!*݃<~!gZ-A[wD+s u xL'Kj_dWu̵p5}0}Z}lG.~> j#H6Jr_Z;[y&kf Kc.`L4V`&˥ueW~89W(_>DQ9>aϱعɅ9h}̟xλ#h#Ғx'Fo1^}guI' 'ɦ&%Ғ?k~\5imuد0h\'vQ|&zMWCm3qfTA4w$}ӿʾE3 ^<HYS.LLN0ӺPs:r,T/9ρ( ;p !_[ -,se"j<Ɍ_s#,öj. ovjh10A((iih[7>`O^x\ì oM5ذ2NXLupy[ڰoyif`^K ԫ>$% $tσTW9\ –qY aX] xIV62b̻GϏ И6]+ȶƖ~|Ѕ2oyi Q"y0?ۼve>LutFc(e:ty֡tzoYڈ{7$=|  cE촡>V~' |靅Cv%^'c6cklUBdzT3t@r8˕6&tQXțKuOq[}K2҈u֩uo -X_",{ ^l !6n3j"?SQה.RΓP !Ջٰ>i3:7%ڂHVe5#(.͹_)N1HFH(@.-.,Ԙ[+c|L(/hpax dgJr,26 ;%2jM_@͊UWtb(9[<a*YT谉eo5TpA". L $L 5ia#QhsQ*U(: ƧЦas ̂8 HKKD{MH!މ='z ?jH΄2"Uvde;톞wv)Fcqñk{rvܬ\:C\JO\hmkB@Z\GlwI&;\#nqyjp譶k&2k;D+n˵lgZ3mU q)|{_G7 ]xLbf/ϱ%J ʾ2f4ɩ?Yo~ 'j I3 Vbp X^[9)qaÁ傐) qН@D# eQxLw1 +!k{.0v3)+<2k- i @s$|kC.-cu,#uKQv  Rk-s|,3ס͊ukK\/'T80]$bW!W(] l(څ!ٛ \9tDY\Yd'e O6^}o"WRM~knVzdNB| )Pǣsvuc aSa>ɻ;k2 #e0`\y2=%PGߩs>Vyx|zGƥQcU4RF#-?t|ח9ų$ix[j#pír /B'|F}ǬָJ) 3anNJP |; < Bx=xu)GX.B[& <]4w*o)O03}`R*|Aᢧ}L7X%Uf 63>q~т@nRU=4B}0&IrV)*[6bH hJT'zl#3]"x]&İ^:OFOTgb|s".bYsXw+!ȉ)p1h +XF_7Mȍ4́?1N]~sEIy2їU@c+Bd! %O~!Sm]$䆱_%_yyٍ/pUd'u$!ض)MI*`FTYH ߌ) (JH`QTV|6>De"~Y W`JȥTr퀻6Mm>R|,g,`6Y\Lyv Szo00CQ}Y'Gh Q~Aڑ-BQd4_hMD-Ɵ]xQDzxkCwjΕhݧ1N`F%KUc +[`LFcyPo,{yps DG! _S^>~X'F X'3cg6Tߌ5hq!`Rdt0vv5PX|3@]dv M&vnNbJ`) E]a pKy-zNSjN"=V} #zpP\H!Uox@s:[8Y/|)hMao)L櫘$=@݄AŞ KP0CJ;N_$a'XΪ^GwLkƀPxG!*ԣ@)r\6I3%3deᙺxdJ+Q!:`yÐm6&YHpᴥRV=fX!Z[ n,yCY"!ֈ"8۔luAZB rD9g*0-ݼL3S ڠ<ҁnzbiddGޟfh R<ۣŒ H +h-Do<~e;pB7̗P(vtWp#?XCxϗgZw,;jТ!G6b{@g DYmf0Bt5{+<_8yc[9zs9=p+Yk+C)&6F ("$+Ѳ#pP۔Be&Ej$l/#2X1+hN)U%9 TEud; tS3oz{F]$#ՎhLK/CfIuӜhICޡf}dMcbCԊ Mekӭ+&] }୭e^bաHPMuUH_&_Ğxy|}ֲ m0α2WoGaADPG +0af×”k<*YJ쐓 +lW<;nGg\We؟axΏa6e9m?+Mېi 3YtA) 1ۣ%Ҫow(KMﮌ`VA> :WzdDGo$ ;LYdChםu\_0q;_Y&<4IqS|!]#iu9V mƕl'6fNFt=Jk`onkਫ਼!Nsk;jx溷Pw?Ck{|x k-Vei f c`7+_16/Їn?CPhil8 2-Yvw65=BIҩAÝegPQ'j/c ֕ح=_ ՉmE։q5qY5+GMw/0h^cj*,BFWգ P:O"k1E\uzsjk=tވ-*axWa  f*o%BHc,5́[_0$q_)cIM#X d2LztDͧ@B\"bˇVmѰ2+.aUok{$;`ϟUA7\0d B^ #BTſ#0~^-l놀n|̌seUʼcqPNp#"` B!>ֽ复6v@2AiNrVip{ QYxz$Tz`qFe-񽼁_ ٌ|3[kB/?lzʸGEi 9$ca WRoo=sW-cCDfRu{z Kvb(Vsن:Xb ]GD-zYD|@v/cInHʂ[VC?ߦ6AF$,ۘLeBP(,5u7a6%+JGR>#:ϫ_akp=!Xd)-hl9MJ>c11b܈C3ڑX({&+[ssi.+1!:gk)n(ql?, I>it9$O_CYRmeapU>S>#Z&1ck VHqRנp?yNm(42ǝ0R}Df^+^ʐ{ 8H) E^w'eh~g,,lNYIPW n'am+PTM]D0վ;1bNwPŋ_0Hs[@)¾Q@Й5( P݂`oCH pZj8<- SiZՑmAC)7k9նΆIBN("?jC-J-@٤'}g\+d|%rDd >(5t񒟆!hkxXP/  LvUtlSF}T_NZ J 8f[E9//\h|¹'E&ll99g)X~M@v' a]fq?TMvт~_<1s=J_Ӵ;=Ю$Y_?W?Gg*"P@Hi̠^UZA=Sǐ,qFQLDlJunwi%d7 k7%;Y莝+@eST(̩aw2DQj_Yrjٰ'}Up> HfeDk{BOC 9wG?~,sE1i> j`N=:O~$xmi9"dzͤR8YAA}#UGDTs|PvJ{j[p;_椪ۀ Ԣܥ^M$؎rh$a8 r;Q_Nd!G`aw|ioqŹ0Ց8'/VWQ]Y_8 u iM>y&7f@ r~RhruHӟvZ`OUoؗqE΄pJ۫떶p@4 Q2W20~S>d/_eRQ*jx9]o$ZwcS=;ck'BBW|bCFf.+[~u9 5tm`kG#^`Ղj 덠:agGZڡ:.gL=0&Pp#s3MRUiL2?81='; }_yC,|r]W]i<=m|t#6jPqqWj]9cPj=ښ^OSEtefe{] y~/󘐾}M`Z;2п5.e)3"FC`_$1JJ~3o)'/b'h+V-jESbDBwA2MNma}LCD:v0:FFW5䆚+&j'IV݅`V- 4AeT?p tZKSNG+/H@qڰtP΀5Q>`a?ƫD˚ϥP'e !jH,Cşć[?D~AeO(9`nv >ke>.FhŞ& 7k-.x4_T{F[QV;r"mxiMfX* ^o=Zg]Pujɇ(o9A0(QDn]U[D3*ȨF@vxLbSo4G]nP3X!`)[iW #R$XYsr bBm)TdȺ2ͥjHCOr5T5?$jo%9Y0Ø+ I{X [FdmE 6Q J{{tٴaDw\n%kQeѶmY &[7l;~z0>~/Wp6y6kZ8GJK|yyIx5M ~/ `=%3'G=qU (li`Fէ{5hW0OvfGd`j[Oy CR>_) 6MWpt ©Iaz`@6'pEJ(r+>H10Iי1o {Cэ.dhb8s'2nv'BzaV).X)A%:Ř!Skq5m,;Yw#NIa0u6dzTZ} DD kh*XFv Y*Ӭ$\pRSs)W;e.oj4P_4]Zc֪#L/%_Wd)GfO&\DRٻQ־ݹYnPԟg~f, ӡvGIa AJH_L#! Y#;I@.3F+g&mtXV{Amƴg(v DoA ٣ݖ*HgFtʍAXO>6IއU*0j X0qk']L=7_$%,&q= \CK$Y $SgBԷl[~ wR'cupnDYifodZ܌qqe?? iCYt&}CxLYJ@b?z͒yE U|ݼHBXms#[Pv}B5W)[zF} z ŗZo7L~ʹpD%d߳^Zt WRj&Jwh6&RVi{:rFY2AN+? |ydؑ-@b',-5yHs<~ɦ.Ro#^pZ:UJR[93%s,D `h М1{2:y6;%[]{%!;B >&YP یVxfo7;؍MM%PiM)2UAuU3& .rScsb.[^BY淵K 8X3{y;!0g:\[7NJ \q'aKcU&΄ʓ^O(u oo!!HѼLjbrFdMgo+֋Zyra|^uT]R{)BӠIclkkEϾbCS>(Z@Ǽp^dNdos 4XaFT 3s Se)cxGV1ppĮDy^ kr,Yig`rTQvcS=N }IaR?Zr-cG?TTFLogSrׁr׏l>ǮIuo[䔽2g& -?rL_U|*Ql1W*Px ƺ}fiCOaG_6(y:=U!52,$ĿP 5(7ms3Xε۱9Dڂ0X68DFȈ{F?jh"?kWyAqVU4a>3U* wj]=Jy]ӹBz#g(=Z+ᄪlQ7_R->[XF7QTm@Gĭ6-r87ߴqřfu`۩6?>7eEp) [҅3R1;CG!ӵ0B6]a;2WNx%/g\b =3AO2|G@>=6 PץT%API֋9þ>** w _jtg4Y8YٚkVY؉Fn `+/T#ǝ,K@OomcTYE1 m:z-{b7 WlPvuNh/"pVIHN StGӟx MvDS3[ cP! *n.jA*5qmmNfeQg=ؔ|) 1ulOSnf4Q^b?9XBRfF I)!_#@^kohgCPedg=E\* !iA2E'eA(Ǽ m=B|)rb0uɪ9jNR63 xc鳧2Dfcǩ +' Kg!4HRx@V]5-y#'JF?H,ƶ%b@2VYw b J}Db,σ3 (k9t3Ơ>YP/?yL5<(kX2Ba+|a\Ҳ @z4R(ViI.9IvGq1]{8 :+]3^Nk. PܼSyRPV9 {317گRRҜp@osآ-M5 ~)xX=ų+7D3ѳFd cG N<bo?Q41e,JY튏ZF"k8Scԅ&3[sTs+Ak̈*sQZv< D4qβknu5,xY,w1"׎Pk9o>w׿">x Wt (օzjW^R+['i TA+I9iEMU5es Oa[sNbP1nD*?T|X< :sV۳'b%cgb\(ﭴ^;:16 847;r[3$ȄǷPU{-cʆbso=clJ 0oZH7|0 %\鵟d8Ew;g4wZ'2u<bk2nOҐ66ᰞ{VРq &Yt x3ZWPTf665uZʌ1SM V-H"V=aMR/KÚ{61lsJu6]oو;O UzzӉQ֔4"XsOQ^*}/~ZEhPz߿]V U;LL 0߱X5i0JY7|%}ٶُ$4$:rtث=xn#>dmw, A8*!Z)&Y?L*>3PI_hO(2L;Ǡp\zIB3ê epoOHSanmN-ȩ,8.JsnB&8&otQq;V|TmEβwÉ-ÉKUS^_ܹv @h\;_!1ZH4H fgO(A~u{sk-nvQ vї{~¾5H*0s#&dpF(dS0Q̌m7 RVlxMi/P8`Se Yj޳@U, o͡բ7Vrsmy;?Vޏ)vh}D%ڸ6*룥[hRU$$ߝ!gc^FxzԾo*o~,He#}MK@P:{=~6\^@3T;}[ 5t@_pzJĿ1t/{t!Dϔ*"'*%'3NfsOKuTA¾e?*, >R}Y%i+2.N=7P:^ Œk[>6]@{֓y|GF ;Ȕ5 SF i ɆMzdqImA3ll>ch?A?fg:@s5YEF]-R/HykF-7]ӪJĺU$?僮_;?uo74WȦ`iF+wjQȕHG.OR -GMtwMt/ْ 1>5IG^2R7bP,O?YWvBm#V(p*gLeʽ~!ؾ T-br N%+5Mf ʞLԄmx^i/r ̔_eO4iys)99V%E3E6u[ zQ_=2mG2ᡐTgV Jo/˾hy!Ӫ M<>X1^>C(fdD,(J35C@2 Xtt"8~jգI Q:)AJ>Fd";3@QL`ƲYQnXw^62$8c '7t/U>IF2V5kKʹJmÁ_ݱÍՎIQyk{.2zuW؍mczJ<>.Ai"} JQK#wNfp+,EL_B5$eY 6RI"Q#)$JZ]mI})~(%lSz:]Rd͌54IkI'L*Bi$BbѶv4Ra#JQ '  gWEֹe M@d㢴- Y! zN>O{&i+?o-7Pw2Ͻ-WA :qj޻l MCPH͢@׈mmlA7D 9y=]cy&ʼnlPUgN':ڈ{YS' hP QelrcAAՊXGReWÿvޚgCO,Jm  ʹ6?SBwaؑF- Z.~ޙz'+-cj|@#ݹxy@I w,Du. ]^ɕxEK'kȯsmO/c&"4 E;LAVbЙ6Lx}I n<R WBb4`Y%SMN&s4QYR?'}3. Bvju SVO׼:ZL |QDJ+g)hPon4l/iZ3[%8MVΎZc]e錐elٰ(Sנ׭n8r/Ve53Jeu|ú_TM7+d9~` wD@c:py;)9 yB Qr@30S=SL<ąFo@Ȋ-[S-rLjvTE6v1ihި+M TyBZ"R%y#YH%`d|AR1 c x!Kb=IJDw?f>A=2ftd{Є}X?E=xPL+e.D߶5>[LI k}D[l])] Й49-CwI ˉU="j]y`C:^ y9θk)`*!>j@.8g'=k"XSḂD<˛Xz)W\* \gmr6{%jyuݻ)27qꛊ O1Q*:JIwN>Bͪ7+傼o!xȞ.T5tnx9NQ;m*~5ceJʙ5"0_k fş1 kCZ0f|1oq1Jv֗R ry#_/4|Xh݃\&:bh [e{}zA/g Bv][|dE S3/`6ʂb\"kf侤3mk{'澊W }18?s 'kE5`GHh L$ '3=DfF6Oh׾m P곁Է,jȄ*kTWxٗb,3N}Cl]&s}w ?w˶H+FQb}Uf} 9.'lIfUy`1M/W0GgzB5YynǶ}PS%aCJ;Ny̛R@b~/݆T3û'QjNM1g(;P_́4g\!,v诒B0HCu\:+ JI88[ÆO|"psd,)x@;vC7MV60l25~4|vLVl^cU!z&`Ũ"?.R"F.~/#WUd6gHyu/ZԶvzl=ׁX~vh N 'xg c ]7:b`U1N]ȿSܦOhDvQA]f0ˏwemq<g_=pT66tۯA4\W<2 m!ph1z91N&8 j_HC:^ rO[.^%A*-BxivݣPQazkyum Tsa%l kCk֎-O"6^C? jt: e}'~JzJNW(6y!x=D2Ay_Q+,O@`#7Db:fY#8 %o]LՒWY!3VTn;n!ې8Ug|6V䶭k!SdډTl&Oȃ;q+A-I !/29PiV Ə~m@1}'zn8Ω^O@-ffJmE0$\ʭm')C 1s]86mmVYm"@ SKon;Z0)拦ZID7@ N!O0[t_-k=F;6؂ itb,~*Wk% T/ #-p廿HmE ڐƧqqtK6}Dnњm>%K4zU> LN>H*^9X\]ber|&1oG9ъfԹ37({d螆Akybv՗c&\A,ZܧgA>\Db!9uݟ:DFqfg -k<MDތ жn@rڌpN`(]85%H4ם%;Ah'w`gzEDX5VJy?9EAZ`U(_Hb^mݯ!rӓXKEhc/[kͨ"G@";uoȽB<+^|,Vl_3N//"2Qg4HY9IKCwd+Ef yF_ LcJd@"gba{b0܀u0$ nDs=-s^"Ok K;$o T6C\2p[-4b7k@!CZ6\/|o )\U{CL~ם f7Ǔh(|iS^! ?W!;uK'2~?TA m":џ,SI'#VQhj dY^*vzǾ*f=i>!?oOQ-<-9:$s肾ws_>|;QVw|>U&96zT "vc*6Xsm! 3%#ŕhg %rN-شt~A`93 \-Sys;|4^2?=VU\`5( wUr8i0grN=(A>`@vq5ywx;DѱV܂j7Ї5to{TIǭgɛi(<<9`6TdzI E0xL7ZmAt $j-5ջ=2Q ВTȩLi:Ym/.ןi^@.TfBrvf?AW*t#ds'5v*%ciIq=HQ:' >vITB 3HG#‡vуrk4 (<[ʜ@~qBD`g̨hC'eg1}k돜74%)ƗbuJ}E>xiH+ym!Hm'\PkW&}-85Ve~{ZO gv}Sz 6C4MAH=c_]'t,\VL, #z=DFG`9+ht*=op Eƥ|]NWz(jc^[0vi@ H| 'h>E7ɖ&vVrIBF1а)YY@ݟaH Z^/C!F |RgSBfgs#G/ LU~Je9In:mNz&@ffz?IIU)܈m?ZԉtJ Y/L,&\P_NneGrݓKMP3 x9I;i0sI1螕pJ<#`Ub2/^OS@~}W~ KGoboy{:2H,J~vV3sEq*G^v̮ JyuO% * Nի~"-!Z)_3KnȨo^4ƴV>MHڷWz¸>RWHdIS>st\;"k' uX8/ J-Dz⑸ZACxt֞)*& '$oBT|ӗ-X'\f 됻Em~[ֿ28Њ:M\.c7=*2HHF[JTJW2R4IK)څj}b>"y5H+2yd J, @;ֆ R:PYꑘ{bb=*b 5^F]cn윚}?\I;VI\2^nͳqPg|BCSazŭLR491zɮ}mZw+`«[m FPr1{FѕIDSaoJ/f 揞^A="nwq:!#:~+D14w=0+Sa'~%%} 2/ ?i!3\Upc^/?گf1K*Z,͞]R(b-;ܑXh݇Z~+G:hvb~fH?ח80^r"Uݛ+iU]TzsGvcMv.wvlod9.z*9 Y H&D.Jsu~Ԇj!S[ SۄEh# ^Fg3S8Oђ#- Qܵ&1P z fS{?W#"wXу[U^MCb/o\޻)(}RЄ TYlSFGSn5iQꐔHvdCY+C~dD'F<2{`ʮE9w=D#b^XZ|GE.~e7 +-:5Ƃ$}3Zv3]=R[ <.HVat*SNIoG?v<* "J *Hkn0) <T@ѱGf=ZXzPZ ZBs2T>֌nĎf6ʔS6~қА})o煭\QoEh,ڼ4K&e(+z1/_LҢ))c 8aq@ 9'^GkD}x %93Q=Oz 1$PJ+<-&qy;@(LjVFWX#eɏ̞QeB ȑK]U)kͬDžt& XNxi߬,E-ֿI d(ܕU:qNk kh Z<! ١Ԭ >_y~_%:'֕JNU_|vvڕՀMQoi{e qA gۭF5KΜqF&[=,1V2gj'b} $=`Yq9Wz_l*yjE¬WmSqu&)?&@^ 1GnXޤtlS8Y[$^i>ysck[X7p,F1Zh<MO?5]VW#r~9?b/(8 u'BBc&-mi+S>;E@{; giAAN wu"ܜK;8t\9,I."(DZMPwS^kZ2) Rf% @ qWv0}Yc~dI]r7+#S. ='QSu$h@sH3oic뤦IzJpA#jPs,䢀 ?Gi LX]vkDj{rA.aʇs)j&Oqj: u}hh+tK7rW#D u׍^@Ȉ/^PDiKRbZk3lI _vD(j'uQvud %5(]inSȹ,K$JBG"+Y&FBѮ :j~=\4R#n˻9ҿe~Z+k]XeH,CN(V%'*HXʹ4Q$ sL"[y+]}Nz=( LXjqF ֓yW>=5[MuEy()*uo7QOs&|S}Uo;9ѱaUշl7Pim3kgGgbt' ]7fa>֊?Y;;bEMe|+HF5{~O=J<ƄY *Z&*yDq#4hU쀝`~6,Senb7,|jcuF2* 0$3n}jZyI̷T;7Mˆ 8]F]%Z%.<82rx:$p{mi Gf #_[5]i0] Oz7wY;*̏%!̿686|^fTn5}jzz?*-JJȞROM(*"*%넙.A كE󶄨<_5_kYv7v|2AISM0Ců&{':z}V!T:v139%N3DaBr#.ķl(l{deg"6mKWG fbsE0|٭@*᠇9{D=Ύ}hF{wvyw]q!7B^T?/ѰxB!d+1!r{:*ׄ!DPy|Y@LBqze O:|F.K nQ#6>S(MxSP߇1ο'QluE-1|`4SOZ1InWj^z[>$r'sӋjȌ*ݲAX W3 R`Q*~,m_a'ysfQ|,VnVamEl@&-0[Jf%t 8u!-]- a s͓ YCiQe1[ճ'LͰv <6x ͧuJXM6R_[,p{R "TP]$ȧo@:ZV=@{:"榁0±l@[Qͽ~3*Ef9yݝ7Ƽ|]F1ol4g1G#f:BDjSJ9`9C~6zb'e_vtVVT1Lhݳ)j<') o{=xݿ Z_FpQ%ڏ@5R+U>Kk3CB_bl[XPC/PWoS18! c΋ŷU}@8S4@ U?x/@'q˃.v\LD}֠?M1}~] ̫w yV0fअMEHXKY9O4j-.vj,bF:'v#:fWT}/FKOb0y@+FYz$٬z%qQGECOcL:!ϋ}̼ J|$nܢӚԸ9Ɛ1H#&}S>!HIHaBh]R+4m3ǡ$&Lҍ!Ü&q]۴2,{҄裤opU֍&FY#~NYG0o쾛TڿA~hjh(CJW1;᳔YB`h@aNĄWRS@~:)TraO[#dn`+xV +{'/Ջ XaD6O%5)S޺g?-P1Wً"U{zFҤ)7"H8j Wy &尫\6 0Hzsk.eMp`iܡa6bEdjBLU%L"WvHZʹ3oOJq)ѕWydoE@gؓHVk gnò>? Pg C Z U<(APpRy⁶HD-Y8&Eʛ (XI-liN5) E"c9{{26ƘwɵK\"ٌJO̎wHiB5t0]Ԑu}x  v-*޲_InZq~d3~e~g6KfgFojHCCr+v\hd*nު[ N$ƣ49X`wPFۜQ؛Dq&ЩڊLQ) X߰4eEqB|W'SQ 96w:Z[>"x(ZA^Lv.9yE&y0@KC*%+7cĮ̚MP*U' ך89qx Bh֥usk+V(Bp,”[e"#ShE范aݹ(jч ɕ闡aSwG5Mm\EM~ßh.kzxV ),^}S(>nɥ٭(߶gPbU Nbm{^ D50CH9~HB^zXRkj`'ը8V5y8펖E6hd\:#˿| \pjM` *eiFZ#oKקal"TS2~5bY-i6Fۗ%S6HpͼȨ| zs \DU8oMbcRBp/kXX "X+ S[L7uC9&矾P,TDP)^y߆Щ K H$$_k-G[)V&˝IiC4P[t!^Ao8ݍ01WF>ݦɜ~\l9/"y V67kjD9=w&'bgN]1bCm:_'PhwCE 7{0o+53&KULe.P|P'fLFzs{aR[UZ& o_¦ธ㍢mIc/ro1b }Jh{q!l}?N^Z7^۲.U&y+,Mx$oSMooxRv<7w{8/ .Hgπ=VE>KLl]6b=‹p =SH%Zyk:] V^e$jUP4eGP&0"nг+#xN9Zŕ{f5hg]2T14oASeJPeЉ3^Ct0>w@Ss)MW/r|]a(s=?0o<qc<]. DW>^bt]G7Oa8i>//.BWXѪ̪Pmc."AS &#$T $Pɐsp٧m`Q(J"tٶah.0˗Pˆ/::#VXL[<C!F¨7Z=[U/ Bt@=ei6`oZrɆE5Ξ6nv&7ZQ*T2svx ylc|AMk}n_ )CtDVv]4Soa^oıS:<;)'?0q9t{H*:!^=jk?dj4tK* V;ꌗH- u5RQPpo~4CӇ@PS K|"?#ru?fSB ]`*MBp9u6$a9:O=qxZX>o_l YNP;87y 0*2H1J ^^|y9Em jn"5T;x 7ig r;Q"X݌qqρ%WO1b+50,\&*>GZ1PdC1=e"-րSPFR'zh 0۴4%l& aKcon^R6B:+_»'/`^?9פ38"aou耽Ww R'G5w/ovHFBT\^nvݢҐEL3ct#q |OXhd*z/&xw :]ζG> T疞ČkU_XI3=DT~}MxM!en+e(hw71>ѶΔsiUB eԘ{٘-ղsx"1@/˷To[t❀ !u~J~wM)þ…w],e!+\"rTMm:Zteq ֩VA\~շvS27kWq|!9zW`>ej{,ڮ1]1q\-x !.KG sm_9>"s D(., ͺS?e`H$3-?'[)n d1O 8c DD_,9(JIz?+X QC i9#hzPEwY6; KOIBf`:lV%t 4Mpq.W)0kqk4 %"mw_g{jS*'6ڿM%fYltBRe\!4%0 3-`yl>N{ 9w?bSw!"9#w[Z42E; wo }\@L: T`P[B#+l<`jԀ .Ӫ A4/o w҅fUs1K,=1 OlR 0-*; '[6YRچAh Dcoa<e}yjD_ Y!0J9?1P.?aB|5n TT?bzN1!`9BT6b6eNoKln%??0⛫{;Q{rm,mrJ]oME̋77~3Ð!1+?mQ_j;:j:Ck1Rk.[ n96sUQ 16FJ ~D ($#嶆o++36X,t iga^T>>b7xדV5xX1j)LNaH%9#y)0 {f!@yoXRmۈ}E$hCp46ɬ-+GzGCRt.ƿByQQHݳ1;>-!޳_(.\O3]T,dD6{K ##BT%/K/W \!=A~_iQpJ1>K?!o;Mj>*Ӽ2OЊJ"HmgVhCLZ;2]i;i]!7dQGR"&d?1pe;ߑhWX@f%? \76\xX>pDoEi ݓT$Ǩr\]~ju^K#oJ80;GfP)1Oq՝Qla_ DYl+($z$WΉAx`O_/\rߵRuhNAB*c{nh/eU8OkbSUr;[#T=[ͬ(Ktu-gS"1K930xB>oLͅ܁$Pz\(ջgfV*<P@Vl&&"SE;g`j_PLG$ɀ{J[۳m  2'qxN;n]2Z D4/37P9@)Z6AҫkzӢ-&ׁV(L<""O*ܗ<;깶#͌7+XS" t23WNvSG`OyC+whOc2pN%XJ (IZBv4rx[*^ũ:XM9NT];d.w]`~N<%}LũBY)"ח@F @ԋޗ}!FGO`d'h@k_g5"DٓFg8FB鰥X&ro^W>Y%!v\ircr%Kr?~ꚩC[l<̙Z\1%ݺ1vJXs'xX@1s+59_5CrwV_uuQwq6xE3Lh+n%o3\SFs;J#l qΝVO|cDocuNR'S.'(Ae(Qfa4W0i^[~,uzQ0C` tይ>ZdƳ]pwMMNCրuѦ9C'VćpIALK mRq2.+A^doOZ%E{.ux)0&C|(4٫Gԅ.bK;ӷJw6RGNvM,h_mt!X˫}X6}|řrZҜmpV\8+/)¶mz5rO#,Qfh"?nvwMQy<$Y59weX*[QҕԈ&N>=I"kspN) 7졺(/*.. R IdEZm]+u5A XبfͽI͈`eyP k:Q%c@`9l\ ,Bk T4ٵW$32t$pv:S!-7>Yws!Sbv$2 O/^HSߨPX d7qej8.ȠrCZQ|M^3]?\ÚLoL37h<͵A؆lST:jxQ| D6-Jw{wU;'t|I$r{ eŠl; cHUkkSE; yu3mϠ?;6DQ(i.,{@@̱y☪s u^FOA@ck#WpVhCfw=? OuTLiy{~5zGq6W&β:dzNVc  N-b41 Ɠm {GHQPtp{|Rܛ ӭBZȃ;= lC*bE~z P{Ztb!&: ؄~g {e|/c+a5@☃pb/<%qxAAHAߌJI waBBI‘34`p* j FD;Mi^"39O[j%* x)LW|l'\WwmQ$[yN+8cĥe=WiQa/_ϣ[YF:^wT{%=yHk -y3$-Fم[w"W6,vNƬw 줔ɐТ-ឺF[q|sL#=m CxJ8%w>, Vyi>rQ_L HA6涸-TqNO1|DuR5+'LLV 9RN c9[:08ibncbf*$g4e@SƲ/aQ 014rz}`꟞hOUh" :5ʚM[Si-ldp9HDHt~mJb:)|<h¼(0/1 Gu؍16Ĝx1'c& Du~rmb;W6*'Q0FY*:tl݊0̓$68fPPSQx-3?7scάS!FP#E/D%B$ A4R#hr.W"ROu*3nP`ϵQ/ǧ}Z8A^ŪԂJ4!9Q7=pn^IHRЉ4*|=G,`vXDaM=\ZbKߖ·N&2EHqH*u,s ('Ud| `~p^'֚3sLz<5B֑ |v.[?G]:Dǫ`Z.)cAz5T\WHy6R9 9#j )]Ɖc&m{3X޽Yآ4C %zfS!62e&AN$e:gsalsYjLA9XKrlB|86Z0?᳊&1+s`Hb͚1a cS޻Дn'08 pB9PD~SQ /" u ] @p6xgX MA\cGW d8}W\"L&z|չ@@34֒FnGSa,Xa !Πxbi_?:IA<%' ?E: k@'{e4&Z!$7QyC!΋qD0b{"$5,ƪrC\딝CƧLޖ{0EbB5GU'YhoCB`/a{Z`)`K#G^Bp盨F _ȷ\ګ3o+y'!Ph_?yWFeg&a\XD:H?WDrefqSULA`'D&9I"ՉQm7T"ܗ bRUY7͉޲:j#/BĂvȣ#/sR#) D6`}yE&Y0.3UJѨˬR0tLSV C*Bs)ʌTLǺޏWB^s2Rӈ٣c&ּ4n&UjfIZ$/@uekHTԔDd\;O%ZiZk7ƕXMLnw4&k[_<.b B( XN'ŚԿZف7H($S-d6rb"ԪX M}"ٙûp9PBm{.]~LSK|)C;$jNZB݌1 I(( (B]CU6zqH+ VӶ\ۜ|(S&r0lx}=އ5K>Oaԯ y n2 `:xaY~V0˸Cr*cŇGZ̯ 85U%DmUi+#Eb?v\<0;Q5E[Cp,*&WA 1@sd/5/vNV|W,įjâO:GRqx9f7 %w AU`TbꌇoMc`"┣d ÐgxF:xFxz$ @]3TV&/` }> \LRxQ Χp erJZgdߗ<DSޚF Iԑ%ܸ-T:ӶR8)(wͨ\)jKjc|.Ѕn) (r#OWtϒS TwP'ҷ{b=e%ǒ/N3 z_2yWj){sx=e$b`= oC9cz8UL] 䆼eB%8U/i:8 %tb N#ΖŨ&[drےf /^J>y>ߣ|Zy"1Qs@J eHȔzTC%N1+ J.28F ^T-mפiwǦcH0٤Qnk{xoC6:ȲLa8E+sN▔ːQX9-Z*b^!z 4" $@(+5'$)ϓ8 f/ C+~۱bǿfRo>fat UaťIMο&C0aF(dp3P]-rXM%4u]< i$K+h^yFvZ+7b.9+EW :J 4SQU qC$=NыoNpc/8oE#9X'Io@R[URe ?5uo+NT nyOBpp ¢e=BS Y)nRpUdn{&_Nt^ØR(3ir4f9ܘkQ\ĂnP6d{SQͅ 1G"3Ye9dwBfkg/ Q+Oxuf0UЭ hIE| ڊRJ/֕.o ruߵ. 6.ⴽ[Ad0k|˔#XQ7Ǟ>;U^.KzRF9ȏ^sCߩ[ 7iT y"(X/[A،zNn7ļݧfkLϑ``jxel Qqw&|϶NPVx.Ftt`Fzϡ0MR;$z._茧΍% QOD'Wf&a1B} >-Fd&=9%!OYGVXeց \F+W`u<$ụj|^:dAf.\dSv['p;r_k d>lk$xWgPO0ҥJ6{r]=yPp{+E^yFg ^xV,i΂qNt׌w}J_ i'1͆@b^%_y+kE8l#qwBivja\; P՜Cs`e#~0zO@ܤS_淚׈g[d:0G=cXHwphRv:,箈.>P,-R+b!{(Nqt5r?ŻnpW$j ע݋pͰ~۵"GM, sjx`nKG,W&$>&-4ZadF[rD^+ۜE`ߣQ̤ښP9bHhae040ʣSpptTV5幕kСViTН;lgxfrzW աE]Ge~R-,ۤ O  *vJ&A8("X=4bƇ]+yׇTBĈgItD^l|繣SP1?qσΤ$w / ZzJVɪZK.У6TϤ4o@ ?ƹ{Fu[`Ms56"00,/X?q.W?ѥ(Y[ ܶ2{EYB^\X~0w 䑐H,_p̻39g>(3 l#kSy P.&zڌTJ򧬁K,ۋFy % @Pzy/„6}˳ladIA81x+zBR{^?J Fc(Th5K};L[cqFםӃK6޲3\'Q6NʃSvX9r 7'F°9b%_Û@{şb.hk*erE;E$PpZm3q]'n3_S<Ke+uaz-~%7E'?MCuP24شgjrBa`J 0mxI1u&n` W^z '=F[M>URyZ6)ZFK%!;~ڳW;nr|˺0 Vf1[5zTgƄW[;|m7H"})h9{tue-|46ݍbUWzHdVU´e쪸Yc=YzBЇn@DD4T9zX8ɧ6 5RíyX8GNN|-ͫ&=TLc W3Gvr¹^ՋG-M`-#SjF"/x*=쵧QAb _I KU L>kim3 @O~ڬ C -SՎ<6su BtQ)`9[)`Pӱ ,E ?3j$ZPRC̡nImrzڀr IȺU$ 7R?<ߨjxZkyϭ sO#9Op3w,)~ͅZn}ǏLw8 HsY.]RS3?Ş7hD5OLYYE)C›S`ȴ+9MmFn6jn!|Olg˥I |Ñ8 :¤>z잀X.23V-gycF@i+3<#O\MZ؈BWI,A{*'^߭r)*4~5&PWZ׆M qx0M(=]\3UD~T+~ x"hU0i: mmAp@9j{ G꩹N zc-Q KA(oH~τx N:c\P}΃o6'k:0rR90GQnn3Y@aO7+W+_GIg#, `2Ym] ?˩MoX4l縙kgin6RP p;F5W{ES'($Ս#ۜP[<ڄU+hBg8i.zFfY8<}Ou^rdQ]egQ5ͷ.P<\ʋ]vjD|ɥ\ۿ z~|m @ &ߘ @I GKxgc13QaC9FfgD #WW؞lSI=u4Jk6 Tw Z9оESݡ|`ߤN6|ؼ&IČ3=tp8V[F}Tђ6A+œȹyӅqlc>ޅgZȻ`?QUyox`< @2 :4sN:z!QkT3^fhàC:`h}woAJ~O"CH.ЍV1›i{TuvO[ry9@B~zjC,e"%OۺD嬑myw~KM5x+ YsQI0N@(Q:HCN~+g)7ЙDen@2v8%34 Q/':ѮU@vzk9 NHYU2x_mĀ (*ݶM#p3,<֟)16 Q);xv&Ű Mp9 `~h%IK{څZucCa:ɔBpA2]_TAy6y` E&3ٌ1^}>FXϻ;LHH5^D"3{bSQښ˥hHa;X!GI7Kі3:39߮rm'kJAT f{Z7s ejFQisU%8WsqSak`B+Xw6 e˜#_B֔&zbv/ *hԁh n6ެvJGdmq5l޳DɓU4о+ϩ5ɩvjYJtJeuCW+kA0%U#3#"^+ۡl;xCF9e,cWL\Wvd:dRIMV8󟊹x--4 Eߣ ˰5lz(C$˰t`bGU/z.`*=J,lĎ4M5&ѸֈY ]'(|j\;;J rURAZH땒5R֘cV(C81(b6mJA9F 3ZBgAb/Z.r(CH;+0#˦0{ 嵐{% |fY#@.DK񜮅FD X־Q|!<.Tu#E xl? 2nFdTO (_@|_9TIo9ΥxͲ˫ߙ\p#J)F_;-}7 2}²YUC<@AucVH}q#nqQ=ҕ[lS-69$ۜZ3Aʤ7E:Wt47Aei oSywビ КNzhYN̷m;Kգʷ]㦶bަPI3>[¼ {"Q$w437()Cȥ g#w[a0^.ʄ:a^<,iAieD-Pkkכ=`JPL$~SǣfGfƜId@9[ĚÖ3Vt(b9obMT/uhH HXlR` XIyQ4Ti xq{TF66׶1~>AT ;眽6?L+<Ĉ'ZZ!T 6!->:G/{O%fEJB,NY]4Mvׂf_L0~᫘G722$#E-(Ɛ1+&+g<_Gȋ}&Ld祵8щ&Kqveާu+5)'_?==Ͼksdj: ut-&3̦_,o-?$HTzD8&/p˺- QN1Lr`RK̆Te%6|$-ԉ}xeTj@n< 룜W'Q\ 4!Iz@7o^jen b;ap -1Glb,CU7yUy 4GD5fx^B| kA{/`>n+`9L+ \zV+Ωȯ,GMI Rs4I!q"`fav_`X /uu&Gx@sVn:ܩOe#wz~ ƜD 9W)\=OFɴsj9Y5!H>Ҡ |@ʆda @J?4٢ɬ̲P5{1J@I1W h09vb,4ڭkX3ӖO 'TQ+ ,(0#Q- o@pVD~̪6yM'O2+J%*eS"_@Jz\ISru%sYZR3& {(sFyk6V7'_fʀF)ǀ;^=ZcX0穉_a-^ C_[Q{m3FPʳe'o0<sJiCqs064/ bYA/~3CE @LvaZj-D*]YZja}ޝY!f6Fƙ5~ILRH`|emwD)X͎?*u ZB zw}|9#70CTӡHK8ik˝.i3GE:\CiǕ94lLd^>%Łtvdlo}*F@u6cMѺl2f)qί`} Sa`P>~ُCMH{W#.P/o[Qf̭0iO F5~ s⟔"\sai\Eed"ZZ" #6$C5M(Ԛ$B"rhn,u#]2<:.2ڣ%tsp)Ԋ@fÁw쥠]SvE!qm.9H1B}+@_J?z>b2eD 7H)~!)]}S|?9>xZ`o+TU@Ei.n(&i!"#3Ţs51sMTHźϪ^$5RyP; ^YfeЗO $zea; dӄ)MtQP?` 96T, L!&^)+|Iڣ |D zshrݛp*zeƋDZDK$1# %D-PXdd-?/KφCv !!\w AĒQ]ݎGɕh*؉Yke;Wݑ=I_?t@7-Ewƿhl[ZAF 镞lbc'dŃ*ָynPӊC"ˀgs,mC(Tr%TCOnpܛ1z5]yԂYr-(ըIUf.s98Fl^T?ԡ6hܓ'Ov$Ͻzo Ы&|I}Mlg c8k1I:jϣ cMRңȽŲ^-ŶHKrL[1ZB#ED՝Q: '"Inf_TF0Bqr&R Z/0'Om-2i/ZKI+ސ' s}3~XC|jkChU$NS`L۬lk@= ";wV.j2K&߅]7C1LuqHhx$ɥEئIB@"ArF"O:i gGzw(ӌs$O֤U@uf;vΤ7 Q}F$_h3L}-j_>zCUęߨ"6>V8yvlP|4lęq\2ŨnDo'9aeZBXXv`|Ś,Bx Õg"Ӷ˨s "?VQ/<MrLS8KZŒ$FR";ȜepttIf.* p>DŭCn\qvzcQ]lu>,U s<gs)q!+єn: bQmuEͨv`YY_nBA6ϔ`pHkjJ[< -~;/h6պkݮ me˰s`1 OYM*^ ,BwpGrݜke{4\VH՞x1N~s!{.>w|Ձl֥}gaߥ goG1,k}I-SeĈ\@)F{ 7-ъ/PMXf&̗(z=E]"+WzS#Vv5D>ϩf"뾀l 9C'NVgܿt 5x8wN4@2RCV ύ.:ȈZZwe˜ZtT߯-KC6GDm761ZFEb=ǿd\Meت#7syէ{Oǃ!p MĬC\c l< .kLCzU0C7[%X)fsKeocaܭjy[!T YnQ^N^9]᭑(uZF)ux&/WX}jн,Ԁ}~9aIC.?-u6.}F% I~qyJndT?q9 x @x}g;at[_r')M[ Q e`6(r"R>rZ9(_VwZ<73'֜Q tҢW&'ZK3XhU U)CnXA(eS6b2﬚{x)ؾl-qQ~Js?F.r\ ߚcȒ@< misUCv;{Qrz~w[ކA]aov_#Lk9ow o[;ڃ[MV+XF@]QӆOUi( KʸN7Cj|gz1P#2BJt}ū2b-NfjusU P\.ߟgL|FȎY;^ϦpThp5ńcTSN?Tc^QX:ժURmD6 Ny?C[*x[ B@D MD?K~ND, rv"{7q(/%J3eB7CV|婍F8"d*>>죊+h&)dB?Rg!Ƨm)Bo;,A u OCRkdJ#q U P(ye>E7"a.8b7%[C504A-S-j#+OeVk=_drOV/RNqҘVANφeF-M EZ! w\Y_Lon@㩧dӳJF{:-ǟ|\fET2oAY[3H^, x3ڍ?Jl6D.0{H8+)-#7C_i=3u޺gsɹ "p蘢$# 3%.#Vlh~mqJMCb=_ LWSgOuq\iM.y$]KN/n&wS2\7scE' vnO坎1:եrDQ\eq܎)d ""+[1@<>{µ4f_jDh \~+@G]P sfu>|-s6)FqCљzDǩ7V':DIgg325V)v#P)˼x@{SlQ(R͸bi@[R]zuնWо8ƛID_lJ/#lD2o ash5G~0<[>L1"wU6Cb^qؖEwh%7Pc1od%mlqe,)iGrt; xq6e&C|I-HKuGOLi&駰hIPsd{qB~jbAXj>\ [,x,9и ?)ڿθSrjN IiLm1*W.`?~*Ro{P/ݰ1 {';kR9/avY59pCKl1'19Mw di0jL#<=*aX`$V3 S9 QXF?NbQ YBI1X5C_|\~zUʸt/~٫y dw%0CW.Ҝ E/J~QCNH.eqۊ-zpmbNue%h.=Ui/66g"~3-&dV4.@ k6z$ ޠg:cÌe$⥒ajIdjpl{ufB͏4f_M~OJSI]e):~84vց\aPX^)I1[`ƴc@ېΒ1R* l-zUӂy"gGgEw ͬ;hrF7Ul[K1Q|K ĭdFJzؕAV9hÅ3>ez$N5ftF;iNj!6XOR X1_hNE,D$> JMq.A"+"J?KЀft**INc0Y[A1̿_*J Rv)Xxm3]ϕe WTs|7JNJE8(i&e궟O6v5@}JrqxPf` 2WTw@j KeX [|Y=V)j12SE%-Yq+` E̦6 d3X9,>\z'fXV#r∜w[Z&,ccy{}ԀPR/,#IHot!k!c4sh -z)lҼ~(wicѳ=;vN]GtB`kg$ ~aRi;h2?mb>=- rsCR`ك`C܃՗~U)m KkxL$,Zj,nИhZ5`6 HcnS"bw<330XM$̿5]5 QvV=&07/cu۲ Ȩӹ ,?"#1bGt|.Z_:O٩n>}\րޞiPŮ7U>_tOKjQ*UoQתNl #|{ڔ|h')!Ќ,j~"c DC"= =`&fs^Iy cTwPYօpHح^ ^SFI9fXI&FJY OÍDML4q;3zψXQɑCVo+r}$Αk6v} !(q8#JHa{Iݽ=_<ǍDR!CQ[4k-6a8(upYa^hgGҊ(\,Jm.,Y秸:PQ `SpsetO 'a0| Iqx).XHȿeZp[DȀ |^w!on;؇#<0.Ho2ک'@A{l}-], s'DL4Kk)E>g/]\a<]C[v^XZ\Wa!9nZ ӴM*0x}n`ЛR>:rKM\漵t+qؠ`i,ۦbAcN8 uڰ JyQC'Ggǎu_y80ZgF~c%5:Af8Z zPd} ^^V\-Ee_GTc"Q[t{x%>%T<㛱Zq h`T;|,a M2$-c4V*.1ΖgXΣQԢ.|A}k4)\:]x9 QWk>XH5 iNtnt|_Vtg-_9tRט^b=!7P\U} C0J_pO#mc psKBvMqs̞fw8+zpV3ErQI5pM~!TZmq\r d)o`=(\<ئׄWVDAIR? )c؂"l*fNr[Rљm~L+Җ-ap)@?էvmd;jF֡AUzy?moU}*ѾŞxK]Cj%3>$^A [A"A]AO`N.Q17CvV!f:ٕ*ESF-=iQe#'( K4jjWG\@ 5R{A**W~ 7]<04ބ20~9{Y ELkN?"*ӔH>_*,ӳc^;衏rLmcC.r:3pP4OO7q $FZzWPщ=FD a24睟 9t7I-ΦKv\fohn' cz! n%^ >a$_5LG'#?|3#1EHCBZ-1& 뉇/™~zuZL }FM8I?f ˼^`me il:G*jjޏO[3։IaH@Qkf͞UBxl4֣ƌaȂg"jBT~!(@zɏې/F-k#j"FCAqBN6ǩ^z|gG4Ҧ DSX|^h+, 3і^W@l5E< lȹCӺ6 r}q Td {)g4~5q'Bk4;pEJ{1% οCʇDsdx+Ḱ*\׼˽^ kD]vSo#2ygQ5xT e$ir?T9.z _#W @,i1UU)u>PF]`KlcTBkWu^TJ7pѹrLayvji[s0i$GV:WlXpgkptu=;(Z:/-1)h% 14)IctsT%m| ې]5L P%~P a#FO+0#EIY}>ZقߝJ与֗a?Y=Bv*pvj2y\cyTqXBqIe)葚ͰRyC*T 'yg,Ku<"?2/=dNN Ϛ\̲vc_Go,v"|E0-:cT8 F`ҀK.SSkYEhb _}"mbb =h$\J1gpN" {o#[PCJ*{_MEb tH**=& ٪Da,5)_|%6'sF 1FiO9yK5tBI(o>;+o1hzr=l(P`5'XO=}8c?fjV)}jk* ﬘ܷb@'`8xLŇOUPUU?GsPr)"'\Y 3s}b=-}r ]wơƸȠ*܀ܩdY <+GEXVmUVcViSGb?۟'pZ'I3}ZYSٽDOgm DZ2͟dl,GZ?h~qP=q8/-j]ƛR3[qPJ0eIC`S&TB&Aaty"rZbBRl8i)H@pYOB2Oѻ.$:r2 ` ?.qljjW#}Pt{{x{rj.r!;ۈsK]n;h6ƾ=itgG޼``uIRLi1suʍf.Au?re4Բ;C_=iuHڣ:3fWC =!a0X UrPǢ/_4?LW͐{s hDV8NJ Rֺu^XfƉ6VFB4TYh"WvXe ^[.7K6NǑQGIM_mc7gW[nX3zLQe/ 764񭅴0.'7if1>u9ICU׳Rv0C2&t̫?qoݩ$ھv '<>r~> ҙk<9G.ֳ񄊡,L\#刺R d \HrΪ.j,)8}>bdkIGxj~`S;&QG4cb iRt[1`tB@8.,sWᑆ'gFBJ_HaRᝨ-;Y)Ŏ9:֔+-˺M˼wFR8a;+=9[f y[4 s&n %( &j Q=NpqID E|3Ou+!^hj]>oiUXQu9ūLJSVL*ǮV7oB&S@ "eQT!(LCΨ:1,*ED>]C5M-rX LB DWnW@JŴiNJhAr7b1d&pI.be61ƺiî OZ.$יt9M-2#wyy6F}eV!-|=k#PYt2#״$$js]{ No=[遍h-?z-'fҌ @tQpAP$AS݀\x5Kbu+\-=mA0L>P|mV]Z|aqJo yZ߿m5AX,']UV %̩_l9j?5zFNȈ m!.Tȳ|+jtB}2t I%R`["wh[ExR-yED_U'>e.'* iPDh芐q=E1hѿK }DFwmE'ӁmKH`ͫ+ݺkj@CJF :׎۶IalWe"4KNw{<"$ XNp_J2A\ڞ<*fQ PSwsҕY-+fpuVگe΀&YS*KEȭ:>+rgUHC rIP $ߡV$l|TqWN]߹~ӦcAģ./*弄&$+ <..}NEr`Ε|(%qa$R2hQ (#﵂P5#RQ҄)-SKТ\8$īriPd tTTj*SPzVR%J Z,|3#<7Cnu۞q?R04  n'zWq~Yo\>_-鯨qv"e"Y;}A85VR"uln:T }  Wj0,Wg($'?x(8#JIuE1_>JQ0fbҌXbH xrPp AjL?`5# V ;[Cw[n:v"~fybF{jh)z<<߲SS ?# VGoLY^P6=_[\iz' cb ;G_\}d3 iW+yb[NpMLQ?e|JC13ϣfGn7y.~lGagm[ihU#iÿ́MɊ2ۢ+džTSouјY D~ ϳ2w;X4vS!I~cws%nm5;E#g? AHa i`wLqw%QԖvl5JGdÄaP&'gPք,Lj9{3+6 &։Ȫ˙_sr^(820'Q62JdWƞ : H{1ҫ.I &q,S.,dm6wפyݹ8ƨ[.,%sN7A2$]x^O&\E~cq-&*eЙE9ɍm{}9)Iº%=xs9@ " x=cze-C]+9C}颛[-#߫-G dNi7B$6I DEL'9deZAʕE% u/M̓I|p.Fe0p:UΙ/]ٛ J\r+֛|M'։Pmf[u~E@Ph/2flИ:eZ*5pRoܲ ]^r=Y۲L0L /dþkbO=lHϫw?n7Tt2j=QQ[QSCL5sJ,P> $ZgYgv^3AAtf'b߽Cqmܬ# Up@{USnJJ{N&6yy uh]&R}ۼTa Dmd5fs}s+vā Sq HKrV#Mʾ [9L=pouvf/7Ucg_iznc/3o m;W7^xkl 3A0QlY2Gjq%ۗqex\nŮ%>^a!Ӣ]{]֡5eu( u*Ϙ$ |i~};bW:մ\죈701V'\?&/. یhe *d|KQ>+DJMLm-SߣA(%9-p9>HG4Lt"s|ȭ–>km[lĔ!y ;b`iCqRRI>Rd6;@3>$%qX@;]7׊N{!f!=;Mo#{YXKHRV8 {`2m8Ʌ?wcm:H!;J 8OCZ|([{w#jnŰ$oѬRpv\\4!fvKsZkd' SCbf LJ\}$#'t&}[wЭBp$PS;6WnaȪij2y *uEW ݫ|LJ&u5︗1 n z}/~ ֛] l3ToSҊ;j?/)i$-y٫:OvTMEd,js<S *h,gZ@9NojB]9 jnZs&B gȗze>-[ٽ% @* ;݅ süڴCbkAE}ttɶU峀F*`cD|b4>P`截>afW j tjR;Bԅ#Ý/ };f1m;Nf xhoIioną墅Cz;Ec|Hch)|-  Sx"6?8څbNO\9X$[iˮ ZYb4ѽ-cl1MNNCIee79+HGRY{"+."=r Ff]:}]vz=(?6kRt`mvuk5I)?XK>g]D@&Eb~uK/c=!?-_Mz!Y,p'QpHo߰a#m&]s :^dQŋIqOAq_t;qChjjzqMRH8.tG^\9K1ls%;{k3Y/-7٣L )t.W6ʾ0ч8`<ͨ'Қ+ X=Rޒk9˺ f]KIJv4 G%U+Ksɍ,/w&G֡%ƺ,f<`YL`^Oà0s-NR盕cXMW~LL92f\4f2TF=7F/Ykw;{A! 34Ӎ ILͥJ4 xOTcHNEKx"Vc|=ˠ2CBf*i8H:<ɻ?Bd 9:ǁvX^Ӓ׋CEYYB$P Bomm1.n)NfFڿ+ܪ^gĕ ^u56lxp-*4&0x`=jćLiF3E 돠hq$%PrH*"GKsLYJSRW+ j韽8p1 BOS^0n }D ⤣B1~'~Pf{Yfzv7 ^| +~Jot}tn8pW~(<Ңeq5f)&pK\65v׆͓4ް*!,Cf; ,1ZMT\҇8aUA5A!GO9eVhUpcM\2GLl~^?iGlW(wdBqј|>$mK4FEvT hf)DZ>fHZd$B:4AzT Mk-5((,.<H4>=<ʹ%zo bӮ'QMl*U7KR*!$.iSn'g%S̲z(qQ*(4 *sgEsD7Wuc]esyi"_o,'&y}3@ jJf gEm F%K%h ȋ`P7e84bBJRrL_>ى_sr]ĝ)?m 6a]<"7 x5O}hy6yDr+5$= !*<13)ΡBorXsJ/zΕc {Ѱsk$<u~č9OԁS.yd5m#w> J:e϶|"d!ǠGE YmZ7V??~Q D@>M[XN E6 P跐bvg&R-Ifђ}5H(ec+*ms*VAq/cՌ[yqK$'PpW:Nήн`账*HZm|Z["H}^>~^Ekp}}ub J^!a܏4bnt ND;Ni>[WZ6T.5zi3i/9-9)A d;Q)lbǼKjoha^Ft1tYj[  }lNn!FQ54oVP]Q4#YkdJMI&C`:|%ƣP;Zh ۇ|?Q6͎QF67DCT;(:AIg7Zd!ɸK X3ZSvڌg/Q5R`!vujrUo^U4gIX,S CWt^Ŕ)I :s  QAt?0ȅ `7&p}M6;Gؠ{Eq4J (OCl^@v28HN(tٰ׌zpVpܳ։v䛬zǙ?9HE}O] Pڒ댞E-xOFXGktxXn+OFwNB5i2-LmwI˿csCR1zQp%]Ǩ߶>({yg_ql\΋ey{2 + %z #jA^C&wv9(Hq f(2#s G$[\X#4. X(gӹ%x)|\ߐTӖT 6;MsP`!t\Gxؗw,KۘW9 ߈C CSTc, 7pJgD.WgAX!'IPUM7~!kŏEN`5jɰV{P_2~1`4|C"Ad%OHj^lQTy@<݀o!a B>5Sa _8OgG %llb<[˃<`^QnC#-wSMh%ObV< U{a[3y$^~=', qSߔ#>dh?W0U5)* $hھjj-29%P,,9+힒C90OAȟ_M DF9`.p)(e>NٵrX5ς|_Mɱoi<>>+p\De@s(Jwb HSp>Ti%,s?F3_m+30#Mvvj@gOn=3md*! ak&lDD$Ɓ`B7׺>?c^p⏑< 6՞0mB}5KX/kږ2P (#1]u++f8BRbP}g|`0(S^̿?9-kvȏ׫RK>5QO1޴r8DW@NP̈6SS+\䀔]k(hxwEΝ8i!jKM6WuN tnr6gO~?g&tۮ[bR)<o7ƒ*vfCݜo})nSIp"fr97n][iı)CjrT;_@8Ey8*1pD hTN~3 :x\ȾY%Ɇq?t̓$߰lvhk?.IئS{Q 7LgH6Xw D `װɺbT5janz}Rj8@P0U >-Q2ݼu]ux&,NP艢+ ~ 3pf.w"jbgx;60M*e\*馦~HIAc3QR<ÞF),U2PM)|o5E/|tsy?+M[E◅',LX4)k_ܥ_㦏,kc,1eS<=@} ʭ1Gy@ŋxQ^T>XB2Y;glQog|׳OAΠ *zu Vݶ1-ȇj=,Bp H0cCu< Nw V$ў8fpf`LLh< },HY<]B6#-~$YT)e*e8el͝ljt?`xNmRhf5&1ڛe\)7{`ڄ% ֬I戥 5+~'2 |˓ I9gC⁁J N?>{ hSK>=<bZ1*6iC.D-&~ҐH'l8ioJvJeX;SkWs.(ʯLn%A∆AR?H B`.Q{D{WԜ9S KETI!֙>v%s:?NzP ! _cf`oUEJ< ٺCkv g<}w{ Z+cA'G!XM'\j2$CVi'{F|l80!øs%5L/e-Gyc F>8?bM.?ܛ߻tjc/U"4}WL8-V= 9bOS>;W'q} z=ΥQX ֘<%^fYUEAݢQf'I,ڒ;rV/()pkɘ g[7F ? ?pXm8!f"5͉e۱ Y]x4]/01R"vۛ#E6%Bs3u`S!v-.1?'ОR]R_&x'Z#Kڂ@tSfk62\y*[R"(k9#xԗs}zm~#O<|G8 r=ee]%t%i`pP:Ƣ.qrG?:<~TNbqGW[ ] p?{5;4*UrN.-Rfg5D}Տ>⟢~PNgwh(c0"X<ٿf؂#ޭ8ݓ+NK>w\aNd*HƂ\l%']NV>HI)QCXK;aKX#fI$a0S t sڣ4j^K(|ݿw*hSxi2 q|{SR?Xg} xͨpS㷫ƚ*if(Q#i LAwOBI'CJk ^I,tafp\|JIey`4^U)` ԍ"/m7Y Ki;6XIFj ɾfxwh']k S ˾\`AScR$[ryԝ~X~V\R p5bm ?P 20[4Mu5Fm&0,-^'a 5z Y_ՍMk=`p E> !/XUʯgF^ǬAq@ s2'nI]nIPؓ5]HT[l]lYw7ň_ؒ3 "#FK|al靡5E)Tz; *Ji&򺒂Ih|i D5th8s@8w\=xsXjNXp, -7 ! )j5l7ps9c5|C52R鄨}(q_kJ2 {F&,hbVz$a`A .BfȲeی_5AM8P _.Gu$:w:Cs0PLTΓ' BdR[bͱZms=IClC2R16:rFs%τ/Qj"XOg:r{c f[flQvPOa66wlP_{4ƽɺvj))Έv@ q8=RBrZ2~j~7 thih71}+Ē]vX t״DF:_[y2/r$ yi>/s1YPt4|ቕS8\a ,؁E2BfO%[諈әht$y&gJxIqar~֧E~L\3yNlH)L|6ZAWۘD]q4rK3Rv\M+ X52~!ik gxU `'0=ErvnD¼Jxl>z Wܗ{CuBj\;ibj:"X9iue3Jl9n_9ĩz6-HcܼL~)~yŒ5" Jn`0t.VO.Yt:Vlт' ݂2tr#+ \'M,60]b 4zJ@ i@v}`(x-nؖg#\F^Sz +&4uͱ0j\}vóTe6],#32nv_ALGފAѧ,>JT D%jqO͜TYQ]cB3sv#k¢"ЩmZVa*0^+,~{jb2HCna_5) , 'cgq24!,^B7o}iHg|&!G4ԥHh86I{[`LCu-~lv\JđmIx*N%)7$48#\Io25RNJ%?٠tj G!KrGl:X(st6> Z!f'ߗh*e=>$νvH& xnV[G+iHw,b9ZEsÀŖIGo jmWjxckUř5\Lp9nk6g"pGѵZ/ e Vc~M+tBNuXq o~u5.y4pozuK xO G[1=gZ0 ]QB:^1%W0HV{ P5 %J}V/C9HGHQK{PedWtYf Q=YpFe2ePG}p4NK^ h/-`]ר 8TxO^$N_xK;y]RR:t|EfOz>i,>W onsw6L{EShS0:pU<;clOZ|{]o5ɗƱ(F8 4!DBR(v獃SB:}b'X-b)]g^e.\XܕxN`]x͓ gwIEò&o[7a4JдM gF)WjB g , _d%lQ 1tpRz ˁMO G($sQIƻ֫^dURn0(tRʺ_LLL_e~24(P 'UikE2n>bP־}-F^^Կ^p7Zg^`[oEG_I؊vꖟ&yWc_s66ŝN)Y5^]`7/vwP@D? ֓\+nԠtrI(_/h88:qUFdB(5Ad}rkN(0Z9(."H zb. :0̆IQ5!wEԃ E&(Zn.3sOnÇei{dP>^S4?o0"\[ p8:T\> g ]hvI=4FG\.}Lx3[ t*TJ Jf3-A&Ea|@wKJ}|<@03?:/ɓ_ζ蓂Ͷ/y>؋\J5rfV8e!6pPCq&ԣ"Z^[HW0,gR'cC.qg  ?P_:W" *'0[UܿƘ(_ q%Op:NYXyS;Tr/0wXiB7 2~Jna!{l!+ IZwD ~Y{dHkOйVQNݺݯBgPt@|Dy+v +-  y`Wgpx^MQ3%2UeAO8GNIFHe,JD(V矋#QWӻ_/&Lcc ۘU9ԟVI, /boToNWV"%=&&wgm60Ia萚V_^eߢd1C%Fڝ/w*|?$"К>bCHE 4fO;nl|c.[s!?+DA.3љhtLwF(ES?a*DKg'5Cŧ/JPi k3sǢ?YGXô w_m[NEu[ hm':*/N8^ 1TGyiG^; V351&Mm٩lwuWb'_ȰJKTb}CE'|iXzkŝ|TW1 'HFRUӱ_FLsj^uWU״=jq5LsSqVd*4M|$UQVZ`R N 'AQt,UDUJBx s968,7/I^dզS~q[pZ_~3Z}dvGIѫoO2xs3h爼7L ״7郱_^W#3r^7lB\9Q=1lP&- oQP-R5HD:hc !f[6Ԉ("nm*Q>J]S@g!F_Fe1#cR+@G[UE ;Q^KPCaO^ySПIrJI%чˣ>jep)'i) *\4ǜo֡G/H݊[l/[a}@-!l+ ;糿Eov]O?S6hީt7?O;-0*~dEA5iD:ɨJvcn+ K0sZr@E˙A4+T(nwI<,yDsa0L?߉ϋ'8Q3y;fG킼.ȝ^ waf сUt'xޗ֣d eT`ٮX{C0h4Q7\Jr ٓMG?Oɲp=&Ne[rJPgbq7r+0#"Ijsb-㧶@% !>y޳mSbr3[Jx"0nvZ/MU9VFs%^a fyY9E1xW<6(3FO{1׍q "ttZыEspmDc7c W{6`KYjOuQo H L*Q# .JdHRa0%$3EsY};O+ո5`t9"iwPiWh2Z{i&f82i$E=i[baP9 y4B܈A䢿2cűssl~tBnG,+Ik![u4'RIe+fh߀AWI#%?D{6NJ| S-0 }w#@$_) 4{2#]cDzB 6G%B|дhy=qɯ’yXwV%,^n3~>3zx_'JZ=n?9s G5ẗ́qϥ6H:9!d,<ˮxn]$,O()~ls~VcGtɬ' G e4JnW *jܱϜ3鴄+M!1]WN7*;Rx55~o͖bu%='M=q!DI P/`IN@>=?3Xԡ&ӨU'D/ruĦj<]K>yx!;ԅ)V||wɪ}XaL~vc)3 ֺ˺b.FRZq9hqw3L4z-ѿ 5|Dq,eȩQ-9܊:Oߎ%QR, ' ȟW6 2y_, eХ3&?; GўC,눯TOu-S$6-I҆=*h\p*QzxQB ^9a??z%.C}s#bKs$ӫM4DQ wyIV5|SSKĚQ|#b ?vvX`"Hn#**A-fO^!g]zxjh%scjNPJ/$֐lC]ՒTXNm+ w݁MERY)4NIɨp 5aw|m[9PʻC[Cy~$,1n sZz_# qgUrAz?Rx-mcYQ^`Ɵhѓ,L>0t s.9vu[Mp\A܎J"F5 e}x`?\6tE ̅I}}mFL"̈EҤ MgY VGIR[K:ipQoNE ؘT)ӴYh-?PX=O9M66mƬwg>͵+[f~h ·M661eLTMiҕ,>Lq79@AÁ?Qb9Gf̶ziӞCePi\P{ ? e?F ?}L:#- Z%RT ËJ9Yx]4M|>I $e+f>634Cu1l=7Tç6ٚw{0 \ޛƾD)HR/nm| =R-Keδ i+bLaͪ8blRgwCYأpe!aFw_T;[g>,Z:I,$>릗^gkEe [KѴvI%;_"5!!l' 3\e2!VԘw .ѫ}]jR zgۛe0[LW U93>Ŗǩ50MӣV=λXNAOԅs Ǝ*bGc,G'G:i,>tf$?_:6F+}`+KE(Ρ㕮`q(ET/qGrr0( f,v2t8;]Nl[gY"XNNnБtYBk9d&u'a%o)(oѷA/eSn"=Wf¼e;i52x:bj]&Pt5jz ۮ, xC}Y>"5݉ABs8c# 1"%s8 TbW∂UE؜AB-) Bwb&sfC;f7p`0Wy.yD(2 7U כnTI&", oӓqdgvMTzON$%DmTrلǁ#[5ptdd|ǐ)zEuo[h_1jactݏh D#Ǭ/vƳX? GlsjtעAKa_5Ue wO<=kS[ek˧xD;lyL&c\6DRvifݾЗ )~C] =S@P&|ӌ=Rcd= O {ז,E͔8 ni;I[~DR:~Q(ѵ %.;;aSs}nb kKH&ߊ.Lܱ?lcy[>|xf\/~urI:ăْ8,ydeQ`\(whQ3unOmX]l^e(AncY :e'ZQ.v*`ct:VLuKQUDv\0>*]S3Dk2~|MzS,QBT4&. Wuޜ ފNq?`8:w1'wsCpv: Ρ%eM}\6e `ÎgDp(fy4VZɎd݂DrpչPžCvsWzykonU~PR='Ӯ5MҮ41Rx =pveXVMt0d _l UmcV/Q9S \'m!6 N)?(t eI}T~+akiNhZZ-%܈ BnDpiG-$¼pJ)+.TNL c`|O$$ѵ[yj 6bCcĎغ]ZS>4{A1 r64tGnx g0}A.1JHPݜ:vz@ɶ hdVna1Gn%=`3ۻ{]ixM=vE|}R+sKa';uՔPSQ )ak_<4t*BK ‹L5:,J`3׉\s2`ovOLFpfřvUtGkt{cB"\6|FkNϼ2i;4Vg+7K4=Je)~_h wpf/Fk0nYp`L VFjCg7,& \ V2g%{Kxy6WRnj|DvR1R#NKoJX/y[Ki"-δ_yhE/Y&g'јYef%4|<mf.1܀E><RRL˾|2o*. Oפ{fj p\5>s*fv "^_F *zLKEЂX;;%2ꆓYR^T~x0Z])\}բؑ]X9yʕ3Az: (KȧtUhA~'3*_&_հtt nܬNֳBޠY9Ɲ;M-qaw@5ըS(>}z.=>z,uj jeQS&R4ы)Bp۸hS;?jڲ3D #<]FӅeYE |9`w&@vZssc$Qa-BBuȼK;)S[y0}.!YwU#4N-H3Bpwج͆ud$::ebdĸFWTӆ}OM$>47EhZgG)4$2VSrY.nRY*4'9ĸcV\s!M8"Xg9$-|}>%2V)K@|=+b$bff`M'_@8l=sӄF:M*c|9 gJOSwUr5(QX\!AY_zJdnE9Ob,?u<ĺi5 kJDm(Ps C>xdsʋ?mh$Z{+w MCM*Pu.i {ĕzap0[( jzgtH_D%,#u=9hb4T;T5(ܒ$ n{^z{]Gp>bzXrkh/X׷O=awg2to:jJLq !>@>ѣynFn}o8'l/ +}+ɲcv< rF{E{xI>OvGDF>^zx{@`8$` ^f:rQLn9mJ5p:F23Dmпo=̵$ؗ#3f|Qџ3F!u=/}yy,lI}>S%6~LmP1ÕA^ 5lC/?57űB;~8_߷Ua`Nʌ, 6ɝHaƛ# {ɒ }+ڤB4lзs0V `氲:ѯ'_Mn8V |A p a9?Y ,+T)%,}ÿ䚮  "!+6>4G 2sB %M1^)mY=Y۳C} '(N>rW 3wz0)h+[`b?q 8lMAQa-% }p.MAq`By裟9bWrWΟ|GFái9S]P4i1*bsTsfCj鼀SWpA+܍( k 69x]+]f#!="\1I0a|g/QE8 gSypT]9hTFiQl7w$U^f]ah2pBƤ8sHA *la:.r~u pxcAT+pBXFW76F=lIch|MWV>'T}<+`kHcDs.(wCBN:,f.= / 1pDW xZhVLزzu*'ދNX QiZV?M&֓28s{؛ʵ;"\CLy=OúK[o?o;kSfJ?Y>J|vb?KUʊi\6}e wnH xii&uEAqJWG_~~w2N>[VFPΎlUh2gȘP7!Ry1.E^^cfuQ_w~%Mҝ{ߔ%duvnr =d;3י6v&آ885 Q9rj]at,:4^WH\MX{"7A~Tه<-s[.79Z#q=|;dԫGmtߧ6t-2li- "t!ؽWSM" &m3.je,104W}@.Vkڧ|qx^?ew4&Mi2+ }Oo[Q)h مU%dkXЦ.#}UF';AD}(&V>W9BHҠi0H'4?9PM9^;'L t6EۅsF,SUyK2kybj34W%-IcqNcPk}>P7D_5hjKW^VtO>N< GT.aSk̽\Ƶ}.[7'˰!PY`ޕhZ:lοǎBw%Y :v|C>oa^F&ʜr TJ&zzpa㍼Q1}2OJۤUJ63ݛhe^+s"Zc< d;eLcֳe|u.Et ~yP9NŔ{&\l6Da!xa(Cz=%N*[u k)"#M>W.C~ 'ķ*hgM9֩5[Tɢ05/[o֗j{s jTޣHd.&KCϴ!Y0o/]vql]0!<~{ ]%#Rp  rBt|2<LPC {5:}Rm Bދܾo0Tt8&xr|YxpߝۧK&)铴eV9m! ϤhD9 3=/|XN *YG[QNsQM Ɠ+9E(yޤ.wRmlCӻiB}eO=~6i@Բ&n=t>*E9'y""@\q! ƻx8i|HV|mAFY=vl (kteY_svm)W>z>l8p i!j12fкQ<5j6w맚%: nwU<ſyPS{G!c,:F] udsHd̽axZ@MZh]Ƌ+8K|E'X"<~d2yt)ɃMIxѿnnU΍DؤЃbmD jUMl2!k̖2,5t2D|dx6ڽL ɐ 73 zB6 an2H}8]Cwדke,K۷dKODZ)$޲&;%~COz u*р3U $o7T<˷=Pr8+ M^b_NNun UwM&Թ@i޸jlYFY-? ]oG+QS wՆ$-SGt+x~wXCدFCAS=y>c9pҋqKJ; ~Ibĕ^*"Gc [tQ:'j#BB#9Wmӟ#HIv|iyu``!ЊxOA&Oj.=)N6Ը}~)r5X$Ru?uא7+ {Rc "_&Ŀ-O$1+>uo~̘7le$zt/4l8ۙiw3m,H4uEāֻF][:YI|vz.‘k^ɗAUkԶae@!H Xq 0|*bfl7 5Ρ *z*\ISGbK~y+fr-jB$ܘ7 w$ <bTHV[kIGl( 84Uud-}2YU>|bB\W OG\Y#RO*5Q.PY 53g"iYR G =O5I2FݐO{YN[G$V74ŊVB*bvHv\i,59^4aQYlIE Rx[ p'y+SEe)Ѡ/'YJh55,\1ޝmW\$UcKܴ~ɧzB oYe?I~:=bJ3H=ܺ>ˀK~=)靡ޱa#Jg~V.ʬwZX]>AX̷[ȊT:؞>R+E4Bۺh$&Ȁ M\i2"|ګb&\ccxªK֯`apLkq|7YCG i&;00mKs}qxuJ:R&o[CX(DPUs2oiS#JXFvQGNHڍ/xNҍqrQ_suAal%i;IeuR²uJn{eeY%8WuHf~tX}F]=2' ޻hi."0  A~%kkLitڄw! YPX Aoh+VutErۓYPhY?YSQPO9*ȟ凷gx亦G'd?0|yiK%++)7z8+Ox" nQ5,wfݶDVh64` n> yԁ  X0-~p_<Ɗy5Rbiᾍ_>OӫY}B;A_L,+ [1wu8YtGg}qهj=֞\g-eЄ/+~!e'NA/:.sr s⑹|Ϝ']q  o A$܋SѼ? ԝu4p7X%DoL\%k:' n.׉c c'͈cbk,fEO{lIJ}{ԉbPbl$#"_+@y1D5s:yWm_O0Ru˪K-[/Ы)ϡ I(Tp X@b'+"ߠu0 l5h[W$>;!gY<"Bl[? NU(#[(L0|]6/fIO߮}5-Fj|8Α~трǧpAW ޼"bwC#*;%(mG`˥j'胎qU=R-RGMvKOCԊ7onWQ,jhB i),x[N "y{[Ep[*E A+LdemXrʵE{nu%'ъg*;dM<q'~;7Ő!o5=fMw J)Ï6EqJ]SK~7OU[4:)5jTh_h9Tտd&8!AcR `Hr3F,oTK3AB92zmt&!t\ FO2ˀ 9-ُ s+RWT:^UrK+-ME7\ W,ֶ* 1@`<֑5FLrrFN::t_}v=u&v4]O_y6^qr׀_ -Ea"~4w/z,Bڌ;\Vc0N_숦oRJ߼3u9>1=ԴWc=f4F6S80:z8nq,0;MlTt:ʳByU3{W242ߥ[fCqtJSTFk]i ^?i(pјwb'\v-{bث|)H zX1Mw+x;|r|D2@F6켃V؎mԚY`TUD":y|vEtE=`<.Of6Ú lB,G8p;+*ŦV hT1}whnE k}քS0Oh3 _?Z@8}%YEX  8;+r p_H6b21bq')g9=eb(ei;(94 Ѥ=ML?2x$ LW,#o/TJ:Nl9D%D ߥ650u"?(4BG\cEnĈ4H2ۑx?$>ךkUN~D5mLwv^aIɩ9z~fj~R BKn \#zXHV!لQQ29<]';8 G2V+sc)g_?`CS o`g!2.{Y]\Kk1ĨtWB@ԓlXm>f( <?ThEkV%>ytzGkkgԮ9,&$nD 8b|vļ)@(jhPW`pcH:XoٖӭDXlW'.ڪ#2Zz~PR{WXJ[wDfj$`G(m0Nt3FA?!Ztqf h!b1؇,ߺ.'-GƷXuD$EE2r)wV9 SzבƙS2{m?ԁvImMkQ;?@DSH-́\e_/oCX_.~_?QfVqF DخH]} cJN0#>zhg'T\2Ӹ&#]&r J3n h= =FZuӭ%2gƼ D;Yk݉mZ!V︁VcasRmog@~4\/H- yLDT1CEq>]FHfҴ^68C 7 aˍRM%<)zg>M r-Gɷ1povXbR 74V `'7Zd:h)hkUj]*鯝@7_&U`[6 6%h= Fpp޵e#|HG,Rq5:zˢvQ2(%'\F7/V> P*}IZ9O126ڍSf66S햌Y֍[Yo(#8>6ȶ]-ՕI&an:V}uGu@U+iu|U5Y] h/hֵoA+$` ӣ?@%a+1«߰v=_Qv3'Zபb~1N6={+w`(snP_dGdk{Gq^&ѐiδG_bN4U, yw]'gv6 }"U4yWF, a,:Ύez/\MX'F] 4q^%.EX)H ~یo<}+>ZR =mHI~1_(ҷAM=nYѫw +АdM)3;\ Bu!/*PS6>(*d.0;'K"(JZͺڎF}b.Th78FZhb6}1&h5X[mҊ IG PzK6,hBtjuiڃ !NSvs[q@# 93-YnK;  }@|xKjnl߾k.݇9RĐuiMzL%Jd3v3ƕ,e& gpvYs8 fWIP,Ⱙ41Z0o @n=,{cي/33@ 2t01#K[4%~tGLd}cbh[ADb,qDu,q8d% Y5pVAiCѸ~f)wbNhG|Ol}iH\VcG t9DǛ4B ǩJhi`2Dv?A8ҵ˜|g@U&i4,oj%>q~Yy'yүԧ}1/T Đ8yK\}*#z5H?+/[R9\z֟)hÔQ{RR"Zg5*\AY1'X(q͉WI;Vڊ3w@ϫ}͐y $Yi[ %B&)5hĮ EQl:gԬ3ef^9q?b}4& Ɩ}?jے &rf'a#Kj1YiQ޺$Ƅrqz_"}19iq KRmG'397X& :oyl b{9tc鋙bE _9h 0v')WFحi&ć*#103w+ q&Ί%b2CS%z:ֵ;\cԎwQߓ;J*G|S~]洢*;_/hT@!irq9km iPZ:5Q.BosUY6[pC3)P o_t3ۚ\0be$tAg[=\t D@/찗i|N㑨/k56V+bapnP{&2|M(ΐih)x$b0]MRH>D 2^ȢFEl;%lP5j,CsuAT{.Ia}֛^PwNw)ZdƿEU/k0pw-0b$G#Fy:|:m,G Q0.}HņK[w)R?d.b{ƑT7\B ).K.o|F H#d3&ax8Dڅ3.XvN'0 {8 [Qgky!i2zz *{'Q} w1-ʏQ 1D5×#kn񗅾WK2>R~JI{fqWX#+~)'`NI/wf KtDi&hT@j{In#,e{T(U*k nvYkE<OCHo;Mn1sŎ@tbP!E޹mpcQ0,J髆[4I\Ya)CkpRΝҡhwzn=]gh>/"~s]Ǻ.#R"=e{8?')'Yw) @Ih;-J7'-Eu1:/ e&gs` df#VtLť%pf;rֶޭvѤ::`PT>ÄFvs`f~6*f_OTXK =y9B脑{tÙF=h33ե& .RTﷳ?Ow+5m3gS&YWZNU4) }cdpД6dߣubZU,g=o~q*¢BU9=h\o;@}@ sli3sI͉:SBź6+)>ObCerW&,q P ,{X:VpDrNQ)jxYj`:GCC: #8Yu}ͭTVVd+ HH8+oA>`1G^޴59ӘH83 Fi)CFNqr ('R8djᓩUğ)69y O?EJ #Z貄rF@FuӀZe:Uo= }a*-7sr}\Tϸ}jp9 51ap bSzwùt#f=`!B G$gsKtc|$((MPQ X,V˅< Mڽ5q4E}I(޺Weu0'Y"22yt©Q41:<5v|Dz91E<ax4[ P>8iNN?8!ϾOhԀT,☊U&b xKnq97=h6/qW5Xc*i,{Fx3`J8ؼ>J&J* ]/GwIq@݌(‘wb!U(%)zw*5\7e/YC+FmGꞥnrlձߏ䣧'|?ޖxkk\֖Q^; |wswDŽ`89}wp.TzjȷGY9߭}޻vBog^:Opv?7ސ1_m:Y&&E^0{ 9fnj+IcQ[|.G/mR1Sl(}n56 sB!oJ^Zn[gbJKy[d`6e:k;r6]k/N;*jM<&Kgw1ԮcWҡ~ ,4~JA~1Є Gb VuS˫*=Ŭ9?{T.8+Z &81`+6vRA.*.zz_fd.OA]^ RZcX;r `bZX4st^jl飕HoL9,_ޠ\!9cر UΜ6~+j?.?*_ T;zdqhԚ o{귣c07_*ґ^⾦=ғbDGMdәtkF|ZZ/cDt: e! U(Ki@ )\+*-t7`ើ-5n.[3jm .7׼@0 X| ǣ5`0}X/ycv[m[ I`-Ơ Ldzc};YG\,bD4[O.y=Rōc|V^բ,['Duo `q*ltcQDoy!.䫛~ޝV]O-E+TXv7x?+(lρ&hjKf뵑D3k͆˄25Ϗnw'ӺTV ]HkAа%ðF&ZiQ8<6Y/ARmu+թ4/wz4 #QW%Ջ^}5Y2<(1m No"N&36V*=ѳXvŐ?"zVkV0/RedAH;VTB pIn~KlؗMvyTu@h>"dC\xL߱BNф,`ƱjsPD:3$2wV2vҡOC((+y9_gZ)-jQaf~p{F}SEDj'-)JL}-ӂwndݤf )YKngv rh:≮5{wS9Dx 8sTr H^zH3+T6|虣9X;il\‰3g %?ckf\ҢsIWEĩJ5);ӁUQ>R/KObl.ޅ }"CGy WEqHż9S81EoּA83\wʵ(ЄhQbTQvP!5Ysr[C`L- ,!9NaΎe.08iUqm_,G{Vk)%uaG6ЧA)"9(wH1mF=@GҵsHO՜ J UF4u]xي$8$EY Y&GBơZ ,3 jhɱp^[u\k\74?g"O4AQ=ݽ0n_h|*x9aQYK ydջc2m͟²15k{Ach{ #h@xaqG#!#H z *i0a* qJV@Bz8rFM^zfMR+pNЈJĜ/ p︙ȏ;=V.dq6eK>=K-6ޚ OeDَ[ƘO`*Y^Ff5u-!+cEN,SMkqLvOQF~8*힨]Q?vdWrTY8$kAc&'aTƵMB^YbwC H;_S\CgɎpybxQV-Џrgy>Y) uBUlY)FcT7i0텻GD+Ā/5ةV޽_Y&Y ^z$UO@蒇+}56cݤY<҆fg lN @MwSb)1IW0:Sć 'EurucJsCGakoqL3܃ /bԞ.;Y=7~6EF~2ngUɰhRw'Zvd$~d }XĻj߭%¼;a uwTUd5Tm$FrÇ+~'mdo\q}Ѹi*/Z0kLJN\\gpræ]7ؤ Cn^Rx (bY&5]tduc}8mID(#!`PGivI nJ;؟-QJ ˧@0 |bbQ<0.S!vR#e$iiWP$(Zn4SjX E w<GC#iFQU ZPu4]rdxĭhxy[Zw DI$ݍP#E%kFsg7t[|ie{C4{)opj|'iEk nİX secph Ёek)Yx}AR:Vur,PXF/)E.5,vS˲5تXzr9);]~,7U4jʵ& $$I7VnO ˕M`L+s&>Ӗ_Tt%J߲팮`%=1_bWG-ez)~Xo$`1)FգusMMa[*#(,qO 7G*X~.=3A+‘܆m3x³ݍd-pAl'Kq$"`q {Zsfml3rʍ$\vVffxpRv4$) W J横 ;BKXUoNwH#7`-t2 fr^LDB!, _E:C;AIit\Dt~.bL%"nzne}u|vJ\Q%;Nҕ ],BxŌR %z/Q-}32r+O>t!寬3ygt!މ6q^`DԎ9t]tPh7S/kХ= uY'%<-dPʭd"*ܐCHE1D*1zWBvoMT< aoKmj۹`c5O n)1L ƴ3/u-Ԇ Zבq`)C(9#o[81\`k;I^Ruo}NŨѴRBB :'quVB#{H=Cze;c쏎,mtS>ჺ.) j6awCG l)e^+wmoz!/,Td=^΄FXtۛ}ֳXO#m-Ech-l6\z$'9yP^@P*W+{@ s/F͍piMY#Umt:onإOrOzyBpFF;2H-RxyT;qv|ΝQ˿> *AƦ5+L1D`m"V?%EdrوgZ=L?Rk/kB+SOyXwNc.4Sɍ;N|IjG{_$jw4~'di_ϰAGWӼYn+<ҳh/ 31XYNu15 ʟ_zO (ԔkFv?!O[L>+}M3ed9N*#p*{U8gLg- jGf4EXnp\ K)ZQ{ [G+aA&N qgO ~p=| 8I,wȓsXEnڦ 2$J#-9gl~I+)4!칊ġ}lV (/!}% G#C |ۅ:j҃lDC cPJc@.< 1)z-08m$L4k\1JhdSq}R&!HQvēTN{@d٥Foݔb%rϦgbӖc(bbӮJ%(o@˟P8+)cQIr\t FAy#2,J#$x +'{#y~(~.; />IvGX+:ȤWngg#3jXZ8?XCtIY_&jY#vo( !|1!#ե!7;; S&o=sqo(Oq)k5F歘K0byl,anf1K 'Q]}?9T7aMG~Fcu~ =\@9 A q]R^i]-KLWxvV?*[- KGdQF(3l{@fa+:Fmuq#G.Lk#ģJUU[oxuLZݢe,9etS 'dTYXG''w,~ìپ^FxwЋ}*2mG),OpsL{cI ->Yl,V{ͱ). 7x8"2 ̩Zl|ҠZل,O#3M9V32%Kmc-}.y ple7h#ӷi'/o pa0䄻*CLb)0LHo7cehJ>Pv K2[JR`J`]!FAm%g2wB)\ey!3( 2ך= ۲U7"YR !젎&  br<58n4i6&#yL,\s5ϞohָЭwAmLLKJpA^:$)t97f*.Q/XK&do;et𢯭{^|̖ 0JO;{:gy|La3AUQ5{/-XѸkCVG퀮MN#\ ɧ_&C$i)nb?(9_ח q>Zd ō: 7CU[CxͶm u4u)+&e&T Tôr2$쩪uT #:twFTq}R.">5qA>#OJ]9{KLs[x.fL?\Ƈrsojo ]J` rQd#j NAԉ (5I2sMMmUt4?>n&{5fq9vHuF`yw.yFL&7 O=|D(1neV:8oc~R `(WWb.qo'(*JݭoJ{Âu*Ȣ <]8L, /m*7 Ua SaKeGj<{.Oիb8_E #IN5ZeFX5v֮|*$AP'c=ioKf 3ԮǛ;=Z#vla ]#lY(kVErut/ᒍ矕m;K0WAR<73/aYFa[[I!h)rhXQ~*mW Rf-yu=K8Cfєu£,eJbK3sFw] iw`Q5y+qqEtXOm$c:uE:O8RirAъHZ@=X#މ̗jvu[xz\Y[};훪sL{DVo_ڙvsLD0.U=A5@qN"8sΰZT{ØTh\?c.[{UYJd\;:}ʔ_6fwG{m0p!yϹ~ӛ{V3iUiNm NSw^;M ="5q&zB*cM%M%񒴢*岫()MmFY=iv44}6N'v:n҄`1 ƛ=@DNb?>(X?jJ5~H.ZÈ2|iqa݂zq*` bƯciWJ>u?XXFOnU!knihI%4nE!{GrQ`ԣ4y. O frܛVQ h@~*Oo~ƍktG]iqМ;qQ1>n-pq>c3UAIVyz.m0Y1qMN,F&>=/j4"FtSQ/h 5Ѭ0S#C$;Z&/_FSyTI)*m9w8m3G+Dޅj Q 6ikuVPl}3c&>^aGUϖ\7dfwV;g ?ryGF>8C:! 1)D)#0絮}0sĔKm~_[#w3g' )>nQ0cvL#66qOn ^+ ϡWos=+nj([:~$Zja)0[Ba\FfƂĜw {QL.>J+_:b=Lm?eE< IY=Po|kC>QzH)^S t(gqQճF&~A=UVWeOYBA Ԇ)?ciGuP̗K%v%pƜ+O~[vƧ3$#ᡥsUv ;m#A!3"ސ/o|؁Tv.ڜ趘6WooUBq;PQrE-O}ߨW˦A% _}7 }ϟIq(0fM;[$ ᣿#o}m0eB#-셑WBO@%z'E 7 Mc:ә|&FwvϢ6 @Q֠Z[S!3XU<* <7Kx>Tu/MQ+QfHյ9a2}4\ю:H,9jQHR/Yn ]J>h&a\1']AF0XLdrqx|z K0r&nI#Ex0п*ӪH4]v/T#feD'<;Oc< |1gx亞-HW+8THXZrVġdktd;4WHv3Og覈\9uhSrw锡1.?ʗ`]shImSx>|F5^ _tOLIoS$@sMpڹC(B2I 8IMؘ>z^ꤤ@QM7mFNT41䗁OՈD̞K@ᛄ07̡#s$EGWXTP^դ4I>+"h懥PNHYr^ߖre9UoEq!WշU3=>+nZXp= 9v#_xS4pݛmZDZᫎp-Ƅ/wpco7X>C1ǨXDp9qOp园N\n8Ǜ _<84}6 :i7#P dQޢmANtS*zK;8SY9jpF%L fw3 WDq0ey"/`tW y~?8"53yR[q$} o'd3q)i-\E{׿WyJ5õgNP8{rlhh2o[Ѝ&[Aب3#H$O״ad(CALiOnZ#f[/tFSAhScc{8>|朐a~,NھXD@-ؗ9w'g8JM2lTMo.F^.>?]1{pdߧ.#4eԚAfgR1}^rCB%*@6 C`ӊlWApռ(YjO 45Y1#`QAf)8Il eCM9"BU.uSfyy /Bھ&U0/o^B-mj{U|,VfeB/ֆپk.a4ҫjL.scdHe6p$} ._"O$M /60ƓUZ؂.;͂\uu @:Km"C[ʯ)'{W3C~=KF,3kav)[?_/"](ds"@l81Nn8HVh,@lKGRfw"7-9\:!h k F'&00Sލ-2圝cYԎ0)/>o|LrJNJTPRn[Ո1\p{[|%ccw'ۅN; ;3b6U0gxT#)"ou(ɀRM8(zK K "rdfsWˢ{T% =;F]n\uTQ5/7kf3<Ҏ䝥AsC֤kJB kH1/Aѣbo!s&d|ghjbfjY$}iumebe=$,p Dg;۟5T{ft2 :f //f@K_!SN~i)Ӓ);{ؚ5!`xu7v=KJGq;:\~D@B$l؊Z/&B6n#/<{ ?Ҥʇ >и S?BI@,4'ZSv0YuW;0Rdf ^S rw؋?2&*\Q9*sA3^N!k y4~W*~ Y0g aOZ 6bS{3_6e48 1S8wirT(+f1l&a$S [DĪ`&td ,(:Mp@gz%OUcTH7U 'J qxb\sbxU_}^rdd>YʁdniUkQs;pէ>qq$ h&e? Bޘ r4cucmk mT2# (IO]$r!:5[P>J_me˝}Xdh1&u(,[Tf\*+V#%B%a>Zete@m0W>:5]< WUiߛg'CWr(}E#ߧ%Pb7#uV$Y#] !Kqf|5B0uh. yիnz vG3C5G8Eދf}Ŷy93&KbI<‚(hM]4F?7sVؑ7S݊gf6p:^?*dŜD:1i.T35  *,;eJF:o=p"/T,_b`,T@y G$+!۫n  ,fq/ITު|O>iIqd.Ƌ8Z9cRPs$=z-EeE t2-fz$;t۳Rx,`xt(9dr+ pǃ6(ս\KJP^4R,7k͔}Tu[2.4ȤSML)-cOiO:j?Gtr ZT~9~V]AJ7P]E _#+h+,m s=?W8mQíe}%/>KEŸn4b\@cYVgn Z+3xZWDzB屑wdYe30B! ϫj]<@?r f-y@09:0 H$gʄ &FSMJ¸dY\iCG_, /Ý1Ұ)>Mk ;>LC\ &2oSHZW:fbygN|%-8$+r*v{Ӊo=r0 &UG@y^wwS/Hm;oqΌ15nHqz 9J V^'Xꍦ%62q8զ-&Eאy&HWRF2ڋUd1 5+=0X1ݠaN8_EHMܥm9?Jtz&_rc DVG#KSFe,T,́ޫx JeOCR)J4ѾOVV4;)pq/#|f-,kaKߟX/)2g c[C[Kb?1$UyUW$mo90 lS׮HI+Lvq*FsE&n9VpViCVE)6%ݿo$kUaa(/HFcpyَŸv(SטgogGt*N826$y{yqq^YV4](yۯԵZL;M u^ݗTIY1 ""Dqӵ)XfϏ Udf0E F^+O2j͖*q}D]h2K,lT=vxZttKzȮ,hЮW1 6A#{Ŗbt gkdw d$xݚvW.U\M!VWBìTbSZHM[PB.917g[LUƃ8¥I}N8@Q`tK :D=>-i^ݭtH`ֹ`:i)sugSgڔO;pk 5 J"̈́ غa4f +.945]'xf[֕APQAFC9 EfhBSѥ-KC3 z=uZK0uqJ~"vF,9sd{8| 2q5Jۋ.DE|Raxx:bf_n)rYzj/%6:BUvY|Ug͢bG\J_+Hc9!||f|4r+EGr6L BRYSo}ySKbrOS.̻ZAz ۱l?e ~3@_ZcB~Jaip'gd_Em8줴nFtl'nZ%.*zT쀺NOQ=fa\HbL0G@9뱟:n(ɣoSVp:r U7߼TQJTxBW@|,=}#PCoB}-ݡs?8Y!LJB1Mg/6߭#F =%$ ~g<?ZD,Stߥ DPNFoŴ:?}jчߚ/aUmdG?x+H.LIӍ7`)4|=Z4준=wD oH{7/S)m'["Q*Wc]$afvS00ڼDCyI6٩D ہcCv !̅(J3 <%}[dQS&hKJʪ}ɂt o<-'(O>{g]v1:.rGPLr cPtUoyǤ°9 6h #8: )&( tRP{,ʸ2\RkgrGN ڛ2Jeei;3qM$͔n=}4$M| &݅y/B%Z=KO[ R_d-nT]_dlvRۛpaC"2<:c:~\Kz.|60r\2nz+O gi7kiOuvRT)F۶(8LYZM'ȶíWؒ{}. 9Zrz|r~'F6O_KљhާnK$H O 7Y#ezigwPZPt1[#,:aO'.fVxM+dl\<ͩ &I7P)kҋHcp4}9(_@;Yqj6`Tf/ 3s9}%wŸ#:Pܟ:oGt%$xeio+hБ-rlso^ "^jNas@2_*l [a9I?[G-m+ysD)6lOšB5ь gMq2pmȄXP5bb q݊{ K1U϶,el<:_]%~;݁2bӇ>02zC@uw. ѵ#_/gR"G ׹#a_?K#:BY+"?ќ5(߀?Wi3Чb"&! JR>W:VA_.v)A3¨^N 햆>xZ ߆Z8UzF4e0KEu`*!n@)/;l]:H#ǣ%a >>NIXH3po4Z=cFNW|DlLhDUD,YR9)'-SDOvӂcuc=V}Ou'J#rA*1$pD^ۊೝ" z7Î̭+ɣ?#7pq>͏AXk'SndH=?xl2ĒK-tnnZ } `VYC´dQ*Vk -|n%6\X-&h\4?rn#m/֪uWl7brtR(QÍtQX:h͒D6xufA|G $.W@_Bs0^X]üpOMQdWha)4 |G۰w j0S}+ֵ ?Ƕ_XcJcBS[=G{"mD =G 7 Zn2fa:7SQx3."I쾷>hjf$a dphZJ-]Dx"Yx{򹪻-Wʞ2\L{<}_ S| =HFIis\;a7UCi9wÊovGjKGvж4[p& i\f hܙe {E%󙔁Dfl.36%93EXU(103wf^!ƽy_ܲm,3;\nn,SOủ( POmy@C3C-;[a9\D0_K/8UTPS/hxVJqsL+k`>h'.fd{ڽߣY\Ćdi9x,5#_<{ߌ~/A,BJ~.N)nk (`ţ??%\ž{[fSKr@MI&h{$dTf〢j3mJA-/~OV#Ú;m@*;BWDk%Y)*d_:3j$1AExTa~AӴ9T]ex4ee;S*ѯԿ/K|7I\c-sr7EU4}l[M}ܩR?O4!_ᜋ_qV8pJ*OZ\yZIT7@7ԡP&"M6kҐ8k$j_x.TcLb0}5LyY<=\cD":KeM9mZw?/NNc]`Hf""XK%SؽԤV,AKwìV˯}1nUEEWncIks!mq8ZR2_B8"(Kl苔C>%{)!SLŅDZbM=KdNգb!FGa=kf.y+U0M}։XF^7&x4 pG-Ic3&N°`GHY5' jR |^Q* a`0bx A՗OI2k|iD1=v.*Iܞz&șx#˃RmsǬ|b@ピp sS t.y+r"٤Y@qO axѸ\2Ȱsj;_T Pp#k A#)ò]Zh=f+H *,66f^ %ZTkT$‚hzkq~2P:9|U.jyS6Vϱ8].ϟ2PI͖UMze2Z5n*`ZnZj$F֜z*7  DSEajFl0?(mŽڬ`KZuA9C$^EUjI *RUdxbPṡ!7…CsJ+iChIqZ s 'PTSW݉wtMۆɾ.?ĈA dF$1RS#NIIJ63 LC4|QlV9*Њh6pm7]1 蝼JP9#RH,b#uݡ Hh~F3.vwz`IejXUލM<7Ch=#&+5`P1F[ 89w7e8EO23m ܷraSu}R~mMX1'*.I]۔Ա馔\E=G 0۩hzYlϓ6tYD='EL"$ڭ&{^49@D}1UuI"۸6Fd \ut^b k*7%v@LAGÍw؟_Z3w8Ok=-,sf ֔ 3=Vz4Ea=-2ߐebEWо4 !4j+Tygj˜)(3}sCj\׼ѺW{X'ENA ˔f^XszsX9Z(b&.s㼾]Tąd,mحY:VܛB<vqZ> ˘|؂kʹIiMe @%3tP!:Hhp$A־ӊrki\uC'_ t%M SVZz .GՕ܀orewkg02Ap5PA~# 6 9ɒIIoIv$c\LOо[?(])hte!3*3 d r9?1IU0_+"6Mh+`^zv9kmϋbb%z@ I_b\9j/( yΜ*&aiSQ4`y(1djr_)P yƆrk&4.M/oiwrC#>aڡ*ŞY6 E%NcJDG!NĂxrus V,*}lqkYN=9) Gn[hADiεr/(U7Sl]%dhd.d)=rQ^궍荵ɲlꅿ|#-N=&10WBS$0`ɪ{r&*?"pE!j<ꆣatP3wCg)(aQUV9ۗܛ=3<'~GKHwcby3FVܕ*{1gRR.Y`gO]Cm0މ/S95Q5i.暚oiScvpp6~7*-%J U eGcjl} n%<KϞ0(ZFO,H05#r>(ZB_&gZn_A[y.uf OX/&0_H$߷$iG?x/qݷ: akߩ5,} NdC;r!nkTE<&ak쟾emnƿ0|)BXniޞƕUJXQGvbW*sI*EEYT'^4qV : /q7nīi;MmuBiz -Ҵ:c\ xO(l;cS@^o ƒ^,F9Iȳ!J !^v%ෞMևsoˆs6"Y9P&:9Q_T}&?縔rnH5'o5t. 'Zu:qmcTK:w`p8DzJٱ_q7NG#^Bءl v2Dh7@-9c tqWs)~q UdM7Tgc=']Nc^ U|oKQJ飷idt;6e SrּR$.]hDrUOb{FV;H] 滋\5i\CZ3I4PPCuST8MO2v‰59-ޙ ;SE@ OEcva'lܗbS 1%\#5.=Ǻ&X@hP59âRjL!okRM)!>=lkɍ1@9,4U$:+htE" D4PMhU&dh; b`qN5@3I. 4U ȞjULjyئIK ]A&#YAnqʭ k`[S_Ri6 'xlo#'P&"8vlrҖOY{Mcz˳Jϥ,U>ī9'm:6\N_#P_XUp*@Mz߅mWٝJ8bCkM/?LJks^exDwTAf29D_,8U#z0}ev"qhJk$ܔh8 6={ jLG 8ql==* f]ɛ$Rv["ޤ@J>:h-r~|$XUdb+pC!7(b)2`k*٣LEuMPg;%BFH1[!o]M(`J"3$> Z!L 5u߽Sz[s+-̆::bxҎ&zT oy*GcP'՘,~8WN7jg$`>O"rME87$XSL/8}b 9R 9n5gs]s w>ȁPE3lM{_` ӎm f±yxaC(:O=_bMXm'+;t"!D fnpTflgCQ4H |o+-#3k?TK¢cjRs{㭒a]d(rH$7Ʊ7njJ(3R{h6SOkd] dzԒB{P?;*,#.M[8H 2!t%5=IxH0TFT2?5?WO HDUX3SqlXTXWk>^[q LUtQ}\Vo{pp7BfM:l"\NPQ&~l?#~Sw(%o\o3.G vuIn4EF02k8$0uXXk /.L9D9,^Ϯ- ?5ʤ٧|4kTj%YX"wy%5錧Rq@΀^_r1l5yw\ v}bOKI5Ln2,Q]+%9x}|9.@Y/ :wZ`.*bKϢ%)4"0K]T=x[zdV|fy1K8&)j+ :`Tχ/.hJ,iQ{4Flڗ[ໍŦՊMҺBaecڳD.57g2٧]84=^lU`*6 6Km;D/\Jzf4ơ\R1T:)Qy2bVnƦzd/syuN=wY8J k vAnqQ 5L:ߟ`] ]3 2L P}^zVW9C؍S|ؤ?T<%k47ns1~Sq_Q/1דΧ!ߢꥦqTܥcvziمs(+pTxgObfI0}k0Kz=ڽ?YR'4AWtOv#?!/QwH@5ؤX*w0* [kDiΉz9GTL+g"]w3Mo-/6,]*|OL\1&r(j} *Yeѷf}ȶ[=!]U䚛ؼ/Vun:*|kq/Ɩs$WI,Y{;/J_^ߤ ,Dbn"B IR^ X/nSC`?͠Y¦uQ\Ar+w;Bw[0NPPw`An׼]}^+^ԞMM), 0_[$产j?0qfGGP9&ز02^1=C$? z fA̧6z!e/ x"DX3m:zBv?֖ 7S8?f7!tXQp@ʑ?ѲDKkG_mM58̝{\pwÚ[>RdOF,yZ#~ sfgXU}ۨMUAT' 9m4s4T.pDMels(uLu}CRjy6ِ+"*&u[I/Do܋>o < jq^V.2mvBhO7\3/;Ir0C B#fŜVHݩٓ?pc6N.v~>$mGbP_ҩFol"9~8&ޟnZ2ov`z[ķqFH57sX%wxeh[=En+h6'm&@CO u&pL'%vU}l5x0vo,`C , Ρ\ixɏyΎ Apt(k-nkv5I򺞖? E LL1vqht J2;'MQaʏyJnmՉ$)Q7'k@ :vM>4Fzڲ\7ئ-u#8g-u3{ 2lW&[:Vw4hzT#l:@ @Fn@vϭPjU1oBkgǁ曕m^噞5So:.4b^6&} n= \/Y}RbjΣ cbMuZX{(T:u==s:N8%MD^/2~HV(ەVc85ۿw%kq֝|bٟ藅/w^+^(xo7X,ď |d3Np`6굴$l(*7,jZ<X]1 c$|LVO/(]?wj8NcE gaPZ?p8?W~1Nc+\ґQq܈j޸ M45TBIstJ曬yzг8K̖БIbW cN~>/ݽɻ ?d j2$',ftw.b|aPH>ɝ_[BٳxGr/m{{u2vn޲tJ1r3 C hބ35R_٣Giܝ(8zE]'^Yv<)P$ퟷǚg0±"%Нa/7R3zԒ` i:l'%3-W8i )LrK0r:o#WI 7f>}mhڛ]cl3HAlh@&˞BOG DzYו9C]Ǎc˚06O=$EPt]0Dޤk GU%fnc5I iհk;ˌk-}61b_8APķ5s+d bS:\tH;){|6 {t0|&%${=-{J:&cBN z #4R+[:S`xtݕ1~0ꞌC؂=;X(rs}K~\>e-0ޯNmL,疵-o=pkZӜI-w9 {j.C}dQEoz-*.'lhe1Ή8g5o]34AKa 6:,5,;]2\H1:i ZLhw~L2Ϋ1\n^ט}6W1:UľhQ2 ._C \>EakcyPD~| ɭ+u $z;eSw6]c-e)Z|ˈ= 秌vcHJBAI]D oJ ji:R^JeqZߡ /fiրM@xM4X(p";צ/&h \\&3E獖)]ތC8ޭ0X1̱#^ Zqu6.px g3QCP{k|K,mqo_ n@'w"!܀k]$681J'A1_ήT~гm7͕UEIY\] Uq ϩ +I~ ^Q]7 :Z?9vz[z@z~dK"pA)?*fHݖ[O,8xx/C Gz`Фw?*Pe339,ْ:HH.qDx+Ѝ#_pŏ!gz3l]fu5ܔs01܌1OHi Qz>c8[8\I@vA${H'XC\'Ɇ7*0[WTׄQ$€2̧`8P \|܊`,+(t܍ڔQ22^Qe*,<;vE^,Lpƛ1ժ= :PBWk ??/}[12Rwԕ_`O`km5ŧ!bˈk4 +\]>7)ۣ\=ʛsR*8@,wU Z QG8i ċ{c "TˀJ2ZD")54@Co׹fթ:wpy,5"Gh8MjwH +Z5+ rrd^#(ʌn9vDXv54`cgRV1)}FLt|a0oV*⼮4Lދ";^3ƨLy:bIKqM  rM57@~>L/uEԈu5gvT!z=~쫧d\QFs%kO6B8@HnI3ΦPrɴ\3f,if`n Qۢ1FD}~BLgq3KtbƢqD(<⅒#y tuY^Ygtn9!MuUq9 `]3>--l ' [ؕF}@ՠ9=ktBAgI2&y`bzH^=jx|QZ=K&f}ϭ(7>gG+R#6UL_%W 9}G:cX߉1u/1))ufO7 C3\x` io~qRݠKME + AM2)X2FyJj Of(Cl%F۠ol'V Sv`h菠Xu7d|5ЗҸiuC[rXE)A(\( 5Vcn*@э._Mqƀue]xT`3iD=O]m ޢvagDAhNY0\o`}k >VXV<+LB':fZ|Ms"P^I2i~D^-6V$P-(Oc3 dщd~) VarJJɵ,'COv2o;(41_3QRp'])#ms!S|`(cB(gyY+>ۋٶe\Tؠl+D_s.+$k.FVU}YmjVrwE:Pb-tiIrQ1+E5ed\ȡB1a2Lٚ^Kެ?q@+AE1v4@@FM'Ta0W}$< H: >[~̯GȪs(NK-sqJ2RT֫KfݹS&#]'f&X,Ji_:g*k0X"qTr0޻!N**;!P5 bPz?=9'G5؍':f&]%aľ1r5mOE,0"k~؅Eh(3c:FtqDVY>96&7geTD,ُ0Ʒm/-R#lC`?ੑ4 ltH 1F1 }}XfЗ51^oXy3d Yg̴ %Ήbv4eP ^}au=3<pBM^eQ_#&}c0`\^_]d0-H 6Bm0"<>ZhmN1^AH$EsgdϞ;D7nOi#/L#uꈓd^ףXefQʡSVҡMen\vЃ3s tǼ][߉RW\kLh.&<͙,]5c[B×3 G/E5gI d2AB6 Yp5;岗Hsh?+sm|:+ k J$B),qL`DtpkmEGtY^yh7 ƞ3` dèpm>#|*<?=_Feݖ-/V9RB2Z>&,O%Үna9x/>ޕ[aQSeEhWl! ||D`9-L(N18F)."2Y]VGY&mt $|mf/*-41xg`+e2ێ")X|@ ?yxz'k+n}4rU <2a$!_'#^rLW6 ɻ;1]_Tnyd!E2=6+4.)@݂h垉x[ĬM?}}gQql28Vz;ٴERTAm?Qpw*?NU?qѠ&w{c-`5$-1pQ7j k<-b6vdsQ` rQc]@ZtЌt1 "zE/vm )iÈ$ڵʠ b%/;c;bVRN9XsٱtI,f9 %1Lj'5h;&@g[ik[#2wt^|GxnGMJf%mOG.vӊ c9'Bj=JĒCD7|HL.^fAXo@}FWFqP3nHګ8-m]1 DZ!9AUv*тC9T/5ۛN }-pz|X8m@.icp ٮWI5%o`.n֪j~[}eZh~/3Ndk;(ɧ>W7绂J|(,Ssmd'lÐ[mv8)eY{{4hM&O^: Dמ)H<-}cyz(ʂv״5ٚiY z*6^%{kɀW4"BJj}hQǑ2Ӳu>'bּ,}uu*NE"E=v9[YͶfaTfЩ9ձeMW' d gW!㒢$q ^CQft l))YUJ$ o=z+]ʋ쩿2߂_X0B(gMr#H%A.Pۻ=븚D#u;FTbU<彩JAGy݋ %9K$$Wjdf2fHv/Hp3Hq Ճ 2EJ[dL A0JA8p*êgN9'%P>`|1rpYmБy#mba8}`+sÒb*Ywt+Z_ V*gBWt1ީ/=w^<4,`we\m䛃ޖlhH3A돣fjSؙ-?- K}Jc~Mv65Vpm>ΐ$eOkdGTŗ۸xVqB`UF֟-FE\ˢ*YޝIcu#tt-mK:Yk!/Z?QG|ˊZgDCӲb_&&ig"%3rIwݴ}q>&/7G y|!~)YDPn: >=?Mu HS@3́Rcú'HݶWu?P4pLyu-EUMϷ).8j}`"rS$`7[}_k,+ɿQ^΢qM2U,E/~t fyBl6FY/GG['yu]tL\d'},:,msJHʜAtX/[<'6ⴡ! 7`p]7C?D)Ń,@p Fq2M(rҎ\<UM0r U`y~̀mFYhȷ֑x:#ltykAߞRzʹS,R 7 N`k)}Ż?YQ5[x;15cs{2O xv~>/ ZˊIYfK"ҸNJk{ Ƒ %I;v^نQС+,Dj(ZYs>]#:@v* p$*L5-pQ_;2qQ<ԏ嵁!WM.@oW/+1wLÿ VD|ϓN|@w:eەs.~MlҘJdA>CpgB?a^hS*V6OS#k01baEg C/bBJ100U${:,LvFYsCLI-deՀ<1=dGPiP05לҿs>VbXi?a|tA9ӑ1qV7 @HV/pWj]qAz3@ Y#.wȣ=,F\0dZF uTHS;2 ߕOsME Rw0s~8Kqr8tIz|/%"d 9/+6%J(/EVIJlCѴRR߱olC_3a?[DH8Пj6#k'bP>KB 2bH9ȠYx#dpOƸi#/Дd 5@80UI3:ՖΐMj6%%0m Ʋ%ksw]ҔCJo(ǗkZImP3VG37hbwVa`͹sAeL$'IrZ!ϝT H8&I|ʂ:XԹ7{-^ӛ4>)Q8}"7Ժ `[qttA1g`E.c !<MRAd9Jd{1N{]N)9fIj,jnuzUvyAag!7 DPWD2hExj(&ZfQ^7OZx7l:$#$ X?C@:땐/swkVI!%cm+S K]fEIùy6y$5`4sc=[{B&[\bs%~0꒛]+)XVqax젧a1X0V+M` `mMdiO}aLG!ML+|(_ BJo8MԲBOdѲ~@PTB~ki!N܂(d f8>febX|s@S+lcZA>v/-iMp /q.PQ6Wjl+F#x-G'21XU҇UQR|JP|_گHlxlm-uf< Rsa0$%ڬ˘[اn _\uڮSo2/Po": B<UK\zKPύV!BiV1?O8W3ХkX^HXyH8Qd֋і/hj~Q by'-mKdUFerrw4voYT?( Q5enR+g _N-Y%Nr#6d}vܷ N%5/y}cQ(/,~k%ӎa; =W%pS0ȄN$@,ml%jqKHOLY-{0eˡ']^EVXivy{ݢV-F55@aR)({$%SL'c[O [BA7P;*10uYT0,]$"yRlg;ҙo%UKLSbN%h+FBy[\LߕkST|BhHEw%O4Vu ߝ\!h~ޤ\Iu*s&)'CQ9\Pvhj+W?"o xCvJ{bRhSUխ]MuJ 8LH,c@}.$ʚ`J%BGP9z~}4z L9 wf8(G8c( ' rC?4op_-mn{Y /x-#٘ŵ\ˤGG%N> $rvum[b1QU[.|uCAGqhG0}C϶""~+#F[T{EO@ i&(c%xkzMJb*M oC1ih׌ qۖa˛1Sͧ|73Q1UFA!B@"VISV'4B3{$AVїQJDzP䭫_ZC]woX|$J02sDLs]L^BE4=ӓ:/x#al]_`^1 ^c4G1M@6Ykv,s3b͟?P|vÊ ]1`>ٹ׼79=3Ȥldpum}x7҆?_67iN3O/,jORLIJ[49#>c C:Te=!%-L& "AxUَS пl]G/oq:v};je$V Ҵ<ɴJPtqymc95짺_41~E2I(!ρvܕã^n:}֑鯈LKwΣ/&锃A dgW07ГP(zs9m/?@{@7374'?3m"fv\F~!k)*mebň"C˶,~#ytsGzɝ58й|Q:}?c2VE;h_ )M:N_8L: H/HB`V  +L(HZ֒kBJ79d /&Vx'@ԯ"]KD3/tҥ6;iQCkzbCPg$ٜmS4k 1C+HeeyC1d qPMҦlqwE`һesy~T\CzL0I{^$XsaC\klm+Y&A :LsU6DjK,lHPFDܠvq,3-^XC1|FגxBiGO߻wK=oJΏZtՉYKPU!|%$BsaTQUfV8U_wE{!Ns5P#M9DC چuL#ԗ*jx;7 .>r_׫EO[}:קTp'>䋵8F[-/kj&'Z=o r]YÜI^X%F~Z΄hԘP%^Ehg (6թmA?(q/3Ht"(Zke4DuvR;\R-Nr[^giˤ0\eTXPj-Mҗ% "$9xZ GSGZ't9a, R_RpoW `[auȥU[+]4N(xXSvf]~=( ]h F`xJQqܫi DJJ@U?'n @[S `nһXhQBnh՜۲HF %\O;^Gw|i&^?R٪15Q3a$gX%腚w+ܡo&x<.6ǘo8ni)l8.'L:*QJ3l .60{vpM:!~o b-bYv{laƗ! vB' atMGJ=Z[^%y/$7 1窣 &7)x5b;^*3TNoWneVLz6s^obЬ6X˫= 1;&bH`K%]H&A1W @2]6J7#b="]vGR>9dS-}Wk"9 $WAw]_PsJngo,7(Дi^@+ÈoEvnkS5BG0oOƽ\<>;klv4߆w6\T;A%f89>p޲iNqS'pLɩ8+P*2wT9N v%jM`nto a\VYfxO0Pee?,UhzҒ/'[>0ȍWw/`vV%$uښb4Bg\+|0,0ה!]x\!}2ʘClF.PXwC!_pD8䪚.gUۓ|@Dm*\fn2Q7m]:d*Wg*Q&?aRG@#1.u꽅3DE@GE^C'DJJx%,:e&"h}rGh~gZ(v<[YDitZnhav-]w"uj<w ST#fALu<!ڎp6 6oPӏͿ4snvP^a|g91MhB.UoNʳ߫L-C`ӸB/\!Z#03#v^YUO%C臡#Ҩ ~hp0)ڑfB`c3a\-:*=Vj3̆J sjy./h(0 ?R#b*&O~3erWQmr>; s6f8ޓ7d+\ w,n!;1W&S$X5M 7Ax_K)t FR1uIwyp5ɽOĉbX1#- d%J;(mͶst:+bcllVI{:NѮ'G<F)*lD8#5oeBAB#cNÒV-fD}At,Q~I^&AUjUoFfo*ڨ~Qi?U+V8&$Dj y>,5/B8!Ō? o @„F"~i~(/#=p5mdۊoH}ը 쉶_b5WITYHp]Ž;PxCj>3l2()Oi ig zY.9bD9x6S2snϑQCd[ɉZ˝5Cu6ZWEbRbs`Gɮ`>7 (ReB}65H]i^nꢫq3Y+e>N7tz9ZdP;uхX   ~Q ĞSf2W2JV-T6nAկP/Tb*yko, {  MhWr@u MKuX_n$PdWtsH,| k! s~^x*@L迱Y%cF/FC-ɤ|=;<=_}AuY {m[6(]Z$P-{FZ* G<9\Pd{9Xa;SM[Z}IƲMv%kzͱWo÷[jZ@`/o"0{N 59]ɪ=BIdpu>D0lS))FZi2daЊ|2y*FƱ-`OQ`فJ_ߏ21lNoWvKRQcL'2"~${VQ(8[jpΓ[7d{Z2e7&ӱke&}xkvWxQmP5M qGeWO49}v= ?IiBthLTiWR(bɹ] h27ilS(_t{lpw<^:  %Z%O/",~sC֖i&_nP,O廊 ,"Ob}3O:Ñ~k=T̡  z?b@cb1U'˨ewۅ/yJZ4d08j*D_՟9Bu k0Qqu[IS:еfOfj/JFVKYZ:q|Qkޘ5K$ϝFe2Mݿ,_ ܪnlz@ZXƹp]B x A&I(+]ERq燠SoʕԕW..ax90N!hz9wy)F 2na2.')NkjM.i/}ٽisP=} ܛY:' ! 4)8DmXQcFQq=YEOS[s%E6@&{ RzuPUͩ~zrZLV'oOwn6#{!hAisBhLGе}eyC,?,NZ@ƿx|Ly/'w:[[&)T5sOω ?>]FV T7snB/"^ za%x@=ni1PKl_4Oh=<@㈙"0$@;ZPx FaHK݇9ne ) \+ hSyM1WR TRp{,8 IL1}8;fe{kZ!RiYS?nucpPQ;ƶچ iA,E1"ʾCbe^TIEylƯ-Mk=άa"\LKVnU)[{!^bx6e]BҺy ڑ6 RydiRMD7B78;r Sežei\Ґ8DOq %C2.hyȿ ?qR=.n{6 ;>cf6^e2ܫQh9'4u/-Å"rϬ@:^ަR I{2s^c]wx#?ߡm9I*Y' ?ڎJd `[}~ ~FDq^7SL ~<:6 Mp*HJ  |EEO7 +&^n#u ]W#8U6F֪~ 9D6?16{%WUH/gN.^KlX^4]3FCBU1_7z5r""D7>ߛq#ဳuHf}O}5+JG0;/&2!<R&|РH;ʎ,L d1'1f46Cݵb|J%iC zYr6uFBӑ N4a5"]stJŋHOZӌ|! XUY\;xl`&+ÏQp4" x]u,MtNyML,hJyyտCj@z;VB]Z`03;.oӥrpʵ"*`KAU>窨B8jLYDW\NL˻1^e+]R֐]ug^),b0-eda# ֓-m$s32'u$Ud1AܵMUK;}YKD@j zdgg|qT'\r@]e)vnpMEF R|^B*C?xM顼RAa*H;[2lzϯw {s>@7U2zV0m?_Ft鋉kVRw.=vi$OBBD|ѲasWwqzS-< ) 5_y=Tk1:0z:&8t&bs[H;1mК(ج/:c5 ŎO)oYMrgo&D<sBV;Z2p-mnNZ FTКL44q#cfwG 4BfɇmJwT0 ljpYfUTX8ZZmɫI=gpۡ)z7BSL ټ`U<塳7[sc ]:^O͏ :\1Y}[$&u:CyPCF28͇`y g8rTĸM" X{ *‰O3*z<\B@Uʼ/IY`ӇhkR.*gJ.?z7zK>G)ѡbd}8>wH\/UIYZBFS%'fÞnXBGcmkm^bg 3`Kfc˨&" 6>})H0,.-Gedژzݶ@bjpw;d=!qڏ9?dRre̞2IFI;B=m + ^״I*Lhe}l_Y] M92|""ǁF&0/Vۣ{Ӫht @M'$?,:Ȑ# PBc |0[鶨_zee3Vǔ=@ SnE2'MAmxB|[f ᬏE}i4uqvG1EgNztf_*,ϲYѻtޛY7j$4bl9[KJP|p2Nٽq&qt [!0d=!_S|kVc`]qxqo)LqqS~t 9/H:Ê0q0XpU}Nj S%ꢋo`YDz3,fO 6b?6 >mgՇ[6ݒ' {IdR(=,yv5 2!' yGr/9B' 96(w0LpAL.hKCH `B^2WN#v9j}IXHZ?f\ CA4"Mc D@GݑX25sIA'vDb?$F$~:9{0LXâ|kD:J[j?~6[23՛iL0 f2 '/at #8@2$FW[yl L!I] aMP)jFLk#Uj^s_rAfQscI1f w۾B\&ar64 c}W$UE..- #*!vqp,#Mw/ LRWE#`0H ښm0&=Xe^]X9~ 59.FMnh2 ~zgl`$'8FpNm*LL1 ⯝?D5"иhDsIf7S9Y`h/io쾋z>ݓSvUi9gA0Ena9dq^`?+o*f8p#Tsܻe?!V b'51M+{Nc Yv>MS8u=jɞ%JMR%aK?V(rwNI7Pi/;aGǓl F4fE (_]feŅ y%O esɱ2,d'_S02\ v@۞ gyguR/gZ{O$dZ|됆gt|>w:1SlY4t}wSijcZh]tZ8ȸ %^bI>jU,PF!vYZêY=+@ PyR} yG:+"!gseRqi)L$x`pهD0T5Mj^7N Hy.'P,p |qs}SNJGݗE*| (c8+z6[&"?0^Z+FjX @jLlzON0ʮOCҷ Y +z# 嗈m2^p )MO旸X{uҀI Tj:Y__I#dn|.7_ZF^\yF܆*!G0MxH"CZ^1F)#X7*vL|u#tM RxK`M?M8\b}*9(lfB:]tj "N-+׈ h_s?+caB|Hvb(m\h@KY(f-NVk.%,F^ھ-U٬rgP. ܒⰫ!y^"^'1?ZW NHH'9"zɉ}mu.D&^iZQп]~m FXz߄=v_A\A[ 8쌏°d%́N#0|rH]Vڝo@|yGw퍀z{ ٥3R RU<,)d';;o+r㬭k^gz<'Ev"`GwDV^0x_Gm!.eOb݇M)D$Eq{:)xgJQTQRp!%2kNSD}FQPuWN|g$)./oBSԕ\ #ami]:=/n_h9!iؘD4) AZc8T. vĽk~Ǹ]gi?GS BRI#N,R͇+gБ(B4 v#Fzȱ/zU&nWQñ,Pga(Dǒ/Wpݣ^9)~4\'cm!oSR*O5nW {jȯbz:#YxcI}uYPh}WJ{qy{-Z1WDT0q }1~bvPÁHS85.lmB o1UJPǀ\ mxWǴ'VZ͕VXke]hY$`\lSX[>P$;s|¼( PP!vj_ ,=$/i^5|y`=$M0:q6P]tcd3cP;aKd[6?4 >#̗}rsBX )%(VqR0 Qg{e #^H6L2wR3/aCJ1Ųʲ17}黓]f2~<5| J@ސ1 Δbiٛsd!Na+O pA_^v4Lp}nCgwW.b-#s_$$%BԤ|,RC?! `P"؇=n#?%&7l|jК =jfڛLNSm] AS ϊbZ H^\>eeg*f=Z1Z DLTq1h9jM4,îv_D̴1r6ي{.` Z e;scZ _CrInӤUq^u 4ܝvޕꔨZ brLr1M}+ؗnf^)ȟ}Tm[˳n7U_jb%" %m?ch ]O-JWb&`OD^JvS#l1>5v< 2Հz(K$*dUWv =V^Q巚1ݤ>\iǖUΒ3]rD_%熄PFW VBA#1,!FaLyP ѕ!ґlT,dbVwp{zAp#R>zLvR~@Xvi(iQqK_uq~9v󟕙@sM]q!p}sL4CjyB,`;WԏT3ạ=wni{"?xR<~exMd^G׎gL><_h [+W*CH0m=S5ư3j+/tX3œ6$5v J~{ϯs ͤGV7Rp)ma%'3m: R!o=7!,̉FzBK,7ΣWHX5$Z?!9h"T!@rIiXJCex~Of)uWJjDpƥh0_vGh`-^0`uzdOX[W9K_1ռٔ(=űl9V9-K%|N.LzQv#"*EvjuxG~,uwU?ѳ^MTi\鄂̂x7uuJ,L,ĶNb(.X-SL#" Wt-$p@0LFҷ"^ %[)H3pнhɈ4O2C<{v4xRtI"BNx1(v w;]KZ9z+F~sXs&kԖeE{+O%` (~cy#18=?wv(5;#r`.8:.>ʖG]=CC}<9P)b9(Ag#q,NiCb++ۂ Ⱦ VH"tlGâcZmxy+qm|hYz(3d*Y7ݶQY,1~Kn{`4+pgp $.B\M)VcD(bejD){p пPY-犣MշY }=! qߎڷ)+ SIZ ^?-AAp.emIDEjiI*: l&zB=$zalE:P|0ssKf"\ejNGjw'4F"TƔ:'frUFV:f#T+r?^S*N`kȶ~u=zӔ"9ljWDLʌsBl8mS2 _ Xޣ \.$𖵳/B4$j*nAzRۨ09?6NFΤ}0\c揖=vp!aS# Cީvܫ Br?ri;27k|k]-Of0m|V[ f(`MF! 0wnp5Fo&^6qVs!7lRlAO32BI)AQ-GwxN7h!Wn2\ !Xd]U$[^qh|kLY $פ*FUarZ7i޹h Pzc4&X_ pk@K} H4896X"Lq @TTxloUHFjH:@.ik0 X5]_6wk6 Dk "2ZhK9N2lϘ17Aa)tA)~Ngq5 #|}Otp Q$|diuh]uQ֥*貗RڠճaJ_Ҵ dƉx)~ Z0yɹHgb9)nj-ЦFq-h-6",E_XWk<ˤvu)]׼J5}+Q.mEN^nBW$ՄYA^Q3*O*+A%.Ƹ/#h%ZJ&ĶGn۸b}Tsc7ėtܦ !7aqejdÓajOnPuݼZg {xU7'&bd)(ֺUdҪ O4BƅQN+y<nzD % :E8R0p M>N5ߦDha^ClWYN񳭎?i)(|~yK@<%bf,m΢T hHoSkJo2H^D= տW1nzNs1ޓb`a&gP2nKWHUQ|C瑙q2a~<8Zfu-0W") RDԾەAHAK\l)ʨi mJr&ezH́bea$Ǚ Q"s7#aEPmK: l%*5doޙX}yt;a8"|bh'EĪ8lNE4Wfw%V?vi5SceZ:6WiexZ ěWG׍ qF,ܪ2Ifb7N;IImt *#ptY?Akٸt)!ΥaI:%8o[c&Q"ݹ  ;-27j|&cmSLE* Ќs :&f:,[2K,F..]k]r={^POyl(BݵCˀvzh_n8atBӸJg@LK=N2|Ӭ3azy৥BNC RAN5Bo2je')! D7X! N鮯ozogQ[iHHўA޿ Bb8-YOvQ(PS3íT sD"t0ى&#IUSr rp/4 Ө=LһA& ;#89c7+#9f.ۄr yJ%7ޅ H3%"&/=?JpTѾU"Y VCyUjybU̾{=1+?S)l _{.Ę)3Ҷ6pz#`šNrB2p G"L=:L@U'W+ۗeac(ɸr^UbRx+G+_0/EyT7*F\?fIг3BeA:}К⃢&m>=}ftn Ao*pH_C8$:KZBՔ^C֐}SrAKmg~9eJ8&x=^Q@m5=Ӵo2$)_azSTL:гZ/XhQ떶=֞߻YCߙ?`[BDASZra Mb;? W7%T'(MliЍ]aɃ~&b2/ Mbz1e@;B|"z_ζ;H#Zb_oDdStI<~bE#!ѧb%) %<{VxauRGfO74+q p2H}7l_ʺyeB"eEWJFIJѾ2rբ@=,ml'ugo: !%I2ex;Lht>E}'Xհ?f//"Y=X!e0WPԸr b 9?q26N ҎQAXݓQ#3&s kfkJ~lt=Zư]eBmihJ"fIgƚ­Y%JYV=f .&S5z>/rC%}ETJ3ʦ+.BOK!\Ed1\yRU>%X;,ⴥX2l.|c:2] a}fA(q"`brEt\ (EV[!Pb s5ƆԬCmK-OkO\9LV#3.ٕ0~X,8̋Gz*|d Ǻ"*gtϸm_w^KDX =hd&Mܗ+}kCHqPуA#/pQ C+]θ{Yp-fɕIO1-}s75*eH]B!0ŦJ"/)Ĩ>yq/Z_L} yM R #efYϲsek݅TDϙbN圆g?y/͘w.EMb;YLEXM(%-輜;`kcӪioeHgH޿TG K'.mVr,7lЁm WktV-gRi zCuސvqU/nߪIze~Jz'.^4Mwao,Y*.&$jk,G@;hS(>9LD\$)L:G_ZraVć>)-zyBfdpn,w-‹\ϦZA+WGOv͟=\~{ܶDu{]'?Ćc ]Cv&jZ: hMBqs ު-{'6n9Z̉b᠞TtƙwcomهlRgGf-RU  *fDVnfgkHe&)_EFZfF| &tw(Ts5m,e9lZ5ץH,Q7b܆B/{kK:.lzXqaN_ۏW)?`]tFoP@əBIzZώثߐpOJFDӟ5}a \pjc()O*tdgC(31!U>e $\y ̶ިb jia`P.u%UdB&H^Q G0jQ74SZN3YaT=:CoR1u5 dw#6n DM)mŇ\7L^1 cA*K+},uG'ub3eF&xCy$ݍX[o0{AVry0)dz椌M; | ;?YIH,_x5%nq`G5!Go 䦖"HNF:j_>V9s'Z-6﵌}oUf)ăۛGo+HzzKD˂p=:.+ t,$'%iGx71j#1J8)i5+E!8 ɒ)-Iјs`0vyY܃XTmEh=a"<{g;-P""Pw?Sܠ颺]p0$26M(Z)k\.,%CSQtF213οi.Oygɏ)g":*cqTf{~%;w%HQg ґyŬ7cµa'+Fkxu$N:jS[o` va`dhe HI ?|XuhȄM(o|tPۊrՆn=40h+3EZg}W!i=Nsfq;(d»﹥ |[r` mwĊ4_玺t^C~yTTۑF{,6MkVÈNxJDkpáv0'aZ.}eʑ'0QL jwQ/P(de*?`d)V7QFv /Å_Ms9x%]@*Uσ0<a0(_`ffAR TtJg P!mK2|ǟƋDz]aSIyE0b]=;Y qhu^O`؊KzrpL_UDjTK >Be)/kZh\L~iS_ی~?5!t7;7Ь.d4cfڏ'*4XeΪsBeǸ>Hiz &&(cz}l)V eYEpۀj\hڱN*N^ Ͷ=HYqMfnJgZG1=|90 Kz5hq^ 3N,rU]0Lν>kI8`"%Ooy]pWW3*TrÛ-g(`qA _䇦)&g!옮%~ji Oo&O!cp *_C}C"Z%[%H]S|_-Nu6ׯ_7^OmE *6e3}]:^(az)HgF^H` . Yξhk9։b̰vdR",6SA?K~hGvOd,#ħFqҘxp;76~) P~&V@^VT@O%3ݡ@Yir`JdnG5Aiy"]ōawz6Bpo9vHAdN6 l5ޮfַz!_Yy{=51tWܫ\EdeaBʴ;\G,y̦2l?A2ሚnNm%\*G(%<&"2 R#R*2b˗~ǀ"#fE=U/qh&M7C0zLWcдfXd̠:;F>S};v$l Lk'N!eZe=3Leznt $Zyy+ bAo f=T3]WiH4H|Qyӈ1jk}LaܡZ#>d4t:'U;ύ KRAf34}Oe`C?$``P ^GV*[mtlҹVuўx4_>K]j.%ZDD[RܛYg[HplsU B~x[@ ښ*z-"l"6s-w) >йecX9gԃO`pHN@0{{TJ~y0H,O5ysFZAŬZ yo.=#s>*Qڥr\>- e+PzY)eMk+f;+$blxOiX\3hƈ6![cOK> rQ5hM%st+-8GfC '`/>_OJ۾=m*';w%];1G4\7#ZN_xT=l|;u^t̻_ HqM8K IslN86Bcr;R!F.ל%̵Sy* vmdhuy0u6=$򗅄 cIw 1DL^tyːGÄlaGtN/"% <8%_b:(v|D"6(@>Lp[-J:Z ?bDM/ Nzo:Ux.z{B-)xGx#%q? UЛ^<'rhi&11/xZ- 9VM4KJz ^W[K@R5a.X30qt+ițj֤~gM;!?;38L ^]5рZ7ТyD}qNd5d2jJeҋChB[Y 9>1$h腎Kmј *p+(:. #o{sQ1<})\]u÷,$ʐ2S2Y$pjtZ#`Jl8A;)D{ ӓX#ѨjcXtyHOkЋO \g!}RH1uX˧Qʀlt5LUv<Ok!D, mq8vc#dMsO:*KxNӛH9S$?iM>MvnP]M?FjKt_h艂xɨoCGߐLR:LodQ Óg\'9k-k Еqmdgt>@28Vc*4 sz{?tzstOT88jlFςX5=8]gsMXiv~)S3%Ѫ=*%p bW_c6lbn 7,ga8TDh"1; js?GC Bȥou,<8̈<[+-g?%ƕ2n,Gj]_c0癝dL.hU)0(A?k^uЁu]68z۞d4Us.0k{ZFk/OXSʵ4QQ+Q&)*_߽ntDj|^ ʪV>(ǒ`WaOqhVb7>DY"8ٌ]9"Z[+J}zd |\0z-|W@fyG|#An{ihUma}OnĪ gDZsh'P0\Lkh2FaY!I >!aW>'[Vo}.SV^PM%yI /u/`-%/u:K ڿrJԮnQB2BbjL2= 'o}F/꧌oRqt@)p`;[! 0ه&+# {*?&orL0cPfi].̳vb10 aeDHzbH|K %Qj%[A.I6oTLgY:fxEPUz[I(uSL+rB9UiOOqCj{h 0мMZ/|_kU`{첅_ DaV1w0s6[lz:wT`d]VսΜ"qqa8lNžc2NJ1ƽ07"W1:-siQkl#4baM3K0U($݋txtFBdtdὝ͌L "_f|⪥{R;-&Rk/Y$p s7V_?&?u W\_Pt 9u . uǗӟ24Iıb5 @@W 3Nd)yX( ؄tBf˟S}q`$P)Oak"^N!clZP7(:T;Cf@C\& phpഢT= P1mpK-6_J@h"ˑg_JGj7 >ItCg4j[w\+oy<4hOk]`$:a{rB)nǞ%r{{x\]U [^nL,8/[˜T[pfccTST` jb::@ƻvs`2>kԞ(oGl918VP-0#nVidžuRzv$;'y*Ĝ娊$)/#H<} jf/@]d&Z_dp{O5LNq8GYz({ڰ6IMdeB';k{㊳Tʮl >}m5wpu 8/vʚ A/} I|z:Z~= B#s-XjUSl'h OޡCG/'~&%_eqhW+@1+.%t3: {yT62O*)db7ۅJaCw,vF=A 9*s*/eY{Atk#P"ȭbcDor.{Jr<ShP*y3c"˓X(x4t,RZ#ff>-O]\4> ɵmpjP)ςn%Nq$Z!1 Z9c*/ˡ HߺLnH'45y\j[ OimաݙMF$pT$ֆ,+FVS**+E=1$;.[ 8B-7~r9"" ,"q!â Xh3^>MjǙx2 {CyzD`l* +PH픛z%W0EG ͸I3y#U㠦2&o4z/jaD!YgbaecuP{> Q52ͤFGBE1quo$ k~|Ud_:"YhY9ղG/ :3ŦteO29*j{9]k\$-{t!Yq#io2AyF{Di =jF(㝽8K'"`"VJ8r0={e9ekcD7)nUCi"u! WNtq̈́-W!*é),ΈPE_ >wN-|p6"C $:,8nm)c8- $uG,/wEˠ\@'d܅nXu:pc6˺ gzS4F`]Fj9h/qT7d Vsp$ߓw! ʠYgdKlUiA~SxWK{ȉ2]ǚ:iH_yhb+ SIZABB6^ATuq9S8!`5?2 l,1BT%{:`zahF[w=$-#/ܢNlςbtp3.Ib*7-pԤc!dկU+f1X'YnY^?[<=ElmVfq0t/S‚j,[2O|)p}.Z >rpk cj$>'2$ThW0K*&簲~-[ =jgڍJ_FZUkU@7⊼ %6:UF1T'}d[ԼFeS oWKpx*w@fz+\鯹s.00"IBhE#~w`5?OĜ&ra^$zvhSbۤH^B@tUdE !yA#苜$eg`Bߖ&~ϧ杫OfYf;e#8n <*3!P:/ d m$梧[%wܒt×%ze" 3݂#G*3GHՒlHzu/OAV a_JGɄpLamۍBk!O[J4OɹFp6HV}=]v?*z\sf5׾$>y;&O-SJ9ՈBS,?=R$ O.~xJ6 - O>yȣ9gd8psM9_^Dl-p%|Fw[m 0f/.o鬅>LY0Mʧ^4|"U9VZԾL%sr,SA|SAvRE3|15X:HZE乾"Y* { ρT0xKɠsq5}e-HE#j-YM 2:zV$¢\m{=xI [~H E y2l -"ȥS7MLVK]Hh=ٳꝛ18zoBL@Es)G=|WA(n 67ڵMHB{1!.̨OFZg4K($ט% PRgIlNooUB f|hV=T4A,zMق'"/*![i17XA8| )H8YN{^ȹU\ Ar$1q:VÁԢQ ۙ;pFFklC6~c_<F>˽[}ɳV" {4I @oP2ˍp*{z3/1 KGy6oBBcӱ(U4<}B|Cw1lDZq1TS鲔 %p3#zЩw6GTePkjs)8si"FI ]6+plBƯ]Z*+,/;}F䍛 $BÁ)rp!BQ$ ePTd|+1$n6g-N\ 6+:+0*$ wXΒbD}uH~ K=?m ϴNNI%G8d0{#y5[Pb kScfҵHm(v<%Or(w* _r~\1+'3bR@ (ŌU^XguRXY@J6{K ׶pybNl3aBke2>o Wf1v`TpN$M7#7bSMAJ7*DKArobͲG2t npk^\'my( `7MDR|Gt]ͼ%AR:ُjgwFT<8us%@ЦK̹0%jB;;O& p'j1îcOF_ڢx3Q|K6ykW ׄķn,VA8XUvEdq{_mZJ,67|1ӗV&/ϣ3;Ic cҢ >$0qC|/0fb{o~X@w mZ zrf[rfCݴ8`Ro9h<.ˈ#ީ;EV uݱz=rv^@,%k5=̷ڞTi=k6q2[}b2lu&V,Je%hN,&qD,̆Q II1áSp޴ydLˌH o_yN@ߍ_aCb6B%;h6ne6 ijZAU|m&&MyrΦ]#>l6<0l𸝡 jw|ZdD}z]t%o\'s;5|GI^vm5>Z,VT.Yd[{Pa4o1 оu6vL+@ןė(V)bA‘cewmy~xko iAs-W!'ys:|n|O~AR1N Tx<*@("֞`ӗ/v| 5yd`q89@߀iEp5'$662 6xD]1nN;$Vj7+<Ǫh` enTήBuIV7|q2SPH/KzQ֥K+g&QC:[f#R>Aiѥ(;rabʬQ- 'lI|E~l.xB9V|8 T`. }._64ߺ|s^Rp< ^$\q13.YM5 SV_b"6=7hLæ]JSCd/N7DanI=% 2 >1M}s=QltEH놛w3VB@ q( M| nP!sy3 %Wkl2<:yQ軺d7x̣/¸)͔~XDqK~VQFpKmoֻA}qG+?EQ'dm/O>pI( *ghvø*kxnx bB]NfM  -S.}H؂d+s G_yH{!Y*b1ӁCaw^blօC! p[IW˪;b$Kh S0[PJ t@L t[V-\@^LO#q~=a"5c]unTk(x `Q ^pxyTxpb,b4 Ն.2GJ) ΰ J9B/O2o+!i*{,(P.=_]|*^ B~{QEҽkZamS+$$5?q߂DtDpN+waH[j ͜ũ/)tH!0ŔQ喗VSxהCL?=S #q#t/p0^s&gЩLKUD|H+n/Be-]E%80t]ތoZ̈ޱL~.oiucѤT;hȻxBg%38>5] Z .<RXC>+ǯya9W@kgْ%A%b2_p3}0.*+;|ƟsT^~^(|CNN1TՕG"U#@_ MWaKevwXC]RǏ" )Dy.b* }/_/ ,y=sb>P,g%\KNrB~;&hqz9•P_9;h#0I\s6\E;\epр 4P7%-37⤎k9ZݢC,!bygR Eƴ0= rOƍ;-LTz&kgٲ`:FnW!EGv"&k1jK pnXݕŀMX0qr?Ym>,6c"jΓ۲]`_vSN !~\Uo#U=> n=aM~UCO}vwEI!::v+n`aߵh{>+!7o7#4v+T/4?u '$!fTbKܹ̩감<zLЗ&xII RqdA65TbjO2ۼ,Ldaz€u3qn'+E;wk3=U4Kd|O\VE P j Teiɥ#ꂵ!qZICϩl/`%_3i9~^k=}w1P:_j7"ʋE.>K.SE{CG݁n@!\>fj%L@zUu\g+LI/Ҍw 4bG ]:UPY"A#Zf-2M@5QDGںZ xC:ZRRD7ʫ9FAK6+KpҞ|"_W?S7$hɏCk}"Uy'aM*+0dq&qUʢIIޚ ]vy,t*zLF$ib^nq]!{S|iyKdO fAr~?-?-聼TǟVv8i;KƦyL~T/L&q147[g!?Ȍj^=~t;wW Nb?-w ٯ)O`E6EJ3;wTʀlw(jU5DݘģI<`]01OA5fBT[psրe,'vL1{]WУt%ٷn `nҙ$L3JIÂSd (DѴ Ҍ>)%"&åxB+H L#@Xxj Pȷf Gt䊬?})a*֦M8BO(w l=.5$2ǚhs as.AЦP`jʧQ:<v;l+C۱B59gcc_ qw|ەi|TH`Y4؎| 7}@HQ.T\( =q^,TyZW%b6S;6GEW;(4ㆷ9} e {&%,@:n<@XgAѪ8k|U.͢soUs#Y y()(8sI9}@1ͤ5-~6+v0 <[Aa48m9i&vlF7x?{Py.3t rzv .t I6Z+<9Agʛ06wKtɄ^q#f&\|mI^!kpѝh;a gO$MLqnp̈́d) %#^,#VW쪌JJ $n\ )tuahWHC#G->l)$䁺;|b´_qN!Ʒ yJY-7pcxd6!;2*4J=6ze\fZlE{4Y.ឯY?""03EA7]@-fF7xP)W$&*=e4Fs~mIƀXΡ&̆/i9qA.B#a}Juw)dIRk c.HBLWKP67p|Z{$KRq46͌\K\lntYbr½u`zY)Ut^KWbB54Q:\Ќ,uw S5ɌAD0OP4LV.LSKiZł~]ӆV# PF(t,0T ,=[̾W"g%Yv́e!t4DIԠnM2YUcEiT}7Sgrƅ]?ם>5?iھ+V#ׯ `i*'@zw_ ػV옂2ᑃէZ2vZN|RYMo w3#\LEohS~qu/*m߰;:CR(5/ByI1Jrbڒai,'?e#`>5zÍH,q=*!Ct'`8qW霉hId\" 8W}%Q|Qj>adS;ڏ\ޞj`(dPނ^L/`B0;^?5ÇjU 9&bÙ1"<_ vL,bf8! HqE%ΫT:m>5`w,_%<o R~nlk L2_qk9yjxv4B.5O^ծ.рaDZ"-_gS<ۢ|]9A`F!w8-!"a\ &nK,ByŁfy]gl'UdZQg3&偳_r(KK;%yzA 3=/z;^)g[Ϯ\xS8=5}*b@?Mk=iᘵ}deã֯k^٤ ^ 2"+32RQ` ]oi0Ÿfs>J)\m4 ˔:|m mH)R摾 ?NJ>3$+IC9ض%+ykcD6F޵/ЁSIc<6)GsSD; eӗzh >~,TrI.9Bт2e Z IA=/tCbIe jKl}o)5Gk@eO R+|jy0E]Q1"*+%KD Eu7=k~HKzZ9kH2e3SĒ᚜$V ÐX qD3[ˬNG1Ln &UxgOV׏E8Evf~ 0 k1r[,5-~`|}(^jǗacE8B}./f&A},;wt0whTz, :YSՈӢcllyA Uny9o2g"(Yrmv 4ZpJUŮHcu>&I'2>s(] 0 p3/ *7,yB@L> l$q_P׋19"wq;̻ClQdz5(b̓5Qӄg(C@zaE k4{UWȕ#F*=II꒙75;2 3X1v!=I AtT-I$0.%D dDVAHFzzG-}g1A֗)l_M2`~p³^06 h:rT0,ޡ%lMS}^)?q*Ş5ȶq*vݱ->|%:R ޱ/|I0  nf]u|g9|kh M۰c,1╾(9;a6*#1KGqb QD^Ga$)C3~JP@g>۫[`RK^gGy'Ml#b^~6(WkH6wBe ,Dz)(H8D\jO`ZsJ.cNqF$pɓ%bǶH2 WO8{%Vҋ; {:7+:yŬG{tZMytD\=קXwH g2Ǭy#<1P/ '-ɛwL]VyPpۧI F!Y2Cy 2`a \ ۑ fN\pL#rÊ;xȀT~:8$>wS ܺB e2!Soj J0壺G}[Szcm^[-ʤ.ݣ'Jf㈀'|;H@d٧ ˃G*Y]!q fB 6ⴠ>d n2մvcfb֦q,f-VMWH>m6$aI5˴GnjۤS65pΥRj) gԄi][Wz-^}$xS>=n#g_*HQ#ݹ6"n$)RU*L:{)ܙ]=W"Ztf2NGdfdA-#7xf#j!tIczo5wߗS|Wq Q4f̡I'D|y(.[ CF_f><:XACK_9my9hȏ8a&L!JQ)ع-ruK^gɾ޽꺈 YPt G5ucWe Fdlim!1?w$eDu/~wdA@6|_r řPl.Y^-kq2kWM2 EmDx(0i%: @q#Mn0V`R=l Ϭ39RQgTm>TBDQ7Aе߮w m Ѧܣ^jBI#n' -x#Fl)wGrJ00 h))J4R<x i$z. +B#_ݤpfλNy% X[9]Vg6G9q+k6}LꥣBgl+ i%>&:Ϧh^X y҇)1Nev7*fand~su]@uP3'WTT5WULLZJn6iL?L]-uX.N-(2Wc fb:͂\MJ!ȇ \Fl%%mƎ7fN4UŸ*S[q‰Aߛfh#ɼ\Ե#&K9֛5DI"'H$sJ,xcN?G``9JN ;N*nNbw6~`usC,u~1q+ :Widk=j@(ۂIFQ8AJ.CT.-KkqAaQZC8?f]y[+ʖ!qޠRVK꾠3(v=y_b>w_ P`Ck2DZpp 2'ZepÎw\1#6>;KS/.߁r#>gW Jk@FHhDr;i.SW> ̷[t$o ?\Wf=q|aY;.tBOl5+½p.ΰ8z-u_i/Ca3s0ÏJ*J5\@ھ+{DL\&(3cs.Ѽvgȡ$ :zX[c]#T !{Dgyғ]ǑTaY([ˌT & _z~KSx#.t2'AYgJ(Uʢc‹&&Ǡ z4-%ί8$ۥm8&Hàݩd}7\!\ecCMEGmvEoyLBr!\ PS/0Oڵ]Tb[oZ$\'vRH?zCa/qpQoFDzg~j0WoK>lkZ~uxt +NǶ͐ț<{˒(L?u]NdIsY $*0|?hIC;yFsܤҢɽJ >o1, se%!ȵ"dp 5vxfWҝ^9RO-XSCw[.R%vfVHa!1D8Nw*9!a 8xœ=߶fNʫNT<(OJ~sYSUBY0-/Q=cdr"Wͣ PV3MGhSe mw uƸcғ)o9\sOpr;3* @ M杝a92?2kr?]'k̙LyYx/ "<0L*63=3DiC`yadxƎ$6/۸dy۪) esY 2u(#5cIY#i:>7 {Vgoab};7h)Թm}_nKk1T)1x8,mfC)/(oZ acQWP(Cz>by QkۼB|.:VIWmZYk`2KWИ־VeXzcJ.ot6%KP6nI;(ٖDN 7X IY>_ГV̾P,/WOYNKRl*9_N%ژ$"oy*7TF:Hy~=p qa-Kư $Q8nCCȎO5V>`jOczdHgmݯ-4\/SJ ?_-|#3 LJQNIC)zGe,ȒYyjUJ;Œ:/"fEJs3\d@%φAVKS)CNG$!xҨV̐)+9trIѹȾ<1Sۛ4eO^}3껌s?m砠~MNGcRBe矣E>8R[6\\RZGױ/qòxr {0kmhqN5#\gWy8kT@I+tw ~qjod̬LODʤhgy7 /+'wH.k*R$>M,IhϮKs@S)ıi붧Nr:UW8OrZ<~EV 2>xhT{V$7ڴ a*hƨѻU. reidy=}"wF*nъqCVA>27nl \[8"҇rL   `Q:ͬLuq-u++(?(ݩIEǹ56^@) ͿކY)uO L e9 c= qJ@a郅R\4Ae㓣G>  ?{[iGtꋔDoˬdԤi.VNa%ӣSiW}\?2Ʀ2q$e\& ƴ7ZKwy:Jc~CV)eff+C.Txd0dap7dD%erGqj΋[@65UE6tWN;—T`0idGUR'ƅŻ =r! )N8K L,$!]ܣv [@ejeOQs$WĂo..{lt.賯3 m9Zxe .Ϣ!RO5n}Kg  oQ']ne-y\ȀP:soshWt֧Ta7g6rܛ~p|!ɌRuMPv=s//^.'z8_ VK畞 A|Th,qʉ ;2v1J}|!HɪWRR‰4zxۧӭ-"h†#FK7,@PA0+4OĊ~|zaJDWwZ.ODCĪ΄DQG:Ds#c:wpUFu\<ۍIrZ!]h1"xŤ#3 ?$=۞/f? UI3:"(6όJ5@GK8rfex[2r+R\m=jڇ7Yv_m8We^Y:]1 tJl선إ'&§>b>J25C%Xםe 9"*nS-+jl‘(,]} J&XoJuY!LȄtb]d /_`.WR(B2nS*+eMPV*rȪ+^Py`O4Q7llB,rM0` g~Flp8Izl9(.>zS,Nu+vbK òKAK18@8qL߭f)!Orop$#TB`C",V/?m T@@3(n1=ˋJ 郏 ݭ%Ə\ZSFmZ:>A'`B=$hi Z i9#KNo|1G /@&X[p<1a3 uqi/DMFƃ&.d Ͻf'݇Ҧzbga3a%7u韕*ӏ=mPj*[uaC3F+ȧsL" jY= -ѕtĺ[E Cϫ~iXqU`b4y\luج%zAn}D'7YM'^ljm شUc} Cp^7G-o9~ԁ>!s`V?tau<|w^jvYCjQ:rmb9'D"L= 1,9^d3\.cx+^z"tmŮQ!6r[7}G[<FK'1]duۨ 8HݫCln4 eeq w&H[<*ʡ*}Cfv=JW__&lz> m")ψM^3O9٪h9:!c69NjXK[+T. ZT2K!0&q,C澅Q5 P.#b-:plp0zY\PgʎRE]yEԛdzˆȔzF4P ggyȰYm$Ix"6Dxvs% SyZ)a+z.:, ԪeEzYtNGK"5Jt)*ң4",wk uc]5p:G:Iz9ʵ9yţɨ&#Ko$n_ԍ kd }O?Q ke8O >ơ=b~cqiC&(Rl^c<4Yk|9SФ}'! 2~ 3I|;*0vd0f [UݷªIT*~Ax;t58ԣ ѱA&^:ݖ/dl bj:߈\lܕr83Ϸ& U%d[MǕΟ;ԳAIŒ¹RYT|7 -q'&6ޢͩ!m˴Vb/p Z74ONe?R1CnYDXB!0H ͇ni0bmAO1xfŜ+j* 4ƚ$5p_V1 VPSV3lBAx͇]!, Ét`v{9r4kRSH""ԔIgQtOvoZB>xE8̏&"G0j 1wZ±=lS27,a")d_Hx7z LXZ?hWU-Aygʅ)y6, +V@En3kTLnIG`X v麳d8iD?1 o[,4"ƱNt亽gqYDE\hUZTdOIm>yfT6 `-;D#x§5{MuRB_rs&Um㺵F0cw 0& "$1}+6w%u G5eʋ nL ( ݽ;h"iVN9bUTIij1M{-VЀ%{c%%-G;*?]e3 질zԆsx$x9PArj!$AO[._Ww {QѪ)kDe5`v5Zԏ/E2i-zVĒ[BĂ̈́-&C(lA8켂کjLUM"^3ǚk.klΤ&:r7+Em6I,85 RӂdPX(M[qd&.O%7/旐 KXMB^ 2T9xN`LfL;Zg_+'5҇뇐]IQӉN;;>_I/+Zfn'l@qBf66Q_Y-BbY? Лg+F]lbǽm<)ׅχYI/ LƱ{}qkIJ nuD4fUa_@0Ѿlm ۥvyޯޚa2rBzjWHbpSl#R Pp"^ghr5ҢjTOXu+D BGOt0V{ @U -$ݫ~)2Ū$Б)tKVٞ4>s7 ˍV=c(틞͛UrrA 涼۰dGFZ^T7yI .Q_dgvgü4%/(k?r$ts5!ݦ[eo{Dp=Ֆ p@_c9ճQzA6yܑ70i]w&68u.]1 r6+qywk@aWT 61("dl1UTHK!2Vb4Vm*} qr#-,`nh=#a\kd=^b3*/O`);x݁o2rC#IF+q`6Tٶ I[3*斟⽿y殎d9 dk^c 6gKt;;lxv23œS$ +5>Wb9OZpFGrPkhd~|]Dj?%ٗȉ,mcVaxn ¨@¥z.QmbwYj:3s E?@WFFu<+]@uhn$miĮtX/%~0MT玪_K32<:1Zws1ǯ=Q|-UYbC8/"Bҁm ~z'QVu1$c̮ډdIT&-ķ~_@@geUb 98ĦCVGսg9L^{59ޟSIcEn}u#D+Y@y-"cf8LZc4 &--~.2SO"מlbY.e*[^N o)Ά"Y}8@=W᥏w64*]zDRDw~E&>½ JR-[*T2lkԊae;*߉7`pW*A?+:d혉,WY+&ϐN̍yAkb9 CJz@3ǹTaUɍQ G {b?{'оzΠ6I:=zgF/DRJ滲cRFN 5<*f38yRb^n aSc L~hdR1C}Nƣӯ9McR pvod xA` U6(ʺ#8~x@ :ǫjRu17c|&J tDYɐiIv#|}n%]PHSX]ߤ!~>81}|`?]8jkXz 0hhiiI]VA~Q9-pQ1aaC7@֕gS9$ *|1F6zCr肒K/5$ۙx`|K@TpEI =s{gǎc=(DAdWQI%Xi$n]v g}I 3 ֑m^qFsgv!RK]x렿y iB<xa1́ƕz^l-OhdB)1xy"WT Y^2M'TF E &qY:%x kl`@6<*[eI>=T+KlZdZh?L㰡>nQS&& ~ _+nR`ژJwBG 0T3ÎǛs-Q 4 |! ` <ݴ|7EvSVe.uE/gz1rү˲zI-Q!--у0(?y: WNP=kk /(9ӆ* Ϗ l4B Kjg#ig1цJ Vq,|ײ R ㎳}R7E`_ ,l$J= 4NvĹE硚l`ܵib- A/FzU'uI^"{|A6at -,<'%}}BC,djWbzB E Tu5W>zz  .>= Jx:69@{ZYqH (MyYD<wpEY1OX"7.8Ln7;qz[\j}0Jj"3mLSA:=l1=F*Q㲣 }.u!"N.brL_WsqW=1E=CS;8hgi'^t_!E:5F&I"4ʲ${/Hv͏o{$) ~hk<)X hӠ2ud)`W5`GLv]uꞠEqyO"D!Uv)K}dXH 5,܁ZX*qP4t75,AϮI,F(v .=d'2fl$VHL?\Ԗ)v)϶1V%,Ր-OP)&,! ysl7׀*Ŀ%5 5ri*F هOV~3ۼ7^ C7 6NRՋ4WA򤤭TZ@Ϭר ƍkHVw~'SnV%mZd:ռF } k %+smN|/ _ab*G:WWz,ESc (hJncQs_XI@ڃD4Q?4Ҽqm¥-"([#,[K}*F$0VH׸Xv%"JC>.2xMe{y] WZEU$վegc=MVySn>29mLtPPk/'_R)D ʳqL]Q>.Lgv>2hݡի:ѯi {%"8Ċ 鎁]ܖjGvjoByRn_6M~mDžbU|җPB=aV<&"~LfY1`>V2פJ6$Buk .n$nE2ܘ >ު0x<&׋7d]#i+=_ PCV`Il}9Ii0Ftr PLsnM g*B$:@*kI ʟ{N#"cjZ$S(g㩪_x'.uFp-ҁ_y;eQR`-e,<ARk|M5^=!=CUMoz}τ6ɲB8ejf3#Y ,'čq-H EtOlN}T!2/+vf}DɈ7B A9`o=~2KGoVq,V ݭRĤ9L] -b\C%VI o^QV, ԭު8y} ~$4 (r* Khf u ݅0<˱HrW;/;{8uSĶcIeT$a<7A%&aD_cZjuk<4CpV&Qc.BSnj]g5</51(+:N(8| |F h@nGq,WOc%YAߢc.)_a#O+#鎿za%qꘈ DnB3Xxqc0 ۬ǽV?.Df@Nt˟)Ybqiyq* iV+bw|GFJt3Q ,X >95|ߥӢwȟ}~*^/š$靼GywhC1nve(1SeJJn&NϐbJTâ{9}'\v4hz>,a@Ȋ͔x(*6@f-ItWtK2Doei;APe龀hfעhAnslȔKOk}Tjfd/S&"+;`?cͽ}_%b)v Esz! G0 =AwO6t Vxӆj݈2إF@rS\Vz[կ5g3j8\öG'"ֲ%AFM?s3MD,}cH ^謩z#a߷Hf6 E:4@cvJGT3RIEkA [ĬE Ks<] 8% FZ?۬m~;g?tXImuj1eKYRoK*қ qZ*5}oX`çǻS:Lto+Qrނ5f1Uk]~Y`gH w9̤yDuv G8RõHqTmY%`mxq(bA5j Ҋp:Gu|y6au4]7 j2^~QD<<6`#U<#'5KMYX<m :{ìOrf#э&oEQ:d$cagDkWycY16&=p~+ ACXpI Tw҈XG͆niʳ+ˇ棅ZJP4G\J:'~ zF֥>ۃ:|1?3o.[lYc:}m 1mƒTA;o12 yրnGOъ)]Uɻ嫵YczpMvlP,Lޢ(Lp۔1/XHHױDWzkN>&ƚm兣S3vPl1\='|C"H/h陣BɈeF/KAw gǵ>bLӊr_l%o,-AS"w%0| u)!Lf?7 |ۙs)"S*cXj, 4:^o_p0>5dM("%Zoo*RDP/p̌fTN …\Ts3 FP- 5}h \RIa}A3&l jCԦ^T M 0z6{iq븻 φ @L5Y6)I=ư q=>tT.$)B6jp[ oR\A!x@[˸nU_ȯ jwyd%Ez Rt]HE Lʂ&Q+y]Ȋ,ҍ |W-(a"/L4x9" %L^Р? H/U};Haje+O(tE`;K5.Ae5(uBKK.DL2J^V={0nV`o=Li'\i$/T^bgahB=GP;}S<fEmZN(ky10ML Z- 65q~yxoyg-ThDO&ϵRΠ$ A$s կf_{r^GMi &xvVjbw"_ U2? uO׊iZmTfq0)coFQ< Pm0c~3_C وi].MiZCD3|s_`޾迀C{h$vJ-WXh B4TCMů1?aw.] biDn2M,^H8o8j%[ʋjZ̙=sKm- =pT{Be287F_MT YC$I,μ-gZpӿcJ#Ea `Mvo/;d&k;5`>gXs,VhjޠAͰR^eV zR M#8肭{}VKcRAT`~ ?ɖ@.ݳw>B/WX'G|:]Aa :W>dPiNs&f#ZA Β%a_uglt)*>^f3ki_5\N|qgb{~d;ZXmf-F< RYCQ%\SG~1ӺP%/3B6Wbypt9gN PJP% \r)liPka :tt*5JzӨ9^Y/=;iٓv1 ybK"{oVr%-7LriHi~u;W$%n@SpKnb mK D*u:5#\96T* |t gLqԅ,J25?<)EG3OZ6`~Q!8)ar6Qh?):?MdrRx_ Հ葐Rtf^_2q5X8 SÝC*a=Z\bwGe$$[syme5UEQ!5 Eb=&t W9{:.,&}1) ǚnH=bMgo{A@۳u ZpSarwҾ؃w os;G_ON lgd}sS{p L qXO5;Ly%?9JS؀Jzf'#ىۿ5mTKg+٨M?I| 'qwəA-x vowD##҇C)e;؋yG%ggV)ÚWO*h}%Xa [/)]G<tEj~>("f"2hN&^ȑ\]n~N%IuA.\(WeEu&,-sٷ+ N!ڹ *fFcq!Ɨ"gy 18G160:8!H:N " F.rob[qf^HWnsڜoY6;› xލaTF;P ҃$Y_rĮ?n_ t P՚cs)9?ouʹAjd|d VU= M#u<<[hIXY-'\nmmTekʴJ&)7 pkӢPJ#.l2\xe-¤*>.6 <z)W&\>& A̿9.}pÚhʊv:KV"ECA^Cd+QHީ!eIM{~l(ù^}n<@HYjN3WFA3DtK6WYJm%a5Pp=pNo` @uQDtpY3+[Qɜy] =A/Zv 8=0+(%wNdFVjR wr1 }[ "iz)ը+*y;f$F4F;RP/тxۄa؆dZEJH3IyR|.B=uM,*isNTq:mPPN(p9V$,ZB& E7n'^z}W0dcm']@E=l)p}}((GqE:6w|a8"-.ꎢDMo&`F(!* *GJ?"{뒪ttH#@1gTifMy 0W0\Q>g+{2)a7!w$Vس$:(q>hHiNO^|e uYbjN0M{Tz?z*4 m9fZ ,UZβͳP:ZKbwUV(K2u &7Pm"ݏ=\SG(08.l8m3jc1` ÅJ:ゑh%Z{pk9S9dCr߂}m!B%0'18l-T ay^D2E >GX UrS}d[ $.{ܱ} &:r}J:;#b1@yzEj2\)iJˎ1'uۚC_j|i{6}n[_dGkֿ^:1`mZIr7H@t=2-X`()UU`S=K5p\^!p=q3x(R}Ƴ$fÆȯdAS2,ÜCtq&bWYe&h4u1_po mpd$7dQc" ~wsvre^~8vp2LCĀf֌cb@^69`>"o$yerX ӰTX)İvKBZp'?`jeLkHo[յŭcK#5Us~-ev-t_,Za: yHc?v9iQ"0ձe=̳T~t7=֊BńwkH2:|i|t{Հy!Cגu5i']/cP4e,t쓩7ZrEP/4}ihTzJI7ǠkSKmdLf{A/RP@ Æm(Ne-E u$U5]5DrC1mi U|vlLzhv&x:|9q &񲴫/mDnڲanϯrx\T'j0ǸYZ29*ҍץh0}B* ټc /C\2@!Jɐ @ |RI|b2НEm\#KAE3xeqפ8/ (i3[A!>/?ku |@&,d-(EKIGFYk%7q‡o.awCR2]uq"&}wyi27vfrPr#qR$Ő[ );7aEx8b:/dչ T' 4 ]lXR?`7)Ԍ*5z 4V+8^247PRL=e,vOo)9p)Br܃s7B LD:L:0Mmn5 IC@fy0N&0z8EovRnD ڦA#o叅KDV81 vЙjXlW\ӎƩ|sL{ô$#=~4M n?b^{:K!a޻ a*G 0􃂗tto +p]6!)CaH?f nA*&W+DUN;1s35h*تVk ,|jn a`n˩TaF7`yu3 Bi;x\NZ=/!&,b6>VF\n'7\2f_=U֔cz"+E!'wWh0g x0qfZc$ۦ} f~q>Y@ u#ϡYʢ|c"3FOR| AETWzmļnR_TrQ)='*) Fv})V\E(Mi=٣MeXW}V~Ecfg59}S)0Ȉ26p g,9P)L2,\Cso"vJ** 8N4w-Q GP,vP7}w>&w?E5'\4b^ P H{L~,^>>qw% -'͎Лeo ^W e (WwLuڂ,#2G Ĭ9B'Mm dh˵ ~OxSK٢j8ݹH;/n$LO ovn;({6IZd uAhIbkGm/S8oe{' %8&7{Hdu^e:uu}cH72 mffȓh+l;p>R>_G!,͑vUOs /v#iU8F =: YZ