container-selinux-2:2.124.0-1.module_el8.2.0+305+5e198a41 >  A ^#U]B~ect'z6UgD@ӭ~>wfE^RآЋkd! 4 P FX2*Nܰ]=-z%[N͞3x#C?yĠ`{=(9K?&cB\eq| A ',o!*8:.E /M̝NhNLqqJwv9S7lD#audp}$̪<\tVi6 k=?ir $xd{Zp~] B:6Go`9P8i}WfOE(7"UG] 7?U|x-dn%o,"5{$b}Ɛ jn wC;ޯ-+e5ָ#hΨ/ ];0VY!zj!AƷdBݴ 9WSr&Ф6Et"iJ<952764b86e5af7f52f74b435c6dff8b7a5d74f30e9f022ced5cfadd79373cd1e0f372dffb2cc51bbf842ee5b6584c65b0923960eW^#U]_!2 s 5KV?p7$SF_GyFPSbWbǂUr|k|dtD^\bghz,wU;Y[h'NŽVģf8u9Iȵvgk[|uZh?7W2uKl4`y6f1r" jI'r`uHH?xpPM8(EaZIU@Z5Nl15B".U U=|W9rPV 9j餎܇{*ʜOѓ.rOT.r_XjH lkr>q0 )9N XꚂTWM(ݟ}egc0i+"";}N Gm)\R)"}a} zWw*#G<dpgL;R•`erb AiʏSxA >pF>?>d< @ h 6<Ck    @     0 X     T T( 8 L9 L:L=8>8@8"B8*G8LH8lI8X8Y8Z9[9 \98]9X^9b:|d;e;f;l;t;u;v< > >>T>XCcontainer-selinux2.124.01.module_el8.2.0+305+5e198a41SELinux policies for container runtimesSELinux policy modules for use with container runtimes.^l|aarch64-02.mbox.centos.orgCentOSCentOSGPLv2CentOS Buildsys Unspecifiedhttps://github.com/containers/container-selinuxlinuxnoarch . /etc/selinux/config _policytype=targeted if [ -z "${_policytype}" ]; then _policytype="targeted" fi if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then [ -f /var/lib/rpm-state/file_contexts.pre ] || cp -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /var/lib/rpm-state/file_contexts.pre fi# Install all modules in a single transaction if [ $1 -eq 1 ]; then /usr/sbin/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 fi export MODULES=""; for x in container; do MODULES+=/usr/share/selinux/packages/$x.pp.bz2; MODULES+=" "; done; /usr/sbin/semodule -n -s targeted -r container 2> /dev/null /usr/sbin/semodule -n -s targeted -d docker 2> /dev/null /usr/sbin/semodule -n -s targeted -d gear 2> /dev/null . /etc/selinux/config _policytype=targeted if [ -z "${_policytype}" ]; then _policytype="targeted" fi if [ "${SELINUXTYPE}" = "${_policytype}" ]; then /usr/sbin/semodule -n -s ${_policytype} -X 200 -i $MODULES /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : fi . /etc/selinux/config sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types matchpathcon -qV /var/lib/containers || restorecon -R /var/lib/containers &> /dev/null || :if [ $1 -eq 0 ]; then . /etc/selinux/config _policytype=targeted if [ -z "${_policytype}" ]; then _policytype="targeted" fi if [ $1 -eq 0 ]; then if [ "${SELINUXTYPE}" = "${_policytype}" ]; then /usr/sbin/semodule -n -X 200 -s ${_policytype} -r container docker &> /dev/null || : /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : fi fi fi)L[A큤AAA큤A큤^l|]#^l|^l|^l|]#^l|^l|0389dab4c8de315b75e65f20f4e606a015aac29056e561d6f7cb6aa588f431a9d40cc7015bcd8e803bcadea70e0bc08be172983ecd62b40e2225c5d2ed2e62657e9271487391bd37a57faf26a25d7d856b4ce82146b33a33561c0d9e86e8e077rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootcontainer-selinux-2.124.0-1.module_el8.2.0+305+5e198a41.src.rpmcontainer-selinuxdocker-engine-selinuxdocker-selinux         /bin/sh/bin/sh/bin/sh/bin/shlibselinux-utilspolicycoreutilspolicycoreutils-python-utilsrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)sedselinux-policyselinux-policy-baseselinux-policy-targeted2.5-113.0.4-14.6.0-14.0-15.2-13.14.3-9.el83.14.3-9.el83.14.3-9.el84.14.2]@]B]]@]|@]@]X]W]R@]@\M[[ͻ[[@[[Xf@[L[K7@["X[@[@[[[Z@Z?ZZZ%Z%Z@Z - 2:2.124.0-1Jindrich Novy - 2:2.123.0-2Jindrich Novy - 2:2.123.0-1Jindrich Novy - 2:2.122.0-1Jindrich Novy - 2:2.119.0-3.gita233788Jindrich Novy - 2:2.119.0-2Jindrich Novy - 2:2.119.0-1Jindrich Novy - 2:2.116-1Jindrich Novy - 2:2.107-2Lokesh Mandvekar - 2:2.107-1Lokesh Mandvekar - 2:2.89-1.git2521d0dLokesh Mandvekar - 2:2.75-1.git99e2cfdLokesh Mandvekar - 2:2.74-1Frantisek Kluknavsky - 2:2.73-3Frantisek Kluknavsky - 2:2.73-2Dan Walsh - 2.69-3Dan Walsh - 2.69-2Dan Walsh - 2.68-1Dan Walsh - 2.67-1Dan Walsh - 2.66-1Dan Walsh - 2.64-1Dan Walsh - 2.62-1Dan Walsh - 2.61-1Dan Walsh - 2.60-1Dan Walsh - 2.58-2Dan Walsh - 2.58-1Dan Walsh - 2.57-1Dan Walsh - 2.56-1Dan Walsh - 2.55-1Dan Walsh - 2.52-1Dan Walsh - 2.51-1Dan Walsh - 2.50-1Dan Walsh - 2.49-1Dan Walsh - 2.48-1Dan Walsh - 2.41-1Dan Walsh - 2.40-1Dan Walsh - 2.39-1Dan Walsh - 2.38-1Dan Walsh - 2.37-1Dan Walsh - 2.36-1Dan Walsh - 2.35-1Dan Walsh - 2.34-1Dan Walsh - 2.33-1Dan Walsh - 2.32-1Dan Walsh - 2.31-1Dan Walsh - 2.29-1Dan Walsh - 2.28-1Dan Walsh - 2.27-1Dan Walsh - 2.24-1Dan Walsh - 2.23-1Dan Walsh - 2.22-1Troy Dawson - 2.21-3Fedora Release Engineering - 2:2.21-2Dan Walsh - 2.21-1Dan Walsh - 2.20-2Dan Walsh - 2.20-1Lokesh Mandvekar - 2:2.19-2.1Dan Walsh - 2:2.19-1Lokesh Mandvekar - 2:2.15-1.1Dan Walsh - 2:2.10-2.1Dan Walsh - 2:2.10-1Lokesh Mandvekar - 2:2.9-4Lokesh Mandvekar - 2:2.9-3Lokesh Mandvekar - 2:2.9-2Lokesh Mandvekar - 2:2.8-2Lokesh Mandvekar - 2:2.7-1Lokesh Mandvekar - 2:2.4-2Dan Walsh - 2:2.4-1Dan Walsh - 2:2.3-1Lokesh Mandvekar - 2:2.2-4Jonathan Lebon - 2:2.2-3Lokesh Mandvekar - 2:2.2-2Lokesh Mandvekar - 2:2.2-1Lokesh Mandvekar - 2:2.0-2Lokesh Mandvekar - 2:2.0-1Lokesh Mandvekar - 2:1.12.4-29- update to 2.124.0 - Related: RHELPLAN-25139- implement spec file refactoring by Zdenek Pytela, namely: Change the uninstall command in the %postun section of the specfile to use the . /etc/selinux/config _policytype= if [ -z "${_policytype}" ]; then _policytype="targeted" fi if [ $1 -eq 0 ]; then if [ "${SELINUXTYPE}" = "${_policytype}" ]; then /usr/sbin/semodule -n -X 200 -s ${_policytype} -r macro which uses priority 200. &> /dev/null || : /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : fi fi Change the install command in the %post section if the specfile to use the . /etc/selinux/config _policytype= if [ -z "${_policytype}" ]; then _policytype="targeted" fi if [ "${SELINUXTYPE}" = "${_policytype}" ]; then /usr/sbin/semodule -n -s ${_policytype} -X 200 -i macro. /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : fi Replace relabel commands with using the . /etc/selinux/config _policytype= if [ -z "${_policytype}" ]; then _policytype="targeted" fi if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then [ -f /var/lib/rpm-state/file_contexts.pre ] || cp -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /var/lib/rpm-state/file_contexts.pre fi . /etc/selinux/config _policytype= if [ -z "${_policytype}" ]; then _policytype="targeted" fi if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then if [ -f /var/lib/rpm-state/file_contexts.pre ]; then /usr/sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore &> /dev/null rm -f /var/lib/rpm-state/file_contexts.pre fi fi Change formatting so that the lines are vertically aligned in the %postun section. (https://github.com/containers/container-selinux/pull/85) - Related: RHELPLAN-25139- update to 2.123.0 - Related: RHELPLAN-25139- update to 2.122.0 - Related: RHELPLAN-25139- update to master container-selinux - bug 1769469 - Related: RHELPLAN-25139- fix post scriptlet - fail if semodule fails - bug 1729272 - Related: RHELPLAN-25139- update to 2.119.0 - Related: RHELPLAN-25139- update to 2.116 Resolves: #1748519- Use at least selinux policy 3.14.3-9.el8, Resolves: #1728700- Resolves: #1720654 - rebase to v2.107- bump to v2.89- bump to v2.75 - built commit 99e2cfd- Resolves: #1641655 - bump to v2.74 - built commit a62c2db- tweak macro for fedora - applies to rhel8 as well- moved changelog entries: - Define spc_t as a container_domain, so that container_runtime will transition to spc_t even when setup with nosuid. - Allow container_runtimes to setattr on callers fifo_files - Fix restorecon to not error on missing directory- Make sure we pull in the latest selinux-policy- Add map support to container-selinux for RHEL 7.5 - Dontudit attempts to write to kernel_sysctl_t- Add label for /var/lib/origin - Add customizable_file_t to customizable_types- Add policy for container_logreader_t- Allow dnsmasq to dbus chat with spc_t- Allow containers to create all socket classes- Label overlay directories under /var/lib/containers/ correctly- Allow spc_t to load kernel modules from inside of container- Allow containers to list cgroup directories - Transition for unconfined_service_t to container_runtime_t when executing container_runtime_exec_t.- Run restorecon /usr/bin/podman in postinstall- Add labels to allow podman to be run from a systemd unit file- Set the version of SELinux policy required to the latest to fix build issues.- Allow container_runtime_t to transition to spc_t over unlabeled filesAllow iptables to read container state Dontaudit attempts from containers to write to /proc/self Allow spc_t to change attributes on container_runtime_t fifo files- Add better support for writing custom selinux policy for customer container domains.- Allow shell_exec_t as a container_runtime_t entrypoint- Allow bin_t as a container_runtime_t entrypoint- Add support for MLS running container runtimes - Add missing allow rules for running systemd in a container- Update policy to match master branch - Remove typebounds and replace with nnp_transition and nosuid_transition calls- Add support to nnp_transition for container domains - Eliminates need for typebounds.- Allow container_runtime_t to use user ttys - Fixes bounds check for container_t- Allow container runtimes to use interited terminals. This helps satisfy the bounds check of container_t versus container_runtime_t.- Allow container runtimes to mmap container_file_t devices - Add labeling for rhel push plugin- Allow containers to use inherited ttys - Allow ostree to handle labels under /var/lib/containers/ostree- Allow containers to relabelto/from all file types to container_file_t- Allow container to map chr_files labeled container_file_t- Dontaudit container processes getattr on kernel file systems- Allow containers to read /etc/resolv.conf and /etc/hosts if volume - mounted into container.- Make sure users creating content in /var/lib with right labels- Allow the container runtime to dbus chat with dnsmasq - add dontaudit rules for container trying to write to /proc- Add support for lxcd - Add support for labeling of tmpfs storage created within a container.- Allow a container to umount a container_file_t filesystem- Allow container runtimes to work with the netfilter sockets - Allow container_file_t to be an entrypoint for VM's - Allow spc_t domains to transition to svirt_t- Make sure container_runtime_t has all access of container_t- Allow container runtimes to create sockets in tmp dirs- Add additonal support for crio labeling.- Fixup spec file conditionals- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild- Allow containers to execmod on container_share_t files.- Relabel runc and crio executables- Allow container processes to getsession- update release tag to isolate from 7.3- Fix mcs transition problem on stdin/stdout/stderr - Add labels for CRI-O - Allow containers to use tunnel sockets- Resolves: #1451289 - rebase to v2.15 - built @origin/RHEL-1.12 commit 583ca40- Make sure we have a late enough version of policycoreutils- Update to the latest container-selinux patch from upstream - Label files under /usr/libexec/lxc as container_runtime_exec_t - Give container_t access to XFRM sockets - Allow spc_t to dbus chat with init system - Allow containers to read cgroup configuration mounted into a container- Resolves: #1425574 - built commit 79a6d70- Resolves: #1420591 - built @origin/RHEL-1.12 commit 8f876c4- built @origin/RHEL-1.12 commit 33cb78b-- built origin/RHEL-1.12 commit 21dd37b- correct version-release in changelog entries- Add typebounds statement for container_t from container_runtime_t - We should only label runc not runc*- Fix labeling on /usr/bin/runc.* - Add sandbox_net_domain access to container.te - Remove containers ability to look at /etc content- use upstream's RHEL-1.12 branch, commit 56c32da for CentOS 7- properly disable docker module in %post- depend on selinux-policy-targeted - relabel docker-latest* files as well- bump to v2.2 - additional labeling for ocid- install policy at level 200 - From: Dan Walsh - Resolves: #1406517 - bump to v2.0 (first upload to Fedora as a standalone package) - include projectatomic/RHEL-1.12 branch commit for building on centos/rhel- new package (separated from docker)/bin/sh/bin/sh/bin/shcontainer-selinuxdocker-selinux2:2.124.0-1.module_el8.2.0+305+5e198a412:2.124.0-1.module_el8.2.0+305+5e198a412:2.124.0-1.module_el8.2.0+305+5e198a41 2:1.12.5-142:1.12.4-28container-selinuxREADME.mddevelincludeservicescontainer.ifpackagescontainer.pp.bz2/usr/share/doc//usr/share/doc/container-selinux//usr/share/selinux//usr/share/selinux/devel//usr/share/selinux/devel/include//usr/share/selinux/devel/include/services//usr/share/selinux/packages/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protectioncpioxz2noarch-redhat-linux-gnudirectoryUTF-8 Unicode textSE Linux policy interface source . /etc/selinux/config _policytype=targeted if [ -z "${_policytype}" ]; then _policytype="targeted" fi if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then if [ -f /var/lib/rpm-state/file_contexts.pre ]; then /usr/sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore &> /dev/null rm -f /var/lib/rpm-state/file_contexts.pre fi fi #define license tag if not already defined/bin/shutf-83178676a246f85db806633eda28eaf5780397acbd36f05051d58b1fbeab1b755container-tools:rhel8:8020020200507003530:0d58ad57?7zXZ !#,c] b2u jӫ`(xy`EYˋWg;va> XT@ FF {Pe^LANOWǩ/ߘ !âNOٮ`> 4pV kIEL\k[bU.% KcMY+ݑA`$D/gTFh3{̗< yh|b}`J/}@RY\7 O_39*7ՑCm;*]zo* M,%Ëü8}#W>1GvkHg ~"_蚚F.,~QkđX?y]I:K ٢'3ՠ ,G/0Fr._TPTOAI;#B#LҍCn |!U|%f !{IfCYCёn)ju_-L#ۅw@v.^O͓؉%alv[]7j~JS|.ЧhpfZsGaFHO1MLp;umOΏ&w$~8fg.]BfapVnF_u1-KxyvHd\uT_:R8*40d>d$'cGW;M2W@RYk ZK,cL&0 E"ۃ0<y b̽ ޯ+݋ s0^ J#ȝR6pi><iSfYm!\-m`ԕʌX_W"Y[8Irc ߿'Vk%ѢL$j(LNubJe&)0Iwjo2A<@[Fx2k}{uWť]3MS)iX~)cB}(]4* 򘗡X *:BK&;L!ζK~$7L HC:s޸w$ .,6(I7{]?# #kRQZFn\1"̀V*F x<+F2߾Az#2"V6rMi0Ŭ4hS}rFn$ yE_ }p8w~b;K;c ӪT,e7MmqIMj(@LhLŞVD- kk87Em%3SgA0DK|ʜږ*:{͡fiXEjeQ} /.y$t ]=GJWePJP,A~:5 ۋLca-p@ϧR¨x7dMV-ӋWӦ|=Xuc DvAȀSU򬣰;GsK[ Vo60f~!:q+Ȁ$XR#JhJk"ʚʢɖ_tvYB+r(8 GuGZiԷ}툼TcpbVM+Hf\7=Mq1HL R\d)K(J?kKFB`hOe R:_$fLp8swQaf@=gguA(o!t(n8Gjn{fT@i˲\3rvrEebUZ,SJ۞9L6ut@} vX DQ{@yɥҠԝoINvXȰ , d%! %!@(ֱz [\4Cf`%w5~hM)ݟ뀄9BXJy/p0傣mQ$|pQ!P2F>hͿ9nlRp~胷V^^ԣ,1,&ѝDzG]6nd-Rƙu?L7 4t-f2(V fs>Z>[FDGƺYbT5=鏍Po]=Oo!$ ~17'ب9P|4mW._4(4"hB䥾gV06p^/d84*Mp/e~Q+V%e (R94 Nu0B+,JxjXr{ AD{EY }rvgW]Lp=.\;JacЎ?4UJS05'΅9]>2:qƙpcz"qK()ƌ?)zRV{;Bޥp;N0BgP%*CX-Tƪ53Ao"8 I0L>SZۂUJ!@nXH?TW-z0Ru,3#*86}aFXN\vqBW»q8ؑR0^rJAށu{ttSA$%-T>6$VZ`}dPH oVAƩ8Ҧ7-G>%-TOUV<#t42u,W?o\F-eގ`wT,@aA8ʿJͬM"(ֆDsidܽgYV @A`4fBA4=WFxl2=\  ]M#66խl$ @'H}O]󻾼4幡%vr r&,5)IIqteA_gzS$tyL}nRv p3^ OeBFv.7u7G'`Bʵ(Y=7IU=K9Cĩ׍&6.Ya!VBU+']xJ^ ܧUKI6JO0( vk+ulO"5=QYu=Ȇ;t?拪\3AS]@vX#b/Sv2EoPSj]bn)Ow+8/E7haau;\۫I?ۀqqT0B;WYDXud1 Im#c#9X1S_\c\&)N#;G q~I' E.y"GHP̭%YssêB_7X]XFTL>V/4qƃmd错OѪ [* QF[dXH>i^Ԛ&_c z, k .F[ iLD7 uB<Z%}:Py `D|*nM&XQ ]CQ7% VU:RbYp~5ߜe8CFdA-]C|A;r0k~—(Fo6Dx0;usH ɻڳ!=v!x 3 ̋Ngi!'6JڻOQE1TiI5 p-דC oW^4FQ ծ+bh#"Ѳq)k(O{d]oL?bJgZ@ ZfqqŻ> C% '; EWBzԕ8{mcy3"noVlWc7._p&ZnĴ/?Z+FY;$*zIV}T5;Osz*=w[K@f\@̘ldXӡ}A"Vi*R!e{2:'ILĮ5tn&dTGE|씇:]J!RLIWJ"1\Aʃ8OցqT=nYh3FQLϹ$}!Ƙ%{2W 7.T #1{yY]>@"nDwr[5B,FkpWQnyQ(w=1=r@ɂBpIiBS^k;ec7液D1[>Thbp(pࣕxVCfj9FT/ƼMEW}8L'H~׼kiK0߾@Z{*cKVj5^HQv#oY6u0*d~ BKK$+)`ʅ=ۧ5#H*V&-'n(Clο♪*.T "jei6@)-aϢzJn0#V rLo-^秈&W~1OM-;"ߍ )q{Qh|14bPuxiJ9pw65-aC$[bzp"h-ȵG-.t}8tp5x{ā檮U^mxO9 ;Z|,J U W%^$G|Sw~U CNJ1]0Ϋqڊ&:QYöD;<6 K-3LLEձt7ү%ۋckG9Y'赳p/Bs04b 4aę{#ZzLOXG7_# RW-G .Uv;~"e7H#) TŚiӗpcџ7Q ҀX"֯{B飍L|3Z_7ȯ<'Qw!fذu|hJҫMNwķB^kecPP zVAWc-96l?ژpN}6Ǹрܤ9*YDOc mK,o'=;wB4cG5N.j b iODX8%vԷ5N+.CGXZ"V5d1#ğr Uڶ7{Kq vH,5DK τpITfP~l^>;?7AQ<7ͻYTL(B_ 2 93zl: 6?K9- 5̩qȌˀCJBO@6E1L'#핹6v @;[P (C5_W-JApyY{;ɸN\{0c1_sN9} ) Dȋy>nz#GOќ @cI], :%9 wAI}?`n+x:b>zXi}`ذ&@Qs;*^㑕and\^Sw_b+,t P}}D|IX2B,]xDvSpx2lͥvD"<9fZN%| I@tVϠ'n[gIx) 7%!aZ"յDI o DM@s23wbD IBr]Gn{ lUT%?cf C)Y(zxrdfXkb%xv e^Πgv->kتO5(e!Q:*շϼCңL=K/-|jafSƕ WYZsЎN0Se+3 #Z?1g!o4,"hF}**t| g:yn}^{ %#/go0AAKP@|w'x.1%OzYq8(k anʙ=¯b[=epλ6` l[a41aduryX? T,G4mְP +Un^2CY!|}YUґۥ@υ bDޮZݱ.R@C8լ ςA%39"F#Wf(Hؑ`1qսdΧ?Y %&>襥>/k:AֹO;~ RqomMƅGrWcU)CS[T/@6gӝUW"ؚF&0Fh; VH c/X[ Kg`+:ʫ볢$6 "' yZ%@!yWc)P "vpח]eT9goQ$#ifTCd'i$~iD&f}ş/(ɏ(dQ&՞塒 /9SDIXZ܉uLY7рQ.0+2u(zv9܇ MĪ=zd - x3XB:E# cU3{A+;_B4)L:NĀpRViuunG/n4gX9"y6g`_p-R]]Iw7"x/V#P _řrL yGJۭ_$*s7 G3݄xA juy1 +'-;n:_Y9Rq^fiLRs^fvp+]xWCRߛGVg +gI? q-Q"C76gU:VZ^ ;+#\&&\=,Wx@gV#M#kLg=1&WR4,{-.8#;$ " /cL:יB/v_ؽ^2)wk˜?S`bL)RŊ5GC;%fi::eI-ƅ) ݼOiDS]ǕAdJkw]%VJ[>⻀jVnƆ=a`lІk Y_OΟ/5X/Y tv,/ڶ-k)WKk ^b,9۶Ly >Nt!mƺ=2O]~5AZ_I nGE +6TЭ{~f}{K%IY3ؼ=b)9sCgt_DtÄyn⮡6Ee6  ,tQFy%l69iI}•ix yI2fT5/t `)dR9FϢ`$ӮWN*ON {A yϸ5Zh5ĝQ-4z|@<Ie yF箫|h,r"4YoyJK@byvًC;)dtɛ,"y0#uيUW0Wxf! &Z(fKAM؊iU躸^;fܚS< ^mt..\*SnE?OQӅJ\HYb^+OdWCV<Y0S]*cyR( "d`@qBS" e)h%\6B,1߰@=DR;;b|W JFؘ@'S.'_ R(>+cCaL4A7 Y3ٕA%4wp@g"0@/䌝g^u(R"t|rLzsZ<`⬫"@IVhRF3GfxIObO6>uhXHӭi>^|$tdJz/wiJur5d#0j0SНwLJ!. lX~d V|})Ȉ,v{ 7+3%ICtjڄa;;] xVۥ?aPtM P؈'NS]?'CY|ZjBX|)GC ]5KB/=Bd{L{\2]`t֢'gת"mf|:tWםc/QanYCgl:$#,%LzN j Q8&vk#ɀT?/xhgPtP6\G@y=6%#_!ӫʿ9x]|&֔/L1X_z#U['@эLlr:QQ;H*, yk+'w$'uJn$B\,7t uUxUq1Brkb:0pn؏W Ha{l]Jƭ5o,#G?@V$q!U͚E8H^J<{ژ<~V.#߆0EZ23_2|~D?ڼQZζVA\խ M<`,_|IU蟝 U-O,Ȏt<3K" Ljo1B ?>83.,*h~F0ڛa&I5s\*2:W!@oݗL%Ǚn}Z%}]X>|q޹BD1;㒛%h[ )"TW~ KrcRSBىb194%8J%j 1H|ʗ}s̾1]9"_i2l85bGDw wh(I=i/|5*tTd(SΎfcP[%'?ЧP*LFG^鮲ve.J.?~fXJJ0rO<ϜyqXp=I!Y'B\ Ԅ_69Eoi5fxOFN:vyj' _RLy;k FsFv" $]'DH[N"l.$H 993"MkɺirڿȷgWRn{Ϲ/!p(^%.K|:_ ss^E2StAtt_݄ʡ}sf0ȅYg">izKjw;̥\B> >I+:g2FxHrxX^W-?]:좑3U`'mKf) }jڕ` T"( _9X#rU\@7b@ROBZ8gt.y7 =6]qRM,p@;,J 6Y!dέpCFmՏTbFmS'نHb;i2 ǸɽKT᦬0ɾܯ<8n؞#B"$ &e8e v"ػ($:.G9- ٵbYeӏ̔ \A`Aۮwb#D9/{*"D^ncύSLxWjLxEG˳kyYK!j1GtLڼY"E}'„Ksk?}NX fiG?C&BEfEWRb b #P.Dm uDԁk޴D6x@!V}/x_2;ny˂򫀃iJfs9qudǢVgucwl8P蟋5{ `U ?f~A  DTYǴWxQ!5 F7Xsw>-.O9,b -%̵p}e@юTn{kcI;/^8"gob,Z,%澝!%9G~1ǟBE,5]f}ImIë+_*5SLi5xTKUjLgOz+w'͛+ -2W1563o4 S\AKGD9<|肳h 1,*|a‰ZFxRanI`Xa ;i {9yS 疂+cm;jn>1CI"BvﶲBn/k:ҟf)XT:fﬗGTgu @YPBXͰ^쯼M;])`di!8e ΙWrjf2mV 6&%[z4amNP"emBĹ?6&*VƹF?U0go ‚fU؜QtH2P ~7%j:o>k2(dާi"UBgz_hBݎs (.UMebŸ~37 7P:2  Yɸȫ[Ql.ڏjI?ΔAӁ5(03FۨC͵0lcGO]T~?* xii N c[Q`N$c(jL !Rc\JtTX2M*Ffs9xoD$iiqJ ;'Dy8 Hf(,*@ޚPrNy}{Kq|nmp?H:D1FuL5>FON]|ۆ怯j6į=Eb4.sPByn2xY [?^ Lt̷֩ 8-267pPsQΪ>}NN(7m\mzY)dĽcvaf a}yӦzCgp8mC3c s FAKP"wJj~6i^6\e[b{z5c98sAcܲ4 ؛m+CdDNDPOuKg_P"D=\ ]tԐaUP8kΈa "^V7bKQ h)eJ;LSCQۆ|W@F!lxyӘѝ '>1T 'ՕûiID;i{KedhVl}lBtcdHp=DjեbGN; @rv}3%{ k0/X-;Sdtc1ͦ7 dBU!wx/>sI 7[ L#Z?sVLfX]2׈Cm%CP :ͨz+ܓ؟0zpP{`q3(~' Pz:-\ 2q=f^ޔ$(҂٧J˯;#dx56y~ 4 KZ6lI 6g&ݻSiU)\(/26ҐB }i_KO-l/Rf-i̗cʸ> X⛮9t[ؾ GuJCkN\AC,T=};P|tˇkHOJ:4\Рt) s+Y^ L*cUp`QV&cRL=۾Bz{)I IJZ$&z[f-ֺQu7,{Ss{ԷZ>L&-R#liVUy5*X~E-a_y;^QJX>_7kY4`Cr(}` J= ֐wwGEJܲ'Oec7?FkCbit#H zUK6*zh.s>q`'MpDyIYRElm_طj5K|SOث-Nj }DPm'4 }TԢmX#oOHH 2HHkeҎW_D:jd[RO F+'KF_ u])/AiUStnOx5qVjAY~9G0JcxO\P5̒Sv}lf=bӸg󞶥./[4u3H&%6xmtR Mb@s+. 097,PsigX^CӲSE T0":lwE=-<ISNp2HߕY,^"K՝qxiHoY/w'/` kn'{i7 }BGSѸzآۥ;^ئ{-޼_y;gi|R&^g3xF IZv%c:rʒNSq_Q:Fqݏh7Ɂcyl` o +&ՕY*fc[RՅS8e7&mC2t(B$Yx{xO]LRMRtgIdc¡D\7.S[};VSRKC-LUg`Mjf_UU< ٜlQݞՖ>?*4lj$ucmW"QKP $ʴ#AsuMfcΣ1;M9-%1 = (>gS_\WEN_97j6H2r"[ص'݋hˆ/2 U@n59gu\`o"&<ޠDjmQa f3mH1AdaNOsv.NeU[e78@͜;wn#9O 1]/<q\ 5.-ƛmm|ؚ`=\,^?dYP?aHUli0s 7L`HjjyN0MN7+q!\G\#g*:H&.vʾI]q4qo5aGADƘp/W| rVz 2ߝ7AKzPDҨ.qD /7mӁ닇ag tי,R<{\`j}QrDݢIqH܉ԴTQH50GThK2sx6/%C~ׄx 7UPdE?3pu=<)nYϩjy0*_}g`5'kL>@􂞧1DՄ'qYãTRپifzlxAcQ0Pd%Ro!\nC]wW0l:8*9MN$)Ti 10LqŦw~h?QX\(:Bd Usz;y-^<_E/@]j3+mijZ֬΢[#x b-W?fK0sĎ^U58=_.arNmo0j](Riߪ#?JmݣC$kզRMkuE!Ŵ\H0g4H~|0 y~8FT!aHg0Ԗ7MU\f#!bpX.D&#)}&UxAs.XUX#aWem438/S)eBTN :3ٛLٽiLyNp6lu) 1YvDe-_='Ť5=!Fo _๫B {E@,֓:??8 L=c?6= sP!ګ-@vӣ3O@Ai`}̀1 @ib lo~[ӭ1 `**=v¹WzO_W?D)%1_)=m r8.rSw2P/˅5 m0px;ʣЏ=**O< ^'= z!pK:R}Vi (Q6E7Ί.&N1槾=)iݮ Ȁx@''U\TH2~R;ܚ~ؒʌRKrEv^Uy~U $jHf=$^j eK7=͜U wjj^u89~[ $ze9}Sc t "kFO8<.ߟ(j%i_UK{#V<yh4U )7*eqB%ާʏfȒNab?#"H^N>n>^1F^P+B~/a eX/zЏ3ݐ~ӹ8l'ǀ?|.qB۸,Wh>EF9MkA>Hӥ{mI?bffoM\F.5-+s@*8ri0PCJEoX04Q at{ y&)/%H-1͚< S~ ;[7 XAgU5@VHpZMo> ?LYZ5_bns{rx;o=>:M$RܪicPZAk:FhB gԂ՜FU6.ӻzZ2xlxZەj0yfчk<6QƶVyHsjBO* '.@w>>hP WƄgeӺ $o;ѿZ㬭.BuΣFXRCk҆ w ؟-i8~j5% 32㩍"Z` ?.BWLhC(X06ehMF u"o5T%Ӱמc/2.:6Z9[= |E'9=y_/!Mݭ݃VqtqRZm@ >5%`\wAEn^P'#.CBԮ;H-OF~4dK! 돎naJv&?G9.ߨ?9v @UtqiiduJ!޵RHϗRq %`A'sD2[J9&&2Bua]U3%lZ45aXxn?ߪ(>@Ye\F|型G@W"W?^VB` fz0 a6( ~(dV.ϴL&2[^[XQbL|:`8f]T\> v *dipnAR75E84W`qKv3i"V]}<%g EF2:= H۱rǒad޵҃5<'̪*f OP R Jf;\6+KCYkug JWdyG"5썪iኯR(4nK=/L=Ϙ*VYo[h\wy8 i{>T.8N#Os6$wDHa d?L[y0Wmh.Xkn{HEZ. e9BN-Le$NK%M98ZIJQ 3sS4s 25ƬG6!@φ)nWCvO1| Q<0P'@S@[eVHxȈwʞw=J΋[.Uϴf/]#Dd%La_,)vwe|dS0Ѿ\o{cNrܷQEj؋9 '  ]Oi6 tFHD=FU%@ B2JSZ2j`(a&gK6GnDoh/~ Kw؆=nv̱84->Rz,Q>Q_awLJ]H ^H%'7->U?ҧ W!ƻZ'sM)sSļ0]5FSUwH=_ls9|l4z'w]Zt&yyJ pѻ6V{GL7/" l8Bz˝.qʶIZ]LwNuh,2zڽY^3 (v#}$ZcԐ64V#}[b8[D^nQKJ1{s#S~և4d0)ṙQy/e=[3*1k"by0Wta49ҁDl84搾ب ]pAr a}62 Y>nObjSU^n)b5S|.cu|K+~9*ା]J1nB6m2O=^c@'W!DlK`g$|g Ai"VBf>+4m}JdV{]Zֆׄ!d,zo)N GX$]|/}g ;gE nh|}vDr\*|Gvu HߥVy܃+5FI9U ׊3mei 0Wu{]Ys4<&*Po//[$E>l; < A˴h4>jv7o =>r31D&dc,x3oE?5xІ K&N_.v {<07!_ }69al"feRTDRw*Q:é=pQj W:V%.lJ-e:͕O SWQq<*sfB[q/f=aKCVv-u EpŶ?nj~-qYrSP^+2~joc9rynG{MY'b5ņbac9 jςZx|Nqx<ԙ. 7@hب..w\*ׄtS -fV#:k%E+M>A&fma!Z*vJɟd?[RSyG OPW~. jl2jr.X"LP {:d6#x M_ Hg :HjGml L@d3 ;`>b[΀ _) p@LBŔX~onTt3%R?8@|FT́Wvz[o*7G4rp%_A/cZbrjԒ/PƖ8kcSsBTx=ձNƌՇ&)U: 9"!c>*ZtٸXQhX`ɹΈ]mPMb'](:t| l3)rL=q]oQ`IttˢFfUL krΑ!ZdxN&nWsAi/hy$"A ";MxQ17(Kf ǔZr$cn|\\ z@6s{')ZR^i$2~X8BMgf5 +nr\S-5CF ?A?'T$(͠\7*RVDOK{X(3LT3Rt|EhJ݋w *tjGnt/yNQD, sT ,Ӗ|v 8v3 Gv2(H4ģ?xt_l-pqyw;@N3ElREEgxt붒`uL93 BɌsnQ`'*6'x"ZNCFmE4&Fƻ_|.P` n( ,\]l"ze γ =ݖbiZ0w2qzAe'-, bw'˙ ԫv /K{.!viTU¶5/2g8ޅs*93mKx_$ }DGIŽ` 문 Beҁ~V A˃?}!+IMಠ-E2)х%G9Axڿj9Y {(]n *-LO*eewo p,75x'OWYBNx .y`Z"wxMpƼbQTOTͨ~qt m3-g@0ϡh"ϢWvc8L.}\vfјgTLL19h=ں,dge`#G5`e0/r sRΚc% S:&v[~2-6a%D#~AHY2\Enٛ Lt f'9/@s3pXD{jgyTO  nPU*9S0P͚,s 0ugpM #P6>cJUXhv &*풸98]WVjOd*^$'Tx;e?`}ai "$9dk,aԾ&?>V:ُM)`/Yݽ+~p̤޳~u*3AQO&v㢲@# H5GCZÉuׁļSz&̧WED}Ke/Zdјd2VB39y `~w4ƺoH}ۘ:P+@J%-rݵ .2e#,SԜjBr@m+S0sm*%X<Bg92KI%;1OH)a3TGIs:Rf5ɫo#zЪݐ\a77[KATus!ؤ [7H`h/:>#RԆCYRmӷa-k~EMG?[ Mt _ Z֜ X+Wc jG)U1$~ |u72Z_bD).+`Y} ^>~)]UӤV{"7xbvyX8ϜXEPL@hdA#Jr>}|yuB%H R^:_u:fF ȫ;OJuՁ{U!qtfk?8A=T{##A\W@>\HR~HpƜI@[ԢyF N!\Z^sTk5.K0~ۗEH%+~mA8֎J\@?׭h57&[zֈ{^Ii2*%/o)Sc)!y1ID[O$^p2*( GlheʽЍY?.Dt7ޏ)xa]BX96?awmGC{y*=q~ VXD;[Z3@Zd{3:`'N4X8+HQWlFh}Vrq=1Z$̨R;q`;te>.µ@~'rsR"wmQ WHpu&,Tfɓq} Q)wQy>uS) CC5 GP9\16,,P==^ k@~rl{8pSb(I~ZNѯē=Rao ٜ'Js }͗j방j˙kݶ>Iwg6H0 -W\utKf%r ք{6F}lWjv3RE e%Zp\Y(cxRVgiuiqenB/fu(4WE?fLg|J t}8:^4+[ŮU7įA$!M+5ľe˗^ڄhc,^ }JhugݪU4@)sm+wE'lĚ|J91ne:F&YSL"fC :!J*n o?* > kM 77#;rȱn+6/i39=Fw=Yoy6WD?!z!abN}fLhYu__1Xjw;Yb޸, rVBЛ@Sˇz_0]lMϼx,gl&%1Yg0q%k%r e˜jMtDu̙lޖ cU0Ca{&1V5x٩&{ v~g;a}%s$9|Oir5 YZ