selinux-policy-devel-3.13.1-229.el7$> TT)m3#Nn^>9 K? Kd & ;lp  PLL !L +L @L ,L xLL$LL <  (H8Px90x:"Rx> deG dpLH yLI LX Y \ 0L] `L^  b d xe }f l t Lu Lv  w !hLx 6L KCselinux-policy-devel3.13.1229.el7SELinux policy develSELinux policy development and man page package[ܣx86-01.bsys.centos.orgoCentOSGPLv2+CentOS BuildSystem System Environment/Basehttp://oss.tresys.com/repos/refpolicy/linuxnoarchselinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null exit 0p R^q'"-%$#5-3z+*I[+b$"""/H(7?#3J2*G"&'KH>()O63>)j&0h&H// =/:*8"-%FX n'4$7-#3jMw0>w09!B4%48*K66m3-4('<W -* .&.z.^-2.&3&l!*%Q$$FA":4955K*)-:pP9o/UG6.@)>-(252115<$?R.@C.;E&7e+4 7Fl%4^1a.OH$.>6 7=b,t2615w5O4 ?;5RQ#/@~!$q06(4N6j4 "-&h7%=$6zO,I,g#1/(076E+~47,8JC95F%3 Q%!-S;Q5'-&5%8,+7.aA;HBjHS6,1o"40)/`5Q 9?i6./&95754,!1}'$4.38A-()+CG%0./-4>679,C:p/#0r" J> +w$2; E{*yF`*c/0v>7l)4QQ+01 0)-y8.' 0Y8e>g'<6(:60+(yBG".K')\.k=6@,6_a).I947Gn*I}/2'*q!{2 &&.*.LN(C$#-3U)I*FP1996V9<7 28BF/<260'(#@_-.K:`6&SW.&,9! &3XP0@z;1E31d$)00313|01(12RV'&6^.'0'22D"2D)f2D)f2!(+J-=C7..*h0xI!& ./.'[EE>h0(-&'W/.U;0AG0J,$/b=8Ez2 M)B'(7$6<=677\6S6SS''g37K)&0hN3!Y1I_ /(()4& $p%/BQ58f'$#!r#BZ--I0;;0TBM)H#0& $%./KJ+6J2r.- 4.2-03-@V55.1.5-7.]/7j$S5i6,549q,,X-J*,+=F0="274:..BCs>*A25G?//-18O%0i'2u(-*(})+!+y() +%$\%B=BW#-'8?9.$:04490#"M.^(Fy27.'q)IIK S =s + *U/V("3^w-:q6A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ3[ܣ3[ܣ3[ܣ3[ܣ3[ܣ4[ܣ4[ܣ4[ܣ4[ܣ4[ܣ4[ܣ4[ܣ4[ܣ4[ܣ4[ܣ5[ܣ5[ܣ5[ܣ5[ܣ5[ܣ5[ܣ5[ܣ5[ܣ5[ܣ5[ܣ5[ܣ6[ܣ6[ܣ6[ܣ6[ܣ6[ܣ6[ܣ6[ܣ6[ܣ6[ܣ7[ܣ7[ܣ[ܣ7[ܣ7[ܣ7[ܣ7[ܣ7[ܣ7[ܣ7[ܣ7[ܣ8[ܣ8[ܣ@[ܣ@[ܣ@[ܣ@[ܣ@[ܣ@[ܣA[ܣA[ܣA[ܣA[ܣA[ܣA[ܣA[ܣA[ܣA[ܣA[ܣB[ܣ8[ܣ8[ܣ8[ܣ8[ܣ8[ܣ8[ܣ8[ܣ8[ܣ8[ܣ9[ܣ9[ܣ9[ܣ9[ܣ9[ܣ9[ܣ9[ܣ9[ܣ9[ܣ9[ܣ:[ܣ:[ܣ:[ܣ:[ܣ:[ܣ:[ܣ:[ܣ:[ܣ:[ܣ:[ܣ;[ܣ;[ܣ;[ܣ;[ܣ;[ܣ;[ܣ;[ܣ;[ܣ;[ܣ;[ܣ<[ܣ<[ܣ<[ܣ<[ܣ<[ܣ<[ܣ<[ܣ<[ܣ<[ܣ=[ܣ=[ܣ=[ܣ=[ܣ=[ܣ=[ܣ=[ܣ=[ܣ=[ܣ=[ܣ>[ܣ>[ܣ>[ܣ>[ܣ>[ܣ>[ܣ>[ܣ>[ܣ>[ܣ>[ܣ?[ܣ?[ܣ?[ܣ?[ܣ?[ܣ?[ܣ?[ܣ?[ܣ?[ܣ?[ܣ@[ܣ@[ܣ@[ܣ@[ܣ[ܣB[ܣB[ܣB[ܣB[ܣB[ܣC[ܣC[ܣC[ܣC[ܣC[ܣC[ܣC[ܣC[ܣC[ܣC[ܣD[ܣD[ܣD[ܣD[ܣD[ܣD[ܣD[ܣD[ܣD[ܣE[ܣE[ܣE[ܣE[ܣE[ܣE[ܣE[ܣE[ܣE[ܣE[ܣF[ܣF[ܣB[ܣB[ܣB[ܣB[ܣI[ܣI[ܣI[ܣI[ܣI[ܣI[ܣI[ܣI[ܣJ[ܣJ[ܣJ[ܣJ[ܣJ[ܣJ[ܣJ[ܣJ[ܣJ[ܣK[ܣK[ܣF[ܣF[ܣF[ܣF[ܣF[ܣF[ܣF[ܣF[ܣG[ܣG[ܣG[ܣG[ܣG[ܣG[ܣG[ܣG[ܣG[ܣH[ܣH[ܣH[ܣH[ܣH[ܣH[ܣH[ܣH[ܣH[ܣH[ܣI[ܣI[ܣ[ܣM[ܣM[ܣN[ܣN[ܣN[ܣN[ܣN[ܣN[ܣN[ܣN[ܣO[ܣO[ܣO[ܣO[ܣO[ܣO[ܣO[ܣK[ܣK[ܣK[ܣ[ܣK[ܣK[ܣK[ܣK[ܣL[ܣL[ܣL[ܣL[ܣL[ܣL[ܣL[ܣL[ܣL[ܣL[ܣM[ܣM[ܣM[ܣM[ܣM[ܣM[ܣM[ܣM[ܣQ[ܣQ[ܣQ[ܣQ[ܣO[ܣO[ܣO[ܣP[ܣP[ܣP[ܣP[ܣP[ܣP[ܣP[ܣP[ܣP[ܣP[ܣQ[ܣQ[ܣQ[ܣQ[ܣU[ܣU[ܣU[ܣV[ܣV[ܣV[ܣV[ܣV[ܣV[ܣV[ܣ[ܣV[ܣV[ܣV[ܣW[ܣW[ܣW[ܣW[ܣW[ܣW[ܣW[ܣW[ܣW[ܣW[ܣX[ܣQ[ܣQ[ܣR[ܣR[ܣR[ܣR[ܣR[ܣR[ܣR[ܣR[ܣR[ܣR[ܣS[ܣS[ܣS[ܣS[ܣS[ܣS[ܣS[ܣS[ܣS[ܣS[ܣS[ܣT[ܣT[ܣT[ܣT[ܣT[ܣT[ܣT[ܣT[ܣU[ܣU[ܣU[ܣU[ܣU[ܣU[ܣU[ܣZ[ܣZ[ܣZ[ܣZ[ܣZ[ܣZ[ܣZ[ܣZ[ܣ[[ܣ[[ܣ[[ܣ[[ܣ[[ܣ[[ܣ[[ܣ[[ܣ[[ܣ[[ܣ\[ܣ\[ܣ\[ܣ\[ܣ\[ܣ\[ܣ\[ܣ\[ܣ\[ܣ\[ܣ][ܣ][ܣ][ܣ][ܣ][ܣ][ܣ][ܣ[ܣ][ܣX[ܣX[ܣX[ܣX[ܣX[ܣX[ܣX[ܣX[ܣX[ܣY[ܣY[ܣY[ܣY[ܣY[ܣY[ܣY[ܣY[ܣY[ܣZ[ܣZ[ܣ_[ܣ_[ܣ_[ܣ_[ܣ_[ܣ_[ܣ`[ܣ`[ܣ`[ܣ`[ܣ`[ܣ`[ܣ`[ܣ`[ܣ`[ܣ`[ܣa[ܣa[ܣa[ܣa[ܣa[ܣa[ܣa[ܣa[ܣa[ܣa[ܣb[ܣb[ܣb[ܣb[ܣb[ܣb[ܣb[ܣb[ܣb[ܣc[ܣc[ܣc[ܣc[ܣc[ܣc[ܣc[ܣc[ܣc[ܣc[ܣd[ܣd[ܣd[ܣd[ܣd[ܣd[ܣd[ܣd[ܣd[ܣd[ܣd[ܣe[ܣe[ܣe[ܣe[ܣe[ܣe[ܣe[ܣe[ܣe[ܣf[ܣf[ܣf[ܣf[ܣf[ܣf[ܣf[ܣf[ܣf[ܣf[ܣg[ܣg[ܣg[ܣg[ܣg[ܣg[ܣg[ܣg[ܣg[ܣg[ܣ][ܣ][ܣ^[ܣ^[ܣ^[ܣ^[ܣ^[ܣ^[ܣ^[ܣ^[ܣ^[ܣ^[ܣ^[ܣ_[ܣ_[ܣ_[ܣ_[ܣt[ܣt[ܣu[ܣu[ܣu[ܣu[ܣu[ܣu[ܣu[ܣu[ܣu[ܣu[ܣv[ܣv[ܣv[ܣv[ܣv[ܣv[ܣv[ܣv[ܣv[ܣv[ܣw[ܣw[ܣw[ܣw[ܣw[ܣw[ܣw[ܣw[ܣw[ܣx[ܣx[ܣx[ܣx[ܣx[ܣx[ܣx[ܣx[ܣx[ܣh[ܣh[ܣh[ܣh[ܣh[ܣh[ܣh[ܣh[ܣh[ܣh[ܣi[ܣi[ܣi[ܣi[ܣi[ܣi[ܣi[ܣi[ܣi[ܣi[ܣj[ܣ[ܣj[ܣj[ܣj[ܣj[ܣj[ܣj[ܣj[ܣj[ܣj[ܣj[ܣk[ܣk[ܣk[ܣk[ܣk[ܣk[ܣk[ܣk[ܣk[ܣk[ܣl[ܣl[ܣl[ܣl[ܣl[ܣl[ܣl[ܣl[ܣl[ܣl[ܣm[ܣm[ܣm[ܣm[ܣm[ܣm[ܣm[ܣm[ܣm[ܣm[ܣn[ܣn[ܣn[ܣn[ܣn[ܣn[ܣn[ܣn[ܣn[ܣn[ܣo[ܣo[ܣo[ܣo[ܣo[ܣo[ܣo[ܣo[ܣ[ܣo[ܣo[ܣp[ܣp[ܣp[ܣp[ܣp[ܣp[ܣp[ܣp[ܣ[ܣp[ܣp[ܣq[ܣq[ܣq[ܣq[ܣq[ܣq[ܣq[ܣq[ܣq[ܣq[ܣ[ܣq[ܣr[ܣr[ܣr[ܣr[ܣr[ܣr[ܣr[ܣr[ܣr[ܣr[ܣs[ܣs[ܣs[ܣs[ܣs[ܣs[ܣs[ܣs[ܣs[ܣs[ܣt[ܣt[ܣt[ܣt[ܣt[ܣt[ܣt[ܣ{[ܣ{[ܣ{[ܣ{[ܣ|[ܣ|[ܣ|[ܣ|[ܣ|[ܣ|[ܣ|[ܣ|[ܣ|[ܣ|[ܣ}[ܣ}[ܣ}[ܣ}[ܣ}[ܣ}[ܣ}[ܣ}[ܣ}[ܣ}[ܣ~[ܣ~[ܣ~[ܣx[ܣy[ܣy[ܣy[ܣ[ܣy[ܣy[ܣy[ܣy[ܣy[ܣy[ܣy[ܣy[ܣz[ܣz[ܣz[ܣ[ܣz[ܣz[ܣz[ܣz[ܣz[ܣz[ܣz[ܣ{[ܣ{[ܣ{[ܣ{[ܣ{[ܣ{[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ~[ܣ~[ܣ~[ܣ~[ܣ[ܣ~[ܣ~[ܣ~[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣ[ܣcd065e896d7eb11e238a05b9102359ea370ec75b27785a81935c985899ed2df6846bbdba1149ef9edd39c6f18d37f29e5ed9cb3670521f142ed6d7d2bf9f2b8342d2c3aa4d008aad3243fd00e4723033e27e253289356cdf2cf9ec46135a8327bceb4f36b0f077b7a232a94e214b3b0a5a85152e4d89c193f92ddaba3ede1ad6915c7f0c40a42fcee66915b7919b7fae619955cd17057621da5c0f19f0ee9d7c65c48928f5604bdd11775bf81abaf0b290e2fdf432e32566536267f193c8ebb59ae6e76cc7a5666b1b93ebb2ccb79acdb617da95b341c710a44a57fa17dae2554e42e537c7ed16eb8266f0fd30d9431df7ae9448ceca366380b79a309e4f8cc916a80c6600d621875d1e77969107addccf67caafb898f570f2f3acc0d592d6acf3fbe4b6421c388361ca2548f73beae836eacd46bf701b743aaee22dcc014ccd30fa3d24f35cf1178eb518b3b86697061b3dc1b11446ab5d4cf42a88e182eb36eb63fdc15b61e40edfb0b642312a4ac5055172d1ac368cd355f6226b2ac9b30aed36231f704a8fc43b491b52994ca63f2420e959a7e7b68c16b5949def7be1a03d1459e04beb93eb7ee8027d810066004a48befe6eb1a6363db87f65c8d5689fbc7d877df480ce102a1bfd7692aafd1735af81bcc30a531b08c7c4d0c6e59c607e878e6755349714cd96635168a5891fdc1927dcf41ade440aaf86129294512fdc6c81bff5a32bf2f53acaf23436d8a00b6d0aa719fe4aac12f7207cb0cf1de3cf26828fba61b4997521ada45cc63505ae859eb1ab8b2bd7cff5eda31467b10041e6303483b23e554a5d023b8377ef4cd4ea18264e7ebe83d10edc3af0e4c96b5b0f845ae53539e8b0f0d9144133c40f88197be4087ede536e918538c8d0f11674a789de4efdc5ff1925b79b82862906836ebddaafe1eb76ed2c2ba4755fe170fa5a257cf160d3783b71ed8a95fb5a7321dd5c51b87e10736c82b24900f1f8e55b71bddb79abef8761376ceed7f00f390d53439a43cdecb26cb4a58ef37a9d84b2bfd401494ee4d31e37b03f625b18b0ecd0947c00ebfe86f552e42af0fbdd53a45070c82b528d05c56a2b10f21dda3b5568a87aee2388f1374849a37b6466a607dfa67093af12922ccd5bdf8765a9851c8f89a6aba033f46031a036c6d304822c34e6c0f1f59d06c55cf2c3ce628c0abcae4e0018fe306211674e3050ffdff0f5b3d5c0ed3f0af78b740b86077e97dfb4422a6a690418d8159199c2f2adbbc1a1092bbcd083e0d13a276fa0ed4a00a90f811d5d99c9bb23c82e2613234bcc5b069925559a9803de69b75eabc51cc8a0e25e468d9ec016527cf4f6b3d0b856dc965fb93b67857dbebfb4d7f8ab0f6939ea31183c94d91149023a737b59b9ffa6c8e2fc06ea8a7a72e674173f8dcef90363308fa8751ca52ddec1b50ecfdca0a324cdbdfd4f6920453997f0d6843a2bed7a1494152cc7368b60dbd4446df29e6988597034e735ec2ec9febc9f4570dbf7b7a342dd3aaf490ba496a97f6e4da61846934093bd1d7e5da9fc0f3885d838dc212f38de163f9718b9d6f3af2466cce51d0f9456c0a68dde2eff024c5bd24885e59ca444294d5e51936636dbd68f7f41d7608cf64db98293643c0843379264114fce171744a1c868cf2811793e256b093db59376c908c9e4fad3e00d0cc485d310aa213c722490b589717ad67600840712845583760612651eb1eb4bf356910153ac18d51f8b66780a9d0c0f1304a0c41c1b37f93150dc087c34515b72f27ad0500605e170de215ececa3c3345555fe8e7eea3bd9f1228c90b16c6aa8e8c75675ac4bae01f35df1063f7ab70e2e453bf4531404aaddc92e38b775651d3b08a27020b3b0953c94bb865edbbe014205afe1035bfefb9dfa1dea526cb8b1ad6754b2f161b5185b3957633aec2449d58c9b78a5e20ed829ed8b4e9c656168314b4c7613a0748dae70c37745adfc09e2e4219ad5b59ac87ec91973da7de40eb0d0f756d6ddb8c470f5cfa7b1e1758faf811e2bdb0f88ae6caee22d944e7319050a9f94a11b21c5d60cd3a12d6210f80300a4322a782aac2eba68c677df511924e8d61c02dd6d11888ea876f6eab042507c63cf6c6c99970ba85e5f02effdf44a1029b1ee84586849c79b0bed5437c51ee84d9aa7510c7eecc08e4c2344e129abadd4bedde2819ff543cf7c61d827a1c645928573b8713bdb080fee05950ebcfc43edc478c817b58ca2d4cd981e30c43e5ab592f621560e6fb2092a289af474e6073377b418b6021892c2e360e4bcc0827e44106e4bdc30bd65c0bc172d600997ea5ff4e55a980dd4facfda875c5bc37d78a4e1532a731be8c10257ed9e9744cf786a99fafa055bbf0e88fb342736b6af37d45f5c22d84101af564ac20e1702a03605ea31fe821857266661a3477295b76b89206d1a332c67c1a0f427d3fef73b64f37e78189906bb90090eab9e5c6d42c82c20caedc48708a8b187498cff767ee003edb29c385c28d61680a165867101e254eb0ff1def59d3bf618fce5d0c862d499c8838840606e35514481db6c201b99f3280b48b54cfcb7a046f369aedf0809b495ab26564b6c08021eb05fd69639200c316d5b6e7493b5235a89fd8fb821aa0da1b91ddf4cb2aa54fcdf0f50eb524f10825480ae7e6c82b90bba208fa1af9b4d565d3fd6fcfb6df826d7b5ff247ff943c2b6c488c67bf7d8c26f0d9aaf219d6b8c3a4488c53f9ba44e39f3d4eacd7d3dfcd076eed2bf6cfb48a89b76866c7def61cf3c8731d8967e1726b257025544ae9fe8c369ea929b2381cd458015f83ce5d87458ed4d198ee28e97c5fca3811ce9a3e7d2bfd29a572df29696de906b87b0dc6cb86f3b5a54ef99516a32c4e10ccdded98676eeb37ffe95af6d38244532f45896e3471b58f8469d4866e4eff042a4741d5d6801ca82e11724b92fa6fb13e43ab6d8598664922150ef551aa24262ef616a1c00f96baeccb0e1f86300d30255eff469ee7908dd2cc15f3a7678c6d06631ae8d43f2127f6fb5aafa4288fe3de0b841f7e3035125aae9e2efb2e01f3ce328878a0b18b5aedf82409a1ef4caec53ed81cb03f93c2689ecb025e1745ba5810323b01220f34724b00e406f40b52bd363fbee20535ab47cb80a9a22e8afe67eff6a72d7935487e173b00f17df91bb6e196790ed6123d5d84df4d6678c7178b6b88c4bd9dddfe217a89a2d6a506db3b8f430f9fa51d202f9b669d1bf6144582bbba5d38b22dbf66729eda222a01f3bf09053d5402a92afe4ffd751b074805c71402cdb751fd07bafb14285b6cb42b605c9e90ef51a2ba6b1dabff8627223d6ead5c78a1469e8573ca0d2bb071b3c9b418b389c1865d3e95d5fbe96cbc2806286c20fd7657faf3ae478a31b2d06e9826d7b4b9ab0565195510686eae270cbc0c779a86ed9dd82f30e24fe515069d2be1f5cff425adbfcfbc709f97de62ade00eec1235563f9b18b20bb37a938a96f78a5948b54b52d79f81766611fbe2af5fd5cc6aa0207735954c644e5cbced346b0f44b61f9c14227cdef6b4e5a500cb20e483fec2da8bd106ba6f54d0b5c012c0fd7511bf0fc5c551716683a734e7de5f6c21028d6cb3ad24739dcad4a726c284d2c35dfdbb787679be2935d18635f2a58618a8b4f647f63317d2d13a97edb3302694d51aac07699d7013877929b35ad65d00095463df7379802490bb846b7fd0a916065924e3ce228ba9f65986294f867217ebc1886a997fd36047d540200ab8a4fde7c9bb8d563bf6547b8456bb1e1e6d00b7790fdee17986d3ceb621b14ed87aef6ec65bd6987119ecea4c7fbfdeb0547f80690720bfce435fa500a19bacc7549ce5e80a0f35fbe946246ccce3dd6cd564e0c1dba2b1b003dd66f3d3e24364de0db9bc28a8523aab933c4b1efe2270b3262394f6aeb4d61dafee19f95209efd191709c6070e6c0b386aaf239aa25f0a7b2e3f7aa991a54ef9f49488ddf90f9b8d202d1ccdc72c35f9e516e951531bff4ca347b74067735b269f1e30e10c176634076e62c8794d66256333b2a575d895d27f4cd8c2ff00250791e4837ab87a207a8c47a17b2c239a9f57185ba25f280e5a57cbae67082e0f69f5bb6d5b54ff03b087e9c278df4f41bf8a9bd65ea12fb0ff01438348b2154eb236f9eff3c0503eb130c9a28798b7a86eb0831b6ed682b95e4747ca13842e857f95c123645cbf4b6e9c5afe494f1bf7e1ae5f6f0488a3ffc3348232d47fa8a2d26d9321a34c895ca9415092d146e517d6fb6c6c1944aa36733a98a8752d5488b14ccb4813208b8a7fe495e396d2a78714cca270e8f9c5b792f05303420798a8bbe7c4da40acf92f16c7bd2c33fc1fe7be909b388e80afb64aa317bbc37cd94beea3a78ce037a174f40ccc116263600ab8fa5eb15b180463a46d09281145c05c1e492cab49dec5f07e9ea0a406ce44e404ef9086414317a9d2fc48d304c89e89fa2caa747649315180881de15e1478a01ad816f35c5c9015bade8f00b6a775adba3018bf6bfd35c28d393becb959d9d6a63d42bb84ab4f618ef920e5115506ef8df91a08f70c93050600a24e2a63e681cc9c338f6f3a75ff279f7a6c08eebccff14f1a5b6b9de902f5eeede66f3e86dfa1635fe0fd1b19c8fd3e3ce14bc01f09d28d54a48b04f7e0257ee038826c58b37dc83dd2795ade0f7eecf1f6473bc395eec726e5babec9c77ca39fb12c6867d940b4f8e77da935558a59f3498105a649b7cb0975a2008a7650abbd01aa42136ad70b69b44858d6c08e5ae40b1bcb94c7faa00ef305f3826b35f185110c3f8054720a6afc6cf9150643678c0a962f4d94b86ddd9b658843a4039e1c0aac5c0a8285db228f2bf56ad9df7576014c2575eb72bee11104922f29466fdec3c60368695aae70873f374af612b4e4a8857174cc81c78a77fc34d5e215da6d1b9e9d9caa862ef58600a7ac9909bf0e6dcdb8516d21b8a42fd7dbb43fce68b9121824ad60bff3f6252cb491aa525f2cd327c44a1ddbb47af9ba565f59fca4aebf8634b2e20a22fc27c2d052d8b9214e033bf9f282b26ad76ca9481b71ffbaedd0e5fcffc1e542df47f4dc2ccf8be9f900394a640b852663c6eadd767164defab71bfcc9ad0c8ecde219c33acf470df0cd268caf068e9a2a7c2443266fd8d0ec9d3c68597d19f1300e96bb6a4ae5efeb51bb7640fb46b5b1e969c599f3e56e0f83bd0dbe6f3d5047c968c5421e2756c0d198e55d4f03a1eaac82710ca1c0cbd4538cf6c211d318386213aa339d17dbe429f4e6744c1ec366c393633ff700b57a42f07b1079ce93d777841812cb34b2fc260d7d9e23037aafd45b378163eda06d5e0f000cdb82071261a74e61abfed4871b4b34bcac8fabc559a88f899bf2b9f65536de3f85e6f4d4ec32f3d25240e7de3d5f0edf1e50ad07fc0848951b6c47de495be9f25afe5168505052d3a5b4f2760174f4a559fb17633f906c14aa7ce9317d32bf1ed202e36e367754e3ba0a2fcaed0cb8e047396f9d4d88b5c7c7f5c4d32e2383eaabafd4789b4950145d2efa4f85405c8ac4610da8af68dc2f141cc21542ecffbb9f49cca5973c54d93e9d5dfa1bfd1ebea0f67a50127a7247903344f28636c754bea7f36280aaf191d45039598da92ce031f6b35a64a20f9b2061d54f514259b424e51eaeecd6df55cc94159cebbbaf9fd8a04e98d2d87a778c9572181cbcfe7d2a1fa6aff0e5894b5f3fe5cc6fbdb2a6ff900ccc73ceb58d3fe8b8ad2f8392d86cedd77b3177a61e58e2cb002a59bc6f60794c026f0911136318f8d92929b742bbec5dd02e9736bdbb4b5a73ddc1593b0020f3349746c10ac8bef306e4984a75aec0f82455c1b88f7cfd64b6f25d676f5ee541d010008fb37de69e3b4871c164bca20eae44428fbdd70d64aaf5ccffdb61ebd342e895147f7b80ac5e0946bf8ce3eaeb7a45b081e0c752f6299fe1e871d6465c10181832aebef81d3c98708520a441968f01e686ad5af213d6a53ac2a3facaede4b2e3d9aa7d3231e71378452c0627a5ceef29f8602917e8b0aae0e109f932cbff7ea1f69b4af4486547a4b17086d9a2013d02f0a6e1c0ca572dbd74c1089cd320d1ba1c2c3d4ef007d7702b61282e0c11c2f7572c7246b85b20315a239014fa7a62d0b74ec594df49b9a413723b1983ee42afdfd87d6cb735ca6aff20e12cddcbfd315451497c0051db66987db63f77926d0698920b429990995ff588573cb0d9f8b485d9c754e365fa875ce354f5616fcd62d58ac44c3211c2936b8f49d6b26ba3a02a23d13cc9dbb0fd2bf927cbe5b5c3931253d74d1e67497ea505c46f9aa6b8deb869d813b0e460fdc60908a5cfae2ff9f7155ace8b9f3f4206445f77e2bd3a6ee661b62fe211a754bff3de93493e9d4fb4f9bb98892f4f34fd418abb1e8cab50f7998d12d8465560182d0e8eeb64843952ec46b6104bd95edaa6613d829ff23c7169dc454a8863ed22acdc5fefdc37d83cd97271bd93bdd9dc4c947f27a9590fdaae3af7056433c11d0c4e9dc2f08b932f102805bf6bcfc2dd0e3ce4f3232a78e5554334d41d24402410b84fd946cf2c7be6f4ba61474b859c4e8b79f438011ce9be3cfc829c48b46da72cb6e2fc990a827ff8fecd107f77856e66899a9606ed4dd64c634a1577182c935049c04dfefbbe18271bfd3cf4efbc8218e804f1d4edbdbde8b88ba5a0e1e223d15dbefd756b390825d13af35fdbed371830a46c4a85bd772bd7485b454a14ad65e0711931509d323d3c5703bad083bac63ab3eda34f76af528a0bd466eb71a7e3c0492830dd6662a1026603b3847f1a845da1c53041dcbadbda8caf916a698271cb6418492b1360927f30466a17135d70d9ff586f9e5829358c9b78028c15d8f7ae1007ca8205e9646e1cef9b585cafb42b1bbcf251932a3ddd9c812e84b210c111b38f53661745c77af7f86ca584566478e22d2a2032d18dbef41af6309ab26265233bf6e561dcba0906af32a7f64a551d5113fc92b33fa99a16e790951a27af67bf7781dc94a220dc35e649a156c5ffd7c55ae7bab08bd792da7cdf23b978def5a71c0af5d12d16787956b7710390c67349d49d76f71720b578caa97734c7816a0160b92e65dbe302926751d4a2ca19a138b1a8509842e4fe695e924a6b69333d1c02327bbb80386069f0d279d17a155dbf48d306e12295a4cebbd6af27919c398b06ed94d9e8a3b285d8bc2dffc020038b0cc01704506cd73776e03f60f24c3ae619ef9b6441a4eec3c1f27df426ebdb5b6304e217228fd418cb68cf0b51174a56715b59984e6e2d0589378223ae72d07c4b4fcabf92661c69f08b7731e4e26bf8dd790ddf185527d327e9c2579742afd5ae94365e36e49ec04eeec88d3a3ec1b9bbfd6c819005c42dbdff157923ab7a725989f87b61c37321c9389d647f3c5a843e6d0ea167a7a8f6a79cdac03e10b18b5bb5778d597395eaf791d3c3dd9a1c3a8414bb6d84a2ef0feaea0cc8318dbc4a6ca9435fcb66c367853fa3fc4c05625efd09db7274b8c62dea915b4a24bac4b777f25ffb5e6a3e79c184cae11bd53d5f528f7b9c97282754e15c52d1b3f73814d315f984ffa6218ba3e16b5a946521934232da2ccc340a59d64c119a67de4f35176f6c97cc7fed93ac95ea1a7b7f49ad20791a16730f698ef5907e4a2c028ceeedfc33f8fbb1c64ca7e1303632ff130cf6687cfdc7f4b384e4f862c374013e5ab6f638d2875f3fe5943744bbcfca84f5087ab63317f041e350dd285a71d27b03d78525f4164000246911723efe2aa35f62323ed325053ae7869bc326d4ef3eecd6b9e1403c24bf5e44b6105a0ab59c50ea95db13d1a78b23019883b993cf130dbb22164dab4a8c649a2cdee8890c42acc046051025f14fe586aa236116d2921066f410a140edcd5df100e9091e62a10d35a8581a5cccec188bbccfdb204b9eaf3b8937b12e26b0108f6a3a2dd7a15cc079f3db7cff0330e2e85412e64d4b95a7bb77c66bba8ba85ec0a969168e099b44801c134f1b26101f329413b9e2c94cd4bea16c663026120afad4964749a77ea2a41656776f2023750f12691c3a4fd94c9282e4bb0f19e66e71fddd0aeae086f9c90174ec07568c1543bff431486ff6e7b73c9325b47ef008794c46e59b1809692db83ef397feb57884b6543c670d728b7c72fd9aa9c95eb147c3f4c4b2f91f39eb4d503f9efc48f70a145ca044a6fb89f0b397837450fc1e4433139d4db8d97a12012d2ea57d2cdaf399804c770c25b339f16cbe8463ef247e61e4deac8f5277fd5b17236ed7b74bfb6db8aa97b6c465a98bb2c394443135740d7017e1005c92f3ddd72bbab51af5247c8f6fa90cbb23841d5d2cc184569a4e872ad1dda5b8dae4596c49595911117bb506a72c46a187191e4da2de55ed743dd3faaad5dedb18fffe47f00c8a0ad0e5c2e53b17363bfa2cca3663466c465e9b7410fa747b8703ac60bb96ca7a68d42d704115b9951ee06c8a906d18e972102c7f1d9e9fd49fd3bbd5b5c7804e470a7bcfc9183cdbea1e67daba961f61c0325fd59363e2146a3f306812f2b156a264f7fd96ba230e5806c91dcd951943c46ebea8d2aa5e947f79a993a9023536e4b8bff128bba0248545b4c3a165ed46ef3951cc2a23e7225599ad8535f2837c42bcdb03a047a19a96bc2093ce74d8a9690e7466670a2b543aec31ab20acdb4bd6cabbb38520ba4368afe6f98cfbdfb9f9ff2a2c110a1d98568722fa7a631f7eae4c05e7ced8a2fe2b7774f50dfaa532aac808dfd0dfc51b79a8414e72212c4a545e5666514d0fb62775abc3e0f8595e66f647d520651592a6d10e1df15ac531626091231ed9d7fe0ae66cf9a4ac4485788f83cea1f3f6a883049e9a288d46f08b47c45bf76c5fb0a0219cd27f79417902bc9be2a2e8ddbfc7868505fe43283753ed4210cacd65255ffb5881b5de015dce175ae8de380ceb4f662d5fff049679b28c32a6d9b4b0d2f6e4054a5dd164116b3a30a5c63f70c12481b7786754056e89be0bad6493e36a566d6f0e1a2c9ee1ef548c6928faf146664174151c70c90e05f97c70d2c29d04d6e136b6e91bbd03eab81f77a513f9c823ffaf894fcc7e6b304661393bde16c38808f590899acab69da4ba9081955e6218e557c6682f6eb3c57f210de07c5860116752a4641ce872dbbe0900434883e91622df4a28b32193e1247005e1e29f50625b1be3f83dc00dcd7a95469ec3523e0b27c1455d773555f4339502354e54212b7c8da3ca175b68b8c95320c2a51f3ebac160788911534befffb4210f366563c8f5f8c54100d925676680580cf5ae262898b84139348ed6648487a39bf0ac53c05f081ebd0ecef4a7e96d1711ff2fbbdce37f0831a3d7db7f55e839b26bde6fcf6068287f4b0144984dc0ecc9453d1d20339e294ed46a3e321102bb257554a069483a412403e811686f3d06feb61bd00eb5376fc30f97f7342bd2ece61034f808239f5d767408c4be2115c1a5300d0506dad754040206887b3a08f0dc06da8cd09441e25a99e633dde302d24dd70ab9b6f96ef8599ee8f4ad3875a67648d0a21981b5f5a9ced41e70557efb1c5dc1969b01527bcb84c16675e084bd27f9be40623eda2096794c4b02cc5f2ec2bdd7443bfa4a9a71e44288cc26b4d4b1275dfc04274a32752e40a8217ba7bc09bb61f5ccb2fe1871be04ab574e31f1ace95a2880b2588a4090bc1335b70186385ea2e23378a17cb2ff9565b254c4797a2e7ddf24202513d16efe8dfd86f6ff76781900f1d602d1d054305c130336b0bbf0a9f4e3ab7468fe037fd7ded4df3a44b967de14eccf7aad0f3f90ab8751eba73f36b3608237cbb7020bc8fbc99244f37fcfc8dfad5c0f5f9793eaee604b75e0ddf698fe12f8d851aaeea0aed3502b46bd2279a3084cf512ca635317d84f6679bebf300bb05f7c8594d328b55f161a2934a51276bea596efecbb149e8901bfaf4a7a27ac25896a5a21d6530be133a464316cc7701fa89e517dd7102cf9680878c669d1c967f3fffde5d5a0e0760c72cb3b362cc0e82902b843ad50984bc6f91526db8bfdad172d9478138ef02f5184fb96416fb383d1604cf25f499cea5ea4be1569829205cf6c181db14b4867a0b372255a3ea880e2a5eb81ed561bafe583aa8cc83e58fb19b261099c734135067744161aa50ab282951389901296a551288e486f38d8c662db1184e9d976a03a72e288d031d1be858d038fda0bb6bc43b466e089e0cc8b3cb1b549bcecea44723eec0d1cbd947b9be7d6faa86434c7f3130422b37f33c0cf323e1f0db6308e0bdfa96c6121ee3046359acb3bfe68c84ea3648cf4fd99f91a3e5dd916b7307e8be63b41dfe7d1ac5e0da27143e696c2c90a54217069768111d455c227e95867d237b56ebf2bba985b8a7aa0352d51504ef84c4629a65a07a3a03d5f52d063e4607fdf0a8c73e9221862d675ebdd05117685e0f1976e80dbf421149508d9ab98afa7980ea9d61c53bf53114935fd74ffdca54f497120f7ca52360de73f27bb222141cd493c5d3bfe8c098111186a796bf95daa982c897cc5f0edb902f3f40053b440ad3d4fd8ddc7febb9ac4322f6036c21bfc768e320dfe6f86fad5c0f9e03b64d62c0ce4d0ad95f9d2d896f159db2107bd159d897e299d82f54ecb73cfc17ed003a014e167a29170b34dc1f7d2dee7feec038b6db7aef552ee530568c24fc03fc0a6c5a6316d66331eb696391106b2807bd46d92c7831a4f5be940d178e0c1367c7990932d9d299504f4324bb7d9ca1763bb5d41a1acac371bb0e4da33baa57125756d31fc9118b7df581fcac23614cf1a5b48fe6d61a29b06d1a16494a1578c2a1a2856793fe7cdc788c717211f375d6158cdaa80a8e3838e1394a991f36b1ae94f1b87f93a0d813cde62544cef427a8b95c504e0a4c0866eff0a8757dfecc3af62cdb1c7d9c4943bd16d8661545429460b32918f79fd4e67d8664e2e1831ffc85289520e6fd535a4e9088e67e1bbca869e096f23f60cdb83fcbff21c986533fd6bcb9e8716b62bc5e4a72de987751dc8b521ec6df5c12660e9bd79dcfc661ab2f34e31818756b9223d92a904ae9458927d6ab067d5abc0ff19b1271d7d9afd5d8fffb48bde82d94b1f7b3406bc25c0fb79d1e2c7e05689ab518e861f026420f25a3f28e902aeb4fae7762b5f00eb7e1a0096daa320af3bfd3fc2c5a85687326e1a68b59f1c75b6416ab1cdc266368bdd45397fcb97e6668c6e6da0e957cfa7ff7f98c1ec38c7ddc2837bd0ad52c6b0e38186b89f995ce44c6cb5601e99ac17865dbd42ad2da696db5ad82daf95dd6f40cb6d5763d435650541b60031bcd5612462eea3bbc81cc8715b3511f7dba841f93acda33cb844300675ab7b43bd7e6d44f105dc10deff6d1073f282b5fef07ef16255029baa1f5b2d3279f010ea11082bca767c16890cec823d833a26504bbfa1f420e6e9e518e37cdc4563ae62321f2135178d0352a8ae55deedb8436a5b0d834ecddd19344c2abd9a32c85794e5120c2399d392f80842ebb6e31d9c89b6cc7683f2ef43de153758cb323efad371209de72ba2428f2c10b1e7ba846319d2484a51e0e812d733a579e395e43d84ef21ae7bc33405592fe5979c9d679b8f804ba8981aff44e44bac4d6a198adf92a9f087cae0b8e7104eae0121869e4713308205db79724ba9a638ea4de48e974932f2078dd77fcb885739c1a1cd82c07c31ab342219440727394a0d4f4841c27014967108c70f877204005e798d9a7de1512c9c69f4513f9d36288af9daca5cca6a409ba044cd2b2e9a0ad904f588feea7c635299b2c340b440b4e8ab71fc332da9b8cccc2a036faf31cfce1c51004c08bc59e965ec70ce1834ab3acf134cda3af3e60fc18f956e0ef86539ea9feeb72d4c86c673732dc339dafc0eac55af1c2482dcad76b3e4edeb892654d30cd8bb5920c7a58110e93631beb40da7139d434ee84f0aaa0aebd14d1ddc40ae4f6fea86defa05d274c9213ce14902a7ed17ff3dece4ca93bb1557500840b765fc86dfad1b3c1b33a9367b8bfef621fdedbd2fea85ff03508776a58c28b5a027b05a4b29f5a71cb454459daf2105b4204133c01ff4e7d6d37b722c66cbe73dcdba98ed01f5742311588baed094dbfff24b450d68637207936ff68a04555e94fc46c91422d60abd6b35cbce6dc9cf1262678c1751159d4b435a92cb35ee13d4842c642ff01b10b5006e582436e6018b8d3de56df28fd0e2ab21d4c3d9ffd746bf9ec38c43e752117e1549aed2dbe61d306b901855510f28a8be5382cc27cc6eb3a1027358d189e32044276c6e6c36b2c29e2504f4461af8284f718305848347b741704c7328998a76198300ec3efaa920f5a4fb27a0c068b5317d766f490377ec3b3a2cf1563ddd4faa232c5fc7dc8a4e998166a51a9a517367ce1185124405cbaaf1cc47f589b0287a2a9bcadef6493b1beb44df0806ec7ca09e5e2bc2663495f8d63fd09a5451aa8fc831e7ca0adfe582079d2a5a886113c09435efdab47fa27a0e73248a54f21e7686021cf15e7fe1788f774d8a3a9959a0b6d8ada2c10ce9a0c33e7e14646c55fa0aa1ab9895f21082f87b2b0f32bf946152e0616a6fb91f5faed7d337eb9547979d4c631f5b05ba51f3e1f94db5652c51b7aafc9d3264ff17705990d4b0af5c1e68de73ff01955a38b913adb6003fb575a406f63a85cc3308956a7b0ea0211824f8b6802bea4be17dd9084baab228f247d1e57b8ae9b52c97ff08ddbb7bca67cff7f60c90d7d60df9448e0cc071440521882536d3a61070591cf0b9c4eb6b5c0cc69259bbd0af51696ce356aa0c139874fa09f68e553743f6047cd215884cd0951c379f845e16b476dc082fb60dc828a0008190432138c41aedc4c627a5889a957b513d1922b42ab6d6423b8cd38e04e74f90a2b7d170127b174c225964698da1a7beb5459135d3708c3d355b4f82dc09ce33e2b7820173eba99da7c0a15dc8b372055d712f618cc77ec78a3a0fbe52fa04419fa60644d12ae1fe05d30600f9db447243fe5291532273fdab93cee3b9564900489750de010668dcdac0df57c7618eee918ff508e348eb71aa1211eb047ebc47bba9f14194c17aefecc2cbe17adf17fe71afd0a66261f6324725774c7207af62dc34b9cc88a70a8054b9faa1c4b6d21fd133ea2d668c6183d02c5fb87a805c2ea6824cc6a18f5975cc6c57f51ab17e031a4d9c87fba55f33ed2505c595743e8e578a6424d198bd7780c6b8335d976ee84283d3fbcf5fa9ac09b5b3dd475705aade6b4a06169c36361667dd369646339ba0883286cb76637273af49fc2d69e8dd222f00f5e13ef6c4b7b283aec59982f18a4f502a03320cf6af5244dd3e3dc5e9639f920b38d896e3c0136562c093b38c9963f672b0c66500d9fbf745ffbf960f06a520b0d54b0154992cf223d2e8e1898b3a8d568fd28fb6c8b3e3e8fb7b0ae6697743bd3c5c80a77efd22eed2c52f0a832dd4b15a37c1ccdc4268d7438e95d717b454f3e10c9d2e16549efaadbe925d2ad84c3e3191b45ca897d4994e4703f98996c740dca7d96a434e177b6002ceb4d790c02481cb5283014ab18b2dc9957af921ae2bcb46ae277134aebed250cdcc45165df1e3d6abda3c3fb7862779384d2d91702d86360d1273133dfe358b5041e68501eed374c93ea14cab8d6e01fc960198ec64c2763e79eb46a4822ab9761f2601d54982be5cbcd1d5b094cce888ccc5c8ecfcf5cdcfb4419d648eedbe7036a7131f089d6aa8ec31891f428025d1066cbcf3776a863e9b1b256cfa593f972cd2e301b7774a6fe61bbff3a4c2f6151175c740ae77f5d337f6596922f0c933bde6e35acbcd072511d0528901bd0dd6e640e07ca75630fc2f58d003a2c41ad47866d17af1205ddb5e7d89a00a41f08d9fdfa3d6d88feff8363dade8335eb321bb5b15c1960652edef1c60ae50f1b7ea7c660062c23791a2a54734a32aed74efcf5f2c7415f4b5f452205f853b7ffa110865e4e5b4c852338c82b5d05dca52b2f29045eac6966a274cd92bc1866c7818dfd7588b084501cba66cba192e072ea875e7eba44ed64f2ad3943bdd7143378cbf7d42afb12f56aebef9cd37c27976257eaa803e7fa21e97ab7c3b41b3bbfac29a38ca541746e542ba4a7be4af4175fccb1d3aab7ad7f54d80998551d10c553a80fe200415595e793e6d6b686d5dbe1506769b425aa1e0d16d0a73edb1a0645d900df4bf11738bdd9f6b06d101ed1b48fb818cd5d7243a2118e29c214d6c23297ae792ae0b335f7ac5e67ec98d5691b839911bb648cff80b8dfe930f6bfc6df27bafd14af914ba4471da5def7b91216a738f3c7b675304d33eda470c21824f5a4a3b3bf9dbcf5c5da5598d7ec77f7cb800b387213efe6a78643d18dc054b6e8261f9c14dc02be1227054ceebb73979fe7ed3436fc83a55e8211c3b15bdc3b2749e562def68eae42613171a1ef302bd9da3139ce1cd043515db2fec8dc635bb035f380751c578954487eba60787e8a7b5efb52afd67fec6f889bb775b844b8a0b5e69acc9d074e33016a756c9c0f5aad6c7b72edca0782b08982b8c0c0c6c009953a1e50fd0ab01fa4e2f809ce791684b64f5217f57ce239090dd218b82828b6d50a990d4b103d63117b0d6a8bf03b53728645090bef1f8b29076a11d0a2f9c5f9a0e10de23e65cd11fb48bb35a2e91950dc2a5b4b8a863d033d769cd96f6fb9707b8e746825dc6afdd36024dd0166b8287ec44b1d8c7c27eeb5c98a1f72a7a05e2bf08e01b6054d681b27573a697af495ffe8427895f3efb20beeac196819b4670b9907564dfc39ef5c77e5db2c8f23f88eeccbc0ac1fbf3579fe1d261053a6774f2bc5c942568c897aedbe0f4ebcf55ef8fc03bdce1aa932555b23f88abf167503598ac8fcb45d7bcca06bc942bd40be6590def73184389aab5c485f277cc4aa88481d842c8fc03ca0af4b48e1d8c2095925726965d186205a7d1b01f137a2e6382e6d534eda652d279ef8146310c4dba8750845ae4d3ba0d0d778093583682f8619005a3416bbcde5f5673fb8556f94b19494a3454e5d31f99ca73500dccbff3bb215a949a4cfa6bd86f820eb26a855632d62919495cf98557317f8dd3a086bc4975dc7e6dd339344a373a43dd2c0f2e63d48344f800bedbfbcf8d43fc228253dad2cfb758780b505b57bab4fb4462f33b00789bc61e429073230b6015dab6496a623174e3d99f45b32a54a800c7612cdfc708dcb626547b919124033b13477b0e297b1e3e9e8f2720f35755dac20529f00c6a4bc0e5e276e54b637fd44e511f54d939f795c53d19c4e6bdaf15d74a7183fab72812ff5b363a79ac36e0615ae2c1daccf27e3161d8fa289656b24a23271f193815f9e2c73a5969ea42e242478ecfbd14ddb6e532e6d9b818a71c5e20be56075cb04a579e9add6b4b5e036a78d1e1f6b99fd84e1bc830c1374055f6d05123718f0b108198561c2816ff7d39bbd826b2c94e7e63f1cf5396c483c36a2558b17026646ab2465715ba7b358f86beb6ebec9ff2a657910ebf3afbdbf6854a69dff58785546f274ae5929d21d83e7da5e0f16bcc20f7e51b27542223c7155d64468538291535e7ee029ed56a5359a02c64d03061bc8ae204e7700647285bc4cc2ac6f23e9494497df26571fba19a045939f7626979d7ed2eedb025b0fe2e73abb10435d695fdb5ee0021d4bfcb98d86d74036ab20600e633c76eea65d1c9e1be9428ac159a77398f146f3f9f2a5a2f5675088c83d1545d32fedf062d287fffaebf1f6b9e8a84539ad9767ddc566398f235efabccbe7d1ae181b127acb771de2214382c6b53068575a53e77352896e7484b2084fbdb312d0490d774224149250dd45af95c2803305b4ba7cd15821e078a9e99b6bd0578d7c4b8d2f894d8fbcd5ebaf4c47327276478e1314afa8944c85fd98bda964f39465b1eddc42e836a530f57f904cc2ad8239dd996161ef5cd4da752425a08481991e41761c679795cba32fa3031a02b2c7891d671f6390b370cb49bd6b0784baaa62d0b46ff3018f646d71cc72e9d4cb1b869c52c9ea02308d3d8e6fd352b8641c0c1937bb1aba08da5afa240ba020d20252cfe0b9acc9a423946c039f79d4a7840ec96955186e8526bc85826c2e4ecf9ea8638238561ec1f66956240623d656da25343842fe21ed6624149774058808d82f59ad320b087e2015a1130f33786b7014c97800684004ce31a6f0c3bd598d94a1046a033faea405ddc1b8590e0deaa0eda849d32ed2dc0f7091b45f1f2e5c8d7d526915069229d52b53453d90f0a2aba1dfe62f08da7b119cb84d8f026d20dd1cd21e90368a496835dd5ddd5a2b2c243e2a549c1a5387bfdc980caef7c7563dc05144794211a11fecde7b52981a1e7ad1a2f7f0d06af5942166490c3d946265f2e7838ccb8b0c804593ebb927bbf633870dcd31af15a49905f3bdc2f68aa12478de968668880d574a325419ddfb737b97913c996e1711e837084c937ff4cb8da87b92b5aa4b9c85df8af1ac5ca6a71e05a0591f99fc3a196471a239aaca9c9b69349fee3cc3b4b60ce0f47a533020871e525641153e72ba0942f361e763f8d5e40b5144b0ccec1fb33f2dd5dd93c8cf334c86fcf6d24e69ee51ad26c336dd700e6e981f46e598bcfece414648fae70c47294df6480ef95e7674e330e1f58e8a38db495b1ac5303daaf29ce0786b96f6c3eda717b134148fa2622830b6bbfe19e7f09bcac0170b92c6c5b983981b77e198db095b9e854f6a79065d021cf9d7c222e4b029f448f0c49f5df9d95be384a2331ad7d45dece4e329ff7273e921ef986b15b39c3d5882d9063604803ed2a9573475face5ed4015e416938699be095f6eed4ec208edad17fb3c7d513025e6caff92f8369800857faecdebbe3800f3fe645e61bcfdaf3760df020a6828a4194926bb8af9606e24a1dd5d97319fc3ecb8354f67d96d51011e7db1c3cb6c8a7ab3d41eb39add48e46e40c2220ac7e001b52a7db32323d088be6307c52814b033f0d8548b562cacbd737bdb76e5c1914678f593280ddddfdf11e981f814595ec2ab64f6aff1a554edf953151fa64dcd4fecf426d958d8eca2b0ad0511534dd86efc37d3cf866e78e784f2927aa3e59346ed4f7de713a8dc448b92ebde5f8be94b3456f5182f57eecf4b8cd654d1548136e867757ad31cb4c96fed57181640ae7a1beed48fde0b053c5bf95679df6f937269d2001f4f6cb6e21b5d394a28b36bf9d2a8bf3597a13c6adc8880ac37d27ac88c4d5f257ceaaafa56e86d8e52ea14c6b6d2cf0538558d9949a4b5b8fb3ead0e6f01fb66e9ce80abb6ae5588bf9ad52353e60053ae6a1de5c8eab1b551cfd8c2af67d371cd9b67b7b1a4aff28d407ba7bbbe3c32ab8427d89b32b602a2d97bdbcec4c159435e4e88eb71bd48f9e7329be13e1715c359dc4f08de27b62e44f35c69535742c6b0c560f20ca02351f115ca688ea540be107211f32017de0712782f3679c618eef6f39663529108eff73ad06d5f3aa5b5fbd5781c827387257e6d051f6d6de1b3ed5c2a911b3c4be74e1e10e0dba682aee9639ea6515ff8e36b33bdbeee64302eeb358b8abf0183f3fe6fa1170760537b03f4349c53b9857e101e9433e89b2fe8a57b9e45c9402763f96744add09b8abef37cdeacd31ddb247627f8443065e2782cbe232cb93447a9ad88b4e673f76c1d9c562e199f6249e49d85d2daec32420a258f8b2d71c005f5fab54999a0930c8fe9c95afd66192cc83fcf690f307455bd8f8470db77499840cc4507a415f3e2263949a453f4c571745d9047f1d10e7a082ecf85ac896e149a9b3f2d07a13778d1f7dd4d76434c804fe7856903023e8bd14a836c5dbddbcd1a9ab6520e166aca838cbf4335600231f559d63a205262ea6478bd158eb310c05d6763f4a6a4a75436f8d296199216044ef0e2d260fb7a274494f01201ec951e05d5537eeb5c0beb38e70ba2ab4aab8a053b24e56d059c8cd1f417818ea32233db70c12de7099ec4b3efe7d0718e8e0e417a8014e95b0d08f07e98408bd3373d9ed327497891ceb853202a8c637c5bd373f80b9cc0f3cec811ae80e72f23e3e9caf99b178f5c1336712a43dc37d92830b694c8c1920b4d68fc25ea896893138c4b499202e2028a80ea88501bfa2c6eca8bb55bbe11cce1d16b8d3cb4c75e844080ed3447cd98d027c566111fa6a720e9258b0731bf4805664102fa1958a493986f73bc948a496e05c5c5a86bac1510139d5ab0eb07fea779e1a0b6f816685cf170f970418c534a6fe7ccdeadb6ab8fae1b500d34b17913547fdb5187916154248e8c6541e59afaa0fba43bf7b763b9eb2ac1c1d84e5f8636d5cc8134ef65c59a34bcaedbc241467ed267d0f69606466d24ef01c430c3bcfedc56bce4e5d3ddb3653b5f608d736ed70212781ae7a1181bc8f137c1fbb2cc2d09738dbee1ad635d17310dcc342d07e8fb7e9baaeca656e11bd65b8c2f15381acff30b7fe5b705af3fbbade9bdb50fd3fbb4c184e8c9bb12097221ffdfbf5758cddd8cdffd0ce8a1b01c93634058169c312de5bcfd9cce8aae94f70e73e81db9d4b4e5b4bf9aa90c5669fbf8730671c21b28e2f60393d7dadfd0a5836f559664ea65c3e2799a2aee248db0deb4015d897a515431782cea7337ba6e101e228e241bf86a69826d8a9c9e3220cb493fd287768a390806a80f14edbcc2e7a77b7241b14141f2a2edf4773424901ba77645ef08eaffe3ab2ace8eb9c126a3304051167fca1cc5084925f7f9e6fba42ba900f67224d7d1583458f53f581b74fd06c4e2c911b795b48c9c6d430ba882c11dc24e7bfefe28fd3cf9bad53ad95890b5baa69407ee94267132a16ba1ee25ca47cf1a54717f08b51b5cd42c5e0b9947f498091d7272c1a1e8c10c5a7d7c872fa5217c16f1dfa860c3b1d998d48f14370f7ec14b286cbc209e93e0fe5775e5c2f09c0e69794b5ee89ca4b0a089edc9212132b12ddb6d2e21e14c2ed626a67ed483a818fc9a5667420e95f80b390b9708c03529ebdd0bef2883772611795cf68920817cea83307f64d978e3800645732941179dd7cef365c48636391ca73618a98f95f43274e31189bd10dd742e1675f2fb5ea3383b7ffd7d3c88d40e93dc009ec5303a93ae670866857b8eb1b32f06fe3d7ebb96c327a5bae8d60ea3f831333ed3e30c9828d4a2342004ff42cfb2bba9748a6883c66bb1dbb7db6e6cbb2e30cbbd8719cbfbca115c5d4ee609899725a241309412261e7837236b8b077396a841903e3d47be705265f22f06a41bf0b23bf9ac33e05535750860b25b74595b78db123b8436014dbcb89815b986fc636fa6194c5c17131637d8164b8d3ee56aaed297b63da098d7778c87d7ddbe99d0a70b1f314a3ad78110f27a621e23d1ec3e0a95860792605ae3c00c77192bcff3f8131c070629e569abc6af3e25ee6734c1ed599bf37b926ad4db202cacd026546d64baabf5bb53491252f9ebc61d73386cde2f7fc44fc058b33b1d576f4c34be565f32da5068c4adad3fa29a74f9895b0efc67cc5f03ca0b301af42848643c146f427ee16621648ca131e9805478454ba78d2ac59dce315cb49cf407a04724ad9f48b6ddd2278f2910797a1ca7c33db00b90f13662eb067f45cd32e6acff72ab987b186840922f645810c043cb17e5a54e04c8d0ec3b6d158cdb9502d171acf5f19a578113edb35bdf385a24707185a6f9428c01a1112ce3a75f2b662be62a7db97a4754bf50d2391a444625b713f1e841f9071393d882675ef124555b1840e370a1f7d6a7ba5e53417d13eec5de9e74da2ef53ba049760f73eaa0335ae7ea4bdd2551e56b6b6a7afe703335c5afd2fe5d0fdf91420baef0ee9581661f158f34abfb05facb7d82cc96891f1bfc5bd3ce0ab5aa2321418b9450fe88c3e12c93caefadbb4f2d8d40ce9ab899829e6142eff892804b3d21c678d5589a768b6d68e03bd45b4e4a8c427f33065787a1e1d2c3f367c851860d5743cea38b0ed0fff2cab6f0f1738d1b03374101cb54d1e91cbc9dfc4c7864974c6b79e4cf80fd74b059e3ca346f35158a820ddbb9f50fbe54ce5c34a2935562ea03a99d1ee674bf1f65b0ca85a2cb8d874081551be6f9c5649f010d659ec6da24b67ebf2ed83d75f9d2ccfee9ad67f32e7b196e43115ed7cb81c58571289fedfe753e223ed6b5ef0d4300eba2851596d60593205f5a88e2ad603bcee4b49dff8f21042ff8c96b25fac2c88fd5c79583503a09c34376490bbfb26509105e243765910a1870e726f8d994cf1da671d9bad3cbe8af43738a1917e98c700a2916ce395bb9653a6c2ac5313f09d83f868126f0981c7b1734af8bb3106c4a08d5c492ee999c8f6e0108d02982951f130caf508af61f5b55f98bca51e96119cb2561ee4c1525f63adba0b19b24f6d290ec7652f8e9da3c122d61c7433443f25bd6fcb841c1c9e6cd0ff2e24a377d71eae2623180ea9b4cbd73c376b9d593ff7c4b21a4292e83bf8aed8af45a37b896471b5f87e57ad5a4cb663e5d0a181976b413df1063563486202da11d6a433f72a6fd9a49c49d35d245927b73055fe8119850a917f98322cba49ac6cf1068a7d73f18dd1bf813d6192931fb2dd684df9d2440898ae02e3be1fed1dc883447206f3cf78cbe5cd009fa75cc95a6ce931f8e9d76d450d08c6a40d9088ec2fa93209d31bb62394997bcc31dce1db6fc770d0b49b2ea57bcb67054df6aeffef048bb3eeba69a18065c6fb7c7359e3cbba78ae82ceada88ccb7968d2ce506c130347c6e0f2a8b4439c6d5bf84fc57e1996e03358f6bac8ff19a093192ea2fd87d5b8fda90255266a187d6ac4acb6f6c5fa6a1ecd06ab40b1ce02e5b24bf2ca0aa80e7de3cf32ab336e71f8cbfc4543286a807a35f53d47e6bddd2128f46c69ff64da1300eb7310a824eb5f0cc9a1f67d5142240aa8f0e832967b1a267685b93207161d6d62eb5bb54cc5ee6ac52f6652787c2fc51623d37bc24872279b853fe0f2ae594177a12e85d13888f0bbd93e548626f75fd0d6cb435d2975c98ce698f13ca99408b24a3f142347139eb12af7178d0fed25afbbac26ed280e821d224d60c03d2613281d3f77b00e6e2cb1f54a51513438f724745795100d7234dd8326c05adc970e0ee5ed197e9b09321d0a58a8804e236898f73072ed657973d550d4ebcbc15fa61bcda47ef743a6a707b2806f08d5f6f277f5802537d79ebd70e2972b27e56efa87df7df1ae4b9ad19dc0b6f7a7a29ec856ca8bee902600abedf17970ede9f9ef318cf2ae1c8aa5f2d003871a2022de3f109f90f2917425de718c0f8449a2a497f95cf75a3edeb3b430f165b451c6df2707ca744176f8835b8265185bddff559b3bbc3526db1c1abdac7198725ffa70b1b39d57d976b002ff14281a84d27d318e59ff901452383a7cd02d4cb5e0e1e7b86a496592ab441eb3807a6bb732c38c8cd0aedf246c8267f520ee9b22c41c928659b782755e8336f34e0a3a58bbcd630f84daaf2ea411599b24b8cc5890d5e0ac50242f455e2bf05e0e3354819d38c14aa67af1dc19b7011b1ea068c05368719f5356c2dac644a2999fdfb4a33ccdabdfa6a724c71d9d019e4fa56492e5730deef886fefe3f56a71bc261dfa51b0c6d2539431b84ba8be09da83e64b0a79541cbcf603f6e97c2553409b688201504e41ecf336205b5eb3ea9583d8a7b95ffb111681636135320af6dcef32bb6c32106282ee2681308f76eb3c8064c9b082c356055d301347839207a1ab4674b003288aec662e0fa262a3bab606655af6771f710204c049b85fee33d6670c7734d9a90790c84b3e3f18707b7b0308a48540c0c109d8bba89635f1cd6026e669523ad77456c96efba5400360fc227821bf0393c1b0ba99f7ca501f7204178087bb958449a6d3afcfd4aca84d5681638da2fee6fda804a2422fbb9a4268bcf890cc9fb74f98464bacc7d2623512cc009a1f918de13f9422398142ddb6040f0879214fcbcc1937eb81e11c9f4389a8c9b2b19817eab43657f9aec91095ef0cb08c8508af77300fed00b6f21952ae3b6be3024cfa30dc71ef1fe467e77d2b394483fcc916150ef9581835db763132b2dabbf2d480e588dfb10d61aaa562866c99b5b79a178028f82569250e52dce60833a3d875abff0e20777256e7e030d93e27336a6fe68bd44eeb1c4da1d703f0bce141321e29fc7a44b29744f8692d09e052b8ac693dc23bcbc2405727f29321e89f27f89bf82e8d2c9d24557f22e7ec5c6bdb0f2a0733e643de5fb8373d027b849928b69eeca1c1000c13e228b20f767d46a3a63598b95fbd05fc63540d7dfffd32930fb24a20bf16f8c06065edbd9be61ca778d528ea8b6d282ed88586cc09fa8595c89402db1040c6e3eb49cdaca0aac5c6719f3ae3b35508b1ed93e0f87c2790d80c30a6519101d8e513bb0d4d67709e928f8cdb3b37925fb1062cda8a6986778064cca1c2f99850cbf3a250435e64bfe4462521f52c973a78f671e66db84cc6fa775a7b1b0474186f6438c834163dc1b389081d1a63411340bc1526c8d68c349f48c4e65ddb2c1e8caed46af820c5307450fdf52334de3fe38c440444fad3c86a8781f89a740697a859555ecf143f4a0ad98a1936e7ea2d64b59e3bec510b364d272c983aeae4239fbfced327997f6487d1e74680305f8c6f8172aa11ab3bb49345277600720bc04eda8a63bd583be0107085b25e4d46c370093c6882a92747d2c9a47acfa293150643df43fb00fa68f4d7ae7f8f1b233b74ee672936adfb8430fce7161135defae7e2f9fb942bddcb33af840a2a2a770ba03a0d3222887ac958f709ce2f788d61e221c925742f4c04f70fa03fff4fdeae934b5f16e59368672d16a2e847ca5f8f5703e601c7d893e1aee529a7107b601213b72087fbb1ba99147352e3d5332571c0e3466eb9bffc504e6d0ebae9f323e348eb04860bb453aa26c9d007670e90c6c49c296d91691ad1fb25ff31ce4f8322a3ddc26c7f00d0a6a8c424364ba9a6f3a647582bc5415cbc4464ea07abfd49fd6b4e9c164c3b9ae20b8c1bc2cadd825b46988f695a77ff09ec51fe389e1c23fdc8227ea30631a5da79d306c29de6179d1cda7853344bdca96edc74155d7fa13504692f7731ebc7d2853204259858de8e86133ab21454f5097f72177da5d3a0b99409ff9cedccc138668b48eabf0aefff650baee43fbefe184a2dcafeb2ffe4035c30d0bdc9ed9fba2bc77c43e42afa79815e13f8de36b64622301e686977df89ac90bf0303e235b0fd69f4b4c7e2513dc7fb7950606dab7e142f97e490a09c4d59d614d9e65b86833203500ff6bd97ec0c88c876898150a6a4a86f40c6ea512a14493e37ad8af5ead9ad5a851992c4b314dc71456c78090e75e63aa7ee0942ee4857fe71c9b6f9197a7fed6eeb15aa0694b58f1840e7859765d946ac5ba2a5cbafeffa2e3f8423dd1ee72aae3633079daa987d5246ace04aaa55ac45375da65c88e8638a92296423df5c3df17ceda370636623d303f829690d3035f15551b55a73c00f802767617e39b83eedf03c1670c0da9f5f4de16441dec0712679dabce491cad833f5a509b39a5e1ed3460ed38be7c18423c760bfe575f9fc3c3e2a5a73ac5534982370ef0ac463604134524c0dd7ef727897632741472896491e39beb6dc202b837bb98ec63013abfd96435b44dd510b26bde936cbed75efe4f48f5aac5cb3979f4ed14bfbb5971610d6ec53e3e977d948ae5ab1d239a899ef860f94fdb69a6203989aae5a9d38f89ed59d05aaa232086dd14fe1b4e6205eaefa0a2a2de94b4b291abc5e37a794a50133adefdaf84b638e6cffd37faa50cb154979756a0e39c0c91da5aa05c4b7c32f188d57b9b12b60f9211dffcac82e1a49aa84e6eb0c8e8d256fb7ef768a0dd11c27b45a3ad1e854f1ba07aa69ae141796847f55ae6f14a03f0276af89026556b1cdd04c6f495c072720c89ba3416464ac2eadc499131620ce9a21e8d158be0c4cd1498333e12671751bce4c269d2c7eea918fbc622d26ddf98c9ba0fcf2ff1771d4d4596d930da70c19686c8faeb113d02c05d987156cbe7a37315fe7e927abaff018af711d403b67394df9188c006174c7d09202dbb012201616f08f5e351f09ad8a92e41da334cac6715d4f290910008b25bbd62e9033113cb78ece2ce3066d26082d2dd4e3284d593d7e89ecee973dab8afb9212f07f3cda55c154a4c7bc32aa5295d3f4d063b1c31ca26b89e2da735aae92ce00a6f9e90c9038a86985aa5baada92e73141f598e85dde66434bd63816752566b429cf35998989b288ea5d0dc910f322fd2c25e1939092d460960bdc21d604a8fb1c86c5ed2c0d2afa9ed89e86d0f3cf798d6624e9e1cea3c05125464c594135dc9bad5566ae74f0ca3dbb838bf200ac551225e2bca5cb5377ea5f7158aedd6c3b09c5d486476716416d4052c55ddacaeadbdc7ac439be6746c2ca4259f402ec763319626c0c71c1d61e0db4c76d28fcd789fd2f129b2a892b32fa5a42df1030ddc86e42d60491e1b7d8a6ec57df91688a9320da4f8e81f999bb4e0812f32f23900b72d37b57ac69a40d2c7980e119e22d6ba183d96e8621fb324a94c6999200d06fca954e2438c124835707346d75aef1813da8f3367295c8294f528cb7943e2036d7ddfa09a75ee0a54ed4f18951b0bb456603821ebd09d536feeea8b8112862e59356d18406754706ee017c7aa1b44063aa92dc029489f9fb5ff0c0fe34ce17b7f180c42b88c62e7925c444149353874e0fd4f3e8280ad85a57a9ff1fefb11ec1503c132f87fa5375eb1d849f3a6a6f4c0c036afe99889e9d312099e29037d4145234960ce074841153f283ee5ed4c9b2d61033130b71570517bc33e9c8187d4c0c5a64261a65df5bf4f5141474f2d09350eea780c781eb423a301bbe9a0f77a94ed6a436a24c1a67f5a3ec38e0e7040940111a4f20b4c05b68818b93acdfa4a041f532c3a40bf32075217be5750683dfd9c0ded0c3595b1dd1fc55bf14d9d0f44e2a3c43cdf9ed15445c43c2860ba327e85caa6a26641b709249020cc42f3455c7be0126eeb9a5ebf47df792d3b843d789fc6f4a0e04dc7791dfa7475142d1b753ef3bf5758f645aa1a9bdd3b61b4872f1b827502aa39b51162ea92061985a0c091c10bbd4f0cf1d6c4a05e17761eab1d65deca49a1d38bcc0771c8e91f25f68c42319d9db6a7ad65a06444b9caa89973ba3467f5242885fe1f67569ea225ba2954e6a137979177f06440ad58d837e13ad23c4ff95a291ac2505fa7490134e01ba9e01ae6874b59bd600b59ec676d87ffddd8d8e64ee516473407e16c0dcf3d332df28ed7d7275a82993d6db7f32cd7df810b4bda123c776401aba642d46efdda60b1b2d1ddd20c281cb3b9b5050bb1b67ee9d11a8b374199cd53b42e54358a4582b0be7892f3fa542875e3ab3b1b19ecaa69451d2f7d3197269ceffa03906f3699037ca7fdc13b2241b7eaa8ba4ebc64aa12c616d9ece76184c526527cf980b8f9b76d4d1f5cd1cc4d88aff35ef84914ba63a68fcf9be4b1f5e78a53be31f33ab0115ccd9313f18c8d733d11097d386e8d33ff194af35c3de718379aeb248dc679e6a01f9d423aab6a08bf4b9c5a70ddbfe0bc1203adc5bc4da3b760d24e1831bc587a0c3c6f8833b0b4f5fa8477fde8e076b762191fc5507f6b16ff5cda79e7f5d8e5e26e0ab06bca01a540723093eb78d3f8c9aa1850b21c1692d8686d5c49ca16829e82c2c72262c52ac6d19aada2d574ec1e76930474c9321e4a353c79054e6758dd0dc89993772c1dcda73cfaab526e5488beaeea90b9f9a5a418911083ccf1c8efd6d378bfd7ac9c904f3e3ec70d920c4a267155fbf2cf6adb9856a6d63a58c356e2c0fe92696958f11d7260d3bc3499c6b7e326dc7e3f57e308d6653ec8206a96962a609b6088772d25b9bed51bb31ba632d5b9d784d54946780e0d8e6e4556cf722831ade11af9d58d09657ad95e8368a2d1e65a99f95a741b296f19e32115c696fb5cac2899d8e2d0b8c07dd4a9e5fa7c147d48180f21ed2d95e1c51d7438d7f708a34b50522e6bdeb631cc8c590742899d496647e903f129f87afcca0e6c8f60bfb3febf781d3899be8296c586594d292d601e541a3e6f34ef521bfdbd985272cc8c130570c67437ca3a3db288ed2f0e3a3545dc97748f68e50f4e7560b2a04b12e4daa96455cce578ebf31283f7b7f564f5c354f9d47ca2b9c8fbc476251be45ca69f610a3461046ce1fc1b582680ca8609027191a9893e4eb9e80528139ec28f149c5a10eb5434cbb1543723fd2a327b857ed26cd3867969ebf0adfbdf921881572b8a72d9ea39291f7cff1f758a77705913bc55856a45455346bb2d2bf0951ba90f31ee11d9083be74a86a37ec95a3489e272cd0868825386e4ff1695c48ade6f22a4e22397f0e4ffc5afdc2cf77e0f261bcb0d9c0da7409eed6bf74c3d9ad451aa57c681e603eb0e970e5aa57b19b46771e82b016e094f4a54239ce293af652ed772441fe3c9bca3bc1a824360cdbc04f2b85c993698baa354878654f390ed08d5e88a266b3f7dd0631b575d2f103b393347d9056abdea5b7edeb4ab7a4c87a5e6bde65c1b17317b77802409559433a7daf4d2bf03ef3a00ad8ae801166e649c2705d4d1dde2ce09945bf370259809469899f52093ec8f87f51197190c8afa88848a283a63330e0c1ab25e7b226705b6c5dcef050b43db4c297b0cb6ff8af210d272be75085b3429910de49336369a8f96da018787284697d93053c05c96ecb3c38b8a867218c6845b01876884a514d9b232be430cbe0e77d470524e161630c917ae69b4df27c9b27bfc7a232481e9bd885e7fc8b944bd5ff8b66e48f735e1c3ecd84c0e3b4deb61925b92c494efaa1fba50d6ab39525ca5a1a6c608fc5493729034a8345f2938c0e549f1e6288b74758268617ab447012981e386986743a09f228274e4363a42714e715e7bb87edf0e909d6ea40a03d36e47250599a9ff2a7c58159f83cec0723254d757154d92a14806ebad401d10282de61bc236f485346f4b0c3b300cf47cbe4447044f539df8e7bc18afd3a79f2527a84d2c1132af9dbcd01ebe67fe7dde913acdfc63b867efbe3da655b57348a428536342cb28dfc9753019f9801c71c5391b921482bee854cb04539e9ac701fdab55edbc7287a0570b3bfe15812069ee9ecc4f3b4ebac60e71406068be491eee814d3e03451f58f746da3d42ea8512b24284564f7563f618a597aca6d98d8864af565f877b035291c2129e409cf299f9ef142a2fd4e5d017668043926ed4488bfde4f3113e0bb5d205051882ee3846b5e82dcc09c14d6a7e61ad2104db679ef950335c10be273095c22d79ba0d0dfd7bd986389f05fbb03edba994d86de2e9c928194f2c486d6a0ff172b3794efe083bf113002de2730c9a399b82441dd58819d4f8401b0f4865eb8ff10718a57ef241db45ecd2730a0cf3d9b89c1655ad1ef48e9cb572683e1b0c376ace86193ea98c38cc0fd233592190006a907be003fbb3ba79bd385432964aadf238edd99a4db4f8b9fe8c89143bc5a7ad3a5a498b8059280a5e54a2e3272d0949c7a2d8c45dc8b2e9a27018f1109fa148155e8e519ed244052cba422106894386db24a670e78a3037ffbdfcf4a0411fd649ec8fb5848ebcb552a7a01f6aec0b53d51be9237c7cddffcb21f79473812c5ece3eb30e1c5c1666da4f22bde45741c36bc92dcf52bd75b92b9a7a2e883b7b36fd5bc269a8bdd4d7a9eb6b66fd6788f8e00ccab4d09f52886d0a4d80e11c1ef256679baa43deac458e1a2a0063d653bbaf00a484c6f1c6422d574922b731a20ee81275475302c9ae81a90c55d8f2f570d10ee7bbce64872c21deefb92229ed371ea871e1599ba524f8f13dc419ad1572be9c83b9d12c3ea871402004f39a5052cfb758d1273b7ff58ac58af3554647fb05cf493c8723a497e8d3ee579004072dac5ecb4c294c3c6a7aff9d3f6a73534292b52df645f06dd96c7a917b8e387c61e05b3038e69e5f8a21c4c086d41ce49d400ab0e96b71fcadc7ec2d372a80f24e5b83e67f91c48c630093f1de9c7c2d4d0ad5c1b44788d491f7babc25ae173ace84b4467d1e13d728bc8a3a841cf76c74fcfe2bd975ffc2e5466acf315ecbdf50e1d425b9494468ea2c7302cf333640bcc308cad7a1fa6e8af52624ec088a71784611267534d87085eaaea5f8dd5e1acc09d0aaffdbfdc8a93177a171570c81b5434d9e965a6a0de2c4ecaf7aeaf5002604e4a053bdedd5234f15e4f3280bf109dab5e3b24852238d9cfad19e1f5fc87d126677bd22000d3563980ed927c55f7544ce2dd3f3fcd7eaeef2926fbc6850ef22195aee8a614aaafc164416bcb69781835b8b6da4f194d813e00d62bb2f7c9668fc5cf359641e6fffa56ed01b9ab900b05bb64e1555ec2f01295a51c25a0852e9a9832393825f8834e6161f339bab95b7f0054cd297b6036aa5a066f41d007ec2662a5544c40be6143de552cca1cb5d0eeda28ebc2edef2d8d39149f4be8e8e07375bb10c8f8fd0a2825dbd81075af3d466848997a9581780cfc0cc3593c461de2ce0a2044a77f2b23e17d6ba6195113eb4810679def1be4ce38327305123a78c9b297de40970ffd62b1929cc105163cc19669480b25bfb142810d6cf7485b34e514dcab822a31d66a1dc96e865b3785446323117f55145387171ca7e8c065d9f9d6feee00b05bde3e2e193cc573e686c9f91a1a2ebae7a91fd8255d7086887d16f3c28faa8de39abd2986691474c5f20719190c3a105953c49bc70da06ce5290148ace35dac65a39534cee8eed967448ddf124069d45d7e2aa3ed4d88b1e2ffaefcf023268c209946255b60b11a9246617008120a62ea34da5302a028cf8c535a4598d90a6379754cb7a961e1aad4b0ff6aaedf404378fcb6a801528775bf7c6cab9d1b4d8bb7fe0c565ce4d9c276d8013bd876216c1fcb483b2ca73ab0f2bfb82b39725001243ab52483060297e9ac78cb9a8a62d8a4b05e0a9e366391ce67f31fd0f846d786927e4de28caa2bd5d798939846796c31450e689aaae2d3045df41e2d62b02009f06590dee0c0ae5ad6762167246915f313d039f9b641f5aa3e31eea9e4d7c5fbe92e377dd265d10ac505cffbf723f3162ddaac0f76f91fda2c8ec9e09a33da23c77cd98e1669f3d8132f893b5563f275f9ed50b2c812f32515f50698a2097ab44355018c058f4b363a59121fa93c61c7c21cec278358f96ebc39b604bf20cc8b5c05fc4d07124ab80acc748956698971f2a822ffec85d0452b98fb92b99ec7ddc22deafdf70874ffb0f5ce002c71bdd8a69bfcc6aa6570749af22d63903acf9c8b9d21872ddf31c72404c9fe3ba3acbac06d245259e2a1735842101008f8651e6d32a9ff6c8701f5299a8d43a42532f4720b31fc0d7d8fc4b1f6ee30bb44bddcaae5160c3e2f71136fda9e51ea143a0ec4c28dcee4743ab347c74e2237e0a68e955e12d858229c73a89de5e0be0b0230eba8eb701e5a684a509ed7df06c8dd4534b2d7bd14ee2deb3cbd95e258d15f585aa08c52192405f784f3aaf80ef566ea95feef80f60828114957496c737ad2592f4278b2ee9e9adee4e9c82b718185d7d14c471c088755363ad5350ee1dc9b645577dc727ce60a470175841bdbae6e7b8664f15a0b376744c5da71b9fad030eface47e621faa7d59558cdf8e49aed4616e9b71579b75bae828a96c00675e15d5116fceab1e0eb8ad7f276b2d211735cff3b487a381a8aa25d119f87774264a637b536230fd7b56ff7f232e679e98aa319137e50c002f6639eb35c934fd4780c414f47e07c806573bc55751026c3d1020d603f1dc1223fc51d609e00d836a27d75ca3b795e7e7e6850c5b229335c30f56d5ea4a4159afc8f0eee096c2465166b9070c13441f8c9c1ab79ccd576c1995e6ae3aad61c68c3f1a01b6be38e58097826cfd2b3ddc8e1831aa3a35260ad450d5e99bd34685c5a93e6baadef8cfba7ec86d2118e18cb48d0c88b724243364181c2a7e4c88216ad843f770f5c60d26a694c38177d6eea038af5d0de1cff17c2e3d469541cef0340bea7274f25ec3d85a94684e628b9ab5d9ef01e6a62b9dcb14f55e1af9cdcbb34703a81b3b301d539aaf7306319edc63b1e6ee8e9bd0b406b9695566f06c8acbbcd0b91514b2cf01e91c825f21030f5445e3c695221389a7b1d0e4813ffcba9b83b889cc8eb174182b2a37ee013f83f8ec98ad32afdf6fc52a7ec4f0145cb574712463ef45ee2b52a4b6d6e04c62acca725e2bb84e73f48351587a8e7207ba6285343f8b55e50e9fb530cc3a7f21bb173350ba33a3dd424697d05dc8375fb27ee565bbb8e6fff1d8a38dadf63b2a7413a62c162652e42a32921070c44f0a280fd5fb1c70e4cb89d51b85ee3ed9fd8042bc62d9ee8393b92bcfe6c4a38b1f06ea4594a20d5e9464f2eead2d3f3c6a7fd191ccc377ec98513c85b8d2f871f5f83a8c04d12d422a048780f2a3a2706b236ffb2ef120b988783c900bc83257b3ff12408d44ad73c786ea1e747c4e2aba1b42bdb45dba9b5587083cdea9cd2a13c6835d7dd2461e0112f8afb39ece9a659b8b20197e2463b4108c980deea556ad036fde53916d2c6ddde7211b28b0985b61d091d7112aa86d1a8aa0ec39482a850b2b69afff86c0de9928798f4d1afaa8da7539d7643f7393bc51b26c52f48248cd255c37d2c6b014c8f728f96b4a0756fe0f15c98142fa58df94a8837e28b0e0f14e40e414dd59ddd36f9da8baa6d23356ce83c2654c28a32b2994dca638977cd1dd5d7a3089403c5209b4c5dfa8d7ca036348ad0b65bbc88a031fb4bb70e6311484e2443020253b779696298ac82a5dd4fe5515a4b7616b4767e721673105e2b802bdba6480bd5347c6bac326c56279bf9422e00010ba3ee2c4b5546078c689b0200b650beb1f4df9a74f9a924acf2addf5f6a452667a17b8d005d324dee74cf40c62e021371581a3682f6e061aea2eb183ba4dc0438e0c8a52e98e9d5050e948f497a141338bc1fd3b8960ba2513722c705a183a7bd1ebe56bb6c0d4fae495fd2359c4776eea064541178ae17dce31661be4d96268ab34e1f12df23c47fb9dddcd3b87bc30f48de708e1d2c70f90001ca808d6a7b8a1f1d0712f8d73be084c713152fdffd15db15b89a909b4993ab88944caa6147003c5ddd21ceab57c9b6c3c73191eab4a4e570d0e40e1cf66470ca9789e45bf45e3298116b87826753aac5a2ba6f3259701c4c87729ae99149b25acaa53ad07fe349a3953fb59f25f471621c9a538c588bda8c09524537354dca6954bdf03a9e6a595bea8c3b79bb8ddf5bd586c541b353308b47b47038bf2deeed9188450944c80790c6c91cc0e61cd50d017e8fbedebe30cb504d810cb630a4a25d9fc925da6ac0b2adcdee31a3c6f6d67a18e186d3eabfc4b0ce06c664ab388d810a7d754e761e719d2958640f9b3ffc6596d2254f0cb87890ec0ce4bb9e651134ca0ddbdd74e8903e8caff8070e1a23164741335371d36f1b86471ede8d1c28f0530218f1ce756e8028f95f482c76d193adf579a06f102f2e30e7f4d317f17fc075404c5b9e1fa6c99a65667f6d140f1c6243ca98a8719c45c0e2e4f069e494003c77c3e2104ebbc171bc849d886618690e50cc203578feff362a5063de1faf18c5dd67b43a43b3d301043a6c7d1e5d2f4046f94940e4637d29fedabc6b33d05aa00b116b14d90887fb2a294134bf08d2b7405f1ca3d6245d319d24acaa173d04670c2a4ad7d756ac5e562b7dc439a94f94169d810d212463cbb689070025804c98340730a4f9922c76a2ea6cc22b071b2c3d84cbbfac7c7a735665188207fb6f0163644e44d287c125a8da97bc79ced190e1d5e0f69f26547b5521400ff6ef99b8f5a9a0c60b78aac09d58501e163a2449ef0e575aeb4e6efe1a3111bd0cf91bbddebce521e28f216cfb95755c88d73c28ba8409fbc79d8b62a9f8ea50b1d03918437231d96b1a7afe2adfead5c0d6376f768d732bdbce2648556b02aabbf3aec23c7f47c8502c4f48be0fc76053bb2ec687a04ead4ab458fd8c4e59ea00fc23b837eeaaade6db7a7ab26afea14d63184b6d3b8f9450122c436f477bc2bd55929900998fb8a3b2ee8582e116d622da2f6b9ff0ff0e622d1d1b3d2b83e992f2dbf8254b5717a392e975d695dc0830be53d0c4f4694a19535692b7d39eacc25fd72305e2ee88c69431dfc27ad4ad7ab00696e6b2b0de616bae9476b65c815dccaaa298ce8656797d466d243fde36ca639985f9b145ae283ebefa42dc62cb4b47a76b1599096cc7e607ee558bfaafe9b493ec98a0df7525e024cb4964017a61e3d8d22cfbb899f8cfd0a4153555495bf28266a9befffcff035592ea2a4db4aa589e61423c1deb0c1df1fe19e3fed52584ad2906c65aacce82188444d464660a8fc18ae980ac199b804b02dd2efdac733cb6fbffe612066c97c9ba4518c7d036ca9214b9609218e443ac05794d192790a039f9bcdcfe1cdb8d639b478d8aceeb6e7fa34d59777ce5c7b9cbf6713e458c7ff18b27a6ce7051076e96bf82670e587ee21a675b538525da87ec3287e1b3c2ed26b02e20771eb04bb6e5e68a2d40894e5a0f790fba7c31c21be1dad7bc460d3a3a1ab9821084fd37c3d5c2a763decb2bcb815beaad56159bfdd0b1d4760b5a3900c467bfa8b80f43a67eb4c67b7dc79119efc067e69cfac3eb459961e45a1b826b5f492cf1e8f9575594e7257372f2e502fc932898df7dc987428fb2b08796f99bfdd1b36cfb4759efde6a724a97753135b8518189d3c22f4a33f2a92ed247a227a13bb9b752f7cca23e727498b3a7a88c0fd19693ae5705245390a68d21250c7ac82dd44b95a995f74ff84d24330b5274fdfeb908e2af15d116245c593a62a176878c2ddd15b16d2f3f2b20824071e678cb846bfd101a7fa9376d92958c792a87d1ae1c62c5ea4ee7467315d42dc5c52c60d52eeccab6e98f4560543273f9edbbad6349cb5f2f49debdab4dd357ba73474de823f98a73f201e445c9f6697ff9a57dad6114a3d1180caf2d73abdfc02d7e548c1fffd0764811985730e3147ff20e1ca4e31c48de1c40251093fb5125ca9a41144a58526e9949b902b87fe55212cca5975d3550dad0f3d94b44bcddf188abf517b9099e198eeab2c063fa582fa9d35e0bce019ca349bb00c224069e4567ccbd69a4ddbc70491b9315273a6e5117da32047899b04ecb39c670c931786c1227802ee7c7cf34923fb37defd0e459993b22c8d1da224d806ff5cc1450f203baa3377520bfdcad14ecdcf64eb6e26ad978ffef251f4d58c68c7b1fbaf802bd20ccfb00463c8a2d0c964a31c2535361f900a138572bad3ea1a6ed430fa7146954d899e5291948c4b7a7426ded2e537ff6a83de7300c2027dfbf8bf0b00b51a7ee1bedec395988eb07cc27a0e1e2209d7f732180dbd605ec0e27a294d6aa6e464110b9691328731e2acfee6556aeca08794cd04d67f3d4ab9fa23c95b29ade519ef08b0ebcb3775ef725d8c8bcfd3e27964035760a8cf318e3dafc752c846c4583807424ff7127269344e4d93992d57d07e4f1312f29f4f0626a562fab0e07d45cc45d495f0c1ceb343d77c0c05ccaf7d94084342f4b77249a9ca79934346dfd35a5dd01d28cba20a995583329abc54f0510f7e40f1f8667f2c96fb2429c1ef87ec6e8f7f6f4d6f7e947856ddb3d9f869e5b7ee0725c5de60a197cb4136235e52a2a7c2c59ac236fcf164877cdde0c5eea64b277373462fa57a6fbb94d8502536ec9238d06d01ca8af0a5b18af4b823d0349eada953aa05a26ef7a17e96f36cbc46027bed96850653f373d797aa7e4d73d12e2e901ab9ca108d444ed9a53dce57ce6c38121792f5ea476b73d87e4034bd2dfe911841a9b981010558c210192985113b61e568d91c7de51e9e05a4ce1617fb9b9e40e711f861c1ee0c30785509b1f63fb3e61a87d3edf622ed17d2e4d0907b809470e0452690ff71684b9778d081fddb764fea61ac717f701f058026232b99d1a9c67670e55d4a605717ae38a1025440b43c083d802ee8948ec9d87656279cfd7b9fe300f0ec6ba24f29a8655b2aafcb51c9b7228d0843fe29841c7291a0b9027e998e7016deb637c100ecfdb36ec131b9a35fdd3901c8a6bf5d4d310a8e7fd92822356151d82832c9dda0a700bfc77a930f932bc4e6b0919139b1b00db9221a3cf15eeae2169a1ddd9a96c0b33ddb738e2a0242409a2cbf538b1efd33daf609b9788a526e389ee72e6407ea57767404a290b0716face155adaeb712f21d6154475705f0ab45b63df430bb8cba6a3b1f44780922688b650c470c27a19a3645861a8988ab52c7d92240690262ae6b814a7bb40b90f3ec2e45003def71c17727668fa9b352b85ed73ebbb8332c3235cebdb8f72b3e5689dbf0eda38f688ffb5276f4f04edff70134b07deac43847bcbe5ed38a565bebd4440de90d589b2eee7f70635604b01da31e4874e43da7de78967e2dd084ac057eb99fbebeb241fb509e6c91fd34c846ca57a74e7e2fcf871bc69bf9883e96639fdbcc9fca04b3dab7a577cb002aed0039918786de514d7d9adaf3554399ded8667508d28c291d26de9e7e6e023c55842c9a1c7393873eda0f0e5c8c6fddf879b4143bb0f7cd963fa873b1c84c809a36f427ae0ce656fd7449e923d3b19ff4555a235528544e6c5465543eb893b3c8db285c63030ae3afdcf4c42298b789313ca3b7fe1af4a1367571c5f63b7edd33f25d9b515d01b20a65441142df4d6a142bac73e3c62c7b7f8082f897996ed3fdeaee6ab6e3d18475121efa7ab9ad9be656e3002f5a1b87b5ca9a6dad69887a66c6839cbfbc3eab144dca78c1055cba3d8542c680808a3a564f0d473b9cbff9d3c1b28cb9441ab02a3a3442f8d60999b06de1e7b3d42ec871c267ae51cad4b55d6500628ef3c48fda5c78b373099d444ab52ce3b2d762ca22dc6129c1c2cf56eaa01012ed18b4628e5dc3c1598860d3182e1df8bc8fbefdb94d305814811091e576639906bea697f8da2a4de8d91540a710879bfbae37031dae8d9da691e977bf076717b1772a1dc35b95dc0e1658fdc5f1ee8c89c33df6145bfa8987b1b62a6942b42f66e8512331cde0e43d88cf72bd432631583599336ff99744b6f821fbbee462c25eea079136d29f73e82298af8ccd5fb09a06bc5e14a6915820f4371516b9cfff351941197392530d6e2a58dfe9c91261743db4f27b6506b1c7bb40cc564b38897a053e61b17582ab1afd3d45b6f65f5e8023d103f2beaaad510119b3b30b455aed277cd1dcc51ee2a14dcd01674978490a077f12a08f87f0141747952f9265289c39dcd27ed7c0b6d68bc13daa72ccd0af9287dac44ad592c940e29e8f9b940de80b4bf5087094c09dd50eade72266123a05ba6d3069d3743dd249ab7a5b7b474eca1de0fb96650eadad966eb6a7c9a70c90331d94e9afda7cf67de2cf392d7284c8e31cd4395a9a8f2d5f544b98985264009a2ca392a9078943e8aaa30f3bd9e9fe9d50d0098916b317fbd583823e1f392f8a6ceda4ef7171510b87f8b6e114f1aeb6e20a796c24c23a2d8d15e82381142ab8527e788a4279cc6ec07daeffcdee83ce53567f47a97c417556207f94558fc441ab5d375ce3713569d16cccec48a9b3b79c2ac78329cf3f4e688f1dfa324afa293d81d8b025d46a6777761c282334907990c11a09eb2d6ef197af86ab235597caa646b62dc1625f0a1b8f4fe170a3bddf4a3e51a11203c10d847a91a79c38a92f7001169d728891ffabb74eefb69323743429e0c25e0e106150b4b26b046cc7f8bf8d1b1fa92fec4d220d582799daa825ce05239270b7badc03da6d888cffe11e8d2cff63ae7d828f6dc9368c4f158f9aff0a24db77615f9d5171e7ec2a0a34dfdeeef31dc3a081fc1ac35db35d2a6a3a4f0adf8ffb9b87ab5a0e5ffae6b4150cdd82df8c72b7041c5f52f3b6e7b3d34e1de8c9a285da76705a97a449d82401d56d1ad28ac8f0776db89d78cb5e21254272692a8b791d27a598969ff37a19f87305228a4a00ea33c96353f62403c7d74ad43bea8620b3babf90cad8b245d9671e2b2c1cc205991d6dabda7d69afd8fa00a4e6ad739bfc3f41b06655ff08714f37d29b990edb8703155d4668327fb793e9b7887cfc415d9010cc5a6e60a7a45a59266bfbbf535bd40245b5a67b4735da1c0196540dc75772d26bf7f30158c5a13e08290f884205214801ea111af740d78a96ae8ca08b7cf140f1b191f3b18e113caed749f028fba134ad73cf2bdcb04daae205a4dde467db8bfa9b303dd6665cc8383a2169fd6f00294d84d97894d8cc7a07fc7dc73064d4acaa673b779a7131f7d6c807f3f22778f32506ba4c2a033398f5e48b498355e1cdc1ebcca02e38d70d92ff073b6f04f259a67ec1a31f995ec2d496c4e72ad956319a9c1642ef49d50841a406bde0d97ed844839926509c72af3a56edb402b65f1b2cb083ce906f3f375dd4077ce4a3ca8473e9f5142509a6ab0895ae1cbfe9cc35d68b001f5363335fbf7b6e445961e6075bafdc35f3d1fe6bc4e16b2fee7eb4769c7d173936a79dd94f9e7b456a02066013d59da2cea0c1f8d84150fbdf88851c3fad4aa37be00e60f41bac80accd90526b784c272a4688a0107796d57490437f7de82ba719219dccf0a34cafe30ee5890edaa68abca37af7817d31a96cbabe9ed658414d1a6fc4617b85e936bdab54adef67a7c0d3337a3c010010df3690d1214dc275c702f794f80bb47d1aae6754e58d5eb689579ec8e47549cd88033e474ff48eb15b1cd5addbc6e50ac54c56e4bfcbda3a8a0381a8762336519a4d6f787cb464d0182ef803f5c70eff5a69f3ef5c173c749f502e29a863228a03ad49afa84a7bad6b818d7d25c0419f544f42ec2d5f56930b6fe3820a82518945ed9d03c99a3ec9383542f6ada9d114df5adbd67a24bd25d42ddb8e6b21c820786b6a3e836c8e11880096c88a76e6b3465b2d61fb111456da58dcbccf7b19b300c88db34699a9ca265599305c22a780e0e1bed18fec6aa777cbd0e9969533401615f79cacfe402f11629b8122175a8367c1d105de7f6a1cb88225f778cb322e41f990c6409fe24b6ef4b37780c99d8068089bb3a4b778ec63c80f6f8d03343ef3770f288c724cbb375f1262bcf9def4c6cf0f1b44438ba89a2e02cd44f22143e05e69a393c69eadde7cf16d49be3af9d557b0be1597fcb7a681dd73bafa132de4a34ca6486127234bd0ab6c050df98cf6b0f111f7500652ca14cab4a41fa2d18f1c664626ba70f874a8365ea64d1e1e8a257a1d313a6b652cf6db617dcd22d74378159ef1ce25258c76e1e676aad0722a01e30db706e67788d558e44bd0fb600b177d88096f96dacfd78b5105fab1d3a7aaf3821f9b6c39569a4ebc38fb30d472f257823c495e9417539f0cdef91c7a5b0091ee7c195e0268af5ef300a5c9fe1406579ecdcb0915397d14f82ed2bc55f8de4e5abcecdfbc41f9e80a83a072d01418a2a544f718ec3d4f6332d1bb2aebb00c6ca66b9999e6bd2bc490523859f0db1dea63779b9f1f84d52cbf3e7dcede8214080c6b54916f512426bc9447266897ad4078118867e0d6746cd99378ff539066b246ecd123bcb3597c4acc172ea13c1e260468fe12b1696ba737e1984e9b593f774c3db1696be6964319b9f9388707bae3ee0858528e3658741dc271e80974045f3ccdcf5c271fa4458e81023f42761c5eb37375dea4e4d4d8b1de0b4724631cb35b0043e7ac67c4edf767115670eaf50370af4cd2637de6c760e5750b8bda3c5351c16a9a5ebc02e2ea24cd10e9fe31deaf0e250d869f933642bcb9da2dd7ae6d92e3c3242c2ca4908bb60f19d68897616973b67dd1f1b037c460f7181782191858f2003a4146daa41901058972d7baf5088dd5f89f294ddf5d0b6af191f36df14250213469c2735942e825ae6d36406817d2ec872e739cc1cb9f0bee817e95e37bb38c24b9bab958654afa1a38dc4c3155c37d1310f014a5860de0637d0a48d23331bf8afc9f5cef164c130ca4a472b360b92d4552f083d6ffc381f8b033bcc0550c42ea706ca15026f0d4171c06e6e3ed636e2d7cfa92856ef967342076d612e419457b0667c8087f01ebfea10184cb54e7c6df803d8878fc04ec7e45e1705072d1a554a5ead50980fc7dc0443a2f51f64bb73fa10f183be1e8c4368441ddb9cc5c47845c02ab67194a7f27a109036ef7c44c33ea236f799350705cf63fa5a8ed6d8075b8d483c41a589c4ef7efb716cf495f839a1f22ae433f35d4c5abbe7bbcec3a78ad021babf3e0b9ff84130557125622e93b0795670617a426fa536430d1dc22c79ef99b0474f5fc4a7812efe5c9e2e9f1a23edfed2340ce460b118525836600127c410d977d7f2e9a89a6b571289479ee50ec969a026d8054077f783ac7038fc45f1d7972c01d4ff6811fb44dbad8a5de90b39b8a8c055e25ba81b4839725ae5f33875d468fa381a5866ebfa41f21cf2bcd32c0a3e171ca4cd5ee36fda6a7de9f0c630430e796fcae444eddb481d8c61f7c1c1a6b6b6df269eb1c69ddb5d6e2c4bde345e22546ca393c69f48b4d52019f1cd025393fb97d193b53654aa6bf784c660040145a5d5da90092751a9294b526d087323a04313b76cbe6447ab73707f48abe7628a2d8e2b0a5de8dc8e7d4baf10cf6fb714170a8d0e808f9b00d1e3796967ea69bbf899bb84605751b423872250ad5e61d0162613a0876f1c0aa27c7c9dc629bc9ef8fdbcd6abcd26fcdf55e0bb080028cb3de1e3785a3320ee1652bc1a553fde8f73da96ace4c55e5d140bc4211918ed8694dcc5d974ff47276c8c157260e9099cb8042fc9f9a258a6a107023ad1f91a1cef61a74521564bee71c2c055606b183fb3e5f02c21d21f45d8c3dceb63edb8779d4e54668ea48b3d283b141db2e76e2cd4f4f609d47125519bb969771a27a129d82b326cce960126a21be34bcc01bbbda81dbdfc70e2cf40f79d3c7da6f29603a5e52e7f968c8bfc4709adfad10b5d2901740c54625168f306997e9ff6a4dd6b3089030fea08c28cf13a58a35e43883a9feaa5b6552041142f20a916a2b4bb0c0892a4ccf1a8707b3bd537b359cd86f831c655102f69601746ba8a29cd9a089cc3796df03360f77c6727dfe70cf7bd1ee97bd070a1b8ff7798ba8dc2e1ca6f09c1ac987da350d1929136cd346b5347b4aa00aa08b1707ffd7ed550b167233ae883db4791025d4d3f0893cae53d0ee29569290f29b0f73b691f05895c9a2c40357ea89b2fdebe78c41e14f014919d17cbe67b0fe6fa854d65c7a2fa0804dd88d8638caa595e49d2bcb1eb6bb45aa447c4f6ff29d308b7785fa01213a796bf7f61237c38b7d6fa76cb760315659cb37e2c88a9cfa7d48353a5e160709aa599f17ab5076cf9010a1aff139e7d908e73c96c1eeda61568730981f77f749455f6d4efa787d9fd40630cae5ce4d302f7cb502afb8a092b1a0447db8c42d95be45ad25ca5db36cd0f24768173e21b968e7f38503c70bfe56101b8152b3e1a32d922a58fe48f8fa01802d578ffce70178b29fcd877d58d2062a166933fc33d52c611c44d98beefc7a2ddfab7b17a455cabf8acab61554a4c1e649c4d228fea931d30314849cb63eea6684d5410dc66d24fa96739949aa615777b13a0849df0f9b95023bfb065c29379f515d4eb24965f0da79ebfa7af2b3852ee22611953769bc08b0df17def102abf69d9e9d2ab0854760e6ee324c6d35d804f0069d65636227f3004c20e2b74a1666b877e0701f933590c14a0693251fb7588d16d011de7e13d98b07a9935ef81774938d1f8dfb137ef0804e32d54efb3566ef86664a6b8d78d19ff938ca4e067e6c9bd56a635ba2884c97a074fd7e5d32a98c6ac2563323e1d7b40da5cc1f7a66385ef4badc4fb28ea729d6a406b13db81f59251659084f059081828fbc0a287f21a7481d8dbacdb4cd8714741779ce7f0b10d23bffed168fe6f15298797240be1ab25efd139f8f6663e275121659798aa25963f01fb9366b0eea86b68b02f48c74ddfd8f7d326a5bcdd419a78d76dc27507ab0aa42971abb2fb8f1b624d62e13980139cfdec46acd5a48fcfc5b86a5e940a9849b14c16368fbd87c5fb40b8f410d515fd63ddfc55c529e5871a4988f6b1478222f54769ccbe8ee2f3b735fa774ab209ee535a968e7f5c73ae0b5de7c384522f475b368931a1de116ed780a373343da60ddf436d33d075b54dc44383d1b526a931061cebb55f946b2b415547f11343fb2be1233678bcf7d349560ff71b11f5ea8eef27435e40088394228db93f8063dea3693be95fa1569f3b3c91b8b67f0b77d4a7523cf67d842d97ff491ac1842f40f10eacde168aec22d2d14732daa332ab4a4c30248538e83dd7afd1ee5d712876feaf7825829e2e7eedfa51679ab1d7c340f9d40420378b49fc3fc42f72a9a0ef50bf647469bdcf7149a89c14818c0ea9b5fee05682c065ca8a9032bb556e10a0a2e7d508f1d60276b6a8186759960374cfed62f261cbbe8b3e77cb01b01c412d961c16cbbff5ec6c655a18f3d99b0b8ba2b4aa9480d626d4534cf488116b5b194add0074a593366f9f4c8ab554393017f7dbcff227adc4f71578342e2d84814a1c949f6d51703ab19ba4460a1548b29a5b52b5214a1bed29e9cc43e8b0590aa3070424a755fbeff2c6ce21c722042d196d7192681845c6f898923b56e5f3a7370eaa6dde6d978e89f788d512a80fc498c33ff338ec7f0c3c600de2bb10c1afe00f096a9ae8df2b5e49cab7828c8b23e925e8b46f8ae63e024d51c5cce6b972e070373aad3419669fce258a3be7b3bbeee648a0c7caae41e311bdc63f25a49691a192ed222014d0071e3d7c64e3592feb0806efb75f5e4af2e6fed4d7d0bd43c4a7c60c815cd80ea50fcf42c7e4f1db51cf0abc3e13f4bf91a41a4fc3dc846fd52471628de83030a44e40e76462c6e3bc2cc3561cfc80134e7d03d955e9d64080cb8010b54d350db79d3f32b95068a570ea03232c72c60631d150f317724b11b487dc910d98e2cb9460ddd235a8dc716278e888689c0d5f78ab3b58c904794b17c4bb64d3d6f28dac34b8a9ee8a1dc6f6bfd1c2e413e4b24ccd3543f6eb8e1b962cf0657bead354f86f08fb83acf0f2d15cdb76cebfbe9efddee249045cc81f0360110d2c9c77265cacf1808e1c01c426620d8e9353ff01078bb31d4e49983b38764b57ede033442be57fe2e7eddbafccba9c67435feef3aa6476bb9f59c22a7186659791f24ea5aa27ff0350e301a756fec499d85eb9faf9d230b40f3982dce8192896f6fae40e80b9e7ea12c5f4d0a31070bfca4ab36898d33f2d5f351ce8cf7e17db47b09b29b6646db4334883c7dead3bc7d0ee01dcae538c3d49b1714f3c113d06102aef49d645173306c4f207ec6eac2475bc8fa26926eaab8daa466e6c34ab10668fa741b86b382e92b2214397f748cd625ba2b58e697d0180c69fda71d034cc0670d4abb988426bd872fd41b642ecbfb6be68dfa4f340707a6b6409871faa6e3067219f101d3cb77ddfff917e482730104661cceb733c1c8990e16b5508a890bb1f9e8d2487295eee1701bcac5abc493de597d5d9cba5cd5af580949919869f4f652c32fabbfa516fd7e11158d2757bcdf0f755df173d3f8a550f91664ee1fbfd1fe2e59ae2715ff9aeea4f6e5041aa73aea79be007519d9e80f3fc68f329869d7f478fe0119f2111f54df2cf7b560fb1b47165ffc114f5cbe2c2859c07c3564d638cf9c85c5b84afdc9e5adc2978b62752b13878a63ee99c68d6b79db08bcbe71bd7d43beac5e3096a2c6a472c0df4bce2087fe04ae6fc39eff4ea505292100fa2e449a20358a447dac2e932e04d7d18ffdbd3f64116e120f3aae0392e635702f6ab8282c7bedeee6904bc2880bd57531f848c8fa136e125585af4a7a7f206ae99a126a67330b01e99d67b16e0f0f06f556418d3eaebac9ecaf854ac4e450620e22a388b25ae4efdcae411eda11fb962a74e49e12de23e88b8e6e8c72121502ca28ab80ec0a5022692b0cc5062a8d2bf2cfc2be101cb922d31a3bb9f5171d85a0a03cc4c51d0a2ce10fea4c1355bb710ada6ec0f11b69a74187f2b1c63f9ba776ee670eedb92f052f1e90992332cd3d3da29b248ecc997d73887e3ff12e12feb5b1939f61c73c0709582ba97883728722837edd1db6f102788d29df604047d15a1852a5dd7fc7c74f30d392c0a8534255713cca7653257ce25fdeced943975bb6ba8593235be0f4f199d174f7843c720ccc6baf0215e17be990c8d2c9236224392020c2760c7d5610f539f02f2d083e892d69f78c18e755a0f356d6c90a8306674d83c32907c66a654183ed03d261ae20ddc26354f38aa3bdf0760380fc09bd7f12b225901dcc213c71318e05bbebd80f524cf5061ec623cf5bc895b4a6077976a7ddfb9c0cd3fa783259354b6a2d9f284552ed221b78d0b55e8eae65c02003e58fb60c50bff4d44d5bbf786a3f5cbd49c3cc914fc3c602d082d7557c3f7ab7ace38536e001bcf52eb0ef80154322b310e2ea795fe7333d0ba333dc1a7a853d0b9825e34ff5cc055917311b257cf36bf141a2decab2f2adcb50466bd0432e09ff47d854ff60e1443cc6d6dacc027bc112c705ab3b6d6c3de3ef5ce27d4d129fdb066237160be102dc61a8690c459a52b319c974404180caf42f8620ff20f9681d46a8953f4291f3de9ff279d00cb82789f9f3390a83d0f9d38050aec674c5c92bff62cf37d43b50905fbfac7db15ec9b8771850627e1f9e770c312d2138fe017e607b8c1642c6193e31f193b69ffac55c595da60862d4d14c2cfe9a6558b3398ed59bc10b4a1822dd6fb02884f6d44ccefd2acae2137921c5c0e61af9b6845095b45d27820b326e1306ee3ae43d05624e3e2bb39362187700f383b59c51594cb7ae9af7a6e004d2ae29e9ed089968a55efcaa2f352623448f5c54666a6b57111956291dcd7f5a4d181bca27e3145020dc777335c526de9ec2d3451247e2f3f3002408fb776a822a58c313e8616d49869e70d2e7926ab78c4f2c95e286db19b74770a15064005f43ccac5d10198033f1a16ef1b73e2fd166acebec28a489847a9ec8537747b5c83997872a38527282e648560e37180d3acab42a72ecac8dc39a281f1c19b64c8c71eb8535c29c8f8b60a4aaad677de1e20a0f21a524e0bb3e1e91926c4021f3070eb5de9d98a8df57c41452f66e5ce73d7900307c01ee5e45201abbbf8f49bfeafe78720bb61856e7752389ff5d32b760488343be6f700a1c9e55fd535ec4584387630c08a2a48f89f1e7efab7c9de516fa1771def7e4dbac84f8db1de0015aafbd1f2d74e64e65fe58fc43a3615066166868d9ced78ed3b6fe08ffc3b415fd98b5ce70858187beba7852b7dc6579163cf9c1121397fb5abb17febc0e3c0acb838d464681e2ffd6d72819fba2d563207621ce08ee5421e74da75fed5eb0c36720ac7bf257418746f2b2c0c9be338ced8a733833fbeee05906259c4d26b6769ed477ba6133cee26d58d44738fbdaeb8df99a70d00195f6aa67023b00fa611d4d09cabe9af0010edd6aab27dc4e4815cdd63292e5edb1a572dbf1c307cc0127d6ae1a2edfd548dfbcf3360079f6cb5de7778ead94d8ea779f40a51468df59c9f68f9b642929d27db1b62b28faa2f28889ef015c1b547c2a7fa8b98ceff4c4e721b8d7caac45aec0866c1e62eda03a822517e99d42a6a679d36aea470b4ae2a2f97fef10c28943ea9861b09ba728bb660b6bbe5b2f052c88b744bf24caaae05561feb1a5735f213b9bd71892f0188050dd475e72c9740ae547d17dba345b4fafa7aa952bd9e0639a2d3566ee4e9ad19515d523d2e4f36d26ff1e7ef1b609eb3b126823314ba667be6d09e7c435b4d6e68e5a8f1345e55f2a71d50b8b8b105b87c9be2458431d77b36ccd6f89235c8512dbb2d57f8c59f560879332543b473d0d19165422d731c2350156be4658e3d17ab99a5e2816e0bfeb8868a7cb38627522e5d2d86b7307a41f3ad81341c03ca0d7e571b4dbebf47d47a90638207314b6b00686d4427b56330750f0121d400e9d590df382d206d0d812187260693fd726374ab708767b3ff731a9774e56647d00e850b4e31e47f422588d47691d26fae2c91a9cec647376c3061b1a41f12ad3ea960b18424e474d5462a6b43b3b083d7b8eb3cd3e3fb8ad176138ee32c53af44e90cf24ac6d1b3f3a0fc446c2b2d7211c2136b646c59ef7a8ac5a4faf92f201651879cab5905e6c5ad9b39ee8b357259ac5051ca342f48cb3b5f641e6cd4b740095645d8343e36752b1b57a0f6e303a6a7cf32fc24a3870bc0e3897e96712d82a1225701f8be67aac7299b091e2048947f23a93c985b761fb16454f89dd5cc893f1fa3aa7bd95015c9da68d57bcc35ea31bf25d69551683c6931093b2aadd0f37ed9acf6a408ed91f11101f562a2e2c5f16fdecc66dda489676775b1a2d62b09fe66ff297ccccf99f5aaf8488601f66f11b9cfdd0d91241fed97d3c0088963cfbe070f039e5fcac771780e6b2b245be54f17cfe37e425c0de47acc34e25519300a8afff1f835d63680fd56064190b99b6b0c723e7411d0b183ec38d0aae036bab9785586d3d50a0d062a3038681769da5820da23528c36df7f3c9a828fb0adb085adbe1892570135b9fcb61d795502f612507a641afe9b2b2b93310408eab6a1a581f107de5cf9998413d3c68d6243afa58f2dff4bbb6a97c5c6cfb5f9dc23aa7393ff18ceadaf4bbc3deb8791ab6744ce12d16f90fff60c7d88ad8a30b82042edb1fb6c6411d873e295d3e86ff5ccb94ca3ae8bd5f6b6f6baef56ff9d9f00356a9eaabc41f2f05d94fb7ec0f69329e3ec74e0900a2d326d76e99ea7707e1ce2b7c9e6a3f47ee0d8ab2d7f8cc651eb5cbaa2c6b617062a51b3ac075fadbea8b53d0b781e9091901c608a42fa6a2fb46fa13663a7273defe1808c6027a20202a7fecf228e09b6dc2cc97221bfd0ac131d90c33861c5b993c7248555c7a15c9d90fe9a3214a0d3d43efaf8cff196df2dd4d116b18330f422f44364c29c0198437378bdc402c079cf7f67027fa945b4782c2a06ec557cc466964d2bf2cf0ec14ebdfe615cfb1133491ccc415e202f1ab98e3c738ea119238f3ccc569ff46181e0b82c4db4e1d997566979b1005abebc940acb548ae12b96ad19af931e1cad7869c80dd8228e000126b3b93d629afb1aa9f487a25701d6ee99e4cf2f5b9f207f73e11763352830ec4e195996180fc56c5d84d0615352894cf5b67f2b1e91974da5e501a8b09f090edde5e77c5366c947b3a2746ce229b5754f6427e403fcb271e487fccf3d74e0fe67009ce4d32c4fc1808882f1d4b65436887c30ac2a06f8c8c8f48d1dc75e1446f6e02f13305f0ac1c859912dab3370f14e7959902351550bd14b3d5b84eacd3998c630db20e49958f0d8366044fc900284d5e8db58504fbd6975535a2ee1ead79b6cc88bc6831f661b1fee9d97dcd7f598338c12befa546a75c7bc86c784b367da4df13f70a59c5bf9933e95654b7701b41963d33993a9e0f46e7281411e4e7a3b97906fca7bb82652c94025930124c911c6dd1333e8f7340448aa6fbaa75ba9380a049b41bb86262d4921453133dcce9bd98da9878ff74c6a6ae2b40dd06c1d8a963ad52aef1b26f73e9c57fd52286f2bc6ce8df8781d3c4c68912a05deaf4ef510089374b5a3ea63672190ae97c9a0c79dbd339b36ca5abfece9fbcffc1a6564735f8e5b7ea9ee50b7aa3feee252816e206a7ce1ba545a90f74a20711c831a4554a7c53288733fecbbbf9f48d272d6b65926e6491c7204b34f76048735d6256dc1a9ed16a62193ef707a785456133801b11691fdd576103235c6ba2978ab05ae19878ccadc36f9574c97ce3a5bc3aab4ed3070dbb7ebfae002d7ea4c48794deab0502b6dbe03c1a49ee52728fd3ec92389993e7464e8d8040e60b211d75bcec5adb4a19ca20af1f2232c652fc25159e12e858f3d07f08910093953401a8f70c11236df7992bc2e113e51b20b22a2296639fa6133b6015f802d66852bb2b4b698f1e8a81a76e67687d0b8508a371a3cfb18254265d57413dd9aaae3742eaa265f3456bf9dbdfb08fdf6b477a6a10fdad90e7a3355697aec35bf22a8f84b655ed7fb307d0489142c045faaa914e81c608e59c6f88b82749d9567c46aca74b4e1978b741a44795d277cf7243127e1597f2e5a3ae676b42c162909e2acf12f010fb756d886355f41a24888a64d5dd10af3515f3001e6911908bc84e293c988afbdabb7d440a2ec3de96ec06b56b4b9701e95e5ca10b6589c2733c81269da2cfc17b3d47fa89dd30503200099ee675147c9e6f97da5e3a7856a4decc4b8c165c4ef804f41c533835ac27e46741496675a2431086b71971f0d40370dbbb119242adaf4e729ddf8d1e04b69a669486aff6a0ee039a66c9961c66e0d6d5f78f3a1fff5432c41265936aea1995776862f892861c937f5904d376a339dbf99a02cc9cff84c27f206c5afe488c953a574c797e99f22b5c917e5fd1a90f3c17a4868d0688696a13dc911ff02f1ad4b6203e9d92f77bbe78470dca7c72009d61b3df1e7871b60921a0d54a6ebcaa148260672a3aedff2f9764f8197d9a0b6c934cceb6820a41476eb1b6a9110af53bb182dbf95046145f6bdf102b1cfa86a5afa8b08e603fc927f0460fa9563545c88d7ca5916dfdb5c9b6c767d520679e66bf673ec64502185615b13d9a131fa4651e5c8b40eaa278c771c4fef3acc35ef76d167f79eb68279911984ac9da9e54eb431dd2340ca6c72e04c2da65412db02aaa3246250c507eb8ff42c1d25b629f9340317ce8b71eee0aa0c015b2b905cfa739bcb9db63c6779cbf2a576a132b4028bf070686f89adfaa5ca91fade9b6f6b4df65a63848c502d2d24b94201e4713ecd2aafce1b7eb28ae4f96ab46476eefc5392d6ba2fe7220eb3458363b121c138d122a188c3dc60454f7ef6fbe7479cf56d1a20347d7960a7330ee392fbb02e0d5b59f7881035d8439568b8f438c0d91f38b1467eb4194f28f7a1558882f831aa7bf0679b0059c10180c66abaff9d238887a05ff23493cb18235efb163adc0a06a2c8099bbda391161ad30f52ab2c7627ab44e1ec88fcbfa08277e4418a7a2286601e56877d6269595c4885c64ea809e9c121caa5532d4aaeadb9e9e6651be49f25470bb0dee83448cd59ad75f4cdcdf2d6c3346d6065ca27b286622eb28fee3ce4399894dfbd1846725fad67fa2b818870e0aad72f9499e1fc776431e6fa6a6858f5c6f1f0b56126e8f912a126053d445f27429a596842da82b1c3b8308ffab9ca5d5c88a2d39b0f44968b0ab67222c6b93f8cafda69183c62918e96bd5d949173c140d1f7d0d256ab50c9fcdc61c725a4a1e1f4639c8363ea53abc87a8b8696a1b8dfd51814f19a6bbc18f5c567ee8d89e0a85879c50fc1ac149cba1e9453d5d262d272c3a76a0e254872e1f54e8fa6da6c8d2220605305dc398214609f1e31edd55c8185c46fc00880f28beba2b50b042b26b20d8fd7f26fd662142b0440addcbd3a64e6ee99bb583676f96927d779481a0647ae6a8cc059d35daea794868326bdb485de1940b2a0c5b90489666a5ad85e2a4c336c730d0cc6280111fd237f90c67e4f6815889ffd803bd9cce441ac59e2aadd6e546f9ac17507798d056b2a421d381866b954c30d33a932a629b67e2745913efa188f9bbce163bb69ed44d12c9167c406883793d6e073e31f74637aa4a17c5c1e67bc663294b8f573ebade9b593b1f720c74cc001f07f29d1168caf61ed84f913f70cfa5c6ebbade99e2d4a5a9b2a872a1b1fc75c65337ddb01ea09c027bb0ab8c5bb00cfe363edbbcaaccd3b997cf926dd2ccdc64d98cdaa4389d8e3c46a789810929302c1e8d10c233932e1144928018bde47eaef06a82746533c7a4b9f1b8253c9bdc89e63f7feb3bc7ccc9aee795df2fafc139fc21ea9013ba3a3c248747fa68bb7210b8557073f3fd7cfbcb3a57eab551aead27af9f716c1d528efcf4723c5755ddd767ba5543f9a7b1c112d10174ee53670c3efa51b94b73a0922dd298c2ae4bc7585bafc8404413f0042165cdf82fc68e9466646ef85d2a9b52bf523fe8094b7dd275c84288aa10f6fe14c5dd5f3e8b2e30e2f182083b5a1f4b0072bb58e0004fb9868578a1e1fcb8be370bfec6c5b2d0318eef1e9bb50ab89fd834ab0e625af5527a5e6f82f8a3a405eff949692ed2338cb902ca715293b77dadec10b53bf024f432daa9e080dd7f2810c25b850e8c2e0b405d1375275fa5e832390fdc7373e6977f682b358897fdf88ccd4f323356b80cc556eba9346d54c0472b377c06d453348058467141f388a523f6ee723496005e37bbb98d321df49a1884bc3561c19198cc35f2ff429ea6efe3161f569f92e1da035ff641f28c04a0a8052136df82f8b0447529ae3e27f8a58912e545514146409666760f5425a3225a4c26c143794808a9cba3f10821c3a9a6a419e06c57f5a6dff47370620808ab3cfdb8f2aeaa4c2eeb90405d1ac832bcc1a55bbffa814c3471d27765a5ed6edb3566edd96e20e6f108402df41b49faf48b75484ce9d37936b2f26672e80731901740049f18de88bd5eb2f58dc4afdd7a8f9198992edbed64c2602373c57e2c06bfddc03177ac292e562cbab5e054acd21318a4a10a4805330476c9099e3d7660d79a3b2b8be3c14d05fe246eb1c9964761289d097f71472a6beaa0127023697956632f8ba77250559a15ce9e7f270e6eb1edb62586cfc31cd4fcbed345891201cb9f2834761f84bd88f6ab147e6b3f1ff90139f9c6c4fcca9dca67f6f4474b102eb1d4765f13ddda3746d54e44bdd32806a9a8a179baf0f8d75593777e79ad9eb9a370db4ce21cf5fc496d6e521ddd7f2e86d2fce6bcd92f1dd8028592154f1a8734fedac7795d4c039d5ebd66d4ac8475a137ed935f20c7fad6ec11db1f86058949a36165489f84d9cda1b1bc1d4e247187d32e953e61716bb585c1d0454f7b965292fae8b22536dd70cab60356d1dbd744f7011c840ea57f5b80a17340138bbef39b38a34631fcb4ae8d262656ab1557b3d74e09da980adc68b54c5eb56ba9716374b1522367425691f578ca5d4cfdf22220b7694610d9eff4fad493158fdef22d1c936252b49153004e8c5ae8b53fc55dfc7aee6769d559dc6d0a439d4d709b116e3abb4ead94bc8cda7b0bd12c0a96a151ff242377453f06983beb82d144028101cfc7cb7b12abe9a1ce9de7f714f1c7c24357c98d11145b5a768f01b6e6f2bfa3da6a825728ec4d1186fb56378be287c83bb728ac1f2e844241a0d5cc98b9aab6996b7ecc14b7b499624b294b767111b76681e3bd0002113c7e3206caed1bbaadf9f536c32c97ba20607bd2711ce7fad2a83149529b060620ac3c8be317fcc60c721d23665f16c9e7eb87b8e591da318ca5d60a8cd6c7acc1d3c2d7a06e4483f0186f62e2ba305649189c5e53605892ca44ea79e249bc821f3e82e1c1583e7aadb19f0c574c2e138adaa6efbd425980613fbab36ff49733b6179e15246bc89971830913c0c225e6fd33bab45f351768e60d9016b5dbe6c9f4cce77d160878dc2a27e19edca99840bc821a66df08234e37b482e1cae6644af512098d2495c11ecb228a57c43ec86768f732eaa843d810a0faa286e1fbe63bdc46bf9e852e349d15c0a170c8fffabd3dc7839f6a8190b7184ec66bf453b4eb894885d61e9e21438073e1729f784790935607c7cfded186c2a6b134916d591421f72aef18288cd68f97f0998c659a81d73526766309ac0300415da7b642dfe8ba7e3c9c37af67b4893f119f69985e1e16f4bfc24a1dbb04462575658584d7a752252839e0787f818f41901f5080e1d52f35e165003d5c0f8281cca9a45dc44769f5665d33df75ff7ed753aecec1308e456ddfee4dfb559bb6fb36cfa647b5777228cee24821962f8350ed090a538f12a50724188e273c645315f4da6267f040104edf9029bbb4da1884407f8437f5d1665d870885f1bfcc6b28d3f367465ef32dae8fdb43ffbdeaee77e4193482563fcd3d841e2003850e5a4adfab4a1dab93d42a9d707cc91f5b78382bd068555baee3664a461831989b94c420c1bfc0b53e8e4a1b26a67764ff9d721bd676265bfd2d76548d3ee2aff5fa8c6f28673111195dd8108568c5baeb5928123cc3c1b07c07cfdfb5d1b71a90bc96b083b75ada40678238949c508ba6ce3af28e601b3ff5c087f63876b575fd2eb7323053775f5487a6dabf336946eda37230d3afe6a75e16af37a9193bf5ed51d5efbe577c4527d4cf0d0b8fa8a5f15c3a0c86b2984c2fa556522afdc5cf3989be38b3f1489a775cc80126f4d1a8441834285954db30d2035e886940aa2254c6a7fa3587c874574b47e8979ae0986eb3088e01a1a670b2d7b5f7f042960fea80d5a4b7db00cdcb715765d11897aac6584687657e883a35e36f6bb2e461ef2ffbb4694e11a41c08e8059b623f10c48f63c62fb5a371680dbcbaefc2f43d32e52de3db301729a1b604cf905eaf28e369efd2b04c8a6bb11d60be37de8897e2fd350db4d073e1e0ecdc8d430eadbcce1c2f9483546647d3dbd75abeb905506182853505c63ed3e3fc8bb6c544a55ec2358f987e91434db7b3b17e514d2f48f7319c7ef30eff72cab9a0852645eadbe45f34bd141f5de7b6dd367854ba7fd6658e0ab2ee66dd20f2bbf921f3cc5a0563ec062df41b6c9a4aadd81c262a9683ed1f5beed2cb04acb8ed18581103daeee290630e04d67226f6ac86d5c680cd7cf4c79256d383aad62adb72a01eec6d9f098d5ce17185b645b64c52293358623fcb8c77479dceacd1f35821b2e43b825223eadade6c6fb97aa9226edb450e9c188133f2b5ab21b3600f488f34a18db510c4fb0c894345fc280833c53bb2bcc559bc70effc2b5eca18b6d2a609fba4f8f44f77c93b8ef7d642011a633d790ec454d67642a944ad1d2aa5e96bc51819452dbfd7177f3dd9e1579be6ac226caa88435614d0c29b519def4c5f36f85425bdaf8dbf6e858cd02aca16c6c9d82a0f18c5090080164047f2e975e9ffeac708d3a2b8be97695b2736897676ed49b9dfda9c890da00b0cb6da8a832264cdb48d8779e719246a6a830fd4033094135fd6b9e636240a4e0349526f4536b5bd4b736cdfcd46a88de2344fa8db7a39fceb5b724a9376f7e51aa417f1a10baf63cf530a4e759c4be80b251ee82cb392bbd7183039d952a0d4d1ed64f506d9efe23b37f970187481518b39553343e89b89c2f6dcce66804b8d45e1d55ec1dc36cc679e462ef0170344a83a53bc23044a873d608da8320ac65e235db368ec238efc73a0203508252577fec225b42f66ed7935d065051184cc0371494b774893d57f30bcfbd03c7ab000091123fb60fa23dc7977917000d8e9ddab549cbf957485e17c342807ad67edd3919d1d5c4c847c8eb7c6fb1b6b756bbcaac63bd1cdc9f8d96cc9f91fdca6af5f66e6ddb2355d6387d4229529bedffda6fe0a77c0907cdfcf445c8c720eff421ee021081d34d0b73b54b3d84781a1ada9dc628a4b59f6253f1a3cff7e82c31014abdfb9015711302df5363c688e3232679cfe23c0b273f68c0e161f6548b405e8177ccef5ee92b215d98cc128ec7997bc8f7197c143accb3c720c1f4ed2e331130e4a70df1d89d4ac6bfc50c642cc8cc1b05040cae31594015470b104163e85a9f519ec28427b47a3a8a0b92dac1276436acbb54bac573e9b83af6955baa5e254871e2e681ac5f42219834da9a5411d59f497c6df3a89b46399e8060121f44b73ac189060dcfdc7e66f426462aeb94eb0d7a16135d140ece4e04fab9f317cd83c2da92777bb26d75957c8d170caff2d1572dee417551be25c2b0446cb6bbccead36a25e3a2f523bc9b6fe3537b3fe0aa0918ff2e90d41ab5d8203c9701bc04cc8b426fbb2b25601df442b472e6b5d3c2dde368e1329c36b3915b82af2137dbe48a5ab8cf13af4b255dbd31ea11473575a63c08ff3d36ed69a0982b7e2faf71b27cc091d7944b25c30144c6f1e98e0ff646ca67f3c1eab89ff4d3cfbdcf15e475bdc50b64f802fd83ffc56f99177e399c256d93b6fe616073e922ccea2b52f01db24cf9a25027550a18797dd34c98ab8b8392c4552de764709256efaf78ad4b8bfc02b1a584fd52817f2c16f6d26828f8fe32f5863cd938c5d2c7cab425f6c614225dbc671e97634e210c017fa39c3f630c22a6c1ac6673903e55c2f09c09aad4dabb76072ce6ae8beaf03e48c627465dda54afd436d47f007c5b1c7b52cf55830d6a3dbcd561bac52be9e131182f46854ba40f55c86c7935413f3c9ebaed553f9b9fafb964f0c5a03ee454b8a21bcef78881b1dcd9e4f0944f5e0dee6770f7d32e058739d6a63eb6e264ada03dc9a30d0b1db52bb8d96dc1f7c6265fd93ec0da79c5898fbf9ebb3dc1bb2ffe8ad5eb8ab90e70f448d5fe3fad48c56d1bfcd93dd5b11f413eaeb15c0056ce58e6652cffa6da783774a82e27db165d9d836346f72747d8c8d85f9487e22f9fdd22afb05e33f35a5cf7168954bcfb11617d30de40fa8ad3c2f8f52d1728c2fcf55f6d1ebbd74086b553b14dd513b6350e3a768b8678ca52b18189a5b85564134db150477a016b7824e73e59449451b33fddc3fca5183dc7d9a198d69544c402d09a96e837c02247e4a6130d6eed2a9f2b30c3f738c35d70c85248c3b057359ed5ea1cd52b3d75eb9d54174e6a28ee2c6111a86baa9775f96a245abd0122b84590b748d11e36778668804478853cc95a6b177be3e89ad0d4dd55cf07353cb8977d3bd98060e117840d167f0db84d406970401cb2938b18074c16b36f9fd560d2658a28f3aee83ffb01f39fd96972dbcddd32018d34891143f8288664e979993eba480034fdab02115f30ad476c5814c52236c0351dce3f0dadbe16ad102d558e58e46f4de316d601f1eb8559fd6e7fa0da2edaa56f5a01fe1666e4700cbc5dc1ef9f7674f1fa53a82de533f9084a762ef55562b17634c10f12f1430c0c7be8aa9798546cd20c5eff8408a3cb350afaddd7ee636cd8ec151e393db773f5bbd9e176a34373d86ef942dd0d79b9e271371ed04fc6bee281bbcbc2cb0964bfde1e396a4c18625e8e24c29951cbdc14718e6d5109b0c08565d7735b9bca70a223539dda13c5e09eedc6ac0cfbf99a4807070785cf8dcebbab95d7a05ef72583571f7cf3444111c2d7cf6631862d9975944aad75d7121705fae35559fcc29c10be0ef7945100115b9f3c54195f6ba9878e79c64132a7fe77767413faf8cbbecf2ff69e85ec340b5692343cbd35c12b18aabc308b5d49214f95c8abe9237658b6f43919438f0789c7154d639c21103181eb034aea16574d9b6b961ebaa798d75ac2904f37e5a683dbb687f10e0818620bbadd332c64b26e0a1f4c6f64cfe00b35e9c5c8265032b1bb6ba5b13d924d0d200a10249cf5b69919d56f2f8ee7d0400c4ebf7153181646511f2519b3bca740aec21d724ced7aa4b820ab901cdfea9c89112d9e50021c63c6707ad027f5ca0be19cb4de574ebbafd938b3e9570d8be400d97da0ee86ba610153c7075ffa8b175ef3946454d98d904b82ce7ca96ff4cbac78721ac8c31f05fbb8e42c55b32556888450385e3540e73d58af2f6078582f2e941d213a237de856139ef5954f8af94fa85a9ece6f4b649d63fb0284a9c4fd576ad72a86371c8e8b2f43c27ce93027d0c7593926a6d69e87ea5795b61888c1aa80f605d1ba68fb1af27697f8a409f800b9405fc44a2b70c283d640d237b73b444da8326e7171c2f699e87c63a02d79cc10e62da48ed2f97597ab3c57c2944b11186e1df36974cc03a7c87606755b499406d36a35de4966e5a983e8cf04168af815d21fe1af84864fdbc6fc0b1a881b7f266d8cf96c7b67bd124bb3c785236d119466f2ff51edef931037f4fda1951cc8518579c4fd97d9e6e43c8848d5ec133e47a9aa5bc6f49295e63884fcb22e77fc54e4941241b888a31aa59e107b714f37d474deb8b9a62bd3a6e3867e6b8a972ffcbdd03d0c48345a50b025da83de2dd8136643c674915030edcdde1db0742a3f69d8dcbe5f87362de6cad7bb3b395799a1c98d7ab4b909d19699256f2e028fa054ce49aa8645a150c2dcf0ebbabd87f87c14285b7475ea9fb1a2b772092d94e4a2332122b14c958c48dc2d147d4f797e5cbb1ade04c953f37555803900b7091ad9c274db66dba1ad056534beb09ff8030ec81d88848d7089d787aaaf897a74f9f91692557e5b306cbc359b986356bdfe5682a624c554dc42f3e521c76711beaa01733ba252670a55910720d4e62e0d294f49c7a5be941ab31619b07f28784a8196105c38585c29fbdfdf32b29c9dff18edb10cd5d176199bbec3d9c4b2eb6a5ee2867b255ad92ba3774d2356ce55e4ffee3c5cf8fceed59dda03fa9cda4bd1fc8f7005e2d9b67b2b729af552856a2d69a43380d8e3582bf5a0844ad15b75115a79b3c343c898164ca54480b7c4111b33949585bd30e2e660344012ad27a9e85fdf6ce509e07ea1ad1d81816db8e485d029101155c57641e2839a65c77e5eb43ccd16f81f626bd74c084bacde9e7716266b39a463ab4a1f2055fbdc00c20ea10db76139a5b90e106bfa4a51f41d475c303d094b6aa0303775b834388fee4d6677e18deecb5eaf8c3d591d3cb4c956ae34c7c60fe071f5d3f19cab9a59dd9423c6e88af1fa1223501da07cc214b18724ec1c587951ba0b1dc970bda7dc0ef804fdefebadee0965e023312ab274d01ff551753dc0b7afc85e10b68a9f56428cc2267fab541213b3fbf509cab4daefa4c984e8b1480724e2e399e42086c67fecda7789d5c380e0f257e6e475c63c832aa4b17c31f83ba5d7ca5db9fdc57d4dbc9e8affaad3b65d1b3c4bf0b75df9f602ac32d1ea696219afb6952a294f4b540cce84a33242e065c609afa4e97d83aed8fbc70e410bb4ac1e64656c713f72378bfbae088c13d3e8e1fadbd2f5cfa1718d26c9376cb66449aecd642d476cdd411ab79511ea6608cfc1686b83d4ea4a0f8f197a759b62753860ab0c47b8caa719338d29ee89c6953ed4beebf5685b8b2ba9eb59fcefa66329670c5fe2ca4435c41b5ec4bddd9a69aa5727f8c7026cc337e7f5ea2b85d3e6eadf65d1da59921e9601684cbd6db98176793a8a778e4f97171b0a271463c772de46a0436964b32a57a00ff7e9b78ca13c743767b460bedf3a1d701196e2a87424a7fcdfaf115afcf9476b7992addc11bf5dd4485153818ddfe711c3fc14fb30aa9336100044e5a37d30d6d246459a6c6c38a28b0ee36c5f4ded811a115f23d4853e71cfbc48617fc8d469baeafc65234b2284f93d2a41953de6549f9c41b571867bbb6ff418332d3cbcc109f85d59203bc4d222a70ef70373f65e9cf0780289af7a3d8d168265f3864c5d2e933bacfa2424be11948b89596109584ca6e8ee0144c3d99a82cfab8846844f118601ab906b0b44730d79c9169db3822060b3fe635b51c060ba336c774dd1a5612319c004cd5a626743a468607a7cce9fd29ece8b85e868444b17ce733e80d2eae2e43585ed707a50ce1b2a2173dceff5f35b4dfeb79a69e18ae83d3f8445f0dd7f896096bd7e10383a59f95db4cd85ed6e54ca1cf899e13cd8fcf8d894fdde52f8598fb1581db8f2da9bd57d644127db11aec8803135259c6cad21a3a8cb51b86f5832f74d2d7da4c00ad6e04975e7986d4d7f5182ad6ac51225ea5bf595012f4da7a714ff27a654cbc5614843c848aaa8d1e71be240742e0225408d964430303d332924cf588f4c0bfb75f32c2907095476f00465ce5377a0864ea08f2916a2194b915e61d9829ba0af574d7d8d4fc61be6557c49d9b1893796a674dcd4a2d0ab1540da21721f9ba2889d40d11d15a03f47fb9b4758fb5d396fc3ef09dd2eb17340651bbd4d4d302171b64a5d134a14c2f5761d69baf6e087645f1569ae3c9430bd62569a771c3c9d386357852630d14d59bccaae73e88e79fd335da885dbc26e317a560e886b46237a9bf974c90f17e8d1a3193eb8f6a8a4085fe6afcfc6625155f230cf95e28b02b2aa25a07dd2b9402a7e11a026050b95f200b7f559706d39de6ea5c6a3290939e06c2dca3293634d1380cbea8776653dcd705517ec2d729f81f6402d57a065a801fad2f4c318f858e12657835c6477ac3168ca4094abd3e684a49eecb3f72361e2950d32c7279a81d3d6a36479bb03f1ac6bfca0e129b096f3fc11b1a31322a3603bdbcf5f25ef6983aabfde61dbbfb31aebf6a6438c0de64b0fb58146993c8339ed1575816a6db7850ad758ee3d1b493442e12deb80ae936380c081a69dfbe7b86cbb28d5c225733e9c7e7674418cc7696f6bc482688210a51cea3c76ba11c21c21d75191c1f92f2834c1a9f9c6d1be9ad98508e7b4876621c126d0a3b9432e15f6aef3241bebfc3cb8f2dab4b96f97a61ee2e7312845d3614d817793f6c40190d7b17ef2b7bfc8ce665fc927dfd178722fa98d37e58d5c3ea763893f1f46390b9e412bb7b986e6f26e6b4998a7b7252bee2a919d92a4f63bcbccf52f7a4236cac4964dce74ba8572e8481de412bb53a0ec1667d3f64526bce5b1d39b5a49449f20a6d274d55e60b0c722a8c3606a1aed9a73738d634bd51a4b4be81283351fabfe38d8bc07b96495b56be9c69adf49958224936770455c97be2e895476df55af2d69e308a5b1f898d2d60896055b8f95f99cda6c961be77245025b3aae7411644fea5d5ed7c0f9fb6a9d48af4287b4be060236cee349ec67d4e94f6da473e30d4d406d95c62c1e7814aafe12b62e4ebfa9b4421b156a67e6743bb98d4bd17da6eec1e5a6591e5b6215675d6704257ca0cd1f71717e12fb61f365c8309df3e3e7646cf2ca5bf8fbb0e602e769c5510b11bbf114744ee38b80e0200a059a64daa7b699ea04851f976a7ac131cc0e2da1375524def3476375b4c4fc0e8e9e114f8873394b2ae418d4bff3bb202b523d2b7c897bbbac4f2af74dd5887ca6f5bfdc6a379332dd8f0a6a3b5792c1f1921642c1498dc23802f39f4e43e8f51f3415daa93f1985ad00c9e8768cad571d2016f57b05337882a38ad9f4470d205b1eb895de995fe90369bf0b6c0d73c5923465938cf6750d0a46ef63875d8eb0958c48459bae7ed3d0e6f1a4ff0c876e86f23f199e98d6fc6810cc76de5161e8c5d2e502ef34cdae2115a05ce7760248fbf9d29f89d80de97a7c4ce37d6999ed4c65057c55aa5b6295e0897474a4abd86b58a630b5519e24a96a9c36481adf71efc31aec6227002d4c5671641c259859e515e84034740a8fa2decd0cf594aca7cde73ea9f6beecbfbdac88cac419f91c685e36f599e7419d1b68ee540daf765f2281a336d8d5994334420ccf21ac60cde19a49d0df073a40445ecdd194aecde7a0c42d2d896a031477712bf49b2967b5d1a24f133bb7553be28f71887bbc6f8b53795a1b06c323fab7840c85c24e06f6df3f449c39f7f4cfbc5e74ab0b6f54dd85d46be27789f44508d7a4e0294ddb7a972022adef1feb4bbf80b6acb41388b29f99d86196551e89be73d3fda6fbd1cca14dcc0044a97c9e1430600238a4ed27cb144440da1d6273ec8750b8d8035c7924a123c47777a396502a8ab6b7b98c93fe28a08d8377a606e099c8ad9f42dcac63554b356a129a9e9573fcfb207b27baa436c6d4ddb4f8580d914a1263461e304db5e0815f7dd9b755db529032597b77050aa6c653afe3f7d7eac9e3df2d52b926639aa3f51d8cd5471da36ecf408bd859ce900e439901bd20c3c1bf000f6e62cd234e5fa295118a5b5f55100702fdafd43a7398894f4a3dd4f74889d27294143d5f3609d97ac3323c6f3d6ecbe990dcb5d975358f54153f286e78c8cfbc76cf3e2540614252d267ac9327d13fde8abc4b282014be61a11450aa26626c478ccab01c380f39cea9dc5d67501ab68b06bdcd6440d7ece6f784539530afbb27edb7b1a83bf6576ec304ad3538edd4a02e1fe9ff821eda6d9c8f6eb4ebad0d80fc45576ab4426f0b390ce9fb42312c23430d040d85efa8cde8e1a3c47a082d33cbea897edf90b00820032156816c8cc1218b9cbc41108f910a9a072afb6d94c20b5daa083a8c6f1e49570a82b779b06e91e01eeec67ad5fcc586401c91030a8300014a92973e2b4653816cfd1866ebe6a07b7b9050176f3f0fd7deb7094b96dca67a7fab85f80275b5616414ba3d11bed295420cb62860d5a01fe557eba85cab0dfbdd4ed1d7f30cdc0540690d7bfc99ff1e5915e91fd99a5b94d2d26eaabe72c2e727cb88748e83899ee6f2f6efac8eb7d66b7578fa17671b4b70ebdf40a36ec697ece2a6d2b170bd083c0efd515b81acdf56c750064571d635ad50165f1e98519b12655820ef9393b33d71e037d8ae46f6e9ac84b732b21008111b16796ea62181f264aaa19c362b426516c97bbdbbf0b0da0e47f805847067261b62d7d699124645c6a6a983565815e6de4fbc31263380b6dc811fa9d4c1ed15690b2dc7c1afa5a4a810ee69bb8759c898287630273ba24ee35f314790e09d865d2e82dcacb1ed2ef7614e2bd9aaaf2c7b1fd1cac6b3b56058d33a13e5d998b5cec54b5968271a32ce79f80118678f2978011bbaa86de2c5579e966ae17c6dd435279303fcb2d1cfdffafded27c921d1feea042f83e96f01bff7fc98215044eff87f28e65559c9b030a0676eac25552b5961084f162e8bb638d52c81b091ddbdaaf684c6f1cce30ff4c8c60f55148aed8bc5894c22114a2f37c483bd9d9eb809a483f918cd901f9c48251f8dcb19f35d61bf1105ec96e66f22601575a5abeedfd08dc5ec6669790c3b47e557d391adfb259ee0c86566ea1c4a93ad18003cb35a752e91df73a688cd65b92b754071ce3f6328f76c6d6f455eae1c4cd80e2b05cc183e1dadcd83deab48dcf62d191e0f69e1ea30f050b80640b70c4fd455fbd6649d36f54adb32a85ed69d81552ddf2e2878f85120b57279c645236986f1affba9e034017145436f7519e5681fa5b9940890979fb54be43bbf05d958cdf22beffeb2bb7ecfb3dcaf8a0ae07601a0fc97d4d7bc9a7dc9c8221005d958cdf22beffeb2bb7ecfb3dcaf8a0ae07601a0fc97d4d7bc9a7dc9c822103edab1ff7eb6bf33f108e9ac1a08eb16c954b88a844e3119adf5950b44014eb611cb6f5cf19bc18ac0560bff08c21e5a715d9e488ed7b90715ddbb518fd57060e234489f88176e66bd858291d9de7054c6bdcedbb9f19ebedfab02d238b3dad79ac6a853e324ff7c5e92f5e9bbbfcda63466ec3e8a17fd9b3247f183465e93ca372fd5afc77f0d7f38658bb86153e8c7472376a5d735412237aea47881eb714ad1ffba188101427d74509d8786310f1e0793a251f31819283664626cbb6286bcdd109bc3de5bef59a8492c6f849e7cf1c2a665d6b5844e749d36a714fc4eb8f652fe79b889ef808d2d515a143bd50327674d18780056158238e627e37eaf784b4505976a7c3561f4c11d3d6507b4c18b802110be70e1266ecd65aa25fca9510137f5d6822f4308c7525d307bc5aa18c4a8cd6450e22a5d3ff8ec4fd0e0db96029b188fe909be6889a961ab6d53b11520bc8ef965b7387b554bd7c482b02b0f4f80d00110a008aff7aed1c6d66dfb2edfa2605d155c2d97a1c2877fd1bf4d770e6708988dc83ba66d6a40a20293dfee564ed40c41d5e541c2997e512019841b0b19fb878199014dea84874d11e319609135d4251944a93718a1549871f86355fe0d12397a1e4e4db62d46514798e653a11b107fa6d6cbd7c1d4a8795f849809cbf723c6b3654d1ff2ac20fe4e91db0ffb8387d06864cabae9e45d13b197ef3dcccc6b0296da09999c1156c66710e48fad121d7a7eb3f20a9281c83c7715e7f759dd2b11d8da24b078973a81d23f56a3cd370391c47ad7ea923f5233254b2c62a41ea39a3c45f364074338dbc792fc2c11e46cd8506f84eec2d00b8b7cd076d84a54a4e74dfb2af63dad0b61ff21f4f95994201c284fe8f586948c544ff57e966e81d01c4e3d56cb060111b09771b67ad0ce7c76f75907623f84b05a05d45611f5bc55eab02c151e601843afc2885ab9824b294c7d32e6352066793e8ccf6663071d70e16fed8696139a12f8dc737261cc47235f1f6043d92c85ee5f87b03e8429e9657bb9f64a21db6c7e0cca7c1f3ff6a65af73bbecb35b1a93de7ddc539df9a5eb5dc9143c8d61b9b80d5cf522b829938f539a301cd22e79e52f6213df15534953e17076aff00521a5402e73915fd843905ff5a92e6db5564e3ddd38febf2dc5e8b6c7840d556c9d7eed953dea0cf43b01fecc45edfa2a8e9b2cfb89d9914c4b70c4fd455fbd6649d36f54adb32a85ed69d81552ddf2e2878f85120b57279c6df6010f421b495d8f08d34e5855353addd29d9dfce3d14618ababcf1211fb906@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootselinux-policy-3.13.1-229.el7.src.rpmselinux-policy-devel       /bin/sh/usr/bin/makecheckpolicym4policycoreutils-develrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PartialHardlinkSets)rpmlib(PayloadFilesHavePrefix)selinux-policyrpmlib(PayloadIsXz)2.5-82.5-243.0.4-14.6.0-14.0.4-14.0-13.13.1-229.el75.2-14.11.3[t[#@[@[@[[h@[[[9@[@[}P@[{[{[z@[m~@[i[i[i[dC[`O@[]@[Y[6@[3|@[2*["X[d@[[ [ L@[[[@[ZmZȲZZH@Z@ZZz@Zz@ZyZ_:ZWQZV@Z.s@Z)-@Z%8ZZ @ZZNZNYYA@YYW@YW@YYY@Y@Ycl@YP@YJ_YI@YBvY9<@Y6@Y5GY1S@Y0Y.@Y-^Y, @Y, @Y%uYYY@Y@Y@Y.YXQ@XXX@X@X@XXX@XۡXP@XXg@Xg@X~@X@XƉXCXCXX @XXXBXXXs{@XY@XWXRXRXOXJXAb@X@X)@X#X!@XWWSW_@W_@Wv@W;W@WίWW:WQW@WW@W@WW~W@WW~D@W{@Ws@WrfWj}WbW^@WYZ@WYZ@WUeWM|WBW9@W9@W1@W(W V@V@V@V޾V2V@V_VVCV@VZV @VqV }@V }@VBUUU@U@UpUUUUoUoU5@UUȒ@UĝUUWUU@UUK@UUU'Ua@U~@UzUv@UT@U@Tr@T@T@T7TTTC@T@TTT}Tto@TsTk4T`T[bTWn@T?@T>aT6xT6xT@S@SSDSg}@SB@S>S;S:@S9XS5d@S4S2@S0@S,)S*@S)S)S&S&S"@S!S L@SSS@SSc@SSnS @S SK@RRR@RRJ@Ra@RRR&R&RRR=RʚRR@R@R@Rv@Rv@R@RR@R R@R@R|@Rz/@Rz/@RsRpRnQRi RfhR_@R_@R[R[RSRNRNRL RIgRB@RB@R:@R1R-@R-@R(r@R' R%@R7RRNRR@Q@QQdQQ@QQޞ@Q@QکQکQ@QzQQ4Q@@Q@QKQQ@Q@Q@Q@QQ@QQQQ@Q@QQQ@Qzl@Qw@QvwQo@Qo@QnQm=@QkQfQb@Q`@Q^QZ@QQQIQGQ@j@Q9Q8@Q4Q0@Q-@Q& @Q$QQ@QQ@Q @Qh@QsPP@P@PP@P[PP!@P8@PO@P @Pf@PPqP @PP7@P@PPPYP@P@PPPM@PPd@P@PoP{@P{@P@PP5@P@P~P}L@Px@PvPvPuc@Puc@Pr@Pmz@Pmz@Pmz@Pj@Pd?Pd?Pb@PaPaP[@PXb@PWPS@PQPO'PM@PIP@@P>@P8@P7lP2&P2&P,P,P*=P(@P#@P#@P!@P!@P@PkPw@Pw@PP

@NNU@NNl@N@N@NåN@NNNN@NNN@N@NGNGNGN@N@NNS@NS@N^N^N @N @NNj@Nj@NN$@NN@N/N@N@NFNFN@NNN@N@N@N]Ni@Ni@Ni@N|tNyNx@Ns:@NoENoENiNf @N^"@N\N[@NTNS@NS@NC@NBrN:N98@N7N6@N2N.@N*N)f@N(N%qN$ @N@N7@N e@NpNpM@M@Md@Md@MM{@M@M۝M@M@M‘@M@M@M@My@My@M3@M@M@MMM@MMMMTMx@Mx@Mv@MlMbSM[@MRMQ0@MQ0@MJMGMGMA^@M>@M9u@M6@M5M4/@M4/@M0:M,F@M$]@M@M9MMMMM\@M M M@L!L!L@LL@L@L@LOLOL[@L@L@Lr@L L,@L,@Lډ@L7LLLNL@LΫLeL|L@LB@LB@LB@L@LMLL@LdLL{L*@L@L5LLA@LLLL@LcL@L@L@LzL)@L|L|L|L{@LvW@LvW@Ls@Ls@LrbLrbLmLk@LjyLe3Lc@La?@LZLYV@LXLN@LN@LMxLMxLI@LH2LF@LEL=L=L=L;L7@L LT@L@LL@L@L0LLGL@K^K^KKKj@K$@KKK@K@KK@K]K޺K@KtK#@KKՀ@K:@KK͗@KŮ@K\K\K @KKKKK9@KK@KK@K@KKKKrKK~@K,K,K,K@KK8@KKK@KK@KqKqK}+K{@K{@KuBKs@KqN@KjKie@Kf@Ka|@K`*K]KXAKTM@KPXKEKEKEKD{@KC)KA@K;@K2@K0K/c@K+nK*@K(K"4@KK>K>K>JJęJH@JH@JJJ_@J@JjJjJ@Jv@Jv@Jv@Jv@J$J@JJ0@J@J@JG@JG@J@JJ@J@J@JJJ#J@JJJ@J:J@JJQJ@J J J|@JzJyt@Jyt@Jx"JrJrJq@Jn@Jn@JmJhPJeJ\s@JW-@JT@JS8JKOJI@JCfJCfJB@J@J@J?r@J<@J;}J:,@J7@J67J2C@J0J/@J,@J%@JJB@JJMJ J dJ@J@JJ@J*@J*@II@IIA@IIII@I@IIIX@IX@IX@II@I@IcIIo@Io@IzI)@I@IܑI@@II@I@I@IԨIд@I̿In@I3I3I@II@I@IV@IIaIIm@I@I'@II2III@IIIIIIII@III@I1I@III~@I}Iy@Ix_Iw@IuItk@Itk@Io%@Ik0IeIcGIa@I`IVIO@IJ;@IHIAI>]I= @I7@I6tI3I-I@III9@I9@II IP@I@IIg@Ig@HHH@HrH~@H,H@HCHHH @H @Hf@Hf@H@H+H@H׈H׈H7@HBH@HǶH@HH|@HHH@H{@H)HHL@H@H@H@HnH}H|@Ht@HsVHr@Hl@HkmHgy@HcH`H_@H^>HRa@HQHQHO@HFHFH$@DX@DU@DN@DN@DLDH@DGwDGwDDD@@D?D?D;@D;@D:HD:HD2_D1@D1@D-D+@D+@D'D!<@D!<@D!<@DDD@D@D@DDDDDD@D@D@D@D uD $@D D @D @DDDFC@C@C@C@CCCCCR@CCCCC@Ci@CC@C@CtC@C@CC:@CECCC @C @CعCعCعCعCC@C-C-C-C@C@CCǖ@C@CáCáCP@CP@C[C @C @CCg@Cg@CCC!@C~@C,C@CCCCC@CC@C@C@CZCZC @C @CCCf@Cf@Cf@CC@CqCqC @C @C @CCC}@C7@C7@C7@CBCBCYC@C@CC}@CqCqLukas Vrabec - 3.13.1-229Lukas Vrabec - 3.13.1-228Lukas Vrabec - 3.13.1-227Lukas Vrabec - 3.13.1-226Lukas Vrabec - 3.13.1-225Lukas Vrabec - 3.13.1-224Lukas Vrabec - 3.13.1-223Lukas Vrabec - 3.13.1-222Lukas Vrabec - 3.13.1-221Lukas Vrabec - 3.13.1-220Lukas Vrabec - 3.13.1-219Lukas Vrabec - 3.13.1-218Lukas Vrabec - 3.13.1-217Lukas Vrabec - 3.13.1-216Lukas Vrabec - 3.13.1-215Lukas Vrabec - 3.13.1-214Lukas Vrabec - 3.13.1-213Lukas Vrabec - 3.13.1-212Lukas Vrabec - 3.13.1-211Lukas Vrabec - 3.13.1-210Lukas Vrabec - 3.13.1-209Lukas Vrabec - 3.13.1-208Lukas Vrabec - 3.13.1-207Lukas Vrabec - 3.13.1-206Lukas Vrabec - 3.13.1-205Lukas Vrabec - 3.13.1-204Lukas Vrabec - 3.13.1-203Lukas Vrabec - 3.13.1-202Lukas Vrabec - 3.13.1-201Lukas Vrabec - 3.13.1-200Lukas Vrabec - 3.13.1-199Lukas Vrabec - 3.13.1-198Lukas Vrabec - 3.13.1-197Lukas Vrabec - 3.13.1-196Lukas Vrabec - 3.13.1-195Lukas Vrabec - 3.13.1-194Lukas Vrabec - 3.13.1-193Lukas Vrabec - 3.13.1-192Lukas Vrabec - 3.13.1-191Lukas Vrabec - 3.13.1-190Lukas Vrabec - 3.13.1-189Lukas Vrabec - 3.13.1-188Lukas Vrabec - 3.13.1-187Lukas Vrabec - 3.13.1-186Lukas Vrabec - 3.13.1-185Lukas Vrabec - 3.13.1-184Lukas Vrabec - 3.13.1-183Lukas Vrabec - 3.13.1-182Lukas Vrabec - 3.13.1-181Lukas Vrabec - 3.13.1-180Lukas Vrabec - 3.13.1-179Lukas Vrabec - 3.13.1-178Lukas Vrabec - 3.13.1-177Lukas Vrabec - 3.13.1-176Lukas Vrabec - 3.13.1-175Lukas Vrabec - 3.13.1-174Lukas Vrabec - 3.13.1-173Lukas Vrabec - 3.13.1-172Lukas Vrabec - 3.13.1-171Lukas Vrabec - 3.13.1-170Lukas Vrabec - 3.13.1-169Lukas Vrabec - 3.13.1-168Lukas Vrabec - 3.13.1-167Lukas Vrabec - 3.13.1-166Lukas Vrabec - 3.13.1-165Lukas Vrabec - 3.13.1-164Lukas Vrabec - 3.13.1-163Lukas Vrabec - 3.13.1-162Lukas Vrabec - 3.13.1-161Lukas Vrabec - 3.13.1-160Lukas Vrabec - 3.13.1-159Lukas Vrabec - 3.13.1-158Lukas Vrabec - 3.13.1-157Lukas Vrabec - 3.13.1-156Lukas Vrabec - 3.13.1-155Lukas Vrabec - 3.13.1-154Lukas Vrabec - 3.13.1-153Lukas Vrabec - 3.13.1-152Lukas Vrabec - 3.13.1-151Lukas Vrabec - 3.13.1-150Lukas Vrabec - 3.13.1-149Lukas Vrabec - 3.13.1-148Lukas Vrabec - 3.13.1-147Lukas Vrabec - 3.13.1-146Lukas Vrabec - 3.13.1-145Lukas Vrabec - 3.13.1-144Lukas Vrabec - 3.13.1-143Lukas Vrabec - 3.13.1-142Lukas Vrabec - 3.13.1-141Lukas Vrabec - 3.13.1-140Lukas Vrabec - 3.13.1-139Lukas Vrabec - 3.13.1-138Lukas Vrabec - 3.13.1-137Lukas Vrabec - 3.13.1-136Lukas Vrabec - 3.13.1-135Lukas Vrabec - 3.13.1-134Lukas Vrabec - 3.13.1-133Lukas Vrabec - 3.13.1-132Lukas Vrabec - 3.13.1-131Lukas Vrabec - 3.13.1-130Lukas Vrabec - 3.13.1-129Lukas Vrabec - 3.13.1-128Lukas Vrabec - 3.13.1-127Lukas Vrabec - 3.13.1-126Lukas Vrabec - 3.13.1-125Lukas Vrabec - 3.13.1-124Lukas Vrabec - 3.13.1-123Lukas Vrabec - 3.13.1-122Lukas Vrabec - 3.13.1-120Lukas Vrabec - 3.13.1-119Lukas Vrabec - 3.13.1-118Lukas Vrabec - 3.13.1-117Lukas Vrabec - 3.13.1-116Lukas Vrabec - 3.13.1-115Lukas Vrabec - 3.13.1-114Lukas Vrabec - 3.13.1-113Lukas Vrabec - 3.13.1-112Lukas Vrabec - 3.13.1-111Lukas Vrabec - 3.13.1-110Lukas Vrabec - 3.13.1-109Lukas Vrabec - 3.13.1-108Lukas Vrabec - 3.13.1-107Lukas Vrabec - 3.13.1-106Miroslav Grepl - 3.13.1-105Lukas Vrabec - 3.13.1-104Lukas Vrabec - 3.13.1-103Dan Walsh - 3.13.1-102Lukas Vrabec - 3.13.1-101Lukas Vrabec - 3.13.1-100Lukas Vrabec - 3.13.1-99Lukas Vrabec - 3.13.1-98Lukas Vrabec - 3.13.1-97Lukas Vrabec - 3.13.1-96Lukas Vrabec - 3.13.1-95Lukas Vrabec - 3.13.1-94Lukas Vrabec - 3.13.1-93Lukas Vrabec - 3.13.1-92Lukas Vrabec - 3.13.1-91Lukas Vrabec - 3.13.1-90Lukas Vrabec - 3.13.1-89Lukas Vrabec - 3.13.1-88Lukas Vrabec - 3.13.1-87Lukas Vrabec - 3.13.1-86Lukas Vrabec - 3.13.1-85Lukas Vrabec - 3.13.1-84Lukas Vrabec - 3.13.1-83Lukas Vrabec - 3.13.1-82Lukas Vrabec - 3.13.1-81Lukas Vrabec - 3.13.1-80Petr Lautrbach - 3.13.1-79Lukas Vrabec - 3.13.1-78Lukas Vrabec - 3.13.1-77Lukas Vrabec - 3.13.1-76Lukas Vrabec - 3.13.1-75Lukas Vrabec - 3.13.1-74Lukas Vrabec - 3.13.1-73Lukas Vrabec - 3.13.1-72Lukas Vrabec - 3.13.1-71Lukas Vrabec - 3.13.1-70Lukas Vrabec - 3.13.1-69Lukas Vrabec - 3.13.1-68Lukas Vrabec - 3.13.1-67Petr Lautrbach - 3.13.1-66Lukas Vrabec 3.13.1-65Lukas Vrabec 3.13.1-64Lukas Vrabec 3.13.1-63Lukas Vrabec 3.13.1-62Lukas Vrabec 3.13.1-61Miroslav Grepl 3.13.1-60Miroslav Grepl 3.13.1-59Lukas Vrabec 3.13.1-58Lukas Vrabec 3.13.1-57Miroslav Grepl 3.13.1-56Lukas Vrabec 3.13.1-55Lukas Vrabec 3.13.1-54Lukas Vrabec 3.13.1-53Lukas Vrabec 3.13.1-52Miroslav Grepl 3.13.1-51Lukas Vrabec 3.13.1-50Lukas Vrabec 3.13.1-49Lukas Vrabec 3.13.1-48Lukas Vrabec 3.13.1-47Lukas Vrabec 3.13.1-46Lukas Vrabec 3.13.1-45Lukas Vrabec 3.13.1-44Lukas Vrabec 3.13.1-43Lukas Vrabec 3.13.1-42Lukas Vrabec 3.13.1-41Lukas Vrabec 3.13.1-40Miroslav Grepl 3.13.1-39Lukas Vrabec 3.13.1-38Lukas Vrabec 3.13.1-37Lukas Vrabec 3.13.1-36Lukas Vrabec 3.13.1-35Lukas Vrabec 3.13.1-34Lukas Vrabec 3.13.1-33Lukas Vrabec 3.13.1-32Miroslav Grepl 3.13.1-31Miroslav Grepl 3.13.1-30Miroslav Grepl 3.13.1-29Miroslav Grepl 3.13.1-28Miroslav Grepl 3.13.1-27Miroslav Grepl 3.13.1-26Miroslav Grepl 3.13.1-25Miroslav Grepl 3.13.1-24Miroslav Grepl 3.13.1-23Miroslav Grepl 3.13.1-22Miroslav Grepl 3.13.1-21Miroslav Grepl 3.13.1-20Miroslav Grepl 3.13.1-19Miroslav Grepl 3.13.1-18Miroslav Grepl 3.13.1-17Miroslav Grepl 3.13.1-16Miroslav Grepl 3.13.1-15Miroslav Grepl 3.13.1-14Miroslav Grepl 3.13.1-13Miroslav Grepl 3.13.1-12Miroslav Grepl 3.13.1-11Miroslav Grepl 3.13.1-10Miroslav Grepl 3.13.1-9Miroslav Grepl 3.13.1-8Miroslav Grepl 3.13.1-7Miroslav Grepl 3.13.1-6Miroslav Grepl 3.13.1-5Miroslav Grepl 3.13.1-4Miroslav Grepl 3.13.1-3Miroslav Grepl 3.13.1-2Miroslav Grepl 3.13.1-1Miroslav Grepl 3.12.1-156Miroslav Grepl 3.12.1-155Miroslav Grepl 3.12.1-154Miroslav Grepl 3.12.1-153Miroslav Grepl 3.12.1-152Miroslav Grepl 3.12.1-151Miroslav Grepl 3.12.1-149Miroslav Grepl 3.12.1-149Miroslav Grepl 3.12.1-148Miroslav Grepl 3.12.1-147Miroslav Grepl 3.12.1-146Miroslav Grepl 3.12.1-145Miroslav Grepl 3.12.1-144Lukas Vrabec 3.12.1-143Miroslav Grepl 3.12.1-142Miroslav Grepl 3.12.1-141Miroslav Grepl 3.12.1-140Miroslav Grepl 3.12.1-139Lukas Vrabec 3.12.1-138Miroslav Grepl 3.12.1-137Miroslav Grepl 3.12.1-136Miroslav Grepl 3.12.1-135Miroslav Grepl 3.12.1-134Miroslav Grepl 3.12.1-133Miroslav Grepl 3.12.1-132Miroslav Grepl 3.12.1-131Miroslav Grepl 3.12.1-130Miroslav Grepl 3.12.1-129Miroslav Grepl 3.12.1-128Miroslav Grepl 3.12.1-127Miroslav Grepl 3.12.1-126Miroslav Grepl 3.12.1-125Miroslav Grepl 3.12.1-124Miroslav Grepl 3.12.1-123Miroslav Grepl 3.12.1-122Miroslav Grepl 3.12.1-121Miroslav Grepl 3.12.1-120Miroslav Grepl 3.12.1-119Miroslav Grepl 3.12.1-118Miroslav Grepl 3.12.1-117Miroslav Grepl 3.12.1-116Miroslav Grepl 3.12.1-115Miroslav Grepl 3.12.1-114Miroslav Grepl 3.12.1-113Miroslav Grepl 3.12.1-112Miroslav Grepl 3.12.1-111Miroslav Grepl 3.12.1-110Miroslav Grepl 3.12.1-109Miroslav Grepl 3.12.1-108Miroslav Grepl 3.12.1-107Dan Walsh 3.12.1-106Miroslav Grepl 3.12.1-105Miroslav Grepl 3.12.1-104Miroslav Grepl 3.12.1-103Miroslav Grepl 3.12.1-102Miroslav Grepl 3.12.1-101Miroslav Grepl 3.12.1-100Miroslav Grepl 3.12.1-99Miroslav Grepl 3.12.1-98Miroslav Grepl 3.12.1-97Miroslav Grepl 3.12.1-96Miroslav Grepl 3.12.1-95Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-94Miroslav Grepl 3.12.1-93Miroslav Grepl 3.12.1-92Miroslav Grepl 3.12.1-91Miroslav Grepl 3.12.1-90Miroslav Grepl 3.12.1-89Miroslav Grepl 3.12.1-88Miroslav Grepl 3.12.1-87Miroslav Grepl 3.12.1-86Miroslav Grepl 3.12.1-85Miroslav Grepl 3.12.1-84Miroslav Grepl 3.12.1-83Miroslav Grepl 3.12.1-82Miroslav Grepl 3.12.1-81Miroslav Grepl 3.12.1-80Miroslav Grepl 3.12.1-79Miroslav Grepl 3.12.1-78Miroslav Grepl 3.12.1-77Miroslav Grepl 3.12.1-76Miroslav Grepl 3.12.1-75Miroslav Grepl 3.12.1-74Miroslav Grepl 3.12.1-73Miroslav Grepl 3.12.1-72Miroslav Grepl 3.12.1-71Miroslav Grepl 3.12.1-70Miroslav Grepl 3.12.1-69Miroslav Grepl 3.12.1-68Miroslav Grepl 3.12.1-67Miroslav Grepl 3.12.1-66Miroslav Grepl 3.12.1-65Miroslav Grepl 3.12.1-64Miroslav Grepl 3.12.1-63Miroslav Grepl 3.12.1-62Miroslav Grepl 3.12.1-61Miroslav Grepl 3.12.1-60Miroslav Grepl 3.12.1-59Miroslav Grepl 3.12.1-58Miroslav Grepl 3.12.1-57Miroslav Grepl 3.12.1-56Miroslav Grepl 3.12.1-55Miroslav Grepl 3.12.1-54Miroslav Grepl 3.12.1-53Miroslav Grepl 3.12.1-52Miroslav Grepl 3.12.1-51Miroslav Grepl 3.12.1-50Miroslav Grepl 3.12.1-49Miroslav Grepl 3.12.1-48Miroslav Grepl 3.12.1-47Miroslav Grepl 3.12.1-46Miroslav Grepl 3.12.1-45Miroslav Grepl 3.12.1-44Miroslav Grepl 3.12.1-43Miroslav Grepl 3.12.1-42Miroslav Grepl 3.12.1-41Miroslav Grepl 3.12.1-40Miroslav Grepl 3.12.1-39Miroslav Grepl 3.12.1-38Miroslav Grepl 3.12.1-37Miroslav Grepl 3.12.1-36Miroslav Grepl 3.12.1-35Miroslav Grepl 3.12.1-34Miroslav Grepl 3.12.1-33Miroslav Grepl 3.12.1-32Miroslav Grepl 3.12.1-31Miroslav Grepl 3.12.1-30Miroslav Grepl 3.12.1-29Dan Walsh 3.12.1-28Dan Walsh 3.12.1-27Miroslav Grepl 3.12.1-26Miroslav Grepl 3.12.1-25Miroslav Grepl 3.12.1-24Miroslav Grepl 3.12.1-23Miroslav Grepl 3.12.1-22Miroslav Grepl 3.12.1-21Miroslav Grepl 3.12.1-20Miroslav Grepl 3.12.1-19Miroslav Grepl 3.12.1-18Miroslav Grepl 3.12.1-17Miroslav Grepl 3.12.1-16Miroslav Grepl 3.12.1-15Miroslav Grepl 3.12.1-14Miroslav Grepl 3.12.1-13Miroslav Grepl 3.12.1-12Miroslav Grepl 3.12.1-11Miroslav Grepl 3.12.1-10Miroslav Grepl 3.12.1-9Miroslav Grepl 3.12.1-8Miroslav Grepl 3.12.1-7Miroslav Grepl 3.12.1-6Miroslav Grepl 3.12.1-5Miroslav Grepl 3.12.1-4Miroslav Grepl 3.12.1-3Miroslav Grepl 3.12.1-2Miroslav Grepl 3.12.1-1Dan Walsh 3.11.1-69.1Miroslav Grepl 3.11.1-69Miroslav Grepl 3.11.1-68Miroslav Grepl 3.11.1-67Miroslav Grepl 3.11.1-66Miroslav Grepl 3.11.1-65Miroslav Grepl 3.11.1-64Miroslav Grepl 3.11.1-63Miroslav Grepl 3.11.1-62Miroslav Grepl 3.11.1-61Miroslav Grepl 3.11.1-60Miroslav Grepl 3.11.1-59Miroslav Grepl 3.11.1-58Miroslav Grepl 3.11.1-57Miroslav Grepl 3.11.1-56Miroslav Grepl 3.11.1-55Miroslav Grepl 3.11.1-54Miroslav Grepl 3.11.1-53Miroslav Grepl 3.11.1-52Miroslav Grepl 3.11.1-51Miroslav Grepl 3.11.1-50Miroslav Grepl 3.11.1-49Miroslav Grepl 3.11.1-48Miroslav Grepl 3.11.1-47Miroslav Grepl 3.11.1-46Miroslav Grepl 3.11.1-45Miroslav Grepl 3.11.1-44Miroslav Grepl 3.11.1-43Miroslav Grepl 3.11.1-42Miroslav Grepl 3.11.1-41Miroslav Grepl 3.11.1-40Miroslav Grepl 3.11.1-39Miroslav Grepl 3.11.1-38Miroslav Grepl 3.11.1-37Miroslav Grepl 3.11.1-36Miroslav Grepl 3.11.1-35Miroslav Grepl 3.11.1-34Miroslav Grepl 3.11.1-33Miroslav Grepl 3.11.1-32Miroslav Grepl 3.11.1-31Miroslav Grepl 3.11.1-30Miroslav Grepl 3.11.1-29Miroslav Grepl 3.11.1-28Miroslav Grepl 3.11.1-27Miroslav Grepl 3.11.1-26Miroslav Grepl 3.11.1-25Miroslav Grepl 3.11.1-24Miroslav Grepl 3.11.1-23Miroslav Grepl 3.11.1-22Miroslav Grepl 3.11.1-21Miroslav Grepl 3.11.1-20Miroslav Grepl 3.11.1-19Miroslav Grepl 3.11.1-18Miroslav Grepl 3.11.1-17Miroslav Grepl 3.11.1-16Dan Walsh 3.11.1-15Miroslav Grepl 3.11.1-14Dan Walsh 3.11.1-13Miroslav Grepl 3.11.1-12Miroslav Grepl 3.11.1-11Miroslav Grepl 3.11.1-10Dan Walsh 3.11.1-9Dan Walsh 3.11.1-8Dan Walsh 3.11.1-7Dan Walsh 3.11.1-6Miroslav Grepl 3.11.1-5Miroslav Grepl 3.11.1-4Miroslav Grepl 3.11.1-3Miroslav Grepl 3.11.1-2Miroslav Grepl 3.11.1-1Miroslav Grepl 3.11.1-0Miroslav Grepl 3.11.0-15Miroslav Grepl 3.11.0-14Miroslav Grepl 3.11.0-13Miroslav Grepl 3.11.0-12Fedora Release Engineering - 3.11.0-11Miroslav Grepl 3.11.0-10Miroslav Grepl 3.11.0-9Miroslav Grepl 3.11.0-8Miroslav Grepl 3.11.0-7Miroslav Grepl 3.11.0-6Miroslav Grepl 3.11.0-5Miroslav Grepl 3.11.0-4Miroslav Grepl 3.11.0-3Miroslav Grepl 3.11.0-2Miroslav Grepl 3.11.0-1Miroslav Grepl 3.10.0-128Miroslav Grepl 3.10.0-127Miroslav Grepl 3.10.0-126Miroslav Grepl 3.10.0-125Miroslav Grepl 3.10.0-124Miroslav Grepl 3.10.0-123Miroslav Grepl 3.10.0-122Miroslav Grepl 3.10.0-121Miroslav Grepl 3.10.0-120Miroslav Grepl 3.10.0-119Miroslav Grepl 3.10.0-118Miroslav Grepl 3.10.0-117Miroslav Grepl 3.10.0-116Miroslav Grepl 3.10.0-115Miroslav Grepl 3.10.0-114Miroslav Grepl 3.10.0-113Miroslav Grepl 3.10.0-112Miroslav Grepl 3.10.0-111Miroslav Grepl 3.10.0-110Miroslav Grepl 3.10.0-109Miroslav Grepl 3.10.0-108Miroslav Grepl 3.10.0-107Miroslav Grepl 3.10.0-106Miroslav Grepl 3.10.0-105Miroslav Grepl 3.10.0-104Miroslav Grepl 3.10.0-103Miroslav Grepl 3.10.0-102Miroslav Grepl 3.10.0-101Miroslav Grepl 3.10.0-100Miroslav Grepl 3.10.0-99Miroslav Grepl 3.10.0-98Miroslav Grepl 3.10.0-97Miroslav Grepl 3.10.0-96Miroslav Grepl 3.10.0-95Miroslav Grepl 3.10.0-94Miroslav Grepl 3.10.0-93Miroslav Grepl 3.10.0-92Miroslav Grepl 3.10.0-91Miroslav Grepl 3.10.0-90Miroslav Grepl 3.10.0-89Miroslav Grepl 3.10.0-88Miroslav Grepl 3.10.0-87Miroslav Grepl 3.10.0-86Miroslav Grepl 3.10.0-85Miroslav Grepl 3.10.0-84Miroslav Grepl 3.10.0-83Miroslav Grepl 3.10.0-82Dan Walsh 3.10.0-81.2Miroslav Grepl 3.10.0-81Miroslav Grepl 3.10.0-80Miroslav Grepl 3.10.0-79Miroslav Grepl 3.10.0-78Miroslav Grepl 3.10.0-77Miroslav Grepl 3.10.0-76Miroslav Grepl 3.10.0-75Dan Walsh 3.10.0-74.2Miroslav Grepl 3.10.0-74Miroslav Grepl 3.10.0-73Miroslav Grepl 3.10.0-72Miroslav Grepl 3.10.0-71Miroslav Grepl 3.10.0-70Miroslav Grepl 3.10.0-69Miroslav Grepl 3.10.0-68Miroslav Grepl 3.10.0-67Miroslav Grepl 3.10.0-66Miroslav Grepl 3.10.0-65Miroslav Grepl 3.10.0-64Miroslav Grepl 3.10.0-63Miroslav Grepl 3.10.0-59Miroslav Grepl 3.10.0-58Dan Walsh 3.10.0-57Dan Walsh 3.10.0-56Dan Walsh 3.10.0-55.2Dan Walsh 3.10.0-55.1Miroslav Grepl 3.10.0-55Dan Walsh 3.10.0-54.1Miroslav Grepl 3.10.0-54Dan Walsh 3.10.0-53.1Miroslav Grepl 3.10.0-53Miroslav Grepl 3.10.0-52Miroslav Grepl 3.10.0-51Dan Walsh 3.10.0-50.2Dan Walsh 3.10.0-50.1Miroslav Grepl 3.10.0-50Miroslav Grepl 3.10.0-49Miroslav Grepl 3.10.0-48Miroslav Grepl 3.10.0-47Dan Walsh 3.10.0-46.1Miroslav Grepl 3.10.0-46Dan Walsh 3.10.0-45.1Miroslav Grepl 3.10.0-45Miroslav Grepl 3.10.0-43Miroslav Grepl 3.10.0-42Miroslav Grepl 3.10.0-41Dan Walsh 3.10.0-40.2Miroslav Grepl 3.10.0-40Dan Walsh 3.10.0-39.3Dan Walsh 3.10.0-39.2Dan Walsh 3.10.0-39.1Miroslav Grepl 3.10.0-39Dan Walsh 3.10.0-38.1Miroslav Grepl 3.10.0-38Miroslav Grepl 3.10.0-37Dan Walsh 3.10.0-36.1Miroslav Grepl 3.10.0-36Dan Walsh 3.10.0-35Dan Walsh 3.10.0-34.7Dan Walsh 3.10.0-34.6Dan Walsh 3.10.0-34.4Miroslav Grepl 3.10.0-34.3Dan Walsh 3.10.0-34.2Dan Walsh 3.10.0-34.1Miroslav Grepl 3.10.0-34Miroslav Grepl 3.10.0-33Dan Walsh 3.10.0-31.1Miroslav Grepl 3.10.0-31Miroslav Grepl 3.10.0-29Miroslav Grepl 3.10.0-28Miroslav Grepl 3.10.0-27Miroslav Grepl 3.10.0-26Miroslav Grepl 3.10.0-25Miroslav Grepl 3.10.0-24Miroslav Grepl 3.10.0-23Miroslav Grepl 3.10.0-22Miroslav Grepl 3.10.0-21Dan Walsh 3.10.0-20Miroslav Grepl 3.10.0-19Miroslav Grepl 3.10.0-18Miroslav Grepl 3.10.0-17Miroslav Grepl 3.10.0-16Miroslav Grepl 3.10.0-14Miroslav Grepl 3.10.0-13Miroslav Grepl 3.10.0-12Miroslav Grepl 3.10.0-11Miroslav Grepl 3.10.0-10Miroslav Grepl 3.10.0-9Miroslav Grepl 3.10.0-8Miroslav Grepl 3.10.0-7Miroslav Grepl 3.10.0-6Miroslav Grepl 3.10.0-5Miroslav Grepl 3.10.0-4Miroslav Grepl 3.10.0-3Miroslav Grepl 3.10.0-2Miroslav Grepl 3.10.0-1Miroslav Grepl 3.9.16-30Dan Walsh 3.9.16-29.1Miroslav Grepl 3.9.16-29Dan Walsh 3.9.16-28.1Miroslav Grepl 3.9.16-27Miroslav Grepl 3.9.16-26Miroslav Grepl 3.9.16-25Miroslav Grepl 3.9.16-24Miroslav Grepl 3.9.16-23Miroslav Grepl 3.9.16-22Miroslav Grepl 3.9.16-21Miroslav Grepl 3.9.16-20Miroslav Grepl 3.9.16-19Miroslav Grepl 3.9.16-18Miroslav Grepl 3.9.16-17Dan Walsh 3.9.16-16.1Miroslav Grepl 3.9.16-16Miroslav Grepl 3.9.16-15Miroslav Grepl 3.9.16-14Miroslav Grepl 3.9.16-13Miroslav Grepl 3.9.16-12Miroslav Grepl 3.9.16-11Miroslav Grepl 3.9.16-10Miroslav Grepl 3.9.16-7Miroslav Grepl 3.9.16-6Miroslav Grepl 3.9.16-5Miroslav Grepl 3.9.16-4Miroslav Grepl 3.9.16-3Miroslav Grepl 3.9.16-2Miroslav Grepl 3.9.16-1Miroslav Grepl 3.9.15-5Miroslav Grepl 3.9.15-2Miroslav Grepl 3.9.15-1Fedora Release Engineering - 3.9.14-2Dan Walsh 3.9.14-1Miroslav Grepl 3.9.13-10Miroslav Grepl 3.9.13-9Dan Walsh 3.9.13-8Miroslav Grepl 3.9.13-7Miroslav Grepl 3.9.13-6Miroslav Grepl 3.9.13-5Miroslav Grepl 3.9.13-4Miroslav Grepl 3.9.13-3Miroslav Grepl 3.9.13-2Miroslav Grepl 3.9.13-1Miroslav Grepl 3.9.12-8Miroslav Grepl 3.9.12-7Miroslav Grepl 3.9.12-6Miroslav Grepl 3.9.12-5Dan Walsh 3.9.12-4Dan Walsh 3.9.12-3Dan Walsh 3.9.12-2Miroslav Grepl 3.9.12-1Dan Walsh 3.9.11-2Miroslav Grepl 3.9.11-1Miroslav Grepl 3.9.10-13Dan Walsh 3.9.10-12Miroslav Grepl 3.9.10-11Miroslav Grepl 3.9.10-10Miroslav Grepl 3.9.10-9Miroslav Grepl 3.9.10-8Miroslav Grepl 3.9.10-7Miroslav Grepl 3.9.10-6Miroslav Grepl 3.9.10-5Dan Walsh 3.9.10-4Miroslav Grepl 3.9.10-3Miroslav Grepl 3.9.10-2Miroslav Grepl 3.9.10-1Miroslav Grepl 3.9.9-4Dan Walsh 3.9.9-3Miroslav Grepl 3.9.9-2Miroslav Grepl 3.9.9-1Miroslav Grepl 3.9.8-7Dan Walsh 3.9.8-6Miroslav Grepl 3.9.8-5Miroslav Grepl 3.9.8-4Dan Walsh 3.9.8-3Dan Walsh 3.9.8-2Dan Walsh 3.9.8-1Dan Walsh 3.9.7-10Dan Walsh 3.9.7-9Dan Walsh 3.9.7-8Dan Walsh 3.9.7-7Dan Walsh 3.9.7-6Dan Walsh 3.9.7-5Dan Walsh 3.9.7-4Dan Walsh 3.9.7-3Dan Walsh 3.9.7-2Dan Walsh 3.9.7-1Dan Walsh 3.9.6-3Dan Walsh 3.9.6-2Dan Walsh 3.9.6-1Dan Walsh 3.9.5-11Dan Walsh 3.9.5-10Dan Walsh 3.9.5-9Dan Walsh 3.9.5-8Dan Walsh 3.9.5-7Dan Walsh 3.9.5-6Dan Walsh 3.9.5-5Dan Walsh 3.9.5-4Dan Walsh 3.9.5-3Dan Walsh 3.9.5-2Dan Walsh 3.9.5-1Dan Walsh 3.9.4-3Dan Walsh 3.9.4-2Dan Walsh 3.9.4-1Dan Walsh 3.9.3-4Dan Walsh 3.9.3-3Dan Walsh 3.9.3-2Dan Walsh 3.9.3-1Dan Walsh 3.9.2-1Dan Walsh 3.9.1-3Dan Walsh 3.9.1-2Dan Walsh 3.9.1-1Dan Walsh 3.9.0-2Dan Walsh 3.9.0-1Dan Walsh 3.8.8-21Dan Walsh 3.8.8-20Dan Walsh 3.8.8-19Dan Walsh 3.8.8-18Dan Walsh 3.8.8-17Dan Walsh 3.8.8-16Dan Walsh 3.8.8-15Dan Walsh 3.8.8-14Dan Walsh 3.8.8-13Dan Walsh 3.8.8-12Dan Walsh 3.8.8-11Dan Walsh 3.8.8-10Dan Walsh 3.8.8-9Dan Walsh 3.8.8-8Dan Walsh 3.8.8-7Dan Walsh 3.8.8-6Dan Walsh 3.8.8-5Dan Walsh 3.8.8-4Dan Walsh 3.8.8-3Dan Walsh 3.8.8-2Dan Walsh 3.8.8-1Dan Walsh 3.8.7-3Dan Walsh 3.8.7-2Dan Walsh 3.8.7-1Dan Walsh 3.8.6-3Miroslav Grepl 3.8.6-2Dan Walsh 3.8.6-1Dan Walsh 3.8.5-1Dan Walsh 3.8.4-1Dan Walsh 3.8.3-4Dan Walsh 3.8.3-3Dan Walsh 3.8.3-2Dan Walsh 3.8.3-1Dan Walsh 3.8.2-1Dan Walsh 3.8.1-5Dan Walsh 3.8.1-4Dan Walsh 3.8.1-3Dan Walsh 3.8.1-2Dan Walsh 3.8.1-1Dan Walsh 3.7.19-22Dan Walsh 3.7.19-21Dan Walsh 3.7.19-20Dan Walsh 3.7.19-19Dan Walsh 3.7.19-17Dan Walsh 3.7.19-16Dan Walsh 3.7.19-15Dan Walsh 3.7.19-14Dan Walsh 3.7.19-13Dan Walsh 3.7.19-12Dan Walsh 3.7.19-11Dan Walsh 3.7.19-10Dan Walsh 3.7.19-9Dan Walsh 3.7.19-8Dan Walsh 3.7.19-7Dan Walsh 3.7.19-6Dan Walsh 3.7.19-5Dan Walsh 3.7.19-4Dan Walsh 3.7.19-3Dan Walsh 3.7.19-2Dan Walsh 3.7.19-1Dan Walsh 3.7.18-3Dan Walsh 3.7.18-2Dan Walsh 3.7.18-1Dan Walsh 3.7.17-6Dan Walsh 3.7.17-5Dan Walsh 3.7.17-4Dan Walsh 3.7.17-3Dan Walsh 3.7.17-2Dan Walsh 3.7.17-1Dan Walsh 3.7.16-2Dan Walsh 3.7.16-1Dan Walsh 3.7.15-4Dan Walsh 3.7.15-3Dan Walsh 3.7.15-2Dan Walsh 3.7.15-1Dan Walsh 3.7.14-5Dan Walsh 3.7.14-4Dan Walsh 3.7.14-3Dan Walsh 3.7.14-2Dan Walsh 3.7.14-1Dan Walsh 3.7.13-4Dan Walsh 3.7.13-3Dan Walsh 3.7.13-2Dan Walsh 3.7.13-1Dan Walsh 3.7.12-1Dan Walsh 3.7.11-1Dan Walsh 3.7.10-5Dan Walsh 3.7.10-4Dan Walsh 3.7.10-3Dan Walsh 3.7.10-2Dan Walsh 3.7.10-1Dan Walsh 3.7.9-4Dan Walsh 3.7.9-3Dan Walsh 3.7.9-2Dan Walsh 3.7.9-1Dan Walsh 3.7.8-11Dan Walsh 3.7.8-9Dan Walsh 3.7.8-8Dan Walsh 3.7.8-7Dan Walsh 3.7.8-6Dan Walsh 3.7.8-5Dan Walsh 3.7.8-4Dan Walsh 3.7.8-3Dan Walsh 3.7.8-2Dan Walsh 3.7.8-1Dan Walsh 3.7.7-3Dan Walsh 3.7.7-2Dan Walsh 3.7.7-1Dan Walsh 3.7.6-1Dan Walsh 3.7.5-8Dan Walsh 3.7.5-7Dan Walsh 3.7.5-6Dan Walsh 3.7.5-5Dan Walsh 3.7.5-4Dan Walsh 3.7.5-3Dan Walsh 3.7.5-2Dan Walsh 3.7.5-1Dan Walsh 3.7.4-4Dan Walsh 3.7.4-3Dan Walsh 3.7.4-2Dan Walsh 3.7.4-1Dan Walsh 3.7.3-1Dan Walsh 3.7.1-1Dan Walsh 3.6.33-2Dan Walsh 3.6.33-1Dan Walsh 3.6.32-17Dan Walsh 3.6.32-16Dan Walsh 3.6.32-15Dan Walsh 3.6.32-13Dan Walsh 3.6.32-12Dan Walsh 3.6.32-11Dan Walsh 3.6.32-10Dan Walsh 3.6.32-9Dan Walsh 3.6.32-8Dan Walsh 3.6.32-7Dan Walsh 3.6.32-6Dan Walsh 3.6.32-5Dan Walsh 3.6.32-4Dan Walsh 3.6.32-3Dan Walsh 3.6.32-2Dan Walsh 3.6.32-1Dan Walsh 3.6.31-5Dan Walsh 3.6.31-4Dan Walsh 3.6.31-3Dan Walsh 3.6.31-2Dan Walsh 3.6.30-6Dan Walsh 3.6.30-5Dan Walsh 3.6.30-4Dan Walsh 3.6.30-3Dan Walsh 3.6.30-2Dan Walsh 3.6.30-1Dan Walsh 3.6.29-2Dan Walsh 3.6.29-1Dan Walsh 3.6.28-9Dan Walsh 3.6.28-8Dan Walsh 3.6.28-7Dan Walsh 3.6.28-6Dan Walsh 3.6.28-5Dan Walsh 3.6.28-4Dan Walsh 3.6.28-3Dan Walsh 3.6.28-2Dan Walsh 3.6.28-1Dan Walsh 3.6.27-1Dan Walsh 3.6.26-11Dan Walsh 3.6.26-10Dan Walsh 3.6.26-9Bill Nottingham 3.6.26-8Dan Walsh 3.6.26-7Dan Walsh 3.6.26-6Dan Walsh 3.6.26-5Dan Walsh 3.6.26-4Dan Walsh 3.6.26-3Dan Walsh 3.6.26-2Dan Walsh 3.6.26-1Dan Walsh 3.6.25-1Dan Walsh 3.6.24-1Dan Walsh 3.6.23-2Dan Walsh 3.6.23-1Dan Walsh 3.6.22-3Dan Walsh 3.6.22-1Dan Walsh 3.6.21-4Dan Walsh 3.6.21-3Tom "spot" Callaway 3.6.21-2Dan Walsh 3.6.21-1Dan Walsh 3.6.20-2Dan Walsh 3.6.20-1Dan Walsh 3.6.19-5Dan Walsh 3.6.19-4Dan Walsh 3.6.19-3Dan Walsh 3.6.19-2Dan Walsh 3.6.19-1Dan Walsh 3.6.18-1Dan Walsh 3.6.17-1Dan Walsh 3.6.16-4Dan Walsh 3.6.16-3Dan Walsh 3.6.16-2Dan Walsh 3.6.16-1Dan Walsh 3.6.14-3Dan Walsh 3.6.14-2Dan Walsh 3.6.14-1Dan Walsh 3.6.13-3Dan Walsh 3.6.13-2Dan Walsh 3.6.13-1Dan Walsh 3.6.12-39Dan Walsh 3.6.12-38Dan Walsh 3.6.12-37Dan Walsh 3.6.12-36Dan Walsh 3.6.12-35Dan Walsh 3.6.12-34Dan Walsh 3.6.12-33Dan Walsh 3.6.12-31Dan Walsh 3.6.12-30Dan Walsh 3.6.12-29Dan Walsh 3.6.12-28Dan Walsh 3.6.12-27Dan Walsh 3.6.12-26Dan Walsh 3.6.12-25Dan Walsh 3.6.12-24Dan Walsh 3.6.12-23Dan Walsh 3.6.12-22Dan Walsh 3.6.12-21Dan Walsh 3.6.12-20Dan Walsh 3.6.12-19Dan Walsh 3.6.12-16Dan Walsh 3.6.12-15Dan Walsh 3.6.12-14Dan Walsh 3.6.12-13Dan Walsh 3.6.12-12Dan Walsh 3.6.12-11Dan Walsh 3.6.12-10Dan Walsh 3.6.12-9Dan Walsh 3.6.12-8Dan Walsh 3.6.12-7Dan Walsh 3.6.12-6Dan Walsh 3.6.12-5Dan Walsh 3.6.12-4Dan Walsh 3.6.12-3Dan Walsh 3.6.12-2Dan Walsh 3.6.12-1Dan Walsh 3.6.11-1Dan Walsh 3.6.10-9Dan Walsh 3.6.10-8Dan Walsh 3.6.10-7Dan Walsh 3.6.10-6Dan Walsh 3.6.10-5Dan Walsh 3.6.10-4Dan Walsh 3.6.10-3Dan Walsh 3.6.10-2Dan Walsh 3.6.10-1Dan Walsh 3.6.9-4Dan Walsh 3.6.9-3Dan Walsh 3.6.9-2Dan Walsh 3.6.9-1Dan Walsh 3.6.8-4Dan Walsh 3.6.8-3Dan Walsh 3.6.8-2Dan Walsh 3.6.8-1Dan Walsh 3.6.7-2Dan Walsh 3.6.7-1Dan Walsh 3.6.6-9Dan Walsh 3.6.6-8Fedora Release Engineering - 3.6.6-7Dan Walsh 3.6.6-6Dan Walsh 3.6.6-5Dan Walsh 3.6.6-4Dan Walsh 3.6.6-3Dan Walsh 3.6.6-2Dan Walsh 3.6.6-1Dan Walsh 3.6.5-3Dan Walsh 3.6.5-1Dan Walsh 3.6.4-6Dan Walsh 3.6.4-5Dan Walsh 3.6.4-4Dan Walsh 3.6.4-3Dan Walsh 3.6.4-2Dan Walsh 3.6.4-1Dan Walsh 3.6.3-13Dan Walsh 3.6.3-12Dan Walsh 3.6.3-11Dan Walsh 3.6.3-10Dan Walsh 3.6.3-9Dan Walsh 3.6.3-8Dan Walsh 3.6.3-7Dan Walsh 3.6.3-6Dan Walsh 3.6.3-3Dan Walsh 3.6.3-2Dan Walsh 3.6.3-1Dan Walsh 3.6.2-5Dan Walsh 3.6.2-4Dan Walsh 3.6.2-3Dan Walsh 3.6.2-2Dan Walsh 3.6.2-1Dan Walsh 3.6.1-15Dan Walsh 3.6.1-14Dan Walsh 3.6.1-13Dan Walsh 3.6.1-12Dan Walsh 3.6.1-11Dan Walsh 3.6.1-10Dan Walsh 3.6.1-9Dan Walsh 3.6.1-8Dan Walsh 3.6.1-7Dan Walsh 3.6.1-4Ignacio Vazquez-Abrams - 3.6.1-2Dan Walsh 3.5.13-19Dan Walsh 3.5.13-18Dan Walsh 3.5.13-17Dan Walsh 3.5.13-16Dan Walsh 3.5.13-15Dan Walsh 3.5.13-14Dan Walsh 3.5.13-13Dan Walsh 3.5.13-12Dan Walsh 3.5.13-11Dan Walsh 3.5.13-9Dan Walsh 3.5.13-8Dan Walsh 3.5.13-7Dan Walsh 3.5.13-6Dan Walsh 3.5.13-5Dan Walsh 3.5.13-4Dan Walsh 3.5.13-3Dan Walsh 3.5.13-2Dan Walsh 3.5.13-1Dan Walsh 3.5.12-3Dan Walsh 3.5.12-2Dan Walsh 3.5.12-1Dan Walsh 3.5.11-1Dan Walsh 3.5.10-3Dan Walsh 3.5.10-2Dan Walsh 3.5.10-1Dan Walsh 3.5.9-4Dan Walsh 3.5.9-3Dan Walsh 3.5.9-2Dan Walsh 3.5.9-1Dan Walsh 3.5.8-7Dan Walsh 3.5.8-6Dan Walsh 3.5.8-5Dan Walsh 3.5.8-4Dan Walsh 3.5.8-3Dan Walsh 3.5.8-1Dan Walsh 3.5.7-2Dan Walsh 3.5.7-1Dan Walsh 3.5.6-2Dan Walsh 3.5.6-1Dan Walsh 3.5.5-4Dan Walsh 3.5.5-3Dan Walsh 3.5.5-2Dan Walsh 3.5.4-2Dan Walsh 3.5.4-1Dan Walsh 3.5.3-1Dan Walsh 3.5.2-2Dan Walsh 3.5.1-5Dan Walsh 3.5.1-4Dan Walsh 3.5.1-3Dan Walsh 3.5.1-2Dan Walsh 3.5.1-1Dan Walsh 3.5.0-1Dan Walsh 3.4.2-14Dan Walsh 3.4.2-13Dan Walsh 3.4.2-12Dan Walsh 3.4.2-11Dan Walsh 3.4.2-10Dan Walsh 3.4.2-9Dan Walsh 3.4.2-8Dan Walsh 3.4.2-7Dan Walsh 3.4.2-6Dan Walsh 3.4.2-5Dan Walsh 3.4.2-4Dan Walsh 3.4.2-3Dan Walsh 3.4.2-2Dan Walsh 3.4.2-1Dan Walsh 3.4.1-5Dan Walsh 3.4.1-3Dan Walsh 3.4.1-2Dan Walsh 3.4.1-1Dan Walsh 3.3.1-48Dan Walsh 3.3.1-47Dan Walsh 3.3.1-46Dan Walsh 3.3.1-45Dan Walsh 3.3.1-44Dan Walsh 3.3.1-43Dan Walsh 3.3.1-42Dan Walsh 3.3.1-41Dan Walsh 3.3.1-39Dan Walsh 3.3.1-37Dan Walsh 3.3.1-36Dan Walsh 3.3.1-33Dan Walsh 3.3.1-32Dan Walsh 3.3.1-31Dan Walsh 3.3.1-30Dan Walsh 3.3.1-29Dan Walsh 3.3.1-28Dan Walsh 3.3.1-27Dan Walsh 3.3.1-26Dan Walsh 3.3.1-25Dan Walsh 3.3.1-24Dan Walsh 3.3.1-23Dan Walsh 3.3.1-22Dan Walsh 3.3.1-21Dan Walsh 3.3.1-20Dan Walsh 3.3.1-19Dan Walsh 3.3.1-18Dan Walsh 3.3.1-17Dan Walsh 3.3.1-16Dan Walsh 3.3.1-15Bill Nottingham 3.3.1-14Dan Walsh 3.3.1-13Dan Walsh 3.3.1-12Dan Walsh 3.3.1-11Dan Walsh 3.3.1-10Dan Walsh 3.3.1-9Dan Walsh 3.3.1-8Dan Walsh 3.3.1-6Dan Walsh 3.3.1-5Dan Walsh 3.3.1-4Dan Walsh 3.3.1-2Dan Walsh 3.3.1-1Dan Walsh 3.3.0-2Dan Walsh 3.3.0-1Dan Walsh 3.2.9-2Dan Walsh 3.2.9-1Dan Walsh 3.2.8-2Dan Walsh 3.2.8-1Dan Walsh 3.2.7-6Dan Walsh 3.2.7-5Dan Walsh 3.2.7-3Dan Walsh 3.2.7-2Dan Walsh 3.2.7-1Dan Walsh 3.2.6-7Dan Walsh 3.2.6-6Dan Walsh 3.2.6-5Dan Walsh 3.2.6-4Dan Walsh 3.2.6-3Dan Walsh 3.2.6-2Dan Walsh 3.2.6-1Dan Walsh 3.2.5-25Dan Walsh 3.2.5-24Dan Walsh 3.2.5-22Dan Walsh 3.2.5-21Dan Walsh 3.2.5-20Dan Walsh 3.2.5-19Dan Walsh 3.2.5-18Dan Walsh 3.2.5-17Dan Walsh 3.2.5-16Dan Walsh 3.2.5-15Dan Walsh 3.2.5-14Dan Walsh 3.2.5-13Dan Walsh 3.2.5-12Dan Walsh 3.2.5-11Dan Walsh 3.2.5-10Dan Walsh 3.2.5-9Dan Walsh 3.2.5-8Dan Walsh 3.2.5-7Dan Walsh 3.2.5-6Dan Walsh 3.2.5-5Dan Walsh 3.2.5-4Dan Walsh 3.2.5-3Dan Walsh 3.2.5-2Dan Walsh 3.2.5-1Dan Walsh 3.2.4-5Dan Walsh 3.2.4-4Dan Walsh 3.2.4-3Dan Walsh 3.2.4-1Dan Walsh 3.2.4-1Dan Walsh 3.2.3-2Dan Walsh 3.2.3-1Dan Walsh 3.2.2-1Dan Walsh 3.2.1-3Dan Walsh 3.2.1-1Dan Walsh 3.1.2-2Dan Walsh 3.1.2-1Dan Walsh 3.1.1-1Dan Walsh 3.1.0-1Dan Walsh 3.0.8-30Dan Walsh 3.0.8-28Dan Walsh 3.0.8-27Dan Walsh 3.0.8-26Dan Walsh 3.0.8-25Dan Walsh 3.0.8-24Dan Walsh 3.0.8-23Dan Walsh 3.0.8-22Dan Walsh 3.0.8-21Dan Walsh 3.0.8-20Dan Walsh 3.0.8-19Dan Walsh 3.0.8-18Dan Walsh 3.0.8-17Dan Walsh 3.0.8-16Dan Walsh 3.0.8-15Dan Walsh 3.0.8-14Dan Walsh 3.0.8-13Dan Walsh 3.0.8-12Dan Walsh 3.0.8-11Dan Walsh 3.0.8-10Dan Walsh 3.0.8-9Dan Walsh 3.0.8-8Dan Walsh 3.0.8-7Dan Walsh 3.0.8-5Dan Walsh 3.0.8-4Dan Walsh 3.0.8-3Dan Walsh 3.0.8-2Dan Walsh 3.0.8-1Dan Walsh 3.0.7-10Dan Walsh 3.0.7-9Dan Walsh 3.0.7-8Dan Walsh 3.0.7-7Dan Walsh 3.0.7-6Dan Walsh 3.0.7-5Dan Walsh 3.0.7-4Dan Walsh 3.0.7-3Dan Walsh 3.0.7-2Dan Walsh 3.0.7-1Dan Walsh 3.0.6-3Dan Walsh 3.0.6-2Dan Walsh 3.0.6-1Dan Walsh 3.0.5-11Dan Walsh 3.0.5-10Dan Walsh 3.0.5-9Dan Walsh 3.0.5-8Dan Walsh 3.0.5-7Dan Walsh 3.0.5-6Dan Walsh 3.0.5-5Dan Walsh 3.0.5-4Dan Walsh 3.0.5-3Dan Walsh 3.0.5-2Dan Walsh 3.0.5-1Dan Walsh 3.0.4-6Dan Walsh 3.0.4-5Dan Walsh 3.0.4-4Dan Walsh 3.0.4-3Dan Walsh 3.0.4-2Dan Walsh 3.0.4-1Dan Walsh 3.0.3-6Dan Walsh 3.0.3-5Dan Walsh 3.0.3-4Dan Walsh 3.0.3-3Dan Walsh 3.0.3-2Dan Walsh 3.0.3-1Dan Walsh 3.0.2-9Dan Walsh 3.0.2-8Dan Walsh 3.0.2-7Dan Walsh 3.0.2-5Dan Walsh 3.0.2-4Dan Walsh 3.0.2-3Dan Walsh 3.0.2-2Dan Walsh 3.0.1-5Dan Walsh 3.0.1-4Dan Walsh 3.0.1-3Dan Walsh 3.0.1-2Dan Walsh 3.0.1-1Dan Walsh 2.6.5-3Dan Walsh 2.6.5-2Dan Walsh 2.6.4-7Dan Walsh 2.6.4-6Dan Walsh 2.6.4-5Dan Walsh 2.6.4-2Dan Walsh 2.6.4-1Dan Walsh 2.6.3-1Dan Walsh 2.6.2-1Dan Walsh 2.6.1-4Dan Walsh 2.6.1-2Dan Walsh 2.6.1-1Dan Walsh 2.5.12-12Dan Walsh 2.5.12-11Dan Walsh 2.5.12-10Dan Walsh 2.5.12-8Dan Walsh 2.5.12-5Dan Walsh 2.5.12-4Dan Walsh 2.5.12-3Dan Walsh 2.5.12-2Dan Walsh 2.5.12-1Dan Walsh 2.5.11-8Dan Walsh 2.5.11-7Dan Walsh 2.5.11-6Dan Walsh 2.5.11-5Dan Walsh 2.5.11-4Dan Walsh 2.5.11-3Dan Walsh 2.5.11-2Dan Walsh 2.5.11-1Dan Walsh 2.5.10-2Dan Walsh 2.5.10-1Dan Walsh 2.5.9-6Dan Walsh 2.5.9-5Dan Walsh 2.5.9-4Dan Walsh 2.5.9-3Dan Walsh 2.5.9-2Dan Walsh 2.5.8-8Dan Walsh 2.5.8-7Dan Walsh 2.5.8-6Dan Walsh 2.5.8-5Dan Walsh 2.5.8-4Dan Walsh 2.5.8-3Dan Walsh 2.5.8-2Dan Walsh 2.5.8-1Dan Walsh 2.5.7-1Dan Walsh 2.5.6-1Dan Walsh 2.5.5-2Dan Walsh 2.5.5-1Dan Walsh 2.5.4-2Dan Walsh 2.5.4-1Dan Walsh 2.5.3-3Dan Walsh 2.5.3-2Dan Walsh 2.5.3-1Dan Walsh 2.5.2-6Dan Walsh 2.5.2-5Dan Walsh 2.5.2-4Dan Walsh 2.5.2-3Dan Walsh 2.5.2-2Dan Walsh 2.5.2-1Dan Walsh 2.5.1-5Dan Walsh 2.5.1-4Dan Walsh 2.5.1-2Dan Walsh 2.5.1-1Dan Walsh 2.4.6-20Dan Walsh 2.4.6-19Dan Walsh 2.4.6-18Dan Walsh 2.4.6-17Dan Walsh 2.4.6-16Dan Walsh 2.4.6-15Dan Walsh 2.4.6-14Dan Walsh 2.4.6-13Dan Walsh 2.4.6-12Dan Walsh 2.4.6-11Dan Walsh 2.4.6-10Dan Walsh 2.4.6-9Dan Walsh 2.4.6-8Dan Walsh 2.4.6-7Dan Walsh 2.4.6-6Dan Walsh 2.4.6-5Dan Walsh 2.4.6-4Dan Walsh 2.4.6-3Dan Walsh 2.4.6-1Dan Walsh 2.4.5-4Dan Walsh 2.4.5-3Dan Walsh 2.4.5-2Dan Walsh 2.4.5-1Dan Walsh 2.4.4-2Dan Walsh 2.4.4-2Dan Walsh 2.4.4-1Dan Walsh 2.4.3-13Dan Walsh 2.4.3-12Dan Walsh 2.4.3-11Dan Walsh 2.4.3-10Dan Walsh 2.4.3-9Dan Walsh 2.4.3-8Dan Walsh 2.4.3-7Dan Walsh 2.4.3-6Dan Walsh 2.4.3-5Dan Walsh 2.4.3-4Dan Walsh 2.4.3-3Dan Walsh 2.4.3-2Dan Walsh 2.4.3-1Dan Walsh 2.4.2-8Dan Walsh 2.4.2-7James Antill 2.4.2-6Dan Walsh 2.4.2-5Dan Walsh 2.4.2-4Dan Walsh 2.4.2-3Dan Walsh 2.4.2-2Dan Walsh 2.4.2-1Dan Walsh 2.4.1-5Dan Walsh 2.4.1-4Dan Walsh 2.4.1-3Dan Walsh 2.4.1-2Dan Walsh 2.4-4Dan Walsh 2.4-3Dan Walsh 2.4-2Dan Walsh 2.4-1Dan Walsh 2.3.19-4Dan Walsh 2.3.19-3Dan Walsh 2.3.19-2Dan Walsh 2.3.19-1James Antill 2.3.18-10James Antill 2.3.18-9Dan Walsh 2.3.18-8Dan Walsh 2.3.18-7Dan Walsh 2.3.18-6Dan Walsh 2.3.18-5Dan Walsh 2.3.18-4Dan Walsh 2.3.18-3Dan Walsh 2.3.18-2Dan Walsh 2.3.18-1Dan Walsh 2.3.17-2Dan Walsh 2.3.17-1Dan Walsh 2.3.16-9Dan Walsh 2.3.16-8Dan Walsh 2.3.16-7Dan Walsh 2.3.16-6Dan Walsh 2.3.16-5Dan Walsh 2.3.16-4Dan Walsh 2.3.16-2Dan Walsh 2.3.16-1Dan Walsh 2.3.15-2Dan Walsh 2.3.15-1Dan Walsh 2.3.14-8Dan Walsh 2.3.14-7Dan Walsh 2.3.14-6Dan Walsh 2.3.14-4Dan Walsh 2.3.14-3Dan Walsh 2.3.14-2Dan Walsh 2.3.14-1Dan Walsh 2.3.13-6Dan Walsh 2.3.13-5Dan Walsh 2.3.13-4Dan Walsh 2.3.13-3Dan Walsh 2.3.13-2Dan Walsh 2.3.13-1Dan Walsh 2.3.12-2Dan Walsh 2.3.12-1Dan Walsh 2.3.11-1Dan Walsh 2.3.10-7Dan Walsh 2.3.10-6Dan Walsh 2.3.10-3Dan Walsh 2.3.10-1Dan Walsh 2.3.9-6Dan Walsh 2.3.9-5Dan Walsh 2.3.9-4Dan Walsh 2.3.9-3Dan Walsh 2.3.9-2Dan Walsh 2.3.9-1Dan Walsh 2.3.8-2Dan Walsh 2.3.7-1Dan Walsh 2.3.6-4Dan Walsh 2.3.6-3Dan Walsh 2.3.6-2Dan Walsh 2.3.6-1Dan Walsh 2.3.5-1Dan Walsh 2.3.4-1Dan Walsh 2.3.3-20Dan Walsh 2.3.3-19Dan Walsh 2.3.3-18Dan Walsh 2.3.3-17Dan Walsh 2.3.3-16Dan Walsh 2.3.3-15Dan Walsh 2.3.3-14Dan Walsh 2.3.3-13Dan Walsh 2.3.3-12Dan Walsh 2.3.3-11Dan Walsh 2.3.3-10Dan Walsh 2.3.3-9Dan Walsh 2.3.3-8Dan Walsh 2.3.3-7Dan Walsh 2.3.3-6Dan Walsh 2.3.3-5Dan Walsh 2.3.3-4Dan Walsh 2.3.3-3Dan Walsh 2.3.3-2Dan Walsh 2.3.3-1Dan Walsh 2.3.2-4Dan Walsh 2.3.2-3Dan Walsh 2.3.2-2Dan Walsh 2.3.2-1Dan Walsh 2.3.1-1Dan Walsh 2.2.49-1Dan Walsh 2.2.48-1Dan Walsh 2.2.47-5Dan Walsh 2.2.47-4Dan Walsh 2.2.47-3Dan Walsh 2.2.47-1Dan Walsh 2.2.46-2Dan Walsh 2.2.46-1Dan Walsh 2.2.45-3Dan Walsh 2.2.45-2Dan Walsh 2.2.45-1Dan Walsh 2.2.44-1Dan Walsh 2.2.43-4Dan Walsh 2.2.43-3Dan Walsh 2.2.43-2Dan Walsh 2.2.43-1Dan Walsh 2.2.42-4Dan Walsh 2.2.42-3Dan Walsh 2.2.42-2Dan Walsh 2.2.42-1Dan Walsh 2.2.41-1Dan Walsh 2.2.40-2Dan Walsh 2.2.40-1Dan Walsh 2.2.39-2Dan Walsh 2.2.39-1Dan Walsh 2.2.38-6Dan Walsh 2.2.38-5Dan Walsh 2.2.38-4Dan Walsh 2.2.38-3Dan Walsh 2.2.38-2Dan Walsh 2.2.38-1Dan Walsh 2.2.37-1Dan Walsh 2.2.36-2Dan Walsh 2.2.36-1James Antill 2.2.35-2Dan Walsh 2.2.35-1Dan Walsh 2.2.34-3Dan Walsh 2.2.34-2Dan Walsh 2.2.34-1Dan Walsh 2.2.33-1Dan Walsh 2.2.32-2Dan Walsh 2.2.32-1Dan Walsh 2.2.31-1Dan Walsh 2.2.30-2Dan Walsh 2.2.30-1Dan Walsh 2.2.29-6Russell Coker 2.2.29-5Dan Walsh 2.2.29-4Dan Walsh 2.2.29-3Dan Walsh 2.2.29-2Dan Walsh 2.2.29-1Dan Walsh 2.2.28-3Dan Walsh 2.2.28-2Dan Walsh 2.2.28-1Dan Walsh 2.2.27-1Dan Walsh 2.2.25-3Dan Walsh 2.2.25-2Dan Walsh 2.2.24-1Dan Walsh 2.2.23-19Dan Walsh 2.2.23-18Dan Walsh 2.2.23-17Karsten Hopp 2.2.23-16Dan Walsh 2.2.23-15Dan Walsh 2.2.23-14Dan Walsh 2.2.23-13Dan Walsh 2.2.23-12Jeremy Katz - 2.2.23-11Jeremy Katz - 2.2.23-10Dan Walsh 2.2.23-9Dan Walsh 2.2.23-8Dan Walsh 2.2.23-7Dan Walsh 2.2.23-5Dan Walsh 2.2.23-4Dan Walsh 2.2.23-3Dan Walsh 2.2.23-2Dan Walsh 2.2.23-1Dan Walsh 2.2.22-2Dan Walsh 2.2.22-1Dan Walsh 2.2.21-9Dan Walsh 2.2.21-8Dan Walsh 2.2.21-7Dan Walsh 2.2.21-6Dan Walsh 2.2.21-5Dan Walsh 2.2.21-4Dan Walsh 2.2.21-3Dan Walsh 2.2.21-2Dan Walsh 2.2.21-1Dan Walsh 2.2.20-1Dan Walsh 2.2.19-2Dan Walsh 2.2.19-1Dan Walsh 2.2.18-2Dan Walsh 2.2.18-1Dan Walsh 2.2.17-2Dan Walsh 2.2.16-1Dan Walsh 2.2.15-4Dan Walsh 2.2.15-3Dan Walsh 2.2.15-1Dan Walsh 2.2.14-2Dan Walsh 2.2.14-1Dan Walsh 2.2.13-1Dan Walsh 2.2.12-1Dan Walsh 2.2.11-2Dan Walsh 2.2.11-1Dan Walsh 2.2.10-1Dan Walsh 2.2.9-2Dan Walsh 2.2.9-1Dan Walsh 2.2.8-2Dan Walsh 2.2.7-1Dan Walsh 2.2.6-3Dan Walsh 2.2.6-2Dan Walsh 2.2.6-1Dan Walsh 2.2.5-1Dan Walsh 2.2.4-1Dan Walsh 2.2.3-1Dan Walsh 2.2.2-1Dan Walsh 2.2.1-1Dan Walsh 2.1.13-1Dan Walsh 2.1.12-3Dan Walsh 2.1.11-1Dan Walsh 2.1.10-1Jeremy Katz - 2.1.9-2Dan Walsh 2.1.9-1Dan Walsh 2.1.8-3Dan Walsh 2.1.8-2Dan Walsh 2.1.8-1Dan Walsh 2.1.7-4Dan Walsh 2.1.7-3Dan Walsh 2.1.7-2Dan Walsh 2.1.7-1Dan Walsh 2.1.6-24Dan Walsh 2.1.6-23Dan Walsh 2.1.6-22Dan Walsh 2.1.6-21Dan Walsh 2.1.6-20Dan Walsh 2.1.6-18Dan Walsh 2.1.6-17Dan Walsh 2.1.6-16Dan Walsh 2.1.6-15Dan Walsh 2.1.6-14Dan Walsh 2.1.6-13Dan Walsh 2.1.6-11Dan Walsh 2.1.6-10Dan Walsh 2.1.6-9Dan Walsh 2.1.6-8Dan Walsh 2.1.6-5Dan Walsh 2.1.6-4Dan Walsh 2.1.6-3Dan Walsh 2.1.6-2Dan Walsh 2.1.6-1Dan Walsh 2.1.4-2Dan Walsh 2.1.4-1Dan Walsh 2.1.3-1Jeremy Katz - 2.1.2-3Dan Walsh 2.1.2-2Dan Walsh 2.1.2-1Dan Walsh 2.1.1-3Dan Walsh 2.1.1-2Dan Walsh 2.1.1-1Dan Walsh 2.1.0-3Dan Walsh 2.1.0-2.Dan Walsh 2.1.0-1.Dan Walsh 2.0.11-2.Dan Walsh 2.0.11-1.Dan Walsh 2.0.9-1.Dan Walsh 2.0.8-1.Dan Walsh 2.0.7-3Dan Walsh 2.0.7-2Dan Walsh 2.0.6-2Dan Walsh 2.0.5-4Dan Walsh 2.0.5-1Dan Walsh 2.0.4-1Dan Walsh 2.0.2-2Dan Walsh 2.0.2-1Dan Walsh 2.0.1-2Dan Walsh 2.0.1-1- Allow neutron domain to read/write /var/run/utmp Resolves: rhbz#1630318- Allow tomcat_domain to read /dev/random Resolves: rhbz#1631666 - Allow neutron_t domain to use pam Resolves: rhbz#1630318- Add interface apache_read_tmp_dirs() - Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs Resolves: rhbz#1622602- Allow tomcat servers to manage usr_t files Resolves: rhbz#1625678 - Dontaudit tomcat serves to append to /dev/random device Resolves: rhbz#1625678 - Allow sys_nice capability to mysqld_t domain - Allow dirsrvadmin_script_t domain to read httpd tmp files Resolves: rhbz#1622602 - Allow syslogd_t domain to manage cert_t files Resolves: rhbz#1615995- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs Resolves: rhbz#1627114 - Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t Resolves: rhbz#1567753- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs. Resolves: rhbz#1625678 - Allow chronyd_t domain to read virt_var_lib_t files - Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333) Resolves: rhbz#1625613 - Allow tomcat services create link file in /tmp Resolves: rhbz#1624289 - Add boolean: domain_can_mmap_files. Resolves: rhbz#1460322- Make working SELinux sandbox with Wayland. Resolves: rhbz#1624308 - Allow svirt_t domain to mmap svirt_image_t block files Resolves: rhbz#1624224 - Add caps dac_read_search and dav_override to pesign_t domain - Allow iscsid_t domain to mmap userio chr files Resolves: rhbz#1623589 - Add boolean: domain_can_mmap_files. Resolves: rhbz#1460322 - Add execute_no_trans permission to mmap_exec_file_perms pattern - Allow sudodomain to search caller domain proc info - Allow xdm_t domain to mmap and read cert_t files - Replace optional policy blocks to make dbus interfaces effective Resolves: rhbz#1624414 - Add interface dev_map_userio_dev()- Allow readhead_t domain to mmap own pid files Resolves: rhbz#1614169- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket - Allow httpd_t domain to mmap tmp files Resolves: rhbz#1608355 - Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files - Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks - Label /dev/tpmrm[0-9]* as tpm_device_t - Allow semanage_t domain mmap usr_t files Resolves: rhbz#1622607 - Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t- Allow nagios_script_t domain to mmap nagios_log_t files Resolves: rhbz#1620013 - Allow nagios_script_t domain to mmap nagios_spool_t files Resolves: rhbz#1620013 - Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl Resolves: rhbz#1622197 - Update selinux_validate_context() interface to allow caller domain to mmap security_t files Resolves: rhbz#1622061- Allow virtd_t domain to create netlink_socket - Allow rpm_t domain to write to audit - Allow rpm domain to mmap rpm_var_lib_t files Resolves: rhbz#1619785 - Allow nagios_script_t domain to mmap nagios_etc_t files Resolves: rhbz#1620013 - Update nscd_socket_use() to allow caller domain to stream connect to nscd_t Resolves: rhbz#1460715 - Allow secadm_t domain to mmap audit config and log files - Allow insmod_t domain to read iptables pid files - Allow systemd to mounton /etc Resolves: rhbz#1619785- Allow kdumpctl_t domain to getattr fixed disk device in mls Resolves: rhbz#1615342 - Allow initrc_domain to mmap all binaries labeled as systemprocess_entry Resolves: rhbz#1615342- Allow virtlogd to execute itself Resolves: rhbz#1598392- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files Resolves: rhbz#1615342 - Allow kdumpctl to write to files on all levels Resolves: rhbz#1615342 - Fix typo in radius policy Resolves: rhbz#1619197 - Allow httpd_t domain to mmap httpd_config_t files Resolves: rhbz#1615894 - Add interface dbus_acquire_svc_system_dbusd() - Allow sanlock_t domain to connectto to unix_stream_socket Resolves: rhbz#1614965 - Update nfsd_t policy because of ganesha features Resolves: rhbz#1511489 - Allow conman to getattr devpts_t Resolves: rhbz#1377915 - Allow tomcat_domain to connect to smtp ports Resolves: rhbz#1253502 - Allow tomcat_t domain to mmap tomcat_var_lib_t files Resolves: rhbz#1618519 - Allow slapd_t domain to mmap slapd_var_run_t files Resolves: rhbz#1615319 - Allow nagios_t domain to mmap nagios_log_t files Resolves: rhbz#1618675 - Allow nagios to exec itself and mmap nagios spool files BZ(1559683) - Allow nagios to mmap nagios config files BZ(1559683) - Allow kpropd_t domain to mmap krb5kdc_principal_t files Resolves: rhbz#1619252 - Update syslogd policy to make working elasticsearch - Label tcp and udp ports 9200 as wap_wsp_port - Allow few domains to rw inherited kdumpctl tmp pipes Resolves: rhbz#1615342- Allow systemd_dbusd_t domain read/write to nvme devices Resolves: rhbz#1614236 - Allow mysqld_safe_t do execute itself - Allow smbd_t domain to chat via dbus with avahi daemon Resolves: rhbz#1600157 - cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t Resolves: rhbz#1452595 - Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645) Resolves: rhbz#1452444 - Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain Resolves: rhbz#1384769 - Add alias httpd__script_t to _script_t to make sepolicy generate working Resolves: rhbz#1271324 - Allow kprop_t domain to read network state Resolves: rhbz#1600705 - Allow sysadm_t domain to accept socket Resolves: rhbz#1557299 - Allow sshd_t domain to mmap user_tmp_t files Resolves: rhbz#1613437- Allow sshd_t domain to mmap user_tmp_t files Resolves: rhbz#1613437- Allow kprop_t domain to read network state Resolves: rhbz#1600705- Allow kpropd domain to exec itself Resolves: rhbz#1600705 - Allow ipmievd_t to mmap kernel modules BZ(1552535) - Allow hsqldb_t domain to mmap own temp files Resolves: rhbz#1612143 - Allow hsqldb_t domain to read cgroup files Resolves: rhbz#1612143 - Allow rngd_t domain to read generic certs Resolves: rhbz#1612456 - Allow innd_t domain to mmap own var_lib_t files Resolves: rhbz#1600591 - Update screen_role_temaplate interface Resolves: rhbz#1384769 - Allow cupsd_t to create cupsd_etc_t dirs Resolves: rhbz#1452595 - Allow chronyd_t domain to mmap own tmpfs files Resolves: rhbz#1596563 - Allow cyrus domain to mmap own var_lib_t and var_run files Resolves: rhbz#1610374 - Allow sysadm_t domain to create rawip sockets Resolves: rhbz#1571591 - Allow sysadm_t domain to listen on socket Resolves: rhbz#1557299 - Update sudo_role_template() to allow caller domain also setattr generic ptys Resolves: rhbz#1564470 - Allow netutils_t domain to create bluetooth sockets Resolves: rhbz#1600586- Allow innd_t domain to mmap own var_lib_t files Resolves: rhbz#1600591 - Update screen_role_temaplate interface Resolves: rhbz#1384769 - Allow cupsd_t to create cupsd_etc_t dirs Resolves: rhbz#1452595 - Allow chronyd_t domain to mmap own tmpfs files Resolves: rhbz#1596563 - Allow cyrus domain to mmap own var_lib_t and var_run files Resolves: rhbz#1610374 - Allow sysadm_t domain to create rawip sockets Resolves: rhbz#1571591 - Allow sysadm_t domain to listen on socket Resolves: rhbz#1557299 - Update sudo_role_template() to allow caller domain also setattr generic ptys Resolves: rhbz#1564470 - Allow netutils_t domain to create bluetooth sockets Resolves: rhbz#1600586- Allow virtlogd_t domain to chat via dbus with systemd_logind Resolves: rhbz#1593740- Allow sblim_sfcbd_t domain to mmap own tmpfs files Resolves: rhbz#1609384 - Update logging_manage_all_logs() interface to allow caller domain map all logfiles Resolves: rhbz#1592028- Dontaudit oracleasm_t domain to request sys_admin capability - Allow iscsid_t domain to load kernel module Resolves: rhbz#1589295 - Update rhcs contexts to reflects the latest fenced changes - Allow httpd_t domain to rw user_tmp_t files Resolves: rhbz#1608355 - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t Resolves: rhbz#1521063 - Allow tangd_t dac_read_search Resolves: rhbz#1607810 - Allow glusterd_t domain to mmap user_tmp_t files - Allow mongodb_t domain to mmap own var_lib_t files Resolves: rhbz#1607729 - Allow iscsid_t domain to mmap sysfs_t files Resolves: rhbz#1602508 - Allow tomcat_domain to search cgroup dirs Resolves: rhbz#1600188 - Allow httpd_t domain to mmap own cache files Resolves: rhbz#1603505 - Allow cupsd_t domain to mmap cupsd_etc_t files Resolves: rhbz#1599694 - Allow kadmind_t domain to mmap krb5kdc_principal_t Resolves: rhbz#1601004 - Allow virtlogd_t domain to read virt_etc_t link files Resolves: rhbz#1598593 - Allow dirsrv_t domain to read crack db Resolves: rhbz#1599726 - Dontaudit pegasus_t to require sys_admin capability Resolves: rhbz#1374570 - Allow mysqld_t domain to exec mysqld_exec_t binary files - Allow abrt_t odmain to read rhsmcertd lib files Resolves: rhbz#1601389 - Allow winbind_t domain to request kernel module loads Resolves: rhbz#1599236 - Allow gpsd_t domain to getsession and mmap own tmpfs files Resolves: rhbz#1598388 - Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791) Resolves: rhbz#1600157 - Allow tomcat_domain to read cgroup_t files Resolves: rhbz#1601151 - Allow varnishlog_t domain to mmap varnishd_var_lib_t files Resolves: rhbz#1600704 - Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415) Resolves: rhbz#1600692 - Fix ntp SELinux module - Allow innd_t domain to mmap news_spool_t files Resolves: rhbz#1600591 - Allow haproxy daemon to reexec itself. BZ(1447800) Resolves: rhbz#1600578 - Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t Resolves: rhbz#1559859 - Allow pkcs_slotd_t domain to mmap own tmpfs files Resolves: rhbz#1600434 - Allow fenced_t domain to reboot Resolves: rhbz#1293384 - Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247) Resolves: rhbz#1557299 - Allow lircd to use nsswitch. BZ(1401375) - Allow targetd_t domain mmap lvm config files Resolves: rhbz#1546671 - Allow amanda_t domain to read network system state Resolves: rhbz#1452444 - Allow abrt_t domain to read rhsmcertd logs Resolves: rhbz#1492059 - Allow application_domain_type also mmap inherited user temp files BZ(1552765) Resolves: rhbz#1608421 - Allow ipsec_t domain to read l2tpd pid files Resolves: rhbz#1607994 - Allow systemd_tmpfiles_t do mmap system db files - Improve domain_transition_pattern to allow mmap entrypoint bin file. Resolves: rhbz#1460322 - Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655) Resolves: rhbz#1600528 - Dontaudit syslogd to watching top llevel dirs when imfile module is enabled Resolves: rhbz#1601928 - Allow ipsec_t can exec ipsec_exec_t Resolves: rhbz#1600684 - Allow netutils_t domain to mmap usmmon device Resolves: rhbz#1600586 - Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655) - Allow userdomain sudo domains to use generic ptys Resolves: rhbz#1564470 - Allow traceroute to create icmp packets Resolves: rhbz#1548350 - Allow systemd domain to mmap lvm config files BZ(1594584) - Add new interface lvm_map_config - refpolicy: Update for kernel sctp support Resolves: rhbz#1597111 Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16- Update oddjob_domtrans_mkhomedir() interface to allow caller domain also mmap oddjob_mkhomedir_exec_t files Resolves: rhbz#1596306 - Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files Resolves: rhbz#1589257 - Allow radiusd_t domain to read network sysctls Resolves: rhbz#1516233 - Allow chronyc_t domain to use nscd shm Resolves: rhbz#1596563 - Label /var/lib/tomcats dir as tomcat_var_lib_t Resolves: rhbz#1596367 - Allow lsmd_t domain to mmap lsmd_plugin_exec_t files Resolves: rhbz#bea0c8174 - Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t Resolves: rhbz#1596509 - Update seutil_exec_loadpolicy() interface to allow caller domain to mmap load_policy_exec_t files Resolves: rhbz#1596072 - Allow xdm_t to read systemd hwdb Resolves: rhbz#1596720 - Allow dhcpc_t domain to mmap files labeled as ping_exec_t Resolves: rhbz#1596065- Allow tangd_t domain to create tcp sockets Resolves: rhbz#1595775 - Update postfix policy to allow postfix_master_t domain to mmap all postfix* binaries Resolves: rhbz#1595328 - Allow amanda_t domain to have setgid capability Resolves: rhbz#1452444 - Update usermanage_domtrans_useradd() to allow caller domain to mmap useradd_exec_t files Resolves: rhbz#1595667- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t Resolves: rhbz#1591191 - Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label Resolves: rhbz#1452595 - Allow abrt_t domain to write to rhsmcertd pid files Resolves: rhbz#1492059 - Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control Resolves: rhbz#1463470 - Add vhostmd_t domain to read/write to svirt images Resolves: rhbz#1465276 - Dontaudit action when abrt-hook-ccpp is writing to nscd sockets Resolves: rhbz#1460715 - Update openvswitch policy Resolves: rhbz#1594729 - Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files Resolves: rhbz#1583084 - Allow sssd_t and slpad_t domains to mmap generic certs Resolves: rhbz#1592016 Resolves: rhbz#1592019 - Allow oddjob_t domain to mmap binary files as oddjob_mkhomedir_exec_t files Resolves: rhbz#1592022 - Update dbus_system_domain() interface to allow system_dbusd_t domain to mmap binary file from second parameter Resolves: rhbz#1583080 - Allow chronyc_t domain use inherited user ttys Resolves: rhbz#1593267 - Allow stapserver_t domain to mmap own tmp files Resolves: rhbz#1593122 - Allow sssd_t domain to mmap files labeled as sssd_selinux_manager_exec_t Resolves: rhbz#1592026 - Update policy for ypserv_t domain Resolves: rhbz#1592032 - Allow abrt_dump_oops_t domain to mmap all non security files Resolves: rhbz#1593728 - Allow svirt_t domain mmap svirt_image_t files Resolves: rhbz#1592688 - Allow virtlogd_t domain to write inhibit systemd pipes. Resolves: rhbz#1593740 - Allow sysadm_t and staff_t domains to use sudo io logging Resolves: rhbz#1564470 - Allow sysadm_t domain create sctp sockets Resolves: rhbz#1571591 - Update mount_domtrans() interface to allow caller domain mmap mount_exec_t Resolves: rhbz#1592025 - Allow dhcpc_t to mmap all binaries with label hostname_exec_t, ifconfig_exec_t and netutils_exec_t Resolves: rhbz#1594661- Fix typo in logwatch interface file - Allow spamd_t to manage logwatch_cache_t files/dirs - Allow dnsmasw_t domain to create own tmp files and manage mnt files - Allow fail2ban_client_t to inherit rlimit information from parent process Resolves: rhbz#1513100 - Allow nscd_t to read kernel sysctls Resolves: rhbz#1512852 - Label /var/log/conman.d as conman_log_t Resolves: rhbz#1538363 - Add dac_override capability to tor_t domain Resolves: rhbz#1540711 - Allow certmonger_t to readwrite to user_tmp_t dirs Resolves: rhbz#1543382 - Allow abrt_upload_watch_t domain to read general certs Resolves: rhbz#1545098 - Update postfix_domtrans_master() interface to allow caller domain also mmap postfix_master_exec_t binary Resolves: rhbz#1583087 - Allow postfix_domain to mmap postfix_qmgr_exec_t binaries Resolves: rhbz#1583088 - Allow postfix_domain to mmap postfix_pickup_exec_t binaries Resolves: rhbz#1583091 - Allow chornyd_t read phc2sys_t shared memory Resolves: rhbz#1578883 - Allow virt_qemu_ga_t read utmp Resolves: rhbz#1571202 - Add several allow rules for pesign policy: Resolves: rhbz#1468744 - Allow pesign domain to read /dev/random - Allow pesign domain to create netlink_kobject_uevent_t sockets - Allow pesign domain create own tmp files - Add setgid and setuid capabilities to mysqlfd_safe_t domain Resolves: rhbz#1474440 - Add tomcat_can_network_connect_db boolean Resolves: rhbz#1477948 - Update virt_use_sanlock() boolean to read sanlock state Resolves: rhbz#1448799 - Add sanlock_read_state() interface - Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026) Resolves: rhbz#1563423 - Update abrt_domtrans and abrt_exec() interfaces to allow caller domain to mmap binary file Resolves:rhbz#1583080 - Update nscd_domtrans and nscd_exec interfaces to allow caller domain also mmap nscd binaries Resolves: rhbz#1583086 - Update snapperd_domtrans() interface to allow caller domain to mmap snapperd_exec_t file Resolves: rhbz#1583802 - Allow zoneminder_t to getattr of fs_t Resolves: rhbz#1585328 - Fix denials during ipa-server-install process on F27+ Resolves: rhbz#1586029 - Allow ipa_dnskey_t to exec ipa_dnskey_exec_t files Resolves: rhbz#1586033 - Allow rhsmcertd_t domain to send signull to postgresql_t domain Resolves: rhbz#1588119 - Allow policykit_t domain to dbus chat with dhcpc_t Resolves: rhbz#1364513 - Adding new boolean keepalived_connect_any() Resolves: rhbz#1443473 - Allow amanda to create own amanda_tmpfs_t files Resolves: rhbz#1452444 - Add amanda_tmpfs_t label. BZ(1243752) - Allow gdomap_t domain to connect to qdomap_port_t Resolves: rhbz#1551944 - Fix typos in sge - Fix typo in openvswitch policy - /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type - Allow sshd_keygen_t to execute plymouthd Resolves: rhbz#1583531 - Update seutil_domtrans_setfiles() interface to allow caller domain to do mmap on setfiles_exec_t binary Resolves: rhbz#1583090 - Allow systemd_networkd_t create and relabel tun sockets Resolves: rhbz#1583830 - Allow map audisp_exec_t files fordomains executing this binary Resolves: rhbz#1586042 - Add new interface postgresql_signull() - Add fs_read_xenfs_files() interface.- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type - Allow dac override capability to mandb_t domain BZ(1529399) Resolves: rhbz#1423361 - Allow inetd_child process to chat via dbus with abrt Resolves: rhbz#1428805 - Allow zabbix_agent_t domain to connect to redis_port_t Resolves: rhbz#1418860 - Allow rhsmcertd_t domain to read xenfs_t files Resolves: rhbz#1405870 - Allow zabbix_agent_t to run zabbix scripts Resolves: rhbz#1380697 - Allow rabbitmq_t domain to create own tmp files/dirs Resolves: rhbz#1546897 - Allow policykit_t mmap policykit_auth_exec_t files Resolves: rhbz#1583082 - Allow ipmievd_t domain to read general certs Resolves: rhbz#1514591 - Add sys_ptrace capability to pcp_pmie_t domain - Allow squid domain to exec ldconfig Resolves: rhbz#1532017 - Make working gpg agent in gpg_agent_t domain Resolves: rhbz#1535109 - Update gpg SELinux policy module - Allow kexec to read kernel module files in /usr/lib/modules. Resolves: rhbz#1536690 - Allow mailman_domain to read system network state Resolves: rhbz#1413510 - Allow mailman_mail_t domain to search for apache configs Resolves: rhbz#1413510 - Allow openvswitch_t domain to read neutron state and read/write fixed disk devices Resolves: rhbz#1499208 - Allow antivirus_domain to read all domain system state Resolves: rhbz#1560986 - Allow targetd_t domain to red gconf_home_t files/dirs Resolves: rhbz#1546671 - Allow freeipmi domain to map sysfs_t files Resolves: rhbz#1575918 - Label /usr/libexec/bluetooth/obexd as obexd_exec_t Resolves: rhbz#1351750 - Update rhcs SELinux module Resolves: rhbz#1589257 - Allow iscsid_t domain mmap kernel modules Resolves: rhbz#1589295 - Allow iscsid_t domain mmap own tmp files Resolves: rhbz#1589295 - Update iscsid_domtrans() interface to allow mmap iscsid_exec_t binary Resolves: rhbz#1589295 - Update nscd_socket_use interface to allow caller domain also mmap nscd_var_run_t files. Resolves: rhbz#1589271 - Allow nscd_t domain to mmap system_db_t files Resolves: rhbz#1589271 - Add interface nagios_unconfined_signull() - Allow lircd_t domain read sssd public files Add setgid capability to lircd_t domain Resolves: rhbz#1550700 - Add missing requires - Allow tomcat domain sends email Resolves: rhbz#1585184 - Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867) Resolves: rhbz#1585714 - Allow kdump_t domain to map /boot files Resolves: rhbz#1588884 - Fix typo in netutils policy - Allow confined users get AFS tokens Resolves: rhbz#1417671 - Allow sysadm_t domain to chat via dbus Resolves: rhbz#1582146 - Associate sysctl_kernel_t type with filesystem attribute - Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets Resolves: rhbz#1557299 - Allow user_t and staff_t domains create netlink tcpdiag sockets Resolves: rhbz#1557281 - Add interface dev_map_sysfs - Allow xdm_t domain to execute xdm_var_lib_t files Resolves: rhbz#1589139 - Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t Resolves: rhbz#1569344 - Label /dev/vhost-vsock char device as vhost_device_t - Add files_map_boot_files() interface Resolves: rhbz#1588884 - Update traceroute_t domain to allow create dccp sockets Resolves: rhbz#1548350- Update ctdb domain to support gNFS setup Resolves: rhbz#1576818 - Allow authconfig_t dbus chat with policykit Resolves: rhbz#1551241 - Allow lircd_t domain to read passwd_file_t Resolves: rhbz:#1550700 - Allow lircd_t domain to read system state Resolves: rhbz#1550700 - Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795) Resolves: rhbz#1574521 - Allow tangd_t domain read certs Resolves: rhbz#1509055 - Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on Resolves: rhbz:#1579219 - Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp Resolves: rhbz#1574418 - Allow ctdb_t domain modify ctdb_exec_t files Resolves: rhbz#1572584 - Allow chrome_sandbox_t to mmap tmp files Resolves: rhbz#1574392 - Allow ulogd_t to create netlink_netfilter sockets. Resolves: rhbz#1575924 - Update ulogd SELinux security policy - Allow rhsmcertd_t domain send signull to apache processes Resolves: rhbz#1576555 - Allow freeipmi domain to read sysfs_t files Resolves: rhbz#1575918 - Allow smbcontrol_t to create dirs with samba_var_t label Resolves: rhbz#1574521 - Allow swnserve_t domain to stream connect to sasl domain Resolves: rhbz#1574537 - Allow SELinux users (except guest and xguest) to using bluetooth sockets Resolves: rhbz#1557299 - Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets Resolves: rhbz#1557299 - Fix broken sysadm SELinux module Resolves: rhbz#1557311 - Allow user_t and staff_t domains create netlink tcpdiag sockets Resolves: rhbz#1557281 - Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file Resolves: rhbz#1583089 - Allow systemd_networkd_t to read/write tun tap devices Resolves: rhbz#1583830 - Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set Resolves: rhbz#1583771 - Allow audisp_t domain to mmap audisp_exec_t binary Resolves: rhbz#1583551 - Fix duplicates in sysadm.te file Resolves: rhbz#1307183 - Allow sysadm_u use xdm Resolves: rhbz#1307183 - Fix typo in sysnetwork.if file Resolves: rhbz#1581551- Fix duplicates in sysadm.te file Resolves: rhbz#1307183- Allow sysadm_u use xdm Resolves: rhbz#1307183- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on Resolves: rhbz:#1579219 - Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp Resolves: rhbz#1574418 - Allow chrome_sandbox_t to mmap tmp files Resolves: rhbz#1574392 - Allow ulogd_t to create netlink_netfilter sockets. Resolves: rhbz#1575924 - Update ulogd SELinux security policy - Allow rhsmcertd_t domain send signull to apache processes Resolves: rhbz#1576555 - Allow freeipmi domain to read sysfs_t files Resolves: rhbz#1575918 - Allow smbcontrol_t to create dirs with samba_var_t label Resolves: rhbz#1574521 - Allow swnserve_t domain to stream connect to sasl domain Resolves: rhbz#1574537 - Fix typo in sysnetwork.if file Resolves: rhbz#1581551- Fix typo in sysnetwork.if file Resolves: rhbz#1581551- Improve procmail_domtrans() to allow mmaping procmail_exec_t - Allow hypervvssd_t domain to read fixed disk devices Resolves: rhbz#1581225 - Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries Resolves: rhbz#1581551 - Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary Resolves: rhbz#1581551 - Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries Resolves: rhbz#1581551 - Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries. Resolves: rhbz#1581551 - Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface- Add dbus_stream_connect_system_dbusd() interface. - Allow pegasus_t domain to mount tracefs_t filesystem Resolves:rhbz#1374570 - Allow psad_t domain to read all domains state Resolves: rhbz#1558439 - Add net_raw capability to named_t domain BZ(1545586) - Allow tomcat_t domain to connect to mongod_t tcp port Resolves:rhbz#1539748 - Allow dovecot and postfix to connect to systemd stream sockets Resolves: rhbz#1368642 - Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t Resolves:rhbz#1351750 - Rename tang policy to tangd - Add interface systemd_rfkill_domtrans() - Allow users staff and sysadm to run wireshark on own domain Resolves:rhbz#1546362 - Allow systemd-bootchart to create own tmpfs files Resolves:rhbz#1510412- Rename tang policy to tangd - Allow virtd_t domain to relabel virt_var_lib_t files Resolves: rhbz#1558121 - Allow logrotate_t domain to stop services via systemd Resolves: rhbz#1527522 - Add tang policy Resolves: rhbz#1509055 - Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t Resolves: rhbz#1559859 - Improve snapperd SELinux policy Resolves: rhbz#1365555 - Allow snapperd_t daemon to create unlabeled dirs. Resolves: rhbz#1365555 - We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence Resolves: rhbz#1271324 - Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP Resolves: rhbz#1503835 - Add new Boolean tomcat_use_execmem Resolves: rhbz#1565226 - Allow domain transition from logrotate_t to chronyc_t Resolves: rhbz#1568281 - Allow nfsd_t domain to read/write sysctl fs files Resolves: rhbz#1516593 - Allow conman to read system state Resolves: rhbz#1377915 - Allow lircd_t to exec shell and add capabilities dac_read_search and dac_override Resolves: rhbz#1550700 - Allow usbmuxd to access /run/udev/data/+usb:*. Resolves: rhbz#1521054 - Allow abrt_t domain to manage kdump crash files Resolves: rhbz#1491585 - Allow systemd to use virtio console Resolves: rhbz#1558121 - Allow transition from sysadm role into mdadm_t domain. Resolves: rhbz#1551568 - Label /dev/op_panel and /dev/opal-prd as opal_device_t Resolves: rhbz#1537618 - Label /run/ebtables.lock as iptables_var_run_t Resolves: rhbz#1511437 - Allow udev_t domain to manage udev_rules_t char files. Resolves: rhbz#1545094 - Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. Resolves: rhbz#1567753 - Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t Resolves: rhbz#1547700 - Allow iptables_t domain to create dirs in etc_t with system_conf_t labels- Add new boolean redis_enable_notify() Resolves: rhbz#1421326 - Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t Resolves: rhbz#1549514 - Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/ Resolves: rbhz#1463593 - Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t Resolves: rbhz#1463593- Backport several changes for snapperdfrom Fedora Rawhide Resolves: rhbz#1556798 - Allow snapperd_t to set priority for kernel processes Resolves: rhbz#1556798 - Make ganesha nfs server. Resolves: rhbz#1511489 - Allow vxfs filesystem to use SELinux labels Resolves: rhbz#1482880 - Add map permission to selinux-policy Resolves: rhbz#1460322- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. Resolves: rhbz#1546721- Allow openvswitch_t stream connect svirt_t Resolves: rhbz#1540702- Allow openvswitch domain to manage svirt_tmp_t sock files Resolves: rhbz#1540702 - Fix broken systemd_tmpfiles_run() interface- Allow dirsrv_t domain to create tmp link files Resolves: rhbz#1536011 - Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t Resolves: rhbz#1428568 - Allow ipsec_mgmt_t execute ifconfig_exec_t binaries - Allow ipsec_mgmt_t nnp domain transition to ifconfig_t Resolves: rhbz#1539416- Allow svirt_domain to create socket files in /tmp with label svirt_tmp_t Resolves: rhbz#1540702 - Allow keepalived_t domain getattr proc filesystem Resolves: rhbz#1477542 - Rename svirt_sandbox_file_t to container_file_t and svirt_lxc_net_t to container_t Resolves: rhbz#1538544 - Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t Resolves: rhbz:#1539416 - Allow systemd_logind_t domain to bind on dhcpd_port_t,pki_ca_port_t,flash_port_t Resolves: rhbz#1479350- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets Resolves: rhbz#1535196 - Add new interface ppp_filetrans_named_content() Resolves: rhbz#1530601 - Allow keepalived_t read sysctl_net_t files Resolves: rhbz#1477542 - Allow puppetmaster_t domtran to puppetagent_t Resolves: rhbz#1376893 - Allow kdump_t domain to read kernel ring buffer Resolves: rhbz#1540004 - Allow ipsec_t domain to exec ifconfig_exec_t binaries. Resolves: rhbz#1539416 - Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock Resolves: rhbz#1530601 - Allow updpwd_t domain to create files in /etc with shadow_t label Resolves: rhbz#1412838 - Allow iptables sysctl load list support with SELinux enforced Resolves: rhbz#1535572- Allow virt_domains to acces infiniband pkeys. Resolves: rhbz#1533183 - Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t Resolves: rhbz#1535133 - Allow audisp_remote_t domain write to files on all levels Resolves: rhbz#1534924- Allow vmtools_t domain creating vmware_log_t files Resolves: rhbz#1507048 - Allow openvswitch_t domain to acces infiniband devices Resolves: rhbz#1532705- Allow chronyc_t domain to manage chronyd_keys_t files. Resolves: rhbz#1530525 - Make virtlog_t domain system dbus client Resolves: rhbz#1481109 - Update openvswitch SELinux module Resolves: rhbz#1482682 - Allow virtd_t to create also sock_files with label virt_var_run_t Resolves: rhbz#1484075- Allow domains that manage logfiles to man logdirs Resolves: rhbz#1523811- Label /dev/drm_dp_aux* as xserver_misc_device_t Resolves: rhbz#1520897 - Allow sysadm_t to run puppet_exec_t binaries as puppet_t Resolves: rhbz#1255745- Allow tomcat_t to manage pki_tomcat pid files Resolves: rhbz#1478371 - networkmanager: allow talking to openvswitch Resolves: rhbz#1517247 - Allow networkmanager_t and opensm_t to manage subned endports for IPoIB VLANs Resolves: rhbz#1517895 - Allow domains networkmanager_t and opensm_t to control IPoIB VLANs Resolves: rhbz#1517744 - Fix typo in guest interface file Resolves: rhbz#1468254 - Allow isnsd_t domain to accept tcp connections. Resolves: rhbz#1390208- Allow getty to use usbttys Resolves: rhbz#1514235- Allow ldap_t domain to manage also slapd_tmp_t lnk files Resolves: rhbz#1510883 - Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t Resolves: rhbz:#1508360 - Add dac_read_search and dac_override capabilities to ganesha Resolves: rhbz#1483451- Add dependency for policycoreutils-2.5.18 becuase of new cgroup_seclabel policy capability Resolves: rhbz#1510145- Allow jabber domains to connect to postgresql ports Resolves: rhbz#1438489 - Dontaudit accountsd domain creating dirs in /root Resolves: rhbz#1456760 - Dontaudit slapd_t to block suspend system Resolves: rhbz: #1479759 - Allow spamc_t to stream connect to cyrus. Resolves: rhbz#1382955 - allow imapd to read /proc/net/unix file Resolves: rhbz#1393030 - Allow passenger to connect to mysqld_port_t Resolves: rhbz#1433464- Allow chronyc_t domain to use user_ptys Resolves: rhbz#1470150 - allow ptp4l to read /proc/net/unix file - Allow conmand to use usb ttys. Resolves: rhbz#1505121 - Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst Resolves: rhbz#1505845 - Allow chronyd daemon to execute chronyc. Resolves: rhbz#1508486 - Allow firewalld exec ldconfig. Resolves: rhbz#1375576 - Allow mozilla_plugin_t domain to dbus chat with devicekit Resolves: rhbz#1460477 - Dontaudit leaked logwatch pipes Resolves: rhbz#1450119 - Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. Resolves: rhbz#1507048 - Allow httpd_t domain to execute hugetlbfs_t files Resolves: rhbz#1507682 - Allow nfsd_t domain to read configfs_t files/dirs Resolves: rhbz#1439442 - Hide all allow rules with ptrace inside deny_ptrace boolean Resolves: rhbz#1421075 - Allow tgtd_t domain to read generic certs Resolves: rhbz#1438532 - Allow ptp4l to send msgs via dgram socket to unprivileged user domains Resolves: rhbz#1429853 - Allow dirsrv_snmp_t to use inherited user ptys and read system state Resolves: rhbz#1428568 - Allow glusterd_t domain to create own tmpfs dirs/files Resolves: rhbz#1411310 - Allow keepalived stream connect to snmp Resolves: rhbz#1401556 - After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy Resolves: rhbz#1507089- Allow pegasus_openlmi_services_t to read generic certs Resolves: rhbz#1462292 - Allow ganesha_t domain to read random device Resolves: rhbz#1494382 - Allow zabbix_t domain to change its resource limits Resolves: rhbz:#1504074 - Add new boolean nagios_use_nfs Resolves: rhbz#1504826 - Allow system_mail_t to search network sysctls Resolves: rhbz#1505779 - Add samba_manage_var_dirs() interface - Fix typo bug in virt filecontext file - Allow nagios_script_t to read nagios_spool_t files Resolves: rhbz#1426824 - Allow samba to manage var dirs/files Resolves: rhbz#1415088 - Allow sbd_t to create own sbd_tmpfs_t dirs/files Resolves: rhbz#1380795 - Allow firewalld and networkmanager to chat with hypervkvp via dbus Resolves: rhbz#1377276 - Allow dmidecode to read rhsmcert_log_t files Resolves: rhbz#1300799 - Allow mail system to connect mariadb sockets. Resolves: rhbz#1368642 - Allow logrotate_t to change passwd and reloead services Resolves: rhbz#1450789 - Allow mail system to connect mariadb sockets. Resolves: rhbz#1368642 - Allow logrotate_t to change passwd and reloead services Resolves: rhbz#1450789 - Allow pegasus_openlmi_services_t to read generic certs Resolves: rhbz#1462292 - Allow ganesha_t domain to read random device Resolves: rhbz#1494382 - Allow zabbix_t domain to change its resource limits Resolves: rhbz:#1504074 - Add new boolean nagios_use_nfs Resolves: rhbz#1504826 - Allow system_mail_t to search network sysctls Resolves: rhbz#1505779 - Add samba_manage_var_dirs() interface - Fix typo bug in virt filecontext file - Allow nagios_script_t to read nagios_spool_t files Resolves: rhbz#1426824 - Allow samba to manage var dirs/files Resolves: rhbz#1415088 - Allow sbd_t to create own sbd_tmpfs_t dirs/files Resolves: rhbz#1380795 - Allow firewalld and networkmanager to chat with hypervkvp via dbus Resolves: rhbz#1377276 - Allow dmidecode to read rhsmcert_log_t files Resolves: rhbz#1300799 - Allow mail system to connect mariadb sockets. Resolves: rhbz#1368642 - Allow logrotate_t to change passwd and reloead services Resolves: rhbz#1450789 - Allow chronyd_t do request kernel module and block_suspend capability Resolves: rhbz#1350765 - Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label Resolves: rhbz#1447278 - Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables Resolves: rhbz#1491994 - Allow svnserve to use kerberos Resolves: rhbz#1475271 - Allow conman to use ptmx. Add conman_use_nfs boolean Resolves: rhbz#1377915 - Add nnp transition for services using: NoNewPrivileges systemd security feature Resolves: rhbz#1311430 - Add SELinux support for chronyc Resolves: rhbz#1470150 - Add dac_read_search capability to openvswitch_t domain Resolves: rhbz#1501336 - Allow svnserve to manage own svnserve_log_t files/dirs Resolves: rhbz#1480741 - Allow keepalived_t to search network sysctls Resolves: rhbz#1477542 - Allow puppetagent_t domain dbus chat with rhsmcertd_t domain Resolves: rhbz#1446777 - Add dccp_socket into socker_class_set subset Resolves: rhbz#1459941 - Allow iptables_t to run setfiles to restore context on system Resolves: rhbz#1489118 - Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t Resolves: rhbz:#1411400 - Make nnp transition Active Resolves: rhbz#1480518 - Label tcp 51954 as isns_port_t Resolves: rhbz#1390208 - Add dac_read_search capability chkpwd_t Resolves: rhbz#1376991 - Add support for running certbot(letsencrypt) in crontab Resolves: rhbz#1447278 - Add init_nnp_daemon_domain interface - Allow xdm_t to gettattr /dev/loop-control device Resolves: rhbz#1462925 - Allow nnp trasintion for unconfined_service_t Resolves: rhbz#1311430 - Allow unpriv user domains and unconfined_service_t to use chronyc Resolves: rhbz#1470150 - Allow iptables to exec plymouth. Resolves: rhbz#1480374 - Fix typo in fs_unmount_tracefs interface. Resolves: rhbz#1371057 - Label postgresql-check-db-dir as postgresql_exec_t Resolves: rhbz#1490956- We should not ship selinux-policy with permissivedomains enabled. Resolves: rhbz#1494172 - Fix order of installing selinux-policy-sandbox, because of depedencied in sandbox module, selinux-policy-targeted needs to be installed before selinux-policy-sandbox Resolves: rhbz#1492606- Allow tomcat to setsched Resolves: rhbz#1492730 - Fix rules blocking ipa-server upgrade process Resolves: rhbz#1478371 - Add new boolean tomcat_read_rpm_db() Resolves: rhbz#1477887 - Allow tomcat to connect on mysqld tcp ports - Add ctdbd_t domain sys_source capability and allow setrlimit Resolves: rhbz#1491235 - Fix keepalived SELinux module - Allow automount domain to manage mount pid files Resolves: rhbz#1482381 - Allow stunnel_t domain setsched Resolves: rhbz#1479383 - Add keepalived domain setpgid capability Resolves: rhbz#1486638 - Allow tomcat domain to connect to mssql port Resolves: rhbz#1484572 - Remove snapperd_t from unconfined domaines Resolves: rhbz#1365555 - Fix typo bug in apache module Resolves: rhbz#1397311 - Dontaudit that system_mail_t is trying to read /root/ files Resolves: rhbz#1147945 - Make working webadm_t userdomain Resolves: rhbz#1323792 - Allow redis domain to execute shell scripts. Resolves: rhbz#1421326 - Allow system_cronjob_t to create redhat-access-insights.log with var_log_t Resolves: rhbz#1473303 - Add couple capabilities to keepalived domain and allow get attributes of all domains Resolves: rhbz#1429327 - Allow dmidecode read rhsmcertd lock files Resolves: rhbz#1300799 - Add new interface rhsmcertd_rw_lock_files() Resolves: rhbz#1300799 - Label all plymouthd archives as plymouthd_var_log_t Resolves: rhbz#1478323 - Allow cloud_init_t to dbus chat with systemd_timedated_t Resolves: rhbz#1440730 - Allow logrotate_t to write to kmsg Resolves: rhbz#1397744 - Add capability kill to rhsmcertd_t Resolves: rhbz#1398338 - Disable mysqld_safe_t secure mode environment cleansing. Resolves: rhbz#1464063 - Allow winbind to manage smbd_tmp_t files Resolves: rhbz#1475566 - Dontaudit that system_mail_t is trying to read /root/ files Resolves: rhbz#1147945 - Make working webadm_t userdomain Resolves: rhbz#1323792 - Allow redis domain to execute shell scripts. Resolves: rhbz#1421326 - Allow system_cronjob_t to create redhat-access-insights.log with var_log_t Resolves: rhbz#1473303 - Add couple capabilities to keepalived domain and allow get attributes of all domains Resolves: rhbz#1429327 - Allow dmidecode read rhsmcertd lock files Resolves: rhbz#1300799 - Add new interface rhsmcertd_rw_lock_files() Resolves: rhbz#1300799 - Label all plymouthd archives as plymouthd_var_log_t Resolves: rhbz#1478323 - Allow cloud_init_t to dbus chat with systemd_timedated_t Resolves: rhbz#1440730 - Allow logrotate_t to write to kmsg Resolves: rhbz#1397744 - Add capability kill to rhsmcertd_t Resolves: rhbz#1398338 - Disable mysqld_safe_t secure mode environment cleansing. Resolves: rhbz#1464063 - Allow winbind to manage smbd_tmp_t files Resolves: rhbz#1475566 - Add interface systemd_tmpfiles_run - End of file cannot be in comment - Allow systemd-logind to use ypbind Resolves: rhbz#1479350 - Add creating opasswd file with shadow_t SELinux label in auth_manage_shadow() interface Resolves: rhbz#1412838 - Allow sysctl_irq_t assciate with proc_t Resolves: rhbz#1485909 - Enable cgourp sec labeling Resolves: rhbz#1485947 - Add cgroup_seclabel policycap. Resolves: rhbz#1485947 - Allow sshd_t domain to send signull to xdm_t processes Resolves: rhbz#1448959 - Allow updpwd_t domain auth file name trans Resolves: rhbz#1412838 - Allow sysadm user to run systemd-tmpfiles Resolves: rbhz#1325364 - Add support labeling for vmci and vsock device Resolves: rhbz#1451358 - Add userdom_dontaudit_manage_admin_files() interface Resolves: rhbz#1323792 - Allow iptables_t domain to read files with modules_conf_t label Resolves: rhbz#1373220 - init: Add NoNewPerms support for systemd. Resolves: rhbz#1480518 - Add nnp_nosuid_transition policycap and related class/perm definitions. Resolves: rhbz#1480518 - refpolicy: Infiniband pkeys and endports Resolves: rhbz#1464484- Allow certmonger using systemctl on pki_tomcat unit files Resolves: rhbz#1481388- Allow targetd_t to create own tmp files. - Dontaudit targetd_t to exec rpm binary file. Resolves: rhbz#1373860 Resolves: rhbz#1424621- Add few rules to make working targetd daemon with SELinux Resolves: rhbz#1373860 - Allow ipmievd_t domain to load kernel modules Resolves: rhbz#1441081 - Allow logrotate to reload transient systemd unit Resolves: rhbz#1440515 - Add certwatch_t domain dac_override and dac_read_search capabilities Resolves: rhbz#1422000 - Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain Resolves: rhbz#1412072 - Allow nscd_t domain to search network sysctls Resolves: rhbz#1432361 - Allow iscsid_t domain to read mount pid files Resolves: rhbz#1482097 - Allow ksmtuned_t domain manage sysfs_t files/dirs Resolves: rhbz#1413865 - Allow keepalived_t domain domtrans into iptables_t Resolves: rhbz#1477719 - Allow rshd_t domain reads net sysctls Resolves: rhbz#1477908 - Add interface seutil_dontaudit_read_module_store() - Update interface lvm_rw_pipes() by adding also open permission - Label /dev/clp device as vfio_device_t Resolves: rhbz#1477624 - Allow ifconfig_t domain unmount fs_t Resolves: rhbz#1477445 - Label /dev/gpiochip* devices as gpio_device_t Resolves: rhbz#1477618 - Add interface dev_manage_sysfs() Resolves: rhbz#1474989- Label /usr/libexec/sudo/sesh as shell_exec_t Resolves: rhbz#1480791- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc Resolves: rhbz#1470735- Allow llpdad send dgram to libvirt Resolves: rhbz#1472722- Add new boolean gluster_use_execmem Resolves: rhbz#1469027 - Allow cluster_t and glusterd_t domains to dbus chat with ganesha service Resolves: rhbz#1468581- Dontaudit staff_t user read admin_home_t files. Resolves: rhbz#1290633- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode Resolves: rhbz#1424621 - Add interface lvm_manage_metadata Resolves: rhbz#1424621- Allow sssd_t to read realmd lib files. Resolves: rhbz#1436689 - Add permission open to files_read_inherited_tmp_files() interface Resolves: rhbz#1290633 Resolves: rhbz#1457106- Allow unconfined_t user all user namespace capabilties. Resolves: rhbz#1461488- Allow httpd_t to read realmd_var_lib_t files Resolves: rhbz#1436689- Allow named_t to bind on udp 4321 port Resolves: rhbz#1312972 - Allow systemd-sysctl cap. sys_ptrace Resolves: rhbz#1458999- Allow pki_tomcat_t execute ldconfig. Resolves: rhbz#1436689- Allow iscsi domain load kernel module. Resolves: rhbz#1457874 - Allow keepalived domain connect to squid tcp port Resolves: rhbz#1457455 - Allow krb5kdc_t domain read realmd lib files. Resolves: rhbz#1436689 - xdm_t should view kernel keys Resolves: rhbz#1432645- Allow tomcat to connect on all unreserved ports - Allow ganesha to connect to all rpc ports Resolves: rhbz#1448090 - Update ganesha with another fixes. Resolves: rhbz#1448090 - Update rpc_read_nfs_state_data() interface to allow read also lnk_files. Resolves: rhbz#1448090 - virt_use_glusterd boolean should be in optional block Update ganesha module to allow create tmp files Resolves: rhbz#1448090 - Hide broken symptoms when machine is configured with network bounding.- Add new boolean virt_use_glusterd Resolves: rhbz#1455994 - Add capability sys_boot for sbd_t domain - Allow sbd_t domain to create rpc sysctls. Resolves: rhbz#1455631 - Allow ganesha_t domain to manage glusterd_var_run_t pid files. Resolves: rhbz#1448090- Create new interface: glusterd_read_lib_files() - Allow ganesha read glusterd lib files. - Allow ganesha read network sysctls Resolves: rhbz#1448090- Add few allow rules to ganesha module Resolves: rhbz#1448090 - Allow condor_master_t to read sysctls. Resolves: rhbz#1277506 - Add dac_override cap to ctdbd_t domain Resolves: rhbz#1435708 - Label 8750 tcp/udp port as dey_keyneg_port_t Resolves: rhbz#1448090- Add ganesha_use_fusefs boolean. Resolves: rhbz#1448090- Allow httpd_t reading kerberos kdc config files Resolves: rhbz#1452215 - Allow tomcat_t domain connect to ibm_dt_2 tcp port. Resolves: rhbz#1447436 - Allow stream connect to initrc_t domains Resolves: rhbz#1447436 - Allow dnsmasq_t domain to read systemd-resolved pid files. Resolves: rhbz#1453114 - Allow tomcat domain name_bind on tcp bctp_port_t Resolves: rhbz#1451757 - Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process. Resolves: rhbz#1447669 - Allow condor_master_t write to sysctl_net_t Resolves: rhbz#1277506 - Allow nagios check disk plugin read /sys/kernel/config/ Resolves: rhbz#1277718 - Allow pcp_pmie_t domain execute systemctl binary Resolves: rhbz#1271998 - Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl Resolves: rhbz#1247635 - Label tcp/udp port 1792 as ibm_dt_2_port_t Resolves: rhbz#1447436 - Add interface fs_read_configfs_dirs() - Add interface fs_read_configfs_files() - Fix systemd_resolved_read_pid interface - Add interface systemd_resolved_read_pid() Resolves: rhbz#1453114 - Allow sshd_net_t domain read/write into crypto devices Resolves: rhbz#1452759 - Label 8999 tcp/udp as bctp_port_t Resolves: rhbz#1451757- nmbd_t needs net_admin capability like smbd Resolves: rhbz#1431859 - Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t Resolves: rhbz#1431859 - Allow rngd domain read sysfs_t Resolves: rhbz#1451735 - Add interface pki_manage_common_files() Resolves: rhbz#1447436 - Allow tomcat_t domain to manage pki_common_t files and dirs Resolves: rhbz#1447436 - Use stricter fc rules for sssd sockets in /var/run Resolves: rhbz#1448060 - Allow certmonger reads httpd_config_t files Resolves: rhbz#1436689 - Allow keepalived_t domain creating netlink_netfilter_socket. Resolves: rhbz#1451684 - Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. Resolves: rhbz#1451318 - Make able deply overcloud via neutron_t to label nsfs as fs_t Resolves: rhbz#1373321- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files. Resolves: rhbz#1451318 - Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/ Resolves: rhbz#1448056 Resolves: rhbz#1448060 - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls Resolves: rhbz#1450819 - Make able deply overcloud via neutron_t to label nsfs as fs_t Resolves: rhbz#1373321 - Allow netutils setpcap capability Resolves:1444438- Update targetd policy to accommodate changes in the service Resolves: rhbz#1424621 - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls Resolves: rhbz#1450819 - Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options. Resolves: rhbz#1415841 - Allow radius domain stream connec to postgresql Resolves: rhbz#1446145 - Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit Resolves: rhbz#1449977 - Allow glusterd_t domain start ganesha service Resolves: rhbz#1448090 - Made few cosmetic changes in sssd SELinux module Resolves: rhbz#1448060 - sssd-kcm should not run as unconfined_service_t BZ(1447411) Resolves: rhbz#1448060 - Add sssd_secrets labeling Also add named_filetrans interface to make sure all labels are correct Resolves: rhbz#1448056 - Allow keepalived_t domain read usermodehelper_t Resolves: rhbz#1449769 - Allow tomcat_t domain read pki_common_t files Resolves: rhbz#1447436 - Add interface pki_read_common_files() Resolves: rhbz#1447436- Allow hypervkvp_t domain execute hostname Resolves: rhbz#1449064 - Dontaudit sssd_selinux_manager_t use of net_admin capability Resolves: rhbz#1444955 - Allow tomcat_t stream connect to pki_common_t Resolves: rhbz#1447436 - Dontaudit xguest_t's attempts to listen to its tcp_socket - Allow sssd_selinux_manager_t to ioctl init_t sockets Resolves: rhbz#1436689 - Allow _su_t to create netlink_selinux_socket Resolves rhbz#1146987 - Allow unconfined_t to module_load any file Resolves rhbz#1442994- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type. Resolves: rhbz#1436689- Allow pki_tomcat_t domain read /etc/passwd. Resolves: rhbz#1436689 - Allow tomcat_t domain read ipa_tmp_t files Resolves: rhbz#1436689 - Label new path for ipa-otpd Resolves: rhbz#1446353 - Allow radiusd_t domain stream connect to postgresql_t Resolves: rhbz#1446145 - Allow rhsmcertd_t to execute hostname_exec_t binaries. Resolves: rhbz#1445494 - Allow virtlogd to append nfs_t files when virt_use_nfs=1 Resolves: rhbz#1402561- Update tomcat policy to adjust for removing unconfined_domain attr. Resolves: rhbz#1432083 - Allow httpd_t domain read also httpd_user_content_type lnk_files. Resolves: rhbz#1383621 - Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t Resolves: rhbz#1436689 - Dontaudit _gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t Resolves: rhbz#1425530 - Add interface ipa_filetrans_named_content() Resolves: rhbz#1432115 - Allow tomcat use nsswitch Resolves: rhbz#1436689 - Allow certmonger_t start/status generic services Resolves: rhbz#1436689 - Allow dirsrv read cgroup files. Resolves: rhbz#1436689 - Allow ganesha_t domain read/write infiniband devices. Resolves: rhbz#1383784 - Allow sendmail_t domain sysctl_net_t files Resolves: rhbz#1369376 - Allow targetd_t domain read network state and getattr on loop_control_device_t Resolves: rhbz#1373860 - Allow condor_schedd_t domain send mails. Resolves: rhbz#1277506 - Alow certmonger to create own systemd unit files. Resolves: rhbz#1436689 - Allow staff to systemctl virt server when staff_use_svirt=1 Resolves: rhbz#1415841 - Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context Resolves: rhbz#1432115 - Label /sysroot/ostree/deploy/rhel-atomic-host/* as root_t Resolves: rhbz#1428112- Alow certmonger to create own systemd unit files. Resolves: rhbz#1436689- Hide broken symptoms when using kernel 3.10.0-514+ with network bonding. Postfix_picup_t domain requires NET_ADMIN capability which is not really needed. Resolves: rhbz#1431859 - Fix policy to reflect all changes in new IPA release Resolves: rhbz#1432115 Resolves: rhbz#1436689- Allow sbd_t to read/write fixed disk devices Resolves: rhbz#1440165 - Add sys_ptrace capability to radiusd_t domain Resolves: rhbz#1426641 - Allow cockpit_session_t domain connects to ssh tcp ports. Resolves: rhbz#1413509- Update tomcat policy to make working ipa install process Resolves: rhbz#1436689- Allow pcp_pmcd_t net_admin capability. - Allow pcp_pmcd_t read net sysctls - Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t Resolves: rhbz#1336211- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383 - Update pki interfaces and tomcat module Resolves: rhbz#1436689- Update pki interfaces and tomcat module Resolves: rhbz#1436689- Dontaudit firewalld wants write to /root Resolves: rhbz#1438708 - Dontaudit firewalld to create dirs in /root/ Resolves: rhbz#1438708 - Allow sendmail to search network sysctls Resolves: rhbz#1369376 - Add interface gssd_noatsecure() Resolves: rhbz#1438036 - Add interface gssproxy_noatsecure() Resolves: rhbz#1438036 - Dontaudit pcp_pmlogger_t search for xserver logs. Allow pcp_pmlogger_t to send signals to unconfined doamins Allow pcp_pmlogger_t to send logs to journals Resolves: rhbz#1379371 - Allow chronyd_t net_admin capability to allow support HW timestamping. Resolves: rhbz#1416015 - Update tomcat policy Resolves: rhbz#1436689 Resolves: rhbz#1436383 - Allow certmonger to start haproxy service Resolves: rhbz#1349394 - Allow init noatsecure for gssd and gssproxy Resolves: rhbz#1438036- geoclue wants to dbus chat with avahi Resolves: rhbz#1434286 - Allow iptables get list of kernel modules Resolves: rhbz#1367520 - Allow unconfined_domain_type to enable/disable transient unit Resolves: rhbz#1337041 - Add interfaces init_enable_transient_unit() and init_disable_transient_unit - Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd" Resolves: rhbz#1435264 - Label sysroot dir under ostree as root_t Resolves: rhbz#1428112- Remove ganesha_t domain from permissive domains. Resolves: rhbz#1436988- Allow named_t domain bind on several udp ports Resolves: rhbz#1312972 - Update nscd_use() interface Resolves: rhbz#1281716 - Allow radius_t domain ptrace Resolves: rhbz#1426641 - Update nagios to allos exec systemctl Resolves: rhbz#1247635 - Update pcp SELinux module to reflect all pcp changes Resolves: rhbz#1271998 - Label /var/lib/ssl_db as squid_cache_t Label /etc/squid/ssl_db as squid_cache_t Resolves: rhbz#1325527 - Allow pcp_pmcd_t domain search for network sysctl Allow pcp_pmcd_t domain sys_ptrace capability Resolves: rhbz#1336211- Allow drbd load modules Resolves: rhbz#1134883 - Revert "Add sys_module capability for drbd Resolves: rhbz#1134883" - Allow stapserver list kernel modules Resolves: rhbz#1325976 - Update targetd policy Resolves: rhbz#1373860 - Add sys_admin capability to amanda Resolves: rhbz#1371561 - Allow hypervvssd_t to read all dirs. Resolves: rhbz#1331309 - Label /run/haproxy.sock socket as haproxy_var_run_t Resolves: rhbz#1386233 - Allow oddjob_mkhomedir_t to mamange autofs_t dirs. Resolves: rhbz#1408819 - Allow tomcat to connect on http_cache_port_t Resolves: rhbz#1432083 - Allow geoclue to send msgs to syslog. Resolves: rhbz#1434286 - Allow condor_master_t domain capability chown. Resolves: rhbz#1277506 - Update mta_filetrans_named_content() interface to allow calling domain create files labeled as etc_aliases_t in dir labeled as etc_mail_t. Resolves: rhbz#1167468 - Allow nova domain search for httpd configuration. Resolves: rhbz#1190761 - Add sys_module capability for drbd Resolves: rhbz#1134883 - Allow user_u users stream connect to dirsrv, Allow sysadm_u and staff_u users to manage dirsrv files Resolves: rhbz#1286474 - Allow systemd_networkd_t communicate with systemd_networkd_t via dbus Resolves: rhbz#1278010- Add haproxy_t domain fowner capability Resolves: rhbz#1386233 - Allow domain transition from ntpd_t to hwclock_t domains Resolves: rhbz#1375624 - Allow cockpit_session_t setrlimit and sys_resource Resolves: rhbz#1402316 - Dontaudit svirt_t read state of libvirtd domain Resolves: rhbz#1426106 - Update httpd and gssproxy modules to reflects latest changes in freeipa Resolves: rhbz#1432115 - Allow iptables read modules_conf_t Resolves: rhbz#1367520- Remove tomcat_t domain from unconfined domains Resolves: rhbz#1432083 - Create new boolean: sanlock_enable_home_dirs() Resolves: rhbz#1432783 - Allow mdadm_t domain to read/write nvme_device_t Resolves: rhbz#1431617 - Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content Resolves: rhbz#1383621 - Dontaudit domain to create any file in /proc. This is kernel bug. Resolves: rhbz#1412679 - Add interface dev_rw_nvme Resolves: rhbz#1431617- Allow gssproxy to get attributes on all filesystem object types. Resolves: rhbz#1430295 - Allow ganesha to chat with unconfined domains via dbus Resolves: rhbz#1426554 - add the policy required for nextcloud Resolves: rhbz#1425530 - Add nmbd_t capability2 block_suspend Resolves: rhbz#1425357 - Label /var/run/chrony as chronyd_var_run_t Resolves: rhbz#1416015 - Add domain transition from sosreport_t to iptables_t Resolves: rhbz#1359789 - Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd Resolves: rhbz:#1332803- Update rpm macros Resolves: rhbz#1380854- Add handling booleans via selinux-policy macros in custom policy spec files. Resolves: rhbz#1380854- Allow openvswitch to load kernel modules Resolves: rhbz#1405479- Allow openvswitch read script state. Resolves: rhbz#1405479- Update ganesha policy Resolves: rhbz#1426554 Resolves: rhbz#1383784 - Allow chronyd to read adjtime Resolves: rhbz#1416015 - Fixes for chrony version 2.2 Resolves: rhbz#1416015 - Add interface virt_rw_stream_sockets_svirt() Resolves: rhbz#1415841 - Label /dev/ss0 as gpfs_device_t Resolves: rhbz#1383784 - Allow staff to rw svirt unix stream sockets. Resolves: rhbz#1415841 - Label /rhev/data-center/mnt as mnt_t Resolves: rhbz#1408275 - Associate sysctl_rpc_t with proc filesystems Resolves: rhbz#1350927 - Add new boolean: domain_can_write_kmsg Resolves: rhbz#1415715- Allow rhsmcertd_t dbus chat with system_cronjob_t Resolves: rhbz#1405341 - Allow openvswitch exec hostname and readinitrc_t files Resolves: rhbz#1405479 - Improve SELinux context for mysql_db_t objects. Resolves: rhbz#1391521 - Allow postfix_postdrop to communicate with postfix_master via pipe. Resolves: rhbz#1379736 - Add radius_use_jit boolean Resolves: rhbz#1426205 - Label /var/lock/subsys/iptables as iptables_lock_t Resolves: rhbz#1405441 - Label /usr/lib64/erlang/erts-5.10.4/bin/epmd as lib_t Resolves: rhbz#1332803 - Allow can_load_kernmodule to load kernel modules. Resolves: rhbz#1423427 Resolves: rhbz#1424621- Allow nfsd_t domain to create sysctls_rpc_t files Resolves: rhbz#1405304 - Allow openvswitch to create netlink generic sockets. Resolves: rhbz#1397974 - Create kernel_create_rpc_sysctls() interface Resolves: rhbz#1405304- Allow nfsd_t domain rw sysctl_rpc_t dirs Resolves: rhbz#1405304 - Allow cgdcbxd_t to manage cgroup files. Resolves: rhbz#1358493 - Allow cmirrord_t domain to create netlink_connector sockets Resolves: rhbz#1412670 - Allow fcoemon to create netlink scsitransport sockets Resolves: rhbz#1362496 - Allow quota_nld_t create netlink_generic sockets Resolves: rhbz#1358679 - Allow cgred_t create netlink_connector sockets Resolves: rhbz#1376357 - Add dhcpd_t domain fowner capability Resolves: rhbz#1358485 - Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. Resolves: rhbz#1358478 - Rename docker module to container module Resolves: rhbz#1386916 - Allow setflies to mount tracefs Resolves: rhbz#1376357 - Allow iptables to read nsfs files. Resolves: rhbz#1411316 - Allow systemd_bootchart_t domain create dgram sockets. Resolves: rhbz#1365953 - Rename docker interfaces to container Resolves: rhbz#1386916- Allow initrc_t domain to run rhel-autorelabel script properly during boot process Resolves: rhbz#1379722 - Allow systemd_initctl_t to create and connect unix_dgram sockets Resolves: rhbz#1365947 - Allow ifconfig_t to mount/unmount nsfs_t filesystem Resolves: rhbz#1349814 - Add interfaces allowing mount/unmount nsfs_t filesystem Resolves: rhbz#1349814- Add interface init_stream_connectto() Resolves:rhbz#1365947 - Allow rhsmcertd domain signull kernel. Resolves: rhbz#1379781 - Allow kdumpgui domain to read nvme device - Allow insmod_t to load kernel modules Resolves: rhbz#1421598 - Add interface files_load_kernel_modules() Resolves: rhbz#1421598 - Add SELinux support for systemd-initctl daemon Resolves:rhbz#1365947 - Add SELinux support for systemd-bootchart Resolves: rhbz#1365953- Allow firewalld to getattr open search read modules_object_t:dir Resolves: rhbz#1418391 - Fix label for nagios plugins in nagios file conxtext file Resolves: rhbz#1277718 - Add sys_ptrace capability to pegasus domain Resolves: rhbz#1381238 - Allow sssd_t domain setpgid Resolves:rhbz#1416780 - After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. Resolves: rhbz#1350927 - Allow kdumpgui domain to read nvme device Resolves: rhbz#1415084 - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add user namespace capability object classes. Resolves: rhbz#1368057 - Add module_load permission to class system Resolves:rhbz#1368057 - Add the validate_trans access vector to the security class Resolves: rhbz#1368057 - Add "binder" security class and access vectors Resolves: rhbz#1368057 - Allow ifconfig_t domain read nsfs_t Resolves: rhbz#1349814 - Allow ping_t domain to load kernel modules. Resolves: rhbz#1388363- Allow systemd container to read/write usermodehelperstate Resolves: rhbz#1403254 - Label udp ports in range 24007-24027 as gluster_port_t Resolves: rhbz#1404152- Allow glusterd_t to bind on glusterd_port_t udp ports. Resolves: rhbz#1404152 - Revert: Allow glusterd_t to bind on med_tlp port.- Allow glusterd_t to bind on med_tlp port. Resolves: rhbz#1404152 - Update ctdbd_t policy to reflect all changes. Resolves: rhbz#1402451 - Label tcp port 24009 as med_tlp_port_t Resolves: rhbz#1404152 - Issue appears during update directly from RHEL-7.0 to RHEL-7.3 or above. Modules pkcsslotd and vbetools missing in selinux-policy package for RHEL-7.3 which causing warnings during SELinux policy store migration process. Following patch fixes issue by skipping pkcsslotd and vbetools modules migration.- Allow ctdbd_t domain transition to rpcd_t Resolves:rhbz#1402451- Fixes for containers Allow containers to attempt to write to unix_sysctls. Allow cotainers to use the FD's leaked to them from parent processes. Resolves: rhbz#1403254- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t Resolves: rhbz#1404152 - Allow systemd to stop glusterd_t domains. Resolves: rhbz#1400493- Make working CTDB:NFS: CTDB failover from selinux-policy POV Resolves: rhbz#1402451- Add kdump_t domain sys_admin capability Resolves: rhbz#1375963- Allow puppetagent_t to access timedated dbus. Use the systemd_dbus_chat_timedated interface to allow puppetagent_t the access. Resolves: rhbz#1399250- Update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients Resolves: rhbz#1393505- Allow cluster_t communicate to fprintd_t via dbus Resolves: rhbz#1349798- Fix error message during update from RHEL-7.2 to RHEL-7.3, when /usr/sbin/semanage command is not installed and selinux-policy-migrate-local-changes.sh script is executed in %post install phase of selinux-policy package Resolves: rhbz#1392010- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device. Resolves: rhbz#1384488 - Allow glusterd to get attributes on /sys/kernel/config directory. Resolves: rhbz#1384483- Use selinux-policy-migrate-local-changes.sh instead of migrateStore* macros - Add selinux-policy-migrate-local-changes service Resolves: rhbz#1381588- Allow sssd_selinux_manager_t to manage also dir class. Resolves: rhbz#1368097 - Add interface seutil_manage_default_contexts_dirs() Resolves: rhbz#1368097- Add virt_sandbox_use_nfs -> virt_use_nfs boolean substitution. Resolves: rhbz#1355783- Allow pcp_pmcd_t domain transition to lvm_t Add capability kill and sys_ptrace to pcp_pmlogger_t Resolves: rhbz#1309883- Allow ftp daemon to manage apache_user_content Resolves: rhbz#1097775 - Label /etc/sysconfig/oracleasm as oracleasm_conf_t Resolves: rhbz#1331383 - Allow oracleasm to rw inherited fixed disk device Resolves: rhbz#1331383 - Allow collectd to connect on unix_stream_socket Resolves: rhbz#1377259- Allow iscsid create netlink iscsid sockets. Resolves: rhbz#1358266 - Improve regexp for power_unit_file_t files. To catch just systemd power unit files. Resolves: rhbz#1375462- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain. Resolves: rhbz#1331383 - Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service Resolves: rhbz#1206525- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm Resolves: rhbz#1331383 - Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t Resolves: rhbz#1206525 - Allow mdadm_t to getattr all device nodes Resolves: rhbz#1365171 - Add interface dbus_dontaudit_stream_connect_system_dbusd() Resolves:rhbz#1052880 - Add virt_stub_* interfaces for docker policy which is no longer a part of our base policy. Resolves: rhbz#1372705 - Allow guest-set-user-passwd to set users password. Resolves: rhbz#1369693 - Allow samdbox domains to use msg class Resolves: rhbz#1372677 - Allow domains using kerberos to read also kerberos config dirs Resolves: rhbz#1368492 - Allow svirt_sandbox_domains to r/w onload sockets Resolves: rhbz#1342930 - Add interface fs_manage_oracleasm() Resolves: rhbz#1331383 - Label /dev/kfd as hsa_device_t Resolves: rhbz#1373488 - Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs Resolves: rhbz#1368097 - Add interface to write to nsfs inodes Resolves: rhbz#1372705 - Allow systemd services to use PrivateNetwork feature Resolves: rhbz#1372705 - Add a type and genfscon for nsfs. Resolves: rhbz#1372705 - Allow run sulogin_t in range mls_systemlow-mls_systemhigh. Resolves: rhbz#1290400- Allow arpwatch to create netlink netfilter sockets. Resolves: rhbz#1358261 - Fix file context for /etc/pki/pki-tomcat/ca/ - new interface oddjob_mkhomedir_entrypoint() - Move label for /var/lib/docker/vfs/ to proper SELinux module - Allow mdadm to get attributes from all devices. - Label /etc/puppetlabs as puppet_etc_t. - Allow systemd-machined to communicate to lxc container using dbus - Allow systemd_resolved to send dbus msgs to userdomains Resolves: rhbz#1236579 - Allow systemd-resolved to read network sysctls Resolves: rhbz#1236579 - Allow systemd_resolved to connect on system bus. Resolves: rhbz#1236579 - Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t - Label all files in /dev/oracleasmfs/ as oracleasmfs_t Resolves: rhbz#1331383- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t Resolves:rhbz#1366915 - Allow certmonger to manage all systemd unit files Resolves:rhbz#1366915 - Grant certmonger "chown" capability Resolves:rhbz#1366915 - Allow ipa_helper_t stream connect to dirsrv_t domain Resolves: rhbz#1368418 - Update oracleasm SELinux module Resolves: rhbz#1331383 - label /var/lib/kubelet as svirt_sandbox_file_t Resolves: rhbz#1369159 - Add few interfaces to cloudform.if file Resolves: rhbz#1367834 - Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module Resolves: rhbz#1347514 - Allow krb5kdc_t to read krb4kdc_conf_t dirs. Resolves: rhbz#1368492 - Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run. Resolves: rhbz#1365653 - Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. Resolves: rhbz#1365653 - Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type Resolves: rhbz#1331383 - A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init. Resolves: rhbz#1367834 - Allow iptables to creating netlink generic sockets. Resolves: rhbz#1364359- Allow ipmievd domain to create lock files in /var/lock/subsys/ Resolves:rhbz#1349058 - Update policy for ipmievd daemon. Resolves:rhbz#1349058 - Dontaudit hyperkvp to getattr on non security files. Resolves: rhbz#1349356 - Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t Resolves: rhbz#1347514 - Fixed lsm SELinux module - Add sys_admin capability to sbd domain Resolves: rhbz#1322725 - Allow vdagent to comunnicate with systemd-logind via dbus Resolves: rhbz#1366731 - Allow lsmd_plugin_t domain to create fixed_disk device. Resolves: rhbz#1238066 - Allow opendnssec domain to create and manage own tmp dirs/files Resolves: rhbz#1366649 - Allow opendnssec domain to read system state Resolves: rhbz#1366649 - Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs Resolves: rhbz#1366649 - Allow rasdaemon to mount/unmount tracefs filesystem. Resolves: rhbz#1364380 - Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/ Resolves: rhbz#1367520 - Modify interface den_read_nvme() to allow also read nvme_device_t block files. Resolves: rhbz#1362564 - Label /var/run/storaged as lvm_var_run_t. Resolves: rhbz#1264390 - Allow unconfineduser to run ipa_helper_t. Resolves: rhbz#1361636- Dontaudit mock to write to generic certs. Resolves: rhbz#1271209 - Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t Resolves: rhbz#1347514 - Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain" - Allow modemmanager to write to systemd inhibit pipes Resolves: rhbz#1365214 - Label corosync-qnetd and corosync-qdevice as corosync_t domain Resolves: rhbz#1347514 - Allow ipa_helper to read network state Resolves: rhbz#1361636 - Label oddjob_reqiest as oddjob_exec_t Resolves: rhbz#1361636 - Add interface oddjob_run() Resolves: rhbz#1361636 - Allow modemmanager chat with systemd_logind via dbus Resolves: rhbz#1362273 - Allow NetworkManager chat with puppetagent via dbus Resolves: rhbz#1363989 - Allow NetworkManager chat with kdumpctl via dbus Resolves: rhbz#1363977 - Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls. Resolves: rhbz#1322725 - Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t Resolves: rhbz#1349058 - Allow rasdaemon to use tracefs filesystem. Resolves: rhbz#1364380 - Fix typo bug in dirsrv policy - Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd. Resolves: rhbz#1283134 - Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t Resolves: rhbz#1362688 - Allow dirsrv to read dirsrv_share_t content Resolves: rhbz#1363662 - Allow virtlogd_t to append svirt_image_t files. Resolves: rhbz#1358140 - Allow hypervkvp domain to read hugetlbfs dir/files. Resolves: rhbz#1349356 - Allow mdadm daemon to read nvme_device_t blk files Resolves: rhbz#1362564 - Allow selinuxusers and unconfineduser to run oddjob_request Resolves: rhbz#1361636 - Allow sshd server to acces to Crypto Express 4 (CEX4) devices. Resolves: rhbz#1362539 - Fix labeling issue in init.fc file. Path /usr/lib/systemd/fedora-* changed to /usr/lib/systemd/rhel-*. Resolves: rhbz#1363769 - Fix typo in device interfaces Resolves: rhbz#1349058 - Add interfaces for managing ipmi devices Resolves: rhbz#1349058 - Add interfaces to allow mounting/umounting tracefs filesystem Resolves: rhbz#1364380 - Add interfaces to allow rw tracefs filesystem Resolves: rhbz#1364380 - Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices. Resolves: rhbz#1362564 - Label /sys/kernel/debug/tracing filesystem Resolves: rhbz#1364380 - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1357857- Dontaudit mock_build_t can list all ptys. Resolves: rhbz#1271209 - Allow ftpd_t to mamange userhome data without any boolean. Resolves: rhbz#1097775 - Add logrotate permissions for creating netlink selinux sockets. Resolves: rhbz#1283134 - Allow lsmd_plugin_t to exec ldconfig. Resolves: rhbz#1238066 - Allow vnstatd domain to read /sys/class/net/ files Resolves: rhbz#1358243 - Remove duplicate allow rules in spamassassin SELinux module Resolves:rhbz#1358175 - Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs Resolves:rhbz#1358175 - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1357857 - Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. Resolves: rhbz#1330464 - Allow gnome-keyring also manage user_tmp_t sockets. Resolves: rhbz#1257057 - corecmd: Remove fcontext for /etc/sysconfig/libvirtd Resolves:rhbz#1351382- Allow ipa_dnskey domain to search cache dirs Resolves: rhbz#1350957- Allow ipa-dnskey read system state. Reasolves: rhbz#1350957 - Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file Resolves: rhbz#1350957- Allow firewalld to manage net_conf_t files. Resolves:rhbz#1304723 - Allow logrotate read logs inside containers. Resolves: rhbz#1303514 - Allow sssd to getattr on fs_t Resolves: rhbz#1356082 - Allow opendnssec domain to manage bind chace files Resolves: rhbz#1350957 - Fix typo in rhsmcertd policy module Resolves: rhbz#1329475 - Allow systemd to get status of systemd-logind daemon Resolves: rhbz#1356141 - Label more ndctl devices not just ndctl0 Resolves: rhbz#1355809- Allow rhsmcertd to copy certs into /etc/docker/cert.d - Add interface docker_rw_config() Resolves: rhbz#1344500 - Fix logrotate fc file to label also /var/lib/logrotate/ dir as logrotate_var_lib_t Resolves: rhbz#1355632 - Allow rhsmcertd to read network sysctls Resolves: rhbz#1329475 - Label /var/log/graphite-web dir as httpd_log_t Resolves: rhbz#1310898 - Allow mock to use generic ptys Resolves: rhbz#1271209 - Allow adcli running as sssd_t to write krb5.keytab file. Resolves: rhbz#1356082 - Allow openvswitch connect to openvswitch_port_t type. Resolves: rhbz#1335024 - Add SELinux policy for opendnssec service. Resolves: rhbz#1350957 - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd Resolves: rhbz#1350957 - label /dev/ndctl0 device as nvram_device_t Resolves: rhbz#1355809- Allow lttng tools to block suspending Resolves: rhbz#1256374 - Allow creation of vpnaas in openstack Resolves: rhbz#1352710 - virt: add strict policy for virtlogd daemon Resolves:rhbz#1311606 - Update makefile to support snapperd_contexts file Resolves: rhbz#1352681- Allow udev to manage systemd-hwdb files - Add interface systemd_hwdb_manage_config() Resolves: rhbz#1350756 - Fix paths to infiniband devices. This allows use more then two infiniband interfaces. Resolves: rhbz#1210263- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263 - Allow opensm daemon to rw infiniband_mgmt_device_t Resolves: rhbz#1210263 - Allow systemd_hwdb_t to relabel /etc/udev/hwdb.bin file. Resolves: rhbz#1350756 - Make label for new infiniband_mgmt deivices Resolves: rhbz#1210263- Fix typo in brltty SELinux module - Add new SELinux module sbd Resolves: rhbz#1322725 - Allow pcp dmcache metrics collection Resolves: rhbz#1309883 - Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t Resolves: rhbz#1350782 - Allow openvpn to create sock files labeled as openvpn_var_run_t Resolves: rhbz#1328246 - Allow hypervkvp daemon to getattr on all filesystem types. Resolves: rhbz#1349356 - Allow firewalld to create net_conf_t files Resolves: rhbz#1304723 - Allow mock to use lvm Resolves: rhbz#1271209 - Allow keepalived to create netlink generic sockets. Resolves: rhbz#1349809 - Allow mirromanager creating log files in /tmp Resolves:rhbz#1328818 - Rename few modules to make it consistent with source files Resolves: rhbz#1351445 - Allow vmtools_t to transition to rpm_script domain Resolves: rhbz#1342119 - Allow nsd daemon to manage nsd_conf_t dirs and files Resolves: rhbz#1349791 - Allow cluster to create dirs in /var/run labeled as cluster_var_run_t Resolves: rhbz#1346900 - Allow sssd read also sssd_conf_t dirs Resolves: rhbz#1350535 - Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl Resolves: rhbz#1086240 - Add interface lvm_getattr_exec_files() Resolves: rhbz#1271209 - Fix typo Compliling vs. Compiling Resolves: rhbz#1351445- Allow krb5kdc_t to communicate with sssd Resolves: rhbz#1319933 - Allow prosody to bind on prosody ports Resolves: rhbz#1304664 - Add dac_override caps for fail2ban-client Resolves: rhbz#1316678 - dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637 - Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726 - Add label for brltty log file Resolves: rhbz#1328818 - Allow dspam to read the passwd file Resolves: rhbz#1286020 - Allow snort_t to communicate with sssd Resolves: rhbz#1284908 - svirt_sandbox_domains need to be able to execmod for badly built libraries. Resolves: rhbz#1206339 - Add policy for lttng-tools package. Resolves: rhbz#1256374 - Make mirrormanager as application domain. Resolves: rhbz#1328234 - Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon. - Add prosody ports Resolves: rhbz#1304664 - Allow sssd read also sssd_conf_t dirs Resolves: rhbz#1350535- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. Resolves:rhbz#1331315 - Label named-pkcs11 binary as named_exec_t. Resolves: rhbz#1331315 - Allow glusterd daemon to get systemd status Resolves: rhbz#1321785 - Allow logrotate dbus-chat with system_logind daemon Resolves: rhbz#1283134 - Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files Resolves: rhbz#1336211 - Add interface cron_read_pid_files() Resolves: rhbz#1336211 - Allow pcp_pmlogger to create unix dgram sockets Resolves: rhbz#1336211 - Add hwloc-dump-hwdata SELinux policy Resolves: rhbz#1344054 - Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t. Resolves: rhbz#1121171 - Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd() Resolves: rhbz#1259764 - Create label for openhpid log files. esolves: rhbz#1259764 - Label /var/lib/ganglia as httpd_var_lib_t Resolves: rhbz#1260536 - Allow firewalld_t to create entries in net_conf_t dirs. Resolves: rhbz#1304723 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals Resolves: rhbz#1288255 - Include patch from distgit repo: policy-RHEL-7.1-flask.patch. Resolves: rhbz#1329560 - Update refpolicy to handle hwloc Resolves: rhbz#1344054 - Label /etc/dhcp/scripts dir as bin_t - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. Resolves: rhbz#1288255- Allow firewalld_t to create entries in net_conf_t dirs. Resolves: rhbz#1304723 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals Resolves: rhbz#1288255 - Allow mongod log to syslog. Resolves: rhbz#1306995 - Allow rhsmcertd connect to port tcp 9090 Resolves: rhbz#1337319 - Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove. Resolves: rhbz#1262483 Resolves: rhbz#1277506 - Label /usr/libexec/mimedefang-wrapper as spamd_exec_t. Resolves: rhbz#1301516 - Add new boolean spamd_update_can_network. Resolves: rhbz#1305469 - Allow rhsmcertd connect to tcp netport_port_t Resolves: rhbz#1329475 - Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t. Resolves: rhbz#1328234 - Allow prosody to bind to fac_restore tcp port. Resolves: rhbz#1321787 - Allow ninfod to read raw packets Resolves: rhbz#1317964 - Allow pegasus get attributes from qemu binary files. Resolves: rhbz#1260835 - Allow pegasus get attributes from qemu binary files. Resolves: rhbz#1271159 - Allow tuned to use policykit. This change is required by cockpit. Resolves: rhbz#1346464 - Allow conman_t to read dir with conman_unconfined_script_t binary files. Resolves: rhbz#1297323 - Allow pegasus to read /proc/sysinfo. Resolves: rhbz#1265883 - Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals. Resolves: rhbz#1288255 - Label tcp ports:16379, 26379 as redis_port_t Resolves: rhbz#1348471 - Allow systemd to relabel /var and /var/lib directories during boot. - Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces. - Add files_relabelto_var_lib_dirs() interface. - Label tcp port 2004 as mailbox_port_t. Resolves: rhbz#1332843 - Label tcp and udp port 5582 as fac_restore_port_t Resolves: rhbz#1321787 - Allow sysadm_t user to run postgresql-setup. Resolves: rhbz#1282543 - Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script. Resolves: rhbz#1297480 - Update netlink socket classes.- Allow conman to kill conman_unconfined_script. Resolves: rhbz#1297323 - Make conman_unconfined_script_t as init_system_domain. Resolves:rhbz#1297323 - Allow init dbus chat with apmd. Resolves:rhbz#995898 - Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t. Resolves: rhbz#1233252 - Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Add mediawiki rules to proper scope Resolves: rhbz#1301186 - Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t Resolves: rhbz#1052880 - Allow mysqld_safe to inherit rlimit information from mysqld Resolves: rhbz#1323673 - Allow collectd_t to stream connect to postgresql. Resolves: rhbz#1344056 - Allow mediawiki-script to read /etc/passwd file. Resolves: rhbz#1301186 - Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc. Resolves: rhbz#1344505 - Add labels for mediawiki123 Resolves: rhbz#1293872 - Fix label for all fence_scsi_check scripts - Allow ip netns to mounton root fs and unmount proc_t fs. Resolves: rhbz#1343776 Resolves: rhbz#1286851 - Allow sysadm_t to run newaliases command. Resolves: rhbz#1344828 - Add interface sysnet_filetrans_named_net_conf() Resolves: rhbz#1344505- Fix several issues related to the SELinux Userspace changes- Allow glusterd domain read krb5_keytab_t files. Resolves: rhbz#1343929 - Fix typo in files_setattr_non_security_dirs. Resolves: rhbz#1115987- Allow tmpreaper_t to read/setattr all non_security_file_type dirs Resolves: rhbz#1115987 - Allow firewalld to create firewalld_var_run_t directory. Resolves: rhbz#1304723 - Add interface firewalld_read_pid_files() Resolves: rhbz#1304723 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. Resolves: rhbz#1340542 - Allow sanlock service to read/write cephfs_t files. Resolves: rhbz#1315332 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added missing docker interfaces: - docker_typebounds - docker_entrypoint Resolves: rhbz#1236580 - Add interface files_setattr_non_security_dirs() Resolves: rhbz#1115987 - Add support for onloadfs - Allow iptables to read firewalld pid files. Resolves: rhbz#1304723 - Add SELinux support for ceph filesystem. Resolves: rhbz#1315332 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) Resolves: rhbz#1236580- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added missing docker interfaces: - docker_typebounds - docker_entrypoint Resolves: rhbz#1236580 - New interfaces needed for systemd-machinectl Resolves: rhbz#1236580 - New interfaces needed by systemd-machine Resolves: rhbz#1236580 - Add interface allowing sending and receiving messages from virt over dbus. Resolves: rhbz#1236580 - Backport docker policy from Fedora. Related: #1303123 Resolves: #1341257 - Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. Resolves: rhbz#1236580 - Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) - Added interfaces needed by new docker policy. Related: rhbz#1303123 - Add support for systemd-machined daemon Resolves: rhbz#1236580 - Allow rpm-ostree domain transition to install_t domain from init_t. Resolves: rhbz#1340542- dnsmasq: allow NetworkManager to control dnsmasq via D-Bus Resolves: rhbz#1336722 - Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te Resolves: rhbz#1333198 - sftpd_* booleans are functionless these days. Resolves: rhbz#1335656 - Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. Resolves: rhbz#1335828 - Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. Resolves: rhbz#1336760 - Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. Resolves: rhbz#1336737 - Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. Resolves: rhbz#1264390 - Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t. Resolves: rhbz#1337061 - Revert "Allow all domains some process flags." Resolves: rhbz#1303644 - Revert "Remove setrlimit to all domains." Resolves: rhbz#1303644 - Label /usr/sbin/xrdp* files as bin_t Resolves: rhbz#1276777 - Add mls support for some db classes Resolves: rhbz#1303651 - Allow systemd_resolved_t to check if ipv6 is disabled. Resolves: rhbz#1236579 - Allow systemd_resolved to read systemd_networkd run files. Resolves: rhbz#1236579- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. Resolves: rhbz#1336760 - Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t. Resolves: rhbz#1336737- Allow logwatch to domtrans to postqueue Resolves: rhbz#1331542 - Label /var/log/ganesha.log as gluster_log_t - Allow glusterd_t domain to create glusterd_log_t files. - Label /var/run/ganesha.pid as gluster_var_run_t. Resolves: rhbz#1335828 - Allow zabbix to connect to postgresql port Resolves: rhbz#1330479 - Add userdom_destroy_unpriv_user_shared_mem() interface. Related: rhbz#1306403 - systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. Resolves: rhbz#1306403- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. Resolves: rhbz#1333952- Add interface glusterd_dontaudit_read_lib_dirs() Resolves: rhbz#1295680 - Dontaudit Occasionally observing AVC's while running geo-rep automation Resolves: rhbz#1295680 - Allow glusterd to manage socket files labeled as glusterd_brick_t. Resolves: rhbz#1331561 - Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1246522 - Allow stunnel create log files. Resolves: rhbz#1296851 - Label tcp port 8181 as intermapper_port_t. Resolves: rhbz#1334783 - Label tcp/udp port 2024 as xinuexpansion4_port_t Resolves: rhbz#1334783 - Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t Resolves: rhbz#1334783 - Dontaudit ldconfig read gluster lib files. Resolves: rhbz#1295680 - Add interface auth_use_nsswitch() to systemd_domain_template. Resolves: rhbz#1236579- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t. Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs. Resolves: rhbz#1312809 Resolves: rhbz#1323947 - Allow dbus chat between httpd_t and oddjob_t. Resolves: rhbz#1324144 - Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. Resolves: rhbz#1324144 - Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. Resolves: rhbz#1324144 - Allow prosody to listen on port 5000 for mod_proxy65. Resolves: rhbz#1316918 - Allow pcp_pmcd_t domain to manage docker lib files. This rule is needed to allow pcp to collect container information when SELinux is enabled. Resolves: rhbz#1309454- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs. Resolves: rhbz#1319442 - Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. Resolves: rhbz#1296640 - Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. Resolves: rhbz#1097775 - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. Resolves: rhbz#1262483 - Allow nsd daemon to create log file in /var/log as nsd_log_t Resolves: rhbz#1293140 - Sanlock policy update. - New sub-domain for sanlk-reset daemon Resolves: rhbz#1212324 - Label all run tgtd files, not just socket files Resolves: rhbz#1280280 - Label all run tgtd files, not just socket files. Resolves: rhbz#1280280 - Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody. Resolves: rhbz#1321049 - unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. Resolves: rhbz#1318224 - Allow prosody to listen on port 5000 for mod_proxy65. Resolves: rhbz#1316918 - Allow targetd to read/write to /dev/mapper/control device. Resolves: rhbz#1063714 - Allow KDM to get status about power services. This change allow kdm to be able do shutdown. Resolves: rhbz#1316724 - Allow systemd-resolved daemon creating netlink_route sockets. Resolves:rhbz#1236579 - Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used Resolves: rhbz#1065362 - Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t Resolves: rhbz#1321943 - Label all nvidia binaries as xserver_exec_t Resolves: rhbz#1322283- Create new permissivedomains CIL module and make it active. Resolves: rhbz#1320451 - Add support for new mock location - /usr/libexec/mock/mock. Resolves: rhbz#1271209 - Allow bitlee to create bitlee_var_t dirs. Resolves: rhbz#1268651 - Allow CIM provider to read sssd public files. Resolves: rhbz#1263339 - Fix some broken interfaces in distro policy. Resolves: rhbz#1121171 - Allow power button to shutdown the laptop. Resolves: rhbz#995898 - Allow lsm plugins to create named fixed disks. Resolves: rhbz#1238066 - Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.confResolves: rhbz#1278777 - Allow hyperv domains to rw hyperv devices. Resolves: rhbz#1309361 - Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.Resolves: rhbz#1246780 - Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/ Resolves: rhbz#1297323 - Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib. - Add support for /dev/mptctl device used to check RAID status. Resolves: rhbz#1258029 - Create hyperv* devices and create rw interfaces for this devices. Resolves: rhbz#1309361 - Add fixes for selinux userspace moving the policy store to /var/lib/selinux. - Remove optional else block for dhcp ping- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks. Resolves: rhbz#1263770 - Fix context of "/usr/share/nginx/html". Resolves: rhbz#1261857 - Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics Resolves: rhbz#1270344 - Allow pmlogger to create pmlogger.primary.socket link file. Resolves: rhbz#1270344 - Label nagios scripts as httpd_sys_script_exec_t. Resolves: rhbz#1260306 - Add dontaudit interface for kdumpctl_tmp_t Resolves: rhbz#1156442 - Allow mdadm read files in EFI partition. Resolves: rhbz#1291801 - Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid. Resolves: rhbz#1293140 - Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs Resolves: rhbz#1293140 - Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface. Resolves: rhbz#1265102 - Add missing labeling for /usr/libexec/abrt-hook-ccpp. Resolves: rhbz#1213409 - Allow pcp_pmie and pcp_pmlogger to read all domains state. Resolves: rhbz#1206525 - Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port. Resolves: rhbz#1275246 - cockpit has grown content in /var/run directory Resolves: rhbz#1279429 - Allow collectd setgid capability Resolves:#1310898 - Remove declaration of empty booleans in virt policy. Resolves: rhbz#1103153 - Fix typo in drbd policy - Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. Allow drbd_t create drbd_tmp_t files in /tmp. Resolves: rhbz#1134883 - Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files. Resolves: rhbz#1293788 - Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. Resolves: rhbz#1254188 - Allow abrt_t to read sysctl_net_t files. Resolves: rhbz#1254188 - The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. - Allow abrt-hook-ccpp to getattr on all executables. - Allow setuid/setgid capabilities for abrt-hook-ccpp. Resolves: rhbz#1254188 - abrt-hook-ccpp needs to have setfscreate access because it is SELinux aware and compute a target labeling. Resolves: rhbz#1254188 - Allow abrt-hook-ccpp to change SELinux user identity for created objects. Resolves: rhbz#1254188 - Dontaudit write access to inherited kdumpctl tmp files. Resolves: rbhz#1156442 - Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) Resolves: rhbz#1291801 - Label 8952 tcp port as nsd_control. Resolves: rhbz#1293140 - Allow ipsec to use pam. Resolves: rhbz#1315700 - Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020 - Allow setrans daemon to read /proc/meminfo. Resolves: rhbz#1316804 - Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg Resolves: rhbz#1298151 - Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution Resolves: rhbz#1236579 - Add new selinux policy for systemd-resolved dawmon. Resolves: rhbz#1236579 - Add interface ssh_getattr_server_keys() interface. Resolves: rhbz#1306197 - Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 Resolves: rhbz#1306197 - Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used. Resolves: rhbz#1309417 - Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t. Resolves: rhbz#1293788- Prepare selinux-policy package for userspace release 2016-02-23. Resolves: rhbz#1305982- Allow sending dbus msgs between firewalld and system_cronjob domains. Resolves: rhbz#1284902 - Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. Resolves: rhbz#1242506 - Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. Resolves: rhbz#1284972 - Add support for systemd-hwdb daemon. Resolves: rhbz#1257940 - Add interface fs_setattr_cifs_dirs(). Resolves: rhbz#1284972- Add new SELinux policy fo targetd daemon. Resolves: rhbz#1063714 - Add new SELinux policy fo ipmievd daemon. Resolves: rhbz#1083031 - Add new SELinux policy fo hsqldb daemon. Resolves: rhbz#1083171 - Add new SELinux policy for blkmapd daemon. Resolves: rhbz#1072997 - Allow p11-child to connect to apache ports. - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. Resolves: rhbz#1278028 - Add interface "lvm_manage_lock" to lvm policy. Resolves: rhbz#1063714- Allow openvswitch domain capability sys_rawio. Resolves: rhbz#1278495- Allow openvswitch to manage hugetlfs files and dirs. Resolves: rhbz#1278495 - Add fs_manage_hugetlbfs_files() interface. Resolves: rhbz#1278495- Allow smbcontrol domain to send sigchld to ctdbd domain. Resolves: #1293784 - Allow openvswitch read/write hugetlb filesystem. Resolves: #1278495Allow hypervvssd to list all mountpoints to have VSS live backup working correctly. Resolves:#1247880- Revert Add missing labeling for /usr/libexec/abrt-hook-ccpp patch Resolves: #1254188- Allow search dirs in sysfs types in kernel_read_security_state. Resolves: #1254188 - Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs. Resolves: #1254188- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs Resolves: #1254188 - We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes. Resolves:#1261938- Remove labeling for modules_dep_t file contexts to have labeled them as modules_object_t. - Update files_read_kernel_modules() to contain modutils_read_module_deps_files() calling because module deps labeling could remain and it allows to avoid regressions. Resolves:#1266928- We need to require sandbox_web_type attribute in sandbox_x_domain_template(). Resolves: #1261938 - ipsec: The NM helper needs to read the SAs Resolves: #1259786 - ipsec: Allow ipsec management to create ptys Resolves: #1259786- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type. Resolves:#1261938 - Allow abrt_t domain to write to kernel msg device. Resolves: #1257828 - Allow rpcbind_t domain to change file owner and group Resolves: #1265266- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind. Resolves: #1256459- Allow dirsrv-admin script to read passwd file. Allow dirsrv-admin script to read httpd pid files. Label dirsrv-admin unit file and allow dirsrv-admin domains to use it. Resolves: #1230300 - Allow qpid daemon to connect on amqp tcp port. Resolves: #1261805- Label /etc/ipa/nssdb dir as cert_t Resolves:#1262718 - Do not provide docker policy files which is shipped by docker-selinux.rpm Resolves:#1262812- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager Resolves: #1192338 - Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem. Resolves: #1238079 - Allow rhsmcertd_t send signull to unconfined_service_t domains. Resolves: #1176078 - Remove file transition from snmp_manage_var_lib_dirs() interface which created snmp_var_lib_t dirs in var_lib_t. - Allow openhpid_t daemon to manage snmp files and dirs. Resolves: #1243902 - Allow mdadm_t domain read/write to general ptys and unallocated ttys. Resolves: #1073314 - Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t Resolves: #1176078- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. Resolves:#1250456- Fix labeling for fence_scsi_check script Resolves: #1255020 - Allow openhpid to read system state Allow openhpid to connect to tcp http port. Resolves: #1244248 - Allow openhpid to read snmp var lib files. Resolves: #1243902 - Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe - Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t Resolves: #1243403 - Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl Resolves: #1255020- Fix regexp in chronyd.fc file Resolves: #1243764 - Allow passenger to getattr filesystem xattr Resolves: #1196555 - Label mdadm.conf.anackbak as mdadm_conf_t file. Resolves: #1088904 - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." - Allow watchdog execute fenced python script. Resolves: #1255020 - Added inferface watchdog_unconfined_exec_read_lnk_files() - Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t. Resolves: #1230877- Allow watchdog execute fenced python script. Resolves: #1255020 - Added inferface watchdog_unconfined_exec_read_lnk_files() - Label /var/run/chrony-helper dir as chronyd_var_run_t. Resolves: #1243764 - Allow dhcpc_t domain transition to chronyd_t Resolves: #1243764- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. Resolves: #1252442- Allow exec pidof under hypervkvp domain. Resolves: #1254870 - Allow hypervkvp daemon create connection to the system DBUS Resolves: #1254870- Allow openhpid_t to read system state. Resolves: #1244248 - Added labels for files provided by rh-nginx18 collection Resolves: #1249945 - Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db. Resolves: #1252968 - Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution. Resolves: #1243431 - Allow abrt_dump_oops_t to read proc_security_t files. - Allow abrt_dump_oops to signull all domains Allow abrt_dump_oops to read all domains state Allow abrt_dump_oops to ptrace all domains - Add interface abrt_dump_oops_domtrans() - Add mountpoint dontaudit access check in rhsmcertd policy. Resolves: #1243431 - Allow samba_net_t to manage samba_var_t sock files. Resolves: #1252937 - Allow chrome setcap to itself. Resolves: #1251996 - Allow httpd daemon to manage httpd_var_lib_t lnk_files. Resolves: #1253706 - Allow chronyd exec systemctl Resolves: #1243764 - Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t. Resolves: #1243764 - Added interface fs_dontaudit_write_configfs_dirs - Add label for kernel module dep files in /usr/lib/modules Resolves:#916635 - Allow kernel_t domtrans to abrt_dump_oops_t - Added to files_dontaudit_write_all_mountpoints intefface new dontaudit rule, that domain included this interface dontaudit capability dac_override. - Allow systemd-networkd to send logs to systemd-journald. Resolves: #1236616- Fix label on /var/tmp/kiprop_0 Resolves:#1220763 - Allow lldpad_t to getattr tmpfs_t. Resolves: #1246220 - Label /dev/shm/lldpad.* as lldapd_tmpfs_t Resolves: #1246220 - Allow audisp client to read system state.- Allow pcp_domain to manage pcp_var_lib_t lnk_files. Resolves: #1252341 - Label /var/run/xtables.* as iptables_var_run_t Resolves: #1243403- Add interface to read/write watchdog device - Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde Resolves:#1210237 - Allow apcupsd_t to read /sys/devices Resolves:#1189185 - Allow logrotate to reload services. Resolves: #1242453 - Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device) Resolves: #1244260 - Allow openhpid liboa_soap plugin to read generic certs. Resolves: #1244248 - Allow openhpid liboa_soap plugin to read resolv.conf file. Resolves: #1244248 - Label /usr/libexec/chrony-helper as chronyd_exec_t - Allow chronyd_t to read dhcpc state. - Allow chronyd to execute mkdir command.- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t. Resolves:#1073314 - Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS. - Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users. - Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode. - Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling. Resolves:#1183503 - Add support for /etc/sanlock which is writable by sanlock daemon. Resolves:#1231377 - Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet. Resolves:#1243775 - Allow snapperd to pass data (one way only) via pipe negotiated over dbus Resolves:#1250550 - Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files). Resolves: #1243902 - Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device Resolves: #1238079 - Allow lsm_plugin_t to rw raw_fixed_disk. Resolves:#1238079 - Allow rhsmcertd to send signull to unconfined_service.- Allow httpd_suexec_t to read and write Apache stream sockets Resolves: #1243569 - Allow qpid to create lnk_files in qpid_var_lib_t Resolves: #1247279- Allow drbd to get attributes from filesystems. - Allow redis to read kernel parameters. Resolves: #1209518 - Allow virt_qemu_ga_t domtrans to passwd_t - Allow audisp_remote_t to start power unit files domain to allow halt system. Resolves: #1186780 - Allow audisp_remote_t to read/write user domain pty. Resolves: #1186780 - Label /usr/sbin/chpasswd as passwd_exec_t. - Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds). Resolves:#1221121- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te - Allow pcp_pmcd daemon to read postfix config files. - Allow pcp_pmcd daemon to search postfix spool dirs. Resolves: #1213740 - Added Booleans: pcp_read_generic_logs. Resolves: #1213740 - Allow drbd to read configuration options used when loading modules. Resolves: #1134883 - Allow glusterd to manage nfsd and rpcd services. - Allow glusterd to communicate with cluster domains over stream socket. - glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.- Allow glusterd to manage nfsd and rpcd services. - Allow networkmanager to communicate via dbus with systemd_hostanmed. Resolves: #1234954 - Allow stream connect logrotate to prosody. - Add prosody_stream_connect() interface. - httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t. - Allow prosody to create own tmp files/dirs. Resolves:#1212498- Allow networkmanager read rfcomm port. Resolves:#1212498 - Remove non exists label. - Fix *_admin intefaces where body is not consistent with header. - Label /usr/afs/ as afs_files_t, Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t, Allow afs_bosserver_t read kerberos config - Remove non exits nfsd_ro_t label. - Make all interfaces related to openshift_cache_t as deprecated. - Add rpm_var_run_t label to rpm_admin header - Add jabberd_lock_t label to jabberd_admin header. - Add samba_unconfined_script_exec_t to samba_admin header. - inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - Fix ctdb policy - Add samba_signull_winbind() - Add samba_signull_unconfined_net() - Allow ctdbd_t send signull to samba_unconfined_net_t. - Allow openshift_initrc_t to communicate with firewalld over dbus Resolves:#1221326- Allow gluster to connect to all ports. It is required by random services executed by gluster. - Add interfaces winbind_signull(), samba_unconfined_net_signull(). - Dontaudit smbd_t block_suspend capability. This is kernel bug. - Allow ctdbd sending signull to process winbind, samba_unconfined_net, to checking if processes exists. - Add tmpreaper booleans to use nfs_t and samba_share_t. - Fix path from /usr/sbin/redis-server to /usr/bin/redis-server - Allow connect ypserv to portmap_port_t - Fix paths in inn policy, Allow innd read innd_log_t dirs, Allow innd execute innd_etc_t files - Add support for openstack-nova-* packages - Allow NetworkManager_t send signull to dnssec_trigger_t. - Allow glusterd to execute showmount in the showmount domain. - Label swift-container-reconciler binary as swift_t. - Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files. - Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?" Resolves:#1213540 - Merge all nova_* labels under one nova_t.- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins Resolves:#1233550 - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ - Add support for oddjob based helper in FreeIPA. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add nagios_domtrans_unconfined_plugins() interface. - Update mta_filetrans_named_content() interface to cover more db files. Resolves:#1167468 - Add back ftpd_use_passive_mode boolean with fixed description. - Allow pmcd daemon stream connect to mysqld. - Allow pcp domains to connect to own process using unix_stream_socket. Resolves:#1213709 - Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly. - Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. - Add support for oddjob based helper in FreeIPA. - Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/- Allow iptables to read ctdbd lib files. Resolves:#1224879 - Add systemd_networkd_t to nsswitch domains. - Allow drbd_t write to fixed_disk_device. Reason: drbdmeta needs write to fixed_disk_device during initialization. Resolves:#1130675 - Allow NetworkManager write to sysfs. - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. - Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types. - Allow NetworkManager write to sysfs. - Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. - Dontaudit apache to manage snmpd_var_lib_t files/dirs. - Add interface snmp_dontaudit_manage_snmp_var_lib_files(). - Dontaudit mozilla_plugin_t cap. sys_ptrace. - Rename xodbc-connect port to xodbc_connect - Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. - Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. - Dontaudit chrome to read passwd file. - nrpe needs kill capability to make gluster moniterd nodes working. Resolves:#1235587- We allow can_exec() on ssh_keygen on gluster. But there is a transition defined by init_initrc_domain() because we need to allow execute unconfined services by glusterd. So ssh-keygen ends up with ssh_keygen_t and we need to allow to manage /var/lib/glusterd/geo-replication/secret.pem. - Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so. - Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password. - Label gluster python hooks also as bin_t. - Allow glusterd to interact with gluster tools running in a user domain - Add glusterd_manage_lib_files() interface. - ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. - Allow samba_t net_admin capability to make CIFS mount working. - S30samba-start gluster hooks wants to search audit logs. Dontaudit it. Resolves:#1224879- Allow glusterd to send generic signals to systemd_passwd_agent processes. - Allow glusterd to access init scripts/units without defined policy - Allow glusterd to run init scripts. - Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain. Resolves:#1224879- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block. - Allow samba-net to access /var/lib/ctdbd dirs/files. - Allow glusterd to send a signal to smbd. - Make ctdbd as home manager to access also FUSE. - Allow glusterd to use geo-replication gluster tool. - Allow glusterd to execute ssh-keygen. - Allow glusterd to interact with cluster services. - Allow glusterd to connect to the system DBUS for service (acquire_svc). - Label /dev/log correctly. Resolves:#1230932- Back port the latest F22 changes to RHEL7. It should fix most of RHEL7.2 bugs - Add cgdcbxd policy Resolves:#1072493 - Fix ftp_homedir boolean Resolve:#1097775 - Dontaudit ifconfig writing inhertited /var/log/pluto.log. - Allow cluster domain to dbus chat with systemd-logind. Resolves:#1145215 - Dontaudit write access to inherited kdumpctl tmp files Resolves:#1156442 - Allow isnsd_t to communicate with sssd Resolves:#1167702 - Allow rwho_t to communicate with sssd Resolves:#1167718 - Allow sblim_gatherd_t to communicate with sssd Resolves:#1167732 - Allow pkcs_slotd_t to communicate with sssd Resolves:#1167737 - Allow openvswitch_t to communicate with sssd Resolves:#1167816 - Allow mysqld_safe_t to communicate with sssd Resolves:#1167832 - Allow sshd_keygen_t to communicate with sssd Resolves:#1167840 - Add support for iprdbg logging files in /var/log. Resolves:#1174363 - Allow tmpreaper_t to manage ntp log content Resolves:#1176965 - Allow gssd_t to manage ssh keyring Resolves:#1184791 - Allow httpd_sys_script_t to send system log messages Resolves:#1185231 - Allow apcupsd_t to read /sys/devices Resolves:#1189185 - Allow dovecot_t sys_resource capability Resolves:#1191143 - Add support for mongod/mongos systemd unit files. Resolves:#1197038 - Add bacula fixes - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. Resolves:#1203991- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. - Add more restriction on entrypoint for unconfined domains. - Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface - Allow all domains to read /dev/urandom. It is needed by all apps/services linked to libgcrypt. There is no harm to allow it by default. - Update policy/mls for sockets related to access perm. Rules were contradictory. - Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow r un sudo from NRPE utils scripts and allow run nagios in conjunction w ith PNP4Nagios. Resolves:#1201054 - Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead. - Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type - Label /var/lib/tftpboot/aarch64(/.*)? and /var/lib/tftpboot/images2(/.*)? - Add support for iprdbg logging files in /var/log. - Add fixes to rhsmcertd_t - Allow puppetagent_t to transfer firewalld messages over dbus - Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script. - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. - Add support for mongod/mongos systemd unit files. - cloudinit and rhsmcertd need to communicate with dbus - Allow dovecot_t sys_resource capability- ALlow mongod execmem by default. - Update policy/mls for sockets. Rules were contradictory. Resolves:#1207133 - Allow a user to login with different security level via ssh.- Update seutil_manage_config() interface. Resolves:#1185962 - Allow pki-tomcat relabel pki_tomcat_etc_rw_t. - Turn on docker_transition_unconfined by default- Allow virtd to list all mountpoints. Resolves:#1180713- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t. - Allow fowner capability for sssd because of selinux_child handling. - ALlow bind to read/write inherited ipsec pipes - Allow hypervkvp to read /dev/urandom and read addition states/config files. - Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd. - Add glusterd_filetrans_named_pid() interface - Allow radiusd to connect to radsec ports. - Allow setuid/setgid for selinux_child - Allow lsmd plugin to connect to tcp/5988 by default. - Allow lsmd plugin to connect to tcp/5989 by default. - Update ipsec_manage_pid() interface. Resolves:#1184978- Update ipsec_manage_pid() interface. Resolves:#1184978- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.- Add auditing support for ipsec. Resolves:#1182524 - Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t - Allow netutils chown capability to make tcpdump working with -w- Allow ipsec to execute _updown.netkey script to run unbound-control. - Allow neutron to read rpm DB. - Add additional fixes for hyperkvp * creates new ifcfg-{name} file * Runs hv_set_ifconfig.sh, which does the following * Copies ifcfg-{name} to /etc/sysconfig/network-scripts - Allow svirt to read symbolic links in /sys/fs/cgroups labeled as tmpfs_t - Add labeling for pacemaker.log. - Allow radius to connect/bind radsec ports. - Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log - Allow virt_qemu_ga to dbus chat with rpm. - Update virt_read_content() interface to allow read also char devices. - Allow glance-registry to connect to keystone port. Resolves:#1181818- Allow sssd to send dbus all user domains. Resolves:#1172291 - Allow lsm plugin to read certificates. - Fix labeling for keystone CGI scripts. - Make snapperd back as unconfined domain.- Fix bugs in interfaces discovered by sepolicy. - Allow slapd to read /usr/share/cracklib/pw_dict.hwm. - Allow lsm plugins to connect to tcp/18700 by default. - Allow brltty mknod capability to allow create /var/run/brltty/vcsa. - Fix pcp_domain_template() interface. - Fix conman.te. - Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc - Allow glance-scrubber to connect tcp/9191. - Add missing setuid capability for sblim-sfcbd. - Allow pegasus ioctl() on providers. - Add conman_can_network. - Allow chronyd to read chrony conf files located in /run/timemaster/. - Allow radius to bind on tcp/1813 port. - dontaudit block suspend access for openvpn_t - Allow conman to create files/dirs in /tmp. - Update xserver_rw_xdm_keys() interface to have 'setattr'. Resolves:#1172291 - Allow sulogin to read /dev/urandom and /dev/random. - Update radius port definition to have also tcp/18121 - Label prandom as random_device_t. - Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t.- Allow virt_qemu_ga_t to execute kmod. - Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean. - Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs. Resolves:#1113725 - Enable OpenStack cinder policy - Add support for /usr/share/vdsm/daemonAdapter - Add support for /var/run/gluster- Remove old pkcsslotd.pp from minimum package - Allow rlogind to use also rlogin ports. - Add support for /usr/libexec/ntpdate-wrapper. Label it as ntpdate_exec_t. - Allow bacula to connect also to postgresql. - Label /usr/libexec/tomcat/server as tomcat_exec_t - Add support for /usr/sbin/ctdbd_wrapper - Add support for /usr/libexec/ppc64-diag/rtas_errd - Allow rpm_script_roles to access system_mail_t - Allow brltty to create /var/run/brltty - Allow lsmd plugin to access netlink_route_socket - Allow smbcontrol to read passwd - Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for it Resolves:#1140106 - Allow osad to execute rhn_check - Allow load_policy to rw inherited sssd pipes because of selinux_child - Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS - Add additional fixes for su_restricted_domain_template to make moving to sysadm_r and trying to su working correctly - Add additional booleans substitions- Add seutil_dontaudit_access_check_semanage_module_store() interface Resolves:#1140106 - Update to have all _systemctl() interface also init_reload_services(). - Dontaudit access check on SELinux module store for sssd. - Add labeling for /sbin/iw. - Allow named_filetrans_domain to create ibus directory with correct labeling.- Allow radius to bind tcp/1812 radius port. - Dontaudit list user_tmp files for system_mail_t. - Label virt-who as virtd_exec_t. - Allow rhsmcertd to send a null signal to virt-who running as virtd_t. - Add missing alias for _content_rw_t. Resolves:#1089177 - Allow spamd to access razor-agent.log. - Add fixes for sfcb from libvirt-cim TestOnly bug. - Allow NetworkManager stream connect on openvpn. - Make /usr/bin/vncserver running as unconfined_service_t. - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain. - Label /etc/docker/certs.d as cert_t.- Label /etc/strongimcv as ipsec_conf_file_t. - Add support for /usr/bin/start-puppet-ca helper script Resolves:#1160727 - Allow rpm scripts to enable/disable transient systemd units. Resolves:#1154613 - Make kpropdas nsswitch domain Resolves:#1153561 - Make all glance domain as nsswitch domains Resolves:#1113281 - Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active - Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t Resolves:#1140106- Dontaudit access check on setfiles/load_policy for sssd_t. Resolves:#1140106 - Add kdump_rw_inherited_kdumpctl_tmp_pipes() Resolves:#1156442 - Make linuxptp services as unconfined. - Added new policy linuxptp. Resolves:#1149693 - Label keystone cgi files as keystone_cgi_script_exec_t. Resolves:#1138424 - Make tuned as unconfined domain- Allow guest to connect to libvirt using unix_stream_socket. - Allow all bus client domains to dbus chat with unconfined_service_t. - Allow inetd service without own policy to run in inetd_child_t which is unconfined domain. - Make opensm as nsswitch domain to make it working with sssd. - Allow brctl to read meminfo. - Allow winbind-helper to execute ntlm_auth in the caller domain. Resolves:#1160339 - Make plymouthd as nsswitch domain to make it working with sssd. Resolves:#1160196 - Make drbd as nsswitch domain to make it working with sssd. - Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working. - Add support for /var/lib/sntp directory. - Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc - Allow winbind to read usermodehelper - Allow telepathy domains to execute shells and bin_t - Allow gpgdomains to create netlink_kobject_uevent_sockets - Allow mongodb to bind to the mongo port and mongos to run as mongod_t - Allow abrt to read software raid state. - Allow nslcd to execute netstat. - Allow dovecot to create user's home directory when they log into IMAP. - Allow login domains to create kernel keyring with different level.- Allow modemmanger to connectto itself Resolves:#1120152 - Allow pki_tomcat to create link files in /var/lib/pki-ca. Resolves:#1121744 - varnishd needs to have fsetid capability Resolves:#1125165 - Allow snapperd to dbus chat with system cron jobs. Resolves:#1152447 - Allow dovecot to create user's home directory when they log into IMAP Resolves:#1152773 - Add labeling for /usr/sbin/haproxy-systemd-wrapper wrapper to make haproxy running haproxy_t. - ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t. - Allow nslcd to execute netstat. - Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. - Allow nslcd to read /dev/urandom.- Add back kill permisiion for system class Resolves:#1150011- Add back kill permisiion for service class Resolves:#1150011 - Make rhsmcertd_t also as dbus domain. - Allow named to create DNS_25 with correct labeling. - Add cloudform_dontaudit_write_cloud_log() - Call auth_use_nsswitch to apache to read/write cloud-init keys. - Allow cloud-init to dbus chat with certmonger. - Fix path to mon_statd_initrc_t script. - Allow all RHCS services to read system state. - Allow dnssec_trigger_t to execute unbound-control in own domain. - kernel_read_system_state needs to be called with type. Moved it to antivirus.if. - Added policy for mon_statd and mon_procd services. BZ (1077821) - Allow opensm_t to read/write /dev/infiniband/umad1. - Allow mongodb to manage own log files. - Allow neutron connections to system dbus. - Add support for /var/lib/swiftdirectory. - Allow nova-scheduler to read certs. - Allow openvpn to access /sys/fs/cgroup dir. - Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd. - Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files. - Add auth_use_nsswitch for portreserve to make it working with sssd. - automount policy is non-base module so it needs to be called in optional block. - ALlow sensord to getattr on sysfs. - Label /usr/share/corosync/corosync as cluster_exec_t. - Allow lmsd_plugin to read passwd file. BZ(1093733) - Allow read antivirus domain all kernel sysctls. - Allow mandb to getattr on file systems - Allow nova-console to connect to mem_cache port. - Make sosreport as unconfined domain. - Allow mondogdb to 'accept' accesses on the tcp_socket port. - ALlow sanlock to send a signal to virtd_t.- Build also MLS policy Resolves:#1138424- Add back kill permisiion for system class - Allow iptables read fail2ban logs. - Fix radius labeled ports - Add userdom_manage_user_tmpfs_files interface - Allow libreswan to connect to VPN via NM-libreswan. - Label 4101 tcp port as brlp port - fix dev_getattr_generic_usb_dev interface - Allow all domains to read fonts - Make sure /run/systemd/generator and system is labeled correctly on creation. - Dontaudit aicuu to search home config dir. - Make keystone_cgi_script_t domain. Resolves:#1138424 - Fix bug in drbd policy, - Added support for cpuplug. - ALlow sanlock_t to read sysfs_t. - Added sendmail_domtrans_unconfined interface - Fix broken interfaces - radiusd wants to write own log files. - Label /usr/libexec/rhsmd as rhsmcertd_exec_t - Allow rhsmcertd send signull to setroubleshoot. - Allow rhsmcertd manage rpm db. - Added policy for blrtty. - Fix keepalived policy - Allow rhev-agentd dbus chat with systemd-logind. - Allow keepalived manage snmp var lib sock files. - Add support for /var/lib/graphite-web - Allow NetworkManager to create Bluetooth SDP sockets - It's going to do the the discovery for DUN service for modems with Bluez 5. - Allow swift to connect to all ephemeral ports by default. - Allow sssd to read selinux config to add SELinux user mapping. - Allow lsmd to search own plguins. - Allow abrt to read /dev/memto generate an unique machine_id and uses sosuploader's algorithm based off dmidecode[1] fields. - ALlow zebra for user/group look-ups. - Allow nova domains to getattr on all filesystems. - Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes. - Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket. - Allow rhnsd_t to manage also rhnsd config symlinks. - ALlow user mail domains to create dead.letter. - Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. - Allow pki-tomcat to change SELinux object identity. - Allow radious to connect to apache ports to do OCSP check - Allow git cgi scripts to create content in /tmp - Allow cockpit-session to do GSSAPI logins. - Allow sensord read in /proc - Additional access required by usbmuxd- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems - Label /usr/lib/erlang/erts.*/bin files as bin_t - Add files_dontaudit_access_check_home_dir() inteface. - Allow udev_t mounton udev_var_run_t dirs #(1128618) - Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it. - Add init_dontaudit_read_state() interface. - Add label for ~/.local/share/fonts - Allow unconfined_r to access unconfined_service_t. - Allow init to read all config files - Add new interface to allow creation of file with lib_t type - Assign rabbitmq port. - Allow unconfined_service_t to dbus chat with all dbus domains - Add new interfaces to access users keys. - Allow domains to are allowed to mounton proc to mount on files as well as dirs - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories. - Add a port definition for shellinaboxd - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t - Allow userdomains to stream connect to pcscd for smart cards - Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix) - Update to rawhide-contrib changes Resolves:#1123844- Rebase to 3.13.1 which we have in Fedora21 Resolves:#1128284- Back port fixes from Fedora. Mainly OpenStack and Docker fixes- Add policy-rhel-7.1-{base,contrib} patches- Add support for us_cli ports - Fix labeling for /var/run/user//gvfs - add support for tcp/9697 - Additional rules required by openstack, needs backport to F20 and RHEL7 - Additional access required by docker - ALlow motion to use tcp/8082 port - Allow init_t to setattr/relabelfrom dhcp state files - Dontaudit antivirus domains read access on all security files by default - Add missing alias for old amavis_etc_t type - Allow block_suspend cap for haproxy - Additional fixes for instack overcloud - Allow OpenStack to read mysqld_db links and connect to MySQL - Remove dup filename rules in gnome.te - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t - Allow iscsid to handle own unit files - Add iscsi_systemctl() - Allow mongod to create also sock_files in /run with correct labeling - Allow httpd to send signull to apache script domains and don't audit leaks - Allow rabbitmq_beam to connect to httpd port - Allow aiccu stream connect to pcscd - Allow dmesg to read hwdata and memory dev - Allow all freeipmi domains to read/write ipmi devices - Allow sblim_sfcbd to use also pegasus-https port - Allow rabbitmq_epmd to manage rabbit_var_log_t files - Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input - Allow docker to status any unit file and allow it to start generic unit files- Change hsperfdata_root to have as user_tmp_t Resolves:#1076523- Fix Multiple same specifications for /var/named/chroot/dev/zero - Add labels for /var/named/chroot_sdb/dev devices - Add support for strongimcv - Use kerberos_keytab_domains in auth_use_nsswitch - Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to - Allow net_raw cap for neutron_t and send sigkill to dnsmasq - Fix ntp_filetrans_named_content for sntp-kod file - Add httpd_dbus_sssd boolean - Dontaudit exec insmod in boinc policy - Rename kerberos_keytab_domain to kerberos_keytab_domains - Add kerberos_keytab_domain() - Fix kerberos_keytab_template() - Make all domains which use kerberos as kerberos_keytab_domain Resolves:#1083670 - Allow kill capability to winbind_t- varnishd wants chown capability - update ntp_filetrans_named_content() interface - Add additional fixes for neutron_t. #1083335 - Dontaudit getattr on proc_kcore_t - Allow pki_tomcat_t to read ipa lib files - Allow named_filetrans_domain to create /var/cache/ibus with correct labelign - Allow init_t run /sbin/augenrules - Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces - Allow unpriv SELinux user to use sandbox - Add default label for /tmp/hsperfdata_root- Add file subs also for /var/home- Allow xauth_t to read user_home_dir_t lnk_file - Add labeling for lightdm-data - Allow certmonger to manage ipa lib files - Add support for /var/lib/ipa - Allow pegasus to getattr virt_content - Added some new rules to pcp policy - Allow chrome_sandbox to execute config_home_t - Add support for ABRT FAF- Allow kdm to send signull to remote_login_t process - Add gear policy - Turn on gear_port_t - Allow cgit to read gitosis lib files by default - Allow vdagent to read xdm state - Allow NM and fcoeadm to talk together over unix_dgram_socket- Back port fixes for pegasus_openlmi_admin_t from rawhide Resolves:#1080973 - Add labels for ostree - Add SELinux awareness for NM - Label /usr/sbin/pwhistory_helper as updpwd_exec_t- add gnome_append_home_config() - Allow thumb to append GNOME config home files - Allow rasdaemon to rw /dev/cpu//msr - fix /var/log/pki file spec - make bacula_t as auth_nsswitch domain - Identify pki_tomcat_cert_t as a cert_type - Define speech-dispater_exec_t as an application executable - Add a new file context for /var/named/chroot/run directory - update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removeable devices - Allow nsswitch_domains to stream connect to nmbd - Allow unprivusers to connect to memcached - label /var/lib/dirsrv/scripts-INSTANCE as bin_t- Allow also unpriv user to run vmtools - Allow secadm to read /dev/urandom and meminfo Resolves:#1079250 - Add booleans to allow docker processes to use nfs and samba - Add mdadm_tmpfs support - Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t - Allow vmware-user-sui to use user ttys - Allow talk 2 users logged via console too - Allow ftp services to manage xferlog_t - Make all pcp domanis as unconfined for RHEL7.0 beucause of new policies - allow anaconda to dbus chat with systemd-localed- allow anaconda to dbus chat with systemd-localed - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - Add userdom_tmp_role for secadm_t- Add additional fixes for rtas_errd - Fix transitions for tmp/tmpfs in rtas.te - Allow rtas_errd to readl all sysctls- Add support for /var/spool/rhsm/debug - Make virt_sandbox_use_audit as True by default - Allow svirt_sandbox_domains to ptrace themselves- Allow docker containers to manage /var/lib/docker content- Allow docker to read tmpfs_t symlinks - Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets- Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets - Dontaudit leaks of sockets into chrome_sandbox_t - If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t - Run vmtools as unconfined domains - Allow snort to manage its log files - Allow systemd_cronjob_t to be entered via bin_t - Allow procman to list doveconf_etc_t - allow keyring daemon to create content in tmpfs directories - Add proper labelling for icedtea-web - vpnc is creating content in networkmanager var run directory - Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. - Allow net_admin cap for fence_virtd running as fenced_t - Make abrt-java-connector working - Make cimtest script 03_defineVS.py of ComputerSystem group working - Fix git_system_enable_homedirs boolean - Allow munin mail plugins to read network systcl- Allow vmtools_helper_t to execute bin_t - Add support for /usr/share/joomla - /var/lib/containers should be labeled as openshift content for now - Allow docker domains to talk to the login programs, to allow a process to login into the container - Allow install_t do dbus chat with NM - Fix interface names in anaconda.if - Add install_t for anaconda. A new type is a part of anaconda policy - sshd to read network sysctls- Allow zabbix to send system log msgs - Allow init_t to stream connect to ipsec Resolves:#1060775- Add docker_connect_any boolean- Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Allow pegasus_openlmi_storage_t to write lvm metadata - Add hide_broken_symptoms for kdumpgui because of systemd bug - Make kdumpgui_t as unconfined domain Resolves:#1044299 - Allow docker to connect to tcp/5000- Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Fix label on irclogs in the homedir - Allow kerberos_keytab_domain domains to manage keys until we get sssd fix - Allow postgresql to use ldap - Add missing syslog-conn port - Add support for /dev/vmcp and /dev/sclp Resolves:#1069310- Modify xdm_write_home to allow create files/links in /root with xdm_home_ - Allow virt domains to read network state Resolves:#1072019- Added pcp rules - dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6 - clean up ctdb.te - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow certmonger to list home dirs- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask - Add sysnet_filetrans_named_content_ifconfig() interface - Allow ctdbd to connect own ports - Fix samba_export_all_rw booleanto cover also non security dirs - Allow swift to exec rpm in swift_t and allow to create tmp files/dirs - Allow neutron to create /run/netns with correct labeling - Allow kerberos keytab domains to manage sssd/userdomain keys" - Allow to run ip cmd in neutron_t domain- Allow block_suspend cap2 for systemd-logind and rw dri device - Add labeling for /usr/libexec/nm-libreswan-service - Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working - Add xserver_rw_xdm_keys() - Allow rpm_script_t to dbus chat also with systemd-located - Fix ipa_stream_connect_otpd() - update lpd_manage_spool() interface - Allow krb5kdc to stream connect to ipa-otpd - Add ipa_stream_connect_otpd() interface - Allow vpnc to unlink NM pids - Add networkmanager_delete_pid_files() - Allow munin plugins to access unconfined plugins - update abrt_filetrans_named_content to cover /var/spool/debug - Label /var/spool/debug as abrt_var_cache_t - Allow rhsmcertd to connect to squid port - Make docker_transition_unconfined as optional boolean - Allow certmonger to list home dirs- Make snapperd as unconfined domain and add additional fixes for it - Remove nsplugin.pp module on upgrade- Add snapperd_home_t for HOME_DIR/.snapshots directory - Make sosreport as unconfined domain - Allow sosreport to execute grub2-probe - Allow NM to manage hostname config file - Allow systemd_timedated_t to dbus chat with rpm_script_t - Allow lsmd plugins to connect to http/ssh/http_cache ports by default - Add lsmd_plugin_connect_any boolean - Allow mozilla_plugin to attempt to set capabilities - Allow lsdm_plugins to use tcp_socket - Dontaudit mozilla plugin from getattr on /proc or /sys - Dontaudit use of the keyring by the services in a sandbox - Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t - Allow rabbitmq_beam to connect to jabber_interserver_port - Allow logwatch_mail_t to transition to qmail_inject and queueu - Added new rules to pcp policy - Allow vmtools_helper_t to change role to system_r - Allow NM to dbus chat with vmtools - Fix couchdb_manage_files() to allow manage couchdb conf files - Add support for /var/run/redis.sock - dontaudit gpg trying to use audit - Allow consolekit to create log directories and files - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow pkcsslotd to read users state - Add ioctl to init_dontaudit_rw_stream_socket - Add systemd_hostnamed_manage_config() interface - Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - sddm-greater is a xdm type program- Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() interface - Allow confined users to run vmtools helpers - Fix userdom_common_user_template() - Generic systemd unit scripts do write check on / - Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files - Add additional fixes needed for init_t and setup script running in generic unit files - Allow general users to create packet_sockets - added connlcli port - Add init_manage_transient_unit() interface - Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t - Fix userdomain.te to require passwd class - devicekit_power sends out a signal to all processes on the message bus when power is going down - Dontaudit rendom domains listing /proc and hittping system_map_t - Dontauit leaks of var_t into ifconfig_t - Allow domains that transition to ssh_t to manipulate its keyring - Define oracleasm_t as a device node - Change to handle /root as a symbolic link for os-tree - Allow sysadm_t to create packet_socket, also move some rules to attributes - Add label for openvswitch port - Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. - Allow postfix_local to read .forward in pcp lib files - Allow pegasus_openlmi_storage_t to read lvm metadata - Add additional fixes for pegasus_openlmi_storage_t - Allow bumblebee to manage debugfs - Make bumblebee as unconfined domain - Allow snmp to read etc_aliases_t - Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem - Allow pegasus_openlmi_storage_t to read /proc/1/environ - Dontaudit read gconf files for cupsd_config_t - make vmtools as unconfined domain - Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. - Allow collectd_t to use a mysql database - Allow ipa-otpd to perform DNS name resolution - Added new policy for keepalived - Allow openlmi-service provider to manage transitient units and allow stream connect to sssd - Add additional fixes new pscs-lite+polkit support - Add labeling for /run/krb5kdc - Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 - Allow pcscd to read users proc info - Dontaudit smbd_t sending out random signuls - Add boolean to allow openshift domains to use nfs - Allow w3c_validator to create content in /tmp - zabbix_agent uses nsswitch - Allow procmail and dovecot to work together to deliver mail - Allow spamd to execute files in homedir if boolean turned on - Allow openvswitch to listen on port 6634 - Add net_admin capability in collectd policy - Fixed snapperd policy - Fixed bugsfor pcp policy - Allow dbus_system_domains to be started by init - Fixed some interfaces - Add kerberos_keytab_domain attribute - Fix snapperd_conf_t def- Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit messages. - Allow postfix-local to search .forward in munin lib dirs - Allow udisks to connect to D-Bus - Allow spamd to connect to spamd port - Fix syntax error in snapper.te - Dontaudit osad to search gconf home files - Allow rhsmcertd to manage /etc/sysconf/rhn director - Fix pcp labeling to accept /usr/bin for all daemon binaries - Fix mcelog_read_log() interface - Allow iscsid to manage iscsi lib files - Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. - Make tuned_t as unconfined domain for RHEL7.0 - Allow ABRT to read puppet certs - Add sys_time capability for virt-ga - Allow gemu-ga to domtrans to hwclock_t - Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages - Fix some AVCs in pcp policy - Add to bacula capability setgid and setuid and allow to bind to bacula ports - Changed label from rhnsd_rw_conf_t to rhnsd_conf_t - Add access rhnsd and osad to /etc/sysconfig/rhn - drbdadm executes drbdmeta - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true - Allow init_t to manage pluto.ctl because of init_t instead of initrc_t - Allow systemd_tmpfiles_t to manage all non security files on the system - Added labels for bacula ports - Fix label on /dev/vfio/vfio - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi- Added osad policy - Allow postfix to deliver to procmail - Allow bumblebee to seng kill signal to xserver - Allow vmtools to execute /usr/bin/lsb_release - Allow docker to write system net ctrls - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix pcp.te - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl- Turn on bacula, rhnsd policy - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl - Fixes for *_admin interfaces - Add pegasus_openlmi_storage_var_run_t type def - Add support for /var/run/openlmi-storage - Allow tuned to create syslog.conf with correct labeling - Add httpd_dontaudit_search_dirs boolean - Add support for winbind.service - ALlow also fail2ban-client to read apache logs - Allow vmtools to getattr on all fs - Add support for dey_sapi port - Add logging_filetrans_named_conf() - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring- Update snapper policy - Allow domains to append rkhunter lib files - Allow snapperd to getattr on all fs - Allow xdm to create /var/gdm with correct labeling - Add label for snapper.log - Allow fail2ban-client to read apache log files - Allow thumb_t to execute dbus-daemon in thumb_t- Allow gdm to create /var/gdm with correct labeling - Allow domains to append rkhunterl lib files. #1057982 - Allow systemd_tmpfiles_t net_admin to communicate with journald - Add interface to getattr on an isid_type for any type of file - Update libs_filetrans_named_content() to have support for /usr/lib/debug directory - Allow initrc_t domtrans to authconfig if unconfined is enabled - Allow docker and mount on devpts chr_file - Allow docker to transition to unconfined_t if boolean set - init calling needs to be optional in domain.te - Allow uncofined domain types to handle transient unit files - Fix labeling for vfio devices - Allow net_admin capability and send system log msgs - Allow lldpad send dgram to NM - Add networkmanager_dgram_send() - rkhunter_var_lib_t is correct type - Back port pcp policy from rawhide - Allow openlmi-storage to read removable devices - Allow system cron jobs to manage rkhunter lib files - Add rkhunter_manage_lib_files() - Fix ftpd_use_fusefs boolean to allow manage also symlinks - Allow smbcontrob block_suspend cap2 - Allow slpd to read network and system state info - Allow NM domtrans to iscsid_t if iscsiadm is executed - Allow slapd to send a signal itself - Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA. - Fix plymouthd_create_log() interface - Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package - Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container - Allow postfix and cyrus-imapd to work out of box - Allow fcoemon to talk with unpriv user domain using unix_stream_socket - Dontaudit domains that are calling into journald to net_admin - Add rules to allow vmtools to do what it does - snapperd is D-Bus service - Allow OpenLMI PowerManagement to call 'systemctl --force reboot' - Add haproxy_connect_any boolean - Allow haproxy also to use http cache port by default Resolves:#1058248- Allow apache to write to the owncloud data directory in /var/www/html... - Allow consolekit to create log dir - Add support for icinga CGI scripts - Add support for icinga - Allow kdumpctl_t to create kdump lock file Resolves:#1055634 - Allow kdump to create lnk lock file - Allow nscd_t block_suspen capability - Allow unconfined domain types to manage own transient unit file - Allow systemd domains to handle transient init unit files - Add interfaces to handle transient- Add cron unconfined role support for uncofined SELinux user - Call corenet_udp_bind_all_ports() in milter.te - Allow fence_virtd to connect to zented port - Fix header for mirrormanager_admin() - Allow dkim-milter to bind udp ports - Allow milter domains to send signull itself - Allow block_suspend for yum running as mock_t - Allow beam.smp to manage couchdb files - Add couchdb_manage_files() - Add labeling for /var/log/php_errors.log - Allow bumblebee to stream connect to xserver - Allow bumblebee to send a signal to xserver - gnome-thumbnail to stream connect to bumblebee - Allow xkbcomp running as bumblebee_t to execute bin_t - Allow logrotate to read squid.conf - Additional rules to get docker and lxc to play well with SELinux - Allow bumbleed to connect to xserver port - Allow pegasus_openlmi_storage_t to read hwdata- Allow init_t to work on transitient and snapshot unit files - Add logging_manage_syslog_config() - Update sysnet_dns_name_resolve() to allow connect to dnssec por - Allow pegasus_openlmi_storage_t to read hwdata Resolves:#1031721 - Fix rhcs_rw_cluster_tmpfs() - Allow fenced_t to bind on zented udp port - Added policy for vmtools - Fix mirrormanager_read_lib_files() - Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files - Allow ctdb to create sock files in /var/run/ctdb - Add sblim_filetrans_named_content() interface - Allow rpm scritplets to create /run/gather with correct labeling - Allow gnome keyring domains to create gnome config dirs - Dontaudit read/write to init stream socket for lsmd_plugin_t - Allow automount to read nfs link files - Allow lsm plugins to read/write lsmd stream socket - Allow certmonger to connect ldap port to make IPA CA certificate renewal working. - Add also labeling for /var/run/ctdb - Add missing labeling for /var/lib/ctdb - ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446 - Dontaudit hypervkvp to search homedirs - Dontaudit hypervkvp to search admin homedirs - Allow hypervkvp to execute bin_t and ifconfig in the caller domain - Dontaudit xguest_t to read ABRT conf files - Add abrt_dontaudit_read_config() - Allow namespace-init to getattr on fs - Add thumb_role() also for xguest - Add filename transitions to create .spamassassin with correct labeling - Allow apache domain to read mirrormanager pid files - Allow domains to read/write shm and sem owned by mozilla_plugin_t - Allow alsactl to send a generic signal to kernel_t- Add back rpm_run() for unconfined user- Add missing files_create_var_lib_dirs() - Fix typo in ipsec.te - Allow passwd to create directory in /var/lib - Add filename trans also for event21 - Allow iptables command to read /dev/rand - Add sigkill capabilityfor ipsec_t - Add filename transitions for bcache devices - Add additional rules to create /var/log/cron by syslogd_t with correct labeling - Add give everyone full access to all key rings - Add default lvm_var_run_t label for /var/run/multipathd - Fix log labeling to have correct default label for them after logrotate - Labeled ~/.nv/GLCache as being gstreamer output - Allow nagios_system_plugin to read mrtg lib files - Add mrtg_read_lib_files() - Call rhcs_rw_cluster_tmpfs for dlm_controld - Make authconfing as named_filetrans domain - Allow virsh to connect to user process using stream socket - Allow rtas_errd to read rand/urand devices and add chown capability - Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp Resolves:#1051497 - Add also chown cap for abrt_upload_watch_t. It already has dac_override - Allow sosreport to manage rhsmcertd pid files - Add rhsmcertd_manage_pid_files() - Allow also setgid cap for rpc.gssd - Dontaudit access check for abrt on cert_t - Allow pegasus_openlmi_system providers to dbus chat with systemd-logind- Fix semanage import handling in spec file- Add default lvm_var_run_t label for /var/run/multipathd Resolves:#1051430 - Fix log labeling to have correct default label for them after logrotate - Add files_write_root_dirs - Add new openflow port label for 6653/tcp and 6633/tcp - Add xserver_manage_xkb_libs() - Label tcp/8891 as milter por - Allow gnome_manage_generic_cache_files also create cache_home_t files - Fix aide.log labeling - Fix log labeling to have correct default label for them after logrotate - Allow mysqld-safe write access on /root to make mysqld working - Allow sosreport domtrans to prelikn - Allow OpenvSwitch to connec to openflow ports - Allow NM send dgram to lldpad - Allow hyperv domains to execute shell - Allow lsmd plugins stream connect to lsmd/init - Allow sblim domains to create /run/gather with correct labeling - Allow httpd to read ldap certs - Allow cupsd to send dbus msgs to process with different MLS level - Allow bumblebee to stream connect to apmd - Allow bumblebee to run xkbcomp - Additional allow rules to get libvirt-lxc containers working with docker - Additional allow rules to get libvirt-lxc containers working with docker - Allow docker to getattr on itself - Additional rules needed for sandbox apps - Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled - httpd should be able to send signal/signull to httpd_suexec_t - Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain.- Add neutron fixes- Allow sshd to write to all process levels in order to change passwd when running at a level - Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range - Allow apcuspd_t to status and start the power unit file - Allow udev to manage kdump unit file - Added new interface modutils_dontaudit_exec_insmod - Allow cobbler to search dhcp_etc_t directory - systemd_systemctl needs sys_admin capability - Allow sytemd_tmpfiles_t to delete all directories - passwd to create gnome-keyring passwd socket - Add missing zabbix_var_lib_t type - Fix filename trans for zabbixsrv in zabbix.te - Allow fprintd_t to send syslog messages - Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port - Allow mozilla plugin to chat with policykit, needed for spice - Allow gssprozy to change user and gid, as well as read user keyrings - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly - Allow polipo to connect to http_cache_ports - Allow cron jobs to manage apache var lib content - Allow yppassword to manage the passwd_file_t - Allow showall_t to send itself signals - Allow cobbler to restart dhcpc, dnsmasq and bind services - Allow certmonger to manage home cert files - Add userdom filename trans for user mail domains - Allow apcuspd_t to status and start the power unit file - Allow cgroupdrulesengd to create content in cgoups directories - Allow smbd_t to signull cluster - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t - Add label for /var/spool/cron.aquota.user - Allow sandbox_x domains to use work with the mozilla plugin semaphore - Added new policy for speech-dispatcher - Added dontaudit rule for insmod_exec_t in rasdaemon policy - Updated rasdaemon policy - Allow system_mail_t to transition to postfix_postdrop_t - Clean up mirrormanager policy - Allow virt_domains to read cert files, needs backport to RHEL7 - Allow sssd to read systemd_login_var_run_t - Allow irc_t to execute shell and bin-t files: - Add new access for mythtv - Allow rsync_t to manage all non auth files - allow modemmanger to read /dev/urand - Allow sandbox apps to attempt to set and get capabilties- Add labeling for /var/lib/servicelog/servicelog.db-journal - Add support for freeipmi port - Add sysadm_u_default_contexts - Make new type to texlive files in homedir - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Additional fixes for docker.te - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libivrt - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Fix typo in docker.te - Allow amanda to do backups over UDP - Allow bumblebee to read /etc/group and clean up bumblebee.te - type transitions with a filename not allowed inside conditionals - Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 - Make new type to texlive files in homedir- Allow freeipmi_ipmidetectd_t to use freeipmi port - Update freeipmi_domain_template() - Allow journalctl running as ABRT to read /run/log/journal - Allow NM to read dispatcher.d directory - Update freeipmi policy - Type transitions with a filename not allowed inside conditionals - Allow tor to bind to hplip port - Make new type to texlive files in homedir - Allow zabbix_agent to transition to dmidecode - Add rules for docker - Allow sosreport to send signull to unconfined_t - Add virt_noatsecure and virt_rlimitinh interfaces - Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port - Add sysadm_u_default_contexts - Add logging_read_syslog_pid() - Fix userdom_manage_home_texlive() interface - Make new type to texlive files in homedir - Add filename transitions for /run and /lock links - Allow virtd to inherit rlimit information Resolves:#975358- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t Resolves:#1039879 - Add labeling for /usr/lib/systemd/system/mariadb.service - Allow hyperv_domain to read sysfs - Fix ldap_read_certs() interface to allow acess also link files - Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt - Allow tuned to run modprobe - Allow portreserve to search /var/lib/sss dir - Add SELinux support for the teamd package contains team network device control daemon. - Dontaudit access check on /proc for bumblebee - Bumblebee wants to load nvidia modules - Fix rpm_named_filetrans_log_files and wine.te - Add conman policy for rawhide - DRM master and input event devices are used by the TakeDevice API - Clean up bumblebee policy - Update pegasus_openlmi_storage_t policy - Add freeipmi_stream_connect() interface - Allow logwatch read madm.conf to support RAID setup - Add raid_read_conf_files() interface - Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling - add rpm_named_filetrans_log_files() interface - Allow dkim-milter to create files/dirs in /tmp - update freeipmi policy - Add policy for freeipmi services - Added rdisc_admin and rdisc_systemctl interfaces - opensm policy clean up - openwsman policy clean up - ninfod policy clean up - Added new policy for ninfod - Added new policy for openwsman - Added rdisc_admin and rdisc_systemctl interfaces - Fix kernel_dontaudit_access_check_proc() - Add support for /dev/uhid - Allow sulogin to get the attributes of initctl and sys_admin cap - Add kernel_dontaudit_access_check_proc() - Fix dev_rw_ipmi_dev() - Fix new interface in devices.if - DRM master and input event devices are used by the TakeDevice API - add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() - Added support for default conman port - Add interfaces for ipmi devices- Allow sosreport to send a signal to ABRT - Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t - Label /usr/sbin/htcacheclean as httpd_exec_t Resolves:#1037529 - Added support for rdisc unit file - Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs - Allow runuser running as logrotate connections to system DBUS - Label bcache devices as fixed_disk_device_t - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service - Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t- Add back setpgid/setsched for sosreport_t- Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com)- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel. - Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on - Add lsmd_plugin_t for lsm plugins - Allow dovecot-deliver to search mountpoints - Add labeling for /etc/mdadm.conf - Allow opelmi admin providers to dbus chat with init_t - Allow sblim domain to read /dev/urandom and /dev/random - Allow apmd to request the kernel load modules - Add glusterd_brick_t type - label mate-keyring-daemon with gkeyringd_exec_t - Add plymouthd_create_log() - Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 - Allow sssd to request the kernel loads modules - Allow gpg_agent to use ssh-add - Allow gpg_agent to use ssh-add - Dontaudit access check on /root for myslqd_safe_t - Allow ctdb to getattr on al filesystems - Allow abrt to stream connect to syslog - Allow dnsmasq to list dnsmasq.d directory - Watchdog opens the raw socket - Allow watchdog to read network state info - Dontaudit access check on lvm lock dir - Allow sosreport to send signull to setroubleshootd - Add setroubleshoot_signull() interface - Fix ldap_read_certs() interface - Allow sosreport all signal perms - Allow sosreport to run systemctl - Allow sosreport to dbus chat with rpm - Add glusterd_brick_t files type - Allow zabbix_agentd to read all domain state - Clean up rtas.if - Allow smoltclient to execute ldconfig - Allow sosreport to request the kernel to load a module - Fix userdom_confined_admin_template() - Add back exec_content boolean for secadm, logadm, auditadm - Fix files_filetrans_system_db_named_files() interface - Allow sulogin to getattr on /proc/kcore - Add filename transition also for servicelog.db-journal - Add files_dontaudit_access_check_root() - Add lvm_dontaudit_access_check_lock() interface- Allow watchdog to read /etc/passwd - Allow browser plugins to connect to bumblebee - New policy for bumblebee and freqset - Add new policy for mip6d daemon - Add new policy for opensm daemon - Allow condor domains to read/write condor_master udp_socket - Allow openshift_cron_t to append to openshift log files, label /var/log/openshift - Add back file_pid_filetrans for /var/run/dlm_controld - Allow smbd_t to use inherited tmpfs content - Allow mcelog to use the /dev/cpu device - sosreport runs rpcinfo - sosreport runs subscription-manager - Allow staff_t to run frequency command - Allow systemd_tmpfiles to relabel log directories - Allow staff_t to read xserver_log file - Label hsperfdata_root as tmp_t- More sosreport fixes to make ABRT working- Fix files_dontaudit_unmount_all_mountpoints() - Add support for 2608-2609 tcp/udp ports - Should allow domains to lock the terminal device - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - We need to require passwd rootok - Fix zebra.fc - Fix dnsmasq_filetrans_named_content() interface - Allow all sandbox domains create content in svirt_home_t - Allow zebra domains also create zebra_tmp_t files in /tmp - Add support for new zebra services:isisd,babeld. Add systemd support for zebra services. - Fix labeling on neutron and remove transition to iconfig_t - abrt needs to read mcelog log file - Fix labeling on dnsmasq content - Fix labeling on /etc/dnsmasq.d - Allow glusterd to relabel own lib files - Allow sandbox domains to use pam_rootok, and dontaudit attempts to unmount file systems, this is caused by a bug in systemd - Allow ipc_lock for abrt to run journalctl- Fix config.tgz- Fix passenger_stream_connect interface - setroubleshoot_fixit wants to read network state - Allow procmail_t to connect to dovecot stream sockets - Allow cimprovagt service providers to read network states - Add labeling for /var/run/mariadb - pwauth uses lastlog() to update system's lastlog - Allow account provider to read login records - Add support for texlive2013 - More fixes for user config files to make crond_t running in userdomain - Add back disable/reload/enable permissions for system class - Fix manage_service_perms macro - Allow passwd_t to connect to gnome keyring to change password - Update mls config files to have cronjobs in the user domains - Remove access checks that systemd does not actually do- Add support for yubikey in homedir - Add support for upd/3052 port - Allow apcupsd to use PowerChute Network Shutdown - Allow lsmd to execute various lsmplugins - Add labeling also for /etc/watchdog\.d where are watchdog scripts located too - Update gluster_export_all_rw boolean to allow relabel all base file types - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling- Add files_relabel_base_file_types() interface - Allow netlabel-config to read passwd - update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr() - Allow x86_energy_perf tool to modify the MSR - Fix /var/lib/dspam/data labeling - Allow pegasus to domtrans to mount_t - Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts - Add support for unconfined watchdog scripts - Allow watchdog to manage own log files- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory. - Label /etc/yum.repos.d as system_conf_t - Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t - Allow dac_override for sysadm_screen_t - Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. - Allow netlabel-config to read meminfo - Add interface to allow docker to mounton file_t - Add new interface to exec unlabeled files - Allow lvm to use docker semaphores - Setup transitons for .xsessions-errors.old - Change labels of files in /var/lib/*/.ssh to transition properly - Allow staff_t and user_t to look at logs using journalctl - pluto wants to manage own log file - Allow pluto running as ipsec_t to create pluto.log - Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Allow dmidecode to read/write /run/lock/subsys/rhsmcertd - Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. - Additional access for docker - Added more rules to sblim policy - Fix kdumpgui_run_bootloader boolean - Allow dspam to connect to lmtp port - Included sfcbd service into sblim policy - rhsmcertd wants to manaage /etc/pki/consumer dir - Add kdumpgui_run_bootloader boolean - Add support for /var/cache/watchdog - Remove virt_domain attribute for virt_qemu_ga_unconfined_t - Fixes for handling libvirt containes - Dontaudit attempts by mysql_safe to write content into / - Dontaudit attempts by system_mail to modify network config - Allow dspam to bind to lmtp ports - Add new policy to allow staff_t and user_t to look at logs using journalctl - Allow apache cgi scripts to list sysfs - Dontaudit attempts to write/delete user_tmp_t files - Allow all antivirus domains to manage also own log dirs - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Add missing permission checks for nscd- Fix alias decl in corenetwork.te.in - Add support for fuse.glusterfs - Add file transition rules for content created by f5link - Rename quantum_port information to neutron - Allow all antivirus domains to manage also own log dirs - Rename quantum_port information to neutron - Allow pegasus_openlmi_services_t to stream connect to sssd_t- Allow sysadm_t to read login information - Allow systemd_tmpfiles to setattr on var_log_t directories - Udpdate Makefile to include systemd_contexts - Add systemd_contexts - Add fs_exec_hugetlbfs_files() interface - Add daemons_enable_cluster_mode boolean - Fix rsync_filetrans_named_content() - Add rhcs_read_cluster_pid_files() interface - Update rhcs.if with additional interfaces from RHEL6 - Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t - Allow glusterd_t to mounton glusterd_tmp_t - Allow glusterd to unmout al filesystems - Allow xenstored to read virt config - Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label - Allow mozilla_plugin_t to mmap hugepages as an executable- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp- Allow sshd_t to read openshift content, needs backport to RHEL6.5 - Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t - Make sur kdump lock is created with correct label if kdumpctl is executed - gnome interface calls should always be made within an optional_block - Allow syslogd_t to connect to the syslog_tls port - Add labeling for /var/run/charon.ctl socket - Add kdump_filetrans_named_content() - Allo setpgid for fenced_t - Allow setpgid and r/w cluster tmpfs for fenced_t - gnome calls should always be within optional blocks - wicd.pid should be labeled as networkmanager_var_run_t - Allow sys_resource for lldpad- Add rtas policy- Allow mailserver_domains to manage and transition to mailman data - Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands - Allow mailserver_domains to manage and transition to mailman data - Allow svirt_domains to read sysctl_net_t - Allow thumb_t to use tmpfs inherited from the user - Allow mozilla_plugin to bind to the vnc port if running with spice - Add new attribute to discover confined_admins and assign confined admin to it - Fix zabbix to handle attributes in interfaces - Fix zabbix to read system states for all zabbix domains - Fix piranha_domain_template() - Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. - Allow lldpad sys_rouserce cap due to #986870 - Allow dovecot-auth to read nologin - Allow openlmi-networking to read /proc/net/dev - Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t - Add zabbix_domain attribute for zabbix domains to treat them together - Add labels for zabbix-poxy-* (#1018221) - Update openlmi-storage policy to reflect #1015067 - Back port piranha tmpfs fixes from RHEL6 - Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop - Add postfix_rw_spool_maildrop_files interface - Call new userdom_admin_user_templat() also for sysadm_secadm.pp - Fix typo in userdom_admin_user_template() - Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey - Add new attribute to discover confined_admins - Fix labeling for /etc/strongswan/ipsec.d - systemd_logind seems to pass fd to anyone who dbus communicates with it - Dontaudit leaked write descriptor to dmesg- Activate motion policy- Fix gnome_read_generic_data_home_files() - allow openshift_cgroup_t to read/write inherited openshift file types - Remove httpd_cobbler_content * from cobbler_admin interface - Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container - Allow httpd_t to read also git sys content symlinks - Allow init_t to read gnome home data - Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it. - Allow virsh to execute systemctl - Fix for nagios_services plugins - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - Fix hypervkvp.te - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Fix logging policy - Allow syslog to bind to tls ports - Update labeling for /dev/cdc-wdm - Allow to su_domain to read init states - Allow init_t to read gnome home data - Make sure if systemd_logind creates nologin file with the correct label - Clean up ipsec.te- Add auth_exec_chkpwd interface - Fix port definition for ctdb ports - Allow systemd domains to read /dev/urand - Dontaudit attempts for mozilla_plugin to append to /dev/random - Add label for /var/run/charon.* - Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service - Fix for nagios_services plugins - Fix some bugs in zoneminder policy - add type defintion for ctdbd_var_t - Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file - Allow net_admin/netlink_socket all hyperv_domain domains - Add labeling for zarafa-search.log and zarafa-search.pid - glusterd binds to random unreserved ports - Additional allow rules found by testing glusterfs - apcupsd needs to send a message to all users on the system so needs to look them up - Fix the label on ~/.juniper_networks - Dontaudit attempts for mozilla_plugin to append to /dev/random - Allow polipo_daemon to connect to flash ports - Allow gssproxy_t to create replay caches - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type- init reload from systemd_localed_t - Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd - Allow systemd_localed_t to ask systemd to reload the locale. - Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory - Allow readahead to read /dev/urand - Fix lots of avcs about tuned - Any file names xenstored in /var/log should be treated as xenstored_var_log_t - Allow tuned to inderact with hugepages - Allow condor domains to list etc rw dirs- Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. - Add hypervkvp_unit_file_t type - Add additional fixes forpegasus_openlmi_account_t - Allow mdadm to read /dev/urand - Allow pegasus_openlmi_storage_t to create mdadm.conf and write it - Add label/rules for /etc/mdadm.conf - Allow pegasus_openlmi_storage_t to transition to fsadm_t - Fixes for interface definition problems - Dontaudit dovecot-deliver to gettatr on all fs dirs - Allow domains to search data_home_t directories - Allow cobblerd to connect to mysql - Allow mdadm to r/w kdump lock files - Add support for kdump lock files - Label zarafa-search as zarafa-indexer - Openshift cgroup wants to read /etc/passwd - Add new sandbox domains for kvm - Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on - Fix labeling for /usr/lib/systemd/system/lvm2.* - Add labeling for /usr/lib/systemd/system/lvm2.* - Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules - Add sshd_keygen_t policy for sshd-keygen - Fix alsa_home_filetrans interface name and definition - Allow chown for ssh_keygen_t - Add fs_dontaudit_getattr_all_dirs() - Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys - Fix up patch to allow systemd to manage home content - Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled - Allow getty to exec hostname to get info - Add systemd_home_t for ~/.local/share/systemd directory- Fix lxc labels in config.tgz- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper - Allow tuned to search all file system directories - Allow alsa_t to sys_nice, to get top performance for sound management - Add support for MySQL/PostgreSQL for amavis - Allow openvpn_t to manage openvpn_var_log_t files. - Allow dirsrv_t to create tmpfs_t directories - Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label - Dontaudit leaked unix_stream_sockets into gnome keyring - Allow telepathy domains to inhibit pipes on telepathy domains - Allow cloud-init to domtrans to rpm - Allow abrt daemon to manage abrt-watch tmp files - Allow abrt-upload-watcher to search /var/spool directory - Allow nsswitch domains to manage own process key - Fix labeling for mgetty.* logs - Allow systemd to dbus chat with upower - Allow ipsec to send signull to itself - Allow setgid cap for ipsec_t - Match upstream labeling- Do not build sanbox pkg on MLS- wine_tmp is no longer needed - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind - Fix handling of fifo files of rpm - Allow mozilla_plugin to transition to itself - Allow certwatch to write to cert_t directories - New abrt application - Allow NetworkManager to set the kernel scheduler - Make wine_domain shared by all wine domains - Allow mdadm_t to read images labeled svirt_image_t - Allow amanda to read /dev/urand - ALlow my_print_default to read /dev/urand - Allow mdadm to write to kdumpctl fifo files - Allow nslcd to send signull to itself - Allow yppasswd to read /dev/urandom - Fix zarafa_setrlimit - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add additional alias for user_tmp_t because wine_tmp_t is no longer used - More handling of ther kernel keyring required by kerberos - New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed- Dontaudit attempts by sosreport to read shadow_t - Allow browser sandbox plugins to connect to cups to print - Add new label mpd_home_t - Label /srv/www/logs as httpd_log_t - Add support for /var/lib/php/wsdlcache - Add zarafa_setrlimit boolean - Allow fetchmail to send mails - Add labels for apache logs under miq package - Allow irc_t to use tcp sockets - fix labels in puppet.if - Allow tcsd to read utmp file - Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys - Define svirt_socket_t as a domain_type - Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t - Fix label on pam_krb5 helper apps- Allow ldconfig to write to kdumpctl fifo files - allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks- Allow block_suspend cap for samba-net - Allow t-mission-control to manage gabble cache files - Allow nslcd to read /sys/devices/system/cpu - Allow selinux_store to use symlinks- Allow xdm_t to transition to itself - Call neutron interfaces instead of quantum - Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t - Make sure directories in /run get created with the correct label - Make sure /root/.pki gets created with the right label - try to remove labeling for motion from zoneminder_exec_t to bin_t - Allow inetd_t to execute shell scripts - Allow cloud-init to read all domainstate - Fix to use quantum port - Add interface netowrkmanager_initrc_domtrans - Fix boinc_execmem - Allow t-mission-control to read gabble cache home - Add labeling for ~/.cache/telepathy/avatars/gabble - Allow memcache to read sysfs data - Cleanup antivirus policy and add additional fixes - Add boolean boinc_enable_execstack - Add support for couchdb in rabbitmq policy - Add interface couchdb_search_pid_dirs - Allow firewalld to read NM state - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files()- Split out rlogin ports from inetd - Treat files labeld as usr_t like bin_t when it comes to transitions - Allow staff_t to read login config - Allow ipsec_t to read .google authenticator data - Allow systemd running as git_systemd to bind git port - Fix mozilla_plugin_rw_tmpfs_files() - Call the correct interface - corenet_udp_bind_ktalkd_port() - Allow all domains that can read gnome_config to read kde config - Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work - Allow mdadm to getattr any file system - Allow a confined domain to executes mozilla_exec_t via dbus - Allow cupsd_lpd_t to bind to the printer port - Dontaudit attempts to bind to ports < 1024 when nis is turned on - Allow apache domain to connect to gssproxy socket - Allow rlogind to bind to the rlogin_port - Allow telnetd to bind to the telnetd_port - Allow ktalkd to bind to the ktalkd_port - Allow cvs to bind to the cvs_port- Cleanup related to init_domain()+inetd_domain fixes - Use just init_domain instead of init_daemon_domain in inetd_core_service_domain - svirt domains neeed to create kobject_uevint_sockets - Lots of new access required for sosreport - Allow tgtd_t to connect to isns ports - Allow init_t to transition to all inetd domains: - openct needs to be able to create netlink_object_uevent_sockets - Dontaudit leaks into ldconfig_t - Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls - Move kernel_stream_connect into all Xwindow using users - Dontaudit inherited lock files in ifconfig o dhcpc_t- Also sock_file trans rule is needed in lsm - Fix labeling for fetchmail pid files/dirs - Add additional fixes for abrt-upload-watch - Fix polipo.te - Fix transition rules in asterisk policy - Add fowner capability to networkmanager policy - Allow polipo to connect to tor ports - Cleanup lsmd.if - Cleanup openhpid policy - Fix kdump_read_crash() interface - Make more domains as init domain - Fix cupsd.te - Fix requires in rpm_rw_script_inherited_pipes - Fix interfaces in lsm.if - Allow munin service plugins to manage own tmpfs files/dirs - Allow virtd_t also relabel unix stream sockets for virt_image_type - Make ktalk as init domain - Fix to define ktalkd_unit_file_t correctly - Fix ktalk.fc - Add systemd support for talk-server - Allow glusterd to create sock_file in /run - Allow xdm_t to delete gkeyringd_tmp_t files on logout - Add fixes for hypervkvp policy - Add logwatch_can_sendmail boolean - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb - Allow xdm_t to delete gkeyringd_tmp_t files on logout- Add selinux-policy-sandbox pkg0 - Allow rhsmcertd to read init state - Allow fsetid for pkcsslotd - Fix labeling for /usr/lib/systemd/system/pkcsslotd.service - Allow fetchmail to create own pid with correct labeling - Fix rhcs_domain_template() - Allow roles which can run mock to read mock lib files to view results - Allow rpcbind to use nsswitch - Fix lsm.if summary - Fix collectd_t can read /etc/passwd file - Label systemd unit files under dracut correctly - Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh - Add support for .Xauthority-n - Label umount.crypt as lvm_exec_t - Allow syslogd to search psad lib files - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files- Add policy for lsmd - Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory - Update condor_master rules to allow read system state info and allow logging - Add labeling for /etc/condor and allow condor domain to write it (bug) - Allow condor domains to manage own logs - Allow glusterd to read domains state - Fix initial hypervkvp policy - Add policy for hypervkvpd - Fix redis.if summary- Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984 - Allow named to manage own log files - Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t - Add virt_transition_userdomain boolean decl - Allow httpd_t to sendto unix_dgram sockets on its children - Allow nova domains to execute ifconfig - bluetooth wants to create fifo_files in /tmp - exim needs to be able to manage mailman data - Allow sysstat to getattr on all file systems - Looks like bluetoothd has moved - Allow collectd to send ping packets - Allow svirt_lxc domains to getpgid - Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff - Allow frpintd_t to read /dev/urandom - Allow asterisk_t to create sock_file in /var/run - Allow usbmuxd to use netlink_kobject - sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket - More cleanup of svirt_lxc policy - virtd_lxc_t now talks to dbus - Dontaudit leaked ptmx_t - Allow processes to use inherited fifo files - Allow openvpn_t to connect to squid ports - Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files - Allow user roles to connect to the journal socket- selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak - Allow xdm_t to create symlinks in log direcotries - Allow login programs to read afs config - Label 10933 as a pop port, for dovecot - New policy to allow selinux_server.py to run as semanage_t as a dbus service - Add fixes to make netlabelctl working on MLS - AVCs required for running sepolicy gui as staff_t - Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC - New dbus server to be used with new gui - After modifying some files in /etc/mail, I saw this needed on the next boot - Loading a vm from /usr/tmp with virt-manager - Clean up oracleasm policy for Fedora - Add oracleasm policy written by rlopez@redhat.com - Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache - Add label for /var/crash - Allow fenced to domtrans to sanclok_t - Allow nagios to manage nagios spool files - Make tfptd as home_manager - Allow kdump to read kcore on MLS system - Allow mysqld-safe sys_nice/sys_resource caps - Allow apache to search automount tmp dirs if http_use_nfs is enabled - Allow crond to transition to named_t, for use with unbound - Allow crond to look at named_conf_t, for unbound - Allow mozilla_plugin_t to transition its home content - Allow dovecot_domain to read all system and network state - Allow httpd_user_script_t to call getpw - Allow semanage to read pid files - Dontaudit leaked file descriptors from user domain into thumb - Make PAM authentication working if it is enabled in ejabberd - Add fixes for rabbit to fix ##992920,#992931 - Allow glusterd to mount filesystems - Loading a vm from /usr/tmp with virt-manager - Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device - Add fix for pand service - shorewall touches own log - Allow nrpe to list /var - Mozilla_plugin_roles can not be passed into lpd_run_lpr - Allow afs domains to read afs_config files - Allow login programs to read afs config - Allow virt_domain to read virt_var_run_t symlinks - Allow smokeping to send its process signals - Allow fetchmail to setuid - Add kdump_manage_crash() interface - Allow abrt domain to write abrt.socket- Add more aliases in pegasus.te - Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi provides. Fix naming and support for additionals - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec- Allow xdm_t to act as a dbus client to itsel - Allow fetchmail to resolve host names - Allow gnupg apps to write to pcscd socket - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in passenger.te -httpd_t does access_check on certs- Add support for cmpiLMI_Service-cimprovagt - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t - Label pycmpiLMI_Software-cimprovagt as rpm_exec_t - Add support for pycmpiLMI_Storage-cimprovagt - Add support for cmpiLMI_Networking-cimprovagt - Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working - Allow virtual machines and containers to run as user doains, needed for virt-sandbox - Allow buglist.cgi to read cpu info- Allow systemd-tmpfile to handle tmp content in print spool dir - Allow systemd-sysctl to send system log messages - Add support for RTP media ports and fmpro-internal - Make auditd working if audit is configured to perform SINGLE action on disk error - Add interfaces to handle systemd units - Make systemd-notify working if pcsd is used - Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t - Instead of having all unconfined domains get all of the named transition rules, - Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. - Add definition for the salt ports - Allow xdm_t to create link files in xdm_var_run_t - Dontaudit reads of blk files or chr files leaked into ldconfig_t - Allow sys_chroot for useradd_t - Allow net_raw cap for ipsec_t - Allow sysadm_t to reload services - Add additional fixes to make strongswan working with a simple conf - Allow sysadm_t to enable/disable init_t services - Add additional glusterd perms - Allow apache to read lnk files in the /mnt directory - Allow glusterd to ask the kernel to load a module - Fix description of ftpd_use_fusefs boolean - Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t - Allow glusterds to request load a kernel module - Allow boinc to stream connect to xserver_t - Allow sblim domains to read /etc/passwd - Allow mdadm to read usb devices - Allow collectd to use ping plugin - Make foghorn working with SNMP - Allow sssd to read ldap certs - Allow haproxy to connect to RTP media ports - Add additional trans rules for aide_db - Add labeling for /usr/lib/pcsd/pcsd - Add labeling for /var/log/pcsd - Add support for pcs which is a corosync and pacemaker configuration tool- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1 - Allow all domains that can domtrans to shutdown, to start the power services script to shutdown - consolekit needs to be able to shut down system - Move around interfaces - Remove nfsd_rw_t and nfsd_ro_t, they don't do anything - Add additional fixes for rabbitmq_beam to allow getattr on mountpoints - Allow gconf-defaults-m to read /etc/passwd - Fix pki_rw_tomcat_cert() interface to support lnk_files- Add support for gluster ports - Make sure that all keys located in /etc/ssh/ are labeled correctly - Make sure apcuspd lock files get created with the correct label - Use getcap in gluster.te - Fix gluster policy - add additional fixes to allow beam.smp to interact with couchdb files - Additional fix for #974149 - Allow gluster to user gluster ports - Allow glusterd to transition to rpcd_t and add additional fixes for #980683 - Allow tgtd working when accessing to the passthrough device - Fix labeling for mdadm unit files- Add mdadm fixes- Fix definition of sandbox.disabled to sandbox.pp.disabled- Allow mdamd to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd pid content- Allow nsd_t to read /dev/urand - Allow mdadm_t to read framebuffer - Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t - Allow mozilla_plugin_config_t to create tmp files - Cleanup openvswitch policy - Allow mozilla plugin to getattr on all executables - Allow l2tpd_t to create fifo_files in /var/run - Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory - Allow mdadm to connecto its own unix_stream_socket - FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now. - Allow apache to access smokeping pid files - Allow rabbitmq_beam_t to getattr on all filesystems - Add systemd support for iodined - Allow nup_upsdrvctl_t to execute its entrypoint - Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch - add labeling for ~/.cache/libvirt-sandbox - Add interface to allow domains transitioned to by confined users to send sigchld to screen program - Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab - Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service - Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs. - Allow staff to getsched all domains, required to run htop - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Add prosody policy written by Michael Scherer - Allow nagios plugins to read /sys info - ntpd needs to manage own log files - Add support for HOME_DIR/.IBMERS - Allow iptables commands to read firewalld config - Allow consolekit_t to read utmp - Fix filename transitions on .razor directory - Add additional fixes to make DSPAM with LDA working - Allow snort to read /etc/passwd - Allow fail2ban to communicate with firewalld over dbus - Dontaudit openshift_cgreoup_file_t read/write leaked dev - Allow nfsd to use mountd port - Call th proper interface - Allow openvswitch to read sys and execute plymouth - Allow tmpwatch to read /var/spool/cups/tmp - Add support for /usr/libexec/telepathy-rakia - Add systemd support for zoneminder - Allow mysql to create files/directories under /var/log/mysql - Allow zoneminder apache scripts to rw zoneminder tmpfs - Allow httpd to manage zoneminder lib files - Add zoneminder_run_sudo boolean to allow to start zoneminder - Allow zoneminder to send mails - gssproxy_t sock_file can be under /var/lib - Allow web domains to connect to whois port. - Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. - We really need to add an interface to corenet to define what a web_client_domain is and - then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain. - Add labeling for cmpiLMI_LogicalFile-cimprovagt - Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules - Update policy rules for pegasus_openlmi_logicalfile_t - Add initial types for logicalfile/unconfined OpenLMI providers - mailmanctl needs to read own log - Allow logwatch manage own lock files - Allow nrpe to read meminfo - Allow httpd to read certs located in pki-ca - Add pki_read_tomcat_cert() interface - Add support for nagios openshift plugins - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. - Allow bootloader to manage generic log files - Allow ftp to bind to port 989 - Fix label of new gear directory - Add support for new directory /var/lib/openshift/gears/ - Add openshift_manage_lib_dirs() - allow virtd domains to manage setrans_var_run_t - Allow useradd to manage all openshift content - Add support so that mozilla_plugin_t can use dri devices - Allow chronyd to change the scheduler - Allow apmd to shut downthe system - Devicekit_disk_t needs to manage /etc/fstab- Make DSPAM to act as a LDA working - Allow ntop to create netlink socket - Allow policykit to send a signal to policykit-auth - Allow stapserver to dbus chat with avahi/systemd-logind - Fix labeling on haproxy unit file - Clean up haproxy policy - A new policy for haproxy and placed it to rhcs.te - Add support for ldirectord and treat it with cluster_t - Make sure anaconda log dir is created with var_log_t- Allow lvm_t to create default targets for filesystem handling - Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys for example) - Allow cobbler to execute apache with domain transition- condor_collector uses tcp/9000 - Label /usr/sbin/virtlockd as virtd_exec_t for now - Allow cobbler to execute ldconfig - Allow NM to execute ssh - Allow mdadm to read /dev/crash - Allow antivirus domains to connect to snmp port - Make amavisd-snmp working correctly - Allow nfsd_t to mounton nfsd_fs_t - Add initial snapper policy - We still need to have consolekit policy - Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow dirsrv to read network state - Fix pki_read_tomcat_lib_files - Add labeling for /usr/libexec/nm-ssh-service - Add label cert_t for /var/lib/ipa/pki-ca/publish - Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant - Allow nfsd_t to mounton nfsd_fs_t - Dontaudit sandbox apps attempting to open user_devpts_t - Allow passwd_t to change role to system_r from unconfined_r- Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices - Add labeling for new polcykit authorizor - Dontaudit access checks from fail2ban_client - Don't audit access checks by sandbox xserver on xdb var_lib - Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream - Fix labeling for all /usr/bim/razor-lightdm-* binaries - Add filename trans for /dev/md126p1- Make vdagent able to request loading kernel module - Add support for cloud-init make it as unconfined domain - Allow snmpd to run smartctl in fsadm_t domain - remove duplicate openshift_search_lib() interface - Allow mysqld to search openshift lib files - Allow openshift cgroup to interact with passedin file descriptors - Allow colord to list directories inthe users homedir - aide executes prelink to check files - Make sure cupsd_t creates content in /etc/cups with the correct label - Lest dontaudit apache read all domains, so passenger will not cause this avc - Allow gssd to connect to gssproxy - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS - Allow systemd-tmpfiles to relabel also lock files - Allow useradd to add homdir in /var/lib/openshift - Allow setfiles and semanage to write output to /run/files- Add labeling for /dev/tgt - Dontaudit leak fd from firewalld for modprobe - Allow runuser running as rpm_script_t to create netlink_audit socket - Allow mdadm to read BIOS non-volatile RAM- accountservice watches when accounts come and go in wtmp - /usr/java/jre1.7.0_21/bin/java needs to create netlink socket - Add httpd_use_sasl boolean - Allow net_admin for tuned_t - iscsid needs sys_module to auto-load kernel modules - Allow blueman to read bluetooth conf - Add nova_manage_lib_files() interface - Fix mplayer_filetrans_home_content() - Add mplayer_filetrans_home_content() - mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t - Revert "Allow thumb_t to append inherited xdm stream socket" - Add iscsi_filetrans_named_content() interface - Allow to create .mplayer with the correct labeling for unconfined - Allow iscsiadmin to create lock file with the correct labeling- Allow wine to manage wine home content - Make amanda working with socket actiovation - Add labeling for /usr/sbin/iscsiadm - Add support for /var/run/gssproxy.sock - dnsmasq_t needs to read sysctl_net_t- Fix courier_domain_template() interface - Allow blueman to write ip_forward - Allow mongodb to connect to mongodb port - Allow mongodb to connect to mongodb port - Allow java to bind jobss_debug port - Fixes for *_admin interfaces - Allow iscsid auto-load kernel modules needed for proper iSCSI functionality - Need to assign attribute for courier_domain to all courier_domains - Fail2ban reads /etc/passwd - postfix_virtual will create new files in postfix_spool_t - abrt triggers sys_ptrace by running pidof - Label ~/abc as mozilla_home_t, since java apps as plugin want to create it - Add passenger fixes needed by foreman - Remove dup interfaces - Add additional interfaces for quantum - Add new interfaces for dnsmasq - Allow passenger to read localization and send signull to itself - Allow dnsmasq to stream connect to quantum - Add quantum_stream_connect() - Make sure that mcollective starts the service with the correct labeling - Add labels for ~/.manpath - Dontaudit attempts by svirt_t to getpw* calls - sandbox domains are trying to look at parent process data - Allow courior auth to create its pid file in /var/spool/courier subdir - Add fixes for beam to have it working with couchdb - Add labeling for /run/nm-xl2tpd.con - Allow apache to stream connect to thin - Add systemd support for amand - Make public types usable for fs mount points - Call correct mandb interface in domain.te - Allow iptables to r/w quantum inherited pipes and send sigchld - Allow ifconfig domtrans to iptables and execute ldconfig - Add labels for ~/.manpath - Allow systemd to read iscsi lib files - seunshare is trying to look at parent process data- Fix openshift_search_lib - Add support for abrt-uefioops-oops - Allow colord to getattr any file system - Allow chrome processes to look at each other - Allow sys_ptrace for abrt_t - Add new policy for gssproxy - Dontaudit leaked file descriptor writes from firewalld - openshift_net_type is interface not template - Dontaudit pppd to search gnome config - Update openshift_search_lib() interface - Add fs_list_pstorefs() - Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 - Better labels for raspberry pi devices - Allow init to create devpts_t directory - Temporarily label rasbery pi devices as memory_device_t, needs back port to f18 - Allow sysadm_t to build kernels - Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 - Allow userdomains to stream connect to gssproxy - Dontaudit leaked file descriptor writes from firewalld - Allow xserver to read /dev/urandom - Add additional fixes for ipsec-mgmt - Make SSHing into an Openshift Enterprise Node working- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime - with the proper label. - Update files_filetrans_named_content() interface to get right labeling for pam.d conf files - Allow systemd-timedated to create adjtime - Add clock_create_adjtime() - Additional fix ifconfing for #966106 - Allow kernel_t to create boot.log with correct labeling - Remove unconfined_mplayer for which we don't have rules - Rename interfaces - Add userdom_manage_user_home_files/dirs interfaces - Fix files_dontaudit_read_all_non_security_files - Fix ipsec_manage_key_file() - Fix ipsec_filetrans_key_file() - Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t - Fix labeling for ipse.secrets - Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid - Add files_dontaudit_read_all_non_security_files() interface - /var/log/syslog-ng should be labeled var_log_t - Make ifconfig_var_run_t a mountpoint - Add transition from ifconfig to dnsmasq - Allow ifconfig to execute bin_t/shell_exec_t - We want to have hwdb.bin labeled as etc_t - update logging_filetrans_named_content() interface - Allow systemd_timedate_t to manage /etc/adjtime - Allow NM to send signals to l2tpd - Update antivirus_can_scan_system boolean - Allow devicekit_disk_t to sys_config_tty - Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories - Make printing from vmware working - Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes - Add virt_qemu_ga_data_t for qemu-ga - Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both - Fix typo in virt.te - Add virt_qemu_ga_unconfined_t for hook scripts - Make sure NetworkManager files get created with the correct label - Add mozilla_plugin_use_gps boolean - Fix cyrus to have support for net-snmp - Additional fixes for dnsmasq and quantum for #966106 - Add plymouthd_create_log() - remove httpd_use_oddjob for which we don't have rules - Add missing rules for httpd_can_network_connect_cobbler - Add missing cluster_use_execmem boolean - Call userdom_manage_all_user_home_type_files/dirs - Additional fix for ftp_home_dir - Fix ftp_home_dir boolean - Allow squit to recv/send client squid packet - Fix nut.te to have nut_domain attribute - Add support for ejabberd; TODO: revisit jabberd and rabbit policy - Fix amanda policy - Add more fixes for domains which use libusb - Make domains which use libusb working correctly - Allow l2tpd to create ipsec key files with correct labeling and manage them - Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files - Allow rabbitmq-beam to bind generic node - Allow l2tpd to read ipse-mgmt pid files - more fixes for l2tpd, NM and pppd from #967072- Dontaudit to getattr on dirs for dovecot-deliver - Allow raiudusd server connect to postgresql socket - Add kerberos support for radiusd - Allow saslauthd to connect to ldap port - Allow postfix to manage postfix_private_t files - Add chronyd support for #965457 - Fix labeling for HOME_DIR/\.icedtea - CHange squid and snmpd to be allowed also write own logs - Fix labeling for /usr/libexec/qemu-ga - Allow virtd_t to use virt_lock_t - Allow also sealert to read the policy from the kernel - qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content - Dontaudit listing of users homedir by sendmail Seems like a leak - Allow passenger to transition to puppet master - Allow apache to connect to mythtv - Add definition for mythtv ports- Add additional fixes for #948073 bug - Allow sge_execd_t to also connect to sge ports - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow openshift_cron_t to manage openshift_var_lib_t sym links - Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files - Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files - Add networkmanager_stream_connect() - Make gnome-abrt wokring with staff_t - Fix openshift_manage_lib_files() interface - mdadm runs ps command which seems to getattr on random log files - Allow mozilla_plugin_t to create pulseaudit_home_t directories - Allow qemu-ga to shutdown virtual hosts - Add labelling for cupsd-browsed - Add web browser plugins to connect to aol ports - Allow nm-dhcp-helper to stream connect to NM - Add port definition for sge ports- Make sure users and unconfined domains create .hushlogin with the correct label - Allow pegaus to chat with realmd over DBus - Allow cobblerd to read network state - Allow boicn-client to stat on /dev/input/mice - Allow certwatch to read net_config_t when it executes apache - Allow readahead to create /run/systemd and then create its own directory with the correct label- Transition directories and files when in a user_tmp_t directory - Change certwatch to domtrans to apache instead of just execute - Allow virsh_t to read xen lib files - update policy rules for pegasus_openlmi_account_t - Add support for svnserve_tmp_t - Activate account openlmi policy - pegasus_openlmi_domain_template needs also require pegasus_t - One more fix for policykit.te - Call fs_list_cgroups_dirs() in policykit.te - Allow nagios service plugin to read mysql config files - Add labeling for /var/svn - Fix chrome.te - Fix pegasus_openlmi_domain_template() interfaces - Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks - Fix location of google-chrome data - Add support for chome_sandbox to store content in the homedir - Allow policykit to watch for changes in cgroups file system - Add boolean to allow mozilla_plugin_t to use spice - Allow collectd to bind to udp port - Allow collected_t to read all of /proc - Should use netlink socket_perms - Should use netlink socket_perms - Allow glance domains to connect to apache ports - Allow apcupsd_t to manage its log files - Allow chrome objects to rw_inherited unix_stream_socket from callers - Allow staff_t to execute virtd_exec_t for running vms - nfsd_t needs to bind mountd port to make nfs-mountd.service working - Allow unbound net_admin capability because of setsockopt syscall - Fix fs_list_cgroup_dirs() - Label /usr/lib/nagios/plugins/utils.pm as bin_t - Remove uplicate definition of fs_read_cgroup_files() - Remove duplicate definition of fs_read_cgroup_files() - Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd - Additional interfaces needed to list and read cgroups config - Add port definition for collectd port - Add labels for /dev/ptp* - Allow staff_t to execute virtd_exec_t for running vms- Allow samba-net to also read realmd tmp files - Allow NUT to use serial ports - realmd can be started by systemctl now- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly - Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t - Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid - Allow virsh to read xen lock file - Allow qemu-ga to create files in /run with proper labeling - Allow glusterd to connect to own socket in /tmp - Allow glance-api to connect to http port to make glance image-create working - Allow keystonte_t to execute rpm- Fix realmd cache interfaces- Allow tcpd to execute leafnode - Allow samba-net to read realmd cache files - Dontaudit sys_tty_config for alsactl - Fix allow rules for postfix_var_run - Allow cobblerd to read /etc/passwd - Allow pegasus to read exports - Allow systemd-timedate to read xdm state - Allow mout to stream connect to rpcbind - Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki- Allow thumbnails to share memory with apps which run thumbnails - Allow postfix-postqueue block_suspend - Add lib interfaces for smsd - Add support for nginx - Allow s2s running as jabberd_t to connect to jabber_interserver_port_t - Allow pki apache domain to create own tmp files and execute httpd_suexec - Allow procmail to manger user tmp files/dirs/lnk_files - Add virt_stream_connect_svirt() interface - Allow dovecot-auth to execute bin_t - Allow iscsid to request that kernel load a kernel module - Add labeling support for /var/lib/mod_security - Allow iw running as tuned_t to create netlink socket - Dontaudit sys_tty_config for thumb_t - Add labeling for nm-l2tp-service - Allow httpd running as certwatch_t to open tcp socket - Allow useradd to manager smsd lib files - Allow useradd_t to add homedirs in /var/lib - Fix typo in userdomain.te - Cleanup userdom_read_home_certs - Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t - Allow staff to stream connect to svirt_t to make gnome-boxes working- Allow lvm to create its own unit files - Label /var/lib/sepolgen as selinux_config_t - Add filetrans rules for tw devices - Add transition from cupsd_config_t to cupsd_t- Add filetrans rules for tw devices - Cleanup bad transition lines- Fix lockdev_manage_files() - Allow setroubleshootd to read var_lib_t to make email_alert working - Add lockdev_manage_files() - Call proper interface in virt.te - Allow gkeyring_domain to create /var/run/UID/config/dbus file - system dbus seems to be blocking suspend - Dontaudit attemps to sys_ptrace, which I believe gpsd does not need - When you enter a container from root, you generate avcs with a leaked file descriptor - Allow mpd getattr on file system directories - Make sure realmd creates content with the correct label - Allow systemd-tty-ask to write kmsg - Allow mgetty to use lockdev library for device locking - Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music - When you enter a container from root, you generate avcs with a leaked file descriptor - Make sure init.fc files are labeled correctly at creation - File name trans vconsole.conf - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow certmonger to dbus communicate with realmd - Make realmd working- Fix mozilla specification of homedir content - Allow certmonger to read network state - Allow tmpwatch to read tmp in /var/spool/{cups,lpd} - Label all nagios plugin as unconfined by default - Add httpd_serve_cobbler_files() - Allow mdadm to read /dev/sr0 and create tmp files - Allow certwatch to send mails - Fix labeling for nagios plugins - label shared libraries in /opt/google/chrome as testrel_shlib_t- Allow realmd to run ipa, really needs to be an unconfined_domain - Allow sandbox domains to use inherted terminals - Allow pscd to use devices labeled svirt_image_t in order to use cat cards. - Add label for new alsa pid - Alsa now uses a pid file and needs to setsched - Fix oracleasmfs_t definition - Add support for sshd_unit_file_t - Add oracleasmfs_t - Allow unlabeled_t files to be stored on unlabeled_t filesystems- Fix description of deny_ptrace boolean - Remove allow for execmod lib_t for now - Allow quantum to connect to keystone port - Allow nova-console to talk with mysql over unix stream socket - Allow dirsrv to stream connect to uuidd - thumb_t needs to be able to create ~/.cache if it does not exist - virtd needs to be able to sys_ptrace when starting and stoping containers- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms... - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets - Fix deny_ptrace boolean, certain ptrace leaked into the system - Allow winbind to manage kerberos_rcache_host - Allow spamd to create spamd_var_lib_t directories - Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs - Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs - Fix vmware_role() interface - Fix cobbler_manage_lib_files() interface - Allow nagios check disk plugins to execute bin_t - Allow quantum to transition to openvswitch_t - Allow postdrop to stream connect to postfix-master - Allow quantum to stream connect to openvswitch - Add xserver_dontaudit_xdm_rw_stream_sockets() interface - Allow daemon to send dgrams to initrc_t - Allow kdm to start the power service to initiate a reboot or poweroff- Add mising nslcd_dontaudit_write_sock_file() interface - one more fix - Fix pki_read_tomcat_lib_files() interface - Allow certmonger to read pki-tomcat lib files - Allow certwatch to execute bin_t - Allow snmp to manage /var/lib/net-snmp files - Don't audit attempts to write to stream socket of nscld by thumbnailers - Allow git_system_t to read network state - Allow pegasas to execute mount command - Fix desc for drdb_admin - Fix condor_amin() - Interface fixes for uptime, vdagent, vnstatd - Fix labeling for moodle in /var/www/moodle/data - Add interface fixes - Allow bugzilla to read certs - /var/www/moodle needs to be writable by apache - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Fix namespace_init_t to create content with proper labels, and allow it to manage all user content - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Fix sys_nice for cups_domain - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Kernel_t needs mac_admin in order to support labeled NFS - Fix systemd_dontaudit_dbus_chat() interface - Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest - Allow consolehelper domain to write Xauth files in /root - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Allow consolehelper more access discovered by Tom London - Allow fsdaemon to send signull to all domain - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface- Fix file_contexts.subs to label /run/lock correctly- Try to label on controlC devices up to 30 correctly - Add mount_rw_pid_files() interface - Add additional mount/umount interfaces needed by mock - fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk - Fix tabs - Allow initrc_domain to search rgmanager lib files - Add more fixes which make mock working together with confined users * Allow mock_t to manage rpm files * Allow mock_t to read rpm log files * Allow mock to setattr on tmpfs, devpts * Allow mount/umount filesystems - Add rpm_read_log() interface - yum-cron runs rpm from within it. - Allow tuned to transition to dmidecode - Allow firewalld to do net_admin - Allow mock to unmont tmpfs_t - Fix virt_sigkill() interface - Add additional fixes for mock. Mainly caused by mount running in mock_t - Allow mock to write sysfs_t and mount pid files - Add mailman_domain to mailman_template() - Allow openvswitch to execute shell - Allow qpidd to use kerberos - Allow mailman to use fusefs, needs back port to RHEL6 - Allow apache and its scripts to use anon_inodefs - Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 - Realmd needs to connect to samba ports, needs back port to F18 also - Allow colord to read /run/initial-setup- - Allow sanlock-helper to send sigkill to virtd which is registred to sanlock - Add virt_kill() interface - Add rgmanager_search_lib() interface - Allow wdmd to getattr on all filesystems. Back ported from RHEL6- Allow realmd to create tmp files - FIx ircssi_home_t type to irssi_home_t - Allow adcli running as realmd_t to connect to ldap port - Allow NetworkManager to transition to ipsec_t, for running strongswan - Make openshift_initrc_t an lxc_domain - Allow gssd to manage user_tmp_t files - Fix handling of irclogs in users homedir - Fix labeling for drupal an wp-content in subdirs of /var/www/html - Allow abrt to read utmp_t file - Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6 - fix labeling for (oo|rhc)-restorer-wrapper.sh - firewalld needs to be able to write to network sysctls - Fix mozilla_plugin_dontaudit_rw_sem() interface - Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains - Add mozilla_plugin_dontaudit_rw_sem() interface - Allow svirt_lxc_t to transition to openshift domains - Allow condor domains block_suspend and dac_override caps - Allow condor_master to read passd - Allow condor_master to read system state - Allow NetworkManager to transition to ipsec_t, for running strongswan - Lots of access required by lvm_t to created encrypted usb device - Allow xdm_t to dbus communicate with systemd_localed_t - Label strongswan content as ipsec_exec_mgmt_t for now - Allow users to dbus chat with systemd_localed - Fix handling of .xsession-errors in xserver.if, so kde will work - Might be a bug but we are seeing avc's about people status on init_t:service - Make sure we label content under /var/run/lock as <> - Allow daemon and systemprocesses to search init_var_run_t directory - Add boolean to allow xdm to write xauth data to the home directory - Allow mount to write keys for the unconfined domain - Add unconfined_write_keys() interface- Add labeling for /usr/share/pki - Allow programs that read var_run_t symlinks also read var_t symlinks - Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports - Fix labeling for /etc/dhcp directory - add missing systemd_stub_unit_file() interface - Add files_stub_var() interface - Add lables for cert_t directories - Make localectl set-x11-keymap working at all - Allow abrt to manage mock build environments to catch build problems. - Allow virt_domains to setsched for running gdb on itself - Allow thumb_t to execute user home content - Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 - Allow certwatch to execut /usr/bin/httpd - Allow cgred to send signal perms to itself, needs back port to RHEL6 - Allow openshift_cron_t to look at quota - Allow cups_t to read inhered tmpfs_t from the kernel - Allow yppasswdd to use NIS - Tuned wants sys_rawio capability - Add ftpd_use_fusefs boolean - Allow dirsrvadmin_t to signal itself- Allow localectl to read /etc/X11/xorg.conf.d directory - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" - Allow mount to transition to systemd_passwd_agent - Make sure abrt directories are labeled correctly - Allow commands that are going to read mount pid files to search mount_var_run_t - label /usr/bin/repoquery as rpm_exec_t - Allow automount to block suspend - Add abrt_filetrans_named_content so that abrt directories get labeled correctly - Allow virt domains to setrlimit and read file_context- Allow nagios to manage nagios spool files - /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6 - Add swift_alias.* policy files which contain typealiases for swift types - Add support for /run/lock/opencryptoki - Allow pkcsslotd chown capability - Allow pkcsslotd to read passwd - Add rsync_stub() interface - Allow systemd_timedate also manage gnome config homedirs - Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t - Fix filetrans rules for kdm creates .xsession-errors - Allow sytemd_tmpfiles to create wtmp file - Really should not label content under /var/lock, since it could have labels on it different from var_lock_t - Allow systemd to list all file system directories - Add some basic stub interfaces which will be used in PRODUCT policies- Fix log transition rule for cluster domains - Start to group all cluster log together - Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update - cups uses usbtty_device_t devices - These fixes were all required to build a MLS virtual Machine with single level desktops - Allow domains to transiton using httpd_exec_t - Allow svirt domains to manage kernel key rings - Allow setroubleshoot to execute ldconfig - Allow firewalld to read generate gnome data - Allow bluetooth to read machine-info - Allow boinc domain to send signal to itself - Fix gnome_filetrans_home_content() interface - Allow mozilla_plugins to list apache modules, for use with gxine - Fix labels for POkemon in the users homedir - Allow xguest to read mdstat - Dontaudit virt_domains getattr on /dev/* - These fixes were all required to build a MLS virtual Machine with single level desktops - Need to back port this to RHEL6 for openshift - Add tcp/8891 as milter port - Allow nsswitch domains to read sssd_var_lib_t files - Allow ping to read network state. - Fix typo - Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them- Adopt swift changes from lhh@redhat.com - Add rhcs_manage_cluster_pid_files() interface - Allow screen domains to configure tty and setup sock_file in ~/.screen directory - ALlow setroubleshoot to read default_context_t, needed to backport to F18 - Label /etc/owncloud as being an apache writable directory - Allow sshd to stream connect to an lxc domain- Allow postgresql to manage rgmanager pid files - Allow postgresql to read ccs data - Allow systemd_domain to send dbus messages to policykit - Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them - All systemd domains that create content are reading the file_context file and setfscreate - Systemd domains need to search through init_var_run_t - Allow sshd to communicate with libvirt to set containers labels - Add interface to manage pid files - Allow NetworkManger_t to read /etc/hostname - Dontaudit leaked locked files into openshift_domains - Add fixes for oo-cgroup-read - it nows creates tmp files - Allow gluster to manage all directories as well as files - Dontaudit chrome_sandbox_nacl_t using user terminals - Allow sysstat to manage its own log files - Allow virtual machines to setrlimit and send itself signals. - Add labeling for /var/run/hplip- Fix POSTIN scriptlet- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp- Fix authconfig.py labeling - Make any domains that write homedir content do it correctly - Allow glusterd to read/write anyhwere on the file system by default - Be a little more liberal with the rsync log files - Fix iscsi_admin interface - Allow iscsid_t to read /dev/urand - Fix up iscsi domain for use with unit files - Add filename transition support for spamassassin policy - Allow web plugins to use badly formated libraries - Allow nmbd_t to create samba_var_t directories - Add filename transition support for spamassassin policy - Add filename transition support for tvtime - Fix alsa_home_filetrans_alsa_home() interface - Move all userdom_filetrans_home_content() calling out of booleans - Allow logrotote to getattr on all file sytems - Remove duplicate userdom_filetrans_home_content() calling - Allow kadmind to read /etc/passwd - Dontaudit append .xsession-errors file on ecryptfs for policykit-auth - Allow antivirus domain to manage antivirus db links - Allow logrotate to read /sys - Allow mandb to setattr on man dirs - Remove mozilla_plugin_enable_homedirs boolean - Fix ftp_home_dir boolean - homedir mozilla filetrans has been moved to userdom_home_manager - homedir telepathy filetrans has been moved to userdom_home_manager - Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd() - Might want to eventually write a daemon on fusefsd. - Add policy fixes for sshd [net] child from plautrba@redhat.com - Tor uses a new port - Remove bin_t for authconfig.py - Fix so only one call to userdom_home_file_trans - Allow home_manager_types to create content with the correctl label - Fix all domains that write data into the homedir to do it with the correct label - Change the postgresql to use proper boolean names, which is causing httpd_t to - not get access to postgresql_var_run_t - Hostname needs to send syslog messages - Localectl needs to be able to send dbus signals to users - Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default - Allow user_home_manger domains to create spam* homedir content with correct labeling - Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling - Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working - Declare userdom_filetrans_type attribute - userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute - fusefsd is mounding a fuse file system on /run/user/UID/gvfs- Man pages are now generated in the build process - Allow cgred to list inotifyfs filesystem- Allow gluster to get attrs on all fs - New access required for virt-sandbox - Allow dnsmasq to execute bin_t - Allow dnsmasq to create content in /var/run/NetworkManager - Fix openshift_initrc_signal() interface - Dontaudit openshift domains doing getattr on other domains - Allow consolehelper domain to communicate with session bus - Mock should not be transitioning to any other domains, we should keep mock_t as mock_t - Update virt_qemu_ga_t policy - Allow authconfig running from realmd to restart oddjob service - Add systemd support for oddjob - Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd - Add labeling for gnashpluginrc - Allow chrome_nacl to execute /dev/zero - Allow condor domains to read /proc - mozilla_plugin_t will getattr on /core if firefox crashes - Allow condor domains to read /etc/passwd - Allow dnsmasq to execute shell scripts, openstack requires this access - Fix glusterd labeling - Allow virtd_t to interact with the socket type - Allow nmbd_t to override dac if you turned on sharing all files - Allow tuned to created kobject_uevent socket - Allow guest user to run fusermount - Allow openshift to read /proc and locale - Allow realmd to dbus chat with rpm - Add new interface for virt - Remove depracated interfaces - Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket - /usr/share/munin/plugins/plugin.sh should be labeled as bin_t - Remove some more unconfined_t process transitions, that I don't believe are necessary - Stop transitioning uncofnined_t to checkpc - dmraid creates /var/lock/dmraid - Allow systemd_localed to creatre unix_dgram_sockets - Allow systemd_localed to write kernel messages. - Also cleanup systemd definition a little. - Fix userdom_restricted_xwindows_user_template() interface - Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t - User accounts need to dbus chat with accountsd daemon - Gnome requires all users to be able to read /proc/1/- virsh now does a setexeccon call - Additional rules required by openshift domains - Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work - Allow spamd_update_t to search spamc_home_t - Avcs discovered by mounting an isci device under /mnt - Allow lspci running as logrotate to read pci.ids - Additional fix for networkmanager_read_pid_files() - Fix networkmanager_read_pid_files() interface - Allow all svirt domains to connect to svirt_socket_t - Allow virsh to set SELinux context for a process. - Allow tuned to create netlink_kobject_uevent_socket - Allow systemd-timestamp to set SELinux context - Add support for /var/lib/systemd/linger - Fix ssh_sysadm_login to be working on MLS as expected- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file - Add missing files_rw_inherited_tmp_files interface - Add additional interface for ecryptfs - ALlow nova-cert to connect to postgresql - Allow keystone to connect to postgresql - Allow all cups domains to getattr on filesystems - Allow pppd to send signull - Allow tuned to execute ldconfig - Allow gpg to read fips_enabled - Add additional fixes for ecryptfs - Allow httpd to work with posgresql - Allow keystone getsched and setsched- Allow gpg to read fips_enabled - Add support for /var/cache/realmd - Add support for /usr/sbin/blazer_usb and systemd support for nut - Add labeling for fenced_sanlock and allow sanclok transition to fenced_t - bitlbee wants to read own log file - Allow glance domain to send a signal itself - Allow xend_t to request that the kernel load a kernel module - Allow pacemaker to execute heartbeat lib files - cleanup new swift policy- Fix smartmontools - Fix userdom_restricted_xwindows_user_template() interface - Add xserver_xdm_ioctl_log() interface - Allow Xusers to ioctl lxdm.log to make lxdm working - Add MLS fixes to make MLS boot/log-in working - Add mls_socket_write_all_levels() also for syslogd - fsck.xfs needs to read passwd - Fix ntp_filetrans_named_content calling in init.te - Allow postgresql to create pg_log dir - Allow sshd to read rsync_data_t to make rsync working - Change ntp.conf to be labeled net_conf_t - Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it - Allow xdm_t to execute gstreamer home content - Allod initrc_t and unconfined domains, and sysadm_t to manage ntp - New policy for openstack swift domains - More access required for openshift_cron_t - Use cupsd_log_t instead of cupsd_var_log_t - rpm_script_roles should be used in rpm_run - Fix rpm_run() interface - Fix openshift_initrc_run() - Fix sssd_dontaudit_stream_connect() interface - Fix sssd_dontaudit_stream_connect() interface - Allow LDA's job to deliver mail to the mailbox - dontaudit block_suspend for mozilla_plugin_t - Allow l2tpd_t to all signal perms - Allow uuidgen to read /dev/random - Allow mozilla-plugin-config to read power_supply info - Implement cups_domain attribute for cups domains - We now need access to user terminals since we start by executing a command outside the tty - We now need access to user terminals since we start by executing a command outside the tty - svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen - Add containment of openshift cron jobs - Allow system cron jobs to create tmp directories - Make userhelp_conf_t a config file - Change rpm to use rpm_script_roles - More fixes for rsync to make rsync wokring - Allow logwatch to domtrans to mdadm - Allow pacemaker to domtrans to ifconfig - Allow pacemaker to setattr on corosync.log - Add pacemaker_use_execmem for memcheck-amd64 command - Allow block_suspend capability - Allow create fifo_file in /tmp with pacemaker_tmp_t - Allow systat to getattr on fixed disk - Relabel /etc/ntp.conf to be net_conf_t - ntp_admin should create files in /etc with the correct label - Add interface to create ntp_conf_t files in /etc - Add additional labeling for quantum - Allow quantum to execute dnsmasq with transition- boinc_cliean wants also execmem as boinc projecs have - Allow sa-update to search admin home for /root/.spamassassin - Allow sa-update to search admin home for /root/.spamassassin - Allow antivirus domain to read net sysctl - Dontaudit attempts from thumb_t to connect to ssd - Dontaudit attempts by readahead to read sock_files - Dontaudit attempts by readahead to read sock_files - Create tmpfs file while running as wine as user_tmpfs_t - Dontaudit attempts by readahead to read sock_files - libmpg ships badly created librarie- Change ssh_use_pts to use macro and only inherited sshd_devpts_t - Allow confined users to read systemd_logind seat information - libmpg ships badly created libraries - Add support for strongswan.service - Add labeling for strongswan - Allow l2tpd_t to read network manager content in /run directory - Allow rsync to getattr any file in rsync_data_t - Add labeling and filename transition for .grl-podcasts- mount.glusterfs executes glusterfsd binary - Allow systemd_hostnamed_t to stream connect to systemd - Dontaudit any user doing a access check - Allow obex-data-server to request the kernel to load a module - Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info) - Allow gpg-agent to read /proc/sys/crypto/fips_enabled - Add new types for antivirus.pp policy module - Allow gnomesystemmm_t caps because of ioprio_set - Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t - Allow gnomesystemmm_t caps because of ioprio_set - Allow NM rawip socket - files_relabel_non_security_files can not be used with boolean - Add interface to thumb_t dbus_chat to allow it to read remote process state - ALlow logrotate to domtrans to mdadm_t - kde gnomeclock wants to write content to /tmp- kde gnomeclock wants to write content to /tmp - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde - Allow blueman_t to rwx zero_device_t, for some kind of jre - Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre - Ftp full access should be allowed to create directories as well as files - Add boolean to allow rsync_full_acces, so that an rsync server can write all - over the local machine - logrotate needs to rotate logs in openshift directories, needs back port to RHEL6 - Add missing vpnc_roles type line - Allow stapserver to write content in /tmp - Allow gnome keyring to create keyrings dir in ~/.local/share - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Add interface to colord_t dbus_chat to allow it to read remote process state - Allow colord_t to read cupsd_t state - Add mate-thumbnail-font as thumnailer - Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data. - Allow qpidd to list /tmp. Needed by ssl - Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18 - - Added systemd support for ksmtuned - Added booleans ksmtuned_use_nfs ksmtuned_use_cifs - firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow - Looks like qpidd_t needs to read /dev/random - Lots of probing avc's caused by execugting gpg from staff_t - Dontaudit senmail triggering a net_admin avc - Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port - Logwatch does access check on mdadm binary - Add raid_access_check_mdadm() iterface- Fix systemd_manage_unit_symlinks() interface - Call systemd_manage_unit_symlinks(() which is correct interface - Add filename transition for opasswd - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow sytstemd-timedated to get status of init_t - Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t - colord needs to communicate with systemd and systemd_logind, also remove duplicate rules - Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock - Allow gpg_t to manage all gnome files - Stop using pcscd_read_pub_files - New rules for xguest, dontaudit attempts to dbus chat - Allow firewalld to create its mmap files in tmpfs and tmp directories - Allow firewalld to create its mmap files in tmpfs and tmp directories - run unbound-chkconf as named_t, so it can read dnssec - Colord is reading xdm process state, probably reads state of any apps that sends dbus message - Allow mdadm_t to change the kernel scheduler - mythtv policy - Update mandb_admin() interface - Allow dsspam to listen on own tpc_socket - seutil_filetrans_named_content needs to be optional - Allow sysadm_t to execute content in his homedir - Add attach_queue to tun_socket, new patch from Paul Moore - Change most of selinux configuration types to security_file_type. - Add filename transition rules for selinux configuration - ssh into a box with -X -Y requires ssh_use_ptys - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on - Allow all unpriv userdomains to send dbus messages to hostnamed and timedated - New allow rules found by Tom London for systemd_hostnamed- Allow systemd-tmpfiles to relabel lpd spool files - Ad labeling for texlive bash scripts - Add xserver_filetrans_fonts_cache_home_content() interface - Remove duplicate rules from *.te - Add support for /var/lock/man-db.lock - Add support for /var/tmp/abrt(/.*)? - Add additional labeling for munin cgi scripts - Allow httpd_t to read munin conf files - Allow certwatch to read meminfo - Fix nscd_dontaudit_write_sock_file() interfac - Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t - llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling- Allow gnomeclock to talk to puppet over dbus - Allow numad access discovered by Dominic - Add support for HOME_DIR/.maildir - Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain - Allow udev to relabel udev_var_run_t lnk_files - New bin_t file in mcelog- Remove all mcs overrides and replace with t1 != mcs_constrained_types - Add attribute_role for iptables - mcs_process_set_categories needs to be called for type - Implement additional role_attribute statements - Sodo domain is attempting to get the additributes of proc_kcore_t - Unbound uses port 8953 - Allow svirt_t images to compromise_kernel when using pci-passthrough - Add label for dns lib files - Bluetooth aquires a dbus name - Remove redundant files_read_usr_file calling - Remove redundant files_read_etc_file calling - Fix mozilla_run_plugin() - Add role_attribute support for more domains- Mass merge with upstream- Bump the policy version to 28 to match selinux userspace - Rebuild versus latest libsepol- Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Add systemd_status_all_unit_files() interface - Add support for nshadow - Allow sysadm_t to administrate the postfix domains - Add interface to setattr on isid directories for use by tmpreaper - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - Allow sshd_t sys_admin for use with afs logins - Add labeling for /var/named/chroot/etc/localtim- Allow setroubleshoot_fixit to execute rpm - zoneminder needs to connect to httpd ports where remote cameras are listening - Allow firewalld to execute content created in /run directory - Allow svirt_t to read generic certs - Dontaudit leaked ps content to mozilla plugin - Allow sshd_t sys_admin for use with afs logins - Allow systemd to read/write all sysctls - init scripts are creating systemd_unit_file_t directories- systemd_logind_t is looking at all files under /run/user/apache - Allow systemd to manage all user tmp files - Add labeling for /var/named/chroot/etc/localtime - Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6 - Keystone is now using a differnt port - Allow xdm_t to use usbmuxd daemon to control sound - Allow passwd daemon to execute gnome_exec_keyringd - Fix chrome_sandbox policy - Add labeling for /var/run/checkquorum-timer - More fixes for the dspam domain, needs back port to RHEL6 - More fixes for the dspam domain, needs back port to RHEL6 - sssd needs to connect to kerberos password port if a user changes his password - Lots of fixes from RHEL testing of dspam web - Allow chrome and mozilla_plugin to create msgq and semaphores - Fixes for dspam cgi scripts - Fixes for dspam cgi scripts - Allow confine users to ptrace screen - Backport virt_qemu_ga_t changes from RHEL - Fix labeling for dspam.cgi needed for RHEL6 - We need to back port this policy to RHEL6, for lxc domains - Dontaudit attempts to set sys_resource of logrotate - Allow corosync to read/write wdmd's tmpfs files - I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set - Allow cron jobs to read bind config for unbound - libvirt needs to inhibit systemd - kdumpctl needs to delete boot_t files - Fix duplicate gnome_config_filetrans - virtd_lxc_t is using /dev/fuse - Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift - apcupsd can be setup to listen to snmp trafic - Allow transition from kdumpgui to kdumpctl - Add fixes for munin CGI scripts - Allow deltacloud to connect to openstack at the keystone port - Allow domains that transition to svirt domains to be able to signal them - Fix file context of gstreamer in .cache directory - libvirt is communicating with logind - NetworkManager writes to the systemd inhibit pipe- Allow munin disk plugins to get attributes of all directories - Allow munin disk plugins to get attributes of all directorie - Allow logwatch to get attributes of all directories - Fix networkmanager_manage_lib() interface - Fix gnome_manage_config() to allow to manage sock_file - Fix virtual_domain_context - Add support for dynamic DNS for DHCPv6- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch - Add additional labeling for /var/www/openshift/broker - Fix rhev policy - Allow openshift_initrc domain to dbus chat with systemd_logind - Allow httpd to getattr passenger log file if run_stickshift - Allow consolehelper-gtk to connect to xserver - Add labeling for the tmp-inst directory defined in pam_namespace.conf - Add lvm_metadata_t labeling for /etc/multipath- consoletype is no longer used- Add label for efivarfs - Allow certmonger to send signal to itself - Allow plugin-config to read own process status - Add more fixes for pacemaker - apache/drupal can run clamscan on uploaded content - Allow chrome_sandbox_nacl_t to read pid 1 content- Fix MCS Constraints to control ingres and egres controls on the network. - Change name of svirt_nokvm_t to svirt_tcg_t - Allow tuned to request the kernel to load kernel modules- Label /var/lib/pgsql/.ssh as ssh_home_t - Add labeling for /usr/bin/pg_ctl - Allow systemd-logind to manage keyring user tmp dirs - Add support for 7389/tcp port - gems seems to be placed in lots of places - Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus - Add back tcp/8123 port as http_cache port - Add ovirt-guest-agent\.pid labeling - Allow xend to run scsi_id - Allow rhsmcertd-worker to read "physical_package_id" - Allow pki_tomcat to connect to ldap port - Allow lpr to read /usr/share/fonts - Allow open file from CD/DVD drive on domU - Allow munin services plugins to talk to SSSD - Allow all samba domains to create samba directory in var_t directories - Take away svirt_t ability to use nsswitch - Dontaudit attempts by openshift to read apache logs - Allow apache to create as well as append _ra_content_t - Dontaudit sendmail_t reading a leaked file descriptor - Add interface to have admin transition /etc/prelink.cache to the proper label - Add sntp support to ntp policy - Allow firewalld to dbus chat with devicekit_power - Allow tuned to call lsblk - Allow tor to read /proc/sys/kernel/random/uuid - Add tor_can_network_relay boolean- Add openshift_initrc_signal() interface - Fix typos - dspam port is treat as spamd_port_t - Allow setroubleshoot to getattr on all executables - Allow tuned to execute profiles scripts in /etc/tuned - Allow apache to create directories to store its log files - Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t - Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6 - Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM - Add filename transition for /etc/tuned/active_profile - Allow condor_master to send mails - Allow condor_master to read submit.cf - Allow condor_master to create /tmp files/dirs - Allow condor_mater to send sigkill to other condor domains - Allow condor_procd sigkill capability - tuned-adm wants to talk with tuned daemon - Allow kadmind and krb5kdc to also list sssd_public_t - Allow accountsd to dbus chat with init - Fix git_read_generic_system_content_files() interface - pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" - Fix mozilla_plugin_can_network_connect to allow to connect to all ports - Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t - dspam wants to search /var/spool for opendkim data - Revert "Add support for tcp/10026 port as dspam_port_t" - Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6 - Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain - Allow systemd_tmpfiles_t to setattr on mandb_cache_t- consolekit.pp was not removed from the postinstall script- Add back consolekit policy - Silence bootloader trying to use inherited tty - Silence xdm_dbusd_t trying to execute telepathy apps - Fix shutdown avcs when machine has unconfined.pp disabled - The host and a virtual machine can share the same printer on a usb device - Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob - Allow abrt_watch_log_t to execute bin_t - Allow chrome sandbox to write content in ~/.config/chromium - Dontaudit setattr on fontconfig dir for thumb_t - Allow lircd to request the kernel to load module - Make rsync as userdom_home_manager - Allow rsync to search automount filesystem - Add fixes for pacemaker- Add support for 4567/tcp port - Random fixes from Tuomo Soini - xdm wants to get init status - Allow programs to run in fips_mode - Add interface to allow the reading of all blk device nodes - Allow init to relabel rpcbind sock_file - Fix labeling for lastlog and faillog related to logrotate - ALlow aeolus_configserver to use TRAM port - Add fixes for aeolus_configserver - Allow snmpd to connect to snmp port - Allow spamd_update to create spamd_var_lib_t directories - Allow domains that can read sssd_public_t files to also list the directory - Remove miscfiles_read_localization, this is defined for all domains- Allow syslogd to request the kernel to load a module - Allow syslogd_t to read the network state information - Allow xdm_dbusd_t connect to the system DBUS - Add support for 7389/tcp port - Allow domains to read/write all inherited sockets - Allow staff_t to read kmsg - Add awstats_purge_apache_log boolean - Allow ksysguardproces to read /.config/Trolltech.conf - Allow passenger to create and append puppet log files - Add puppet_append_log and puppet_create_log interfaces - Add puppet_manage_log() interface - Allow tomcat domain to search tomcat_var_lib_t - Allow pki_tomcat_t to connect to pki_ca ports - Allow pegasus_t to have net_admin capability - Allow pegasus_t to write /sys/class/net//flags - Allow mailserver_delivery to manage mail_home_rw_t lnk_files - Allow fetchmail to create log files - Allow gnomeclock to manage home config in .kde - Allow bittlebee to read kernel sysctls - Allow logrotate to list /root- Fix userhelper_console_role_template() - Allow enabling Network Access Point service using blueman - Make vmware_host_t as unconfined domain - Allow authenticate users in webaccess via squid, using mysql as backend - Allow gathers to get various metrics on mounted file systems - Allow firewalld to read /etc/hosts - Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t - Allow kdumpgui to read/write to zipl.conf - Commands needed to get mock to build from staff_t in enforcing mode - Allow mdadm_t to manage cgroup files - Allow all daemons and systemprocesses to use inherited initrc_tmp_t files - dontaudit ifconfig_t looking at fifo_files that are leaked to it - Add lableing for Quest Authentication System- Fix filetrans interface definitions - Dontaudit xdm_t to getattr on BOINC lib files - Add systemd_reload_all_services() interface - Dontaudit write access on /var/lib/net-snmp/mib_indexes - Only stop mcsuntrustedproc from relableing files - Allow accountsd to dbus chat with gdm - Allow realmd to getattr on all fs - Allow logrotate to reload all services - Add systemd unit file for radiusd - Allow winbind to create samba pid dir - Add labeling for /var/nmbd/unexpected - Allow chrome and mozilla plugin to connect to msnp ports- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file - Dontaudit setfiles reading /dev/random - On initial boot gnomeclock is going to need to be set buy gdm - Fix tftp_read_content() interface - Random apps looking at kernel file systems - Testing virt with lxc requiers additional access for virsh_t - New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container - Allow MPD to read /dev/radnom - Allow sandbox_web_type to read logind files which needs to read pulseaudio - Allow mozilla plugins to read /dev/hpet - Add labeling for /var/lib/zarafa-webap - Allow BOINC client to use an HTTP proxy for all connections - Allow rhsmertd to domain transition to dmidecod - Allow setroubleshootd to send D-Bus msg to ABRT- Define usbtty_device_t as a term_tty - Allow svnserve to accept a connection - Allow xend manage default virt_image_t type - Allow prelink_cron_system_t to overide user componant when executing cp - Add labeling for z-push - Gnomeclock sets the realtime clock - Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd - Allow lxc domains to use /dev/random and /dev/urandom- Add port defintion for tcp/9000 - Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd - Add rules and labeling for $HOME/cache/\.gstreamer-.* directory - Add support for CIM provider openlmi-networking which uses NetworkManager dbus API - Allow shorewall_t to create netlink_socket - Allow krb5admind to block suspend - Fix labels on /var/run/dlm_controld /var/log/dlm_controld - Allow krb5kdc to block suspend - gnomessytemmm_t needs to read /etc/passwd - Allow cgred to read all sysctls- Allow all domains to read /proc/sys/vm/overcommit_memory - Make proc_numa_t an MLS Trusted Object - Add /proc/numactl support for confined users - Allow ssh_t to connect to any port > 1023 - Add openvswitch domain - Pulseaudio tries to create directories in gnome_home_t directories - New ypbind pkg wants to search /var/run which is caused by sd_notify - Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans - Allow sanlock to read /dev/random - Treat php-fpm with httpd_t - Allow domains that can read named_conf_t to be able to list the directories - Allow winbind to create sock files in /var/run/samba- Add smsd policy - Add support for OpenShift sbin labelin - Add boolean to allow virt to use rawip - Allow mozilla_plugin to read all file systems with noxattrs support - Allow kerberos to write on anon_inodefs fs - Additional access required by fenced - Add filename transitions for passwd.lock/group.lock - UPdate man pages - Create coolkey directory in /var/cache with the correct label- Fix label on /etc/group.lock - Allow gnomeclock to create lnk_file in /etc - label /root/.pki as a home_cert_t - Add interface to make sure rpcbind.sock is created with the correct label - Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules - opendkim should be a part of milter - Allow libvirt to set the kernel sched algorythm - Allow mongod to read sysfs_t - Add authconfig policy - Remove calls to miscfiles_read_localization all domains get this - Allow virsh_t to read /root/.pki/ content - Add label for log directory under /var/www/stickshift- Allow getty to setattr on usb ttys - Allow sshd to search all directories for sshd_home_t content - Allow staff domains to send dbus messages to kdumpgui - Fix labels on /etc/.pwd.lock and friends to be passwd_file_t - Dontaudit setfiles reading urand - Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched - Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir - Allow systemd-timedated to read /dev/urandom - Allow entropyd_t to read proc_t (meminfo) - Add unconfined munin plugin - Fix networkmanager_read_conf() interface - Allow blueman to list /tmp which is needed by sys_nic/setsched - Fix label of /etc/mail/aliasesdb-stamp - numad is searching cgroups - realmd is communicating with networkmanager using dbus - Lots of fixes to try to get kdump to work- Allow loging programs to dbus chat with realmd - Make apache_content_template calling as optional - realmd is using policy kit- Add new selinuxuser_use_ssh_chroot boolean - dbus needs to be able to read/write inherited fixed disk device_t passed through it - Cleanup netutils process allow rule - Dontaudit leaked fifo files from openshift to ping - sanlock needs to read mnt_t lnk files - Fail2ban needs to setsched and sys_nice- Change default label of all files in /var/run/rpcbind - Allow sandbox domains (java) to read hugetlbfs_t - Allow awstats cgi content to create tmp files and read apache log files - Allow setuid/setgid for cupsd-config - Allow setsched/sys_nice pro cupsd-config - Fix /etc/localtime sym link to be labeled locale_t - Allow sshd to search postgresql db t since this is a homedir - Allow xwindows users to chat with realmd - Allow unconfined domains to configure all files and null_device_t service- Adopt pki-selinux policy- pki is leaking which we dontaudit until a pki code fix - Allow setcap for arping - Update man pages - Add labeling for /usr/sbin/mcollectived - pki fixes - Allow smokeping to execute fping in the netutils_t domain- Allow mount to relabelfrom unlabeled file systems - systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working - Add label to get bin files under libreoffice labeled correctly - Fix interface to allow executing of base_ro_file_type - Add fixes for realmd - Update pki policy - Add tftp_homedir boolean - Allow blueman sched_setscheduler - openshift user domains wants to r/w ssh tcp sockets- Additional requirements for disable unconfined module when booting - Fix label of systemd script files - semanage can use -F /dev/stdin to get input - syslog now uses kerberos keytabs - Allow xserver to compromise_kernel access - Allow nfsd to write to mount_var_run_t when running the mount command - Add filename transition rule for bin_t directories - Allow files to read usr_t lnk_files - dhcpc wants chown - Add support for new openshift labeling - Clean up for tunable+optional statements - Add labeling for /usr/sbin/mkhomedir_helper - Allow antivirus domain to managa amavis spool files - Allow rpcbind_t to read passwd - Allow pyzor running as spamc to manage amavis spool- Add interfaces to read kernel_t proc info - Missed this version of exec_all - Allow anyone who can load a kernel module to compromise kernel - Add oddjob_dbus_chat to openshift apache policy - Allow chrome_sandbox_nacl_t to send signals to itself - Add unit file support to usbmuxd_t - Allow all openshift domains to read sysfs info - Allow openshift domains to getattr on all domains- MLS fixes from Dan - Fix name of capability2 secure_firmware->compromise_kerne- Allow xdm to search all file systems - Add interface to allow the config of all files - Add rngd policy - Remove kgpg as a gpg_exec_t type - Allow plymouthd to block suspend - Allow systemd_dbus to config any file - Allow system_dbus_t to configure all services - Allow freshclam_t to read usr_files - varnishd requires execmem to load modules- Allow semanage to verify types - Allow sudo domain to execute user home files - Allow session_bus_type to transition to user_tmpfs_t - Add dontaudit caused by yum updates - Implement pki policy but not activated- tuned wants to getattr on all filesystems - tuned needs also setsched. The build is needed for test day- Add policy for qemu-qa - Allow razor to write own config files - Add an initial antivirus policy to collect all antivirus program - Allow qdisk to read usr_t - Add additional caps for vmware_host - Allow tmpfiles_t to setattr on mandb_cache_t - Dontaudit leaked files into mozilla_plugin_config_t - Allow wdmd to getattr on tmpfs - Allow realmd to use /dev/random - allow containers to send audit messages - Allow root mount any file via loop device with enforcing mls policy - Allow tmpfiles_t to setattr on mandb_cache_t - Allow tmpfiles_t to setattr on mandb_cache_t - Make userdom_dontaudit_write_all_ not allow open - Allow init scripts to read all unit files - Add support for saphostctrl ports- Add kernel_read_system_state to sandbox_client_t - Add some of the missing access to kdumpgui - Allow systemd_dbusd_t to status the init system - Allow vmnet-natd to request the kernel to load a module - Allow gsf-office-thum to append .cache/gdm/session.log - realmd wants to read .config/dconf/user - Firewalld wants sys_nice/setsched - Allow tmpreaper to delete mandb cache files - Firewalld wants sys_nice/setsched - Allow firewalld to perform a DNS name resolution - Allown winbind to read /usr/share/samba/codepages/lowcase.dat - Add support for HTTPProxy* in /etc/freshclam.conf - Fix authlogin_yubike boolean - Extend smbd_selinux man page to include samba booleans - Allow dhcpc to execute consoletype - Allow ping to use inherited tmp files created in init scripts - On full relabel with unconfined domain disabled, initrc was running some chcon's - Allow people who delete man pages to delete mandb cache files- Add missing permissive domains- Add new mandb policy - ALlow systemd-tmpfiles_t to relabel mandb_cache_t - Allow logrotate to start all unit files- Add fixes for ctbd - Allow nmbd to stream connect to ctbd - Make cglear_t as nsswitch_domain - Fix bogus in interfaces - Allow openshift to read/write postfix public pipe - Add postfix_manage_spool_maildrop_files() interface - stickshift paths have been renamed to openshift - gnome-settings-daemon wants to write to /run/systemd/inhibit/ pipes - Update man pages, adding ENTRYPOINTS- Add mei_device_t - Make sure gpg content in homedir created with correct label - Allow dmesg to write to abrt cache files - automount wants to search virtual memory sysctls - Add support for hplip logs stored in /var/log/hp/tmp - Add labeling for /etc/owncloud/config.php - Allow setroubleshoot to send analysys to syslogd-journal - Allow virsh_t to interact with new fenced daemon - Allow gpg to write to /etc/mail/spamassassiin directories - Make dovecot_deliver_t a mail server delivery type - Add label for /var/tmp/DNS25- Fixes for tomcat_domain template interface- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes - Add attribute to all base os types. Allow all domains to read all ro base OS types- Additional unit files to be defined as power unit files - Fix more boolean names- Fix boolean name so subs will continue to work- dbus needs to start getty unit files - Add interface to allow system_dbusd_t to start the poweroff service - xdm wants to exec telepathy apps - Allow users to send messages to systemdlogind - Additional rules needed for systemd and other boot apps - systemd wants to list /home and /boot - Allow gkeyringd to write dbus/conf file - realmd needs to read /dev/urand - Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded- Fixes to safe more rules - Re-write tomcat_domain_template() - Fix passenger labeling - Allow all domains to read man pages - Add ephemeral_port_t to the 'generic' port interfaces - Fix the names of postgresql booleans- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer - Move netlable_peer check out of booleans - Remove call to recvfrom_netlabel for kerberos call - Remove use of attributes when calling syslog call - Move -miscfiles_read_localization to domain.te to save hundreds of allow rules - Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface - Allow rndc to block suspend - tuned needs to modify the schedule of the kernel - Allow svirt_t domains to read alsa configuration files - ighten security on irc domains and make sure they label content in homedir correctly - Add filetrans_home_content for irc files - Dontaudit all getattr access for devices and filesystems for sandbox domains - Allow stapserver to search cgroups directories - Allow all postfix domains to talk to spamd- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check - Change pam_t to pam_timestamp_t - Add dovecot_domain attribute and allow this attribute block_suspend capability2 - Add sanlock_use_fusefs boolean - numad wants send/recieve msg - Allow rhnsd to send syslog msgs - Make piranha-pulse as initrc domain - Update openshift instances to dontaudit setattr until the kernel is fixed.- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd - Remove pam_selinux.8 which conflicts with man page owned by the pam package - Allow glance-api to talk to mysql - ABRT wants to read Xorg.0.log if if it detects problem with Xorg - Fix gstreamer filename trans. interface- Man page fixes by Dan Walsh- Allow postalias to read postfix config files - Allow man2html to read man pages - Allow rhev-agentd to search all mountpoints - Allow rhsmcertd to read /dev/random - Add tgtd_stream_connect() interface - Add cyrus_write_data() interface - Dontaudit attempts by sandboxX clients connectiing to the xserver_port_t - Add port definition for tcp/81 as http_port_t - Fix /dev/twa labeling - Allow systemd to read modules config- Merge openshift policy - Allow xauth to read /dev/urandom - systemd needs to relabel content in /run/systemd directories - Files unconfined should be able to perform all services on all files - Puppet tmp file can be leaked to all domains - Dontaudit rhsmcertd-worker to search /root/.local - Allow chown capability for zarafa domains - Allow system cronjobs to runcon into openshift domains - Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories- nmbd wants to create /var/nmbd - Stop transitioning out of anaconda and firstboot, just causes AVC messages - Allow clamscan to read /etc files - Allow bcfg2 to bind cyphesis port - heartbeat should be run as rgmanager_t instead of corosync_t - Add labeling for /etc/openldap/certs - Add labeling for /opt/sartest directory - Make crontab_t as userdom home reader - Allow tmpreaper to list admin_home dir - Add defition for imap_0 replay cache file - Add support for gitolite3 - Allow virsh_t to send syslog messages - allow domains that can read samba content to be able to list the directories also - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd - Separate out sandbox from sandboxX policy so we can disable it by default - Run dmeventd as lvm_t - Mounting on any directory requires setattr and write permissions - Fix use_nfs_home_dirs() boolean - New labels for pam_krb5 - Allow init and initrc domains to sys_ptrace since this is needed to look at processes not owned by uid 0 - Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs - Allow domains that can read etc_t to read etc_runtime_t - Allow all domains to use inherited tmpfiles- Allow realmd to read resolv.conf - Add pegasus_cache_t type - Label /usr/sbin/fence_virtd as virsh_exec_t - Add policy for pkcsslotd - Add support for cpglockd - Allow polkit-agent-helper to read system-auth-ac - telepathy-idle wants to read gschemas.compiled - Allow plymouthd to getattr on fs_t - Add slpd policy - Allow ksysguardproces to read/write config_usr_t- Fix labeling substitution so rpm will label /lib/systemd content correctly- Add file name transitions for ttyACM0 - spice-vdagent(d)'s are going to log over to syslog - Add sensord policy - Add more fixes for passenger policy related to puppet - Allow wdmd to create wdmd_tmpfs_t - Fix labeling for /var/run/cachefilesd\.pid - Add thumb_tmpfs_t files type- Allow svirt domains to manage the network since this is containerized - Allow svirt_lxc_net_t to send audit messages- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working - Allow dlm_controld to execute dlm_stonith labeled as bin_t - Allow GFS2 working on F17 - Abrt needs to execute dmesg - Allow jockey to list the contents of modeprobe.d - Add policy for lightsquid as squid_cron_t - Mailscanner is creating files and directories in /tmp - dmesg is now reading /dev/kmsg - Allow xserver to communicate with secure_firmware - Allow fsadm tools (fsck) to read /run/mount contnet - Allow sysadm types to read /dev/kmsg -- Allow postfix, sssd, rpcd to block_suspend - udev seems to need secure_firmware capability - Allow virtd to send dbus messages to firewalld so it can configure the firewall- Fix labeling of content in /run created by virsh_t - Allow condor domains to read kernel sysctls - Allow condor_master to connect to amqp - Allow thumb drives to create shared memory and semaphores - Allow abrt to read mozilla_plugin config files - Add labels for lightsquid - Default files in /opt and /usr that end in .cgi as httpd_sys_script_t, allow - dovecot_auth_t uses ldap for user auth - Allow domains that can read dhcp_etc_t to read lnk_files - Add more then one watchdog device - Allow useradd_t to manage etc_t files so it can rename it and edit them - Fix invalid class dir should be fifo_file - Move /run/blkid to fsadm and make sure labeling is correct- Fix bogus regex found by eparis - Fix manage run interface since lvm needs more access - syslogd is searching cgroups directory - Fixes to allow virt-sandbox-service to manage lxc var run content- Fix Boolean settings - Add new libjavascriptcoregtk as textrel_shlib_t - Allow xdm_t to create xdm_home_t directories - Additional access required for systemd - Dontaudit mozilla_plugin attempts to ipc_lock - Allow tmpreaper to delete unlabeled files - Eliminate screen_tmp_t and allow it to manage user_tmp_t - Dontaudit mozilla_plugin_config_t to append to leaked file descriptors - Allow web plugins to connect to the asterisk ports - Condor will recreate the lock directory if it does not exist - Oddjob mkhomedir needs to connectto user processes - Make oddjob_mkhomedir_t a userdom home manager- Put placeholder back in place for proper numbering of capabilities - Systemd also configures init scripts- Fix ecryptfs interfaces - Bootloader seems to be trolling around /dev/shm and /dev - init wants to create /etc/systemd/system-update.target.wants - Fix systemd_filetrans call to move it out of tunable - Fix up policy to work with systemd userspace manager - Add secure_firmware capability and remove bogus epolwakeup - Call seutil_*_login_config interfaces where should be needed - Allow rhsmcertd to send signal to itself - Allow thin domains to send signal to itself - Allow Chrome_ChildIO to read dosfs_t- Add role rules for realmd, sambagui- Add new type selinux_login_config_t for /etc/selinux//logins/ - Additional fixes for seutil_manage_module_store() - dbus_system_domain() should be used with optional_policy - Fix svirt to be allowed to use fusefs file system - Allow login programs to read /run/ data created by systemd_login - sssd wants to write /etc/selinux//logins/ for SELinux PAM module - Fix svirt to be allowed to use fusefs file system - Allow piranha domain to use nsswitch - Sanlock needs to send Kill Signals to non root processes - Pulseaudio wants to execute /run/user/PID/.orc- Fix saslauthd when it tries to read /etc/shadow - Label gnome-boxes as a virt homedir - Need to allow svirt_t ability to getattr on nfs_t file systems - Update sanlock policy to solve all AVC's - Change confined users can optionally manage virt content - Handle new directories under ~/.cache - Add block suspend to appropriate domains - More rules required for containers - Allow login programs to read /run/ data created by systemd_logind - Allow staff users to run svirt_t processes- Update to upstream- More fixes for systemd to make rawhide booting from Dan Walsh- Add systemd fixes to make rawhide booting- Add systemd_logind_inhibit_var_run_t attribute - Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type - Add interface for mysqld to dontaudit signull to all processes - Label new /var/run/journal directory correctly - Allow users to inhibit suspend via systemd - Add new type for the /var/run/inhibit directory - Add interface to send signull to systemd_login so avahi can send them - Allow systemd_passwd to send syslog messages - Remove corenet_all_recvfrom_unlabeled() calling fro policy files - Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group - Allow smbd to read cluster config - Add additional labeling for passenger - Allow dbus to inhibit suspend via systemd - Allow avahi to send signull to systemd_login- Add interface to dontaudit getattr access on sysctls - Allow sshd to execute /bin/login - Looks like xdm is recreating the xdm directory in ~/.cache/ on login - Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald - Fix semanage to work with unconfined domain disabled on F18 - Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls - Virt seems to be using lock files - Dovecot seems to be searching directories of every mountpoint - Allow jockey to read random/urandom, execute shell and install third-party drivers - Add aditional params to allow cachedfiles to manage its content - gpg agent needs to read /dev/random - The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write - Add a bunch of dontaudit rules to quiet svirt_lxc domains - Additional perms needed to run svirt_lxc domains - Allow cgclear to read cgconfig - Allow sys_ptrace capability for snmp - Allow freshclam to read /proc - Allow procmail to manage /home/user/Maildir content - Allow NM to execute wpa_cli - Allow amavis to read clamd system state - Regenerate man pages- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- Add realmd and stapserver policies - Allow useradd to manage stap-server lib files - Tighten up capabilities for confined users - Label /etc/security/opasswd as shadow_t - Add label for /dev/ecryptfs - Allow condor_startd_t to start sshd with the ranged - Allow lpstat.cups to read fips_enabled file - Allow pyzor running as spamc_t to create /root/.pyzor directory - Add labelinf for amavisd-snmp init script - Add support for amavisd-snmp - Allow fprintd sigkill self - Allow xend (w/o libvirt) to start virtual machines - Allow aiccu to read /etc/passwd - Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes - Add condor_startd_ranged_domtrans_to() interface - Add ssd_conf_t for /etc/sssd - accountsd needs to fchown some files/directories - Add ICACLient and zibrauserdata as mozilla_filetrans_home_content - SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit - Allow xend_t to read the /etc/passwd file- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t - Add init_access_check() interface - Fix label on /usr/bin/pingus to not be labeled as ping_exec_t - Allow tcpdump to create a netlink_socket - Label newusers like useradd - Change xdm log files to be labeled xdm_log_t - Allow sshd_t with privsep to work in MLS - Allow freshclam to update databases thru HTTP proxy - Allow s-m-config to access check on systemd - Allow abrt to read public files by default - Fix amavis_create_pid_files() interface - Add labeling and filename transition for dbomatic.log - Allow system_dbusd_t to stream connect to bluetooth, and use its socket - Allow amavisd to execute fsav - Allow tuned to use sys_admin and sys_nice capabilities - Add php-fpm policy from Bryan - Add labeling for aeolus-configserver-thinwrapper - Allow thin domains to execute shell - Fix gnome_role_gkeyringd() interface description - Lot of interface fixes - Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files - Allow OpenMPI job to use kerberos - Make deltacloudd_t as nsswitch_domain - Allow xend_t to run lsscsi - Allow qemu-dm running as xend_t to create tun_socket - Add labeling for /opt/brother/Printers(.*/)?inf - Allow jockey-backend to read pyconfig-64.h labeled as usr_t - Fix clamscan_can_scan_system boolean - Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11- initrc is calling exportfs which is not confined so it attempts to read nfsd_files - Fixes for passenger running within openshift. - Add labeling for all tomcat6 dirs - Add support for tomcat6 - Allow cobblerd to read /etc/passwd - Allow jockey to read sysfs and and execute binaries with bin_t - Allow thum to use user terminals - Allow cgclear to read cgconfig config files - Fix bcf2g.fc - Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains - Allow dbomatic to execute ruby - abrt_watch_log should be abrt_domain - Allow mozilla_plugin to connect to gatekeeper port- add ptrace_child access to process - remove files_read_etc_files() calling from all policies which have auth_use_nsswith() - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - Add support for boinc.log - Allow mozilla_plugin execmod on mozilla home files if allow_ex - Allow dovecot_deliver_t to read dovecot_var_run_t - Allow ldconfig and insmod to manage kdumpctl tmp files - Move thin policy out from cloudform.pp and add a new thin poli - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_c - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users hom - rhsmcertd reads the rpm database - Add support for lightdm- Add tomcat policy - Remove pyzor/razor policy - rhsmcertd reads the rpm database - Dontaudit thumb to setattr on xdm_tmp dir - Allow wicd to execute ldconfig in the networkmanager_t domain - Add /var/run/cherokee\.pid labeling - Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too - Allow postfix-master to r/w pipes other postfix domains - Allow snort to create netlink_socket - Add kdumpctl policy - Allow firstboot to create tmp_t files/directories - /usr/bin/paster should not be labeled as piranha_exec_t - remove initrc_domain from tomcat - Allow ddclient to read /etc/passwd - Allow useradd to delete all file types stored in the users homedir - Allow ldconfig and insmod to manage kdumpctl tmp files - Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those - Transition xauth files within firstboot_tmp_t - Fix labeling of /run/media to match /media - Label all lxdm.log as xserver_log_t - Add port definition for mxi port - Allow local_login_t to execute tmux- apcupsd needs to read /etc/passwd - Sanlock allso sends sigkill - Allow glance_registry to connect to the mysqld port - Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl - Allow firefox plugins/flash to connect to port 1234 - Allow mozilla plugins to delete user_tmp_t files - Add transition name rule for printers.conf.O - Allow virt_lxc_t to read urand - Allow systemd_loigind to list gstreamer_home_dirs - Fix labeling for /usr/bin - Fixes for cloudform services * support FIPS - Allow polipo to work as web caching - Allow chfn to execute tmux- Add support for ecryptfs * ecryptfs does not support xattr * we need labeling for HOMEDIR - Add policy for (u)mount.ecryptfs* - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache - Allow dovecot to manage Maildir content, fix transitions to Maildir - Allow postfix_local to transition to dovecot_deliver - Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code - Cleanup interface definitions - Allow apmd to change with the logind daemon - Changes required for sanlock in rhel6 - Label /run/user/apache as httpd_tmp_t - Allow thumb to use lib_t as execmod if boolean turned on - Allow squid to create the squid directory in /var with the correct labe - Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com) - Allow virtd to exec xend_exec_t without transition - Allow virtd_lxc_t to unmount all file systems- PolicyKit path has changed - Allow httpd connect to dirsrv socket - Allow tuned to write generic kernel sysctls - Dontaudit logwatch to gettr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Make condor_startd and rgmanager as initrc domain - Allow virsh to read /etc/passwd - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm - Fix files_filetrans_named_content() interface - Add new attribute - initrc_domain - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files- Rename boolean names to remove allow_- Mass merge with upstream * new policy topology to include contrib policy modules * we have now two base policy patches- Fix description of authlogin_nsswitch_use_ldap - Fix transition rule for rhsmcertd_t needed for RHEL7 - Allow useradd to list nfs state data - Allow openvpn to manage its log file and directory - We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly - Allow thumb to use nvidia devices - Allow local_login to create user_tmp_t files for kerberos - Pulseaudio needs to read systemd_login /var/run content - virt should only transition named system_conf_t config files - Allow munin to execute its plugins - Allow nagios system plugin to read /etc/passwd - Allow plugin to connect to soundd port - Fix httpd_passwd to be able to ask passwords - Radius servers can use ldap for backing store - Seems to need to mount on /var/lib for xguest polyinstatiation to work. - Allow systemd_logind to list the contents of gnome keyring - VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL - Add policy for isns-utils- Add policy for subversion daemon - Allow boinc to read passwd - Allow pads to read kernel network state - Fix man2html interface for sepolgen-ifgen - Remove extra /usr/lib/systemd/system/smb - Remove all /lib/systemd and replace with /usr/lib/systemd - Add policy for man2html - Fix the label of kerberos_home_t to krb5_home_t - Allow mozilla plugins to use Citrix - Allow tuned to read /proc/sys/kernel/nmi_watchdog - Allow tune /sys options via systemd's tmpfiles.d "w" type- Dontaudit lpr_t to read/write leaked mozilla tmp files - Add file name transition for .grl-podcasts directory - Allow corosync to read user tmp files - Allow fenced to create snmp lib dirs/files - More fixes for sge policy - Allow mozilla_plugin_t to execute any application - Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain - Allow mongod to read system state information - Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t - Allow polipo to manage polipo_cache dirs - Add jabbar_client port to mozilla_plugin_t - Cleanup procmail policy - system bus will pass around open file descriptors on files that do not have labels on them - Allow l2tpd_t to read system state - Allow tuned to run ls /dev - Allow sudo domains to read usr_t files - Add label to machine-id - Fix corecmd_read_bin_symlinks cut and paste error- Fix pulseaudio port definition - Add labeling for condor_starter - Allow chfn_t to creat user_tmp_files - Allow chfn_t to execute bin_t - Allow prelink_cron_system_t to getpw calls - Allow sudo domains to manage kerberos rcache files - Allow user_mail_domains to work with courie - Port definitions necessary for running jboss apps within openshift - Add support for openstack-nova-metadata-api - Add support for nova-console* - Add support for openstack-nova-xvpvncproxy - Fixes to make privsep+SELinux working if we try to use chage to change passwd - Fix auth_role() interface - Allow numad to read sysfs - Allow matahari-rpcd to execute shell - Add label for ~/.spicec - xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it - Devicekit_disk wants to read the logind sessions file when writing a cd - Add fixes for condor to make condor jobs working correctly - Change label of /var/log/rpmpkgs to cron_log_t - Access requires to allow systemd-tmpfiles --create to work. - Fix obex to be a user application started by the session bus. - Add additional filename trans rules for kerberos - Fix /var/run/heartbeat labeling - Allow apps that are managing rcache to file trans correctly - Allow openvpn to authenticate against ldap server - Containers need to listen to network starting and stopping events- Make systemd unit files less specific- Fix zarafa labeling - Allow guest_t to fix labeling - corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean - add lxc_contexts - Allow accountsd to read /proc - Allow restorecond to getattr on all file sytems - tmpwatch now calls getpw - Allow apache daemon to transition to pwauth domain - Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t - The obex socket seems to be a stream socket - dd label for /var/run/nologin- Allow jetty running as httpd_t to read hugetlbfs files - Allow sys_nice and setsched for rhsmcertd - Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports - Allow setfiles to append to xdm_tmp_t - Add labeling for /export as a usr_t directory - Add labels for .grl files created by gstreamer- Add labeling for /usr/share/jetty/bin/jetty.sh - Add jetty policy which contains file type definitios - Allow jockey to use its own fifo_file and make this the default for all domains - Allow mozilla_plugins to use spice (vnc_port/couchdb) - asterisk wants to read the network state - Blueman now uses /var/lib/blueman- Add label for nodejs_debug - Allow mozilla_plugin_t to create ~/.pki directory and content- Add clamscan_can_scan_system boolean - Allow mysqld to read kernel network state - Allow sshd to read/write condor lib files - Allow sshd to read/write condor-startd tcp socket - Fix description on httpd_graceful_shutdown - Allow glance_registry to communicate with mysql - dbus_system_domain is using systemd to lauch applications - add interfaces to allow domains to send kill signals to user mail agents - Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t - Lots of new access required for secure containers - Corosync needs sys_admin capability - ALlow colord to create shm - .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific - Add boolean to control whether or not mozilla plugins can create random content in the users homedir - Add new interface to allow domains to list msyql_db directories, needed for libra - shutdown has to be allowed to delete etc_runtime_t - Fail2ban needs to read /etc/passwd - Allow ldconfig to create /var/cache/ldconfig - Allow tgtd to read hardware state information - Allow collectd to create packet socket - Allow chronyd to send signal to itself - Allow collectd to read /dev/random - Allow collectd to send signal to itself - firewalld needs to execute restorecon - Allow restorecon and other login domains to execute restorecon- Allow logrotate to getattr on systemd unit files - Add support for tor systemd unit file - Allow apmd to create /var/run/pm-utils with the correct label - Allow l2tpd to send sigkill to pppd - Allow pppd to stream connect to l2tpd - Add label for scripts in /etc/gdm/ - Allow systemd_logind_t to ignore mcs constraints on sigkill - Fix files_filetrans_system_conf_named_files() interface - Add labels for /usr/share/wordpress/wp-includes/*.php - Allow cobbler to get SELinux mode and booleans- Add unconfined_execmem_exec_t as an alias to bin_t - Allow fenced to read snmp var lib files, also allow it to read usr_t - ontaudit access checks on all executables from mozilla_plugin - Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode - Allow systemd_tmpfiles_t to getattr all pipes and sockets - Allow glance-registry to send system log messages - semanage needs to manage mock lib files/dirs- Add policy for abrt-watch-log - Add definitions for jboss_messaging ports - Allow systemd_tmpfiles to manage printer devices - Allow oddjob to use nsswitch - Fix labeling of log files for postgresql - Allow mozilla_plugin_t to execmem and execstack by default - Allow firewalld to execute shell - Fix /etc/wicd content files to get created with the correct label - Allow mcelog to exec shell - Add ~/.orc as a gstreamer_home_t - /var/spool/postfix/lib64 should be labeled lib_t - mpreaper should be able to list all file system labeled directories - Add support for apache to use openstack - Add labeling for /etc/zipl.conf and zipl binary - Turn on allow_execstack and turn off telepathy transition for final release- More access required for virt_qmf_t - Additional assess required for systemd-logind to support multi-seat - Allow mozilla_plugin to setrlimit - Revert changes to fuse file system to stop deadlock- Allow condor domains to connect to ephemeral ports - More fixes for condor policy - Allow keystone to stream connect to mysqld - Allow mozilla_plugin_t to read generic USB device to support GPS devices - Allow thum to file name transition gstreamer home content - Allow thum to read all non security files - Allow glance_api_t to connect to ephemeral ports - Allow nagios plugins to read /dev/urandom - Allow syslogd to search postfix spool to support postfix chroot env - Fix labeling for /var/spool/postfix/dev - Allow wdmd chown - Label .esd_auth as pulseaudio_home_t - Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now- Add support for clamd+systemd - Allow fresclam to execute systemctl to handle clamd - Change labeling for /usr/sbin/rpc.ypasswd.env - Allow yppaswd_t to execute yppaswd_exec_t - Allow yppaswd_t to read /etc/passwd - Gnomekeyring socket has been moved to /run/user/USER/ - Allow samba-net to connect to ldap port - Allow signal for vhostmd - allow mozilla_plugin_t to read user_home_t socket - New access required for secure Linux Containers - zfs now supports xattrs - Allow quantum to execute sudo and list sysfs - Allow init to dbus chat with the firewalld - Allow zebra to read /etc/passwd- Allow svirt_t to create content in the users homedir under ~/.libvirt - Fix label on /var/lib/heartbeat - Allow systemd_logind_t to send kill signals to all processes started by a user - Fuse now supports Xattr Support- upowered needs to setsched on the kernel - Allow mpd_t to manage log files - Allow xdm_t to create /var/run/systemd/multi-session-x - Add rules for missedfont.log to be used by thumb.fc - Additional access required for virt_qmf_t - Allow dhclient to dbus chat with the firewalld - Add label for lvmetad - Allow systemd_logind_t to remove userdomain sock_files - Allow cups to execute usr_t files - Fix labeling on nvidia shared libraries - wdmd_t needs access to sssd and /etc/passwd - Add boolean to allow ftp servers to run in passive mode - Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with - Fix using httpd_use_fusefs - Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox- Rename rdate port to time port, and allow gnomeclock to connect to it - We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda - /etc/auto.* should be labeled bin_t - Add httpd_use_fusefs boolean - Add fixes for heartbeat - Allow sshd_t to signal processes that it transitions to - Add condor policy - Allow svirt to create monitors in ~/.libvirt - Allow dovecot to domtrans sendmail to handle sieve scripts - Lot of fixes for cfengine- /var/run/postmaster.* labeling is no longer needed - Alllow drbdadmin to read /dev/urandom - l2tpd_t seems to use ptmx - group+ and passwd+ should be labeled as /etc/passwd - Zarafa-indexer is a socket- Ensure lastlog is labeled correctly - Allow accountsd to read /proc data about gdm - Add fixes for tuned - Add bcfg2 fixes which were discovered during RHEL6 testing - More fixes for gnome-keyring socket being moved - Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown - Fix description for files_dontaudit_read_security_files() interface- Add new policy and man page for bcfg2 - cgconfig needs to use getpw calls - Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt - gnome-keyring wants to create a directory in cache_home_t - sanlock calls getpw- Add numad policy and numad man page - Add fixes for interface bugs discovered by SEWatch - Add /tmp support for squid - Add fix for #799102 * change default labeling for /var/run/slapd.* sockets - Make thumb_t as userdom_home_reader - label /var/lib/sss/mc same as pubconf, so getpw domains can read it - Allow smbspool running as cups_t to stream connect to nmbd - accounts needs to be able to execute passwd on behalf of users - Allow systemd_tmpfiles_t to delete boot flags - Allow dnssec_trigger to connect to apache ports - Allow gnome keyring to create sock_files in ~/.cache - google_authenticator is using .google_authenticator - sandbox running from within firefox is exposing more leaks - Dontaudit thumb to read/write /dev/card0 - Dontaudit getattr on init_exec_t for gnomeclock_t - Allow certmonger to do a transition to certmonger_unconfined_t - Allow dhcpc setsched which is caused by nmcli - Add rpm_exec_t for /usr/sbin/bcfg2 - system cronjobs are sending dbus messages to systemd_logind - Thumnailers read /dev/urand- Allow auditctl getcap - Allow vdagent to use libsystemd-login - Allow abrt-dump-oops to search /etc/abrt - Got these avc's while trying to print a boarding pass from firefox - Devicekit is now putting the media directory under /run/media - Allow thumbnailers to create content in ~/.thumbails directory - Add support for proL2TPd by Dominick Grift - Allow all domains to call getcap - wdmd seems to get a random chown capability check that it does not need - Allow vhostmd to read kernel sysctls- Allow chronyd to read unix - Allow hpfax to read /etc/passwd - Add support matahari vios-proxy-* apps and add virtd_exec_t label for them - Allow rpcd to read quota_db_t - Update to man pages to match latest policy - Fix bug in jockey interface for sepolgen-ifgen - Add initial svirt_prot_exec_t policy- More fixes for systemd from Dan Walsh- Add a new type for /etc/firewalld and allow firewalld to write to this directory - Add definition for ~/Maildir, and allow mail deliver domains to write there - Allow polipo to run from a cron job - Allow rtkit to schedule wine processes - Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label - Allow users domains to send signals to consolehelper domains- More fixes for boinc policy - Allow polipo domain to create its own cache dir and pid file - Add systemctl support to httpd domain - Add systemctl support to polipo, allow NetworkManager to manage the service - Add policy for jockey-backend - Add support for motion daemon which is now covered by zoneminder policy - Allow colord to read/write motion tmpfs - Allow vnstat to search through var_lib_t directories - Stop transitioning to quota_t, from init an sysadm_t- Add svirt_lxc_file_t as a customizable type- Add additional fixes for icmp nagios plugin - Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin - Add certmonger_unconfined_exec_t - Make sure tap22 device is created with the correct label - Allow staff users to read systemd unit files - Merge in previously built policy - Arpwatch needs to be able to start netlink sockets in order to start - Allow cgred_t to sys_ptrace to look at other DAC Processes- Back port some of the access that was allowed in nsplugin_t - Add definitiona for couchdb ports - Allow nagios to use inherited users ttys - Add git support for mock - Allow inetd to use rdate port - Add own type for rdate port - Allow samba to act as a portmapper - Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev - New fixes needed for samba4 - Allow apps that use lib_t to read lib_t symlinks- Add policy for nove-cert - Add labeling for nova-openstack systemd unit files - Add policy for keystoke- Fix man pages fro domains - Add man pages for SELinux users and roles - Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon - Add policy for matahari-rpcd - nfsd executes mount command on restart - Matahari domains execute renice and setsched - Dontaudit leaked tty in mozilla_plugin_config - mailman is changing to a per instance naming - Add 7600 and 4447 as jboss_management ports - Add fixes for nagios event handlers - Label httpd.event as httpd_exec_t, it is an apache daemon- Add labeling for /var/spool/postfix/dev/log - NM reads sysctl.conf - Iscsi log file context specification fix - Allow mozilla plugins to send dbus messages to user domains that transition to it - Allow mysql to read the passwd file - Allow mozilla_plugin_t to create mozilla home dirs in user homedir - Allow deltacloud to read kernel sysctl - Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself - Allow postgresql_t to connectto itself - Add login_userdomain attribute for users which can log in using terminal- Allow sysadm_u to reach system_r by default #784011 - Allow nagios plugins to use inherited user terminals - Razor labeling is not used no longer - Add systemd support for matahari - Add port_types to man page, move booleans to the top, fix some english - Add support for matahari-sysconfig-console - Clean up matahari.fc - Fix matahari_admin() interfac - Add labels for/etc/ssh/ssh_host_*.pub keys- Allow ksysguardproces to send system log msgs - Allow boinc setpgid and signull - Allow xdm_t to sys_ptrace to run pidof command - Allow smtpd_t to manage spool files/directories and symbolic links - Add labeling for jetty - Needed changes to get unbound/dnssec to work with openswan- Add user_fonts_t alias xfs_tmp_t - Since depmod now runs as insmod_t we need to write to kernel_object_t - Allow firewalld to dbus chat with networkmanager - Allow qpidd to connect to matahari ports - policykit needs to read /proc for uses not owned by it - Allow systemctl apps to connecto the init stream- Turn on deny_ptrace boolean- Remove pam_selinux.8 man page. There was a conflict.- Add proxy class and read access for gssd_proxy - Separate out the sharing public content booleans - Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate - Add label transition for gstream-0.10 and 12 - Add booleans to allow rsync to share nfs and cifs file sytems - chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it - Fix filename transitions for cups files - Allow denyhosts to read "unix" - Add file name transition for locale.conf.new - Allow boinc projects to gconf config files - sssd needs to be able to increase the socket limit under certain loads - sge_execd needs to read /etc/passwd - Allow denyhost to check network state - NetworkManager needs to read sessions data - Allow denyhost to check network state - Allow xen to search virt images directories - Add label for /dev/megaraid_sas_ioctl_node - Add autogenerated man pages- Allow boinc project to getattr on fs - Allow init to execute initrc_state_t - rhev-agent package was rename to ovirt-guest-agent - If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly - sytemd writes content to /run/initramfs and executes it on shutdown - kdump_t needs to read /etc/mtab, should be back ported to F16 - udev needs to load kernel modules in early system boot- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses - Add additional systemd interfaces which are needed fro *_admin interfaces - Fix bind_admin() interface- Allow firewalld to read urand - Alias java, execmem_mono to bin_t to allow third parties - Add label for kmod - /etc/redhat-lsb contains binaries - Add boolean to allow gitosis to send mail - Add filename transition also for "event20" - Allow systemd_tmpfiles_t to delete all file types - Allow collectd to ipc_lock- make consoletype_exec optional, so we can remove consoletype policy - remove unconfined_permisive.patch - Allow openvpn_t to inherit user home content and tmp content - Fix dnssec-trigger labeling - Turn on obex policy for staff_t - Pem files should not be secret - Add lots of rules to fix AVC's when playing with containers - Fix policy for dnssec - Label ask-passwd directories correctly for systemd- sshd fixes seem to be causing unconfined domains to dyntrans to themselves - fuse file system is now being mounted in /run/user - systemd_logind is sending signals to processes that are dbus messaging with it - Add support for winshadow port and allow iscsid to connect to this port - httpd should be allowed to bind to the http_port_t udp socket - zarafa_var_lib_t can be a lnk_file - A couple of new .xsession-errors files - Seems like user space and login programs need to read logind_sessions_files - Devicekit disk seems to be being launched by systemd - Cleanup handling of setfiles so most of rules in te file - Correct port number for dnssec - logcheck has the home dir set to its cache- Add policy for grindengine MPI jobs- Add new sysadm_secadm.pp module * contains secadm definition for sysadm_t - Move user_mail_domain access out of the interface into the te file - Allow httpd_t to create httpd_var_lib_t directories as well as files - Allow snmpd to connect to the ricci_modcluster stream - Allow firewalld to read /etc/passwd - Add auth_use_nsswitch for colord - Allow smartd to read network state - smartdnotify needs to read /etc/group- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory - lxdm startup scripts should be labeled bin_t, so confined users will work - mcstransd now creates a pid, needs back port to F16 - qpidd should be allowed to connect to the amqp port - Label devices 010-029 as usb devices - ypserv packager says ypserv does not use tmp_t so removing selinux policy types - Remove all ptrace commands that I believe are caused by the kernel/ps avcs - Add initial Obex policy - Add logging_syslogd_use_tty boolean - Add polipo_connect_all_unreserved bolean - Allow zabbix to connect to ftp port - Allow systemd-logind to be able to switch VTs - Allow apache to communicate with memcached through a sock_file- Fix file_context.subs_dist for now to work with pre usrmove- More /usr move fixes- Add zabbix_can_network boolean - Add httpd_can_connect_zabbix boolean - Prepare file context labeling for usrmove functions - Allow system cronjobs to read kernel network state - Add support for selinux_avcstat munin plugin - Treat hearbeat with corosync policy - Allow corosync to read and write to qpidd shared mem - mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users context - Turn off dontaudit rules when turning on allow_ypbind - udev now reads /etc/modules.d directory- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out - Cups exchanges dbus messages with init - udisk2 needs to send syslog messages - certwatch needs to read /etc/passwd- Add labeling for udisks2 - Allow fsadmin to communicate with the systemd process- Treat Bip with bitlbee policy * Bip is an IRC proxy - Add port definition for interwise port - Add support for ipa_memcached socket - systemd_jounald needs to getattr on all processes - mdadmin fixes * uses getpw - amavisd calls getpwnam() - denyhosts calls getpwall()- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there - bluetooth says they do not use /tmp and want to remove the type - Allow init to transition to colord - Mongod needs to read /proc/sys/vm/zone_reclaim_mode - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmain to write to inherited dovecot tmp files - setroubleshoot needs to be able to execute rpm to see what version of packages- Merge systemd patch - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online - Allow deltacloudd dac_override, setuid, setgid caps - Allow aisexec to execute shell - Add use_nfs_home_dirs boolean for ssh-keygen- Fixes to make rawhide boot in enforcing mode with latest systemd changes- Add labeling for /var/run/systemd/journal/syslog - libvirt sends signals to ifconfig - Allow domains that read logind session files to list them- Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read sympolicy links in this filesystem - Add ubac_constrained rules for chrome_sandbox - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra - Allow postgresql to be executed by the caller - Standardize interfaces of daemons - Add new labeling for mm-handler - Allow all matahari domains to read network state and etc_runtime_t files- New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo - Allow rpc.svcgssd to read supported_krb5_enctype - Allow zarafa domains to read /dev/random and /dev/urandom - Allow snmpd to read dev_snmp6 - Allow procmail to talk with cyrus - Add fixes for check_disk and check_nagios plugins- default trans rules for Rawhide policy - Make sure sound_devices controlC* are labeled correctly on creation - sssd now needs sys_admin - Allow snmp to read all proc_type - Allow to setup users homedir with quota.group- Add httpd_can_connect_ldap() interface - apcupsd_t needs to use seriel ports connected to usb devices - Kde puts procmail mail directory under ~/.local/share - nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now - Add labeling for /sbin/iscsiuio- Add label for /var/lib/iscan/interpreter - Dont audit writes to leaked file descriptors or redirected output for nacl - NetworkManager needs to write to /sys/class/net/ib*/mode- Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute - Allow munin services plugins to use NSCD services- Allow mozilla_plugin_t to manage mozilla_home_t - Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain - Add label for tumblerd- Fixes for xguest package- Fixes related to /bin, /sbin - Allow abrt to getattr on blk files - Add type for rhev-agent log file - Fix labeling for /dev/dmfm - Dontaudit wicd leaking - Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it - Label /etc/locale.conf correctly - Allow user_mail_t to read /dev/random - Allow postfix-smtpd to read MIMEDefang - Add label for /var/log/suphp.log - Allow swat_t to connect and read/write nmbd_t sock_file - Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf - Allow systemd-tmpfiles to change user identity in object contexts - More fixes for rhev_agentd_t consolehelper policy- Use fs_use_xattr for squashf - Fix procs_type interface - Dovecot has a new fifo_file /var/run/dovecot/stats-mail - Dovecot has a new fifo_file /var/run/stats-mail - Colord does not need to connect to network - Allow system_cronjob to dbus chat with NetworkManager - Puppet manages content, want to make sure it labels everything correctly- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it - Allow all postfix domains to use the fifo_file - Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t - Allow apmd_t to read grub.cfg - Let firewallgui read the selinux config - Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp - Fix devicekit_manage_pid_files() interface - Allow squid to check the network state - Dontaudit colord getattr on file systems - Allow ping domains to read zabbix_tmp_t files- Allow mcelog_t to create dir and file in /var/run and label it correctly - Allow dbus to manage fusefs - Mount needs to read process state when mounting gluster file systems - Allow collectd-web to read collectd lib files - Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr - Allow colord to get the attributes of tmpfs filesystem - Add sanlock_use_nfs and sanlock_use_samba booleans - Add bin_t label for /usr/lib/virtualbox/VBoxManage- Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work - Add interface to allow exec of mongod, add port definition for mongod port, 27017 - Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t - Allow spamd and clamd to steam connect to each other - Add policy label for passwd.OLD - More fixes for postfix and postfix maildro - Add ftp support for mozilla plugins - Useradd now needs to manage policy since it calls libsemanage - Fix devicekit_manage_log_files() interface - Allow colord to execute ifconfig - Allow accountsd to read /sys - Allow mysqld-safe to execute shell - Allow openct to stream connect to pcscd - Add label for /var/run/nm-dns-dnsmasq\.conf - Allow networkmanager to chat with virtd_t- Pulseaudio changes - Merge patches- Merge patches back into git repository.- Remove allow_execmem boolean and replace with deny_execmem boolean- Turn back on allow_execmem boolean- Add more MCS fixes to make sandbox working - Make faillog MLS trusted to make sudo_$1_t working - Allow sandbox_web_client_t to read passwd_file_t - Add .mailrc file context - Remove execheap from openoffice domain - Allow chrome_sandbox_nacl_t to read cpu_info - Allow virtd to relabel generic usb which is need if USB device - Fixes for virt.if interfaces to consider chr_file as image file type- Remove Open Office policy - Remove execmem policy- MCS fixes - quota fixes- Remove transitions to consoletype- Make nvidia* to be labeled correctly - Fix abrt_manage_cache() interface - Make filetrans rules optional so base policy will build - Dontaudit chkpwd_t access to inherited TTYS - Make sure postfix content gets created with the correct label - Allow gnomeclock to read cgroup - Fixes for cloudform policy- Check in fixed for Chrome nacl support- Begin removing qemu_t domain, we really no longer need this domain. - systemd_passwd needs dac_overide to communicate with users TTY's - Allow svirt_lxc domains to send kill signals within their container- Remove qemu.pp again without causing a crash- Remove qemu.pp, everything should use svirt_t or stay in its current domain- Allow policykit to talk to the systemd via dbus - Move chrome_sandbox_nacl_t to permissive domains - Additional rules for chrome_sandbox_nacl- Change bootstrap name to nacl - Chrome still needs execmem - Missing role for chrome_sandbox_bootstrap - Add boolean to remove execmem and execstack from virtual machines - Dontaudit xdm_t doing an access_check on etc_t directories- Allow named to connect to dirsrv by default - add ldapmap1_0 as a krb5_host_rcache_t file - Google chrome developers asked me to add bootstrap policy for nacl stuff - Allow rhev_agentd_t to getattr on mountpoints - Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets- Fixes for cloudform policies which need to connect to random ports - Make sure if an admin creates modules content it creates them with the correct label - Add port 8953 as a dns port used by unbound - Fix file name transition for alsa and confined users- Turn on mock_t and thumb_t for unconfined domains- Policy update should not modify local contexts- Remove ada policy- Remove tzdata policy - Add labeling for udev - Add cloudform policy - Fixes for bootloader policy- Add policies for nova openstack- Add fixes for nova-stack policy- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain - Allow init process to setrlimit on itself - Take away transition rules for users executing ssh-keygen - Allow setroubleshoot_fixit_t to read /dev/urand - Allow sshd to relbale tunnel sockets - Allow fail2ban domtrans to shorewall in the same way as with iptables - Add support for lnk files in the /var/lib/sssd directory - Allow system mail to connect to courier-authdaemon over an unix stream socket- Add passwd_file_t for /etc/ptmptmp- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) - Make corosync to be able to relabelto cluster lib fies - Allow samba domains to search /var/run/nmbd - Allow dirsrv to use pam - Allow thumb to call getuid - chrome less likely to get mmap_zero bug so removing dontaudit - gimp help-browser has built in javascript - Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t - Re-write glance policy- Move dontaudit sys_ptrace line from permissive.te to domain.te - Remove policy for hal, it no longer exists- Don't check md5 size or mtime on certain config files- Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system - Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;- Fixes for bootloader policy - $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore - Allow nsplugin to read /usr/share/config - Allow sa-update to update rules - Add use_fusefs_home_dirs for chroot ssh option - Fixes for grub2 - Update systemd_exec_systemctl() interface - Allow gpg to read the mail spool - More fixes for sa-update running out of cron job - Allow ipsec_mgmt_t to read hardware state information - Allow pptp_t to connect to unreserved_port_t - Dontaudit getattr on initctl in /dev from chfn - Dontaudit getattr on kernel_core from chfn - Add systemd_list_unit_dirs to systemd_exec_systemctl call - Fixes for collectd policy - CHange sysadm_t to create content as user_tmp_t under /tmp- Shrink size of policy through use of attributes for userdomain and apache- Allow virsh to read xenstored pid file - Backport corenetwork fixes from upstream - Do not audit attempts by thumb to search config_home_t dirs (~/.config) - label ~/.cache/telepathy/logger telepathy_logger_cache_home_t - allow thumb to read generic data home files (mime.type)- Allow nmbd to manage sock file in /var/run/nmbd - ricci_modservice send syslog msgs - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user- Fix missing patch from F16- Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by grift - Add new nfsd ports - Added fix to allow confined apps to execmod on chrome - Add labeling for additional vdsm directories - Allow Exim and Dovecot SASL - Add label for /var/run/nmbd - Add fixes to make virsh and xen working together - Colord executes ls - /var/spool/cron is now labeled as user_cron_spool_t- Stop complaining about leaked file descriptors during install- Remove java and mono module and merge into execmem- Fixes for thumb policy and passwd_file_t- Fixes caused by the labeling of /etc/passwd - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide- Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs - move permissive virt_qmf_t from virt.te to permissivedomains.te - Allow ssh_t to use kernel keyrings - Add policy for libvirt-qmf and more fixes for linux containers - Initial Polipo - Sanlock needs to run ranged in order to kill svirt processes - Allow smbcontrol to stream connect to ctdbd- Add label for /etc/passwd- Change unconfined_domains to permissive for Rawhide - Add definition for the ephemeral_ports- Make mta_role() active - Allow asterisk to connect to jabber client port - Allow procmail to read utmp - Add NIS support for systemd_logind_t - Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t - Fix systemd_manage_unit_dirs() interface - Allow ssh_t to manage directories passed into it - init needs to be able to create and delete unit file directories - Fix typo in apache_exec_sys_script - Add ability for logrotate to transition to awstat domain- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state - Add SELinux support for ssh pre-auth net process in F17 - Add logging_syslogd_can_sendmail boolean- Add definition for ephemeral ports - Define user_tty_device_t as a customizable_type- Needs to require a new version of checkpolicy - Interface fixes- Allow sanlock to manage virt lib files - Add virt_use_sanlock booelan - ksmtuned is trying to resolve uids - Make sure .gvfs is labeled user_home_t in the users home directory - Sanlock sends kill signals and needs the kill capability - Allow mockbuild to work on nfs homedirs - Fix kerberos_manage_host_rcache() interface - Allow exim to read system state- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t- Allow collectd to read hardware state information - Add loop_control_device_t - Allow mdadm to request kernel to load module - Allow domains that start other domains via systemctl to search unit dir - systemd_tmpfilses, needs to list any file systems mounted on /tmp - No one can explain why radius is listing the contents of /tmp, so we will dontaudit - If I can manage etc_runtime files, I should be able to read the links - Dontaudit hostname writing to mock library chr_files - Have gdm_t setup labeling correctly in users home dir - Label content unde /var/run/user/NAME/dconf as config_home_t - Allow sa-update to execute shell - Make ssh-keygen working with fips_enabled - Make mock work for staff_t user - Tighten security on mock_t- removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and secure_mode_policyload - Remove unconfined_mount_t- Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy - sssd need to search /var/cache/krb5rcache directory - Allow corosync to relabel own tmp files - Allow zarafa domains to send system log messages - Allow ssh to do tunneling - Allow initrc scripts to sendto init_t unix_stream_socket - Changes to make sure dmsmasq and virt directories are labeled correctly - Changes needed to allow sysadm_t to manage systemd unit files - init is passing file descriptors to dbus and on to system daemons - Allow sulogin additional access Reported by dgrift and Jeremy Miller - Steve Grubb believes that wireshark does not need this access - Fix /var/run/initramfs to stop restorecon from looking at - pki needs another port - Add more labels for cluster scripts - Allow apps that manage cgroup_files to manage cgroup link files - Fix label on nfs-utils scripts directories - Allow gatherd to read /dev/rand and /dev/urand- pki needs another port - Add more labels for cluster scripts - Fix label on nfs-utils scripts directories - Fixes for cluster - Allow gatherd to read /dev/rand and /dev/urand - abrt leaks fifo files- Add glance policy - Allow mdadm setsched - /var/run/initramfs should not be relabeled with a restorecon run - memcache can be setup to override sys_resource - Allow httpd_t to read tetex data - Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.- Allow Postfix to deliver to Dovecot LMTP socket - Ignore bogus sys_module for lldpad - Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock - systemd_logind_t sets the attributes on usb devices - Allow hddtemp_t to read etc_t files - Add permissivedomains module - Move all permissive domains calls to permissivedomain.te - Allow pegasis to send kill signals to other UIDs- Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t unix_stream_sockets - Change sysctl unit file interfaces to use systemctl - Add support for chronyd unit file - Allow mozilla_plugin to read gnome_usr_config - Add policy for new gpsd - Allow cups to create kerberos rhost cache files - Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten- Add policy for sa-update being run out of cron jobs - Add create perms to postgresql_manage_db - ntpd using a gps has to be able to read/write generic tty_device_t - If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev - fix spec file - Remove qemu_domtrans_unconfined() interface - Make passenger working together with puppet - Add init_dontaudit_rw_stream_socket interface - Fixes for wordpress- Turn on allow_domain_fd_use boolean on F16 - Allow syslog to manage all log files - Add use_fusefs_home_dirs boolean for chrome - Make vdagent working with confined users - Add abrt_handle_event_t domain for ABRT event scripts - Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change - Allow httpd_git_script_t to read passwd data - Allow openvpn to set its process priority when the nice parameter is used- livecd fixes - spec file fixes- fetchmail can use kerberos - ksmtuned reads in shell programs - gnome_systemctl_t reads the process state of ntp - dnsmasq_t asks the kernel to load multiple kernel modules - Add rules for domains executing systemctl - Bogus text within fc file- Add cfengine policy- Add abrt_domain attribute - Allow corosync to manage cluster lib files - Allow corosync to connect to the system DBUS- Add sblim, uuidd policies - Allow kernel_t dyntrasition to init_t- init_t need setexec - More fixes of rules which cause an explosion in rules by Dan Walsh- Allow rcsmcertd to perform DNS name resolution - Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts - Allow tmux to run as screen - New policy for collectd - Allow gkeyring_t to interact with all user apps - Add rules to allow firstboot to run on machines with the unconfined.pp module removed- Allow systemd_logind to send dbus messages with users - allow accountsd to read wtmp file - Allow dhcpd to get and set capabilities- Fix oracledb_port definition - Allow mount to mounton the selinux file system - Allow users to list /var directories- systemd fixes- Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltclient is connecting to abrt - Dontaudit leaked file descriptors to postdrop - Allow abrt_dump_oops to look at kernel sysctls - Abrt_dump_oops_t reads kernel ring buffer - Allow mysqld to request the kernel to load modules - systemd-login needs fowner - Allow postfix_cleanup_t to searh maildrop- Initial systemd_logind policy - Add policy for systemd_logger and additional proivs for systemd_logind - More fixes for systemd policies- Allow setsched for virsh - Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories - iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-multi- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit - Allow colord to interact with the users through the tmpfs file system - Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files - Add label for /var/log/mcelog - Allow asterisk to read /dev/random if it uses TLS - Allow colord to read ini files which are labeled as bin_t - Allow dirsrvadmin sys_resource and setrlimit to use ulimit - Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. - Also lists /var and /var/spool directories - Add openl2tpd to l2tpd policy - qpidd is reading the sysfs file- Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains - Allow pppd to search /var/lock dir - Add rhsmcertd policy- Update to upstream- More fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git- Fix spec file to not report Verify errors- Add dspam policy - Add lldpad policy - dovecot auth wants to search statfs #713555 - Allow systemd passwd apps to read init fifo_file - Allow prelink to use inherited terminals - Run cherokee in the httpd_t domain - Allow mcs constraints on node connections - Implement pyicqt policy - Fixes for zarafa policy - Allow cobblerd to send syslog messages- Add policy.26 to the payload - Remove olpc stuff - Remove policygentool- Fixes for zabbix - init script needs to be able to manage sanlock_var_run_... - Allow sandlock and wdmd to create /var/run directories... - mixclip.so has been compiled correctly - Fix passenger policy module name- Add mailscanner policy from dgrift - Allow chrome to optionally be transitioned to - Zabbix needs these rules when starting the zabbix_server_mysql - Implement a type for freedesktop openicc standard (~/.local/share/icc) - Allow system_dbusd_t to read inherited icc_data_home_t files. - Allow colord_t to read icc_data_home_t content. #706975 - Label stuff under /usr/lib/debug as if it was labeled under /- Fixes for sanlock policy - Fixes for colord policy - Other fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Add rhev policy module to modules-targeted.conf- Lot of fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log- Allow logrotate to execute systemctl - Allow nsplugin_t to getattr on gpmctl - Fix dev_getattr_all_chr_files() interface - Allow shorewall to use inherited terms - Allow userhelper to getattr all chr_file devices - sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t - Fix labeling for ABRT Retrace Server- Dontaudit sys_module for ifconfig - Make telepathy and gkeyringd daemon working with confined users - colord wants to read files in users homedir - Remote login should be creating user_tmp_t not its own tmp files- Fix label for /usr/share/munin/plugins/munin_* plugins - Add support for zarafa-indexer - Fix boolean description - Allow colord to getattr on /proc/scsi/scsi - Add label for /lib/upstart/init - Colord needs to list /mnt- Forard port changes from F15 for telepathy - NetworkManager should be allowed to use /dev/rfkill - Fix dontaudit messages to say Domain to not audit - Allow telepathy domains to read/write gnome_cache files - Allow telepathy domains to call getpw - Fixes for colord and vnstatd policy- Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute corosync - colord tries to read files off noxattr file systems - Allow init_t getcap and setcap- Add support for ABRT retrace server - Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners - Allow telepath_msn_t to read /proc/PARENT/cmdline - ftpd needs kill capability - Allow telepath_msn_t to connect to sip port - keyring daemon does not work on nfs homedirs - Allow $1_sudo_t to read default SELinux context - Add label for tgtd sock file in /var/run/ - Add apache_exec_rotatelogs interface - allow all zaraha domains to signal themselves, server writes to /tmp - Allow syslog to read the process state - Add label for /usr/lib/chromium-browser/chrome - Remove the telepathy transition from unconfined_t - Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts - Allow initrc_t domain to manage abrt pid files - Add support for AEOLUS project - Virt_admin should be allowed to manage images and processes - Allow plymountd to send signals to init - Change labeling of fping6- Add filename transitions- Fixes for zarafa policy - Add support for AEOLUS project - Change labeling of fping6 - Allow plymountd to send signals to init - Allow initrc_t domain to manage abrt pid files - Virt_admin should be allowed to manage images and processes- xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl - Allow squid to manage krb5_host_rcache_t files - Allow foghorn to connect to agentx port - Fixes for colord policy- Add Dan's patch to remove 64 bit variants - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch - Add labeling for systemd unit files - Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pid - Fixes for matahari policy - Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir - Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on- Fix typo- Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc files - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow sysadm_t to set attributes on fixed disks - allow user domains to execute lsof and look at application sockets - prelink_cron job calls telinit -u if init is rewritten - Fixes to run qemu_t from staff_t- Fix label for /var/run/udev to udev_var_run_t - Mock needs to be able to read network state- Add file_contexts.subs to handle /run and /run/lock - Add other fixes relating to /run changes from F15 policy- Allow $1_sudo_t and $1_su_t open access to user terminals - Allow initrc_t to use generic terminals - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs -systemd is going to be useing /run and /run/lock for early bootup files. - Fix some comments in rlogin.if - Add policy for KDE backlighthelper - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - setroubleshoot reads executables to see if they have TEXTREL - Add /var/spool/audit support for new version of audit - Remove kerberos_connect_524() interface calling - Combine kerberos_master_port_t and kerberos_port_t - systemd has setup /dev/kmsg as stderr for apps it executes - Need these access so that init can impersonate sockets on unix_dgram_socket- Remove some unconfined domains - Remove permissive domains - Add policy-term.patch from Dan- Fix multiple specification for boot.log - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if to generic_if - Should not use deprecated interface - Switch from using all_nodes to generic_node and from all_if to generic_if - Add support for xfce4-notifyd - Fix file context to show several labels as SystemHigh - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs - Add etc_runtime_t label for /etc/securetty - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly - login.krb needs to be able to write user_tmp_t - dirsrv needs to bind to port 7390 for dogtag - Fix a bug in gpg policy - gpg sends audit messages - Allow qpid to manage matahari files- Initial policy for matahari - Add dev_read_watchdog - Allow clamd to connect clamd port - Add support for kcmdatetimehelper - Allow shutdown to setrlimit and sys_nice - Allow systemd_passwd to talk to /dev/log before udev or syslog is running - Purge chr_file and blk files on /tmp - Fixes for pads - Fixes for piranha-pulse - gpg_t needs to be able to encyprt anything owned by the user- mozilla_plugin_tmp_t needs to be treated as user tmp files - More dontaudits of writes from readahead - Dontaudit readahead_t file_type:dir write, to cover up kernel bug - systemd_tmpfiles needs to relabel faillog directory as well as the file - Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost- Add policykit fixes from Tim Waugh - dontaudit sandbox domains sandbox_file_t:dir mounton - Add new dontaudit rules for sysadm_dbusd_t - Change label for /var/run/faillock * other fixes which relate with this change- Update to upstream - Fixes for telepathy - Add port defition for ssdp port - add policy for /bin/systemd-notify from Dan - Mount command requires users read mount_var_run_t - colord needs to read konject_uevent_socket - User domains connect to the gkeyring socket - Add colord policy and allow user_t and staff_t to dbus chat with it - Add lvm_exec_t label for kpartx - Dontaudit reading the mail_spool_t link from sandbox -X - systemd is creating sockets in avahi_var_run and system_dbusd_var_run- gpg_t needs to talk to gnome-keyring - nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd - enforce MCS labeling on nodes - Allow arpwatch to read meminfo - Allow gnomeclock to send itself signals - init relabels /dev/.udev files on boot - gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t - nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t - dnsmasq can run as a dbus service, needs acquire service - mysql_admin should be allowed to connect to mysql service - virt creates monitor sockets in the users home dir- Allow usbhid-ups to read hardware state information - systemd-tmpfiles has moved - Allo cgroup to sys_tty_config - For some reason prelink is attempting to read gconf settings - Add allow_daemons_use_tcp_wrapper boolean - Add label for ~/.cache/wocky to make telepathy work in enforcing mode - Add label for char devices /dev/dasd* - Fix for apache_role - Allow amavis to talk to nslcd - allow all sandbox to read selinux poilcy config files - Allow cluster domains to use the system bus and send each other dbus messages- Update to upstream- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Update to ref policy - cgred needs chown capability - Add /dev/crash crash_dev_t - systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability- New labeling for postfmulti #675654 - dontaudit xdm_t listing noxattr file systems - dovecot-auth needs to be able to connect to mysqld via the network as well as locally - shutdown is passed stdout to a xdm_log_t file - smartd creates a fixed disk device - dovecot_etc_t contains a lnk_file that domains need to read - mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot- syslog_t needs syslog capability - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv - Fix for dirsrv policy missing manage_dirs_pattern - corosync needs to delete clvm_tmpfs_t files - qdiskd needs to list hugetlbfs - Move setsched to sandbox_x_domain, so firefox can run without network access - Allow hddtemp to read removable devices - Adding syslog and read_policy permissions to policy * syslog Allow unconfined, sysadm_t, secadm_t, logadm_t * read_policy allow unconfined, sysadm_t, secadm_t, staff_t on Targeted allow sysadm_t (optionally), secadm_t on MLS - mdadm application will write into /sys/.../uevent whenever arrays are assembled or disassembled.- Add tcsd policy- ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resoueces - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory- Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs- Allow nagios plugin to read /proc/meminfo - Fix for mozilla_plugin - Allow samba_net_t to create /etc/keytab - pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t - nslcd can read user credentials - Allow nsplugin to delete mozilla_plugin_tmpfs_t - abrt tries to create dir in rpm_var_lib_t - virt relabels fifo_files - sshd needs to manage content in fusefs homedir - mock manages link files in cache dir- nslcd needs setsched and to read /usr/tmp - Invalid call in likewise policy ends up creating a bogus role - Cannon puts content into /var/lib/bjlib that cups needs to be able to write - Allow screen to create screen_home_t in /root - dirsrv sends syslog messages - pinentry reads stuff in .kde directory - Add labels for .kde directory in homedir - Treat irpinit, iprupdate, iprdump services with raid policy- NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead - Remove permissive domains - Allow newrole to run namespace_init- Add sepgsql_contexts file- Update to upstream- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - Add puppetmaster_use_db boolean - Fixes for zarafa policy - Fixes for gnomeclock poliy - Fix systemd-tmpfiles to use auth_use_nsswitch- gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyinstatiated homedir - Fixes for namespace policy and other fixes related to polyinstantiation - Add namespace policy - Allow dovecot-deliver transition to sendmail which is needed by sieve scripts - Fixes for init, psad policy which relate with confined users - Do not audit bootloader attempts to read devicekit pid files - Allow nagios service plugins to read /proc- Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix duplicate grub def in cobbler - Chrony sends mail, executes shell, uses fifo_file and reads /proc - devicekitdisk getattr all file systems - sambd daemon writes wtmp file - libvirt transitions to dmidecode- Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewall as shorewall_lock_t - Allow users to communicate with the gpg_agent_t - Dontaudit mozilla_plugin_t using the inherited terminal - Allow sambagui to read files in /usr - webalizer manages squid log files - Allow unconfined domains to bind ports to raw_ip_sockets - Allow abrt to manage rpm logs when running yum - Need labels for /var/run/bittlebee - Label .ssh under amanda - Remove unused genrequires for virt_domain_template - Allow virt_domain to use fd inherited from virtd_t - Allow iptables to read shorewall config- Gnome apps list config_home_t - mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk- Allow xdm and syslog to use /var/log/boot.log - Allow users to communicate with mozilla_plugin and kill it - Add labeling for ipv6 and dhcp- New labels for ghc http content - nsplugin_config needs to read urand, lvm now calls setfscreate to create dev - pm-suspend now creates log file for append access so we remove devicekit_wri - Change authlogin_use_sssd to authlogin_nsswitch_use_ldap - Fixes for greylist_milter policy- Update to upstream - Fixes for systemd policy - Fixes for passenger policy - Allow staff users to run mysqld in the staff_t domain, akonadi needs this - Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py - auth_use_nsswitch does not need avahi to read passwords,needed for resolving data - Dontaudit (xdm_t) gok attempting to list contents of /var/account - Telepathy domains need to read urand - Need interface to getattr all file classes in a mock library for setroubleshoot- Update selinux policy to handle new /usr/share/sandbox/start script- Update to upstream - Fix version of policy in spec file- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs - remove per sandbox domains devpts types - Allow dkim-milter sending signal to itself- Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t - Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup- Turn on systemd policy - mozilla_plugin needs to read certs in the homedir. - Dontaudit leaked file descriptors from devicekit - Fix ircssi to use auth_use_nsswitch - Change to use interface without param in corenet to disable unlabelednet packets - Allow init to relabel sockets and fifo files in /dev - certmonger needs dac* capabilities to manage cert files not owned by root - dovecot needs fsetid to change group membership on mail - plymouthd removes /var/log/boot.log - systemd is creating symlinks in /dev - Change label on /etc/httpd/alias to be all cert_t- Fixes for clamscan and boinc policy - Add boinc_project_t setpgid - Allow alsa to create tmp files in /tmp- Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy- Fixes for lvm to work with systemd- Fix the label for wicd log - plymouthd creates force-display-on-active-vt file - Allow avahi to request the kernel to load a module - Dontaudit hal leaks - Fix gnome_manage_data interface - Add new interface corenet_packet to define a type as being an packet_type. - Removed general access to packet_type from icecast and squid. - Allow mpd to read alsa config - Fix the label for wicd log - Add systemd policy- Fix gnome_manage_data interface - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy- Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools - Allow init to setattr on logfile directories - Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t- Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolean by default - Allow sysadmin to dbus chat with rpm - Add interface for rw_tpm_dev - Allow cron to execute bin - fsadm needs to write sysfs - Dontaudit consoletype reading /var/run/pm-utils - Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin - certmonger needs to manage dirsrv data - /var/run/pm-utils should be labeled as devicekit_var_run_t- fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Allow dovecot to listem on lmtp and sieve ports - Allov ddclient to search sysctl_net_t - Transition back to original domain if you execute the shell- Remove duplicate declaration- Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types- Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0- Put back in lircd_etc_t so policy will install- Turn on allow_postfix_local_write_mail_spool - Allow initrc_t to transition to shutdown_t - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Login programs have to read /etc/samba - New programs under /lib/systemd - Abrt needs to read config files- Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs- Allow nagios plugins to read usr files - Allow mysqld-safe to send system log messages - Fixes fpr ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp - Fix xserver interface - Fix definition of /var/run/lxdm- Turn on mediawiki policy - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap- Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow mpd to be able to read samba/nfs files- Fix up corecommands.fc to match upstream - Make sure /lib/systemd/* is labeled init_exec_t - mount wants to setattr on all mountpoints - dovecot auth wants to read dovecot etc files - nscd daemon looks at the exe file of the comunicating daemon - openvpn wants to read utmp file - postfix apps now set sys_nice and lower limits - remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly - Also resolves nsswitch - Fix labels on /etc/hosts.* - Cleanup to make upsteam patch work - allow abrt to read etc_runtime_t- Add conflicts for dirsrv package- Update to upstream - Add vlock policy- Fix sandbox to work on nfs homedirs - Allow cdrecord to setrlimit - Allow mozilla_plugin to read xauth - Change label on systemd-logger to syslogd_exec_t - Install dirsrv policy from dirsrv package- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it - Udev needs to stream connect to init and kernel - Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory- Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon- Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/*- Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot- Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. - Allow devicekit_power to domtrans to mount - Allow dhcp to bind to udp ports > 1024 to do named stuff - Allow ssh_t to exec ssh_exec_t - Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used - Fix clamav_append_log() intefaces - Fix 'psad_rw_fifo_file' interface- Allow cobblerd to list cobler appache content- Fixup for the latest version of upowed - Dontaudit sandbox sending SIGNULL to desktop apps- Update to upstream-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access - dovecot-auth_t needs ipc_lock - gpm needs to use the user terminal - Allow system_mail_t to append ~/dead.letter - Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf - Add pid file to vnstatd - Allow mount to communicate with gfs_controld - Dontaudit hal leaks in setfiles- Lots of fixes for systemd - systemd now executes readahead and tmpwatch type scripts - Needs to manage random seed- Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream- Fix fusefs handling - Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to connecto its parent - Allow init_t to connect to plymouthd running as kernel_t - Add mediawiki policy - dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. - Disable transition from dbus_session_domain to telepathy for F14 - Allow boinc_project to use shm - Allow certmonger to search through directories that contain certs - Allow fail2ban the DAC Override so it can read log files owned by non root users- Start adding support for use_fusefs_home_dirs - Add /var/lib/syslog directory file context - Add /etc/localtime as locale file context- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user - Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanger and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeld samba_share_t- Dontaudit attempts by xdm_t to write to bin_t for kdm - Allow initrc_t to manage system_conf_t- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory. - Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets - Allow confined users to read xdm_etc_t files - Allow xdm_t to transition to xauth_t for lxdm program- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home - Allow clamd to send signals to itself - Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm. - Allow haze to connect to yahoo chat and messenger port tcp:5050. Bz #637339 - Allow guest to run ps command on its processes by allowing it to read /proc - Allow firewallgui to sys_rawio which seems to be required to setup masqerading - Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba. - Add label for /var/log/slim.log- Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota to do quotamod- Cleanup policy via dgrift - Allow dovecot_deliver to append to inherited log files - Lots of fixes for consolehelper- Fix up Xguest policy- Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t- Update to upstream- Add the ability to send audit messages to confined admin policies - Remove permissive domain from cmirrord and dontaudit sys_tty_config - Split out unconfined_domain() calls from other unconfined_ calls so we can d - virt needs to be able to read processes to clearance for MLS- Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages- Update to upstream- Allow mdadm_t to create files and sock files in /dev/md/- Add policy for ajaxterm- Handle /var/db/sudo - Allow pulseaudio to read alsa config - Allow init to send initrc_t dbus messagesAllow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr intd label vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chat Allow telepath_msn to execute ldconfig and its own tmp files Fix labels on hugepages Allow mdadm to read files on /dev Remove permissive domains and change back to unconfined Allow freshclam to execute shell and bin_t Allow devicekit_power to transition to dhcpc Add boolean to allow icecast to connect to any port- Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs - Allow certmaster to read usr_t files - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm- Allow mdadm_t to read/write hugetlbfs- Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and prelink- Merge with upstream- More access needed for devicekit - Add dbadm policy- Merge with upstream- Allow seunshare to fowner- Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs- Update policy for mozilla_plugin_t- Allow clamscan to read proc_t - Allow mount_t to write to debufs_t dir - Dontaudit mount_t trying to write to security_t dir- Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container- Fix /root/.forward definition- label dead.letter as mail_home_t- Allow login programs to search /cgroups- Fix cert handling- Fix devicekit_power bug - Allow policykit_auth_t more access.- Fix nis calls to allow bind to ports 512-1024 - Fix smartmon- Allow pcscd to read sysfs - systemd fixes - Fix wine_mmap_zero_ignore boolean- Apply Miroslav munin patch - Turn back on allow_execmem and allow_execmod booleans- Merge in fixes from dgrift repository- Update boinc policy - Fix sysstat policy to allow sys_admin - Change failsafe_context to unconfined_r:unconfined_t:s0- New paths for upstart- New permissions for syslog - New labels for /lib/upstart- Add mojomojo policy- Allow systemd to setsockcon on sockets to immitate other services- Remove debugfs label- Update to latest policy- Fix eclipse labeling from IBMSupportAssasstant packageing- Make boot with systemd in enforcing mode- Update to upstream- Add boolean to turn off port forwarding in sshd.- Add support for ebtables - Fixes for rhcs and corosync policy-Update to upstream-Update to upstream-Update to upstream- Add Zarafa policy- Cleanup of aiccu policy - initial mock policy- Lots of random fixes- Update to upstream- Update to upstream - Allow prelink script to signal itself - Cobbler fixes- Add xdm_var_run_t to xserver_stream_connect_xdm - Add cmorrord and mpd policy from Miroslav Grepl- Fix sshd creation of krb cc files for users to be user_tmp_t- Fixes for accountsdialog - Fixes for boinc- Fix label on /var/lib/dokwiki - Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls- Update to upstream- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t - Fix /var/run/abrtd.lock label- Allow login programs to read krb5_home_t Resolves: 594833 - Add obsoletes for cachefilesfd-selinux package Resolves: #575084- Allow mount to r/w abrt fifo file - Allow svirt_t to getattr on hugetlbfs - Allow abrt to create a directory under /var/spool- Add labels for /sys - Allow sshd to getattr on shutdown - Fixes for munin - Allow sssd to use the kernel key ring - Allow tor to send syslog messages - Allow iptabels to read usr files - allow policykit to read all domains state- Fix path for /var/spool/abrt - Allow nfs_t as an entrypoint for http_sys_script_t - Add policy for piranha - Lots of fixes for sosreport- Allow xm_t to read network state and get and set capabilities - Allow policykit to getattr all processes - Allow denyhosts to connect to tcp port 9911 - Allow pyranha to use raw ip sockets and ptrace itself - Allow unconfined_execmem_t and gconfsd mechanism to dbus - Allow staff to kill ping process - Add additional MLS rules- Allow gdm to edit ~/.gconf dir Resolves: #590677 - Allow dovecot to create directories in /var/lib/dovecot Partially resolves 590224 - Allow avahi to dbus chat with NetworkManager - Fix cobbler labels - Dontaudit iceauth_t leaks - fix /var/lib/lxdm file context - Allow aiccu to use tun tap devices - Dontaudit shutdown using xserver.log- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory - Add dontaudit interface for bluetooth dbus - Add chronyd_read_keys, append_keys for initrc_t - Add log support for ksmtuned Resolves: #586663- Allow boinc to send mail- Allow initrc_t to remove dhcpc_state_t - Fix label on sa-update.cron - Allow dhcpc to restart chrony initrc - Don't allow sandbox to send signals to its parent processes - Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t Resolves: #589136- Fix location of oddjob_mkhomedir Resolves: #587385 - fix labeling on /root/.shosts and ~/.shosts - Allow ipsec_mgmt_t to manage net_conf_t Resolves: #586760- Dontaudit sandbox trying to connect to netlink sockets Resolves: #587609 - Add policy for piranha- Fixups for xguest policy - Fixes for running sandbox firefox- Allow ksmtuned to use terminals Resolves: #586663 - Allow lircd to write to generic usb devices- Allow sandbox_xserver to connectto unconfined stream Resolves: #585171- Allow initrc_t to read slapd_db_t Resolves: #585476 - Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf Resolves: #585963- Allow rlogind_t to search /root for .rhosts Resolves: #582760 - Fix path for cached_var_t - Fix prelink paths /var/lib/prelink - Allow confined users to direct_dri - Allow mls lvm/cryptosetup to work- Allow virtd_t to manage firewall/iptables config Resolves: #573585- Fix label on /root/.rhosts Resolves: #582760 - Add labels for Picasa - Allow openvpn to read home certs - Allow plymouthd_t to use tty_device_t - Run ncftool as iptables_t - Allow mount to unmount unlabeled_t - Dontaudit hal leaks- Allow livecd to transition to mount- Update to upstream - Allow abrt to delete sosreport Resolves: #579998 - Allow snmp to setuid and gid Resolves: #582155 - Allow smartd to use generic scsi devices Resolves: #582145- Allow ipsec_t to create /etc/resolv.conf with the correct label - Fix reserved port destination - Allow autofs to transition to showmount - Stop crashing tuned- Add telepathysofiasip policy- Update to upstream - Fix label for /opt/google/chrome/chrome-sandbox - Allow modemmanager to dbus with policykit- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) - Allow accountsd to read shadow file - Allow apache to send audit messages when using pam - Allow asterisk to bind and connect to sip tcp ports - Fixes for dovecot 2.0 - Allow initrc_t to setattr on milter directories - Add procmail_home_t for .procmailrc file- Fixes for labels during install from livecd- Fix /cgroup file context - Fix broken afs use of unlabled_t - Allow getty to use the console for s390- Fix cgroup handling adding policy for /cgroup - Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set- Merge patches from dgrift- Update upstream - Allow abrt to write to the /proc under any process- Fix ~/.fontconfig label - Add /root/.cert label - Allow reading of the fixed_file_disk_t:lnk_file if you can read file - Allow qemu_exec_t as an entrypoint to svirt_t- Update to upstream - Allow tmpreaper to delete sandbox sock files - Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems - Fixes for gitosis - No transition on livecd to passwd or chfn - Fixes for denyhosts- Add label for /var/lib/upower - Allow logrotate to run sssd - dontaudit readahead on tmpfs blk files - Allow tmpreaper to setattr on sandbox files - Allow confined users to execute dos files - Allow sysadm_t to kill processes running within its clearance - Add accountsd policy - Fixes for corosync policy - Fixes from crontab policy - Allow svirt to manage svirt_image_t chr files - Fixes for qdisk policy - Fixes for sssd policy - Fixes for newrole policy- make libvirt work on an MLS platform- Add qpidd policy- Update to upstream- Allow boinc to read kernel sysctl - Fix snmp port definitions - Allow apache to read anon_inodefs- Allow shutdown dac_override- Add device_t as a file system - Fix sysfs association- Dontaudit ipsec_mgmt sys_ptrace - Allow at to mail its spool files - Allow nsplugin to search in .pulse directory- Update to upstream- Allow users to dbus chat with xdm - Allow users to r/w wireless_device_t - Dontaudit reading of process states by ipsec_mgmt- Fix openoffice from unconfined_t- Add shutdown policy so consolekit can shutdown system- Update to upstream- Update to upstream- Update to upstream - These are merges of my patches - Remove 389 labeling conflicts - Add MLS fixes found in RHEL6 testing - Allow pulseaudio to run as a service - Add label for mssql and allow apache to connect to this database port if boolean set - Dontaudit searches of debugfs mount point - Allow policykit_auth to send signals to itself - Allow modcluster to call getpwnam - Allow swat to signal winbind - Allow usbmux to run as a system role - Allow svirt to create and use devpts- Add MLS fixes found in RHEL6 testing - Allow domains to append to rpm_tmp_t - Add cachefilesfd policy - Dontaudit leaks when transitioning- Change allow_execstack and allow_execmem booleans to on - dontaudit acct using console - Add label for fping - Allow tmpreaper to delete sandbox_file_t - Fix wine dontaudit mmap_zero - Allow abrt to read var_t symlinks- Additional policy for rgmanager- Allow sshd to setattr on pseudo terms- Update to upstream- Allow policykit to send itself signals- Fix duplicate cobbler definition- Fix file context of /var/lib/avahi-autoipd- Merge with upstream- Allow sandbox to work with MLS- Make Chrome work with staff user- Add icecast policy - Cleanup spec file- Add mcelog policy- Lots of fixes found in F12- Fix rpm_dontaudit_leaks- Add getsched to hald_t - Add file context for Fedora/Redhat Directory Server- Allow abrt_helper to getattr on all filesystems - Add label for /opt/real/RealPlayer/plugins/oggfformat\.so- Add gstreamer_home_t for ~/.gstreamer- Update to upstream- Fix git- Turn on puppet policy - Update to dgrift git policy- Move users file to selection by spec file. - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t- Update to upstream- Remove most of the permissive domains from F12.- Add cobbler policy from dgrift- add usbmon device - Add allow rulse for devicekit_disk- Lots of fixes found in F12, fixes from Tom London- Cleanups from dgrift- Add back xserver_manage_home_fonts- Dontaudit sandbox trying to read nscd and sssd- Update to upstream- Rename udisks-daemon back to devicekit_disk_t policy- Fixes for abrt calls- Add tgtd policy- Update to upstream release- Add asterisk policy back in - Update to upstream release 2.20091117- Update to upstream release 2.20091117- Fixup nut policy- Update to upstream- Allow vpnc request the kernel to load modules- Fix minimum policy installs - Allow udev and rpcbind to request the kernel to load modules- Add plymouth policy - Allow local_login to sys_admin- Allow cupsd_config to read user tmp - Allow snmpd_t to signal itself - Allow sysstat_t to makedir in sysstat_log_t- Update rhcs policy- Allow users to exec restorecond- Allow sendmail to request kernel modules load- Fix all kernel_request_load_module domains- Fix all kernel_request_load_module domains- Remove allow_exec* booleans for confined users. Only available for unconfined_t- More fixes for sandbox_web_t- Allow sshd to create .ssh directory and content- Fix request_module line to module_request- Fix sandbox policy to allow it to run under firefox. - Dont audit leaks.- Fixes for sandbox- Update to upstream - Dontaudit nsplugin search /root - Dontaudit nsplugin sys_nice- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service - Remove policycoreutils-python requirement except for minimum- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files - Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)- Add wordpress/wp-content/uploads label - Fixes for sandbox when run from staff_t- Update to upstream - Fixes for devicekit_disk- More fixes- Lots of fixes for initrc and other unconfined domains- Allow xserver to use netlink_kobject_uevent_socket- Fixes for sandbox- Dontaudit setroubleshootfix looking at /root directory- Update to upsteam- Allow gssd to send signals to users - Fix duplicate label for apache content- Update to upstream- Remove polkit_auth on upgrades- Add back in unconfined.pp and unconfineduser.pp - Add Sandbox unshare- Fixes for cdrecord, mdadm, and others- Add capability setting to dhcpc and gpm- Allow cronjobs to read exim_spool_t- Add ABRT policy- Fix system-config-services policy- Allow libvirt to change user componant of virt_domain- Allow cupsd_config_t to be started by dbus - Add smoltclient policy- Add policycoreutils-python to pre install- Make all unconfined_domains permissive so we can see what AVC's happen- Add pt_chown policy- Add kdump policy for Miroslav Grepl - Turn off execstack boolean- Turn on execstack on a temporary basis (#512845)- Allow nsplugin to connecto the session bus - Allow samba_net to write to coolkey data- Allow devicekit_disk to list inotify- Allow svirt images to create sock_file in svirt_var_run_t- Allow exim to getattr on mountpoints - Fixes for pulseaudio- Allow svirt_t to stream_connect to virtd_t- Allod hald_dccm_t to create sock_files in /tmp- More fixes from upstream- Fix polkit label - Remove hidebrokensymptoms for nss_ldap fix - Add modemmanager policy - Lots of merges from upstream - Begin removing textrel_shlib_t labels, from fixed libraries- Update to upstream- Allow certmaster to override dac permissions- Update to upstream- Fix context for VirtualBox- Update to upstream- Allow clamscan read amavis spool files- Fixes for xguest- fix multiple directory ownership of mandirs- Update to upstream- Add rules for rtkit-daemon- Update to upstream - Fix nlscd_stream_connect- Add rtkit policy- Allow rpcd_t to stream connect to rpcbind- Allow kpropd to create tmp files- Fix last duplicate /var/log/rpmpkgs- Update to upstream * add sssd- Update to upstream * cleanup- Update to upstream - Additional mail ports - Add virt_use_usb boolean for svirt- Fix mcs rules to include chr_file and blk_file- Add label for udev-acl- Additional rules for consolekit/udev, privoxy and various other fixes- New version for upstream- Allow NetworkManager to read inotifyfs- Allow setroubleshoot to run mlocate- Update to upstream- Add fish as a shell - Allow fprintd to list usbfs_t - Allow consolekit to search mountpoints - Add proper labeling for shorewall- New log file for vmware - Allow xdm to setattr on user_tmp_t- Upgrade to upstream- Allow fprintd to access sys_ptrace - Add sandbox policy- Add varnishd policy- Fixes for kpropd- Allow brctl to r/w tun_tap_device_t- Add /usr/share/selinux/packages- Allow rpcd_t to send signals to kernel threads- Fix upgrade for F10 to F11- Add policy for /var/lib/fprint-Remove duplicate line- Allow svirt to manage pci and other sysfs device data- Fix package selection handling- Fix /sbin/ip6tables-save context - Allod udev to transition to mount - Fix loading of mls policy file- Add shorewall policy- Additional rules for fprintd and sssd- Allow nsplugin to unix_read unix_write sem for unconfined_java- Fix uml files to be owned by users- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less- Allow confined users to manage virt_content_t, since this is home dir content - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection- Fix labeling on /var/lib/misc/prelink* - Allow xserver to rw_shm_perms with all x_clients - Allow prelink to execute files in the users home directory- Allow initrc_t to delete dev_null - Allow readahead to configure auditing - Fix milter policy - Add /var/lib/readahead- Update to latest milter code from Paul Howarth- Additional perms for readahead- Allow pulseaudio to acquire_svc on session bus - Fix readahead labeling- Allow sysadm_t to run rpm directly - libvirt needs fowner- Allow sshd to read var_lib symlinks for freenx- Allow nsplugin unix_read and write on users shm and sem - Allow sysadm_t to execute su- Dontaudit attempts to getattr user_tmpfs_t by lvm - Allow nfs to share removable media- Add ability to run postdrop from confined users- Fixes for podsleuth- Turn off nsplugin transition - Remove Konsole leaked file descriptors for release- Allow cupsd_t to create link files in print_spool_t - Fix iscsi_stream_connect typo - Fix labeling on /etc/acpi/actions - Don't reinstall unconfine and unconfineuser on upgrade if they are not installed- Allow audioentroy to read etc files- Add fail2ban_var_lib_t - Fixes for devicekit_power_t- Separate out the ucnonfined user from the unconfined.pp package- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.- Upgrade to latest upstream - Allow devicekit_disk sys_rawio- Dontaudit binds to ports < 1024 for named - Upgrade to latest upstream- Allow podsleuth to use tmpfs files- Add customizable_types for svirt- Allow setroubelshoot exec* privs to prevent crash from bad libraries - add cpufreqselector- Dontaudit listing of /root directory for cron system jobs- Fix missing ld.so.cache label- Add label for ~/.forward and /root/.forward- Fixes for svirt- Fixes to allow svirt read iso files in homedir- Add xenner and wine fixes from mgrepl- Allow mdadm to read/write mls override- Change to svirt to only access svirt_image_t- Fix libvirt policy- Upgrade to latest upstream- Fixes for iscsid and sssd - More cleanups for upgrade from F10 to Rawhide.- Add pulseaudio, sssd policy - Allow networkmanager to exec udevadm- Add pulseaudio context- Upgrade to latest patches- Fixes for libvirt- Update to Latest upstream- Fix setrans.conf to show SystemLow for s0- Further confinement of qemu images via svirt- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild- Allow NetworkManager to manage /etc/NetworkManager/system-connections- add virtual_image_context and virtual_domain_context files- Allow rpcd_t to send signal to mount_t - Allow libvirtd to run ranged- Fix sysnet/net_conf_t- Fix squidGuard labeling- Re-add corenet_in_generic_if(unlabeled_t)* Tue Feb 10 2009 Dan Walsh 3.6.5-2 - Add git web policy- Add setrans contains from upstream- Do transitions outside of the booleans- Allow xdm to create user_tmp_t sockets for switch user to work- Fix staff_t domain- Grab remainder of network_peer_controls patch- More fixes for devicekit- Upgrade to latest upstream- Add boolean to disallow unconfined_t login- Add back transition from xguest to mozilla- Add virt_content_ro_t and labeling for isos directory- Fixes for wicd daemon- More mls/rpm fixes- Add policy to make dbus/nm-applet work- Remove polgen-ifgen from post and add trigger to policycoreutils-python- Add wm policy - Make mls work in graphics mode- Fixed for DeviceKit- Add devicekit policy- Update to upstream- Define openoffice as an x_domain- Fixes for reading xserver_tmp_t- Allow cups_pdf_t write to nfs_t- Remove audio_entropy policy- Update to upstream- Allow hal_acl_t to getattr/setattr fixed_disk- Change userdom_read_all_users_state to include reading symbolic links in /proc- Fix dbus reading /proc information- Add missing alias for home directory content- Fixes for IBM java location- Allow unconfined_r unconfined_java_t- Add cron_role back to user domains- Fix sudo setting of user keys- Allow iptables to talk to terminals - Fixes for policy kit - lots of fixes for booting.- Cleanup policy- Rebuild for Python 2.6- Fix labeling on /var/spool/rsyslog- Allow postgresl to bind to udp nodes- Allow lvm to dbus chat with hal - Allow rlogind to read nfs_t- Fix cyphesis file context- Allow hal/pm-utils to look at /var/run/video.rom - Add ulogd policy- Additional fixes for cyphesis - Fix certmaster file context - Add policy for system-config-samba - Allow hal to read /var/run/video.rom- Allow dhcpc to restart ypbind - Fixup labeling in /var/run- Add certmaster policy- Fix confined users - Allow xguest to read/write xguest_dbusd_t- Allow openoffice execstack/execmem privs- Allow mozilla to run with unconfined_execmem_t- Dontaudit domains trying to write to .xsession-errors- Allow nsplugin to look at autofs_t directory- Allow kerneloops to create tmp files- More alias for fastcgi- Remove mod_fcgid-selinux package- Fix dovecot access- Policy cleanup- Remove Multiple spec - Add include - Fix makefile to not call per_role_expansion- Fix labeling of libGL- Update to upstream- Update to upstream policy- Fixes for confined xwindows and xdm_t- Allow confined users and xdm to exec wm - Allow nsplugin to talk to fifo files on nfs- Allow NetworkManager to transition to avahi and iptables - Allow domains to search other domains keys, coverup kernel bug- Fix labeling for oracle- Allow nsplugin to comminicate with xdm_tmp_t sock_file- Change all user tmpfs_t files to be labeled user_tmpfs_t - Allow radiusd to create sock_files- Upgrade to upstream- Allow confined users to login with dbus- Fix transition to nsplugin- Add file context for /dev/mspblk.*- Fix transition to nsplugin '- Fix labeling on new pm*log - Allow ssh to bind to all nodes- Merge upstream changes - Add Xavier Toth patches- Add qemu_cache_t for /var/cache/libvirt- Remove gamin policy- Add tinyxs-max file system support- Update to upstream - New handling of init scripts- Allow pcsd to dbus - Add memcache policy- Allow audit dispatcher to kill his children- Update to upstream - Fix crontab use by unconfined user- Allow ifconfig_t to read dhcpc_state_t- Update to upstream- Update to upstream- Allow system-config-selinux to work with policykit- Fix novel labeling- Consolodate pyzor,spamassassin, razor into one security domain - Fix xdm requiring additional perms.- Fixes for logrotate, alsa- Eliminate vbetool duplicate entry- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t - Change dhclient to be able to red networkmanager_var_run- Update to latest refpolicy - Fix libsemanage initial install bug- Add inotify support to nscd- Allow unconfined_t to setfcap- Allow amanda to read tape - Allow prewikka cgi to use syslog, allow audisp_t to signal cgi - Add support for netware file systems- Allow ypbind apps to net_bind_service- Allow all system domains and application domains to append to any log file- Allow gdm to read rpm database - Allow nsplugin to read mplayer config files- Allow vpnc to run ifconfig- Allow confined users to use postgres - Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server- Apply unconfined_execmem_exec_t to haskell programs- Fix prelude file context- allow hplip to talk dbus - Fix context on ~/.local dir- Prevent applications from reading x_device- Add /var/lib/selinux context- Update to upstream- Add livecd policy- Dontaudit search of admin_home for init_system_domain - Rewrite of xace interfaces - Lots of new fs_list_inotify - Allow livecd to transition to setfiles_mac- Begin XAce integration- Merge Upstream- Allow amanada to create data files- Fix initial install, semanage setup- Allow system_r for httpd_unconfined_script_t- Remove dmesg boolean - Allow user domains to read/write game data- Change unconfined_t to transition to unconfined_mono_t when running mono - Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work- Remove old booleans from targeted-booleans.conf file- Add boolean to mmap_zero - allow tor setgid - Allow gnomeclock to set clock- Don't run crontab from unconfined_t- Change etc files to config files to allow users to read them- Lots of fixes for confined domains on NFS_t homedir- dontaudit mrtg reading /proc - Allow iscsi to signal itself - Allow gnomeclock sys_ptrace- Allow dhcpd to read kernel network state- Label /var/run/gdm correctly - Fix unconfined_u user creation- Allow transition from initrc_t to getty_t- Allow passwd to communicate with user sockets to change gnome-keyring- Fix initial install- Allow radvd to use fifo_file - dontaudit setfiles reading links - allow semanage sys_resource - add allow_httpd_mod_auth_ntlm_winbind boolean - Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set- Allow nsplugin to read /etc/mozpluggerrc, user_fonts - Allow syslog to manage innd logs. - Allow procmail to ioctl spamd_exec_t- Allow initrc_t to dbus chat with consolekit.- Additional access for nsplugin - Allow xdm setcap/getcap until pulseaudio is fixed- Allow mount to mkdir on tmpfs - Allow ifconfig to search debugfs- Fix file context for MATLAB - Fixes for xace- Allow stunnel to transition to inetd children domains - Make unconfined_dbusd_t an unconfined domain- Fixes for qemu/virtd- Fix bug in mozilla policy to allow xguest transition - This will fix the libsemanage.dbase_llist_query: could not find record value libsemanage.dbase_llist_query: could not query record value (No such file or directory) bug in xguest- Allow nsplugin to run acroread- Add cups_pdf policy - Add openoffice policy to run in xguest- prewika needs to contact mysql - Allow syslog to read system_map files- Change init_t to an unconfined_domain- Allow init to transition to initrc_t on shell exec. - Fix init to be able to sendto init_t. - Allow syslog to connect to mysql - Allow lvm to manage its own fifo_files - Allow bugzilla to use ldap - More mls fixes- fixes for init policy (#436988) - fix build- Additional changes for MLS policy- Fix initrc_context generation for MLS- Fixes for libvirt- Allow bitlebee to read locale_t- More xselinux rules- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t- Prepare policy for beta release - Change some of the system domains back to unconfined - Turn on some of the booleans- Allow nsplugin_config execstack/execmem - Allow nsplugin_t to read alsa config - Change apache to use user content- Add cyphesis policy- Fix Makefile.devel to build mls modules - Fix qemu to be more specific on labeling- Update to upstream fixes- Allow staff to mounton user_home_t- Add xace support- Add fusectl file system- Fixes from yum-cron - Update to latest upstream- Fix userdom_list_user_files- Merge with upstream- Allow udev to send audit messages- Add additional login users interfaces - userdom_admin_login_user_template(staff)- More fixes for polkit- Eliminate transition from unconfined_t to qemu by default - Fixes for gpg- Update to upstream- Fixes for staff_t- Add policy for kerneloops - Add policy for gnomeclock- Fixes for libvirt- Fixes for nsplugin- More fixes for qemu- Additional ports for vnc and allow qemu and libvirt to search all directories- Update to upstream - Add libvirt policy - add qemu policy- Allow fail2ban to create a socket in /var/run- Allow allow_httpd_mod_auth_pam to work- Add audisp policy and prelude- Allow all user roles to executae samba net command- Allow usertypes to read/write noxattr file systems- Fix nsplugin to allow flashplugin to work in enforcing mode- Allow pam_selinux_permit to kill all processes- Allow ptrace or user processes by users of same type - Add boolean for transition to nsplugin- Allow nsplugin sys_nice, getsched, setsched- Allow login programs to talk dbus to oddjob- Add procmail_log support - Lots of fixes for munin- Allow setroubleshoot to read policy config and send audit messages- Allow users to execute all files in homedir, if boolean set - Allow mount to read samba config- Fixes for xguest to run java plugin- dontaudit pam_t and dbusd writing to user_home_t- Update gpg to allow reading of inotify- Change user and staff roles to work correctly with varied perms- Fix munin log, - Eliminate duplicate mozilla file context - fix wpa_supplicant spec- Fix role transition from unconfined_r to system_r when running rpm - Allow unconfined_domains to communicate with user dbus instances- Fixes for xguest- Let all uncofined domains communicate with dbus unconfined- Run rpm in system_r- Zero out customizable types- Fix definiton of admin_home_t- Fix munin file context- Allow cron to run unconfined apps- Modify default login to unconfined_u- Dontaudit dbus user client search of /root- Update to upstream- Fixes for polkit - Allow xserver to ptrace- Add polkit policy - Symplify userdom context, remove automatic per_role changes- Update to upstream - Allow httpd_sys_script_t to search users homedirs- Allow rpm_script to transition to unconfined_execmem_t- Remove user based home directory separation- Remove user specific crond_t- Merge with upstream - Allow xsever to read hwdata_t - Allow login programs to setkeycreate- Update to upstream- Update to upstream- Allow XServer to read /proc/self/cmdline - Fix unconfined cron jobs - Allow fetchmail to transition to procmail - Fixes for hald_mac - Allow system_mail to transition to exim - Allow tftpd to upload files - Allow xdm to manage unconfined_tmp - Allow udef to read alsa config - Fix xguest to be able to connect to sound port- Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir - dontaudit rhgb writes to fonts and root- Fix dnsmasq - Allow rshd full login privs- Allow rshd to connect to ports > 1023- Fix vpn to bind to port 4500 - Allow ssh to create shm - Add Kismet policy- Allow rpm to chat with networkmanager- Fixes for ipsec and exim mail - Change default to unconfined user- Pass the UNK_PERMS param to makefile - Fix gdm location- Make alsa work- Fixes for consolekit and startx sessions- Dontaudit consoletype talking to unconfined_t- Remove homedir_template- Check asound.state- Fix exim policy- Allow tmpreadper to read man_t - Allow racoon to bind to all nodes - Fixes for finger print reader- Allow xdm to talk to input device (fingerprint reader) - Allow octave to run as java- Allow login programs to set ioctl on /proc- Allow nsswitch apps to read samba_var_t- Fix maxima- Eliminate rpm_t:fifo_file avcs - Fix dbus path for helper app- Fix service start stop terminal avc's- Allow also to search var_lib - New context for dbus launcher- Allow cupsd_config_t to read/write usb_device_t - Support for finger print reader, - Many fixes for clvmd - dbus starting networkmanager- Fix java and mono to run in xguest account- Fix to add xguest account when inititial install - Allow mono, java, wine to run in userdomains- Allow xserver to search devpts_t - Dontaudit ldconfig output to homedir- Remove hplip_etc_t change back to etc_t.- Allow cron to search nfs and samba homedirs- Allow NetworkManager to dbus chat with yum-updated- Allow xfs to bind to port 7100- Allow newalias/sendmail dac_override - Allow bind to bind to all udp ports- Turn off direct transition- Allow wine to run in system role- Fix java labeling- Define user_home_type as home_type- Allow sendmail to create etc_aliases_t- Allow login programs to read symlinks on homedirs- Update an readd modules- Cleanup spec file- Allow xserver to be started by unconfined process and talk to tty- Upgrade to upstream to grab postgressql changes- Add setransd for mls policy- Add ldconfig_cache_t- Allow sshd to write to proc_t for afs login- Allow xserver access to urand- allow dovecot to search mountpoints- Fix Makefile for building policy modules- Fix dhcpc startup of service- Fix dbus chat to not happen for xguest and guest users- Fix nagios cgi - allow squid to communicate with winbind- Fixes for ldconfig- Update from upstream- Add nasd support- Fix new usb devices and dmfm- Eliminate mount_ntfs_t policy, merge into mount_t- Allow xserver to write to ramfs mounted by rhgb- Add context for dbus machine id- Update with latest changes from upstream- Fix prelink to handle execmod- Add ntpd_key_t to handle secret data- Add anon_inodefs - Allow unpriv user exec pam_exec_t - Fix trigger- Allow cups to use generic usb - fix inetd to be able to run random apps (git)- Add proper contexts for rsyslogd- Fixes for xguest policy- Allow execution of gconf- Fix moilscanner update problem- Begin adding policy to separate setsebool from semanage - Fix xserver.if definition to not break sepolgen.if- Add new devices- Add brctl policy- Fix root login to include system_r- Allow prelink to read kernel sysctls- Default to user_u:system_r:unconfined_t- fix squid - Fix rpm running as uid- Fix syslog declaration- Allow avahi to access inotify - Remove a lot of bogus security_t:filesystem avcs- Remove ifdef strict policy from upstream- Remove ifdef strict to allow user_u to login- Fix for amands - Allow semanage to read pp files - Allow rhgb to read xdm_xserver_tmp- Allow kerberos servers to use ldap for backing store- allow alsactl to read kernel state- More fixes for alsactl - Transition from hal and modutils - Fixes for suspend resume. - insmod domtrans to alsactl - insmod writes to hal log- Allow unconfined_t to transition to NetworkManager_t - Fix netlabel policy- Update to latest from upstream- Update to latest from upstream- Update to latest from upstream- Allow pcscd_t to send itself signals- Fixes for unix_update - Fix logwatch to be able to search all dirs- Upstream bumped the version- Allow consolekit to syslog - Allow ntfs to work with hal- Allow iptables to read etc_runtime_t- MLS Fixes- Fix path of /etc/lvm/cache directory - Fixes for alsactl and pppd_t - Fixes for consolekit- Allow insmod_t to mount kvmfs_t filesystems- Rwho policy - Fixes for consolekit- fixes for fusefs- Fix samba_net to allow it to view samba_var_t- Update to upstream- Fix Sonypic backlight - Allow snmp to look at squid_conf_t- Fixes for pyzor, cyrus, consoletype on everything installs- Fix hald_acl_t to be able to getattr/setattr on usb devices - Dontaudit write to unconfined_pipes for load_policy- Allow bluetooth to read inotifyfs- Fixes for samba domain controller. - Allow ConsoleKit to look at ttys- Fix interface call- Allow syslog-ng to read /var - Allow locate to getattr on all filesystems - nscd needs setcap- Update to upstream- Allow samba to run groupadd- Update to upstream- Allow mdadm to access generic scsi devices- Fix labeling on udev.tbl dirs- Fixes for logwatch- Add fusermount and mount_ntfs policy- Update to upstream - Allow saslauthd to use kerberos keytabs- Fixes for samba_var_t- Allow networkmanager to setpgid - Fixes for hal_acl_t- Remove disable_trans booleans - hald_acl_t needs to talk to nscd- Fix prelink to be able to manage usr dirs.- Allow insmod to launch init scripts- Remove setsebool policy- Fix handling of unlabled_t packets- More of my patches from upstream- Update to latest from upstream - Add fail2ban policy- Update to remove security_t:filesystem getattr problems- Policy for consolekit- Update to latest from upstream- Revert Nemiver change - Set sudo as a corecmd so prelink will work, remove sudoedit mapping, since this will not work, it does not transition. - Allow samba to execute useradd- Upgrade to the latest from upstream- Add sepolgen support - Add bugzilla policy- Fix file context for nemiver- Remove include sym link- Allow mozilla, evolution and thunderbird to read dev_random. Resolves: #227002 - Allow spamd to connect to smtp port Resolves: #227184 - Fixes to make ypxfr work Resolves: #227237- Fix ssh_agent to be marked as an executable - Allow Hal to rw sound device- Fix spamassisin so crond can update spam files - Fixes to allow kpasswd to work - Fixes for bluetooth- Remove some targeted diffs in file context file- Fix squid cachemgr labeling- Add ability to generate webadm_t policy - Lots of new interfaces for httpd - Allow sshd to login as unconfined_t- Continue fixing, additional user domains- Begin adding user confinement to targeted policy- Fixes for prelink, ktalkd, netlabel- Allow prelink when run from rpm to create tmp files Resolves: #221865 - Remove file_context for exportfs Resolves: #221181 - Allow spamassassin to create ~/.spamassissin Resolves: #203290 - Allow ssh access to the krb tickets - Allow sshd to change passwd - Stop newrole -l from working on non securetty Resolves: #200110 - Fixes to run prelink in MLS machine Resolves: #221233 - Allow spamassassin to read var_lib_t dir Resolves: #219234- fix mplayer to work under strict policy - Allow iptables to use nscd Resolves: #220794- Add gconf policy and make it work with strict- Many fixes for strict policy and by extension mls.- Fix to allow ftp to bind to ports > 1024 Resolves: #219349- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t Resolves: #219421 - Allow sysadm_lpr_t to manage other print spool jobs Resolves: #220080- allow automount to setgid Resolves: #219999- Allow cron to polyinstatiate - Fix creation of boot flags Resolves: #207433- Fixes for irqbalance Resolves: #219606- Fix vixie-cron to work on mls Resolves: #207433Resolves: #218978- Allow initrc to create files in /var directories Resolves: #219227- More fixes for MLS Resolves: #181566- More Fixes polyinstatiation Resolves: #216184- More Fixes polyinstatiation - Fix handling of keyrings Resolves: #216184- Fix polyinstatiation - Fix pcscd handling of terminal Resolves: #218149 Resolves: #218350- More fixes for quota Resolves: #212957- ncsd needs to use avahi sockets Resolves: #217640 Resolves: #218014- Allow login programs to polyinstatiate homedirs Resolves: #216184 - Allow quotacheck to create database files Resolves: #212957- Dontaudit appending hal_var_lib files Resolves: #217452 Resolves: #217571 Resolves: #217611 Resolves: #217640 Resolves: #217725- Fix context for helix players file_context #216942- Fix load_policy to be able to mls_write_down so it can talk to the terminal- Fixes for hwclock, clamav, ftp- Move to upstream version which accepted my patches- Fixes for nvidia driver- Allow semanage to signal mcstrans- Update to upstream- Allow modstorage to edit /etc/fstab file- Fix for qemu, /dev/- Fix path to realplayer.bin- Allow xen to connect to xen port- Allow cups to search samba_etc_t directory - Allow xend_t to list auto_mountpoints- Allow xen to search automount- Fix spec of jre files- Fix unconfined access to shadow file- Allow xend to create files in xen_image_t directories- Fixes for /var/lib/hal- Remove ability for sysadm_t to look at audit.log- Fix rpc_port_types - Add aide policy for mls- Merge with upstream- Lots of fixes for ricci- Allow xen to read/write fixed devices with a boolean - Allow apache to search /var/log- Fix policygentool specfile problem. - Allow apache to send signals to it's logging helpers. - Resolves: rhbz#212731- Add perms for swat- Add perms for swat- Allow daemons to dump core files to /- Fixes for ricci- Allow mount.nfs to work- Allow ricci-modstorage to look at lvm_etc_t- Fixes for ricci using saslauthd- Allow mountpoint on home_dir_t and home_t- Update xen to read nfs files- Allow noxattrfs to associate with other noxattrfs- Allow hal to use power_device_t- Allow procemail to look at autofs_t - Allow xen_image_t to work as a fixed device- Refupdate from upstream- Add lots of fixes for mls cups- Lots of fixes for ricci- Fix number of cats- Update to upstream- More iSCSI changes for #209854- Test ISCSI fixes for #209854- allow semodule to rmdir selinux_config_t dir- Fix boot_runtime_t problem on ppc. Should not be creating these files.- Fix context mounts on reboot - Fix ccs creation of directory in /var/log- Update for tallylog- Allow xend to rewrite dhcp conf files - Allow mgetty sys_admin capability- Make xentapctrl work- Don't transition unconfined_t to bootloader_t - Fix label in /dev/xen/blktap- Patch for labeled networking- Fix crond handling for mls- Update to upstream- Remove bluetooth-helper transition - Add selinux_validate for semanage - Require new version of libsemanage- Fix prelink- Fix rhgb- Fix setrans handling on MLS and useradd- Support for fuse - fix vigr- Fix dovecot, amanda - Fix mls- Allow java execheap for itanium- Update with upstream- mls fixes- Update from upstream- More fixes for mls - Revert change on automount transition to mount- Fix cron jobs to run under the correct context- Fixes to make pppd work- Multiple policy fixes - Change max categories to 1023- Fix transition on mcstransd- Add /dev/em8300 defs- Upgrade to upstream- Fix ppp connections from network manager- Add tty access to all domains boolean - Fix gnome-pty-helper context for ia64- Fixed typealias of firstboot_rw_t- Fix location of xel log files - Fix handling of sysadm_r -> rpm_exec_t- Fixes for autofs, lp- Update from upstream- Fixup for test6- Update to upstream- Update to upstream- Fix suspend to disk problems- Lots of fixes for restarting daemons at the console.- Fix audit line - Fix requires line- Upgrade to upstream- Fix install problems- Allow setroubleshoot to getattr on all dirs to gather RPM data- Set /usr/lib/ia32el/ia32x_loader to unconfined_execmem_exec_t for ia32 platform - Fix spec for /dev/adsp- Fix xen tty devices- Fixes for setroubleshoot- Update to upstream- Fixes for stunnel and postgresql - Update from upstream- Update from upstream - More java fixes- Change allow_execstack to default to on, for RHEL5 Beta. This is required because of a Java compiler problem. Hope to turn off for next beta- Misc fixes- More fixes for strict policy- Quiet down anaconda audit messages- Fix setroubleshootd- Update to the latest from upstream- More fixes for xen- Fix anaconda transitions- yet more xen rules- more xen rules- Fixes for Samba- Fixes for xen- Allow setroubleshootd to send mail- Add nagios policy- fixes for setroubleshoot- Added Paul Howarth patch to only load policy packages shipped with this package - Allow pidof from initrc to ptrace higher level domains - Allow firstboot to communicate with hal via dbus- Add policy for /var/run/ldapi- Fix setroubleshoot policy- Fixes for mls use of ssh - named has a new conf file- Fixes to make setroubleshoot work- Cups needs to be able to read domain state off of printer client- add boolean to allow zebra to write config files- setroubleshootd fixes- Allow prelink to read bin_t symlink - allow xfs to read random devices - Change gfs to support xattr- Remove spamassassin_can_network boolean- Update to upstream - Fix lpr domain for mls- Add setroubleshoot policy- Turn off auditallow on setting booleans- Multiple fixes- Update to upstream- Update to upstream - Add new class for kernel key ring- Update to upstream- Update to upstream- Break out selinux-devel package- Add ibmasmfs- Fix policygentool gen_requires- Update from Upstream- Fix spec of realplay- Update to upstream- Fix semanage- Allow useradd to create_home_dir in MLS environment- Update from upstream- Update from upstream- Add oprofilefs- Fix for hplip and Picasus- Update to upstream- Update to upstream- fixes for spamd- fixes for java, openldap and webalizer- Xen fixes- Upgrade to upstream- allow hal to read boot_t files - Upgrade to upstream- allow hal to read boot_t files- Update from upstream- Fixes for amavis- Update from upstream- Allow auditctl to search all directories- Add acquire service for mono.- Turn off allow_execmem boolean - Allow ftp dac_override when allowed to access users homedirs- Clean up spec file - Transition from unconfined_t to prelink_t- Allow execution of cvs command- Update to upstream- Update to upstream- Fix libjvm spec- Update to upstream- Add xm policy - Fix policygentool- Update to upstream - Fix postun to only disable selinux on full removal of the packages- Allow mono to chat with unconfined- Allow procmail to sendmail - Allow nfs to share dosfs- Update to latest from upstream - Allow selinux-policy to be removed and kernel not to crash- Update to latest from upstream - Add James Antill patch for xen - Many fixes for pegasus- Add unconfined_mount_t - Allow privoxy to connect to httpd_cache - fix cups labeleing on /var/cache/cups- Update to latest from upstream- Update to latest from upstream - Allow mono and unconfined to talk to initrc_t dbus objects- Change libraries.fc to stop shlib_t form overriding texrel_shlib_t- Fix samba creating dirs in homedir - Fix NFS so its booleans would work- Allow secadm_t ability to relabel all files - Allow ftp to search xferlog_t directories - Allow mysql to communicate with ldap - Allow rsync to bind to rsync_port_t- Fixed mailman with Postfix #183928 - Allowed semanage to create file_context files. - Allowed amanda_t to access inetd_t TCP sockets and allowed amanda_recover_t to bind to reserved ports. #149030 - Don't allow devpts_t to be associated with tmp_t. - Allow hald_t to stat all mountpoints. - Added boolean samba_share_nfs to allow smbd_t full access to NFS mounts. - Make mount run in mount_t domain from unconfined_t to prevent mislabeling of /etc/mtab. - Changed the file_contexts to not have a regex before the first ^/[a-z]/ whenever possible, makes restorecon slightly faster. - Correct the label of /etc/named.caching-nameserver.conf - Now label /usr/src/kernels/.+/lib(/.*)? as usr_t instead of /usr/src(/.*)?/lib(/.*)? - I don't think we need anything else under /usr/src hit by this. - Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed xenstored_t rw access to the xen device node.- More textrel_shlib_t file path fixes - Add ada support- Get auditctl working in MLS policy- Add mono dbus support - Lots of file_context fixes for textrel_shlib_t in FC5 - Turn off execmem auditallow since they are filling log files- Update to upstream- Allow automount and dbus to read cert files- Fix ftp policy - Fix secadm running of auditctl- Update to upstream- Update to upstream- Fix policyhelp- Fix pam_console handling of usb_device - dontaudit logwatch reading /mnt dir- Update to upstream- Get transition rules to create policy.20 at SystemHigh- Allow secadmin to shutdown system - Allow sendmail to exec newalias- MLS Fixes dmidecode needs mls_file_read_up - add ypxfr_t - run init needs access to nscd - udev needs setuid - another xen log file - Dontaudit mount getattr proc_kcore_t- fix buildroot usage (#185391)- Get rid of mount/fsdisk scan of /dev messages - Additional fixes for suspend/resume- Fake make to rebuild enableaudit.pp- Get xen networking running.- Fixes for Xen - enableaudit should not be the same as base.pp - Allow ps to work for all process- more xen policy fixups- more xen fixage (#184393)- Fix blkid specification - Allow postfix to execute mailman_que- Blkid changes - Allow udev access to usb_device_t - Fix post script to create targeted policy config file- Allow lvm tools to create drevice dir- Add Xen support- Fixes for cups - Make cryptosetup work with hal- Load Policy needs translock- Fix cups html interface- Add hal changes suggested by Jeremy - add policyhelp to point at policy html pages- Additional fixes for nvidia and cups- Update to upstream - Merged my latest fixes - Fix cups policy to handle unix domain sockets- NSCD socket is in nscd_var_run_t needs to be able to search dir- Fixes Apache interface file- Fixes for new version of cups- Turn off polyinstatiate util after FC5- Fix problem with privoxy talking to Tor- Turn on polyinstatiation- Don't transition from unconfined_t to fsadm_t- Fix policy update model.- Update to upstream- Fix load_policy to work on MLS - Fix cron_rw_system_pipes for postfix_postdrop_t - Allow audotmount to run showmount- Fix swapon - allow httpd_sys_script_t to be entered via a shell - Allow httpd_sys_script_t to read eventpolfs- Update from upstream- allow cron to read apache files- Fix vpnc policy to work from NetworkManager- Update to upstream - Fix semoudle polcy- Update to upstream - fix sysconfig/selinux link- Add router port for zebra - Add imaze port for spamd - Fixes for amanda and java- Fix bluetooth handling of usb devices - Fix spamd reading of ~/ - fix nvidia spec- Update to upsteam- Add users_extra files- Update to upstream- Add semodule policy- Update from upstream- Fix for spamd to use razor port- Fixes for mcs - Turn on mount and fsadm for unconfined_t- Fixes for the -devel package- Fix for spamd to use ldap- Update to upstream- Update to upstream - Fix rhgb, and other Xorg startups- Update to upstream- Separate out role of secadm for mls- Add inotifyfs handling- Update to upstream - Put back in changes for pup/zen- Many changes for MLS - Turn on strict policy- Update to upstream- Update to upstream - Fixes for booting and logging in on MLS machine- Update to upstream - Turn off execheap execstack for unconfined users - Add mono/wine policy to allow execheap and execstack for them - Add execheap for Xdm policy- Update to upstream - Fixes to fetchmail,- Update to upstream- Fix for procmail/spamassasin - Update to upstream - Add rules to allow rpcd to work with unlabeled_networks.- Update to upstream - Fix ftp Man page- Update to upstream- fix pup transitions (#177262) - fix xen disks (#177599)- Update to upstream- More Fixes for hal and readahead- Fixes for hal and readahead- Update to upstream - Apply- Add wine and fix hal problems- Handle new location of hal scripts- Allow su to read /etc/mtab- Update to upstream- Fix "libsemanage.parse_module_headers: Data did not represent a module." problem- Allow load_policy to read /etc/mtab- Fix dovecot to allow dovecot_auth to look at /tmp- Allow restorecon to read unlabeled_t directories in order to fix labeling.- Add Logwatch policy- Fix /dev/ub[a-z] file context- Fix library specification - Give kudzu execmem privs- Fix hostname in targeted policy- Fix passwd command on mls- Lots of fixes to make mls policy work- Add dri libs to textrel_shlib_t - Add system_r role for java - Add unconfined_exec_t for vncserver - Allow slapd to use kerberos- Add man pages- Add enableaudit.pp- Fix mls policy- Update mls file from old version- Add sids back in - Rebuild with update checkpolicy- Fixes to allow automount to use portmap - Fixes to start kernel in s0-s15:c0.c255- Add java unconfined/execmem policy- Add file context for /var/cvs - Dontaudit webalizer search of homedir- Update from upstream- Clean up spec - range_transition crond to SystemHigh- Fixes for hal - Update to upstream- Turn back on execmem since we need it for java, firefox, ooffice - Allow gpm to stream socket to itself- fix requirements to be on the actual packages so that policy can get created properly at install time- Allow unconfined_t to execmod texrel_shlib_t- Update to upstream - Turn off allow_execmem and allow_execmod booleans - Add tcpd and automount policies- Add two new httpd booleans, turned off by default * httpd_can_network_relay * httpd_can_network_connect_db- Add ghost for policy.20- Update to upstream - Turn off boolean allow_execstack- Change setrans-mls to use new libsetrans - Add default_context rule for xdm- Change Requires to PreReg for requiring of policycoreutils on install- New upstream releaseAdd xdm policyUpdate from upstreamUpdate from upstreamUpdate from upstream- Also trigger to rebuild policy for versions up to 2.0.7.- No longer installing policy.20 file, anaconda handles the building of the app.- Fixes for dovecot and saslauthd- Cleanup pegasus and named - Fix spec file - Fix up passwd changing applications-Update to latest from upstream- Add rules for pegasus and avahi- Start building MLS Policy- Update to upstream- Turn on bash- Initial version/bin/sh  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,,./0123456789:;<=>?@ABCDEFGHIJKL3.13.1-229.el7    develMakefileexample.fcexample.ifexample.tehtmlNetworkManager.htmlabrt.htmlabrt_dump_oops.htmlabrt_handle_event.htmlabrt_helper.htmlabrt_retrace_coredump.htmlabrt_retrace_worker.htmlabrt_upload_watch.htmlabrt_watch_log.htmlaccountsd.htmlacct.htmladmin_crontab.htmlafs.htmlafs_bosserver.htmlafs_fsserver.htmlafs_kaserver.htmlafs_ptserver.htmlafs_vlserver.htmlaiccu.htmlaide.htmlajaxterm.htmlajaxterm_ssh.htmlalsa.htmlamanda.htmlamanda_recover.htmlamtu.htmlanaconda.htmlanon_sftpd.htmlantivirus.htmlapcupsd.htmlapcupsd_cgi_script.htmlapm.htmlapmd.htmlarpwatch.htmlasterisk.htmlaudisp.htmlaudisp_remote.htmlauditadm.htmlauditadm_screen.htmlauditadm_su.htmlauditadm_sudo.htmlauditctl.htmlauditd.htmlauthconfig.htmlautomount.htmlavahi.htmlawstats.htmlawstats_script.htmlbacula.htmlbacula_admin.htmlbacula_unconfined_script.htmlbcfg2.htmlbitlbee.htmlblkmapd.htmlblktap.htmlblueman.htmlbluetooth.htmlbluetooth_helper.htmlboinc.htmlboinc_project.htmlbootloader.htmlbrctl.htmlbrltty.htmlbugzilla_script.htmlbumblebee.htmlcachefiles_kernel.htmlcachefilesd.htmlcalamaris.htmlcallweaver.htmlcanna.htmlcardmgr.htmlccs.htmlcdcc.htmlcdrecord.htmlcertmaster.htmlcertmonger.htmlcertmonger_unconfined.htmlcertwatch.htmlcfengine_execd.htmlcfengine_monitord.htmlcfengine_serverd.htmlcgclear.htmlcgconfig.htmlcgdcbxd.htmlcgred.htmlcheckpc.htmlcheckpolicy.htmlchfn.htmlchkpwd.htmlchrome_sandbox.htmlchrome_sandbox_nacl.htmlchronyc.htmlchronyd.htmlchroot_user.htmlcinder_api.htmlcinder_backup.htmlcinder_scheduler.htmlcinder_volume.htmlciped.htmlclogd.htmlcloud_init.htmlcluster.htmlclvmd.htmlcmirrord.htmlcobblerd.htmlcockpit_session.htmlcockpit_ws.htmlcollectd.htmlcollectd_script.htmlcolord.htmlcomsat.htmlcondor_collector.htmlcondor_master.htmlcondor_negotiator.htmlcondor_procd.htmlcondor_schedd.htmlcondor_startd.htmlcondor_startd_ssh.htmlconman.htmlconman_unconfined_script.htmlconsolekit.htmlcontainer.htmlcontainer_auth.htmlcontainer_runtime.htmlcouchdb.htmlcourier_authdaemon.htmlcourier_pcp.htmlcourier_pop.htmlcourier_sqwebmail.htmlcourier_tcpd.htmlcpucontrol.htmlcpufreqselector.htmlcpuplug.htmlcpuspeed.htmlcrack.htmlcrond.htmlcronjob.htmlcrontab.htmlctdbd.htmlcups_pdf.htmlcupsd.htmlcupsd_config.htmlcupsd_lpd.htmlcvs.htmlcvs_script.htmlcyphesis.htmlcyrus.htmldbadm.htmldbadm_sudo.htmldbskkd.htmldcc_client.htmldcc_dbclean.htmldccd.htmldccifd.htmldccm.htmldcerpcd.htmlddclient.htmldeltacloudd.htmldenyhosts.htmldepmod.htmldevicekit.htmldevicekit_disk.htmldevicekit_power.htmldhcpc.htmldhcpd.htmldictd.htmldirsrv.htmldirsrv_snmp.htmldirsrvadmin.htmldirsrvadmin_script.htmldirsrvadmin_unconfined_script.htmldisk_munin_plugin.htmldkim_milter.htmldlm_controld.htmldmesg.htmldmidecode.htmldnsmasq.htmldnssec_trigger.htmldovecot.htmldovecot_auth.htmldovecot_deliver.htmldrbd.htmldspam.htmldspam_script.htmlentropyd.htmleventlogd.htmlevtchnd.htmlexim.htmlfail2ban.htmlfail2ban_client.htmlfcoemon.htmlfenced.htmlfetchmail.htmlfingerd.htmlfirewalld.htmlfirewallgui.htmlfirstboot.htmlfoghorn.htmlfprintd.htmlfreeipmi_bmc_watchdog.htmlfreeipmi_ipmidetectd.htmlfreeipmi_ipmiseld.htmlfreqset.htmlfsadm.htmlfsdaemon.htmlftpd.htmlftpdctl.htmlgames.htmlgames_srv.htmlgconfd.htmlgconfdefaultsm.htmlgdomap.htmlgeoclue.htmlgetty.htmlgfs_controld.htmlgit_script.htmlgit_session.htmlgit_system.htmlgitosis.htmlglance_api.htmlglance_registry.htmlglance_scrubber.htmlglusterd.htmlgnomesystemmm.htmlgpg.htmlgpg_agent.htmlgpg_helper.htmlgpg_pinentry.htmlgpg_web.htmlgpm.htmlgpsd.htmlgreylist_milter.htmlgroupadd.htmlgroupd.htmlgssd.htmlgssproxy.htmlguest.htmlhaproxy.htmlhddtemp.htmlhostname.htmlhsqldb.htmlhttpd.htmlhttpd_helper.htmlhttpd_passwd.htmlhttpd_php.htmlhttpd_rotatelogs.htmlhttpd_suexec.htmlhttpd_sys_script.htmlhttpd_unconfined_script.htmlhttpd_user_script.htmlhwclock.htmlhwloc_dhwd.htmlhypervkvp.htmlhypervvssd.htmliceauth.htmlicecast.htmlifconfig.htmlindex.htmlinetd.htmlinetd_child.htmlinit.htmlinitrc.htmlinnd.htmlinsmod.htmlinstall.htmliodined.htmliotop.htmlipa_dnskey.htmlipa_helper.htmlipa_otpd.htmlipmievd.htmlipsec.htmlipsec_mgmt.htmliptables.htmlirc.htmlirqbalance.htmlirssi.htmliscsid.htmlisnsd.htmliwhd.htmljabberd.htmljabberd_router.htmljockey.htmljournalctl.htmlkadmind.htmlkdump.htmlkdumpctl.htmlkdumpgui.htmlkeepalived.htmlkeepalived_unconfined_script.htmlkernel.htmlkeyboardd.htmlkeystone.htmlkeystone_cgi_script.htmlkismet.htmlklogd.htmlkmscon.htmlkpropd.htmlkrb5kdc.htmlksmtuned.htmlktalkd.htmll2tpd.htmlldconfig.htmllircd.htmllivecd.htmllldpad.htmlload_policy.htmlloadkeys.htmllocal_login.htmllocate.htmllockdev.htmllogadm.htmllogrotate.htmllogrotate_mail.htmllogwatch.htmllogwatch_mail.htmllpd.htmllpr.htmllsassd.htmllsmd.htmllsmd_plugin.htmllttng_sessiond.htmllvm.htmllwiod.htmllwregd.htmllwsmd.htmlmail_munin_plugin.htmlmailman_cgi.htmlmailman_mail.htmlmailman_queue.htmlman2html_script.htmlmandb.htmlmcelog.htmlmdadm.htmlmediawiki_script.htmlmemcached.htmlmencoder.htmlminidlna.htmlminissdpd.htmlmip6d.htmlmirrormanager.htmlmock.htmlmock_build.htmlmodemmanager.htmlmojomojo_script.htmlmon_procd.htmlmon_statd.htmlmongod.htmlmotion.htmlmount.htmlmount_ecryptfs.htmlmozilla.htmlmozilla_plugin.htmlmozilla_plugin_config.htmlmpd.htmlmplayer.htmlmrtg.htmlmscan.htmlmunin.htmlmunin_script.htmlmysqld.htmlmysqld_safe.htmlmysqlmanagerd.htmlmythtv_script.htmlnagios.htmlnagios_admin_plugin.htmlnagios_checkdisk_plugin.htmlnagios_eventhandler_plugin.htmlnagios_mail_plugin.htmlnagios_openshift_plugin.htmlnagios_script.htmlnagios_services_plugin.htmlnagios_system_plugin.htmlnagios_unconfined_plugin.htmlnamed.htmlnamespace_init.htmlncftool.htmlndc.htmlnetlabel_mgmt.htmlnetlogond.htmlnetutils.htmlneutron.htmlnewrole.htmlnfsd.htmlninfod.htmlnmbd.htmlnova.htmlnrpe.htmlnscd.htmlnsd.htmlnsd_crond.htmlnslcd.htmlntop.htmlntpd.htmlnumad.htmlnut_upsd.htmlnut_upsdrvctl.htmlnut_upsmon.htmlnutups_cgi_script.htmlnx_server.htmlnx_server_ssh.htmlobex.htmloddjob.htmloddjob_mkhomedir.htmlopenct.htmlopendnssec.htmlopenhpid.htmlopenshift.htmlopenshift_app.htmlopenshift_cgroup_read.htmlopenshift_cron.htmlopenshift_initrc.htmlopenshift_net_read.htmlopenshift_script.htmlopensm.htmlopenvpn.htmlopenvpn_unconfined_script.htmlopenvswitch.htmlopenwsman.htmloracleasm.htmlosad.htmlpads.htmlpam_console.htmlpam_timestamp.htmlpassenger.htmlpasswd.htmlpcp_pmcd.htmlpcp_pmie.htmlpcp_pmlogger.htmlpcp_pmmgr.htmlpcp_pmproxy.htmlpcp_pmwebd.htmlpcscd.htmlpegasus.htmlpegasus_openlmi_account.htmlpegasus_openlmi_admin.htmlpegasus_openlmi_logicalfile.htmlpegasus_openlmi_services.htmlpegasus_openlmi_storage.htmlpegasus_openlmi_system.htmlpegasus_openlmi_unconfined.htmlpesign.htmlphc2sys.htmlping.htmlpingd.htmlpiranha_fos.htmlpiranha_lvs.htmlpiranha_pulse.htmlpiranha_web.htmlpkcs_slotd.htmlpki_ra.htmlpki_tomcat.htmlpki_tomcat_script.htmlpki_tps.htmlplymouth.htmlplymouthd.htmlpodsleuth.htmlpolicykit.htmlpolicykit_auth.htmlpolicykit_grant.htmlpolicykit_resolve.htmlpolipo.htmlpolipo_session.htmlportmap.htmlportmap_helper.htmlportreserve.htmlpostfix_bounce.htmlpostfix_cleanup.htmlpostfix_local.htmlpostfix_map.htmlpostfix_master.htmlpostfix_pickup.htmlpostfix_pipe.htmlpostfix_postdrop.htmlpostfix_postqueue.htmlpostfix_qmgr.htmlpostfix_showq.htmlpostfix_smtp.htmlpostfix_smtpd.htmlpostfix_virtual.htmlpostgresql.htmlpostgrey.htmlpppd.htmlpptp.htmlprelink.htmlprelink_cron_system.htmlprelude.htmlprelude_audisp.htmlprelude_correlator.htmlprelude_lml.htmlpreupgrade.htmlprewikka_script.htmlprivoxy.htmlprocmail.htmlprosody.htmlpsad.htmlptal.htmlptchown.htmlptp4l.htmlpublicfile.htmlpulseaudio.htmlpuppetagent.htmlpuppetca.htmlpuppetmaster.htmlpwauth.htmlpyicqt.htmlqdiskd.htmlqemu_dm.htmlqmail_clean.htmlqmail_inject.htmlqmail_local.htmlqmail_lspawn.htmlqmail_queue.htmlqmail_remote.htmlqmail_rspawn.htmlqmail_send.htmlqmail_smtpd.htmlqmail_splogger.htmlqmail_start.htmlqmail_tcp_env.htmlqpidd.htmlquota.htmlquota_nld.htmlrabbitmq.htmlracoon.htmlradiusd.htmlradvd.htmlrasdaemon.htmlrdisc.htmlreadahead.htmlrealmd.htmlrealmd_consolehelper.htmlredis.htmlregex_milter.htmlremote_login.htmlrestorecond.htmlrhev_agentd.htmlrhev_agentd_consolehelper.htmlrhgb.htmlrhnsd.htmlrhsmcertd.htmlricci.htmlricci_modcluster.htmlricci_modclusterd.htmlricci_modlog.htmlricci_modrpm.htmlricci_modservice.htmlricci_modstorage.htmlrlogind.htmlrngd.htmlroundup.htmlrpcbind.htmlrpcd.htmlrpm.htmlrpm_script.htmlrshd.htmlrssh.htmlrssh_chroot_helper.htmlrsync.htmlrtas_errd.htmlrtkit_daemon.htmlrun_init.htmlrwho.htmlsamba_net.htmlsamba_unconfined_net.htmlsamba_unconfined_script.htmlsambagui.htmlsandbox.htmlsandbox_min.htmlsandbox_min_client.htmlsandbox_net.htmlsandbox_net_client.htmlsandbox_web.htmlsandbox_web_client.htmlsandbox_x.htmlsandbox_x_client.htmlsandbox_xserver.htmlsanlk_resetd.htmlsanlock.htmlsaslauthd.htmlsbd.htmlsblim_gatherd.htmlsblim_reposd.htmlsblim_sfcbd.htmlsecadm.htmlsecadm_screen.htmlsecadm_su.htmlsecadm_sudo.htmlsectoolm.htmlselinux_munin_plugin.htmlsemanage.htmlsendmail.htmlsensord.htmlsepgsql_ranged_proc.htmlsepgsql_trusted_proc.htmlservices_munin_plugin.htmlsetfiles.htmlsetfiles_mac.htmlsetkey.htmlsetrans.htmlsetroubleshoot_fixit.htmlsetroubleshootd.htmlsetsebool.htmlsftpd.htmlsge_execd.htmlsge_job.htmlsge_job_ssh.htmlsge_shepherd.htmlshorewall.htmlshowmount.htmlslapd.htmlslpd.htmlsmbcontrol.htmlsmbd.htmlsmbmount.htmlsmokeping.htmlsmokeping_cgi_script.htmlsmoltclient.htmlsmsd.htmlsnapperd.htmlsnmpd.htmlsnort.htmlsosreport.htmlsoundd.htmlspamass_milter.htmlspamc.htmlspamd.htmlspamd_update.htmlspc.htmlspeech-dispatcher.htmlsquid.htmlsquid_cron.htmlsquid_script.htmlsrvsvcd.htmlssh.htmlssh_keygen.htmlssh_keysign.htmlsshd.htmlsshd_keygen.htmlsshd_net.htmlsshd_sandbox.htmlsssd.htmlsssd_selinux_manager.htmlstaff.htmlstaff_consolehelper.htmlstaff_dbusd.htmlstaff_gkeyringd.htmlstaff_screen.htmlstaff_seunshare.htmlstaff_ssh_agent.htmlstaff_sudo.htmlstaff_wine.htmlstapserver.htmlstunnel.htmlstyle.csssulogin.htmlsvc_multilog.htmlsvc_run.htmlsvc_start.htmlsvirt.htmlsvirt_kvm_net.htmlsvirt_qemu_net.htmlsvirt_socket.htmlsvirt_tcg.htmlsvnserve.htmlswat.htmlswift.htmlsysadm.htmlsysadm_gkeyringd.htmlsysadm_passwd.htmlsysadm_screen.htmlsysadm_seunshare.htmlsysadm_ssh_agent.htmlsysadm_su.htmlsysadm_sudo.htmlsyslogd.htmlsysstat.htmlsystem_cronjob.htmlsystem_dbusd.htmlsystem_mail.htmlsystem_munin_plugin.htmlsystemd_bootchart.htmlsystemd_hostnamed.htmlsystemd_hwdb.htmlsystemd_initctl.htmlsystemd_localed.htmlsystemd_logger.htmlsystemd_logind.htmlsystemd_machined.htmlsystemd_networkd.htmlsystemd_notify.htmlsystemd_passwd_agent.htmlsystemd_resolved.htmlsystemd_sysctl.htmlsystemd_timedated.htmlsystemd_tmpfiles.htmltangd.htmltargetd.htmltcpd.htmltcsd.htmltelepathy_gabble.htmltelepathy_idle.htmltelepathy_logger.htmltelepathy_mission_control.htmltelepathy_msn.htmltelepathy_salut.htmltelepathy_sofiasip.htmltelepathy_stream_engine.htmltelepathy_sunshine.htmltelnetd.htmltftpd.htmltgtd.htmlthin.htmlthin_aeolus_configserver.htmlthumb.htmltimemaster.htmltlp.htmltmpreaper.htmltomcat.htmltor.htmltraceroute.htmltuned.htmltvtime.htmludev.htmlulogd.htmluml.htmluml_switch.htmlunconfined.htmlunconfined_cronjob.htmlunconfined_dbusd.htmlunconfined_mount.htmlunconfined_munin_plugin.htmlunconfined_sendmail.htmlunconfined_service.htmlupdate_modules.htmlupdfstab.htmlupdpwd.htmlusbmodules.htmlusbmuxd.htmluser.htmluser_dbusd.htmluser_gkeyringd.htmluser_mail.htmluser_screen.htmluser_seunshare.htmluser_ssh_agent.htmluser_wine.htmluseradd.htmlusernetctl.htmlutempter.htmluucpd.htmluuidd.htmluux.htmlvarnishd.htmlvarnishlog.htmlvdagent.htmlvhostmd.htmlvirsh.htmlvirsh_ssh.htmlvirt_bridgehelper.htmlvirt_qemu_ga.htmlvirt_qemu_ga_unconfined.htmlvirt_qmf.htmlvirtd.htmlvirtd_lxc.htmlvirtlogd.htmlvlock.htmlvmtools.htmlvmtools_helper.htmlvmtools_unconfined.htmlvmware.htmlvmware_host.htmlvnstat.htmlvnstatd.htmlvpnc.htmlw3c_validator_script.htmlwatchdog.htmlwatchdog_unconfined.htmlwdmd.htmlwebadm.htmlwebalizer.htmlwebalizer_script.htmlwinbind.htmlwinbind_helper.htmlwine.htmlwireshark.htmlwpa_cli.htmlxauth.htmlxdm.htmlxdm_unconfined.htmlxenconsoled.htmlxend.htmlxenstored.htmlxguest.htmlxguest_dbusd.htmlxguest_gkeyringd.htmlxserver.htmlypbind.htmlyppasswdd.htmlypserv.htmlypxfr.htmlzabbix.htmlzabbix_agent.htmlzabbix_script.htmlzarafa_deliver.htmlzarafa_gateway.htmlzarafa_ical.htmlzarafa_indexer.htmlzarafa_monitor.htmlzarafa_server.htmlzarafa_spooler.htmlzebra.htmlzoneminder.htmlzoneminder_script.htmlzos_remote.htmlincludeMakefileadminadmin.xmlbootloader.ifconsoletype.ifdmesg.ifnetutils.ifsu.ifsudo.ifusermanage.ifappsapps.xmlseunshare.ifbuild.confcontribcontrib.xmlabrt.ifaccountsd.ifacct.ifada.ifafs.ifaiccu.ifaide.ifaisexec.ifajaxterm.ifalsa.ifamanda.ifamavis.ifamtu.ifanaconda.ifantivirus.ifapache.ifapcupsd.ifapm.ifapt.ifarpwatch.ifasterisk.ifauthbind.ifauthconfig.ifautomount.ifavahi.ifawstats.ifbackup.ifbacula.ifbcfg2.ifbind.ifbird.ifbitlbee.ifblkmapd.ifblueman.ifbluetooth.ifboinc.ifbrctl.ifbrltty.ifbugzilla.ifbumblebee.ifcachefilesd.ifcalamaris.ifcallweaver.ifcanna.ifccs.ifcdrecord.ifcertmaster.ifcertmonger.ifcertwatch.ifcfengine.ifcgdcbxd.ifcgroup.ifchrome.ifchronyd.ifcinder.ifcipe.ifclamav.ifclockspeed.ifclogd.ifcloudform.ifcmirrord.ifcobbler.ifcockpit.ifcollectd.ifcolord.ifcomsat.ifcondor.ifconman.ifconsolekit.ifcontainer.ifcorosync.ifcouchdb.ifcourier.ifcpucontrol.ifcpufreqselector.ifcpuplug.ifcron.ifctdb.ifcups.ifcvs.ifcyphesis.ifcyrus.ifdaemontools.ifdante.ifdbadm.ifdbskk.ifdbus.ifdcc.ifddclient.ifddcprobe.ifdenyhosts.ifdevicekit.ifdhcp.ifdictd.ifdirmngr.ifdirsrv-admin.ifdirsrv.ifdistcc.ifdjbdns.ifdkim.ifdmidecode.ifdnsmasq.ifdnssec.ifdnssectrigger.ifdovecot.ifdpkg.ifdrbd.ifdspam.ifentropyd.ifetcd.ifevolution.ifexim.iffail2ban.iffcoe.iffetchmail.iffinger.iffirewalld.iffirewallgui.iffirstboot.iffprintd.iffreeipmi.iffreqset.ifftp.ifgames.ifgatekeeper.ifgdomap.ifgear.ifgeoclue.ifgift.ifgit.ifgitosis.ifglance.ifglusterd.ifgnome.ifgnomeclock.ifgpg.ifgpm.ifgpsd.ifgssproxy.ifguest.ifhadoop.ifhal.ifhddtemp.ifhostapd.ifhowl.ifhsqldb.ifhwloc.ifhypervkvp.ifi18n_input.ificecast.ififplugd.ifimaze.ifinetd.ifinn.ifiodine.ifiotop.ifipa.ifipmievd.ifirc.ifircd.ifirqbalance.ifiscsi.ifisns.ifjabber.ifjava.ifjetty.ifjockey.ifjournalctl.ifkde.ifkdump.ifkdumpgui.ifkeepalived.ifkerberos.ifkerneloops.ifkeyboardd.ifkeystone.ifkismet.ifkmscon.ifksmtuned.ifktalk.ifkudzu.ifl2tp.ifldap.iflightsquid.iflikewise.iflinuxptp.iflircd.iflivecd.iflldpad.ifloadkeys.iflockdev.iflogrotate.iflogwatch.iflpd.iflsm.iflttng-tools.ifmailman.ifmailscanner.ifman2html.ifmandb.ifmcelog.ifmcollective.ifmediawiki.ifmemcached.ifmilter.ifminidlna.ifminissdpd.ifmip6d.ifmirrormanager.ifmock.ifmodemmanager.ifmojomojo.ifmon_statd.ifmongodb.ifmono.ifmonop.ifmotion.ifmozilla.ifmpd.ifmplayer.ifmrtg.ifmta.ifmunin.ifmysql.ifmythtv.ifnaemon.ifnagios.ifnamespace.ifncftool.ifnessus.ifnetworkmanager.ifninfod.ifnis.ifnova.ifnscd.ifnsd.ifnslcd.ifnsplugin.ifntop.ifntp.ifnumad.ifnut.ifnx.ifoav.ifobex.ifoddjob.ifoident.ifopenca.ifopenct.ifopendnssec.ifopenhpi.ifopenhpid.ifopenshift-origin.ifopenshift.ifopensm.ifopenvpn.ifopenvswitch.ifopenwsman.iforacleasm.ifosad.ifpacemaker.ifpads.ifpassenger.ifpcmcia.ifpcp.ifpcscd.ifpegasus.ifperdition.ifpesign.ifpingd.ifpiranha.ifpkcs.ifpki.ifplymouthd.ifpodsleuth.ifpolicykit.ifpolipo.ifportage.ifportmap.ifportreserve.ifportslave.ifpostfix.ifpostfixpolicyd.ifpostgrey.ifppp.ifprelink.ifprelude.ifprivoxy.ifprocmail.ifprosody.ifpsad.ifptchown.ifpublicfile.ifpulseaudio.ifpuppet.ifpwauth.ifpxe.ifpyzor.ifqemu.ifqmail.ifqpid.ifquantum.ifquota.ifrabbitmq.ifradius.ifradvd.ifraid.ifrasdaemon.ifrazor.ifrdisc.ifreadahead.ifrealmd.ifredis.ifremotelogin.ifresmgr.ifrgmanager.ifrhcs.ifrhev.ifrhgb.ifrhnsd.ifrhsmcertd.ifricci.ifrkhunter.ifrlogin.ifrngd.ifrolekit.ifroundup.ifrpc.ifrpcbind.ifrpm.ifrshd.ifrssh.ifrsync.ifrtas.ifrtkit.ifrwho.ifsamba.ifsambagui.ifsamhain.ifsandbox.ifsandboxX.ifsanlock.ifsasl.ifsbd.ifsblim.ifscreen.ifsectoolm.ifsendmail.ifsensord.ifsetroubleshoot.ifsge.ifshorewall.ifshutdown.ifslocate.ifslpd.ifslrnpull.ifsmartmon.ifsmokeping.ifsmoltclient.ifsmsd.ifsmstools.ifsnapper.ifsnmp.ifsnort.ifsosreport.ifsoundserver.ifspamassassin.ifspeech-dispatcher.ifspeedtouch.ifsquid.ifsssd.ifstapserver.ifstunnel.ifsvnserve.ifswift.ifswift_alias.ifsxid.ifsysstat.iftangd.iftargetd.iftcpd.iftcsd.iftelepathy.iftelnet.iftftp.iftgtd.ifthin.ifthumb.ifthunderbird.iftimidity.iftlp.iftmpreaper.iftomcat.iftor.iftransproxy.iftripwire.iftuned.iftvtime.iftzdata.ifucspitcp.ifulogd.ifuml.ifupdfstab.ifuptime.ifusbmodules.ifusbmuxd.ifuserhelper.ifusernetctl.ifuucp.ifuuidd.ifuwimap.ifvarnishd.ifvbetool.ifvdagent.ifvhostmd.ifvirt.ifvlock.ifvmtools.ifvmware.ifvnstatd.ifvpn.ifw3c.ifwatchdog.ifwdmd.ifwebadm.ifwebalizer.ifwine.ifwireshark.ifwm.ifxen.ifxfs.ifxguest.ifxprint.ifxscreensaver.ifyam.ifzabbix.ifzarafa.ifzebra.ifzoneminder.ifzosremote.ifglobal_booleans.xmlglobal_tunables.xmlkernelkernel.xmlcorecommands.ifcorenetwork.ifdevices.ifdomain.iffiles.iffilesystem.ifkernel.ifmcs.ifmls.ifselinux.ifstorage.ifterminal.ifubac.ifunlabelednet.ifrolesroles.xmlauditadm.iflogadm.ifsecadm.ifstaff.ifsysadm.ifsysadm_secadm.ifunconfineduser.ifunprivuser.ifservicesservices.xmlpostgresql.ifssh.ifxserver.ifsupportall_perms.sptdivert.m4file_patterns.sptipc_patterns.sptloadable_module.sptmisc_macros.sptmisc_patterns.sptmls_mcs_macros.sptobj_perm_sets.sptpolicy.dtdsegenxml.pysegenxml.pycsegenxml.pyoundivert.m4systemsystem.xmlapplication.ifauthlogin.ifclock.iffstools.ifgetty.ifhostname.ifhotplug.ifinit.ifipsec.ifiptables.iflibraries.iflocallogin.iflogging.iflvm.ifmiscfiles.ifmodutils.ifmount.ifnetlabel.ifselinuxutil.ifsetrans.ifsysnetwork.ifsystemd.ifudev.ifunconfined.ifuserdomain.ifpolicy.dtdpolicy.xmlinterface_info/usr/share/selinux//usr/share/selinux/devel//usr/share/selinux/devel/html//usr/share/selinux/devel/include//usr/share/selinux/devel/include/admin//usr/share/selinux/devel/include/apps//usr/share/selinux/devel/include/contrib//usr/share/selinux/devel/include/kernel//usr/share/selinux/devel/include/roles//usr/share/selinux/devel/include/services//usr/share/selinux/devel/include/support//usr/share/selinux/devel/include/system//var/lib/sepolgen/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=genericdrpmxz2noarch-redhat-linux-gnu  directoryASCII textSE Linux policy interface sourceSE Linux policy module sourceHTML document, ASCII textmakefile script, ASCII textC++ source, ASCII textASCII text, with very long linesASCII text, with no line terminatorsPython script, ASCII text executablepython 2.7 byte-compiledXML 1.0 document, ASCII textcannot open (No such file or directory)?p7zXZ !#,_]"k%%khuJf} {.L(GjY;S_n&8jdSIO4#i&IO"y f1P ѝ `,GLh#yB,g0_>Tj dzip-v7Ie䱗m6 tI5.T gxa+lڻ7)ۏ>Jw哣W!"eJ8I򸛪PwRCżE iZH\9\]?b;\JeZSJb8 ‚_4KSIeAq6 [QQ8OA1)uʹkt.;ߣɭex:SxDOĸn_9'؉!9g# H?'rS07Mdxsnk224yZk_I7;[*cw8H`սRkYŦ JCXg: Rr:)2n`}B[,_.<4Nxi0l?PDpf,jwMEJ<4C>l˥òm) 0R(>;!o [W9rEizb+fW.iWS8qֵ;.%7)L9WpP:%Bt!^/gFZ`_ p*/Z`|;<X5~\sʹM=4t.N*?i i +W1;JC #r/vqHuZ4ys[0򣜠 4?rg,<AM0&a _ZO Zf$JF^OF)S~N2j{0 ~'%6 %Ѱ 2&Da{yDseFu,iL]Ӓ h;d26my4RZuz7 -l$K+*\OZ;,GT[- {,+B}CyQt4[nG[T&͈г44μŤFB۽gGG0kIMΓ*4?8iʡeدW#ub/loöuw7ݪ)R|9FlMv޼{0O{ɤښu)T#6f1:xv_eP2Ep6ƛNdVK~,Q H !}{zHuB6^0e PnrGtD/PVHxD 6.6~O|BHzAG`OofN;P+W I^WN٧ӳ^~K4RQx$kL' (~Eƍ +lר8CԪ}V+2VꓦXcV!)ܘ\miJ0iCYLӆF=?w,#K^Pq8 x6S.'YzV CEUoX kl3MjOqN L"~s:mҦDqx90QY`d'+jThw"_-A.ϓ :7rR:qc9nPH96T/q1iʀ.J'ej\&4ZJzZst'!r^tGƐb4PCl񭿰G4` K,+Z#D4 I>GF(u[AiDhV/` sF v9:ǩ1{  tPn3m~bLE$!qW`a;ic~4oN&MzxN}#hf4M\- m HR)m@v.y5fU (ǐ)1 a#5]["'vtQ Tdܡä.ZӰ M! $ϺC\yƶ}uWyV[^`[XRf '?Z6zlmfB_|kfG]*\{#n=d[uWQ6[EJ4(U^!Qʜ~l9S|7s$ϕ:{>U=ؚ:q"O/s=]7=$S'`Us gC^a uPO'^rܬ!+H5&fڦ̿c d h_B'jy ZyM@YHa8;RHK88gnjρ@sq iV7fM2/-!> uy-=cRy,=3 D# dCCQsR:UՑxt]XX_ *&Ec/3$ >aOѢj .QWc A68g{N?'xTX}! L'-]$@P\!׈cw9j'ܨJ,ƍԳ$֒]%ԷSC XHOVRœtGL9qUaʐT\x3 >'XP 7X9H뺡U.:ù9$wKfxh&BkAg\Aq520%LQ ^V)'~Y0BMog߯4չp2Ǯ1UIq_0jS\9 A#4`(ƠDCm|f}=h+<&B%\2vޕ-?+ԂCNrdDIzOFa$|*N8L$rakѸ!楌u:-)(8ZzOf+F]( ΧY.Θ3B NI˧(ţw&ϴ9CGNV58TG+_ k 5$m%BPܨ{iwb*#Z9iӛWg .ճ;xcNG| xzHT<ORnn>1ށJ]wE4WU~25x:ԉ:^Ob*S:?Q `G(+G..`=aXꈙ:e8K]+9>4WEЉe|?8bնSz<odhមUA-N9BuXGYspNLM'e 9eϬR&9ON2QEmВOXbumLwO!|6%y N&"p Ss,&$\VɧCyL񜹅 w/: 7vꀮ\E {i$+Vz>]GDVbŃ=IJt 8OK䅋~y|쿃k.6 ^K[_B rjd#  3 vN_1-mxµs H2Uj[(F"FB:C9cJ.w>~I(,'jڷ* @U/kr %}x@,Jp)tB};K\2YE!k!e&}+2*KE Yz T>B ]4UDBW 9-^.5A>g-)J. *i"8Y< `ֹ?o"K{jwwx{`&n[HYrA~,8sI29&c!m A1ևzUgFdV,w~Sd)N jӭ447|u dIq*7l:lPXt 4)~33c+NOvn?y@x}$RM>:$?t cfzآ<z vuƳ`Hw$QidTvRmBQн^L`l>vǀeqkA|B=܍lȏFhPvӣҤ-zv \s`PqLZ ބKUpFpڧnz7mᡳn=@ж|s.6C H&)|aZF4! TIȭ(T L$xX Ͱ7=sWׯk·|ݷL=7|=QH N@泉Hֵ8mR CZrI9i!&7uq i htdakP; TnyESB3dĿ;ͲԴI mh: 1rŦ(bqᡅk_V<n>OAsn'j^T :s`=KheFAeZ_Q. 5d[CF~%ko3k!TKxh@vINOR~TwAzbL*tCB_,Wo*d_{o λMaUz> O26cIy Xet 01o+F5X€I8#7|I4Ҩ?ATGL5.=<8Fs=Sn |zSQHr]cM03=]x+kp S '\k@ZpfQ] a#V %wf>gz,d^*t䓝/eb/PRhGU55,NjyûV礋.5zްA1 Cp,.bcp1:IkW1c_T+[/1cZč~kB}/\S}0tC` wVwb UKofmSM`P*51.+:^Qbx8-Vh(ayG#V4:Ấ ߦ`- ) j<}ѨiU>uƇ6B"[-Vb˼|lRj45Pԝ,fn|4A*'yMYx0n-&- /r#BUC !2`ndHaf[J-_Z1:z^J2':н;MZ@c섳;˶}w5I3d[f,Q+}#&ȁ1ҽJSI4p#e|_0rnfHbY'+5oC~ e/H]/KIeNNAi?jZ+8_;(G^䊙! T[x,eM-֖-ֽ ?0oZxH>k» t]947HSbhA#da,xyycTSiEE@z+7KȊʣw!qf/C(5L%D#բ_Yɨ{vSmN5 SL_(h%TYTJcgU݅ZЈR1\ztKBf"!z>E<~w(K zMD ؘe 0_YRb]ɫ~SF-4 QB6*LTP6.^N{(`"Ȩks^KZp9I~e7bi%y/#zƄSRp|̧ٶ娪7l cܥ烞"nLMYP;/ '+#`Pk%M`Y4+˥0a{Lݘ!cN,Zt~hUd0CS#m^ T,06hwTt[jeD"Dث)ku Z9ݮ1bߴ9 EO*>gt[!"פ#|1vh#ēV^/@2Ս~yOutًh݃;E"a"ܷ_yم>ve+V»=tk^Jª^=a8s3&ѕ-t/:z ޤc"qܰ}rr(H$.A=bM.z̍S,M&$IY솖Q{gȰf3K!f.ft}k⨜:4e s tDpӢ^h,q>@G/)f݆gn9D&~ٝE($ \fޞ9xQ$Wj5XacHû(W7?A4MvJcLo<6/S)$:\*{1&j  FUgo+'NUpKy,xF5AQNғ`(n^slvN]}n0uUÄnZBpB"/vRQ27J0NOڼ 4ˇB5$ +{nOps9yS)p{`{`m*}]Jyu&?s#.)}ѵf#,<#zVxɃk}<}(-N0 n2g>3 ^T/*{v'}BO2}* 7,@;% {UdS*4oC&~Ŝ"9i^.۰^DlOr%ͣ[#80}+YD߁XJz̴Cߌ$_" 2/7uwdjf8-|JBYT<7#|&6F[po^u+`N:5HT|nMؖms.af (X߀MI60NLH>c-F3fuD.h(Oi D16a8:;k:.e֒ +&vk9Nm۾Loc6Mݜ!4Vg[-z<ŇuCVO"k!i\݀ #5䣿ͮi&פrq4EԸ}O/y7y0ZM%@86t̪%ꄽ=sBF ѲKGK,9㝔˸Y7#]'w fc!蘞΍^nsI`uHݾ+(u!}J̕hRfJGdi3!xsRSZϯYXNoicbTR+=Ǫ[tcγ ap ' _.yAJ翖zjI?!:rqIac!" i!Dr3!?-SwAYTkK/'"5Np)=8%lh U*3K t/Çc59yJMz] <y vBI=.#~ag,0=y?w Z4緘䵽?jˋ5u K如˃5{IA DNۥzMD6 tTxVz8g̴yܩCr/d)b8CVDA.7ov>E̲!:sD: \TT)1xպ-(mAq BhGn}eٱn-U0Fa m>Pr @WpZ[|(vd4JZ1bv|*Vru^A/ų8'us7( ӚEKYj"滩M\jS[xϫmHUBea6[^'TU` TDЪS"aNK˚p?wQ JI_|6Y3cxz}omQ Tm$8u^u&7bdNn%/xcH.h5A>ZpX tEG Uж弻߀׷·.8x;: 2iuC.CuZ1PӲ SZTifW|-(uVJsXQT>4~-o!-o߹LƉ.P4iJք2ţ D唗3|':8UՆoNIjOPB ըK{oKN)W7#̹eWFb\ˀؒ Vd5wʱhqZ&\DAR:ӟað~#.:6KںB[ ,r;ơ|'L`9 ; <<^1ȩ{ Dhb("Ƞ#=2Oz >>L^=| slNHn%Zbń5ua\2Ry mL_| qӦp̌r+︕[>r?IX9D"XKAPޤ}YQ]lC (PB<$re#`[*Ì'ɖZϸ+TXP{T!A]LnDOݟ\Nσ`NnSPjhӶA*Q,mcgiZj;\e_UkKq5@Ls9 B-W:׽')FFӦHDOr@⽎JNFֱwV΢mqNa{u5UtP,$[Pt$47X+@+GIB}w5J.c Å1uimLF"3Cuյ1 (UɻH~m/ M'lMÚ8' ԆH@ :ZGܤf1E jjZ& 'Lv(ylDTB|h(1%aazW;qYZQR!<ֶݪ4fh/"Wh5w>y H0+BY^bOEWޡYM=No]EȞcȘCY>Dc,xt ]UСb܋hQK5aF\|kVeyQ?`%@?~kQQXIRg7'=1e[X;d GPI* `#"Ί@/ϸE 8Pj 9̣p.\UlEL#ohTg8w]RI8x&:fyrױE qcDa.cD뚏 %DRrZX́thoÿ89=K!!j&LOP8`a ĒV|?/K}gdH$ +''zi@ux]D(.&JqQ=h=n/*Pvie$lVWwNt\ҝ;, j4Kd%045&&1jGJ2k Ɨ)xpҨHX "v6=N=8Rf㲺TXk7݃.duH&Yd+e] [Mڶ:c"??2.F& o.'콆BǪ]aĸ4Li h.'rb1/"H£ iW.Qyp`J39VڞMTpgM LÛ9^Fr"LIYE22{}hIቶV,Ű좸v(Hq.t 3mV"փM[{dV[Dwgૢs5i;M5e<@jxwZt{ 'GKNokt.BG,wC̡"֦ TB='0շ۬LV/Ա29CKƮgAYhD6?F{,ʓæ5fA);N9DH3,Q]*<+@\*P_8S/KT05:l!V="^(gzZ-=y뉦jlΒpR+i=mm7)F?SY=!Qf!*`. nPwS(9d ;K`htg2UO1RS* >Djzl֧ X MjPZVI>+FEG[m^Q>j}@)g>̟kl1I;'`Q7+ #_*ݕ\+R&WD,)IW9`;CjuB`:0 @yzK,=E=]$u2Ҍ g2Y,гC"'҈ cv ;vV;9.җ)jq( p)[LG NuXSF &^Aȵ BB18wbr Y {PE+gb9~tkò|N)Fϋ.ؓrh@L$M8 U8>Q I|[_6|PIC{\':+5<$zl>+ 읍mjW l4M_Su_ >wkc=,Y,O8r[}.m1_`a/֋u-*.uFyG^&tZجA(`7]zG=qk_n@f+̅k2ALlK5qD75uy TA zaTndՈD! FykWOveflk+){cO'_Ӻ/6[hR(Jl~6,] %3=\s(y'cb4.BɄ =oVͼ)RSuUwQ a:UP=5[s94ؿ,{50c=X6 W)ޯoVz'l=xTwϡcO_p'uB ItJ8s^F<@^:IF|S_kf3GZ 1z3}yLGsjnOs#1K(8t 9TW²m+M6.nZ'+$H$NBm$}9ץ{[OfL=yR:5P5@5u huQEOӌG_l2IioZi_r/[ (ȷ0fe3*\c gஹ.6 q1 "ȐtRKd&ttaqpm TtadWDZp~e|o۟[cx.ҬDʴ쩾t4';BPfO63KB m 1dt[ ,$m!|ca<2Sv~#.7H{pӅ"]Hi:rv7R J]1R?9.n"' 3cyb㌞dNXbC N5MSx̐BP'5)bP'Y)f*8 S*"a!aV[>/be~g3HOKXOc|'躽"/ `ڒ)7:x`"SPX mɾɓip}n<hdIVws4,6m>?A JvM}´E?lȢ'K-x"{(Yۇ  s,&QAvGGC ͠ I^5-+oW#N'K֧y\X09kpŒrJ'n۹:/i8axrSp7~iziki */PL~yJ*B$ASuX@=(zP51a|O@Q2\ Y89e5t|4Q+VK!i0OM$6Y҉Ø]UjW;ƞ,tmAݲLht\2^DZN.>p#(0yQU] p:(1g+)/4@Q\a 4㰻"VR:iV:$1bqL}A>)=K_w>հYs+;4K4̀Ҝ. u$¹N^ceЋ~rC"CxFqG!曁W1<:G0n)lnztkUYYظ L`8okɸ+Ca&qSm(ڢhdq"{d4[Op4f$`HO^*-(øVMA/:WHJjbKoHE9H?kp8~*h9M` uC:^C<8 p}F*o6[6?Ψ9Sٽ6;dw"[Kܥ}lK# JL7CЈ*/Lsӳ$J//}DĚodeJjwbE<)][xj9_ l؇tO$)0|2hR[Ԛp <`*X)4#˞bB6lvxƕؾG>gYe&?Ǫ&]r$A%I. qwMA+hy:Tc%VV{إR,z {izH KпNf׶zBoh4HKH'nH:A[![!.6+!"y(<0]/ܖ %W7]1ҮXpOF[ѽLa4OP!go7oc*g)ԓg8@7: k>yhH~3If$)4h+&D&Ccٖa2b!m1i6Z٧@heF-/K>$LMTmNJLsmnqqU ӻWiY' E)gG]eRF֭TBt,OهEpjt=kS4ióRb87]nݗZM%%+KDB6J2tO+yEܡzxH൝GJd$vަpVDEJ⏼bU1ЍwcV+;ER/]o2+ĽȗAM52BD#GB4b^8;HZ^)g5)쉬9.Ӝ2*Y3ɹ_5 #]NT E 5,<ë2r ҭ_Khu*!(eRzv3ozى7U vm|p\O`-#1 ̗YKA7헉=Al}X%26K/_aXGҹSE$J hnمyX2nD#GR g3 .>@UkFOXɁ}~wFa xb/-?>I-Hh5Y dd.0tNgr`M]vW"D᾽-2j :4ΦmLŨhkݗfDΧGD)Ç$ƺ?َ=~A DvxX|/AO߷gBKA&2`?aAjvӓOӫL×N ۻ8g]Cƴ =g(bᎍ'Bܖ[KMPq" MAQfGZʪtv=)HBx2AdV +"E%*l("yJ^@d+ vQth+iRrg針nId{L'YoIURv_`Я$Rŷ+_X_&9Q^ɿPcI|=`gN(FLW['TQFNzb_?Z,Ėm̨U"c?m*RЪi`)yf8c|=>vbnT4FsI}- g ^`e羪F>!33p"0lCu-rŅ<21e?Gdt=U8na~TIs 1i&_FdC+?ĕNB/Ypnkig&CF e-mT_uS8#z&v/!y)8[U \xYQÑ=Nw̟̑1D𱿗ŒEf )P@RxN<@>i~S3v~yb K'\`3H!f"OD|%*$ژdN\,*ZZ.SkԉQ0{K;t'¸(kFS`R-Sيnsm1ՇYSbhɈ|\r~R^THbT/&?L9Ryy9le9Lgl /QlSC7&W!iwf3jlq(%Gڠm`㬏ۛWX*퓘:I\gI&]xk}6]gHc/бd~K&)+5)rtW)gU.,ˡ.QdD!i'ys %TS6+48/}nI;s&4vQǜA>%WP< dX^_NH;}K _2f_#ɝebK3 9>͍=vy{H5 68a7MLᛕfP2% @v[q#iΖrC(CqO*%4T3}Uxb4`-EgY]2՚㰛8/jd(b^jءQ5o:]%ٲM˰ObG0QPpme@*_$*ykIx?'F'f(NM6+bzc*<ίFfl )S҄ޭ,dQ9`FE1P P7LpżoT 03ㄴx`/$AZNkݧhXqN;Wj6K ,xJ >jINöxGj#e1T#cfGu0*v4[I4!Qq7/Qe}?n^b `Mt%zJy" 5*~'sJ4Qoq22[h*QT[_jIL n-/91%`7Kv\6g d0ƌgte&D[رlb}yB ϕgO$3S ]taU@"nXw"TL ፣Ĉo#M6`Z~iamtap3k)ݼ5HCWnP݂_ ͧkEEgl\-|ߨ?oqj'CGoz0薁\I.g6>;)/<6.:SANEh^MV%hfru0Rm'X);ŭt,k[=y ݢxK}ڕ8O4E<LMB1,c;ǵǡ/ar6F-5ye0lv.z!UӺc3ӝUtj۶M/?=˯p9f. O $Y?ןXwte7ÞEŒ\,}ݳkL \ žC-(qu7Be"$f" v'M+˲~lۄ3-Ì&0Zij{JU"ţBdJXe }nV)Th!V>CtwN;L7񀛊X=V30tPؖ;@ӥ~I\%}JyӮLclM*I3m¬mAJ|Fr?gZHy(Ukƈ]YGN*AO ޷/jd'5IW2BD+r͞; \3O'cYH{ skC >S^չ|v`_ע!B+g )6mRafpLSXЪ}r}I'+2qWoiZ!GJ~<"HJ1fw [J Fw7,w_ unEHLo9s1ZUwS}pV-ogkJsULt|qߩ9z\Q,0hyM g#憷<*{M6U{0^a3l^F/ORٌ] J埼 !"zG"OcD\U1QGqNfRE*ZfyRXFR\0lkz{GzPR: 8/׸U8TCjK4z` ,"#&{&3MEY9p4yaN3R[IZs_jv9N9݆:lwQ!-X#W"ͱY[֙YڷwlG2&IE.́{x\&nhOhw HG^ՠzZm#\]fpʜ:Tmݼa5ä C9JdذVuƤGsoq4^^-C{ZI,H !}o%3-auC&}Nz!/m/-ͺ ܭC?T[/LE~ xjӒ7 cqDžQm'2Cm1$ (pQ ÊÐVwbE5mc~e<7~PcwYrM<\?rx]Nv5v}ԑ AnW8W{/`b?w%r##N`Sb??XLNMC{>kbswx0!'q(v }EˏМ\TfKm0[ A" ADW~/8as?a(U2n;6(TzyneͿ%K% >2S9 Hu5ϵ@*7B&H *Uq,! mVS6mP%m (ќX'fVV'8fm;KqhKخWLf<"2JX p$~ $k :K2{9V F lByNjqn^46A'-n>1UꙆ{[R dmol(\?W`ޢ_K+E,*L%L~өX<G,jI~Ut(Bxlu1w?efL c}җE+kzΆkj|_Tqm;<:91 k "8AEX"pqȰdnerp*\fKh౫!l.uaGἜ3I0e&IM A R뜆ؐ apL.`+0 :J-gzMcXGS-φu,X1H4aBAkΤ $n+\.٦Qsӫ-:ΤjxM,|%f\"/c~.%AVb%pW{!2~p(ˉ}n"PN/4cEɴ9_3BZD=H o8ORP̯.C682eE"@EB$0wi:}.rꦓ7|lg% c}SNQmn eЭFr%@y҇?=ڹIU9 bp]MYzD_GХ=^:٫K?s{Nn—OQ+ik#j}+0+ ӄӶ7_)7У.dEL\zao*O1d'ӏˇ]V8( HacW)JeК=)I`rۺTEP_=aZbyՍNB*ʴ0EY#:$ e]O3e `98!&rDQ|3[Wjwdz/EJ}/ \#hmkn| ICZaq^J2ʛNA=G(Bh16(X!in3lgnѱpjOBГǚ+jw\f++t Rg9qQoZP#oMO:|[(:p!v K RX @`5AvI7t&d6k]h)YĽ" {5!N&QlÀ" su:{0#-OdtEz ʮq6,a]W)2nYo8a*9>qϕ^'i_6'eʼnH948r{Q5 mȪ8R۾ Bʺ_ t4ᗶMliu8C"N)Sl,۩~Fv̸4h}Kx0,R wprhᦲlU7Ѕ*FB79 e OQ NĩVd:*Ci O&7=`+!'z k*h1i7ՙ :,Dӧt <;:1PŢ3la!+B෻"DWT>b_HsK9pt:pVNqsK@~80K3:kФCcI] I]qqK+0elѯr 1RqJj˥'~HN Y YwVFˆ9Ʒՙ34K7! rNИ9OuI?RM( դVh@ Zf[Fhq /?7^%(+<SI1L/1c&L#F4ql )m06O2A{4%U>Djv8qХloفQ?ĢwrCK|ZSɉhFjǣGe3'˘>y%f:3J niI+|s_pK䗳zl~z{ {}d|u`.ݺ(p?K1dRu->orv&KoSy"7zyKigvD ~g;' U9 3HqPZrvYE@7}֝px!M) MCs x ۤhS|էJ剏ūy2F08`.PC̣8"j1((go4: 2+2Sd,?\JmUn1V<>̲r) rK i,# vTͣE @|.1lCciqDeqV n/G|Tf4D~߼dH%K.q&>APF7J>Uh+%qFa;7(^[;@-O:9ش&ǂ4^COR}@ jujox?vޱ[҇MK)^/Nj/MD`xa~mHQǛ&iWwp)h?S~rn{!4H_5)}W BX6k;t#NgfbYTx$OiT4XGŰ B^]>iv,`hkȌh$ .@8UX͆IzeM*>zwǐ`{XP:/|Th@Au`G+♲|M^P7n>Fq,2uxq1B-G1Q[R ʏ$ٟl Cjݰky$+[A^}a6be"OwPotH1 q/+r&a!MCPߓ>^(BnOK-yn "* '{t$ˊmx!{ .^+}W"d:Bs/S6W7d"MOcjTUS:+"loTDv(Tע&)qc6BTفy{nG\/Svxy;eTpe[3SktgCۏռD+0bݓ4[̽{pҿ=܆f*L2cpN(UZ.0xNwq}u%hL8sl1n֐g#L[ RdVANmxu=1`1uxq/ @-fP@ܜnh A(w7E2J*iFIw{eWh+ ytL޳7:pИF)@UǑB;1^XxWIٻ `dbZߖ)ԭLg:<\k~JJ8LJ׹28 | NG[-,8JJ!5NR,|.s/?N:@pԧIP*FXbkSrSۅR>@ϟT܃COV0M ҧ}g 4-kUqټ'k806?nm%j_QP~Ӂoh$ xW[ڹfH2)+H !_/)bYDe }(y=4$h!l9 {j\.-m(~tq&a%9!$ÇMvq}br x^M8 .4hP ɐaPVkUAWbw-DL* w̽IimUm76<~L tUU暕 tj&۳ˠ1|..sQ'Rp|FۃW YlӦՎiFr\|=|-B Oۄ=⾺wABS"Q9LdQ):7zsQzmI vwj2b+_¾ ῪJAH_acXCRUF α3gJuʮJ eQ'g*[W  ݽ3$ф."=wKEM醢{,Wߠ\RP<rظ*ŐOo`EEZLSogOr51~PȪ_n*pKzQ*ӁHh9(M>GӕC/`74!P'!5j d1u5~LjqTi֊@B,1ÆrG ]m:*ZD+XmfGSˆᠣws2PXHNT_f) S S1xCzę'~l}𒡪4xLف,˲F A򁝑w+3Cf&R׹zglo}fd-`=l-Qc_f\ ՜pxhP5bt>|cWsu>eHnYf(o1,XB9jr2\;jY)*/Z0Ybsmd d]{>XZnOy Z,U7ר0;Z6-53꯲UvvX$&(?*oL4aM^'Ph+&sK1{jA (fTFOrz >?)e> àhdR@ `KUrwSX˾;e:`YUrݔd3F ,><`^ 3UwA>Do+c2&Ӳa2ŽFnUݷ7hAvi.Sq\@HO|߭<$-To87y1z)sۘM+"[cHoD6 C(=ٶedyNc3lvoP)dKuG+%tVʜ@!2U0xLTZW]1gIq)ǭB1+RK/+q"l5t!hC5O!4 ?y̢V[Tn-!x;5sV{ 0l&Ջ!zɝm(Dveֳ""~i>t (rQck-Z*f\ĥ+ fSDQ-%YuXRO}fZ9bYT3*Vr+Hă&;7%7|^o2W;!q3-?ʖ۝3GCKo{DH5a+zFĮeaT#urq^XIg< 1gU 88X67^(֜2 ]C`#cPv&E0Aj~2q 2VZ+mЀaAf-yDk΃/vM&6kC({VEG5v3( K>BsM:LQDMm{" ,'_J5êM#4 j|`Μ<51 hK { #MsEy|6{LPi=IfNT9rl)*ث?qc?I-^ſj؄U(CaaR2AwOs{K?] {qiB_"NòoSx׮Hb*6A%nVl^"/FX΂. NMxsXtզ՞Cpn*(wgy{tZ6VD#RV#'x筚#]pV{ɫsTq =BHPt~c&g+fU>"u.Ͽ"6!X<ؼZc$40*g-bZ"{JiTˣ~wR8/ ݱ.nV c!.P4 ;wq0y(KMR?Ґ- t!I{z~jyXʜa;mNUI3/ԥ7)ܣe-I/Ǡ*DX^Yyp&Ieuc^N 3E9V[=n{fqpK(yx^z ٨ T)! 5p^]xDbM vI cK R |n[2kOE'iwQbls}qgko9l,~J ٿ*`Y`߶$w09w<4ϝ%%h([ ad!,:_:`uIuH+Dh\EMbr1 [ʤa-5J!e5 vU%E@HlL0QdbԨBW$u6zJ \CIG"2[9Ќ$Q-E~4j;iG28<>uѵ׹{~YaZe: Y/`p UFςyz*I6Bs^_>(Em'%P/_"*jM'ڡQ֐_3~Op<}9[=>UqҘm/B>f4z%!( sČ*9H;s'[@G\.d}2<<*.>ss2q=ʒk~44TgiC/pttJh4$.`hl/f c*F6ŞpÐVg꜡h3]O f2Po[/E_.W$[ehp>= s&6&MhFwkk-Yiʺsj;k>Kh, A[vz!1>i\:1bTԔCo'-@u! I3B;Rg|=ؗj>}g|0!.EYDm7Ǭ+'d!(\>VeCh٭(©ecB@.|pP<&Ic)`dK_9|Q΀I5i i=kᵷј֚qȈ/]H4D,e>Q W$jEx }cnP #L8$Ʈ0W?UM7%DltOo_Ҳ^%]sUÛ;< +"+" 'GC4uxsJgcJXjgxurSpUV]<  #ա遪{"/D8`)pS~Rҋq}^M3Igӯ/@MC3}£N1/ܻűK±[?Q{IAHF@, vzl?V9짛t 6x|_+,vhSK2B K09=t`!* :0SW3l3L{L#iQЄ(n~8-ڽ9#נ>9o}X:F\m{)hޑĝ ƕ"=)aQxv!BYS|}*}}읷n1=*w8P=jҖKtکXn֥EH88aomi~U Hꛙv NƚM g*sÜys3H~[XؤCω26%D_Δ'TȏH{N'|Ԅ4n9}#*_5ˀXr6]U+2'k6G¢SxT$8 ɖ ʍ\-o8#GlH 6;ͦ[.- /a<mrw:<Ʌuo:v)䚧Au7jHgѴ#n7r&јⳫjgn˪™yOC+fiR shH^g7) s8&Gz|5x6fbÄA铤s6,nyQ2mCEӚ=ox 6E AFk̚6?L鷃; 2Z:W|ZMfv́M"w6"3L'x= :q?X@iRXUE2rDҚ5C } J/{ DBiC.P*IH.v4oH4BKC ׭5=犗;xoD48[V*lS"9V:b6^Kߐ#akب3*&-#]B0́b+ɬ&E〕ٸtzC=\8z鯼{" F%ura44LZKgzbn$joˁR~ -(X3P~_?rզ_jHŒZhy:xqVwgUKmԑ.KDׂ0xܨJF Qmd|0̃KG=ps_H_24ZfqOIɞ_xY O?<:ƞt:fμ #@?wu0FZ1GYWښp~d=1vT&!KqX{r-J?C7|F\%@EBߖ!=Njr7z>3Ly"IzN $?1?#0EmKFڏP!TL%kųۃ\̮ֈ!0Z1P/Ġr6^{^ 3fqMaЦ+7}0?<_rp9=:(rme@>wRl9rƯ,V !~g=mBZvp2R@/_R[f(@3yK$BbuXᄬfXWz*'Evuٞ [Ϝ _s0ĕ.8>qd" Oqc''żcJi)x"WҰ,NA̸LwI@aQˆذ=̏pC,fPɮg bnC3Pa'A@ 켜 7(0掶˜t4|N %!o8./yп#o$JNW$}#fsn|zfȷ{D£t_+b![Cӆ]<^n~BG^~!b>.(țMDC ÃV&r iټ61JGcҹ`E#)'1eY#'':[3s V㏔3A1f_}K#<*Jla7Jog8nU2>W_~<\B ~ 濈-ETް+}t{`\rCGF4s,d{ MVPg~+ҷpHOQ fS$4V%5bI?';%|GuEqEpx N_i.n/%`BF "X%]_4S7)vCi{p.5ͅ)DT+DF>bKL6ӹQr" AyA1fuzǪ7h§P^V^GR܌RQc 9BSJE9ƕCkwbv6t;Ke>X r˿LiG 6{3Uv?0уL œbe Fb[OI`o8q?07MhD~{]Ig&.7&J3E걟`7C/ Ahm4# OD[tE]ȯtopw5h(eJG8 hQ5-$f1Aa@"a!`X"p"G֞qA>5)Ƕ!N$xT81.[hc?r 2c_gF5H٦>?pE8tJinW+j [oSizxEI9{H4:mEOh*K]oY' -pdҋ>etUGtQDTKR+n% !hũbӉRE25ŪϘD 1,]U.*]gR ?` k5q E+7f#hKF%3UL$ )th fHDS C|^Mh'X&֗ޒ;;'Ǽ7iq(BhNjm&+yyp<)бo m3=^+uNAUJȇ.n:v7i^5)2/L(?U Ƥmo+]Z]A >'CHsjh^R("lG+'vGgq4n Z>ByBfJ´fyvBi9qFtA('rYHoj{+]E?CG7=,m{0w kx2޷y)a oy#O~ 42gf-J;DQ,#?Ĺ|O^NLQb(qp*z|5P#pAe~+%^=S'b[M`)Z>"Q=*~}ڀnbC0mDtG~ǎ ڡ5dE 暿F{ lZu͢]ʂ4Ω-ơA'߂Cb$*5muڤ, ғfZp_SKocgAo. sє^ֱڎ릌{]ix]_̭ҌD0T ˜4\ i-I[Ģp).;KftLiܼ?bZ@OS'"S% 0ݗ{5(D*T[1DÂp N]Sw߫7oYj!/S\;~*Cs:v k=IQzqî$L7!U@WţK?`:e[ gDצ4 hN)$ߞPȺRV.79E:ĽKח;`O?r9˯ffU}qU:խbT?/MȾ:ah}ssnֆ(=,why=3ѺGuX> /C".QنHE}Tgio•K.pHVsK.Zdh ƽ5hrɩUm?srŲ`f9V#<7@߭B RYٚ !+tAp64({BwC;.7 }]ZN;dB,RwjUXg#ygPcg.5- HjP0CV ?_sPfТ 7{^̢ܶXkpyv`J|jY[MHG>OwkdD&it*XhvVc${s$m6Ǵ RVW 5uCshkTA=]ʤ2h٤~xHyaBM3rF +nȭZ99W2CNUEt{/]C8 y\ňDQj+o1jJ#Na*啙RTkHp(uzbB["TbQ dc$B\E5=)s5.ycvwW8(&6pG-\-[%L? H__$P{ǪzWMo°I  $Z3mI5.f+kwhxE80{;T܍'Mأ*jR_T "$ԕm ҅>8Ԝiթ^h1{n6EG}/ $n,Bx, r'Lb=kL:z#TE0m`'V$-#SϽ@MķHއvqAgEQ:hn/ۥNE2-1pU 27x;sɿfN`~(2צ%p(~)g;z d/t5mU"Xw͛/ݻ-V棔!$*EHK[< 9FhHS66to X~s&vkk ~Y`laKnA2wq@g RP T';mg{3<'PX怽B7f@_룴 f$(SbSk&زcZ@!SWO!ڈF|d;J8(|AC{Xװ2?B=&%s*b4⫄Nn*;0+(:F$q4+p6 U%9Jg24QQ,rp7>lZߠkdŊ˕:Uh؃ڛq;i6:z̷29QUP6(VSoD!ĭC˔‰ʝz&>}˔- ]p<%c2n1}'_)΍QAHd <,g>CT*9 V.7He?=S e3gPa{<ɗ5 qx SlzuGP"g!ooޟ,țKǬg|՚"zKwm Y~<ɥs?RWgu] Y/kyxpGMV ),l+j  TH3: :F*ݕ&}&m8.+I@n9&88_\.)9"SEXѼ:|`#e^Y.Nm;-DtFkF91{ RmF,a>^Sӵ`Hqt-)vأK-Y+vkj }B0 **Wa=6&v4nĸM{'P 8Y~&#6Z۟OSd[(0griשg϶oIiXg+;mO tUD :[kͲUR^jBCZDiZ^2˷ǟYZ'-"$,gQx*%zHGWym{mm)m/`@-p #A!ijk3#Ճwik8:Fx/[;#ʻqגZ2Y6|sM)##~ł q@\f[lT.mwܫ|]E?SV>b\{pL25_trʹܶ Ӑ'FϦaaF'ZN>K%S5W|\g&* Zns7z̀A`g5,g #dy4 z, R=X|z .Z+@- W1ՒmnʻSm_Xܹ)S"cl3`gn49p0}toJEhّ̼KSp/ϙ ESEQʀ/\I&=[yS9IjIo/0VٟBNq ܾL Q^&^p ",^.-;Kٯ N70gᨩ9s_ILwX !1Ɛ?t c+h"+M#( !Zv}!K]F¤sjv{p_jyB_8V4r >c<[o୽9̴ojZ'Llu&K| =|@H|;*+QP~RQr(XnOC[s X 篔.~l /Gg9>̕TsaX6?.ߞcC)Vs֗a-/MԬ` oy9]) ۤv.+q'jѺA}_.vuR4k]0ObCp" 3JI: CH}ZE}? <[g@B 硻vҲfcApg:qmOoʹu@e S@$Wzl'꿾穙d`rf"S)#jMم*#'S{CY!M[cQ7&q緾Lb ;O?x4ۖy?9f 7VeM0n6mt]Уvb]@k]F+I`mތ!98VtW{{_C8v9U5XȞ8+b0?k/UNhdpxq_QHNcBb]I^4{zʴ#&SJ y,ʛ2?3{ZxDf9c+]и4kǮvt>XpO 8Hj,kos{ =VFq6/,؟v3Y,cG O^T'tF!"jk1ePcxAh[~@|Tq^IϔvzG|,K-U5SNHtOc-S˂'X M#6oBh(J vuio$~̖?gJ#VShagHצa ] x V"pɵf.7+27ыyȑG-7TK J>+Rf9jWi#,p}0G+_bk2_2n$0#v܍. 9 E@BB?}y Jt>`›!=K<>Ʈ&.ڲ|lן^OmX&ve aX'jCh~pO"W9[v*jew`>.IEC"lS{vxN ad:8j,6 k:$ xs&>HУ\DZ;eZfͤ>L'ȭq=۱P%^konxT]`3 mM<\#`p.nT.mtmm)twdO|yV~BXB lv6IBb@ޗs IW'dLS>%֛&>)ݣmg0fR]+ T+S=Ybs˾qwɁXv;\-fT2HYn'fbj]yp?PJvqp~k ay,2+EeH3PB*YfSLc]ܒ w'n Th, ݁# dmqԛ!իKW$] PO;?4KZf>p)Gk(u1mgr(L\cHYFgj KH X3WƉ WVȡgRr(쨭\uQ0Qovҵ2B]>1yrrH$R$%prn&֏Ը^{C#*kDbtb] +toNǾ#RN=%"'+?=υw]-Dn0(w f- ?l1غ~o+n+Gj"Ƹ_)-,0ѻ'QRig V5,DHl)D3Z2+Z[i-ߪKsWy[C_ w_ hN ;w0QF|fW]ܗJѥZ 2u =ד_ LyL`qE`ZKtПc7Ǝ"zGݯ)I4hOڐ"MWE[w]s*ƅՃ'qqu-?ZUI8H_ 3i3R-VD枊`cN>r[oۄ ;h wt/7}'Vp5[t'FfwIFwtkL (De,#UXԇBW 33.!_hreEAz~ƏWPz:Vuep`=j1<.^AecQcx8R*Ӷ8Ke.MF maX'oƒ(;neeu*u$.^L(e|?\F%.wg1q1 ޔiO5}ۚ;+ !B@\8 Oٷ*;v476 UkE&W@ yŷQ5WFųOWn/:\\h(~h\ʦ947VhV8]4 @*sT+7Q " 0Ŀ4)S84+˶EGaԛ _QC_I҇삥;ƀy}߳(qU ?(?-@M_h̆U/yɒq hهO@ A1DmS/W8;lRPSN!fJGhr)TʯBvR'Zl9#E[%]P*kF+; _| x @c"ˁ>]8-J?%-ȍ6?wvmJ5!s~9fUZ9<ͬe[-cZL$SZ9[|-ZR΋wa%i%h'wR]852{-߇:tIdp:f}b)+ NDx< VDY'ɥe1$6@:u/M\u%YLٲP |~ vJ9b:7n׶AFL `Ю)鹭*M_ 0o~Gwezi3E3:F^* jS v1l+7o (*w${.n/٧@Ep"~D DCxbԱ!0MJ6 R $Y;+{nǞ8uELa/',.c'}226̑;cCID ._5ϞQϞ 91ZNQݏhN0,Z)+͜7z\YI Sbnb4:P/Q&pa3).&;)IFbU!rw;-"F('ޗ cЦAVj E[s&QaUgOgy_Ӿg5ac!Iah\ΕO %7NCZj$0^@Baۍ&%Jo\nd Fw@$٨ _1.&ӮWç0nD|~2^*94y8*~N}W06bT6{;vp.N;:ط*BRx i VĴX}m]qnʆtJ:'}"?bz􃭔 qQeyV5OW=P/m\|c jJm҈srs&kՅ9IvvUUR/?#\]::y/wS]WMChBJtɞf9Czcjr+~.HL[f8kJmW敏.]/7RY EZVt=}$S`]ʬ^;&^0g,n~4?9y 7 etP@R&LŒXtrx(Ʒ 2 Ǝľ*;Otf= ̖VoMV+Axw^hhMݎzMU ӥ߷ \3eYJ8ƺ%gY Z;X-ڌ}&Mn Ut/qWiEIwi]Y DÒ0dYWfm*RdQ7 #P{$|/rQf p2;Z֫7|d!^HWJhQR'wfNj&1^I03lLV`G6wЖ=s[\TL4g/:kHU92>=E~um )^b{v- (?:)Sk]*I*_F!~ptD{ cL+= NEK zP9]\[1",&ޥc1DbE .9Qs'|FhH VWx7u3kuqJ [p }ںYHV.FGxLPac_ Z@%&`8IuݟUhH|-j&[Xz͹&DC&Z; '7 =oZ@?Tk|DG RQ6g@c2??hRDsD tP `tʚTDw*1x!]?"V둎Қ ;K&D>(PY~ݨZccwAnlBI3oN~}=9. |3xHn]%HnဤLBĔ/H HO XfL`H{LCM}0{Gwm2 Gadfr%WI/7|)`rXٺT>e%!@]c ]שl{2d415C0^ ?_VPT4P닃`й.,2ӗcxJpitnqYu栁󛌪^zcq#y_bwdIfp1kգ|\PmOJyC4+2v΄So5fu&{Hm@$%u*BΤUteP py`)H@jR@٦P߸/9~PcNnqS_8DIsV:*楳1 tVp?xjdqd %6ZzwvJ2[c1=)hKP^ i.ٹ3FƲpB8u[PF &A0~HI`:ld4/&{ɬ-g#a<- KL 6_ ha.' $É"UL8nˇ2t>$u2FZlsxtwmhXeIVT$ǥa7@1O ؼ73Ss^GdgT+ڔyCx^2W٠2OI@U~jrXؙ2~2øbv#Lx'GM.*+8Ť{;"T^ޜLQI %PiПN‘!IcM"gWFTT-r(([O޿Fϰ.6ڱHk2{U{⨐vѣ dcہ\r4lIV z{Y1qr09#E4j~oSGz"hw K>WhñY9s뗦!ZtfbK==wliCG)ѦwM bP-L4nSEdH1^<0-]?.D)>MaD5[ 0LT5K݊}Nޔ ]˷Y='ۯ{cxmiaf]2XNU4Z ʆ&)a0.&m#E|'ZiE~g;ͶmJ?x"{\0* 8HPl}*GddLl;~@X½$dwmg'2R׎-o @ema}xد5 ór2.w\CM D3rw8P Vԕ.|7`mkDp+*(ߡb8N]l=mBq,7b:qP^ÉNtu5t0n4k#tg4 M#%|"L^(Y:y"&45tgJ{B6T>2-7D~`TxY%kmj֝ 8j$ZNlq.V8DF }Aƈ@<iEK!Ɉ§O%nvϻ0eǃ,t^Y1ܴ, m'ϸG_ZߊZb^}_^%~, ZCL)0m9Nwo> v% [lAP%$˝v x L`%rn!\k^"^n 8qebk"I!v=1}}=Jx +pnZ%q(I.= 15] ]0Nc܈uN{]UpV'&;xko9;h_29~:6B@=) 0>'K8AJdH|#m˄(kd37Ld$ g 8D@X3NxIUH%Z'| ޥ"ƃ GU_ RkK9?9L,c6=Rp+bRn+լDsEn]p.5b6]Y۱$T}-ӻ ʰW~kQϽzs{NSFFW'5[n8+8pQ~*S8ۃKr[J(@0f]W6>"Jtn PHҫ2%ibEq\^k(=f HeLݲKI>i\F7l|;'pR./c";aXV ڶ1qJTڍ;b 2G_&EB%0#lo4|$UG{G_EquÙ}ڧhC7:mME2R v! &}B@yIϝtdv[Y,FvC^X/HמYiN 왰>z|sҴ:iEfհLNu0sx!njx͸!]mѱwVXwXgvi؎e{cnuT#_[3鸺 sW6U/ wbtUkcP7H*Y88H #U;+1q#Suz d=]2dCl/dGV݌T(4<)}]=N B9vf9:FcS#Uf7YUMRڞHq\aAv: v$a^<s )oɞр96ŪsW2ߛfVs)1&v$yU\βKjƝ7QO" -עBPoJ[.,H=1_H>ɶ^yB{yO)9ŮNFaUiMJs+1Yo1%G].Cn6d 4Z ԁ.>cq?u^`-1*v]z 55v{Hago&Xq&'a߂uR看x`:G@9]js%[y%Zg]T=2@RN)ס;X {X3uB"+Mu"Κj\~՗D[ ȯfD`,ieFssKqftNZABܢ=**)*'̭zF+i2M2ODZAHPw7ibB,9 vI硍KzSd!{،߁SbsvZ>aP(3׊R|ZL l(`7V|!T d.mz@uG sI|9okCUY5!"\ 'Eg28Y5̛KUP_]E[S y1tFcٗ Ha[Ä\Qm/Q1:,܎aa\ Bxa k])S}K(k,E/^iR}Hߐ/C3>nh;ݽP՝WZSAeqZV)5uՄU!Y{ҡ1ecEEj{.YzM!Z-ZY= s.F~*$>rvZh m>ZjAJla 0.HH2hFp 7dO~姸 Q3*9ZپoTMeLOi ֯;KB!1bH-X,~y~qcTdNO _)JD1aǓ2=jwqj.}9epX^%^S׭}9I6UdcCc长C<-<(A ?2ι?f(TnPz[I1= "S!_)̀HkMݫ〚ldq۪)֟80.W oA$01f#j՞兒SڬK~5 =']M# +xpM<eW"Vs 8 J4#ڕZ8"(9Yt񏎓PJ&LguARٻE_sXȸWϵU򰝺nT57G/ 3Eoosz΀I>-6~V 5 Eh+)JʨIQ} 712os$:J{sZ=CN/4_SPhK y> 2JD]bxסFOܦWvn/k uOPI#:߈HUpRQ=\| 9a |๞p-hhUUmi[.Ծ@FۻkKh+-Bba}A)p E0˕/=@4Q6G1+PزU5bH6`:oTP#=v{pA{Q(a>@9'X,w;[MlJsu8JuQO N];,|[o dtP+?{kX4Νqo*n% xm v4O C} qc`cK'8ÕG1LŒc[2U+l 2x嗑D?Ȳ.C30.*ڢ1olu3N4Է{7Z}"*_9c2r(wi .yg,m a̵͖l%&Ҿ]r>LrWb\˗Px\&iC2O}۴M&QGr qzj$B#OgnHx_[5܌†'agdBϟ&l5?Jy%PXl gQ*>!k2MBñWWATlTR6qV)9[B^,6w?B`]s&Vr@ץt}8l0Z~!s*_?<q}Mqa46ҷ$E :lTw2L܃̆8'Gm]*."V^kD{1V1zئfTv_n @()r~(Xuqg*4<au|ᩂ4d#:U5-|\!4}ǢpuNnҦ"C?EԈ[*MIXyj&38JnCC̓PZM<q}]z]m1K${'28)cM/C$̯V,ASECӹ7 ї"Bxf&εfdt'PP!6[ŖSÒYqeh6Z7% <K}G$[þ| )"YL7LyL4iG*YD+i2 *X}L1WeoT45?¿G۪}w{B`CKhqQX|2Z _(4#lȴ埦vN;߯61fv`Ik #%M:?ο$@F݇-^ZҳEHCumfN8`~FMk:9¸'vsHuXCF} P+Φp&~ ʴL;g& %IUrBa*ϒxqpN ;4]y|yԈcb)4Z].U^7fU1~DZԤߑDY^eD&[H٭'ұY>zmKQK~Fxbj; UȎ8+t]= jĭ4.|^bk"mM{kÍ2DF]{7r40cRWCcۇR1 lLSPI}ߠDZsD1 lnw54{!>3.׌9g [*)#P5wuN}k_cgPKt(%>أ,4~یQVgᾇR-~MÍֽydX`]:)J04cGd3F%e+J+^4XM?a ͦQ_I5 6&%ZcX}`L!$-āT]p9qb-t~L 0p">iua3NO4XO={a\ s~OJ_ {ۏSa ?)t@`!fU#Jl_UyXsim1d^"n5FEK0ǔرR1ATa/!{W>K2˺>Q4_Ai V驰-&R^TnONR]4l~P Ta=[uB ]B-^_ :IуvZPB)xj]IAWhM|!;ӹ?6j2psM/cvP^vWtl5sثjЙ䓁ƭͰ]E棴\V\#^z>l{&>+KH EѦqp/5CxvP]Fqkb41kS/lK[=`g>$t w-ֺ\QG"u 񶘴/apIn- 2ų}:R|i˔pz ~/cP)vE弐B$R05{ԍ H_koU,;9ɻZ4`tIgW]XV&t k"D ~% шybos,b'yXZ_^67P:;?n'!->H-wl5Q wMcةa_y99/plTEc7vS>IJ^3.kKȣ P3Ѫ:SQ[ض.35.P\ o-|b?-wAϯޖ Jcj3M8 "J tx2b%x_#2#se8l+ב ICyS yzP_k..`Ln EkĆq*BQɝ1[ȧ ~6v 9p{&C3 Q}Ҿ\k/GXϽ{8RLO<ay-\U*gN^pvl|rsj1>{ojBeV]}\0-់6GokW~wU}| lW۝źW=1_陗ᯒhz"yl dh⬼KTv}12̞-I1̖df]Bj臙EMK9츨HDk [BJlmxvr l4߉hZٕdzF(E )_!Sl?nK;q/d0've"5EČ~ҐC˛ -LaLjofy͎>b߿3gh`6uHqF"(jKJNAu4,j\* }r0҂ODO䠦{X߱>4!'Gj D <؛ie༹ÖAWu+Y Fy}y='UZ^Et_g) L~)}y!h&`Ԝ@J%N]thnN9.¬fjlZ*i(.TV&%xC26JG09cBsω ̥7\<+(9 "P$r9Oz0D&?um@W|*8ЮG:=U۝\x3&(3-$R Nz/)·/* 2*hLo_Fed$,u)X~E@Bh}B 1S'1_IctPE0&H#gr)Gf8?ɋ0 -2G-D( mE P;UzWeM\)x{=/ %+V "^#sCnOnDOPAMג ;4^ &EhS\_)Hx~Caѱ4ܮ=y&U΁Tfc~ TPs5 <*:ЌyQļm]p}?B k!І?De} v**ۯ=7hTڒ.3vfI+zʪ|gzj =SֽG_S]p_a1$\3S[ EͣjDC֝ nk!gXՉꃤ1<<-T.k wҜ7X,29x9D '#V+# kI˻Q>@L F J/N|̾o_ݪ)N ' ,uӓv}*+G*Ij^M[š.+ֻ Xu#Ԟc}bjJ+ ܨ1gC TCZ_`jb-P&>?=d!n)좹La4^ϕ"qhhi3RpqX:Oh =HZ/^ŶCSXG,㢖QiX\ )ѬAE.@wv;5_wb[v[.2i7`.'ic̔mxdφһKf,_['/?kLiAKN֪b j|-*_D OzN?}/RoUfsLq?YV Xeb!M 6#FM =sPftZP[CMR!;~l皣3_т4,,&Mkk ׍oA{'& ٗ7SS& _0x >{JT _@q ؘڡשU yyt5T "fN &=xE_DITBPxВ]!ʚi{%͢m)X4+M?_r4>o ߌpӳd~QmU4xc̿2W2S Nklǒ$1 e50cLzqgmqѕ`oI~1j_©2>+;P  ~օTZH룸S^lPb1 -s> .Pطyt:eoEqAY5)_{njyR>bϮ帵~g0 p9ky*f;愈qQ0Vn@Z}H:~f0 #MlL4%-XJebWh/"gC ?9Уf2?pZoEGx֟%/~?B U8m0nr:ם~ e-/r_{4hF5(דcr7miRc͚1տɚK3{ /2Ajxjz 퐴Mx苅?p*kĚ_P,4ۏy^.ɌRW~)x5?4(`9/`&P3pxit\C>P3ᰔmֵqvry0Vm5`yRTu=F]UA|i(4^GOPlz)ǻ=l]ɥ ڤЪKcHs%/_]B.(r7ē`As]~x܀ VqsDh*{x2M YbhFYfK=Q`KT xl ΋XfqeJ>O^6gAX_e:nOF&6)t坧) glpE j*%,kjpy1/,&Ԁ"}#Ñ{Ԃ$[ 'ìKLY[1Cp8/R}ʗB l1݅Dd ~ώYQXS}=Tٿ%&;ogZY "22Gx>'Z @![SHJBW 4I}8+!0ZS7DJv~V?Ja*PHuIi_{IuaxnRda{`?Ұ#A_rTLS$=nߦ2/R[nРIp@>sR4Hbut2MxAv\u[bVrض55Q|DɮM55iX}{}欀ʕK Zq񨙙,I?'7cgD5|2{@faZD;q2n\NA8呠T]fP?kf4OxZ&M7R =-(ǚ僷!Tq`'1}k|痾E3tQ$8r[r{mKxoy13kt{b]p8l_lTٌ?-JKaxiu@/j~Wa<Bm-:0~B^?uL*P"WD0E4V4ĽQlAZՐYL֯I/@cMҬFZ_[n'<~_)oM\cؚm}NJ6NEPG̀Z0s9L.v~L@S}sیq{Ge=Ck?I2.eIyñ< 6#'ncXD-[p(;l╩D*= ]#թniҪ G]mp3`I#"ج?g5K!GLT\cj/uAA\zю73ooglNLO/cl8U# ],?-ab0&n\-Q\@BQ^a;Ԗo k|k"4y/C1wdMFr~I $R:UBEds;؁}&B-)f=]<Ǧd"2yEO-pGl5=Zgf%mL\\cm[ GOjwg+DWH+~d z`x`$gšYdƁ4 \.*vr5zy$k{w9Z*[tX@KodS݄"u\}e&ᑖU;n"l X`B?YVԚ۽+mҏ@ u9 ߂@No|l U~1]^?rkҫj(ڞf"]6>WQіp% Sfc!ͶuFĞ"3;4O UCx9}-@nJ\t+MHu%f^FqH0>f|Ȏ7_KÂ-:I UwdMY4 Q3g<_zAu#/cvM$^]t_k* )^L)o}cL5&X\پNbFc~M`I)@> OmN2Rm6u:;sQDuUC&0j@P@#XXgB5J=!ݼ \x( IsVvVr}X˗:'y2yV城 u>~#4FEp}KjT C(aVbSV`sј w)."G\XVjWۮoj#-2ۻ&$\$;MKjrq *z~qk)G/rvR Kf(ػ5GCݢW"I1܊};B_nƃ ;g58+`a==(!-zXl.8fb0CL|Y {sO w4v<,n {=zlD[WSZDPcJKߗUKo8 %]=$\2ļtF?Ur__W-Vd; '3!y tķ]cF{3(]"OW>+ tE CdaX VaLÐ=t̃ AĤq0[{sy̽:FtA#A 3_$ط &֎&{_/^)B-Z<@g=8sk6!E d-G"Ac~bM~wF*\ÁʊD63@§-V7U4I#/`pWn@5 &2}IckGh_?#֋SpQ[-Pw" +n_LD&֒дmѰN>T]GN>V{}Sq xn,wr(x80K)GYv| $p 3sgfn!aaI-/|}tal[jlHk",s=䉒` Y9R VB-:/NAΞx^;Kfzr +^gN\V}jV~VD:DczEЈx B+WiLG0WȠ>onzlLj{o<Z{l3WʥE% (b`SŠ/:/>p1 ,$U@rlA)ɁK" @*O*dJb#+ܐsp*04^ `D׵:Ĕa=z%HlE&U6{q#ʧ\~oWdT>x߿PۥbGSqe[3o3ŋk*ӯ="( :Hy'`CB AmMqם܍ 3,)m&ֶ5DPq**n0g(A3&Ej7$HD"58%;]^=@Es7\˴_ei5&. XH4zݷwAH3 uI/#o7l@ Er D9H%[ONi42MR-}X4ܨ&des[49O.R4Z܊bԠCcy:a6zxEV%4'J{F{+>ޥyXʹnl?N/Y'ntLJ_#u hc~nA H`SZ$G!nU'ι:v)OPca )lk;WX8Ǵt G.߰IAUbtf4mxWRtB (MSGb=.w41Ax 8:eCt)lgI&26ϝFmg$>N#.a?5V$C2h{L]Ղf喎6XdaƋXkYOoZbKP\TpFOZt-)a3W1z'K vt,GGMhȐN۷&P|xa/);0.z9 7^~cCڑpO'ͳN-!|K'D~OI@Cz5Շ>>PkU[#1{O.qS]Iu%.GAVzNׂ@0"H]vpk\Nׇ-87Hw>zMJ}:W8 8 ӻd/x\nJ |kA}ܱSg#XӔؒs v4.ߘjHPb62w׈C"Np;uBڶݳRL`Q2t׎P )ÕY,CFihVhp|J[81 PBs-- ƂLNOy=cyoާڍ$L!Q|:h(fʄNbzj̷&Q-HQ- >6 dVuV<e2Ɠϊ.)Ķ YZ