From patchwork Tue Aug 4 01:34:27 2020
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 11699389
Subject: [RFC,selinux-notebook PATCH 11/18] postgresql: update PostgreSQL SELinux Support section
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:34:27 -0400
Message-ID: <159650486774.8961.2667775016658143771.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>

From: Richard Haines

Removed image 24 and replaced with a table, also reformatted to use only markdown. Added a section index to see if useful.

Signed-off-by: Richard Haines
Signed-off-by: Paul Moore
---
 src/images/24-database-table.png | Bin
 src/postgresql.md | 141 +++++++++++++++-----------------------
 2 files changed, 57 insertions(+), 84 deletions(-)
 delete mode 100644 src/images/24-database-table.png
diff --git a/src/images/24-database-table.png b/src/images/24-database-table.png deleted file mode 100644 index f1d81fcb0c6852be8d252c7fd94a1445b38f3b34..0000000000000000000000000000000000000000 GIT binary patch
- ## sepgsql Overview The *sepgsql* extension adds SELinux mandatory access controls (MAC) to database objects such as tables, columns, views, functions, schemas and -sequences. **Figure 24: Database Security Context Information** shows a simple -database with one table, two columns and three rows, each with their object -class and associated security context (the [**Internal Tables**](#internal-tables) +sequences. **Table 1: Database Security Context Information** shows a simple +database with one table and two columns, each with their object class and +associated security context (the [**Internal Tables**](#internal-tables) section shows these entries from the *testdb* database in the [**Notebook sepgsql Example**](notebook-examples/sepgsql/testdb-example.sql). The database object classes and permissions are described in [**Appendix A - Object Classes and Permissions**](object_classes_permissions.md#database-object-classes). 
-![](./images/24-database-table.png) +| | +| :---: | +| **database** (*db_database*) - context = 'unconfined_u:object_r:postgresql_db_t:s0' This context is inherited from the database directory label - ls -Z /var/lib/pgsql/data | +| **schema** (*db_schema*) - security_label = 'unconfined_u:object_r:sepgsql_schema_t:s0:c10' | +| **table** (*db_table*) - security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c20' | + +| | | +| :---: | :---: | +| **column 1** (*db_column*) - security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c30' | **column 2** - (*db_column*) security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c40' | -**Figure 24: Database Security Context Information** - *Showing the security -contexts that can be associated to a schema, table and columns.* +**Table 1: Database Security Context Information** - *Showing the security contexts that can be associated to a schema, table and columns.* To use SE-PostgreSQL each Linux user must have a valid PostgreSQL database role (not to be confused with an SELinux role). The default @@ -68,9 +82,7 @@ with AVC audits being logged via the standard PostgreSQL logfile as described in the [**Logging Security Events**](#logging-security-events) section. -
- -### Installing SE-PostgreSQL +## Installing SE-PostgreSQL The [**https://www.postgresql.org/docs/11/sepgsql.html**](https://www.postgresql.org/docs/11/sepgsql.html) page contains all the information required to install the *sepgsql* extension. @@ -79,7 +91,7 @@ There are also instructions in the [**Notebook sepgsql Example - README**](notebook-examples/sepgsql/README.md) that describes building the example database used in the sections below. -### *SECURITY LABEL* SQL Command +## *SECURITY LABEL* SQL Command The '*SECURITY LABEL*' SQL command has been added to PostgreSQL to allow security providers to label or change a label on database objects. @@ -102,34 +114,32 @@ SECURITY LABEL ON COLUMN test_ns.info.email_addr IS 'unconfined_u:object_r:sepgsql_table_t:s0:c40'; ``` -### Additional SQL Functions +## Additional SQL Functions The following functions have been added: - - - - - - - - - - - - - - - - - - - -
sepgsql_getcon()Returns the client security context.
sepgsql_mcstrans_in(text con)Translates the readable range of the context into raw format provided the mcstransd daemon is running.
sepgsql_mcstrans_out(text con)Translates the raw range of the context into readable format provided the mcstransd daemon is running.
sepgsql_restorecon(text specfile)Sets security contexts on all database objects (must be superuser) according to the specfile. This is normally used for initialisation of the database by the sepgsql.sql script. If the parameter is NULL, then the default sepgsql_contexts file is used. See selabel_db(5) details.
- -
- -### *postgresql.conf* Entries +*sepgsql_getcon()* + +Returns the client security context. + +*sepgsql_mcstrans_in(text con)* + +Translates the readable *range* of the context into raw format provided the +***mcstransd**(8)* daemon is running. + +*sepgsql_mcstrans_out(text con)* + +Translates the raw *range* of the context into readable format provided the +***mcstransd**(8)* daemon is running. + +*sepgsql_restorecon(text specfile)* + +Sets security contexts on all database objects (must be superuser) according +to the *specfile*. This is normally used for initialisation of the database +by the *sepgsql.sql* script. If the parameter is NULL, then the default +*sepgsql_contexts* file is used. See ***selabel_db**(5)* details. + +## *postgresql.conf* Entries The *postgresql.conf* file supports the following additional entries to enable and manage SE-PostgreSQL: @@ -167,9 +177,7 @@ on (1 row) ``` -
- -### Logging Security Events +## Logging Security Events SE-PostgreSQL manages its own AVC audit entries in the standard PostgreSQL log normally located within the */var/lib/pgsql/data/pg_log* @@ -177,9 +185,7 @@ directory and by default only errors are logged (Note that there are no SE-PostgreSQL AVC entries added to the standard *audit.log*). The '*sepgsql.debug_audit = on*' can be set to log all audit events. -
- -### Internal Tables +## Internal Tables To support the overall database operation PostgreSQL has internal tables in the system catalog that hold information relating to databases, @@ -188,46 +194,15 @@ that holds the security label and other references. The *pg_seclabel* is shown in the table below and has been taken from . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeReferencesComments
objoidoidany OID columnThe OID of the object this security label pertains to.
classoidoidpg_class.oidThe OID of the system catalog this object appears in.
objsubidint4For a security label on a table column, this is the column number (the objoid and classoid refer to the table itself). For all other objects this column is zero.
providertextThe label provider associated with this label. Currently only SELinux is supported.
labeltextThe security label applied to this object.
+ +| **Name** | **Type** | **References** | **Comments** | +| -------- | -------- | -------------- | ------------ | +| objoid | oid | any OID column | The OID of the object this security label pertains to. | +| classoid | oid | pg_class.oid | The OID of the system catalog this object appears in. | +| objsubid | int4 | | For a security label on a table column, this is the column number (the *objoid* and *classoid* refer to the table itself). For all other objects this column is zero. | +| provider | text | | The label provider associated with this label. Currently only SELinux is supported. | +| label | text | | The security label applied to this object. | + These are entries taken from a '*SELECT * FROM pg_seclabel;*' command that refers to the example *testdb* database built using the @@ -260,8 +235,6 @@ objoid|classoid|objsubid|objtype|objnamespace| objname | provider| label | | | | | email_addr | | ``` -
- ---
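Review bot: In the sepgsql Overview hunk, the **database** cell of the new Table 1 runs the context value straight into "This context is inherited from the database directory label - ls -Z /var/lib/pgsql/data", so the label, the explanation and the shell command render as one unbroken string. Put `ls -Z /var/lib/pgsql/data` in backticks and move the "inherited from the database directory label" remark into the paragraph above the table or into a sentence under the caption. The two column cells are also inconsistent: column 1 reads "**column 1** (*db_column*) - security_label = ..." while column 2 reads "**column 2** - (*db_column*) security_label = ...", so the dash in column 2 should move after the class name. Both tables start with an empty header row (`| |`), which some renderers show as a blank bar, and the Table 1 caption is left as one long line while the surrounding text is wrapped.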
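Review bot: The heading change from `###` to `##`, first seen at "Installing SE-PostgreSQL" in the @@ -68,9 +82,7 @@ hunk and repeated for every later section, turns these sections into siblings of "## sepgsql Overview" rather than its subsections, and the commit message does not mention it. If the flatter structure is wanted for the new section index, say so in the commit message so the change is not read as incidental. The in-page links such as `#internal-tables` and `#logging-security-events` are derived from the heading text and are not affected by the level change.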
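Review bot: In the @@ -102,34 +114,32 @@ hunk the function reference is converted to loose paragraphs with each signature as a stand-alone italic line, while the *pg_seclabel* table in the Internal Tables hunk of this same patch is converted to a markdown table. A two-column markdown table (function, description) here would keep the four entries scannable and consistent with that later table. The last entry also carries over a missing word from the old text: "See ***selabel_db**(5)* details." should read "See ***selabel_db**(5)* for details."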