pax_global_header00006660000000000000000000000064147621173720014524gustar00rootroot0000000000000052 comment=8e9157bbeea1899b7b8b257e7eaa71efef3fffed secilc-3.8.1/000077500000000000000000000000001476211737200127775ustar00rootroot00000000000000secilc-3.8.1/.gitignore000066400000000000000000000002211476211737200147620ustar00rootroot00000000000000secilc secilc.8 secil2conf secil2conf.8 secil2tree secil2tree.8 policy.* file_contexts docs/html docs/pdf docs/tmp opt-actual.bin opt-actual.cil secilc-3.8.1/LICENSE000066400000000000000000000033121476211737200140030ustar00rootroot00000000000000All files are licensed under the FreeBSD license, except for third party components, which are subject to their respective licenses as specified in their source files. FreeBSD License Copyright 2011 Tresys Technology, LLC. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of Tresys Technology, LLC. secilc-3.8.1/Makefile000066400000000000000000000047351476211737200144500ustar00rootroot00000000000000PREFIX ?= /usr BINDIR ?= $(PREFIX)/bin MANDIR ?= $(PREFIX)/share/man SECILC = secilc SECILC_SRCS := secilc.c SECILC_OBJS := $(patsubst %.c,%.o,$(SECILC_SRCS)) SECIL2CONF = secil2conf SECIL2CONF_SRCS := secil2conf.c SECIL2CONF_OBJS := $(patsubst %.c,%.o,$(SECIL2CONF_SRCS)) SECIL2TREE = secil2tree SECIL2TREE_SRCS := secil2tree.c SECIL2TREE_OBJS := $(patsubst %.c,%.o,$(SECIL2TREE_SRCS)) SECILC_MANPAGE = secilc.8 SECIL2CONF_MANPAGE = secil2conf.8 SECIL2TREE_MANPAGE = secil2tree.8 XMLTO = xmlto DIFF = diff CHECKPOLICY = checkpolicy POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ') CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused override CFLAGS += -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 override LDLIBS += -lsepol all: $(SECILC) $(SECIL2CONF) $(SECIL2TREE) man $(SECILC): $(SECILC_OBJS) $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) test: $(SECILC) ./$(SECILC) test/policy.cil ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null $(DIFF) test/opt-expected.cil 
opt-actual.cil $(SECIL2CONF): $(SECIL2CONF_OBJS) $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) $(SECIL2TREE): $(SECIL2TREE_OBJS) $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) man: $(SECILC_MANPAGE) $(SECIL2CONF_MANPAGE) $(SECIL2TREE_MANPAGE) $(SECILC_MANPAGE): $(SECILC_MANPAGE).xml $(XMLTO) man $(SECILC_MANPAGE).xml $(SECIL2CONF_MANPAGE): $(SECIL2CONF_MANPAGE).xml $(XMLTO) man $(SECIL2CONF_MANPAGE).xml $(SECIL2TREE_MANPAGE): $(SECIL2TREE_MANPAGE).xml $(XMLTO) man $(SECIL2TREE_MANPAGE).xml install: all man -mkdir -p $(DESTDIR)$(BINDIR) -mkdir -p $(DESTDIR)$(MANDIR)/man8 install -m 755 $(SECILC) $(DESTDIR)$(BINDIR) install -m 755 $(SECIL2CONF) $(DESTDIR)$(BINDIR) install -m 755 $(SECIL2TREE) $(DESTDIR)$(BINDIR) install -m 644 $(SECILC_MANPAGE) $(DESTDIR)$(MANDIR)/man8 install -m 644 $(SECIL2CONF_MANPAGE) $(DESTDIR)$(MANDIR)/man8 install -m 644 $(SECIL2TREE_MANPAGE) $(DESTDIR)$(MANDIR)/man8 doc: $(MAKE) -C docs clean: rm -f $(SECILC) rm -f $(SECILC_OBJS) rm -f $(SECIL2CONF) rm -f $(SECIL2CONF_OBJS) rm -f $(SECIL2TREE) rm -f $(SECIL2TREE_OBJS) rm -f policy.* rm -f file_contexts rm -f $(SECILC_MANPAGE) rm -f $(SECIL2CONF_MANPAGE) rm -f $(SECIL2TREE_MANPAGE) rm -f opt-actual.cil rm -f opt-actual.bin $(MAKE) -C docs clean relabel: .PHONY: all clean test install doc relabel man secilc-3.8.1/README000066400000000000000000000030661476211737200136640ustar00rootroot00000000000000SELinux Common Intermediate Language (CIL) Compiler INTRODUCTION The SELinux CIL Compiler is a compiler that converts the CIL language as described on the CIL design wiki into a kernel binary policy file. Please see the CIL Design Wiki at: http://github.com/SELinuxProject/cil/wiki/ for more information about the goals and features on the CIL language. DEPENDENCIES gcc >= 4.5.1 libsepol >= 2.5 BUILD STEPS Run "make" with one of the following targets: make Build the CIL compiler (secilc). make test Pass a sample policy to test with the compiler. 
make install Install the secilc compiler and man page to disk. make clean Remove temporary build files. make man Build the secilc man page. make bare Remove temporary build files and compile binaries. USAGE Execute 'secilc' with any number of CIL files as arguments. A binary policy and file_contexts file will be created. Use the '--help' option for more details. DOCUMENTATION There is a github markdown CIL Reference Guide in the docs directory. To view the table of contents, see README.md in the docs directory. To convert the github markdown content to HTML and PDF, change to the docs directory and run: make The documents will be located in the docs/html and docs/pdf directories. To build the html and pdf, the pandoc package is required. KNOWN ISSUES - Blocks inside of macros causes undefined behavior - Policy must be well formed. For example, invalid usage of sensitivities/categories/levels may create an unloaded binary - Recursive limits are not handled secilc-3.8.1/VERSION000066400000000000000000000000061476211737200140430ustar00rootroot000000000000003.8.1 secilc-3.8.1/docs/000077500000000000000000000000001476211737200137275ustar00rootroot00000000000000secilc-3.8.1/docs/Makefile000066400000000000000000000041701476211737200153710ustar00rootroot00000000000000CWD = $(shell pwd) HTMLDIR = $(CWD)/html PDFDIR = $(CWD)/pdf TMPDIR = $(CWD)/tmp TESTDIR = $(CWD)/../test # All the markdown files that make up the guide: FILE_LIST ?= cil_introduction.md \ cil_reference_guide.md \ cil_access_vector_rules.md \ cil_call_macro_statements.md \ cil_class_and_permission_statements.md \ cil_conditional_statements.md \ cil_constraint_statements.md \ cil_container_statements.md \ cil_context_statement.md \ cil_default_object_statements.md \ cil_file_labeling_statements.md \ cil_mls_labeling_statements.md \ cil_network_labeling_statements.md \ cil_policy_config_statements.md \ cil_role_statements.md \ cil_sid_statements.md \ cil_type_statements.md \ cil_user_statements.md \ 
cil_infiniband_statements.md \ cil_xen_statements.md PANDOC_FILE_LIST = $(addprefix $(TMPDIR)/,$(FILE_LIST)) PANDOC_HIGHLIGHT_STYLE="theme.theme" PDF_OUT=CIL_Reference_Guide.pdf HTML_OUT=CIL_Reference_Guide.html PANDOC = pandoc SED ?= sed OS := $(shell uname) ifeq ($(OS), Darwin) SED := gsed endif all: html pdf $(TMPDIR): mkdir -p $(TMPDIR) $(TMPDIR)/%.md: %.md | $(TMPDIR) cp -f $< $(TMPDIR)/ @# Substitute markdown links for conversion into PDF links $(SED) -i -re 's:(\[`[^`]*`\])\([^#]*([^\)]):\1\(\2:g' $@ $(TMPDIR)/policy.cil: $(TESTDIR)/policy.cil cp -f $< $@ @# add a title for the TOC to policy.cil. This is needed to play nicely with the PDF conversion. $(SED) -i '1i Example Policy\n=========\n```secil' $@ echo '```' >> $@ html: $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil secil.xml mkdir -p $(HTMLDIR) $(PANDOC) \ --highlight-style=$(PANDOC_HIGHLIGHT_STYLE) \ --syntax-definition=secil.xml \ --standalone \ --metadata title="CIL Reference Guide" \ --metadata document-css=false \ -t html \ $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil \ -o $(HTMLDIR)/$(HTML_OUT) pdf: $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil secil.xml mkdir -p $(PDFDIR) $(PANDOC) \ --highlight-style=$(PANDOC_HIGHLIGHT_STYLE) \ --syntax-definition=secil.xml \ --standalone \ --toc \ $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil \ -o $(PDFDIR)/$(PDF_OUT) clean: rm -rf $(HTMLDIR) rm -rf $(PDFDIR) rm -rf $(TMPDIR) secilc-3.8.1/docs/README.md000066400000000000000000000201101476211737200152000ustar00rootroot00000000000000CIL (Common Intermediate Language) =============== ## Table of Contents * [Introduction](cil_introduction.md#Introduction) * [Design Philosophy](cil_introduction.md#design-philosophy) * [Goals and Primary Features](cil_introduction.md#goals-and-primary-features) * [Design Overview](cil_introduction.md#design-overview) * [CIL Information](cil_reference_guide.md#cil-information) * [Declarations](cil_reference_guide.md#declarations) * [Definitions](cil_reference_guide.md#definitions) * [Symbol Character 
Set](cil_reference_guide.md#symbol-character-set) * [String Character Set](cil_reference_guide.md#string-character-set) * [Comments](cil_reference_guide.md#comments) * [Namespaces](cil_reference_guide.md#namespaces) * [Global Namespace](cil_reference_guide.md#global-namespace) * [Expressions](cil_reference_guide.md#expressions) * [Name String](cil_reference_guide.md#name-string) * [Example CIL Policy](../test/policy.cil) * [Access Vector Rules](cil_access_vector_rules.md#access-vector-rules) * [allow](cil_access_vector_rules.md#allow) * [auditallow](cil_access_vector_rules.md#auditallow) * [dontaudit](cil_access_vector_rules.md#dontaudit) * [neverallow](cil_access_vector_rules.md#neverallow) * [allowx](cil_access_vector_rules.md#allowx) * [auditallowx](cil_access_vector_rules.md#auditallowx) * [dontauditx](cil_access_vector_rules.md#dontauditx) * [neverallowx](cil_access_vector_rules.md#neverallowx) * [Call / Macro Statements](cil_call_macro_statements.md#call--macro-statements) * [call](cil_call_macro_statements.md#call) * [macro](cil_call_macro_statements.md#macro) * [Class and Permission Statements](cil_class_and_permission_statements.md#class-and-permission-statements) * [common](cil_class_and_permission_statements.md#common) * [classcommon](cil_class_and_permission_statements.md#classcommon) * [class](cil_class_and_permission_statements.md#class) * [classorder](cil_class_and_permission_statements.md#classorder) * [classpermission](cil_class_and_permission_statements.md#classpermission) * [classpermissionset](cil_class_and_permission_statements.md#classpermissionset) * [classmap](cil_class_and_permission_statements.md#classmap) * [classmapping](cil_class_and_permission_statements.md#classmapping) * [permissionx](cil_class_and_permission_statements.md#permissionx) * [Conditional Statements](cil_conditional_statements.md#conditional-statements) * [boolean](cil_conditional_statements.md#boolean) * [booleanif](cil_conditional_statements.md#booleanif) * 
[tunable](cil_conditional_statements.md#tunable) * [tunableif](cil_conditional_statements.md#tunableif) * [Constraint Statements](cil_constraint_statements.md#constraint-statements) * [constrain](cil_constraint_statements.md#constrain) * [validatetrans](cil_constraint_statements.md#validatetrans) * [mlsconstrain](cil_constraint_statements.md#mlsconstrain) * [mlsvalidatetrans](cil_constraint_statements.md#mlsvalidatetrans) * [Container Statements](cil_container_statements.md#container-statements) * [block](cil_container_statements.md#block) * [blockabstract](cil_container_statements.md#blockabstract) * [blockinherit](cil_container_statements.md#blockinherit) * [optional](cil_container_statements.md#optional) * [in](cil_container_statements.md#in) * [Context Statement](cil_context_statement.md#context-statement) * [context](cil_context_statement.md#context) * [Default Object Statements](cil_default_object_statements.md#default-object-statements) * [defaultuser](cil_default_object_statements.md#defaultuser) * [defaultrole](cil_default_object_statements.md#defaultrole) * [defaulttype](cil_default_object_statements.md#defaulttype) * [defaultrange](cil_default_object_statements.md#defaultrange) * [File Labeling Statements](cil_file_labeling_statements.md#file-labeling-statements) * [filecon](cil_file_labeling_statements.md#filecon) * [fsuse](cil_file_labeling_statements.md#fsuse) * [genfscon](cil_file_labeling_statements.md#genfscon) * [Multi-Level Security Labeling Statements](cil_mls_labeling_statements.md#multi-level-security-labeling-statements) * [sensitivity](cil_mls_labeling_statements.md#sensitivity) * [sensitivityalias](cil_mls_labeling_statements.md#sensitivityalias) * [sensitivityaliasactual](cil_mls_labeling_statements.md#sensitivityaliasactual) * [sensitivityorder](cil_mls_labeling_statements.md#sensitivityorder) * [category](cil_mls_labeling_statements.md#category) * [categoryalias](cil_mls_labeling_statements.md#categoryalias) * 
[categoryaliasactual](cil_mls_labeling_statements.md#categoryaliasactual) * [categoryorder](cil_mls_labeling_statements.md#categoryorder) * [categoryset](cil_mls_labeling_statements.md#categoryset) * [sensitivitycategory](cil_mls_labeling_statements.md#sensitivitycategory) * [level](cil_mls_labeling_statements.md#level) * [levelrange](cil_mls_labeling_statements.md#levelrange) * [rangetransition](cil_mls_labeling_statements.md#rangetransition) * [mlsconstrain](cil_mls_labeling_statements.md#mlsconstrain) * [mlsvalidatetrans](cil_mls_labeling_statements.md#mlsvalidatetrans) * [Network Labeling Statements](cil_network_labeling_statements.md#network-labeling-statements) * [ipaddr](cil_network_labeling_statements.md#ipaddr) * [netifcon](cil_network_labeling_statements.md#netifcon) * [nodecon](cil_network_labeling_statements.md#nodecon) * [portcon](cil_network_labeling_statements.md#portcon) * [Policy Configuration Statements](cil_policy_config_statements.md#policy-configuration-statements) * [mls](cil_policy_config_statements.md#mls) * [handleunknown](cil_policy_config_statements.md#handleunknown) * [policycap](cil_policy_config_statements.md#policycap) * [Role Statements](cil_role_statements.md#role-statements) * [role](cil_role_statements.md#role) * [roletype](cil_role_statements.md#roletype) * [roleattribute](cil_role_statements.md#roleattribute) * [roleattributeset](cil_role_statements.md#roleattributeset) * [roleallow](cil_role_statements.md#roleallow) * [roletransition](cil_role_statements.md#roletransition) * [rolebounds](cil_role_statements.md#rolebounds) * [SID Statements](cil_sid_statements.md#sid-statements) * [sid](cil_sid_statements.md#sid) * [sidorder](cil_sid_statements.md#sidorder) * [sidcontext](cil_sid_statements.md#sidcontext) * [Type Statements](cil_type_statements.md#type-statements) * [type](cil_type_statements.md#type) * [typealias](cil_type_statements.md#typealias) * [typealiasactual](cil_type_statements.md#typealiasactual) * 
[typeattribute](cil_type_statements.md#typeattribute) * [typeattributeset](cil_type_statements.md#typeattributeset) * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) * [typebounds](cil_type_statements.md#typebounds) * [typechange](cil_type_statements.md#typechange) * [typemember](cil_type_statements.md#typemember) * [typetransition](cil_type_statements.md#typetransition) * [typepermissive](cil_type_statements.md#typepermissive) * [User Statements](cil_user_statements.md#user-statements) * [user](cil_user_statements.md#user) * [userrole](cil_user_statements.md#userrole) * [userattribute](cil_user_statements.md#userattribute) * [userattributeset](cil_user_statements.md#userattributeset) * [userlevel](cil_user_statements.md#userlevel) * [userrange](cil_user_statements.md#userrange) * [userbounds](cil_user_statements.md#userbounds) * [userprefix](cil_user_statements.md#userprefix) * [selinuxuser](cil_user_statements.md#selinuxuser) * [selinuxuserdefault](cil_user_statements.md#selinuxuserdefault) * [Infiniband Statements](cil_infiniband_statements.md#infiniband-statements) * [ibpkeycon](cil_infiniband_statements.md#ibpkeycon) * [ibendportcon](cil_infiniband_statements.md#ibendportcon) * [Xen Statements](cil_xen_statements.md#xen-statements) * [iomemcon](cil_xen_statements.md#iomemcon) * [ioportcon](cil_xen_statements.md#ioportcon) * [pcidevicecon](cil_xen_statements.md#pcidevicecon) * [pirqcon](cil_xen_statements.md#pirqcon) * [devicetreecon](cil_xen_statements.md#devicetreecon) * [Example Policy](../test/policy.cil#example-policy) secilc-3.8.1/docs/cil_access_vector_rules.md000066400000000000000000000273651476211737200211520ustar00rootroot00000000000000Access Vector Rules =================== Rules involving a source type, a target type, and class permissions or extended permissions. **Rule definition:** ```secil (av_flavor source_id target_id|self|notself|other classpermission_id|permissionx_id) ``` **Where:**

av_flavor

The flavor of access vector rule. Possible flavors are allow, auditallow, dontaudit, neverallow, deny, allowx, auditallowx, dontauditx, and neverallowx.

source_id

A single previously defined source type, typealias or typeattribute identifier.

target_id

A single previously defined target type, typealias or typeattribute identifier.

Alternatively, it can be one of the special keywords self, notself or other.

The self keyword may be used to signify that source and target are the same. If the source is an attribute, each type of the source will be paired with itself as the target. The notself keyword may be used to signify that the target is all types except for the types of the source. The other keyword may be used as a short-hand way of writing a rule for each type of the source where it is paired with all of the other types of the source as the target.

classpermission_id

A single named or anonymous classpermissionset or a single set of classmap/classmapping identifiers. Used for allow, auditallow, dontaudit, neverallow rules.

permissionx_id

A single named or anonymous permissionx. Used for allowx, auditallowx, dontauditx, neverallowx rules.

allow ----- Specifies the access allowed between a source and target type. Note that access may be refined by constraint rules based on the source, target and class ([`validatetrans`](cil_constraint_statements.md#validatetrans) or [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)) or source, target class and permissions ([`constrain`](cil_constraint_statements.md#constrain) or [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) statements). **Rule definition:** ```secil (allow source_id target_id|self|notself|other classpermissionset_id ...) ``` **Examples:** These examples show a selection of possible permutations of [`allow`](cil_access_vector_rules.md#allow) rules: ```secil (class binder (impersonate call set_context_mgr transfer receive)) (class property_service (set)) (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) (classpermission cps_zygote) (classpermissionset cps_zygote (zygote (not (specifyids)))) (classmap android_classes (set_1 set_2 set_3)) (classmapping android_classes set_1 (binder (all))) (classmapping android_classes set_1 (property_service (set))) (classmapping android_classes set_1 (zygote (not (specifycapabilities)))) (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer))) (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith))) (classmapping android_classes set_3 cps_zygote) (classmapping android_classes set_3 (binder (impersonate call set_context_mgr))) (block av_rules (type type_1) (type type_2) (type type_3) (type type_4) (type type_5) (typeattribute all_types) (typeattributeset all_types (all)) ; These examples have named and anonymous classpermissionset's and ; classmap/classmapping statements (allow type_1 self (property_service (set))) ; anonymous (allow type_2 self (zygote (specifyids))) ; anonymous (allow type_3 self cps_zygote) ; named (allow type_4 self (android_classes 
(set_3))) ; classmap/classmapping (allow all_types all_types (android_classes (set_2))) ; classmap/classmapping ;; This rule will cause the build to fail unless --disable-neverallow ; (neverallow type_5 all_types (property_service (set))) (allow type_5 type_5 (property_service (set))) (allow type_1 all_types (property_service (set))) ) ``` auditallow ---------- Audit the access rights defined if there is a valid allow rule. Note: It does NOT allow access, it only audits the event. **Rule definition:** ```secil (auditallow source_id target_id|self|notself|other classpermissionset_id) ``` **Example:** This example will log an audit event whenever the corresponding [`allow`](cil_access_vector_rules.md#allow) rule grants access to the specified permissions: ```secil (allow release_app.process secmark_demo.browser_packet (packet (send recv append bind))) (auditallow release_app.process secmark_demo.browser_packet (packet (send recv))) ``` dontaudit --------- Do not audit the access rights defined when access denied. This stops excessive log entries for known events. Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags. **Rule definition:** ```secil (dontaudit source_id target_id|self|notself|other classpermissionset_id ...) ``` **Example:** This example will not audit the denied access: ```secil (dontaudit zygote.process self (capability (fsetid))) ``` neverallow ---------- Never allow access rights defined. This is a compiler enforced action that will stop compilation until the offending rules are modified. Note that these rules can be over-ridden by the CIL compiler command line parameter `-N` or `--disable-neverallow` flags. **Rule definition:** ```secil (neverallow source_id target_id|self|notself|other classpermissionset_id ...) 
``` **Example:** This example will not compile as `type_3` is not allowed to be a source type for the [`allow`](cil_access_vector_rules.md#allow) rule: ```secil (class property_service (set)) (block av_rules (type type_1) (type type_2) (type type_3) (typeattribute all_types) (typeattributeset all_types ((all))) (neverallow type_3 all_types (property_service (set))) ; This rule will fail compilation: (allow type_3 self (property_service (set))) ) ``` deny ---------- Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking. **Rule definition:** ```secil (deny source_id target_id|self classpermissionset_id ...) ``` **Example:** ```secil (class class1 (perm1 perm2)) (type type1) (type type2) (allow type1 type2 (class1 (perm1))) ; Allow-1 (deny type1 type2 (class1 (perm1))) ; Deny-1 ; Allow-1 will be complete removed by Deny-1. (type type3) (type type4) (allow type3 type4 (class1 (perm1 perm2))) ; Allow-2 (deny type3 type4 (class1 (perm1))) ; Deny-2 ; Allow-2 will be removed and replaced with the following when Deny-2 is evaluated ; (allow type3 type4 (class1 (perm2))) (type type5) (type type6) (typeattribute attr1) (typeattributeset attr1 (type5 type6)) (allow attr1 attr1 (class1 (perm1))) ; Allow-3 (deny type5 type6 (class1 (perm1))) ; Deny-3 ; Allow-3 will be removed and replaced with the following when Deny-3 is evaluated ; (allow type6 attr1 (class1 (perm1))) ; (allow type5 type5 (class1 (perm1))) ``` allowx ------ Specifies the access allowed between a source and target type using extended permissions. 
Unlike the [`allow`](cil_access_vector_rules.md#allow) statement, the statements [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans), [`constrain`](cil_constraint_statements.md#constrain), and [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) do not limit accesses granted by [`allowx`](cil_access_vector_rules.md#allowx). Note that for this to work there must *also* be valid equivalent [`allow`](cil_access_vector_rules.md#allow) rules present. **Rule definition:** ```secil (allowx source_id target_id|self|notself|other permissionx_id) ``` **Examples:** These examples show a selection of possible permutations of [`allowx`](cil_access_vector_rules.md#allowx) rules: ```secil (allow type_1 type_2 (tcp_socket (ioctl))) ;; pre-requisite (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF))) (permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010)))) (allow type_3 type_4 (udp_socket (ioctl))) ;; pre-requisite (allowx type_3 type_4 ioctl_nodebug) ``` auditallowx ----------- Audit the access rights defined if there is a valid [`allowx`](cil_access_vector_rules.md#allowx) rule. It does NOT allow access, it only audits the event. Note that for this to work there must *also* be valid equivalent [`auditallow`](cil_access_vector_rules.md#auditallow) rules present. **Rule definition:** ```secil (auditallowx source_id target_id|self|notself|other permissionx_id) ``` **Examples:** This example will log an audit event whenever the corresponding [`allowx`](cil_access_vector_rules.md#allowx) rule grants access to the specified extended permissions: ```secil (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF))) (auditallow type_1 type_2 (tcp_socket (ioctl))) ;; pre-requisite (auditallowx type_1 type_2 (ioctl tcp_socket (range 0x2005 0x2010))) ``` dontauditx ---------- Do not audit the access rights defined when access denied. 
This stops excessive log entries for known events. Note that for this to work there must *also* be at least one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type. Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags. **Rule definition:** ```secil (dontauditx source_id target_id|self|notself|other permissionx_id) ``` **Examples:** This example will not audit the denied access: ```secil (allowx type_1 type_2 (ioctl tcp_socket (0x1))) ;; pre-requisite, just some irrelevant random ioctl (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF))) ``` neverallowx ---------- Never allow access rights defined for extended permissions. This is a compiler enforced action that will stop compilation until the offending rules are modified. Note that these rules can be over-ridden by the CIL compiler command line parameter `-N` or `--disable-neverallow` flags. **Rule definition:** ```secil (neverallowx source_id target_id|self|notself|other permissionx_id) ``` **Examples:** This example will not compile as `type_3` is not allowed to be a source type and ioctl range for the [`allowx`](cil_access_vector_rules.md#allowx) rule: ```secil (class property_service (ioctl)) (block av_rules (type type_1) (type type_2) (type type_3) (typeattribute all_types) (typeattributeset all_types ((all))) (neverallowx type_3 all_types (ioctl property_service (range 0x2000 0x20FF))) ; This rule will fail compilation: (allowx type_3 self (ioctl property_service (0x20A0))) ) ``` secilc-3.8.1/docs/cil_call_macro_statements.md000066400000000000000000000143461476211737200214530ustar00rootroot00000000000000Call / Macro Statements ======================= call ---- Instantiate a [macro](#macro) within the current namespace. 
There may be zero or more parameters passed to the macro (with zero parameters this is similar to the [`blockinherit`](cil_container_statements.md#blockinherit) ([`call`](cil_call_macro_statements.md#call)) / [`blockabstract`](cil_container_statements.md#blockabstract) ([`macro`](cil_call_macro_statements.md#macro)) statements). Each parameter passed contains an argument to be resolved by the [macro](#macro), these can be named or anonymous but must conform to the parameter types defined in the [`macro`](cil_call_macro_statements.md#macro) statement. Macro rules are resolved by searching in the following order: - The macro namespace (If found this means that the name was declared in the macro and is now declared in the namespace of one of the parents of the call.) - The call arguments - The parent namespaces of the macro being called (if any) with the exception of the global namespace. - The parent namespaces of the call (if any) with the exception of the global namespace. - The global namespace **Statement definition:** ```secil (call macro_id [(param ...)]) ``` **Where:**

call

The call keyword.

macro_id

The identifier of the macro to be instantiated.

param

Zero or more parameters that are passed to the macro.

**Example:** See the [`macro`](cil_call_macro_statements.md#macro) statement for an example. macro ----- Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro. [`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. Duplicate [`macro`](cil_call_macro_statements.md#macro) declarations in the same namespace will normally cause an error, but inheriting a macro into a namespace (with [`blockinherit`](cil_container_statements.md#blockinherit)) that already has a macro with the same name will only result in a warning message and not cause an error. This behavior allows inherited macros to be overridden with local ones. **Statement definition:** ```secil (macro macro_id ([(param_type param_id) ...]) cil_statements ... ) ``` **Where:**

macro

The macro keyword.

macro_id

The macro identifier.

param_type

Zero or more parameters that are passed to the macro. The param_type is a keyword used to determine the declaration type (e.g. type, class, categoryset).

The valid param_type entries are: string, name, type, role, user, sensitivity, category, bool, categoryset, level, levelrange, ipaddr, class, classmap, and classpermission.

The param_types categoryset, level, levelrange, classpermission, and ipaddr can be named or anonymous.

The param_types type, role, and user can be used for attributes.

The param_types type, sensitivity and category can be used for aliases.

The param_types name and string can be used interchangeably for an object_name in [`typetransition`](cil_type_statements.md#typetransition) and the path in [`filecon`](cil_file_labeling_statements.md#filecon) statements.

param_id

The parameter identifier used to reference the entry within the macro body (e.g. ARG1).

cil_statement

Zero or more valid CIL statements.

**Examples:** This example will instantiate the `binder_call` macro in the calling namespace (`my_domain`) and replace `ARG1` with `appdomain` and `ARG2` with `binderservicedomain`: ```secil (block my_domain (call binder_call (appdomain binderservicedomain)) ) (macro binder_call ((type ARG1) (type ARG2)) (allow ARG1 ARG2 (binder (call transfer))) (allow ARG2 ARG1 (binder (transfer))) (allow ARG1 ARG2 (fd (use))) ) ``` This example does not pass any parameters to the macro but adds a [`type`](cil_type_statements.md#type) identifier to the current namespace: ```secil (block unconfined (call add_type) .... (macro add_type () (type exec) ) ) ``` This example passes an anonymous and named IP address to the macro: ```secil (ipaddr netmask_1 255.255.255.0) (context netlabel_1 (system.user object_r unconfined.object low_low)) (call build_nodecon ((192.168.1.64) netmask_1)) (macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2)) (nodecon ARG1 ARG2 netlabel_1) ) ``` secilc-3.8.1/docs/cil_class_and_permission_statements.md000066400000000000000000000456661476211737200235670ustar00rootroot00000000000000Class and Permission Statements =============================== common ------ Declares a common identifier in the current namespace with a set of common permissions that can be used by one or more [`class`](cil_class_and_permission_statements.md#class) identifiers. The [`classcommon`](cil_class_and_permission_statements.md#classcommon) statement is used to associate a [`common`](cil_class_and_permission_statements.md#common) identifier to a specific [`class`](cil_class_and_permission_statements.md#class) identifier. **Statement definition:** ```secil (common common_id (permission_id ...)) ``` **Where:**

common

The common keyword.

common_id

The common identifier.

permission_id

One or more permissions.

**Example:** This common statement will associate the [`common`](cil_class_and_permission_statements.md#common) identifier '`file`' with the list of permissions: ```secil (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) ``` classcommon ----------- Associate a [`class`](cil_class_and_permission_statements.md#class) identifier to one or more permissions declared by a [`common`](cil_class_and_permission_statements.md#common) identifier. **Statement definition:** ```secil (classcommon class_id common_id) ``` **Where:**

classcommon

The classcommon keyword.

class_id

A single previously declared class identifier.

common_id

A single previously declared common identifier that defines the common permissions for that class.

**Example:** This associates the `dir` class with the list of permissions declared by the `file common` identifier: ```secil (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) (classcommon dir file) ``` class ----- Declares a class and zero or more permissions in the current namespace. **Statement definition:** ```secil (class class_id (permission_id ...)) ``` **Where:**

class

The class keyword.

class_id

The class identifier.

permission_id

Zero or more permissions declared for the class. Note that if there are zero permissions, an empty list is still required, as shown in the example.

**Examples:** This example defines a set of permissions for the `binder` class identifier: ```secil (class binder (impersonate call set_context_mgr transfer receive)) ``` This example defines a common set of permissions to be used by the `sem` class, the `(class sem ())` does not define any other permissions (i.e. an empty list): ```secil (common ipc (create destroy getattr setattr read write associate unix_read unix_write)) (classcommon sem ipc) (class sem ()) ``` and will produce the following set of permissions for the `sem` class identifier of: ```secil (class sem (create destroy getattr setattr read write associate unix_read unix_write)) ``` This example, with the following combination of the [`common`](cil_class_and_permission_statements.md#common), [`classcommon`](cil_class_and_permission_statements.md#classcommon) and [`class`](cil_class_and_permission_statements.md#class) statements: ```secil (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) (classcommon dir file) (class dir (add_name remove_name reparent search rmdir open audit_access execmod)) ``` will produce a set of permissions for the `dir` class identifier of: ```secil (class dir (add_name remove_name reparent search rmdir open audit_access execmod ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) ``` classorder ---------- Defines the order of [class](#class)'s. This is a mandatory statement. Multiple [`classorder`](cil_class_and_permission_statements.md#classorder) statements declared in the policy will form an ordered list. **Statement definition:** ```secil (classorder (class_id ...)) ``` **Where:**

classorder

The classorder keyword.

class_id

One or more class identifiers.

**Example:** This will produce an ordered list of "`file dir process`" ```secil (class process) (class file) (class dir) (classorder (file dir)) (classorder (dir process)) ``` **Unordered Classorder Statement:** If users do not have knowledge of the existing [`classorder`](#classorder), the `unordered` keyword may be used in a [`classorder`](#classorder) statement. The [classes](#class) in an unordered statement are appended to the existing [`classorder`](#classorder). A class in an ordered statement always supersedes the class redeclaration in an unordered statement. The `unordered` keyword must be the first item in the [`classorder`](#classorder) listing. **Example:** This will produce an unordered list of "`file dir foo a bar baz`" ```secil (class file) (class dir) (class foo) (class bar) (class baz) (class a) (classorder (file dir)) (classorder (dir foo)) (classorder (unordered a)) (classorder (unordered bar foo baz)) ``` classpermission --------------- Declares a class permission set identifier in the current namespace that can be used by one or more [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to associate one or more classes and permissions to form a named set. **Statement definition:** ```secil (classpermission classpermissionset_id) ``` **Where:**

classpermission

The classpermission keyword.

classpermissionset_id

The classpermissionset identifier.

**Example:** See the [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset) statement for examples. classpermissionset ------------------ Defines a class permission set identifier in the current namespace that associates a class and one or more permissions to form a named set. Nested expressions may be used to determine the required permissions as shown in the examples. Anonymous [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s may be used in av rules and constraints. **Statement definition:** ```secil (classpermissionset classpermissionset_id (class_id (permission_id | expr ...))) ``` **Where:**

classpermissionset

The classpermissionset keyword.

classpermissionset_id

The classpermissionset identifier.

class_id

A single previously declared class identifier.

permission_id

Zero or more permissions required by the class.

(Note that there must be at least one permission identifier or expr declared.)

expr

Zero or more expr's, the valid operators and syntax are:

(and (permission_id ...) (permission_id ...))

(or (permission_id ...) (permission_id ...))

(xor (permission_id ...) (permission_id ...))

(not (permission_id ...))

(all)

**Examples:** These class permission set statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules: ```secil (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) (type test_1) (type test_2) (type test_3) (type test_4) (type test_5) ; NOT (classpermission zygote_1) (classpermissionset zygote_1 (zygote (not (specifyinvokewith specifyseinfo) ) )) (allow unconfined.process test_1 zygote_1) ;; allow unconfined.process test_1 : zygote { specifyids specifyrlimits specifycapabilities } ; ; AND - ALL - NOT - Equiv to test_1 (classpermission zygote_2) (classpermissionset zygote_2 (zygote (and (all) (not (specifyinvokewith specifyseinfo)) ) )) (allow unconfined.process test_2 zygote_2) ;; allow unconfined.process test_2 : zygote { specifyids specifyrlimits specifycapabilities } ; ; OR (classpermission zygote_3) (classpermissionset zygote_3 (zygote ((or (specifyinvokewith) (specifyseinfo))))) (allow unconfined.process test_3 zygote_3) ;; allow unconfined.process test_3 : zygote { specifyinvokewith specifyseinfo } ; ; XOR - This will not produce an allow rule as the XOR will remove all the permissions: (classpermission zygote_4) (classpermissionset zygote_4 (zygote (xor (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo) (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)))) ; ALL (classpermission zygote_all_perms) (classpermissionset zygote_all_perms (zygote (all))) (allow unconfined.process test_5 zygote_all_perms) ;; allow unconfined.process test_5 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ; ``` classmap -------- Declares a class map identifier in the current namespace and one or more class mapping identifiers. This will allow: 1. 
Multiple [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to be linked to a pair of [`classmap`](cil_class_and_permission_statements.md#classmap) / [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers. 2. Multiple [`class`](cil_class_and_permission_statements.md#class)s to be associated to statements and rules that support a list of classes: typetransition typechange typemember rangetransition roletransition defaultuser defaultrole defaulttype defaultrange validatetrans mlsvalidatetrans **Statement definition:** ```secil (classmap classmap_id (classmapping_id ...)) ``` **Where:**

classmap

The classmap keyword.

classmap_id

The classmap identifier.

classmapping_id

One or more classmapping identifiers.

**Example:** See the [`classmapping`](cil_class_and_permission_statements.md#classmapping) statement for examples. classmapping ------------ Define sets of [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s (named or anonymous) to form a consolidated [`classmapping`](cil_class_and_permission_statements.md#classmapping) set. Generally there are multiple [`classmapping`](cil_class_and_permission_statements.md#classmapping) statements with the same [`classmap`](cil_class_and_permission_statements.md#classmap) and [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers that form a set of different [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)'s. This is useful when multiple class / permissions are required in rules such as the [`allow`](cil_access_vector_rules.md#allow) rules (as shown in the examples). **Statement definition:** ```secil (classmapping classmap_id classmapping_id classpermissionset_id) ``` **Where:**

classmapping

The classmapping keyword.

classmap_id

A single previously declared classmap identifier.

classmapping_id

The classmapping identifier.

classpermissionset_id

A single named classpermissionset identifier or a single anonymous classpermissionset using expr's as required (see the classpermissionset statement).

**Examples:** These class mapping statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules: ```secil (class binder (impersonate call set_context_mgr transfer receive)) (class property_service (set)) (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) (classpermission cps_zygote) (classpermissionset cps_zygote (zygote (not (specifyids)))) (classmap android_classes (set_1 set_2 set_3)) (classmapping android_classes set_1 (binder (all))) (classmapping android_classes set_1 (property_service (set))) (classmapping android_classes set_1 (zygote (not (specifycapabilities)))) (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer))) (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith))) (classmapping android_classes set_3 cps_zygote) (classmapping android_classes set_3 (binder (impersonate call set_context_mgr))) (block map_example (type type_1) (type type_2) (type type_3) (allow type_1 self (android_classes (set_1))) (allow type_2 self (android_classes (set_2))) (allow type_3 self (android_classes (set_3))) ) ; The above will resolve to the following AV rules: ;; allow map_example.type_1 map_example.type_1 : binder { impersonate call set_context_mgr transfer receive } ; ;; allow map_example.type_1 map_example.type_1 : property_service set ; ;; allow map_example.type_1 map_example.type_1 : zygote { specifyids specifyrlimits specifyinvokewith specifyseinfo } ; ;; allow map_example.type_2 map_example.type_2 : binder { impersonate call set_context_mgr transfer } ; ;; allow map_example.type_2 map_example.type_2 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith } ; ;; allow map_example.type_3 map_example.type_3 : binder { impersonate call set_context_mgr } ; ;; allow map_example.type_3 map_example.type_3 : zygote { specifyrlimits specifycapabilities 
specifyinvokewith specifyseinfo } ; ``` permissionx ----------- Defines a named extended permission, which can be used in the [`allowx`](cil_access_vector_rules.md#allowx), [`auditallowx`](cil_access_vector_rules.md#auditallowx), [`dontauditx`](cil_access_vector_rules.md#dontauditx), and [`neverallowx`](cil_access_vector_rules.md#neverallowx) statements. **Statement definition:** ```secil (permissionx permissionx_id (kind class_id (permission ... | expr ...))) ``` **Where:**

permissionx

The permissionx keyword.

kind

A keyword specifying how to interpret the extended permission values. Must be one of:

kind

description

ioctl

Permissions define a whitelist of ioctl values. Permission values must range from 0x0000 to 0xFFFF, inclusive.

class_id

A single previously declared class or classmap identifier.

permission

One or more numeric values, specified in decimal, or hexadecimal if prefixed with 0x, or octal if prefixed with 0 (so a leading zero changes the value: `010` is read as 8, not 10). Values are interpreted based on the value of kind.

expr

An expression, with valid operators and syntax:

(range (permission ...) (permission ...))

(and (permission ...) (permission ...))

(or (permission ...) (permission ...))

(xor (permission ...) (permission ...))

(not (permission ...))

(all)

**Examples:** ```secil (permissionx ioctl_1 (ioctl tcp_socket (0x2000 0x3000 0x4000))) (permissionx ioctl_2 (ioctl tcp_socket (range 0x6000 0x60FF))) (permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF))))) ``` secilc-3.8.1/docs/cil_conditional_statements.md000066400000000000000000000203411476211737200216520ustar00rootroot00000000000000Conditional Statements ====================== boolean ------- Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file. [`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. **Statement definition:** ```secil (boolean boolean_id true|false) ``` **Where:**

boolean

The boolean keyword.

boolean_id

The boolean identifier.

true | false

The initial state of the boolean. This can be changed at run time using setsebool(8) and its status queried using getsebool(8).

**Example:** See the [`booleanif`](cil_conditional_statements.md#booleanif) statement for an example. booleanif --------- Contains the run time conditional statements that are instantiated in the binary policy according to the computed boolean identifier(s) state. [`call`](cil_call_macro_statements.md#call) statements are allowed within a [`booleanif`](cil_conditional_statements.md#booleanif), however the contents of the resulting macro must be limited to those of the [`booleanif`](cil_conditional_statements.md#booleanif) statement (i.e. [`allow`](cil_access_vector_rules.md#allow), [`auditallow`](cil_access_vector_rules.md#auditallow), [`dontaudit`](cil_access_vector_rules.md#dontaudit), [`typemember`](cil_type_statements.md#typemember), [`typetransition`](cil_type_statements.md#typetransition), [`typechange`](cil_type_statements.md#typechange) and the compile time [`tunableif`](cil_conditional_statements.md#tunableif) statement). **Statement definition:** ```secil (booleanif boolean_id | expr ... (true cil_statements ...) (false cil_statements ...) ) ``` **Where:**

booleanif

The booleanif keyword.

boolean_id

Either a single boolean identifier or one or more expr's.

expr

Zero or more expr's, the valid operators and syntax are:

(and boolean_id boolean_id)

(or boolean_id boolean_id)

(xor boolean_id boolean_id)

(eq boolean_id boolean_id)

(neq boolean_id boolean_id)

(not boolean_id)

true

An optional set of CIL statements that will be instantiated when the boolean is evaluated as true.

false

An optional set of CIL statements that will be instantiated when the boolean is evaluated as false.

**Examples:** The second example also shows the kernel policy language equivalent: ```secil (boolean disableAudio false) (booleanif disableAudio (false (allow process mediaserver.audio_device (chr_file_set (rw_file_perms))) ) ) (boolean disableAudioCapture false) ;;; if(!disableAudio && !disableAudioCapture) { (booleanif (and (not disableAudio) (not disableAudioCapture)) (true (allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms))) ) ) ``` tunable ------- Tunables are similar to booleans, however they are used to manage areas of CIL statements that may or may not be in the final CIL policy that will be compiled (whereas booleans are embedded in the binary policy and can be enabled or disabled during run-time). Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags. Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks. **Statement definition:** ```secil (tunable tunable_id true|false) ``` **Where:**

tunable

The tunable keyword.

tunable_id

The tunable identifier.

true | false

The initial state of the tunable.

**Example:** See the [`tunableif`](cil_conditional_statements.md#tunableif) statement for an example. tunableif --------- Compile time conditional statement that may or may not add CIL statements to be compiled. If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. **Statement definition:** ```secil (tunableif tunable_id | expr ... (true cil_statements ...) (false cil_statements ...) ) ``` **Where:**

tunableif

The tunableif keyword.

tunable_id

Either a single tunable identifier or one or more expr's.

expr

Zero or more expr's, the valid operators and syntax are:

(and tunable_id tunable_id)

(or tunable_id tunable_id)

(xor tunable_id tunable_id)

(eq tunable_id tunable_id)

(neq tunable_id tunable_id)

(not tunable_id)

true

An optional set of CIL statements that will be instantiated when the tunable is evaluated as true.

false

An optional set of CIL statements that will be instantiated when the tunable is evaluated as false.

**Example:** This example will not add the range transition rule to the binary policy: ```secil (tunable range_trans_rule false) (block init (class process (process)) (type process) (tunableif range_trans_rule (true (rangetransition process sshd.exec process low_high) ) ) ; End tunableif ) ; End block ``` secilc-3.8.1/docs/cil_constraint_statements.md000066400000000000000000000270501476211737200215370ustar00rootroot00000000000000Constraint Statements ===================== constrain --------- Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components. **Statement definition:** ```secil (constrain classpermissionset_id ... expression | expr ...) ``` **Where:**

constrain

The constrain keyword.

classpermissionset_id

A single named or anonymous classpermissionset or a single set of classmap/classmapping identifiers.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(role_op r1 r2)

(op t1 t2)

(op u1 user_id | (user_id ...))

(op u2 user_id | (user_id ...))

(op r1 role_id | (role_id ...))

(op r2 role_id | (role_id ...))

(op t1 type_id | (type_id ...))

(op t2 type_id | (type_id ...))

where:

u1, r1, t1 = Source context: user, role or type

u2, r2, t2 = Target context: user, role or type

and:

op : eq neq

role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's, the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

**Examples:** Two constrain statements are shown with their equivalent kernel policy language statements: ```secil ;; constrain { file } { write } ;; (( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 )); (constrain (file (write)) (or (and (eq t1 unconfined.process) (eq t2 unconfined.object) ) (eq r1 r2) ) ) ;; constrain { file } { read } ;; (not( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 )); (constrain (file (read)) (not (or (and (eq t1 unconfined.process) (eq t2 unconfined.object) ) (eq r1 r2) ) ) ) ``` validatetrans ------------- The [`validatetrans`](cil_constraint_statements.md#validatetrans) statement is only used for `file` related object classes where it is used to control the ability to change the object's security context based on old, new and the current process security context. **Statement definition:** ```secil (validatetrans class_id expression | expr ...) ``` **Where:**

validatetrans

The validatetrans keyword.

class_id

A single previously declared class or classmap identifier.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(role_op r1 r2)

(op t1 t2)

(op u1 user_id)

(op u2 user_id)

(op u3 user_id)

(op r1 role_id)

(op r2 role_id)

(op r3 role_id)

(op t1 type_id)

(op t2 type_id)

(op t3 type_id)

where:

u1, r1, t1 = Old context: user, role or type

u2, r2, t2 = New context: user, role or type

u3, r3, t3 = Process context: user, role or type

and:

op : eq neq

role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's, the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

**Example:** A validate transition statement with the equivalent kernel policy language statement: ```secil ; validatetrans { file } ( t1 == unconfined.process ); (validatetrans file (eq t1 unconfined.process)) ``` mlsconstrain ------------ Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components. **Statement definition:** ```secil (mlsconstrain classpermissionset_id ... expression | expr ...) ``` **Where:**

mlsconstrain

The mlsconstrain keyword.

classpermissionset_id

A single named or anonymous classpermissionset or a single set of classmap/classmapping identifiers.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(mls_role_op r1 r2)

(op t1 t2)

(mls_role_op l1 l2)

(mls_role_op l1 h2)

(mls_role_op h1 l2)

(mls_role_op h1 h2)

(mls_role_op l1 h1)

(mls_role_op l2 h2)

(op u1 user_id)

(op u2 user_id)

(op r1 role_id)

(op r2 role_id)

(op t1 type_id)

(op t2 type_id)

where:

u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level

u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level

and:

op : eq neq

mls_role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's, the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

**Example:** An MLS constrain statement with the equivalent kernel policy language statement: ```secil ;; mlsconstrain { file } { open } ;; (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 )); (mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2) ) (neq r1 r2) ) ) ``` mlsvalidatetrans ---------------- The [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statement is only used for `file` related object classes where it is used to control the ability to change the object's security context based on old, new and the current process security context. **Statement definition:** ```secil (mlsvalidatetrans class_id expression | expr ...) ``` **Where:**

mlsvalidatetrans

The mlsvalidatetrans keyword.

class_id

A single previously declared class or classmap identifier.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(mls_role_op r1 r2)

(op t1 t2)

(mls_role_op l1 l2)

(mls_role_op l1 h2)

(mls_role_op h1 l2)

(mls_role_op h1 h2)

(mls_role_op l1 h1)

(mls_role_op l2 h2)

(op u1 user_id)

(op u2 user_id)

(op u3 user_id)

(op r1 role_id)

(op r2 role_id)

(op r3 role_id)

(op t1 type_id)

(op t2 type_id)

(op t3 type_id)

where:

u1, r1, t1, l1, h1 = Source (old) context: user, role, type, low level or high level

u2, r2, t2, l2, h2 = Target (new) context: user, role, type, low level or high level

u3, r3, t3 = Process context: user, role or type

and:

op : eq neq

mls_role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's, the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

**Example:** An MLS validate transition statement with the equivalent kernel policy language statement: ```secil ;; mlsvalidatetrans { file } ( l1 domby h2 ); (mlsvalidatetrans file (domby l1 h2)) ``` secilc-3.8.1/docs/cil_container_statements.md000066400000000000000000000262071476211737200213400ustar00rootroot00000000000000Container Statements ==================== block ----- Start a new namespace. Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks. Duplicate declarations of a [`block`](cil_container_statements.md#block) in the same namespace will normally cause an error, but inheriting a block into a namespace (with [`blockinherit`](cil_container_statements.md#blockinherit)) that already has a block with the same name will only result in a warning message and not cause an error. The policy from both blocks will end up in the binary policy. This behavior was used in the past to allow a block to be declared so that an [`in-statement`](cil_container_statements.md#in) could be used on it, but now an [`in-statement`](cil_container_statements.md#in) can be specified to occur after inheritance, so this behavior is not necessary (but is still allowed). **Statement definition:** ```secil (block block_id cil_statement ... ) ``` **Where:**

block

The block keyword.

block_id

The namespace identifier.

cil_statement

Zero or more valid CIL statements.

**Example:** See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example. blockabstract ------------- Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement. Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. **Statement definition:** ```secil (block block_id (blockabstract template_id) cil_statement ... ) ``` **Where:**

block

The block keyword.

block_id

The namespace identifier.

blockabstract

The blockabstract keyword.

template_id

The abstract namespace identifier. This must match the block_id entry.

cil_statement

Zero or more valid CIL statements forming the abstract block.

**Example:** See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example. blockinherit ------------ Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. Inherited rules are resolved by searching namespaces in the following order: - The parent namespaces (if any) where the [`blockinherit`](cil_container_statements.md#blockinherit) rule is located with the exception of the global namespace. - The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace. - The global namespace. Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. **Statement definition:** ```secil (block block_id (blockinherit template_id) cil_statement ... ) ``` **Where:**

block

The block keyword.

block_id

The namespace identifier.

blockinherit

The blockinherit keyword.

template_id

The inherited namespace identifier.

cil_statement

Zero or more valid CIL statements.

**Example:** This example contains a template `client_server` that is instantiated in two blocks (`netserver_app` and `netclient_app`): ```secil ; This is the template block: (block client_server (blockabstract client_server) ; Log file labeling (type log_file) (typeattributeset file_type (log_file)) (typeattributeset data_file_type (log_file)) (allow process log_file (dir (write search create setattr add_name))) (allow process log_file (file (create open append getattr setattr))) (roletype object_r log_file) (context log_file_context (u object_r log_file low_low)) ; Process labeling (type process) (typeattributeset domain (process)) (call app_domain (process)) (call net_domain (process)) ) ; This is a policy block that will inherit the abstract block above: (block netclient_app ; Add common policy rules to namespace: (blockinherit client_server) ; Label the log files (filecon "/data/data/com.se4android.netclient/.*" file log_file_context) ) ; This is another policy block that will inherit the abstract block above: (block netserver_app ; Add common policy rules to namespace: (blockinherit client_server) ; Label the log files (filecon "/data/data/com.se4android.netserver/.*" file log_file_context) ) ; This is an example of how blockinherits resolve inherits before copying (block a (type one)) (block b ; Notice that block a is declared here as well (block a (type two))) ; This will first copy the contents of block b, which results in type b.a.two being copied. ; Next, the contents of block a will be copied which will result in type a.one. (block ab (blockinherit b) (blockinherit a)) ``` optional -------- Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy; if any statement in the block cannot be resolved, the block as a whole is not instantiated, so rules inside it are absent from the resulting policy. Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks. **Statement definition:** ```secil (optional optional_id cil_statement ... ) ``` **Where:**

optional

The optional keyword.

optional_id

The optional namespace identifier.

cil_statement

Zero or more valid CIL statements.

**Example:** This example will instantiate the optional block `ext_gateway.move_file` into policy providing all optional CIL statements can be resolved: ```secil (block ext_gateway ...... (optional move_file (typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file) (allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name))) (allow process msg_filter.move_file.in_file (file (write create getattr))) (allow msg_filter.move_file.in_file unconfined.object (filesystem (associate))) (typetransition msg_filter.int_gateway.process msg_filter.move_file.out_queue file msg_filter.move_file.out_file) (allow msg_filter.int_gateway.process msg_filter.move_file.out_queue (dir (read write search))) (allow msg_filter.int_gateway.process msg_filter.move_file.out_file (file (read getattr unlink))) ) ; End optional block ..... ) ; End block ``` in -- Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This insertion can be specified to occur either before or after block inheritance has been resolved. Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks. [`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks. **Statement definition:** ```secil (in [before|after] container_id cil_statement ... ) ``` **Where:**

in

The in keyword.

before|after

An optional value that specifies whether to process the [`in`](cil_container_statements.md#in) before or after block inheritance. If no value is specified, then the [`in`](cil_container_statements.md#in) will be processed before block inheritance.

container_id

A valid block, optional or macro namespace identifier.

cil_statement

Zero or more valid CIL statements.

**Example:** This will add rules to the container named `system_server`: ```secil (in system_server (dontaudit process secmark_demo.dns_packet (packet (send recv))) (allow process secmark_demo.dns_packet (packet (send recv))) ) ``` secilc-3.8.1/docs/cil_context_statement.md000066400000000000000000000060641476211737200206560ustar00rootroot00000000000000Context Statement ================= Contexts are formed using previously declared parameters and may be named or anonymous where: - Named - The context is declared with a context identifier that is used as a reference. - Anonymous - They are defined within the CIL labeling statement using user, role etc. identifiers. Each type is shown in the examples. context ------- Declare an SELinux security context identifier for labeling. The range (or current and clearance levels) MUST be defined whether the policy is MLS/MCS enabled or not. **Statement definition:** ```secil (context context_id (user_id role_id type_id levelrange_id)) ``` **Where:**

context

The context keyword.

context_id

The context identifier.

user_id

A single previously declared user identifier.

role_id

A single previously declared role identifier.

type_id

A single previously declared type or typealias identifier.

levelrange_id

A single previously declared levelrange identifier. This entry may also be defined by anonymous or named level, sensitivity, sensitivityalias, category, categoryalias or categoryset as discussed in the Multi-Level Security Labeling Statements section and shown in the examples.

**Examples:** This example uses a named context definition: ```secil (context runas_exec_context (u object_r exec low_low)) (filecon "/system/bin/run-as" file runas_exec_context) ``` to resolve/build a `file_contexts` entry of (assuming MLS enabled policy): ``` /system/bin/run-as -- u:object_r:runas.exec:s0-s0 ``` This example uses an anonymous context where the previously declared `user role type levelrange` identifiers are used to specify two [`portcon`](cil_network_labeling_statements.md#portcon) statements: ```secil (portcon udp 1024 (test.user object_r test.process ((s0) (s1)))) (portcon tcp 1024 (test.user object_r test.process (system_low system_high))) ``` This example uses an anonymous context for the first and named context for the second in a [`netifcon`](cil_network_labeling_statements.md#netifcon) statement: ```secil (context netif_context (test.user object_r test.process ((s0 (c0)) (s1 (c0))))) (netifcon eth04 (test.user object_r test.process ((s0 (c0)) (s1 (c0)))) netif_context) ``` secilc-3.8.1/docs/cil_default_object_statements.md000066400000000000000000000154341476211737200223300ustar00rootroot00000000000000Default Object Statements ========================= These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater. defaultuser ----------- Allows the default user to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. **Statement definition:** ```secil (defaultuser class_id default) ``` **Where:**

defaultuser

The defaultuser keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

**Example:** When creating new `binder`, `property_service`, `zygote` or `memprotect` objects the [`user`](cil_user_statements.md#user) component of the new security context will be taken from the `source` context: ```secil (class binder (impersonate call set_context_mgr transfer receive)) (class property_service (set)) (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) (class memprotect (mmap_zero)) (classmap android_classes (android)) (classmapping android_classes android (binder (all))) (classmapping android_classes android (property_service (set))) (classmapping android_classes android (zygote (not (specifycapabilities)))) (defaultuser (android_classes memprotect) source) ; Will produce the following in the binary policy file: ;; default_user binder source; ;; default_user zygote source; ;; default_user property_service source; ;; default_user memprotect source; ``` defaultrole ----------- Allows the default role to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. **Statement definition:** ```secil (defaultrole class_id default) ``` **Where:**

defaultrole

The defaultrole keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

**Example:** When creating new `binder`, `property_service` or `zygote` objects the [`role`](cil_role_statements.md#role) component of the new security context will be taken from the `target` context: ```secil (class binder (impersonate call set_context_mgr transfer receive)) (class property_service (set)) (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) (defaultrole (binder property_service zygote) target) ; Will produce the following in the binary policy file: ;; default_role binder target; ;; default_role zygote target; ;; default_role property_service target; ``` defaulttype ----------- Allows the default type to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 28. **Statement definition:** ```secil (defaulttype class_id default) ``` **Where:**

defaulttype

The defaulttype keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source or target.

**Example:** When creating a new `socket` object, the [`type`](cil_type_statements.md#type) component of the new security context will be taken from the `source` context: ```secil (defaulttype socket source) ``` defaultrange ------------ Allows the default level or range to be taken from the source, target, or both contexts when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. glblub as the default requires policy version 32. **Statement definition:** ```secil (defaultrange class_id default range) ``` **Where:**

defaultrange

The defaultrange keyword.

class_id

A single previously declared class or classmap identifier, or a list of previously declared class or classmap identifiers enclosed within parentheses.

default

A keyword of either source, target, or glblub.

range

A keyword of either low, high, or low-high.

**Example:** When creating a new `file` object, the appropriate `range` component of the new security context will be taken from the `target` context: ```secil (defaultrange file target low_high) ``` MLS userspace object managers may need to compute the common parts of a range such that the object is created with the range common to the subject and containing object: ```secil (defaultrange db_table glblub) ``` secilc-3.8.1/docs/cil_design.dia000066400000000000000000000152001476211737200165040ustar00rootroot00000000000000‹í]moãF’þî_A8À!h{úý%ÚÉ"»›Ã ÉáîÛ€–h[7´¨#åqüå~ûU5)¿HÔŒÆÍ–‡JÉÌØ¦ºØduÕSUOWÿíïܔه¢nÕòí9#ô<+–³j¾X^½=ÿÏßÿý¯öüïßým¾È¿…ÿ¯êü&ƒO,üîíùõz½úöÍ›»»;RÞ7ùºªI¹¸%Mñæÿò²ÌßÀEoο;˲§ÌóuŽ?ë~š¯×õââv]dËü¦x{~‘ÏÞ_ÕÕír~Þ^Õ]7«ÊªÎ>äåÛó¯.ý×ù›n˜7ÏÆùÈØ«üª¸¨‹üýþ¡)|9÷’¡WE½=ìͪjpÉú~µsÉžqðÏ'×tW5pÑò껯~*Öë¢þª½­î‡ãõÝì^A뛼¾Z,weÁó)Û‡Á‰¿4³JPnÄæ¹|¾¸‹ãŠ++®>®¸EónUÕë:_¬wE^TUYäËV꺾-^.§™å%¨ØÇ¦Å^>úåb½®>qÿ—yÙ2öÇ+îsWïU½˜|ñ>»bÏ(w‹ùúúÝ‘W;ú}¤Ñ?,šÅEYôÝýb¹løûa†ß~;Þ‚?~ßE\Ý.æEó 5{~Íž‘®»ËÞ|ê©o_wèƒi´å°½ˆ2¿/ênø<ºê¬{ÁÅyòª‹ÿ)fënz¿­óå<¯çÙ_³Tœ?"À‹ùÛóŸéódz=! 
,ßÎóYUJDÄ„¡¶ç¼k1öq±=| È—We±Áʘ2Fœš0 ß¿L\Q7ïfU½ÜŃMÉËð¶cwZvƒ0úu±¸º^ïÞ+Ý“/k_&¬¹®îÞõàÃO;¾þEúæQ?PØß‹?ÖO4–uËB5V JDDDõ"(1ʨ©MByÚ™jÔÄ' òÖ5û^¨G°Ï®Û¼ÿüñ§=h÷#.bÞ¨–ë>Yøóì2¿Y”÷pKù²9Ïšõ=Ú2°JíGÿ£(?ëÅ,jr?ÿvJÏb¡ÄÒç_2Lèsí;L_"ç¹×üHxEi˜ À¤WË›¢ÿeËÛ›îA(¥×'~ÞŠøàoi{M<ÞŠ8Š%âá¾SgS  Q½' ‘ÄQ0F<ƒiå¬Ñ×e5{ŸåÉ$Å6I}ª˜ŒÒ’7JÖ¨‰&2ªMB`… iB5G‰fék.[ÕÕ¬hš¿$Ëß2íèc2L#4LrÃd¢neó‘›$†z‰zD†©¬®’Q:’Q2)„¹QR„p[I9‚›@àf9b%)P å| iVæM“].`&_Ãzÿ%™¦cDrÛ™LÓM“/ÙØÙ¥Öúì–5HIr)/ËênÉ!pzf©’©:в)é4[õÓbYôT‘M°­bÄAØÅMT[Ű.j&Šç´2ø‡䂿 þ2ɳj¹|W,ç~2Ÿ;Åž«àžàªƸðÚg«í{èã{|VÉy9—×uu·_Ë8ú]Y,¯>V1§D…ŠøDMþ` øÆA±`4;žjó›ì–LgÉוçYd¿}{.w)"[ƒ~æÂìgwØàu©ˆ…ØÃÅ\•¸ 1¾QS>ÜŽJîšÑ!äIÜ3ö…©’èçT}BT¬¾†0_hpqô1:sD[€Äl1úO?ü÷¿fÿ–߬¦g¿|ÿëo?üšpotÜÛ«– ùŽù²`%÷ ˆ(TQcYD3’ŒÄê†p̈)—ÈL3˜ÅvZ«Èðwï4{.•„+*—;É\‚§…ís(lwT¡ç³¬û,c{?G³`Ò).¶ Ò—c®o\7(dª"MÙ„Ibc‚éÀY‚¦9xIJÙ£wVÑ4ã[`€MÿP–‹UÓë­‚)‹‚{¢'<*¢1Ò †¤EI(ÇQÆåý‡Ïí î?‘Ç aÏ…¹£©Z0MP|XËŠš1Æ}Él*1ž©M\U žÛ—¨jj_€ËLÒ}À¾pËâª#T†’£r ’-·ÉÙšêØ è½óì¹5Çë§Òö¥Æ0!ð/ €à"2ß·ï+˜«Ã5î»QQ „­ Ù¹#VøDÏ8„?¯ŠeöK^Ë”ŒìQÆ”ü’€ºzËÄ=Ó8*þ1¢%4ÔåÓÏÈÖ‰ uÃç– n§gf€J2ovàþ©j†®8î(T‰)J¶¨mœ íb#Ý}ÓìÑNÐK«P=s/M÷$¤ûÅ"]‚tõ+!];@¶Yáb3q³Í^óHWO¡£¹ž“žðmt|»«‚ ߎßóp ææøÖù¬j‹os |<·?¾Ý×Oƒ gT'Òq•ÌË ]†ÇIøÆÂõáö†äù¢{¾]%Lžo„Ô.NúÀ‹”õª¸±¶5 bXo‘ÀiD^Ñ)]½Óë÷ÜßR*%\€­Cl9ÀÞiy8†çqŸá‘kÆn“> ái1öå|öé ÁsK9ÛNφ ÁýõÔR°¸L•֓aœÕÞ•X­Dü¤mÿ<ûÕ“ïx¬Ò‰ |j>ÅøÎ_'iËå…¡Íåq½ ÃZµ¼J…•ÔxÈ «DN8FÛ£Š)„gò–Ó¦„öm¢ópA àáZÒ§"ópƒç–€n§gzÿ§ý;§‘ã)Ý2[AËàí[*‘';WÒ;¹~}þŽhJ•œ8A~¬U¯—*‚v„éF㯘'qÄ©i·{ˆ±—béƒ7q„L+yŽN¿ì›Ò$Å|€cÌÄu†iEeE ꙡŽá‰4BrÿFï,{¯äŒ¼/¦­LŽä´ Ù¾ÖüÙ‡ù±ò#n€UnýéO6îÆSÛ1ÕfH˜öŽ„"G‚ Sv$zv¤GSzdŒgeÐr#b"ãfEî|÷ÖÈÒˆHùÚd‘>ª†É3Y+‚)GBùÐ76ÓÅ<2mµƒ£3mÃçö§ ¹?¢já‹<Çèšf7ZÞï::©ÃTL?}çLéÓËêˆpâ‹Á¬ŠÆ"°ÜƵfÎ8uÃ¥˜‚dI­lÛÚ»èÄ—}óìõó€ñÆ´f&íV<µÄŽ Hìö:Ä!À,lâHäŽ"Ú¤Ž&Ú—èH²:þÔDE¢vÔ0…Q#ܶ!† ¼8ÛŠá›mwRuŒmýÓë‡ÂÔßRÚ¶qjHã#`á¤ñJ[¡Y­çD X[¢KÙrÚb > ¬‘ŽZ3v•0‘ækƒ©Q’Ýn´Šh’PˆÏiM%Gb7î‹™D TbFuêÎŒrD;ç1œV,j¡$I«ýæ1*ìÔë€ó{Ç¢7¶Ý7É~ͤ”ùc,-qr°6„%Ì+ÁZ7„Á§Tl¢aõª•’PÇd""$lû MLØvœØVÒÌ7ÊÓ£ãž"½/Ï ‘ ;1¤mF>1dˆ&N£ÊÓ_$ž¨Ð¾Wåx§c^Ð# ÞªœŠ¬rÌ0ÅW¾s`ÀÔpËÛ=±¸6N9jýÖC59å¤öz@¥Žbígï¥Ôu›O ÆJ!Ö‰…X& Ä’4rˆµo¡‹º1BxÖ¿ 1OAIœI¿°µe˜²³²Ý„" ñzÿ<{=‘1ÚùKµ3i¡ŸÖBÿÈZ=`¡¿IÊ2¦ 'BÅÍ–*¿¤­Ï§À “AªEJGKÉ”è…Â>ULé”n4“*<°EEqCZ4H®KðréUώ­êjV¤SŽßÝQÃdFšÞ 
&SIûrV|£î9Ê´r8˜&KJµÄÅÝ 4ÀôRž­Ó53@^×óVåLÄMëR¤p|¸È+óûΤxióÝÃïþYöê¦_wÙz§Û“Ðû•N-“Ád%©ÚšŠ‰{oÄè.øFŠnkç!ÁÝ42AÞ‘B^7€…’]ñ•»¸&JlªËAˆëŠËÒE…¼áÓKl†uSáûH/‰bÙ çÞ%>h"YÌ0EY¾…³g ¡†ûØZp×¾9¥|M­)X8C˜°Õ@É—¶z8<ÌÚ3ÍÞ8 n§UOËEгN¬Ärx•t¯ÃeP|€Äóé},ÜS7ug æŒ)hÜ‚æÞ ÏePRÆ^çûæÙò¤%«d"-ÚB9QHÑ×I¨(1@¸bq·SôÊáFΦ|îœr=žúaâ3)›Ò§Ž)2BFƒ’·ú(Æi#gcœ‘®•;ãTVWÉ6E·MýÚ˜lÓmS0ÛŠKÌCè 6zyp÷ƒ–‰¢„ÑAø( Ó/yÝÙïu‘°StûÔ¯‘É<°AÒtÆåLØ “Ä8§ãö¨ÓÎ/I:ß×P*&Ì IÅÆïŒÛ?ÏþKñ®R«º“;6/öV’Tô­ÒðSﱨ’*êFA°½HÁ]$JMxÜ#ïçtH­N£‰yòõR3sP­OSyúe_hM›kX'ùìýU]Ý.çÛ/ªª,òe+s]ßÇÂv€Ǫ̈^xªbÜîÌ­IÛž‰‚‚"ã¡zc€Á³EùîâvQ‚µlÖ ¡Mó®J& ü%á=6˜Ž…;ã&LÇ=0„€Œ)·àù¸"q»{„ÎèÿÊõ–Ïsý«#LŽß¿î‰ä4#:•Ý…ª+¥C9Ìáñȯõ–S½ÝxÏ{߃i/É…ojk/ƒ8ÞÁå:˜Ç$î³Aƒ÷+”Ã[9\MÑþ·A]äî˜^âû>ª[01 ¬çÛ²¸êÆP€—ƒêÆqc¥·"«[øôþtê¶'²×ÁÜ Gô„Y\ÿ­BE«f ß>nÜåcë˼i²ËE™ª[Ñcú>eL!ýk[Z¹Œð¥mDLn2Ú#c—D…›‚`Ky©h9(Ú7Ëž+9QÌP‚ëDL>±èH‡œÃ¤cŸÃô¬L±±êL8‹¼³Í;/!õ„óØÛÚÂ'—€n§hÁd M$Æ6.ªšuB$]G$ouNŒ變ú&ƒ=O876ÎíÓÅ„sLjs͹I…O»0õd&G”R{Iœ±©ßÕ-,(ûÒmþ‡Ý}Óì ­ÓJà}IúÒ:Q‚º_,Ô 9›I«×Ùƒ§Ã›a{!ÜXs‰?Dªv‹QØVéMcàÐBúˆ¾Ç¥Gúg/#íH´‰®#ã–6y[k¢nÊ^ÓRû"6ç–âïVÏL0Å…i$P9laSÍ:)ÂbžÇ‚ÛóZÆÇ€_”Õì}–NÞŽî{U1yÀÆß&œÚÉ­c2R鸅&nµg·qf}¡É0Ë<ý޹èø¾yözM­[·i˜“)Oøcî^­ÖdÂyUÂÓë0#„,,uu»´­6E>r€é¥Š®‰Â*+h‹>™ˆ¬mÏdD?"D¿â”òy]Å©ŒÏ`èŸgï¥R;攲´A÷ÔüJHs5Ã_'±k‰JØÓpÂÅËϘ>l•·b8±>²•„ú Š v±-Ž–¥ã™ŽàöêdŠpÇ™ã5j€Üë¨(2nòu|'o‘ÓØÂÞ¸9Þà¹%ÐÛéY0Çʇ:RâËpTF.'8#=–”ŒŠ©×+=§ÑèÉ”}óìWO®´¿”ÑÄf81ÐkB’)æ•Ø Æ °ÐÕ1@o+fz qžQ9*ЛÚvðöêc¼#¼Ál+æ6|w­{’rÂ_´ƒ¼‘wІO/ÞN× 4èHÿ6y() âtJÉÀ‚Xª=ä}±>òî™e¿rrÕ^)y¼'xU൯xm8{ ûÒpŠ´µ˜+¼“ÂîrK´ØlZÜÍ˲ºËλ,ïyvÐþÄ­óðî,:OH8:îSÔ„Ç×ϲðX+wÇ£ð2°¯‡A¢ö Òa}g·Ú⩨}gÕ 5šµÁ@™j"hÜ>³!¾Í,cÄZp³‚¨Ïl]4x±Ôiö.µO'“G![ØÐ-Ë`óW·YcÔµMf5¾[­—Õ/=“òà8¿g†½}šg­'¦©¨u*1þ&L·¯sÔ‚ æbqÑ&`5‰Z|F1Ü‹÷Øb X˜¨ý ƒ'öÅu„Æ3¾é³–ÐcÂû‹V pèX}C¨Ž|èê2ˆaj*4v7·„ë¨õ‹à™¥v³z~Œh;á`Çâ*ÃÌHa¾õ¸ô˜ÚDV´à©¥ Àš…ŸƒDýflìðWÏäHlö&ð¨6Éî®1‰¿c³³Uµj2ì­œ=Æ©ðÛda·D²£´áçK‚“DÆ=Çd —›«©&Ñ!€D3Þ4û>›-ÊMŽ-Y¦è–iW“e£ebtž›0CxdÑD;*§Êcž~³–éq”:ðÀ.Ðð¸®ìòvÙ–»îòòý6dkË-Hó€ >A2ärQDZr¶Xú HV.à'ꮋÙûbîK#ï‹û»ªžC`‹#Á§Ïº „Æí¸XŽX®óÅîÏ‹˜çëcÞÛÙú¶l8«jøkU-çþŠøuã¤\–÷Ù¼˜•yûÊ›º-ÝÍñÖÖ×pKͺX‘ì_þ2,«´…i>Ÿã ð£u~ñXÏi§vY檺½y«¬f¹/ñ\•Õü Ÿz³ÊgÅæãäì·®bƒãlÄølʪ‹Ëë À×Xwyzß9kJµZóÇJ <²VüÝ¢,³ õ6ÏJxx5ÉζªWÍuu[ÎñJxÎ뺺÷o+GíÞ<ä™b{¦>s”\Ó(]S0AÜúº@£¶ÞõB4Q˜RÄãeÊQd¾ÿí÷d’¢wÜíQÃd’Fi’ø‡ÓùãÜ 
RÅ=N´gÅYŠÇȃ<ÞÊ5r ý¯À•,Ô1,T¿VJ#%H6ú-¸,n²ÑoæT¾Íý9ÜLïFxüvÆûÐìFŽ‹æËû.mÃÑ»¼ñÔ¿‡p²•7ý*o0f_¯‹›V¹«lUÔ0Î Vj¢Þ²ªÞß®ÃË3?ôÎï!mÌ:ÿüñ§ì¿ï$û¾ino0*Í!´m¯mÚªys;Ã=—·åäa* <†l¹hؘìðÒªÛ /ÙàQÚ`9y¼=•.êææ)«š®¥ö{ìG‘Xý±5nõ°8yNß¾+êâ Mîª.>,ªÛ¦¼¼ü:ÿPdE±<«‹U ¶~ëëÌ¿x§›¼çV6´U’uÒgySdÕ¥Oâ¶»ãêÛ²hM(žk³hšMŠôìb±¾ÉW+t‘#…¼òC,üš¼-š°Él&“{øî:KF÷Unû}™ßõwgí7ðÿUß|wöÿÙ;C!5»secilc-3.8.1/docs/cil_design.jpeg000066400000000000000000004247211476211737200167100ustar00rootroot00000000000000ÿØÿàJFIFÿÛC    $.' ",#(7),01444'9=82<.342ÿÛC  2!!22222222222222222222222222222222222222222222222222ÿÀÖÈ"ÿÄ ÿĵ}!1AQa"q2‘¡#B±ÁRÑð$3br‚ %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…†‡ˆ‰Š’“”•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖרÙÚáâãäåæçèéêñòóôõö÷øùúÿÄ ÿĵw!1AQaq"2B‘¡±Á #3RðbrÑ $4á%ñ&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz‚ƒ„…†‡ˆ‰Š’“”•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖרÙÚâãäåæçèéêòóôõö÷øùúÿÚ ?÷ú(¢€ (¢€ (¢€ (¢€9MkÄqÍ«¦·%•¸»š+{8íâd)­ï )rÌPŸ•—µVƒÄ£ýƒuÖ|ßÜØ?îטÏÚ;l^zñ×­lÂ+W³MgªêvVóÌgšÒÞD;“–<¡uÜy;YrI=ê;ŸZÍhÁ¨_ZI¥&¥ð˜Ë¬¯¿#çF]¿¼nÏNh£¢«ØÛKig^Ï{"ç3Üù$ó±UxéÀ=y«QEQEQEQEQEQEQEQEZßPµº»»µ†]ÓYºÇ:í#c2‡$`ü¬µf¸¨5¥x«ÄÑKk©,——µ¬Ñé³Í£Æ¹ÞˆTÀƒ“Æ+›ðîŽÖ°yš­œï4zt±j–°ès«Þ±Q¸<ÅÙ'mÀ௩ÆÐH Y¢¼¦=Ä1x_S´¼‚æ]a¥´yçeiÄöA—÷*WfòŠ2 ÇþZ šÏërÚd_fi´ÇÖ„Ïhš<Ö0@¢Òe?º’›nz)'î9õ ȃÄúMÖ¦Ú|O$Ë+B]-e0‡\î_7nÍû9©tø,­µ Øílæ•bV%Yb` #åÀ {×' ¸ÓüEooáñ®$Rß»^ØÝY0´Dff’D•`–%€W “÷};êÅ´ñ=•Ö‰ý²ðÜÛéß`[ó<¨0#!˜Œ)$²…Éw&¸}Ú9µ lt»•ÕWÄ—’IövÙöqq.ðeÆÝ¤evg;¹ÇzŽÇ@¿¸ðýŒºdÆY|ml‘Í ~Ñòr>ø%N:ŒŠõU`êNAÕýµœ¶‘\I±îæò!IÞûñÇO•äñÅy¬Ö:|z®Ÿ}£h#icuáù£H±!,ñJUVù‰%‡Í´}k¦ñÆkxt+›Ý/ûBÖÓPßp‚ÐܰŒÃ*ýÀ¬HÞcÈôµoéšœ:­´³À²*Çq5±;¢‘£cÁÕ7[ü¿/a\)nÛ‘šô‡’ò(²ÈŽÆebm+ÃsœÜ`ºzq™«‡ñõ…åãKö[IçχõXG•oÞ:ñxþ&ÁÀêpqXž,Ñ¢Ò¡»ŽÓM•,&‡MóR*&”^ <ñ™ ž¤äñ“@§Uî¯í¬å´ŠâMw7‘ÚN÷ØÏŽ:|¨Ç'Ž+€’ÂGÓµ‰´­*êßJ]CO¹‚Óì 7“4o;¤$U`n*prjêV0êºüÚ­îƒus§G¬C!é¯#ÈÎ#O³N2Ã(ÉQÏrs6¾›[Ã¥7Û%ñçŸ#@K5³Ë8Ãdªe*p~S{æ€;ë ûmSO·¿³“Ͷ¹e‰ö•ܤdÇ­X¯,Ót‹koønÖmàZYÌ‹­Ú&šàÌâPìs:‡ÚIPÀðyÅuþ²xü9-½Í¬‘YËq9¶µ¹NRÙœìFSÐm<)èc¹amªiö÷öry¶×1¬±>Ò»”Œƒƒ‚8õ¨£Ôá“Z¸Ò‚ÉçÁoË1iYEç9³Çq^a£èú}¦› Ã©øfêK [‚öÙ4©ý;# OÞeC ȸÎiñhÚò]YK©ÙÞ]XC¤Y&¥ji' %ÁÙ¸gÌ)¹ ÆXÿu€=fŠòýGG½¸ñmì·¡–K¸$Ó®×FžâH¡U “+…„nX ä“j;€Ö«o¨Ç¦ÜG¨7ˆoYãˆùßgy'ïŒì 
©Ã’Sšôz˽×ì,¬5‹²Ï(Òžî8Óæ]± p3€IF®9ëÖ¹ŸYÿg\ÝÚA§*Ú¤ÿÄÁô¹,f™Áa¶PüÊÀr\qɪ:®oñ"Ñê7ö“=¤ñX3y¨Öˆ¥VP¸Üd òg$óƒšôu`è¬:š‚êþÚÎ[H®$Ø÷sy¤ï}Œøã§ÊŒrxâ¸OFþƺ¾MЖk+«Qq[<±<‚rGEæW w>ff²môQäFu- Üiv^ óRÑäT[w³Á1ÛìÍ`Hç'¹E6=¾Zl]©´mÆÓµ:€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +Ÿÿ„ïÁÿô5èø1‡ÿŠ£þ¿ÿÐסÿàÆþ*€: +ÇÅžÔï#³°ñ•wu&vCìr;`p äà Ø Šó?ÛßO⿵[hëÕ¾§f#¹‹L–I¥ƒ|[ßí!‚*m.¥0xœg!×¹Õ§³ÓÊj7ÅÃÎÍnZYm~ÚÌÊU™v†8å¨Ò¨®SÀö"ÎÞý¢m–ÒÌ­ºiRØGÚlŽF$€N03ŸS\æ£ß'ŠÒ[âÐêI¨Í+Ü&3<ð–}ªn·ù~^¸RÜ·#4ßÙjÐ^Ì-¶Kà¶ŽæKi“9`»ˆÊç(ÞŸJv‘©Ã­hÖZ¥²È°]À“Ʋ+FpHÏ>µÀx7F‡OÕt[KD‘nŸB³†)ÞÁ˜Å:y»Ã8Så¶ÖA–#8ÇlU o ê6Ñ?±,'³Ö.4Ẕ!I ¦$(²1Æ0!w· Åz•¶Ÿ Åk–4“°ÜN^G.çŸVb*Åy2h >•y­¼©Óié5•¾‰qb¿-ÜlÒîÛ˜.í̽†I8èZºiž¾‡KÒ¡•b¶“ʱ‰B$„‚v€¾¤žž´¯Eyz5ܱk6P鬚uÄšK¬všTÖ1gÎ+A³ p#¹î¼;§ /Y×­íìþ˧™â’Þ4dY1(rƒ§QÎ;ç½tTW›iÚlɯX‘¥Ýǯ&«q-ö¢Ð0I-I“hó±µÔ©Œ*J8Í`hº}å߃4…ðÆweªbÊ.®Œ-›tCËS!-´® Øðô hª÷¶6Ú¸·»ÌˆI¡wó#‡SÇ£(?…y­¾ ðÇŠ…„'Ÿ£K±ƒCžÉ^]‚ŽÞd‡8%sž2OÔèÚ:i,™l¬µ”ºlFBˆBI2»Œ±è_’yQ€@[ûgÔ¥ÓÖLÝE Nñí<#–U9éÉFã¯J‹HÔáÖ´k-RÙdX.àIãY €#8$gŸZàü%¤¥ž¿§]jš<ÆêM*Þ.e±ghåæ ºM§Ë; c,FFN+6ÛÂú‡…4OìK ìõ‹xn¥RC)‰ ,Œq† ]Ämè1@·PÏ;C$ –Q,› F#IÜÙ#Ž1ÆNHã¸ó­Fû7[HÍյŀ‚[{ {2¯ÏÎÙ¼É0H%sž2OšmÆÝ284Qmio¬—Yi’Yy¨læC |ÈC»ãé”WœxVh¼1 æÝ%ÞÎ8í㉥=•ÅÄ­'–E“kå.0>c^@Q@Q@gêzî¢y_ÚÚ­‡Ÿ/íw üc8ÜFq‘ÓÔV…y¿Žì,õ?Š_lïí »µ“ûK|3Æ$FÄ FTðp@?…uðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü 
žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅQÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMðø?þ†½ÿ0ÿñTÂwàÿúô?üÃÿÅTsø/Á6¶òÜ\xkÃðÁ’I,!UE$’WÎk‡Ÿ\ørצðòOA˜ä»Ò<=Ð,€ò›Èœ`ädÀ‚s@çü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñUçÿÛž÷—Ÿõ[+Uæk« D#…Þw#$('ð:Wa£hüC§%þ‘¡øröÕ°7Ãc ÚHk ¹VÁS‚3È  øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€øNüÿC^‡ÿƒøª?á;ðý zþ aÿâ¨ÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&€44ÍwGÖüßìVÆÿÉÇ™öK„—fsŒí'ÁëèkB¼ßÀ–zgÅ/ˆVvZZÇý›²#¢æ' 8$ŸÆ½"€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<Ÿá„ü7©ü-ѯ/ü?¥]ÝIçïš{(ävÄò–#'øWqÿ'ƒÿèTÐÿð]ÿ\ÿÁ/ù$:ý¼éD•ß’K1’OjÀÿ„Áÿô*hø.‡ÿ‰£þOÿЩ¡ÿàºþ&´tmgOñ—¥¥Ü‹‹9K)\àx È=E_ þOÿЩ¡ÿàºþ&øA<ÿB¦‡ÿ‚èøš»c­E{~lM­Í½ÊÚEvñΪ ,ŒêàŸ˜Û=ºrkN€9ÿøA<ÿB¦‡ÿ‚èøš?áðý šþ ¡ÿâk ¢€9ÿøA<ÿB¦‡ÿ‚èøš?áðý šþ ¡ÿâk ¢€9ÿøA<ÿB¦‡ÿ‚èøš?áðý šþ ¡ÿâk ª÷WöÖrÚEq&Ç»›È„m'{ìgÇ>Tc“Çÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMtP?ÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMtP?ÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMtP?ÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMtP?ÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMtP?ÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMtP?ÿ'ƒÿèTÐÿð]ÿGü žÿ¡SCÿÁt?üMtP—ëZ¢|^øý“¥XØyßÚ>gÙ-Ò-ø·ÎÐ3Œž¾¦½B¼ÿÅ¿òW¾ÜOÿIÖ½€ ¥¤jpëZ=ž§l²$p¬Ñ¬€ Ã#8$gñ®bÚÎÒ?êë:MÅÍü—húuïØÞdŽ- E†Jç9ç5‰m¦´O /ˆ4kËÍ2 Å- 
³yÌW8ix€';C€Ä|§=3šôú+ÊcÓ/m$Ðînôéu^;kXšÚ÷M’àF“¹.G˨o˜’rP}jÆ£ß'ŠÒ[âÐêI¨Í+Ü&3<ð–}ªn·ù~^¸RÜ·#4éÔWãÓÛÆ~:ž-ý ²¾-vÍqšßÆ –ºlŽOYÓõ‡ðב&ˆßÚÚY{ ßN–îä6é F’£ ¢ˆù$’OCŒd¢¸ ½îäøÚúÒ̦³1 §Üºmaþ‡“mÉܹr0Ob¦€ÓéwqÚ[ÊM6ž“Y[è—+òÝÆÍ!Þí¹‚îÜËØd“@£umg-¤Wl{¹¼ˆFÒw¾Æ|qÓåF9Õ|;io­7@ót[]^)üˆôó2kGG)©Èó<¼…‘“Ó5>¥áá5ω5H´¹MòjvrXJ!mê‹°c‡ Ž»H=1@Ta··ÐôD·±´•­ì­öÃmÜåQxEÜy<`dýMyþ£ß'ŠÒ[âÐêI¨Í+Ü&3<ð–}ªn·ù~^¸RÜ·#5ZëL–$ñ5¾Ÿ¤Ëv÷z~¡¾î]&Xn•رùÇ‹€IÂ…hÕ”åAÁjZóØ,¾ËãÈ®`ÓZòiæ_:[­.E{Uí-Ñù6p?w×,k£»ºƒÄ~žáý½½õ£m1GºpŒ ª¹ÎG ä×·±¶µ¸»¸†=²ÝÈ%·½‚*ÏO•qéV+άtÛ‰¼«Eg¥[YÉgp—vç=€¸–0® …þeåvЂj¶“¡ÃâkK×5M1®-uX/®Ý'r*1¶[t~Ùò0ø·ÈÍzuRÒ58u­ËT¶Y ¸xÖ@`Î çÖ¸¯ èsi³xZïì7]M§M£4ˆÛÙ±A+I»ºrszf‹~<-¦ÛèZ>¡§kQèóG¨K$JL@"yŒfÝ‚¸'`|½(Öu]N"È]Ü,š(qî’Ez‘Æ\gÛ5v¼¾M1dû[xE¼±ÒËé»­ÚÍáß2]«;ˆØò§Þ|`ã©ÆkÐí5(¯/ïí#ŽPÖN‘É#±™>çœ\ôê(íæÚv›2kÖ$iwqëɪÜK}¨´ KRdÚ<ìmu*c €’¤3]ÃýÁzJý€ZÞIeڷǶVp½<ädŒ(§¢¼©lâ·×4oµiwI­~V¹¾hVXÏœcýé]v”‚vã ÅEöMfohZ]†Ÿ¨Ã¨éÚ Í¤²4¤Â8*ÈÀIVÚÀã¡Ízõí¾as}w'—mmM+ਠ’p9<Ò¦V¡”ä‘^g&‰þ—â‹}CžÏL¹Ñ¼”µžÑ ÝâLÀù†PÇ'œf¨jZ•mo¥´vñÆ»Ws–8÷$’O¹5JËAÓ4ñ§‹[o,iöÍikó±òâm™^O?êÓ““ǹ cÃ~2ÔõY-n.¬œÙ]Ú5×î´ëˆ¾Ë€TË Ù.A<®ÞGƒš±ájž ž nmÂÚ]Y›¥O¸‡È9M¨el—!ÉÊãîœksNðæ™¤ÜyÖQÏV/µJÐÆP‘–(Ÿð)tÏiº<í-ŒsÄ •}ªV‰ á#,Q9ÂjQEQEQEQEQEQEæúÅ»ü@ø{á{©vøkCŠ5+L²=ôò«4cr0>Z­Ûæ†à¯¢A6¶ñ[ÛÅ0D#Ž5 ¨ `Æ+ÏôÙ—ÃÿõÛ[ñ"Ÿ[ÛO§H±±F6ñ2É60›Œc$ôJ+Ìük`¾½>>ÐÄv°}¡?·íX‹èÑ7ªî %RIåÉv$õ é•ç&]CÃxBÜHú·ˆn#‚Í6eQˆòHäµFIäóœ`=Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( ?ð—ü•÷ ÿÒv¯@¯?ð—ü•÷ ÿÒv«´-"ÿH†öóK²¸»[ÛòÀ®â3w)¸Œí!˜Óæ>´Ø‹ˆZåí„Ñ™ÑFˆ0ܪIˆê*ÀcéRWœjZtš>¿®Â=Hï›&¡¨%½Ã(GÀh%bŠXÊ \uïíÛ×ÓZÈßßËx5Ylmç°†ÜÍrKŸõƒÊR œ”8œPsEyæ‹­ëzôÚ³jrÚy©© §Ž(L’›{ˆâCÑй^N;ÛßkZjó_Ëu-ض»¸°„, g"Ær¥J4R»ƒžyÁ E¢¹_ ]k²_Í£öÉlžÝ%Š{ϲ‡ß“¸(·b ‚3ÈÁäæ°/SÓµÞXk7ÌÚÍŒ Å Æ¢Ñ ³q±QÏAëÍzMçÚÎ¥âHuËM¸Ôg’ÊÁ.#•RÏ3»´œËæýØØ÷`¹9Æc> ñMî±|mm®ØÜÁµF´ò ²Fîdgq&NöÚS÷¹ E¢¹ÿ_]Áq£ØZÝ›¨]˜$»¬Ñ¸ ÜÅ@¿â°uSV³—X†?´FÓñXa&퉗&O” £Ë „ÚrO=wÔW «jšÜ×Ú£Zê2éñÙèPê ÃþùŒù YIÛˆÀ `ñÁåöºÎ¨±t‹‚*¢í÷˜É@<Æ\‘¿+žÀP¡ÒHrIíXžÔÍ߇äœI{u=»Ë‹v‘¬Þb 7”6:ex5Ä]êúµß†#2ët5êöDŠ(—쬨­ˆð¹Ùó;÷ãô»+û-NØ\Ø]ÁwnIX$)#‚2*Åsw^øo-ä3=ÝͦžeçUê#!«ìךçõwWÑþÎ? 
­‘XN·òÃ`\ˆÜª©L‘‘3Éà€G¢¼ãTñ·a«¾…owuxú(~Û[‰ÐŽuWº¶i3YÙ®ÙPHþ"½ë²ñ¿öŒÞ¹±Ò yooÊÙ¡\¹Ã»0h ¸îÇ\W?ðZD‡àæ‹,®© †gc€ O&I=…z:ÈŠèÁ‘†U”äê(ð¶©¥kš½…æ—ÀŽòÔZÊÓB‡hŽDÞQp~Em¸þ"}iž³´¶ÕçþÑÒn?á!7W úƒÙ»Œ»Û>6íØTÝÆ1Ž+°†â”g‚håUvŠ0`I §ÁØŠ’€8Oé÷¶rÙ›«KˆøvÂóc+‰§Üœ¼22:ŒZzÙ@¾,Õ$Ôô©çÕ%¹VÒïšÉæŽ(¼´ @¥bÇ$¹ÎyÍwN÷WÓtÙ#ŽûP´µy™y• b<€9>”åŸØ÷ áéáÓ´]BÞüxzò ]žÙÔÝÜ´`(ÜGïܾòwpHÏ8­mKÁ–Ku­GŽÆìD’±±V»_ÞY°æûÜŽy¯DK«y'0$ñ4Â5Æ® bB¶= SƒßÒ¥ 8×|?&¯6³yw¦Íqrž€Z¹‰‰ Ü7ÉÿMA)Œ|Ãw¿5õ¯ßZ‹¸t[)b†âÊÎKÀ³ †YÏ›¸¥Ü¦w Á˜qžEzZO ’ÉJ$X"°%222;dT”æ^[–Ó"û3M¦¾´&{TÑæ±‚“)ÄRB3mÏE$ã¹Ì—Z)a§­öˆ÷vŸâ †ÿaiö[2LdaI)¹“AÃK¨Þâž8hÖiA1ÆXp1’|dgë@QPE}i?‘äÝA'Ú#2ò@|ÄË.:™y£Ö§ Š( Š( Š( Š( Š( Š( ?ñoü•ï‡_÷ÿÒu¯@¯?ñoü•ï‡_÷ÿÒu¯@ «Ém¡ƒÉ‹›ˆä–$Ú~eB¡Žz ^¾¿ZÉñœWÞ– ÀŒÉ&Ñ®³µÃaâ^]0Àv5Èiúm»j~¾Ô|/ Vð-åº}ŸIpªÆXš<¬Ðƒ¶Có}ÒO#4èóÎa’K/›&ÂшÆÒw6HãŒqžH㸚¼ëAð÷öw‡| äéo ÒÏ —çÈ"E"Òa™N20Í·æé=©¾ðüúM§„ä´Óä´»“I’;é %O™²2¢SŒä08 Ó(¿’ÆÚ]B ÷70G$Q¾ãò«•,1Ðä¢þ_Z±^U Gi¦k¾uѯíµ4»£©µu{‰•bÜrGï™sÀgœW©E –+(u µÆg±>Š( Šãõ¿Š^ ðæ±>“«k?g¾ƒo™Ùf}»”0åPƒÁƒYÿð»~ÐÃÿ’Wün€=Šóÿø]¿?èaÿÉ+þ7Gü.߇Ÿô0ÿä•Çÿ @¢¼ÿþoÃÏúòJãÿÑÿ ·áçý ?ù%qÿÆè¶Ôtû}VÂ[+±!·”aÖ9ž2G¦ä à÷äd XŽ4†$Š$T*ªŒ@+ÿ…Ûðóþ†ü’¸ÿãtÂíøyÿCþI\ñºô +Ïÿávü<ÿ¡‡ÿ$®?øÝð»~ÐÃÿ’Wün€=Šóÿø]¿?èaÿÉ+þ7Gü.߇Ÿô0ÿä•Çÿ @¢¸{‹þÔõk =w̺º•!…>É8Üì@Q’˜$u®â€+ÝXÛ^½³\G¼ÛL'ˆî#k€@îíÙ‘ósœUÛ¿êš5¶¤ñ_`¦†u(Ù£@#pp1°Ý·$“ò˜ö隷8›VñU®›9ûEÚ$¯b »½K6pÒ\¤nab n229ùêt ›Ïí=gM»¼’ðYM•4¨Šå^5l6ÅU89ÁÀà­oQ^}iâJ6ók>zÿÂAq¦µ•UˆJê9 ¿z œãhäw¬ù<]¬Am$š„Ïáû½NÎ{èmT«F£Æ±ó°‰3‰<¼Šõ+„Õ¯µë-KJÒ!½Ô®d»·šêK‹XíRËå v A¸“÷Ÿ§=MU}WÄó¥ñŸQ:}ÅŽƒëÃPÈãtà’pß).UOÐŽrè´TWêÂÞá”)–%rl€jz(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Šóÿ É^ø‹ÿpÏý'jîç¶‚ê!Ä1Íe}²(a¹He8=ÁƒØ€k„ð—ü•÷ ÿÒv­zò÷þÍJ·ÕŸO‚îÚîI i;´f¡K«@f=:gØ€‚K;Y^g’Úy¢ÊÍ&HÆp­ê¿3pxù­V½Ð´I!Ký*Æé`ÿR'·Gÿ»‘ÇNÕçwþ4ÕO†_T´»½{» u:ÛÃl-¤äò|H#$Î@]Iº¼ói¶S] \<Ï…`Ëóžz púŽ·¬iÖºðÔo.–é¬/ç±Q´–n±‚T¦ÌÜ«·"N '­jG©ê–Þ)„jWwi§ÜΰY‹u·kv&,ì“5_psvð(¥Ô4]+W1KL³½1Çö˜M‡Ûp8¤¸Ðô‹ËÈo.t»î ÀŠymÑž"¾ÒF¡6—s¨yÚeˆ»š¢·û8Ér¾kJCÛÄg#É€:øG41qmqý§yöª©o'ÙSt*½e@íŠeÞ‹áâóÍ3K/¨:¤¾tæåÆJ†ÈùÏ€sÒ¹›ý_YŠë_¾‹Tt¶Óu Ha´òc(èñÀ\3ÝÏšÄAÔ`U)/5 F÷@ÔnõL¤¾ –ÓÌhžƒ å°™l’9à(Ðí,íl-RÖÎÚkxÆ(P"(öU¡Ðô‹vºh4«šðrRÝÎ]ø6rzúÖw‰îoâ¸Ð­l/ZÐÞê>DÒ,híåù9p  ÁÇnã 
ó֚Ʊ¨j‘è’kogå5ñkõ†/2&TTe(0¯–ÂŒã¼Ðy!‚ÚÕ̦8­ãBX¶ç=€±nü-¥\è†ÃM¶²±·–æÞé¾Ín¡$òåI9 €wÆ}óÏJânµý_Ä>Õ&›R]=-ü>·l‰ºiPXîˆÈŒ`)æêx«÷úψøišBÞ!´Ò`¹ˆ[­©»ï—Î`|±°““Èâ€;dÐthôÇÓSI°[;šÔ[ ‰©L`þU‹@ÐÓriºj)0ZäGÈ%§Þ*\JÀ‡UÕàñ5¹Õ纂Îîe†Ö;o³Ém¸Å“‡PûƒòÞKâ('ox~x¯.Sʶ»AÆC•òÎ>d'æ8郒@:¸-áµ ·†8aA…Ž5 «ô¥I^a/‰õ»_Ũ®².æÔ4 ½D †0,åŽ5e)…É@[i¸äzŠëu;½GÃþ Ôµ#s&£}«Ü)•T0Làägœœw ŠŠóøµrÎÒçûB}T[OÖåÒÉ® ï ]±¬lP«ep\qÎI¦Aâ}]4 V9§’+›]b 8]Þ$&Hc—É%äeóH㎠r(¿kˆRâ;vš1<ŠÎ‘–™WˆH—'¶G­I\5þ›¨hv‘ø†ìÌ,¯Ë^40‚îµù@®9+Óó®‡Âº…Æ«á}:öì«\Ë2²®0à;gÅlQEã¾ 'þÓKOùg,ÞTÿõÅïŠÉŸm…«»¹¹¿¿ñuÞ™­&™oei ¬QÄÍp]œÆEolåÁÉ<ô¬ƒÖpjô›;¨Ä–óÇsˆ‰Lò‚?*íîô]/Pû9¿Óíoߘ^æ•ú‚Àxë@%¾£s ”ÖVz”Wm¨ê·,c¶?"]0,æ|(PXp'>Õ4$Ö.-4]röææßJ¹²³–_°, ©4‡æ,€É°–P<¾G9õ®ÖmI¹'Òì¥ÈÒ {tm®Ç,Ã#‚O$õ&£ÿ„wCרÚwŸjª–ò}•7B«÷Be@ìJÃÑu-N?5ž³ww¾äÎö‘ªÀÖ’F®0Q”y¡‚•ÈsŒ“ŠÊñT7±ø“_¾µÕîížßÃÞr"E¡ÃJvñ¶T•Éç<õÆí­4M'O¼šîËL²¶¹›>lÐÛª<™9;˜ ž}jylm'iZkX$i¢òd/%ãçä9꼞:rhϵíb÷JÖ/o,Ô›‰tÍ.ê©û±%ÌÊX!rn!sŒñ]G…çÖ\_C«Gu²9WìÒ^9¨Èq)ÁÎAq“®ú}”žfû;vóbɺ wÆ3„Z(„°ˆ›@;FqódñÖ»dÐô˜ïôz]’Þ2…·A&ò-»Î ÷4¶ú.•gv×vºe”,X´Ñ@ªäž¹ gžôÄÚ³Gý—äÿË/]CmŽñŸ?Ì_ ùøí°zW¢Vu¶‡§Ú}‹É€±+ˆ2äí/÷˜äòÇŸ˜óó7©­(¢Š(¢Š(¢Š(¢Š(¢Š(¢ŠóÿÿÉ^øuÿq?ý'Zô óÿÿÉ^øuÿq?ý'Zô (¢Š(¢ŠË°ðö›¦ß=í¼s5ˡ̞æIŠ!9*›Øì\€p¸JÔ¢Š(¢Šóÿ É^ø‹ÿpÏý'jô óÿ É^ø‹ÿpÏý'jô (¢Š(¢Š(¢Š(¢Š(¢ŠóÿŠó%Ø×cÿ³× WŸüSÿ™+þÆ»ýž½€ (¢€ (¢€ (¢€ óÿÿÉ^øuÿq?ý'Zô óÿÿÉ^øuÿq?ý'Zô (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ *ž«ªØèz]Ƨ©ÜÇmgn›å•ú(þd“€ä’É5ÃÃwãÿ!¸°1ø7LÂ&»µûEôÛX€Z'ÂFŒqËœ¬ z%aøÇ__ x;UÖ™£kn͘¬ÊÒŸ–5!yÁr£·^£­sð‰|Cÿ¢Ÿÿ” ñ®/â2¾·Ó•ÖIV¨¡Ù[r±À䆃،Õä·†)¥š8cIe Èê ÀÀÉïÅpðŽüJ¾ÿI¹ñÝŽ—3ýë; !'†èÜÜtù­Z¢€ˆ±¢¢(TPªŒ=:Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(Ïü%ÿ%{â/ýÃ?ô«§Õ|7e­jöW—ñ[ÜÛÛÛϵž"9‘¢`ÜñÇ•éß¶9æ<%ÿ%{â/ýÃ?ô«WÆšµŒÜÚÜ]æÁ²Ýµ€·i×pÅf~vüÙÆ(jë@ѯJ½&ÂàÇ’žm²>Øúm/·J¸-­Äï8‚!3¢ÆÒ™$)=À,ØçָɼE¨mÿaÃwºæúêÞ{)¼µY²—“Œc#Ê•rFG˜žÕQ5M-´ë®ºGy®Ýé¾H¶ˆˆ¡Gœ+)ÛŸ0€’¸ê¤ä¶ ÃÖK}3K¶–äùæàS)߀>m¬Tç±#ڮͧXÜ%ÊOeo*].âV€07d|ÜqÍyäWŽ£âÖ}mí§Û(¼ÙV9`Û€T lŸ—S€3ÅëwUÖÓCµmTiÆæÊææKÈbŒ›†ŠE@THBÛÏÁ s@lv‹—L·³Óãc–KXâAÀùQŠÓ÷`àÀéNºÑ4›Ûè¯nô»+‹¸qåO-º<‰ŽFÖ##ð®WÁº”úƽý£tOq Ù;”V>mÏÌ¡ê=G©kÚ¬WšµôZ—”šv§oe™å!«ùY,Hß¹¼ÆÛ´òŽ4ÕÅáí.¤‹GÓã{µd¹e¶@fVûÁÎ>`{ƒÖžš“¤u(ô»$¿#émÐKŒcïã=8ëY~›Q¿÷·Ú”³ ¿¼¶†ßËQ;‡Eä.âÀ.3œc¶y¬5Ý^K½&õµ©}­Íc&œalqÆeAÛ¿wîÔ±$õà 
ïZÞ¸Žá¡ŒÏ²$…FåVÁ`PÕÈïéT¥Ð4iþÍçi6}”æß}²$ç?&GËÏ¥rÿð’êéö×î%ñå›FCIr\l@1ýÔNz÷Ï<óú®¯ªÝø1ÌÚɼ]g÷w’ÅQ/Ù™cVÂas³ç(wn9Æ4é—Ú>™©º=þivÑ‚§d*P28ÍCy£èo,z…ö›§4–‰”¹ž&^r”¾ÕËê·úÍæ‹¢ÙÞj—hµšá® K?=Ê”˜= 9' [{šËÕu=RÐ5¨µõÒå±Ð„ó@‰­Ã¸”1cóavÞO€;ûG³¹’úÃM±‚{™.-àEiAç%€ÉÏZ[íIÔåßévWr1‡žÝ$!OUÉ9×û!öÞ€ SåÞÉ¿nq»Œõ®nÊYµx~TÖ5T’mB„ñ[ w¤°nGÚ…¡+ÙFç Å;™ 5Ô6qÅ<¨e2ª…’Lª&ìõl„QžxP;Rbé_o7ÿÙ–_l-¼Üy ænÆ3»Î8®=µ\è7Ú¤Ú£ÈF¹ö8 0Eå¤CPX‡ðä¶ÐFsÜdf’ g[‡ÉÔdÔd¹ŽMrîÀYy1„1#Ì©‚váå¯9ÁA<Ðw-¼3ÕoRyìüA{v5·Šiä[ˆpÄ®è^ >BÜÿ7Jèo4]+P1Ý2ÎäÄ¥có WØP28—Ú‘©¬+¥Xݬê„öé ýÜŽ? Âø…¨%¿‡âÓœ[U¸K6Dò¸ˆó1 €±ÄjýR+ŸÑ5›ÇÑ´]O½¸³{}eô¹$’Ûl¦Ù`–HŽÉW*J,\‘Ôw½MH‹R:”z]’_‘ƒt¶è%Æ1÷ñžœu«mo Ïï m4A„rdÔg?AXžÔ/&Ò/¾Õ#]ÜY]Ü[¬›UZ`Œvä(v0ì+ÃZÖ§=î€÷:¨¿MgO’îXDH¢Õ†ÃòìË”;ËÏQ@Lz »1i6)öÐVëmº<ä?6rzç­_Ú6íÀÛŒcb¼®k–Òu¯í1«\ßiSÜInÑF«Çíã`¾V‘“ÆÚ½6­â«]6sö‹´I^ÄAwz–l᤹HÜ*ÂÄ(Üddsó0ÙÃá­Þ ˆ Ñ4Ø¡¹ÇŸZ¢¬¸9€n}jxt2ÚÒkX4ëH­§ÿ[ @ª’pæ`ðç°³´ ›Ïí=gM»¼’ðYM•4¨Šå^5l6ÅU89ÁÀà­oP-KÓDbÃM³µˆ TØ‚À`q«Ÿ]£Ò­Ao ¬ ¼1à ,q¨U_ *J(¢Š(Ì~êi£| Ó5ŒÉä¥ÁXÔàÈæâ@¨©bã]ŒÞ(²±×¤Òõ9í,ŠÚÁ2Ë5ʨ‘äyWbîÆHò¿ô®ÀV“Þ~ÏZZÛFÒÍt‘(ÉÃxÒíçf?é5Ý?Q—ÄZ•õ®ƒý¥m¢Çe™#M¯¾bC „álz`p¾ž#³Keo¤‚ÊßL¸Hây‚£nŠ92IÀ_õ˜ÆOO|U«sH´°ŠþçU±†Î\yw\"Æùé†'¸¨<3¬é—±^5£j"ÏP†o)e@×*¶ ‘w0ƒ‚pÄt>Ôý7DÕô}BÓYm®”µéþÏ‚X·Úyò«©Rì¨N†Ãun2(ªÿ„†Õu{ËY^­m¬a½70VF•~€+9Ï;½¹»}©Øi–ŸjÔ/­­-²q*Æ™=9'Æë>Õnü]½–ÞÚÎÓ|’ IÝrË×Óz²“òçþú]ÿ.¯%½‰Òãœ?7?g™Ñ666y¿»Îâ ç[MB6Žquu Wdbçw\ì~뀃¥tTQEQEQEQEQEQEQEQEQEçþ-ÿ’½ðëþâúNµèçþ-ÿ’½ðëþâúNµèQEQEQEQEçþÿ’½ñþáŸúNÕèçþÿ’½ñþáŸúNÕèQEQUÖþÍì>Þ·p/,Ëö òö’Ûºcæ¨Zx¯Ã·áÍž¿¥Üöïòo#}»˜*猒õ'¯ES»ÕôÛ¯5Kan‹$Æi•<µbB³dð z‘T‡‹ü2ÖMz¾"Ò ªH"iÅì{È$)mØÉœ{PÍ ¥åµý¬wVwÜ[È2’Âáч±„êúhÕ–uA¨Ü-<åóHÆs³9Æ9é@(¢ŠóÿŠó%Ø×cÿ³× WŸüSÿ™+þÆ»ýž½€ (¢€ (¢€ (¢€ óÿÿÉ^øuÿq?ý'Zô óÿÿÉ^øuÿq?ý'Zô (¢€ (¢€ à›S×ï|=ªø¢×Vû:ZItmôãfŽu"F+¿sydåXÈàãžö¹«¯Y\½ÜnÔ"Óï%in´è¤QÌÇ/œ©pýà¬ÉÈäÐ3ã{ø˜Ý.¿Ùº{À.'kœI¶H£²¦Îv‰9‡Œžz—Ä[-?\¹±"ÈÅiq´æKõŽà³í9ŽeÕwŒœŽ€qR'ƒÚ÷]צ½žî »Ø$[h¤O*æ8à„ Ã”oF¹œŒV»øuWUšúÓS¿²,·6ðü¹œ¹;‘™I  í+œzÐ}§‹®§¼‹ÎÒ’+u9ôÄœ]nrñ´ŠfÀ6Ÿ,½OB9ªþ2Õ®ìµÝÎKS²·¹†åä:uˆº•Ù<­£iŠBÌÙ ­l§†¬£†„³í‡Q“Q\°É‘Ý܃ÇÝÌ×Í[¸Ò ¸ÖlµGyöqKjÚD›7gŒçäçÖ€8û/j|ZE·ˆ Ó£»¹h!•>Ü©wºV ­öm½2Ã8lŽN0*î­ã‰t«[ÌÓ zuÔ6†â[Á™$±ÆË€W n%†ÈÏJ½wàëK»Ë‰õôQ\^C}-¼mGš"…I% c÷k‘»€jÍφ,n“S=Àkû˜îÙÕÀh¥#Td8ãRžsÎ{P·ÚôC••Ý욂ؑk¨‰ 
¡yC‰Br0„´ÏŒôzªÚ½Œ’Ën-ç†â[y¢Y7ªº1Sµ°22^‚¡ÃÙ{)/5[ûélî¾Õ“ù@îòÞ=¤"(Û‰ðÎ9«šv™˜·+ HÂââK—ÞAÃ9É¥q>‚[ÇÞÐu£¹Òîn/.g¶‘AY$†ÆOrfùzò z%qô[ë›}3^Ðç´ƒ^Ñ®7Ùý¬â9Ä£Ëks’2eT¹Às¸hxWÇ:/‹’T±–K{øÒãN»;¨ 0Sº<“Œ‘ÈÈÉÁä:J§ªéV:æ—q¦jvÑÜÙÜ&Éb~Œ?˜ à‚90E\®Å9i¯_ž–;ßNŒ‘…’ < ï;g TnÂáŽà ¯Ìr¾&\Z|?Ñín¼-â½NKxŒ"êÃLBèŒÊX0ÎÕ §Žªs“Íuð´ÿêBñÏþ ÿû:ê<+áë x_NÐí[|v‘/‚<Ç'.ø$ãs8ÏÀâ¶(ÏÿáiÿÔ…ãŸüÿötÂÓÿ© Ç?ø'ÿìëÐ( ?ÿ…§ÿRŽðOÿÙÑÿ Oþ¤/ÿàŸÿ³¯@¢€<ÿþŸýH^9ÿÁ?ÿgGü-?ú¼sÿ‚þνŠóÿøZõ!xçÿÿýð´ÿêBñÏþ ÿû:ô (ÏÿáiÿÔ…ãŸüÿöuå<[ªiž#‹ÅžÓÁ ÷ˆ…Çá\o„¿ä¯|Eÿ¸gþ“µlë×—¿ð–hšU¾¬ú|v×rHcHÙÝ£0í ]X1éÓ>Äh&ŠÍâ–ÖîgŠC¹¶´‰!ÚbF*ÎY·Ä•\`.ÆI7ÆŸd¡Ú[€“4éˆÇË#d³Ž8c¹²zÇÖ¼ÎÿÆš©ðËê–—w¯wa`n§[xm…´€<C!‰dÈŒä Úñ>µ¬Yj:ÔöW’%¾™¢Å~–©dK)yó¹™IÙˆÆ@ ñÁ䩺Ð4kä)w¤X\).ÄKlŽ b GrªO©Ò¤¼Ñ´½FÖ+[Ý6ÎæÞ,ážtL 00+…›VñU®›9ûEÚ$¯b »½K6pÒ\¤nab n229ù_I¨M¥jú]Æ«s'صm7ʺ1Ä$ØòÂpØM§kAÚ: 眀w-‰»­ÖØÜÄ Œaw r£c‘€ùÿ{=é²élúŒzŒºu¤—Ñ Grð©• ldu® ÛUÒ/üO¨[ë2Új–jñI Gí; ¶W2£+q³n¯J³w®x’ãÄz¢iðݘôëÈ X좌¬lÍ)‘Ä í´®ÀûÜŠî1g¦ÚÍ. µ¶MóÊü".Igv=$’O¹5—}á:÷S³Õ ‚ÖÞî+¥¸’â;uó'YB–8ùÉÏJå5oXÓ­uá¨Þ]-ÓX_Ïb¢;i,Ýc©L/™¹WnDœOZÔSÕ-¼SÔ®îÓO¹`³ënÖìLYÙ'j¾àç íàP@Úf†šºNÖ:rêræUÄ‚gÛ€Xn8Ü£=²=j[}J³–æ[m2Î .³ö‡ŠS6¾@ùº÷¬?^êk6–º\°Gq.™}$~r®ß5L b2Î}ŽFsV|)5ÔW¶·wŒ—¶³š;ô€Iå 0Œ¤ƒ×žhÍ·áÈt”²ºÒô¨ôÕ•vA-¼b#6»‹0¹'Þ§Ÿ@Ñ®£‚;&Âd6B²[#×ÑAa^}ö;¸ü©•Õ.%wñ HÖdŒ¬L5AóaUI'‚A8ôÅ[Ôuí{MÔCKË»ÆmJ8ñ#¶[[™vû"ݹHއ¡8 úïN±¿²6W–V÷¤`š%tã§ÊF8¨ƒ£5µ­³i6 Fßo¶M°·\ ÆûŠ­á™õI´“ý¯¥ÌsHŠd1otå."%c€q‘ÐgÅéž,¿¶ðê:óÝ&£¦Í5ÖÛx¿ÑÌqîóUA$7ÊCdçJôS§Ù ÒßÉi|ã–6™7ïߌcvÿ›=sÏZ…’ª¨´€*LgP#IqÇÞ%˜“דë^xþ"ñ «éßj½ŠæÓ µ­šd>S†å í^2|ÇØÕ­gRñ$:åΦÜj3Ée`—Ê©g™ÝÚNeó ~ìl û°\œã :_ƒÖË_}Vá´öo.DXìôñlÈT³Êw7˜øP3ÀäñÍk[xwD³·–Þ×FÓà†fV–8­QUÈ9€$Fk‘¸ÖuåmkQmA¡O¾³‰,V8™ É»H¬ÛKelF¨À­OZ̾0ñdÇP¹hþÝû;,{m  ä&î>èù±ÎNMtïm—\Io4!„r2É»®Qœ â©Gý‰u«Î±g˩۲I0]4giUfþ v³Of#½rš–½ªÅy«_E©yI§jvöQéžR:¿•’Äû›Ìm»H(àóZ>µšÞ e忸¹ßªÜ²¬`)0$mU9¬@ÉükÍ­tûݺRŬÝ“ÅwÈ¥ã„ùX›™@Aó“ódzcŠÒ¹ñ¹›gb³ÜOs&±>ž÷GÌÉ‘—M±;Tr1× œ éü7ám;Ú]­¼6Ö­w¬vÓ^%ºÆó„P2ÄdöèI«VÞÑ,–EµÑôøWY$Z¢‡emÊÇ’b3U¼=q«K¢HuT1ÝÅ$ˆ9s ?#H"b¡±Œàö<•Êîk¶:]á¾¼¿mZÆ/î-åŽÙ¢’çÍòZ%ÎÒ¡ÀÝóß ‚–ðÅ4³G i,¤Tø=ð8©+‚}kWÕ Œö¡¶³Ôõǵ·xâñmä®å9-$LÀœñ·¨È)¦êšìsØOu«µÌgYŸKxM¼j²F†P²"L '/û=躷¸†îÞ;‹i£š TûXî¥\DÙÊ‘¥\´ñŸuá[È5 kA×bkD…l4µÄ®Ï„T?½~YˆPp0y®£Jñއ­MVwRî–#4^}¬° 
Pc,†EPàd}ÜÓ£ñn‡7†‡ˆa½2ée‚‰£†F$—òÀq;¸Æ(Ï.VãHð³a¬ÜÆ©,—QZÀëžmŒé f (”rXÞ€3¼kiªØ]lœ:Œ¯x±±–ïV{#)R3žwI×''ŠåðÕÖµ~ßc–æîòrús²ÙÊ€ÇÌ Üв"30áCdqœwã-+E¹”jQ£Î-Ñ_JºYB¥€T1înŽ@#ŠÓÒõ[-fÈ]ØMæÃ¹åYN ²°H=ˆ€-FÛâFÜ­•rô>ãÚEçÿÿæJÿ±®Çÿg¯@¯?ø§ÿ2Wýv?û=zQEQEQEçþ-ÿ’½ðëþâúNµèçþ-ÿ’½ðëþâúN´èQEQEQEQEQEQEâé~ÐæÕõyü«xøU^^W=v8?‘$€ üKã;\A¦G—úõâc¥Ûÿ¬œçfÆ#N¤»`¬Fv‘Xþ ðeôz£ø¿ÅòGuâ‹”Ú‘¯1iÑâ(†HÎ ¹ê@',Ο¥xSWñãÛë¾>Eh—iÓü8¸B»p¦ãŒÈýÓŒr™YâOøkÅÞY×4ˆ.äfËG 8]èCmù‰Ûœd箂ŠóÿøR_?è^ÿÉÛþ9]†¡é~Ó’ÃH°‚ÊÕpvB˜Ü@s¬Ø,rN95¡EQEQEQEQEQEQEóÃko-ÅıÃH^I$`ªŠI$ð椯;ø­u}o£ø+Ky!»ñ%ÃC%ÂÿË+hÀiß\¤|¼†]ã©Ïø#ádžüeáóâ/øVÒÖ]BâI­ ¶’h<»bqdB‰œT]¬rI'¬±ø?à>ò;¨|9È™ÀžY&CG(ìTõî8ëÖ»H †ÖÞ+{x£†$qÆ¡U à8ÅI@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@á/ù+ßîÿ¤í]>«á»-kW²¼¿ŠÞæÞÞÞx ¬ð ÌçŽ<¯Ný±Ï1á/ù+ßîÿ¤í[ZíÝô¾#°ÑíõFÒá–Ò{¦¸HãgvFŒb•,xÎÁЭ֣^”7zM…ÁŽ/%<Ûd}±ôÚ28_n•p[[‰ÞqBgE¤72HR{€Y°=Ï­q^Ö5j–> ÖöˤZ^I &&‘䘖RB2ÆÏLÎuu»ËÙŸÊë$‚+TPì­¹XàrCAìFjÌÚuÂ\¤öVò¥Ðá^%a(vGÍÇןé.Õgðæ£{w¨Fd‹ÃPßÇ'–оq7!œqÈù#àñÀã“™ÄzÁŠóS§–lom-Nò£ÅÀ‘a$±#~æó[nÒÚ8<Ðq¥ÛÚ½¬:mœVîT´Iª1P’ÁÀUÓhô¦ÝhšMíôW·z]•ÅÜ8ò§–ÝDÇ#k‘øW¨]êZ%÷‹¯ìï®ßVµ·ò¶@Q±[¯™óåCm]λ<“v=KÄ¢æÓI»¸¼±K»ÿ*;땵k‘ä+¶=Ñ,˜¯Ý=3Íu6º/‡™ïe³Ó4²×à»x`2ó‡IóÔƧMI‹R:”z]’_‘ƒt¶è%Æ1÷ñžœu¬/´£CÕ \Ç<«ª^<€È•†HœãÞ¹ëËÝNx£MÖ/uª®‹%ä‰lbÚQÁ0´kÊ1aþlzhÑ.´û+ßøû´·¸ýÛEûØÃüËÈèv®G|J‹H´Òm4èÆ‹oe Œ¿½O±"¬oŸâx9ãšçtÁª·Š¿³›^»–Ê×Nµº!¢ƒt®òL,#.Ô€‘Îp4ýg_¾Ñ|øµv¶û7†mµ‘[C‡¼ìäáO–UDZäÐF‹¥ ‰î™eç\2<Òy ºFBKd@ ž„Sît­:ò;ˆî¬-gŽçzË °— À›ï\V¹¯ê²Å«Ü[jÃKv‹üQˆ£q3¸å·‚v‚@\“’xbÏVÕ¢ñ£ê·—kcw"Eiöu·kwc;dãÍWÜä|¼”ØÙØÚiÖ©kck­º}Ø Œ"/Ðbx_ÃZ.™áû8í!°»/e¼—Ñ@ƒíq„Fw)¦HªºÕ¬ÓüDðûG¨\ÛcxvıØ{rA܇®yÇ?(Æ9Î/îµ3KðŒW“Oe}¤04H«–‘•(@Ü~RAÜNO#(µ·Ð4kDd·Òl!FØJÇlŠÆÜð·Ì="©húNª#mSM²¼åÝ@’lõ#p8¯3Õ5íJÿFÕìÚóS’ÇPðååôÞEjŒBÁŒG’–Bnô9Î;MnÖx¾j‘Nêi?³¥arër6•ãtÎ;çšÖ³.«g,ÖBÂòÖáÃHðì‘%tÀ‘HÚ£Ûhô¦²hqjSjNºr_ÄRÚ[¢J…¶íŸ¨Îä“Îáê+Š›QÕl,o`‹_{eÑ´hoc3C 7%¼Ã‡ùîÆÅA³i瓚mäÏqgâ9¤ŒÆòkšK²ªH²8ü(¾—HÓgÔcÔeÓ­$¾ˆb;—…L¨=c#­X†Þpâcˆ;™"…ÜÄä±ÇRO$× k®jóÜX^Tÿ§ê·siÂ(ñ¡”S·~õòÃ6âAð8¬H¼q¯ÜG.•x£Ò!Ù©æ0î29‘ø<+§ZôvÓ4;]E/ËO†úâa²s,²Ê±†ÆKlßïݳV&Ò´ë›I­'°µ–Úw/,/ ²HÄä–R0NyɬÏÜÜCy AÆ/µj&"³û<Í‘¸UN}±Ðs¾Óü ½M¤ûE´ ¸1®Ö(1mUÏCÁË{ÐOiaeaf¶vv[Ú¨ C a×å'‡mm4«Ë]ÛNÒfºic²R¾„•R»Ž ÆOô= ^j3ÛøÇK²ó‚YÏaw,Š@Ã:<NzŒ+ÉÆ—Þ•«k:ä~u‰-Åþ›sss40ÄZFF„!”¨ÿX{`ƒô 
¯°Ñ¬tí3N°†Ý=-‹¨&=¨P0=›i##ÔúÓm±®üµ´ûÜ‹Ôln\¶&þñßówçžµÆxFkícÅk©ÜêS¬¯¢Ù¼±F‘ˆå"K…9Ê#w·\` ü w5þ§åË+O7†ôù$e@ ±{‚xô€:Û= HÓ¤y,t«Wt»AnˆYI1Ò–ÛCÒ,¬ç³µÒì µ¸Èš­ÑRLŒÊG×#®ø’úÏ^ØÜêZéZØ\FÑ[ U24a—$‰‹â@À®Fx#Ç{@#Ðô˜µ3©G¥Ù%ù7Kn‚\céÇZ*ýçÿ¿äè_öñÿ¥Wsyg¡e=ÔbKyãhäCüJFü«†ø%ÿ$‡Bÿ·ý(’ºOÞOeá›—¶‘¢žg†Õ%^±™¥H·q¿?…\»Ò-®+•¶´mFÚ2¶—w0 šF3œ†Ç¨ 3ëYKáWÂèbáN.£»šcÄ®.wùsÀfc'÷ÅQÔµísKñ&«­Œºu†• Ð…®ŠÊ~i·ýÛc储ùAÎXâÎ¥ãE¶KÉl,~ß ¸²Öm‚G¹* àôVWÏû@{ÐÒh:4zc驤Ø-ƒÍj-DÇÔ¦0*³gci§Z¥­¬¶é÷b‚0ˆ¿@8Éê>=þÈ‘ìu K;mL\$(²ß„¶*èÎÌÈ Œ# mÎ@æ·<7¯Ãâ='í±ÁI^S Srœ®8e<p8=â€#ð×…ôÿ é–AolבZÇo5â[¬rN@ËÏn„š¹q¡é–0ØÜéV3ÙÁ&Þ[thãÀÀÚ¤``zW- x‹Rÿ„gÃ6v¶¿Úz¥Þ–·r½ÕÑŒlP€³>Ö%‹8ÀÇ<äŠ|ž=šãNšûJÑÍÔ6ºrßݬ×>SÆ>#Qµƒ8òÛ<Óæ€:{ÍJÔLûL²¹6ç0™àWò¿ÝÈã éIu¢i7·Ñ^ÝévWpãÊž[ty¬FGáYzf¡3ø®âÝÌztÑÆÎXDùd`=pǹ®Ž€3#ðæ‡—2G£iÈ÷JVá–Õ˜Hs˜zX¼=¤[Áoom§[[[Á8¸Hmã'˜Š®ëž{€{ Ò¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿÅ¿òW¾ÜOÿIÖ½¼ÿÅ¿òW¾ÜOÿIÖ½€ (¢€ (¢€ (¢€<ÿâÆƒâ_hv¾Ð"mï%/}w<Ê©G†D#ŽçÁÊŽ6`ðƳü#ð/ÂÞÛq©'öÝðÏÏw¯ÞE’}âܨ#êPŸøKþJ÷Ä_û†é;W WŸøKþJ÷Ä_û†é;W PEP’ÅámV?‡šYGÕ.u‰m…µ­Â¬q؉°²±ÙeÂùŸqw55æ•®Á§ëºAÒZÒ»‹Ë?ìök”ˆ‰¢I@c€@dÁR9cȽRŠóæÑÍœÚý¦¶š®¢·[^Å©[@LÇi(ãd …^CƒÍSÔ[[¿ð~· 6±uiÝ›XÜϧ”¼eÆÒ(F ÆA)“Ïé´PÞC{¬Ã£Giªx‚i"ÖG»ºÒ…¼–ëäJ2 U+’Jž[¯"·ügs¦[êzuâL÷1_I#Þ:`^ 0âAü9ÁÚBð žÅt´PEP›übûgöw„ÿ³¼·ÂKgö´gËó1&Ýøçnqœsбÿþ¤oü›£âŸüÉ_ö5Øÿìõèçÿð–üCÿ¢aÿ•ûð£þŸýH^9ÿÁ?ÿg^Eyÿü.¯Gû»ÍV{+¥âk[‹ĸûÈà!È8'‘Ö· øƒàÛ›x§OhÁ$@ê$½3ʱO±ŽõÒVþ ð­ÕÄ·ѦžW/$’XDÌìNI$®I'œÐ¥ýž§gå…Üv²gdÐH$FÁ á‡øQöÏìëŸìï#íÞSýŸíòüÌ»ñÎÜã8çÇß|ð¡y%ÔÞ$|dA, À„F :võë\ÿ‰üá¯hsjGÅž+Ðô˜xƒOÓµV ¼ó²%`If;›“݉ € ø×¡x¯ìšv¤³u¹vÇå°>Lòÿ«nqœ•°rÁAcÍhx·þJ÷ïû‰ÿé:ׄhÿ|{â‰^öêÓì^~ùZãU”£Èû°w.MÄäå”g®yô½;ÂÞ ø‹ðûN¼ñÞ²›õ#ÎM«n‚Õ"XÇMØ’@=²Š( Š( Š( Š( ŠŽyáµ·–ââXá‚$/$’0UE$’xsRP\?Šüoyk®[øW–°j>%›J³äXÃÁ2LTäd…<ƒÝUóüCâ}SÅ÷ƒÃ^Ÿ÷2ñ¨xŠ/ž DÀ%"qÃÌCºxÈä²vðÆ—á›3Ÿï¥ææî_ž{§É%å“«±,Çž™8q@~ð<>¸¾Õ/o¤ÕüA¨97zœÑ„f\ðˆ¹!8°ì/YEQEQX¾0¸¾µðn³q¦ï±ÙJД`ÁO zŽ£Þ¹–°ÐôO·­ÅíÎ×x-ylbrï!þ<­¹²AÇ<РQ^yáŸêÒØøfîãU:¤šµ”²On"B2 mɱA7ÈÙ$e†1Ò³í¼Mâ·ð­Æ¸ZëÊ›F¹»ó&[O* –-éä„båAÈ"@OLã‘@§EszEΣ‰&Ó/u½ì"» $H†7.ÊÁvòð0Hõ5‰ªkÚ¥µÿŠ.cÖ6®“wlXyQâEx¢%•Üw30\AõPEpPx’øø»MX.u ôÍBúâÏý"+e„ÒSû­¤M•h¶’à‚3ӌ҇[ñ xKÂ÷O¨^]]ë†!,El0¼˜ˆ8TÜÄó“ÐàtéTWgyâkÍSJÒï/®4ã$WÏ+ˆíži7„DÇÑ[@àóÀã/…µ WÂúuíÙV¸–ee ÂqÛ8Î(^Š( Š*ž­%ô:5ôº\1Ϩ%¼k‡ 
ò…;ò8-Ô}E\¯;ø2ø·ÄºïŽ˜IäHÿÙZVèÙGÙ#!™Ô7 $$ò2¥Jç¨zÇÅ=/Æ’ËG–µ½zTÒ>Ãrù6ï7ÈîØ!ŒaIè<•ÈÎTz†‡£Yø{C²Ò,e­¤Kd[Y°,NI8ä’hBŠ( Š( Š( Š(  ×Ú…–—jnµ Ë{Ku82ÜJ± ?R@§ÚÝÛß[%Í¥ÄWH2’ÄáÕ‡¨#ƒ\·ˆçµÓ¼g¢jz»$zTVפòñ,cÚÌO ”ÇÜw®^âöÞ+ã}o}=‡‡oüD˜šÞF…%Qg'šÁ—ŒÈ£-Ó*[=èÕè¯/¼Õµì g·½wÑX–/·O$­B1B×*¬êžgʸ 7sš±¤­Þ©©èvW:Ô“ÙI¡"¶©Êë",ÃL3•ÞÃw_s“H¢¸Ÿí+Ù> Ýê u/ÛSG…Àm²oXÛ‘Ѹ#½cK®Û[­×Ø5íCN6p ÇmBDò.eQº\“‹¡z òéôW•éwך“[iꩆ eñ'ÙƒÚêRÌZbÒ”óÈWuÜO'‘ÆÓïï58|UyfuH,§‚êôä¼Ö&‹Ì€,yÄ\n;ÁbųýÜf€=FŠóË.âšÏR:ü“MâK»FI.]¢ò<ÙÔ&ÂvàmR21ŒãŠô:(¢Š(¢°uWP]jÇDÒ²Þ\Ã%Ì“Ý#:CRv+)f,êÜ:@ÔW#Œ¦²–M;U²yõ8ïÖÅWOQ¶bð™‘ÀvAU ‚NëŽjùñm§Øb•-/î[¦³[Tóüå²òÛKnÝ·ç‘@ôW4õÄK¨]imâg¶»U–]bÆÙ¯ˆÄ[#I»œ1#¶HíO—Pñ#K}¦Ùê¢Âýc–æ¶[©"0(¡ÔD]Y—<”Žý@:?Âz]¾aagg¨½œF$š{e'®Î3éš¹s¦è\Ū]YiñÏn8®å‰F ÀPädrp=놗ÄúÞ«8‡B›Q•"Ò⺆DŠÑZâF. ˜JË„"09'‘Å3_Ô5MOKÕ..µg¦¥ekýœ6FÜÐ9%±¸±.pC€8<šô´m.âîK¹´Û9.dˆÂó< ]£=P±+íҢú:{ØE£iñÙ;kuµA7©\`ž5âËë»It-u°‹ÝMm¦”"1(a•¶À€K*àã®:Œƒ“ý»zúkYûùo«-¼öÛ™®B)sþ°yJ@€2‡Šìm¬,ì­µ­¤@I&(£ §=xsPXèzN™Ñiú]•¤sÿ­[{tŒIþðg©ë\F—¯ëšÐÑ¢„Öå¡ÔþÒaŠ$ÆÞt;:+Nvåy8ìE+ox­ü+q®ºò¦Ñ®nüÉ–ÓÊ‚e‹zy!¹PrÓ8äP£Xhúf”Ó´ëK0T!ð,yPI匳«ZlVZDrIe µŠ¸¶H¤#@D`ŠT|ÀO½ŽõÅxŽ]M4OiWZ¤×Jþ{µsjÈø:®î\°çæô†îßU³Ö5‹‹=~äKiáë{:Haf•ƒÜ²«aìàƒ´<|øIâo ¤p+éÐ@°˜wI§¬³D§‚a°œq÷[µjÁ hö×âþ*É/BíBóqŒc~3ÓŽµÇjÞ ñ æ­%®”—q´:d7‘­°¶+$’oÿYç°>XÚɃÉÉUèu]^[^{¨,îæXmc¶û<–ÛŒY1Èpe¸? 
íàPM-¦•®Aks-½–¡ ‘=´®‹*ƒÔ:GЊ_³é–FÆ?&ÒÜǘ,×j¦ß—;#¾U<Ëí\®ë)¥h:¥õíÔzT–VfW±ŠÛh•ÎÎF]ÁNP+É®·Äw——z Û¼içê'óWìó7SÓ•^Fæhõ¶ƒ£YÈÒZé6;+#4VȤ«cp$‡>¸-¾•§Yéí§ÛXZÁdÁ¶ŠXÈo¼6Žrsë\ï„u Eî¦Óõ»›çÕÞ9Þ)ÖßÉÁ$…¢”$‡ù¸OQÖ5›3ã-N;Ù$‹F8µ²G°Ÿ²Ç!.vî 3–á‡~HÀ]Ö¥ßIo%Þ›gpöÇ04°+˜¿Ý$|½J™ôû)<Ýö–íçH’˺0wºíÚÍÇ$m\ÈÚ=pñkå¥Ïö„ú¨¶ž8­Ë¥“\Þ@»cXØ¡VÊà¸ãœ“PXøZº‘ty¯n-%:ÓX5ôñۙѰœ) º0±ÚÀéž(¶[  kíKia­q4F‚yv†çˆP}2*Q¤é£n4ûQ¶àÝ.!^&9̃¾r~n¼šåµ;é|[áëXu»„™tûð÷¢(Œ¬–ݶl8ÏËØð# ø£WH¢³Bæ.+œÚ%¨Iåf‘KH&`DyŒpœŒŸ˜q@•yö$Hî/~Ϋ£’lœ  ž„î+ÿÇz«‡ôx^7ƒMµ€¥ÁºLb0eÚW{Æã†<œúõ¸=PÕ5=/T¸ºÔœv𕕝öpHÙs@ä–ÆâĹÁ àòkÒÖXÝÝEgLPrW<ŒúPºe†¦ˆ—öV×koEž%+zŒŽ 2ÎßL+ØÃi¶×Ì· Uý×Ì ÇÝù=Wž•ÇøMÐõH5 S]ŽÚ]bFá'šá±%®ÙXD¨Äæ5ØŒœçœÕM&îú[ÿì{}Q´¸e»Õîšá#Ù.È<Å*Xñœ‚9 èhºPšÖa¦Y mïä.èAë°ãåü*km>ÊÌ©µ´·€¬K ùQ…Äk©Àû£' Éõ®ÛÄšÔöºN³ss•-½±‘ôô“Íw ™V@dÙM¾_ õ«gYñ µ[Ķ±Ô ¶1¢Úù&&³¼›ØK¸‡m»¼r(¬›CÒn/~Û>—e-ÞTùïnŒùR Äg‚˜~Š(¢Š(Ïþ É!пíãÿJ$®ÇZÓYÑ®´öÄfO’P2cpr¬røWðKþI…ÿoúQ%zc]i,šŸöäs]µÚZˆfµ¶ò‚Ý*îeSæ]±†^¼œW/oà»›o‡CHŽ êæþÞæhÖaº$¡óŒÇ *Œàãµz ÍÿÂjwÎú– ú‘nQ-™!@nÖa·nâNO5·ck%ªÃ-åÅã‚IšãföÏûŠª?*ÍÎZÃc¥ÛÙjöré¶ÆÒ¨<ƈ…ʶä*s±NväÆ+ Ä~’+Ó¼?e©/Ú4á`ÏÌ+ (ÜÏó™Æö;£ŽH5èPN›¢‹JâöI¼ÙÞXÆÜlŽ0N=ÉgbO¦ÑÚµ¨¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿÅ¿òW¾ÜOÿIÖ½¼ÿÅ¿òW¾ÜOÿIÖ½€ (¢€ (¢€ (¢€ (¢€<ÿÂ_òW¾"ÿÜ3ÿIÚ½¼ÿÂ_òW¾"ÿÜ3ÿIÚ½€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿâŸüÉ_ö5ØÿìõèçÿÿæJÿ±®Çÿg¯@ Š( Š( Š( ¼ÿÅ¿òW¾ÜOÿIÖ½¼ÿÅ¿òW¾ÜOÿIÖ€=Š( Š( Š+ƒÕ|q©j>%¸ðÇ‚lm/õ DÍõýÜŒ-,›<#mw8a…#×k…ï(¯;ƒÁÿn-â—Ä™öxí4¨Wl epü@àd7¨*q»€é_4K„»·ñ&›âXÍeyf¶LØ Ç‘¼€Ê £9 öÃøýã/ì_ Çáë9¶ßj¿ë¶6;p~láÎC(U?ê#øµá -&Öy4ÝÙ"³Õõ'ßw~Ë ™ÐXüÌÇæ ?2 oÜüjÕ5Oê!J¿†àÚ¾‘ög™ìQxT}ì…I!‰ÀÁ;r¯w¢|𶃬A©[jãMí£í¢.ªTüÑ*8àöaï‘‘@‰¥iV:—o¦i–ÑÛYۦȢNŠ?™$ä’y$’rM\¨áž”/±ÊÙ #•аã¸`Aˆ"¤ ŠåüWãøGå·Ó´Ý2}k]ºÃC§[6pS,‚#ŒÍÁ>ÁˆÇÿ„wâU÷úMÏŽìt¹ŸïYØi <1ãµå;Î@ÉÏBH@Eyÿü#¿¬Òm¼wcªLŸvÎÿHH!“<ÏÞ0F:àšØð§Œá –ãNÔ´Éô]v×-6rÙ&=ÅD±¾’2F7/û$¨ªZ&“¦ÜËsc¥ÙZÏ7úÙ`·Dgïó2·<ðÚÛËqq,pÁ’I*¢’I<9©(Ã^Óü7¦ZA½³^Ek¼×‰n±É8E,G=ºjÊøwDIî§]OYnÑ’âAj¦VûÁÎ>`{ƒÖ´«ñMׇtM.}wÄ&/9¬íäXÒ㙥n#È9ü£ÊHV- [´clùFí ä.zã=«&ßÂú|zåþ­somusqt·I%º—·"ã±ÉçËÎF:ã¶kšÿ‹¿ÿR7þMÔsø£Ç^·—PñVƒ¦ê:Z!y§ðüæZªŽKG)Á$r¤m ÄÐjš“ñ¾K²[ÂæCp¶è$ÞA·c9Á#>椓JÓ¦ÓF›-…«Ø-Z1Ìc1I¥j¶:æ—o©é—1ÜÙÜ&ø¥NŒ?˜ äypE\  všV`°­žŸkn VH„0ªyjÄ À%T:àzUˆ-áµ ·†8aA…Ž5 «ô¥IEQQÏ<6¶òÜ\K0D…ä’F ¨ 
d’OÎhJ+Îã×¼_ã—˜xb(ô _ë7öí$÷JT2¼0aé—ê®ÃŸð‰|Cÿ¢Ÿÿ” ñ —0£ Þçž+꿇 ´¿‡Ör˜¤ûn§>D×ÏÂS9«“µxòry'…Kmká5ºÙê]¦¥á¹nYµM&ÐÅ5±`]åžlt8TŒwÚµêO Õ¼WòÇ4 xäƒ+©Ásš’Š( ŠáüYãË;X_ x_KþÛñ,‘4­n$ ¢mÈyXð2Jár2än]Õÿáø•}þ“sã».gûÖvBO xàmyNó2sÐ’P Q^ÿŸ¬yÓ¾!ý¢?ãÞ×PÒã1W¼äÀÜy=hÑr9ÀᔀEz%çÿñwÿêFÿɺ±¥øòâ×\´ðïŒ4¿ì}ZërÚÜÇ ’Îô®îߪ³‘ €T–€uº®¯£Þé— ë å¼–ò4d êT‘Fp}*Ò¨DUÅ-QEQEQEV.±¢O{¨Yêz}êÙj6ˆñ,’CæÇ$o´²:nRFQHÃúÖÕÂj^Ômît™íï^}RãZû]ÕïÙ³mµ™Áùc*cv~o½“šµuà8ï´ØÖêæÚçP[ç¿i®l„<Œ¥ ˜K}͸nÈÚs]Îi^]6ûO»c´‚æ&†ÆÈ[ÄæV‰· vãÊÇSœõªúž‰6ð·UÑ­ËÞLš]ÌQùqÒ±FÀ 2rIÆ9¬éþ$6¥q-·‚´ ¿<Vk˜å[kE*pÊ'q‡q”8PAVÈ ½Õ!y5a&¸òb‚ôM¨#YFYSï7•PØ*Í?Ið*éwÌ—VÈ©ªÿiy6¶BÇú)ƒb¨cÎìóéÏZ“@ñ펭ª.‡¨Z]è¾ ØXé×Ƀ _¼Ñ8ùeL†Á$#`WY@…×-¥ñ Æ©zK­ÔÉ<Ë{¥­ÄªÀ*Ÿ.MÃh!AÁ ƒ’:Õèü/åÛÛEöÌù´Úž|¯½æI#ìëÆ<ÌgÛ§5ÐÑ@Q@á/ù+ßîÿ¤í]®¡¥éú´ JÂÖöÛ„w0¬Š®kŠð—ü•÷ ÿÒv­zò÷þÍJ·ÕŸO‚îÚîI i;´f¡K«@f=:gØ€ ßìËð o&à4~Rí 7 sò€9ìíU_ÃZ š|z{èškYFÛÒÙ­Æê¼þÿÆš©ðËê–—w¯wa`n§[xm…´€<C!‰dÈŒä Úñ>µ¬Yj:ÔöW’%¾™¢Å~–©dK)yó¹™IÙˆÆ@ ñÁä©»Ð4mB("½Òl.c·&¶GöAt)דwt·7:]”× ¬²[£8äHÏÃÍ«xª×Mœý¢íW±]Þ¥›8i.R7 °± 7üÇŒ/ˆ$Ô&Òµ}.ãU¹“ìZ¶›å]âlya8l&Óµ‰ ísÎ@:Í_J²ñöqK-¼É§^y·ì‹(b`tòÜgŽ& ȳy ý”@ñ•™¥28”¶•À{‘@³Ò´¨~Ò¶Övq[$æˆÖ5‰Xïç ½q“Ò¢Ohb[›ˆô}8IvŒ—-²feo¼ãæ¾zרëzÆk¯ FòénšÂþ{ÛIfë%Ja|ÍÊ»r$à’zÖ¤zž©mâ˜F¥wvš}Ì똷[v·bbÎÉ8óU÷9o€:Ö´¶iZV·ˆÈÑùLÅJtŸNO*µ®‡¤XÁ$zU¼RG妱¼W¨ÜÃqmeaw©EvÐËq²Æ;cò&ÐYÌøP °àN}«ž‡Ä:î±§I¨C©›!†muO*(#eißÎ'%”‡Ë€Aé‚9Èo©hú%ݲ>«§ióAh¥‘® FXTHÜ0 úS¡Ñ´a¨ V 6À^²ñv'˜Aûàg÷®+ÄÚ¦£©éÚò®¥ými ­ß’#F™R]ÛËvFÒIç ­í_R¹Òüa-¬©’µ¥¹¸u °,Žˆ\ƒÇ¸ÏÆx  OøG41qmqý§yöª©o'ÙSt*½e@튽=­½ÉŒÏR˜›|~bØØ+‘ž‡ Ã>„ú×'vú¤ZÝ–„i2ÝÇ•û¾ŸŸ¿@t>Ðmข MŠœyñ¥ª*˃‘¸†çÖ¤þÁÑ…Œ¶?Ù6d˜†–³'–äeÆ ÂÏ ô®$xĺ–«{%„A,î-ãéöQ#$nÆC#‰rC¶Ò¸½È«6Úž¶ÏܚĦ+vïMò1H–I‘;3½v/$@äÍvvúm… €[Y[B-Ñ£„G¯”ŒAe\*¹®¥W¹ðö‰y Ýhú|ñ[ÿ©Im‘–?÷A~Äh1k–ß ü3ý™¨^ÏæAÌ‘}˜N‘¾ä>b„8m¹ß“Œó]ƃ§ ØÞÃq-ÄsB¬%™;z–zãJuƇ¤ÝÝ-ÍΗe5€«,–èÎ93ÅZŽÚ¦šhá%˜ƒ+ªÒ07øsRÑ@÷‘w¨G¨\éV3^Ç—2[£H¸é†#"–ëBÒ/m¾Íw¥XÜAæ´ÞT¶èëæ1$¾ÆâI$õÉ5~ŠÏ—BÒ'¾†úm*ÆK¸NöèdŒ›XŒŒ{S®4]*òþû2Î{È0b¸–i#ÁÈÚÄdséW¨ Š( Š( ?ø%ÿ$‡Bÿ·ý(’ºJñøRåŠý¢X-]”àªK2Fç=°®y®à—ü’ þÞ?ô¢Jíu=: [K¹ÓîwyW”b§ ¹îb úŠåü_â‰ü4³5„¶Î–6Ÿi–ÈXO3”ºÉÛ!HÁ •w:Åâù§ ”OFäΔMuÚ—…4gÍ:ŒÌÓÛ‹{·D'AœT`›gŒUì 3íŸkû7ïþÒ.÷yþ´E䆯qþ¯åÇNøÏ4Éx†*ÚöH4é[QÒæÔ,቙d¹-óå[€\Ðækã»»ípÙÛClÖ÷W°Å§HC, ¿Ú çªù2c 
®sÎz]7Âú6“pÓÙÚs‰CÌò,hNJF¬HIåPÒ›cá- Mm-¬ôõˆéqÉ™ÞÇÊY>øäóŸS“×ÔÐ|I©ßéòhðißeßß‹V{”fT_*W$Ã'1Ž3ÏN3‘‹mâMvû\¶Ña:tw ׉upÐ;!òL;Yx#"aXà÷8çkÄzöüšB>ß"Òûí31‘Šù2 ØËÈ`ΤŒc9ÍY±ðö—¦Ém%­±I-ÒT͉̎YZBÄ’X±E%›'޽h‹Åº˜k]Nxí‘w5’A7Ú#ØdËnÚÙ1¨Q€zœS$ñF¹iá;\­Œ‰¨ ²ZÁm+´&fP»ÙX™p$*)$`u®† hðjßÚqÚsæ<£39d`C:ÆNÅc“–“Ï&¢‹Â$6ÓÛ%¤Ÿf™v›v¹•¢A¸0òжØð@#` b€9óâŸ'Ûdߺ»½ùÑ®‚ùF2Ûűa!!†Ã† da;øªýot÷7VQéSà ÿ°M$WìC(u|Aü8ó3Ë{VÙð®˜mE¾ýKh3ö¥Ï™œcýg™»íœ{SO„4Cöuû4¢uEHêQ Ør»£ ±È<å  ¾-•`½ðÔÌ XõFb\ [ƒTôj¯&—6©›ZêÖ2^À–¨ÁàÚªû–"L«ýà‘Óšên¬-¯eµ–â-ïi7Ÿ ÜF×ÚÉž:ü®ÃŽjŽ™áGº766¦96ÓtÎë HÕ˜ˆÔ8PÒ€14_ë—zŽ‚/†öMbÊKÄXÃÀ• !ø“–téY1·¼—ÄÚµßüJ§‹OКâ(olZld.ÒÁpX˜ãm ÂXx’FK[K;{X%†mï&¸ÎöSÀ€¿q22ÝxÒ]èÚ}ô—R\[ï{«_±Ìw°ÝÍòðxûÍÈçž´ÂÏ£êz¤v‘(¸Ô5H"Wû,· 9>T;ð¸×$àWgá½NóUÒ|ûëg‚t•â;­ä€Hðê’|ÊÁÁéÈÉëDþÑî#$µaçL“³¤Î޲"Õ•ƒB@Ê‘ßÔÕë4ëU¶·2˜Á'3Lò¹'Õœ–?‰ /IÕ5øZ[³}·]»Ýs%Ê3„i"–g8 ®ÏAŽ8 ÒâÒá|=ö[;ˆ§×o^Oµéò]¤Hf™’Cáœ6TÓæ€=ŠòÓ.†´ç½Ógº»³kèí¬.ôI®`‘ íå “ Úª™ˆ z‘[°Z4<Šò=$Ü\Ü̦ss¦I¾Í|œßÜ(1Ic@W‹/®4Ïë—örywVº}ÄоÐvºÆÅNµ—ðÏJ±Ò~è)amâÊ©¶õ’WYRIü€`+¤¿±·Ôôë› ÈüË[¨ž“q‘ 29ô¯7ðljî<y‚¼k<C XÒ5–ÄP]@ƒžEžx’U¤õ *8'†êÞ+‹ycš PkÃcyW]ŠÛIá— gkn šÐøa£Ûé^Óf‰ç–ãS‰5+Éç”»Ë<ȬìIüáÎNIЋÁ>´ðõö‰§i°iö·Ö†Òw´VGB….A,À1å³É$ç&¹ÿ‡þ!}>+ox‰`²ñ†Þ$-²öÚ5&ˆÁÈ*~F$.P@¢Š§ªê¶:—q©êw1ÛYÛ¦ùe~Š?™$à9$€2Mpú+áïŒú΋`d¶˜5©¢’FaÏœcbƒ8Ëu9z%yÿƒ¡¼ñ'ŒµÝ[}–ÆKA¦èë’âÔH\ÎêÀ¼í+Óå' ðÇÐ(¢Š(¯?øµþ‘£ø{I—æ±Õ|Aee{O6ÅŠçªòŠr‚ ;@'‚ ì(9à†êÞ[{ˆ£š P¤‘È¡•ÔŒAà‚8Åxß‚|iÿ¤ðψõ+7[¼·²:e‡Ÿ‡ÈŒ¾àKXó“†×qâÏÙès®‹¦í?]nŠÓN·FI6nV˜n]‘ò¤’AÚIEÏxjo x|Á{qÖ©yq%î£s*²ÜHrÄ€…àvç$P‚|Dñž©¥xÒ/xr×Ä~¸¿ˆ%ÔZ•§”—/Úk3+á ùpå²;üz‹_¼‡J×4‰â¿“vÉtØ^t|cû¡ºEÀq¿<“´ Øñ«ÏøÓíÚæ±ö} Ò%ŠÎÒÏ&VÈ%Ù‹åQ·ãrªƒ‚3]LJ¼+¡xRÌÚèzdQ·ß( y0Iœå›Ž2N3Årà†oůñnTŠËÖ‹â½ËûCRÐ%–O°—ÇÚ •6J&@+øðÇ zMÄzGŠtµÔ´[èîí ”Þ ©VC+Tô8 pAèEjV_ˆô ø~óEÔ–Cit_Ëm¬¤ÊÀú†ó‘Ç Ž+R¹?øÍ|>‰¥éqÇâ‹Ôÿ‰v›ó!Üw aQFæ%Š‚¹$aü:ø‹£Þ|?Ñå×üG¥A©¬F)’âùC±™œ;nÜʪФç½uðø?þ†½ÿ0ÿñUá_…þÑÑ¿Ý8’OûéHOb»ø~ÏÀíáŸhZ.tßK9¼²²Œ0Ëç$œ» EÎr[©`4é6zeœvvZZÇÁ$“… ’OãV*½ýž§gå…Üv²gdÐH$FÁ á‡øUŠçü]á;?èík+ý–ú<=–¡5¤•ƒ#u^Qs‚ E‡^!¸ñWÃýX¼\]MIŽGÎèÍ?¸©lÆqÚ¬x»Å–~ÑÚêTûUô˜K->7k¹ *…Eêܺçpzÿ¼=qá_‡ú>xÙº†"ó ‘ÝšFN ib¹œg½uQEQEyÿ„¿ä¯|Eÿ¸gþ“µtú¯†ìµ­^Êòþ+{›{{yà6³À$G24Lž8ò½;öÇ<Ç„¿ä¯|Eÿ¸gþ“µnkWWóx–ÃI¶Ô›M…í'ºyÒ4f‘‘£PŸ8 (ÞIÀÏLÍ_m#@Ö!†áôí2ö!• 
†ä_/¦Õ8?/°â´µ¸çD&tXÚ@ƒs $…'¸›Üú×”èzÞ¦¾;°šziZWѨ‰n™Œ¤–Þ òÿv AËzWqâMKP‡ÂPÞYIö;Éç³,ü¿6x‘¯GøP·‡tK%‘mt}>•ÖIV¨¡Ù[r±À䆃،ՙ´ë„¹Iì­åK ¼JÂP웎9®:÷[ÕtØ5{©4¡gmüñGºçòÃ3UBT³`ãŒçæß¾£{¯XirëwOýŸ¯,1ßG"C¾ÊWÃ,¦õ$Ž ?#84ßãévö¯k›g»•-@ªŒT¤€0p@ôÚ=)·Z&“{}íÞ—eqw<©å·G‘1ÈÚÄd~™â{F4; ÷µkÍCìóL#Gc‘3œ”uÈ86¾·nöWWºÃ\@5‰ôÉb6ñªÉ@•\‰2€œ¸þô×Eáí.¤‹GÓã{µd¹e¶@fVûÁÎ>`{ƒÖ’ÓKЦºZ³°ÓžâT —ÐÂ…ÝHà‰É{ô®_Ã>!Ô.¼Mik%Æ¡qa¨iÒ^À÷ÑÛ!;^ ­ˆîÂCă<zã™ÐŸe'›¾ÎݼèDf0wÆ3„~C꼞:r}k„Ö!Õ-|G­Ïe­O Ö^·˜ÊÐÄÍ;¬—%C‚»Bœ… y"¢Ox›SÕ/%°‚è%œöè-“ì¢FHÝŒ†Gä‡m¥p8{šíçÐt{«¨.®4›n-ÀÍ%º3Æ@¤ŒŒ{Uadªª- “ÔÆ„’\q÷‰f$õäúÖ'‹/®í%Ð`µÔ>Â/u5¶šPˆÄ¡†VÚ7,«ƒŽ¸ê2Oöíëé­doï弬¶6óØCnf¹¥ÏúÁå)NÊN(£“Âþ–‚M Lxd”Ìñµ¤eZO[ß­iÅpD‘EÇ(TD @a^¢ëzÞ½6…lÚœ¶žjjBéãŠ$¦Þâ8ôtçnW“ŽÄ6÷ÄšÖ„š¼×òÝKv-®î,! Yȱœ©RƒÍT®àçžphÑh®k“k2Éuý¤÷²[˜¢x$¼¡ÙŽýû~ÎÄlÀLgžO'·K@Q@Q@Q@Q@ðKþI…ÿoúQ%zyÿÁ/ù$:ý¼éD•èQEQEQEQEQEQEQEQEQEQEQEQEçþ-ÿ’½ðëþâúNµ×IâTirëzj$€-夑6g<‚;W#âßù+ß¿î'ÿ¤ëL“A»ñ‰üUdoàƒM7ö<e/3‚$Þtîï@‡Ey®½$ž<Ó…¬ÒF—:•ͥͼº¬“Iµc˜ÖÅvB7F¥H`Hìrq”'6ðö­{¯ÜO%Ƙ'žÒë\žÖ[—*¤4L§æaÊìÀ ¸Ï4ì4W™x¯S¿:ëÅ%üz]³iñ=ƒÝê²X3ÜHTa+®(ÇÇvkFÐï|G{«ëw¶ÂÖæÞ5{{§X¡Ýmm¨~Rœýå=r0I4ØjZ¶›£[­Æ©¨ZXÀϱdº™bRØ'±8cQišþ­F•«X_˜°d·).ÌçÚN3ƒùVƒG#5â2ko§ü=Ò¾É4–·Ö^·º†GÕ$¶WmŒG— ©Wæ ÆÍ{=½õµÕÅݼ2n–ÒAë´ŒQ\zü®§Z±^måÄ^=Õ…äòÚh²jP–š+ºçì¶û#•‡*‡¶8fÂ’VÓu-Vos«ÚÚj :Ïm6«!sn … hcÙ€»8<ã%ŽH RªW:µ…œr¼×Qñ[Èî)$…U€É—N½˜œ×%à Ae¹»±7¿ÚSEo-ü¤—Êİå_ˆ\ã%ŒéXZíµŠj¾'·7óÁ¨ÜkkÃÛ_qžÐ"ÛNiÆ1À W¢¼ãT¸Ôô;ÄvZuÝÜÛ^ÚbIî¤y ‚A—îŽì1PIP7²!¤>(Ò×N[àÑÇÿ Å]|¢#y´8;°àsÜtàzµG=Ä6Ñù—G{•7HÁFæ!Td÷$€=IäúŽ·}vöÌׇH´“J†M9µ f[B&%Ã1`ö†O•Ï ƒƒ¸×[ãx¾ÑàhžúR¾]Í”³É¯¨Æ]²!@Ürzc<×Õ{{ëk«‹»xdÝ-¤‚)×i¢¸õù]Oµæ³j±­åѳ×.ßRKëhô‹T¾yæÔˆ²ÁK2¶eÝ!ÜW‘б%Ýå·ŽµÅši-ô–Ôcı9O2ëì¶þ\r° ¬g¶8fùI€=*Šñ«M[Voj7_ÛQ-úh—r_@5ye¹IÄY äQnÊÀŒ)žøº«•¸Ó®µ{u»›håÑRµ]ÎÒˆfÜêd‰Ú €1wtW%àN­:ýaß2ÛMƒ4Z”š„S€þêY9>…{∮Z×T{ Ù£ŠãÃw×{?µå»–G°¶à<‰öÊ£}02ì•\_[I´ñ'úRÂ'1í§£6·m¥Þ_\Mý†·QùÒ´ì& àº'Œ£ŒOð³i­ã»Ñ¥j³ê6ÃJ€ù²Ý5ÆÌ“ ;} \ñžƒ8 ÒÞúÚêâîÞ7Ki ŠuÚFÆ(®=~WSÇ­X¯+Õo!´ñ'ŠšßTº‡Z…©Óìã•gso#Ëç£d£åëZkγéºdš”‡Qÿ„’é&€ÌL‚%ÃFg;6yxÏÛŠíbÖ,f½ŠÍ%o´KçlF‰×w”Á$<Ž€²óß98¾¶:“iâOô¥„NcÚxBJƒžA¯1¼¿Õ<É.m%š[øañÛ·2:íºŒ(Ps  `*xÃûc^7‰%0ÿaG·Pžé®^O›ÌbO¡#?.xÅz}Ìxö+Í&ëÉ‘eXnŒfXõ9/ãìC”–Nqóc ]=çþ-ÿ’½ðëþâúNµèçþ-ÿ’½ðëþâúN´èQEQE^úÂÏS³’ÎþÒ 
»Y1¾ã#`‚2§ƒ‚ü*Åçÿð¤¾нÿ“·ür´4o…ž Ð5¿Ó´é0Qæ’I¶A ¢F`¬aÈõ®ÂŠ(¢Š*½íýž›j÷W÷pZÛ¦7K<sÀÉмWf-uÍ2 Ø×î'ÑçÕ¿³#»&çÌx†aqH –EŒÃ* #Ž g_xÎÑ´ÿ?Hf¸aum™%´« ¤—ÄÅ$ +à9ÁRFqÔP‡‡¼+¡xRÌÚèzdQ·ß( y0Iœå›Ž2N3ÅlU[FÓRId³˜MR´,êÒËÔѰxÈÈÈ#¨5j€ (¢€#žn­å·¸Š9 • IŠ]HÁ#ŒW}ðÀ:…ä—Sxr‘ñ‘²Bƒ(éØs×­wPÁ‡Ö×NžŒ¼nD—3:’yVr{Aï]¥…ž™g…¤–±çd0F#EÉ$áG$“øÕŠ(¢Š(®?Yøm¡jš‹êvr_hzœ™^è×ÚI”’Ì«eˆ$‘¸•ñ]…r~6ñ%ŸÃïßÚꑇµ·š×ε—sArFÅBS%\;'¡ã­pþðŒÞ/ðF™®Üxׯ¶óÜ£‰#Y%w#²2™•Î9Æq“Œ×¢xoÁz…¼ÉtëM×ÓdÜ_Ü1–æv8Ü^CÏÌT1 žp*OéM¡ø+DÓ%¶ŽÚ{{(’x“n]£Ìû¼[q$u$žs[”QEQEQEQEQEQQÏ<6¶òÜ\K0D…ä’F ¨ d’OÎj¾­©C£h×Ú¥ÂÈÐY[Éq"Æb¨¥ˆ gÔP™ÿÂ8–¾>Ô4?ê÷Þš;D¼»û:-ÝŠ¼ŽÙFøŠb2¸?p“±ÿ—Ä?ú)ÿù@·ÿ±ð¶Æàø]¼E©Ç_Ķ¡rŃaþåòDb=¥T“·qtÅrz€¬tQuÍBîïZñ§Q¾|˜Ã}å‰Ëd¶ØgºÊ( Š( Š( ?ð—ü•÷ ÿÒv®Ú÷M°ÔÑþÊÚé·"ÏÈúŒŽ q>ÿ’½ñþáŸúNÕ©­ZÍ?ÄO´z…Ͱ7‡lK ‡·$ÈzçœsòŒcœ€mË hÓ Q.“a ´ÿ`öÈ|Ÿ÷8ù »=¼71ˆç†9P2¾Ù0ܤ2œà€Aì@5ç7߈U ‘5 ÉEî·y§¢[El 1E$»@S!òÂ嘌gå-Í>MsÅFçNÒ&‹Q†yVêC-°²72¬nþP8|°\žŒà¿’ÂÎU¸Y- qr18hÁóF1†ãæãŽj±ðþŠt±¦"Àéàî¿fO+9Îvcü)š åÝÎgý¨"S0†ž$u<ç°¤Œv$vÍjPOko!€¼7ÛáÊå¶Ò¹_C‚G‰éƒO²@´·f3¨Ž$9%ÇxäóדV(  z“§ÏçÙivVÓa‡™ º#aˆ,2r}p)ÇGÓ QDtë?.(M¼kä.#€P p§Žœ »ETÓô­;H€Á¦ØZÙB[qŽÚIõÂÍ2mJ¸XÖ}2ÊQÆâ0öêÛ%'qq‘ÃIÏ\š½EFÖð½Äw m¸• é¶ -•²Çf(PD F„`ªŒp`zUª()|1 ,vÑ®‡¦¶bð(´19%F>Sžr+BæÖÞöÚKk¨"ž ׊T ¬=<RÑ@âÒ´è"h¡Óíc¡åÄ3„Àtnn:|ÇÖ£ŸAÑîn ºŸI±–âÜ ²[£<@t HÈǵhQ@ZÞ…¸úh¹òÞ K£;Ã,BE˜¤iŒ~ó=úcÔÏ¢i2iÑiÏ¥Ù5ŒDíšÝ hGL.0:š¿EU·Ó,- fÚÆÚqŽ%]Ø3ãÄ}HÔVº“cw5Õ¦—eos>|é¡·Dy2rw2yõ«ôP-?FÒôŸ7û7M³²óˆ2ýšyÁm g©ëëWh¢€ (¢€ (¢€ (¢€ (¢€<ÿà—ü’ þÞ?ô¢Jô ñÿÏñÁÞ±Ð?á]ý³ì¾gïÿ¶­ãݺF»Î1»{WAÿ oÄ?ú&ù_·ÿ ô +Ïÿá-ø‡ÿDÃÿ+öÿáGü%¿ÿè˜å~ßü(Ð(¯?ÿ„·âýü¯Ûÿ…ð–üCÿ¢aÿ•ûð @¢¼ÿþ߈ôL?ò¿oþÂ[ñþ‰‡þWíÿ€=ŠóÿøK~!ÿÑ0ÿÊý¿øQÿ oÄ?ú&ù_·ÿ ô +Ïÿá-ø‡ÿDÃÿ+öÿáGü%¿ÿè˜å~ßü(Ð(¯?ÿ„·âýü¯Ûÿ…ð–üCÿ¢aÿ•ûð @¢¼ÿþ߈ôL?ò¿oþÂ[ñþ‰‡þWíÿ€=ŠóÿøK~!ÿÑ0ÿÊý¿øQÿ oÄ?ú&ù_·ÿ ô +Ïÿá-ø‡ÿDÃÿ+öÿáGü%¿ÿè˜å~ßü(Ð(¯?ÿ„·âýü¯Ûÿ…ð–üCÿ¢aÿ•ûð @¢¼ÿþ߈ôL?ò¿oþÂ[ñþ‰‡þWíÿ€=ŠóÿøK~!ÿÑ0ÿÊý¿øQÿ oÄ?ú&ù_·ÿ <[ÿ%{á×ýÄÿôk´ºÕllí/®¦ºŒE`Œ÷ENã ¼î';H8ÆpG­yÜQxËÄü+«jÞþƱÒ~׿Ký§ Æï6£…Á€8¯lQ¬Eal>%#ÝȺ„¶“K³Þ?ϲŒÁƒ ØãŠôõ`Êt#"–¼Ç]“TÐ^òÓM¿¾–),í'¸iîŒ@ÎRWVÃÁN»W @®ÀóË=½û JÒöÏÎ_³ýŸR{ÿ+å”Ìê çœã$g  ®Šòý?XÆ¢ÝV[rЕŒ-ÄefÜK©$’.z|·Àñ$³GLþ\AØí‚ÛWÔáIÀì¥I\"²2xvçQ¹’ÖÎ 
O÷Ó­ÛÛ¬j`˜]YvüÛFsßÎpõ¹5Þ&¾²¿½qk¨Ú@€^ʱÃnÐÛ™XmÝŒ‡b[kmå€ÎMzeäÒêz”z\m­e6‹&¢«,°kÓJ°G䱨÷ž^ôS SžHÎÝÀì|-©4sªZÜ‹‹·†ÒXnšä8$”O4¨.@n#œrIæ€7ïµ -.ÔÝj–ö–êpe¸•c@~¤Oµ»·¾¶K›Kˆ® e%‰Ã«PG¹oÏk§xÏDÔõvHô¨­®#Iåâ(.Xǵ˜ž($¸ï\½Åí¼WÆúÞú{ßø‰15¼ J¢ÎO5ƒ.1‘F[¦T¶{ЫÑ^_y«jØÏozï¢6±,_nžþH7Z„b…®UYÕ<Ï”?pnç5cI[½SSÐì®u©'²’ BEm;S•ÖDY †˜g+½†î¾ç' ‘Eq?ÚW²|»Ôê_¶¦; €ÛdÞ±¶#£pGzÆ—]¶·[¯°j7Ú†œlàŽÚ„‰ä\4Ê£t¹& BôäÓè¯.µÔï®|%­[Ǩʂ vÎÖÞâÞýî"‘íK”3Þ8É9–]O¨ÙøžòÀj±YÍäK§-þ·:!!âŒ'ÜL€’ÄŽƒnÑ@©TŸV°G¶OµFÆæá­bØwƒ*‡,„Œàç8Á\u⸛.âšÏR:ü“MâK»FI.]¢ò<ÙÔ&ÂvàmR21ŒãŠÇ´°ÓÞöÃMQºKÑâ‹¿´Bº„†Xã+xÈv–%7/ñ ÎsžhÖè¯1¿Ô5+M q{)°ƒ[¸µ¹¹¹¿’Xy^áUFí«¿¯ÍT½Ô¦µÑ쮯ôè”QEQEQEQEQE¶ðÎc3C†'ó#. ìl¸g¡Á#>õ%^=>Ê„ÑZ[¤ª\‡XÀ`\‚üãøˆú3PÚèºU•ô×Öše½ÜùÏ ’I““¹€ÉäÍ^¢€ (¢€ +Ÿñ_‹,ü-goæ'Úu+éE¾Ÿ`Žî¦bPO ¹#,xîH›ƒÁÞ+ñ5¼WÞ+ñf¥¥Ü2M;Ãò‹hí‰2³üÆSžNîhÑ+å޶·š_Å J_´m‡U´‚]‘9£SkŽ3óûŽõéíÿð«?ê}ñÏþ?û áõß Kcñ+GÕ¾&ÞAªh‰Y[jB$‚9. <ˆ·1ÂŒ¸È ¸à½v ô_Ýy^%ñ¾³|÷Ëm07“HsóËVäàòŒgæÀOH¢Š(¢Š(¨à¸†êžÞhæ…ÆRHØ2°õu©(ÅZUÞ³ ½‹À—?h·™|ìýÜÉ!Î9\ÛZ[’Û$V"6. dcÓ(¢€ (¢€ ùsã}•÷†ðTpôßü'~ÿ¡¯CÿÁŒ?üUy?Ã6qyZωæ‚ÿù––ÖÒ -¦ŒglŽØùÕ¸`£Ýœ•©àÏ[xßK}NÃMÔ­lÃìŽ[ØÑÄgvͮĀF àg’:J( Š( ŠÇñŠ´/ Y‹­sS‚Ê6ûÉ/&j ³cpÎÆrx®_þoÃÏúòJãÿРQXþñV…â»3u¡êp^Æ¿|!!ãÉ nC†\í8ÈÆG±@á/ù+ßîÿ¤í]µæ™a¨˜MõµÑÄ‘yñ+ùl:2äp}Åq>ÿ’½ñþáŸúNÕèRm+N¸²–Êk Y-evy xT£³6æ%HÁ%‰$÷'5žÑ%ӣӤѴ÷±·%³Z¡‰O¨\`´¨  ðiöV®¯oio ¤Bhã V0r`}ÐON•bŠ(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢ŠÃñmôz‡'šU”£Ie£¹6ûw:®æ”sŒüÌ: ÐåÇü?Ô'¼·Ö`–àO¦¡å@Ëx÷`!†'À™Ô3ÎØ${d€ d[Ë·Ô⿽šê_ÞZ¥ºvˆÄ$V=„íÀÚ¤dcÇÝišd:U´°@Ò2Éq5É.A;¥‘¤aÀeŽ=±Ö®×‘èsëz½Œ‘C­Äš¬ºdßk€jòÍp·;AVò (€«ñµH8çƒRèúþ«¬ëºd¢êñ-†úæÿÄ6Oq3¾Ý~ ŠX•@ÚQbv˜œäÕQsÆ·¢½Þ©rúÑ×å[‹¸fX£_8&"'»BÀ ÛºœÐ©ÑXš…Á×üy6‹u"½Í¬†Òx÷#ÁÚFp~ðZàô}UÖuÝ2Qux–ž"¹[»x÷°Cl_zE}°dwÞsÔЧÙ_[j¼¶²yˆ“I¤aãrŽ9ôe#ðâ³'›JÖ/t&7,ÁŸQ³O-“Ì ·\€ッ’= r:T2ØÍi¨Ã{xãÄ×¶ÒCç·’bi®2¾^vç 6ìnÏ|qTšÿVoøjþÉå¸Õ…ïeØ™äűÏ9,Ùç¾O­zµÃøê[BïÉÕ­.ì¼„Ý z¼—ò$¹9b]Ç‘Õ=W€9©-¯-$ñž¡³«ÏmÚ&eöÇ…$‡ËB Æå‹äØÆ8Åt­‡Šü/,qÌí§ê–l‚XÆÖ1È„dnãð­5Pˆª:Šñ»-Gìþ³KÍZóOx¼=k&¼íŸpU÷aAÄÏ‘Ør0zsšèuÍNK/ØM}|²ÊÑ[/öTœ–óÇ!™’ùg#!º4è”W˜èúŽ«qâ´[NÖ @j3,ösjÒo{pÎVÓËØÝŒq’Ü‘[^.¾´¶ñ^…§«\iúl–—1ŽííÑ™Lwº‘ŒnlŽN;à€v”Wë>$¾‹Ã^{ÜÜÁªZifê î59-LÃtž[, ¤NÅQK†|ær:[¶ÕøÛQ±¹½–þÉ‚Ø[‰ÜÇ6q1Û;Xå‰Ážƒ$俨帆‰%š8ÚgòâÀlÚ¾§ 
N`}+Ê’öò].ïìüMm$Ú|möMj[Ù¢‘®ãVbΊcܬANœtÔúÔVÖúìvú†£y•§ëQ76£2y %œ™Ì»Ã¿n õ#è:<¶±Úɤؽ¼ndHZÝ +’I`1€I$“îh+áóðˆå•‹Z©Ü½¸ö®–£··‚Ò‚Úá…8Ô*¨ôp*J(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š+“ø…¯ßh^·‹IhÓVÕoaÓle•wG²Ÿ¾þÁCÃsŒ‚3]epà™|?¥k)“A¡kº¥Ôq)iɰt$Ür@O¹á?éÞÓš+Uóo®vÉ|åšK¹€ù¤bÌÇ“¹¶ç±ÇSž‚«Ø_[êzuµýœže­ÔI4/´ÈÀ8<Œ‚:ÕŠçüYá;źrÅt¾Uõ¶é,/²Éi1,ŠU”ðv¶Üà•è1Oáî¿}®ø~â-Y£}[J½›M¾–%Û²Ä~ú{*O ÎpÅt—÷Öúfsy'—kkÍ3í'j(%Ž'•ä~ ð$Þ%°Ô|Hþ!ñ>‹µ©Ü_ÚÚXÞ›oÜ»ü"m#y9‚»ph¨Õþ(é¾ñçü#:ý¤–L‘=ž¢eVŠE`A2 `:•ÉÏL£šî ž«x®-åŽh%@ñÉWR2#‚ç5òÇÄmmSƶÞðÖ§â]Ú!ûC^^¡o#0R£åÂîbq’ÚT×¥ü)ø]â_í»ÔüG=¤r|í¤Ú2É'a>apWwÊPìÀ“©þñST¹Uº»ÓücpУ¾Ó­‘½dýâ¶Dàqà· “¨ƒá÷ƒm­â<+£)’Ê7bÇ,À–>ä’{ÖÁ_Ýü-Óläù.­%¸‚æááN䣯UlpyäW P'©|4ð†£n¨š%¦Ÿû[¸–TÉ®z«`‚3ÁUꦓ¡Í¨éwöÅ·ïÅN×:Ù†Ctlí*Xå >Í©|<Ò/gñG‹´·$qii¨"U26Ò¨W€Ë†Ï}Ùï]«àK¸Ôõ?ˆÞ5¶³·MòÊúÇ ?N’H$Ðç„~'x[Æ›bÓo¼«ãŸô°#›øº ü)o”¶3йãÍá‰ì­ãºÕ/.#²Ó­¤%V[‰Ð2ÜÜddùcà üGãk‡ŸEÓd¶ÒÝØÇw&#UË`o „ÚJ/¨\×µø¯Ãú…g½·Ž×T³¸’ËQ¶Œ–X®#8`BÃpH±“‚k žxmm常–8`‰ É$ŒQ@É$žœ×ð—ý#Gñ­Ícªø‚ööÊ^žl%‚†ÇUå`€xé@„¿ä¯|Eÿ¸gþ“µzyÿ„¿ä¯|Eÿ¸gþ“µzQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQ^c«êÞN½âdMbñuxo­—K².ɆUcÎד¸`íæúîO.ÚÚ&šWÚNÔPKOô¯7M~á¼kdtùZâþêÖkYµY%s²9Šî·+²º5*CW±ÉÀ·v 5Ù?¶nnõ·Ð§mFÞ{Çv†_(ïq £Zôå`Êt#"™ Ä7(ÏÑʪí`À2’¬§ÁØŠæ¼!uq<—ɪÏ(ÖQ‡h\ˆ¢‹Ÿ,Ľ ü}IÈ8ÆÕå­dƒLðö³¦£uÒkR. «{$’ÛZµãf@…ŽÌÆs¼H%²HÍz|0ÅmpAE j#E ª `@U}ZÁÙ>Õ›†µ‹aÞ ª²3‚oœãq׊Ãðmи“WK;鯴ˆ®Ul®e§Ü j\,ŒIu O$žr3Çm¥†ž÷¶lzÒ^]ý¢Ô$2Ç[ÆC´±)¹ˆNsœó@·Ey-Þ¥¨[Í֢ɤAs}Ú/5yl÷:H¢%{…VbB–À$nÇ$㫼ºÔ!øIu. 
³_ǤNâòÖCó0Šº¾ç€rç‘@}çvšÜçT›N¿Ô5M> Íxåä’;œ*–'Ë®ì¨ÆÝ àwÇU¼’fÆ×Tt·ó4–Š[MZ[Ó–ìÇ&ÙAåT¼Ï©×(¯+ºŸQ³ñ=å€Õb³š È—N[ýnt2BB1Ä%O¸™%‰Ý¢´uY.ã¼ñ>¤šúÉaªY¥´Krâ$S±uØÒ{dzä`ó@ü7Ü£<G*«´lQƒÊJ²œwGb*´Úd3k6š£4‚{X%´¬†2Ùã9ýÚãžçðä¼q£è¶Úר²\C©Ü‹ˆf¼’C½ËùDÆÌvî ¿6ìä“]ÕQEQEQEQEQEçþ-ÿ’½ðëþâúNµèçþ-ÿ’½ðëþâúN´èQEQEQEQEQEQEQEQEŸ©èZ>·åkiV7þN|¿µÛ¤»3Œãp8ÎOAZP?ÿ'ƒÿèTÐÿð]ÿ]PEPEPEPEPEPEPEPEPEóÃmo%ÅÄ©1)y$‘‚ª($“Àw  (¤ ƒÐŠZó÷ð©á«Ë«ïêX-̦iôkø÷Ø»)·ç‡-òç$(á@Åßÿ©ÿ&ëÐ( ?Oêž%¼µ¾ñö©úÛJ&ƒF°eŠ8rû¾y²0ß60KT‘^EOMÒ¬t‹v‚ÂÚ8ÜÉ!^ZW îÇ—s–bIîM\¢Šàõ jú'ˆ&ñ/‚¢Ïváõm*l$z†ÐØ(ø&9IcÏ I ÝèÿágÜAû«ÏxÉ.“å™môá4aÇ @À:ç8`9× Q@ÿ þ»¬¡ø{ÀºäWÏÿ-µ¸´*xÞÍ’_©(¿1±Òµ<àæÐÞãXÖ.cÔ|Q¨" í@F¨0ªŽ0Uç±=‚õ”PEP?‰ü1¥ø»C›HÕàómäåYxxœtt=˜dþdA òpø‡ÆžCmâmïÄ–ûÛÉÕtHU¥|±Ú²Ûü»HPIeùFTrrkÑ( ?ÿ…§ÿRŽðOÿÙÕ{/Ä¿åŽ-rËûÂ-óK¦Èê×—à2¼fBî•x!ê úECko½¼QÃH8ãPªŠpb«êZUޱn¶Ú´wVáØ%ù£rztp3¨\¢€ Žx!º·–Þâ(æ‚T)$r(eu#x Ž1RQ@wƒâÿ<ÇÃǯèlùF¿¸hçµP¡U ‰\?E@X’dÿ„·âýü¯Ûÿ…zçrh>/ñËÂ|O,z†¯™4k †’{¥*U’yÔ°õÂuW á€#Ð ‚­íâŽ"@‘Ç…TP0€ã%çþÿ’½ñþáŸúNÕèçþÿ’½ñþáŸúNÕèQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEU+=2ÝFê&½üë<¡ˆÀaF6ñÓ޹ç5vŠ*–™¦C¥[K #,—\’äºYFÆXãÛjíQEQEQEQEUMWN‡WÑïtˆu†òÞKy2u*HÈ#8>•nŠEPˆª:ŠZ( Š( Š( Š( Š( Š( Š( Š( ¼ÿÅ¿òW¾ÜOÿIÖ½¼ÿÅ¿òW¾ÜOÿIÖ€=Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( °|ml×~×àE‘ôé¬lC3ygcžN8ïÓ½oQ@{¨ëPøIÓ5½ömKOx¥³1‹Ç¹WÆèŽæfçÌ_/¯f;qŒn¦ÒfÖ¬%ñ¡>½gqgŸ ÞHEÄžD±pᘱ`A ~\æ½+QÒ"Õ.l¤¸¸œCi0œ[©Q®¸(_ß)3×8’ÏL†Æ÷Qº‰¤/:Ï(b0F‘¼tÄc®yÍyö«¨ê§Æ7ð>§kcsä+§¥Î­$áÚ„í·•›q. 
$xùp+Ó¨¢€ (¢€<äxß^¶ð•ž·y›#_éSÝÃ18K&P—;”…9ÆÒOZÛ“SñÔ,´˜¦ÒÖúâÚ[Ç™í¤1ÆŠcQQ ,ÛŸ—ÈwšÃþÒôïZØ_Û î?³¾ÃrVâV  Kå‚@@Äd• OS[šž¦ë¶C!h¤†y!u eÞŒ#88 {Fñ>¯ây"]5ll„Vp\Üý¦7›sÈ\lM¬¸Ë?9Îr8àÔZgŒµ=KX‹Ë²w°–ú[Ci×¢DgO4ÎG”Fäå@à7Þ$]ÞÑ¥kV[W€ÛB°Dmg’Ý/D>[ Ê?ºr9>µ$^Ó ÔÛP†9♤2²%Ô«sÕŒA¶=IÛœó@òx›]¤A¿Š+‡²ÓÎXÞm„eœ¶ÉA$(n+sÃ:œú¦Ÿ4—71Ïøçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+cÄ?|#á[Ág¬kpAtzŠòºp̨ \†nÆ{f±ÿávü<ÿ¡‡ÿ$®?øÝð«?ê}ñÏþ?û ?áVÔûãŸüöÜXßÙêvqÞX]Áwk&vM‚DlppA…X ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÇüKá«Ïj>¼³ñŠï>Õâ K9¡¾ÔÌ‘´lI`Tœíž0OìçÿÿæJÿ±®Çÿg¯@ Š( Š( Š( Š( Š( Š( Š( Š( Š( ¼ÿãoü’wþÝÿô¢:ô ñ‹?еOø«Ã^dözͬ±ÇöK¸Œm2¬ññžC)pçqP[æ€=¢Šäìþ#xsTñdÒ.dÔîÝåšÉ<È-ÕT6^Lã!A]ß1ÁÁ®²€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿâŸüÉ_ö5ØÿìõèçÿÿæJÿ±®Çÿg¯@ 6ñ_›ý¹›/¶kÿhý‹ÊýþÏõ>WæìÿQþÎ3ùÕó¤ß[ÜiZ-î”~Úe½¸ûr[ˆ¹Ýûç.Ü”R Î}{ª(DÓî­5¿\Oȯ/£šÜôС<>daÏ¥nQEQEQEQEQEQEQEQEQEQEQEQEQEÃøÇVÕ/üC§x/@›ì÷W±­JñdÙ%¥p…¢$æ9,ªFJ‘œ †^â¼ïRž#ãÆ›y¨K½¾§¡6Ÿg#°[…¸cö;YqœH'Šê2Ç,ÞÃ8+rŠ(ÌüKá¦ðÜøÓÁv‘ÂaEmSII+[›dV,Ê›p²¨Á0†,Cz%…õ¾§§[_ÙÉæZÝD“BûHÜŒSƒÈÈ#­s5['áμ÷÷1À.,¦µ‡wY%xÙUu$ŸÈN&µ<'cq¦x7C°¼ËºµÓíá™7µÖ5 288 ô  Š(¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿâŸüÉ_ö5ØÿìõèçÿÿæJÿ±®Çÿg¯@ Š( Š( Š( Š( Š( Š+ûÅžÓ/$³¿ñ•iu7Ã=ìqºä2¤ädØ¢¹ÿøNüÿC^‡ÿƒøª?á;ðý zþ aÿ⨠¢¹ÿøNüÿC^‡ÿƒøª?á;ðý zþ aÿ⨠¢¹ÿøNüÿC^‡ÿƒøª?á;ðý zþ aÿ⨠¯ŸÿhŸÿǧ‹ì¡ôµ¿Ø¿÷îC…ú¡f?óÌ 
öøNüÿC^‡ÿƒøªÏ×Õ©%î½m.Ÿâ-#OµÈ·¿’Rή¬ )8Êç¯l`ƒRÇá}"=:êÇìÎðÝ8’v–âI$vÚÆFbùW<`c{®K/‹-ôùmmdŽßWŽ”—MÖrHXãvr3Ž„ñÞ¹{-SU¸øjÚ~ž,ÒÞÇÃ1Mpn™æó"•` ÜCdœ`c5è¾Ñìç[9˜\‹¯2K‰$c(ŒÆ–bIØÄsýC7‚ô 좳{'ñÚ‹=‰s*„gøa¼ œnÏSêhSKÿE—ýpOýW,<]v¾(¶±ŽK{Û;»©­Sɱž?-Ñ$p<ö&9îʸ úàÖäÏ®ÚËäiú^™%œaV'›Q’7 ÕD-ûèÓÂZ*ÞGt-dó"šIâi”¤nვMÛW!Û8“ž´È^x^¾ðô‹%ý½†ª—Ví³ç‚HÜ¢²’Ò~õ2pYpÅÆ÷ŽcÔ¥‹íVÞ{ÉS¿ÙÛdŠÒ¢° ¿ ò 2;ä__è‹Ì-oq(¸TGyï&–@ªÛ”+³–@‘´ŒkB]&ÎãLM:t’keØ@–gv%2’äî' “ÏzæW\ºÑô}b­ìû"úÖÆ‚E^;rÇfãŽf|xuÁ%oüI¬Û_ëRƶÙú]õµ±¢s,«"BÌwn‘æ’>Sœcާfûº6¥w%ÍÕ«¼’&ñŒ×67+¦\jYÉ‘E$qbk•…•”¹9È`yÏAŒíQ¾¹¾Õtý@ÛÉ=ŒÈ¢kxÚ5‘^5qò–bÉNp)-ü%¢ÛA$Ik#‰fšæY\˜œ£wyuwd²Oyfl'}ì ÀI;xÄpäŸj½qâ½pXXê`YZé—q½ÇÚ–Î[Õ·A·bIå8Á ³û«ŒsǪ“AÓ%!í².n!¹›÷óIÏ-ºñ)8sœœÓ¸ðn‰rÓ‚æ4ÙåŠ Ù¢Ë}ì¢8RR1‚I'’hr'Y"I•Õ”Êr=ǵ:šˆ‘F±Æ¡Q@UUÂ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@ñOþd¯ûìözô óÿŠó%Ø×cÿ³× PEPEPEPEPEPEPEPEPEË_øÎÑ´Ö¸Ò®\ÛD$’ÚU…ÒKˆâb’ðà©#8ê(©¢²î|p›É\à€9=;j+”Ó|q§ÿÂ=¤Þêóˆnîìc»™ ‚GH•‡.ÛCyiœüÌ@àóÁ®¨ÀAE-Q@W?â¿é~³·–ÿÏžâêQ ­•¢y“Ü9 a#8ÈÏ=Àê@ ×özeœ——÷pZZÇóO $–< ’ã^g%æ¥ñqá]2Ò; Ú^ï]V}Âêé‘HY-@ÄUó‡'®2FnXø;Yñäz·ÄÝÛÁvf±ðì.  ÎÀ~ù^¸örƒÒ(Îà—âG„íâÓÿ³-Ö/õȵÿjp_]Aµ­4Ë5u±´‘w(V9’L†a•,qœ)^âŠ(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(Ïþ)ÿÌ•ÿc]þÏ^^ñOþd¯ûìözô (¢Š(¢Š(¢Š(¢Š(¢Š+Ëô] GÖþ/|@þÖÒ¬oüŸìï/ívé.ÌÛœãp8ÎOA^¡^á/ù+ßîÿ¤í@ü žÿ¡SCÿÁt?üMð‚x?þ…MÿÐÿñ5ÐQ@ÿü žÿ¡SCÿÁt?üMð‚x?þ…MÿÐÿñ5ÐQ@ÿü žÿ¡SCÿÁt?üMð‚x?þ…MÿÐÿñ5ÐQ@ÿü žÿ¡SCÿÁt?üMð‚x?þ…MÿÐÿñ5ÐQ@ÿü žÿ¡SCÿÁt?üMð‚x?þ…MÿÐÿñ5ÐQ@ÿü žÿ¡SCÿÁt?üMð‚x?þ…MÿÐÿñ5ÐQ@ÿü žÿ¡SCÿÁt?üMð‚x?þ…MÿÐÿñ5ÐQ@ÿü žÿ¡SCÿÁt?üMð‚x?þ…MÿÐÿñ5ÐQ@ðKþI…ÿoúQ%C¬I«K¥üI[‹ø¥±† ’8 /¹3e ¬\€>c‘·’Iã8©¾ É!пíãÿJ$®ªëÃZUä÷óM¤ê.‘ndT™ ì9@Áwmãv7Þ€9‹ÿë:šÖú9îWµ6ÐJDfY|¢® ³>ÞTÝ0+{ýþ¦—‘ßÀá­ä ÇØf´YÔ¨9ËóAäŽÏ8o4 /PyZîÑe2À¶í–o¸­¹qÏ7 ŽAÇÓw ÷˲DKm,¨!Z9˜sœàŽ•ÅG'ˆ'þÈwÔ-.%ÿ„¢ò( °Iû½«x¤“æÊùPmÀg½z—£Xèé0³IwLáå’iÞi€ÜîKÉâ«Çá&@^¤‰…É»Qö™ k)WVqí ‘#çœäó@íÇŒµ+}2ÖŠí9u)ô÷šI§| ìd¡.rª>]ÜrØÐøsT»Ôôƒq¨[µ¼ÑÊñ±x$€Hªx$Ÿ2‚0pzr2qš|þÒ®md¶’Ù¶=Ë]îI]f9Ë«‚O'î‘ÔŠ·g§ÛØY‹HD­9óæy™³×,ä±üMqv¾3Õ¦¹¸¶¶ŽßT’]6kÛ&†Æ{dvŒ ØBD ùŠC!: ŠŠ}kYÔdÐÒ×Y´K¯ísêtÉíöƒm+…’”1g®ÊGÝ祃Áº³+Em8d·kXɼ˜˜âb¤¢ÿ(Ê.1ŒcŒS¿áÑ~ÊÖæ“ºapg7³üÀ»CyÛüÌ…$}ô¶ íˆ-ŽH®ÇA‚?ˆ–bÿZkk[ K¨¢“Xºu4³†$àDh0r8éÉ®ÂÞÆÞÖâyâWO´ÈZFlí]£‚N8ºõ<К}ªjsjK.æ… y7Q 2Œgnqž~”溊5O 
xDžöK‹&К{x FYU¢ †bH`ÀöQ·ý®µÖxk\Õ5 Bâ×P™•.WM¸´MÄÑânXŽ`yð1Î’xoHKK+O±#[Ù[µ¬»3*ÄÊ”‚~`@œÔš^‡c£—û'Ú¾`ÝË0P:3mÃÀêÞGâ_j“.“t¶÷Ö6ê·,Ò,NЩ'š6à¶î„ÇjèæÖ|A%÷‰ŒsE¥0ŽÞßËc-ÛtÛÀgô9py;sèZmÁ»2Ûn7rÅ4ÿ; ï݇¯ؽ:ãš{hö,·ãÊeþÐp÷%%u.Á©ÚŠ>\tÏZâ§ÖµFM -u›Dºþ×0N§Lžßh6Ò¸Y!yCÆzàü¤}ÞzoêZ•ƒèÖöeóïï¾Êï›nؾÖw['všÜ©‚÷™v¼óáLj¯¼Iá+Á6úõ§†í,¾]íè’GuŽØ`m;¾RrO+ÔeXÕõÿÜͪ7‡¼i¯®%À†îYþÉ§Ž¤Í ÀΪs•a÷€V¹áO‡ö~¼¸Õõ+í¯]Je›U¹„ óå¨SŒ)ç§@ª74iÒ×MÑlc´´_b’Řõ,ÌIcÐd“À ©@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@ñOþd¯ûìözô óÿŠó%Ø×cÿ³× PEPEPEPEPEP^á/ù+ßîÿ¤í^^á/ù+ßîÿ¤í@EPEPEPEPEPEPEPEPŸüÿ’C¡ÛÇþ”IVnu«ûoÝÙi¶öMs­ÅfóK6å6"Rì °Úè0ëÍVø%ÿ$‡Bÿ·ý(’ºó¡i­öÓmþ‘ö¡w¿{­y!±œ«ùqÓ¾3ÍVÐõyï4›¹¯Ö?>Êâx%0) þ[¹T’F@8=Íaø_Åú¦µue%Õ¡W¶Íp4ûˆE¯•ZYÉAüË·‘À æºëKk™m£Ø&™ç“æ'.Ç,yõ=ªŽŸá­/K™¤³†hÔ©Q ¹•¡@z…‰˜¢÷@ H|A¹´7rOäjãLžþÞH,gµFòÊ ¡ä%dSæ)Þ¼ r9o]ÄKqá¡su¥ÉxÚ°òš+i8ókq»p2øê0W>ÝkrÛÁú£†ŽÉŸm³ÙªÏq$ª°>ÝÑ…v /ʼcT–žÒ¬¹Š;†6Ó ¡ó¯&—Ë`Œƒnö8]†Þœôé@†õ+­OO˜ß,"êÚêkYZ*ŽQÈ  ’FF 8õ5ÆøKP»¶ðüCOÓ¡¹½ƒÂöSCÁ36œãh+89cϹë@~×oõVšVH"¾H’G±2ÛÉsK±®F®¦³ÔµmS]¿KW²ƒNÓî…¬‰,.óLv#± 8*ÙÆxÍ^ÓŠÖ?-i'a¸œ¼Ž]Ï>¬Äþ™Âƒ“ØiÞ3ñ§b.mtå™®¬îΛsBáC$m+áeÜ —o `k°›ÃÚ]ÄòÏ%®f’å.ÚA#ª*¯Ê¡Hdäæ_ÙhþlúM»‰„l!·’öan¤ó…BYcî©Ç§jÅ“Æs\%Σ¦­¼šE±±JêK7œÊÒAÀÙ‘·Ôš­¢xæ÷S¿ŠÞ[ku $÷?"±-b±+Ä㟼L±‚zpØŒlh~´°ð„ºì0Éߜ׉`Œe$²©àà´t­OéV:‚_ÛY¬w)h–Já¡Ê¦3Ž~½9â€9|g®Yhi©ÝE§:ßhוœq#þᣌH©!-ûÀC °ÙÈÆ9Ík¾¥â#¨ØéQË¥‹Éí¤¼’W·Æˆ¥F™–bÎ~|€û¼Õȼ CÌ)bÞUͻڲ4ò2¤/÷£ŒÄj}oAè*ö¡¢Xjm\Å&ø,rE3Äê­Ë¹%NA88”ÁxgĆ‹áø%6ö:kÚ@~Ñ-œ³¤®ÎÁ“ÍF >P ‚ o½6°SÁšqÚ–³-½²¢Çn.æòp‡+º=û[ûÀô­7L·Òã¸H7Ÿ´\Is#9É.ìXþ€=€ëÖ€9¨¼[sÿ e¥€žÞîÆòîkEhl'ÉdIý{‡÷l¥W\͇Ç:ÕŸ‡´ýcR‚Âd¿Ò¥½Ž dxÌr"£,ÌÙVÝè6ÿµÖº¸¼)£C¨C{´‚h'{ˆA¸¤r8`ì¨[jç{dŽsÖ¤ÑÅ•™²V¶³¶kXcvfU‰”+)ÉùP9  Mj‹ñí5ilåœi0ö‘´kƒ,œmfcÁÏ9çÐSuŸÜéšúC ö÷‹yoi4 a;4fVEË\å+ ;Éç$Vö›áÝ3I¼’îÒ)¾Ó$K Ë5Ì“1E$ªåØð ?EuáMòñî§¶‘¤yã¹e,fXÊ•r¶îœdã4Éë^$ÖÛGñ-¼÷0é·qXÞIkئI6Æ$I÷ìíÁù@*Xg¦u¦-âéЋûˆg¸Û–’LjGo”³Ö¨/…4q<Ó=¼Ó´ÑÉ-ÅÔ³*¤Ÿ}Q]ˆ@{í´4û4Ë4´¶3˜“îùÓ¼Ì?àNKcñâ€-QEQEQEQEQEQEQEQEQEQEQEQEçÿÿæJÿ±®Çÿg¯@¯?ø§ÿ2Wýv?û=zQEQEQEQEQEQEQEQEQEQEæ÷w> øƒ®jÚN‘ªÿbøsK»[[‹ûMÂòætÃKG”£ ÁÉ•˜H¯?ø%ÿ$‡Bÿ·ý(’€$‡àçÑÌ×:L—×nŒ&¹»º–G™™Hgo›ÎIÈä`Šó|"Ó4ôø;TÔ¼1x\½­Ä’Å1Vy±;à À óäq^‰YúßöÇö<ÿØaþÓù|Ÿ·ïò~ðÝ»gÍ÷wcñ@7kàFøŸâÍ}¼w¨Éµ¤<6‹g¤…H£€©tpî¬X9f 
™psŒ€;K‚ž±û3aý¢h62ââGóqË®í‡$r6í=1Ž+ÿ‹ÿ “þeOí¿øGÿéãìßgûGýõæoü1ï]‡ü]ÿú‘¿òn€;È †ÖÞ+{x£†$qÆ¡U à8ÅWÕo&Óô»‹È-$»xÌ6ñg|Š9`€¹öçjñ¸àdg#‹ÿ‹¿ÿR7þMÑÿþ¤oü›  MâO…ü€rÅíõ¶n..äòâ2Gm¤üÎáqêÌã\?„¿ä¯|Eÿ¸gþ“µk|EeOÊÍ,‘(¼²&H†]Ú¢åG¨í@Õýµœ¶±\I±îæò!IÞûYñÇO•äñÅX¯3¶ºŽéÑé÷ó_èñkqýšâK†¸Íǘ«#X´õ8,GlÓT»:½¯‘©]Mâ'Ôîc»Ó^áŒin<Ý™‹;QˆŠ¸±#“œP¢^ß[iÖââîO.#$qÚOÌîG¬À~5b¼ž[Ë{ŸÇ5®­-÷ˆÚ]=ï-nï\ùsý®‡‹$Bñò¨ãÖ»\ý§J‘®.®eÔ„¤_ÇppÐM” ’@ÆÜpF[$‚Šó[=qæñîœ-g’$¹Ôn­nmåÕdšM©Ì7[ÙÝ•!#±ÉÇ¥PEPEPEPEPEPEPEPEPEPEPEPEPŸüSÿ™+þÆ»ýž½¼ÿâŸüÉ_ö5ØÿìõÍü]Ð>%ê–óQŽçEØÞe…‚˜'+‰2,L£i @o˜‘ˆøÍwÿ¼9gâ[?Ás&¡«\Ü µ‚y¦X3HA„Úw îœcšë+ä…[°ø‹öM. *-oÊšãÖ¡—ºòàl’@ªãœq¸u ÿ‹¿ÿR7þMРQ^ÿþ¤oü›£þ.ÿýHßù7@Eyÿü]ÿú‘¿ònø»ÿõ#äÝzçÿñwÿêFÿɺ?âïÿÔÿ“tèWŸÿÅßÿ©ÿ&èÿ‹¿ÿR7þMРWŸøKþJ÷Ä_û†é;Qÿþ¤oü›¬ÿ†ÿÛð±ü}ý¿öí?ø—yß`ßäÿ©}»wüßwnsß4êQEQE@ë!­ÃJÊn.žÒ Ñ8Ý*‡,91œô8àœŒóZÅå ñ”¶úî¯>f¶°¶ž©xöÉ<…ŸÌåHób1°çƒÓš§ Ä×/¡<óI+/Šï£RìX…QxF{°Ü^ß[iÖââîO.#$qÚOÌîG¬À~5b¹_ˆ¬©àÙY¥’%–DÉË ûT\¨õ«žƒXKMb ¬õ™æðÔ´j×’Þ4±Ö³‡C+¹†¤€ÍŽØ‹=ÔVò@’ <žT{P¶[inp8SÉÀíÔŠ¯±a6†ºÔsçOk´‰¶0ýÞÝÛ¶ã=;c5ÆéúÅÅáÒ¦Šúy!ŸÄ×P†óŽàªû§Ê¤œé\ªÜÇÿ(‡RÕ.l£Âð¶›W Ï!ŽO3å·6œàÇ9 gŠTž–3¹C)Æ2"ŸT´æÙ¢Z> m·C…'å+Ì4ýv{»¹£³ÕÍ…½ö‹s;I6«%ë[J­V: #Ub¶@=b{ˆm£ó.&Ž(÷*n‘‚ÌB¨ÉîIz’*Jò»‹›MOÀº‚f0Yjvm-ÜÄ×p²‰¢.é;ØUÉ#¢‘ž£5é¶Fݬ-šÒo>ØÄ¦)|Ó.ôÀÃo$–ÈÁÜIÏ\ÐôQEyÿÁ/ù$:ý¼éD•zÿĚ͵þµ,kaýŸ¥ß[[Ú'2ʲ$,Çvì)i#å9Æ8êhüÿ’C¡ÛÇþ”I]|Ú›p—É-¶å¾™'¸Øotªzñp08÷4ÏZx£UšæÆöXìÿ²¯µtøáTa<{LŠ®_vÖÉŒåBŒÔâ³/õOP—DÕ'‹¥ÿmÉP¢7ž¢%w3ÃØNУžk®‡Ã=¾­ý§©>cʹ™Ìi#Ö2ÛŽNXNO<šoü"º7öŒwße:;ƒuóäòÒRçîÚ ÜÙ s“ž´Ëiž5ñ£d·VúIºûU„—Vð¦Ÿq…†Didù%Ü ]¼Ž2k¦ðέ.«iqö›¸g¸†]’"XËhÑeA ÑÈÌÀóœçt¥ƒÂZ=ªÊEsR!O)ofÆ_-7íþ*æ—£Xèé0³IwLáå’iÞi€ÜîKÉâ€9ȼ[sÿ e¥€žÞîÆòîkEhl'ÉdIý{‡÷l¥W\¡Œ5Åð΃r,þÕ­ì1 { æ[uòšFbˆÅä$(Àq“’@ÍuxSF‡P†ö;iÐN÷ƒq!HäpÁÙP¶ÕÎöÈç­HþҤѭ4“lËgf[•ÕáÚ0¥dx qsÉõ tbêûB’óQµ’¡y³o$>j©8uI>e 0pzŒžµˆÞ ñ"xJ :S}¸ÚkQ ŸºÍ€òoùþY:…^{]mŒuªÛ[ù¦0IÌÓ<¬Ië–rXþ&³!ðŽ‹oE´Âé"Àn¥1FRE‘v!m¨*œ(Œtâ€9Æñ†¹«wj°-ذ»KYRßI¹&ã!™dRÉպų·$¨"®ë>-¹Ó5ô†íî-òÞÒhÂvh̬‹–¸ÊV@v’1ÎH­Ûi—:™Ô9Ò労†©bYJýÒèŒð0< Tw^ѯ/ê{iGž;–Qq"ÆeŒ©W(ná±yÆN0s@u¯ˆõÝ.À$×q]Ë{­^ÚÂÿ`žsÇ,ʼnDvg@Ý£©À­ˆ|K¬ÝXé–ék¶¥{{-¨šêÒXãÙ;ù¢&*ÿ2¨Â’0Iäãy|%£Ln [Î<ù¾ÐBÝÊ¡%É%ã¿vÇqÉL“žµ3øwM“O†ÊD¸xá—ÎŽFº”ÊÏÌ%Ý¿8$gwBGJÉðdÓE¢j³^3G©Þ|œ•$HÙÛž{tªÉâ|xnÏY“û0ÿjd³·Xœy 
;¨S$›ÎðdáW$`uÍtú^“c£Z5­„&(ZF•vr]ŽX’Ä’I9¬øü¡Çm=ªÚËöY†Ónn¥1 Üyh[lx`Ø  YœñƒÐÁá=Úö ¸í¥ómæyá s+$r8`̨[hÎöÎ$ç­Y³Ð´Û°}šÛËþÏ·k[o—lÊòyÿVœœž=Íq#Å÷ÒFÚ•­…ŠßÍa¦Î‚Ó]É ) ýÑóã “œô­iüKªÙC¨ÙʶSj0_[YÁ2ÆÑÂÞ~ͬÈX‘·qÈ ÎLñ°žÑ#ŒF–XP kô†S,c¯g$ûô9R꺭Ֆ¤"±‚yïv4‰<ÏÈɧrä¡eÖ€ ðþ§©Ýê:͆¦mM>hãImcd_%Y›æé“ø×ž Ÿû!ßP´¸—þ‹È 2Á'îö­â’O˜w(åA·žõ×xOÃóh‰¨Ír"Iï®­wNTË #|¤– uÇj¹†t˜uzJ&&íGÚd1¬¥]YÄ{¶‚Dœs“Ís·2Ô­ôËX^(´åÔ§ÓÞhm&ž5òƒ±B„¹Ê¨ùwpIË`Vöƒ¬]_hRÞj6²C4"¶mä‡ÍU'©'Ì¡†C‘“Ö¦ŸÃšUͬ–Ò[6ǹk½É+£¬Ç9upC)äýÒ:‘W,l`Ó­VÚßÍ1‚Nf™åbO\³’Çñ4À gT—Sðþ·ªM¦AúUÝä%UÀ·"`²ÇxŒ°ÛÐñÒ£ÔÐxănY98$®ÑÛ'¡ÿ„7BÑA¬±¥’d’©c•ZC—>b°˜òFpjÍdžô«»ˆçš Òßì§’,²E ‰Ìßx¦€2õïÞirkkvíöµ·©9yœ6ù~AÓ¯5‘âßÙßÜX¬vÓ\ÛZÇtË•u8”¾í°ƒmŸpþñºîN t‘x?DŠ+ÈþË,‚ò×ìs™®¥‘žFÍÌÄó7CÆj}CÚf¥p—Ç:N‘ù^m½Ô°3&sµŒl¥—$ðr9>´mâ=JOGk|±éÖ“:­´72–œƒq8o-_vá°®~S]udÿÂ7¥ÿiǨ4S¼ñ¿˜Š÷R´HøÛ¸F[`lw5­@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@ñOþd¯ûìözô óÿŠó%Ø×cÿ³× PEPEPEPEPE…aãR…f·¿Ä/n×),ÐÉSœkÑ( OÁ^Ô´wÕµm~âÒã^Õî·RZ$h»bAêsÉØ%±“ÖQEOUÓaÖ4»:å¤÷)åÌ€^3÷“8à2åI ‚¹EcÚøWB±ðôúž™¾™µ6–!Š7…üF¦,ùCä?3nëÐàÕˆ|Kª7ˆ…µÜqØ[J@µ·¸²—uÎb q»ËVݸl+Ÿ”Ð_EqzF¥«øŠÒK;»èìu(ÞÚâKT²šÚHTJг9óU‚²o\)ç×¶4«ñà÷ÒN¥!ÔÍàÛ›p©Lç9ç®x  š+‹Ö ŸJ—Ãíyt÷Dk“N’J¡·¹`ƒ'°â©¿õ};I¶Õ5{¡Ô4Éoía· UV»!Á2à.ès@EqÂ^ë3h7—–1É·ÂæÊ9"$}£çŒ‚ìpV2½yÝÏ¥tšE¥Å†‘ikwt×WFIØ’d#¹Ï4vŠómkÃúÄ6›y«ÁÕý¼R­ôp²Üƒ¹KŒ‚ñ—#¹ ö9©ý´Ú-ÌzœÖ–Í&Ÿo­îŽÎ&‰%hç„gif+¸ŒžOZõJ+Œ°ÔµÍzÛVÒf2A,¶'ìú„ZuÍšÅ#]¸—’Tí`ÊF}+¥Ò¬îl­æŽêé®]î%•Y‰;Q˜•^{@ü(õÄù~ ðÔ:U’êQ_\êpÚ¯’ÂZ1vp$–ˆ¶3ÎãÜæ¡ŸÆ:ÄzÅÕ´¿iŽÂæ+Y£‹K¹v¸%PÈë"å"~B¶âvòFA òŠâ[ÆSÁâX-šh/4û‹‰íÁ‚Âtòš8äõìLrÝ2•\}pk-å×¼C}¡Ë=Í¥«êšEì–j^ÔÉ{rÛŽò7)Ü»yŽ”kâŸüÉ_ö5Øÿìõèæ>>³¹²·ð„wWMrïã+YU˜“µ¤*¼öøW§P>«á] [ÔlµGL‚këcšÞçdFBYFá‚TNÓ•ÏjØ¢Š(¢Š(¢Š(¢Š(¢Š+Ïü%ÿ%{â/ýÃ?ô«Ð+Ïü%ÿ%{â/ýÃ?ô¨Ð(¢Š(¢Š*9ãi­ä&xÔ¨–0¥úÀŒpGµIEgiúmÝœí$úÝýú•Ú#¹Hƒ‘ÈòâSžÝqÏJÑ¢Š(¢ŠÊMè¾ûGü$Z™‹Ìßöc·—Œçf|Û{}ìã¾y­Z( Š( Š( ?ø%ÿ$‡Bÿ·ý(’·!Õõ[ÝWS{v³‡LÒî<‰c’’iˆ]аpï€ œgŒÖÁ/ù$:ý¼éD•ÖIáý6M_ûSÊ™.ÉVsÌ‘¤¥Fº+rX‚€1t/j×Wz7ö’X›}jÍ®íÖÙX=¾0G%ˆ•þð ÈéÍgèÞ"ñN«ÿîé4x¿µôé/[²7ÊÀ½³æôã§ôúg†4èÜØÚ´rl1¦éÖ$$‘«1© p ¥Mg¡i¶Ùÿf¶ÙýŸlÖ¶¿;.&Ù•äóþ­99<{šåtÿ꺆¨† –ÊKÉ­D+§ÜQD¦à(‚È2 p© Љ|c­G¡ÜÍ;Y.®’Z/Ø&±šÜÁçN±¶âÎ|ň˜…u+á*;ù/#Šxä‘ÚGŽ;©V&vûÌb 
³qÉÉÛœóÖ²µ_X\i3ZÙÆÍ,óZ™^öêiɆ)ÒF@ÎX€Ø'·Z­7‰u¨µ±áÀtöÔä¸DKÏ!Ä+Dòcß’ÃËaü䎔áâmbk=6c±MBmb].áÙ¢ZJÆDPÀóå©ÚOr3ÞµÿáÑ>ÆöÆÚbqpfk©Lþ`C ‹y€…àa¸t«Ph]µ½ŒÚ…ŽÆf¸·Ø•‘•Õ˜œå‰>Kg%³×šç,üI®jWñéÃNŠú&º7Âí¬2*ˆ[x',vàýêÂðæ·6™áK»¸m-~Óeáx¯Ø,Á®HF Œ )Ûæny㺛ÂúDͼÛH’y²MæEq$oºLù•ÚØ\ãÇؼ'¡Áa5ŒV!-¦²{Æ$|q¿ ×õÈçž¼ ýñF·¦\µ…ÂiòÞ\%©µtÒ8Úi¼¢%‚ðr6îéÖµü?©êwz޳a©›G“Oš8Ò[XÙ£WÉVfÁùºdþ56³ Zê×.,`¸º’€,óQž”Û h÷#-o,r ¤œḴH¯'/‡F ÀÈ8  ­rúãSøK¬^]ZIiq.rÒÁ"²”o)²0Àg¦@8ªã;ÅðÄÚÔ6Ñys•œ7yUÌ‚6yU2zœù`nãËazÙt«9ôit™ci,¥­äF‘‰d`T‚ÙÝ’ ç9÷ªóxsI¸7žmš°½T ½€rŸu°Œ˜|Üxç¬üWª£Âu e‚ý-e»k í¤‰û·T”åq.Ô<°ùtªÓøÛTN´¼ö›uX'm4272y¨¶ÁþnC£†8ÇCŠÕ×<)ö¯ Ýhzx-û¸šúöiž4îè_yf\¨Ï9ãbëBÓ/SNK‹DuÓ¦IíH:‚ªF8¡ãò BÇÆú®±=¥­Œ6PËtðÛù“FΰMövžpT0ݱB‚9$“V­Î+Kee†!„ ìä«OâhÏ"’òßÁO‹×X¾›S¹6“K\±‚_9Ð4"ìP$ó[~$Ö^êÞ{•°ûÚÍÆ˜"Ž'…G•VMňÎc®ÞùÈéZÐxCC·¿KȬˆxå3GžC råÖ"Û¹'!Aæ­®…¦¤qF¶ØX®Þõöâgffn½Ë±ÇNzt ?Ãþ"ÿ„{ÁÞ{ÑérhÅÚLë,q õÆ ,‡§T÷­ëÍgU±ð…Ôööˬ]½¼2ÊŠYYTäg$.ãß'³QkŠûNÑ´;k[dÑì§ŠGó%bè±QwnÆÒK õÏ÷öº”–—‘y> \• ‚ ŒA‚9(‚Þ£áù¼Ssr–÷7çP³¶F‚<¶2G†òÁgà6v‚IÆæ®Ûø«\¸’ 5mâKÛ›Ï" Û>{hZ1 JÏäÈC’6•Úƒ‘Òº¼+£Ei{möFxïd¹2Í$#(X³1l«‚F¥#xWI{±Éԩ扖Io§yQÀÀe•œº28#©õ  t¹ŸNñN³s¨]Z,ðhVÏ%Ç–É"[“¸©b@é‘“õªð›jém©À©m=峨%–ÂâÍn.<¢ rÜa¾`H9„WV<5¤ù7=³J·¢Òc4Ï!’ \…%˜’s#œõ篢ÂZ,o3›y¤’s’I®¥‘ßÉ2,³1?+sïÐäq@~'ñN§á»y_í–7SÙÚ›«›x´Ë‡2(,~ò;U È$ÀéJîûTKßÉq=¥å„ZÍ„QZÏ›þË‚­æ`c~ìmåþnø®¯Uð¶­É;ßÛI'Ú!û<á.$eŒgÂ0 Í‚yâ–ãÂúEÕä·RÛÊd•¢yneTv•‘Š XNHÎ:q@¶ž(Õf¹±½–;?ì«íF]>8UOÓ"«—ݵ²c9P£õ8¦Ûx›[i¢¹š;³›W¹ÓRãu“òª>òÄg1€FÞùÈé[°øcG·Õ¿´ãµ"çÌyW39$`C:Æ[b±ÉË Éç“RL6é¶ýÚ]=â1¸™Ù™›9î]¸éÏN”•á=vÿUi¡Õd‚+ä‰${c-¼g9»*ä`:àpj¦³âÛ3_HažÞâÑo-í&,'fŒÊȹk€|¥`da#äŠßÓ™q§=ªµ¥Ä¯4‘–c—w23œƒ¼–èqŒ`Tšn—m¥BñÛ5ËmÌ×RNÄôûÒ3{f€8¿êz¥¦áK+Ódlo4ÐùHË$^Z&71b2±<Áç­1¼y¨C¢ÂKKÕ]ëR´4û‹xÉ„/Ë™%S½Nä#§lŠì­ô2Ö->(mB¦Ÿ ·µRìBFT)^O<(樧‚tãû¬g%ŽÙ.¦p¶ò`4k–;WåÆ1Ž1@7¾(ÖôË–°¸M>[ˈíM«Ç¤q´ÒùD8,KàämÝÓ­d^}´/‰SP{y.YÒƒIn…Ç™m‚’WŽÙ?Zîït 3Pyê×Ìi!X·°;U·®0x!¹ 9ÔøWG† ˜–ÕÙngŠæf’âGi$Œ©F,ÌI ¢÷çÐ7gã}JëQ-Œ’iÆîkvŠ=6ã|iuóLäyG,œ¨é»ï¤Ó/õmOÄþÔ5±¯l.naŽÝX4!–#±‰c¼à˜çbtÉ1³ÇÌ8þ$'ôî;tôP žÖE­Ì‘¬Vºƒ¬QùË­]ÜbY:o‘s`Êî#=iºƒõ}>éõkW¹MPÞÅ׳J¦6µXZgRû† €Ç×ëÁç¥zß‚¾é·š.çR˜JìÍö«¢Ê2qíLüƒæÛ»¨Î8 ²Š( Š( Š( Š+‡ÕV€B.vƒÕ†õ;H5Ÿÿ ?Äy>tøu+Îé.·4Ã¦Ä a[$6[¨Ã©èÌhž ³°¹–öî!%éÔ.®ã+<†5ó%vVòÉ ¼#Ý·# 
8¬!ñ6ûG¸uñŸƒõ-Ð"¸¿‰þÛn€’?xñ¯ÈK ’XgúÃuoż±Í¨9#`ÊêFApAæ€3§ðÞ“qcö7¶aÚ^íLs::LìÌή¬I.Ýà‘ÓŠ…ü%¢½­ªÚÉZ—0É̱J¥Î_÷ŠÁÎãËdòy9­º("óÃ:]ôË,w ,QD°]Ë ´c¢³#㯠ž§Ö‘ü1¥I~·²E<’«nT{¹Z%m»wËl ‚y<ÖÅ™¦xNÒ'–{TœÍ"in.eö‚HPÒ3¹'ZtQ@®¬-¯eµ–â-ïi7Ÿ ÜF×ÚÉž:ü®ÃŽk*h¶Q\ý“OFimÞÝbžY$‰cn±ª±"4'UqÓŠÞ¢€9O xbãIÕo5+¨¡æ‚+háŠök² ´²€ÇïP¾õÕÑEWº°¶½{g¸{[L'ˆî#k€@[21ö–È`•Ýê3Þ¸«uÛŸ xâ[ëk›éîâx¦–'ùA²Ÿ&L¹20ääÏ·ZôkKk˜[G°M3O'ÌN]ŽXóêj…Ÿ†t›¶Kx%ÚÏö‹t{™a}ŒŸ f!Wk°Ú>Qž”ƒ¦k—wÞ °†òÒÎKècÔ¡y¢V\˜¥…F̱ڮ$òÅ2I¶0q"O¿d‡nÊRÃ=0t5?k\Úf•çA-íż—2]G¥\NT  "Ù²KòŰ1îm¯…4q<Ó=¼Ó´ÑÉ-ÅÔ³*¤Ÿ}Q]ˆ@{í‰<+¤ËimnéxE©o"o·Î&Œ7P%ß¿ØàqÀ ~/xŠúY [+ƒHŠþXoa“˜Ï*²}å*§ÊáˆÈÏ çŽÃM½]KK´¾DdK˜ReVê¡”ιéücy¯MswIbtè,ãAu*¹Úò³‡ ‚èÁÓ!‰ÎGJè’ÂÚ;ßµ¤efòD B„ç“× AtÓ¬x“Å-.¯ªZ=¤Ð¥»Á*G6ñ±>^ï,òI9SšË¶ñþ·w¦X›{@n×I·¾³n.>Ñ$ˆE1 DÃó6~÷Cƒ]uMBþæòæÞáÞ詸Œ^̱M… 7Ä#| WµX¾ðÞ—¨MÒÃ,RÇ…^ÖæKrc„&6]Ê9À9&€3ô­_W×5;§¶¶š}œé°Ü@í<ŒcGnC7‚­œ•…g¬ÝiºdÐØÝÛÇs.©©¸‰ôùï@·OÑ!!•r@,rG×é‡T’Å4w?)cÌ‘¬…Fº+r,AQÉáMFVû4ˆÁæ}Ñ\Io5÷È VVnvž=¨JñV§­ÝÚËZ[éçG´Õ&W‰¤—2™7F¤2Ž‘ðpp{ñ—kñ UþÊmZ}5¦µ“O’ñ4ûˆ» ˆÓH6HnP:p9®ÛMдÝ#Ëû ·•åÚÅf¿;6!‹vÅ䞛۞§<“U­¼'£Z,É´¾D±´Ml÷2¼ï*ÄÌQAôP('G¢üA»MZ[9gL$=¤màË'Y˜ðsÎyô,šîªž+—Ní¬mÚO*ÌOc+‹ŸÝîN ;³ò» }k_MðÞIwißi’%…åšæI˜¢’UrìxŸÎ‘¼;¦¾ªº“Ç<—(þj,—R´JøÆám€àžBçšæÇòè·VÖöÂâÃE¸½¿GV"+”Ü‹ÁoŠl÷™Í:óÄ*´—Q„ÿc™,ôåÔ÷y2`©Þ<œoëû³ûΟìVžáXã±×U¶¶óuɤ{Èm¤bvl…cÆI8³VÄú6Ÿs-Ì’Ûî{›Qg)ÞÃtCwË׾܎yë@+Ëi§‚Tc,ŠÖ¶û‚°`ÈÈmÇŽ:Ö­ÿŠ5X.5+È#³þËÓo¢²šF3Ë»ËÜêÁ¶®<Ñ…*wc¨È­Fðn‚×­vlŸÍwŽIÚ%Ù#Fª©½7mm¡ƒ‚3Ô“SÜxcGºÕ´¦µ-s½$lLâ7tÆÇhÃlf\  è(޶Öõ="ÆSoå[ØOS{‹ÙleºXȺ|+,l¥Žó6×i¬jbÇC{Øîíá'`Ži"i–`g'<rIÏ„tk¨š)!¹XÝå‘Ò+É£Y Œ]÷p$àäsŒb¯ÞéVZ…€±¸‡6êPªÆÆ2…H*U”‚¤0AÅqÖÞ/ÖoÞÒ´§YþÍ’iìæ…JVœH!v§Içº?ŒuCR¶ kçZIy%¤‹—r…O;Î9“îo¼H5ÒÚø_H²•e†ÙüÁwöÝï<ŽÆo(ż–bIØHçŽýy§EáÍ2 Mµcž)šC+"]J±=XÄacÔ¹Ï4OÄúÍÖšÖÐØÝÛÇs*»ˆŸOžñä Ž‰ «’2Ç dqTm¼M©ëqè+¤Çim.£¦iJ×hÒ*/îñ…e9&O½žès[ÚŽ‡§ê“Å=ÔRbF^)Þ"Q±¹NÆ”íŽ*ð¾l¬,ÖÚHⰋȶò®$ãlÞ¬© ¹œàg¥y厭«]|9¹±±[(¡²Ð<ûŸ=YÚS"Ëò£püÄ6Iè1šë|I5ü°}:ìZÏçØ'˜U›†ž%#åe89äg‘‘ß"ôž ðô–QÙKd¶û'—Ĩpµ†õ8 œdã­j]éVWÚYÓn!-hUW`vR6T†A‚AÍjšö½k>¥ £i®Ú=‚^]´Ðº‹–mçbÿ»ŒüÇ'§¯ëÚÖ£o¤é÷š]¹òî]LÓ5¤—FÞ2…ƒyQ°fçhàñœÔ÷žÑoü¯µÛÍ1Ž-w.eŒ„”îÌ«’x}ÓêjÚê±GɹAÊ›k©mØq½)Ƕq@W.]:6úîâÖ}*êÆiZêehÓÌ‚N"Èpy1šÆ+ñlv—·SÛi*lnm-æ¶Ù 
gy〰¸…ØÓuÁÈS»­xV=FÇHÑ­í-#Ò-n#š]ÎÛÔFAUEÁÎîCÂzçi´-6qx%¶Ü/'Žæ†ù#ºñ-8qÏS@–µ«ëÍ£êVfòÖBÇU°‹í6ðÈ©$rË ÆÏ3#ïÃq nâ}GÅz†•«An÷vw±¥Ýµ¥ÔvúmÀØÒ².ã6æ2ØÜãäŠén´ 2ñ/’{bÂù‘®‘”³&6AÊ‘´`®9ëTσt6‘]íœ‡½™ƒKR’0/†q±~c’qÉ4ÍèZ¦©¥«Hßc}2^Z‚7œ ÝJîÝŽãnÞœîí[:.½¨Ýx‚{ Q ´}Óy6me*;"¾ÖrÅ%pHPÜ3Ò¯[øKDµÔ~ß £‰üù.pn$dóœ’Òl-·qÜ~ld5§‡tÛ-HêG;\á‚´×RÊ# rÁتgî@—‰n'Ó¼i}¬Ì–WPi:0º‚ mÉubÒ–BØBJŒ¶ÓòñŽõgRñ7ˆ4cucrºeÆ ÎH$Š)#‹\¬,¬¥ÉÈÎCÎz `õ“éW7Ïl’ÉqmöY·’UâÉ;JôÇÌÝ»Õ h¶ÐIZÈâG…Ù¦¹–W&'ÜÌ[j°È\㯚‡_Öo|;᥺—Ê»¾y¢·VŠÞ@›¤(>Z—r9À$œ`cal’»Cœ`óÓߨZêvRYÞ³[ÉÈxèr#A‚9TG†tÏìé,].¥…äYKM{4’R ²ÈÎ]H ‚1@ÝŒu[ðšl)lº›êmb.'³š‹q?˜`r§nÒÜžsŠƒP¹ñâmbîÞ]6K›] Þ{†x$»%º!UCå23É-Œt9ã¦ÿ„CDû,Öÿe“\ §“í2ù¾pP‚A&íêÛ@wõ5b?é‘Gp‚í¢Òf–yž \€Y˜œæGç9節*ëÚÝÕ—…âÔôø¡k‰¥µHÒ|•ýôÑ¡Î0z9ü}zVdþ&Õl¡Ôm&[9õ/­¬à•#hâo?fÖe,ÄmÜrsÓcÓrX\ð¯Žt_$©c,–÷ð;¥ÆvwP`§ty'#‘‘“ƒÈ t•OUÒ¬uÍ.ãLÔí£¹³¸M’Äý0AÁr`й\ŠëzƒùwKÄ’AO1Ö2ÊA0H=ˆ¹áÍÇÂÞ³ÑtÕZZ¡Tós1$³1>¥‰<`sÀЧã ÿÂ]à½SCyr]Eû§-€$R7—r®p3Œãš§àϯˆô½R8ìñtöºý¦Cœ/#'dÞNÍÌË» e°2Ùð÷KÕ}kÅzå—ö~¥¯ËŸaŸ³Álˆ6FD„[ðáNTGñ2ÏÄÞ"ÒÇ…ü5obùÛµ åh’Þ.¡.\©Rv ph‹ðí§^m¶ñ]Ÿö|Üÿ¦Z+<'ïS—^Ž7ä’~Q[ŠšoʼnÐÜ^Ç}áß ¥»Ãi «-½åÄªÍæ¹ lÙÈÈ<€YZOü ð·‡6ÜjIý·|3óÝÆ+÷‡dƒÁx·*ÅIw©CàŠšŽ£¬,‰£ø¡-‘5ŠÖâdHsÀeù·œè@fPL¢Š(ƒø›á¨nôi|Seq&Ÿâ ÞK«Kè@ÜU±‰ÇFF=7 ²¶†“ñºŽc{qâ Î{‹xå’ÚMF-г(%H9ã éÐVÄßÃi£Kák+y5k¶òZÚXÂF஥L®z*(ÉÉë´ô™t4Ÿ‡Ó´k+èדÛÛÇ—2iÑn™•@.r É#=O^¦€.Âwàÿúô?üÃÿÅTsø×Á·6òÀþ,Ñ‚H…ǪFŒá•ÁSî#µIÿ'ƒÿèTÐÿð]ÿQÏà¿ÚÛËqqá¯ÃH^I$°…U ’I\9 '³øçwáo]hž#šÓÄvp>#Ö4¢¤R TŒ~dR]»[—<žóÄŸô³ðÏYñ…õ/f¶‰Q66×ä)]‘—#–—æÛès^a7Â}gâ'Š.5hôˆ6ž5{(¦|ý‹2”x”œ–RHa“Æ:KDžxmm常–8`‰ É$ŒQ@É$žœ×ø:ëþ?ˆzìíçƒF‡OE”³&>Û‰K¼ª ¨ (Èç=A@¤QEQEQEQEQEQEQEQEQEçÿÿæJÿ±®Çÿg¯@¯?ø§ÿ2Wýv?û=zQEQEQEQEQEåú.»£èŸ¾ kj¶6wöw—ö»„‹~-Îq¸Œã#§¨¯P¬{ï øoS¼’òÿÃúUÝÔ˜ß4öQÈí€Ë“€ü(¿ü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñT àÿú4?üCÿÄÑÿ'ƒÿèTÐÿð]ÿ@ü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñT àÿú4?üCÿÄÑÿ'ƒÿèTÐÿð]ÿ@ü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñT àÿú4?üCÿÄÑÿ'ƒÿèTÐÿð]ÿ@ü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñT àÿú4?üCÿÄÑÿ'ƒÿèTÐÿð]ÿ@ü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñT àÿú4?üCÿÄÑÿ'ƒÿèTÐÿð]ÿ@ü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñT àÿú4?üCÿÄÑÿ'ƒÿèTÐÿð]ÿ@ü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñT àÿú4?üCÿÄÑÿ'ƒÿèTÐÿð]ÿ@ü'~ÿ¡¯CÿÁŒ?üUðø?þ†½ÿ0ÿñT àÿú4?üCÿÄÑÿ'ƒÿèTÐÿð]ÿ@ÿÁ/ù$:ý¼éD••¯iu®x‹P¾]>å­5 >;gk?ßB BÇhÃ6@$玕é¶6zeœvvZZÇÁ$“… 
’OãU§Ð´Ûƒve¶ÜnåŠiþvÞ=»^1±zuÇ4ÍÿÂYz|Oo§Ãqkskys=¤Nš|è°È‰# ÌO—/1•e]¤¡¨On²¾Ø¶³Ùé2^j1r<¹ÃÖ sÀßÀ“žº(¼)£C¨C{´‚h'{ˆA¸¤r8`ì¨[jç{dŽsÖ¥·ðæju3Œ`jŒZô1,&$r “ÀÀäúšÀ¼ñ·£[kÐêOžöÇHmJÞKx#$ùK“à äOÓéŸo6JúŒ–Ï;üØ·‘P>^Xî çæã>‚¨Áá=ÚÆúÍ-dx¯¡û=ÉšæY]âÁ]›Ù‹›N1WcÒ­£ÖTÍÃ[%¨üªŠÌÜ{’Üÿº=òÍøËÅw^7ÚOo/Øí~Õ=ŸØ'ÙFãÌ‘°‚áœ{ mˆ/u™ã[ìí2úÚÜÆÑ9–T‘!f;·aHóI)Î1ÇSµªø[GÖäïí¤“íýžp—F²Æ3€áÆæÁ<ŒñV$ÐtÙ£½ŽKl¥ì©5ÀóçtªzñtÇOs@uΩªê÷šô¢Í4Ù5׆ULžX™3Ãga;BŒdry®žöà'4{o³ÂÆK+·2éµ áNpÝÏÂ:S¿áÑ¿´c¾û+ùÑܨǟ'–’œîqí Í’99ëZ2X[K¨A~ñææÞ9"‰÷•\©aއ;¯§Ö€9_ x“YÔ‡åÔÖÀǬصʥ´N¦P‚YŽàCÃÇ=j kUŸIñ¦¡%¤q½Ôö:u¬>nv+És:lsœàuÆ8Íuº›dšr[Ûl]6 ÞÇËB‘Éç…œž)/´ 3R’æK»Q+ÜÃ’ì2ˆÌéŒf$ƒœsÀ pø›Z]Kþò4ó«ál·~Sˆ<³›y~íØvï÷Î8«ºæ¯©éVövâþÇûJD‘ÙSL¸¸óB‘ÊÇ–Eäe‰`2:ÕßøD´_ìö³û,…´™M̦o7ó<íÞfìqÙÇ*I|1¥N–Ë$wÛ#F’}®`å‚Êï»s‚@$1=(àÖüJuQ•ößi÷^s·{Ü63íš[ÿj°\jWGgý—¦ßEe4.Œg—w—¹Õƒm\y£ TîÇQ‘]›¡iºAŒØÛy>]¬Vió³b÷l^Ié¹¹êsɨn<1£Ýj¿ÚSZ–¹Þ’6&qºcc´a¶3. Œ t_ÃzŽ««5õÍÛY¥¤W—V°ÅM¼ˆ¦d ÌXŽ‹È ×œö¬˜|O­Mq¦ÞÓÆ™ªÉ`°˜ßÎÊ7–Ý‚I‹¦ÑŒ÷®¶ÊÆÛO…âµËGšIØn'/#—sÏ«1?ÊM/‹-ïþÉikgox÷›£¼šF•ʰâ8‰-–e$¶=ÍQÑ5-SíhÚCYÅ<·º¥Ô“ÝÆÒ(T»e YI$¿\ðCš«g®kž³s¬é‹ao#ø~Öâh®CH ,·?"•eÀ'wÎsŽ>Sž; è·Q*=¬‰¶Y¦W†æXœ4¬ZOX6œ•Î:qÀ¨®¼áû¶F’À¦ËT³ òD¦$ˆÈF§Ìr§ƒÆs@Søêqwcqm$ÙO5¤RÛ-„ìðùþX®ò•‡˜§a‘ŽrEmxþFOØBý$‚§ŸÂZ%ÍѸ’Ñ÷£¸(—$~l{v?–.á±yÇ `ñZvöÖ·7wǶ[¹³¶âw°E@yéòªŽ=(”´ñ6°n ¹ºO—X¹ÓDi‰£Ê«!rØÿ–`·¹9+9¼y¨C¢ÂKKÕ]ëR´4û‹xÉ„/Ë™%S½Nä#§lŠì¿°tÏ&8~Ê qݽâ©v#ÎvffëÎK·9éTSÁ:FñýŽVF³’Çl—S8[y05Ë«òŒcÇ  [ÏxªÒ]FýŽd³Ó—SÝäÉ‚§xòq¿¯îÏï:±Q¿Žu+Nãì2Ikmq -nºuÄÒLQ„È<¸ö‰8 vòW"ºùôm>æ[™%·Ü÷6¢ÎS½†è†ï—¯}¹óÖ«7…ô“x·k ñJònådØ]ê¬ð0< Pp×µü`Ú}ãAefÓí–K)XÝ/vVà7–­»pØW8SëYzoŒuoìmSÕ¥Òâ‡U±’uhãu[gXü̹.w!çp2z×PÞÓ_U]IãîO5î¥h•ñÂ"Û`žBçšÆð÷€´½3ÃÖvWö©qr¶ÎßÈñr Iå« b2J…'©  è|o©)¾²xḽG³KYžÆ{8Ûí4`´r’ØR„ä6@9­=o\Õô=>Þy-®/ﮌ+qo§ÌñÆËy(Ìì~\`0뜀 h/„t@—Šö²Lo#Ž)ÞâæYYÖ2Y>gbARÄ‚Gð*WðΗ&š¶¥Ì±$¾r<·“<ÈøÆå”¾õ8ã!º(¾Õ/µ=î.ìÞ+¨ä’<4@& ~WTnPÃ8瓌×7mã Z=&æòý­VêÐC=å‹XMo%¼±)܉®HuùNÃëÇgi§[ÙXýŽ9¢9É–w•ÎzåÜ–?‰¬yü3 Ž›~4‹U¸¾ºƒìùÔ¯f•vr6–mìn'hÀ'Өθñ6¯q Ð<›hÖÎXÅ©˜Àñ]ÍÆf`òêÁ¾b=zdt$P·Œµ[‰l&¹Km:ÆUD’w³–xå›ÍhݪÁbQ´¸9Ü+½¬6ðŽˆßg_²Ê°Ûª,vés*Ä9]ÑØØ#?05«kg’Ê VQ,­3îvl³“É8Ã@ÑEQEQEQEQEQEQEQEQEQEçÿÿæJÿ±®Çÿg¯@¯?ø§ÿ2Wýv?û=zQEQEQEQEQEQEQEÏø“Àþñw–uÍ" ¹#ÀY²ÑÈÎzÛ~bvç9Æk ¢€<ÿþ—ÃÏú¿òvãÿŽWa£hz_‡´ä°Ò, 
²µ\¦7ÜÇ«6Ë“ŽMhQ@GYÕmt-÷U¼b-í!iŸd€3’O@3É"‹ gLÕ6±Ô-n|Ä2(†erTÁ<ÇÖ€/QY‘ø‹Cšxà‹YÓži*F·HY˜€@9'¡<Ú¾›o¨E§Í¨ZE{0ÌVÏ2¬Ž?ÙRr ¹EV½Ô,´è–[ëË{XÙ¶«Ï* 'àzàôÒ«Éâ xn%Õì Ô¼25Ê‘A•9Á²Ž=G­hÑTãÕôÙu'ÓcÔ-þ1¹íVe2¨õ)œøTqëÚ<ÒÝE­`òZ×(·(L u.3òþ4¡\ÿ‰<¡x§Ë—Q´Û} ½ý»®`a¥$ü¥‹r¹ç®Ÿhk¦ Lë:x°-°]¤ò‹zoÎ3íšuÖ¿£XÚÛÝ]êöö÷#0K-Ê"J1Ÿ”“†àŽ”È¬ÿ©÷Ç?ø8ÿì+CFøm¡izŠjw’_kšœxÞë7æHTÊ *á ¸<ó]…QEQÖu[] E½Õo‹{HZgÁ àd“Ð òH  ÕOUÒ¬uÍ.ãLÔí£¹³¸M’Äý0AÁr`Šm†³¦j‰Xê·>bC2¹* àžãëQGâ-iã‚-gNy¤`©Ý!fb äœ~„P>kúMï…¼}©iº{"ªÙ^[­ú«üˆ€^9'Œø3â ͼ°?Å H…Ç¢BŒá•Sî#µwjúm¾¡Ÿ6¡iìÃ1[<ʲ8ÿeIÉü*-OUþκҠò|Ï·Ýý›vìyº’MÝ9ÿWŒq×Ú€3<5à#ÃÞÀ×wº¥Ê¸Ôµ Ì÷¨<Ç€Ú0 d*ç8ºJ¥m¬iw³\Ci©YÏ-±ÄéêÍûÀ—ñ¤°Ö´­T°Óµ;;£'ìó¬˜Æ~R{Ðê(¢€ (¢€8ÿü<Óµûɵ[+Ûí]’/(êZlíºò¬€s´žŒv(ܬÿøD¾!ÿÑOÿÊ¿ø× Q@v>_kÞ3ñ†¥¯ZT'Ø­ÜOï6ùÈb¤‚ Œä`@‚mmâ··Š8`‰GjQ@ÀŒT”PEPEPEPEPEPEPEPEPEPŸüSÿ™+þÆ»ýž½¼ÿâŸüÉ_ö5ØÿìõèQEQEQEQEQEQEQEQEQEQEQEQEQEQEW¬½+Äš¦´º»éBxšÚêÂø¤6±áÀw|û‰m¯Ã˜®ò±nü)£ßß5ÝÔÊìë#Dnåò]—-턌«Ú€9‹-_Ä:w…µ+ö¼³½›ûií-ÒXd]»¯Ì'-æ”ù@h|Ø©õmgSÑõ;à‘i·’ÚéÉö!ãy×’E´ä…Pr9<’yWGÿΓºç÷í¹¸K™#ûLž_š² ݵNðà ÷ÍMw¡i·×2\ÜÛo–AfÞÃ" ±ðg$ûô9P8þ$Ö×V::yÔšø@—fˆÌbÆ=ù-Á\oç¯*?øI¼@Ú/ž-­¼èõ9ìîg·³–å"Ž2À?’Œ²UGŒûVÆ»áØo"šk]> ï%ž9˜Ë{-±ÜŠT2É,Œ”r ­VѼ¯‡ã°¾i_´KrÆÊîhB4Ž[huev2zã$s@ê÷óÝ|9¾Ô,o­ÞfÓ¤•.¢‚’UwdwÆNAëœW=e¨jº&‘=–•Z>›õÊ‹V‰n ïm¨ü‡lg.weJîH°Mé n«`a0T6‚3œô'œæ©êÑu7®íÊB !g‘‘’`$^¿+dr}MTÐõOZÖõ,H´ËIbDC¤ßo¼¶ì. 
ž‡#Ž1“šîªž+—Ní¬mÚO*ÌOc+‹ŸÝîN ;³ò» }k¢¶°¶´¸»ž¶Iw –c’w0E@pz|¨£J¦ÞÓ_U]IãžK”5K©Z%|cpˆ¶ÀpO!sÍsã‹ùt[‹«k{aqa¢Ü^ߣ«ÊnEˆ`Ž7Å6{áLæyâZK¨Â±Ì–zrê{¼™0TïN7õýÙýçOö+OFð¬qØë‹ªÛ[yºäÒ=ä6Ò1@Œ»6±ã$œY«b}O¹–æIm÷=ͨ³”ïaº!»åëÇßnG<õ FòûU>/Ôo´†²Lh6—.·h͸ .Aµ†ÜäüÜペrxÓS»³Ÿ[µ†Ñ4‹k‹x$·•ÜIæ,LÌ0UÛç )S»iädVý÷ƒô=Fq5ͤ†O³¥¡)s,{¡RÄFÛXn\±È9¾p*I¼+¢Ï©-ûÙþø29U•Ö6dÆÆhÁØÌ¸$01ÐPm­êzEŒ¦ßÊ·±:ž¦÷²ØËt±‘tøVXÙJ ç m®‹Æ—7©áx§Ó/R ^öÈ ‚³¯qñµ”àîçžW#¾E»Ÿè×Q4RCr±»Ë#¤W“F²»î à0,IÁÈçÅh^évz†šÚ}Ì­X(ØŒSnÒ í*ARAÅj—:îâbîÒ]9çµÐm§¸i`p²”’äíU”Ï<’ØÀàæ¬_øÒâÛS¶ky`žÎK‹X&·[ÙâóŠ µÀ>R°óí#$cœ‘]2èpYÃE$†âÑl¥ig‘Ùá]øRÌÄ“ûÇù³žzð*¤žÐä˜HÖ’q,Sì2ˆüÈöìr¶–œdãœÐOI«Mg¨I¨ßÅtƒQ¼Ž0!utÛq"ãs;ep´2j®³âÛ3_HažÞâÑo-í&,'fŒÊȹk€|¥`da#äŠèìt{-:êêâÑ%®œÉ*yîÑî$’Á *¤’I*{Õ[¯ h×—u=´#ÏË(¸‘c2ÆT«” ·pؼã'9 ^ãÆäA‹5K­VïO·ØOpѬ/'ïcmÎq6€9;·1]W†õ;ÍWIóï­ž ÒWˆî·’ SêIó(#§#'­:oiSØ›7¶aÚ^ì•ÑÒgffupC)%Û¡HéÅ\±±ƒNµ[ks)Œs4Ï+’}YÉcøšáâñ†¸¾ÐoîEŸÚµ½†!oa<Ën¾SHÌQ¼„…n2rHª³Ýê:öµáé5;{t‚ÜÝË$Zl Lb)‰Q$e*J·Ëv’~õvÏáÍ*MÓI6̶va°I]^£ V@w‚<ŸZ’ÛBÓí$µ–8åimD‹“\I+øÝ–f%³´uÏJâ ñöµ&‡qªý…^'Ò§¿ˆfÜĖΑïDy_ (aÆSo#ŒƒšÓÔüI­é×Z~œímö˨$ºy¡Ó..R$]€'—c—ûä¨Àé’l'ƒôHíîm’Þqms Àöÿk˜Ä±¸Ã*G¿jdáªæ¥¡iú¨€ÝG({|ùRÁ<È€ã :0`Fpp=(”oøŠâ+™!´³²6š4zŒÐ^A!s!iƒG÷”¨>WŒŒòxÖÒ5W_Ônf³k+}6Òd…ãšy¥&4‘ˆ`à&<ÀU³ŒñšÔ]LU~ÎÍö‹E²”´®Åá]øRIÎxüõ9ëÒ¢_ éQê }3E:ʹ•Mƒ ½r, àP7§øÏUÔ5D0X<¶R^Mj!]>à4jŒê%7yDA•€ÝIV§„õÛýU¦‡U’¯’$‘ìEŒ¶òAœäìD«‘€ëÁ­ðΕü—‘Å@àóß95%¯‡4›+{8-ívGgr÷p1ÎÉ_~æÉ<çÍ~G>€9ë_^¯‰¬4ùnm/­®îe´2[iÓ±Ȉí‘33FüÆÀ¨9׳týKS·K)õIíoâ>!½†<Û¸’ŸjåXÈ{&ÕáIõ®º/ hÐêÞÇm š Þân$)Ž;*Ú¹ÞÙcœõ§Gá&+ÿ¶¤‰EÉ» nd1¬¥YKˆ÷m‰8ç'šåeñž¹e¡¦§uœë}£\jVqÄû†Ž1"¤„·ï 2Ãg#ç5ªuÍ~ÚMJÒKk;ÛèôÕ¾µŽÝ0X–6ÜÇw*0ÃnsÐUè¼ CÌ)bÞUͻڲ4ò2¤/÷£ŒÄj}oAè*ýÆau4³Ky²Û‹ft•Ðù`’ Œ’r9÷ BûXš÷ÂÒßKy Ú†›¨[ºˆìe´x˜ºŒÌ +²ç8!ø®ú±šdQ$Q Â}ª;¹L³¼Ï;Ç÷7¼…˜€B3ü#¶kn€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿâŸüÉ_ö5ØÿìõèçÿÿæJÿ±®Çÿg¯@ Š( Š( Š( Š( Š( Š( Š( Š( Š(  ¿XMªø[WÓ­öù÷vSA㹨Ïâk•ñ[j‡IÒu++Il5v‘´Å†wBág3”fk¬ru臥wÕ^[Iîà»šÖ .m÷fxÁx·pÛXò3œu 7MçÏñO‡ô'tugoà‘[,vÖø, vŽWh<ç§Z½áJOj‚UÕf²Ô/aºY,ÞÐ"lXÀWÍJdl'Œc5ßGo 2M$PÆ3••@.Às…'°µI@ŸŒ‹uáwŠÏí’&°@Al[Nx,@Ü1‘’@äuªz'‡õñE¦¯y` ‰›P›ÊgF6Í+@N ˜G#¹±çžÒ[xfxžXc‘¡2&u£`®åô8f‰õ©(Ïàðö®e²ÓMƒìš¥ÍójÂXÈ‘dóHÚß¼ùЬòx¦>‡¬\øÓÃË£Égq¦­±3$°˜G’ß{ioÞ ÆsɯC¢€<óûóË}Gì$:‹Þ 
ÖO;OÆâ#𠈈*vœäð=*}OOñ éº]ÚY]ŸÅdñ4ö/l"Vm¤¤©)ÁRUI( àâ»Ê(¢Š(¬¿XMªø[WÓ­öù÷vSA㹨ÏâkRŠà|VÚ¡ÒtJÊÒ[ ]¤m1aиYÆÌåÚëz!éY©£\ùþ)ðþ“¤îî¬íã¼"‹eŽÚß!ŽÑÊíœôë^‘-¤÷p]Ík—6û„3<`¼[¸m¬yÀÎ:Ô‘Ûà “I1£ÌÁåeP °AcÜá@Éìí@ ÿ†5)dC5²2$ªèNÖf*y Œž™Ï5ÄÇ'ˆ'þÈwÔ-.%ÿ„¢ò( °Iû½«x¤“æÊùPmÀg½z—¤YhðI”N¢Y ’<’¼¯#à ÌîK1À$žZ? é0êõ ”L.MÚ´ÈcYJº³ˆ÷m‰8ç'šçnÞÂÌZB%h¹ÏŸ3ÌÍž¹g%âh‹µñž­5Íŵ´vú¤’é³^Ù463Û#´eÀÒ%ÌRéÐdTSëZΣ&†–ºÍ¢]k˜'S¦Oo´i\,¼¡ˆã=p~R>ï=, Ðí™Z+iÃ%»ZÆMäÄÇ%—ùFQqŒcbÿ†‹öV·0ÜÓ ƒ9½˜ÏæÚÎßæd)#ït$w  µÜn ¶9 `\t^-¹ÿ„²ÒÀOowcyw5¢´6Çä²$þ½‰ŽCû¶R«‚® tš^•o¤A4VæCç\Iq#HۙؓϷ{ÔóU"𦡠ìvÒ  î!âB‘Èჲ¡m«í9ÏZå!ñεgáí?XÔ °™/ô©oc‚Ù3ˆ¨ÁK36U·z ¿íu­Mj‹ñí5ilåœi0ö‘´kƒ,œmfcÁÏ9çÐVØðÖŽ,¬ìÍ’µµ³Zó2¬L¡YNOÌ €9Í.›áÝ3I¼’îÒ)¾Ó$K Ë5Ì“1E$ªåØð ?sÞ,ñ~¥ ÞÝÙZZÛÏr`Š{$uoÞ€diÔàòBE‘ŒrÃ9¬Oøµ;Wqohö¯¥ë)ipª|Ï.%…qó>üñÑWÐçЮtm>óT´Ôî-–KË4‘ “ò,€Î@}ñÔÕ¼ Ã¦C¦Ç`Ò I¬ãŒJüC6<ÅÎrs´s×Њ©¦ÿÈû{ÿ`[/ýqX’ꚦ¬øÃR¶ûXÚßÛ½Ä2#eÚÜ6Æ 9 “Çk¸‹Nµ†ý/[³î<Æ…ŠŒgnzóYÓøKD¹ÔåÔf´v¸šTšoô‰Jè!t µ¶…\g©&€0tÏjz–±—dïa-ô¶†4Ó®7DˆÎžiœ(ÉÊÀo¼H"µõí[S´×4ý?OkHãžÒêæig…¤*"1cj«.sæ×ÐöÁ»‡4È56Ô!Žx¦i ¬‰u*Ä\õcm…Rvç<ÕÙ,m¥Ô ¿xósrEî?*¹RÃJ/_O­qþñv¯­Og$¶ ö×Ö­p4ûˆ±ÀdFšA²MÀ‘¹qÈàsPÛxÇVs‹£hºÄ’[B–2XÍoögš@™rÎ|ÔýäÀ%qÆxéì|3¥i²³ÚE¦€9Uñ†¹rÁ-¢K<¯oµËé·6¬’Ê#*Â^[nCeHÝÓ Z~ûhñŠP{y.æÒ[¡Dqä&RI^;dýkF/ iYÍiå\ËÁAYïf—nÓ•ØYÉLÛŒ1Ò­iš%†Ž×/e«Ý8’w’g•¤`‚YÉ$àøP)aªI¦xväÁw¼ók—ñÇæÙËt_ý"bBÅ Ç<&ªÙø‹YÕõm ò;¨­cû.¢.íÍ´¥dh'Ž6! ©R@ùC ¦X玾_ iRÀ›y%Ì—hÑ\I¬².ÁÕƒ ïl€qƒŒb¢‹ÂZ,ZG´°‹Id–ŠêTei{åƒÊÍÉRHRH8äp*æ§á=W3}²ÑÙf€[J‘\IÉΕÆãŒŽ3ÅfI­x‚kÏ›,æ‡K`–öþ[nÛÇ(·€¸gô9py9ÒøÖö+hVâBâôÛ1]å °ûmÍ#/ sœ]yѬv_ ‰”_°{‚’º–`Š€‚TíE.:g­RÑE¤–æÞgß0œÌ÷r´þ`C ‹y€ÀÃp èÞÔ¯õmæ¹€Û^,’D­%¬‘+àád¾);Iõï\¯…õoÉ¥øRÈߨNúŽ˜÷Osqm#:ŸÞüìL‡'#±Ç=ÝŒuªÛ[™L`“™¦y\“êÎKÄÕ;Ã:N“q ÖpJ I!îd‘bG(YQYˆUýÚpc&€9«/êWzˆ™ld“N7s[´Qé·ãH˯šg#Ê9dåGMßxEMá_êºÝÝ‹\Y·Ù/­Œà¦qµ8 ªÒÈ6KO̸äp9®†/ijm SÇ3HedK©V竃l,z“·9æ;Úf“qçXÇ<\X¾Õ+E=BFX¢À@  ½g^ÔtïÃlí––Ë.f²–e•ÙÈdó‚ÂGË‚à‚Z±4m_SÑÍ ´}*}{P·1¬mçŒÏ;o »oÞ\mÛÓÝ«¯¾ð^­ÕÜsÈêTùj•bb§*Z ÛÔ‘t-5#Š5¶ÂEv÷¨7·;33uî]Ž:sÒ€0t/ê÷Wz9ÔRÄÛëVown¶ÊÁíð‚9,Cü¯÷€^GNk\ñ5æ£ðòÕæŽÝN±á«»»€ŠF×êØLž\õÏnk°Ó<1¤h÷FæÆÕ£“a7Lî±! 
”YˆI…p=*°ðG‡Âºý‰Ê4Ûk™J¤RŒ: -„R1ÂããÌx‡TÕuP‹4Ó,oìí7Fó¤mð1pÛ¶¨À ´çädVïŒÍ×Úü.,š¹:¾§‘smp NN23Ó#­h^xKE¿¸i®-™Þ7u[‰ãÆÆd ˜m^HÏÒ­jÚ-†·ê´‚Þa<%exÙ$ Ê ‚zuêr·>3Ôm¬âµx¡:›jriï<6“OÙ“Ì¡.r¸wpIË`Vþƒ¬]_hRÞj6²C4"¶mä‡ÍU'©'Ì¡†C‘“Ö¤>ÑΕ›öVñÊgFÈ%Y $È% ¿yÉËnÏ'š½ccj¶ÖþiŒs4Ï+z圖?‰ 8¾ñ.«i.â]J+9bm"òú {UedÊDÂ6bNî üÀüV¢x§Ä†ÚñSO72ÆÈ— ¤]@ˆöÈ<©iJ¯Ì6[ž9߃ÁÚ ¼«"X–Ù –è’Í$‘¤OȨÌUTà| Å:? iPÛIn†üFûzêW“o@ŒdÊe"€9ëmWWÕâCzT³øoI¸±ûÛ0‹í/v¦9&vfgWV ¤—n„pHéÅc[x¦øZÙOy²¢j’i—ïm¡²È’&O¿–9ÆügŒœçñ¶§ºW¾Ó/ᵊX$O².Ûw·žH$‰pUxÙXÈÎ¥qš¯ˆµÍkÃz¼pÙÛXý›EûEì7‘Iæ;H²‚‰’¥“¹”ç#ƒZž-[—øovÒÅ‘mc“ÍŒ¸dgE+€Ë×<óÈÈyáPˆEsm+§ÙþÌøº•L±sòÈCã“÷³ÔúšÐ¹Ó,ï4õ°žö˳ ¸¸C/ ç‚£ò ØÀ2¨Cgxf©hr¬%´™+šû:à^Fk±¸ðÆuªÿiMjZçzHØ™ÄnéŽÑ†ØÌ¸$01ÐTÖÚ›iwÔÛf§emìpgpòðN>fP}»`P"|]ât«kÙ Ó¥mGK›P³†$pbdEFä·Ï•lnpGCšu¯ŽîïµÃgm ³[Ý^Ã! L°‚ÿh'ž«äÉŒp2¹Ï9étß èÚMÃOghQÌf%3ȱ¡9)±"5$•@Jm„´-5´¶³ÓÖ#¥Ç$Vg{)dûã“Î}NO_S@ö¬ê—o„l´¨´Û%¿Òd¹“té–! ¨¡ÁÇïÁ>œñƒñ¦¹¨h÷wú|:t'OÒRúæ;„wóda'È„0Ú£Ê?1ÎsŒ f»= M°ûÙ­¼¿ìûvµ¶ùØùq6̯'ŸõiÉÉãÜ×3â/‹ë5°Ò¬,â…­ÐÜK}:4hI<Æ ‰ÀÜHW`Ï­]ñeæ¢|kuct¶—RÝXî}ŒFx2œÜŒò2;ädê—:îâbîÒ]9çµÐm§¸i`p²”’äíU”Ï<’ØÀàæ»;­&Î÷Iþ̹ŒÉkµWÊŸ”‚¤2A ‚*%Ð4ೆŠI Å¢ÙJÒÏ#³Â»ð¥™‰'÷óg<õàP&þ"ÔmN}.ÂѯáYîVÎK¦Dk8Ü;Ås’©òãWJÚ¥Ô¾mOMjWfÐË„Ißo’=‰ÏlÑ'…t™EX®a2:ÈÍoy4,YcXÇÌŽ6"Œgg­\M&Æ-!t¨¡1Y,~RDz_fp>ùÍq3ëZΣ&†–ºÍ¢]k˜'S¦Oo´i\,¼¡ˆã=p~R>ï6nüeª®¹{oifÓÁau¬Ç¦ÜÊóåQÖUÌqà? 
ÙÎÞHÈ­ïøD4_²µ¹†äî˜\ÍìÆ0.ÐÞvÿ3!I{¡#½M7†´¹µ·îàí.b»–5”¨LЬB,€0m)ÿÌ•ÿc]þÏ^\=‡Âišµýž…åÝZÊ“Bÿkœíu ©Á|:×q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@yÿÁ/ù$:ý¼éD•èçÿ¿äè_öñÿ¥P QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEWŸüÿ’C¡ÛÇþ”I^^ðKþI…ÿoúQ%zQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@oñÍOÇ~ ÐáÖµ].Öÿíßh}6èÀíåÄŽ¼ŽîSëV?áVÔûãŸüöx·þJ÷ïû‰ÿé:ÖŸ‹¼Iq¢jºUœZ¦‘¦CwÄ’\êq–@còð£& Þ{ž(3þgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþµ¬de~eÆNNàjůŒm5 Ë{}6Æú÷Ì‚+‰1ˆB@.Õº«d(b1@?ð«?ê}ñÏþ?û ?áVÔûãŸüöÐ[øºÊãRŽÙm/Þk™- ¾d_"Y“vävî¨À §ñYº"oÇyª´Íwm¤A¨\¸Gœ[”ÈÃãÔPøUŸõ>øçÿý…ð«?ê}ñÏþ?û ߸ñ}¥½äµ•óAo,pÝ]*!ŠÚG B?͸ŸrT0䊡{â÷ŸTÒ­ôû{ÈífÕM›^4haŸbÈä°Ã'R;N   ÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ßñ~µ£ép®o έw0†Ò²UˆRíœpñÅfjþ3t·Ñ.l®ìtý?R¶kƒ¨ê4ÇÂŒ…d›y9fä=MSÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°­êž#Óôk=JÃPÑ^9Ö g$ªï4Éôa2ü¸p@Áéמ:{¼ŽÎ5Ô'‚{¡ò[ÂbCÉÆ³Æ?ˆþ(‡ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ±}ñƒÀ:}ä–³xŽ‘1“RL‡ ©ëØñÓ­?<¨^GkˆàI83Å$(0 åÝBŽÏ=:ÐøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½ŠóÿøUŸõ>øçÿý…ð«?ê}ñÏþ?û ô (ÏÿáVÔûãŸüö¬ÿ©÷Ç?ø8ÿì+Ð( ?ÿ…YÿSïŽðqÿØQÿ ³þ§ßÿàãÿ°¯@¢€<ÿþgýO¾9ÿÁÇÿaGü*ÏúŸ|sÿƒþ½Šòÿ éמøÉ&‡ÿ ¹ªX¿‡ÍæÍNô϶Cp `ÀôÏ'žkÔ+ÏÿæáîTÿÛºô (¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š+Ïþ É!пíãÿJ$®âû;‹Ë›8nà’ê×oÚ!Ix· ®å®G#=k‡ø%ÿ$‡Bÿ·ý(’€=Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( ?ñoü•ï‡_÷ÿÒu®®ûEKí{OÔ¤‘JZA<&p“ÍÙÎsÆ6tÁÎk”ñoü•ï‡_÷ÿÒu¯@ "‡q<6J³ØÜ5‡²ê:x¹‰m݃,e ƒ”À ÀŽ8 Ô÷ž {ÏìøÄú\ÙùeßKÍVÜ|—ˆƒtÆÖàŸZì( 
Z×Â3A{l©‡Ò­/d¾·´øHåÎMß2#6ƒÓ$â«Â†ÓÖçQ!t˜c‚ãñy4nß/Ïžüë²¢€9 ¯[KâR8ô—[©’y–÷K[‰U€U>\›†ÐBƒ‚$u©#ðÔW6(šª :ËP{ø­þÍó’ûÉC&üFÇÊ9®®ŠÀÕü-¹®Újw—IœÃm42»‘¹Ë£~U sëUl<1ªèšbéÚ6µv‘Ë+Gå›\mÛpLùªÄ©-‚O ŒŽ+©¢€9¥ð„qxBËÃñ^0[iàŸÎhÁÜcf#h J=ïŠéh¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ ó;Ûi¾(ø—SÒ®d’/h÷Þe·˜Æ÷÷ˆQ™åȉ2F2pÁ}2¼ïá¼ðØøƒÆÚ ̱Ǫ vãPû1`XÛÊÇ ÇŒã•ÈÎ2(¼±°³Ó,ã³°´‚ÒÖ<ì†Äh¹$œ(àd’/¬,õ;9,ïí »µ“áž1"6#*x8 ¬Q@gem7ÂïéšU´’KàíbàÛ·Âñ˲¢|¹1>ÁÎX°çw¦WüHžïx'A¶–95C®Ûêf  xƒ™$9à3ŒòØ8Î z%QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEyÿüÜ/ýÊŸûw^^ÿ7 ÿr§þÝ× PEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEsþ.ñuŸƒ´ëKËË;ëϵ]¥œ0ØÄ$‘¤`Å@RÃ9ÚGäŽ+Ÿÿ…§ÿRŽðOÿÙРQ^ÿ Oþ¤/ÿàŸÿ³£þŸýH^9ÿÁ?ÿg@Eyÿü-?ú¼sÿ‚þÎøZõ!xçÿÿýzçÿð´ÿêBñÏþ ÿû:?áiÿÔ…ãŸüÿötÃüuµÔ|/®i>6ðýÄöS¡ÝϪ‡eÃÆz¾B°;·.#PGLâ|Ðõ/^ÛϪÝ]¿‡ü<êöV¢FHÖö‘NÃÞìNw|ÈT⺿ˆ^'ÿ„×ÁwÚ4~ñ”wO¶Ki¦Ñ7äRþ<®FT°ä<‡C¾3·ð§…ôí×Àž9xí"_û1É˾ ‡˜±ÆxÎëWŸÿÂÓÿ© Ç?ø'ÿìèÿ…§ÿRŽðOÿÙРQ^ÿ Oþ¤/ÿàŸÿ³£þŸýH^9ÿÁ?ÿg@Eyÿü-?ú¼sÿ‚þÎøZõ!xçÿÿýzçñüX³þÑÓìï<+â½?í÷qÙÃ5öž"Ìs…‹ýO8Šô (¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢ŠóÿÿÉ^øuÿq?ý'Zô óÿÿÉ^øuÿq?ý'Zô (¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(ªÚ…õ¶—§\ßÞIåÛ[FÒÊøÎ ž;×?sâ ùnô5]>ûMKDC"]¬Y–3o3ñµ›oÌŠyÃq@MŠþ$Ž Z;Í:úÕ&y#‚êUCÌŠÌBíbÃåV#rŒ€qT£ñ­»èƒWm+QŽÒSµgòsre`©³¼‘÷öã<ÐOET¶¼šãO7/§ÝA( ~Ë)ÌÈí•bœöù±ÏQ^qmâýi¼1=ý夓é7×öæX­ DBl%À\Œ99ÏêTW9'‹í-îµ¼–wŠ»ØÑ|˜$p¤+eƒ¾¹*¤ Ã$s]QEQ\>¿ñf¹†|)o³¯Ë¿ÍlA`«•/;.q†ÆPa»pJ†Üñ/‹t [Àú”ÒîœÇiifIîdÇ I'', ‘‘\<ñ ^(Ôoã𮩰-„VvìÓÓxK†.¡‡XØ`SòæDnƒÂ^]&â-wÄrk>)da%üḬ̂‡91§„A–€ÌÝm¥yÿü$_¬Ñ®| cªLŸzòÃWH!“<©(Þ0zHàŠ?á"ø•}þmàK.gû·—úºO xäîH†ó01ÐO× Q@¿…<ÿü·Ž¥©Ï­k·YYµ•Áî,"2Dq‚sµx'Ø(EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPŸÿÍÂÿÜ©ÿ·uèçÿóp¿÷*íÝzQÔ5X4Ù¬"™$f¾¹±ì€ÅòrzaLö¢Ç[Òµ9LV•ÜŠ‚B\,„)èØ¡Èæ¨ø‡Oº¾¼Ð$¶‹zÚêk<ÇpSÊ•sÉç–QÏ5áß_i¶Þ I,ÖÓôé » Ëò;$yrÊO  íCÄÚN—®Yi·qAsyÉ™"(ùYWrÅøíoJ‹Ãž)Ó¼G¦ZÜCsj—rÚÇs5š\+Éu ~¤ f­ozž*ѵ;{nà† ‹i„NŠÑù w²åG–sŒžF®JOê“x?BÒà·KK¨´K‹;‡ G$‘§ÊHÎAu9#>´è~­§jÉ#éÚ…­âFÛ­æY·¡ÚN WÓEù°:…§Û ÛùËæ1ùsŸºAúkžð¶—w©=ýì´3d¶ÿMk=…T’ p2N cƒÒ£½ðÕíõ§áVÞma‚ÛNX|ê-cŒg n9§ò¿ˆtYì§½‡XÓä´·8št¹B‘F`p?Gñ‡Ÿ¡&³§-”­¶;–ºA· làž q«áÛ»ˆn.o4ß=ÊÇo)žÁyroC—µNÃÓÌÇŒU‹k/Áya«ê:Tš¤‘Cwmö}öé:,Ž…þab¨U¶žãò(¦:ý¼zÕÝŒÆ( ·³†ìÝ< )<Š<õ}sÎïÎü×övï"Mwm^tä R>Fãž‹Áç§Æè^º†Þm;TZÖ}ßO‘‘ÁPÁ§Þ‹ß ²(µPñ©á«ÙõDòõ©'´4’6ó!¶*p 
L»y®>pu àkú1ÒΦ5{§ƒ´Ý ”ò³œc~q×Þ›¡ë1ë–·"ˆâº–d“x#`88èzÿZämôF;ÛmhØj·3G¨‹›‹[é-²~ᢠˆˆò7/S’î­¿ Y_i:¢eÓ<‰ä½ºº†Í$CîÌ‹v‚r;à¹aâ;Q×uM"/5gÓB™]ÔpG;yÚxn V³ñdš¼²ðæ³=´± m¤HÁ]Ò‚¹wÏ·ëÅsš/…üQ£ÝhZ„òØÝËN·Ðà ŽB.™!iBl¡O 8•wAÒ/ídšíб#8\1ôçÖ‡‰ì¾ß£…¥Ýˬ±Ê‹g$i*²°ee2™ƒÁ _ÆžMGO³­›B9$·™.#1¶ÆUÆíÜ’[ çkzU„ñŸu5ªi×ú}à–eÌw‰• º•;‰ÛÂñ‘“Ú¹ë _E©hºž¡a=Ó·–òhdŽY"1¼€2¡ Fwl'¨À4í+Ã×ö~ð=™´XåÓ%ï:þïýTcÁÃ|î:g®h§±Öô­NS†§ew" ¤ ! z6èr9¦Eâ y¥†^ÂIaÝæ¢\¡dÛ÷·xÇ|ô®_DðÖ¡e§øFn-¤±Ó%·ºdeÌR:Gèyù”ž3ÈÍ`&›,óè:æ€wZèwVÒ,fåq ƒp¤ò í9=:šôÝ?UÓµx}6þÖöm†Ki–E é•'žE`Ÿiéw¶Ãrmš/=&둘pN’Ã=@3ÅŸ ¦²Þ UnD~hû/Û<Ÿ´lÚ3æ~CÎqŽqÖ±&Ñ5+QÑeÒ•µ¥¼YHŒSÂ×ÂfÀÝ»!3Àg £þ= i¿Ú_ÛZwØùjûRy[¿»¿8϶j½Ï‹tK]SN°—Q¶WÔ!y­äó#€Ty,_åÆsµ½+PÓ5ëmkQ¸ÓmåKk«Ødwµò žÂщNÀw·;sŒÕ_èºÖ&‰qq¦Ï?‘&¥±¤°o'¹Y#sÊ¡S½20½€s=ý©\]Á Ž&üÉíz¹ÏEÏJiÔ¬BHÆöÛlQ,ò5p‘¶v¹ç…;[¡Áô®oÆz ö¯y¤½ŒK$m!´¿€Å¤Œ!ç¯ú¥\~o­`ÁàÝløWRµ™J]¥õ²Û*È„ÍijPF2Á—,˜ËíwCÄ:+X%øÖ4óg#Krž[08$'€úSÿ·4µ[ZÿjY}¢é–ñ}¡7ʧTg,¨®BÓ׳j:}ôÖš‘oí…»º“Úî-e\,/Þ1ŽíÀ=©ÒxwRÅ·²Ë¥qc{¨ÛÞ+Û5§”¾X_0y£i?!Ôîâ’îK-U®b6™·¾’È%ÄpÌ$òÓÈqó`¾ p3Ž“Ã6Wë ¿¹ÓM„w÷1Ë3£3©fØH*{ÐÅ~«<¶¦âÚô¹¸…m ™Yb•ãÞƒƒ³=8ÏSMѤð¤rßM¡¾Š²)ÝxöF GS™ ~=}ë_ÁkjÑÙF·Iâ+«÷bËþ­ä›k’tt냌qQxwIñü%~¡«Ar=.kkƒ)¶¬Œð±,_1å|o$ý3Èg&§a qÉ-õ²G,fXÙ¥P°9äAÏNE-Ž¡eªZ‹­>òÞî݉[yVD$uä+Í¥ðV»seqo$eJ1[iAeŒ™íÒàJ~ðe¢B€8Æbä`×_á]:{C¨ÝÜÇ©Ç=äªò A­‹±U ¸ põ8cGñFŸ«M-©¸¶†ý.n!†áZVX¥x÷íààìÏN3Ôõ«ë«é¯©¶šš…£_¢îkQ2™@õ)œãð®*ËBÕ…ÊY>öu_O©CÍŒ©ˆÊì8 ¿{) ŒciäçŠO𮩢¶·gV1ŨÏ{ Ô/h-Á‘œ†?(Ÿvi|b€;T×´yZícÕl]¬”µÐ[„&:—çå®*[-SOÔŒ¢ÆúÚèÂÛeL¯°ú6ë^kƒµøFfÓf¶ÕöÓE¹±·/-˜¶‘ž-¸Bd!˜ûÌc©$ó]½ž•5¯ŠÍÒ[¬vÙq[¤¹ˆ\uà7ÓšÞ¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(Ïþ)ÿÌ•ÿc]þÏ^^ñOþd¯ûìözô (¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢ŠóÿŠó%Ø×cÿ³× WŸüSÿ™+þÆ»ýž½€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿÅ¿òW¾ÜOÿIÖ½¼ÿÅ¿òW¾ÜOÿIÖ½€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€+ßß[éšuÍýäž]­¬O4Ï´¨ –8œzWØXk_“ûWU¾»Òü%r¬ô‹f1Ot›™K\¾3±×øˆ*ês•Ü×>6ÿÉ!×íßÿJ#¯@ ?ÿ…%ðóþ…ïü¸ÿã•ß î|6‚çáÞ§&‘8u/§]ÌóXÜ ÃyemÌ®@Q½Np¸Éaè•ÏøŸþô_øE?°ÿí?Ú¾w¶Ýž_ü 9ö +Ѿh?ŸSñV±©k1js^¼76k@l™@ƒ!ÞQvüdc*p¯@Ò¾xEÕ-õ+ 4»¶}ñ;Ï,[±ÚìFGPqÁÁ\‡ácÿÂÇñ§Ø¿áþÓÿAûö'ýIòü¬|ßw;·wé]‡ü]ÿú‘¿òn€=¹ÿø®ßÁövúŽ£m;é(†ââ.m‹Ý@ÿW×-œƒ´mÜsÿñwÿêFÿɺÏ×ágÂ=©ÿkÿ ý™öI~Ùÿ¿êvÿwæû¹éÏ¥lk߬×ÃÖw>ò5íOT—ìÚ}´ƒ™6o- ÈeTR ‚2¡¶ç 
ÑþiqJ÷þ'“þ}f]áï5(÷¢¡mÁ#„’‘¨=1Ó-‚ÀùCÃvZíαlÚÏ ñ”A ÄS‹}²:¶ÔóIP¬Á\[ רþ´ñMžŽ±ø¯T±Ô/¹ùí-Êcæn­Àn ôDÆÞë@ü žÿ¡SCÿÁt?üMrú·„o<,¾#ð*Î#‹t·žŒ–‚÷s.öK~ê@ ãh9ت éóÃko-ÅıÃH^I$`ªŠI$ðæ€)èzÍŸˆt;-^Á÷ÚÝIJ¦H%sÕ[€Àäž"Ÿ}©Ãas§Á*ÈÍ}pm¢(¼·“-ÏLFÝ3ÉÈ|‚ko„š O‘9I\+©RU¦vSÏb¤{‚ _ñÕ¢].€gÓî/­"Õ—1A Kˆü‰,ª +’ç8ÁÎA6§ Ŧ˜Ë!žêfFm @Ùç9ýâãŽÆ®×èmôZ圶¶W–^§ö$–Aoµ¿–¥HùevU8 qŒ ‹mQ:\qhZ]ý†®º4ñj“ÉBn.J¦ßÞ6®X9@¨Î(Ó¯µ8l.tø%Y¯® ´E 7–òe¹éˆÛ¦y"®×™êš\wz~—‚ô™ô‹¤Ô7I$št–ûOÙn,Yy9`¾gÌa÷º×ÃÂ|= Úi³Ùl ¬à¬‚@NíÌ~ñ-“¿$6s“š×¢¼ßÁ–—qx²Úèi)§C>™1»ŠßL–Õ2«#»3€dÀ27uíéQEQEQEQEQEQEQEQEQEQEQEQEçÿóp¿÷*íÝzyÿüÜ/ýÊŸûw^@¯u -6%–úòÞÖ6mªóʨ ÁlO\)?@}*íÍ#íVÖ¿Ú–_hºA%¼_hMò©äËê*ž¿¦M¨ßøyÒ–+=Kí3d‘D(nzáÙ:sßµsþÔ¤ñ¨%]Vk-Bö¥’Íí&ÅŒ!•|ÐT¦FÂxÆ0s@¤:Ö•q|laÔ줻‡“©“*Ho”ðAÓ²´ßh·öZ.¥}6Ÿc¨_Ú«ÛC<éæ&ÒQ Á ½%G¥sZ-þ ~Í—åÁ‰®ï_PónÔ¸”ŒïÞq³¦6ž½ª÷‡”Ô]ëÖÒF¢ą̂¸0\.U $DÒ;¶;x;Inƒœh|}£]éš>¥kqYꈥy.M§î$›÷˜$x ‘Œç´ÓÙkÚ6£tÖ¶:µ…Õ®ö† ”w Ç$œr9÷¨?á&ÒG‰ŸÃïwj sÞD÷—¨ÎK™#OzÆÐl5k¼pYÞÚèÄÏ$‘ÞI ‘ßp0&LXþØ«·wñøÊæê+IžÖûNŠ×í1:³º<Í– Áˆ>`ÆÐyâ€5í5}7P¸žÞËP´¹žÜâhá™]£>ŒÈük\ñÆ“¢MªÙ¼Ñ>¡a§›ánó¢¾Y"òNìG“òðO9¬Ï hºœº\é#OMO’ÒY„±°ºfØ>@¤™BçxSœqÔÓüW¥j·7zø²Óe»MSA61¼rF¢9WÏ >öSƒæ¨ß8ë@Mޝ§jk)²¾µ¸0³fWò›Ñ°x?Z]?VÓµd‘ôíBÖñ#mŽÖó,[Ðí'¹mgÂ×—­ªÛXF–±]h+aŠB¨3áHàÆqК±ám.î R{ûØ5hf6ÉmþšÖ{ ©$àd œÇ¥u´QEQEQEQEQEQEQEQEQEQEQEyÿÅ?ù’¿ìk±ÿÙëÐ+Ïþ)ÿÌ•ÿc]þÏ^@Q@½÷‹#}3W¸¶´Ô’ÎÒœêqG@ñ+nجùb ]¤ŒgrÏQ¹›Æv-)kTÓ-® €C¼“9òxéÅP ßdêš,:¼)¤ÞÇr©Ù––6â~}à ä·8ãu]ž4MbMfy.¥Yí ²[YK;JÛ–àù˜é޼Ðú·ˆ"Òµ;±]Ý\ÝÅ,±¬0=›‹3²÷Ç~ǾÍ_é¢Ñ¯.-/í¬ÚÖKËiåvÝD€P$pAÂ’z‹‘ÛÛkú¥®¯¹Hm­î,Ú ›9 góLDŸÞ8^:s׊ÈÑü4HÌV¢ ÿc Ÿ`y®÷œpp=èeüH–ú3ê7ºeõ $QÛÉå<“3¨ËvS’ÀrG¾5™uâ¹f¹Ó#¶·ºµuCk{e2FeÇÙ¥”.A+΂­íž¢›kào³é7vÂö'šî+ÈM•§“¼‘•*VíÁ+ó|Üäô«xJoí5+ÝI'¾€½™ã·òÑ‚Àð¬j»‰Pç$±Î}x°|g¤ ;K¶iE½Æžú‘“hýÔ(%Ær\I úU+_MNî[Il/l.£‰fݪxØlfAîEcÛxÕ ×­®¯{mQ Sk 3¾Å99ÃÊÇ8é´cŸ¥éVþ]\ÁbÞh+hú Ç!êrâ"äôë…\ýEnjºœÚlhñiWÚ†C‚< äïuÏ^É>•‹­/¯m­ôÛ+ËõšÚ¦š-V(¥ÎÆ`î¬xü¡±Š©©èöþ1–Öú26Ë$-oªéR2ÛõŽ]˜aŒ!‡$c­Uÿ„S§è– ¨Y´Z\ñ%ÇöúP1c&9|Ï݆Ç# ÔÐÇ…µÛÍvÚöK½:KCäð#1M²*Jè1µØîFìàxÈ­êÉÑ4™ô†¾ŒÝÇ5¬÷R\‚¯‘ÙÜ3n!†æã ¸µ­@ñOþd¯ûìözô 
óŒ_lþÎðŸöw‘öïøIlþÏöŒù~f$Û¿íÎ3ŽqV?âïÿÔÿ“tèWŸÿÅßÿ©ÿ&èÿ‹¿ÿR7þMРQ^ÿþ¤oü›£þ.ÿýHßù7@Eyÿü]ÿú‘¿ònø»ÿõ#äÝzçÿñwÿêFÿɺ?âïÿÔÿ“tèWŸÿÅßÿ©ÿ&èÿ‹¿ÿR7þMРQ^ÿþ¤oü›£þ߈ôL?ò¿oþèWŸÿÂ[ñþ‰‡þWíÿÂøK~!ÿÑ0ÿÊý¿øP Q^ÿ oÄ?ú&ù_·ÿ ?á-ø‡ÿDÃÿ+öÿá@Eyÿü%¿ÿè˜å~ßü(ÿ„·âýü¯Ûÿ…zçÿð–üCÿ¢aÿ•ûð£þ߈ôL?ò¿oþèWŸÿÂ[ñþ‰‡þWíÿÂøK~!ÿÑ0ÿÊý¿øPq}g¦YÉyw¥¬xß4òÑr@cÀÉ ~5b¼¿\Õ#øðâóRðåö‰1þÓýÍÛ)ÝûœqÑÇ™ï ds^Á@Q@Q@Q@Q@SUÔaÒ4{ÝNá]¡³·’âEŒÅQK2@έc?, I>×ek(Ž9!‚XÔÉr$p‰°+K0Ø## h¤¢¹Ù|cio¥Þ^\Ø_Á-Ä6óÙ²#L­+"¡X«¼†=ûŒUI|{mm-Ú]hº¼ gß2-ì›¶°aÊG  hQ@þ³àŸëž\i°C¦òbŽÚ5‹È|“¾< +d“ÓœAƒË¯Š<]à¯.ËÅzTþ!†i^;MOF Ó1ÜËÛ|¸`ˆìYr 99jè;äŽ>ðçõ{ë|Eðv›k'›¦[ZɽJ Gܶe?{r»*vŒsÒ€,ÂÓÿ© Ç?ø'ÿìê½Æ—â_ˆòǹeý‡áù¥ÓdukËð^3!÷ Àʃ¼Àõ}"ŠŽ!µ·ŠÞÞ(á‚$ q¨UE81RQEQEQEQE^ÛP²¼*-níç-̾T³gkð~éÁÁèp}+ŠƒÄ—ÇÅÚjÁs¨O¦j×é[, Æ’ŸÝm"l«E´—žœg @Ô§Ñü96¥jŠóÚø>ÆT PA¸9 vO° Z¢¼þ÷[Õ´K‹Ø¶Ž¥og¥ü·A–&˜¬ªv(]¦0̧<šg…üO¬êÚý¦Ÿuqþ·ÍÔöˆ”¡TaDBWQÈ]ÛÕ@lçG#½wôWžišž»qáß =λ2ÜkÆ?:ëÈ„y¸y6Æ6cs-¸uÀ ~›­êúÆ¡i£6°ÖªôB¢ßwäJ¨¡C« 8b[ ÕxÀ @¢¼òMoÄÓëš„vîdÓn €"‹E‚d)3Ê]„€°vÚP7"´n5=VËÅŒ/¯.c°žãȱò–µcågl¼yÊûƒƒ·PeQϨ¶ñÎñN¶þN ´-¡ Œ?ÍÀ¬kCÕ¬4O^Þ_ùÖ“i·T;›äýÉ:|ßQŽ”è`†‚<‚)kƒÖõJ)µQm« 6=#IŠö41FÂå›ÌÎýÀƒË ò•9'ž•SPñ³%¶¥©¦ªtö´¿´´M<Ųy%‹]Û˜ØÁÐòhÑêé²Gö¡ijò+2,ó* 2Äyr}+3źN¥¬ii™yöY„ŠÅþö@aÆÒvŸ^zc޵Ék–zž­¬\G­]ÃqiáÁ(±JŒTËÁócbT•ÉçœgÀ£ÃuopÒ,Å+DBÈÃ%CqÓ ƒô ÷©kÌ&Ö5+-Vþ 8“QÕà†Im–1Gö|O„óHŒ1*ÍÛ8â»o ϪM¤ŸíxÝ.cšDS!‹{ ?)q(ŒŽƒ8  š+ŽðͶ—âO[éÖñÄ¢HcQ€X 'êk‰vm;ÂZV¥¢1]bûÃדêÄ{,‚%f‘û—YN<‚H”ìôW“ëVú~•y5މ² âÛOkÿ³¶Ë{µBäŽïpÍÔ“Òº¿ ­¦—­x’ÎÓɶҭ® ƘX¡‘£R꣢õCÝ­u´T_j·ã÷ñs'–>q÷ÿ»õã¥K@ÿ7 ÿr§þÝ× WŸÿÍÂÿÜ©ÿ·uèåí¦j÷W×PÚÛ§ß–y"ýIàUFñˆ‰hï¬iê—ŸñìÆåŸ·ÉÏÍøUXÝÏq£ßÚÙ›á§Ý™ä´ªÒ eÞBîRÀŒ‘ßqX:Æ—«^K¬M‡Zq¬é‹f‰,ЃhÀË‘'Í§Ì ”Ür uW®…¡–‚æÿNÓÉ&fŽI’,ïf%È$}âç¹ ïK'ˆô8m ܺΜ–Ë/’fk¤$þîìãw·Zæµ j â*q5dž“N·™™CK0ó÷/'Œ—Œäàs׃‰žºŽ©Âxe’âkW¢G'dÃ;P̈zzUm3OÔuXd²¶Ó¼Iâ;˳©‰ âPxÎýçîtÆÓ×µz¦¯¦êÛÙj—3ÛœM3+´gÑ€92Ï\Ò5d²Õ,n]#²ÃpŽUF8==ë•ðÖ‹©Á{ %Î’4ôÑ´ù-%˜K ¦mƒä IÙ”.w…9ÇMgKàÍVoh:\6ÑÛÜÁ¢ÜYÜfE$’4ùI̧$gÖ€:_øLl®u -ôÙ¬/!Hásr·ª#Ì“yer‡P3É!xÎk^MoJŠüXI©Ù%áq·k… »sœàƒB=k‰Ô4M[UÕîobÐÆ7‡NŒ+Ëæ0݉î1TéÏ8Ç «ú‡¯§O¼Vjf¾Ôm'·mÊ ¤IoÎsÆÖI1œ8ê(¦þÛÒ´OþÔ²ûj°Smö„ó# mÎsŠ./tØÂ·76:mšâ(D’$1ŒsÐtÁ[«OÃÚ]Æš»ÓÄ |%„á„îJ€wî°Û€oSÅtÚí¥ô^#°Ö-ô¶Õ!ŠÒ{V·I#WFvŒ‡c „*yÎÀ<ЩüU§Yëòé—·V¶¨- ž)æ¸T™^U 
ã'÷YàœîéÇ7¤Ô£†þæä¶Š-Òv‘®e¸%”ýÕù8bpyÃ\·†µ! -¡&¦%ðü:näš0±É¾bÉó|° €085_ßÞ_\éVó´×všN’ÒTŒW1pW'i#p#8Ï õuíô³©®­bÚzœ±p†!Î>þqúÕ+_h7šçöE¾§k%ËAñ ̸0Ùb@=ëš@Ô£º·Ö†Ÿª]M¢.§³¿–ÐI6 hƒ ˆˆÃ.åûÄ·¨â¶ìãÔÅçR}â+kë oÞBM³Ç$Ì|Àœ‰ÜÝÎsë@ºüZV“y¨Î®ÐÚ@óȨbª¥ˆ gÖ«Ëâ "ØD.õ;;W•Ö;‰Ñ¼Ü‚®¥UÖa¾Ö<ª[‹†úîÂx–Ù¤RC²0 ¸½Hç8¬‹¿Þ\\k25sqáØ¬!%—æ÷§^Ï'ƒëÅt:î»aáÍ4_ê2ˆà3EK(åÜ(?19>€Ú¨Ÿi1ë g=õ”6ÆÖ ˆ.ÞéNeyT*çƒþ«<Þܳ[Ó¯î¼ok kØ^Îf‡z‚æ)c‘”@É@ÉÆ{Õ GD»Õ¯µÛ×ÒÊÝ;8RvŒ¸“tå£8bß'8÷â€:iµ}6ßP‹O›P´Šöa˜­žeY²¤äþ-åí¦j÷W×PÚÛ§ß–y"ýIàW¯…5u¾º†í5Y­ï§¶¸/i%˜D1¤c˜ ´d‚„ŒtÁÍu~&±»žãG¿µ³7ÃO»3ÉhU¤7@˼…Ü¥#¿ â€.ŸèA­TëZp7``n“÷Ã8ù9ù¹ãŠ•µ-5EÒÛR³ƒ ‹C:ù¤c?s9éÏJâ|_§ø›]Óu+kM6îÞ­8¤6ñ5 >q/•œ±P,õ'æ‘}ôÍf/HÚm½õ­½Ôþeì³InöÏû­¾b ù«'1Âðh©µÕôÛë©ílõ K‹‹s‰¢†ewŒÿ´Èüh¼ÕôÝ:h!¾Ô--e¸;aIæTi¢‚y?Jã<á½CM¹Ò“Q‡Tivn’»Ú}™²6Ï-D¤¡¾p:s“V!ÏkàMgÈðÍÀ•丛÷’G©¬h ›oº®¡›sFÇr‡$«Ê|/ø•­]xƒÄ© —ú÷ˆ.k¥”‹HÞϹ‹**À\’±ÈÀ¯_ðg€aÐ]õjXõoÝ¿›u©J€”b¥vC‘ò RW€2;…^Mý›4­ÙuMsR¹Ÿy*öª(\ °rNsÎ{Ž8çÖ<= ÚxkFƒK²–îH!EUk«‡™¸P¼n8Q…*€£œ@”QEQEQETsÏ ­¼·Ç !y$‘‚ª($“Àsšóø|kâo!›Àš5¢éªì£VÖÙ£Šr¬T¬Q'ÎAà‡82  OŠšgö¿ÂÿÛyÞVËCs»nìù$K·vc=³žzWÍ ´/x‹\’ÃÃZ¥ö—nvµýݼÏFƒ8-´ÍËm^üôˆ÷ûûŠúžsay¤µº‰á™7^ ÈÀ†Œ‚zUêÖ~þÍð6³¢aßM»ì÷k(–ÛRmVq'HçŒ2ÁÆUh¸ðdž4¿èpéDU¼|³7/+ž®ç»È Š( Š+Ÿñ_Œt¿ÙÛËçÏqu(†ÖÊÑ<Éî0‰‘œdgžàu ‚ŠóÿµüX¾ÿI¶Òü)¥ÂÿvÎþâiæÏÈrFF:ä>×ñbÇý&çK𦩠}ë; ‰ šLð6¼¿ Á99ê’(Ð(®ž1Òüagq-‡ŸŬ¦«+´òç·pHæN3ƒŽ{Ô: (¢Š š“ñ¾K²[ÂæCp¶è$ÞA·c9Á#>榃N±µ[Ù[ÂKòâUÄk©Àû£qÀè2}jÍBÛCÒ,ì§²µÒ¬`µ¸MVè©.Få#ƒšž; 8nÄVG0ˆ@$XÀa9 ž»A'§5Éê¿á]RãEðÖ•wâ-bÝöO ©ÁnÝq,íò! 
>ÏÌ…N Sÿ„·âýü¯Ûÿ…zbhþÓô™åº6öÓ_½ÍÄÂì۪ʫ,¯&ÍÜœ øëÎ:•¥|C…µK}ĺU߇u‹‡Ù7DIÃuÄS¯Èä™3…5ÚP9t6}5tÙ´ûI,B-«Â¦ £ F0;qQÜhZEÝ„V:UŒÖpãË·’Ý4ÇL)¡EgÍ è×6÷3é6Ü[€°JöÈÍ’21íKý‡¤ Iõ/ì«·¸!®¾Îžk0Alg§jýKNÑ´½ H4Í6ÎÈJs ¶cÞ}NÐ3Vg‚+›y-î"Ia•JIŠ]HÁ#µIER»ÑôËùmå½Ó¬îd·9æ\Ä}T‘ÇAÒ±uŸkZŠòi,x˜‘` ÑÁ¶ ÷p„‘·8ÈÏ5ÓÑ@A-¤í+Mk4^L…ã¼|ü‡=W“ÇNMOES›HÓn-ç‚}:ÒXn3Fð«,¤`F¨ç°•-¦j–¶6°ZÛ§ÝŠÂ"ýàTôPe—†ô-6õ¯l4]:Öí <¨Žs×,y©í´6Êæâæ×O´‚âäæyb…U¥>¬@Ë~5rŠ£k¢iVV³ÚÚi–Vöó’fŠ+uD“<À ûÒãivúxÓáÓlã²0¶HGœç;@ÇPÖ®Ñ@F›b1‹+n&7÷Kħ9~Ÿ{“Ï^jÕPŸÿÍÂÿÜ©ÿ·uèçÿóp¿÷*íÝzdë~$Òü<ö ©ÝGn·³˜#y$TU!Ë1b0¿.3Ï,£½Ckâ­:mf÷LžæÖÞxnVÞÝ^áC\î†9rŠpOúÌ`g¦{â›âk[É_F¼³³’ñ¬/ÅÄDè®Èa–?—{*ä䎬mC÷·1øžhìíÚ…œöä²nd-ùÎxÚÉ'_N:Œ€uk«é¯©¶šš…£_¢îkQ2™@õ)œãð¤Ô53HXÛRÔm,–S¶3s:Æú Äf¸­'Õ®± 7«ªË œ×ÑÜDö‚Ü—g Ÿ—Ïݵö‘È÷Æ+wÄöúÍÅݬvÎlšRsj-Ì›ÎÝ¡¼ðTFFìíä(Ú·Š†™¨\Z­ ˜E“‡ãwÚ. >‡îãw¾qÇZÓµ¿Ñã¿—J´»°[Å-,–‘H‚@Xîf(9䜓ŽIÍpv¾×SH±†k3çG¦h¶ò2Ior^QœóµyÏ~Ù5~ÇAÕc¼Ó¬dÓ<µ²Õî5Õ<ØÊÊŽe ýäH²À<ž(²MOO‘áD¾¶gœ9…DÊLo<í=qÓ½9µ°K÷½·[92\TFÁÈ Cg$ŒzäWšjþñ\ë3éöèd·¿²š£)sæ†äñ´ÍœgËãµv~"ÐÍ×…`Òl­–X㸲S•ñ3gs·ýî:Óañ‡pm„Ö)ºbºFóXu ƒóè+›“Ã7rxF÷Oki®uãy$e“BoÄ»8?ºÇ^1ŒñF£á›¹_ÄÒÛØ§›{g=»@]b峞0UúàñÇZèÿ·l­ì%½Ô¯,, K‰ ó^íve]”Ç7ËÊõ#œSäñ‹¶±I«Ø$—€5²µÊ8= üÀöÅrÒèwðéJM†¢obÕïníäÓæ·IJK)VÄ­°‚È9#=3P?ÄÑÜXÝÅepš¼°ÛÇ{4onläUbH‘XïncO¥uðX[YµÖ§}§ÙD.d·W{ÄØJ¹P7Ür½AÈç5Ö»¤XȱÝê¶6ò8VU–á°bB èJœzàúWm¢êÚV¨š›hí¨ ›SO³$±Q=Ϙ’ ìF9Ž"£Ó¼¨Úi·ö×±K#øj-:2®¥|Àg-Ï;FøÆNãÓ€ÖïYÒì/ ³¼Ô¬íî§À†§Ty2p6©9<ñÅ.¡¬išBÆÚ–£id²±›™Ö0çÐn#5ÉÞišÔÆ—gz—¯¬73mÚÖECó U˜ ø1ŽIÖ§‰íõ›‹»Xì#œÙ42¤æÔ[™7»Cy਌ÙÚ ÈPÍæ¯¦iÂ3}¨ÚZ‰²yó*n€HÉäe—þú´ZêúmõÔö¶z…¥ÅŹÄÑC2»ÆÚä~5ÊhÞÔ¢‹Âò.];CšÖy «'e·QŒNNFGy_ÁÞÔ4Û)5uA&—hÖé+½§Ù›!ClòÔJA*ç§94ßÑEQEQEQEQEQEQEQEQEçÿÿæJÿ±®Çÿg¯@¯?ø§ÿ2Wýv?û=zQEQEQEQEQEQEQEyÿÅ?ù’¿ìk±ÿÙëÐ+Ïþ)ÿÌ•ÿc]þÏ^@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@âßù+ß¿î'ÿ¤ë^^âßù+ß¿î'ÿ¤ë^@Q@Q@Q@Q@Q@Q@Q@w Á©ñ¯Å×—ÑG=Æoema#(ͼrÄîá}ËópHè•ç~%ŠûÁ,¹ñ½¼—z-ݺ¦»ioùÁ‰XGp›˜ B°¹b%{M\ÒüC§%þ‘í«`o…ó´ÖU°FTàŒò(B¼ïãDÃàuäŠ1ªh÷\Ø\• “ÎŒ3ÁuSp28ô ç†ÖÞ[‹‰c†¼’HÁU ’Ià9Íyž«¨Â×ÔG‡ôS¿ÂÖwcûjýãýÝÞÂŽ°@á²rAÜÃHbêQEQEQEQEyßÄhW]ñ?ƒü!xdþÉÕn.'¼H¤diE¼aÖ2Aû…ŽHëÀ ‚3^‰\?Ä-/TIô_èv_Ú–,²}„¾>Ñ©²P¸2_dž8SÒh#Ò Òô3'™%¬_½pÙF%ßiÀùw3c#8Æy®?⯃¼KãýGJÐì|‹= ô««Ù[t¹ØP Û• ÈVß‚A€3üñûBÖ¼«?Åý‘|Ø_;%­¤o”gwXòK6U@åëcáÑ·ñ'Š'òÖò<¤ûUÜ 
¼máÀb[–+ÐüCñGKñ/…ì,¼)­}ŸRÖµ }4¶v\؉H/'–yl—rœe¸|Šçü7ðãSÔd× ÚwŽ|5¨èöúšë60C4bM·Q«G÷rnÀ#z‚3Áaê+VÛVÓo.ä´µÔ-g¹‰CÉ S+:)èJƒG5ÇøoBÔb¸ðÄzŽ’Ñ&¦\YI,¯«H|€¬›Xœ0I:€zä ŒÉáï ßéVþQe2XXO Ï̸Gp„ƒÈ,¤ñž”ÓÛøƒE»ŽêKm^Âd´R×-Ê0„ ’\ƒòŽ_JT×´y šxõkŠXå‘n¬lÇ ¬sÁ$€êMy®©¥ø„iZž¥ªÃt¢? j÷Sl±¤¬±°X–/›gÊøÞIÙæÇ‰,u<ßK¢¥œQG§Ø¥´’¡[–ûl$ci8Œc¶Î~Q@„5ÝéϨVÄØÆv½È¸O)O¡là~tù521u)u4°`ºiÔDAèwç­pº—‡õÝKVmz+;»-—ÑL,c’ÜÎÁ!x̃vø·åÆ?u:ƒŠ½ygi¤]Åcpmu9¯f³º’ßÎ&D‘w …b3îÀ=ÛœÐM¡ë1ë–·"ˆâº–d“x#`88èzÿZ«áïišþ‘ox·v‘\5¤wW¢å]­•”7ÏЀ3ÔQø7OºÓ´«´»²M6¡spVÚ!eû¤Œàô®GKÐ|I‡ôKX48lo´}6hüÉ¥‰ãžWh@‰ ·ÌÛ°2£¯Zï¡ñ‹q§Ë¨C«ØKe Ä·)rö˜£­#ø‹DNQ}gO[[lw-t‚'>³‚x=ûWžÕ¦½Ö.¯ìu‹ˆç†ÄÂLÖir%†I[r„Ä.Sï‘ÆN0]Å2Ϧj·Býå·K¨ v¿c!$t(Ì$ÅS °ŽØÏ"€;»Í[MÓàŠ{ÝBÒÚ)˜,RM2¢¹=$òOµC¡êÃYÐm5C€\Gæ/»gã\ݶ…u¤I¡Ï—sok§Mfm¥–,%ÙÊ¡B§oAŒ3RYøsPo„£Ã¯vºƒi­oåïÊ+#iaÛ¶Gc@¶úLJçIõKmGL‘We¼×qÏæùœï9À'«qÖ®YjZ¿Ú,/-îáÜWÌ‚U‘r:ŒƒŒ× ¨h:¦¹=ÕÙÐþÁƒN€ÙÉ,LeX®–Gc±ŠíTÈ9<ð8¨Ò¬.-|C¯\ÉÈ.å…â`ÃçÄJ¬p:r¸çÒ€(iéw¶Ãrmš/=&둘pN’Ã=@3ÆÂkú3é©&­`Öv½Ð¹CŸBùÀ?r³h𕯍è²éNÊÚÒÞ,$F)áká3`nÝ™È`3Œ Ô:ç†uyuûJÊ9Ö(õ®Õ-Z$¸¶1A()¸>ø‚(®}nÌ=¼«wbÖÛKrnÒ€6å€èˆ$¶p¸µfßR°»·–âÚöÚh!b²IªÊ„ H8w¯>¼ðž§.•:ZYÞ—ŸLÕ£d¼–ÜH'¸òŠ)òðƒqVYsÈßœwÇnµÍi~ñŒ ð™4ë4ýLêë$e™až>Q`ãýYìj¸ðö¿swªÏ-½ë‹“¥7¯j²1†è¼™áFÔÁç$ôÉè=jL¨ËwnUæh‰E$2y`UFÓéQ®¯¦¾¦Újj~‹¹­DÊeÔ¦s¹´f+› ì·0[k÷ƒÞyÑì0Èó8ÀÝ»#Í‚CŒÕK jVúˆ·¾‡U¸†F{ØåŠKE·}ìädíî*ûHä{â€;‹ gKÕ^dÓµ+;Ç„âU·d1Ÿö¶“އ¯¥^®KÁöZ¶Ÿ4¶³[Þ[éÛǬWïËAUhIÌavãyÝšëh¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(Îþ-Ï ­¿ƒî.%Ž"ñE“É$ŒQ@rI'€ç5ÒÂwàÿúô?üÃÿÅV¦¥¤éºÍºÛêš}¥ô áÖ;¨VU ‚23‚F}Íeÿ àÿú4?üCÿÄÐÿ ߃ÿèkÐÿðcÿGü'~ÿ¡¯CÿÁŒ?üUð‚x?þ…MÿÐÿñ4 àÿú4?üCÿÄÐÿ ߃ÿèkÐÿðcÿGü'~ÿ¡¯CÿÁŒ?üUð‚x?þ…MÿÐÿñ4 àÿú4?üCÿÄÐÿ ߃ÿèkÐÿðcÿGü'~ÿ¡¯CÿÁŒ?üUð‚x?þ…MÿÐÿñ4 àÿú4?üCÿÄÐÿ ߃ÿèkÐÿðcÿGü'~ÿ¡¯CÿÁŒ?üUð‚x?þ…MÿÐÿñ4 àÿú4?üCÿÄÐÿ ߃ÿèkÐÿðcÿGü'~ÿ¡¯CÿÁŒ?üUð‚x?þ…MÿÐÿñ4 àÿú4?üCÿÄÐÿ ߃ÿèkÐÿðcÿGü'~ÿ¡¯CÿÁŒ?üUð‚x?þ…MÿÐÿñ4 àÿú4?üCÿÄÐÿ ߃ÿèkÐÿðcÿGü'~ÿ¡¯CÿÁŒ?üUð‚x?þ…MÿÐÿñ4 àÿú4?üCÿÄÐñ ĺ³qàË}/[Óo§_X»Gkt’°\¸É IÆH÷ꕇ‚ü+kqÅ¿†´hg‰ÃÇ$v+#A Aç5¹@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@âßù+ß¿î'ÿ¤ë^^âßù+ß¿î'ÿ¤ë^@Q@Q@Q@Q@Q@Q@Q@qúÏÂÏëú‹ßê:tù.ðÉ$;É$–a(f$œ±äú×aEpp|ø}mqéáØËÆáÔIs3© ç•g!‡±õÜA6¶ñ[ÛÅ0D#Ž5 ¨ `Æ*J(¢²KˆÚE² 6ì.9Pr0xâ€5¨¬ÝO_Ó´‹›kk¹e*ï PÛÉ3ÈnìRxÜ¿ä‚/hÓÞÛZ[Ý<óÜCÄk H 
NJ«’ªB®T‚N1ß³EbYø»B¾iD7à,PµÁ’XÞ4x—†‘€WAÆYI#ži‹´cdnÌ·IuØÎ¯+0%DhSt™Ÿ”  ÊãõŸ†Ú©¨¾§g%ö‡©É‘5îpm¤™I,Áð ¶X‚I‰QϨþ/ÑV yVây¾Ð¤pZM,€!Úû‘P²mcƒ¸ *Ìúþo©Ç§3Î÷R;aµ–PÉ ]•H@H<± r_ð«?ê}ñÏþ?û è<7འÂÞdºu¦ëé²n/îËs;n/!çæ*…Ï8ÐQ@VG‰5Øü9¤‹ù-åMÄ0l‰ï$TÏʬx N1Éu"€5ê½õ…ž§g%ý¤v²c|3Æ$FÁeOøU?øH´±äÒ\<+el·Wh^6Ž& CeøŒg‚:Ô~-ÑoîÖÚÞêC#NöÀ½´¨žjgt{ÙBîOËœœdP5ÿ —N·ýÖ“â_é+þ®ÆÃUe†/]¡ƒNXäžI£þ.qû­[ľ+Õì[ýeþªÍ ¾›‚…<0Á]T^&Ò&Õ³cºcqæ4 ù.#iÈ$Û°¸åAÈÁãŠRÖÿ³uûIš줲ººži8)å°sœ‰œú”¥cag¦YÇgai¥¬yÙ ˆÑrI8QÀÉ$þ5b°âñ~‡-Õмxã¶Ò¬ÖòFà9ÂŒ¡˜1ápãÀÍ[ÒµÝ?Z7Ægw¶qé$/ÆÄ•À àƒŒPQ@Q@^«ðòÕ.5¯ j·~Ö.|óZ$ Ó2Àß# àŒ|ÎXäÕ?øD¾!ÿÑOÿÊ¿ø× Q@^•ðòÕ-õ¯ê·~"Ö-ß|]íÓ1@¿"dœüÈ`×iEQEQEQEQEQEQEQEQEQEçÿóp¿÷*íÝzyÿüÜ/ýÊŸûw^@o.ͬÖQ ûDþQó&GÈÍòŒ|íòýÑŽ2{Tv:Þ•©Êb°Ôì®äT‚ád!OFÀ=G5S]°¹¼Ô4 mãÞ–šŸ1ÜÄò&Ló׿uóX~ðõö›màÔ’Íam?N’ °¬¿#²G‘Áç,¤ñ‘‘šÞÿ„›I&½ÜI¨,1Ì#yÞ_ £9,dŒte=ê/x§Nñ™kq ͪ]ËkÌÖip¯$Ô0=ú)†ÞöÛÇR_-Œ³YÝØClgÐZ7•ŽðÌH1´7CœW%'‚uI¼¡ip[¥¥ÔZ%ÅÇP#’HÓå$g ºœ‘ŸZïm¯ô~Òâ+[»J؃ ë‰2r0U€Èäv5Þ© ›¿ì«Ûý7í+¶_²M2o~pÛ ÏCŽ1žÕám.î R{ûØ5hf6ÉmþšÖ{ ©$àd œÇ¥GýŸªÛøÁ¥Ó¬ï!²¹ºóoŒïnö²¯—·z ™UþUÀ^h¦—TÓà…&šúÖ8ž&æP­Œ³‚O*ž€ª|M g:æšeò¾×ŸÜ<ýïnµÁØèW÷ú?ŠìcE›û>ÂçCÒ”8ù•ƒ62x4žzÄ ÍKÂòM{¬=¾ Ž.Ÿ6 ¸2üx)Éãò  ÉîÓQ·[¨-íîU•L’¤d–÷cÛ·ZƼ²×í/nn,tï´Ïu¢Ch’3ÆR)ã2·ï0$0”79Î5‹wá¿^®·#Ø]]}­tÍ‘êZ«Ja¹g0‡ B:䑯O@è1ëšDÚlš”z­‹ØFH{¥¸C‘×/œΧ²¾´Ô­RêÆê «wÎÙ :6àó\tÚ=åúëW÷:5ôk¸¶’ Kyà ðà‰²XÇ»8à±ÈAŸJÚðôšäVvðê¶’;É$ŧvˆcd’{~$~³‡E±ÓỽŽ[)Zxoƒ©œJÛ·¹%J±mïTƒ»¥YðÞ¿ˆôŸ¶Ä#%xdL%MÊpJ¸á”ðAÀàôŠÍÕübš6¿o§Ü.œbšx`j*.³! 
¬ Ûʆa“»8ÉÆ^77ú:%ªéúÆ´q¹®ÃÚ©$“Áãéì¸ýj¤¾¶Ô%’êKFÑ.® Ô&²ß:3]Ä+þ­AŠñÇ­dj6¿ŸFñ3XCaos§Z]Úúâiu-Bþùd·šÙ"˜Æåp¥Xð1óÅkYéæßL77sß®Ò%ÈM̧±Øª:qÒ€9ØüwúÅÆŸŽý·–öÖòyÜ\,›·¸ãž\¼s£‘ž&_¢x¶ uÓ³q4Åö}EeYQŸ2C´P󓃀qš]/ÀZF“.‰,]»èé2ÀÒȘdÎæ“ŽXn|¾Þµ-¿ƒ­-¯í.úøÅiy-쥣òÖIº&æ½sË=qÅr^ñMä3év¯%Æ£¨_h[ÛI9ÃÈZ2Vc£w6 8àWYoâ‰.É<’ÄXæI"Æät`êFàAÁ‚¬ë_Ú[^ ·½½¸¸þÐþÑi&dËKös »p1Ï··ŠžD±7"6¡.pVmË«»ihܬTp̼TÑx”ÍáKÍ},$’(„ÏQ¶æž4f ÃŽ7Ü:ðGZ¡âOHþÔ4½2‰§ÔnÌÂo5ì²3‡órH;Q€ ¶qîG@šdVú4ze¤’ÚÃ+O £U dphÃÅÏsŸ<°éÏoyxm ö‡ÚcŠ\‹Éa³à•ëž!Oß^K§Å¦hÑÜ5úÝËKy婊 ’ˆ€q‘êHƒ]ðœÃú•“^ê–«4eïe’(Ú]»%;B`8U,N>£¡·Ð,­n´É ßÓmÎÁ|¶òúñœ)qϯà•¡xº}bçM󴯲Zêv¯qi!¸ÿ&ÝÊê ÷²fÈã¥ah7»Ò¼£]k¶243i~tWBçÍšwŽ0Ä:0\AÜÙïƒ]m‡†l´åÒniP<o`w+¶'å1YvŸt»{tû‹½BúÊ G´‚ ©¬H뵈*ªwÜ“Œ¸OZñ¥öIl/-?³5ŸO™MµÙ•^).ÑnÚ¤ °Æ0ÝH&µ¼S©jú}敼†îüÃ2O)Œ:ù¸\„rS9?( ÂÚºÌo5BöâV·ÍÅæõX%¢ ¨7N2sÉé-cGXŠØ«‹Y­gOo³z>Ö\áÕ”å]‡ õ `xSÒõϼ¶FçNƒR¶ŠIìƒÉ¸ÄhT_½‘’H«Ïã#Š#ÐÚ=1¦žIabÔƒÌQœy±ÌjBAldsZ3øbÎâ N)&¸?Ú7\LÛ”Ѭj6ü¼"\ýON1ZßÁÖ–×ö— }|b´¼–ö RÑùk$‚@Ýs޹剸â€jz¾«à½?PÔâ·k¹­#•Z9³ç€å†ÅIì2­c‰QIè´ÆmÚlwqæln¸rƒìçåà6>}ÏWQ¡hÉ éÉa åÌöÑa`Iö~åÀE* ?ÚÉ÷¬xþh±y;Zë÷Z©ÕW÷ƒ™0‡õc ×ä^x jþ1M_·ÓîN1M<05Y…VmåC0ÉÝœdã¥Ð¼PúÖ±ygäYÀ¶Ï"Íîn—kíáØ6«c î<ëKwàëK»Ë‰õôQ\^C}-¼mGš"…I% c÷k‘»€jÍ¿‡-j=RãR¾¼–‘-ÒsØC‘¸ ˆ¬zó  z׉ïtÝNþÒÓIŽé,tôÔ&‘î¼¼©iU[2@9äŒs¾5q$÷0ižnkq µÅÙŸlŠÒ9Xöʾbä–®ÅlÝè6·—ZÄ’LþÅle Fjd ¯{÷­×#Ç®qðMŸ"òùmH¦žÉ]<™äˆ(Wo—v~DÈVí€DÔµ‹¿ø†Öê+caiv±Âë1Þ€Á…Û匃¸±%² Ç TµoK¥\êÞf³Ó®¡´7ÞüÉ%Ž6\¸P ƒq,0FzVõ¾Œ–šÝæ§ åʋͭ=¯Èbg ¨îîj¨á±ÇJ‚çÃ7I©‰à5ýÌwlêà4RÆ‘ª2q)O9ç=Ž(/Ç&‡¨^¥½œóØÜE Ÿe¾[bM¸Ì!ã¸ìÈÚxïV×ÅW×"ÂßN°°¾¾º†[ŸÜj9¶X‘‚äL#ËX6Žù#¦º5Òéò[¶¿ª<ÌáÅÙ €ÇÕMg'‚m Hž×RÔm¯Q¦f½‰£óeóX4B˜%Tð£ã‘ŒKjÏ«¤s¶&›§»Á$˜û?™q2;ã‘•ãv:…ëÀ«ú§ŽàÓŒêa¶Qý tûyn®ÄHëùœ©Øªw/F%†1Wãðn“­Åª$¿f¸ÓSLx‹äyKæ`äŒî>cd’{~$~³‡E±ÓỽŽ[)Zxoƒ©œJÛ·¹%J±mïTƒ»¥gXxâ]d[A¤iÖ÷w®'i”^ ,LªJÊïÜ]vð23¸­/]O{à­"ææIdš[pÎÓ6ç'ÜúÓäðטֳcRÖé$l!#£Yy{1•R0 Œpzæö¥A¡èÖš]«JðZÆ#F•·1Ô÷4Æø·þJ÷ïû‰ÿé:× WŸø·þJ÷ïû‰ÿé:× PEPEPEPEPEPEPEPEPEPO‰tË[D{[Fˆ\,ÐOšÅQš)R@¤€Hf3ƒŒô5Ëø’Î][Å:—™måÔXÕ­!”É‹Tq(9Â»ÐÆ "VãÓ¾¢€<÷BÒõ]QZ6ûipx†òìʼâRêRnÜrÃ;·tãozµ¥ø2ãOÕKw6Q^ÉyϪ܆BÎÎÙÿÕd#9댚î( GÄ'Q_h¦Ek,ëa|Lw24j˾Ø}åV äƒ÷OLwÈ_øJãIžá®®"•gÓ£¶v‹ ùžlòH@#…ýðœñÍu´PŸ·‚5mKJ¶Òµ+‹(mì4Étûi­‹;JYUŽ¥@P  -’zŒUý_C×µè,f¼ŠÆ 
Í>ãÍŠ;]FxÖpcdlȈ¯ù²0¦A®ÆŠà®¼¨64°°³¶¿&fûRë7^lä|ÂM…¥•m ‘ZZ†ƒ©Ï®XÞ[¥²É'¿KÙa–DFË£BªR@Fà77utPEPY>%Ó.5mím!p³A<~kFh¥I’ ˜Î3ÐÖµÀø’Î][Å:—™måÔXÕ­!”É‹Tq(9Â»ÐÆ "VãÒ= KÕuEhÛìi¥Áâ˳(vó‰K©HM»qË îÝÓ½ëШ KðeÆŸ« –(îl¢½’ò)ŸU¹ …œ³ÿªÈ,Fr3×5£â¯ Íâ9Ð$ñÃöuÝ£1É`ò˜Š:<³žGo碀8-cDÕ.>Ó¯ëU…ŲÚù ³;Aû™¼ÒdvU 18èvõËUßÜÍ©_x‡Usjñ]^F#’ÒC$/²S±ÈÀÖ\áÕ”å]‡ õªóøbÎâ N)&¸?Ú7\LÛ”Ѭj6ü¼"\ýON0‰gñÊó]ŠÅ—‘5ãÙFVýZçz–š eP• Äò —Å2êòx§B°±ÝÒyÙ£-¯˜é³ŒhĨݜt9äqεŸ‡WO¾im5;ø­W˜Ø‡{’ÌA)¼ÄœÆOJ»>™ Æ­g¨»H&´IR5m"M¹ÏþŽ}h˜Ó¼QxtÏÁa¥5ÌÚŽŸ-×úEóËÈgØYÉó1œu×"”Þ6Õu 6¡¦C¦E8»³ËMCÌ’1$è­ÊbýÛ`í#œdr£=5…ìôñ¦&¹Îg-œ$²ä£˜É'¼<µÆ0:ñUÁV×éï5MFîêtŠ1s)‰^!žbmÙRC€rÁºsÅijš¤úG…ïµk›XÚ{;9.^æ%ID-´9PqÆ3·ð¬¶ñM幞Ý:ÒÒàZ-ä>mþ"1î Þd…>B¥†psÁ5wÄ:mÝßõm2 $¼¼›NžÚRŠÒ»FÊ3€ª $véTá´š"nµ F{°¬3Jñ–¶8‘U>L˜K†'$â€3ÇÄXßJ71Á§™üØË1ÔA²Œùb@æà!ùH*T|Çyü_2ëv:a¶Ó£{ˆb”¼ÚŽÁ.òA[Ý‘1ÏUê=jÔ^6ëxÖúî«ÅåÏÚgœY¼µhÊíÂ/x=08¨‚m>Ãi§.£¨.™n#b ŽBŒ%7‚Híe š¹Gñ‘Åèm˜ÓO$°À±jAæ¨Î<Ø‚f5! ¶29­í6Ê[î×rÝ<×MºB~Ef%QA'FàOÅdÛø:ÒÚþÒá/¯ŒV—’ÞÁjZ?-dH¢naû×<±#×P=aâ?Ïá¿]˜,ãR™R×EE›iæÄ?»$®~Pq´ N/XüE´½Öá² b"šíì“eúµÀ‘K ÍÜ„,¤œò P iGàØaÒlôøµmEÂe–ÆAä—¶Â2\dž]¬Ãç yëVl|84Û¿2×UÔÔÊóÆa.Ä–?sx‰l'Ú€0ôßkœZQ‹Ã£êÖmuhPù@P¥„„G•ûãi³žBö»‹®¯†„ºf”’˪ÙÍu‹‹Ÿ)`òü°UˆFÏ2c u±ÈÑÓü3e¦®Œ!–ῲmÒ ìä`€–Àäþízc©â±§ð„±êš6—¶Öšu•Ü_k‰ãó¡Úe!²ÿ„ŽÇÍÅ:®±âY|›H¿³ Ï Mûؤó'GÀwÑíÆà0 Ž¤VŸ…ãsw¥¤`Ô¦Ó¾Ð.w>ä‘£³`ùI\}ì‚zÍeÛüSµ¸²¸ºK{)û>{ûx ÔVYH7ì™Bþéˆÿ{ ò0t4_0ygÔç»Ø5[»Ô±i %¦Ç!ÀÝ÷YNÝØÏ%sWSÁЮ‘u¤_S}2kI,ÒÕž"°FË·Û7s6('U¿Öîµý+«X­,¤Y®¦ŽRTm¨åÊF2T1;2Uãš•¼yso¥¶£w¢ˆ`ŸLŸR±ësJ± }’ Ÿ»b¤7޼ä`ôÓéוì…ËÚE,H™Yd pÇ?t~µˆ¾ÓþÅ-œ·ÚŒöæÆ]>Þ9dB-!‘B° ’p÷:g ŸÄzÜWšuŒz ³Þ_C=Â#_•XÒ?+ï·–pO™Œ@ rA$&…âéõ‹7ÎÒ¾Ék©Ú½Å¤†à;ü›w+¨\/ÞÈ!› sŽ•¶úT«Yê%äó­-å·AJÈc,OÏî—÷?…K Ùiˤ,2Ü0Ò x ÞÀîV lOÊ:b€(x³Æ á_ßLšs[¤FimEaÀ'"(ÊŸ0€3ËžƒšÓñ°Ú&Œoâµ7oçA B$Ù¸Ë*F9 ôߟ÷Z§­øB×[–ýÞúúÔj‚Îém™–1»²ÞÝ<ƒZz–—©`–s¼‹M À¡îŠE‘zƒÆPgÛ=(oÝ[[_‹›]6ÖîÆá!—íZ—•oµÐ:°”ÇžøÆÎ¾ÜÕk_Üê±iCHÒaºžþ;¶!¯BÅ[ȱ·Î¨Û”–8`9ãŒ;ß Ú]êm©-Ýݽá¸K„–"‡c,F.+ cœƒíŠv•á[-&âÖx®.å’Ûí{ZgV,n%Yd-€2w(DZ9ÏZ££xÊMJK .tϱÙj’][JÓï|&ÝÁÐ.†È!› sƒÅeÙüP¶¼…¦ŽÒÞq%”·–ÐÙß,ó€6Éc÷lAÎn„FKeá{ô˜ãyÝtËw·„HTïW þ9?(銎Ëà §[sUKD‹Ê·ƒtD[¯m§ËÜpòÔŒn¦°Ó¦·²Ó/%¿¿ûbËSób_Ý<…™ü°A+·#¯=*Ìž+•4YîÞ >ÚæÖí­.R÷Pò`€ÎD»AHùAùº 
¡¨ø.Ss§Io}5Ãê«wy|ÏJm¥XªœƒNsÈ#5¦<h–¶Éõê][ݽà½Ìm+ÊêÊÌÁ§*Ä`(cÅR±ñ¬ºÍ¾žº>ÍåÒO#¤—›a‰a“Ês檶à\ü¸^G"%ºÛ[Ëoam¨È÷ ,wºˆ‚ü—Ø”¡-’FÑ·$g8ÅoÇá›(’ÙV[Œ[ê3j)–É!°<}ßÞ¶^>µßÂË9º´¿¾²¼ó¦”\ÀіĬÓŒ¥rªFA#h6ÓÇɨßi°ÚÛZGìL­{}ä³ïfR€Œ%eÚr7£sVo|]ug{¬Ä©OÒgŠ+›Ÿ´áʼq¹eMœír < wÞ’ÃÞ±©KjžY’ÝŒ[&d`Á˜ù{ÈÚTqYËá¿×µû‹û‹È¬o/a”[G"yWHBñ‚ÀoV¹œŒP¯ãX­¼Qv4à²É,hmõ,èQó,;A@U[œŒÔRxÖæ×ã_¾Òà¶Óî#g¾øs+(O4 ÃNæÀ®CàË(o-f·­­Ü×Ú3Gå,’‰çäÜÃ÷®ybG®8¢/ÛG¦5µ=JK X^DÿD(ÁÆÁeJŒn-ÀÇJ—Ã&‹ÄIx«öO:ÎA†Îì\ÂÁ”0+ =H €AØœ­;Ä–ºx†8šÿP¼Ö¯­­’yÊ*ªM1ùŸ UU{+§Ólf±…Ò}JîýÙ³æ]ÁÀFŠ1øVtž³kDŠ«»y¢¾šþ˜™<È¥•œ¾2¥Jþñ†sÍP‡Æ7—ÒCe§èé&«þ‘ö‹y®ü¸áò\#~ð#nÉeÛòŒƒ“¶³-¼köŸ§Øâžyµ-&Ò[=9äÚüË1˜ò(U ÀºÉÀ­±à»H¢·6šŽ¡iyºö'C4¾k“~ä*rÀº1·‡Àº8T›ˆ+h-íäŽA¾$ÈQш'ï[$ä0à‚ ÈàñI–ÖÊcdÜêÓé…D¹ÛåÉ*oÎÞsåg}î¼s¯‹®¥dŸJHtöÕ%ÓâçsïY5}›ÚÌ }ì‚zÍNžµKØ'þÐÔ P^½üvÛ£‰ŸvóÂn —s‚q“Æ*–‡áŽi.u‹ÀV»¾ŽÈȆÍ4†98³µ”íÝ€y#4­ªëWvº­®—¦ééyw42\0–ãÉD ‚wml±.Ç\‘\V›ñtßiñ\y®£Ó’òäêŠÁ+†-…Œ0&I>SÆ@éós]Þ¥¢G¨^ÛÞ¥åÕÜñ,ÖÅ2Ѿ ) ¬1•SÓ#ÍfZø&ÛM‚Ú=/UÔìdµy!xÙ¦ *z0ÈÜß0óÖ€ÃÆÚ^$m2lãˆm*g¼1ÜJ¦0áã‡gÌŸ0ÝØñÅV²ñ5Ì“ÿgéšs]]½Õ󸺾!R8n d†*Ç’FÔÆã Ö›ÃisªÛ^ÝjwóÇm0žI ~ZH¨l„Üð[ô¬WçOòn4˜5‰®üë§2XÏnŽòyŽæávÆ—è¼>½¼²k«]Y"Ò£Õ&^l*¬ÒƒÂ·î‰Ï$cí{RŽÃ|«3G-Å QÆ&ēƣ‘Ûæäwë?@ðdVKK¹dûLÚLZuÈÁU æT‘œæVäõÀã­lÞh¶×º<d(†Õ”ÄÄêëž1ÉAž:g¥cÞxºê×PÔÐiHÖmä³Ü¬9óV&Ü©³¾hÈ,8< üS©jú}敼†îüÃ2O)Œ:ù¸\„rS9?( Å«Ÿ Y]Gª#Ë8•ÌW3maò´k€¼p1ç9ê õ=b+`n®-fµœ\A=¾ÍèûYs‡VS•vƒÖ€9øS†E†þÈÉgq­^Ù%Û]—ua4ÅB¿êÀ]€î`|¸æ¤³ø‹ey®Åb‚ËÈšñì£+~­s½K Í2¨Jây€ mÅá‹8­íáó®A¨I¨«3.ZWwrs#p1Ûš,ü:º}óKi©ßÅhÒ¼ÆÀÌ;Ü–b Mà$à62zP+»OWñ]Öe©É¦[XZÃ4²Áo,¯+8yŠÊÎxÉ'¨Ågø«WÖ4(¡†-C|«£ê7/ƒ|±$f6Æn<§jÞÔü;þ¢š½ýî|±y-=£&d$…eue H8ÈÉÁ桿𕞥oWWw²ì®,¼Ã .Ë8PìI{åì=(bÊGšÂÞW9w‰Y© WŸÜx¯X-­þÔ Å†¥pu'1/ÏiȽ1…>\ñ¶FËõ®ËGÒ.4 V]oPÔ#Øé`ôòãCù“U$ðv—.¥®^¹œ¾µn-îP°Ú«³a(1Á .IÏÝ™g®\]\ZÜ\<²Auâ ílÄrya#Ž)Wæ~ñKDç ÝÏÊfh,–ÿá”—b;›¸ltB×wÆé£’K…‡s"6 nåûcqÎ:»O ØÙéÚ-”rÜ2iùл°-#ìt%Î9ϘÄãþUJivºTºm¼÷‘[ϧg\uýòìØ²7Ë0/€èAÒÂÛ ¹åAäçµqŸð’êðžmó—þÿ´díØ?ãïËówîëùgŽ›«­¶³û4Ó8¹žE“nØä`V=ªËÆq“œó\çü+}“gÙÛ¼ÿ´ÿiìOµù¾g™¿ÌÛ×w¶1ÇJŽI(ÖX[°Ó’f6±Þn¼>[7C°mVÆA ÜëV4ÿ½âiLÑiÒBù­K Cí¦ ’\–Ø¿7îö•ÀÆsžÕa¼,$Ô ôÚΧ,é‘Û3‡Ùƒ‘»a‚zóÁ–À4Í©j¨5ÒÝý¼˜„¢EŒÆ0bïÎxëÓšæôÿݲÑÚâ+} RW¹Ô }æ|›ŠïˆÉÉÀ99#¾–­ã ‹_¶¾™¥-ô66 rÏs䬪 ÚÛ›IÉqÉ× 
C•oÌ«æ.I`zàVM‡f³Ò|@ñ[É©I¤O©OvòÎPD‰,Æ8ƒÙbªaWŸ@züa5ëÊ·7qZK4SÏa(‚Y# ˆÛ¸}ÄÈ Ú2 1ü¤¸œo¹_´›•¹*àyñÎîïñʆ•î½' k(þÉ}U~Çæÿgé-©­ÛæcÉÐãîuç¯J¡ã[½*)þWî!QvZ?-¤ÆWÙû½…”¶  £Vð„¿ØzûÁ{}¨êwºD–‹§Œgå}€mUîsÉüjí·„„æ]gT†‚;‚ñ3Áœì\ÆT‚z– NIÅjh×íªiPÞ7ØÏ™’ ÏÚ"#8dÚ¹ü…_¬ýGƒD²khe–c$¯<²ÌWt’9Ë1ÚŽ{µhPEPŸø·þJ÷ïû‰ÿé:× WŸø·þJ÷ïû‰ÿé:× PEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPŸÿÍÂÿÜ©ÿ·uèçÿóp¿÷*íÝzQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEEu+Ai4ʪÍ3ï°ycÐ{ö®2?ˆbK=E£´±»»²’Ñ|½?QYâ\Kå.$Ø0ÀîÊ•ôç5Öêšm¾±¥]é·A½ÔM›NÖ85ÿm¬“\Ou©jSOö@Ï+F0-æ2ÆT ÄçŽG¡æ€3u¯ÿaݽ•ݾ˜—–öÂææ95A*KmXw 2¹NP2y­ÍkÄ ¥øpkAöˆßÊ)½ÌhªìwlªdœÒáõ»Ô›PµÔ¯´ë™"Xf{C&E$¨a"0ÈÜØ#žµvöÎK»/"+ë«G< Œ¾¬§>àÐV›âF¾¾Ó-Z6ûu¥ÍÈšÎóψž%[jîÏ›œàcn9ªZg‹ïµß!t½ìÑÜÝy÷†5ˆHX*©ÅÛäcÑGNy«0ø2ÖÙmÞÛQ¿†îÚí ~d¾q `Sn U?*ŒmÅ6ÏÁVºbZ7SÔ¬Ú tµw‰ãcqT>ô##s|ËƒÉæ€'Ó5û½NI®ÓO†=9&Œ]=Éó[ËfRÞPLm,§vqÎ+Ÿ³ø¡my M¥¼âK)o-¡³¾Yç!m’Æî؃œÝ<ŒšÇñé×’½½ýಒI%:{ÌÜ’Äe7€I'±“Ò¢²ðÃiÖÆÖÛ\ÕRÑ"ò­àÝëÛiò÷¼µeKã©!ÑmïÌZ;¬÷_gŪ–´ˆl-™&ò²‡#n6õ#žk;V×µK}vãT–Þ)ltÍêB }VEGlHO d Q»€>`3ÅtQxLÀ·»ªGyu(–âì7Ë… ©‹f”z[i6örZ3Û˧ 5ãwÈh²ÄöÎã½½½  ¾+×%‡Lñº¼3[èRÞÇs…YX¬€c‚ ç9®žÜ–¶ˆ’I( 'é\ÿü!–Ò¦¢.õ=JîKý?û:Y&x÷,_7Ý €ùÏ$|ÖµŽŸ%ÝìÏy4É;'•“¶T €3Œ’‰ëí’ÄO®ø†_ßÝÜÇ’q ­nO˜êº‚Æb#b€6™ÉÜ8É­ ß0Ik¨ÙYÚêKx¶ª’ß…¶;¢óC™™ ·#îgw浿á¶ò®­Íõ鵸½Káo˜öÅ*Ì'%NÍØg‚Oãëß YÞ^Ï|·7v÷’N“¥Ä,¡¡uŒÇòåH © † ho ëðøIûlB0RW†AÂTܧ«ŽO@x®@ñ.¥}â{‘q*>—© λBí6ï±òÀdïÎñžÀ⺨tù#Ò䳓Q¼žGVSu!A('¸Ú¡A¾\qXv¿|7aýšú}„vW:{+GunŠ“>¡ØËçׯZÎðÞ¥¨ÞL¶:Æ·ªZkWϾÊk¢HäÀÜÖïå‘ BxË>F kÑjòø‹ZŠïĺվ™x$2Cl«*µ¼R|å" Ò„tùÒ³ðÂÛê–ú…Þ­©j2Ú«­²Ý´{aÜ0HØŠX㌱'“ZZTÚ•ÜO!“Pg”1VXÒ0Ž˜ŒuÏ9  sÄ¿Øz¾¢Ëk$Í £’÷,°¨’iSs §`\eœHÇ-méz„Ú–Š—¨¶/,ŠÅ­ßàœbPƒ úíãÐÔWš Üê7„:…åÜðE’ܧʱ³°Àua’d`rÆ:TÚ6‰dÖÐË,ÆI^ye˜®é$s–c´öjóÍÄZ–•£ÛêÚ¬—K¥ÞêA†¯4‚SF*cdÚƒnBóÇ5Ðê'¹D’×QÓZÚ`Ö3F-¯NY%¹XðÌ`©ûÊ2g“WeðN›6‘o¦´÷b,.4õ`ë¸Ç0PÄü¸Ü6ŒqcVµ Ùjw_hš[…}&” C0™zŽì>Þh´({O¢,â¾ÓçÞì¸l ¾8v|ÉÎ3»±ãŠç|?ã{­/ÂMνfþCèæí.þÓæË9‰¶õ `¶ìƒ¹³ßºË%Þ¯ýÖ¥}4vóý¢61ùQÉ´¨ „Üð[ô¨?á Ò›KÓ´ÙŒóZØY=’+¸ýälЇqs…Œs@öÿ¢™g„[XÜ_ [Åa¨­Är4²yj­ Q°‚AnÇ ·JÒðÅö£w®xŠ=F3 \B‹Îe…ÈHçîŽIâ¬7…üû-ou­NñKFð¼Íx2²Œd‚ËnÎ9Ï4ûO ¥¢ê,š¦¢×7óG4×,è(¸@  Ž™  Ê(¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿÅ¿òW¾ÜOÿIÖ½¼ÿÅ¿òW¾ÜOÿIÖ½€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ 
(¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€ (¢€<ÿþnþåOý»¯@¯?ÿ›…ÿ¹SÿnëÐ(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(¢Š(‡ñ¿†üI©øÃz熤ҖëHûVSRi7šŠdàî;uªÿñwÿêFÿɺ( þ.ÿýHßù7Gü]ÿú‘¿ònŠ(ÿ‹¿ÿR7þMÑÿþ¤oü›¢Š?âïÿÔÿ“tÅßÿ©ÿ&袀ø»ÿõ#äÝñwÿêFÿɺ( þ.ÿýHßù7Gü]ÿú‘¿ònŠ(ÿ‹¿ÿR7þMÑÿþ¤oü›¢Š?âïÿÔÿ“tÅßÿ©ÿ&袀ø»ÿõ#äÝñwÿêFÿɺ( þ.ÿýHßù7Gü]ÿú‘¿ònŠ(ÿ‹¿ÿR7þMÑÿþ¤oü›¢Š?âïÿÔÿ“tÅßÿ©ÿ&袀ø»ÿõ#äÝñwÿêFÿɺ( þ.ÿýHßù7Gü]ÿú‘¿ònŠ(ÿ‹¿ÿR7þMÑÿþ¤oü›¢Š?âïÿÔÿ“tÅßÿ©ÿ&袀ø»ÿõ#äÝñwÿêFÿɺ( þ.ÿýHßù7Gü]ÿú‘¿ònŠ(ÿ‹¿ÿR7þMÑÿþ¤oü›¢Š?âïÿÔÿ“tÅßÿ©ÿ&袀ø»ÿõ#äÝñwÿêFÿɺ( þ.ÿýHßù7Gü]ÿú‘¿ònŠ(ÿ‹¿ÿR7þMÑÿþ¤oü›¢Š?âïÿÔÿ“tÅßÿ©ÿ&袀ø»ÿõ#äÝñwÿêFÿɺ( þ.ÿýHßù7Gü]ÿú‘¿ònŠ(ÿ‹¿ÿR7þMÑÿþ¤oü›¢Š?âïÿÔÿ“tÅßÿ©ÿ&袀ø»ÿõ#äÝñwÿêFÿɺ( þ.ÿýHßù7Gü]ÿú‘¿ònŠ(ÿ‹¿ÿR7þMÑÿþ¤oü›¢Š?âïÿÔÿ“tÅßÿ©ÿ&袀ø»ÿõ#äÝñwÿêFÿɺ( Ã~ñ‡ü,9]` may be used to specify a different path or file name. **Statement definition:** ```secil (filecon "path" file_type context_id) ``` **Where:**

filecon

The filecon keyword.

path

A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. "/this/is/a/path(/.*)?")

file_type

A single keyword representing a file type in the file_contexts file as follows:

keyword

file_contexts entry

file

--

dir

-d

char

-c

block

-b

socket

-s

pipe

-p

symlink

-l

any

no entry

context_id

The security context to be allocated to the file, which may be:

  • A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

  • An empty context list represented by () can be used to indicate that matching files should not be re-labeled. This will be interpreted as <<none>> within the file_contexts(5) file.

**Examples:** These examples use one named, one anonymous and one empty context definition: ```secil (context runas_exec_context (u object_r exec low_low)) (filecon "/system/bin/run-as" file runas_exec_context) (filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0)(s0)))) (filecon "/data/local/mine" dir ()) ``` to resolve/build `file_contexts` entries of (assuming MLS enabled policy): ``` /system/bin/run-as -- u:object_r:runas.exec:s0 /dev/socket/wpa_wlan[0-9] u:object_r:wpa.socket:s0 /data/local/mine -d <<none>> ``` fsuse ----- Label filesystems that support SELinux security contexts. **Statement definition:** ```secil (fsuse fstype fsname context_id) ``` **Where:**

fsuse

The fsuse keyword.

fstype

A single keyword representing the type of filesystem as follows:

  • task - For pseudo filesystems supporting task related services such as pipes and sockets.

  • trans - For pseudo filesystems such as pseudo terminals and temporary objects.

  • xattr - Filesystems supporting the extended attribute security.selinux. The labeling is persistent for filesystems that support extended attributes.

fsname

Name of the supported filesystem (e.g. ext4 or pipefs).

context_id

The security context to be allocated to the filesystem.

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Examples:** The [context](#context) identifiers are declared in the `file` namespace and the [`fsuse`](cil_file_labeling_statements.md#fsuse) statements in the global namespace: ```secil (block file (type labeledfs) (roletype object_r labeledfs) (context labeledfs_context (u object_r labeledfs low_low)) (type pipefs) (roletype object_r pipefs) (context pipefs_context (u object_r pipefs low_low)) ... ) (fsuse xattr ex4 file.labeledfs_context) (fsuse xattr btrfs file.labeledfs_context) (fsuse task pipefs file.pipefs_context) (fsuse task sockfs file.sockfs_context) (fsuse trans devpts file.devpts_context) (fsuse trans tmpfs file.tmpfs_context) ``` genfscon -------- Used to allocate a security context to filesystems that cannot support any of the [`fsuse`](cil_file_labeling_statements.md#fsuse) file labeling options. Generally a filesystem would have a single default security context assigned by [`genfscon`](cil_file_labeling_statements.md#genfscon) from the root `(/)` that would then be inherited by all files and directories on that filesystem. The exception to this is the `/proc` filesystem, where directories can be labeled with a specific security context (as shown in the examples). **Statement definition:** ```secil (genfscon fsname path [file_type] context_id) ``` **Where:**

genfscon

The genfscon keyword.

fsname

Name of the supported filesystem (e.g. rootfs or proc).

path

If fsname is proc, then the partial path (see examples). For all other types this must be ‘/’.

file_type

Optional keyword representing a file type. Valid values are the same as in [`filecon`](cil_file_labeling_statements.md#filecon) rules.

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Examples:** The [context](#context) identifiers are declared in the `file` namespace and the [`genfscon`](cil_file_labeling_statements.md#genfscon) statements are then inserted using the [`in`](cil_container_statements.md#in) container statement: ```secil (file (type rootfs) (roletype object_r rootfs) (context rootfs_context (u object_r rootfs low_low)) (type proc) (roletype object_r proc) (context rootfs_context (u object_r proc low_low)) ... ) (in file (genfscon rootfs / rootfs_context) ; proc labeling can be further refined (longest matching prefix). (genfscon proc / proc_context) (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context) (genfscon proc /sysrq-trigger sysrq_proc_context) (genfscon selinuxfs / selinuxfs_context) ) ``` secilc-3.8.1/docs/cil_infiniband_statements.md000066400000000000000000000052221476211737200214510ustar00rootroot00000000000000Infiniband Statements ===================== To support access control for InfiniBand (IB) partitions and subnet management, security contexts are provided for: Partition Keys (Pkey) that are 16 bit numbers assigned to subnets and their IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2). ibpkeycon --------- Label IB partition keys. This may be a single key or a range. **Statement definition:** ```secil (ibpkeycon subnet pkey|(pkey_low pkey_high) context_id) ``` **Where:**

ibpkeycon

The ibpkeycon keyword.

subnet

IP address in IPv6 format.

pkey | (pkey_low pkey_high)

A single partition key or a range of partition keys.

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for a partition key range of `0x0-0x10` assigned to an IPv6 subnet: ```secil (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02))))) ``` ibendportcon ------------ Label IB end ports. **Statement definition:** ```secil (ibendportcon device_id port context_id) ``` **Where:**

ibendportcon

The ibendportcon keyword.

device_id

A single device identifier.

port

A single port number.

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** A named context for device `mlx5_0` on port `1`: ```secil (ibendportcon mlx5_0 1 system_u_bin_t_l2h) ``` secilc-3.8.1/docs/cil_introduction.md000066400000000000000000000205661476211737200176320ustar00rootroot00000000000000Introduction =================== The SELinux Common Intermediate Language (CIL) is designed to be a language that sits between one or more high level policy languages (such as the current module language) and the low-level kernel policy representation. The intermediate language provides several benefits: * Enables the creation of multiple high-level languages that can both consume and produce language constructs with more features than the raw kernel policy (e.g., interfaces). Pushing these features into CIL enables cross-language interaction. * Eases the creation of high-level languages, encouraging the creation of more domain specific policy languages (e.g., CDS Framework, Lobster, and Shrimp). * Provides a semantically rich representation suitable for policy analysis, allowing the analysis of the output of multiple high-level languages using a single analysis tool set without losing needed high-level information. Design Philosophy ------------------ CIL is guided by several key decision principles: * Be an intermediate language - provide rich semantics needed for cross-language interaction but not for convenience. If a feature can be handled by a high-level language without sacrificing cross-language interoperability leave the feature out. Less is more. * Facilitate easy parsing and generation - provide clear, simple syntax that is easy to parse and to generate by high-level compilers, analysis tools, and policy generation tools. Machine processing should be prioritized higher than human processing when there is a conflict as humans should be reading and writing high-level languages instead. 
* Fully and faithfully represent the kernel language - the ultimate goal of CIL is the generation of the policy that will be enforced by the kernel. That policy must be fully represented so that all of the policy can be represented in CIL. And that representation should not adorn, obscure, or otherwise hide the kernel policy. CIL should allow additional high-level language semantics but should not abstract away the essence of the kernel enforcement. Be C (portable assembler) not a pure functional language (which hides how the processor actually works). * The only good binary file format is a non-existent one - CIL is meant for a source policy oriented world, so assume and leverage that. The only binary policy format moving forward should be for communication with the kernel. * Enable backwards compatibility but don't be a slave to it - source, but not binary, compatibility with existing policies is a goal but not an absolute requirement. Where necessary it is assumed that manual or automated policy conversion will be required to move to enable the freedom needed to make CIL compelling. * Don't fix what isn't broken - CIL is an opportunity to make bold changes to SELinux policy, but there is no reason to re-think core concepts that are working well. All changes to existing language constructs need a clear and compelling reason. One key aspect of the current policy to retain is its order-independent, declarative style. * No more M4 - the pervasive use of M4 and pre-processing in general has eased policy creation, but the side-effects cause many additional problems. CIL should eliminate the need for a pre-processor. * Shift more compilation work to happen per-module instead of globally - the current toolchain performance is often driven by the size of the policy and the need to have the entire policy loaded to do much of the processing. If possible, make it possible to do more compilation of one module at a time to increase performance. 
At the very least, clearly identify and manage language constructs that cause work on the global policy. Goals and Primary Features ----- CIL is meant to enable several features that are currently difficult or impossible to achieve with the current policy languages and tools. While generality is always a goal, with CIL there are also several well-known and clear motivating language needs. * Policy customization without breaking updates - one of the challenges in SELinux is allowing a system builder or administrator to change the access allowed on a system - including removing unwanted access - while not preventing the application of future policy updates from the vendor. It is desirable, therefore, to allow an administrator to make changes to vendor policy without necessitating the direct modification of the shipped policy files. This is most clearly seen when an administrator wants to remove access allowed by a vendor policy that is not already controlled by a policy boolean. * Interfaces as a first class feature - interfaces, and macros before them, have been a successful mechanism to allow policy authors to define related sets of access and easily grant that access to new types. However, this success has been hampered by interfaces existing solely as pre-processor constructs, preventing compilers, management tools, and analysis tools from understanding them. This has many unintended consequences, including the need to recompile all modules to include the changes to an interface. Interfaces or some similar construct should become first class language features. * Rich policy relationships - templates, interfaces, and attributes are currently the only means of quickly creating new types or sets of types with commonly needed access. However, use of these constructs require up-front design by the policy developer, limiting their use by system builders and administrators to rapidly create or mold existing policy. 
Policy authors need language features to create new types or modules based upon existing ones with large or small changes. These features should allow ad-hoc creation of new policy modules or types related to existing types. * Support for policy management - semanage and related tools currently make policy modifications using private data stores and code to directly manipulate the binary policy format before it is generated for loading into the kernel. These tools should be able to generate and consume CIL to accomplish the same goals. Design Overview ------------------ The design aims to provide simplicity in several ways: 1. The syntax is extremely regular and easy to parse being based upon s-expressions. 2. The statements are reduced to the bare minimum. There is one - and only one - way to express any given syntax. 3. The statements are unambiguous and overlap in very well defined ways. This is in contrast to the current language where a statement, such as a role statement, might be a declaration, a further definition, or both depending on context. The language, like the existing policy languages, is declarative. It removes all of the ordering constraints from the previous languages. Finally, the language is meant to be processed in source form as a single compilation unit - there is no module-by-module compilation. This has advantages (no need for compiled disk representation, better error reporting, simpler processing) with the primary disadvantage of space. However, this is not a problem in practice as the linking process for the binary policy modules required the entire representation in memory as well. It is, in many ways, a natural result of the declarative nature of the language. In many ways, this design document describes what is different between the current language and CIL. For example, types have exactly the same semantics as they currently do, CIL simply uses a different syntax for declaring and referencing them. 
Consequently, no space is spent describing the semantics of types and only a small amount of space spent discussing the new syntax separate from interaction with new CIL features. Contrastingly, CIL has new constructs for creating, managing, and traversing namespace. There is a corresponding amount of space describing the semantics of those features. When referring to current semantics it is important to note that there are currently three separate policy languages in common usage: the reference policy syntax created in M4 (which includes interfaces and templates), the module syntax understood by checkmodule, and what is commonly called the kernel policy which is the policy understood by checkpolicy. In general, CIL preserves the current kernel policy almost unchanged (just with different syntax) and layers on features from the module language, reference policy, and novel new features. When discussing current semantics, if the context is not clear attempts will be made to clarify which policy language is being referenced. secilc-3.8.1/docs/cil_mls_labeling_statements.md000066400000000000000000000506461476211737200220120ustar00rootroot00000000000000Multi-Level Security Labeling Statements ======================================== Because there are many options for MLS labeling, the examples show a limited selection of statements, however there is a simple policy that will build shown in the [`levelrange`](cil_mls_labeling_statements.md#levelrange) section. sensitivity ----------- Declare a sensitivity identifier in the current namespace. Multiple [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) statements in the policy will form an ordered list. **Statement definition:** ```secil (sensitivity sensitivity_id) ``` **Where:**

sensitivity

The sensitivity keyword.

sensitivity_id

The sensitivity identifier.

**Example:** This example declares three [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifiers: ```secil (sensitivity s0) (sensitivity s1) (sensitivity s2) ``` sensitivityalias ---------------- Declares a sensitivity alias identifier in the current namespace. See the [`sensitivityaliasactual`](cil_mls_labeling_statements.md#sensitivityaliasactual) statement for an example that associates the [`sensitivityalias`](cil_mls_labeling_statements.md#sensitivityalias) identifier. **Statement definition:** ```secil (sensitivityalias sensitivityalias_id) ``` **Where:**

sensitivityalias

The sensitivityalias keyword.

sensitivityalias_id

The sensitivityalias identifier.

**Example:** See the [`sensitivityaliasactual`](cil_mls_labeling_statements.md#sensitivityaliasactual) statement. sensitivityaliasactual ---------------------- Associates a previously declared [`sensitivityalias`](cil_mls_labeling_statements.md#sensitivityalias) identifier to a previously declared [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifier. **Statement definition:** ```secil (sensitivityaliasactual sensitivityalias_id sensitivity_id) ``` **Where:**

sensitivityaliasactual

The sensitivityaliasactual keyword.

sensitivityalias_id

A single previously declared sensitivityalias identifier.

sensitivity_id

A single previously declared sensitivity identifier.

**Example:** This example will associate sensitivity `s0` with two sensitivity alias's: ```secil (sensitivity s0) (sensitivityalias unclassified) (sensitivityalias SystemLow) (sensitivityaliasactual unclassified s0) (sensitivityaliasactual SystemLow s0) ``` sensitivityorder ---------------- Define the sensitivity order - lowest to highest. Multiple [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statements in the policy will form an ordered list. **Statement definition:** ```secil (sensitivityorder (sensitivity_id ...)) ``` **Where:**

sensitivityorder

The sensitivityorder keyword.

sensitivity_id

One or more previously declared sensitivity or sensitivityalias identifiers.

**Example:** This example shows two [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statements that when compiled will form an ordered list. Note however that the second [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statement starts with `s2` so that the ordered list can be built. ```secil (sensitivity s0) (sensitivityalias s0 SystemLow) (sensitivity s1) (sensitivity s2) (sensitivityorder (SystemLow s1 s2)) (sensitivity s3) (sensitivity s4) (sensitivityalias s4 SystemHigh) (sensitivityorder (s2 s3 SystemHigh)) ``` category -------- Declare a category identifier in the current namespace. Multiple category statements declared in the policy will form an ordered list. **Statement definition:** ```secil (category category_id) ``` **Where:**

category

The category keyword.

category_id

The category identifier.

**Example:** This example declares a three [`category`](cil_mls_labeling_statements.md#category) identifiers: ```secil (category c0) (category c1) (category c2) ``` categoryalias ------------- Declares a category alias identifier in the current namespace. See the [`categoryaliasactual`](cil_mls_labeling_statements.md#categoryaliasactual) statement for an example that associates the [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) identifier. **Statement definition:** ```secil (categoryalias categoryalias_id) ``` **Where:**

categoryalias

The categoryalias keyword.

categoryalias_id

The categoryalias identifier.

categoryaliasactual ------------------- Associates a previously declared [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) identifier to a previously declared [`category`](cil_mls_labeling_statements.md#category) identifier. **Statement definition:** ```secil (categoryaliasactual categoryalias_id category_id) ``` **Where:**

categoryaliasactual

The categoryaliasactual keyword.

categoryalias_id

A single previously declared categoryalias identifier.

category_id

A single previously declared category identifier.

**Example:** Declares a category `c0`, a category alias of `documents`, and then associates them: ```secil (category c0) (categoryalias documents) (categoryaliasactual documents c0) ``` categoryorder ------------- Define the category order. Multiple [`categoryorder`](cil_mls_labeling_statements.md#categoryorder) statements declared in the policy will form an ordered list. Note that this statement orders the categories to allow validation of category ranges. **Statement definition:** ```secil (categoryorder (category_id ...)) ``` **Where:**

categoryorder

The categoryorder keyword.

category_id

One or more previously declared category or categoryalias identifiers.

**Example:** This example orders one category alias and nine categories: ```secil (categoryorder (documents c1 c2 c3 c4 c5 c6 c7 c8 c9) ``` categoryset ----------- Declare an identifier for a set of contiguous or non-contiguous categories in the current namespace. Notes: - Category expressions are allowed in [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory), [`level`](cil_mls_labeling_statements.md#level), and [`levelrange`](cil_mls_labeling_statements.md#levelrange) statements. - Category sets are not allowed in [`categoryorder`](cil_mls_labeling_statements.md#categoryorder) statements. **Statement definition:** ```secil (categoryset categoryset_id (category_id ... | expr ...)) ``` **Where:**

categoryset

The categoryset keyword.

categoryset_id

The categoryset identifier.

category_id

Zero or more previously declared category or categoryalias identifiers.

Note that there must be at least one category_id identifier or expr parameter declared.

expr

Zero or more expr's, the valid operators and syntax are:

(and (category_id ...) (category_id ...))

(or (category_id ...) (category_id ...))

(xor (category_id ...) (category_id ...))

(not (category_id ...))

(range category_id category_id)

(all)

**Examples:** These examples show a selection of [`categoryset`](cil_mls_labeling_statements.md#categoryset) statements: ```secil ; Declare categories with two alias's: (category c0) (categoryalias documents) (categoryaliasactual documents c0) (category c1) (category c2) (category c3) (category c4) (categoryalias spreadsheets) (categoryaliasactual spreadsheets c4) ; Set the order to determine ranges: (categoryorder (c0 c1 c2 c3 spreadsheets)) (categoryset catrange_1 (range c2 c3)) ; Two methods to associate all categories: (categoryset all_cats (range c0 c4)) (categoryset all_cats1 (all)) (categoryset catset_1 (documents c1)) (categoryset catset_2 (c2 c3)) (categoryset catset_3 (c4)) (categoryset just_c0 (xor (c1 c2) (documents c1 c2))) ``` sensitivitycategory ------------------- Associate a [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifier with one or more [category](#category)'s. Multiple definitions for the same [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) form an ordered list of categories for that sensitivity. This statement is required before a [`level`](cil_mls_labeling_statements.md#level) identifier can be declared. **Statement definition:** ```secil (sensitivitycategory sensitivity_id categoryset_id) ``` **Where:**

sensitivitycategory

The sensitivitycategory keyword.

sensitivity_id

A single previously declared sensitivity or sensitivityalias identifier.

categoryset_id

A single previously declared categoryset (named or anonymous), or a list of category and/or categoryalias identifiers. The examples show each variation.

**Examples:** These [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory) examples use a selection of [`category`](cil_mls_labeling_statements.md#category), [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) and [`categoryset`](cil_mls_labeling_statements.md#categoryset)'s: ```secil (sensitivitycategory s0 catrange_1) (sensitivitycategory s0 catset_1) (sensitivitycategory s0 catset_3) (sensitivitycategory s0 (all)) (sensitivitycategory unclassified (range documents c2)) ``` level ----- Declare a [`level`](cil_mls_labeling_statements.md#level) identifier in the current namespace and associate it to a previously declared [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and zero or more categories. Note that if categories are required, then before this statement can be resolved the [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory) statement must be used to associate categories with the sensitivity. **Statement definition:** ```secil (level level_id (sensitivity_id [categoryset_id])) ``` **Where:**

level

The level keyword.

level_id

The level identifier.

sensitivity_id

A single previously declared sensitivity or sensitivityalias identifier.

categoryset_id

A single previously declared categoryset (named or anonymous), or a list of category and/or categoryalias identifiers. The examples show each variation.

**Examples:** These [`level`](cil_mls_labeling_statements.md#level) examples use a selection of [`category`](cil_mls_labeling_statements.md#category), [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) and [`categoryset`](cil_mls_labeling_statements.md#categoryset)'s: ```secil (level systemLow (s0)) (level level_1 (s0)) (level level_2 (s0 (catrange_1))) (level level_3 (s0 (all_cats))) (level level_4 (unclassified (c2 c3 c4))) ``` levelrange ---------- Declare a level range identifier in the current namespace and associate a current and clearance level. **Statement definition:** ```secil (levelrange levelrange_id (low_level_id high_level_id)) ``` **Where:**

levelrange

The levelrange keyword.

levelrange_id

The levelrange identifier.

low_level_id

The current level specified by a previously declared level identifier. This may be formed by named or anonymous components as discussed in the level section and shown in the examples.

high_level_id

The clearance or high level specified by a previously declared level identifier. This may be formed by named or anonymous components as discussed in the level section and shown in the examples.

**Examples:** This example policy shows [`levelrange`](cil_mls_labeling_statements.md#levelrange) statement and all the other MLS labeling statements discussed in this section and will compile as a standalone policy: ```secil (handleunknown allow) (mls true) ; There must be least one set of SID statements in a policy: (sid kernel) (sidorder (kernel)) (sidcontext kernel unconfined.context_1) (sensitivitycategory s0 (c4 c2 c3 c1 c0 c3)) (category c0) (categoryalias documents) (categoryaliasactual documents c0) (category c1) (category c2) (category c3) (category c4) (categoryalias spreadsheets) (categoryaliasactual spreadsheets c4) (categoryorder (c0 c1 c2 c3 spreadsheets)) (categoryset catrange_1 (range c2 c3)) (categoryset all_cats (range c0 c4)) (categoryset all_cats1 (all)) (categoryset catset_1 (documents c1)) (categoryset catset_2 (c2 c3)) (categoryset catset_3 (c4)) (categoryset just_c0 (xor (c1 c2) (documents c1 c2))) (sensitivity s0) (sensitivityalias unclassified) (sensitivityaliasactual unclassified s0) (sensitivityorder (s0)) (sensitivitycategory s0 (c0)) (sensitivitycategory s0 catrange_1) (sensitivitycategory s0 catset_1) (sensitivitycategory s0 catset_3) (sensitivitycategory s0 (all)) (sensitivitycategory s0 (range documents c2)) (level systemLow (s0)) (level level_1 (s0)) (level level_2 (s0 (catrange_1))) (level level_3 (s0 (all_cats))) (level level_4 (unclassified (c2 c3 c4))) (levelrange levelrange_2 (level_2 level_2)) (levelrange levelrange_1 ((s0) level_2)) (levelrange low_low (systemLow systemLow)) (context context_2 (unconfined.user object_r unconfined.object (level_1 level_3))) ; Define object_r role. This must be assigned in CIL. 
(role object_r) (block unconfined (user user) (role role) (type process) (type object) (userrange user (systemLow systemLow)) (userlevel user systemLow) (userrole user role) (userrole user object_r) (roletype role process) (roletype role object) (roletype object_r object) (class file (open execute read write)) ; There must be least one allow rule in a policy: (allow process self (file (read))) (context context_1 (user object_r object low_low)) ) ; End unconfined namespace ``` rangetransition --------------- Allows an object's level to transition to a different level. Generally used to ensure processes run with their correct MLS range, for example `init` would run at `SystemHigh` and needs to initialise / run other processes at their correct MLS range. **Statement definition:** ```secil (rangetransition source_id target_id class_id new_range_id) ``` **Where:**

rangetransition

The rangetransition keyword.

source_type_id

A single previously declared type, typealias or typeattribute identifier.

target_type_id

A single previously declared type, typealias or typeattribute identifier.

class_id

A single previously declared class or classmap identifier.

new_range_id

The new MLS range for the object class that is a previously declared levelrange identifier. This entry may also be defined as an anonymous or named level, sensitivity, sensitivityalias, category, categoryalias or categoryset identifier.

**Examples:**

This rule will transition the range of `sshd.exec` to `s0 - s1:c0.c3` on execution from the `init.process`:

```secil
(sensitivity s0)
(sensitivity s1)
(sensitivityorder s0 s1)
(category c0)
...
(level systemlow (s0))
(level systemhigh (s1 (c0 c1 c2)))
(levelrange low_high (systemlow systemhigh))

(rangetransition init.process sshd.exec process low_high)
```

secilc-3.8.1/docs/cil_network_labeling_statements.md000066400000000000000000000172021476211737200226770ustar00rootroot00000000000000
Network Labeling Statements
===========================

ipaddr
------

Declares a named IP address in IPv4 or IPv6 format that may be referenced by other CIL statements (i.e. [`netifcon`](cil_network_labeling_statements.md#netifcon)).

Notes:

- CIL statements utilising an IP address may reference a named IP address or use an anonymous address, the examples will show each option.

- IP Addresses may be declared without a previous declaration by either writing them directly e.g. `127.0.0.1` or `::1` or by enclosing within parentheses e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

```secil
(ipaddr ipaddr_id ip_address)
```

**Where:**

ipaddr

The ipaddr keyword.

ipaddr_id

The IP address identifier.

ip_address

A correctly formatted IP address in IPv4 or IPv6 format.

**Example:** This example declares a named IP address and also passes an 'explicit anonymously declared' IP address to a macro: ```secil (ipaddr netmask_1 255.255.255.0) (context netlabel_1 (system.user object_r unconfined.object low_low)) (call build_nodecon ((192.168.1.64) netmask_1)) (macro build_nodecon ((ipaddr ARG1) (ipaddr ARG2)) (nodecon ARG1 ARG2 netlabel_1)) ``` netifcon -------- Label network interface objects (e.g. `eth0`). **Statement definition:** ```secil (netifcon netif_name netif_context_id packet_context_id) ``` **Where:**

netifcon

The netifcon keyword.

netif_name

The network interface name (e.g. wlan0).

netif_context_id

The security context to be allocated to the network interface.

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

packet_context_id

The security context to be allocated to packets. Note that these are defined but currently unused as the iptables(8) SECMARK services should be used to label packets.

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Examples:**

These examples show named and anonymous [`netifcon`](cil_network_labeling_statements.md#netifcon) statements:

```secil
(context context_1 (unconfined.user object_r unconfined.object low_low))
(context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))

(netifcon eth0 context_1 (unconfined.user object_r unconfined.object levelrange_1))
(netifcon eth1 context_1 (unconfined.user object_r unconfined.object ((s0) level_1)))
(netifcon eth3 context_1 context_2)
```

nodecon
-------

Label network address objects that represent IPv4 or IPv6 IP addresses and network masks.

IP Addresses may be declared without a previous declaration by either writing them directly e.g. `127.0.0.1` or `::1` or by enclosing within parentheses e.g. `(127.0.0.1)` or `(::1)`.

**Statement definition:**

```secil
(nodecon subnet_id netmask_id context_id)
```

**Where:**

nodecon

The nodecon keyword.

subnet_id

A previously declared ipaddr identifier, or an anonymous IPv4 or IPv6 formatted address.

netmask_id

A previously declared ipaddr identifier, or an anonymous IPv4 or IPv6 formatted address.

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Examples:** These examples show named and anonymous [`nodecon`](cil_network_labeling_statements.md#nodecon) statements: ```secil (context context_1 (unconfined.user object_r unconfined.object low_low)) (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2))) (ipaddr netmask_1 255.255.255.255) (ipaddr ipv4_1 192.0.2.64) (nodecon ipv4_1 netmask_1 context_2) (nodecon 192.0.2.64 255.255.255.255 context_1) (nodecon (192.0.2.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0))))) (context context_3 (sys.id sys.role my48prefix.node ((s0)(s0)))) (ipaddr netmask_2 ffff:ffff:ffff:0:0:0:0:0) (ipaddr ipv6_2 2001:db8:1:0:0:0:0:0) (nodecon ipv6_2 netmask_2 context_3) (nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_3) (nodecon (2001:db8:1:0:0:0:0:0) netmask_2 (sys.id sys.role my48prefix.node ((s0)(s0)))) ``` portcon ------- Label a udp, tcp, dccp or sctp port. **Statement definition:** ```secil (portcon protocol port|(port_low port_high) context_id) ``` **Where:**

portcon

The portcon keyword.

protocol

The protocol keyword tcp, udp, dccp or sctp.

port |

(port_low port_high)

A single port to apply the context, or a range of ports.

The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Examples:** These examples show named and anonymous [`portcon`](cil_network_labeling_statements.md#portcon) statements: ```secil (portcon tcp 1111 (unconfined.user object_r unconfined.object ((s0) (s0 (c0))))) (portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2)) (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1)) (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2))) (portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3))) (portcon dccp (6840 6880) (unconfined.user object_r unconfined.object ((s0) level_2))) (portcon sctp (1024 1035) (unconfined.user object_r unconfined.object ((s0) level_2))) ``` secilc-3.8.1/docs/cil_policy_config_statements.md000066400000000000000000000063021476211737200221740ustar00rootroot00000000000000Policy Configuration Statements =============================== mls --- Defines whether the policy is built as an MLS or non-MLS policy by the CIL compiler. There MUST only be one [`mls`](cil_policy_config_statements.md#mls) entry in the policy otherwise the compiler will exit with an error. Note that this can be over-ridden by the CIL compiler command line parameter `-M true|false` or `--mls true|false` flags. **Statement definition:** ```secil (mls boolean) ``` **Where:**

mls

The mls keyword.

boolean

Set to either true or false.

**Example:** ```secil (mls true) ``` handleunknown ------------- Defines how the kernel will handle unknown object classes and permissions when loading the policy. There MUST only be one [`handleunknown`](cil_policy_config_statements.md#handleunknown) entry in the policy otherwise the compiler will exit with an error. Note that this can be over-ridden by the CIL compiler command line parameter `-U` or `--handle-unknown` flags. **Statement definition:** ```secil (handleunknown action) ``` **Where:**

handleunknown

The handleunknown keyword.

action

A keyword of either allow, deny or reject. The kernel will handle these keywords as follows:

allow unknown class / permissions. This will set the returned AV (access vector) with all 1's, so access checks against the unknown class / permissions are granted.

deny unknown class / permissions (the default). This will set the returned AV (access vector) with all 0's, so access checks against the unknown class / permissions are denied.

reject loading the policy if it does not contain all the object classes / permissions.

**Example:** This will allow unknown classes / permissions to be present in the policy: ```secil (handleunknown allow) ``` policycap --------- Allow policy capabilities to be enabled via policy. These should be declared in the global namespace and be valid policy capabilities as they are checked against those known in libsepol by the CIL compiler. **Statement definition:** ```secil (policycap policycap_id) ``` **Where:**

policycap

The policycap keyword.

policycap_id

The policycap identifier (e.g. open_perms).

**Example:** These set two valid policy capabilities: ```secil ; Enable networking controls. (policycap network_peer_controls) ; Enable open permission check. (policycap open_perms) ``` secilc-3.8.1/docs/cil_reference_guide.md000066400000000000000000000365701476211737200202260ustar00rootroot00000000000000CIL Information =============== 1. Not all possible alternate statement permutations are shown, however there should be enough variation to work out any other valid formats. There is also an example [`policy.cil`](../test/policy.cil#example-policy) file in the test directory. 2. The MLS components on contexts and user statements must be declared even if the policy does not support MCS/MLS. 3. The CIL compiler will not build a policy unless it also has as a minimum: one [`allow`](cil_access_vector_rules.md#allow) rule, one [`sid`](cil_sid_statements.md#sid), [`sidorder`](cil_sid_statements.md#sidorder) and [`sidcontext`](cil_sid_statements.md#sidcontext) statement. 4. The role `object_r` must be explicitly associated to contexts used for labeling objects. The original **`checkpolicy`**`(8)` and **`checkmodule`**`(8)` compilers did this by default - CIL does not. 5. Be aware that CIL allows [`class`](cil_class_and_permission_statements.md#class) statements to be declared in a namespace, however the policy author needs to note that applications (and the kernel) generally reference a class by its well known class identifier (e.g. `zygote`) however if declared in a namespace (e.g. `(block zygote (class zygote (...)))` or `(block zygote (class class (...)))`) it would be prefixed with that namespace (e.g. `zygote.zygote` or `zygote.class`). Unless the application / kernel code was updated the class would never be resolved, therefore it is recommended that classes are declared in the global namespace. 6. 
Where possible use [`typeattribute`](cil_type_statements.md#typeattribute)'s when defining source/target [`allow`](cil_access_vector_rules.md#allow) rules instead of multiple [`allow`](cil_access_vector_rules.md#allow) rules with individual [`type`](cil_type_statements.md#type)'s. This will lead to the generation of much smaller kernel policy files.

7. The [http://github.com/SELinuxProject/cil/wiki](http://github.com/SELinuxProject/cil/wiki) site explains the language however some of the statement definitions are dated.

Declarations
------------

Declarations may be named or anonymous and have three different forms:

1. Named declarations - These create new objects that introduce a name or identifier, for example:

    `(type process)` - creates a [`type`](cil_type_statements.md#type) with an identifier of `process`.

    `(typeattribute domain)` - creates a [`typeattribute`](cil_type_statements.md#typeattribute) with an identifier of `domain`.

    `(class file (read write))` - creates a [`class`](cil_class_and_permission_statements.md#class) with an identifier of `file` that has `read` and `write` permissions associated to it.

    The list of declaration type statement keywords are:

    block optional common class classmap classmapping sid user role roleattribute type classpermission classpermissionset typeattribute typealias tunable sensitivity sensitivityalias category categoryalias categoryset level levelrange context ipaddr macro policycap

2. Explicit anonymous declarations - These are currently restricted to IP addresses where they can be declared directly in statements by enclosing them within parentheses e.g. `(127.0.0.1)` or `(::1)`. See the [Network Labeling Statements](#network_labeling) section for examples.

3. Anonymous declarations - These have been previously declared and the object already exists, therefore they may be referenced by their name or identifier within statements.
For example the following declare all the components required to specify a context:

```secil
(sensitivity s0)
(category c0)
(role object_r)

(block unconfined
    (user user)
    (type object)
)
```

now a [`portcon`](cil_network_labeling_statements.md#portcon) statement can be defined that uses these individual components to build a context as follows:

```secil
(portcon udp 12345 (unconfined.user object_r unconfined.object ((s0) (s0(c0)))))
```

Definitions
-----------

Statements that build on the objects, for example:

- `(typeattributeset domain (process))` - Adds the [`type`](cil_type_statements.md#type) '`process`' to the [`typeattribute`](cil_type_statements.md#typeattribute) '`domain`'.

- `(allow domain process (file (read write)))` - Adds an [`allow`](cil_access_vector_rules.md#allow) rule referencing `domain`, `process` and the `file class`.

Definitions may be repeated many times throughout the policy. Duplicates will resolve to a single definition during compilation.

Symbol Character Set
--------------------

Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `\.@=/-_$%@+!|&^:`

However symbols are checked for any specific character set limitations, for example:

- Names or identifiers must start with an alpha character `[a-z A-Z]`, the remainder may be alphanumeric `[a-z A-Z] [0-9]` characters plus underscore `[_]` or hyphen `[-]`.

- IP addresses must conform to IPv4 or IPv6 format.

- Memory, ports, irqs must be numeric `[0-9]`.

String Character Set
--------------------

Strings are enclosed within double quotes (e.g. `"This is a string"`), and may contain any character except the double quote (").

Comments
--------

Comments start with a semicolon '`;`' and end when a new line is started.

Namespaces
----------

CIL supports namespaces via containers such as the [`block`](cil_container_statements.md#block) statement.
When a block is resolved to form the parent / child relationship a dot '`.`' is used, for example the following [`allow`](cil_access_vector_rules.md#allow) rule: ```secil (block example_ns (type process) (type object) (class file (open read write getattr)) (allow process object (file (open read getattr))) ) ``` will resolve to the following kernel policy language statement: ``` allow example_ns.process example_ns.object : example_ns.file { open read getattr }; ``` Global Namespace ---------------- CIL has a global namespace that is always present. Any symbol that is declared outside a container is in the global namespace. To reference a symbol in global namespace, the symbol should be prefixed with a dot '`.`' as shown in the following example: ```secil ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; This example has three namespace 'tmpfs' types declared: ; 1) Global .tmpfs ; 2) file.tmpfs ; 3) other_ns.tmpfs ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; This type is the global tmpfs: (type tmpfs) (block file ; file namespace tmpfs (type tmpfs) (class file (open read write getattr)) ; This rule will reference the local namespace for src and tgt: (allow tmpfs tmpfs (file (open))) ; Resulting policy rule: ; allow file.tmpfs file.tmpfs : file.file open; ; This rule will reference the local namespace for src and global for tgt: (allow tmpfs .tmpfs (file (read))) ; Resulting policy rule: ; allow file.tmpfs tmpfs : file.file read; ; This rule will reference the global namespace for src and tgt: (allow .tmpfs .tmpfs (file (write))) ; Resulting policy rule: ; allow tmpfs tmpfs : file.file write; ; This rule will reference the other_ns namespace for src and ; local namespace for tgt: (allow other_ns.tmpfs tmpfs (file (getattr))) ; Resulting policy rule: ; allow other_ns.tmpfs file.tmpfs : file.file getattr; ) (block other_ns (type tmpfs) ) ``` Should the symbol not be prefixed with a dot, the current namespace would be searched first and then the global namespace 
(provided there is not a symbol of that name in the current namespace). Expressions ----------- Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) CIL expressions use the [prefix](http://www.cs.man.ac.uk/~pjj/cs212/fix.html) or Polish notation and may be nested (note that the kernel policy language uses infix notation). The syntax is as follows, where the parenthesis are part of the syntax: ``` expr_set = (name ... | expr ...) expr = (expr_key expr_set ...) expr_key = and | or | xor | not | all | eq | neq | dom | domby | incomp | range ``` The number of `expr_set`'s in an `expr` is dependent on the statement type (there are four different classes as defined below) that also influence the valid `expr_key` entries (e.g. `dom`, `domby`, `incomp` are only allowed in constraint statements). 
| expr_key | classpermissionset roleattributeset typeattributeset | categoryset | booleanif tunableif | constrain mlsconstrain validatetrans mlsvalidatetrans |
|:----------:|:----------:|:----------:|:----------:|:----------:|
| **`dom`** | | | | **X** |
| **`domby`** | | | | **X** |
| **`incomp`** | | | | **X** |
| **`eq`** | | | **X** | **X** |
| **`neq`** | | | **X** | **X** |
| **`and`** | **X** | **X** | **X** | **X** |
| **`or`** | **X** | **X** | **X** | **X** |
| **`not`** | **X** | **X** | **X** | **X** |
| **`xor`** | **X** | **X** | **X** | |
| **`all`** | **X** | **X** | | |
| **`range`** | | **X** | | |

1. The [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`roleattributeset`](cil_role_statements.md#roleattributeset) and [`typeattributeset`](cil_type_statements.md#typeattributeset) statements allow `expr_set` to mix names and `expr`s with `expr_key` values of: `and`, `or`, `xor`, `not`, `all` as shown in the examples:

    This example includes all `fs_type type` entries except `file.usermodehelper` and `file.proc_security` in the associated [`typeattribute`](cil_type_statements.md#typeattribute) identifier `all_fs_type_except_usermodehelper_and_proc_security`:

    ```secil
    (typeattribute all_fs_type_except_usermodehelper_and_proc_security)

    (typeattributeset all_fs_type_except_usermodehelper_and_proc_security
        (and
            (and
                fs_type
                (not file.usermodehelper)
            )
            (not file.proc_security)
        )
    )
    ```

    The `cps_1 classpermissionset` identifier includes all permissions except `load_policy` and `setenforce`:

    ```secil
    (class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy))

    (classpermission cps_1)

    (classpermissionset cps_1 (security (not (load_policy setenforce))))
    ```

    This example includes all permissions in the associated [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset) identifier
`security_all_perms`: ```secil (class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy) ) (classpermission security_all_perms) (classpermissionset security_all_perms (security (all))) ``` 2. The [`categoryset`](cil_mls_labeling_statements.md#categoryset) statement allows `expr_set` to mix names and `expr_key` values of: `and`, `or`, `not`, `xor`, `all`, `range` as shown in the examples. Category expressions are also allowed in [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory), [`level`](cil_mls_labeling_statements.md#level), and [`levelrange`](cil_mls_labeling_statements.md#levelrange) statements. 3. The [`booleanif`](cil_conditional_statements.md#booleanif) and [`tunableif`](cil_conditional_statements.md#tunableif) statements only allow an `expr_set` to have one `name` or `expr` with `expr_key` values of `and`, `or`, `xor`, `not`, `eq`, `neq` as shown in the examples: ```secil (booleanif disableAudio (false (allow process device.audio_device (chr_file_set (rw_file_perms))) ) ) (booleanif (and (not disableAudio) (not disableAudioCapture)) (true (allow process device.audio_capture_device (chr_file_set (rw_file_perms))) ) ) ``` 4. The [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans) and [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statements only allow an `expr_set` to have one `name` or `expr` with `expr_key` values of `and`, `or`, `not`, `all`, `eq`, `neq`, `dom`, `domby`, `incomp`. When `expr_key` is `dom`, `domby` or `incomp`, it must be followed by a string (e.g. `h1`, `l2`) and another string or a set of `name`s. 
The following examples show CIL constraint statements and their policy language equivalents: ```secil ; Process transition: Require equivalence unless the subject is trusted. (mlsconstrain (process (transition dyntransition)) (or (and (eq h1 h2) (eq l1 l2)) (eq t1 mlstrustedsubject))) ; The equivalent policy language mlsconstrain statement is: ;mlsconstrain process { transition dyntransition } ; ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); ; Process read operations: No read up unless trusted. (mlsconstrain (process (getsched getsession getpgid getcap getattr ptrace share)) (or (dom l1 l2) (eq t1 mlstrustedsubject))) ; The equivalent policy language mlsconstrain statement is: ;mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } ; (l1 dom l2 or t1 == mlstrustedsubject); ``` Name String ----------- Used to define [`macro`](cil_call_macro_statements.md#macro) statement parameter string types: ```secil (call macro1("__kmsg__")) (macro macro1 ((string ARG1)) (typetransition audit.process device.device chr_file ARG1 device.klog_device) ) ``` Alternatively: ```secil (call macro1("__kmsg__")) (macro macro1 ((name ARG1)) (typetransition audit.process device.device chr_file ARG1 device.klog_device) ) ``` secilc-3.8.1/docs/cil_role_statements.md000066400000000000000000000217601476211737200203160ustar00rootroot00000000000000Role Statements =============== role ---- Declares a role identifier in the current namespace. **Statement definition:** ```secil (role role_id) ``` **Where:**

role

The role keyword.

role_id

The role identifier.

**Example:**

This example declares two roles: `object_r` in the global namespace and `unconfined.role`:

```secil
(role object_r)

(block unconfined
    (role role)
)
```

roletype
--------

Authorises a [`role`](cil_role_statements.md#role) to access a [`type`](cil_type_statements.md#type) identifier.

**Statement definition:**

```secil
(roletype role_id type_id)
```

**Where:**

roletype

The roletype keyword.

role_id

A single previously declared role or roleattribute identifier.

type_id

A single previously declared type, typealias or typeattribute identifier.

**Example:** This example will declare [`role`](cil_role_statements.md#role) and [`type`](cil_type_statements.md#type) identifiers, then associate them: ```secil (block unconfined (role role) (type process) (roletype role process) ) ``` roleattribute ------------- Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`roleattributeset`](cil_role_statements.md#roleattributeset) statement. **Statement definition:** ```secil (roleattribute roleattribute_id) ``` **Where:**

roleattribute

The roleattribute keyword.

roleattribute_id

The roleattribute identifier.

**Example:** This example will declare a role attribute `roles.role_holder` that will have an empty set: ```secil (block roles (roleattribute role_holder) ) ``` roleattributeset ---------------- Allows the association of one or more previously declared [`role`](cil_role_statements.md#role) identifiers to a [`roleattribute`](cil_role_statements.md#roleattribute) identifier. Expressions may be used to refine the associations as shown in the examples. **Statement definition:** ```secil (roleattributeset roleattribute_id (role_id ... | expr ...)) ``` **Where:**

roleattributeset

The roleattributeset keyword.

roleattribute_id

A single previously declared roleattribute identifier.

role_id

Zero or more previously declared role or roleattribute identifiers.

Note that there must be at least one role_id or expr parameter declared.

expr

Zero or more expr's, the valid operators and syntax are:

(and (role_id ...) (role_id ...))

(or (role_id ...) (role_id ...))

(xor (role_id ...) (role_id ...))

(not (role_id ...))

(all)

**Example:** This example will declare three roles and two role attributes, then associate all the roles to them as shown: ```secil (block roles (role role_1) (role role_2) (role role_3) (roleattribute role_holder) (roleattributeset role_holder (role_1 role_2 role_3)) (roleattribute role_holder_all) (roleattributeset role_holder_all (all)) ) ``` roleallow --------- Authorise the current role to assume a new role. Notes: - May require a [`roletransition`](cil_role_statements.md#roletransition) rule to ensure transition to the new role. - This rule is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) statements. **Statement definition:** ```secil (roleallow current_role_id new_role_id) ``` **Where:**

roleallow

The roleallow keyword.

current_role_id

A single previously declared role or roleattribute identifier.

new_role_id

A single previously declared role or roleattribute identifier.

**Example:** See the [`roletransition`](cil_role_statements.md#roletransition) statement for an example. roletransition -------------- Specify a role transition from the current role to a new role when computing a context for the target type. The [`class`](cil_class_and_permission_statements.md#class) identifier would normally be `process`, however for kernel versions 2.6.39 with policy version \>= 25 and above, any valid class may be used. Note that a [`roleallow`](cil_role_statements.md#roleallow) rule must be used to authorise the transition. **Statement definition:** ```secil (roletransition current_role_id target_type_id class_id new_role_id) ``` **Where:**

roletransition

The roletransition keyword.

current_role_id

A single previously declared role or roleattribute identifier.

target_type_id

A single previously declared type, typealias or typeattribute identifier.

class_id

A single previously declared class or classmap identifier.

new_role_id

A single previously declared role identifier to be set on transition.

**Example:** This example will authorise the `unconfined.role` to assume the `msg_filter.role` role, and then transition to that role: ```secil (block ext_gateway (type process) (type exec) (roletype msg_filter.role process) (roleallow unconfined.role msg_filter.role) (roletransition unconfined.role exec process msg_filter.role) ) ``` rolebounds ---------- Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent. Notes: - It is not possible to bind the parent role to more than one child role. - While this is added to the binary policy, it is not enforced by the SELinux kernel services. **Statement definition:** ```secil (rolebounds parent_role_id child_role_id) ``` **Where:**

rolebounds

The rolebounds keyword.

parent_role_id

A single previously declared role identifier.

child_role_id

A single previously declared role identifier.

**Example:** In this example the role `test` cannot have greater privileges than `unconfined.role`: ```secil (role test) (block unconfined (role role) (rolebounds role .test) ) ``` secilc-3.8.1/docs/cil_sid_statements.md000066400000000000000000000056651476211737200201420ustar00rootroot00000000000000SID Statements ============== sid --- Declares a new SID identifier in the current namespace. **Statement definition:** ```secil (sid sid_id) ``` **Where:**

sid

The sid keyword.

sid_id

The sid identifier.

**Examples:** These examples show three [`sid`](cil_sid_statements.md#sid) declarations: ```secil (sid kernel) (sid security) (sid igmp_packet) ``` sidorder -------- Defines the order of [sid](#sid)'s. This is a mandatory statement when SIDs are defined. Multiple [`sidorder`](cil_sid_statements.md#sidorder) statements declared in the policy will form an ordered list. **Statement definition:** ```secil (sidorder (sid_id ...)) ``` **Where:**

sidorder

The sidorder keyword.

sid_id

One or more sid identifiers.

**Example:** This will produce an ordered list of "`kernel security unlabeled`" ```secil (sid kernel) (sid security) (sid unlabeled) (sidorder (kernel security)) (sidorder (security unlabeled)) ``` sidcontext ---------- Associates an SELinux security [context](#context) to a previously declared [`sid`](cil_sid_statements.md#sid) identifier. **Statement definition:** ```secil (sidcontext sid_id context_id) ``` **Where:**

sidcontext

The sidcontext keyword.

sid_id

A single previously declared sid identifier.

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Examples:** This shows two named security context examples plus an anonymous context: ```secil ; Two named context: (sid kernel) (context kernel_context (u r process low_low)) (sidcontext kernel kernel_context) (sid security) (context security_context (u object_r process low_low)) (sidcontext security security_context) ; An anonymous context: (sid unlabeled) (sidcontext unlabeled (u object_r ((s0) (s0)))) ``` secilc-3.8.1/docs/cil_type_statements.md000066400000000000000000000441511476211737200203350ustar00rootroot00000000000000Type Statements =============== type ---- Declares a type identifier in the current namespace. **Statement definition:** ```secil (type type_id) ``` **Where:**

type

The type keyword.

type_id

The type identifier.

**Example:** This example declares a type identifier `bluetooth.process`: ```secil (block bluetooth (type process) ) ``` typealias --------- Declares a type alias in the current namespace. **Statement definition:** ```secil (typealias typealias_id) ``` **Where:**

typealias

The typealias keyword.

typealias_id

The typealias identifier.

**Example:** See the [`typealiasactual`](cil_type_statements.md#typealiasactual) statement for an example that associates the [`typealias`](cil_type_statements.md#typealias) identifier. typealiasactual --------------- Associates a previously declared [`typealias`](cil_type_statements.md#typealias) identifier to a previously declared [`type`](cil_type_statements.md#type) identifier. **Statement definition:** ```secil (typealiasactual typealias_id type_id) ``` **Where:**

typealiasactual

The typealiasactual keyword.

typealias_id

A single previously declared typealias identifier.

type_id

A single previously declared type identifier.

**Example:** This example will alias `unconfined.process` as `unconfined_t` in the global namespace: ```secil (typealias unconfined_t) (typealiasactual unconfined_t unconfined.process) (block unconfined (type process) ) ``` typeattribute ------------- Declares a type attribute identifier in the current namespace. The identifier may have zero or more [`type`](cil_type_statements.md#type), [`typealias`](cil_type_statements.md#typealias) and [`typeattribute`](cil_type_statements.md#typeattribute) identifiers associated to it via the [`typeattributeset`](cil_type_statements.md#typeattributeset) statement. **Statement definition:** ```secil (typeattribute typeattribute_id) ``` **Where:**

typeattribute

The typeattribute keyword.

typeattribute_id

The typeattribute identifier.

**Example:** This example declares a type attribute `domain` in global namespace that will have an empty set: ```secil (typeattribute domain) ``` typeattributeset ---------------- Allows the association of one or more previously declared [`type`](cil_type_statements.md#type), [`typealias`](cil_type_statements.md#typealias) or [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to a [`typeattribute`](cil_type_statements.md#typeattribute) identifier. Expressions may be used to refine the associations as shown in the examples. **Statement definition:** ```secil (typeattributeset typeattribute_id (type_id ... | expr ...)) ``` **Where:**

typeattributeset

The typeattributeset keyword.

typeattribute_id

A single previously declared typeattribute identifier.

type_id

Zero or more previously declared type, typealias or typeattribute identifiers.

Note that there must be at least one type_id or expr parameter declared.

expr

Zero or more expr entries; the valid operators and syntax are:

(and (type_id ...) (type_id ...))

(or (type_id ...) (type_id ...))

(xor (type_id ...) (type_id ...))

(not (type_id ...))

(all)

**Examples:** This example will take all the policy types and exclude those in `appdomain`. It is equivalent to `~appdomain` in the kernel policy language. ```secil (typeattribute not_in_appdomain) (typeattributeset not_in_appdomain (not (appdomain))) ``` This example is equivalent to `{ domain -kernel.process -ueventd.process -init.process }` in the kernel policy language: ```secil (typeattribute na_kernel_or_ueventd_or_init_in_domain) (typeattributeset na_kernel_or_ueventd_or_init_in_domain (and (and (and (domain) (not (kernel.process)) ) (not (ueventd.process)) ) (not (init.process)) ) ) ``` expandtypeattribute ------------------- Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers. This rule gives more control over type attribute expansion and removal. When the value is true, all rules involving the type attribute will be expanded and the type attribute will be removed from the policy. When the value is false, the type attribute will not be removed from the policy, even if the default expand rules or "-X" option cause the rules involving the type attribute to be expanded. **Statement definition:** ```secil (expandtypeattribute typeattribute_id expand_value) ``` **Where:**

expandtypeattribute

The expandtypeattribute keyword.

typeattribute_id

One or more previously declared typeattribute identifiers. Multiple entries consist of a space separated list enclosed in parentheses '()'.

expand_value

Either true or false.

**Examples:** This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. ```secil (expandtypeattribute domain true) ``` This example uses the expandtypeattribute statement to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults. ```secil (expandtypeattribute (file_type port_type) false) ``` typebounds ---------- This defines a hierarchical relationship between domains where the bounded domain cannot have more permissions than its bounding domain (the parent). Requires kernel 2.6.28 and above to control the security context associated to threads in multi-threaded applications. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the bounding. **Statement definition:** ```secil (typebounds parent_type_id child_type_id) ``` **Where:**

typebounds

The typebounds keyword.

parent_type_id

A single previously declared type or typealias identifier that is the parent domain.

child_type_id

A single previously declared type or typealias identifier that is the bound (child) domain.

**Example:** In this example the `httpd.child.process` cannot have `file (write)` due to lack of permissions on `httpd.process` which is the parent. It means the child domain will always have equal or less privileges than the parent: ```secil (class file (getattr read write)) (block httpd (type process) (type object) (typebounds process child.process) ; The parent is allowed file 'getattr' and 'read': (allow process object (file (getattr read))) (block child (type process) (type object) ; However the child process has been given 'write' access that will be denied. (allow process httpd.object (file (read write))) ) ) ``` typechange ---------- The type change rule is used to define a different label of an object for userspace SELinux-aware applications. These applications would use **`security_compute_relabel`**`(3)` and [`typechange`](cil_type_statements.md#typechange) rules in the policy to determine the new context to be applied. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the change. **Statement definition:** ```secil (typechange source_type_id target_type_id class_id change_type_id) ``` **Where:**

typechange

The typechange keyword.

source_type_id

A single previously declared type, typealias or typeattribute identifier.

target_type_id

A single previously declared type, typealias or typeattribute identifier.

class_id

A single previously declared class or classmap identifier.

change_type_id

A single previously declared type or typealias identifier that will become the new type.

**Example:** Whenever **`security_compute_relabel`**`(3)` is called with the following parameters: ` scon=unconfined.object tcon=unconfined.object class=file` the function will return a context of: ` unconfined.object:object_r:unconfined.change_label:s0` ```secil (class file (getattr read write)) (block unconfined (type process) (type object) (type change_label) (typechange object object file change_label) ) ``` typemember ---------- The type member rule is used to define a new polyinstantiated label of an object for SELinux-aware applications. These applications would use **`avc_compute_member`**`(3)` or **`security_compute_member`**`(3)` with the [`typemember`](cil_type_statements.md#typemember) rules in the policy to determine the context to be applied. The application would then manage any required polyinstantiation. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the membership. **Statement definition:** ```secil (typemember source_type_id target_type_id class_id member_type_id) ``` **Where:**

typemember

The typemember keyword.

source_type_id

A single previously declared type, typealias or typeattribute identifier.

target_type_id

A single previously declared type, typealias or typeattribute identifier.

class_id

A single previously declared class or classmap identifier.

member_type_id

A single previously declared type or typealias identifier that will become the new member type.

**Example:** Whenever **`avc_compute_member`**`(3)` or **`security_compute_member`**`(3)` is called with the following parameters: ` scon=unconfined.object tcon=unconfined.object class=file` the function will return a context of: ` unconfined.object:object_r:unconfined.member_label:s0` ```secil (class file (getattr read write)) (block unconfined (type process) (type object) (type change_label) (typemember object object file member_label) ) ``` typetransition -------------- The type transition rule specifies the labeling and object creation allowed between the `source_type` and `target_type` when a domain transition is requested. Kernels from 2.6.39 with policy versions from 25 and above also support a 'name transition' rule; however, this is not allowed inside conditionals and currently only supports the file classes. Note that an [`allow`](cil_access_vector_rules.md#allow) rule must be used to authorise the transition. **Statement definition:** ```secil (typetransition source_type_id target_type_id class_id [object_name] default_type_id) ``` **Where:**

typetransition

The typetransition keyword.

source_type_id

A single previously declared type, typealias or typeattribute identifier.

target_type_id

A single previously declared type, typealias or typeattribute identifier.

class_id

A single previously declared class or classmap identifier.

object_name

An optional string within double quotes representing an object name for the 'name transition' rule. This string will be matched against the object's name (if a path, then the last component of that path). If the string matches exactly, the default_type_id will then become the new type.

default_type_id

A single previously declared type or typealias identifier that will become the new type.

**Examples:** This example shows a process transition rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule: ```secil (macro domain_auto_trans ((type ARG1) (type ARG2) (type ARG3)) ; Allow the necessary permissions. (call domain_trans (ARG1 ARG2 ARG3)) ; Make the transition occur by default. (typetransition ARG1 ARG2 process ARG3) ) ``` This example shows a file object transition rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule: ```secil (macro tmpfs_domain ((type ARG1)) (type tmpfs) (typeattributeset file_type (tmpfs)) (typetransition ARG1 file.tmpfs file tmpfs) (allow ARG1 tmpfs (file (read write execute execmod))) ) ``` This example shows the 'name transition' rule with its supporting [`allow`](cil_access_vector_rules.md#allow) rule: ```secil (macro write_klog ((type ARG1)) (typetransition ARG1 device.device chr_file "__kmsg__" device.klog_device) (allow ARG1 device.klog_device (chr_file (create open write unlink))) (allow ARG1 device.device (dir (write add_name remove_name))) ) ``` typepermissive -------------- Policy database version 23 introduced the permissive statement to allow the named domain to run in permissive mode instead of running all SELinux domains in permissive mode (that was the only option prior to version 23). Note that the permissive statement only tests the source context for any policy denial. **Statement definition:** ```secil (typepermissive source_type_id) ``` **Where:**

typepermissive

The typepermissive keyword.

source_type_id

A single previously declared type or typealias identifier.

**Example:** This example will allow SELinux to run the `healthd.process` domain in permissive mode even when enforcing is enabled; access that the policy would deny to this domain is then logged but still allowed: ```secil (block healthd (type process) (typepermissive process) (allow ...) ) ``` secilc-3.8.1/docs/cil_user_statements.md000066400000000000000000000321401476211737200203250ustar00rootroot00000000000000User Statements =============== user ---- Declares an SELinux user identifier in the current namespace. **Statement definition:** ```secil (user user_id) ``` **Where:**

user

The user keyword.

user_id

The SELinux user identifier.

**Example:** This will declare an SELinux user as `unconfined.user`: ```secil (block unconfined (user user) ) ``` userrole -------- Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`role`](cil_role_statements.md#role) identifier. **Statement definition:** ```secil (userrole user_id role_id) ``` **Where:**

userrole

The userrole keyword.

user_id

A previously declared SELinux user or userattribute identifier.

role_id

A previously declared role or roleattribute identifier.

**Example:** This example will associate `unconfined.user` to `unconfined.role`: ```secil (block unconfined (user user) (role role) (userrole user role) ) ``` userattribute ------------- Declares a user attribute identifier in the current namespace. The identifier may have zero or more [`user`](cil_user_statements.md#user) and [`userattribute`](cil_user_statements.md#userattribute) identifiers associated to it via the [`userattributeset`](cil_user_statements.md#userattributeset) statement. **Statement definition:** ```secil (userattribute userattribute_id) ``` **Where:**

userattribute

The userattribute keyword.

userattribute_id

The userattribute identifier.

**Example:** This example will declare a user attribute `users.user_holder` that will have an empty set: ```secil (block users (userattribute user_holder) ) ``` userattributeset ---------------- Allows the association of one or more previously declared [`user`](cil_user_statements.md#user) or [`userattribute`](cil_user_statements.md#userattribute) identifiers to a [`userattribute`](cil_user_statements.md#userattribute) identifier. Expressions may be used to refine the associations as shown in the examples. **Statement definition:** ```secil (userattributeset userattribute_id (user_id ... | expr ...)) ``` **Where:**

userattributeset

The userattributeset keyword.

userattribute_id

A single previously declared userattribute identifier.

user_id

Zero or more previously declared user or userattribute identifiers.

Note that there must be at least one user_id or expr parameter declared.

expr

Zero or more expr entries; the valid operators and syntax are:

(and (user_id ...) (user_id ...))

(or (user_id ...) (user_id ...))

(xor (user_id ...) (user_id ...))

(not (user_id ...))

(all)

**Example:** This example will declare three users and two user attributes, then associate all the users to them as shown: ```secil (block users (user user_1) (user user_2) (user user_3) (userattribute user_holder) (userattributeset user_holder (user_1 user_2 user_3)) (userattribute user_holder_all) (userattributeset user_holder_all (all)) ) ``` userlevel --------- Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`level`](cil_mls_labeling_statements.md#level) identifier. The [`level`](cil_mls_labeling_statements.md#level) may be named or anonymous. **Statement definition:** ```secil (userlevel user_id level_id) ``` **Where:**

userlevel

The userlevel keyword.

user_id

A previously declared SELinux user identifier.

level_id

A previously declared level identifier. This may consist of a single sensitivity with zero or more mixed named and anonymous categories, as discussed in the level statement.

**Example:** This example will associate `unconfined.user` with a named [`level`](cil_mls_labeling_statements.md#level) of `systemlow`: ```secil (sensitivity s0) (level systemlow (s0)) (block unconfined (user user) (userlevel user systemlow) ; An anonymous example: ;(userlevel user (s0)) ) ``` userrange --------- Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`levelrange`](cil_mls_labeling_statements.md#levelrange) identifier. The [`levelrange`](cil_mls_labeling_statements.md#levelrange) may be named or anonymous. **Statement definition:** ```secil (userrange user_id levelrange_id) ``` **Where:**

userrange

The userrange keyword.

user_id

A previously declared SELinux user identifier.

levelrange_id

A previously declared levelrange identifier. This may be formed by named or anonymous components as discussed in the levelrange statement and shown in the examples.

**Example:** This example will associate `unconfined.user` with a named [`levelrange`](cil_mls_labeling_statements.md#levelrange) of `low_high`, other anonymous examples are also shown: ```secil (category c0) (category c1) (categoryorder (c0 c1)) (sensitivity s0) (sensitivity s1) (sensitivityorder (s0 s1)) (sensitivitycategory s0 (c0 c1)) (level systemLow (s0)) (level systemHigh (s0 (c0 c1))) (levelrange low_high (systemLow systemHigh)) (block unconfined (user user) (role role) (userrole user role) ; Named example: (userrange user low_high) ; Anonymous examples: ;(userrange user (systemLow systemHigh)) ;(userrange user (systemLow (s0 (c0 c1)))) ;(userrange user ((s0) (s0 (c0 c1)))) ) ``` userbounds ---------- Defines a hierarchical relationship between users where the child user cannot have more privileges than the parent. Notes: - It is not possible to bind the parent to more than one child. - While this is added to the binary policy, it is not enforced by the SELinux kernel services. **Statement definition:** ```secil (userbounds parent_user_id child_user_id) ``` **Where:**

userbounds

The userbounds keyword.

parent_user_id

A previously declared SELinux user identifier.

child_user_id

A previously declared SELinux user identifier.

**Example:** The user `test` cannot have greater privileges than `unconfined.user`: ```secil (user test) (unconfined (user user) (userbounds user .test) ) ``` userprefix ---------- Declare a user prefix that will be replaced by the file labeling utilities described at [http://selinuxproject.org/page/PolicyStoreConfigurationFiles](http://selinuxproject.org/page/PolicyStoreConfigurationFiles#file_contexts.template_File) that details the `file_contexts` entries. **Statement definition:** ```secil (userprefix user_id prefix) ``` **Where:**

userprefix

The userprefix keyword.

user_id

A previously declared SELinux user identifier.

prefix

The string to be used by the file labeling utilities.

**Example:** This example will associate `unconfined.admin` user with a prefix of "[`user`](cil_user_statements.md#user)": ```secil (block unconfined (user admin) (userprefix admin user) ) ``` selinuxuser ----------- Associates a GNU/Linux user to a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared MLS [`userrange`](cil_user_statements.md#userrange). Note that the [`userrange`](cil_user_statements.md#userrange) is required even if the policy is non-MCS/MLS. **Statement definition:** ```secil (selinuxuser user_name user_id userrange_id) ``` **Where:**

selinuxuser

The selinuxuser keyword.

user_name

A string representing the GNU/Linux user name

user_id

A previously declared SELinux user identifier.

userrange_id

A previously declared userrange identifier that has been associated to the user identifier. This may be formed by named or anonymous components as discussed in the userrange statement and shown in the examples.

**Example:** This example will associate `unconfined.admin` user with a GNU / Linux user "`admin_1`": ```secil (block unconfined (user admin) (selinuxuser admin_1 admin low_low) ) ``` selinuxuserdefault ------------------ Declares the default SELinux user. Only one [`selinuxuserdefault`](cil_user_statements.md#selinuxuserdefault) statement is allowed in the policy. Note that the [`userrange`](cil_user_statements.md#userrange) identifier is required even if the policy is non-MCS/MLS. **Statement definition:** ```secil (selinuxuserdefault user_id userrange_id) ``` **Where:**

selinuxuserdefault

The selinuxuserdefault keyword.

user_id

A previously declared SELinux user identifier.

userrange_id

A previously declared userrange identifier that has been associated to the user identifier. This may be formed by named or anonymous components as discussed in the userrange statement and shown in the examples.

**Example:** This example will define the `unconfined.user` as the default SELinux user: ```secil (block unconfined (user user) (selinuxuserdefault user low_low) ) ``` secilc-3.8.1/docs/cil_xen_statements.md000066400000000000000000000134321476211737200201440ustar00rootroot00000000000000Xen Statements ============== Policy version 30 introduced the [`devicetreecon`](cil_xen_statements.md#devicetreecon) statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (32-bit count of 4K pages). See the ["XSM/FLASK Configuration"](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) document for further information (<http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt>). iomemcon -------- Label i/o memory. This may be a single memory location or a range. **Statement definition:** ```secil (iomemcon mem_addr|(mem_low mem_high) context_id) ``` **Where:**

iomemcon

The iomemcon keyword.

mem_addr |

(mem_low mem_high)

A single memory address to apply the context, or a range of addresses.

The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for a memory address range of `0xfebe0-0xfebff`: ```secil (iomemcon (1043424 1043455) (unconfined.user object_r unconfined.object low_low)) ``` ioportcon --------- Label i/o ports. This may be a single port or a range. **Statement definition:** ```secil (ioportcon port|(port_low port_high) context_id) ``` **Where:**

ioportcon

The ioportcon keyword.

port |

(port_low port_high)

A single port to apply the context, or a range of ports.

The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for a single port of `0xecc0`: ```secil (ioportcon 60608 (unconfined.user object_r unconfined.object low_low)) ``` pcidevicecon ------------ Label a PCI device. **Statement definition:** ```secil (pcidevicecon device context_id) ``` **Where:**

pcidevicecon

The pcidevicecon keyword.

device

The device number. The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for a pci device address of `0xc800`: ```secil (pcidevicecon 51200 (unconfined.user object_r unconfined.object low_low)) ``` pirqcon ------- Label an interrupt level. **Statement definition:** ```secil (pirqcon irq_level context_id) ``` **Where:**

pirqcon

The pirqcon keyword.

irq_level

The interrupt request number. The entries must consist of numerics [0-9].

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for IRQ 33: ```secil (pirqcon 33 (unconfined.user object_r unconfined.object low_low)) ``` devicetreecon ------------- Label device tree nodes. **Statement definition:** ```secil (devicetreecon path context_id) ``` **Where:**

devicetreecon

The devicetreecon keyword.

path

The device tree path. If this contains spaces enclose within "".

context_id

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Example:** An anonymous context for the specified path: ```secil (devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low)) ``` secilc-3.8.1/docs/secil.xml000066400000000000000000000207551476211737200155610ustar00rootroot00000000000000 allow allowx auditallow auditallowx block blockabstract boolean booleanif category categoryalias categoryaliasactual categoryorder categoryset class classcommon classmap classmapping classorder classpermission classpermissionset common constrain context defaultrange defaultrole defaulttype defaultuser devicetreecon dontaudit dontauditx expandtypeattribute false filecon fsuse genfscon handleunknown ibendportcon ibpkeycon ioctl iomemcon ioportcon ipaddr level levelrange mls mlsconstrain mlsvalidatetrans netifcon neverallow neverallowx nodecon optional pcidevicecon perm permissionx pirqcon policycap portcon rangetransition role roleallow roleattribute roleattributeset rolebounds roletransition roletype selinuxuser selinuxuserdefault sensitivity sensitivityalias sensitivityaliasactual sensitivitycategory sensitivityorder sid sidcontext sidorder true tunable tunableif type typealias typealiasactual typeattribute typeattributeset typebounds typechange typemember typepermissive typetransition unordered user userattribute userattributeset userbounds userlevel userprefix userrange userrole validatetrans blockinherit call in macro and dom domby eq incomp neq not or range xor * all dccp false h1 h2 l1 l2 object_r r1 r2 r3 sctp self notself other t1 t2 t3 tcp true u1 u2 u3 udp secilc-3.8.1/docs/theme.theme000066400000000000000000000027551476211737200160660ustar00rootroot00000000000000{ "text-color": null, "background-color": null, "line-number-color": null, "line-number-background-color": null, "text-styles": { "String": { "text-color": "#049b0a", "background-color": null, "bold": false, "italic": false, "underline": false }, "SpecialChar": { "text-color": "#049b0a", "background-color": null, "bold": false, 
"italic": false, "underline": false }, "Function": { "text-color": "#ff9358", "background-color": null, "bold": true, "italic": false, "underline": false }, "Operator": { "text-color": "#43a8ed", "background-color": null, "bold": true, "italic": false, "underline": false }, "BuiltIn": { "text-color": "#ff6dd3", "background-color": null, "bold": true, "italic": false, "underline": false }, "Comment": { "text-color": "#bc7a00", "background-color": null, "bold": false, "italic": true, "underline": false }, "Keyword": { "text-color": "#28648e", "background-color": null, "bold": true, "italic": false, "underline": false } } } secilc-3.8.1/secil2conf.8.xml000066400000000000000000000075711476211737200157300ustar00rootroot00000000000000 JamesCarter SECIL2CONF 8 21 November 2016 secil2conf SELinux CIL to policy.conf Converter secil2conf invoke the SELinux Common Intermediate Language (CIL) to policy.conf converter secil2conf OPTION file DESCRIPTION secil2conf invokes the CIL to policy.conf converter with the specified arguments. OPTIONS Write policy.conf to file (default: policy.conf) Build an mls policy.conf. Must be true or false. This will override the (mls boolean) statement if present in the policy. Treat tunables as booleans. Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed. Increment verbosity level. Display usage information. SEE ALSO secilc 8 sestatus 8 HTML documentation describing the CIL language statements is available starting with docs/html/index.html. PDF documentation describing the CIL language statements is available at: docs/pdf/CIL_Reference_Guide.pdf. There is a CIL Design Wiki at: that describes the goals and features of the CIL language. secilc-3.8.1/secil2conf.c000066400000000000000000000135171476211737200152010ustar00rootroot00000000000000/* * Copyright 2011 Tresys Technology, LLC. All rights reserved. 
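* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * The views and conclusions contained in the software and documentation are those * of the authors and should not be interpreted as representing official policies, * either expressed or implied, of Tresys Technology, LLC. */
#include #include #include #include #include #include #ifdef ANDROID #include #else #include #endif #include

/*
 * Print the command-line help for the program named by `prog` to stdout
 * and terminate the process with exit status 1. Never returns.
 */
static __attribute__((__noreturn__)) void usage(const char *prog)
{
	printf("Usage: %s [OPTION]... FILE...\n", prog);
	printf("\n");
	printf("Options:\n");
	printf(" -o, --output= write policy.conf to \n");
	printf(" (default: policy.conf)\n");
	printf(" -M, --mls true|false write an mls policy. Must be true or false.\n");
	printf(" This will override the (mls boolean) statement\n");
	printf(" if present in the policy\n");
	printf(" -P, --preserve-tunables treat tunables as booleans\n");
	printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n");
	printf(" Blocks, blockinherits, blockabstracts, and\n");
	printf(" in-statements will not be allowed.\n");
	printf(" -v, --verbose increment verbosity level\n");
	printf(" -h, --help display usage information\n");
	exit(1);
}

/*
 * Entry point: parse the options, load every CIL file named on the command
 * line into a cil_db, compile it and write the result with
 * cil_write_policy_conf() to the -o path (default "policy.conf").
 *
 * Returns SEPOL_OK when the output was written, otherwise an error value.
 * Every failure path leaves a non-zero value in rc, so a script or build
 * step that checks the exit status does not treat a partially read input
 * or a truncated output as a successful conversion.
 */
int main(int argc, char *argv[])
{
	int rc = SEPOL_ERR;
	FILE *file = NULL;
	char *buffer = NULL;
	struct stat filedata;
	uint32_t file_size;
	char *output = NULL;
	struct cil_db *db = NULL;
	int mls = -1;
	int preserve_tunables = 0;
	int qualified_names = 0;
	int opt_char;
	int opt_index = 0;
	int write_failed;
	enum cil_log_level log_level = CIL_ERR;
	static struct option long_opts[] = {
		{"help", no_argument, 0, 'h'},
		{"verbose", no_argument, 0, 'v'},
		{"mls", required_argument, 0, 'M'},
		{"preserve-tunables", no_argument, 0, 'P'},
		{"qualified-names", no_argument, 0, 'Q'},
		{"output", required_argument, 0, 'o'},
		{0, 0, 0, 0}
	};
	int i;

	while (1) {
		opt_char = getopt_long(argc, argv, "o:hvM:PQ", long_opts, &opt_index);
		if (opt_char == -1) {
			break;
		}
		switch (opt_char) {
		case 'v':
			log_level++;
			break;
		case 'M':
			if (!strcasecmp(optarg, "true") || !strcasecmp(optarg, "1")) {
				mls = 1;
			} else if (!strcasecmp(optarg, "false") || !strcasecmp(optarg, "0")) {
				mls = 0;
			} else {
				usage(argv[0]);
			}
			break;
		case 'P':
			preserve_tunables = 1;
			break;
		case 'Q':
			qualified_names = 1;
			break;
		case 'o':
			/* A repeated -o replaces the earlier path. */
			free(output);
			output = strdup(optarg);
			if (output == NULL) {
				/*
				 * Without this check a failed strdup() would fall
				 * back to the default path and overwrite
				 * "policy.conf" instead of the requested file.
				 */
				fprintf(stderr, "Out of memory\n");
				return SEPOL_ERR;
			}
			break;
		case 'h':
			usage(argv[0]);
		case '?':
			/* An option getopt_long() rejects is skipped, not fatal. */
			break;
		default:
			fprintf(stderr, "Unsupported option: %s\n", optarg);
			usage(argv[0]);
		}
	}

	if (optind >= argc) {
		fprintf(stderr, "No cil files specified\n");
		usage(argv[0]);
	}

	cil_set_log_level(log_level);

	cil_db_init(&db);
	cil_set_preserve_tunables(db, preserve_tunables);
	cil_set_qualified_names(db, qualified_names);
	cil_set_mls(db, mls);
	cil_set_attrs_expand_generated(db, 0);
	cil_set_attrs_expand_size(db, 0);

	for (i = optind; i < argc; i++) {
		file = fopen(argv[i], "r");
		if (!file) {
			fprintf(stderr, "Could not open file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}

		/*
		 * Take the size from the stream that is already open rather
		 * than from the path, so the size used for the buffer belongs
		 * to the file that is actually read even if the path is
		 * replaced between the two calls.
		 */
		if (fstat(fileno(file), &filedata) == -1) {
			fprintf(stderr, "Could not stat file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}

		/* file_size is 32 bits wide; refuse a size that would be truncated. */
		if (filedata.st_size < 0 ||
		    (unsigned long long)filedata.st_size > UINT32_MAX) {
			fprintf(stderr, "File too large: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}
		file_size = filedata.st_size;

		buffer = malloc(file_size);
		if (!buffer) {
			fprintf(stderr, "Out of memory\n");
			rc = SEPOL_ERR;
			goto exit;
		}

		/*
		 * One item of file_size bytes: anything but 1 is a short read
		 * (an empty file is reported here as well). rc is set
		 * explicitly because fread()'s own 0 would otherwise become
		 * the return value of main, i.e. success.
		 */
		if (fread(buffer, file_size, 1, file) != 1) {
			fprintf(stderr, "Failure reading file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}
		fclose(file);
		file = NULL;

		rc = cil_add_file(db, argv[i], buffer, file_size);
		if (rc != SEPOL_OK) {
			fprintf(stderr, "Failure adding %s\n", argv[i]);
			goto exit;
		}

		free(buffer);
		buffer = NULL;
	}

	rc = cil_compile(db);
	if (rc != SEPOL_OK) {
		fprintf(stderr, "Failed to compile cildb: %d\n", rc);
		goto exit;
	}

	file = fopen(output != NULL ? output : "policy.conf", "w");
	if (file == NULL) {
		fprintf(stderr, "Failure opening policy.conf file for writing\n");
		rc = SEPOL_ERR;
		goto exit;
	}

	/* NOTE(review): the result of cil_write_policy_conf() is not used here; confirm whether it reports failures. */
	cil_write_policy_conf(file, db);

	/*
	 * Buffered output can still fail when it is flushed, so check both
	 * the stream error flag and fclose() before reporting success; an
	 * incomplete policy.conf must not look like a finished one.
	 */
	write_failed = ferror(file);
	if (fclose(file) != 0) {
		write_failed = 1;
	}
	file = NULL;
	if (write_failed) {
		fprintf(stderr, "Failure writing policy.conf file\n");
		rc = SEPOL_ERR;
		goto exit;
	}

	rc = SEPOL_OK;

exit:
	if (file != NULL) {
		fclose(file);
	}
	free(buffer);
	free(output);
	cil_db_destroy(&db);
	return rc;
}
secilc-3.8.1/secil2tree.8.xml000066400000000000000000000071601476211737200157340ustar00rootroot00000000000000 JamesCarter SECIL2TREE 8 05 April 2021 secil2tree SELinux CIL AST Writer secil2tree invoke the SELinux Common Intermediate Language (CIL) AST Writer secil2tree OPTION file DESCRIPTION secil2tree invokes the CIL AST Writer with the specified arguments. OPTIONS Write AST to file (default: stdout) Treat tunables as booleans. Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed. Write AST of phase phase. Must be parse, build, or resolve. (default: resolve) Increment verbosity level. Display usage information.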
SEE ALSO secilc 8 secil2conf 8 HTML documentation describing the CIL language statements is available starting with docs/html/index.html. PDF documentation describing the CIL language statements is available at: docs/pdf/CIL_Reference_Guide.pdf. secilc-3.8.1/secil2tree.c000066400000000000000000000143421476211737200152100ustar00rootroot00000000000000/* * Copyright 2011 Tresys Technology, LLC. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * The views and conclusions contained in the software and documentation are those * of the authors and should not be interpreted as representing official policies, * either expressed or implied, of Tresys Technology, LLC. 
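*/ #include #include #include #include #include #include #ifdef ANDROID #include #else #include #endif #include

/*
 * AST stage selected with -A/--ast-phase; main() maps each value to the
 * cil_write_*_ast() call of the same name.
 */
enum write_ast_phase {
	WRITE_AST_PHASE_PARSE = 0,
	WRITE_AST_PHASE_BUILD,
	WRITE_AST_PHASE_RESOLVE,
	WRITE_AST_PHASE_POST,
};

/*
 * Print the command-line help for prog on stdout and terminate the process
 * with exit status 1. Never returns.
 */
static __attribute__((__noreturn__)) void usage(const char *prog)
{
	printf("Usage: %s [OPTION]... FILE...\n", prog);
	printf("\n");
	printf("Options:\n");
	printf(" -o, --output= write AST to . (default: stdout)\n");
	printf(" -P, --preserve-tunables treat tunables as booleans\n");
	printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n");
	printf(" Blocks, blockinherits, blockabstracts, and\n");
	printf(" in-statements will not be allowed.\n");
	printf(" -A, --ast-phase= write AST of phase . Phase must be parse, \n");
	printf(" build, resolve, or post. (default: resolve)\n");
	printf(" -v, --verbose increment verbosity level\n");
	printf(" -h, --help display usage information\n");
	exit(1);
}

/*
 * secil2tree entry point.
 *
 * Parses the command line, reads every CIL file named after the options into
 * a CIL database and writes the AST of the phase chosen with -A (default:
 * resolve) to the -o path, or to stdout when no -o was given.
 *
 * Returns SEPOL_OK when the AST was written and flushed; every failure path
 * leaves a non-zero value in rc.
 */
int main(int argc, char *argv[])
{
	int rc = SEPOL_ERR;
	FILE *file = NULL;
	char *buffer = NULL;
	struct stat filedata;
	uint32_t file_size;
	char *output = NULL;
	struct cil_db *db = NULL;
	int preserve_tunables = 0;
	int qualified_names = 0;
	enum write_ast_phase write_ast = WRITE_AST_PHASE_RESOLVE;
	int opt_char;
	int opt_index = 0;
	enum cil_log_level log_level = CIL_ERR;
	static struct option long_opts[] = {
		{"help", no_argument, 0, 'h'},
		{"verbose", no_argument, 0, 'v'},
		{"preserve-tunables", no_argument, 0, 'P'},
		{"qualified-names", no_argument, 0, 'Q'},
		{"output", required_argument, 0, 'o'},
		{"ast-phase", required_argument, 0, 'A'},
		{0, 0, 0, 0}
	};
	int i;

	while (1) {
		opt_char = getopt_long(argc, argv, "o:hvPQA:", long_opts, &opt_index);
		if (opt_char == -1) {
			break;
		}
		switch (opt_char) {
			case 'v':
				log_level++;
				break;
			case 'P':
				preserve_tunables = 1;
				break;
			case 'Q':
				qualified_names = 1;
				break;
			case 'o':
				/* A repeated -o replaces the earlier value instead of leaking it. */
				free(output);
				output = strdup(optarg);
				if (output == NULL) {
					/* Without this check the AST would silently go to stdout. */
					fprintf(stderr, "Out of memory\n");
					return SEPOL_ERR;
				}
				break;
			case 'A':
				if (!strcasecmp(optarg, "parse")) {
					write_ast = WRITE_AST_PHASE_PARSE;
				} else if (!strcasecmp(optarg, "build")) {
					write_ast = WRITE_AST_PHASE_BUILD;
				} else if (!strcasecmp(optarg, "resolve")) {
					write_ast = WRITE_AST_PHASE_RESOLVE;
				} else if (!strcasecmp(optarg, "post")) {
					write_ast = WRITE_AST_PHASE_POST;
				} else {
					fprintf(stderr, "Invalid AST phase: %s\n", optarg);
					usage(argv[0]);
				}
				break;
			case 'h':
				usage(argv[0]);	/* does not return */
			case '?':
				/*
				 * NOTE(review): an option getopt_long() rejected is only
				 * skipped here and the run continues; consider failing
				 * instead so a mistyped option cannot go unnoticed.
				 */
				break;
			default:
				fprintf(stderr, "Unsupported option: %s\n", optarg);
				usage(argv[0]);
		}
	}

	if (optind >= argc) {
		fprintf(stderr, "No cil files specified\n");
		usage(argv[0]);
	}

	cil_set_log_level(log_level);

	cil_db_init(&db);
	cil_set_preserve_tunables(db, preserve_tunables);
	cil_set_qualified_names(db, qualified_names);
	cil_set_attrs_expand_generated(db, 0);
	cil_set_attrs_expand_size(db, 0);

	for (i = optind; i < argc; i++) {
		file = fopen(argv[i], "r");
		if (!file) {
			fprintf(stderr, "Could not open file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}

		/*
		 * Size the stream that was just opened instead of stat()ing the
		 * path a second time, so the size belongs to the file being read
		 * even if the path is replaced in between.
		 */
		rc = fstat(fileno(file), &filedata);
		if (rc == -1) {
			fprintf(stderr, "Could not stat file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}

		/* file_size is 32 bits wide: refuse a larger file rather than load a truncated policy. */
		if (filedata.st_size < 0 || (uintmax_t)filedata.st_size > UINT32_MAX) {
			fprintf(stderr, "File too large: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}
		file_size = (uint32_t)filedata.st_size;

		/* An empty file adds nothing; skip it (same handling as secilc.c) instead of failing in fread(). */
		if (!file_size) {
			fclose(file);
			file = NULL;
			continue;
		}

		buffer = malloc(file_size);
		if (!buffer) {
			fprintf(stderr, "Out of memory\n");
			rc = SEPOL_ERR;
			goto exit;
		}

		rc = fread(buffer, file_size, 1, file);
		if (rc != 1) {
			fprintf(stderr, "Failure reading file: %s\n", argv[i]);
			/* fread() returned 0 here; without this the process would exit with status 0. */
			rc = SEPOL_ERR;
			goto exit;
		}
		fclose(file);
		file = NULL;

		rc = cil_add_file(db, argv[i], buffer, file_size);
		if (rc != SEPOL_OK) {
			fprintf(stderr, "Failure adding %s\n", argv[i]);
			goto exit;
		}

		free(buffer);
		buffer = NULL;
	}

	if (output == NULL) {
		file = stdout;
	} else {
		file = fopen(output, "w");
		if (file == NULL) {
			fprintf(stderr, "Failure opening file %s for writing\n", output);
			rc = SEPOL_ERR;
			goto exit;
		}
	}

	switch (write_ast) {
	case WRITE_AST_PHASE_PARSE:
		rc = cil_write_parse_ast(file, db);
		break;
	case WRITE_AST_PHASE_BUILD:
		rc = cil_write_build_ast(file, db);
		break;
	case WRITE_AST_PHASE_RESOLVE:
		rc = cil_write_resolve_ast(file, db);
		break;
	case WRITE_AST_PHASE_POST:
		rc = cil_write_post_ast(file, db);
		break;
	}

	if (rc != SEPOL_OK) {
		fprintf(stderr, "Failed to write AST\n");
		goto exit;
	}

	/* Flush now so a failed write is reported through the exit status. */
	if (fflush(file) != 0) {
		fprintf(stderr, "Failed to write AST\n");
		rc = SEPOL_ERR;
		goto exit;
	}

exit:
	/* The stream may be stdout (never stdin, which the original compared against); leave that one open. */
	if (file != NULL && file != stdout) {
		fclose(file);
	}
	free(buffer);
	free(output);
	cil_db_destroy(&db);
	return rc;
}

secilc-3.8.1/secilc.8.xml000066400000000000000000000160171476211737200151360ustar00rootroot00000000000000 RichardHaines SECILC 8 18 February 2015 secilc SELinux CIL Compiler secilc invoke the SELinux Common Intermediate Language (CIL) Compiler secilc OPTION file DESCRIPTION secilc invokes the CIL compiler with the specified arguments to build a kernel binary policy. A file_contexts file will also be built as described in the FILE FORMAT section of file_contexts5. OPTIONS Write binary policy to file (default: policy.version) Write file contexts to file (default: file_contexts) Specify target architecture. May be selinux or xen (default: selinux) Build an mls policy. Must be true or false. This will override the (mls boolean) statement if present in the policy. Build a binary policy with a given version (default: depends on the systems SELinux policy version, see sestatus8) How to handle unknown classes or permissions. May be deny, allow, or reject (default: deny). This will override the (handleunknown action) statement if present in the policy. Do not add dontaudit rules to the binary policy. Treat tunables as booleans. Allow names containing dots (qualified names). Blocks, blockinherits, blockabstracts, and in-statements will not be allowed. Allow some statements to be re-declared. Do not check neverallow rules. Expand and remove auto-generated attributes Expand type attributes with fewer than <SIZE> members. Optimize final policy (remove redundant rules). Increment verbosity level. Display usage information. SEE ALSO file_contexts 5 sestatus 8 HTML documentation describing the CIL language statements is available starting with docs/html/index.html. PDF documentation describing the CIL language statements is available at: docs/pdf/CIL_Reference_Guide.pdf. 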
There is a CIL Design Wiki at: that describes the goals and features of the CIL language. secilc-3.8.1/secilc.c000066400000000000000000000300331476211737200144040ustar00rootroot00000000000000/* * Copyright 2011 Tresys Technology, LLC. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * The views and conclusions contained in the software and documentation are those * of the authors and should not be interpreted as representing official policies, * either expressed or implied, of Tresys Technology, LLC. */ #include #include #include #include #include #include #ifdef ANDROID #include #else #include #endif #include static __attribute__((__noreturn__)) void usage(const char *prog) { printf("Usage: %s [OPTION]... 
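FILE...\n", prog); printf("\n"); printf("Options:\n"); printf(" -o, --output= write binary policy to \n"); printf(" (default: policy.)\n"); printf(" -f, --filecontext= write file contexts to \n"); printf(" (default: file_contexts)\n"); printf(" -t, --target= specify target architecture. may be selinux or\n"); printf(" xen. (default: selinux)\n"); printf(" -M, --mls true|false build an mls policy. Must be true or false.\n"); printf(" This will override the (mls boolean) statement\n"); printf(" if present in the policy\n"); printf(" -c, --policyvers= build a binary policy with a given \n"); printf(" (default: %i)\n", POLICYDB_VERSION_MAX); printf(" -U, --handle-unknown= how to handle unknown classes or permissions.\n"); printf(" may be deny, allow, or reject. (default: deny)\n"); printf(" This will override the (handleunknown action)\n"); printf(" statement if present in the policy\n"); printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n"); printf(" -P, --preserve-tunables treat tunables as booleans\n"); printf(" -Q, --qualified-names Allow names containing dots (qualified names).\n"); printf(" Blocks, blockinherits, blockabstracts, and\n"); printf(" in-statements will not be allowed.\n"); printf(" -m, --multiple-decls allow some statements to be re-declared\n"); printf(" -N, --disable-neverallow do not check neverallow rules\n"); printf(" -G, --expand-generated Expand and remove auto-generated attributes\n"); printf(" -X, --expand-size Expand type attributes with fewer than \n"); printf(" members.\n"); printf(" -O, --optimize optimize final policy\n"); printf(" -v, --verbose increment verbosity level\n"); printf(" -h, --help display usage information\n"); exit(1); }

/*
 * secilc entry point.
 *
 * Parses the command line, reads every CIL file named after the options into
 * a CIL database, compiles it, builds a policydb (optimized when -O is given)
 * and writes two files: the binary policy (-o, default "policy.<version>")
 * and the file contexts (-f, default "file_contexts").
 *
 * Returns SEPOL_OK when both files were written and closed without error;
 * every failure path leaves a non-zero value in rc.
 *
 * NOTE(review): when a failure happens after an output file has been opened,
 * the partly written file stays on disk. Callers that install the result
 * should act on the exit status, not on the presence of the file.
 */
int main(int argc, char *argv[])
{
	int rc = SEPOL_ERR;
	sepol_policydb_t *pdb = NULL;
	struct sepol_policy_file *pf = NULL;
	FILE *binary = NULL;
	FILE *file_contexts = NULL;	/* initialised so the exit path can close it */
	FILE *file = NULL;
	char *buffer = NULL;
	struct stat filedata;
	uint32_t file_size;
	char *output = NULL;
	char *filecontexts = NULL;
	struct cil_db *db = NULL;
	int target = SEPOL_TARGET_SELINUX;
	int mls = -1;	/* stays -1 unless -M is given; handed to cil_set_mls() as is */
	int disable_dontaudit = 0;
	int multiple_decls = 0;
	int disable_neverallow = 0;
	int preserve_tunables = 0;
	int qualified_names = 0;
	int handle_unknown = -1;	/* -1: no -U given, cil_set_handle_unknown() is not called */
	int policyvers = POLICYDB_VERSION_MAX;
	int attrs_expand_generated = 0;
	int attrs_expand_size = -1;	/* -1: no -X given, cil_set_attrs_expand_size() is not called */
	int optimize = 0;
	int opt_char;
	int opt_index = 0;
	char *fc_buf = NULL;
	size_t fc_size;
	enum cil_log_level log_level = CIL_ERR;
	static struct option long_opts[] = {
		{"help", no_argument, 0, 'h'},
		{"verbose", no_argument, 0, 'v'},
		{"target", required_argument, 0, 't'},
		{"mls", required_argument, 0, 'M'},
		{"policyversion", required_argument, 0, 'c'},
		{"handle-unknown", required_argument, 0, 'U'},
		{"disable-dontaudit", no_argument, 0, 'D'},
		{"multiple-decls", no_argument, 0, 'm'},
		{"disable-neverallow", no_argument, 0, 'N'},
		{"preserve-tunables", no_argument, 0, 'P'},
		{"qualified-names", no_argument, 0, 'Q'},
		{"output", required_argument, 0, 'o'},
		{"filecontexts", required_argument, 0, 'f'},
		{"expand-generated", no_argument, 0, 'G'},
		{"expand-size", required_argument, 0, 'X'},
		{"optimize", no_argument, 0, 'O'},
		{0, 0, 0, 0}
	};
	int i;

	while (1) {
		opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PQDmNOc:GX:n", long_opts, &opt_index);
		if (opt_char == -1) {
			break;
		}
		switch (opt_char) {
			case 'v':
				log_level++;
				break;
			case 't':
				if (!strcmp(optarg, "selinux")) {
					target = SEPOL_TARGET_SELINUX;
				} else if (!strcmp(optarg, "xen")) {
					target = SEPOL_TARGET_XEN;
				} else {
					fprintf(stderr, "Unknown target: %s\n", optarg);
					usage(argv[0]);
				}
				break;
			case 'M':
				if (!strcasecmp(optarg, "true") || !strcasecmp(optarg, "1")) {
					mls = 1;
				} else if (!strcasecmp(optarg, "false") || !strcasecmp(optarg, "0")) {
					mls = 0;
				} else {
					usage(argv[0]);
				}
				break;
			case 'c': {
				char *endptr = NULL;
				long val;

				errno = 0;
				val = strtol(optarg, &endptr, 10);
				if (errno != 0 || endptr == optarg || *endptr != '\0') {
					fprintf(stderr, "Bad policy version: %s\n", optarg);
					usage(argv[0]);
				}
				/*
				 * Range-check the long before narrowing it: assigning
				 * strtol()'s result straight to an int lets an
				 * out-of-range number wrap into the accepted range.
				 */
				if (val > POLICYDB_VERSION_MAX || val < POLICYDB_VERSION_MIN) {
					fprintf(stderr, "Policy version must be between %d and %d\n",
					       POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
					usage(argv[0]);
				}
				policyvers = (int)val;
				break;
			}
			case 'U':
				if (!strcasecmp(optarg, "deny")) {
					handle_unknown = SEPOL_DENY_UNKNOWN;
				} else if (!strcasecmp(optarg, "allow")) {
					handle_unknown = SEPOL_ALLOW_UNKNOWN;
				} else if (!strcasecmp(optarg, "reject")) {
					handle_unknown = SEPOL_REJECT_UNKNOWN;
				} else {
					usage(argv[0]);
				}
				break;
			case 'D':
				disable_dontaudit = 1;
				break;
			case 'm':
				multiple_decls = 1;
				break;
			case 'N':
				disable_neverallow = 1;
				break;
			case 'P':
				preserve_tunables = 1;
				break;
			case 'Q':
				qualified_names = 1;
				break;
			case 'o':
				/* A repeated -o replaces the earlier value. */
				free(output);
				output = strdup(optarg);
				if (output == NULL) {
					/* Without this check the default file name would be used silently. */
					fprintf(stderr, "Out of memory\n");
					return SEPOL_ERR;
				}
				break;
			case 'f':
				free(filecontexts);
				filecontexts = strdup(optarg);
				if (filecontexts == NULL) {
					fprintf(stderr, "Out of memory\n");
					free(output);
					return SEPOL_ERR;
				}
				break;
			case 'G':
				attrs_expand_generated = 1;
				break;
			case 'X': {
				char *endptr = NULL;
				long val;

				errno = 0;
				val = strtol(optarg, &endptr, 10);
				/* val > INT32_MAX: would not survive the narrowing to int below. */
				if (errno != 0 || endptr == optarg || *endptr != '\0' || val > INT32_MAX) {
					fprintf(stderr, "Bad attribute expand size: %s\n", optarg);
					usage(argv[0]);
				}
				/* Only negative sizes are rejected; 0 is accepted despite the message text. */
				if (val < 0) {
					fprintf(stderr, "Attribute expand size must be > 0\n");
					usage(argv[0]);
				}
				attrs_expand_size = (int)val;
				break;
			}
			case 'O':
				optimize = 1;
				break;
			case 'h':
				usage(argv[0]);	/* does not return */
			case '?':
				/*
				 * NOTE(review): an option getopt_long() rejected is only
				 * skipped here and the run continues; consider failing
				 * instead so a mistyped option cannot go unnoticed.
				 */
				break;
			default:
				/*
				 * Reached for 'n', which is in the option string but has
				 * no case. It takes no argument, so optarg is NULL there
				 * and must not be printed with %s; name the option
				 * character instead.
				 */
				fprintf(stderr, "Unsupported option: -%c\n", opt_char);
				usage(argv[0]);
		}
	}

	if (optind >= argc) {
		fprintf(stderr, "No cil files specified\n");
		usage(argv[0]);
	}

	cil_set_log_level(log_level);

	cil_db_init(&db);
	cil_set_disable_dontaudit(db, disable_dontaudit);
	cil_set_multiple_decls(db, multiple_decls);
	cil_set_disable_neverallow(db, disable_neverallow);
	cil_set_preserve_tunables(db, preserve_tunables);
	cil_set_qualified_names(db, qualified_names);
	if (handle_unknown != -1) {
		rc = cil_set_handle_unknown(db, handle_unknown);
		if (rc != SEPOL_OK) {
			goto exit;
		}
	}

	cil_set_mls(db, mls);
	cil_set_target_platform(db, target);
	cil_set_policy_version(db, policyvers);
	cil_set_attrs_expand_generated(db, attrs_expand_generated);
	if (attrs_expand_size >= 0) {
		cil_set_attrs_expand_size(db, (unsigned)attrs_expand_size);
	}

	for (i = optind; i < argc; i++) {
		file = fopen(argv[i], "r");
		if (!file) {
			fprintf(stderr, "Could not open file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}

		/*
		 * Size the stream that was just opened instead of stat()ing the
		 * path a second time, so the size belongs to the file being read
		 * even if the path is replaced in between.
		 */
		rc = fstat(fileno(file), &filedata);
		if (rc == -1) {
			fprintf(stderr, "Could not stat file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}

		/* file_size is 32 bits wide: refuse a larger file rather than load a truncated policy. */
		if (filedata.st_size < 0 || (uintmax_t)filedata.st_size > UINT32_MAX) {
			fprintf(stderr, "File too large: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}
		file_size = (uint32_t)filedata.st_size;

		/* An empty file adds nothing to the database; skip it. */
		if (!file_size) {
			fclose(file);
			file = NULL;
			continue;
		}

		buffer = malloc(file_size);
		if (!buffer) {
			fprintf(stderr, "Out of memory\n");
			rc = SEPOL_ERR;
			goto exit;
		}

		rc = fread(buffer, file_size, 1, file);
		if (rc != 1) {
			fprintf(stderr, "Failure reading file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}
		fclose(file);
		file = NULL;

		rc = cil_add_file(db, argv[i], buffer, file_size);
		if (rc != SEPOL_OK) {
			fprintf(stderr, "Failure adding %s\n", argv[i]);
			goto exit;
		}

		free(buffer);
		buffer = NULL;
	}

	rc = cil_compile(db);
	if (rc != SEPOL_OK) {
		fprintf(stderr, "Failed to compile cildb: %d\n", rc);
		goto exit;
	}

	rc = cil_build_policydb(db, &pdb);
	if (rc != SEPOL_OK) {
		fprintf(stderr, "Failed to build policydb\n");
		goto exit;
	}

	if (optimize) {
		rc = sepol_policydb_optimize(pdb);
		if (rc != SEPOL_OK) {
			fprintf(stderr, "Failed to optimize policydb\n");
			goto exit;
		}
	}

	if (output == NULL) {
		/* No -o: build the default name "policy.<policyvers>". */
		int size = snprintf(NULL, 0, "policy.%d", policyvers);
		output = malloc((size + 1) * sizeof(char));
		if (output == NULL) {
			fprintf(stderr, "Failed to create output filename\n");
			rc = SEPOL_ERR;
			goto exit;
		}
		if (snprintf(output, size + 1, "policy.%d", policyvers) != size) {
			fprintf(stderr, "Failed to create output filename\n");
			rc = SEPOL_ERR;
			goto exit;
		}
	}

	binary = fopen(output, "w");
	if (binary == NULL) {
		fprintf(stderr, "Failure opening binary file for writing\n");
		rc = SEPOL_ERR;
		goto exit;
	}

	rc = sepol_policy_file_create(&pf);
	if (rc != 0) {
		fprintf(stderr, "Failed to create policy file: %d\n", rc);
		goto exit;
	}

	sepol_policy_file_set_fp(pf, binary);

	rc = sepol_policydb_write(pdb, pf);
	if (rc != 0) {
		fprintf(stderr, "Failed to write binary policy: %d\n", rc);
		goto exit;
	}

	/* fclose() flushes the stream; a failure here means the policy on disk is incomplete. */
	rc = fclose(binary);
	binary = NULL;
	if (rc != 0) {
		fprintf(stderr, "Failed to write binary policy: %d\n", rc);
		rc = SEPOL_ERR;
		goto exit;
	}

	rc = cil_filecons_to_string(db, &fc_buf, &fc_size);
	if (rc != SEPOL_OK) {
		fprintf(stderr, "Failed to get file context data\n");
		goto exit;
	}

	if (filecontexts == NULL) {
		file_contexts = fopen("file_contexts", "w+");
	} else {
		file_contexts = fopen(filecontexts, "w+");
	}

	if (file_contexts == NULL) {
		fprintf(stderr, "Failed to open file_contexts file\n");
		rc = SEPOL_ERR;
		goto exit;
	}

	if (fwrite(fc_buf, sizeof(char), fc_size, file_contexts) != fc_size) {
		fprintf(stderr, "Failed to write file_contexts file\n");
		rc = SEPOL_ERR;
		goto exit;
	}

	rc = fclose(file_contexts);
	file_contexts = NULL;
	if (rc != 0) {
		fprintf(stderr, "Failed to write file_contexts file\n");
		rc = SEPOL_ERR;
		goto exit;
	}

	rc = SEPOL_OK;

exit:
	if (binary != NULL) {
		fclose(binary);
	}
	/* Still open only when the fwrite() above failed. */
	if (file_contexts != NULL) {
		fclose(file_contexts);
	}
	if (file != NULL) {
		fclose(file);
	}
	free(buffer);
	free(output);
	free(filecontexts);
	cil_db_destroy(&db);
	sepol_policydb_free(pdb);
	sepol_policy_file_free(pf);
	free(fc_buf);
	return rc;
}

secilc-3.8.1/test/000077500000000000000000000000001476211737200137565ustar00rootroot00000000000000secilc-3.8.1/test/anonymous_arg_test.cil000066400000000000000000000040411476211737200203660ustar00rootroot00000000000000;; Test anonymous args (mls true) (class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (category c0) (category c1) (category c2) (category c3) (categoryorder (CAT c0 c1 c2 c3)) (categoryset cs01 (c0 c1)) (categoryset cs03 (range c0 c3)) (sensitivity s0) (sensitivity s1) (sensitivity s2) (sensitivity s3) (sensitivityorder (SENS s0 s1 s2 s3)) (sensitivitycategory s0 (cs01 c2 c3)) (sensitivitycategory s1 (c0 c1 c2 c3)) (sensitivitycategory s2 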
(c0 c1 c2 c3)) (sensitivitycategory s3 (range c0 c3)) (level lvl (s0 (c0))) (level lvl0 (s0)) (level lvl3 (s3 (range c0 c3))) (levelrange rng ((s0) (s3 (c0 c1 c2 c3)))) (user u1) (user u2) (user u3) (user u4) (userrole u1 ROLE) (userrole u2 ROLE) (userrole u3 ROLE) (userrole u4 ROLE) ; Test categoryset (macro m1 ((user u)(sensitivity s)(categoryset cs)) (userlevel u (s (cs))) ) (call m1 (u1 s1 (c0 c1))) (call m1 (u2 s2 cs01)) ; Test level (macro m2 ((user u)(level l)) (userlevel u l) ) (call m2 (u3 (s3 (c2)))) (call m2 (u4 lvl)) ; Test levelrange (macro m3 ((user u)(levelrange lr)) (userrange u lr) ) (call m3 (u1 ((s0) (s3 (range c0 c3))))) (call m3 (u2 (lvl0 (s3 (cs03))))) (call m3 (u3 (lvl0 lvl3))) (call m3 (u4 rng)) ; Test ipaddr (macro m4 ((user u)(ipaddr nm)(ipaddr ip)) (nodecon ip nm (u ROLE TYPE ((s0) (s0)))) ) (ipaddr nm1 255.255.255.0) (ipaddr ip4 1.2.3.4) (call m4 (u1 nm1 192.25.35.200)) (call m4 (u2 255.255.255.0 ip4)) ; Test classpermission (type t1) (type t2) (type t3) (classpermission cp1) (classpermissionset cp1 (CLASS (PERM))) (classmap cm1 (cm1p)) (classmapping cm1 cm1p (CLASS (PERM))) (macro m5 ((type t)(classpermission cp)) (allow t self cp) ) (call m5 (t1 (CLASS (PERM)))) (call m5 (t2 cp1)) (call m5 (t3 (cm1 (cm1p)))) secilc-3.8.1/test/block_test.cil000066400000000000000000000042001476211737200165740ustar00rootroot00000000000000;; Minimum stuff (class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) ;; Extra stuff (common COMMON (PERM1 PERM2 PERM3 PERM4)) (classcommon CLASS COMMON) ;; Tests 1 and 2 show that the order of inheritance matters ;; (block b1 (type ta)) (block b1a (block b1 (type tb))) 
(block b1b (blockinherit b1) ;; Results in b1b.ta (blockinherit b1a)) (block b2 (type ta)) (block b2a (block b2 (type tb))) (block b2b (blockinherit b2a) (blockinherit b2)) ;; All of these work (block b3a (type t3a) (block b (type t) (allow t3a t (CLASS (PERM))) ) ) (block b3b (blockinherit b3a) ) (block b3c (blockinherit b3a.b) ) (block b3d (type t3a) (blockinherit b3a) ) (block b3e (type t3a) (blockinherit b3a.b) ) ;; Since block is abstract, allow rule will not be in policy (type t4) (block b4 (blockabstract b4) (allow t4 self (CLASS (PERM))) ) ;; Inheriting the abstract block causes the allow rule to be in the policy (type t5) (block b5 (blockabstract b5) (allow t5 self (CLASS (PERM))) ) (blockinherit b5) ;; A sub-block can be inherited out of an abstract block (type t6) (block b6 (blockabstract b6) (allow t6 self (CLASS (PERM1))) (block b (blockabstract b) (allow t6 self (CLASS (PERM))) ) ) (blockinherit b6.b) ;; ;; Expected: ;; ;; Types: ;; b1.ta, b1a.b1.tb, b1b.b1.tb, b1b.ta ;; b2.ta, b2a.b2.tb, b2b.b2.tb, b2b.ta ;; b3a.b.t, b3a.t3a, b3b.b.t, b3b.t3a, b3c.t, b3d.b.t, b3d.t3a, b3e.t, b3e.t3a ;; t4 ;; t5 ;; t6 ;; ;; Allow rules: ;; allow b3a.t3a b3a.b.t : CLASS { PERM }; ;; allow b3a.t3a b3c.t : CLASS { PERM }; ;; allow b3b.t3a b3b.b.t : CLASS { PERM }; ;; allow b3d.t3a b3d.b.t : CLASS { PERM }; ;; allow b3e.t3a b3e.t : CLASS { PERM }; ;; allow t5 t5 : CLASS { PERM }; ;; allow t6 t6 : CLASS { PERM };secilc-3.8.1/test/bounds.cil000066400000000000000000000127141476211737200157460ustar00rootroot00000000000000(class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (class c1 (p1a p1b p1c)) (class c2 (p2a p2b p2c)) (class 
c3 (p3a p3b p3c)) (classorder (CLASS c1 c2 c3)) (classpermission cp1) (classpermissionset cp1 (c1 (p1a p1b))) (classpermissionset cp1 (c2 (p2a))) (classmap cm1 (mp1)) (classmapping cm1 mp1 (c1 (p1a))) (boolean b_b1 false) (boolean b_b2 false) (boolean b_b3 false) (type b_ta) (type b_tb) (type b_tc) (type b_td) ;; All of these rules should pass the bounds check (type b_t1) (type b_t1_c) (typebounds b_t1 b_t1_c) (allow b_t1 self (CLASS (PERM))) (allow b_t1_c self (CLASS (PERM))) (allow b_t1 b_ta (CLASS (PERM))) (allow b_t1_c b_ta (CLASS (PERM))) (allow b_ta b_t1 (CLASS (PERM))) (allow b_ta b_t1_c (CLASS (PERM))) (booleanif b_b1 (false (allow b_t1 b_tb (CLASS (PERM))) (allow b_t1_c b_tb (CLASS (PERM))) (allow b_tb b_t1 (CLASS (PERM))) (allow b_tb b_t1_c (CLASS (PERM))))) (allow b_t1 b_tc (CLASS (PERM))) (allow b_tc b_t1 (CLASS (PERM))) (booleanif b_b2 (false (allow b_t1_c b_tc (CLASS (PERM))) (allow b_tc b_t1_c (CLASS (PERM))))) (allow b_t1_c b_td (CLASS (PERM))) (allow b_td b_t1_c (CLASS (PERM))) (booleanif b_b3 (true (allow b_t1 b_td (CLASS (PERM))) (allow b_td b_t1 (CLASS (PERM)))) (false (allow b_t1 b_td (CLASS (PERM))) (allow b_td b_t1 (CLASS (PERM))))) ;; All of these rules should pass the bounds check (type b_t2) (type b_t2_c) (typebounds b_t2 b_t2_c) (typeattribute b_a2) (typeattribute b_a2_c) (typeattributeset b_a2 b_t2) (typeattributeset b_a2_c b_t2_c) (allow b_a2 self (CLASS (PERM))) (allow b_a2_c self (CLASS (PERM))) (allow b_a2 b_ta (CLASS (PERM))) (allow b_a2_c b_ta (CLASS (PERM))) (allow b_ta b_a2 (CLASS (PERM))) (allow b_ta b_a2_c (CLASS (PERM))) (booleanif b_b1 (false (allow b_a2 b_tb (CLASS (PERM))) (allow b_a2_c b_tb (CLASS (PERM))) (allow b_tb b_a2 (CLASS (PERM))) (allow b_tb b_a2_c (CLASS (PERM))))) (allow b_a2 b_tc (CLASS (PERM))) (allow b_tc b_a2 (CLASS (PERM))) (booleanif b_b2 (false (allow b_a2_c b_tc (CLASS (PERM))) (allow b_tc b_a2_c (CLASS (PERM))))) (allow b_a2_c b_td (CLASS (PERM))) (allow b_td b_a2_c (CLASS (PERM))) (booleanif b_b3 (true 
(allow b_a2 b_td (CLASS (PERM))) (allow b_td b_a2 (CLASS (PERM)))) (false (allow b_a2 b_td (CLASS (PERM))) (allow b_td b_a2 (CLASS (PERM))))) ;; All of these rules should fail the bounds check (type b_t3) (type b_t3_c) (typebounds b_t3 b_t3_c) (allow b_t3 self (CLASS (PERM))) (allow b_t3_c self (c1 (p1a))) (allow b_t3 b_ta (CLASS (PERM))) (allow b_t3_c b_ta (c1 (p1a))) (allow b_ta b_t3 (CLASS (PERM))) (allow b_ta b_t3_c (c1 (p1a))) (booleanif b_b1 (false (allow b_t3_c b_tb (c1 (p1a))) (allow b_tb b_t3_c (c1 (p1a))))) (booleanif b_b2 (true (allow b_t3_c b_tc (c1 (p1a))) (allow b_tc b_t3_c (c1 (p1a)))) (false (allow b_t3 b_tc (c1 (p1a))) (allow b_tc b_t3 (c1 (p1a))))) (allow b_t3_c b_td (c1 (p1a))) (allow b_td b_t3_c (c1 (p1a))) (booleanif b_b3 (false (allow b_t3 b_td (c1 (p1a))) (allow b_td b_t3 (c1 (p1a))))) ;; All of these rules should fail the bounds check (type b_t4) (type b_t4_c) (typebounds b_t4 b_t4_c) (typeattribute b_a4) (typeattribute b_a4_c) (typeattributeset b_a4 b_t4) (typeattributeset b_a4_c b_t4_c) (allow b_a4 self (CLASS (PERM))) (allow b_a4_c self (c1 (p1a))) (allow b_a4 b_ta (CLASS (PERM))) (allow b_a4_c b_ta (c1 (p1a))) (allow b_ta b_a4 (CLASS (PERM))) (allow b_ta b_a4_c (c1 (p1a))) (booleanif b_b1 (false (allow b_a4_c b_tb (c1 (p1a))) (allow b_tb b_a4_c (c1 (p1a))))) (booleanif b_b2 (true (allow b_a4_c b_tc (c1 (p1a))) (allow b_tc b_a4_c (c1 (p1a)))) (false (allow b_a4 b_tc (c1 (p1a))) (allow b_tc b_a4 (c1 (p1a))))) (allow b_a4_c b_td (c1 (p1a))) (allow b_td b_a4_c (c1 (p1a))) (booleanif b_b3 (false (allow b_a4 b_td (c1 (p1a))) (allow b_td b_a4 (c1 (p1a))))) ;; Marked rules should fail, all others should pass (type b_t5) (type b_t5_c) (typebounds b_t5 b_t5_c) (allow b_t5 b_ta cp1) (allow b_t5_c b_ta (c1 (p1a))) (allow b_t5_c b_ta (c2 (p2a))) (allow b_t5_c b_ta (c2 (p2b))) ;; Fail (allow b_t5_c b_ta (c3 (p3a))) ;; Fail (allow b_t5 b_tb (c1 (p1a p1b))) (allow b_t5 b_tb (c2 (p2a))) (allow b_t5_c b_tb cp1) (allow b_t5 b_tc (cm1 (mp1))) (allow b_t5_c 
b_tc (c1 (p1a))) (allow b_t5_c b_tc (c1 (p1b))) ;; Fail (allow b_t5_c b_tc (c2 (p2a))) ;; Fail (allow b_t5 b_tc (c1 (p1a))) (allow b_t5_c b_tc (cm1 (mp1))) ;; Marked rules should fail, all others should pass (type b_t6a) (type b_t6a_c) (type b_t6b) (type b_t6b_c) (typebounds b_t6a b_t6a_c) (typebounds b_t6b b_t6b_c) (allow b_t6a b_t6b (CLASS (PERM))) (allow b_t6a_c b_t6b_c (CLASS (PERM))) ;; Needs: (allow b_t6a b_t6b (c1 (p1a))) (allow b_t6a_c b_t6b (c1 (p1a))) ;; Fail (allow b_t6a_c b_t6b_c (c1 (p1a))) ;; Fail ;; Needs: (allow b_t6a b_t6b (c2 (p2a))) (allow b_t6a b_t6b_c (c2 (p2a))) ;; Fail (allow b_t6a_c b_t6b (c2 (p2a))) ;; Fail (allow b_t6a_c b_t6b_c (c2 (p2a))) ;; Needs: (allow b_t6a b_t6b (c3 (p3c))) (allow b_t6a b_t6b (c3 (p3a p3b))) (allow b_t6a b_t6b_c (c3 (p3b p3c))) ;; Fail (allow b_t6a_c b_t6b (c3 (p3a p3c))) ;; Fail (allow b_t6a_c b_t6b_c (c3 (p3a p3b p3c))) ;; Fail secilc-3.8.1/test/deny_rule_test1.cil000066400000000000000000000313441476211737200175620ustar00rootroot00000000000000(class CLASS (PERM)) (class ca (pa1 pa2 pa3 pa4 pa5 pa6 pa7 pa8 pa9)) (class cb (pb1 pb2 pb3 pb4 pb5 pb6 pb7 pb8 pb9)) (class cc (pc1 pc2 pc3 pc4 pc5 pc6 pc7 pc8 pc9)) (class cd (pd1 pd2 pd3 pd4 pd5 pd6 pd7 pd8 pd9)) (class ce (pe1 pe2 pe3 pe4 pe5 pe6 pe7 pe8 pe9)) (class cf (pf1 pf2 pf3 pf4 pf5 pf6 pf7 pf8 pf9)) (class cg (pg1 pg2 pg3 pg4 pg5 pg6 pg7 pg8 pg9)) (class ch (ph1 ph2 ph3 ph4 ph5 ph6 ph7 ph8 ph9)) (class ci (pi1 pi2 pi3 pi4 pi5 pi6 pi7 pi8 pi9)) (class cj (pj1 pj2 pj3 pj4 pj5 pj6 pj7 pj8 pj9)) (classorder (CLASS ca cb cc cd ce cf cg ch ci cj)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (classmap cma (mpa1 mpa2)) (classmapping cma mpa1 (cc (pc1 
pc2))) (classmapping cma mpa2 (cc (pc3 pc4))) (classmap cmb (mpb1 mpb2)) (classmapping cmb mpb1 (cd (pd1 pd2))) (classmapping cmb mpb2 (cd (pd3 pd4))) (classpermission cpsa) (classpermissionset cpsa (cd (pd5 pd6))) (classpermissionset cpsa (cd (pd7 pd8))) (classpermission cpsb) (classpermissionset cpsb (cd (pd1 pd2))) (classpermissionset cpsb (cd (pd3 pd4))) (type ta) (type tb) (type tc) (type td) (type te) (type tf) (type tg) (type th) (type ti) (type tj) (type tk) (type tl) (type tm) (type tn) (type to) (type tp) (type tq) (type tr) (type ts) (type tt) (type tu) (type tv) (type tw) (type tx) (type ty) (type tz) (typeattribute a_s1) (typeattributeset a_s1 (ta tb tc td te tf tg th tk tl tm tn ts tt)) (typeattribute a_t1) (typeattributeset a_t1 (ta tb tc td te tf ti tj tk tl to tp tu tv)) (typeattribute a_s2) (typeattributeset a_s2 (ta tb tc td tg th ti tj tm tn tq tr tw tx)) (typeattribute a_t2) (typeattributeset a_t2 (ta tb te tf tg th ti tj to tp tq tr ty tz)) (typeattribute a_s3) (typeattributeset a_s3 (and a_s1 (not a_s2))) (typeattribute a_s4) (typeattributeset a_s4 (and a_s1 a_s2)) (typeattribute a_t3) (typeattributeset a_t3 (and a_t1 (not a_t2))) (typeattribute aab) (typeattributeset aab (ta tb)) (typeattribute aNab) (typeattributeset aNab (and (all) (not (ta tb)))) (typeattribute aNac) (typeattributeset aNac (and (all) (not (ta tc)))) (typeattribute aNbc) (typeattributeset aNbc (and (all) (not (tb tc)))) (typeattribute acd) (typeattributeset acd (tc td)) (typeattribute aNacd) (typeattributeset aNacd (and (all) (not (ta tc td)))) (typeattribute aabc) (typeattributeset aabc (ta tb tc)) ; Test 01 (allow ta tb (ca (pa1))) (deny ta tb (ca (pa1))) (neverallow ta tb (ca (pa1))) ; Test 02 (allow ta tb (ca (pa2 pa3))) (deny ta tb (ca (pa2))) (neverallow ta tb (ca (pa2))) ; (neverallow ta tb (ca (pa3))) ; This check should fail ; Test 03 (allow tc td (ca (pa2))) (deny tc td (ca (pa2 pa3))) (neverallow tc td (ca (pa2 pa3))) ; Test 04 (allow aab acd (ca (pa4))) (deny 
aab acd (ca (pa4))) (neverallow aab acd (ca (pa4))) ; Test 05 (allow ta tc (ca (pa5))) (deny aab acd (ca (pa5))) (neverallow aab acd (ca (pa5))) ; Test 06 (allow aab acd (ca (pa6))) (deny ta tc (ca (pa6))) (neverallow ta tc (ca (pa6))) ; (neverallow tb td (ca (pa6))) ; This check should fail ; Test 07 (allow ta self (ca (pa7))) (deny ta self (ca (pa7))) (neverallow ta self (ca (pa7))) ; Test 08 (allow ta self (ca (pa8))) (deny ta ta (ca (pa8))) (neverallow ta ta (ca (pa8))) ; Test 09 (allow ta ta (ca (pa9))) (deny ta self (ca (pa9))) (neverallow ta self (ca (pa9))) ; Test 11 (allow aab self (cb (pb1))) (deny aab self (cb (pb1))) (neverallow aab self (cb (pb1))) ; Test 12 (allow ta self (cb (pb2))) (deny aab self (cb (pb2))) (neverallow aab self (cb (pb2))) ; Test 13 (allow aab self (cb (pb3))) (deny ta self (cb (pb3))) (neverallow ta self (cb (pb3))) ; (neverallow tb self (cb (pb3))) ; This check should fail ; Test 14 (allow aab self (cb (pb4))) (deny aab aab (cb (pb4))) (neverallow aab aab (cb (pb4))) ; Test 15 (allow aab aab (cb (pb5))) (deny aab self (cb (pb5))) (neverallow aab self (cb (pb5))) ; (neverallow ta tb (cb (pb5))) ; This check should fail ; (neverallow tb ta (cb (pb5))) ; This check should fail ; Test 16 (allow aab self (cb (pb6))) (deny ta ta (cb (pb6))) (neverallow ta ta (cb (pb6))) ; (neverallow tb tb (cb (pb6))) ; This check should fail ; Test 17 (allow ta ta (cb (pb7))) (deny aab self (cb (pb7))) (neverallow aab self (cb (pb7))) ; Test 18 (allow ta self (cb (pb8))) (deny aab aab (cb (pb8))) (neverallow aab aab (cb (pb8))) ; Test 19 (allow aab aab (cb (pb9))) (deny ta self (cb (pb9))) (neverallow ta self (cb (pb9))) ; (neverallow ta tb (cb (pb9))) ; This check should fail ; (neverallow tb ta (cb (pb9))) ; This check should fail ; Test 21 (allow ta tb (cma (mpa1))) (deny ta tb (cma (mpa1))) (neverallow ta tb (cma (mpa1))) ; Test 22 (allow tc td (cma (mpa1 mpa2))) (deny tc td (cma (mpa1))) (neverallow tc td (cma (mpa1))) ; (neverallow tc td (cma 
(mpa2))) ; This check should fail ; Test 23 (allow te tf (cma (mpa1))) (deny te tf (cma (mpa1 mpa2))) (neverallow te tf (cma (mpa1 mpa2))) ; Test 24 (allow tg th (cc (pc1))) (deny tg th (cma (mpa1))) (neverallow tg th (cma (mpa1))) ; Test 25 (allow ti tj (cma (mpa1))) (deny ti tj (cc (pc1))) (neverallow ti tj (cc (pc1))) ; (neverallow ti tj (cc (pc2))) ; This check should fail ; Test 31 (allow ta tb cpsa) (deny ta tb cpsa) (neverallow ta tb cpsa) ; Test 32 (allow tc td cpsa) (deny tc td (cd (pd5 pd6))) (neverallow tc td (cd (pd5 pd6))) ; (neverallow tc td (cd (pd7 pd8))) ; This check should fail ; Test 33 (allow te tf (cd (pd5 pd6))) (deny te tf cpsa) (neverallow te tf cpsa) ; Test 34 (allow tg th cpsb) (deny tg th (cmb (mpb1 mpb2))) (neverallow tg th (cmb (mpb1 mpb2))) ; Test 35 (allow ti tj (cmb (mpb1 mpb2))) (deny ti tj cpsb) (neverallow ti tj cpsb) ; Test 36 (allow tk tl cpsb) (deny tk tl (cmb (mpb1))) (neverallow tk tl (cmb (mpb1))) ; (neverallow tk tl (cmb (mpb2))) ; This check should fail ; Test 37 (allow tm tn (cmb (mpb1))) (deny tm tn cpsb) (neverallow tm tn cpsb) ; Test 41 (block b41 (allow ta tb (ce (pe1))) (deny ta tb (ce (pe1))) (neverallow ta tb (ce (pe1))) ) ; Test 42 (block b42 (type ta) (type tb) (type tc) (type td) (type te) (type tf) (type tg) (typeattribute aa) (typeattribute ab) (typeattribute ac) (typeattribute ad) (typeattribute s3) (typeattribute s4) (typeattribute t3) (typeattributeset aa (ta tb td)) (typeattributeset ab (ta tc te)) (typeattributeset ac (ta tb tf)) (typeattributeset ad (ta tc tg)) (typeattributeset s3 (and aa (not ac))) (typeattributeset s4 (and aa ac)) (typeattributeset t3 (and ab (not ad))) (allow aa ab (ce (pe2))) (deny ac ad (ce (pe2))) (neverallow ac ad (ce (pe2))) ;(neverallow s3 ab (ce (pe2))) ; This check should fail ;(neverallow s4 t3 (ce (pe2))) ; This check should fail ) ; Test 43 (block b43 (type ta) (type tb) (allow ta tb (ce (pe3))) ) (deny b43.ta b43.tb (ce (pe3))) (neverallow b43.ta b43.tb (ce (pe3))) ; Test 
44 (block b44 (type ta) (type tb) (allow ta tb (ce (pe4))) ) (block b44a (blockinherit b44) (deny ta tb (ce (pe4))) (neverallow ta tb (ce (pe4))) ) (block b44b (blockinherit b44) ) (deny b44b.ta b44b.tb (ce (pe4))) (neverallow b44b.ta b44b.tb (ce (pe4))) ; Test 45 (optional opt45 (allow aab acd (ce (pe5))) (deny aab acd (ce (pe5))) (neverallow aab acd (ce (pe5))) ) ; Test 46 (allow ta tc (ce (pe6))) (optional opt46 (deny aab acd (ce (pe6))) (neverallow aab acd (ce (pe6))) ) ; Test 47 (optional opt47 (allow aab acd (ce (pe7))) ) (deny ta tc (ce (pe7))) (neverallow ta tc (ce (pe7))) ; Test 51 (boolean b51 true) (booleanif b51 (true (allow ta tb (cf (pf1))) ) ) (deny ta tb (cf (pf1))) (neverallow ta tb (cf (pf1))) ; Test 52 (boolean b52 true) (booleanif b52 (false (allow ta tb (cf (pf2))) ) ) (deny ta tb (cf (pf2))) (neverallow ta tb (cf (pf2))) ; Test 53 (boolean b53 false) (booleanif b53 (true (allow ta tb (cf (pf3))) ) ) (deny ta tb (cf (pf3))) (neverallow ta tb (cf (pf3))) ; Test 54 (boolean b54 false) (booleanif b54 (true (allow ta tb (cf (pf4))) ) ) (deny ta tb (cf (pf4))) (neverallow ta tb (cf (pf4))) ; Test 55 (tunable b55 true) (tunableif b55 (true (allow ta tb (cf (pf5))) ) ) (deny ta tb (cf (pf5))) (neverallow ta tb (cf (pf5))) ; Test 56 (tunable b56 true) (tunableif b56 (false (allow ta tb (cf (pf6))) ) ) (deny ta tb (cf (pf6))) (neverallow ta tb (cf (pf6))) ; Test 57 (tunable b57 false) (tunableif b57 (true (allow ta tb (cf (pf7))) ) ) (deny ta tb (cf (pf7))) (neverallow ta tb (cf (pf7))) ; Test 58 (tunable b58 false) (tunableif b58 (true (allow ta tb (cf (pf8))) ) ) (deny ta tb (cf (pf8))) (neverallow ta tb (cf (pf8))) ; Test 61 (allow a_s1 a_t1 (cg (pg1))) (deny a_s2 a_t2 (cg (pg1))) (neverallow a_s2 a_t2 (cg (pg1))) ; (neverallow a_s3 a_t1 (cg (pg1))) ; This check should fail ; (neverallow a_s4 a_t3 (cg (pg1))) ; This check should fail ; Test 62 (allow tm a_t1 (cg (pg2))) (deny a_s2 a_t2 (cg (pg2))) (neverallow a_s2 a_t2 (cg (pg2))) ; (neverallow tm 
a_t3 (cg (pg2))) ; This check should fail ; Test 63 (allow a_s1 to (cg (pg3))) (deny a_s2 a_t2 (cg (pg3))) (neverallow a_s2 a_t2 (cg (pg3))) ; (neverallow a_s3 to (cg (pg3))) ; This check should fail ; Test 64 (allow a_s1 a_t1 (cg (pg4))) (deny tm a_t2 (cg (pg4))) (neverallow tm a_t2 (cg (pg4))) ; (neverallow a_s3 a_t1 (cg (pg4))) ; This check should fail ; (neverallow tm a_t3 (cg (pg4))) ; This check should fail ; Test 65 (allow a_s1 a_t1 (cg (pg5))) (deny a_s2 to (cg (pg5))) (neverallow a_s2 to (cg (pg5))) ; (neverallow a_s3 a_t1 (cg (pg5))) ; This check should fail ; (neverallow a_s4 a_t3 (cg (pg5))) ; This check should fail ; Test 71 (allow a_s1 self (ch (ph1))) (deny a_s2 a_t2 (ch (ph1))) (neverallow a_s2 a_t2 (ch (ph1))) ; Below should fail (typeattribute a71) (typeattributeset a71 (and a_s4 (not a_t2))) ; (neverallow a_s3 self (ch (ph1))) ; This check should fail ; (neverallow a71 self (ch (ph1))) ; This check should fail ; Test 72 (allow tg self (ch (ph2))) (deny a_s2 a_t2 (ch (ph2))) (neverallow a_s2 a_t2 (ch (ph2))) ; Test 73 (allow a_s1 self (ch (ph3))) (deny tg a_t2 (ch (ph3))) (neverallow tg a_t2 (ch (ph3))) ; (neverallow a_s3 self (ch (ph3))) ; This check should fail ; Test 74 (allow a_s1 self (ch (ph4))) (deny a_s2 tg (ch (ph4))) (neverallow a_s2 tg (ch (ph4))) ; Below should fail (typeattribute a74) (typeattributeset a74 (and a_s4 (not tg))) ; (neverallow a_s3 self (ch (ph4))) ; This check should fail ; (neverallow a74 self (ch (ph4))) ; This check should fail ; Test 81 (allow a_s1 a_t1 (ci (pi1))) (deny a_s2 self (ci (pi1))) (neverallow a_s2 self (ci (pi1))) ; Below should fail (typeattribute a81a) (typeattribute a81b) (typeattribute a81c) (typeattribute a81b01) (typeattribute a81b02) (typeattribute a81b03) (typeattribute a81b04) (typeattributeset a81a (and a_s4 (not a_t1))) (typeattributeset a81b (and a_s4 a_t1)) (typeattributeset a81c (and a_t1 (not a_s4))) (typeattributeset a81b01 (and a81b (not ta))) (typeattributeset a81b02 (and a81b (not 
tb))) (typeattributeset a81b03 (and a81b (not tc))) (typeattributeset a81b04 (and a81b (not td))) ; (neverallow a_s3 a_t1 (ci (pi1))) ; This check should fail ; (neverallow a81a a_t1 (ci (pi1))) ; This check should fail ; (neverallow a81b a81c (ci (pi1))) ; This check should fail ; (neverallow ta a81b01 (ci (pi1))) ; This check should fail ; (neverallow tb a81b02 (ci (pi1))) ; This check should fail ; (neverallow tc a81b03 (ci (pi1))) ; This check should fail ; (neverallow td a81b04 (ci (pi1))) ; This check should fail ; Test 82 (allow tc a_t1 (ci (pi2))) (deny a_s2 self (ci (pi2))) (neverallow a_s2 self (ci (pi2))) ; Below should fail (typeattribute a82) (typeattributeset a82 (and a_t1 (not a_s4))) ; (neverallow tc a82 (ci (pi2))) ; This check should fail ; Test 83 (allow a_s1 tc (ci (pi3))) (deny a_s2 self (ci (pi3))) (neverallow a_s2 self (ci (pi3))) ; Below should fail (typeattribute a83) (typeattributeset a83 (and a_s4 (not tc))) ; (neverallow a_s3 tc (ci (pi3))) ; This check should fail ; (neverallow a83 tc (ci (pi3))) ; This check should fail ; Test 84 (allow a_s1 a_t1 (ci (pi4))) (deny tc self (ci (pi4))) (neverallow tc self (ci (pi4))) ; Below should fail (typeattribute a84) (typeattributeset a84 (and a_t1 (not a_s4))) ; (neverallow a_s3 a_t1 (ci (pi4))) ; This check should fail ; (neverallow tc a84 (ci (pi4))) ; This check should fail ; Test 91 (allow a_s1 self (cj (pj1))) (deny a_s2 self (cj (pj1))) (neverallow a_s2 self (cj (pj1))) ; (neverallow a_s3 self (cj (pj1))) ; This check should fail ; Test 92 (allow tm self (cj (pj2))) (deny a_s2 self (cj (pj2))) (neverallow a_s2 self (cj (pj2))) ; Test 93 (allow a_s1 self (cj (pj3))) (deny tm self (cj (pj3))) (neverallow tm self (cj (pj3))) ; (neverallow a_s3 self (cj (pj3))) ; This check should fail secilc-3.8.1/test/deny_rule_test2.cil000066400000000000000000000246311476211737200175640ustar00rootroot00000000000000(class CLASS (PERM)) (class ca (pa1 pa2 pa3 pa4 pa5 pa6 pa7 pa8 pa9)) (class cb (pb1 pb2 pb3 pb4 
pb5 pb6 pb7 pb8 pb9)) (class cc (pc1 pc2 pc3 pc4 pc5 pc6 pc7 pc8 pc9)) (class cd (pd1 pd2 pd3 pd4 pd5 pd6 pd7 pd8 pd9)) (class ce (pe1 pe2 pe3 pe4 pe5 pe6 pe7 pe8 pe9)) (class cf (pf1 pf2 pf3 pf4 pf5 pf6 pf7 pf8 pf9)) (class cg (pg1 pg2 pg3 pg4 pg5 pg6 pg7 pg8 pg9)) (class ch (ph1 ph2 ph3 ph4 ph5 ph6 ph7 ph8 ph9)) (class ci (pi1 pi2 pi3 pi4 pi5 pi6 pi7 pi8 pi9)) (class cj (pj1 pj2 pj3 pj4 pj5 pj6 pj7 pj8 pj9)) (classorder (CLASS ca cb cc cd ce cf cg ch ci cj)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (type ta) (type tb) (type tc) (type td) (type te) (type tf) (type tg) (type th) (type ti) (type tj) (type tk) (type tl) (type tm) (type tn) (type to) (type tp) (type tq) (type tr) (type ts) (type tt) (type tu) (type tv) (type tw) (type tx) (type ty) (type tz) (typeattribute a_s1) (typeattributeset a_s1 (ta tb tc td te tf tg th tk tl tm tn ts tt)) (typeattribute a_t1) (typeattributeset a_t1 (ta tb tc td te tf ti tj tk tl to tp tu tv)) (typeattribute a_s2) (typeattributeset a_s2 (ta tb tc td tg th ti tj tm tn tq tr tw tx)) (typeattribute a_t2) (typeattributeset a_t2 (ta tb te tf tg th ti tj to tp tq tr ty tz)) (typeattribute a_s3) (typeattributeset a_s3 (and a_s1 (not a_s2))) (typeattribute a_s4) (typeattributeset a_s4 (and a_s1 a_s2)) (typeattribute aab) (typeattributeset aab (ta tb)) (typeattribute aNab) (typeattributeset aNab (and (all) (not (ta tb)))) (typeattribute aNac) (typeattributeset aNac (and (all) (not (ta tc)))) (typeattribute aNbc) (typeattributeset aNbc (and (all) (not (tb tc))))
; NOTE(review): acd is declared on the next line, but the typeattributeset that
; follows it names aab, not acd. As written no statement in this file assigns
; types to acd, and aab presumably ends up as ta tb tc td rather than ta tb.
; The preceding deny-rule test file in this archive has
; (typeattributeset acd (tc td)) at the same spot. Confirm which is intended:
; Tests 17 and 18 below use acd as the target, and every test that uses aab
; depends on its membership.
(typeattribute acd) (typeattributeset aab (tc td)) (typeattribute aNacd) (typeattributeset aNacd (and (all) (not (ta tc td)))) (typeattribute aabc) 
(typeattributeset aabc (ta tb tc)) ; Test 01 (allow ta notself (ca (pa1))) (deny ta notself (ca (pa1))) (neverallow ta notself (ca (pa1))) ; Test 02 (allow aab notself (ca (pa2))) (deny aab notself (ca (pa2))) (neverallow aab notself (ca (pa2))) ; Test 03 (allow ta notself (ca (pa3))) (deny aab notself (ca (pa3))) (neverallow aab notself (ca (pa3))) ; Test 04 (allow aab notself (ca (pa4))) (deny ta notself (ca (pa4))) (neverallow ta notself (ca (pa4))) ; (neverallow tb notself (ca (pa4))) ; This check should fail ; Test 11 (allow ta notself (cb (pb1))) (deny ta tb (cb (pb1))) (neverallow ta tb (cb (pb1))) ; (neverallow ta aNab (cb (pb1))) ; This check should fail ; Test 12 (allow ta tb (cb (pb2))) (deny ta notself (cb (pb2))) (neverallow ta notself (cb (pb2))) ; Test 13 (allow aab notself (cb (pb3))) (deny ta tb (cb (pb3))) (neverallow ta tb (cb (pb3))) ; (neverallow ta aNab (cb (pb3))) ; This check should fail ; (neverallow tb notself (cb (pb3))) ; This check should fail ; Test 14 (allow ta tb (cb (pb4))) (deny aab notself (cb (pb4))) (neverallow aab notself (cb (pb4))) ; Test 15 (allow aab notself (cb (pb5))) (deny aab tc (cb (pb5))) (neverallow aab tc (cb (pb5))) ; (neverallow ta aNac (cb (pb5))) ; This check should fail ; (neverallow tb aNbc (cb (pb5))) ; This check should fail ; Test 16 (allow aab tc (cb (pb6))) (deny aab notself (cb (pb6))) (neverallow aab notself (cb (pb6))) ; Test 17 (allow aab notself (cb (pb7))) (deny aab acd (cb (pb7))) (neverallow aab acd (cb (pb7))) ; (neverallow aab aNacd (cb (pb7))) ; This check should fail
; NOTE(review): Test 18 uses class cb permission pb7, the same permission as
; Test 17, while Tests 11 to 16 each use their own permission and pb8 is not
; referenced by any rule in this file. This looks like pb8 was intended; confirm.
; With pb7 shared, the deny and neverallow rules of Test 18 presumably also act
; on the allow rule of Test 17, so the two tests are not independent.
; Test 18 (allow aab acd (cb (pb7))) (deny aab notself (cb (pb7))) (neverallow aab notself (cb (pb7))) ; Test 21 (allow aab other (cc (pc1))) (deny aab other (cc (pc1))) (neverallow aab other (cc (pc1))) ; Test 22 (allow aabc other (cc (pc2))) (deny aab other (cc (pc2))) (neverallow aab other (cc (pc2))) ; (neverallow tc aab (cc (pc2))) ; This check should fail ; Test 23 (allow aab other (cc (pc3))) (deny aabc other (cc (pc3))) 
(neverallow aabc other (cc (pc3))) ; Test 31 (allow aab other (cd (pd1))) (deny aab aab (cd (pd1))) (neverallow aab aab (cd (pd1))) ; Test 32 (allow aab aab (cd (pd2))) (deny aab other (cd (pd2))) (neverallow aab other (cd (pd2))) ; (neverallow aab self (cd (pd2))) ; This check should fail ; Test 33 (allow ta tb (cd (pd3))) (deny aab other (cd (pd3))) (neverallow aab other (cd (pd3))) ; Test 34 (allow aab other (cd (pd4))) (deny ta tb (cd (pd4))) (neverallow ta tb (cd (pd4))) ; (neverallow tb ta (cd (pd4))) ; This check should fail ; Test 61 (allow a_s1 notself (ce (pe1))) (deny a_s2 a_t2 (ce (pe1))) (neverallow a_s2 a_t2 (ce (pe1))) ; Below should fail (typeattribute a61a) (typeattributeset a61a (and a_s4 (not a_t2))) (typeattribute a61b) (typeattributeset a61b (and a_s4 a_t2)) (typeattribute a61c) (typeattributeset a61c (and (all) (not a_t2))) (typeattribute a61d) (typeattributeset a61d (and a61c (not a_s4))) ; (neverallow a_s3 notself (ce (pe1))) ; This check should fail ; (neverallow a61a other (ce (pe1))) ; This check should fail ; (neverallow a61a a61d (ce (pe1))) ; This check should fail ; (neverallow a61b a61c (ce (pe1))) ; This check should fail ; Test 62 (allow tg notself (ce (pe2))) (deny a_s2 a_t2 (ce (pe2))) (neverallow a_s2 a_t2 (ce (pe2))) ; Test 63 (allow tm notself (ce (pe3))) (deny a_s2 a_t2 (ce (pe3))) (neverallow a_s2 a_t2 (ce (pe3))) ; Test 64 (allow a_s1 notself (ce (pe4))) (deny tg a_t2 (ce (pe4))) (neverallow tg a_t2 (ce (pe4))) ; Test 65 (allow a_s1 notself (ce (pe5))) (deny tm a_t2 (ce (pe5))) (neverallow tm a_t2 (ce (pe5))) ; Test 66 (allow a_s1 notself (ce (pe6))) (deny a_s2 tg (ce (pe6))) (neverallow a_s2 tg (ce (pe6))) ; (neverallow a_s3 notself (ce (pe6))) ; This check should fail ; Test 67 (allow a_s1 notself (ce (pe7))) (deny a_s2 ty (ce (pe7))) (neverallow a_s2 ty (ce (pe7))) ; (neverallow a_s3 notself (ce (pe7))) ; This check should fail ; Test 68 (typeattribute a68) (typeattributeset a68 (tg tm)) (allow a68 notself (ce (pe8))) 
(deny a_s2 a_t2 (ce (pe8))) (neverallow a_s2 a_t2 (ce (pe8))) ; Test 71 (allow a_s1 a_t1 (cf (pf1))) (deny a_s2 notself (cf (pf1))) (neverallow a_s2 notself (cf (pf1))) ; Below should fail (typeattribute a71a) (typeattributeset a71a (and a_s4 a_t1)) ; (neverallow a_s3 a_t1 (cf (pf1))) ; This check should fail ; (neverallow a71a self (cf (pf1))) ; This check should fail ; Test 72 (allow tc a_t1 (cf (pf2))) (deny a_s2 notself (cf (pf2))) (neverallow a_s2 notself (cf (pf2))) ; Test 73 (allow tm a_t1 (cf (pf3))) (deny a_s2 notself (cf (pf3))) (neverallow a_s2 notself (cf (pf3))) ; Test 74 (allow a_s1 a_t1 (cf (pf4))) (deny tc notself (cf (pf4))) (neverallow tc notself (cf (pf4))) ; Test 75 (allow a_s1 a_t1 (cf (pf5))) (deny tm notself (cf (pf5))) (neverallow tm notself (cf (pf5))) ; Test 76 (allow a_s1 tc (cf (pf6))) (deny a_s2 notself (cf (pf6))) (neverallow a_s2 notself (cf (pf6))) ; (neverallow a_s3 tc (cf (pf6))) ; This check should fail ; Test 77 (allow a_s1 tu (cf (pf7))) (deny a_s2 notself (cf (pf7))) (neverallow a_s2 notself (cf (pf7))) ; (neverallow a_s3 tu (cf (pf7))) ; This check should fail ; Test 78 (typeattribute a78) (typeattributeset a78 (tc tm)) (allow a_s1 a_t1 (cf (pf8))) (deny a78 notself (cf (pf8))) (neverallow a78 notself (cf (pf8))) ; Test 81 (allow a_s1 other (cg (pg1))) (deny a_s2 a_t2 (cg (pg1))) (neverallow a_s2 a_t2 (cg (pg1))) ; Below should fail (typeattribute a81a) (typeattributeset a81a (and a_s4 (not a_t2))) (typeattribute a81b) (typeattributeset a81b (and a_s4 a_t2)) (typeattribute a81c) (typeattributeset a81c (and a_s1 (not a_t2))) (typeattribute a81d) (typeattributeset a81d (and a_s3 (not a_t2))) ; (neverallow a_s3 other (cg (pg1))) ; This check should fail ; (neverallow a81a other (cg (pg1))) ; This check should fail ; (neverallow a81a a81d (cg (pg1))) ; This check should fail ; (neverallow a81b a81c (cg (pg1))) ; This check should fail ; Test 82 (allow a_s1 other (cg (pg2))) (deny tg a_t2 (cg (pg2))) (neverallow tg a_t2 (cg (pg2))) 
; Test 83 (allow a_s1 other (cg (pg3))) (deny tm a_t2 (cg (pg3))) (neverallow tm a_t2 (cg (pg3))) ; Test 84 (allow a_s1 other (cg (pg4))) (deny a_s2 tg (cg (pg4))) (neverallow a_s2 tg (cg (pg4))) ; (neverallow a_s3 other (cg (pg4))) ; This check should fail ; Test 85 (allow a_s1 other (cg (pg5))) (deny a_s2 ty (cg (pg5))) (neverallow a_s2 ty (cg (pg5))) ; (neverallow a_s3 other (cg (pg5))) ; This check should fail ; Test 86 (typeattribute a86) (typeattributeset a86 (tg tm ts)) (allow a86 other (cg (pg6))) (deny a_s2 a_t2 (cg (pg6))) (neverallow a_s2 a_t2 (cg (pg6))) ; Test 91 (allow a_s1 a_t1 (ch (ph1))) (deny a_s2 other (ch (ph1))) (neverallow a_s2 other (ch (ph1))) ; Below should fail (typeattribute a91a) (typeattributeset a91a (and a_s4 a_t1)) (typeattribute a91b) (typeattributeset a91b (and a_t1 a_s2)) ; (neverallow a_s3 a_t1 (ch (ph1))) ; This check should fail ; (neverallow a_s4 a91b (ch (ph1))) ; This check should fail ; (neverallow a91a self (ch (ph1))) ; This check should fail ; Test 92 (allow tc a_t1 (ch (ph2))) (deny a_s2 other (ch (ph2))) (neverallow a_s2 other (ch (ph2))) ; Test 93 (allow tm a_t1 (ch (ph3))) (deny a_s2 other (ch (ph3))) (neverallow a_s2 other (ch (ph3))) ; Test 94 (allow a_s1 tc (ch (ph4))) (deny a_s2 other (ch (ph4))) (neverallow a_s2 other (ch (ph4))) ; (neverallow a_s3 tc (ch (ph4))) ; This check should fail ; Test 95 (allow a_s1 tu (ch (ph5))) (deny a_s2 other (ch (ph5))) (neverallow a_s2 other (ch (ph5))) ; (neverallow a_s3 tu (ch (ph5))) ; This check should fail ; Test 96 (typeattribute a96) (typeattributeset a96 (tc tm tw)) (allow a_s1 a_t1 (ch (ph6))) (deny a96 other (ch (ph6))) (neverallow a96 other (ch (ph6))) ; Test 101 (allow a_s1 other (ci (pi1))) (deny a_s2 other (ci (pi1))) (neverallow a_s2 other (ci (pi1))) ; (neverallow a_s3 other (ci (pi1))) ; This check should fail ; (neverallow a_s4 a_s3 (ci (pi1))) ; This check should fail ; Test 102 (allow a_s1 notself (ci (pi2))) (deny a_s2 other (ci (pi2))) (neverallow a_s2 
other (ci (pi2))) ; (neverallow a_s3 notself (ci (pi2))) ; This check should fail ; (neverallow a_s4 a_s3 (ci (pi2))) ; This check should fail ; Test 103 (allow a_s1 other (ci (pi3))) (deny a_s2 notself (ci (pi3))) (neverallow a_s2 notself (ci (pi3))) ; (neverallow a_s3 other (ci (pi3))) ; This check should fail ; Test 104 (allow a_s1 notself (ci (pi4))) (deny a_s2 notself (ci (pi4))) (neverallow a_s2 notself (ci (pi4))) ; (neverallow a_s3 notself (ci (pi4))) ; This check should fail secilc-3.8.1/test/in_test.cil000066400000000000000000000050501476211737200161140ustar00rootroot00000000000000;; Minimum stuff (class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) ;; Extra stuff (common COMMON (PERM1 PERM2 PERM3 PERM4)) (classcommon CLASS COMMON) ;; Check that "in" statements work in blocks (block b1 (type t1a) (allow t1b self (CLASS (PERM1))) ) (in b1 (type t1b) (allow t1a self (CLASS (PERM1))) ) (in b1 (allow t1a self (CLASS (PERM2))) (allow b1.t1a self (CLASS (PERM3))) (allow .b1.t1a self (CLASS (PERM4))) (allow t1b self (CLASS (PERM2))) (allow b1.t1b self (CLASS (PERM3))) (allow .b1.t1b self (CLASS (PERM4))) ) ;; Check that "in" statements work in optionals (optional option2 (type t2a) (allow t2b self (CLASS (PERM1))) ) (in option2 (type t2b) (allow t2a self (CLASS (PERM1))) ) (in option2 (allow t2a self (CLASS (PERM2))) (allow t2b self (CLASS (PERM2))) ) (allow t2a self (CLASS (PERM3))) (allow t2b self (CLASS (PERM3))) ;; Check that "in" statements work in macros (type t3a) (type t3b) (macro m3 ((type t)) (allow t3a self (CLASS (PERM1))) (allow t self (CLASS (PERM1))) ) (call m3 (t3b)) (in m3 (allow t3a self (CLASS 
(PERM2))) ) (in m3 (allow t self (CLASS (PERM3))) ) ;; Check "in" statements work for nested optionals (optional o4a (optional o4b (type t4b) (allow t4b self (CLASS (PERM1))) ) ) (in o4a.o4b (allow t4b self (CLASS (PERM2))) ) ;; Check "in" statements work for nested optionals and macros (macro m5 () (type t5a) (type t5b) (optional o5a (allow t5a self (CLASS (PERM1))) (optional o5b (allow t5b self (CLASS (PERM1))) ) ) ) (call m5) (in m5.o5a (allow t5a self (CLASS (PERM2))) ) (in m5.o5a.o5b (allow t5b self (CLASS (PERM2))) ) ;; ;; Expected: ;; ;; Types: ;; b1.t1a, b1.t1b ;; t2a, t2b ;; t3a, t3b ;; t4b ;; t5a, t5b ;; ;; Allow rules: ;; allow b1.t1a b1.t1a : CLASS { PERM1 PERM2 PERM3 PERM4 }; ;; allow b1.t1b b1.t1b : CLASS { PERM1 PERM2 PERM3 PERM4 }; ;; allow t2a t2a : CLASS { PERM1 PERM2 PERM3 }; ;; allow t2b t2b : CLASS { PERM1 PERM2 PERM3 }; ;; allow t3a t3a : CLASS { PERM1 PERM2 }; ;; allow t3b t3b : CLASS { PERM1 PERM3 }; ;; allow t4b t4b : CLASS { PERM1 PERM2 }; ;; allow t5a t5a : CLASS { PERM1 PERM2 }; ;; allow t5b t5b : CLASS { PERM1 PERM2 }; secilc-3.8.1/test/integration.cil000066400000000000000000000131411476211737200167720ustar00rootroot00000000000000(type bin_t) (type kernel_t) (type security_t) (type unlabeled_t) (policycap open_perms) (sensitivity s0) (sensitivity s1) (sensitivityalias s0 sens0) (dominance (s0 s1)) (category c0) (category c1) (category c2) (categoryalias c0 cat0) (categoryset cats01 (c0 c1)) (categoryorder (c0 c1 c2)) (categoryrange catrng02 (c0 c2)) (sensitivitycategory s0 (catrng02)) (sensitivitycategory s1 cats01) (sensitivitycategory s1 (c2)) (level low (s0 (c0))) (level high (s1 (c0 c1))) (levelrange low_high (low high)) (permissionset file_perms (execute_no_trans entrypoint execmod open audit_access)) (class file (execute_no_trans entrypoint execmod open audit_access)) (class process (open)) (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) 
(classcommon file file) (classpermissionset file_rw (file (read write getattr setattr lock append))) (class char (foo transition)) (classcommon char file) (classpermissionset char_w (char (write setattr))) (classmap files (read)) (classmapping files read (file (open read getattr)) char_w) (type auditadm_t) (type console_t) (type console_device_t) (type user_tty_device_t) (type device_t) (type getty_t) (type exec_t) (allow console_t console_device_t file_rw) (allow console_t console_device_t (files (read))) (boolean secure_mode false) (boolean console_login true) (sid kernel) (sid security) (sid unlabeled) (typeattribute exec_type) (typeattribute foo_type) (typeattribute bar_type) (typeattribute baz_type) (typeattributeset exec_type (or bin_t kernel_t)) (typeattributeset foo_type (and exec_type kernel_t)) (typeattributeset bar_type (xor exec_type foo_type)) (typeattributeset baz_type (not bin_t)) (typealias bin_t sbin_t) (typepermissive device_t) (typebounds device_t bin_t) (typemember device_t bin_t file exec_t) (typetransition device_t console_t file console_device_t) (rangetransition device_t console_t file low_high) (nametypetransition some_file device_t console_t file getty_t) (allow foo_type self (file (execute))) (allow bin_t device_t (file (execute))) (booleanif secure_mode (true (auditallow device_t exec_t (file (read write))) ) ) (booleanif console_login (true (typechange auditadm_t console_device_t file user_tty_device_t) (allow getty_t console_device_t (file (getattr open read write append))) ) (false (dontaudit getty_t console_device_t (file (getattr open read write append))) ) ) (booleanif (not (xor (eq secure_mode console_login) (and (or secure_mode console_login) secure_mode ) ) ) (true (allow bin_t exec_t (file (execute))) ) ) (tunable allow_execfile true) (tunable allow_userexec false) (tunableif (not (xor (eq allow_execfile allow_userexec) (and (or allow_execfile allow_userexec) (and allow_execfile allow_userexec) ) ) ) (true (allow bin_t exec_t 
(file (execute))) ) ) (optional allow_rules (allow user_t exec_t (bins (execute))) ) (dontaudit device_t auditadm_t (file (read))) (auditallow device_t auditadm_t (file (open))) (user system_u) (user user_u) (userprefix user_u user) (userprefix system_u user) (selinuxuser name user_u low_high) (selinuxuserdefault user_u low_high) (role system_r) (role user_r) (roletype system_r bin_t) (roletype system_r kernel_t) (roletype system_r security_t) (roletype system_r unlabeled_t) (roleallow system_r user_r) (rolebounds system_r user_r) (roletransition system_r bin_t process user_r) (userrole system_u system_r) (userlevel system_u low) (userrange system_u low_high) (userbounds system_u user_u) (userrole user_u user_r) (userlevel user_u low) (userrange user_u (low low)) (sidcontext kernel (system_u system_r kernel_t (low high))) (sidcontext security (system_u system_r security_t (low high))) (sidcontext unlabeled (system_u system_r unlabeled_t (low high))) (context system_u_bin_t_l2h (system_u system_r bin_t (low high))) (ipaddr ip_v4 192.25.35.200) (ipaddr netmask 192.168.1.1) (ipaddr ip_v6 2001:0DB8:AC10:FE01::) (ipaddr netmask_v6 2001:0DE0:DA88:2222::) (filecon "/usr/bin/" "foo" file system_u_bin_t_l2h) (filecon "/usr/bin/" "bar" file ()) (filecon "/usr/bin/" "baz" any ()) (nodecon ip_v4 netmask system_u_bin_t_l2h) (nodecon ip_v6 netmask_v6 system_u_bin_t_l2h) (portcon udp 25 system_u_bin_t_l2h) (portcon tcp 22 system_u_bin_t_l2h) (genfscon - "/usr/bin" system_u_bin_t_l2h) (netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts? 
(fsuse xattr ext3 system_u_bin_t_l2h) ; XEN (pirqcon 256 system_u_bin_t_l2h) (iomemcon (0 255) system_u_bin_t_l2h) (ioportcon (22 22) system_u_bin_t_l2h) (pcidevicecon 345 system_u_bin_t_l2h) (constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2)))) (constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2)))) (constrain (file (read)) (or (and (eq t1 exec_t) (neq t2 bin_t) ) (eq u1 u2) ) ) (constrain (file (open)) (dom r1 r2)) (constrain (file (open)) (domby r1 r2)) (constrain (file (open)) (incomp r1 r2)) (validatetrans file (eq t1 exec_t)) (mlsconstrain (file (open)) (not (or (and (eq l1 l2) (eq u1 u2)) (eq r1 r2)))) (mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2))) (mlsconstrain (file (open)) (dom h1 l2)) (mlsconstrain (file (open)) (domby l1 h2)) (mlsconstrain (file (open)) (incomp l1 l2)) (mlsvalidatetrans file (domby l1 h2)) (macro all ((type x)) (allow x bin_t (file (execute))) ) (call all (bin_t)) (type a_t) (type b_t) (boolean b1 false) (tunable tun1 true) (macro m ((boolean b)) (tunableif tun1 (true (allow a_t b_t (file (write)))) (false (allow a_t b_t (file (execute))))) (booleanif b (true (allow a_t b_t (file (read)))))) (call m (b1)) secilc-3.8.1/test/minimum.cil000066400000000000000000000006251476211737200161250ustar00rootroot00000000000000(class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))secilc-3.8.1/test/name_resolution_test.cil000066400000000000000000000067311476211737200207200ustar00rootroot00000000000000;; Minimum stuff (class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category 
CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) ;; Extra stuff (common COMMON (PERM1 PERM2 PERM3 PERM4)) (classcommon CLASS COMMON) ;; Check global resolution (type t0) (allow t0 self (CLASS (PERM1))) (allow .t0 self (CLASS (PERM2))) ;; Check block and sub-block resolution (block b1a (type t1a) (allow t1a self (CLASS (PERM))) (allow b1b.t1b self (CLASS (PERM))) (block b1b (type t1b) (allow t1a self (CLASS (PERM1))) (allow t1b self (CLASS (PERM1))) (allow .b1a.t1a self (CLASS (PERM2))) (allow .b1a.b1b.t1b self (CLASS (PERM2))) ) ) (allow b1a.t1a self (CLASS (PERM3))) (allow b1a.b1b.t1b self (CLASS (PERM3))) (allow .b1a.t1a self (CLASS (PERM4))) (allow .b1a.b1b.t1b self (CLASS (PERM4))) ;; Check macro arg resolution (type t2) (macro m2 ((type t)) (allow t self (CLASS (PERM))) ) (call m2 (t2)) ;; Check resolution for a macro with a parent decl (block b3 (type t3) (macro m3 () (allow t3 self (CLASS (PERM))) ) ) (call b3.m3) ;; Check resolution for a macro with a caller decl (block b4 (block b4a (macro m4 () (allow t4 self (CLASS (PERM))) ) ) (block b4b (type t4) (call .b4.b4a.m4) ) ) ;; Check resolution for blockinherits with type in inheriting block (block b5a (type t5a) (block b5b (allow t5a self (CLASS (PERM1))) ) ) (block b5c (type t5a) (blockinherit b5a.b5b) (allow t5a self (CLASS (PERM2))) ) ;; Check resolution for blockinherits with no type in inheriting block (block b6a (type t6a) (block b6b (allow t6a self (CLASS (PERM1))) ) ) (block b6c (blockinherit b6a.b6b) ;; This does not cause an error. 
;;(allow t6a self (CLASS (PERM2))) ;; This causes an error ) ;; Check for proper resolution of t (block b7 (type t) (macro m7 ((type t)) (allow t self (CLASS (PERM))) ) (allow t self (CLASS (PERM1))) (block b7a (type t) (allow t self (CLASS (PERM2))) (block b7b (type t) (allow t self (CLASS (PERM3))) (call m7 (t)) ) ) ) ;; Check that improper name causes an error (block b8 (optional o8a (type t8a) ) (in o8a (allow t8a self (CLASS (PERM1))) ) ;;(allow o8a.t8a self (CLASS (PERM))) ;; Bad name (macro m8 ((type t)) (allow t self (CLASS (PERM1))) ) ;;(allow m8.t self (CLASS (PERM))) ;; Bad name ) ;; ;; Expected: ;; ;; Types: ;; t0 ;; b1a.t1a, b1a.b1b.t1b ;; t2 ;; b3.t3 ;; b4.b4b.t4 ;; b5a.t5a, b5c.t5a ;; b6a.t6a ;; b7.t, b7.b7a.t, b7.b7a.b7b.t ;; b8.t8a ;; ;; Allow rules: ;; allow t0 t0 : CLASS { PERM1 PERM2 }; ;; allow b1a.b1b.t1b b1a.b1b.t1b : CLASS { PERM PERM1 PERM2 PERM3 PERM4 }; ;; allow b1a.t1a b1a.t1a : CLASS { PERM PERM1 PERM2 PERM3 PERM4 }; ;; allow t2 t2 : CLASS { PERM }; ;; allow b3.t3 b3.t3 : CLASS { PERM }; ;; allow b4.b4b.t4 b4.b4b.t4 : CLASS { PERM }; ;; allow b5a.t5a b5a.t5a : CLASS { PERM1 }; ;; allow b5c.t5a b5c.t5a : CLASS { PERM1 PERM2 }; ;; allow b6a.t6a b6a.t6a : CLASS { PERM1 }; ;; allow b7.b7a.b7b.t b7.b7a.b7b.t : CLASS { PERM PERM3 }; ;; allow b7.b7a.t b7.b7a.t : CLASS { PERM2 }; ;; allow b7.t b7.t : CLASS { PERM1 }; ;; allow b8.t8a b8.t8a : CLASS { PERM1 }; secilc-3.8.1/test/neverallow.cil000066400000000000000000000031141476211737200166240ustar00rootroot00000000000000(class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (class c1 (p1a p1b p1c)) (class c2 (p2a p2b p2c)) (class c3 (p3a p3b p3c)) 
;; Extra class declarations for the neverallow checks below: a classpermission
;; set (cp1) and a classmap (cm1), so that neverallow is exercised through each
;; way of naming permissions.
(classorder (CLASS c1 c2 c3))
(classpermission cp1)
(classpermissionset cp1 (c1 (p1a p1b)))
(classpermissionset cp1 (c2 (p2a)))
(classmap cm1 (mp1))
(classmapping cm1 mp1 (c1 (p1a)))
(type t1)
(type t2)
(type t3)
(type t4)
(type t5)
(type t6)
(type t7)
(typeattribute a1)
(typeattribute a2)
(typeattribute a3)
(typeattribute a4)
(typeattribute a5)
(typeattribute a6)
(typeattributeset a1 (t1 t2 t3 t4 t5))
(typeattributeset a2 (t1 t2))
(typeattributeset a3 (t3 t4))
(typeattributeset a4 (t2 t3))
(typeattributeset a5 (t5 t6))
(typeattributeset a6 (t6 t7))
;; Each neverallow below is followed by allow rules that overlap it. Judging by
;; the "Should not call these violations" marker further down, every allow up
;; to that marker is expected to be reported as a neverallow violation.
;; Explicit class and permission list: the allow shares p1a.
(neverallow t1 t2 (c1 (p1a p1b)))
(allow t1 t2 (c1 (p1a)))
;; Through the classmap: cm1/mp1 is mapped to (c1 (p1a)) above.
(neverallow t3 t4 (cm1 (mp1)))
(allow t3 t4 (c1 (p1a)))
;; Through the classpermission set: cp1 is c1 {p1a p1b} plus c2 {p2a}.
(neverallow t5 t6 cp1)
(allow t5 t6 (c1 (p1b)))
(allow t5 t6 (c2 (p2a)))
;; Attribute source with self: a1 holds t1-t5 and a3 holds t3 t4. a2 and a4
;; share t2, so the "a2 a4" rule includes t2 -> t2.
(neverallow a1 self (CLASS (PERM)))
(allow t1 t1 (CLASS (PERM)))
(allow t2 self (CLASS (PERM)))
(allow a3 self (CLASS (PERM)))
(allow a2 a4 (CLASS (PERM)))
;; Attribute source and target: a5 holds t5 t6 and a6 holds t6 t7, so
;; t6 self falls inside a5 -> a6.
(neverallow a5 a6 (CLASS (PERM)))
(allow t5 t7 (CLASS (PERM)))
(allow t6 self (CLASS (PERM)))
;; Should not call these violations
;; (no neverallow above covers self access on c1; a2 and a3 have no type in
;; common and a2 has no member in a5; p2b is not part of cp1)
(allow a1 self (c1 (p1a)))
(allow a2 a3 (CLASS (PERM)))
(allow t5 t6 (c2 (p2b)))
secilc-3.8.1/test/notself_and_other.cil000066400000000000000000000030571476211737200201510ustar00rootroot00000000000000(class CLASS (PERM))
; Exercises the notself and other target keywords. Each test adds one allow
; rule; the commented-out neverallow lines are the checks the file marks as
; "should fail" against that rule.
(class C1 (p1a p1b p1c p1d p1e))
(classorder (CLASS C1))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(type ta)
(type tb)
(type tc)
(type td)
(typeattribute aab)
(typeattributeset aab (ta tb))
(typeattribute aac)
(typeattributeset aac (ta tc))
(typeattribute abc)
(typeattributeset abc (tb tc))
(typeattribute aabc)
(typeattributeset aabc (ta tb tc))
; a_all_not_ta: every type except ta. a_all_not_aab: every type except the
; members of aab.
(typeattribute a_all_not_ta)
(typeattributeset a_all_not_ta (and (all) (not ta)))
(typeattribute a_all_not_aab)
(typeattributeset a_all_not_aab (and (all) (not aab)))
; Test 01
; notself with a single source type; the disabled check targets every type
; except ta.
(allow ta notself (C1 (p1a)))
; (neverallow ta a_all_not_ta (C1 (p1a))) ; This check should fail
; Test 02
; notself with an attribute source; the disabled check targets every type
; outside aab.
(allow aab notself (C1 (p1b)))
; (neverallow aab a_all_not_aab (C1 (p1b))) ; This check should fail
; Test 03
; other with a two-member attribute; the disabled checks cover both
; directions between ta and tb.
(allow aab other (C1 (p1c)))
; (neverallow ta tb (C1 (p1c))) ; This check should fail
; (neverallow tb ta (C1 (p1c))) ; This check should fail
; Test 04
; other with a three-member attribute; each disabled check pairs one member
; with the attribute holding the remaining two.
(allow aabc other (C1 (p1d)))
; (neverallow ta abc (C1 (p1d))) ; This check should fail
; (neverallow tb aac (C1 (p1d))) ; This check should fail
; (neverallow tc aab (C1 (p1d))) ; This check should fail
; Test 05
; Unlike Tests 01-04, the neverallow here is left enabled.
(allow ta other (C1 (p1e))) ; other used with a single type results in no rule
(neverallow ta a_all_not_ta (C1 (p1e)))
; NOTE(review): the archive member that follows, opt-expected.cil, is passed to
; diff by the Makefile test target, so it is reproduced below without changes.
secilc-3.8.1/test/opt-expected.cil000066400000000000000000000026771476211737200170640ustar00rootroot00000000000000(handleunknown deny) (class cl01 (p01a p01b p11a p11b)) (classorder (cl01)) (sid kernel) (sidorder (kernel)) (mls true) (sensitivity s01) (sensitivityorder (s01)) (category c01) (categoryorder (c01)) (sensitivitycategory s01 (c01)) (typeattribute at01) (typeattribute at02) (boolean b01 false) (type tp01) (type tp02) (type tp04) (type tpr1) (type tpr2) (type tpr3) (type tpr4) (type tpr5) (typeattributeset at01 (tp01)) (typeattributeset at02 (tp01 tp02)) (allow at02 tpr1 (cl01 (p01a p01b p11a))) (allow at02 tpr3 (cl01 (p01a p01b p11a))) (allow tp01 at01 (cl01 (p11b))) (allow tp01 self (cl01 (p01a p01b p11a))) (allow tp01 tpr1 (cl01 (p11b))) (dontaudit at02 tpr2 (cl01 (p01a p01b p11a))) (dontaudit at02 tpr4 (cl01 (p01a p01b p11a))) (dontaudit tp01 tpr2 (cl01 (p11b))) (booleanif b01 (true (allow tp01 tpr3 (cl01 (p11b))) (allow tp01 tpr5 (cl01 (p01a p01b p11a p11b))) (allow tp02 tpr5 (cl01 (p01a p11a))) (dontaudit tp01 tpr4 (cl01 (p11b))) ) (false (allow at02 tpr5 (cl01 (p01a p01b p11a))) ) ) (role object_r) (role rl01) (roletype rl01 tp01) (roletype object_r tp01) 
(roletype object_r tp02) (roletype object_r tp04) (roletype object_r tpr1) (roletype object_r tpr2) (roletype object_r tpr3) (roletype object_r tpr4) (roletype object_r tpr5) (user us01) (userrole us01 object_r) (userrole us01 rl01) (userlevel us01 (s01)) (userrange us01 ((s01) (s01))) (sidcontext kernel (us01 rl01 tp01 ((s01) (s01))))
secilc-3.8.1/test/opt-input.cil000066400000000000000000000033041476211737200164060ustar00rootroot00000000000000(handleunknown deny)
;; Input for the optimizer check. The Makefile test target compiles this file
;; with -O, converts the binary policy back to CIL with checkpolicy and runs
;; diff with test/opt-expected.cil, so the notes below describe what that
;; expected file contains for each group of rules.
(class cl01 (p01a p01b p11a p11b))
(classorder (cl01))
(sid kernel)
(sidorder (kernel))
(mls true)
(sensitivity s01)
(sensitivityorder (s01))
(category c01)
(categoryorder (c01))
(sensitivitycategory s01 (c01))
(typeattribute at01)
(typeattribute at02)
(boolean b01 false)
(type tp01)
(type tp02)
(type tp04)
(type tpr1)
(type tpr2)
(type tpr3)
(type tpr4)
(type tpr5)
(typeattributeset at01 (tp01))
(typeattributeset at02 (tp01 tp02))
;; at02 holds tp01 and tp02. The per-type rules further down repeat
;; permissions that these attribute rules already grant.
(allow at02 tpr1 (cl01 (p11a p01a p01b)))
(allow at02 tpr3 (cl01 (p11a p01a p01b)))
(allow tp01 at01 (cl01 (p11b)))
;; A self rule plus a tp01 -> tp01 rule: the expected file has one self rule
;; carrying p01a p01b p11a.
(allow tp01 self (cl01 (p11a p01a)))
(allow tp01 tp01 (cl01 (p01b)))
;; Expected file keeps only p11b here; the other permissions come from at02.
(allow tp01 tpr1 (cl01 (p11a p11b p01a p01b)))
;; Absent from the expected file (fully covered by the at02 rule).
(allow tp02 tpr1 (cl01 (p11a p01a)))
;; Same pattern for dontaudit: the tp01 rule is reduced to p11b and the tp02
;; rule is absent in the expected file.
(dontaudit at02 tpr2 (cl01 (p11a p01a p01b)))
(dontaudit at02 tpr4 (cl01 (p11a p01a p01b)))
(dontaudit tp01 tpr2 (cl01 (p11a p11b p01a p01b)))
(dontaudit tp02 tpr2 (cl01 (p11a p01a)))
;; Conditional rules. In the expected file the tpr3 and tpr4 rules of the true
;; branch are reduced or absent because the unconditional at02 rules overlap
;; them, while both tpr5 rules are kept: at02's tpr5 rule exists only in the
;; false branch.
(booleanif (b01)
    (true
        (allow tp01 tpr3 (cl01 (p11a p11b p01a p01b)))
        (allow tp01 tpr5 (cl01 (p11a p11b p01a p01b)))
        (allow tp02 tpr3 (cl01 (p11a p01a)))
        (allow tp02 tpr5 (cl01 (p11a p01a)))
        (dontaudit tp01 tpr4 (cl01 (p11a p11b p01a p01b)))
        (dontaudit tp02 tpr4 (cl01 (p11a p01a)))
    )
    (false
        (allow at02 tpr5 (cl01 (p11a p01a p01b)))
    )
)
(role object_r)
(role rl01)
(roletype rl01 tp01)
(roletype object_r tp01)
(roletype object_r tp02)
(roletype object_r tp04)
(roletype object_r tpr1)
(roletype object_r tpr2)
(roletype object_r tpr3)
(roletype object_r tpr4)
(roletype object_r tpr5)
(user us01)
(userrole us01 object_r)
(userrole us01 rl01)
(userlevel us01 (s01))
(userrange us01 ((s01) (s01)))
(sidcontext kernel (us01 rl01 tp01 ((s01) (s01))))
secilc-3.8.1/test/optional_test.cil000066400000000000000000000025411476211737200173350ustar00rootroot00000000000000;; Minimum stuff
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
;; Extra stuff
(common COMMON (PERM1 PERM2 PERM3 PERM4))
(classcommon CLASS COMMON)
;; Check resolution failure handling for optionals
;; UNKNOWN is not declared anywhere in this file, so o1 cannot resolve. The
;; expected output at the end lists no allow rule for t1, i.e. the whole
;; optional is dropped, including the rule that would resolve on its own.
(type t1)
(optional o1
    (allow t1 self (CLASS (PERM))) ;; Should not appear in policy
    (allow UNKNOWN self (CLASS (PERM)))
)
;; These should not cause an error
;; b2b and b2c each declare t2 inside an optional and also inherit b2a, which
;; declares t2 too. DNE is not declared, so per the expected output only the
;; inherited PERM1 rule remains for b2b.t2, while b2c.t2 gets PERM and PERM1.
(block b2a
    (type t2)
    (allow t2 self (CLASS (PERM1)))
)
(block b2b
    (optional o2b
        (type t2)
        (allow t2 DNE (CLASS (PERM)))
    )
    (blockinherit b2a)
)
(block b2c
    (optional o2c
        (type t2)
        (allow t2 self (CLASS (PERM)))
    )
    (blockinherit b2a)
)
;; This is not allowed
;; (here t3 is declared both inside the optional and directly in the block)
;;(block b3
;; (optional o3
;; (type t3)
;; (allow t3 DNE (CLASS (PERM)))
;; )
;; (type t3)
;; (allow t3 self (CLASS (PERM1)))
;;)
;;
;; Expected:
;;
;; Types:
;; t1
;; b2a.t2, b2b.t2, b2c.t2
;;
;; Allow rules:
;; allow b2a.t2 b2a.t2 : CLASS { PERM1 };
;; allow b2b.t2 b2b.t2 : CLASS { PERM1 };
;; allow b2c.t2 b2c.t2 : CLASS { PERM PERM1 };
secilc-3.8.1/test/policy.cil000066400000000000000000000251061476211737200157520ustar00rootroot00000000000000(type bin_t)
;; Global declarations: types referenced from inside and outside the
;; "policy" block, policy-wide options, and the MLS categories.
(type kernel_t)
(type security_t)
(type unlabeled_t)
(handleunknown allow)
(mls true)
(policycap open_perms)
(category c0)
(category c1)
(category c2)
(category c3)
(category c4)
(category c5)
;; cat0 is an alias for c0 and is used in place of c0 in a categoryorder
;; statement later in this file.
(categoryalias cat0)
(categoryaliasactual cat0 c0)
(categoryset cats01 (c0 c1))
(categoryset cats02 (c2 c3))
(categoryset cats03 (range c0 c5))
;; cats04: every category outside the c0-c2 range.
(categoryset cats04 (not (range c0 c2)))
;; The category order is given as two overlapping partial lists that share c3.
;; NOTE(review): presumably the compiler merges them into one order, as the
;; classorder comment inside the block below describes for classes - confirm.
(categoryorder (cat0 c1 c2 c3))
(categoryorder (c3 c4 c5))
(sensitivity s0)
(sensitivity s1)
(sensitivity s2)
(sensitivity s3)
(sensitivityalias sens0)
(sensitivityaliasactual sens0 s0)
(sensitivityorder (s0 s1 s2 s3))
;; Category associations written in each accepted form: a named set in a
;; list, a bare set name, a one-element list, several sets, and a range.
(sensitivitycategory s0 (cats03))
(sensitivitycategory s1 cats01)
(sensitivitycategory s1 (c2))
(sensitivitycategory s2 (cats01 cats02))
(sensitivitycategory s2 (range c4 c5))
(sensitivitycategory s3 (range c0 c5))
(level low (s0))
(level high (s3 (range c0 c3)))
;; Level ranges built from named levels, anonymous levels, and a mix of both.
(levelrange low_high (low high))
(levelrange lh1 ((s0 (c0)) (s2 (c0 c3))))
(levelrange lh2 (low (s2 (c0 c3))))
(levelrange lh3 ((s0 cats04) (s2 (range c0 c5))))
(levelrange lh4 ((s0) (s1)))
;; Main namespace. Names declared in here are referenced from outside the
;; block with the "policy." prefix (see the "all" macro after the block).
(block policy
    (class file (execute_no_trans entrypoint execmod open audit_access a b c d e))
    (class socket (nlmsg))
    ; order should be: file socket char b c a dir d e f
    (classorder (file socket char))
    (classorder (unordered dir))
    (classorder (unordered c a b d e f))
    (classorder (char b c a))
    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
    (classcommon file file)
    (classpermission file_rw)
    (classpermissionset file_rw (file (read write getattr setattr lock append)))
    ;; Disabled: three classpermission sets that refer to each other in a cycle.
    ;; NOTE(review): presumably kept as a manual check that the compiler
    ;; rejects circular references - confirm.
    ;;(classpermission loop1)
    ;;(classpermissionset loop1 ((loop2)))
    ;;(classpermission loop2)
    ;;(classpermissionset loop2 ((loop3)))
    ;;(classpermission loop3)
    ;;(classpermissionset loop3 ((loop1)))
    (class char (foo))
    (classcommon char file)
    (class dir ())
    (class a ())
    (class b ())
    (class c ())
    (class d ())
    (class e ())
    (class f ())
    (classcommon dir file)
    ;; char_w spans two classes: write/setattr on char plus open/read/getattr
    ;; on file.
    (classpermission char_w)
    (classpermissionset char_w (char (write setattr)))
    (classpermissionset char_w (file (open read getattr)))
    ;; The classmap permission "files read" is mapped twice: to an explicit
    ;; file permission list and to the char_w set.
    (classmap files (read))
    (classmapping files read (file (open read getattr)))
    (classmapping files read char_w)
    (type auditadm_t)
    (type console_t)
    (type console_device_t)
    (type user_tty_device_t)
    (type device_t)
    (type getty_t)
    (type exec_t)
    (type bad_t)
    ;;(allow console_t console_device_t file_rw)
    (allow console_t console_device_t (files (read)))
    ;; Named extended permission: ioctl values 0x1600-0x19FF except
    ;; 0x1750-0x175F.
    (permissionx ioctl_test (ioctl files (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F)))))
    (allowx console_t console_device_t ioctl_test)
    (boolean secure_mode false)
    (boolean console_login true)
    (sid kernel)
    (sid security)
    (sid unlabeled)
    (sidorder (kernel security))
    (sidorder (security unlabeled))
    (typeattribute exec_type)
    (typeattribute foo_type)
    (typeattribute bar_type)
    (typeattribute baz_type)
    (typeattribute not_bad_type)
    ;; Attribute sets built with each set operator (or, and, xor, not);
    ;; baz_type is assigned by two separate statements.
    (typeattributeset exec_type (or bin_t kernel_t))
    (typeattributeset foo_type (and exec_type kernel_t))
    (typeattributeset bar_type (xor exec_type foo_type))
    (typeattributeset baz_type (not bin_t))
    (typeattributeset baz_type (and exec_type (and bar_type bin_t)))
    ;; not_bad_type is every type except bad_t; it is the target of the
    ;; neverallow rule below.
    (typeattributeset not_bad_type (not bad_t))
    (typealias sbin_t)
    (typealiasactual sbin_t bin_t)
    ;; device_t is marked permissive.
    (typepermissive device_t)
    (typemember device_t bin_t file exec_t)
    (typemember exec_type self file exec_t)
    (typetransition device_t console_t files console_device_t)
    (typetransition device_t exec_type files console_device_t)
    (typetransition exec_type self files console_device_t)
    (typetransition exec_type self files "filename" console_device_t)
    (typechange console_device_t device_t file user_tty_device_t)
    (typechange exec_type device_t file user_tty_device_t)
    (typechange exec_type self file console_device_t)
    (roleattribute exec_role)
    (roleattribute foo_role)
    (roleattribute bar_role)
    (roleattribute baz_role)
    (roleattribute foo_role_a)
    (roleattributeset exec_role (or user_r system_r))
    (roleattributeset foo_role_a (baz_r user_r system_r))
    (roleattributeset foo_role (and exec_role system_r))
    (roleattributeset bar_role (xor exec_role foo_role))
    (roleattributeset baz_role (not user_r))
    (rangetransition device_t console_t file low_high)
    (rangetransition device_t kernel_t file ((s0) (s3 (not c3))))
    (typetransition device_t console_t file "some_file" getty_t)
    (allow foo_type self (file (execute)))
    (allow bin_t device_t (file (execute)))
    ;; Next two rules violate the neverallow rule that follows
    ;; (exec_t is a member of not_bad_type, since only bad_t is excluded)
    ;;(allow bad_t not_bad_type (file (execute)))
    ;;(allow bad_t exec_t (file (execute)))
    (neverallow bad_t not_bad_type (file (execute)))
    (auditallowx getty_t console_device_t (ioctl file (range 0x1000 0x10FF)))
    (auditallowx getty_t kernel_t (nlmsg socket (range 0x1000 0x10FF)))
    (booleanif secure_mode (true (auditallow device_t exec_t (file (read write))) ) )
    ;; Conditional with both branches; covers typechange, allow, auditallowx
    ;; and the dontaudit/dontauditx forms inside booleanif.
    (booleanif console_login (true (typechange auditadm_t console_device_t file user_tty_device_t) (allow getty_t console_device_t (file (getattr open read write append))) (auditallowx getty_t console_device_t (ioctl file (range 0x2000 0x21FF))) (auditallowx getty_t kernel_t (nlmsg socket (0x1))) ) (false (dontaudit getty_t console_device_t (file (getattr open read write append))) (dontauditx getty_t console_device_t (ioctl file (range 0x3000 0x31FF))) ) )
    ;; Nested boolean expression as the condition (not, xor, eq, and, or).
    (booleanif (not (xor (eq secure_mode console_login) (and (or secure_mode console_login) secure_mode ) ) ) (true (allow bin_t exec_t (file (execute))) ) )
    (tunable allow_execfile true)
    (tunable allow_userexec false)
    ;; Same expression shape with tunables in place of booleans.
    (tunableif (not (xor (eq allow_execfile allow_userexec) (and (or allow_execfile allow_userexec) (and allow_execfile allow_userexec) ) ) ) (true (allow bin_t exec_t (file (execute))) ) )
    ;; NOTE(review): neither user_t nor a class named bins is declared in this
    ;; file, so this optional presumably fails to resolve and is left out of
    ;; the compiled policy - confirm.
    (optional allow_rules (allow user_t exec_t (bins (execute))) )
    (dontaudit device_t auditadm_t (file (read)))
    (auditallow device_t auditadm_t (file (open)))
    (user system_u)
    (user user_u)
    (user foo_u)
    (userprefix user_u user)
    (userprefix system_u user)
    (selinuxuser name user_u low_high)
    (selinuxuserdefault user_u ((s0 (c0)) (s3 (range c0 c3))))
    (role system_r)
    (role user_r)
    (role baz_r)
    (roletype system_r bin_t)
    (roletype system_r kernel_t)
    (roletype system_r security_t)
    (roletype system_r unlabeled_t)
    (roletype system_r exec_type)
    (roletype exec_role bin_t)
    (roletype exec_role exec_type)
    (roleallow system_r user_r)
    (roletransition system_r bin_t file user_r)
    (userrole foo_u foo_role)
    (userlevel foo_u low)
    (userattribute ua1)
    (userattribute ua2)
    (userattribute ua3)
    (userattribute ua4)
    (userattributeset ua1 (user_u system_u))
    (userattributeset ua2 (foo_u system_u))
    (userattributeset ua3 (and ua1 ua2))
    (user u5)
    (user u6)
    (userlevel u5 low)
    (userlevel u6 low)
    (userrange u5 low_high)
    (userrange u6 low_high)
    (userattributeset ua4 (u5 u6))
    (userrole ua4 foo_role_a)
    (userrange foo_u low_high)
    (userrole system_u system_r)
    (userlevel system_u low)
    (userrange system_u low_high)
    (userrole user_u user_r)
    (userlevel user_u (s0 (range c0 c2)))
    (userrange user_u (low high))
    ;; Initial SID contexts, each writing the level range a different way.
    (sidcontext kernel (system_u system_r kernel_t ((s0) high)))
    (sidcontext security (system_u system_r security_t (low (s3 (range c0 c3)))))
    (sidcontext unlabeled (system_u system_r unlabeled_t (low high)))
    ;; Named context reused by most of the labeling statements below.
    (context system_u_bin_t_l2h (system_u system_r bin_t (low high)))
    (ipaddr ip_v4 192.25.35.200)
    (ipaddr netmask 192.168.1.1)
    (ipaddr ip_v6 2001:0DB8:AC10:FE01::)
    (ipaddr netmask_v6 2001:0DE0:DA88:2222::)
    ;; File contexts: a named context, anonymous contexts, and an empty
    ;; context "()" for /usr/bin/baz.
    (filecon "/usr/bin/foo" file system_u_bin_t_l2h)
    (filecon "/usr/bin/bar" file (system_u system_r kernel_t (low low)))
    (filecon "/usr/bin/baz" any ())
    (filecon "/usr/bin/aaa" any (system_u system_r kernel_t ((s0) (s3 (range c0 c2)))))
    (filecon "/usr/bin/bbb" any (system_u system_r kernel_t ((s0 (c0)) high)))
    (filecon "/usr/bin/ccc" any (system_u system_r kernel_t (low (s3 (cats01)))))
    (filecon "/usr/bin/ddd" any (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
    (nodecon ip_v4 netmask system_u_bin_t_l2h)
    (nodecon ip_v6 netmask_v6 system_u_bin_t_l2h)
    (portcon udp 25 system_u_bin_t_l2h)
    (portcon tcp 22 system_u_bin_t_l2h)
    (portcon dccp (2048 2096) system_u_bin_t_l2h)
    (portcon sctp (1024 1035) system_u_bin_t_l2h)
    (genfscon - "/usr/bin" system_u_bin_t_l2h)
    (netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts?
    (fsuse xattr ext3 system_u_bin_t_l2h)
    ; XEN
    (pirqcon 256 system_u_bin_t_l2h)
    (iomemcon (0 255) system_u_bin_t_l2h)
    (ioportcon (22 22) system_u_bin_t_l2h)
    (pcidevicecon 345 system_u_bin_t_l2h)
    (devicetreecon "/this is/a/path" system_u_bin_t_l2h)
    ; InfiniBand
    (ibpkeycon fe80:: (0 0x10) system_u_bin_t_l2h)
    (ibpkeycon fe80::7629:afff:fe0f:8e5d (15 25) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
    (ibendportcon mlx4_3 5 (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
    ;; Constraints: the permission side is given as a classmap permission, a
    ;; classpermission set and plain class permissions; the expressions use
    ;; eq, neq, dom, domby and incomp over types, roles and users.
    (constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
    (constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
    (constrain (file (read)) (or (and (eq t1 exec_t) (neq t2 bin_t) ) (eq u1 ua4) ) )
    (constrain (file (open)) (dom r1 r2))
    (constrain (file (open)) (domby r1 r2))
    (constrain (file (open)) (incomp r1 r2))
    (validatetrans file (eq t1 exec_t))
    ;; MLS variants of the same statements, comparing levels (l1, l2, h1, h2).
    (mlsconstrain (file (open)) (not (or (and (eq l1 l2) (eq u1 u2)) (eq r1 r2))))
    (mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2)))
    (mlsconstrain (file (open)) (dom h1 l2))
    (mlsconstrain (file (open)) (domby l1 h2))
    (mlsconstrain (file (open)) (incomp l1 l2))
    (mlsvalidatetrans file (domby l1 h2))
    ;; Macro taking a classpermission argument, called with an anonymous class
    ;; permission, a classmap permission and a named set.
    (macro test_mapping ((classpermission cps)) (allow bin_t auditadm_t cps))
    (call test_mapping ((file (read))))
    (call test_mapping ((files (read))))
    (call test_mapping (char_w))
    (defaultuser (file char) source)
    (defaultrole char target)
    (defaulttype (files) source)
    (defaultrange (file) target low)
    (defaultrange (char) source low-high)
)
;; Global macro that refers to a class declared inside the block by its
;; qualified name, policy.file.
(macro all ((type x))
    (allow x bin_t (policy.file (execute)))
    (allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF)))
)
(call all (bin_t))
;; z.ba is declared abstract from inside itself. It refers to r and t, which
;; are only declared in test_ba, the block that inherits it.
(block z (block ba (roletype r t) (blockabstract z.ba)))
(block test_ba (blockinherit z.ba) (role r) (type t))
;; Macro m combines a tunableif on the block's own tunable with a booleanif on
;; its boolean parameter.
(block bb
    (type t1)
    (type t2)
    (boolean b1 false)
    (tunable tun1 true)
    (macro m ((boolean b)) (tunableif tun1 (true (allow t1 t2 (policy.file (write)))) (false (allow t1 t2 (policy.file (execute))))) (booleanif b (true (allow t1 t2 (policy.file (read))))))
    (call m (b1))
)
;; "in" adds a statement to block bb from outside it; the names are written
;; fully qualified (bb.tun1, bb.t1, bb.t2).
(in bb (tunableif bb.tun1 (true (allow bb.t2 bb.t1 (policy.file (read write execute))))))