From f5bd20b9e06d31bf5baefc85f8724ab5cf16251c Mon Sep 17 00:00:00 2001
From: Daniel Demus <daniel-github@demus.dk>
Date: Mon, 20 May 2024 21:59:44 +0200
Subject: [PATCH] Package including selinux

Move from dist-git
---
 README-Fedora         |   6 ++
 surrogator.conf       |  26 +++++
 surrogator.config.php |  62 +++++++++++
 surrogator.fc         |   5 +
 surrogator.if         | 237 ++++++++++++++++++++++++++++++++++++++++++
 surrogator.pp         | Bin 0 -> 91151 bytes
 surrogator.spec       | 160 ++++++++++++++++++++++++++++
 surrogator.te         |  50 +++++++++
 8 files changed, 546 insertions(+)
 create mode 100644 README-Fedora
 create mode 100644 surrogator.conf
 create mode 100644 surrogator.config.php
 create mode 100644 surrogator.fc
 create mode 100644 surrogator.if
 create mode 100644 surrogator.pp
 create mode 100644 surrogator.spec
 create mode 100644 surrogator.te

diff --git a/README-Fedora b/README-Fedora
new file mode 100644
index 0000000..8f7a815
--- /dev/null
+++ b/README-Fedora
@@ -0,0 +1,6 @@
+After installation edit the domain in /etc/httpd/conf.d/surrogator.config.php.
+Add avatar images to the /var/lib/surrogator folder and run /usr/bin/surrogator.
+Restart your httpd server.
+
+The surrogator.config.php.dist is the original project version of the
+config file.
diff --git a/surrogator.conf b/surrogator.conf
new file mode 100644
index 0000000..7863a04
--- /dev/null
+++ b/surrogator.conf
@@ -0,0 +1,26 @@
+<VirtualHost 0.0.0.0:80>
+  ServerName avatars.example.com
+  Redirect / https://avatars.example.com
+</VirtualHost>
+
+<VirtualHost 0.0.0.0:443>
+  ServerName avatars.example.com
+
+  ErrorLog logs/avatars.example.com-error_log
+  TransferLog logs/avatars.example.com-access_log
+  LogLevel warn
+  CustomLog logs/avatars.example.com-request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+  DocumentRoot /usr/share/surrogator/www
+
+  <Location />
+    Require all granted
+    Options Indexes MultiViews FollowSymlinks
+  </Location>
+
+  <IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteRule ^avatar/ avatar.php [L]
+  </IfModule>
+
+</VirtualHost>
diff --git a/surrogator.config.php b/surrogator.config.php
new file mode 100644
index 0000000..3356e39
--- /dev/null
+++ b/surrogator.config.php
@@ -0,0 +1,62 @@
+<?php
+/**
+ * Directory where you source image files live
+ */
+$rawDir = '/var/lib/surrogator/';
+
+/**
+ * Directory in which all the image files get generated into.
+ * You could put that to /var/cached/avatars/ or so
+ */
+$varDir = '/var/cache/surrogator/';
+
+/**
+ * Document root of the web server host.
+ */
+$wwwDir = '/usr/share/surrogator/www/';
+
+/**
+ * Directory of default resource files.
+ * You probably do not want to change that.
+ */
+$resDir = '/usr/share/surrogator/res/';
+
+/**
+ * Array of image sizes to generate.
+ * Needs to be in ascending order.
+ */
+$sizes   = array(16, 32, 48, 64, 80, 96, 128, 256, 512);
+
+/**
+ * Maximum image size supported by the server
+ */
+$maxSize = 512;
+
+/**
+ * Default log level. 0 for no logging, 1 for important messages, 3 for all
+ */
+$logLevel = 1;
+
+/**
+ * By default, images are only generated if their source file (in raw/)
+ * is newer than the generated square file. If you set $forceUpdate
+ * to true, the images will always be regenerated.
+ */
+$forceUpdate = false;
+
+/**
+ * URL prefixes that may be used as "default" parameter.
+ *
+ * Taken from https://git.linux-kernel.at/oliver/ivatar/-/blob/master/config.py
+ */
+$trustedDefaultUrls = [
+    'http://gravatar.com/avatar/',
+    'http://www.planet-libre.org/themes/planetlibre/images/',
+    'https://avatars.dicebear.com/api/',
+    'https://badges.fedoraproject.org/static/img/',
+    'https://gravatar.com/avatar/',
+    'https://secure.gravatar.com/avatar/',
+    'https://ui-avatars.com/api/',
+    'https://www.azuracast.com/img/',
+];
+?>
diff --git a/surrogator.fc b/surrogator.fc
new file mode 100644
index 0000000..e7bd446
--- /dev/null
+++ b/surrogator.fc
@@ -0,0 +1,5 @@
+/usr/bin/surrogator		--	gen_context(system_u:object_r:surrogator_exec_t,s0)
+
+/var/cache/surrogator(/.*)?		gen_context(system_u:object_r:surrogator_cache_t,s0)
+
+/var/lib/surrogator(/.*)?		gen_context(system_u:object_r:surrogator_var_lib_t,s0)
diff --git a/surrogator.if b/surrogator.if
new file mode 100644
index 0000000..6b16ddd
--- /dev/null
+++ b/surrogator.if
@@ -0,0 +1,237 @@
+
+## <summary>policy for surrogator</summary>
+
+########################################
+## <summary>
+##	Execute surrogator_exec_t in the surrogator domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`surrogator_domtrans',`
+	gen_require(`
+		type surrogator_t, surrogator_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, surrogator_exec_t, surrogator_t)
+')
+
+######################################
+## <summary>
+##	Execute surrogator in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_exec',`
+	gen_require(`
+		type surrogator_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, surrogator_exec_t)
+')
+
+########################################
+## <summary>
+##	Search surrogator cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_search_cache',`
+	gen_require(`
+		type surrogator_cache_t;
+	')
+
+	allow $1 surrogator_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read surrogator cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_read_cache_files',`
+	gen_require(`
+		type surrogator_cache_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	surrogator cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_manage_cache_files',`
+	gen_require(`
+		type surrogator_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage surrogator cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_manage_cache_dirs',`
+	gen_require(`
+		type surrogator_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, surrogator_cache_t, surrogator_cache_t)
+')
+
+
+########################################
+## <summary>
+##	Search surrogator lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_search_lib',`
+	gen_require(`
+		type surrogator_var_lib_t;
+	')
+
+	allow $1 surrogator_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read surrogator lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_read_lib_files',`
+	gen_require(`
+		type surrogator_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage surrogator lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_manage_lib_files',`
+	gen_require(`
+		type surrogator_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage surrogator lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`surrogator_manage_lib_dirs',`
+	gen_require(`
+		type surrogator_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, surrogator_var_lib_t, surrogator_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an surrogator environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`surrogator_admin',`
+	gen_require(`
+		type surrogator_t;
+		type surrogator_cache_t;
+		type surrogator_var_lib_t;
+	')
+
+	allow $1 surrogator_t:process { signal_perms };
+	ps_process_pattern($1, surrogator_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 surrogator_t:process ptrace;
+    ')
+
+	files_search_var($1)
+	admin_pattern($1, surrogator_cache_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, surrogator_var_lib_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/surrogator.pp b/surrogator.pp
new file mode 100644
index 0000000000000000000000000000000000000000..79413e3428eb8cbc323db14813598baf6021b3c3
GIT binary patch
literal 91151
zcmeHQ2bAPUk!{=ogZJhz1%sJ|+1XZE)gGS3!?Lh=SEyB4-D0YwT1hoMjrZPr@4ffl
z+yQrZ@4Y*J2X}CIH~0QerJ_`d8fMv^Wp?R&uV*TL{79uDGE=FLd(xr%|K=PkD=X(*
zSy{Q{%F4>cZ*`89Cmg!}Z!WU3vU2K88n=$(*}=wblHqJ@K)KY)$_nV`Td`%=%F0SM
zOVeaM$dmLuD=RDBzSVuJHz?HeWwf%wKbW9gbY*4b3dJ8v9!>{Y67DzoxmH$IF0it)
zG6|-Cv$8^iU^+GN@Z2jaD;Hc@Sy_wX;dxh9RxY%%vJxh7Y{DEwsKe9*xj{ov%Vrwo
z234WGsTl`rW;{xh3EFV^m6eqs49zqLa{iT-mCH(Xd4ejir%@8-V`wk4va%8f6Encp
z0sJk1WM~02=W+ndCR&8%z@3?ihk1gn!*i(#4-6*RI^;_iTF5ZQ_SQ`v<ar7a6=YV#
zPlUrZ77|>yZt`TB!y9lS8&<diZa}P36AZz=n5`<A=GgAVA#Kd^VX_%RzC_V3I02T}
z_&5poV-N9Hcr8y*)rFyqvfR)V#T1@~w^5>GFiWF&9c(lrJ8hbb$I#+0oD5L~{F)pv
zX&Md9AWY3L!<JF7F9?q7B$I6YG_(S(3bHH-qaZh^8&ycGfiTwKVy|X#bZ`I%z!2>i
znk-L~Er@8yoTstr!qfPPI5<PJ!o;V|%*@~?Drd#q6lz7m=Fl4ap^S#u0Hj%FphUS*
z(F|uaO_R`MSrf4V7AM&(8V>R_h_fh<lGwQ^j;C{|bIU13e?*@|8IQv=ZR{L=U?37_
zM#o2};JBmO$+06S*C+-z1~^J=@^KXJA4JpcX!96xJZ3pgK;ucaZhPq2Di-Man4s<c
zA?(;=lsha8hG-TZI7WhUwu%7eDiriGOgwJ#;gmRBPlL&h*Ks7--UBU;&nUZ>%s~f7
z>9OMXzrHER1?QRzL&6;(hH;wj42ta^6j(f?_)Gl0Zeo*0J8Pn&;Cgq|y~%>>gM-b^
zPFLUluI`rnw^;D^j=PV_d98DIvsi9o$%&HB;<IG$MuGtQ5af9fZVY%Xi<96#FWqpa
zoOQVnAiik23&Cu7<|T*@f0Bzt09sXMf6i9xe3!ErF61nb6++esdyn)+6z66=jq)ud
zr*JMFCh;g5nmCVwag=Ylv*pgh%;gqGqiAg~PLlnzV<oI-t0*Ezh;r(J_t(ZVlP5{O
zah9CUj`69>C5*1VklS`$K9~(7<%9rhDx{-bZetv5p)X=0JR^y3j7uhmnG(wLExUbe
z4P$&RAAb1h4!KAsyIBuXFVi$S@Yi>?=a#;=To_Vml9`>+wEat8i~*EZacu{y4-{O0
zF)5<K!_Z`E(kzLCoY{7em_{EN=JR=A3dUm$1|;S)ljA~3ZVu*y$vP=0Cls~0EdJD3
zbI7=C;|_}0DuyclP}au#2cu|gP&IV5YgX6^w8>tq!2E@ln1d#q{psseFvLYJWSdbD
zR&%o$Qf0)VMjUN7gFM_AY)1LUU~19{*vL@WSqGPovdp#LQZbgZ!_TSE;@TBjJV|&7
zZa(jhxgj;U`~(kSQDke**03d{2(3IxW^s;2<J6rH_6?P*7n`8Kl`5JgF}Rpplc|ZJ
z!qV`xS&|0{I|+_;*=8_J%C!ro&iRXr;YNCv3X^NUiSu-8nnW>YZFIV0Ja7mFjuk}*
zAH<2he04?xibd!AxEsei<L($5ckZ0+?hA*;c(jv*JBmlfYZr4UMi<I7!2J`Ld4Y_Q
zbTdeYgJi}l|CoJ8<75*uCR7~SaDM`R+bKOffH>kn<4hx-?cv~7-Uoo1VZy4S@*s_4
z(EL@QGwW84%7GBG1R7D^r-6Mr+gy%@*HN%j^9Q%H()wfPz*ekOTrjaf!+^yf3UW$t
z68d!-Y(~?8TYh4^;wC94V^kt12HA~UYk^UX<rqdaZ>uU~Y?E0uWA9)BXBZY$V(j3L
z02o+4Vz8Tdl%$~<;1(KmJ+u^hdtVc_j27VjAuLr<ZnZEM3{4mt<-8ZQ!TyY#<f1j$
zk0U;tJzGr)&f|Ap@c48i+41;Mxj^7jJXc-txJ&WGqj9pnlMUGZYyhS^l)VdUp8bZ&
zGR#zRLm<e!OAk{XCe8zq*~D*5t2loK9W%k)oqzMEwV-AuNW%?xsrf2P?!U;x=`ae8
zm55_D{Oh_43|Rscq#ou^5P4TpmZ#=Sye$dGGPL2(zO5L&lHogZ?;=KTpYQ!gb>h78
zl7W;av;0^|qyF^{qw6l@L8EvS#nD<24+kb5PLnjpk^?j9B#47`GstFZvB}+yP$w=q
zDyG9puyat{{(~ac=qUGC@cRLre(yMZ`yGxc9tG<N%o6xR!8v%gmF0#{lHi1-d|Uwn
z%$TrVx9J(4-Bq7Q!Q3zR|3kvGTs)|NI&gBvIwr{w_8f#rtAlH&?^5KsVO%EN(Ml$c
zQ3sYiWj4okARI<<2*n>taUyvpJ&)sdXZgc6XxG{Eb_=(z#lpdzgQH}&D<QaLS3>9z
zc3J2G+2$u-&{xqAdDI0PK|xcI=ffY0?eOTP=wMl%@Qfa|SsvuG3>SwG+6kW@8>Hs6
zS&>7qXY6Z9!p@6B$}q};wJ|q^K51e|s1_S9Di|jL@4dnHXYtUCqS!Fe0iQ(Ea1h0#
z1U48A*;a-#F<jz83*pC&V9X4Ly=aBn&^qjImIrAL7}UZtOyVpVGZ}*&FVIQCEuvtn
zXu3NI&rCSO{V=Ep7GW}(VoftKlQolKuh0mG&N7pNiMBe-#uW{MgEEsBxfg5!EekhH
zxZhpAgcs;{lM_$PY11^}UVwif7)Qe(H}?7q$nd1wQZWIbL5!El*OFw6>fjQ%W-v|0
zQMd&NO@|-nAUe(DnF*&s8gS*yj#=z-z}o{*ZohD3$`PkyV_tzj&Nj(m1O(-#3;vF#
z2Y1}P{p$b>92AURoYCM9rFgIpT?>PI-Q=NtiWLJ8BQ==96oV{_)-h#5<opt?hZ|$g
zZ>VhD<mot?M7(Iu3)~w)%C!Vi|G2!mVS*{5juS@IJWEq!uM=Z6o|$}<+4%&+_lg$U
zZ?-Ik2I8`Q7Oh9|2IdPKVTW6>EJ08=c25vYK^WzuB;5}!=7x1l0$CO%<YPF+Nq~7_
zmhx@~PN>oP{%Fj}2HVY|^>{Ys#Txq*Y_X^C1Wr8{);!okxM6s5%%@jPj@@_5D$GJo
zjXhmA`E)%Z8@rWR5!;2uG*5$&kBPdg)L9<br(JR3$hy4n$d#-)CM$6o8i^eUxH~v#
z^Ueq}fiqB6i$jVVkYO+l)*{>x*+iJph_&emTKt)5GTsdKo7oh*hN+lyIWPGSQj_IL
z%J{+UlOP<p$7aDqaDWBFNks2sC+*E1n5`knfeXGsuUo_Y7K3b-;el$j00BY^2EjN;
zC)hpwO-(wQ*qEZ=f$m1}hY|);9>8K=*oOxFt?1mv0cBeBd~9HpY{rJGSa><x$_6<0
zV}u|Kka2q&Zy@D8e$XI+od%nzjooA`lRae*-^vEzMw%o!c7r*KtqjNK*_iHOU)jn~
zN5pk5{54$gAx0LCNNgWk3a_EFV!Xn8FyOJzrUTI$j+?D)Fb%?xr^D!WXzf~>1j8`M
za@30cKro7jgUqA{qOiP22G(&QqYFXKqX|bPf;7rZ9&vGk!9Lj^CyXZhp2^pvvO8xc
zpIIUX_}By)cOAjTw%Ie#5OihRGq_m9&cSJ8Jl;QuCX-o?<rW|w5V3O{D5watk+sEr
zQ)x0r7e)>68+sFVpOX-rZL(yRhI|5_3xbW}j$stkhTX*<$|xEoXQ|tA;7T<97{3Vz
z{RF-L^xi#%_@e|1Ylwr#%$@fbooAaR8+HVxz2I(lDJjarEZSMTVUpY4XKFEFq1<-C
z@zd!v*;y?g1&8Bsj)Hf<;HZE<6r2MOaI;P}4MHCMc+B8CT-=4Xt1Se{jgHLNqu0*4
z<hG9wtkF=guET*He<;rNqbN0-!FYU(_#Q`PG|@hvzy;3P>NtVJGV`D1^A}i!qF^GM
zUr=Ez>@28`o!il|;6=Il!W<Ullj(t-G}uu%(%^gvrN7{DH+5l2#e@bfWga8**V$^a
z!np^^^@?+8>>NsQ28>f|oQJ!M1x!%zVgU?6p1Tl$Q(=1{01B9<W!4@G1!nD00}2ue
zs2P7KlWZLp<Qe<EIH*z+n&^PR89K_f7WzprosLZ&jCU@c9)-b)12xK?BASQ~io3p5
zBoWysOkO;th0wbo+FMSGF!GjD<RVbbG#O9u^po4fT^HgS2GM9|xNrYb(XH%}6T`C6
zEgj4G_L#VWj6QU>NgKE<4O~CJ_zU7B9z?iEjsb*$u=6mYP1OB`9!5lt6y-V#XT5Xx
zR85P!S24la2Q*!D@3t_Yg7L9(kLlTJFuBzORv+`%@rF@4H;S+jfi|5CBfgInQL;}h
zxRr@bTA&()y?Fc)cBqEuq!^JnT+QA0gCiHt5w`dFUaWyrGf55@=2o!X)0MPFBe9wa
zhC@~W8J8DQGYxQw5j(kEj|9Vg_BtDGwuZlu_u;UGbFisxeL&d78{5QLv^$fIrXhY}
zdu}zdkdH#!(AuMZw~f06tGh4*xI=33n%^YdS<h_$dd8ix-+ICMK|aZL&e)H}Nr4-Y
z_bx6_W1OL^O-C4!T->M0dU^8~_>*92^L&_^a5?}0S7|XX<5&vW&d6Y(O4gCi%5#vD
z7Xlom!<{>nkHUa*CuD02{+@*S&U>GZg1_DR@iq(oPKVjf@nZXr7p{BXc;RF$J9fG^
zX3@XM?bGhQknQ<6fm_D9<ymB33$t{Eh_xC{k?r>i+@h+tFf81nDmM8j8s}zbQFRms
ziAxfB3n|+DCXLP5-5iDUCLGJ{ahsR1vO&N*mvKm+Wo8g$<qdFHi=f<PA)t{l#$RoE
zo%YUjxBb(dTOQwR!RxWf)8trr4>?Bu*(TfPmd7{&$FbcV-?I%qX>{hFuwp@uM&Ps@
z|Kso?kBYeFfwgeMXmJ-TTD)_^=*|tJIM6J+VbravZn%)834>{~xbGO_0_S#X)6p?`
z=d{~};}`Csv9DJ-Ca#K{O%{fS%@bBvfo^uX=fdG@f4Fn(Itr@=9J5f4TX45qbnj2r
z?qkAyFf#{CymL3kQHX%M)Af!E5l9cFJCETV4TrlK=5`AX4}-Jj_XDt6L;7^?gL#-z
zkKogUn3nCG8b|RngzhMNrv-OM*>K0-M`1p3-P_&j;coZXZ?<+$x3~Xv+g%I6*(_Y|
z+#j1f;v<A0oRPN#Vl1Olv!0rax8Pw>7{wIb#g)UoLJ;#q<rRW3DqkV!(gnDt>$(hz
zeNX95kJ<hn<9bNAaQh{m=NxdE1qSA3KHtaZOwozZ5qM=AD)uT9@I$7|$W3R^<CM#$
z>_9?J4)5c3TimyBm&?RV@Hzq$=IBzqD2J<Z_cdwa@`3kS=oY6%(=g3<Qm{v%U*LWX
zl)qbWxm${d>DDw)c1Gm(k4QI%Uw>hIOw;7xmK#VIZEh`dQgOY;U9yP6$+2>!^e>h%
zfS-=~V$#iIgM~4YO?DpDI0^#;@x&ii3^+WX6bXTJ{sZ#Me!DWScS{x&`*tE*7dUPk
z*e1%n-TZG?<}ut3hd+!_H)dUCex5gsQY18@IO2-|FodyLx9NGR$wS<ag2(;`ybTVE
zBoMWF@xh%DhaZlei!4;@HgQfK%Iyou2Km;sd>_E!jcmbfi!{Pw4d=%&ay8F4-uiY}
z94`i(%Z7s->r}j&VX4_HO_TKi_pTiX(!n@d8*n{>G{q6M51+$e0}*JXke6*~oP@#H
z47j$z&Mf003OPKF$R4f<(4mA$YVc}>Sv(Hb%-9Us9Mpj8mxrstMFzKNyH`c=Dkp1z
zw{fUAd=0kD^|Aq70%LS*7`uj6!X<vUAx2x#&lb1lO0k7>hC9lm92s`}9YOtJ5N?<O
zE%1!Z;s&&?3Wo%<d_$apapR^1Z8)G!X=vYU72!^R!7!Nw5g$InFkRNpjXa+Y?P$Y-
zb{P%T+pdHAW|y&MS!zk>^~*@;<{aHPQ37dxcjlb|9m+5;lZ4k<-LiS!!j-}ScCX#&
zK@~7USrUD&#jzGVTzfez-I?JLwVBQ@wp<ps2{+$nt3c)(#;Nq&)+e~V8YOJ4VuHOD
zxD>7Yt)iB&*II=`a0SuoJ<xA0bjsfrx(7Pm-fZbj&~GDj%HI(>U($n@ds})7^pk~7
z`MW}=d|T1Cu{C_F+nTpw{ym{nK1Jvq(D8)3rFTI8zR)S(PUv0G@o_mz?}GjVp;NxS
z(0ia?qonsh|Dn(+pDJ`8bbQJhC2aYi|48VR?;!L(=y;UN()*zQv(Tw_ryXIFQN3Yl
zZRIbN^d_T<X_U1!8O0k3o$?oj&ZxTVQ`lq_Z!C1mUlKZ_>K4>tlTkZK=#;-K^cHr_
zJ@p<o8MT`To$^<N&Y)weux)45ZYp%jUllroj%mu$8MT`Uo$}X&&Y-*JTEixzc5|Uq
z{<_c^ba&+?Y%*%M5IW^=2%SO4-SD<CjN&bYPWhWcXH?ypO6W1Fy^?O_kCk+fQFRv~
zLXT1Og--e7LT6N6(kS#8#lFxfe?sVts!Jw>9;0}o&?$dX=!`0keB4!!QT#ihQ~s3D
z8CCb3Xy`GD*AY79PYaz<#evw?&M012=#)PrbVe1&R7+<RuP1cMpA|Zz>fW*(dW_=r
zg--c%LT6NQT(Y$@iZ>8C<<AS9^6{m9m0|rrskibz(KBuz6g}k=M9)BdNc5CB{o5Iy
zk@<VkQ})E3q4)>UQ*Mf$zW=c3DYryVXMaTWl-r`GcRwn6${o?uo&P9$%3aaZU;iX}
z%2}!JvD@PwDeiBN?mQRf6zqP_%DK?l?eUHPtEV^5Ep*B=p|jiLd*GH%=blICln)4<
z-5%epv~>FVZ-h>HQ|RpW_=1b2)Ai>SI^}~xXSc`G5|++LoKNVKw}j4ak9(6Xoq;*O
z&?(<n=<N2mRo~JXr(Hs)d_SQxP8Se8hXLO5W6i0)zt9=B3ksc++bJcT>Zqi58CAR>
z9VP5Cs=p~aftBwgbVe1A!CN|`_*<b<-Y;}U6-gpXXB2-Ybjo9)GpcSe6?PfL-wU1c
zMCgnvZl|%eGm3u@I^|gCjOvX_I-~eUp;JzT&Zy!RXq2$aC>|0z<*CpaRiwErol$hl
z+^}cm(}d0_-lU{6isvY!X601qj3QoxiV}7i#d8Xs@}Q)57*%{?l=Kdx`afmct$c5x
zGpcxFm!&g`|0{ILfzTOMd;#0i8O5Ipo${K{8C5*^W$BFK&xB4n6gs1dTbeDMQT#ul
zQyvPPQT0nYqxf^7Q#L|pRPiDWl(54n{zB-KM?z;*@c{r!XH<VFbjs^OXH=1nwsc1I
zS3;+}A#_F+PtsaCqxfr~Q@&$KZ!@a6?}YR=qxvr;-O6_oI-`nrL0CGY_^(2zd}pCE
zs`&Vxr8A2ECUnYo5jvxa@77p4qxkPar+inTGpe|6%+eXf{}4Lmy9u39#nl%}XB7Wa
z=#=j+bVe1QyR~#i@xO#l`5r=NRPjzzOJ@}STj-SUDRf2^_jy}7qxfT?Q@)qb8P#S<
zXB2-Tbjpt^>3xRrGUZtAGs^hpBuZ%2j}|(^c3Gh_%J@`*rBnSFp)+ik6FQ@eTg5D$
z>c<M5VY|H08D(73vUI8+Cv=AGZ-ve%Bh_r_R6kzm4BHii&M4y<IZLPd2|{Pst|)Xy
z8SinlbgG{ybcXFpLT8lmh?b>O{Uo6?Y*!XKql`<8mQMAPh0d@wgw7}rOFGpLDCs_<
zdZCi;Gpe|O1|_uW2MV2GyRgt1RlH{0(y4xs&>6Oi2%S+qwWL%1V4*W?7Zp0AdWVuu
z^+SZtuw6{(j4JN7LJ6(<p+aZaE-rLN6*sR~I@J#oI>UAep);!Z)|;hM{cxc(Y?l-|
zqlyP4ES>5{2%TZOl+YPfyg0?useYu;8MaFcol(VW3M`%Ke{*8frfoLeSngW+-$l<j
z9TYv~{}4R`vn6`U|0#M#;=ZD%{9mGHWbP+=%Kt5T`uhH&r~G5l)42~2J>{Q>p5A<*
z=qdk?=;^)(iJtQRik|*@u;?j&r_|d7$)wa<`MaX0zjzS^J*{iy?}?uNO2nS>_eD>C
zO+`=n2coCHP7^)lABvv-N<~lkN1~^{GSO51XVKGNx#%hXi|FaEndmA1tLW*k1EQz=
zrBZKG5n-vf@|Q(V{|!Y?`75HQzl`W9e^vDK*GTk~zb1P6YhCn|zb<<EYeV#uzae`1
zD-u2BZ;GD&x{v57e@pcA*M8Ac{<i4pud(PUf1=debN;)QdMkfY^z_%=L{IrsqNl&^
zE_%wJ7CrrS57ATpjOgjFdy1a&XGKqc-AnY8KPP(nYan{cpBFv-b#KvA{(|V~uR!#a
zzbJb8Yfbc&FXE=lraj4jQK`4`MMY14y;$^=FD82W>m{P6d~wm!UoRCs<x7a3{(70{
zDPL0b^w-NpPx(@!r@vkyddim;J^l4c(Nn&R=;^OliJtOhMNfadTJ)69Q|j&M^fOAm
zmH$Tc^w%>*Px-u}r@x*hddlY$J^l4;(NjLZ=;^QLh@SE;(bHeg6+Pt(h@Sp>p6DrG
zQ1tZI^F>ejLZYX?ULbnP7ZyGJ^+M58{$1HW?TPE-O1+hTFM9gx@uH{v2hr1CPY^xj
zKZ>6IdZOql9}+$N^(4_#=0zbKubTF3^U0#8|IShFpFO>Nis<RTbBdn+daCFtpG)-g
z*V9B#`P`zXzn(67%0DgJZ%+{)QtGYzGttvu4;4M-{}Vm^^)S&>{<-MsuZN4C@-IYB
ze?3C<lz%CD`s<ORr~E6?(_fDgJ>_4Ep8k5Y=qdk3^z_$bL{Is*qNl$eD|*ViOaI!F
zvA30aD_>3Y^w--(Px<Pir@!7Iddk-jJ^l4g(Nn&r=;^O_iJtNv(bHe=7Cq(TL{ERc
zNA#4hC3^bny`ralZPC+T?-M=cy`rbT-Y<H}mn-%5wC6RY-pZF3J^l4s(Nq3g(bHeA
z6FucCh@Sp>z33@lQS|iJ8$?g}N}{K~-Y9y?R~9|}^(N6%Zit@#db8*$Uq$rv*IPtS
z`KqF)zuqePK7JPJm5}F@4|BcMvu7WdaO{qiU*=9``mI%{3iV1zUp`!{DPK~oDZgB-
zDL+E^O;8K<N=VONN~|frLaZr2Qmk8`;%X{N$hcfutSP@ztSLXrvAtFsRCm*1$f#XL
ztSP@rtSLWQtUI9M+CNIjm|j+_DZg5*DL=-sJ$sIHIpKHl6L&tKgzN#Y5o^kibz0A!
zL0w*~d-#dlKu|*VkJpMd<;OX#XV0(xR;+#ebhkr<>^-j&Ys!xoYxbrqh&6kYyCE>7
z_Vr>-d8@Rx=Vs?Gt*!i=l5gev3ZMODm+&b+SNN3gCw%sh3kaX`^Mp_N{=#RUxS;SU
zKVSHiA0T}8f(r?s@(YAd`GLY`+%GJA$}bc?<p&9$k-muVDZfbglpid7#`dDZr~G2!
zQ+|l>8O@6cpYltDPx+z3XZ$WMe9A8sKINq3+jGZ5Ztm$=`AH?;%2VMper`GmJ63+O
z@Tosd_>A8<%Jx|KDZ-~d6+Yv4PT^C2s_-di!e{)>C49<H6F%i!_>AAVg-`kE!lyhF
zKI3;D;ZuHw@F^b<KI8W{!l(R9;ZxoeKI3;@;ZuH=@F^b@KI3;j;ZuIL@F|;;Z_jOi
zQO4KGk0|+8#>XpALeHM-{!;ji=Ocwrd0qI7->-yE`BB2BydiwX@7Kbo{Al4*j)c$n
z{YLndA0vFq_Ypqh_gmppeys2*?-xGf_dDTJew^?rkA=_p{a*N#A1{2$6X7#{e-J+9
zCkUUiyTL5<?78+Ih0l0CQTUW!SJrROz5lN44_5wE$+z<Bh0pk1NBERKEquyv5I*B~
zUEx#yjPNPHQTUAC^@LCPv%;tRCgC%F*B3tJ&k3LMn}yH#-9Y%1KQDaBZxKG@cSGS*
z{(|r+zg75*-;IP%`HRA*{5Ih;em53A<u3`J^4o>a_?;wt%3l^f<(HIvn;Y;-zLo!>
z<Xicr!e{)rNaHHU${!X!^)C}X<Hu#0<x~EM@F~As_>3PHVwO+&qr#{B3gI(;TzXkP
z<$n}D<yQ)y@#Esk@+tq5@F~Aa_>3QyQ<hKpW5TEWYT+|}TtHbq<&O)W@@s_8_;JZ(
z`IJ8)e9EsCKI3<y#EbGLg-`ieCEw;Qu37S}{H~I3<!1|@@!KPO%I_9F<>v^W@jFiV
zl;0zK%Fh)(<999LQ+}`TDL+s6jNi3|Px*bqr~G{3Gk$x8Px<}Ar~CrpGk(VlpYjKU
zPx*zyXZ-dFpYjKVPx(c{XZ%hOKIIPypYn@^&-n3_iv7XLe=mIMpHT8`Zsm$){Z@WM
z$+z+oh0pk1N%)lCD16FK5<cU1W#LnPlkh1&S@?`!L->^6EPTpO5kBL072#8Ui|{Ew
zRrrkGRfSLat-`1LG~qLTyM<5rZNjJgbm238R}((vw+o;0Glb9hU0wK;-ywX;&lEo6
zcMaiFey8v$f2ic!+|O-GzLmdM@~!;$!e{(W5kBSb3!m~o2%qu0o$x9DK=_nDEPTfA
z_QI$9L*Y~Yi0~P|Q-x3YN5ZH4QQ<RwcMv}1e-=LFe-u9BcSqq<{ukj>{wLuxes>Z+
z<$o1E<&O!U@w>C|DgT@BDSuq}jNe^^Px;@4Px&1s-{z)nQu3|*m6C7ecM6~JyQ%Og
ze^vOD-z9v;?`FcM{59cIez))$zncr6^4En=`8~pC{B9w9%HI$^<@XAo@w=t)DSuP=
zl;0<O#_v|br~ED9Q+~hj8NXW#pYpebPx%AFXZ&s>e9GSuKIIPzpYc0c_>{jZe9CWf
z>+817mR;ZJeJj6N^o-XHL{IrGqGx<=D0<3o6+Po|BhgcSo9OBP8;hRu+eJ@*pCo$9
z?+`uxdlS)9ey8Z^&zp*#^1DP&|J_XVl;16S`s?PR?<4>A2Pb>0HUadC(!k2R`2z<?
zzqty7Kh7D@gRc|=%Dnx<8h9``G-p7UzDf)z^9B%W&}2%m$SR^q^zp03fHH3Zu?Cc1
zBYOIr_k37A<=2XyK0nd5$hY$AL{Fdpo#-jQUi9?&bwp434Wg&duPb`WZxlUaa6Qp8
z2LI<|Z`CGgo>v-J`Pz=)dyK))o$RgJEY0)9fHBzX2)@S{{KCoJs!h|pKnxgz;~l~G
z7=vFr*;}=Fniq-zeZJ2Te6NL|{mRMSs!i0qNDLT+6CA<!+A#RFlf6}&sd=#&FiO0^
zic$1BF!;@!0mJeVF`&#_tgJy72EUy%V4Pkm29$Y|l{M(W;CFKd4BX4afHH5hvIag3
zem`fx$i7?*DDy@uYrshVhZxv&%~MJPD__MC{8dK!Kb`EY+I-DZ#ek8%sw4QTjP!pw
z*;};<o2Q8ZBfZ-Z{8dK!zn$!@+KkQ9#ek8%nj`qDjP#G4?5*0A%`?P+k-oYk_^XWc
zPn_(n+MLZZ#ek8%h9mf^jP(CF*;}<qn`emuBYjOr@K+h>|8=srYO^-a76V3lk0bc2
zjPy^P?5*0g&2z+nkv`55{8dK!XHNE3ZQka&V!%jW%MpAlf34Kpyv=&4xANCT&p2*~
zp7J+D&#*<Jr~FOPGfMXnJ>_qSo<Z3!ddlAxJ!3EyJ>~C+o-Ut=p7M7^PY=6Sz=pn+
zzbAS+G!c8s-xodoHx)hQ&y;$b7rAGtxAJF2Pk-G@^prm*dirZ1ddi;{J^giW(Nq3{
z=;^OO^pw9SdirZk^pw9OdipCAJ>@Tpp8n%&Y&cU``75HQzxcT<tEc=`(bHcesh{#k
zO1;fHoLcIw{87=<Uw05a<$n}C{dGstQ~oE>(_eQIJ>`#yp8mSC=qZ0(^z_$VL{Iq>
zqNl&^DtgMF6g~ZSH_=o6l<4WNyNjOkr$tYH-9z-0-&5-CdHpR)y_Mf9div{@qNn^m
z(bHeI5<TVji=O_vwdg5-K=kz2ZA4G`gQBOuP8L1o4~d@sx~=Fb|GntxuTw-%`5#12
zf89>>ls_zb`s?<hr~F@~-kvw#uhd)lzeP`f-Cy*Se=K_X>j9#t{1egBUk?;L<^K^q
z{q-QxQ~qDk(_ar3J>{Q@p8k4>=qdk9^z_$5MNj$vL{EP`O!Sn0E_(Xw;i9MfgHmtL
zOHV8HR{o*r=`Vf=jPrw)e<XVPi?1TKddmMSdiu+Kp)~ZZ{4b)Xzh<(1%Ks{Q`s;w`
zDgT@3>90-EQ~r0+(_aTgPx(JYPk(KRp7MW+p8mS8=*xR73JMFJgK;t*NW-6#-T&@E
zHCGmS#i?kG2m9h~1b6FR&33!Caq3CuD<Ah=Y@gf68QBl)Biicz7PoP@{cvS*`>?_D
z(sw@R`L?}YJTCvB-=3?|E^Obm)BV5Lrp5ho7s3~Lu*bb2cV0Q4yDh3_yItFOkiW-0
zL2}f#akTdX<KRIj?s2z3o@Ms~_vAe2#Kt!4hrKuGaQ(_XzQ5QfkGx;$+rX5F{lEkK
z=)?FQ@o_K7LHYByX|ptk+pqcdgXd)T|Dx?;TipF+i#*t4f3|15{AKrJ`^L*(c0bOn
z@p93X^SRqIYyIWO`;{GW%lZ}O$TL1B^=-H@iMM2+595FI0rx_(Gd3pe3x~A*axbcy
z_YrtbcK<KhLZ0VY$^9z@_Sm0Ow<SKd6^m_g+t{8yuzVYc$EhoJt#ZcVv3wiw)zRJ$
zH}}uS7A<nJ`+w2Tkmq?W+KW6FkF!q9?cJN&ew?*pzI;E<teBs5`mQ}~(_+4TW6%zz
zW!u=E@p1TVY)?FvZ)5w$$MS8Q8S&V@@v(eA;43W0=I2-R4JW&W?P7m{T;<t}!y*s$
zU>g@NpF5B;&&6-d6fSRZs3^ek6YufCZ~VEoIqo9<`$NA*c!;|Kjw_3NS06d&#<9+p
z#WtXzjSk2CHSRYmali3iF!viTLU6y4$8^8Zc=sFkmAc<}e%<}X`@Gz5EXLe#+!x?}
zBNym?<9;yr8~0W(?&qQ6m5??3&>=orP{WG{4r=(JLwqc;hSTfHb`KrmOX6z$CEJ~k
z2W*^t=#afWuhg@werDPf{x;#(K}!A0+QW{e@O6BdKiPWC&&%3#dhuocSyE3CpvC<v
znpwk_wtv}vEvf&|A*)&3?&-&u?AOxzm-3gzoqJGkr(O>$*@pPq+Ux#bhA-P+H~tpe
zzYJd%$EE$jPA9ecx62R3G*hepFNH7j+cMm}!|sUvzifUkHn3RFVd6s7B7a%D{!;$j
z*{&@+ez3*8`MTb3_4#(0-<FNLW#gqdT-UZcKdxOt+gw@v4cXb8%dXIC99I@?x3i!P
zZjFrs*|iJXop0wnK3^7ju7>$`ySnY`q;0-nzRYv+d;884ezS9)psWve&J%1o%=yN$
z<Khy0*}SuKy~qYEj-92)-JSCUmSyXkW$W70k1vfQr@wl<mhyMb6Xx!=U-a9u<Lk2i
zzjK~o%d+*#{IMCncJj`7f-TF|e>?cu+dpUZ^8{Bgrd>Ib-`iENcElTf_&M7o+;8{=
z2Fxz_!&Uq!8O+is=1a;Qj(a~Q**afG?=YNYjQC!4hroK8CZWkPex}0V*xq>TJ|E~%
z{Ev@wxQ}l})9z@q_?Fr{2j5wVX5j%vg%6F);^^RDxSj?Rg@C&rT>S?}>7Swu<J5hR
zcfJMqAdjnM-NYu1w0%K4gM-bE(hN9Yxh9{vuXN9E6gIP=`{w1m25ufF;r?N=$&VE{
z9X{3LnmLNr2IC~zKhr9}wUV{*%;ZUuZz#>3k4i8bMw(Bsw`r0Y#T=K8)}nZ5_&EaC
zI&`6_sbbiZwefy_^33t@Kk#rPRq=6L=fhX=NDB(uV!yLIUq8@#=SK@i(YVqQU~w|6
zV7S$EXhMAdu3ib0(~U$|&O0_9jgxhy0xYEV8-6UrHF>`O<>7P~1)3r5y5nHT^3<rK
zVSe*zGRw8#p_V8fMRBwi#KVD!htnjjIB$MTrNc>}>;t}abO63lbchwaY(Jjpb`k%>
z%6`VX?pAmuGZi|6xRvEq6kW%CS8%>^^w&I^YJCJPilzsZt>PT5n9vsM3WI5|7LB8P
zt2Whz!E`XoOd3~=aA9~9jgnfY#^w*I1ARVTQ5I&A(nL6II-Mq3^YKwAG-MD56O&DY
zu+oj^dsSw}Q9RS?z}LlOQc2BbFdi$-z}_+7ivtMbA;>4w1DfaYJug=|_AgI^I75F^
zwt!e<COr^U_W~Vbl2r~?nBIcvbZqiqto1-n)LE8<QGl-|)*~B@l<mWrWm{_pP6RQ)
zCmf^2*#ajza|3F+Ft%wp*2XjTY#3GMP(aa?pFVM|M*ht;D@@|pg!ry#y@5p>GBpmU
zcWuhAn7Df3q$nL~qZ_J8m}^HC>`gk%l<mVP(~ahLAvXCa8s|pa1w_Dpd3~UC1gr%j
zV~oGr^g3;&1@J&@@-)#_0q{V!QJG(`FEYxVU+_QnB@CubWt2lT48vu<*&k{f$9L*n
z4EGlw|DEwO^~!E=mOPj)oyo#LTTP%{Q8v_6*w6iDOW712L5@uxRXPR_Z~+#MiUsPL
znshW^>*sw2&BRQmX_A|;qCr@z-@Ko<!?zQiZz`W>pC_TA{QB-Z$X%ANhR>_e82O&{
zyatO}975bDm?1ko4=p_43@W42eG+-@gS5^B|HEOG&m7Myxjx}%jptE&tiYFhx2Baj
z8;bJt#Pb%Irk8w<*wL^nIHJsb2DkkD@ceGVIr52NXN~{i0QX7Zc^vNNCxqug9A5O#
z1TV7mPXW)fFt+EsYd`n9NSNC%>!SIc!YsV-Ip2AEta|3`i_iDYR{%!+6TS0wU>aNY
zN#1!L4rIkAc;{jC1pCR|c@(bYCw3P>eo}WHguVT2?mUXlSNTltyb@E%++J7q7d@@)
z9`i=r4nK7}kGcX3ZnK}cbqp+{F~f!}e*VzGSX_rK1?yEYYsxPpE|}J_UKO*Zl_grS
z)jHOzV%C)3Q(V|;9qTDrtHp0EI$K*^1!7Bj3f5}zGmKT!3RIZZu~v&;Xsnu6pu)6{
zwOag!Y1Om>6{dBp)#CR|tELsGFs);)7Qby;HLXB}X$7M<n@Vp|uwE6jruClFQm|eX
zv!?Z)(^9Zr6|<)Gp3_pWUKO*Z^`6sGuwE6jrb;hSuwE6jrb;hSuwE6jrb;hSuwE6j
zrb;hSuwE6jrj=g8p3_pWUKOLMr}QQT>s2vps`MrW>s2vps`MrW>s2vps`MrW>s2vp
zs`MrW>s2vps`MrW>s2vps`MrW>s2vps`MrW>s2vps`MrW>s2vps`MrW>nT`kwcee2
z3f5Y!_nn@CwN~pLrKe!6)q1b!DOhW@-UWIJ)>^H{yQg5S)p~Gy3f5Y!N3y42t<`$i
zdJ5KBt;eXRV69#y9t>|4vWFQ3YxOE2vZfWNFs);)UL|VQv;q~Tb*$B^1k##Tpu)6{
zwR)A<TGI+tnAWjYuM%!+T7e4FI@an{dVn>pK!s@?YxOFf!kSi~!nBUHdP+a3Vz#<E
zt<_VyP8GAJby}-i?@d+6Hdw)0-AXs%7OGHTTA>kZbt~P(npU8~w2rm9m2P59D^Out
z$6DP=H?gJ_s4%T#t!|~8SknqrnAWjYx6)0lX$2}w>sYH>=_b~+0u`optktb_6Kh(5
z3e!5)>Q=gmHLXB}X&q~I>b<E7SyKgTbt>J2TdhKcX@y3t)v0t7Yg&N{(>m7bRJw^Z
ztw4oo9cy(e-Nc$!pu)6{wK|n<VofVhVOqypok};crWL3#tz)fDrJGpO3RIZZu~w(j
zO{{4JDopEGt5fMF*0cf@rgf~<uJ@)YWK9*U)vk0CZnX*(rWG2oR=d(otZ4-*OzT*y
zUFjy)v;q~Tb*$B{bQ5b@feO<))@oO}i8ZZ2g=rmYwJY7knpU8~w2rmfm2P59D^Out
z$6D=5H?gJ_s4%T#t#+lGSknqrnAWjYztWp5uZpp{DnweVU+*TpDrQaVv{t{~O?p+#
zn$~Hpe!ZLYs+cvc(^~y{H|bR|Yg(tZ`t@$ot76u)PHXk+-K1B=tZALr>estTuZmgI
zI<3{OcavTfv!-=gt6%RXy((r+>$H}y^rk9C(<)?plV9&9y((r+>$H|%?<Tz}W=-p~
zmS68Cy((r+>$H|%?<Tz}W=-p~mS68Cy((r+>$H|%?<Tz}W=-p~mS68Cy((r+>$H|%
z?<Tz}W=-p~mS68Cy((r+>$GMyP0Vi6Rj_6?CtUFA{iIn<02jP^r)VnK-mZc*mDFxm
z!J0}Qx2s@HC28ALu%?os?J8JPNyl~-tXa*y7JgCUQBAa3o`N;2S=EB4#G{%*EqF>i
zs`=7_S09nhYI3yT)rViRnh7m<^|98hracQ@ePA`KInIJtA4Sb-LbKr2hfK4Yy)1Z2
zJgTWm%TussH7{B4lz3E=kOfbPM>XSE@RWE|(~AX9iAOb;Sn!m1R1=2<Pl-o0OIYxf
zcvMq@1y6~GlK<-}SX0UWbrr0s<o~(~)>QI;T?K0@`M<7$HI@8dSHYS}{;#WGO(p-=
zRj{U#|LZDPQ_25z6|AY`|GEm+RFZvN1#2pqy{>{al{8*g!J10WuB%{8B|+C!u%?oY
z>nd1NNxgLytf}PLx(e1*l4@NAYbqJEu7Wj{bXixyno4f0t6)tf5!O|(rjqsQDp*rV
zadj1}spPY|3f5GTS6u~bDw(RTf;E-2R9C^8N)D>4U`-|A)K##il3nU5SW`(Qbrr0s
z<c+!t)>M*2T?K0@8KJI%HI?*FSHYS}uBWSDO(n6@Rj{U##px<oQ%Tu$6|AY`XSxd3
zRFW}W1#2pqm#%^}l{8CN!J0}=rK?~~C4tgau%?nN=_*)LNsV+Btf}Ndx(e1*k{(?J
zYbqIzu7Wj{bVgUfno91Xt6)tfQPEYfrjnKDDp*rVL39<YspK2F3f5GT3ta_kDw%|?
zf;E-2L07?=N{*nbU`-_<&{eRea`xX<u%>dV-&L@ta$et6u%>bn-&L@ta>m|Ou%>c)
z-c_)saxUJjVz>t^tmk?><?OtpVErn_+Un;co^lS~QLw&(dDZiJZlQiA)2Xs}2GCb9
zuX^^++Un;!ohqxSt<LkRIRe&JKP&1~Sw(Gio>$Ezu(tZSQ>V%*YOC`+CEw7gV%$Rg
ztgByTaSNW3mFQG4)>c0^>sMJtZS`}rP8DNqbymO1Dr&2rQFp2sYpb*RRhF$y$%Awh
ztgm36k{jtLSYN?BC127}u)czMN)Dx?V0{Jil)Oqu!TJj3DY=%8g7p>5Q}Qnz1?wxA
zr{rWh3f5OJPs!7C6s)gco|3!iC|F;?JSCsgQLw&(c}k9_qhNgn^OU?#N5T3E<|(<L
zj)L_S%v1719R=$vn5X27IttcTFi*)Nbrh_xV4jj&>L^%W!8|43)KRd$f_X{~s-s|i
z1@n}=R7b)33g#)fs*Zy770greR~-fGE10L`v^ombS1?b>b9EG~uV9{%`|2oIU%@;j
zAJ$Q@zJhs5j;y0#eFgKByje%V`U>VLxwMXg^%cxh@@pLh>noV2<lH(6)>kl3$-{LN
ztgm36lAG%&SYN?BC12N3u)czMN)E51V0{Jil)PR?!TJj3DY?Fmg7p>5Q}TZu1?wxA
zr{n}X3f5OJPstN@6s)gco{~H4C|F;?JSCslQLw&(c}kA4qhNgn^OU?}N5T3E<|(<z
zj)L_S%v17{9R=$vn5X0{I||lUFi**2b`-3yV4jlO>?l}Y!8|43*-@~*f_X{~w4-2s
z1@n}=Xh*^N3g#)f(vE`l70greryT|BE10L`R67dRS1?b>vvw4$uV9{%d+jJ#U%@;j
zAKOu|zJhs5j<%y<eFgKBylqFp`U>VLx!jI|^%cxh^1B@c>noV2<a|2{)>kl3$pd#3
ztgm36k{j+QSYN?BC12c8u)czMN)EZBV0{Jil)Q3B!TJj3DY@p3g7p>5Q}WLp1?wxA
zr{ttN3f5OJPsvkv6s)gco|3!nC|F;?JSCsqQLw&(c}kAEqhNgn^OU@IN5T3E<|(=G
zj)L_S%v18?9R=$vn5X2-I||lUFi**&cNDCzV4jj&?<iPb!8|43-chi=f_X{~zN27$
z1@n}=d`H3h3g#)f`i_G270gre_Z<c6E10L`^g9aHS1?b>^LG@iuV7v^_s@K1N5T3E
z)~;syY3nOkTgl=33f5M#^S*+$mAt#JU~MI%?kiYZ$(8#G)>g9MzJj%t{I;)PZ6$N<
zD_C2}N&8g{?;1e<rGD9_tzdo?bH??nG;Ia*tC%ycUw~;Vm|w-5as4_<Tfuw<Yb!Zu
zU%}c+zS&o>wvt=+6|Ak~k$nYgD>-9d!P-iG*so%Rvy^0TTfzJ)=8TmXE0|x!oUsyP
z1@o(zGge}(V15;I#`Q~MZ3XkIm@}?l32Q5uU&Wkp{bE>K!Tc)bjO*9F+6v}ZF=t%A
z)YVonzlu5I`jxG=g85afFjmsSZ3XkIm@`&-n1cCL%o!^^Ou_sr=8TmdreJ;*bH+*!
zQ!u}ZIb)@VDVSfyoUziw6wI$;&RFST3g%ZaXRP!v1@o(zGgf+-g82&8R`SEXg0+=g
zu&-ckCGYDiSX;^Q`U=)o^0~f(wUykhuV8H@PwOjKTgl1#3f5NgufBq{m0YW@U~MI@
z>MK}V$)WlR)>iVRzJj%t+^DZ$Z6y!tD_C2}dHM?0R`Q#^g0+=grmtXaC2#2~SX;?a
z`U=)o@{zuRwUykXuV8H@&*&>yTgfT<3f5NghrWWfm0Y2(U~MHY=qp%T$pQKb)>iU;
zzJj%t+@7ysZ6%NAD_C2}+4&0AR`PScg0+=goUdSQCGX}dSX;@l`3lxn@@c+;wUykN
zuV8H@Pv$FFTgi#}3f5NgU%rC1m0XvvU~MI@<ttcQ$zk~l)>iUWzJj%t+?20iZ6y!o
zD_C2}Ir$3KR`N@}g0+=glCNNGC2!;_SX;>v`3lxn@<G0WwUykDuV8H@&*LjtTgmD8
z3f5NgH@<?km0XRlU~MHY<11KO$-($l4CTp(?*E%z$4uG1Yj@+MDCN6tw;IzR&+&HU
z#-3r69!KRVK^ja<Zqn?;UAr6JzJ`56VFT~a+_k&W+}8+`I1i%Oq_na%9q06|eGU6^
z$Ryn=up`)awCeU|eKro#23~tS*D#3N)iPFXcjO2fg@T5ix;0r##!=W9NAdo-mburb
zpV_TLoA%r>J`S&<9yU&irY1Y#rnk81ZReU+z8(87+cx{|<ZP~C<%_M)+=jtrH^Phl
z8$*NFUN`V+>A7aPH|L+Zt#Tdg#v4Hzgt<wVw9dW1|IBV3ymnKJMhuw&-zXm8HQ%M<
z$iSeYZV(KIgJMS6V`q)M!zhLE-q>vN|8N{+*&dS}xA*R_Ll?d$cFT@5sp`+JhE2k|
z``x@{``~<&v9Tj8tnD^Im?l|cl%$PpGs?q_C|+-@nS9fjxRE8ZG&GGVCWx(FyBk3~
zY>bm&7_4CyBifiG!`aw0ve^_bWXIkfe)HDxN!kd8Lu@PGFl8Nikei8#S<8`DGs{dP
ziW^a!n{*U}CfnP{lSVQ{EQ9fQs}aSSN%Ka~NX==pC^d~Wj1?P}#)cVBP1+dE;t&RV
z8(9>GrZH(ZHj_ASn1fU7^Mp>?wYw3G8UbcX(}=Q0&<K+Wn%mg3`?wR2sKK|0xxb@X
zK1<PT*XBmHk<7-!#v1pfbg}iV?TNXWOvgcP_MltsO=n}16@BZlh3-BBn=RW|+wKwV
z@NJ7YxZbi6#KUnEuUq#Ywy@<V;b1+X!$*xx<NSo6qvH(CD431&UAr6kEM~7f5R7N0
z5oC>QYQks~nPFpXi`=poCn@3x^W=a@(`aZ4D+$6ZGs7co;!O_bnBW>~NisG;oHdeJ
z-bhA`AV&8|O_oJTyl>a;#vL}ItPvYC%+N#EOd~a$NxI(*8(A_(ML*k&@{PtcNKKq?
zn9O92Fo+u<@B7mOoPN7Q;f|pR$3e>P7aZySIMZT$pN@!0VH<94$CevBcJ|6PqER02
ziD#3&<0#Ab?b~N3e&P%Y;6^-~H1cS|zHbeqQ9LxGJ#gvXJe`>Vhw<J~FwTnKwxUV9
zF-%O>h?Bgr5gb52iL!lm=XdRH4DhKEjNrk5jU3J<lP%juM5UZ8VzUX>z6SdO=f_>U
z8zxPsX%y#s5i<0kaGYc~)>b36hQ%blY!l~Z*a(vp3(4_T(TXE1Y+h<c(`39Er174K
z$+BR*I8L$^ji3PyX3;`<1TmH}w*ix;YW*?xI7wag`x>QhckOOWg8ilu#9KL!8KWQ?
z{~0^DZeo5OVGqBAf~l=BP0c7exVMoeV>8H1zPB+MXM<v>kIexywn!Sp>t=7`?vpSZ
zgh6iBlQc4!JK`Q;p%c&uEd0&Ed{6QJUTiZnF%|^}qI_$wx|t)~h}{alxPUj#yX6CZ
z&vMLKM>3I1DVvNL$4<+Ia|WFKSR4BKspS;tPIK_xl-eq1*RI_-l1+m=vR|q>v0S{}
zaF!>NAdkX7yM~jt;$RYmjryj`A$i+;!=#Pk`#Fs%=6lYWIPRT34>OKIp6xl=&INY%
z<MheyfnTc_=HZ@`kN2$C|BOwbThuloeZ^#rj9baL6+4*^lSvc@acF0TMihss2{H`b
zcs9Y8!Wv0BG^r(LtBrB8X)??+wvLTxeZypSVf3dD0aD7o!f})BIeG7GtZS^?7^TUi
zXzg5MWi%E3+H;#f(_J?TGMrmt&^9o-i<Kt7j)8sTk`g<|-f+5tf%*7UyXq{CF?JPe
z@(hPx`(=&>*W@PScB);gI3V-1xj6DC@p#J~H0G@rY#W&=H+Vb_0$3U2_)P26j7(~<
zhMcd$HsFLLoo~ZFdtkfacs!R?z;csKDjHsn642r#K3)<K^E5fYoeYjW57Y@K9Zrd@
z6ekr$1El7Yf;_<Y^Xh~~ag08dUlgnB3-ujie8MCen{}>v@NF2kmBt=(FdWZ@rok_J
z?QIm_a@pIk-;g=(^d4H!JLb=Aie6Fe0vsKu$b^HbVUo<^oMD*7_P6aJ?6Py-m^Z`O
z(~N_;ND5%NSM2m6592<^xJRUq)TrRiyZ7{N<BZrcRHt`?6{DJ`;WEV)Mc9wPkJcp%
zd{&!Gja~6(jeH}>aTXPgwi-OUJWODYyuxG+-<2|dvc}BBJjD$#sG{{a7$2tpl;n8W
zNKI&>13WmG9LxS<6dcCfw*FK*vEHe1i&JjwX4KPvyg1ox&J7gIclJ<R$*#Jjs#d_P
zWIW46=iv&MER}R*B@4Mwz}6Cl88%jYKF=NDE2V09s_mwYYVvNOz@(O8%Nmu;TCKoH
zO@3vKO46%VV0gngiMJ-nENk#Xah!v)#vb`}T(N6%q(6LNrCbjN<7KhEV`dtAQWFe0
zHEpI*ZjNi%)9+wx4@9;a>oVKF(AZm<Ejdn|YQMc#9=GH(U)JD+S(cu#7R4vX7lqD$
z{^O57fAPhv*@^CxS|<vj_)yb{+3K!cCmaaU6Zqk!xf=GIu<u&OUH|-tucY`|lhiVf
O)=qC7<)@BN%l`vOu@`gz

literal 0
HcmV?d00001

diff --git a/surrogator.spec b/surrogator.spec
new file mode 100644
index 0000000..777d12c
--- /dev/null
+++ b/surrogator.spec
@@ -0,0 +1,160 @@
+%define relabel_files() \
+restorecon -R /usr/bin/surrogator; \
+restorecon -R /var/cache/surrogator; \
+restorecon -R /var/lib/surrogator; \
+
+%define selinux_policyver 39.6-1
+
+Name:       surrogator
+Summary:    Simple open source Libravatar compatible avatar image server written in PHP
+Version:    0.3.0
+Release:    8%{?dist}
+Group:      System Environment/Daemons
+License:    AGPL-3.0-or-later
+
+Source0:    surrogator-0.3.0.tar.bz2
+Source1:    surrogator.config.php
+Source2:    surrogator.conf
+Source3:    README-Fedora
+Source4:    surrogator.te
+Source5:    surrogator.if
+Source6:    surrogator.fc
+
+
+URL:        https://sourceforge.net/p/surrogator/wiki/Home/
+Requires:   php >= 5
+Requires:   webserver
+Requires:   surrogator
+BuildArch:  noarch
+
+%description
+Simple open source Libravatar compatible avatar image server written
+in PHP.
+
+Features:
+* Delivers images for email addresses
+* Very easy to setup.
+* No graphics processing is done on the server,
+  keeping the CPU load low. All avatar images get
+  pre-generated for a set of sizes
+* If no image at the user requested size is found,
+  the next larger image gets returned.
+* Supports the mm fallback image (mystery man)
+
+%package httpd
+Summary:            A htppd config to enable surrogator on an apache server
+Requires:           surrogator
+Requires:           httpd-core
+
+%description httpd
+Simple open source Libravatar compatible avatar image server written
+in PHP.
+This package contains an http config file that enables the service on
+an apache server.
+
+%package selinux
+Summary:            SELinux policy module for surrogator
+Group:              System Environment/Base
+
+Requires:           policycoreutils-python-utils, libselinux-utils
+Requires:           surrogator, surrogator-http
+Requires(post):     selinux-policy-base >= %{selinux_policyver}, policycoreutils-python-utils
+Requires(postun):   policycoreutils-python-utils
+Requires(post):     surrogator
+BuildRequires:      selinux-policy-devel
+BuildArch:          noarch
+
+%description selinux
+This package installs and sets up the  SELinux policy security module for surrogator.
+
+
+%prep
+%setup -q
+cp %{SOURCE1} surrogator.config.php
+cp %{SOURCE2} surrogator.conf
+cp %{SOURCE3} README-Fedora
+cp %{SOURCE4} surrogator.te
+cp %{SOURCE5} surrogator.if
+cp %{SOURCE6} surrogator.fc
+
+%build selinux
+make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 %{name}.pp
+
+%install
+install -dm 755 %{buildroot}
+install -Dm 644 -t %{buildroot}%{_sysconfdir} %{SOURCE1}
+install -Dm 644 -t %{buildroot}%{_docdir}/%{name} %{SOURCE3}
+install -Dm 644 -t %{buildroot}%{_sysconfdir}/httpd/conf.d %{SOURCE2}
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/res res/*.png res/*.svg
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/www www/avatar.php res/www/*
+install -dm 755 %{buildroot}%{_var}/cache/%{name}
+install -dm 755 %{buildroot}%{_sharedstatedir}/%{name}
+install -Dm 755 surrogator.php %{buildroot}%{_bindir}/%{name}
+install -Dm 644 -t %{buildroot}%{_datadir}/%{name}/www www/avatar.php res/www/*
+
+install -Dm 644 -t %{buildroot}%{_datadir}/selinux/packages %{name}.pp.bz2
+install -Dm 644 -t %{buildroot}%{_datadir}/selinux/devel/include/contrib/ %{SOURCE5}
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/surrogator.pp
+sepolicy manpage --domain surrogator_t
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+
+fi;
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    semodule -n -r surrogator
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+
+    fi;
+fi;
+exit 0
+
+
+%files
+%defattr(-,root,root)
+%{_datadir}/%{name}
+%{_var}/cache/%{name}
+%{_sharedstatedir}/%{name}
+%{_bindir}/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}.config.php
+%doc README.rst
+%doc data/%{name}.config.php.dist
+%doc %{_docdir}/%{name}/*
+%license LICENSE
+
+%files httpd
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf
+%license LICENSE
+
+%files selinux
+%attr(0600,root,root) %{_datadir}/selinux/packages/surrogator.pp.bz2
+%{_datadir}/selinux/devel/include/contrib/surrogator.if
+%ghost %{_mandir}/man8/surrogator_selinux.8.gz
+
+%changelog
+* Mon May 20 2024 Daniel Demus <daniel@demus.dk> - 0.3.0-8
+- Add selinux targeted policy
+* Sat May 18 2024 Daniel Demus <daniel@demus.dk> - 0.3.0-7
+- Add final slash to cache directory path
+* Sun Nov 19 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-6
+- Correct DocumentRoot
+* Sun Nov 19 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-5
+- Add Location section to allow all in apache config
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-4
+- Correct license
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-3
+- Remove invalid RewriteBase directive from apache config
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-2
+- Require only webserver in the base package
+* Wed Nov 15 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-1
+- Require base package in the httpd config package
+* Mon Oct 30 2023 Daniel Demus <daniel@demus.dk> - 0.3.0-0
+- First package
diff --git a/surrogator.te b/surrogator.te
new file mode 100644
index 0000000..4722995
--- /dev/null
+++ b/surrogator.te
@@ -0,0 +1,50 @@
+policy_module(surrogator, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type surrogator_t;
+type surrogator_exec_t;
+init_daemon_domain(surrogator_t, surrogator_exec_t)
+
+permissive surrogator_t;
+
+type surrogator_cache_t;
+files_type(surrogator_cache_t)
+
+type surrogator_var_lib_t;
+files_type(surrogator_var_lib_t)
+
+########################################
+#
+# surrogator local policy
+#
+allow surrogator_t self:fifo_file rw_fifo_file_perms;
+allow surrogator_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+manage_files_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+manage_lnk_files_pattern(surrogator_t, surrogator_cache_t, surrogator_cache_t)
+files_var_filetrans(surrogator_t, surrogator_cache_t, { dir file lnk_file })
+
+manage_dirs_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+manage_files_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+manage_lnk_files_pattern(surrogator_t, surrogator_var_lib_t, surrogator_var_lib_t)
+files_var_lib_filetrans(surrogator_t, surrogator_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(surrogator_t)
+
+files_read_etc_files(surrogator_t)
+
+miscfiles_read_localization(surrogator_t)
+
+#============= httpd_t ==============
+require {
+	type httpd_t;
+	class file { getattr read open };
+}
+
+allow httpd_t surrogator_cache_t:file { getattr read open map };
+