
package/refpolicy: bump to version 2.20250213

Add a patch (found in an upstream PR) to avoid the following error when
the dbus module is not enabled:

   ```
   policy/modules/system/selinuxutil.te:102:ERROR 'attribute
   dbusd_system_bus_client is not within scope' at token ';'
   on line 155976:
   ```

Remove the patch 0001-policy-modules-services-smartmon.te-make-fstools-opt.patch,
which has been applied upstream (commit 65eed16b58015b08f43a096c202dae6cba2f0a37).

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Arnout:
 - Add patch to fix dbus issue.
 - Remove dbus from default modules again.
 - Remove the existing patch which is applied upstream.
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Adam Duskett 2 miesięcy temu
rodzic
commit
5cfe10ffb2

+ 0 - 44
package/refpolicy/2.20231002/0001-policy-modules-services-smartmon.te-make-fstools-opt.patch

@@ -1,44 +0,0 @@
-From c6d1345732c463cb45d8ba490081ad92936bfd69 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Tue, 28 Nov 2023 22:30:01 +0100
-Subject: [PATCH] policy/modules/services/smartmon.te: make fstools optional
-
-Make fstools optional to avoid the following build failure raised since
-version 2.20231002 and
-https://github.com/SELinuxProject/refpolicy/commit/cb068f09d224f90a97fa63a574fb423bbe1ceeda:
-
- Compiling targeted policy.33
- env LD_LIBRARY_PATH="/home/thomas/autobuild/instance-2/output-1/host/lib:/home/thomas/autobuild/instance-2/output-1/host/usr/lib" /home/thomas/autobuild/instance-2/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
- policy/modules/services/smartmon.te:146:ERROR 'type fsadm_exec_t is not within scope' at token ';' on line 237472:
- 	allow smartmon_update_drivedb_t fsadm_exec_t:file { { getattr open map read execute ioctl } ioctl lock execute_no_trans };
- #line 146
- checkpolicy:  error(s) encountered while parsing configuration
- make[1]: *** [Rules.monolithic:80: policy.33] Error 1
-
-Fixes:
- - http://autobuild.buildroot.org/results/a01123de9a8c1927060e7e4748666bebfc82ea44
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Upstream: https://github.com/SELinuxProject/refpolicy/pull/738
----
- policy/modules/services/smartmon.te | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 32c80f712..761280c11 100644
---- a/policy/modules/services/smartmon.te
-+++ b/policy/modules/services/smartmon.te
-@@ -143,7 +143,9 @@ corenet_tcp_connect_http_port(smartmon_update_drivedb_t)
- 
- files_read_etc_files(smartmon_update_drivedb_t)
- 
--fstools_exec(smartmon_update_drivedb_t)
-+optional_policy(`
-+	fstools_exec(smartmon_update_drivedb_t)
-+')
- 
- kernel_dontaudit_read_system_state(smartmon_update_drivedb_t)
- 
--- 
-2.42.0
-

+ 40 - 0
package/refpolicy/2.20250213/0001-fix-building-when-dbus-module-is-not-enabled.patch

@@ -0,0 +1,40 @@
+From eff537f7be038120ca06fc7c39f9817ae120ce00 Mon Sep 17 00:00:00 2001
+From: Dave Sugar <dsugar100@gmail.com>
+Date: Thu, 15 May 2025 10:05:24 -0400
+Subject: [PATCH] fix building when dbus module is not enabled
+
+Signed-off-by: Dave Sugar <dsugar100@gmail.com>
+Upstream: https://github.com/SELinuxProject/refpolicy/pull/908
+Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
+---
+ policy/modules/system/selinuxutil.te | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 86a6e5503..cd0e8762f 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -99,7 +99,8 @@ role run_init_roles types run_init_t;
+ 
+ type selinux_dbus_t;
+ type selinux_dbus_exec_t;
+-dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
++domain_type(selinux_dbus_t)
++domain_entry_file(selinux_dbus_t, selinux_dbus_exec_t)
+ 
+ type semanage_t;
+ type semanage_exec_t;
+@@ -504,6 +505,10 @@ miscfiles_read_localization(selinux_dbus_t)
+ 
+ seutil_domtrans_semanage(selinux_dbus_t)
+ 
++optional_policy(`
++	dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
++')
++
+ optional_policy(`
+ 	policykit_dbus_chat(selinux_dbus_t)
+ ')
+-- 
+2.49.0
+
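Review bot: Nothing at the declaration site in selinuxutil.te explains why `dbus_system_domain()` was replaced by `domain_type()`/`domain_entry_file()`, and the matching `optional_policy` block sits roughly 400 lines further down (inner hunks at 99 and 504). A comment above the two new lines, such as `# dbus_system_domain() is applied in an optional_policy block below so the policy builds without the dbus module`, would stop a later cleanup from restoring the macro and reintroducing the scope error. With the dbus module disabled, selinux_dbus_t is still declared as a domain with an entry file and keeps `seutil_domtrans_semanage(selinux_dbus_t)`, presumably with nothing left that transitions into it. It is worth confirming that this inert domain is intended, rather than making the whole selinux_dbus_t rule set optional. The `Upstream:` trailer points at a pull request rather than a merged commit, so the patch should be re-checked against upstream at the next version bump.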

+ 1 - 1
package/refpolicy/refpolicy.hash

@@ -1,5 +1,5 @@
 # From https://github.com/SELinuxProject/refpolicy/releases
-sha256  7ed41f4f45189b9ee9706da8ac357eccc103651b56daabaddb54c436e8117cf9  refpolicy-2.20240226.tar.bz2
+sha256  d2487c49420e8710e999b18bbe699fbff033fe5adc5127e3f0c7dafaa9b4d209  refpolicy-2.20250213.tar.bz2
 
 # Locally computed
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING

+ 1 - 1
package/refpolicy/refpolicy.mk

@@ -23,7 +23,7 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
 REFPOLICY_SITE_METHOD = git
 BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
 else
-REFPOLICY_VERSION = 2.20240226
+REFPOLICY_VERSION = 2.20250213
 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
 REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION))
 endif