Let's say I'm installing a compiled selinux policy on linux, like a.pp. I run semodule -i a.pp, which fails with a message like
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/a/cil:713
semodule: Failed!
How can I debug what's going on? The file mentioned is a binary file, I can't see what's on line 713. And I don't have access to the original built selinux policy code, so how can I deconstruct the .pp file to see what went wrong?
You can use the pp tool to deconstruct a compiled policy file into a human-readable cil file, and then you can check what's on that line. If you have selinux-policy-devel installed on your machine, you can:
/usr/libexec/selinux/hll/pp a.pp a.cil
This will spit out an a.cil file, in plaintext, which should allow you to see what on line 713 is failing.
Thanks to the Red Hat tracker comment for the trick:
Source: https://bugzilla.redhat.com/show_bug.cgi?id=1406969#c1
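
The procedure from the answer above as a script, added here as an example and not part of the original post: it pulls the module name and line number out of the semodule error text, converts the .pp with the pp tool at the path the answer gives, and prints the failing CIL line with its neighbours. The function names are hypothetical, and it assumes the line number in the error matches the pp output, as the answer describes.

```sh
#!/bin/sh
# Added example: show the CIL statement a semodule error points at.
# Function names are hypothetical; PP_TOOL is the path given in the answer.
PP_TOOL=/usr/libexec/selinux/hll/pp

# Extract "<module> <line>" from error text such as
#   Failed to resolve ... at /etc/selinux/targeted/tmp/modules/400/a/cil:713
parse_semodule_error() {
    printf '%s\n' "$1" |
        sed -n 's|.*/modules/[0-9][0-9]*/\([^/][^/]*\)/cil:\([0-9][0-9]*\).*|\1 \2|p' |
        head -n 1
}

# Print SPAN lines either side of LINE in a CIL file; ">>" marks LINE itself.
show_cil_context() {
    awk -v n="$2" -v s="${3:-2}" '
        NR >= n - s && NR <= n + s {
            printf "%s %5d  %s\n", (NR == n ? ">>" : "  "), NR, $0
        }' "$1"
}

# Convert PP_FILE to CIL, then show the line named in ERROR_TEXT.
debug_pp() {
    dp_ref=$(parse_semodule_error "$2")
    dp_module=${dp_ref% *}
    dp_line=${dp_ref#* }
    if [ -z "$dp_line" ]; then
        echo "no cil:<line> reference found in error text" >&2
        return 1
    fi
    dp_cil=$(mktemp "${TMPDIR:-/tmp}/${dp_module}.cil.XXXXXX") || return 1
    "$PP_TOOL" "$1" "$dp_cil" || return 1
    show_cil_context "$dp_cil" "$dp_line"
    echo "full CIL kept at $dp_cil" >&2
}

# Usage: sh debug_pp.sh a.pp "$(semodule -i a.pp 2>&1)"
if [ "$#" -eq 2 ]; then
    debug_pp "$1" "$2"
fi
```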