Let's say I'm installing a compiled selinux policy on linux, like a.pp. I run semodule -i a.pp, which fails with a message like

Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/a/cil:713
semodule:  Failed!

How can I debug what's going on? The file mentioned is a binary file, I can't see what's on line 713. And I don't have access to the original built selinux policy code, so how can I deconstruct the .pp file to see what went wrong?

You can use the pp tool to deconstruct a compiled policy file into a human-readable cil file, and then you can check what's on that line. If you have selinux-policy-devel installed on your machine, you can:

/usr/libexec/selinux/hll/pp a.pp a.cil

This will spit out a a.cil file, in plaintext, which should allow you to see what on line 713 is failing.

Thanks to the Red Hat tracker comment for the trick:

Source: https://bugzilla.redhat.com/show_bug.cgi?id=1406969#c1