Let's say I'm installing a compiled SELinux policy on Linux, like a.pp. I run semodule -i a.pp, which fails with a message like
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/a/cil:713 semodule: Failed!
How can I debug what's going on? The file mentioned is a binary file, I can't see what's on line 713. And I don't have access to the original built selinux policy code, so how can I deconstruct the .pp file to see what went wrong?

You can use the pp tool to deconstruct a compiled policy file into a human-readable cil file, and then you can check what's on that line. If you have selinux-policy-devel installed on your machine, you can:
/usr/libexec/selinux/hll/pp a.pp a.cil
This will spit out an a.cil file, in plaintext, which should allow you to see what on line 713 is failing.
Thanks to the Red Hat tracker comment for the trick:
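
Added example, not part of the original answer: a small shell helper that takes the semodule error text, pulls the line number out of it, runs the pp tool from the answer, and prints the failing CIL line with context plus the names that line references. The function names and the `PP_BIN` variable are made up for this sketch, and it assumes the line number in the error matches the line number in pp's output.

```bash
# Path to the pp tool as given in the answer above.
PP_BIN=/usr/libexec/selinux/hll/pp

# Extract the line number from a semodule error such as
# "... at /etc/selinux/targeted/tmp/modules/400/a/cil:713 ..."
err_line() {
    printf '%s\n' "$1" | sed -n 's#.*/cil:\([0-9][0-9]*\).*#\1#p' | head -n 1
}

# Print line $2 of CIL file $1 with $3 lines of context (default 3).
# Lines are numbered and the failing line is marked with '>'.
cil_context() {
    awk -v n="$2" -v c="${3:-3}" \
        'NR >= n - c && NR <= n + c {
             printf "%s%6d  %s\n", (NR == n ? ">" : " "), NR, $0
         }' "$1"
}

# List the identifiers used on line $2 of CIL file $1, dropping the
# statement keyword and CIL expression operators. These are the
# attribute and type names to look for elsewhere in the policy.
cil_names() {
    sed -n "${2}p" "$1" | tr -s '() \t' '\n\n\n\n' |
        grep -v -x -e '' -e typeattributeset \
             -e and -e or -e xor -e not -e all
}

# Usage: debug_pp a.pp "<error text printed by semodule>"
debug_pp() (
    line=$(err_line "$2")
    [ -n "$line" ] || { echo "no cil:<line> in message" >&2; exit 1; }
    cil="${1%.pp}.cil"
    "$PP_BIN" "$1" "$cil" || exit 1
    cil_context "$cil" "$line"
    echo "Names referenced on line $line:"
    cil_names "$cil" "$line"
)

# Run only when called as a script with both arguments.
if [ "$#" -eq 2 ]; then debug_pp "$1" "$2"; fi
```

Each name printed at the end can then be searched for in a.cil itself to see whether the module declares it or expects it to come from another policy module.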