Bug | Resolution: Not a Bug | Minor | rhel-8.10, rhel-9.6, rhel-10.0 | Low | rhel-security-selinux | QE ack | Automated
What were you trying to do that didn't work?
When building an SELinux module based on the output of sepolicy generate, the generated module is broken and cannot be loaded when a TYPE environment variable exists:
# /usr/bin/sepolicy generate --init /usr/local/bin/foo
[...]
# make -f /usr/share/selinux/devel/Makefile foo.pp
[...]
# export TYPE=TEST
# semodule -i foo.pp
Failed to resolve filecon statement at /var/lib/selinux/targeted/tmp/modules/400/foo/cil:64
Failed to resolve AST
semodule: Failed!
The reason for failure is the generated PP module doesn't have the s0 sensitivity, as seen by hexdump'ing the generated module:
# hexdump -C foo.pp
[...]
0000cd90  76 65 6e 74 0a 23 0a 0a  0a 0a 2f 75 73 72 2f 6c  |vent.#..../usr/l|
0000cda0  6f 63 61 6c 2f 62 69 6e  2f 66 6f 6f 09 09 2d 2d  |ocal/bin/foo..--|
0000cdb0  09 73 79 73 74 65 6d 5f  75 3a 6f 62 6a 65 63 74  |.system_u:object|
0000cdc0  5f 72 3a 66 6f 6f 5f 65  78 65 63 5f 74 0a        |_r:foo_exec_t.|
0000cdce
On line 0000cdc0 above, it should be foo_exec_t:s0.
Due to this, when loading the module, the CIL contains systemlow instead of s0:
# bunzip2 -c /var/lib/selinux/targeted/tmp/modules/400/foo/cil | tail -1
(filecon "/usr/local/bin/foo" file (system_u object_r foo_exec_t (systemlow systemlow)))
Note: it's unclear where this systemlow comes from, probably from some macro as well.
Please make sure environment variables do not affect the Makefile.
What is the impact of this issue to you?
Cannot load generated SELinux modules; very hard to troubleshoot (I spent 2 days on this with help from the customer).
Please provide the package NVR for which the bug is seen:
All packages
How reproducible is this bug?
Always, see above.
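The make variable precedence behind the report, shown with a constructed Makefile. This is an added example, not part of the bug report and not the contents of the real /usr/share/selinux/devel/Makefile: GNU make imports every environment variable as a make variable, a `?=` assignment keeps whatever the environment already supplied, and only an unconditional assignment (`:=` or `=`) or an `override` directive lets the Makefile's own value win (the `override` form also survives `make -e`). The function names `probe_make_var` and `classify`, the default value `mcs`, and the `show` rule are assumptions for this demo.

```shell
#!/bin/sh
# Added example: demonstrates how an exported TYPE=TEST reaches a build
# depending on how the Makefile assigns TYPE. The Makefile written below is
# constructed for this demo and is NOT the real /usr/share/selinux/devel/Makefile.
set -eu

# Write a throwaway Makefile that assigns TYPE with the flavour given in $1
# (none, conditional, simple, override), run it with TYPE=TEST exported the
# way the reporter did, and print the value make actually used.
probe_make_var() {
    flavour=$1
    dir=$(mktemp -d)
    mk="$dir/Makefile"
    case $flavour in
        none)        : > "$mk" ;;                               # Makefile never sets TYPE: env value is imported
        conditional) printf 'TYPE ?= mcs\n' > "$mk" ;;          # set only if unset: env value wins
        simple)      printf 'TYPE := mcs\n' > "$mk" ;;          # Makefile wins (unless make -e)
        override)    printf 'override TYPE := mcs\n' > "$mk" ;; # Makefile wins even with make -e
        *)           echo "unknown flavour: $flavour" >&2; rm -rf "$dir"; return 1 ;;
    esac
    # A rule that just reports the resolved value of TYPE
    printf '.PHONY: show\nshow:\n\t@echo "$(TYPE)"\n' >> "$mk"
    result=$(cd "$dir" && TYPE=TEST make -s show)
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# "leaks" when the environment value reached the build, "safe" otherwise.
classify() {
    if [ "$(probe_make_var "$1")" = "TEST" ]; then
        echo leaks
    else
        echo safe
    fi
}

main() {
    if ! command -v make >/dev/null 2>&1; then
        echo "make not found; nothing to demonstrate" >&2
        return 0
    fi
    for f in none conditional simple override; do
        printf '%-12s -> %-5s (%s)\n' "$f" "$(probe_make_var "$f")" "$(classify "$f")"
    done
}
main
```

Run it with GNU make installed; the `none` and `conditional` rows come back as `TEST` (the environment leaked into the build), while `simple` and `override` keep `mcs`. A Makefile that wants to be immune to a stray variable in the caller's shell has to assign it unconditionally or derive it itself, for example from /etc/selinux/config, rather than rely on `?=`.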