fagenrules: Validate new compiled rules

When `fagenrules` was run with invalid rules it broke `fapolicyd`
startup, see below.

    # fapolicyd
    04/17/2026 13:52:30 [ INFO ]: Can handle 524288 file descriptors
    04/17/2026 13:52:30 [ INFO ]: Ruleset identity: 8b5126cc76e5372274fdf0024d2d13c274a52cda6611f15a577742bbace2dc99
    04/17/2026 13:52:30 [ NOTICE ]: SHA256HASH object name is deprecated; use FILE_HASH instead
    # killall fapolicyd

    # echo 'a b c' > /etc/fapolicyd/rules.d/99.rules
    # fagenrules
    # fapolicyd
    04/17/2026 13:53:35 [ INFO ]: Can handle 524288 file descriptors
    04/17/2026 13:53:35 [ INFO ]: Ruleset identity: 308521d067909a4e66a429c5fafaf864cfe4071b00ba40ac24d63f2deb7ef36f
    04/17/2026 13:53:35 [ NOTICE ]: SHA256HASH object name is deprecated; use FILE_HASH instead
    04/17/2026 13:53:35 [ ERROR ]: Invalid decision (a) in line 15

With this change, `fapolicyd-cli --check-rules` is used before $TmpRules
are renamed to /etc/fapolicyd/compiled.rules in order to prevent this
behaviour.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>

Author: bachradsusi

init/fagenrules

@@ -97,6 +97,15 @@ END     {
         for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; }
 }' >> "${TmpRules}"
 
+fapolicyd-cli --check-rules "${TmpRules}"
+err=$?
+if [ $err -ne 0 ]; then
+    echo "Rules file content:"
+    cat -n "${TmpRules}"
+    rm -f "${TmpRules}"
+    exit $err
+fi
+
 # If the same then quit
 cmp -s "${TmpRules}" ${DestinationFile} > /dev/null 2>&1
 if [ $? -eq 0 ]; then