SELinux: compiling the exception module now from source each time

roles/rke2/selinux/my-openstack.te

+module my-openstack 1.0;
+
+require {
+        type cert_t;
+        type container_t;
+        class dir read;
+}
+
+#============= container_t ==============
+allow container_t cert_t:dir read;
\ No newline at end of file

roles/rke2/tasks/fix_selinux.yml

@@ -20,19 +20,36 @@
 #Target Objects                cacert.pem [ file ]
 #Source                        openstack-cloud
 #Source Path                   /bin/openstack-cloud-controller-manager
+- name: Copy SELinux Policies
+  template:
+    src: ../selinux/my-openstack.te
+    dest: /etc/selinux/targeted/policy/my-openstack.te
 
-- name: allow openstack CCM to mount the /etc/ssl/certs files 
-  sefcontext:
-    target: '/etc/ssl/certs(/.*)?'
-    ftype: 'd'
-    setype: container_file_t
-    state: present
-    reload: True
-
-#- name: uninstall SELinux debug RHEL packages
-#  dnf:
-#    name:
-#      - setroubleshoot      
-#      - python3-libselinux
-#      - policycoreutils-python-utils
-#    state: absent
\ No newline at end of file
+
+- name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files
+  shell: |
+    checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te
+    semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
+    semodule -i /etc/selinux/targeted/policy/my-openstack.pp
+
+
+
+
+#module test 1.0;
+#
+#require {
+#        type cert_t;
+#        type container_t;
+#        class dir read;
+#}
+#
+##============= container_t ==============
+#allow container_t cert_t:dir read;
+
+- name: uninstall SELinux debug RHEL packages
+  dnf:
+    name:
+      - setroubleshoot      
+      - python3-libselinux
+      - policycoreutils-python-utils
+    state: absent
\ No newline at end of file