keepalived selinux module

files_keepalived_ping.te

module keepalived_ping 1.0;
require {
    type ping_exec_t;
    type ifconfig_exec_t;
    type keepalived_t;
    class process setcap;
    class file { execute execute_no_trans getattr open read };
    class capability { setuid net_raw };
    class rawip_socket { getopt create setopt write read };
    class netlink_socket create;
    class netlink_tcpdiag_socket create;
}
#============= keepalived_t ==============
allow keepalived_t ping_exec_t:file { execute execute_no_trans getattr open read };
allow keepalived_t self:process setcap;

allow keepalived_t ifconfig_exec_t:file getattr;
allow keepalived_t self:netlink_tcpdiag_socket create;
allow keepalived_t self:capability { setuid net_raw };
allow keepalived_t self:netlink_socket create;
allow keepalived_t self:rawip_socket { getopt create setopt write read };

tasks_main.yml

- name: Ensure SELinux packages are installed
  yum:
    name:
      - libselinux
      - libselinux-devel
    state: present

- name: Create directory for compiling SELinux role
  file:
    path: /tmp/ansible-keepalived-selinux/
    state: directory
    mode: '0755'
    
- name: Deploy SELinux policy source file
  copy:
    src: keepalived_ping.te
    dest: /tmp/ansible-keepalived-selinux/keepalived_ping.te
    owner: root
    group: root
    mode: "0755"

- name: Compile and load SELinux module
  command: "{{ item }}"
  args:
    creates: /etc/selinux/targeted/active/modules/400/keepalived_ping/cil
    chdir: /tmp/ansible-keepalived-selinux
  with_items:
    - checkmodule -M -m -o keepalived_ping.mod keepalived_ping.te
    - semodule_package -o keepalived_ping.pp -m keepalived_ping.mod
    - semodule -i keepalived_ping.pp

- name: Remove temporary directory
  file:
    path: /tmp/ansible-keepalived-selinux/
    state: absent