diff --git a/roles/collectd/base/files/selinux/Makefile b/roles/collectd/base/files/selinux/Makefile new file mode 100644 index 0000000000..0f32a55703 --- /dev/null +++ b/roles/collectd/base/files/selinux/Makefile @@ -0,0 +1,22 @@ +detected_mods := $(wildcard *.te) +detected_fcs := $(detected_mods:.te=.fc) +all_packages := $(notdir $(detected_mods:.te=.pp)) + +.PHONY: all +.SUFFIXES: .pp + +all: $(all_packages) + +%.mod: %.te + checkmodule -m $^ -o $@ + +# If we have file contexts one day: +# %.pp: %.mod %.fc +# semodule_package -o $@ -m $< -f $(<:.mod=.fc) + +%.pp: %.mod + semodule_package -o $@ -m $< + +# so users dont have to make empty .fc and .if files +$(detected_fcs): + touch $@ diff --git a/roles/collectd/base/files/selinux/fi-collectd.mod b/roles/collectd/base/files/selinux/fi-collectd.mod index 2c0a469683..c1d326de15 100644 Binary files a/roles/collectd/base/files/selinux/fi-collectd.mod and b/roles/collectd/base/files/selinux/fi-collectd.mod differ diff --git a/roles/collectd/base/files/selinux/fi-collectd.pp b/roles/collectd/base/files/selinux/fi-collectd.pp index 8574dd2ce0..7af3149698 100644 Binary files a/roles/collectd/base/files/selinux/fi-collectd.pp and b/roles/collectd/base/files/selinux/fi-collectd.pp differ diff --git a/roles/collectd/base/files/selinux/fi-collectd.te b/roles/collectd/base/files/selinux/fi-collectd.te index 3e9c1d5509..82c1f13a11 100644 --- a/roles/collectd/base/files/selinux/fi-collectd.te +++ b/roles/collectd/base/files/selinux/fi-collectd.te @@ -1,4 +1,4 @@ -module fi-collectd 1.10.0; +module fi-collectd 1.11.0; require { type shell_exec_t; @@ -14,7 +14,7 @@ require { type var_run_t; type anon_inodefs_t; type initrc_t; - lgtype proc_net_t; + type proc_net_t; class capability { kill setuid dac_read_search sys_ptrace setgid dac_override }; class dir { getattr read }; 
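Review bot: The `%.mod` recipe runs `checkmodule -m $^ -o $@` without `-M`, so the module is compiled without MLS/MCS support; on a Fedora/RHEL targeted base policy, which is MCS-enabled, `semodule -i` is expected to reject it (libsepol refuses to link a non-MLS module into an MLS base), and the usual audit2allow form is `checkmodule -M -m -o $@ $<`. The file also sets no `.DELETE_ON_ERROR:`, so a failed `checkmodule` or `semodule_package` can leave a truncated `.mod`/`.pp` that looks up to date and then gets committed next to the `.te`. Given that the pre-patch `fi-collectd.te` contained `lgtype`/`atlow` and could not have compiled, the checked-in `.pp` was evidently built from some other source text; now that a Makefile exists it would be safer to rebuild the binaries from the `.te` in CI or in the role rather than trust the committed blob, so the policy that gets loaded is traceable to the reviewed source.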
@@ -22,6 +22,7 @@ require { class lnk_file read; class sock_file { read write getattr }; class unix_stream_socket connectto; + class netlink_generic_socket create; } #============= collectd_t ============== @@ -39,4 +40,5 @@ allow collectd_t tmp_t:dir read; allow collectd_t var_run_t:sock_file { read write getattr }; allow collectd_t anon_inodefs_t:file { write read }; allow collectd_t initrc_t:unix_stream_socket connectto; -atlow collectd_t proc_net_t:lnk_file read; +allow collectd_t proc_net_t:lnk_file read; +allow collectd_t self:netlink_generic_socket create; diff --git a/roles/collectd/base/tasks/main.yml b/roles/collectd/base/tasks/main.yml index 5090682120..eec1308d57 100644 --- a/roles/collectd/base/tasks/main.yml +++ b/roles/collectd/base/tasks/main.yml @@ -132,18 +132,29 @@ - collectd - selinux -- name: check to see if its even installed yet - shell: semodule -l | grep fi-collectd | wc -l - register: ficgeneral_grep +# TODO: consider using selinux_modules from https://galaxy.ansible.com/linux-system-roles/selinux instead +- name: check to see what version is installed (if any) + shell: semodule -l -m | grep fi-collectd | cut -d: -f2 + register: ficgeneral_installed_version check_mode: no - changed_when: "'0' in ficgeneral_grep.stdout" + changed_when: false + tags: + - collectd + - selinux + +# This cmd comes from the last example of the semodule man page +- name: check to see what version we have + shell: /usr/libexec/selinux/hll/pp /usr/share/collectd/fi-collectd.pp | sha256sum | cut -d ' ' -f1 + register: ficgeneral_local_version + check_mode: no + changed_when: false tags: - collectd - selinux - name: install our general collectd selinux module command: semodule -i /usr/share/collectd/fi-collectd.pp - when: ficgeneral_module is changed or ficgeneral_grep is changed + when: ficgeneral_module is changed or ficgeneral_installed_version != ficgeneral_local_version tags: - collectd - selinux
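Review bot: `allow collectd_t self:netlink_generic_socket create;` grants only `create`; a generic-netlink socket that cannot be bound, read or written is denied at the very next syscall, so if this line came from a single audit2allow pass the denial has only been moved one step. Before loading, exercise the plugin that needs it, run `ausearch -m AVC -c collectd`, and add only the permissions it actually hits (commonly some subset of `{ create bind read write getattr setopt }`) rather than widening to all permissions. The `require` block in the previous hunk declares `class netlink_generic_socket create;` and would need to list the same permission set.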
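Review bot: The `when:` on the install task compares the two registered results themselves, `ficgeneral_installed_version != ficgeneral_local_version`, not their output; registered results are dicts that always differ (`cmd`, `delta`, `start`/`end`), so the condition is always true and `semodule -i` runs on every play, which defeats the checksum comparison the two new tasks set up. It should read `when: ficgeneral_module is changed or ficgeneral_installed_version.stdout != ficgeneral_local_version.stdout`. `grep fi-collectd` is also a substring match that would pick up any other module whose name contains that string; `grep '^fi-collectd '` pins it, and the TODO comment could note that `semodule -l -m` depends on a policycoreutils with `--checksum` support, which older targets may lack.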