diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc
index ce8d0b3a..c4d2dca8 100644
--- a/policy/modules/services/nx.fc
+++ b/policy/modules/services/nx.fc
@@ -1,7 +1,12 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
-
-/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_ssh_home_t,s0)
-
+/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
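Review bot: The `.ssh` entry added on the last line of the hunk (`/var/lib/nxserver/home/.ssh(/.*)?`) leaves the dot unescaped, unlike the `\.ssh` in the `/opt/NX` and `/usr/NX` entries above it; file_contexts paths are regular expressions, so the unescaped form also matches any single character before `ssh` and is inconsistent with the rest of the file. Suggest `/var/lib/nxserver/home/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)`. The removed entry labelled the same directory `nx_server_ssh_home_t` while the replacement uses `nx_server_home_ssh_t`, which matches the type used in the new nx.te lines; the declaration of that type is not within this diff, so confirm it exists, since a context naming an undeclared type is flagged as invalid by setfiles/restorecon and the directory is then left with the parent's label.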
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
index 0ab8cbc0..ccc68c75 100644
--- a/policy/modules/services/nx.if
+++ b/policy/modules/services/nx.if
@@ -17,3 +17,69 @@ interface(`nx_spec_domtrans_server',`
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
')
+
+########################################
+##
+## Read nx home directory content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nx_read_home_files',`
+ gen_require(`
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
+
+########################################
+##
+## Read nx /var/lib content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nx_search_var_lib',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create an object in the root directory, with a private
+## type using a type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`nx_var_lib_filetrans',`
+ gen_require(`
+ type nx_server_var_lib_t;
+ ')
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
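Review bot: The summary of `nx_var_lib_filetrans` (the "Create an object in the root directory" lines) names the wrong directory; the body transitions on `nx_server_var_lib_t`, so it should read `## Create an object in the nx /var/lib directory, with a private type using a type transition.` Likewise the summary of `nx_search_var_lib` says "Read nx /var/lib content" while the body grants only `search_dir_perms`; `## Search nx /var/lib directories` states what is actually allowed. For `nx_read_home_files`, the summary would help callers if it said that the files read are those labelled `nx_server_home_ssh_t`, which nx.fc applies to the nx account's `.ssh` directory, so a caller can judge whether a domain really needs that content. The interface doc markup (summary and param tags) appears stripped in this rendering, so only the text is commented on.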
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index d7a15ea4..c6b8ae05 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -22,6 +22,9 @@ term_user_pty(nx_server_t, nx_server_devpts_t)
type nx_server_tmp_t;
files_tmp_file(nx_server_tmp_t)
+type nx_server_var_lib_t;
+files_type(nx_server_var_lib_t)
+
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -37,10 +40,17 @@ allow nx_server_t self:udp_socket create_socket_perms;
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(nx_server_t, nx_server_devpts_t)
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
+manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
+
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
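Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` lines for `nx_server_home_ssh_t` let nx_server_t create `.ssh` content, but nothing in the hunk transitions objects created inside a `nx_server_var_lib_t` home to `nx_server_home_ssh_t`; if the daemon creates the `.ssh` directory itself rather than the package shipping it, that directory and any keys written into it inherit the parent's `nx_server_var_lib_t` label until a relabel, so they would not carry the narrower labelling nx.fc intends for that path. If that runtime creation happens, a named transition next to the `files_var_lib_filetrans` line keeps the labels consistent with nx.fc: `filetrans_pattern(nx_server_t, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")`. Whether nxserver creates that directory cannot be told from the diff, so confirm against the daemon before adding it. Minor style: the var_lib pair lists `manage_files_pattern` before `manage_dirs_pattern`, the reverse of the tmp and ssh pairs above it.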