diff --git a/roles/distgit/files/cgi-nfs.pp b/roles/distgit/files/cgi-nfs.pp
new file mode 100644
index 0000000000..a0df2ccccc
Binary files /dev/null and b/roles/distgit/files/cgi-nfs.pp differ
diff --git a/roles/distgit/files/cgi-nfs.te b/roles/distgit/files/cgi-nfs.te
new file mode 100644
index 0000000000..5ba0dfe4f6
--- /dev/null
+++ b/roles/distgit/files/cgi-nfs.te
@@ -0,0 +1,23 @@
+policy_module(nfscgi, 1.0.0)
+
+require {
+ type httpd_git_script_t;
+ type git_script_t;
+ type git_system_t;
+ type httpd_git_content_t;
+ type nfs_t;
+ class dir { create write search add_name remove_name getattr open };
+ class file { create write rename setattr read open };
+}
+
+
+allow git_system_t httpd_git_content_t:dir { getattr read open };
+allow git_system_t httpd_git_content_t:file { read open getattr };
+
+
+
+allow httpd_git_script_t nfs_t:dir { write };
+allow git_system_t httpd_git_content_t:dir { search };
+allow httpd_git_script_t nfs_t:dir { create write add_name remove_name };
+allow httpd_git_script_t nfs_t:file { create write rename setattr };
+allow git_script_t nfs_t:file { unlink link };
diff --git a/roles/distgit/files/upload_cgi.pp b/roles/distgit/files/upload_cgi.pp
index cec2215820..9091f92664 100644
Binary files a/roles/distgit/files/upload_cgi.pp and b/roles/distgit/files/upload_cgi.pp differ
diff --git a/roles/distgit/files/upload_cgi.te b/roles/distgit/files/upload_cgi.te
index ea41d80639..f9ba1f3393 100644
--- a/roles/distgit/files/upload_cgi.te
+++ b/roles/distgit/files/upload_cgi.te
@@ -1,11 +1,11 @@
-policy_module(upload_cgi,1.1.0)
+policy_module(upload_cgi,1.2.0)
 
 require {
  type httpd_git_script_t;
  type git_script_tmp_t;
- type git_script_t;
- type nfs_t;
+ type git_script_t;
+ type nfs_t;
 }
 
 files_tmp_file(git_script_tmp_t)
 
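Review bot: The write rules on nfs_t in the last five lines of the cgi-nfs.te hunk are not scoped to the upload directory: nfs_t is the generic label carried by every NFS mount on the host (unless a mount sets its own context=), so `allow httpd_git_script_t nfs_t:dir { create write add_name remove_name };` and `allow httpd_git_script_t nfs_t:file { create write rename setattr };`, together with `allow git_script_t nfs_t:file { unlink link };`, let the git CGI domain create, rename and unlink files under any NFS mount, not only the one it uploads to. If the host mounts anything else over NFS, consider giving the upload mount a dedicated type via the context= mount option and granting these permissions on that type instead; whether httpd_git_script_t and git_script_t are one type (an alias) or two in the target policy is not visible here, so the combined grant should be confirmed on the host with sesearch. `allow httpd_git_script_t nfs_t:dir { write };` is subsumed by the create/write/add_name/remove_name rule three lines below it and can be dropped. The file has no comment saying which CGI needs the nfs_t writes or why git_system_t needs read on httpd_git_content_t; a header such as `# Lets the git upload CGI (httpd_git_script_t) write its lookaside cache on its NFS mount; nfs_t covers every NFS mount on this host, so mount only the cache here` would help the next maintainer.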
@@ -27,6 +27,3 @@ term_getattr_all_ptys(httpd_git_script_t);
 term_getattr_all_ttys(httpd_git_script_t);
 # Do not audit attempts to get the attributes of generic pty devices.
 term_dontaudit_getattr_generic_ptys(httpd_git_script_t);
-
-# Allow upload.cgi to make link on nfs
-allow git_script_t nfs_t:file { unlink link };
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 8a213060a9..bc5b6fc5e9 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -328,3 +328,10 @@
  command: semodule -i /usr/local/share/selinux/upload_cgi.pp
  when: selinux_module|changed
 
+- name: copy over our custom nfs selinux policy
+ copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
+ register: nfs_selinux_module
+
+- name: install our custom nfs selinux policy
+ command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
+ when: nfs_selinux_module|changed
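Review bot: The module installed by `command: semodule -i /usr/local/share/selinux/cgi-nfs.pp` is named nfscgi inside the policy (cgi-nfs.te declares `policy_module(nfscgi, 1.0.0)`), not cgi-nfs, so `semodule -l` will list it as nfscgi and `semodule -r nfscgi` is what removes it; a comment on the install task, `# module name inside cgi-nfs.pp is "nfscgi" (see cgi-nfs.te); remove with: semodule -r nfscgi`, would save the next person from hunting for a module that does not exist. The `when: nfs_selinux_module|changed` guard only re-installs after the copied file changes, so if semodule fails once or the module is later removed by hand the task will not reinstall it until the .pp changes; that mirrors the upload_cgi task just above it, so it is a pre-existing pattern rather than a regression of this change. The compiled cgi-nfs.pp is committed as an opaque binary next to its .te and nothing in this change builds one from the other, so a reviewer cannot confirm the loaded policy matches the source; building the .pp on the host from the .te, or at least recording the exact build command in the role, would close that gap.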