Troubleshooting

When anything goes wrong, review the /dev/secpolgenerate/errors file.

secpolgenerate generates new subranges each time it's run

In some cases, especially with abilities that are subranged by virtual address, secpolgenerate generates new rules that define new subranges for those abilities each time you run the system, so the generated policy never converges. To avoid this problem, you can remove the subranges for the affected abilities from the policy entirely and grant the ability in an unrestricted manner.

System failures that secpolgenerate doesn't detect

There are ways in which a system can fail that are invisible to secpolgenerate and thus won’t show up in its errors file. For example, if permissions are wrong on files or devices, a resource manager that runs successfully as root might fail when run as non-root. One possible solution to this problem is to identify the paths that it fails to open and grant the resource manager access to them by adding ACLs.
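As an added example (not part of the original documentation), the following shell function turns a list of open() failures reported by a resource manager running as non-root into the setfacl commands that grant that user access. The failure-line format, the user name "devmgr", and the setfacl -m u:user:perms syntax are assumptions; only paths that failed with a permission error are included, since an ACL cannot fix a missing file.

```shell
# Constructed sample of open() failures a resource manager reported when run as
# user "devmgr" instead of root. Line format is assumed: "<path>: <strerror text>".
FAILURES='/dev/ser1: Permission denied
/dev/shmem/cfg: No such file or directory
/dev/ser1: Permission denied
/etc/devmgr/rules.conf: Permission denied'

# Emit one setfacl command per distinct path that failed with EACCES or EPERM.
# Other errors (e.g. ENOENT) are not ACL problems, so they are skipped.
# $1 = user to grant, $2 = permission set (e.g. rw), stdin = failure lines.
acl_fix_cmds() {
    user=$1
    perms=$2
    grep -E ': (Permission denied|Operation not permitted)$' |
        sed 's/: [^:]*$//' |
        sort -u |
        while IFS= read -r path; do
            printf 'setfacl -m u:%s:%s %s\n' "$user" "$perms" "$path"
        done
}

# Review the generated commands before piping them to sh as root.
printf '%s\n' "$FAILURES" | acl_fix_cmds devmgr rw
```

After applying the ACLs, re-run the resource manager as the non-root user and confirm the same paths no longer appear in its failures.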