diff --git a/Changelog b/Changelog
index d53c468..0e09011 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Memprotect support patch from Stephen Smalley.
 - Add logging_send_audit_msgs() interface and deprecate
   send_audit_msgs_pattern().
 - Openct updates patch from Dan Walsh.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index d45ad96..edbc454 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -648,3 +648,8 @@ inherits socket
 	node_bind
 	name_connect
 }
+
+class memprotect
+{
+	mmap_zero
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index ff96cf1..c681855 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -97,4 +97,6 @@ class context			# userspace
 
 class dccp_socket
 
+class memprotect
+
 # FLASK
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 4228a0e..a8a12f7 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1254,3 +1254,26 @@ interface(`domain_unconfined',`
 	typeattribute $1 can_change_object_identity;
 	typeattribute $1 set_curr_context;
 ')
+
+########################################
+## <summary>
+##	Ability to mmap a low area of the address space,
+##      as configured by /proc/sys/kernel/mmap_min_addr.
+##      Preventing such mappings helps protect against
+##      exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to mmap low memory.
+##	</summary>
+## </param>
+#
+interface(`domain_mmap_low',`
+	gen_require(`
+		attribute mmap_low_domain_type;
+	')
+
+	allow $1 self:memprotect mmap_zero;
+
+	typeattribute $1 mmap_low_domain_type;
+')
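Review bot: The summary of `domain_mmap_low` points readers at `/proc/sys/kernel/mmap_min_addr`, but the mmap_min_addr sysctl is exposed in the vm table, so the path should read `/proc/sys/vm/mmap_min_addr`. The three continuation lines of the summary are indented with spaces, while the first line uses a tab after `##`; they should match it. Because this interface grants an exemption from a kernel hardening control, the summary could also tell policy writers to keep its use narrow, for example `##	Grant only to domains that must map below mmap_min_addr.`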
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index da92f37..574322e 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
 
-policy_module(domain,1.3.0)
+policy_module(domain,1.3.1)
 
 ########################################
 #
@@ -15,6 +15,10 @@ neverallow domain ~domain:process { transition dyntransition };
 # Domains that are unconfined
 attribute unconfined_domain_type;
 
+# Domains that can mmap low memory.
+attribute mmap_low_domain_type;
+neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+
 # Domains that can set their current context
 # (perform dynamic transitions)
 attribute set_curr_context;
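Review bot: The comment above `mmap_low_domain_type` describes the attribute but says nothing about the `neverallow` that follows, which is the line that actually enforces the restriction. A comment such as `# Only domains added through domain_mmap_low() may hold memprotect mmap_zero; any other allow rule fails the policy build.` would tell maintainers that the interface is the single sanctioned path. It is also worth confirming that no existing rule outside this hunk (for instance, broad self rules given to unconfined domains) already covers the new class, since it would now trip this assertion.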