diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index edfa54e..c651ee1 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -5,6 +5,13 @@ policy_module(vbetool, 1.5.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
 type vbetool_t;
 type vbetool_exec_t;
 init_system_domain(vbetool_t, vbetool_exec_t)
@@ -33,6 +40,10 @@ term_use_unallocated_ttys(vbetool_t)
 
 miscfiles_read_localization(vbetool_t)
 
+tunable_policy(`vbetool_mmap_zero_ignore',`
+	dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
 	hal_write_log(vbetool_t)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index c26662d..0440b4c 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -105,6 +105,10 @@ template(`wine_role_template',`
 
 	domain_mmap_low($1_wine_t)
 
+	tunable_policy(`wine_mmap_zero_ignore',`
+		dontaudit $1_wine_t self:memprotect mmap_zero;
+	')
+
 	optional_policy(`
 		xserver_role($1_r, $1_wine_t)
 	')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8af45db..ac19c40 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -5,6 +5,13 @@ policy_module(wine, 1.7.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
@@ -35,6 +42,10 @@ files_execmod_all_files(wine_t)
 
 userdom_use_user_terminals(wine_t)
 
+tunable_policy(`wine_mmap_zero_ignore',`
+	dontaudit wine_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_dbus_chat(wine_t)
 ')
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 41f36ed..aad8c52 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1361,25 +1361,53 @@ interface(`domain_entry_file_spec_domtrans',`
 
 ########################################
 ## <summary>
-##	Ability to mmap a low area of the address space,
-##	as configured by /proc/sys/kernel/mmap_min_addr.
+##	Ability to mmap a low area of the address
+##	space conditionally, as configured by
+##	/proc/sys/kernel/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`domain_mmap_low',`
 	gen_require(`
 		attribute mmap_low_domain_type;
+		bool mmap_low_allowed;
 	')
 
-	allow $1 self:memprotect mmap_zero;
+	typeattribute $1 mmap_low_domain_type;
+
+	if ( mmap_low_allowed ) {
+		allow $1 self:memprotect mmap_zero;
+	}
+')
+
+########################################
+## <summary>
+##	Ability to mmap a low area of the address
+##	space unconditionally, as configured
+##	by /proc/sys/kernel/mmap_min_addr.
+##	Preventing such mappings helps protect against
+##	exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low_uncond',`
+	gen_require(`
+		attribute mmap_low_domain_type;
+	')
 
 	typeattribute $1 mmap_low_domain_type;
+
+	allow $1 self:memprotect mmap_zero;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index aa02659..182a07f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -5,6 +5,14 @@ policy_module(domain, 1.8.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Control the ability to mmap a low area of the address space,
+##	as configured by /proc/sys/kernel/mmap_min_addr.
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
 # Mark process types as domains
 attribute domain;
 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8084740..7899188 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -681,8 +681,6 @@ dev_rw_xserver_misc(xserver_t)
 dev_rw_input_dev(xserver_t)
 dev_rwx_zero(xserver_t)
 
-domain_mmap_low(xserver_t)
-
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
 files_read_usr_files(xserver_t)
@@ -734,6 +732,7 @@ xserver_use_user_fonts(xserver_t)
 
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
+	domain_mmap_low_uncond(xserver_t)
 ')
 
 ifdef(`distro_rhel4',`