diff --git a/Changelog b/Changelog
index 3c16854..9cf3910 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Conditional mmap_zero support from Dominick Grift.
 - Added devtmpfs support.
 - Dbadm updates from KaiGai Kohei.
 - Virtio disk file context update from Mika Pfluger.
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index 8215138..2102bba 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -1,10 +1,17 @@
-policy_module(vbetool, 1.5.1)
+policy_module(vbetool, 1.5.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore vbetool mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
 type vbetool_t;
 type vbetool_exec_t;
 init_system_domain(vbetool_t, vbetool_exec_t)
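Review bot: The description `Ignore vbetool mmap_zero errors.` on the new tunable does not say what enabling it does. The rule it guards in the next hunk is a `dontaudit`, so the mmap_zero access stays denied and only the AVC record is suppressed. A denied low-address mapping is useful evidence when investigating attempted kernel null-dereference exploitation, so the text should make the trade-off explicit, e.g. `##	Do not audit denied attempts by vbetool to mmap low memory (mmap_zero); the access itself remains denied.` The same wording issue applies to the `wine_mmap_zero_ignore` description added in wine.te.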
@@ -36,6 +43,10 @@ term_use_unallocated_ttys(vbetool_t)
 
 miscfiles_read_localization(vbetool_t)
 
+tunable_policy(`vbetool_mmap_zero_ignore',`
+	dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
 	hal_write_log(vbetool_t)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 62e455a..f5a9673 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -116,6 +116,10 @@ template(`wine_role_template',`
 		dontaudit $1_wine_t self:memprotect mmap_zero;
 	')
 
+	tunable_policy(`wine_mmap_zero_ignore',`
+		dontaudit $1_wine_t self:memprotect mmap_zero;
+	')
+
 	optional_policy(`
 		xserver_role($1_r, $1_wine_t)
 	')
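Review bot: The added `tunable_policy` block on `wine_mmap_zero_ignore` appears to repeat the block immediately above it. The context lines show the same `dontaudit $1_wine_t self:memprotect mmap_zero;` rule, closed by `')`, just before the insertion point. The opening line of that earlier block is outside the hunk, so confirm which condition it uses; if it is the same tunable, drop the new block rather than carrying the rule twice in the template.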
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 6fe38a1..51e65e7 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.7.1)
+policy_module(wine, 1.7.2)
 
 ## <desc>
 ## <p>
@@ -13,6 +13,13 @@ gen_tunable(wine_mmap_zero_ignore, false)
 # Declarations
 #
 
+## <desc>
+## <p>
+##	Ignore wine mmap_zero errors.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
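Review bot: `gen_tunable(wine_mmap_zero_ignore, false)` is added under Declarations, but the hunk header shows the same `gen_tunable(wine_mmap_zero_ignore, false)` line already present earlier in the file, so the module would declare the boolean twice. I would expect the policy build to reject the second declaration; remove the added desc block and `gen_tunable` line and keep the existing one. The `tunable_policy` block added for `wine_t` in the following hunk is worth checking for the same duplication, since the rest of wine.te is not visible here.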
@@ -49,6 +56,10 @@ files_execmod_all_files(wine_t)
 
 userdom_use_user_terminals(wine_t)
 
+tunable_policy(`wine_mmap_zero_ignore',`
+	dontaudit wine_t self:memprotect mmap_zero;
+')
+
 optional_policy(`
 	hal_dbus_chat(wine_t)
 ')
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 3f2c4ad..09d4b31 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1361,23 +1361,53 @@ interface(`domain_entry_file_spec_domtrans',`
 
 ########################################
 ## <summary>
-##	Ability to mmap a low area of the address space,
-##	as configured by /proc/sys/kernel/mmap_min_addr.
+##	Ability to mmap a low area of the address
+##	space conditionally, as configured by
+##	/proc/sys/kernel/mmap_min_addr.
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
+## </param>
+#
+interface(`domain_mmap_low',`
+	gen_require(`
+		attribute mmap_low_domain_type;
+		bool mmap_low_allowed;
+	')
+
+	typeattribute $1 mmap_low_domain_type;
+
+	if ( mmap_low_allowed ) {
+		allow $1 self:memprotect mmap_zero;
+	}
+')
+
+########################################
+## <summary>
+##	Ability to mmap a low area of the address
+##	space unconditionally, as configured
+##	by /proc/sys/kernel/mmap_min_addr.
+##	Preventing such mappings helps protect against
+##	exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
 ## </param>
 #
-interface(`domain_mmap_low_type',`
+interface(`domain_mmap_low_uncond',`
 	gen_require(`
 		attribute mmap_low_domain_type;
 	')
 
 	typeattribute $1 mmap_low_domain_type;
+
+	allow $1 self:memprotect mmap_zero;
 ')
 
 ########################################
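Review bot: The summary of the new `domain_mmap_low` says the access is granted "conditionally" but never names the condition, so a caller cannot tell that the `allow` is gated on the `mmap_low_allowed` boolean, which domain.te declares as false by default. I would add a line such as `##	The access is only granted while the mmap_low_allowed boolean is enabled.` The domain.te description of `mmap_low_allowed` should in turn state that domains using `domain_mmap_low_uncond` are not affected by it, so an administrator does not read "false" as blocking all low mappings. The conditional is also written as a raw `if ( mmap_low_allowed ) { ... }` where the other modules in this change use `tunable_policy`; using the macro here would keep the style consistent.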
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index b9c5804..ae62211 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,4 +1,4 @@
-policy_module(domain, 1.8.0)
+policy_module(domain, 1.8.1)
 
 ########################################
 #
@@ -20,6 +20,14 @@ gen_tunable(allow_domain_fd_use, true)
 #
 gen_tunable(domain_kernel_load_modules, false)
 
+## <desc>
+## <p>
+##	Control the ability to mmap a low area of the address space,
+##	as configured by /proc/sys/kernel/mmap_min_addr.
+## </p>
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
 # Mark process types as domains
 attribute domain;
 
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index d676187..46e9859 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -718,6 +718,26 @@ interface(`kernel_rw_debugfs',`
 
 ########################################
 ## <summary>
+##	Manage information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	manage_files_pattern($1, debugfs_t, debugfs_t)
+	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+	list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+## <summary>
 ##	Mount a kernel VM filesystem.
 ## </summary>
 ## <param name="domain">
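Review bot: The summary `Manage information from the debugging filesystem.` is vaguer than what `kernel_manage_debugfs` grants. `manage_files_pattern` applies only to files, while symlinks are only readable and directories only listable through the other two patterns. A more precise summary would be `##	Create, read, write, and delete files on debugfs; list its directories and read its symbolic links.` That also makes the difference from `kernel_rw_debugfs` visible to callers choosing between the two.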
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4b4ddc3..50b4a08 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.4.1)
+policy_module(xserver, 3.4.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -1031,6 +1031,7 @@ xserver_use_user_fonts(xserver_t)
 
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
+	domain_mmap_low_uncond(xserver_t)
 ')
 
 ifdef(`distro_rhel4',`
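Review bot: `domain_mmap_low_uncond(xserver_t)` gives the X server mmap_zero on every non-Red Hat build regardless of the new `mmap_low_allowed` boolean, alongside `execmem execheap execstack` on the same domain. Administrators then cannot withdraw low-address mappings from xserver_t without rebuilding the policy. If the server can tolerate the access being switchable, `domain_mmap_low(xserver_t)` would honour the boolean. Otherwise add a comment above the call recording why the unconditional form is required.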
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 2639086..a2f7102 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -81,7 +81,7 @@ kernel_unmount_unlabeled(mount_t)
 kernel_read_system_state(mount_t)
 kernel_read_network_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
-kernel_rw_debugfs(mount_t)
+kernel_manage_debugfs(mount_t)
 kernel_setsched(mount_t)
 kernel_use_fds(mount_t)
 kernel_request_load_module(mount_t)
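Review bot: Switching `mount_t` from `kernel_rw_debugfs` to `kernel_manage_debugfs` widens it from read/write to the full manage set on debugfs_t files. The Changelog entry in this patch mentions only mmap_zero, so nothing explains why mount needs the wider access. Add a short comment on the line stating which mount operation required it, or keep `kernel_rw_debugfs(mount_t)` if none is known.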
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index bdb4c7b..b3da05d 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -45,7 +45,7 @@ interface(`unconfined_domain_noaudit',`
 	fs_unconfined($1)
 	selinux_unconfined($1)
 
-	domain_mmap_low_type($1)
+	domain_mmap_low($1)
 
 	mls_file_read_all_levels($1)