--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700 +++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700 @@ -529,16 +529,19 @@ { SECMODModule *parent = NULL; PKIX_UInt32 actualMinorVersion = 0; PKIX_Error *pkixError = NULL; PRBool isReallyInitted; char *configStrings = NULL; char *configName = NULL; PRBool passwordRequired = PR_FALSE; +#ifdef POLICY_FILE + char *ignoreVar; +#endif /* if we are trying to init with a traditional NSS_Init call, maintain * the traditional idempotent behavior. */ if (!initContextPtr && nssIsInitted) { return SECSuccess; } /* make sure our lock and condition variable are initialized one and only @@ -678,32 +681,38 @@ dbpath = NULL; } if (dbpath) { nss_FindExternalRoot(dbpath, secmodName); } } } #ifdef POLICY_FILE - if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { + /* Load the system crypo policy file if it exists, + * unless the NSS_IGNORE_SYSTEM_POLICY environment + * variable has been set to 1. */ + ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); + if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) { + if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { SECMODModule *module = SECMOD_LoadModule( "name=\"Policy File\" " "parameters=\"configdir='sql:" POLICY_PATH "' " "secmod='" POLICY_FILE "' " "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", - parent, PR_TRUE); + parent, PR_TRUE); if (module) { PRBool isLoaded = module->loaded; SECMOD_DestroyModule(module); if (!isLoaded) { goto loser; } } } + } #endif pk11sdr_Init(); cert_CreateSubjectKeyIDHashTable(); pkixError = PKIX_Initialize (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
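Review bot: `ignoreVar` only receives the result of the environment lookup in the second hunk and is never written through or freed, so it can be declared `const char *ignoreVar;` to make clear that the caller does not own the string. Declaring it at the top of the function also needs a second `#ifdef POLICY_FILE` pair far from its single use. Opening a block inside the existing `#ifdef POLICY_FILE` section further down and declaring it there would keep the variable next to the check. The function's signature and the rest of its body are outside the hunk.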
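Review bot: The opt-out test `strncmp(ignoreVar, "1", strlen("1")) != 0` compares only the first character, so any value beginning with `1` (for example `10` or `1x`) skips loading the system policy, although the comment above it says only the value 1 does. For a switch that turns off the system crypto policy the match should be exact: `if (ignoreVar == NULL || strcmp(ignoreVar, "1") != 0) {`. Reading the variable through `PR_GetEnvSecure` is the security-relevant choice here and deserves a comment such as `/* PR_GetEnvSecure: do not honour the opt-out from the environment of a privilege-elevated process. */`; this assumes the usual NSPR behaviour of returning NULL in that case, which the hunk does not show. For ordinary processes the variable remains a per-process opt-out, so the comment should state that the policy file is a default and not an enforcement boundary. The comment also misspells `crypto` as `crypo`, and the wrapped `if (PR_Access(...))` block keeps its old indentation, so the added closing `}` sits level with the inner block's brace and hides the nesting; the enclosing function starts and ends outside the hunk.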