diff --git a/parser/parser.h b/parser/parser.h
index 4ee9a11b6..920ff0518 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -309,6 +309,8 @@ extern int kernel_supports_signal;
 extern int kernel_supports_ptrace;
 extern int kernel_supports_unix;
 extern int kernel_supports_stacking;
+extern int kernel_supports_domain_xattr;
+extern int kernel_supports_oob;
 extern int conf_verbose;
 extern int conf_quiet;
 extern int names_only;
diff --git a/parser/parser_common.c b/parser/parser_common.c
index 4d5d8141e..3e097959a 100644
--- a/parser/parser_common.c
+++ b/parser/parser_common.c
@@ -74,6 +74,8 @@ int kernel_supports_diff_encode = 0; /* kernel supports diff_encode */
 int kernel_supports_signal = 0; /* kernel supports signal rules */
 int kernel_supports_ptrace = 0; /* kernel supports ptrace rules */
 int kernel_supports_stacking = 0; /* kernel supports stacking */
+int kernel_supports_domain_xattr = 0; /* x attachment cond */
+int kernel_supports_oob = 0; /* out of band transitions */
 int conf_verbose = 0;
 int conf_quiet = 0;
 int names_only = 0;
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 2c763019d..a98c0a461 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -788,6 +788,10 @@ static void set_supported_features(aa_features *kernel_features unused)
 "policy/diff_encode");
 kernel_supports_stacking = aa_features_supports(compile_features,
 "domain/stack");
+ kernel_supports_domain_xattr = aa_features_supports(compile_features,
+ "domain/attach_conditions/xattr");
+ kernel_supports_oob = aa_features_supports(compile_features,
+ "policy/outofband");
 if (aa_features_supports(compile_features, "policy/versions/v7"))
 kernel_abi_version = 7;
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index f3bb8b403..6a087938c 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
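Review bot: The comment on the new `kernel_supports_domain_xattr` definition in parser_common.c, `/* x attachment cond */`, is terser than its neighbours and does not say what the flag gates, while every surrounding line follows the `/* kernel supports ... */` pattern. Suggest `/* kernel supports xattr attachment conditionals */` for the first flag and `/* kernel supports out of band transitions */` for `kernel_supports_oob`. The two flags are only ever tested together in the parser_regex.c hunk of this same change, which is worth a word in the comment so a later reader does not treat either one as sufficient on its own.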
@@ -457,6 +457,22 @@ char *get_xattr_value(struct cond_entry *entry)
 return entry->vals->value;
 }
+/* do we want to warn once/profile or just once per compile?? */
+static void warn_once_xattr(const char *name)
+{
+ static const char *warned_name = NULL;
+
+ if ((warnflags & WARN_RULE_DOWNGRADED) && warned_name != name) {
+ cerr << "Warning from profile " << name << " (";
+ if (current_filename)
+ cerr << current_filename;
+ else
+ cerr << "stdin";
+ cerr << ") xattr attachment conditional ignored\n";
+ warned_name = name;
+ }
+}
+
 static int process_profile_name_xmatch(Profile *prof)
 {
 std::string tbuf;
@@ -508,6 +524,12 @@ static int process_profile_name_xmatch(Profile *prof)
 }
 }
 if (prof->xattrs.list) {
+ if (!(kernel_supports_domain_xattr && kernel_supports_oob)) {
+ warn_once_xattr(name);
+ free_cond_entry_list(prof->xattrs);
+ goto build;
+ }
+
 for (entry = prof->xattrs.list; entry; entry = entry->next) {
 xattr_value = get_xattr_value(entry);
 if (!xattr_value)
@@ -529,6 +551,7 @@ static int process_profile_name_xmatch(Profile *prof)
 }
 }
 }
+build:
 prof->xmatch = rules->create_dfa(&prof->xmatch_size, &prof->xmatch_len, dfaflags);
 delete rules;
 if (!prof->xmatch)
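Review bot: `warned_name != name` in `warn_once_xattr` compares pointer identity, so the once-per-profile suppression depends on the lifetime of whatever `name` points to: if an earlier profile's name buffer is freed and the allocator hands the same address to the next profile, that profile's warning is dropped, and comparing against a pointer that may already have been freed is not well-defined. Since the file already uses `std::string` (see `std::string tbuf;` in the same hunk), a safer once-per-name check is `static std::string warned_name;` with `if ((warnflags & WARN_RULE_DOWNGRADED) && warned_name != name) { ... warned_name = name; }`, which also settles the open question in the comment above the function in favour of once per profile name. Where `name` is set inside `process_profile_name_xmatch` is outside the hunk, so whether it can be NULL is not visible here; assigning a null pointer to a `std::string` is undefined, so guard it first if NULL is possible.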
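Review bot: In the `if (!(kernel_supports_domain_xattr && kernel_supports_oob))` branch the xattr attachment conditional is discarded and the profile is built from the path match alone, and the only signal to the policy author is the warning, which is itself gated on `warnflags & WARN_RULE_DOWNGRADED`; with that flag unset the compiled policy attaches more broadly than written with no output at all. A comment at the `if` should make the downgrade explicit, e.g. `/* kernel cannot enforce xattr attachment conditionals: drop them and attach on the path match alone (reported under WARN_RULE_DOWNGRADED) */`. Also, if `free_cond_entry_list` does not reset `prof->xattrs.list` to NULL (its definition is outside this diff), the freed list stays reachable through `prof` after the `goto build`; confirm that it does, or clear the field here before jumping. The enclosing `process_profile_name_xmatch` starts and ends outside the hunk.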