diff --git a/parser/libapparmor_re/policy_compat.cc b/parser/libapparmor_re/policy_compat.cc
index 58e11bad3..5e0e0ae83 100644
--- a/parser/libapparmor_re/policy_compat.cc
+++ b/parser/libapparmor_re/policy_compat.cc
@@ -182,6 +182,8 @@ struct aa_perms compute_perms_entry(uint32_t accept1, uint32_t accept2,
 	perms.prompt = dfa_user_allow(accept3);
 	perms.audit = dfa_user_audit(accept1, accept2);
 	perms.quiet = dfa_user_quiet(accept1, accept2);
+	if (accept1 & AA_COMPAT_CONT_MATCH)
+		perms.allow |= AA_CONT_MATCH;
 
 	/*
 	 * This mapping is convulated due to history.
diff --git a/parser/network.cc b/parser/network.cc
index f5ea79947..b53e24d1a 100644
--- a/parser/network.cc
+++ b/parser/network.cc
@@ -721,7 +721,7 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list &st
 	cond_perms = map_perms(perms);
 
 	if (!is_cmd && (label || is_peer))
-		cond_perms = (AA_CONT_MATCH << 1);
+		cond_perms = AA_COMPAT_CONT_MATCH;
 
 	for (auto &oss : streams) {
 		oss << "\\x00"; /* null transition */
diff --git a/parser/perms.h b/parser/perms.h
index ab92632eb..0d194d9a1 100644
--- a/parser/perms.h
+++ b/parser/perms.h
@@ -65,6 +65,9 @@
 #define AA_MAY_DELEGATE
 #define AA_CONT_MATCH 0x08000000
 
+// TODO: move into a reworked immunix.h that is dependent on perms.h
+#define AA_COMPAT_CONT_MATCH (AA_CONT_MATCH << 1)
+
 #define AA_MAY_STACK 0x10000000
 #define AA_MAY_ONEXEC 0x20000000 /* either stack or change_profile */
 #define AA_MAY_CHANGE_PROFILE 0x40000000
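Review bot: The new test `if (accept1 & AA_COMPAT_CONT_MATCH)` in compute_perms_entry reads a bit whose numeric value (0x10000000, per the perms.h hunk in this same patch) is identical to AA_MAY_STACK, and nothing at this point tells a reader which of the two meanings accept1 carries. A short comment would keep the aliasing from being mistaken for a bug: `/* compat accept1 encoding carries CONT_MATCH at AA_CONT_MATCH << 1 (the slot AA_MAY_STACK occupies in the aa_perms layout); translate it to the real AA_CONT_MATCH bit. */`. Whether dfa_user_allow()/dfa_user_audit() already mask bit 28 out of the compat word before it reaches perms.allow is not visible in this hunk; if they do not, a stack permission and a continue-match marker would be indistinguishable here, which is worth confirming against the compat encoding. compute_perms_entry continues beyond the end of the hunk.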
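Review bot: `#define AA_COMPAT_CONT_MATCH (AA_CONT_MATCH << 1)` evaluates to 0x10000000, the same value as `AA_MAY_STACK` three lines below it, and the header does not say that this collision is deliberate. The two hunks that use it (network.cc, policy_compat.cc) treat it as a bit position in the compat DFA accept-table word rather than as an aa_perms flag, so the definition should state that contract where future readers of perms.h will see it: `/* Position of CONT_MATCH in the compat accept1 encoding; NOT an aa_perms flag (it aliases AA_MAY_STACK) and must never be OR'd into perms.allow. */`. The existing TODO about relocating it to a reworked immunix.h is fine as is, but until that move happens the aliasing note is what prevents someone from "fixing" the apparent duplicate value.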