diff --git a/parser/af_rule.h b/parser/af_rule.h
index 3d9adeeee..bc06e6193 100644
--- a/parser/af_rule.h
+++ b/parser/af_rule.h
@@ -80,8 +80,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
-		int res = class_rule_t::cmp(rhs);
+		int res = perms_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		af_rule const &trhs = (rule_cast(rhs));
diff --git a/parser/dbus.h b/parser/dbus.h
index 71186f1e1..a273bffe5 100644
--- a/parser/dbus.h
+++ b/parser/dbus.h
@@ -65,8 +65,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
-		int res = class_rule_t::cmp(rhs);
+		int res = perms_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		dbus_rule const &trhs = (rule_cast(rhs));
diff --git a/parser/io_uring.h b/parser/io_uring.h
index b4d4d9fed..d363c5443 100644
--- a/parser/io_uring.h
+++ b/parser/io_uring.h
@@ -52,8 +52,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
-		int res = class_rule_t::cmp(rhs);
+		int res = perms_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		return null_strcmp(label,
diff --git a/parser/mount.cc b/parser/mount.cc
index 6c7d15a6a..5d9c6c974 100644
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -649,8 +649,7 @@ static int cmp_vec_int(std::vector const &lhs,
 }
 int mnt_rule::cmp(rule_t const &rhs) const
 {
-	/* use class_rule_t instead of perms_rule_t to merge perms */
-	int res = class_rule_t::cmp(rhs);
+	int res = perms_rule_t::cmp(rhs);
 	if (res != 0)
 		return res;
 	mnt_rule const &rhs_mnt = rule_cast(rhs);
diff --git a/parser/mqueue.h b/parser/mqueue.h
index f53289e8b..da5e414b8 100644
--- a/parser/mqueue.h
+++ b/parser/mqueue.h
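Review bot: The removed comment was the only hint inside af_rule::cmp that perms are left out of the ordering on purpose; after the change a reader has to open perms_rule_t::cmp in rule.h to learn that, so a one-liner such as `/* perms_rule_t::cmp skips perms so otherwise-equal rules can be merged */` above the call would keep the intent local. The same applies to the identical hunks in dbus.h, io_uring.h, mount.cc, mqueue.h, ptrace.h and signal.cc. The header hunks show is_mergeable() returning true, which the perms-blind ordering presumably relies on; the is_mergeable of mnt_rule and signal_rule is outside their hunks, so that is worth confirming for those two. Each cmp body continues past the end of its hunk.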
@@ -110,8 +110,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
-		int res = class_rule_t::cmp(rhs);
+		int res = perms_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		mqueue_rule const &trhs = rule_cast(rhs);
diff --git a/parser/ptrace.h b/parser/ptrace.h
index 10472930d..b129c5795 100644
--- a/parser/ptrace.h
+++ b/parser/ptrace.h
@@ -55,8 +55,7 @@ public:
 	virtual bool is_mergeable(void) { return true; }
 	virtual int cmp(rule_t const &rhs) const
 	{
-		/* use class_rule_t instead of perms_rule_t to merge perms */
-		int res = class_rule_t::cmp(rhs);
+		int res = perms_rule_t::cmp(rhs);
 		if (res)
 			return res;
 		return null_strcmp(peer_label,
diff --git a/parser/rule.h b/parser/rule.h
index 004ae312b..def3190ff 100644
--- a/parser/rule.h
+++ b/parser/rule.h
@@ -353,9 +353,48 @@ public:
 
 };
 
+/* same as perms_rule_t except enable rule merging instead of just dedup
+ * original permission set is saved off
+ */
 class perms_rule_t: public class_rule_t {
 public:
-	perms_rule_t(int c): class_rule_t(c), perms(0) { };
+	perms_rule_t(int c): class_rule_t(c), perms(0), saved(0) { };
+
+	virtual int cmp(rule_t const &rhs) const {
+		/* don't compare perms so they can be merged */
+		return class_rule_t::cmp(rhs);
+	}
+
+	virtual bool merge(rule_t &rhs)
+	{
+		int res = class_rule_t::merge(rhs);
+		if (!res)
+			return res;
+		if (!saved)
+			saved = perms;
+		perms |= (rule_cast(rhs)).perms;
+		return true;
+	};
+
+	/* defaut perms, override/mask off if none default used */
+	virtual ostream &dump(ostream &os) {
+		class_rule_t::dump(os);
+
+		if (saved)
+			os << "(0x" << hex << perms << "/orig " << saved << ") ";
+		else
+			os << "(0x" << hex << perms << ") ";
+
+		return os;
+	}
+
+	perms_t perms, saved;
+};
+
+// alternate perms rule class that only does dedup instead of perms merging
+class dedup_perms_rule_t: public class_rule_t {
+public:
+	dedup_perms_rule_t(int c): class_rule_t(c), perms(0) { };
 
 	virtual int cmp(rule_t const &rhs) const {
 		int res = class_rule_t::cmp(rhs);
@@ -364,24 +403,19 @@ public:
 		return perms - (rule_cast(rhs)).perms;
 	}
 
-	virtual bool merge(rule_t &rhs)
-	{
-		int res = class_rule_t::merge(rhs);
-		if (!res)
-			return res;
-		perms |= (rule_cast(rhs)).perms;
-		return true;
-	};
+	// inherit default merge which does dedup
 
 	/* defaut perms, override/mask off if none default used */
 	virtual ostream &dump(ostream &os) {
+		class_rule_t::dump(os);
+
 		os << "(0x" << hex << perms << ") ";
 		return os;
 	}
 
 	perms_t perms;
-
 };
 
+
 #endif /* __AA_RULE_H */
 
diff --git a/parser/signal.cc b/parser/signal.cc
index 07fbddb59..09e144ba0 100644
--- a/parser/signal.cc
+++ b/parser/signal.cc
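Review bot: perms_rule_t::cmp now returns 0 for two rules that differ only in perms, so a zero result means "mergeable" rather than "identical", and any caller that dedups on cmp()==0 without calling merge() would silently drop one rule's permissions; the one-line comment should state that contract, e.g. `/* perms deliberately not compared: cmp()==0 means the rules can be merged, not that they are equal, so callers must merge() rather than drop */`. Whether such a caller exists is not visible in this hunk. In merge(), `saved` doubles as the "already merged" flag, so a rule whose original perms were 0 never records an original and a second merge would store the already-widened set as the original; a separate bool would make the record reliable. In dump(), `saved` is streamed under the sticky `hex` manipulator but without the `0x` prefix the merged value gets, so `"/orig 0x" << saved` would keep the two consistent.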
@@ -249,8 +249,7 @@ static int cmp_set_int(Signals const &lhs, Signals const &rhs)
 
 int signal_rule::cmp(rule_t const &rhs) const
 {
-	/* use class_rule_t instead of perms_rule_t to merge perms */
-	int res = class_rule_t::cmp(rhs);
+	int res = perms_rule_t::cmp(rhs);
 	if (res)
 		return res;
 	signal_rule const &trhs = rule_cast(rhs);