diff --git a/parser/immunix.h b/parser/immunix.h
index ab8a2b5e3..3c27d71ea 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -59,6 +59,8 @@
 
 #define AA_USER_PTRACE (1 << 28)
 #define AA_OTHER_PTRACE (1 << 29)
+#define AA_PTRACE_PERMS (AA_USER_PTRACE | AA_OTHER_PTRACE)
+
 #define AA_CHANGE_HAT (1 << 30)
 #define AA_CHANGE_PROFILE (1 << 31)
 #define AA_SHARED_PERMS (AA_CHANGE_HAT | AA_CHANGE_PROFILE)
@@ -81,7 +83,8 @@
 #define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_2)
 #define AA_EXEC_LOCAL (AA_EXEC_MOD_2 | AA_EXEC_MOD_0)
 
-#define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_PROFILE)
+#define AA_VALID_PERMS (AA_FILE_PERMS | AA_PTRACE_PERMS | \
+ AA_OTHER_PERMS)
 
 #define AA_USER_EXEC (AA_MAY_EXEC << AA_USER_SHIFT)
 #define AA_OTHER_EXEC (AA_MAY_EXEC << AA_OTHER_SHIFT)
diff --git a/parser/parser_merge.c b/parser/parser_merge.c
index cd871ba81..4b5239106 100644
--- a/parser/parser_merge.c
+++ b/parser/parser_merge.c
@@ -67,6 +67,12 @@ static int file_comp(const void *c1, const void *c2)
 if ((*e1)->deny != (*e2)->deny)
 return (*e1)->deny < (*e2)->deny ? -1 : 1;
 
+ /* rules with ptrace and change_profile can only merge with
+ * rules with exact same perm */
+ if (((*e1)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)) !=
+ ((*e2)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)))
+ return 1;
+
 return strcmp((*e1)->name, (*e2)->name);
 }
 
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 52d4c5722..a13b35003 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -503,6 +503,8 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 AA_EXEC_INHERIT)
 entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
 
+ /* relying on ptrace and change_profile not getting merged earlier */
+
 /* the link bit on the first pair entry should not get masked
 * out by a deny rule, as both pieces of the link pair must
 * match. audit info for the link is carried on the second 
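Review bot: The rewritten AA_VALID_PERMS in the second immunix.h hunk no longer names AA_CHANGE_PROFILE, which the removed definition did include; unless AA_OTHER_PERMS (defined outside this diff) already covers that bit, any code that validates or masks a rule's mode against AA_VALID_PERMS would now reject change_profile rules. If AA_OTHER_PERMS is meant to carry it, a comment on the define saying so would help; otherwise `#define AA_VALID_PERMS (AA_FILE_PERMS | AA_PTRACE_PERMS | \` / ` AA_OTHER_PERMS | AA_CHANGE_PROFILE)` keeps the old coverage. How AA_VALID_PERMS is consumed is not visible here, so this is worth confirming against its users.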
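Review bot: The new guard in file_comp() returns 1 whichever side carries the ptrace/change_profile bits, so comp(a, b) and comp(b, a) both answer 1 for such a pair. The signature (two const void * arguments) and the -1/1 convention used for deny just above suggest this is a qsort() comparator, and the standard gives no guarantee for sorting with an inconsistent ordering: same-name entries can end up non-adjacent and the merge pass would then silently skip rules it should combine, which in a policy compiler changes what gets enforced. Ordering the masked values keeps unequal perms apart while staying antisymmetric: `return ((*e1)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)) <` / `       ((*e2)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)) ? -1 : 1;`; hoisting the two masked values into locals would avoid repeating the expression. The declarations of e1/e2 and the start of file_comp() lie outside the hunk.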
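Review bot: The comment added in the first parser_regex.c hunk states an invariant without saying what depends on it or where it is enforced, so a later change to the merge pass would give no hint that it breaks process_dfa_entry(); the blank line after it also detaches it from any code. Suggest naming the dependency explicitly, e.g. `/* ptrace and change_profile rules must not have been merged with rules carrying different perms; file_comp() in parser_merge.c keeps them apart */`, and placing it directly above the first statement that relies on it. process_dfa_entry() starts before and continues after this hunk.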
@@ -518,6 +520,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 entry->audit))
 return FALSE;
 }
+
 if (entry->mode & (AA_LINK_BITS)) {
 /* add the pair rule */
 char lbuf[PATH_MAX + 8];
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index e4efd8954..ca63d200b 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -481,9 +481,9 @@ rules: rules opt_audit_flag opt_owner_flag TOK_OPEN rules TOK_CLOSE
 yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
 }
 if ($3 == 1)
- entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
+ entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
 else if ($3 == 2)
- entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
+ entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
 if ($2 && !entry->deny)
 entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE;