diff --git a/parser/io_uring.cc b/parser/io_uring.cc
index 17fa39614..60b8c2579 100644
--- a/parser/io_uring.cc
+++ b/parser/io_uring.cc
@@ -127,6 +127,13 @@ int io_uring_rule::gen_policy_re(Profile &prof)
 			audit == AUDIT_FORCE ? perms : 0, parseopts))
 		goto fail;
+	/* add a mediates_io_uring rule for every rule added. It
+	 * needs to be the same priority
+	 */
+	if (!prof.policy.rules->add_rule(buf.c_str(), priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+		goto fail;
 	if (perms & AA_IO_URING_OVERRIDE_CREDS) {
 		buf = buffer.str(); /* update buf to have label */
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 71126c5f9..7810458d5 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -1097,6 +1097,17 @@ static const char *deny_file = ".*";
  */
 static int mediates_priority = INT_MAX;
+/* some rule types unfortunately encoded permissions on the class byte
+ * to fix the above bug, they need a different solution. The generic
+ * mediates rule will get encoded at the minimum priority, and then
+ * for every rule of those classes a mediates rule of the same priority
+ * will be added. This way the mediates rule never has higher priority,
+ * which would wipe out the rule permissions encoded on the class state,
+ * and it is guaranteed to have the same priority as the highest priority
+ * rule.
+ */
+static int perms_onclass_mediates_priority = INT_MIN;
+
 int process_profile_policydb(Profile *prof)
 {
 	int error = -1;
@@ -1112,7 +1123,7 @@ int process_profile_policydb(Profile *prof)
 	 * to be supported
 	 */
 	if (features_supports_userns &&
-	    !prof->policy.rules->add_rule(mediates_ns, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+	    !prof->policy.rules->add_rule(mediates_ns, perms_onclass_mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
 		goto out;
 	/* don't add mediated classes to unconfined profiles */
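Review bot: The companion mediates rule is added as RULE_ALLOW with AA_MAY_READ regardless of the originating rule's `rule_mode`, and the new comment does not say whether that is intended when the originating rule is a deny rule. Since this rule exists only to mark the class as mediated at the same priority as the rule whose permissions live on the class state, one sentence in the comment explaining why the mode of the originating rule does not matter (or a guard if it does) would save the next reader from re-deriving it, e.g. `/* the mediates marker is always an allow of AA_MAY_READ on the class state; rule_mode of the originating rule is presumably irrelevant because both are merged at the same priority — TODO confirm for deny rules */`. The same three-line comment and add_rule call are repeated verbatim in userns.cc's hunk; a small shared helper taking the class prefix and priority would keep the two in sync. gen_policy_re starts and ends outside the hunk, so whether this add_rule is reached for every io_uring rule is not visible here.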
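Review bot: `perms_onclass_mediates_priority` is set to INT_MIN, and the new comment does not state the assumption that nothing downstream derives a priority by offsetting from it or treats INT_MIN as a sentinel; if add_rule or the priority handling it feeds ever does arithmetic on the priority, this is the value that underflows, so pin the contract with something like `/* INT_MIN: strictly lower than any user-assignable priority; must only be compared, never offset */`. The first sentence of the comment also reads as a run-on ("encoded permissions on the class byte to fix the above bug"); splitting it — `some rule types unfortunately encode permissions on the class byte. To fix the above bug they need a different solution.` — makes the cause and the remedy distinct. The value is never reassigned in the visible hunks, so `static const int` would express that, though `mediates_priority` just above follows the same non-const style.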
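Review bot: Which classes get `perms_onclass_mediates_priority` instead of `mediates_priority` is decided on this line, but it only works together with the per-rule mediates insertion in that class's gen_policy_re (io_uring.cc and userns.cc in this commit); nothing in the code ties the two sides together, so a class switched to the low priority without the per-rule companion would presumably have its mediates marker overridden by any higher-priority rule on the class state. A one-line comment on this call and on the `mediates_io_uring` call in the 1148 hunk, e.g. `/* low priority: userns_rule::gen_policy_re adds a same-priority mediates rule per rule */`, names the counterpart so future classes follow the pattern. The surrounding function continues outside the hunk.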
@@ -1148,7 +1159,7 @@ int process_profile_policydb(Profile *prof)
 	    !prof->policy.rules->add_rule(mediates_sysv_mqueue, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
 		goto out;
 	if (features_supports_io_uring &&
-	    !prof->policy.rules->add_rule(mediates_io_uring, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+	    !prof->policy.rules->add_rule(mediates_io_uring, perms_onclass_mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
 		goto out;
 	}
diff --git a/parser/userns.cc b/parser/userns.cc
index c66ce062e..a2cd9e8eb 100644
--- a/parser/userns.cc
+++ b/parser/userns.cc
@@ -99,6 +99,14 @@ int userns_rule::gen_policy_re(Profile &prof)
 				rule_mode, perms, audit == AUDIT_FORCE ? perms : 0, parseopts))
+
+			goto fail;
+		/* add a mediates_userns rule for every rule added. It
+		 * needs to be the same priority
+		 */
+		if (!prof.policy.rules->add_rule(buf.c_str(), priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
 			goto fail;
 	}
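Review bot: The new side appears to insert an empty line between `parseopts))` and the `goto fail;` that belongs to the first add_rule (the bare added `+` line directly after the condition), which detaches the goto from its `if` and reads as an accidental edit; the blank should be dropped so the body follows the condition as it does in io_uring.cc. The added mediates rule otherwise mirrors io_uring.cc's hunk, including the unconditional RULE_ALLOW regardless of `rule_mode`, so the documentation note raised there applies here as well. The enclosing `if` block and gen_policy_re begin before the hunk.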