diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 45f7f3ec6..96f377ad8 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -522,9 +522,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	 * out by a deny rule, as both pieces of the link pair must
 	 * match. audit info for the link is carried on the second
 	 * entry of the pair
+	 *
+	 * So if a deny rule only record it if there are permissions other
+	 * than link in the entry.
+	 * TODO: split link and change_profile entries earlier
 	 */
-	if (entry->deny && (entry->mode & AA_LINK_BITS)) {
-		if (!dfarules->add_rule(tbuf.c_str(), entry->deny,
+	if (entry->deny) {
+		if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) &&
+		    !dfarules->add_rule(tbuf.c_str(), entry->deny,
 				       entry->mode & ~AA_LINK_BITS,
 				       entry->audit & ~AA_LINK_BITS, dfaflags))
 			return FALSE;
diff --git a/parser/tst/simple_tests/file/ok_audit_deny_link.sd b/parser/tst/simple_tests/file/ok_audit_deny_link.sd
new file mode 100644
index 000000000..393f9069d
--- /dev/null
+++ b/parser/tst/simple_tests/file/ok_audit_deny_link.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+profile test {
+	audit deny link /alpha/beta -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/ok_deny_link.sd b/parser/tst/simple_tests/file/ok_deny_link.sd
new file mode 100644
index 000000000..fe0684c04
--- /dev/null
+++ b/parser/tst/simple_tests/file/ok_deny_link.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+profile test {
+	deny link /alpha/beta -> /tmp/**,
+}
+
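Review bot: The guard on the new `if` masks out `AA_CHANGE_PROFILE`, but the mode handed to `add_rule` on the following line is still only `entry->mode & ~AA_LINK_BITS`, so a deny entry carrying change_profile together with another permission records the change_profile bit here, while a deny entry carrying change_profile alone now never reaches `add_rule` in this branch at all. If change_profile deny entries are recorded on another path that is fine, but nothing in the hunk shows it and the TODO says the split has not happened yet; either make the two masks agree (`entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)` in the call) or state in the comment where a change_profile-only deny entry is recorded. The added comment also reads awkwardly; I would phrase it `For a deny rule, only record it here if the entry carries permissions other than link (or change_profile); the link part is carried on the second entry of the pair, as noted above.` process_dfa_entry begins before the hunk and the `if`/`else` it opens continues past the hunk's last line, so the non-deny path and any change_profile handling are not visible here.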
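Review bot: Both new test files carry the identical `#=DESCRIPTION simple link access test`, which says nothing about what they exercise or how they differ from each other; since they cover the deny path the parser change fixes, the description should say so. I would use `#=DESCRIPTION audit deny link rule carrying no other permissions` here and `#=DESCRIPTION deny link rule carrying no other permissions` in the ok_deny_link.sd hunk.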