diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c
index ce7dc9d98fb1..ed4b34b88e38 100644
--- a/security/apparmor/af_unix.c
+++ b/security/apparmor/af_unix.c
@@ -197,7 +197,7 @@ static int profile_create_perm(struct aa_profile *profile, int family,
 	AA_BUG(!profile);
 	AA_BUG(profile_unconfined(profile));
 
-	state = RULE_MEDIATES_NET(rules);
+	state = RULE_MEDIATES_v9NET(rules);
 	if (state) {
 		state = aa_match_to_prot(rules->policy, state, AA_MAY_CREATE,
 					 PF_UNIX, type, protocol, NULL,
@@ -226,7 +226,7 @@ static int profile_sk_perm(struct aa_profile *profile,
 	AA_BUG(is_unix_fs(sk));
 	AA_BUG(profile_unconfined(profile));
 
-	state = RULE_MEDIATES_NET(rules);
+	state = RULE_MEDIATES_v9NET(rules);
 	if (state) {
 		state = match_to_sk(rules->policy, state, request, unix_sk(sk),
 				    &p, &ad->info);
@@ -251,7 +251,7 @@ static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
 	AA_BUG(!ad);
 	AA_BUG(profile_unconfined(profile));
 
-	state = RULE_MEDIATES_NET(rules);
+	state = RULE_MEDIATES_v9NET(rules);
 	if (state) {
 		/* bind for abstract socket */
 		state = match_to_local(rules->policy, state, AA_MAY_BIND,
@@ -281,7 +281,7 @@ static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,
 	AA_BUG(!ad);
 	AA_BUG(profile_unconfined(profile));
 
-	state = RULE_MEDIATES_NET(rules);
+	state = RULE_MEDIATES_v9NET(rules);
 	if (state) {
 		__be16 b = cpu_to_be16(backlog);
 
@@ -315,7 +315,7 @@ static int profile_accept_perm(struct aa_profile *profile,
 	AA_BUG(!ad);
 	AA_BUG(profile_unconfined(profile));
 
-	state = RULE_MEDIATES_NET(rules);
+	state = RULE_MEDIATES_v9NET(rules);
 	if (state) {
 		state = match_to_sk(rules->policy, state, AA_MAY_ACCEPT,
 				    unix_sk(sk), &p, &ad->info);
@@ -342,7 +342,7 @@ static int profile_opt_perm(struct aa_profile *profile, u32 request,
 	AA_BUG(!ad);
 	AA_BUG(profile_unconfined(profile));
 
-	state = RULE_MEDIATES_NET(rules);
+	state = RULE_MEDIATES_v9NET(rules);
 	if (state) {
 		__be16 b = cpu_to_be16(optname);
 
@@ -379,7 +379,7 @@ static int profile_peer_perm(struct aa_profile *profile, u32 request,
 	AA_BUG(!ad);
 	AA_BUG(is_unix_fs(peer_sk)); /* currently always calls unix_fs_perm */
 
-	state = RULE_MEDIATES_NET(rules);
+	state = RULE_MEDIATES_v9NET(rules);
 	if (state) {
 		struct aa_sk_ctx *peer_ctx = aa_sock(peer_sk);
 		struct aa_profile *peerp;
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 45afd585b52b..c5c756dda5cf 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2414,7 +2414,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
 	AA_SFS_DIR("domain",			aa_sfs_entry_domain),
 	AA_SFS_DIR("file",			aa_sfs_entry_file),
 	AA_SFS_DIR("network_v8",		aa_sfs_entry_network),
-	AA_SFS_DIR("network",		aa_sfs_entry_networkv9),
+	AA_SFS_DIR("network_v9",		aa_sfs_entry_networkv9),
 	AA_SFS_DIR("mount",			aa_sfs_entry_mount),
 	AA_SFS_DIR("namespaces",		aa_sfs_entry_ns),
 	AA_SFS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index d918b5dc6f59..85f89814af1e 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -228,7 +228,7 @@ int __aa_path_perm(const char *op, const struct cred *subj_cred,
 	int e = 0;
 
 	if (profile_unconfined(profile) ||
-	    ((flags & PATH_SOCK_COND) && !RULE_MEDIATES_NET(rules)))
+	    ((flags & PATH_SOCK_COND) && !RULE_MEDIATES_v9NET(rules)))
 		return 0;
 	aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE],
 		     name, cond, perms);
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 5128c5414f04..a6ddf3b7478e 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -304,11 +304,27 @@ static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules,
 					rules->policy->start[0], &class, 1);
 }
 
+static inline aa_state_t RULE_MEDIATES_v9NET(struct aa_ruleset *rules)
+{
+	return RULE_MEDIATES(rules, AA_CLASS_NETV9);
+}
+
 static inline aa_state_t RULE_MEDIATES_NET(struct aa_ruleset *rules)
 {
-	return RULE_MEDIATES(rules, AA_CLASS_NET);
+	/* can not use RULE_MEDIATE_v9AF here, because AF match fail
+	 * can not be distiguished from class match fail, and we only
+	 * fallback to checking older class on class match failure
+	 */
+	aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NETV9);
+
+	/* fallback and check v7/8 if v9 is NOT mediated */
+	if (!state)
+		state = RULE_MEDIATES(rules, AA_CLASS_NET);
+
+	return state;
 }
 
+
 static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head,
 					   unsigned char class)
 {