diff --git a/private/system_server.te b/private/system_server.te
index e183606d75096ce13ef594da318825a05e16b854..46fb5918246788ab695ff4ce40d3725d3958e600 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -150,10 +150,6 @@ allow system_server stats_data_file:file unlink;
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms_no_ioctl;
 
diff --git a/public/net.te b/public/net.te
index 5867d67f54a292d6ecb61324e8880224511f71da..afa2a9c8ce0a75529bfeb52dc6457151a15a3826 100644
--- a/public/net.te
+++ b/public/net.te
@@ -14,7 +14,7 @@ allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
 allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
 allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.