diff --git a/system_server.te b/system_server.te
index a8c3938ccfe423dc7dd6bee8284ba0b898c49c71..4ab42d6f539eb9b37a371293daa38947d51fa6b0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -103,9 +103,13 @@ allow system_server proc_sysrq:file rw_file_perms;
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
-# WifiWatchdog uses a packet_socket
+# The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms;
 
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms;