diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index a7abcfcb6e..3336776b96 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -12,7 +12,7 @@ dev-util/perf tui -doc
dev-vcs/git webdav curl bash-completion
# We don't want any driver/hw rendering on the host
net-misc/curl kerberos threads telnet
-net-misc/iputils arping tracepath traceroute
+net-misc/iputils arping tracepath traceroute6
sys-devel/gettext -git
app-emulation/qemu aio caps curl -doc ncurses png python threads uuid vhost-net virtfs vnc -xkb -slirp -jpeg qemu_softmmu_targets_x86_64 qemu_softmmu_targets_aarch64
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
new file mode 100644
index 0000000000..e6a31f6630
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
@@ -0,0 +1,19 @@
+diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te
+--- refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:28:26.850809330 -0000
++++ refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:29:50.323880882 -0000
+@@ -117,6 +117,7 @@
+ corenet_raw_sendrecv_generic_node(ping_t)
+ corenet_tcp_sendrecv_generic_node(ping_t)
+ corenet_raw_bind_generic_node(ping_t)
++corenet_icmp_bind_generic_node(ping_t)
+
+ dev_read_urand(ping_t)
+
+@@ -189,6 +190,7 @@
+ corenet_tcp_connect_all_ports(traceroute_t)
+ corenet_sendrecv_all_client_packets(traceroute_t)
+ corenet_sendrecv_traceroute_server_packets(traceroute_t)
++corenet_icmp_bind_generic_node(traceroute_t)
+
+ dev_read_rand(traceroute_t)
+ dev_read_urand(traceroute_t)
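Review bot: Both added calls to `corenet_icmp_bind_generic_node` (for `ping_t` and `traceroute_t`) depend on an interface that this same commit introduces through selinux-base's `icmp-bind.patch`, yet both ebuilds stay at `2.20200818-r2`. Without a revision bump, a previously built or cached selinux-base would presumably lack the interface, so the policy build could fail or the rule might not reach the image. Bumping both ebuilds to a new revision would make the ordering explicit, as would a dependency on the bumped selinux-base if one is not already pinned outside this view. The grant itself is narrow, `node_bind` on `node_t` only, which mirrors the existing `corenet_raw_bind_generic_node(ping_t)` line.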
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
index 0c920e702e..cd986fdb29 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
@@ -43,6 +43,8 @@ PATCHES=(
# to fail if SELinux is enforced in early boot.
# It can be removed once we drop torcx support.
"${FILESDIR}/unlabeled.patch"
+ # This is to allow pings from some IP address.
+ "${FILESDIR}/ping.patch"
)
# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
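Review bot: The added comment `# This is to allow pings from some IP address.` does not tell an auditor what the patch actually grants. A comment such as `# Let ping_t and traceroute_t node_bind ICMP sockets to generic nodes (node_t); relies on corenet_icmp_bind_generic_node from selinux-base's icmp-bind.patch.` names the domains, the permission and the cross-package dependency. If the trigger is binding ping to a chosen source address, as the current wording seems to hint, stating that would help decide later whether the rule can be dropped. The `PATCHES` array begins above this hunk.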
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
new file mode 100644
index 0000000000..a2d653caf2
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
@@ -0,0 +1,40 @@
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
+--- refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
++++ refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
+@@ -879,6 +879,24 @@
+
+ ########################################
+ ##
++## Bind ICMP sockets to generic nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_icmp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:icmp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic nodes.
+ ##
+ ##
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
+--- refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
++++ refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
+@@ -373,7 +373,7 @@
+
+ # Bind to any network address.
+ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
++allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+
+ # Infiniband
+ corenet_ib_access_all_pkeys(corenet_unconfined_type)
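Review bot: `icmp-bind.patch` starts directly at the `diff -u -r` line with no description, although it both defines a new interface and widens `corenet_unconfined_type` to `node_bind` on `icmp_socket` for every `node_type`. A short header before the first `diff` line would help, e.g. `Add corenet_icmp_bind_generic_node() and let corenet_unconfined_type node_bind icmp_socket, matching the tcp/udp/rawip/sctp classes. Upstream status: <fill in>.` It would show a reviewer that the second change only aligns unconfined domains with the other socket classes, and it marks the patch for removal on the next refpolicy bump. The inner diffs also use `refpolicy2/` as the new-side directory while `ping.patch` uses `refpolicy/` on both sides; this is harmless if patches are applied with one path component stripped, but keeping it uniform is cleaner.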
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
index 63859fde4d..50935ad704 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild
@@ -43,6 +43,7 @@ BDEPEND="sys-devel/m4
PATCHES=(
"${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
"${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
+ "${FILESDIR}"/icmp-bind.patch
)
S=${WORKDIR}/