diff --git a/usr.bin/su/su.1 b/usr.bin/su/su.1
index 472d5db3ba2..a3f2a2965fd 100644
--- a/usr.bin/su/su.1
+++ b/usr.bin/su/su.1
@@ -41,7 +41,7 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl
-.Op Fl flm
+.Op Fl flms
 .Op Fl c Ar class
 .Op Ar login Op Ar args
 .Sh DESCRIPTION
@@ -122,6 +122,14 @@
 and the caller's real uid is non-zero,
 .Nm
 will fail.
+.It Fl s
+Set the MAC label to the user's default label as part of the user
+credential setup.
+Setting the MAC label may fail if the MAC label of the invoking process
+isn't sufficient to transition to the user's default MAC label.
+If the label cannot be set,
+.Nm
+will fail.
 .It Fl c Ar class
 Use the settings of the specified login class.
 Only allowed for the super-user.
diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c
index 9191b87a42d..434b4c7b441 100644
--- a/usr.bin/su/su.c
+++ b/usr.bin/su/su.c
@@ -127,7 +127,7 @@ main(int argc, char *argv[])
 	} np;
 	uid_t ruid;
 	int asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
-	    statusp, child_pid, child_pgrp, ret_pid;
+	    statusp, child_pid, child_pgrp, ret_pid, setmaclabel;
 	char *username, *cleanenv, *class, shellbuf[MAXPATHLEN];
 	const char *p, *user, *shell, *mytty, **nargv;
 
@@ -137,8 +137,9 @@ main(int argc, char *argv[])
 	asme = asthem = fastlogin = statusp = 0;
 	user = "root";
 	iscsh = UNSET;
+	setmaclabel = 0;
 
-	while ((ch = getopt(argc, argv, "-flmc:")) != -1)
+	while ((ch = getopt(argc, argv, "-flmsc:")) != -1)
 		switch ((char)ch) {
 		case 'f':
 			fastlogin = 1;
@@ -152,6 +153,9 @@ main(int argc, char *argv[])
 			asme = 1;
 			asthem = 0;
 			break;
+		case 's':
+			setmaclabel = 1;
+			break;
 		case 'c':
 			class = optarg;
 			break;
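Review bot: The new flag is zeroed on a line of its own, `setmaclabel = 0;`, immediately below the existing default chain `asme = asthem = fastlogin = statusp = 0;`, so the option defaults now live in two places. Folding it into that chain, `asme = asthem = fastlogin = statusp = setmaclabel = 0;`, keeps every getopt-controlled flag initialised in one statement and makes a later reader less likely to miss one. The same applies to the declaration hunk above, where `setmaclabel` is appended to the long `int` list; a one-word trailing comment such as `/* -s: also set MAC label */` on the `case 's':` line would tie the flag to its effect, which is applied much further down in main and outside these hunks. main's body starts and ends outside this hunk.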
@@ -359,7 +363,13 @@ main(int argc, char *argv[])
 	 * Umask	Login records (wtmp, etc)	Path
 	 */
 	setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
-	    LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
+	    LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP |
+	    LOGIN_SETMAC);
+	/*
+	 * If -s is present, also set the MAC label.
+	 */
+	if (setmaclabel)
+		setwhat |= LOGIN_SETMAC;
 	/*
 	 * Don't touch resource/priority settings if -m has been used
 	 * or -l and -c hasn't, and we're not su'ing to root.
@@ -462,7 +472,7 @@ static void
 usage(void)
 {
 
-	fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
+	fprintf(stderr, "usage: su [-] [-flms] [-c class] [login [args]]\n");
 	exit(1);
 }
 
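Review bot: The comment block that ends with the table line `* Umask	Login records (wtmp, etc)	Path` enumerates what this `setwhat` mask deliberately leaves unset, but the hunk adds `LOGIN_SETMAC` to that exclusion mask without extending the table, so the comment and the mask now disagree; add `MAC label (only with -s)` to that line. The added comment says only that -s enables the label; it should also record the default-behaviour change it implies, since masking `LOGIN_SETMAC` out of `LOGIN_SETALL` means (assuming `LOGIN_SETALL` includes it, which this hunk does not show) that a plain `su` now keeps the invoking process's label where it previously transitioned, e.g. `/* Without -s the MAC label is not touched; the invoking process's label is inherited. */`. The `setusercontext()` call that consumes `setwhat`, and whatever handles its failure when the label transition is refused (the case the manual page documents), lie outside this hunk, as does the start of the comment block. main's body starts and ends outside this hunk.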