diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index f4a1598483c..b6983e39c0e 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -121,6 +121,9 @@ int mac_externalize_pipe_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen);
 int	mac_internalize_pipe_label(struct label *label, char *string);
+int	mac_socket_label_set(struct ucred *cred, struct socket *so,
+	    struct label *label);
+
 int	mac_externalize_vnode_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen);
 int	mac_internalize_vnode_label(struct label *label, char *string);
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 4c040c8aaff..183e79c3562 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -885,6 +885,20 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
 	return (0);
 }
 
+int
+mac_socket_label_set(struct ucred *cred, struct socket *so,
+    struct label *label)
+{
+	int error;
+
+	error = mac_check_socket_relabel(cred, so, label);
+	if (error)
+		return (error);
+
+	mac_relabel_socket(cred, so, label);
+	return (0);
+}
+
 int
 mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
 {
@@ -906,21 +920,15 @@ mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
 	intlabel = mac_socket_label_alloc(M_WAITOK);
 	error = mac_internalize_socket_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
-	if (error) {
-		mac_socket_label_free(intlabel);
-		return (error);
-	}
-
-	mac_check_socket_relabel(cred, so, intlabel);
-	if (error) {
-		mac_socket_label_free(intlabel);
-		return (error);
-	}
-
-	mac_relabel_socket(cred, so, intlabel);
+	if (error)
+		goto out;
+	/* XXX: Socket lock here. */
+	error = mac_socket_label_set(cred, so, intlabel);
+	/* XXX: Socket unlock here. */
+out:
 	mac_socket_label_free(intlabel);
-	return (0);
+	return (error);
 }
 
 int
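Review bot: mac_socket_label_set runs the permission check and the relabel as two separate steps with no lock between them, so the decision taken by `mac_check_socket_relabel(cred, so, label)` can be stale by the time `mac_relabel_socket(cred, so, label)` applies it if the socket's label or state changes concurrently; the `/* XXX: Socket lock here. */` and `/* XXX: Socket unlock here. */` placeholders in the mac_setsockopt_label hunk of mac_net.c confirm the lock is not yet taken anywhere on this path. Until the locking is implemented, the new function should state its contract at its definition, e.g. a header comment `/* Check-then-relabel is not atomic; the caller is expected to hold the socket lock, which is not yet done (see XXX in mac_setsockopt_label). */`, and the same note belongs on the prototype added to mac_internal.h so other callers do not assume it is self-synchronising. Whether the relabel entry points may be called with the socket lock held (they might sleep in policy code) is not visible here and should be confirmed before the XXX markers are replaced. The enclosing mac_setsockopt_label begins outside the last hunk.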