diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 6aaee4768f60..f4df25151622 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -648,6 +648,9 @@ icmp_reflect(m)
 		goto done;
 	}
 match:
+#ifdef MAC
+	mac_reflect_mbuf_icmp(m);
+#endif
 	t = IA_SIN(ia)->sin_addr;
 	ip->ip_src = t;
 	ip->ip_ttl = ip_defttl;
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 8816bc68986b..26aa1a69244e 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -488,10 +488,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 		mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
 	} else {
 		/*
-		 * XXXMAC: This will need to call a mac function that
-		 * modifies the mbuf label in place for TCP datagrams
-		 * not associated with a PCB.
+		 * Packet is not associated with a socket, so possibly
+		 * update the label in place.
 		 */
+		mac_reflect_mbuf_tcp(m);
 	}
 #endif
 	nth->th_seq = htonl(seq);
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 8816bc68986b..26aa1a69244e 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -488,10 +488,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 		mac_create_mbuf_from_socket(tp->t_inpcb->inp_socket, m);
 	} else {
 		/*
-		 * XXXMAC: This will need to call a mac function that
-		 * modifies the mbuf label in place for TCP datagrams
-		 * not associated with a PCB.
+		 * Packet is not associated with a socket, so possibly
+		 * update the label in place.
 		 */
+		mac_reflect_mbuf_tcp(m);
 	}
 #endif
 	nth->th_seq = htonl(seq);