diff --git a/share/man/man4/mac_do.4 b/share/man/man4/mac_do.4
--- a/share/man/man4/mac_do.4
+++ b/share/man/man4/mac_do.4
@@ -3,7 +3,7 @@
 .\"
 .\" SPDX-License-Identifier: BSD-2-Clause
 .\"
-.Dd May 22, 2024
+.Dd December 17, 2024
 .Dt MAC_DO 4
 .Os
 .Sh NAME
@@ -41,6 +41,11 @@
 (Default: 1).
 .It Va security.mac.do.rules
 The set of rules.
+.It Va security.mac.do.log
+Enable logging of
+.Nm
+activity.
+(Default: 0).
 .El
 .Pp
 The rules consist of a list of elements separated by
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -45,6 +45,10 @@
 &print_parse_error, 0, "Print parse errors on setting rules "
 "(via sysctl(8)).");
 
+static int do_log = 0;
+SYSCTL_INT(_security_mac_do, OID_AUTO, log, CTLFLAG_RWTUN,
+ &do_log, 0, "Log mac_do invocations");
+
 static MALLOC_DEFINE(M_DO, "do_rule", "Rules for mac_do");
 
 #define MAC_RULE_STRING_LEN 1024
@@ -1974,6 +1978,12 @@
 error = EPERM;
 STAILQ_FOREACH(rule, &rules->head, r_entries)
 if (rule_applies(rule, cred)) {
+ if (do_log)
+ printf("MAC/do: switching UID %u to %u, GID %u to %u for pid %u\n",
+ cred->cr_uid, new_cred->cr_uid,
+ cred->cr_gid, new_cred->cr_gid,
+ curthread->td_proc->p_pid);
+
 error = rule_grant_setcred(rule, cred, new_cred);
 if (error != EPERM)
 break;
@@ -1991,7 +2001,7 @@
 /*
 * Only grant privileges if requested by the right executable.
 *
- * XXXOC: We may want to base this check on a tunable path and/or
+ * XXX: We may want to base this check on a tunable path and/or
 * a specific MAC label. Going even further, e.g., envisioning to
 * completely replace the path check with the latter, we would need to
 * install FreeBSD on a FS with multilabel enabled by default, which in
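Review bot: The sysctl description `"Log mac_do invocations"` under-describes the knob: from the later hunk, what gets logged is each credential change attempted under a matching rule in the setcred path, and it goes out through printf(9) to the console/message buffer rather than to any structured log. Since the knob is CTLFLAG_RWTUN it can be flipped at runtime, so an administrator reading sysctl -d should be told what will appear and where. I would word it in the style of the neighbouring print_parse_error description, e.g. `&do_log, 0, "Log credential changes attempted under mac_do rules (via printf(9)).");`.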
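Review bot: The message says "switching" but is printed before rule_grant_setcred() runs, once per rule that rule_applies() accepts, so a rule that returns EPERM still leaves a log line claiming the switch happened, and a later rule that succeeds produces a second one; for an audit trail that is the wrong signal. Logging after the call, with the outcome, yields one accurate line per decision, as in the rewrite below. Separately, `curthread->td_proc->p_pid` is a pid_t, which is signed, so `%u` is a format/argument mismatch that -Wformat flags; use `%d`. The enclosing function starts and ends outside the hunk.
```c
	    if (rule_applies(rule, cred)) {
		error = rule_grant_setcred(rule, cred, new_cred);
		if (do_log)
			printf("MAC/do: pid %d: UID %u to %u, GID %u to %u: %s (%d)\n",
			    curthread->td_proc->p_pid,
			    cred->cr_uid, new_cred->cr_uid,
			    cred->cr_gid, new_cred->cr_gid,
			    error == 0 ? "granted" : "denied", error);
		/* … unchanged: break on any result other than EPERM … */
```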