diff --git a/daemon/daemon.go b/daemon/daemon.go
index d069797ac4..9f90643c4e 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -528,10 +528,10 @@ func (daemon *Daemon) getEntrypointAndArgs(configEntrypoint, configCmd []string)
 return entrypoint, args
 }
-func parseSecurityOpt(container *Container, config *runconfig.Config) error {
+func parseSecurityOpt(container *Container, config *runconfig.HostConfig) error {
 var (
- label_opts []string
- err error
+ labelOpts []string
+ err error
 )
 for _, opt := range config.SecurityOpt {
@@ -541,7 +541,7 @@ func parseSecurityOpt(container *Container, config *runconfig.Config) error {
 }
 switch con[0] {
 case "label":
- label_opts = append(label_opts, con[1])
+ labelOpts = append(labelOpts, con[1])
 case "apparmor":
 container.AppArmorProfile = con[1]
 default:
@@ -549,7 +549,7 @@ func parseSecurityOpt(container *Container, config *runconfig.Config) error {
 }
 }
- container.ProcessLabel, container.MountLabel, err = label.InitLabels(label_opts)
+ container.ProcessLabel, container.MountLabel, err = label.InitLabels(labelOpts)
 return err
 }
@@ -583,7 +583,6 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *i
 execCommands: newExecStore(),
 }
 container.root = daemon.containerRoot(container.ID)
- err = parseSecurityOpt(container, config)
 return container, err
 }
diff --git a/daemon/daemon_unit_test.go b/daemon/daemon_unit_test.go
index f3b899ec8d..fbc3302aaa 100644
--- a/daemon/daemon_unit_test.go
+++ b/daemon/daemon_unit_test.go
@@ -8,7 +8,7 @@ import (
 func TestParseSecurityOpt(t *testing.T) {
 container := &Container{}
- config := &runconfig.Config{}
+ config := &runconfig.HostConfig{}
 // test apparmor
 config.SecurityOpt = []string{"apparmor:test_profile"}
diff --git a/daemon/start.go b/daemon/start.go
index f2c375ddc9..f72407e3f3 100644
--- a/daemon/start.go
+++ b/daemon/start.go
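Review bot: With the call moved out of newContainer, `label.InitLabels(labelOpts)` in the hunk at -549 now runs whenever setHostConfig applies a HostConfig, and each run overwrites `container.ProcessLabel` and `container.MountLabel`. If setHostConfig can run more than once for the same container (its callers are not visible here), the container could end up with a MountLabel that differs from the one its files were labelled with. `container.AppArmorProfile` would also keep the value from an earlier HostConfig, because it is only assigned in the `apparmor` case. I would state the contract on the function, e.g. `// parseSecurityOpt replaces the container's process/mount labels and AppArmor profile from config.SecurityOpt.`, and consider `container.AppArmorProfile = ""` before the loop so the result depends only on the config passed in. The function body continues outside these hunks.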
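Review bot: After the hunk at -583, newContainer no longer initialises any security labels, so `ProcessLabel`, `MountLabel` and `AppArmorProfile` stay at their zero values until setHostConfig is called. Before the change every created container went through `label.InitLabels`, even with an empty option list. Now a container that reaches start without a HostConfig being applied (if ContainerStart allows that, which the visible lines do not show) would skip it entirely. It is worth confirming that every start path calls setHostConfig, or applying an empty HostConfig on the path that does not. The body of newContainer begins outside the hunk, so whether `return container, err` can still carry a non-nil err cannot be checked from here.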
@@ -44,6 +44,9 @@ func (daemon *Daemon) ContainerStart(job *engine.Job) engine.Status {
 }
 func (daemon *Daemon) setHostConfig(container *Container, hostConfig *runconfig.HostConfig) error {
+ if err := parseSecurityOpt(container, hostConfig); err != nil {
+ return err
+ }
 // Validate the HostConfig binds. Make sure that:
 // the source exists
 for _, bind := range hostConfig.Binds {
diff --git a/runconfig/config.go b/runconfig/config.go
index 28e85de647..c00110bf71 100644
--- a/runconfig/config.go
+++ b/runconfig/config.go
@@ -32,7 +32,6 @@ type Config struct {
 Entrypoint []string
 NetworkDisabled bool
 OnBuild []string
- SecurityOpt []string
 }
 func ContainerConfigFromJob(job *engine.Job) *Config {
@@ -56,7 +55,6 @@ func ContainerConfigFromJob(job *engine.Job) *Config {
 }
 job.GetenvJson("ExposedPorts", &config.ExposedPorts)
 job.GetenvJson("Volumes", &config.Volumes)
- config.SecurityOpt = job.GetenvList("SecurityOpt")
 if PortSpecs := job.GetenvList("PortSpecs"); PortSpecs != nil {
 config.PortSpecs = PortSpecs
 }
diff --git a/runconfig/hostconfig.go b/runconfig/hostconfig.go
index 5c49522038..ae75434d41 100644
--- a/runconfig/hostconfig.go
+++ b/runconfig/hostconfig.go
@@ -56,6 +56,7 @@ type HostConfig struct {
 CapAdd []string
 CapDrop []string
 RestartPolicy RestartPolicy
+ SecurityOpt []string
 }
 // This is used by the create command when you want to set both the
@@ -90,6 +91,7 @@ func ContainerHostConfigFromJob(job *engine.Job) *HostConfig {
 job.GetenvJson("PortBindings", &hostConfig.PortBindings)
 job.GetenvJson("Devices", &hostConfig.Devices)
 job.GetenvJson("RestartPolicy", &hostConfig.RestartPolicy)
+ hostConfig.SecurityOpt = job.GetenvList("SecurityOpt")
 if Binds := job.GetenvList("Binds"); Binds != nil {
 hostConfig.Binds = Binds
 }
diff --git a/runconfig/parse.go b/runconfig/parse.go
index 42ec68898d..43976f604b 100644
--- a/runconfig/parse.go
+++ b/runconfig/parse.go
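Review bot: The added `parseSecurityOpt` call in daemon/start.go sits ahead of the bind validation, so setHostConfig rewrites the container's labels and AppArmor profile before it knows the rest of the HostConfig is acceptable. If a bind is later rejected, the function returns an error but the container keeps the new security settings. Consider running the validation loop first and moving the three added lines after it, or at least adding a comment such as `// Security options are applied first; a later validation error leaves them set on the container.` The rest of setHostConfig lies outside the hunk.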
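Review bot: `hostConfig.SecurityOpt = job.GetenvList("SecurityOpt")` in ContainerHostConfigFromJob becomes the only place the option is read, since the matching line in ContainerConfigFromJob is removed in runconfig/config.go. A client that still sends SecurityOpt as part of the container Config would, as far as these hunks show, have it dropped without an error, and the container would run without the label or AppArmor profile the caller asked for. That deserves a note in the API changelog, and ideally a warning or rejection when the old location is used. The assignment is also unconditional while the Binds line below it guards on nil; a short comment saying the difference is deliberate would help.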
@@ -256,7 +256,6 @@ func Parse(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Config,
 Volumes: flVolumes.GetMap(),
 Entrypoint: entrypoint,
 WorkingDir: *flWorkingDir,
- SecurityOpt: flSecurityOpt.GetAll(),
 }
 hostConfig := &HostConfig{
@@ -276,6 +275,7 @@ func Parse(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Config,
 CapAdd: flCapAdd.GetAll(),
 CapDrop: flCapDrop.GetAll(),
 RestartPolicy: restartPolicy,
+ SecurityOpt: flSecurityOpt.GetAll(),
 }
 if sysInfo != nil && flMemory > 0 && !sysInfo.SwapLimit {