diff --git a/daemon/create.go b/daemon/create.go
index 3a71a8ac7e..e666e6f6ff 100644
--- a/daemon/create.go
+++ b/daemon/create.go
@@ -83,8 +83,8 @@ func (daemon *Daemon) Create(config *runconfig.Config, hostConfig *runconfig.Hos
 if warnings, err = daemon.mergeAndVerifyConfig(config, img); err != nil {
 return nil, nil, err
 }
- if hostConfig != nil && config.SecurityOpt == nil {
- config.SecurityOpt, err = daemon.GenerateSecurityOpt(hostConfig.IpcMode)
+ if hostConfig != nil && hostConfig.SecurityOpt == nil {
+ hostConfig.SecurityOpt, err = daemon.GenerateSecurityOpt(hostConfig.IpcMode)
 if err != nil {
 return nil, nil, err
 }
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 84628be729..93cb101f61 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -531,10 +531,10 @@ func (daemon *Daemon) getEntrypointAndArgs(configEntrypoint, configCmd []string)
 return entrypoint, args
 }
-func parseSecurityOpt(container *Container, config *runconfig.Config) error {
+func parseSecurityOpt(container *Container, config *runconfig.HostConfig) error {
 var (
- label_opts []string
- err error
+ labelOpts []string
+ err error
 )
 for _, opt := range config.SecurityOpt {
@@ -544,7 +544,7 @@ func parseSecurityOpt(container *Container, config *runconfig.Config) error {
 }
 switch con[0] {
 case "label":
- label_opts = append(label_opts, con[1])
+ labelOpts = append(labelOpts, con[1])
 case "apparmor":
 container.AppArmorProfile = con[1]
 default:
@@ -552,7 +552,7 @@ func parseSecurityOpt(container *Container, config *runconfig.Config) error {
 }
 }
- container.ProcessLabel, container.MountLabel, err = label.InitLabels(label_opts)
+ container.ProcessLabel, container.MountLabel, err = label.InitLabels(labelOpts)
 return err
 }
@@ -586,7 +586,6 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *i
 execCommands: newExecStore(),
 }
 container.root = daemon.containerRoot(container.ID)
- err = parseSecurityOpt(container, config)
 return container, err
 }
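Review bot: In the daemon/create.go hunk the guard `hostConfig.SecurityOpt == nil` treats an empty but non-nil slice as "options were supplied", so a request that carries `SecurityOpt` as an empty list would skip `GenerateSecurityOpt` and get none of the options derived from `hostConfig.IpcMode`. Whether the decoding path can actually produce an empty non-nil slice is not visible in this diff, so this needs confirming; `if hostConfig != nil && len(hostConfig.SecurityOpt) == 0 {` covers both cases. Create's body starts and ends outside the hunk.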
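Review bot: parseSecurityOpt (daemon/daemon.go, hunk at -531) still names its second parameter `config` although it is now a `*runconfig.HostConfig`, and it has no doc comment saying which container fields it writes. Renaming the parameter to `hostConfig` and adding `// parseSecurityOpt applies hostConfig.SecurityOpt to the container: "label" options feed label.InitLabels, "apparmor" sets AppArmorProfile.` would make the new ownership clear. The comment should also state that ProcessLabel and MountLabel are reassigned on every call (the unconditional assignment in the hunk at -552) while AppArmorProfile changes only when an `apparmor` option is present (hunk at -544), because the function is no longer called from newContainer alone. Part of the loop body lies outside these hunks.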
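Review bot: After the removal in the daemon/daemon.go hunk at -586, newContainer no longer applies any security options, and nothing in the function tells a caller that setHostConfig must run before the container is used. A path that creates a container with a nil hostConfig would then presumably never initialise its labels, which is a silent change in confinement; the callers are not visible in this diff, so that needs checking. At minimum add a comment above the return such as `// Security options (labels, AppArmor profile) are applied later by setHostConfig.`. The start of newContainer is outside the hunk.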
diff --git a/daemon/daemon_unit_test.go b/daemon/daemon_unit_test.go
index f3b899ec8d..fbc3302aaa 100644
--- a/daemon/daemon_unit_test.go
+++ b/daemon/daemon_unit_test.go
@@ -8,7 +8,7 @@ import (
 func TestParseSecurityOpt(t *testing.T) {
 container := &Container{}
- config := &runconfig.Config{}
+ config := &runconfig.HostConfig{}
 // test apparmor
 config.SecurityOpt = []string{"apparmor:test_profile"}
diff --git a/daemon/start.go b/daemon/start.go
index f2c375ddc9..f72407e3f3 100644
--- a/daemon/start.go
+++ b/daemon/start.go
@@ -44,6 +44,9 @@ func (daemon *Daemon) ContainerStart(job *engine.Job) engine.Status {
 }
 func (daemon *Daemon) setHostConfig(container *Container, hostConfig *runconfig.HostConfig) error {
+ if err := parseSecurityOpt(container, hostConfig); err != nil {
+ return err
+ }
 // Validate the HostConfig binds. Make sure that:
 // the source exists
 for _, bind := range hostConfig.Binds {
diff --git a/runconfig/config.go b/runconfig/config.go
index 29c54a4d6d..ca5c3240b6 100644
--- a/runconfig/config.go
+++ b/runconfig/config.go
@@ -33,7 +33,6 @@ type Config struct {
 NetworkDisabled bool
 MacAddress string
 OnBuild []string
- SecurityOpt []string
 }
 func ContainerConfigFromJob(job *engine.Job) *Config {
@@ -58,7 +57,6 @@ func ContainerConfigFromJob(job *engine.Job) *Config {
 }
 job.GetenvJson("ExposedPorts", &config.ExposedPorts)
 job.GetenvJson("Volumes", &config.Volumes)
- config.SecurityOpt = job.GetenvList("SecurityOpt")
 if PortSpecs := job.GetenvList("PortSpecs"); PortSpecs != nil {
 config.PortSpecs = PortSpecs
 }
diff --git a/runconfig/hostconfig.go b/runconfig/hostconfig.go
index 01388ad727..b619e9c31c 100644
--- a/runconfig/hostconfig.go
+++ b/runconfig/hostconfig.go
@@ -95,6 +95,7 @@ type HostConfig struct {
 CapAdd []string
 CapDrop []string
 RestartPolicy RestartPolicy
+ SecurityOpt []string
 }
 // This is used by the create command when you want to set both the
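Review bot: In daemon/start.go parseSecurityOpt runs before the bind validation that follows, so `container.AppArmorProfile`, `ProcessLabel` and `MountLabel` are already overwritten if a later check in setHostConfig returns an error. Moving the call after the validation loop, or parsing into local values and assigning them only once every check has passed, keeps the container unchanged on failure. parseSecurityOpt also dereferences `hostConfig` without a nil check (as the existing `hostConfig.Binds` loop does), so a doc comment on setHostConfig stating that `hostConfig` must be non-nil would help callers. The rest of setHostConfig is outside the hunk; that the later checks can fail is inferred from the `// Validate the HostConfig binds` comment.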
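Review bot: Dropping `SecurityOpt` from `Config` in runconfig/config.go, and from `ContainerConfigFromJob` in the hunk at -58, means a value supplied in the old location is now discarded with no error or warning. That likely affects API clients that still send it with the container config, and containers whose stored config was written before this change, which would then run with default labels and no explicit AppArmor profile; neither path is visible in this diff. Consider reading the old key for a transition period and copying it into `hostConfig.SecurityOpt` with a deprecation warning, or at least recording the move in the API change notes.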
@@ -130,6 +131,7 @@ func ContainerHostConfigFromJob(job *engine.Job) *HostConfig {
 job.GetenvJson("PortBindings", &hostConfig.PortBindings)
 job.GetenvJson("Devices", &hostConfig.Devices)
 job.GetenvJson("RestartPolicy", &hostConfig.RestartPolicy)
+ hostConfig.SecurityOpt = job.GetenvList("SecurityOpt")
 if Binds := job.GetenvList("Binds"); Binds != nil {
 hostConfig.Binds = Binds
 }
diff --git a/runconfig/parse.go b/runconfig/parse.go
index 2bd8cf969e..0d682f35d3 100644
--- a/runconfig/parse.go
+++ b/runconfig/parse.go
@@ -273,7 +273,6 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 MacAddress: *flMacAddress,
 Entrypoint: entrypoint,
 WorkingDir: *flWorkingDir,
- SecurityOpt: flSecurityOpt.GetAll(),
 }
 hostConfig := &HostConfig{
@@ -294,6 +293,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
 CapAdd: flCapAdd.GetAll(),
 CapDrop: flCapDrop.GetAll(),
 RestartPolicy: restartPolicy,
+ SecurityOpt: flSecurityOpt.GetAll(),
 }
 // When allocating stdin in attached mode, close stdin at client disconnect