diff --git a/daemon/daemon.go b/daemon/daemon.go
index b47498b2e1..0ee0e3d127 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -527,11 +527,35 @@ func (daemon *Daemon) getEntrypointAndArgs(configEntrypoint, configCmd []string)
 return entrypoint, args
 }
 
+func parseSecurityOpt(container *Container, config *runconfig.Config) error {
+ var (
+ label_opts []string
+ err error
+ )
+
+ for _, opt := range config.SecurityOpt {
+ con := strings.SplitN(opt, ":", 2)
+ if len(con) == 1 {
+ return fmt.Errorf("Invalid --security-opt: %q", opt)
+ }
+ switch con[0] {
+ case "label":
+ label_opts = append(label_opts, con[1])
+ case "apparmor":
+ container.AppArmorProfile = con[1]
+ default:
+ return fmt.Errorf("Invalid --security-opt: %q", opt)
+ }
+ }
+
+ container.ProcessLabel, container.MountLabel, err = label.InitLabels(label_opts)
+ return err
+}
+
 func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *image.Image) (*Container, error) {
 var (
- id string
- err error
- label_opts []string
+ id string
+ err error
 )
 id, name, err = daemon.generateIdAndName(name)
 if err != nil {
@@ -558,26 +582,8 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *i
 execCommands: newExecStore(),
 }
 container.root = daemon.containerRoot(container.ID)
-
- for _, opt := range config.SecurityOpt {
- con := strings.SplitN(opt, ":", 2)
- if len(con) == 1 {
- return nil, fmt.Errorf("Invalid --security-opt: %q", opt)
- }
- switch con[0] {
- case "label":
- label_opts = append(label_opts, con[1])
- case "apparmor":
- container.AppArmorProfile = con[1]
- default:
- return nil, fmt.Errorf("Invalid --security-opt: %q", opt)
- }
- }
-
- if container.ProcessLabel, container.MountLabel, err = label.InitLabels(label_opts); err != nil {
- return nil, err
- }
- return container, nil
+ err = parseSecurityOpt(container, config)
+ return container, err
 }
 
 func (daemon *Daemon) createRootfs(container *Container, img *image.Image) error {
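Review bot: parseSecurityOpt accepts an empty value after the colon, because the only check at `if len(con) == 1` rejects a missing separator: `--security-opt apparmor:` sets `container.AppArmorProfile` to "" and `--security-opt label:` appends "" to the options handed to `label.InitLabels`. Whether an empty profile name later means "default profile" or "no profile" is decided outside this hunk, so it is safer to refuse it here, e.g. `if len(con) == 1 || con[1] == "" {` with the same error. A repeated `apparmor:` option also silently overwrites the earlier one; rejecting a second occurrence would surface that mistake. The new function also lacks a doc comment; I would add `// parseSecurityOpt applies the "label:<opt>" and "apparmor:<profile>" entries of config.SecurityOpt to container, passing the collected label options to label.InitLabels to set ProcessLabel and MountLabel.` and rename `label_opts` to `labelOpts` per Go naming convention.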
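Review bot: The second hunk changes newContainer to `return container, err`, handing back a non-nil *Container together with a non-nil error, whereas the removed code returned `nil, err` on every failure. A caller that inspects the container before the error (or retains it for cleanup) would now see a partially initialised object whose ProcessLabel and MountLabel were never set, and Go convention is that the value is meaningless when the error is non-nil. I would keep the old contract and the `if err := ...; err != nil` form. newContainer's body begins outside this hunk.
```go
	container.root = daemon.containerRoot(container.ID)
	if err := parseSecurityOpt(container, config); err != nil {
		return nil, err
	}
	return container, nil
```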
diff --git a/daemon/daemon_unit_test.go b/daemon/daemon_unit_test.go
new file mode 100644
index 0000000000..f3b899ec8d
--- /dev/null
+++ b/daemon/daemon_unit_test.go
@@ -0,0 +1,39 @@
+package daemon
+
+import (
+ "testing"
+
+ "github.com/docker/docker/runconfig"
+)
+
+func TestParseSecurityOpt(t *testing.T) {
+ container := &Container{}
+ config := &runconfig.Config{}
+
+ // test apparmor
+ config.SecurityOpt = []string{"apparmor:test_profile"}
+ if err := parseSecurityOpt(container, config); err != nil {
+ t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
+ }
+ if container.AppArmorProfile != "test_profile" {
+ t.Fatalf("Unexpected AppArmorProfile, expected: \"test_profile\", got %q", container.AppArmorProfile)
+ }
+
+ // test valid label
+ config.SecurityOpt = []string{"label:user:USER"}
+ if err := parseSecurityOpt(container, config); err != nil {
+ t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
+ }
+
+ // test invalid label
+ config.SecurityOpt = []string{"label"}
+ if err := parseSecurityOpt(container, config); err == nil {
+ t.Fatal("Expected parseSecurityOpt error, got nil")
+ }
+
+ // test invalid opt
+ config.SecurityOpt = []string{"test"}
+ if err := parseSecurityOpt(container, config); err == nil {
+ t.Fatal("Expected parseSecurityOpt error, got nil")
+ }
+}
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 9b9d8efc5a..01a3f57638 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -19,7 +19,6 @@ import (
 
 "github.com/docker/docker/pkg/mount"
 "github.com/docker/docker/pkg/networkfs/resolvconf"
- "github.com/docker/libcontainer/label"
 "github.com/kr/pty"
 )
 
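Review bot: All four cases in TestParseSecurityOpt share one `container`, so the AppArmorProfile set by the first case persists into the later ones and the two error cases cannot assert that a rejected option leaves the container untouched. The test also never looks at ProcessLabel or MountLabel, and since this diff deletes the integration tests TestRunSecurityOptLevel and TestRunSecurityOptDisable, nothing left verifies that a `label:` option actually reaches the container; their `plabel != ""` guard suggests the InitLabels result depends on the host, so any such assertion would need the same gating. I would make the test table-driven with a fresh Container per case and add the empty-value inputs `apparmor:` and `label:` so the expected behaviour for them is pinned.
```go
	for _, tc := range []struct {
		opts        []string
		wantErr     bool
		wantProfile string
	}{
		{[]string{"apparmor:test_profile"}, false, "test_profile"},
		{[]string{"label:user:USER"}, false, ""},
		{[]string{"label"}, true, ""},
		{[]string{"test"}, true, ""},
	} {
		container := &Container{}
		config := &runconfig.Config{SecurityOpt: tc.opts}
		err := parseSecurityOpt(container, config)
		if (err != nil) != tc.wantErr {
			t.Fatalf("parseSecurityOpt(%v) error = %v, wantErr %v", tc.opts, err, tc.wantErr)
		}
		if container.AppArmorProfile != tc.wantProfile {
			t.Fatalf("parseSecurityOpt(%v) AppArmorProfile = %q, want %q", tc.opts, container.AppArmorProfile, tc.wantProfile)
		}
	}
```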
@@ -1720,42 +1719,6 @@ func TestRunWriteResolvFileAndNotCommit(t *testing.T) {
 logDone("run - write to /etc/resolv.conf and not commited")
 }
 
-func TestRunSecurityOptLevel(t *testing.T) {
- plabel, _, _ := label.InitLabels(nil)
- if plabel != "" {
- defer deleteAllContainers()
- cmd := exec.Command(dockerBinary, "run", "--security-opt", "label:level:s0:c0,c100", "busybox", "ps", "-eZ")
- out, _, err := runCommandWithOutput(cmd)
- if err != nil {
- t.Fatal(err, out)
- }
- id := strings.TrimSpace(out)
- if !strings.ContainsAny(id, "s0:c0,c100") {
- t.Fatal("security-opt label:level:s0:c0,c100 failed")
- }
- }
-
- logDone("run - security-opt label:level")
-}
-
-func TestRunSecurityOptDisable(t *testing.T) {
- plabel, _, _ := label.InitLabels(nil)
- if plabel != "" {
- defer deleteAllContainers()
- cmd := exec.Command(dockerBinary, "run", "--security-opt", "label:disable", "busybox", "ps", "-eZ")
- out, _, err := runCommandWithOutput(cmd)
- if err != nil {
- t.Fatal(err, out)
- }
- id := strings.TrimSpace(out)
- if !strings.ContainsAny(id, "svirt") {
- t.Fatal("security-opt label:level:disable failed")
- }
- }
-
- logDone("run - security-opt label:disable")
-}
-
 func TestRunWithBadDevice(t *testing.T) {
 name := "baddevice"
 cmd := exec.Command(dockerBinary, "run", "--name", name, "--device", "/etc", "busybox", "true")