2 files changed, 20 insertions, 8 deletions

diff --git a/pkg/api/handlers/utils/containers.go b/pkg/api/handlers/utils/containers.go
index 74485edf2..c9bb9cf09 100644
--- a/pkg/api/handlers/utils/containers.go
+++ b/pkg/api/handlers/utils/containers.go
@@ -15,7 +15,7 @@ import (
 
 func KillContainer(w http.ResponseWriter, r *http.Request) (*libpod.Container, error) {
 	runtime := r.Context().Value("runtime").(*libpod.Runtime)
-	decoder := r.Context().Value("decorder").(*schema.Decoder)
+	decoder := r.Context().Value("decoder").(*schema.Decoder)
 	query := struct {
 		Signal syscall.Signal `schema:"signal"`
 	}{
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index b2a152a2d..21b6bc3b3 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -241,23 +241,35 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	}
 
 	// SECURITY OPTS
+	var runtimeConfig *libpodconfig.Config
+
+	if runtime != nil {
+		runtimeConfig, err = runtime.GetConfig()
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	g.SetProcessNoNewPrivileges(config.Security.NoNewPrivs)
 
 	if !config.Security.Privileged {
 		g.SetProcessApparmorProfile(config.Security.ApparmorProfile)
 	}
 
-	blockAccessToKernelFilesystems(config, &g)
-
-	var runtimeConfig *libpodconfig.Config
-
-	if runtime != nil {
-		runtimeConfig, err = runtime.GetConfig()
-		if err != nil {
+	// Unless already set via the CLI, check if we need to disable process
+	// labels or set the defaults.
+	if len(config.Security.LabelOpts) == 0 && runtimeConfig != nil {
+		if !runtimeConfig.EnableLabeling {
+			// Disabled in the config.
+			config.Security.LabelOpts = append(config.Security.LabelOpts, "disable")
+		} else if err := config.Security.SetLabelOpts(runtime, &config.Pid, &config.Ipc); err != nil {
+			// Defaults!
 			return nil, err
 		}
 	}
 
+	blockAccessToKernelFilesystems(config, &g)
+
 	// RESOURCES - PIDS
 	if config.Resources.PidsLimit > 0 {
 		// if running on rootless on a cgroupv1 machine or using the cgroupfs manager, pids