diff --git a/daemon/container.go b/daemon/container.go
index 17eaac7323..5e4b72bf12 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -330,8 +330,8 @@ func populateCommand(c *Container, env []string) {
 		en      *execdriver.Network
 		context = make(map[string][]string)
 	)
-	context["process_label"] = []string{c.ProcessLabel}
-	context["mount_label"] = []string{c.MountLabel}
+	context["process_label"] = []string{c.GetProcessLabel()}
+	context["mount_label"] = []string{c.GetMountLabel()}
 
 	en = &execdriver.Network{
 		Mtu:       c.daemon.config.Mtu,
@@ -392,7 +392,6 @@ func (container *Container) Start() (err error) {
 	if err := container.setupContainerDns(); err != nil {
 		return err
 	}
-
 	if err := container.Mount(); err != nil {
 		return err
 	}
@@ -1192,3 +1191,19 @@ func (container *Container) allocatePort(eng *engine.Engine, port nat.Port, bind
 	bindings[port] = binding
 	return nil
 }
+
+func (container *Container) GetProcessLabel() string {
+	// even if we have a process label return "" if we are running
+	// in privileged mode
+	if container.hostConfig.Privileged {
+		return ""
+	}
+	return container.ProcessLabel
+}
+
+func (container *Container) GetMountLabel() string {
+	if container.hostConfig.Privileged {
+		return ""
+	}
+	return container.MountLabel
+}
diff --git a/daemon/daemon.go b/daemon/daemon.go
index cdd1bb915f..64a53989d0 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -538,10 +538,9 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *i
 	}
 	container.root = daemon.containerRoot(container.ID)
 
-	if container.MountLabel, container.ProcessLabel, err = label.GenLabels(""); err != nil {
+	if container.ProcessLabel, container.MountLabel, err = label.GenLabels(""); err != nil {
 		return nil, err
 	}
-
 	return container, nil
 }
 
@@ -848,7 +847,7 @@ func (daemon *Daemon) Close() error {
 }
 
 func (daemon *Daemon) Mount(container *Container) error {
-	dir, err := daemon.driver.Get(container.ID, container.MountLabel)
+	dir, err := daemon.driver.Get(container.ID, container.GetMountLabel())
 	if err != nil {
 		return fmt.Errorf("Error getting container %s from driver %s: %s", container.ID, daemon.driver, err)
 	}