From 53ee6d2237146316f0fda42c658434f891ef4b54 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 3 Oct 2014 11:43:22 -0400
Subject: [PATCH] Fix security-opt docs

Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan)
---
 docs/sources/reference/run.md | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/docs/sources/reference/run.md b/docs/sources/reference/run.md
index f5d6cc45e5..c72d28a000 100644
--- a/docs/sources/reference/run.md
+++ b/docs/sources/reference/run.md
@@ -234,22 +234,32 @@ the container exits**, you can add the `--rm` flag: --secutity-opt="apparmor:PROFILE" : Set the apparmor profile to be applied to the container -If you want to use the same label for multiple containers, you can override use -the security-opt flag to select an MCS level. This is a common practice for MLS -systems. But it also might help in cases where you want to share the same -content between containers. Run the following command. +You can override the default labeling scheme for each container by specifying +the `--security-opt` flag. For example, you can specify the MCS/MLS level, a +requirement for MLS systems. Specifying the level in the following command +allows you to share the same content between containers. # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash -Run the following command if you want to disable the labeling controls for just -this container. +An MLS example might be: + + # docker run --security-opt label:level:TopSecret -i -t rhel7 bash + +To disable the security labeling for this container versus running with the +`--permissive` flag, use the following command: # docker run --security-opt label:disable -i -t fedora bash -Run the following command if you want to run a container that could only listen -on apache ports. +If you want a tighter security policy on the processes within a container, +you can specify an alternate type for the container. You could run a container +that is only allowed to listen on Apache ports by executing the following +command: - # docker run --security-opt label:type:svirt_apache_t -i -t fedora bash + # docker run --security-opt label:type:svirt_apache_t -i -t centos bash + +Note: + +You would have to write policy defining a `svirt_apache_t` type. ## Runtime Constraints on CPU and Memory
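Review bot: the unchanged context line at the top of the hunk still reads `--secutity-opt="apparmor:PROFILE"`; since this patch is specifically fixing the `--security-opt` docs, that spelling should be corrected in the same change (`--security-opt="apparmor:PROFILE"`), otherwise a reader copying the AppArmor line gets an unrecognised flag. Two smaller points on the added text: "To disable the security labeling for this container versus running with the `--permissive` flag" is hard to parse, and `--permissive` is not introduced anywhere in the visible section, so either state what that flag is (and whether it is a daemon or a `docker run` option) or drop the comparison and keep the sentence to "To disable SELinux labeling for this container only, use the following command". The example images are also now inconsistent within one section (`fedora` for the level and disable examples, `rhel7` for the MLS example, and `centos` replacing `fedora` in the `svirt_apache_t` example); using one image throughout makes it clear that the image choice is irrelevant to the labeling behaviour. Finally, the bare `Note:` followed by a blank line and a one-sentence paragraph renders oddly in Markdown; inlining it as "Note: you would have to write policy defining a `svirt_apache_t` type" reads better and matches the rest of run.md.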