diff --git a/docs/config.md b/docs/config.md
index 1aacf15f1..e9a32435a 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -35,6 +35,10 @@ version = 2
 # enable_selinux indicates to enable the selinux support.
 enable_selinux = false
+ # selinux_category_range allows the upper bound on the category range to be set.
+ # if not specified or set to 0, defaults to 1024 from the selinux package.
+ selinux_category_range = 1024
+
 # sandbox_image is the image used by sandbox container.
 sandbox_image = "k8s.gcr.io/pause:3.2"
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 579d72480..7cfb6d51f 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -198,6 +198,9 @@ type PluginConfig struct {
 StreamIdleTimeout string `toml:"stream_idle_timeout" json:"streamIdleTimeout"`
 // EnableSelinux indicates to enable the selinux support.
 EnableSelinux bool `toml:"enable_selinux" json:"enableSelinux"`
+ // SelinuxCategoryRange allows the upper bound on the category range to be set.
+ // If not specified or set to 0, defaults to 1024 from the selinux package.
+ SelinuxCategoryRange int `toml:"selinux_category_range" json:"selinuxCategoryRange"`
 // SandboxImage is the image used by sandbox container.
 SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 // StatsCollectPeriod is the period (in seconds) of snapshots stats collection.
diff --git a/pkg/config/config_unix.go b/pkg/config/config_unix.go
index 906301726..9df456b53 100644
--- a/pkg/config/config_unix.go
+++ b/pkg/config/config_unix.go
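Review bot: The new `SelinuxCategoryRange` field is declared as `int`, but its consumer in pkg/server/service_unix.go applies it as `uint32(r)` behind an `r > 0` guard, so a negative value is silently treated as unset and a value above math.MaxUint32 would be truncated by the conversion; the doc comment on the field does not say either. Suggest extending the comment with `// Negative values are ignored (treated as unset); the value is applied as a uint32.` and, preferably, rejecting out-of-range values during config validation rather than dropping them silently. The PluginConfig struct continues outside the hunk.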
@@ -44,12 +44,13 @@ func DefaultConfig() PluginConfig {
 },
 },
 },
- DisableTCPService: true,
- StreamServerAddress: "127.0.0.1",
- StreamServerPort: "0",
- StreamIdleTimeout: streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
- EnableSelinux: false,
- EnableTLSStreaming: false,
+ DisableTCPService: true,
+ StreamServerAddress: "127.0.0.1",
+ StreamServerPort: "0",
+ StreamIdleTimeout: streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
+ EnableSelinux: false,
+ SelinuxCategoryRange: 1024,
+ EnableTLSStreaming: false,
 X509KeyPairStreaming: X509KeyPairStreaming{
 TLSKeyFile: "",
 TLSCertFile: "",
diff --git a/pkg/server/service_unix.go b/pkg/server/service_unix.go
index 44f43f8c4..a1d9c9038 100644
--- a/pkg/server/service_unix.go
+++ b/pkg/server/service_unix.go
@@ -44,6 +44,9 @@ func (c *criService) initPlatform() error {
 if !selinux.GetEnabled() {
 logrus.Warn("Selinux is not supported")
 }
+ if r := c.config.SelinuxCategoryRange; r > 0 {
+ selinux.CategoryRange = uint32(r)
+ }
 } else {
 selinux.SetDisabled()
 }
diff --git a/vendor.conf b/vendor.conf
index 35741b13d..df5449187 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -1,8 +1,8 @@
 # cri dependencies
 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f
 github.com/opencontainers/selinux v1.6.0
-github.com/willf/bitset d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg
 github.com/tchap/go-patricia v2.2.6
+github.com/willf/bitset d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg
 # containerd dependencies
 github.com/beorn7/perks v1.0.1
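Review bot: `selinux.CategoryRange = uint32(r)` applies the configured value with only a lower-bound guard: on 64-bit builds a value above math.MaxUint32 wraps silently in the conversion, and nothing checks that the value fits the MCS category space the loaded policy defines, so an oversized range could produce container labels the policy does not accept. Because `CategoryRange` is a package-level variable in the selinux package, this write changes every label generated process-wide; setting it once during platform init is the right place, but it should be paired with a bound check, e.g. `if r := c.config.SelinuxCategoryRange; r > math.MaxUint32 { return fmt.Errorf("selinux_category_range %d exceeds uint32", r) }` before the assignment (or the equivalent check in config validation), which needs the `math` import. A one-line comment that a smaller range shrinks the pool of distinct MCS labels available to separate containers would also help operators reading this. initPlatform begins and ends outside the hunk.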