If you come by this more than a decade later and wonder, hmm this isn't working still/again please do mind bug 2002771 that explains that this is different for "normal"-files vs read-only-files.
See https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/security_dac.c?ref_type=heads#L987
Quote:
/* Don't restore labels on readoly/shared disks, because other VMs may
* still be accessing these. Alternatively we could iterate over all
* running domains and try to figure out if it is in use, but this would
* not work for clustered filesystems, since we can't see running VMs using
* the file on other nodes. Safest bet is thus to skip the restore step. */
Due to that it works since the fix above in >=Focal for files, but still (and never) not for .iso files which the very initial report was about.
If you come by this more than a decade later and wonder, hmm this isn't working still/again please do mind bug 2002771 that explains that this is different for "normal"-files vs read-only-files.
See https:/ /gitlab. com/libvirt/ libvirt/ -/blob/ master/ src/security/ security_ dac.c?ref_ type=heads# L987
Quote:
/* Don't restore labels on readoly/shared disks, because other VMs may
* still be accessing these. Alternatively we could iterate over all
* running domains and try to figure out if it is in use, but this would
* not work for clustered filesystems, since we can't see running VMs using
* the file on other nodes. Safest bet is thus to skip the restore step. */
Due to that it works since the fix above in >=Focal for files, but still (and never) not for .iso files which the very initial report was about.