Comment 46 for bug 691590

If you come by this more than a decade later and wonder, hmm this isn't working still/again please do mind bug 2002771 that explains that this is different for "normal"-files vs read-only-files.

See https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/security_dac.c?ref_type=heads#L987
Quote:
    /* Don't restore labels on readoly/shared disks, because other VMs may
     * still be accessing these. Alternatively we could iterate over all
     * running domains and try to figure out if it is in use, but this would
     * not work for clustered filesystems, since we can't see running VMs using
     * the file on other nodes. Safest bet is thus to skip the restore step. */

Due to that it works since the fix above in >=Focal for files, but still (and never) not for .iso files which the very initial report was about.