+++ This bug was initially created as a clone of Bug #1035080 +++

libvirtd only changes the selinux labels of top two disk snapshots. 

When I used qemu-img to create 4 snapshot files like:
base <- snap1 <- snap2 <- snap3 <- snap4

The guest can not start, selinux denied qemu-kvm access snap file.
I checked the selinux labels of these snapshot files, only snap3 and snap4
are labeled.
snap3 to "system_u:object_r:svirt_content_t:s0"(readonly) and snap4 to
"system_u:object_r:virt_image_t:s0"(read/write).

libvirtd should set the rest of backing files to "system_u:object_r:svirt_content_t:s0".

Version:
libvirt-1.1.1-13.el7.x86_64
qemu-kvm-rhev-1.5.3-19.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. create 4 snapshots using qemu-img
# qemu-img create -f qcow2 -b kvm-rhel6.5-x86_64-qcow2.img kvm-rhel6.5-x86_64-qcow2-snap1.img 
Formatting 'kvm-rhel6.5-x86_64-qcow2-snap1.img', fmt=qcow2 size=4194304000 backing_file='kvm-rhel6.5-x86_64-qcow2.img' encryption=off cluster_size=65536 lazy_refcounts=off 

# qemu-img create -f qcow2 -b kvm-rhel6.5-x86_64-qcow2-snap1.img kvm-rhel6.5-x86_64-qcow2-snap2.img 
Formatting 'kvm-rhel6.5-x86_64-qcow2-snap2.img', fmt=qcow2 size=4194304000 backing_file='kvm-rhel6.5-x86_64-qcow2-snap1.img' encryption=off cluster_size=65536 lazy_refcounts=off 

# qemu-img create -f qcow2 -b kvm-rhel6.5-x86_64-qcow2-snap2.img kvm-rhel6.5-x86_64-qcow2-snap3.img 
Formatting 'kvm-rhel6.5-x86_64-qcow2-snap3.img', fmt=qcow2 size=4194304000 backing_file='kvm-rhel6.5-x86_64-qcow2-snap2.img' encryption=off cluster_size=65536 lazy_refcounts=off 

# qemu-img create -f qcow2 -b kvm-rhel6.5-x86_64-qcow2-snap3.img kvm-rhel6.5-x86_64-qcow2-snap4.img 
Formatting 'kvm-rhel6.5-x86_64-qcow2-snap4.img', fmt=qcow2 size=4194304000 backing_file='kvm-rhel6.5-x86_64-qcow2-snap3.img' encryption=off cluster_size=65536 lazy_refcounts=off 

2. check label
# ll -Z
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 kvm-rhel6.5-x86_64-qcow2.img
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 kvm-rhel6.5-x86_64-qcow2-snap1.img
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 kvm-rhel6.5-x86_64-qcow2-snap2.img
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 kvm-rhel6.5-x86_64-qcow2-snap3.img
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 kvm-rhel6.5-x86_64-qcow2-snap4.img

3. configure guest to use kvm-rhel6.5-x86_64-qcow2-snap4.img as virtual disk, and start it
# virsh edit kvm-rhel6.5-x86_64-qcow2-virtio 
Domain kvm-rhel6.5-x86_64-qcow2-virtio XML configuration edited.

# virsh start kvm-rhel6.5-x86_64-qcow2-virtio
error: Failed to start domain kvm-rhel6.5-x86_64-qcow2-virtio
error: internal error: process exited while connecting to monitor: qemu-kvm: -drive file=/var/lib/libvirt/images/kvm-rhel6.5-x86_64-qcow2-snap4.img,if=none,id=drive-virtio-disk0,format=qcow2,cache=none: could not open disk image /var/lib/libvirt/images/kvm-rhel6.5-x86_64-qcow2-snap4.img: Could not open file: Permission denied

4. we can see the labels of snap3 and snap4 are changed, but not for snap1 and snap2
# ll -Z
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 kvm-rhel6.5-x86_64-qcow2.img
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 kvm-rhel6.5-x86_64-qcow2-snap1.img
-rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 kvm-rhel6.5-x86_64-qcow2-snap2.img
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 kvm-rhel6.5-x86_64-qcow2-snap3.img
-rw-r--r--. root root system_u:object_r:virt_image_t:s0 kvm-rhel6.5-x86_64-qcow2-snap4.img


Actual results：
start fails

Expected results:
start success

Additional info:
The part of audit.log is:
type=AVC msg=audit(1385522525.946:560): avc:  denied  { read } for  pid=2609 comm="qemu-kvm" name="kvm-rhel6.5-x86_64-qcow2.snap2" dev="sda3" ino=526210 scontext=system_u:system_r:svirt_t:s0:c237,c674 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=file
type=SYSCALL msg=audit(1385522525.946:560): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9f7a3e40 a1=80800 a2=0 a3=0 items=0 ppid=1 pid=2609 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c237,c674 key=(null)
type=AVC msg=audit(1385522525.946:561): avc:  denied  { read } for  pid=2609 comm="qemu-kvm" name="kvm-rhel6.5-x86_64-qcow2.snap2" dev="sda3" ino=526210 scontext=system_u:system_r:svirt_t:s0:c237,c674 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=file
type=SYSCALL msg=audit(1385522525.946:561): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9f7a3e40 a1=80800 a2=0 a3=0 items=0 ppid=1 pid=2609 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c237,c674 key=(null)
type=AVC msg=audit(1385522525.946:562): avc:  denied  { read } for  pid=2609 comm="qemu-kvm" name="kvm-rhel6.5-x86_64-qcow2.snap2" dev="sda3" ino=526210 scontext=system_u:system_r:svirt_t:s0:c237,c674 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=file