diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 24609bc2e8..587b3b5478 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -808,6 +808,38 @@ SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 }
 
 
+static int
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                        virDomainSmartcardDefPtr dev,
+                                        void *opaque)
+{
+    virDomainObjPtr vm = opaque;
+    const char *database;
+
+    switch (dev->type) {
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+        break;
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+        database = dev->data.cert.database;
+        if (!database)
+            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+        return SELinuxRestoreSecurityFileLabel(database);
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+        return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+
+    default:
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("unknown smartcard type %d"),
+                               dev->type);
+        return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                virDomainObjPtr vm,
@@ -842,6 +874,12 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                    vm) < 0)
         rc = -1;
 
+    if (virDomainSmartcardDefForeach(vm->def,
+                                     false,
+                                     SELinuxRestoreSecuritySmartcardCallback,
+                                     vm) < 0)
+        rc = -1;
+
     if (vm->def->os.kernel &&
         SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
         rc = -1;
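Review bot: In the VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES case of SELinuxRestoreSecuritySmartcardCallback, SELinuxRestoreSecurityFileLabel is applied to the database path even when it is the VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE fallback, so stopping one domain resets the label of a host-wide store that other running domains configured the same way may still be using. If the restore paths for shared disks or chardevs elsewhere in this file skip resources that are not owned by a single domain, the same guard belongs here; otherwise the trade-off should at least be recorded with a comment such as `/* the default database is host-wide; restoring it affects every domain that uses it */` above the fallback. The remainder of the restore path, including SELinuxRestoreSecurityFileLabel itself, is outside this hunk, so whether it tolerates a label reset under a still-running peer domain cannot be confirmed from here.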
@@ -1073,6 +1111,38 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 }
 
 
+static int
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                    virDomainSmartcardDefPtr dev,
+                                    void *opaque)
+{
+    virDomainObjPtr vm = opaque;
+    const char *database;
+
+    switch (dev->type) {
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+        break;
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+        database = dev->data.cert.database;
+        if (!database)
+            database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+        return SELinuxSetFilecon(database, default_content_context);
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+        return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+
+    default:
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("unknown smartcard type %d"),
+                               dev->type);
+        return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                            virDomainObjPtr vm,
@@ -1108,6 +1178,12 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                                vm) < 0)
         return -1;
 
+    if (virDomainSmartcardDefForeach(vm->def,
+                                     true,
+                                     SELinuxSetSecuritySmartcardCallback,
+                                     vm) < 0)
+        return -1;
+
     if (vm->def->os.kernel &&
         SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
         return -1;
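Review bot: The VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES case of SELinuxSetSecuritySmartcardCallback labels only the single path passed to SELinuxSetFilecon; if the database is a directory of certificate and key files, as the default NSS store normally is (confirm against the domain schema), the files inside keep their existing labels and the emulator can still be denied access to the actual store while the label change appears to have succeeded. Either label the directory contents as well or document that the database is expected to be pre-labelled by the host, for example with `/* only the database path itself is labelled; its contents must already be readable under default_content_context */` above the SELinuxSetFilecon call. The intentional no-op in the VIR_DOMAIN_SMARTCARD_TYPE_HOST case also deserves a one-line comment such as `/* host mode: presumably no host path is handed to the emulator, so nothing to label -- confirm */`, since an empty `break` reads like a forgotten case. The callback is self-contained within this hunk; the Foreach call in the second hunk on this line aborts on the first error (`true`), which matches the early `return -1` style of SELinuxSetSecurityAllLabel.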