diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 8384b5d434a197be60a24d5bea98c3c2964d5a38..eccecd4425abedaa481529b5aface2c34e71b52f 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -4803,9 +4803,9 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn, relabel = virXMLPropString(list[i], "relabel"); if (relabel != NULL) { if (STREQ(relabel, "yes")) { - seclabels[i]->norelabel = false; + seclabels[i]->relabel = true; } else if (STREQ(relabel, "no")) { - seclabels[i]->norelabel = true; + seclabels[i]->relabel = false; } else { virReportError(VIR_ERR_XML_ERROR, _("invalid security relabel value %s"), @@ -4815,7 +4815,7 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn, } VIR_FREE(relabel); } else { - seclabels[i]->norelabel = false; + seclabels[i]->relabel = true; } /* labelskip is only parsed on live images */ @@ -4830,7 +4830,7 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn, VIR_SECURITY_LABEL_BUFLEN-1, ctxt); seclabels[i]->label = label; - if (label && seclabels[i]->norelabel) { + if (label && !seclabels[i]->relabel) { virReportError(VIR_ERR_XML_ERROR, _("Cannot specify a label if relabelling is " "turned off. model=%s"), @@ -14736,7 +14736,7 @@ virSecurityDeviceLabelDefFormat(virBufferPtr buf, { /* For offline output, skip elements that allow labels but have no * label specified (possible if labelskip was ignored on input). */ - if ((flags & VIR_DOMAIN_XML_INACTIVE) && !def->label && !def->norelabel) + if ((flags & VIR_DOMAIN_XML_INACTIVE) && !def->label && def->relabel) return; virBufferAddLit(buf, "labelskip) virBufferAddLit(buf, " labelskip='yes'"); else - virBufferAsprintf(buf, " relabel='%s'", def->norelabel ? "no" : "yes"); + virBufferAsprintf(buf, " relabel='%s'", def->relabel ? "yes" : "no"); if (def->label) { virBufferAddLit(buf, ">\n"); 
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 665cbc943dda50bf616b01a505414ae9f8e373e4..4d2a9d6ef626738f21a0c66122aa47c066632188 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -312,7 +312,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr, disk_seclabel = virStorageSourceGetSecurityLabelDef(src, SECURITY_DAC_NAME); - if (disk_seclabel && disk_seclabel->norelabel) + if (disk_seclabel && !disk_seclabel->relabel) return 0; if (disk_seclabel && disk_seclabel->label) { @@ -374,7 +374,7 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, disk_seclabel = virStorageSourceGetSecurityLabelDef(src, SECURITY_DAC_NAME); - if (disk_seclabel && disk_seclabel->norelabel) + if (disk_seclabel && !disk_seclabel->relabel) return 0; /* If we have a shared FS and are doing migration, we must not change @@ -703,7 +703,7 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr, chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, SECURITY_DAC_NAME); - if (chr_seclabel && chr_seclabel->norelabel) + if (chr_seclabel && !chr_seclabel->relabel) return 0; if (chr_seclabel && chr_seclabel->label) { @@ -772,7 +772,7 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, SECURITY_DAC_NAME); - if (chr_seclabel && chr_seclabel->norelabel) + if (chr_seclabel && !chr_seclabel->relabel) return 0; switch ((virDomainChrType) dev_source->type) { diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 8d4a9aa1251f59983f017837143df482b6ea0ca8..a0e89b7e8d78e87a96b6854460262c3b2a12a1ac 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
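Review bot: The early `return 0` in `virSecurityDACSetSecurityImageLabel` reports success without touching the image, and after the polarity flip nothing at the test says that this is the per-device `relabel='no'` opt-out rather than an error path. A one-line comment above the guard would make that explicit, for example `/* relabel='no' on this device: leave its label untouched */`. The same applies to the other three hunks in security_dac.c and to the SELinux hunks that use the same `!…->relabel` guard. Each of these functions starts and ends outside its hunk.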
@@ -1130,7 +1130,7 @@ virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, disk_seclabel = virStorageSourceGetSecurityLabelDef(src, SECURITY_SELINUX_NAME); - if (!seclabel->relabel || (disk_seclabel && disk_seclabel->norelabel)) + if (!seclabel->relabel || (disk_seclabel && !disk_seclabel->relabel)) return 0; /* If labelskip is true and there are no backing files, then we @@ -1208,10 +1208,10 @@ virSecuritySELinuxSetSecurityImageLabelInternal(virSecurityManagerPtr mgr, disk_seclabel = virStorageSourceGetSecurityLabelDef(src, SECURITY_SELINUX_NAME); - if (disk_seclabel && disk_seclabel->norelabel) + if (disk_seclabel && !disk_seclabel->relabel) return 0; - if (disk_seclabel && !disk_seclabel->norelabel && disk_seclabel->label) { + if (disk_seclabel && disk_seclabel->relabel && disk_seclabel->label) { ret = virSecuritySELinuxSetFilecon(src->path, disk_seclabel->label); } else if (first) { if (src->shared) { @@ -1677,7 +1677,7 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def, chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, SECURITY_SELINUX_NAME); - if (chr_seclabel && chr_seclabel->norelabel) + if (chr_seclabel && !chr_seclabel->relabel) return 0; if (chr_seclabel) @@ -1747,7 +1747,7 @@ virSecuritySELinuxRestoreSecurityChardevLabel(virSecurityManagerPtr mgr, if (dev) chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, SECURITY_SELINUX_NAME); - if (chr_seclabel && chr_seclabel->norelabel) + if (chr_seclabel && !chr_seclabel->relabel) return 0; switch (dev_source->type) { diff --git a/src/util/virseclabel.c b/src/util/virseclabel.c index 9b209c0a326f039454853caed8d88c2339581bcf..e9d973c6be3d8784f8a4a8b474f871ce718c8614 100644 --- a/src/util/virseclabel.c +++ b/src/util/virseclabel.c 
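Review bot: In `virSecuritySELinuxSetSecurityImageLabelInternal` the second condition still tests `disk_seclabel->relabel`, although the early return directly above it has already handled the false case, so that term can never change the outcome. It could read `if (disk_seclabel && disk_seclabel->label) {`, which matches the equivalent test in `virSecurityDACSetSecurityImageLabel`. Dropping the redundant term also removes one place where a future polarity mistake could hide. The function body starts and ends outside the hunk.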
@@ -92,7 +92,7 @@ virSecurityDeviceLabelDefCopy(const virSecurityDeviceLabelDef *src) if (VIR_ALLOC(ret) < 0) return NULL; - ret->norelabel = src->norelabel; + ret->relabel = src->relabel; ret->labelskip = src->labelskip; if (VIR_STRDUP(ret->model, src->model) < 0 || diff --git a/src/util/virseclabel.h b/src/util/virseclabel.h index c164c48cecaad95079d4ed69d7aa487be510cc89..94c4dfc39634713d9d64b0bb9e624ad311e3ebc9 100644 --- a/src/util/virseclabel.h +++ b/src/util/virseclabel.h @@ -51,7 +51,7 @@ typedef virSecurityDeviceLabelDef *virSecurityDeviceLabelDefPtr; struct _virSecurityDeviceLabelDef { char *model; char *label; /* image label string */ - bool norelabel; /* true to skip label attempts */ + bool relabel; /* true (default) for allowing relabels */ bool labelskip; /* live-only; true if skipping failed label attempt */ };
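Review bot: The new field comment in `struct _virSecurityDeviceLabelDef` calls true the default, but a definition that comes from a zero-filling allocation (as `VIR_ALLOC` appears to be) starts with `relabel == false`, the opposite of what a zeroed `norelabel` meant before. In the lines shown, only the XML parser's `else` branch and `virSecurityDeviceLabelDefCopy` assign the field. Any producer outside this diff that allocates the struct without setting `relabel` would now make the DAC and SELinux drivers return 0 without labelling the device. It is worth auditing every allocation site and wording the comment accordingly, e.g. `bool relabel; /* true to allow relabels; must be set explicitly, zero-init means skip */`.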