diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 2c0ac306116906b61a9f10675419424bb756c466..b37af6d34efa75dd5b031f030766475713b449b1 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -77,7 +77,7 @@ qemuSetImageCgroupInternal(virDomainObjPtr vm,
 
         VIR_DEBUG("Deny path %s", src->path);
 
-        ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms, false);
+        ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms, true);
     } else {
         if (!src->readonly && !forceReadonly)
             perms |= VIR_CGROUP_DEVICE_WRITE;
@@ -85,7 +85,7 @@ qemuSetImageCgroupInternal(virDomainObjPtr vm,
         VIR_DEBUG("Allow path %s, perms: %s",
                   src->path, virCgroupGetDevicePermsString(perms));
 
-        ret = virCgroupAllowDevicePath(priv->cgroup, src->path, perms, false);
+        ret = virCgroupAllowDevicePath(priv->cgroup, src->path, perms, true);
     }
 
     virDomainAuditCgroupPath(vm, priv->cgroup,
@@ -94,14 +94,6 @@ qemuSetImageCgroupInternal(virDomainObjPtr vm,
                              virCgroupGetDevicePermsString(perms),
                              ret == 0);
 
-    /* Get this for root squash NFS */
-    if (ret < 0 &&
-        virLastErrorIsSystemErrno(EACCES)) {
-        VIR_DEBUG("Ignoring EACCES for %s", src->path);
-        virResetLastError();
-        ret = 0;
-    }
-
     return ret;
 }