diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index d88eb7881f2e8ec32c0315abfb418f63628096cc..546a4c8e6330fdf6af903a3c900c58d29aebfa88 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -114,6 +114,8 @@ qemuSetupImagePathCgroup(virDomainObjPtr vm,
 }
 
 
+#define DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
+
 static int
 qemuSetupImageCgroupInternal(virDomainObjPtr vm,
                              virStorageSourcePtr src,
@@ -125,6 +127,10 @@ qemuSetupImageCgroupInternal(virDomainObjPtr vm,
         return 0;
     }
 
+    if (virStoragePRDefIsManaged(src->pr) &&
+        qemuSetupImagePathCgroup(vm, DEVICE_MAPPER_CONTROL_PATH, false) < 0)
+        return -1;
+
     return qemuSetupImagePathCgroup(vm, src->path, src->readonly || forceReadonly);
 }
 
@@ -142,9 +148,8 @@ qemuTeardownImageCgroup(virDomainObjPtr vm,
                         virStorageSourcePtr src)
 {
     qemuDomainObjPrivatePtr priv = vm->privateData;
-    int perms = VIR_CGROUP_DEVICE_READ |
-                VIR_CGROUP_DEVICE_WRITE |
-                VIR_CGROUP_DEVICE_MKNOD;
+    int perms = VIR_CGROUP_DEVICE_RWM;
+    size_t i;
     int ret;
 
     if (!virCgroupHasController(priv->cgroup,
@@ -157,6 +162,28 @@ qemuTeardownImageCgroup(virDomainObjPtr vm,
         return 0;
     }
 
+    for (i = 0; i < vm->def->ndisks; i++) {
+        virStorageSourcePtr diskSrc = vm->def->disks[i]->src;
+
+        if (src == diskSrc)
+            continue;
+
+        if (virStoragePRDefIsManaged(diskSrc->pr))
+            break;
+    }
+
+    if (i == vm->def->ndisks) {
+        VIR_DEBUG("Disabling device mapper control");
+        ret = virCgroupDenyDevicePath(priv->cgroup,
+                                      DEVICE_MAPPER_CONTROL_PATH, perms, true);
+        virDomainAuditCgroupPath(vm, priv->cgroup, "deny",
+                                 DEVICE_MAPPER_CONTROL_PATH,
+                                 virCgroupGetDevicePermsString(perms), ret);
+        if (ret < 0)
+            return ret;
+    }
+
+
     VIR_DEBUG("Deny path %s", src->path);
 
     ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms, true);
diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c
index d2c25af00329479a0a6499439cf749f2b35ed315..b365f20145f7568befb06b29f0f76baad776e858 100644
--- a/src/util/virdevmapper.c
+++ b/src/util/virdevmapper.c
@@ -101,8 +101,13 @@ virDevMapperGetTargetsImpl(const char *path,
 
     dm_task_no_open_count(dmt);
 
-    if (!dm_task_run(dmt))
+    if (!dm_task_run(dmt)) {
+        if (errno == ENXIO) {
+            /* If @path = "/dev/mapper/control" ENXIO is returned. */
+            ret = 0;
+        }
         goto cleanup;
+    }
 
     if (!dm_task_get_info(dmt, &info))
         goto cleanup;