diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 03055002cb..b2748eb6a4 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -927,7 +927,6 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
     virTimeBackOffVar timebackoff;
     const unsigned long long timeout = 1000; /* ms */
     bool setTPMStateLabel = true;
-    bool teardownlabel = false;
     int cmdret = 0;
     pid_t pid = -1;
 
@@ -960,18 +959,18 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
         setTPMStateLabel = false;
     }
 
-    if (qemuSecurityStartTPMEmulator(driver, vm, cmd,
-                                     cfg->swtpm_user, cfg->swtpm_group,
-                                     setTPMStateLabel, NULL, &cmdret) < 0) {
+    if (qemuSecuritySetTPMLabels(driver, vm, setTPMStateLabel) < 0)
+        return -1;
+
+    if (qemuSecurityCommandRun(driver, vm, cmd, cfg->swtpm_user,
+                               cfg->swtpm_group, NULL, &cmdret) < 0)
         goto error;
-    }
 
     if (cmdret < 0) {
-        /* virCommandRun() hidden in qemuSecurityStartTPMEmulator()
+        /* virCommandRun() hidden in qemuSecurityCommandRun()
          * already reported error. */
         goto error;
     }
-    teardownlabel = true;
 
     if (virPidFileReadPath(pidfile, &pid) < 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -1014,8 +1013,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
         virProcessKillPainfully(pid, true);
     if (pidfile)
         unlink(pidfile);
-    if (teardownlabel)
-        qemuSecurityRestoreTPMLabels(driver, vm, setTPMStateLabel);
+    qemuSecurityRestoreTPMLabels(driver, vm, setTPMStateLabel);
     return -1;
 }