diff --git a/0001-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch b/0001-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch new file mode 100644 index 0000000..bd818f0 --- /dev/null +++ b/0001-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch @@ -0,0 +1,34 @@ +From: Stefan Berger +Date: Thu, 29 Jun 2017 14:01:11 -0400 +Subject: [PATCH] tpm: Use /dev/null for cancel path if none was found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +TPM 2 does not implement sysfs files for cancellation of commands. +We therefore use /dev/null for the cancel path passed to QEMU. + +Signed-off-by: Stefan Berger +Tested-by: Javier Martinez Canillas +Reviewed-by: Marc-André Lureau +Signed-off-by: Jiri Denemark +(cherry picked from commit dfbb15b75433e520fb1b905c1c3e28753e53e4a5) +--- + src/util/virtpm.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/util/virtpm.c b/src/util/virtpm.c +index 6d9b0657a..d5c10da38 100644 +--- a/src/util/virtpm.c ++++ b/src/util/virtpm.c +@@ -61,9 +61,7 @@ virTPMCreateCancelPath(const char *devpath) + VIR_FREE(path); + } + if (!path) +- virReportError(VIR_ERR_INTERNAL_ERROR, "%s", +- _("No usable sysfs TPM cancel file could be " +- "found")); ++ ignore_value(VIR_STRDUP(path, "/dev/null")); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("TPM device path %s is invalid"), devpath); diff --git a/0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch b/0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch new file mode 100644 index 0000000..29716d6 --- /dev/null +++ b/0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch 
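Review bot: The new fallback `ignore_value(VIR_STRDUP(path, "/dev/null"));` applies to any device for which no sysfs cancel file was found, not only to TPM 2, so a TPM 1.2 passthrough with a missing cancel entry now silently loses command cancellation where it previously failed with a clear error; a `VIR_WARN("No sysfs cancel file for %s, using /dev/null", devpath);` before the strdup would keep that visible in the daemon log. A short comment on the fallback such as `/* TPM 2 has no sysfs cancel file; /dev/null makes QEMU's cancel a no-op */` would also carry the commit message's rationale into the code. If VIR_STRDUP fails, path stays NULL and presumably the function returns NULL with the OOM error the macro reports itself, so discarding its return looks safe, but that is inferred from the macro and not visible in this hunk. virTPMCreateCancelPath begins and ends outside the hunk.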
@@ -0,0 +1,108 @@ +From: Cole Robinson +Date: Sun, 27 Aug 2017 11:23:47 -0400 +Subject: [PATCH] security: add MANAGER_MOUNT_NAMESPACE flag + +The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver +if mount namespaces are in use for the VM. Will be used for future +changes. + +Wire it up in the qemu driver + +(cherry picked from commit 321031e482425dfeae0f125cdac6df870f079efd) +--- + src/qemu/qemu_driver.c | 2 ++ + src/security/security_dac.c | 10 ++++++++++ + src/security/security_dac.h | 3 +++ + src/security/security_manager.c | 4 +++- + src/security/security_manager.h | 1 + + 5 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index b7824512c..1f9264639 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -419,6 +419,8 @@ qemuSecurityInit(virQEMUDriverPtr driver) + if (virQEMUDriverIsPrivileged(driver)) { + if (cfg->dynamicOwnership) + flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP; ++ if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT)) ++ flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE; + if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME, + cfg->user, + cfg->group, +diff --git a/src/security/security_dac.c b/src/security/security_dac.c +index ca7a6af6d..507be44a2 100644 +--- a/src/security/security_dac.c ++++ b/src/security/security_dac.c +@@ -57,6 +57,7 @@ struct _virSecurityDACData { + gid_t *groups; + int ngroups; + bool dynamicOwnership; ++ bool mountNamespace; + char *baselabel; + virSecurityManagerDACChownCallback chownCallback; + }; +@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, + } + + void ++virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, ++ bool mountNamespace) ++{ ++ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); ++ priv->mountNamespace = mountNamespace; ++} ++ ++ ++void + virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, + virSecurityManagerDACChownCallback chownCallback) + { 
+diff --git a/src/security/security_dac.h b/src/security/security_dac.h +index 846cefbb5..97681c961 100644 +--- a/src/security/security_dac.h ++++ b/src/security/security_dac.h +@@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr, + void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, + bool dynamic); + ++void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, ++ bool mountNamespace); ++ + void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, + virSecurityManagerDACChownCallback chownCallback); + +diff --git a/src/security/security_manager.c b/src/security/security_manager.c +index 95b995230..e43c99d4f 100644 +--- a/src/security/security_manager.c ++++ b/src/security/security_manager.c +@@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver, + virSecurityManagerPtr mgr; + + virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK | +- VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL); ++ VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP | ++ VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL); + + mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC, + virtDriver, +@@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver, + } + + virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP); ++ virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE); + virSecurityDACSetChownCallback(mgr, chownCallback); + + return mgr; +diff --git a/src/security/security_manager.h b/src/security/security_manager.h +index 01296d339..08fb89203 100644 +--- a/src/security/security_manager.h ++++ b/src/security/security_manager.h +@@ -36,6 +36,7 @@ typedef enum { + VIR_SECURITY_MANAGER_REQUIRE_CONFINED = 1 << 2, + VIR_SECURITY_MANAGER_PRIVILEGED = 1 << 3, + VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP = 1 << 4, ++ VIR_SECURITY_MANAGER_MOUNT_NAMESPACE = 1 << 5, + } virSecurityManagerNewFlags; + + # define VIR_SECURITY_MANAGER_NEW_MASK \ 
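Review bot: The new `bool mountNamespace;` field and the `virSecurityDACSetMountNamespace` setter carry no comment saying what the flag means for the DAC driver, and the field is written but never read in this patch, so a reader of security_dac.c cannot tell why it exists; a field comment such as `/* domain runs in a private mount namespace: chown of shared host device nodes only affects its private copies */` (which is exactly how the 0003 patch on this page uses it) plus a matching doc line on the prototype in security_dac.h would help. Passing `flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE` (an int bitmask) into a `bool` parameter relies on implicit conversion; it mirrors the existing DYNAMIC_OWNERSHIP line so it is consistent, but `!!(flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE)` would make the intent explicit. The security_manager.h hunk ends at the `VIR_SECURITY_MANAGER_NEW_MASK` definition, so whether the new bit belongs in that mask is not visible; the explicit OR in virCheckFlags suggests it is deliberately kept outside it, like DYNAMIC_OWNERSHIP.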
diff --git a/0003-security-dac-relabel-spice-rendernode.patch b/0003-security-dac-relabel-spice-rendernode.patch new file mode 100644 index 0000000..4a92ba1 --- /dev/null +++ b/0003-security-dac-relabel-spice-rendernode.patch 
@@ -0,0 +1,101 @@ +From: Cole Robinson +Date: Mon, 17 Jul 2017 08:57:57 -0400 +Subject: [PATCH] security: dac: relabel spice rendernode + +For a logged in user this a path like /dev/dri/renderD128 will have +default ownership root:video which won't work for the qemu:qemu user, +so we need to chown it. + +We only do this when mount namespaces are enabled in the qemu driver, +so the chown'ing doesn't interfere with other users of the shared +render node path + +https://bugzilla.redhat.com/show_bug.cgi?id=1460804 +(cherry picked from commit 98931187eefdec6f2dea5cb82ab6d23a3ffa6634) +--- + src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 58 insertions(+) + +diff --git a/src/security/security_dac.c b/src/security/security_dac.c +index 507be44a2..349dbe81d 100644 +--- a/src/security/security_dac.c ++++ b/src/security/security_dac.c +@@ -1381,6 +1381,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, + + + static int ++virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr, ++ virDomainDefPtr def, ++ virDomainGraphicsDefPtr gfx) ++ ++{ ++ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); ++ virSecurityLabelDefPtr seclabel; ++ uid_t user; ++ gid_t group; ++ ++ /* Skip chowning the shared render file if namespaces are disabled */ ++ if (!priv->mountNamespace) ++ return 0; ++ ++ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); ++ if (seclabel && !seclabel->relabel) ++ return 0; ++ ++ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0) ++ return -1; ++ ++ if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE && ++ gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES && ++ gfx->data.spice.rendernode) { ++ if (virSecurityDACSetOwnership(priv, NULL, ++ gfx->data.spice.rendernode, ++ user, group) < 0) ++ return -1; ++ } ++ ++ return 0; ++} ++ ++ ++static int ++virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, ++ virDomainDefPtr def 
ATTRIBUTE_UNUSED, ++ virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSED) ++ ++{ ++ /* The only graphics labelling we do is dependent on mountNamespaces, ++ in which case 'restoring' the label doesn't actually accomplish ++ anything, so there's nothing to do here */ ++ return 0; ++} ++ ++ ++static int + virSecurityDACSetInputLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainInputDefPtr input) +@@ -1491,6 +1539,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, + rc = -1; + } + ++ for (i = 0; i < def->ngraphics; i++) { ++ if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0) ++ return -1; ++ } ++ + for (i = 0; i < def->ninputs; i++) { + if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0) + rc = -1; +@@ -1611,6 +1664,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, + return -1; + } + ++ for (i = 0; i < def->ngraphics; i++) { ++ if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0) ++ return -1; ++ } ++ + for (i = 0; i < def->ninputs; i++) { + if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0) + return -1; diff --git a/libvirt.spec b/libvirt.spec index 4e0d2b8..d84d393 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -240,7 +240,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 3.7.0 -Release: 1%{?dist}%{?extra_release} +Release: 2%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root 
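Review bot: In the virSecurityDACRestoreAllLabel hunk the new graphics loop bails out with `return -1`, while the input loop directly below it records `rc = -1` and keeps restoring, so a failing graphics restore would skip every later device and leave those host nodes owned by the qemu user; the line should read `rc = -1;` to match its neighbours. It is unreachable today because virSecurityDACRestoreGraphicsLabel unconditionally returns 0, but the asymmetry will bite the first real implementation. In virSecurityDACSetGraphicsLabel the user/group lookup via virSecurityDACGetIds runs before the spice/gl/rendernode test, so the type check could be hoisted above it to avoid the lookup for every non-GL graphics device, and the blank line between the parameter list and `{` in both new functions is unusual for this file. The bodies of virSecurityDACRestoreAllLabel and virSecurityDACSetAllLabel start and end outside the hunk.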
@@ -251,6 +251,12 @@ URL: https://libvirt.org/
 %endif
 Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
+# Fix TPM2 passthrough (bz #1486240)
+Patch0001: 0001-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch
+# Fix spice GL qemu:///system rendernode permissions (bz #1460804)
+Patch0002: 0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch
+Patch0003: 0003-security-dac-relabel-spice-rendernode.patch
+
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
 Requires: libvirt-daemon-config-nwfilter = %{version}-%{release}
@@ -2121,6 +2127,10 @@ exit 0
 %changelog
+* Fri Sep 15 2017 Cole Robinson - 3.7.0-2
+- Fix TPM2 passthrough (bz #1486240)
+- Fix spice GL qemu:///system rendernode permissions (bz #1460804)
+
 * Mon Sep 4 2017 Daniel P. Berrange - 3.7.0-1
 - Rebase to version 3.7.0