diff --git a/SOURCES/libvirt-qemu-block-commit-Determine-relative-path-of-images-before-initializing.patch b/SOURCES/libvirt-qemu-block-commit-Determine-relative-path-of-images-before-initializing.patch
new file mode 100644
index 0000000..a6d2bf2
--- /dev/null
+++ b/SOURCES/libvirt-qemu-block-commit-Determine-relative-path-of-images-before-initializing.patch
@@ -0,0 +1,69 @@
+From 615457ad6a27f84b9c1898626dc691fe445ec852 Mon Sep 17 00:00:00 2001
+Message-Id: <615457ad6a27f84b9c1898626dc691fe445ec852@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 22 Nov 2017 18:20:49 +0100
+Subject: [PATCH] qemu: block commit: Determine relative path of images before
+ initializing
+
+Changing labelling of the images does not need to happen after setting
+the labeling and lock manager access. This saves the cleanup of the
+labeling if the relative path can't be determined.
+
+(cherry picked from commit 3488f449a63994c1a20e08cd6a7fe35de303e77a)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1516717
+
+This commit simplifies backport of the actual patch, is simple and useful.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_driver.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 46016fb36e..f8df2d452d 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -17225,19 +17225,6 @@ qemuDomainBlockCommit(virDomainPtr dom,
+             goto endjob;
+     }
+ 
+-    /* For the commit to succeed, we must allow qemu to open both the
+-     * 'base' image and the parent of 'top' as read/write; 'top' might
+-     * not have a parent, or might already be read-write.  XXX It
+-     * would also be nice to revert 'base' to read-only, as well as
+-     * revoke access to files removed from the chain, when the commit
+-     * operation succeeds, but doing that requires tracking the
+-     * operation in XML across libvirtd restarts.  */
+-    clean_access = true;
+-    if (qemuDomainDiskChainElementPrepare(driver, vm, baseSource, false) < 0 ||
+-        (top_parent && top_parent != disk->src &&
+-         qemuDomainDiskChainElementPrepare(driver, vm, top_parent, false) < 0))
+-        goto endjob;
+-
+     if (flags & VIR_DOMAIN_BLOCK_COMMIT_RELATIVE &&
+         topSource != disk->src) {
+         if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_CHANGE_BACKING_FILE)) {
+@@ -17257,6 +17244,19 @@ qemuDomainBlockCommit(virDomainPtr dom,
+         }
+     }
+ 
++    /* For the commit to succeed, we must allow qemu to open both the
++     * 'base' image and the parent of 'top' as read/write; 'top' might
++     * not have a parent, or might already be read-write.  XXX It
++     * would also be nice to revert 'base' to read-only, as well as
++     * revoke access to files removed from the chain, when the commit
++     * operation succeeds, but doing that requires tracking the
++     * operation in XML across libvirtd restarts.  */
++    clean_access = true;
++    if (qemuDomainDiskChainElementPrepare(driver, vm, baseSource, false) < 0 ||
++        (top_parent && top_parent != disk->src &&
++         qemuDomainDiskChainElementPrepare(driver, vm, top_parent, false) < 0))
++        goto endjob;
++
+     /* Start the commit operation.  Pass the user's original spelling,
+      * if any, through to qemu, since qemu may behave differently
+      * depending on whether the input was specified as relative or
+-- 
+2.15.1
+
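Review bot: `clean_access = true` is assigned before either qemuDomainDiskChainElementPrepare call in the re-added block, so a failure of the first call still sends both `baseSource` and `top_parent` through the read-only rollback at `endjob`, including an element that was never switched to read-write. If that ordering is deliberate, it deserves a comment such as `/* set first: a partially applied prepare must still be reverted at endjob */`. The existing comment says the parent of 'top' "might already be read-write", in which case the rollback would presumably narrow access that the image had before the job started; that case is worth confirming. The `endjob` label and the rest of qemuDomainBlockCommit lie outside this hunk.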
diff --git a/SOURCES/libvirt-qemu-block-commit-Don-t-overwrite-error-when-rolling-back-disk-labels.patch b/SOURCES/libvirt-qemu-block-commit-Don-t-overwrite-error-when-rolling-back-disk-labels.patch
new file mode 100644
index 0000000..af45104
--- /dev/null
+++ b/SOURCES/libvirt-qemu-block-commit-Don-t-overwrite-error-when-rolling-back-disk-labels.patch
@@ -0,0 +1,46 @@
+From 8fc980241464db978fad2e86bc3d6916a173cbe9 Mon Sep 17 00:00:00 2001
+Message-Id: <8fc980241464db978fad2e86bc3d6916a173cbe9@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 22 Nov 2017 18:20:48 +0100
+Subject: [PATCH] qemu: block commit: Don't overwrite error when rolling back
+ disk labels
+
+Calls to qemuDomainDiskChainElementPrepare resets the original error,
+thus we need to save it in the cleanup path of qemuDomainBlockCommit.
+
+(cherry picked from commit c885b7fe1de1961391a117c033b4012a02cc8fca)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1516717
+
+Helps resolve merge conflicts with the actual patch and is useful by
+itself.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_driver.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index bfd7ff6c09..46016fb36e 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -17302,10 +17302,16 @@ qemuDomainBlockCommit(virDomainPtr dom,
+ 
+  endjob:
+     if (ret < 0 && clean_access) {
++        virErrorPtr orig_err = virSaveLastError();
+         /* Revert access to read-only, if possible.  */
+         qemuDomainDiskChainElementPrepare(driver, vm, baseSource, true);
+         if (top_parent && top_parent != disk->src)
+             qemuDomainDiskChainElementPrepare(driver, vm, top_parent, true);
++
++        if (orig_err) {
++            virSetError(orig_err);
++            virFreeError(orig_err);
++        }
+     }
+     virStorageSourceFree(mirror);
+     qemuDomainObjEndJob(driver, vm);
+-- 
+2.15.1
+
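Review bot: Both rollback calls under `endjob` discard the return value of qemuDomainDiskChainElementPrepare, and because the saved error is restored right after them, a failed revert may leave the image writable with nothing reported. Log the failure before restoring the original error, e.g. `if (qemuDomainDiskChainElementPrepare(driver, vm, baseSource, true) < 0) VIR_WARN("Unable to revert access to read-only on %s", NULLSTR(baseSource->path));`, and do the same for `top_parent`. When virSaveLastError() returns NULL, the `if (orig_err)` branch is skipped and whatever error the rollback set stays as the last error. The function body continues outside the hunk.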
diff --git a/SOURCES/libvirt-qemu-domain-Don-t-call-namespace-setup-for-storage-already-accessed-by-vm.patch b/SOURCES/libvirt-qemu-domain-Don-t-call-namespace-setup-for-storage-already-accessed-by-vm.patch
new file mode 100644
index 0000000..9f47835
--- /dev/null
+++ b/SOURCES/libvirt-qemu-domain-Don-t-call-namespace-setup-for-storage-already-accessed-by-vm.patch
@@ -0,0 +1,141 @@
+From cccfeedda80612c8ce2c48e4eed26fe6c51382f3 Mon Sep 17 00:00:00 2001
+Message-Id: <cccfeedda80612c8ce2c48e4eed26fe6c51382f3@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 22 Nov 2017 18:20:50 +0100
+Subject: [PATCH] qemu: domain: Don't call namespace setup for storage already
+ accessed by vm
+
+When doing block commit we need to allow write for members of the
+backing chain so that we can commit the data into them.
+
+qemuDomainDiskChainElementPrepare was used for this which since commit
+786d8d91b4 calls qemuDomainNamespaceSetupDisk which has very adverse
+side-effects, namely it relabels the nodes to the same label it has in
+the main namespace. This was messing up permissions for the commit
+operation since its touching various parts of a single backing chain.
+
+Since we are are actually not introducing new images at that point add a
+flag for qemuDomainDiskChainElementPrepare which will refrain from
+calling to the namespace setup function.
+
+Calls from qemuDomainSnapshotCreateSingleDiskActive and
+qemuDomainBlockCopyCommon do introduce new members all calls from
+qemuDomainBlockCommit do not, so the calls are anotated accordingly.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1506072
+(cherry picked from commit 3746a38e7b9ae5342675547624122d55e73d6c81)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1516717
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_domain.c | 17 ++++++++++++++---
+ src/qemu/qemu_domain.h |  3 ++-
+ src/qemu/qemu_driver.c | 12 ++++++------
+ 3 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index 68c1f3b7c5..dd70bd6367 100644
+--- a/src/qemu/qemu_domain.c
++++ b/src/qemu/qemu_domain.c
+@@ -5510,15 +5510,25 @@ qemuDomainDiskChainElementRevoke(virQEMUDriverPtr driver,
+ 
+ /**
+  * qemuDomainDiskChainElementPrepare:
++ * @driver: qemu driver data
++ * @vm: domain object
++ * @elem: source structure to set access for
++ * @readonly: setup read-only access if true
++ * @newSource: @elem describes a storage source which @vm can't access yet
+  *
+  * Allow a VM access to a single element of a disk backing chain; this helper
+  * ensures that the lock manager, cgroup device controller, and security manager
+- * labelling are all aware of each new file before it is added to a chain */
++ * labelling are all aware of each new file before it is added to a chain.
++ *
++ * When modifying permissions of @elem which @vm can already access (is in the
++ * backing chain) @newSource needs to be set to false.
++ */
+ int
+ qemuDomainDiskChainElementPrepare(virQEMUDriverPtr driver,
+                                   virDomainObjPtr vm,
+                                   virStorageSourcePtr elem,
+-                                  bool readonly)
++                                  bool readonly,
++                                  bool newSource)
+ {
+     bool was_readonly = elem->readonly;
+     virQEMUDriverConfigPtr cfg = NULL;
+@@ -5531,7 +5541,8 @@ qemuDomainDiskChainElementPrepare(virQEMUDriverPtr driver,
+     if (virDomainLockImageAttach(driver->lockManager, cfg->uri, vm, elem) < 0)
+         goto cleanup;
+ 
+-    if (qemuDomainNamespaceSetupDisk(driver, vm, elem) < 0)
++    if (newSource &&
++        qemuDomainNamespaceSetupDisk(driver, vm, elem) < 0)
+         goto cleanup;
+ 
+     if (qemuSetupImageCgroup(vm, elem) < 0)
+diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
+index 1a658bcf7e..68458ad9ae 100644
+--- a/src/qemu/qemu_domain.h
++++ b/src/qemu/qemu_domain.h
+@@ -642,7 +642,8 @@ void qemuDomainDiskChainElementRevoke(virQEMUDriverPtr driver,
+ int qemuDomainDiskChainElementPrepare(virQEMUDriverPtr driver,
+                                       virDomainObjPtr vm,
+                                       virStorageSourcePtr elem,
+-                                      bool readonly);
++                                      bool readonly,
++                                      bool newSource);
+ 
+ int qemuDomainCleanupAdd(virDomainObjPtr vm,
+                          qemuDomainCleanupCallback cb);
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index f8df2d452d..498f787ad3 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -14277,7 +14277,7 @@ qemuDomainSnapshotCreateSingleDiskActive(virQEMUDriverPtr driver,
+     }
+ 
+     /* set correct security, cgroup and locking options on the new image */
+-    if (qemuDomainDiskChainElementPrepare(driver, vm, dd->src, false) < 0) {
++    if (qemuDomainDiskChainElementPrepare(driver, vm, dd->src, false, true) < 0) {
+         qemuDomainDiskChainElementRevoke(driver, vm, dd->src);
+         goto cleanup;
+     }
+@@ -16865,7 +16865,7 @@ qemuDomainBlockCopyCommon(virDomainObjPtr vm,
+                                          keepParentLabel) < 0)
+         goto endjob;
+ 
+-    if (qemuDomainDiskChainElementPrepare(driver, vm, mirror, false) < 0) {
++    if (qemuDomainDiskChainElementPrepare(driver, vm, mirror, false, true) < 0) {
+         qemuDomainDiskChainElementRevoke(driver, vm, mirror);
+         goto endjob;
+     }
+@@ -17252,9 +17252,9 @@ qemuDomainBlockCommit(virDomainPtr dom,
+      * operation succeeds, but doing that requires tracking the
+      * operation in XML across libvirtd restarts.  */
+     clean_access = true;
+-    if (qemuDomainDiskChainElementPrepare(driver, vm, baseSource, false) < 0 ||
++    if (qemuDomainDiskChainElementPrepare(driver, vm, baseSource, false, false) < 0 ||
+         (top_parent && top_parent != disk->src &&
+-         qemuDomainDiskChainElementPrepare(driver, vm, top_parent, false) < 0))
++         qemuDomainDiskChainElementPrepare(driver, vm, top_parent, false, false) < 0))
+         goto endjob;
+ 
+     /* Start the commit operation.  Pass the user's original spelling,
+@@ -17304,9 +17304,9 @@ qemuDomainBlockCommit(virDomainPtr dom,
+     if (ret < 0 && clean_access) {
+         virErrorPtr orig_err = virSaveLastError();
+         /* Revert access to read-only, if possible.  */
+-        qemuDomainDiskChainElementPrepare(driver, vm, baseSource, true);
++        qemuDomainDiskChainElementPrepare(driver, vm, baseSource, true, false);
+         if (top_parent && top_parent != disk->src)
+-            qemuDomainDiskChainElementPrepare(driver, vm, top_parent, true);
++            qemuDomainDiskChainElementPrepare(driver, vm, top_parent, true, false);
+ 
+         if (orig_err) {
+             virSetError(orig_err);
+-- 
+2.15.1
+
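Review bot: The new `newSource` parameter sits directly after `readonly`, so the call sites in qemu_driver.c now read `..., false, false)` and `..., true, false)`, and transposing the two compiles cleanly while changing whether qemuDomainNamespaceSetupDisk runs. Annotate the arguments where the helper is called, e.g. `qemuDomainDiskChainElementPrepare(driver, vm, baseSource, false /* readonly */, false /* newSource */)`, or replace the pair with a flags argument in a follow-up. The doc comment in qemu_domain.c still says the helper makes the security layers aware of "each new file before it is added to a chain"; a sentence stating that the namespace step is skipped when @newSource is false would make the contract explicit. The bodies of the helper and of its callers extend beyond these hunks.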
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 73d1f1b..722b4c6 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -228,7 +228,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 3.2.0
-Release: 14%{?dist}.4%{?extra_release}
+Release: 14%{?dist}.5%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -488,6 +488,9 @@ Patch245: libvirt-qemu-Separate-CPU-updating-code-from-qemuProcessReconnect.patc
 Patch246: libvirt-conf-Introduce-virCPUDefFindFeature.patch
 Patch247: libvirt-qemu-Filter-CPU-features-when-using-host-CPU.patch
 Patch248: libvirt-qemu-Fix-CPU-model-broken-by-older-libvirt.patch
+Patch249: libvirt-qemu-block-commit-Don-t-overwrite-error-when-rolling-back-disk-labels.patch
+Patch250: libvirt-qemu-block-commit-Determine-relative-path-of-images-before-initializing.patch
+Patch251: libvirt-qemu-domain-Don-t-call-namespace-setup-for-storage-already-accessed-by-vm.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2336,6 +2339,11 @@ exit 0
 
 
 %changelog
+* Fri Dec  1 2017 Jiri Denemark <jdenemar@redhat.com> - 3.2.0-14.el7_4.5
+- qemu: block commit: Don't overwrite error when rolling back disk labels (rhbz#1516717)
+- qemu: block commit: Determine relative path of images before initializing (rhbz#1516717)
+- qemu: domain: Don't call namespace setup for storage already accessed by vm (rhbz#1516717)
+
 * Mon Nov  6 2017 Jiri Denemark <jdenemar@redhat.com> - 3.2.0-14.el7_4.4
 - qemu: Pass virArch * to virQEMUCapsCPUFilterFeatures (rhbz#1508549)
 - qemu: Publish virQEMUCapsCPUFilterFeatures (rhbz#1508549)