diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index b6f6dc49fd..8bc23baa66 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -37,6 +37,7 @@ module Libvirtd_qemu =
    let spice_entry = str_entry "spice_listen"
                  | bool_entry "spice_tls"
                  | str_entry  "spice_tls_x509_cert_dir"
+                 | bool_entry "spice_auto_unix_socket"
                  | str_entry "spice_password"
                  | bool_entry "spice_sasl"
                  | str_entry "spice_sasl_dir"
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 59c839ea8d..796427368e 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -130,6 +130,17 @@
 #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
 
 
+# Enable this option to have SPICE served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine.
+#
+# This will only be enabled for SPICE configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over spice_listen.
+#
+#spice_auto_unix_socket = 1
+
+
 # The default SPICE password. This parameter is only used if the
 # per-domain XML config does not already provide a password. To
 # allow access without passwords, leave this commented out. An
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index e00ddcaa57..d4c34c994c 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -588,6 +588,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
     GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir);
     GET_VALUE_STR("spice_listen", cfg->spiceListen);
     GET_VALUE_STR("spice_password", cfg->spicePassword);
+    GET_VALUE_BOOL("spice_auto_unix_socket", cfg->spiceAutoUnixSocket);
 
 
     GET_VALUE_ULONG("remote_websocket_port_min", cfg->webSocketPortMin);
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 1fdef70859..e830b4096c 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -123,6 +123,7 @@ struct _virQEMUDriverConfig {
     char *spiceSASLdir;
     char *spiceListen;
     char *spicePassword;
+    bool spiceAutoUnixSocket;
 
     int remotePortMin;
     int remotePortMax;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index ce6bcce3c0..7d61ecde79 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4035,6 +4035,7 @@ qemuProcessGraphicsSetupListen(virQEMUDriverConfigPtr cfg,
         break;
 
     case VIR_DOMAIN_GRAPHICS_TYPE_SPICE:
+        useSocket = cfg->spiceAutoUnixSocket;
         listenAddr = cfg->spiceListen;
         break;
 
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 8bec7437cd..c4d4f1945e 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -14,6 +14,7 @@ module Test_libvirtd_qemu =
 { "spice_listen" = "0.0.0.0" }
 { "spice_tls" = "1" }
 { "spice_tls_x509_cert_dir" = "/etc/pki/libvirt-spice" }
+{ "spice_auto_unix_socket" = "1" }
 { "spice_password" = "XYZ12345" }
 { "spice_sasl" = "1" }
 { "spice_sasl_dir" = "/some/directory/sasl2" }
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
new file mode 100644
index 0000000000..61335b0460
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
@@ -0,0 +1,20 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=spice \
+/usr/bin/qemu \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-m 214 \
+-smp 1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nodefaults \
+-monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
+-no-acpi \
+-boot c \
+-usb \
+-spice unix,addr=/tmp/lib/domain--1-QEMUGuest1/spice.sock \
+-vga cirrus
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml
new file mode 100644
index 0000000000..f2e3d124e4
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml
@@ -0,0 +1,30 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <graphics type='spice' autoport='yes'>
+      <listen type='address'/>
+    </graphics>
+    <video>
+      <model type='cirrus' vram='16384' heads='1'/>
+    </video>
+    <memballoon model='none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 4dc3d66735..1d88084df1 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -972,6 +972,11 @@ mymain(void)
     DO_TEST("graphics-spice-auto-socket",
             QEMU_CAPS_SPICE,
             QEMU_CAPS_SPICE_UNIX);
+    driver.config->spiceAutoUnixSocket = true;
+    DO_TEST("graphics-spice-auto-socket-cfg",
+            QEMU_CAPS_SPICE,
+            QEMU_CAPS_SPICE_UNIX);
+    driver.config->spiceAutoUnixSocket = false;
 
     DO_TEST("input-usbmouse", NONE);
     DO_TEST("input-usbtablet", NONE);
diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml
new file mode 100644
index 0000000000..7548184f85
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml
@@ -0,0 +1,35 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='ide' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <graphics type='spice' autoport='yes'>
+      <listen type='address'/>
+    </graphics>
+    <video>
+      <model type='cirrus' vram='16384' heads='1' primary='yes'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </video>
+    <memballoon model='none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 4e06b72832..ba55919347 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -444,6 +444,10 @@ mymain(void)
     DO_TEST("graphics-spice-qxl-vga");
     DO_TEST("graphics-spice-socket");
     DO_TEST("graphics-spice-auto-socket");
+    cfg->spiceAutoUnixSocket = true;
+    DO_TEST("graphics-spice-auto-socket-cfg");
+    cfg->spiceAutoUnixSocket = false;
+
     DO_TEST("nographics-vga");
     DO_TEST("input-usbmouse");
     DO_TEST("input-usbtablet");