diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 3cd6d9bd3d315b805009fa70d205973fb8e7583c..91dd34f0e7f2a074009d86a78bd07d2bf6f9ca85 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -479,21 +479,10 @@ qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
 goto cleanup_abort;
 transactionStarted = false;
 
- if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
- vm->def, cmd) < 0)
- goto cleanup;
-
- if (virSecurityManagerPreFork(driver->securityManager) < 0)
+ if (qemuSecurityCommandRun(driver, vm, cmd, uid, gid, exitstatus, cmdret) < 0)
 goto cleanup;
 
 ret = 0;
- /* make sure we run this with the appropriate user */
- virCommandSetUID(cmd, uid);
- virCommandSetGID(cmd, gid);
-
- *cmdret = virCommandRun(cmd, exitstatus);
-
- virSecurityManagerPostFork(driver->securityManager);
 if (*cmdret < 0)
 goto cleanup;
 
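Review bot: At the rewritten call in qemuSecurityStartTPMEmulator, `ret = 0;` still precedes the `if (*cmdret < 0) goto cleanup;` check, and nothing on the new side explains why a failed virCommandRun leaves `ret` at 0. If that is intentional, with the run result reported through `*cmdret` rather than the return value, a comment such as `/* launch failures are reported via *cmdret, not ret */` above `ret = 0;` would keep a later reader from misreading it. The `cleanup` label and the function's final return lie outside the hunk, so what `ret` ends up meaning there is inferred. The removed comment `/* make sure we run this with the appropriate user */` was also not carried into qemuSecurityCommandRun, where the uid/gid change now happens.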
@@ -632,3 +621,48 @@ qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
 virSecurityManagerTransactionAbort(driver->securityManager);
 return ret;
 }
+
+
+/**
+ * qemuSecurityCommandRun:
+ * @driver: the QEMU driver
+ * @vm: the domain object
+ * @cmd: the command to run
+ * @uid: the uid to force
+ * @gid: the gid to force
+ * @existstatus: pointer to int returning exit status of process
+ * @cmdret: pointer to int returning result of virCommandRun
+ *
+ * Run @cmd with seclabels set on it. If @uid and/or @gid are not
+ * -1 then their value is enforced.
+ *
+ * Returns: 0 on success,
+ * -1 otherwise.
+ */
+int
+qemuSecurityCommandRun(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ virCommandPtr cmd,
+ uid_t uid,
+ gid_t gid,
+ int *exitstatus,
+ int *cmdret)
+{
+ if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
+ vm->def, cmd) < 0)
+ return -1;
+
+ if (uid != (uid_t) -1)
+ virCommandSetUID(cmd, uid);
+ if (gid != (gid_t) -1)
+ virCommandSetGID(cmd, gid);
+
+ if (virSecurityManagerPreFork(driver->securityManager) < 0)
+ return -1;
+
+ *cmdret = virCommandRun(cmd, exitstatus);
+
+ virSecurityManagerPostFork(driver->securityManager);
+
+ return 0;
+}
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index 68e377f41800cd141e620b984d14deca6d7ec417..224a4d61c9996aeab2e210121901846686d500e5 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -101,6 +101,14 @@ int qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
 const char *savefile);
 
+int qemuSecurityCommandRun(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ virCommandPtr cmd,
+ uid_t uid,
+ gid_t gid,
+ int *exitstatus,
+ int *cmdret);
+
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
 * new APIs here. If an API can touch a file add a proper wrapper instead.
 */
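Review bot: The docstring of qemuSecurityCommandRun in qemu_security.c says `Returns: 0 on success`, but the function returns 0 whenever virCommandRun was reached, even if it failed, and returns -1 without writing `*cmdret` when virSecurityManagerSetChildProcessLabel or virSecurityManagerPreFork fails. A caller that checks only the return value would treat a helper that never started as success, and one that reads `*cmdret` after a -1 return sees whatever the variable held before the call. I would spell that contract out in the comment (0: command attempted, inspect `@cmdret`; -1: labelling or pre-fork failed, `@cmdret` untouched), state that a uid or gid of -1 presumably leaves the child with the calling daemon's credentials, and correct the parameter name `@existstatus` to `@exitstatus`.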