Symptom
On hosts with SELinux in enforcing mode, the rootless docker.service (a systemd user unit) that is started as part of account creation fails immediately on start:
× docker.service - Docker Application Container Engine (Rootless)
Active: failed (Result: exit-code)
Duration: 32ms
Process: ExecStart=/home/<user>/bin/dockerd-rootless.sh (code=exited, status=1/FAILURE)
Running dockerd-rootless.sh manually shows rootlesskit failing during network setup:
[rootlesskit:parent] error: failed to setup network ...: pasta failed with exit code 1:
netns dir open: Permission denied, exiting
Root cause
Recent Rootless Docker releases default to pasta as the RootlessKit network driver wherever it is installed, falling back to slirp4netns otherwise. pasta attaches to the target process's network namespace by opening it directly under /proc/<pid>/ns (the ns directory and the net link inside it).
Under SELinux, pasta runs confined in the pasta_t domain. On some policy versions, pasta_t lacks an allow rule for the open permission on the dir class when the target is a /proc/<pid>/ns entry labeled unconfined_t. A process's /proc/<pid> tree carries that process's domain as its label, and a normal user's shell and everything it spawns run in unconfined_t, so this is exactly the directory pasta needs. The kernel denies the open() syscall, pasta exits 1, rootlesskit aborts, and dockerd never starts, all within milliseconds, which is why the systemd unit shows almost no Duration.
Confirm this is the cause with (as root; if auditd is not running, the same avc: denied record lands in the kernel log instead, so check journalctl -k or dmesg):
ausearch -m avc -ts recent | grep -i pasta
You'll see something like:
type=AVC msg=audit(...): avc: denied { open } for pid=... comm="pasta" path="/proc/<pid>/ns" dev="proc" ... scontext=...:pasta_t:... tcontext=...:unconfined_t:... tclass=dir permissive=0
tclass=dir, denied { open }, comm="pasta" and a scontext whose type field is pasta_t are the signature of this issue; permissive=0 confirms the denial was actually enforced rather than only logged.
Fix: Patch SELinux policy (keeps pasta)
Generate a local policy module from the actual denial and load it:
ausearch -m avc -ts recent -c pasta | audit2allow -M pasta_local
semodule -i pasta_local.pp
Then retry the account creation.
SELinux often surfaces denials one syscall at a time: once open on the ns dir is allowed, pasta gets one step further and may hit the next missing rule. If docker still fails, re-run the ausearch command, check for new denials, and re-run audit2allow to extend the module. audit2allow -M overwrites pasta_local.te and pasta_local.pp, so feed it the full set of pasta denials (widen -ts if the first one has aged out of "recent"), not only the newest. If docker still fails but no new AVC appears, a dontaudit rule may be hiding the denial: semodule -DB disables dontaudit rules until you run semodule -B again. Inspect what got generated with cat pasta_local.te before trusting it on multiple boxes. It should be a narrow allow pasta_t unconfined_t:dir open; style rule, not something broad such as file, sock_file or capability access; unconfined_t is as narrow as the target can get here, because every unconfined user process shares that type.
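The confirm-and-patch procedure above, as an added shell example that is not part of this write-up or of any pasta, Docker or audit2allow code: it classifies AVC records against the signature from the Root cause section, derives the allow rule audit2allow would produce for each pasta denial, and vets pasta_local.te for anything broader than /proc/<pid>/ns access before semodule -i runs. The AVC records are constructed for the demo (made-up pids, inodes and timestamps; the second one is a hypothetical follow-on denial on the ns/net link, included to show how a second rule would be handled), and the function names and the accepted-class allowlist in vet_pasta_te are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original write-up): helpers that classify AVC
# records for the pasta /proc/<pid>/ns denial, turn them into TE allow rules,
# and vet an audit2allow-generated .te before it is loaded with semodule -i.
# Function names, the sample records and the accepted-rule allowlist are this
# example's own choices, not anything pasta, Docker or audit2allow ship.

# Constructed AVC records for the demo (pids, inodes and timestamps are made up).
# Line 1 is the denial described in the write-up; line 2 is a hypothetical
# follow-on denial on the ns/net link, the kind that can appear after the first
# rule is loaded; line 3 is unrelated noise that must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1700000000.123:456): avc:  denied  { open } for  pid=12345 comm="pasta" path="/proc/12340/ns" dev="proc" ino=98765 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=12345 comm="pasta" path="/proc/12340/ns/net" dev="proc" ino=98766 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=lnk_file permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { write } for  pid=999 comm="httpd" path="/var/www/html/x" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# is_pasta_netns_denial LINE: succeed only for the signature from the write-up:
# comm="pasta", { open } denied on a /proc/<pid>/ns dir, source type pasta_t.
is_pasta_netns_denial() {
    printf '%s\n' "$1" | grep -Eq \
        'avc: +denied +[{] open [}] .*comm="pasta" .*path="/proc/[0-9]+/ns" .*scontext=[^ ]*:pasta_t:.*tclass=dir'
}

# count_pasta_netns_denials: number of records on stdin matching the signature.
count_pasta_netns_denials() {
    n=0
    while IFS= read -r line; do
        is_pasta_netns_denial "$line" && n=$((n + 1))
    done
    echo "$n"
}

# avc_to_allow LINE: print the TE allow rule that would permit this denial
# (user:role:TYPE is taken from scontext/tcontext; the require block that a
# real module also needs is left to audit2allow).
avc_to_allow() {
    printf '%s\n' "$1" | sed -nE \
        's/.*denied +[{] ([a-z_ ]+) [}] .*scontext=[^: ]*:[^: ]*:([a-z_]+)[^ ]* tcontext=[^: ]*:[^: ]*:([a-z_]+)[^ ]* tclass=([a-z_]+).*/allow \2 \3:\4 { \1 };/p'
}

# pasta_rules_from_avcs: one deduplicated allow rule per pasta denial on stdin;
# non-pasta records are dropped so unrelated denials never reach the module.
pasta_rules_from_avcs() {
    while IFS= read -r line; do
        case "$line" in *'comm="pasta"'*) avc_to_allow "$line" ;; esac
    done | sort -u
}

# vet_pasta_te FILE: succeed only if every allow rule in the .te is narrow:
# source pasta_t, target unconfined_t, class dir or lnk_file (the /proc/<pid>/ns
# entries; this allowlist is the example's choice). Anything else (file,
# sock_file, capability, other targets) fails, so a module that grew into
# something broad is never loaded.
vet_pasta_te() {
    if grep -E '^[[:space:]]*allow ' "$1" \
        | grep -Ev '^[[:space:]]*allow pasta_t unconfined_t:(dir|lnk_file) ' >/dev/null; then
        return 1
    fi
    return 0
}

# apply_pasta_fix: the write-up's procedure with the vet step in front of
# semodule -i. Needs root and a real audit log; the demo below does not call it.
apply_pasta_fix() {
    ausearch -m avc -ts recent -c pasta | audit2allow -M pasta_local || return 1
    if ! vet_pasta_te pasta_local.te; then
        echo "pasta_local.te contains rules beyond /proc/<pid>/ns access; refusing to load" >&2
        return 1
    fi
    semodule -i pasta_local.pp
}

# Demo on the constructed records: one signature denial, two pasta rules.
echo "signature denials: $(printf '%s\n' "$SAMPLE_AVCS" | count_pasta_netns_denials)"
printf '%s\n' "$SAMPLE_AVCS" | pasta_rules_from_avcs
```

vet_pasta_te is the piece worth keeping: drop it into whatever provisioning script runs audit2allow, and a module that quietly acquired a file or capability rule on a later iteration gets refused instead of loaded on every box.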