diff --git a/contrib/dockerd-rootless.sh b/contrib/dockerd-rootless.sh
index c8783dba22..e342c26097 100755
--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -84,6 +84,12 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then
 		echo "This script must be executed as a non-privileged user"
 		exit 1
 	fi
+	# `selinuxenabled` always returns false in RootlessKit child, so we execute `selinuxenabled` in the parent.
+	# https://github.com/rootless-containers/rootlesskit/issues/94
+	if command -v selinuxenabled > /dev/null 2>&1 && selinuxenabled; then
+		_DOCKERD_ROOTLESS_SELINUX=1
+		export _DOCKERD_ROOTLESS_SELINUX
+	fi
 	# Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces.
 	#
 	# --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks
@@ -105,5 +111,12 @@ else
 	# remove the symlinks for the existing files in the parent namespace if any,
 	# so that we can create our own files in our mount namespace.
 	rm -f /run/docker /run/containerd /run/xtables.lock
+
+	if [ -n "$_DOCKERD_ROOTLESS_SELINUX" ]; then
+		# iptables requires /run in the child to be relabeled. The actual /run in the parent is unaffected.
+		# https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401
+		# https://github.com/moby/moby/issues/41230
+		chcon system_u:object_r:iptables_var_run_t:s0 /run
+	fi
 	exec dockerd $@
 fi
diff --git a/daemon/graphdriver/overlayutils/overlayutils.go b/daemon/graphdriver/overlayutils/overlayutils.go
index e0553a09f7..09d3b17fb3 100644
--- a/daemon/graphdriver/overlayutils/overlayutils.go
+++ b/daemon/graphdriver/overlayutils/overlayutils.go
@@ -37,6 +37,16 @@ func ErrDTypeNotSupported(driver, backingFs string) error {
 // checkMultipleLowers parameter enables check for multiple lowerdirs,
 // which is required for the overlay2 driver.
 func SupportsOverlay(d string, checkMultipleLowers bool) error {
+	// We can't rely on go-selinux.GetEnabled() to detect whether SELinux is enabled,
+	// because RootlessKit doesn't mount /sys/fs/selinux in the child: https://github.com/rootless-containers/rootlesskit/issues/94
+	// So we check $_DOCKERD_ROOTLESS_SELINUX, which is set by dockerd-rootless.sh .
+	if os.Getenv("_DOCKERD_ROOTLESS_SELINUX") == "1" {
+		// Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux,
+		// so fallback to fuse-overlayfs.
+		// https://github.com/moby/moby/issues/42333
+		return errors.New("overlay is not supported for Rootless with SELinux")
+	}
+
 	td, err := ioutil.TempDir(d, "check-overlayfs-support")
 	if err != nil {
 		return err