selinux relabel support

[allisonkarlitskaya]

There are some outstanding items here:

• [x] figure out which policy to check. It's hardcoded to targeted right now
• [x] provide a nice fallback if the policy isn't present. It's currently fatal.
• [x] ~figure out a nicer way to handle linking to libselinux, possibly making it a conditional feature?~ don't link libselinux: do it ourselves
• [x] figure out a better way to handle mutability of hardlinks in the filesystem tree
• [x] properly label our /run/systemd/volatile-root hack symlink to avoid this: [ 3.055118] audit: type=1400 audit(1731016644.835:3): avc: denied { read } for pid=447 comm="systemd-gpt-aut" name="volatile-root" dev="tmpfs" ino=679 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=1
• [x] drop enforcing=0

Closes #29

[travier]

As far as I know, the SELinux policy type is taken from /etc/selinux/config:

$ grep "^SELINUXTYPE=" /etc/selinux/config`
SELINUXTYPE=targeted