Description
SELinux: Context unconfined_u:object_r:invalid_bootcinstall_testlabel_t:s0 is not valid (left unmapped).
comes from
Line 50 in 03fa72b
    .args(["-t", "invalid_bootcinstall_testlabel_t"])
Basically this is us trying to verify that we have the install_t capability, and some people (reasonably!) think this is an error or a problem.
To fix this what we need is a reliable mechanism to know if we have mac_admin. I believe via /sys/fs/selinux there's an API to dynamically query if a particular access would be allowed.
OK impressive, I just clicked the copilot button in the web page on the selinux git repo and it pointed me at security_compute_av, which looks right to me.
Though the next issue is Rust bindings; we'd need to do a review of https://lib.rs/crates/selinux as an option.
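
An added example, not part of the issue and not bootc code: asking the loaded policy whether the current context holds `capability2:mac_admin` by talking to `/sys/fs/selinux/access` with only the Rust standard library, so no bindings crate is involved. The selinuxfs file layout and reply format are assumptions based on what libselinux's `security_compute_av` relies on, and all function names are hypothetical.

```rust
// Added example. selinuxfs paths and reply format are assumed to match libselinux's usage.
use std::fs::{self, OpenOptions};
use std::io::{self, Read, Write};
use std::path::Path;

const AVD_FLAGS_PERMISSIVE: u32 = 0x1; // domain is permissive: denials are not enforced

/// Parse the reply "allowed decided auditallow auditdeny seqno [flags]" (hex fields).
/// Returns (allowed, flags); flags defaults to 0 when the field is absent.
pub fn parse_decision(reply: &str) -> Option<(u32, u32)> {
    let f: Vec<&str> = reply.trim_end_matches('\0').split_whitespace().collect();
    if f.len() < 5 { return None; }
    let allowed = u32::from_str_radix(f[0], 16).ok()?;
    let flags = match f.get(5) { Some(s) => u32::from_str_radix(s, 16).ok()?, None => 0 };
    Some((allowed, flags))
}

/// class/<name>/perms/<perm> holds a 1-based index; the mask bit is 1 << (index - 1).
pub fn perm_bit(index: &str) -> Option<u32> {
    let i: u32 = index.trim().parse().ok()?;
    if (1..=32).contains(&i) { Some(1u32 << (i - 1)) } else { None }
}

/// True when the decision grants `bit`, or the domain is permissive.
pub fn permits(reply: &str, bit: u32) -> Option<bool> {
    let (allowed, flags) = parse_decision(reply)?;
    Some(allowed & bit != 0 || flags & AVD_FLAGS_PERMISSIVE != 0)
}

/// Ask the policy whether the current context has capability2:mac_admin on itself.
pub fn have_mac_admin(root: &Path) -> io::Result<bool> {
    let bad = || io::Error::new(io::ErrorKind::InvalidData, "unexpected selinuxfs data");
    let class = root.join("class/capability2");
    let tclass = fs::read_to_string(class.join("index"))?.trim().parse::<u16>().map_err(|_| bad())?;
    let bit = perm_bit(&fs::read_to_string(class.join("perms/mac_admin"))?).ok_or_else(bad)?;
    let raw = fs::read_to_string("/proc/self/attr/current")?;
    let ctx = raw.trim_end_matches(|c: char| c == '\0' || c == '\n');
    // Transaction file: write the query, then read the answer from the same descriptor.
    let mut f = OpenOptions::new().read(true).write(true).open(root.join("access"))?;
    f.write_all(format!("{ctx} {ctx} {tclass} {bit:x}").as_bytes())?;
    let mut reply = String::new();
    f.read_to_string(&mut reply)?;
    permits(&reply, bit).ok_or_else(bad)
}

fn main() {
    println!("mac_admin: {:?}", have_mac_admin(Path::new("/sys/fs/selinux")));
}
```

The answer reflects the policy decision only; the process still needs `CAP_MAC_ADMIN` in its capability set, and the query itself is subject to the policy's `security: compute_av` permission.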