build_sysext: Add SELinux labeling

[pothos]

The build_sysext tool is now used for the OEM and in the future the internal Docker/containerd systemd-sysext image.
For Docker and containerd we need to make sure that the files are correctly labeled for SELinux to work in enforcing mode.

There were attempts to do this with the torcx tar ball but they failed.
Note that the /usr image is also not completely labeled yet https://github.com/flatcar/scripts/blob/1f1a53140cf7b3cbb4d3e8961bce7a44af295ce4/build_library/build_image_util.sh#L775 and that enforcing mode is not expected to work until we update the policy and debug any remaining issues.

[pothos]

The change is prepared as part of flatcar/scripts#1517 (currently not working due to label/policy mismatch in the rest of /usr)

[vielmetti]

This should also be labelled area/selinux

[krishjainx]

@vielmetti @pothos On nights and weekends, I've been dabbling quite a bit in SELinux policy analysis and generation lately, using LLMs and formal verification—picked up a thing or two along the way. Any chance you could assign this to me? I’d love to take a look at it. Plus, I’m using Flatcar for something right now, so solving this would definitely help me out. And since I wrote build_sysext during my internship, I’ve already got some context :)

[jepio]

You're welcome to work on it, no one else is currently looking into this. It doesn't require the issue to be assigned.