Lookup selinux policy in / when labeling image storage

[ckyrouac]

Spawned from: https://github.com/bootc-dev/bootc/pull/1198#discussion_r1999683826

The booted deployment's directory is going to be equivalent (mostly) to /...actually where it won't is if there are locally modified policy in /etc - which we probably want to use?

If we did that it'd argue to just open up the / directory...basically everywhere instead of passing e.g. self.run above we just pass a fd for the root. OR we could pass a SePolicy instance.