SELinux: Ensure we label /var, and fix /etc merge wrt xattrs

SELinux: Ensure we label /var, and fix /etc merge wrt xattrs

First, /var needs to be labeled at least once.  We should probably
rearrange things so that /var is only created (and labeled) on the
first deployment, but this patch adds a /var/.ostree-selabeled file
instead.

Second, when doing the /etc merge, we compare the xattrs of the old
/usr/etc versus the current /etc.  The problem with that is that the
policy has different labels for /usr/etc on disk than the real /etc.

The correct fix for this is a bit invasive - we have to take the
physical content of the old /usr/etc, but compare the labels as if
they were really in /etc.

Instead for now, just ignore changes to xattrs.  If the file
content/mode changes, then we take the new file (including any changed
xattrs).

Bottom line: just doing chcon -t blah_t /etc/foo.conf may be lost on
upgrade (for now).