Lookup selinux policy in / when labeling image storage

[ckyrouac]

Spawned from: #1198 (comment)

The booted deployment's directory is going to be equivalent (mostly) to /...actually where it won't is if there are locally modified policy in /etc - which we probably want to use?

If we did that it'd argue to just open up the / directory...basically everywhere instead of passing e.g. self.run above we just pass a fd for the root. OR we could pass a SePolicy instance.