buildroot: grant CAP_MAC_ADMIN for labeling

When applying labels inside the container that are unknown to the
host, the process needs to have the CAP_MAC_ADMIN capability in order
to do so, otherwise the kernel will prevent setting those unknown
labels. See the previous commit for more details.

osbuild/buildroot.py

@@ -112,6 +112,7 @@ class BuildRoot(contextlib.AbstractContextManager):
             "--keep-unit",
             "--as-pid2",
             "--link-journal=no",
+            "--capability=CAP_MAC_ADMIN",  # for SELinux labeling
             f"--directory={self.root}",
             "--setenv=PYTHONPATH=/run/osbuild/lib",
             *[f"--bind-ro={b}" for b in nspawn_ro_binds],