pipeline: drop CAP_MAC_ADMIN by default

Drop `CAP_MAC_ADMIN` from the default capabilities which is needed
to write and read(!) unknown SELinux labels. Adjust the stages
that need to read or write SELinux labels accordingly.

assemblers/org.osbuild.ostree.commit

@@ -29,7 +29,7 @@ from osbuild import api
 from osbuild.util import ostree
 
 
-CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+CAPABILITIES = ["CAP_MAC_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
 
 
 SCHEMA = """

assemblers/org.osbuild.tar

@@ -27,6 +27,9 @@ import sys
 import osbuild.api
 
 
+CAPABILITIES = ["CAP_MAC_ADMIN"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "required": ["filename"],