runner: relabel leash-managed mounts for SELinux

[navanchauhan]

Summary

• detect SELinux on Linux hosts and relabel only leash-managed internal bind mounts with :z
• keep caller workspace mounts and auto user mounts unchanged to avoid relabel-denied failures on home paths
• add unit tests for relabel mode handling and mount assembly behavior

Why

Issue #57 reproduces on rootless podman + SELinux enforcing because /leash is mounted from a host temp dir without relabeling. leash-entry-linux-amd64 cannot execute, so cgroup-path is never written and startup fails with:

failed to locate cgroup path hint: .../cgroup-path not found after waiting

Validation

• go test ./internal/runner -count=1 -run 'TestWithSELinuxRelabelMode|TestInternalBindMountSpecUsesSELinuxRelabel|TestLaunchContainersAddSELinuxRelabelToInternalMounts|TestLaunchCommandsUseSplitMounts|TestLaunchTargetContainerAppendsAutoMount|TestLaunchTargetContainerAppendsFileMount|TestLaunchTargetContainerSkipsDuplicateMount'
• GCE Fedora (SELinux enforcing, podman-docker)
  • baseline leash 1.1.5 --open codex reproduces issue failed to locate cgroup path #57
  • patched ./leash-fixed --open codex passes cgroup-path/bootstrap stage (no issue failed to locate cgroup path #57)
• GCE openSUSE Leap + Docker
  • patched binary behavior unchanged (starts successfully to normal non-TTY failure in ssh command context)

Closes #57

[navanchauhan]

Addressed follow-up review notes:

• simplified withSELinuxRelabelMode to a single strings.EqualFold(trimmed, "z") check (removed redundant condition)
• added a clarifying comment in selinuxEnabled() documenting the safe-default behavior for unexpected /sys/fs/selinux/enforce content

Re-ran runner tests:

• go test ./internal/runner -count=1 -run 'TestWithSELinuxRelabelMode|TestInternalBindMountSpecUsesSELinuxRelabel|TestLaunchContainersAddSELinuxRelabelToInternalMounts'