Add restorecon service

This service runs `restorecon` on `/var` to fix any errant SELinux
labels when the system first boots following an update.

overlay/usr/lib/systemd/system-preset/80-local-default.preset

@@ -1,5 +1,7 @@
 enable auditd.service
 
+enable restorecon.service
+
 disable ldconfig.service
 
 disable systemd-userdbd.service

overlay/usr/lib/systemd/system/restorecon.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Restore SELinux file contexts in /var
+ConditionNeedsUpdate=/var
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+Before=systemd-tmpfiles-setup.service
+Before=systemd-update-done.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/restorecon -RFv /var
+
+[Install]
+WantedBy=sysinit.target