coreos / coreos-assembler

Tooling container to assemble CoreOS-like systems

Home Page: https://coreos.github.io/coreos-assembler/


Fail test on SELinux denials and export audit.log if any found

jlebon opened this issue · comments

The selinux-policy maintainers sometimes set new rules to permissive to give users time to report denials and fix those before flipping the switch to enforcing. We haven't been noticing the new denials until the switch to enforcing happens because we currently don't report tests with SELinux denials as failing. We should fix that.

Also, when reporting denials to the policy maintainers, it's helpful to them to include the audit logs. So we need to archive that information too alongside the console and journal.

There's a lot of discussion and code in #2067 related to this.

Briefly:

  1. after a test completes, export out audit.log from the machine
  2. in the same area we check for unit failures, also check for SELinux denials in the audit logs
  3. if denials are found, export out audit.log to the outputdir for that test and mark the test as failed
  4. add a new kola test tag that allows skipping selinux denial checking, and use it for tests that may purposely trigger them
  5. make it possible to skip only selinux denials via kola-denylist.yaml
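The check described in steps 2 through 5, as an added illustration that is not part of this issue and not code from coreos-assembler or kola. It assumes audit.log has already been copied off the machine (step 1) and that the "skip denial checking" decision (a hypothetical kola tag or a kola-denylist.yaml entry) has been resolved into a boolean by the caller. The audit lines below are constructed, not taken from any real system.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample audit.log excerpt: one enforced-looking AVC denial, one
// USER_AVC denial, one "granted" record and two unrelated record types.
const sampleAuditLog = `type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1700000000.101:102): avc:  denied  { read } for  pid=1234 comm="example-daemon" name="config" dev="vda4" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1700000000.102:103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=1'
type=AVC msg=audit(1700000000.103:104): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=LOGIN msg=audit(1700000000.104:105): pid=999 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=1 res=1
`

// Denial is the subset of an AVC/USER_AVC record that a policy bug report needs.
type Denial struct {
	Raw        string   // original audit.log line, kept for the exported report
	Perms      []string // denied permissions, e.g. {"read"}
	Scontext   string
	Tcontext   string
	Tclass     string
	Permissive bool // permissive=1: logged but not enforced (the case this issue is about)
}

// isDenialLine reports whether one audit.log line records a denied AVC. Whitespace is
// normalised because auditd writes "avc:  denied  {" with double spaces, and USER_AVC
// records carry the same text inside msg='...'.
func isDenialLine(line string) bool {
	return strings.Contains(strings.Join(strings.Fields(line), " "), "avc: denied {")
}

// parseDenial extracts the permission set and the key=value fields of interest.
func parseDenial(line string) Denial {
	d := Denial{Raw: line}
	if open, end := strings.Index(line, "{"), strings.Index(line, "}"); open >= 0 && end > open {
		d.Perms = strings.Fields(line[open+1 : end])
	}
	for _, field := range strings.Fields(line) {
		key, value, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		value = strings.Trim(value, `"'`) // USER_AVC wraps its payload in msg='...'
		switch key {
		case "scontext":
			d.Scontext = value
		case "tcontext":
			d.Tcontext = value
		case "tclass":
			d.Tclass = value
		case "permissive":
			d.Permissive = value == "1"
		}
	}
	return d
}

// FindDenials scans an exported audit.log and returns every denial in order.
// "granted" AVC records and unrelated record types are ignored.
func FindDenials(auditLog string) []Denial {
	var denials []Denial
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // audit lines can exceed the default 64 KiB
	for sc.Scan() {
		if line := sc.Text(); isDenialLine(line) {
			denials = append(denials, parseDenial(line))
		}
	}
	return denials
}

// ShouldFail is the step-3/4/5 decision: any denial fails the test unless the test
// opted out via the hypothetical skip tag or denylist entry. The summary de-duplicates
// on (scontext, tcontext, tclass, perms), which is the shape policy maintainers ask for.
func ShouldFail(denials []Denial, skipDenialCheck bool) (bool, string) {
	if len(denials) == 0 || skipDenialCheck {
		return false, ""
	}
	seen := map[string]bool{}
	var b strings.Builder
	fmt.Fprintf(&b, "%d SELinux denial(s) found in audit.log:\n", len(denials))
	for _, d := range denials {
		key := fmt.Sprintf("%s -> %s (%s) { %s }", d.Scontext, d.Tcontext, d.Tclass, strings.Join(d.Perms, " "))
		if !seen[key] {
			seen[key] = true
			fmt.Fprintf(&b, "  %s\n", key)
		}
	}
	return true, b.String()
}

func main() {
	fail, summary := ShouldFail(FindDenials(sampleAuditLog), false)
	fmt.Printf("fail=%v\n%s", fail, summary)
}
```

In a harness, the `Raw` lines would be written to the test's output directory next to the console and journal, and the summary would become the test's failure message; a test carrying the skip tag would pass `skipDenialCheck=true` and still have its audit.log exported, just not judged.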