chcon: anchor recursive relabel resolution to traversal dirfd

[can1357]

uutils chcon still resolved recursive targets from fts_accpath with a fresh path lookup, so traversal and apply were not bound to traversal directory state. GNU performs relabel operations relative to traversal dirfds; this fix opens targets with openat against the traversal cwd fd before SELinux get/set.

Reproduction Steps

This race is timing-sensitive and not deterministic.

Impact

Privileged recursive relabel operations can be redirected to unintended objects under rename or symlink races. This breaks GNU hardening expectations for SELinux administration workflows.

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/misc/selinux. tests/misc/selinux is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/date/resolution (fails in this run but passes in the 'main' branch)
Note: The gnu test tests/cp/link-heap is now being skipped but was previously passing.
Note: The gnu test tests/rm/many-dir-entries-vs-OOM is now being skipped but was previously passing.
Congrats! The gnu test tests/seq/seq-epipe is now passing!