Initialize SELinux and Apparmor after capabilities are set
author Laurent Bigonville <bigon@bigon.be>
Tue, 17 Nov 2015 20:47:05 +0000 (21:47 +0100)
committer Simon McVittie <smcv@debian.org>
Wed, 22 Mar 2017 09:32:34 +0000 (09:32 +0000)
commit 4af0c1f26e415a3f46b85956e7e1aee3f714de04
tree 13f331b2d08a47505116703a440bbc7f0df059a5
parent fea69f0661ff48382218874f6598849a9e71ea31
Initialize SELinux and Apparmor after capabilities are set

avc_init() in the SELinux code path is creating a new thread, we need to
set the capabilities before it gets created so it has the permission to
send audit messages.

It also makes more sense to open the audit netlink before the different
logging callbacks are set.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92832
[smcv: add comments explaining why initialization must happen in this
specific order]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857660
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit a3a5935a0a038c3b44c61ce5719f0f7e647b96c6)
bus/bus.c