/dev/console must be labeled with SELinux label

/dev/console must be labeled with SELinux label

If the user specifies an selinux_apifs_context all content created in
the container including /dev/console should use this label.

Currently when this uses the default label it gets labeled user_devpts_t,
which would require us to write a policy allowing container processes to
manage user_devpts_t.  This means that an escaped process would be allowed
to attack all users terminals as well as other container terminals.  Changing
the label to match the apifs_context, means the processes would only be allowed
to manage their specific tty.

This change fixes a problem preventing RKT containers from working with systemd-nspawn.