
refactor: Distinguish semanage 'already exists' from real failures#126

Open
frostyardyeti[bot] wants to merge 1 commit into main from yeti/improve-25ea

Conversation

@frostyardyeti Bot (Contributor) commented Mar 29, 2026

In internal/provision/provision.go:330-334, the semanage fcontext -a error is unconditionally swallowed with _ = err and a comment that it may mean 'already defined'. However, this also silences genuine failures like missing SELinux tools or permission denied errors. The fix is to check the command output/stderr for 'already defined' or 'already exists' and only suppress that specific case, returning the error for other failures.


Automated improvement by yeti improvement-identifier

The semanage fcontext error was unconditionally swallowed, silencing
genuine failures like missing SELinux tools or permission denied. Now
only suppress the error when the output contains 'already defined' or
'already exists', and return the error for all other failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bketelsen (Contributor) commented

need someone with SELinux to review/validate

@frostyardyeti Bot (Contributor, Author) commented Mar 31, 2026

— Automated by Yeti —

No code changes needed. The review comment from @bketelsen is not requesting a code change — it's flagging that the PR needs validation from someone with SELinux experience before merging.

The change itself is straightforward and correct:

  • Before: semanage fcontext -a errors were unconditionally swallowed (_ = err), hiding real failures.
  • After: The error output is checked for "already defined" or "already exists" (the two known messages semanage emits for duplicate contexts). Only that specific case is suppressed; all other failures are properly returned.

This matches semanage's actual behavior — when a context rule already exists, it exits non-zero with a message containing "already defined" (older versions) or "already exists" (newer versions). The string check on the combined output is the standard way to distinguish this from genuine errors like missing tools or permission issues.
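The error handling discussed in this thread, written out as an added Go example (this is not the project's provision.go; the runCmd type, fakeRunner, the constructed semanage outputs and the errExit1/errNoTool values are assumptions made for illustration, and only the "already defined" / "already exists" wording comes from the PR). It shows the pre-fix variant that discards every error next to the hardened variant that suppresses only the duplicate-rule case and surfaces a missing binary or an inaccessible policy store:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// runCmd abstracts "run a command and return its combined stdout+stderr" so
// the error handling can be exercised without a real semanage binary.
// The name and signature are assumptions for this example, not the project's API.
type runCmd func(name string, args ...string) ([]byte, error)

// execRunner is the real runner: it shells out via os/exec.
func execRunner(name string, args ...string) ([]byte, error) {
	return exec.Command(name, args...).CombinedOutput()
}

// isAlreadyDefined reports whether semanage's output says the fcontext rule is
// a duplicate. The two substrings are the ones named in the PR ("already
// defined" on older versions, "already exists" on newer ones).
func isAlreadyDefined(out []byte) bool {
	s := strings.ToLower(string(out))
	return strings.Contains(s, "already defined") || strings.Contains(s, "already exists")
}

// addFileContextBefore mirrors the pre-fix behaviour described in the PR: every
// error from `semanage fcontext -a` is discarded, so a missing binary or a
// permission failure is indistinguishable from success.
func addFileContextBefore(run runCmd, setype, pathRegex string) error {
	_, err := run("semanage", "fcontext", "-a", "-t", setype, pathRegex)
	_ = err // may mean "already defined"; also hides every real failure
	return nil
}

// addFileContext is the hardened form: a duplicate rule counts as success,
// anything else is returned with semanage's output attached.
func addFileContext(run runCmd, setype, pathRegex string) error {
	out, err := run("semanage", "fcontext", "-a", "-t", setype, pathRegex)
	if err == nil {
		return nil
	}
	if isAlreadyDefined(out) {
		return nil // rule already present; re-provisioning stays idempotent
	}
	if errors.Is(err, exec.ErrNotFound) {
		return fmt.Errorf("semanage not found on PATH: %w", err)
	}
	return fmt.Errorf("semanage fcontext -a -t %s %q failed: %w: %s",
		setype, pathRegex, err, bytes.TrimSpace(out))
}

// fakeRunner is a test double that ignores its arguments and returns the
// constructed output and error given.
func fakeRunner(output string, err error) runCmd {
	return func(string, ...string) ([]byte, error) { return []byte(output), err }
}

// Constructed sample outputs (not captured from a real host); only the
// "already defined" / "already exists" wording is taken from the PR.
const (
	outDuplicateOld = "ValueError: File context for /srv/app(/.*)? already defined\n"
	outDuplicateNew = "ValueError: File context for /srv/app(/.*)? already exists\n"
	outNotManaged   = "ValueError: SELinux policy is not managed or store cannot be accessed.\n"
)

var (
	errExit1  = errors.New("exit status 1")
	errNoTool = fmt.Errorf("exec: %q: %w", "semanage", exec.ErrNotFound)
)

func main() {
	cases := []struct {
		name string
		run  runCmd
	}{
		{"duplicate (old wording)", fakeRunner(outDuplicateOld, errExit1)},
		{"duplicate (new wording)", fakeRunner(outDuplicateNew, errExit1)},
		{"semanage missing", fakeRunner("", errNoTool)},
		{"store not accessible", fakeRunner(outNotManaged, errExit1)},
	}
	for _, c := range cases {
		fmt.Printf("%-26s before: %v\n", c.name, addFileContextBefore(c.run, "httpd_sys_content_t", "/srv/app(/.*)?"))
		fmt.Printf("%-26s after:  %v\n", c.name, addFileContext(c.run, "httpd_sys_content_t", "/srv/app(/.*)?"))
	}
	_ = execRunner // pass this instead of a fake on a real SELinux host
}
```

On a real host, pass execRunner as the runner. One caveat worth keeping in mind when relying on this check: semanage reports "already defined" for a path regex that is already registered under a different type as well, so a caller that needs a specific type should confirm it with `semanage fcontext -l` or use `semanage fcontext -m` to modify the existing rule rather than treating the suppressed error as proof that the desired label is in place.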

@frostyardyeti frostyardyeti Bot added the Ready Yeti has finished — needs human attention label Mar 31, 2026