Fix SELinux denials and "Text file busy" on SSH fleet provisioning (#3712)

The shim binary download uses cp to copy from /tmp to /usr/local/bin/.
This causes two issues:

1. "Text file busy" (ETXTBSY) when re-provisioning without cleanup,
   because cp tries to write to a running executable. Revert to mv
   which atomically replaces the directory entry.

2. On SELinux-enforcing hosts (RHEL, Rocky), mv from /tmp preserves
   the user_tmp_t context. Add chcon to set the correct bin_t context.
   No-op on non-SELinux systems via 2>/dev/null || true.

Co-authored-by: Andrey Cheptsov <andrey.cheptsov@github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

src/dstack/_internal/core/backends/base/compute.py

@@ -906,8 +906,9 @@ def get_shim_pre_start_commands(
         f"dlpath=$(sudo mktemp -t {DSTACK_SHIM_BINARY_NAME}.XXXXXXXXXX)",
         # -sS -- disable progress meter and warnings, but still show errors (unlike bare -s)
         f'sudo curl -sS --compressed --connect-timeout 60 --max-time 240 --retry 1 --output "$dlpath" "{url}"',
-        f'sudo cp "$dlpath" {dstack_shim_binary_path} && sudo rm "$dlpath"',
+        f'sudo mv "$dlpath" {dstack_shim_binary_path}',
         f"sudo chmod +x {dstack_shim_binary_path}",
+        f"{{ sudo chcon system_u:object_r:bin_t:s0 {dstack_shim_binary_path} 2>/dev/null || true; }}",
         f"sudo mkdir {dstack_working_dir} -p",
     ]