v0.5.2: move veilor-installer + veilor-firstboot to /usr/local/bin

QEMU boot test of v0.5.1 (commit 1c99ae0) revealed both scripts
missing from /usr/local/sbin/ on running system, despite being in
overlay/usr/local/sbin/ in the source tree.

Root cause: Fedora's filesystem package (or post-install scriptlet)
rewrites /usr/local/sbin → /usr/local/bin symlink AFTER kickstart
%post --nochroot's overlay copy runs. The cp -a placed files in
/usr/local/sbin/ as a real directory; the symlink replacement
deleted them.

Confirmed via tty diagnostic: `ls -la /usr/local` shows
`lrwxrwxrwx ... sbin -> bin` with bin mtime predating sbin symlink
ctime by ~5min — overlay copy ran first, scriptlet rewrote sbin
second.

Fix: move both binaries to overlay/usr/local/bin/ where they're
safe from the symlink rewrite. Update all references:
- kickstart/veilor-os.ks chmod path + chown + diagnostic ls
- overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf ExecStart
- overlay/etc/systemd/system/veilor-firstboot.service ExecStart
- scripts/selinux/build-policy.sh fcontext + restorecon paths
- generated install ks template inside veilor-installer

Service drop-in stays at /etc/systemd/system/getty@tty1.service.d/
unchanged. The veilor-installer binary in /usr/local/bin/ is
discoverable via $PATH same as before.
veilor-org 2026-05-02 05:33:22 +01:00
parent 1c99ae081f
commit ada76caa1f
6 changed files with 12 additions and 12 deletions

@ -182,7 +182,7 @@ cp -a "$SRC/scripts" "$DEST/usr/share/veilor-os/" || echo "[ERR] scripts cp fail
ls -la "$DEST/usr/share/veilor-os/" 2>&1 || echo "[ERR] dest dir missing post-cp" ls -la "$DEST/usr/share/veilor-os/" 2>&1 || echo "[ERR] dest dir missing post-cp"
# Force root ownership on everything we copied — `cp -a` preserves # Force root ownership on everything we copied — `cp -a` preserves
# CI runner uid (1001), which makes sudo refuse to read /etc/sudoers.d. # CI runner uid (1001), which makes sudo refuse to read /etc/sudoers.d.
chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" "$DEST/usr/local/sbin" 2>&1 || echo "[WARN] chown failed" chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" 2>&1 || echo "[WARN] chown failed"
set +x set +x
# Persist nochroot log into installed system for diagnostics # Persist nochroot log into installed system for diagnostics
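Review bot: the `chown -R 0:0 ... || echo "[WARN] chown failed"` line only warns when ownership cannot be forced to root, yet the comment directly above it says files left owned by CI uid 1001 make sudo refuse to read /etc/sudoers.d, and `$DEST/usr/local/bin` now holds veilor-installer and veilor-firstboot, both started as root by systemd units in this same commit. A non-root-owned binary that root executes is a worse outcome than a failed install, so treat a chown failure here as fatal ("[ERR]" plus a non-zero exit, or a follow-up `stat -c '%u'` check on the two binaries) rather than continuing with a warning.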
@ -191,7 +191,7 @@ set +x
date date
echo "SRC=$SRC DEST=$DEST" echo "SRC=$SRC DEST=$DEST"
ls -la "$DEST/usr/share/veilor-os/" 2>&1 ls -la "$DEST/usr/share/veilor-os/" 2>&1
ls -la "$DEST/usr/local/sbin/" 2>&1 ls -la "$DEST/usr/local/bin/" 2>&1
} > "$DEST/var/log/veilor-nochroot.log" 2>&1 || true } > "$DEST/var/log/veilor-nochroot.log" 2>&1 || true
%end %end
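Review bot: the diagnostic block now lists `$DEST/usr/local/bin/` but no longer records the state of `$DEST/usr/local/sbin`, which is exactly the evidence that diagnosed this bug (the commit message confirmed it from `ls -la /usr/local` showing `sbin -> bin` with mismatched timestamps). Add `ls -la "$DEST/usr/local" 2>&1` alongside the existing `ls` so veilor-nochroot.log shows whether sbin is a real directory or a symlink at copy time; the next ordering regression would then be visible from the persisted log instead of needing a tty session.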
@ -205,7 +205,7 @@ echo " veilor-os install — %post"
echo "════════════════════════════════════════════════════════" echo "════════════════════════════════════════════════════════"
REPO=/usr/share/veilor-os REPO=/usr/share/veilor-os
chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh /usr/local/bin/veilor-power /usr/local/bin/veilor-update /usr/local/bin/veilor-doctor /usr/local/sbin/veilor-firstboot /usr/local/sbin/veilor-installer chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh /usr/local/bin/veilor-power /usr/local/bin/veilor-update /usr/local/bin/veilor-doctor /usr/local/bin/veilor-firstboot /usr/local/bin/veilor-installer
# Live image plumbing (matches upstream Fedora live ks). Without these the # Live image plumbing (matches upstream Fedora live ks). Without these the
# squashfs/EFI build fails — livesys-scripts ships systemd units lorax expects. # squashfs/EFI build fails — livesys-scripts ships systemd units lorax expects.
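Review bot: the `chmod +x ... /usr/local/bin/veilor-firstboot /usr/local/bin/veilor-installer` line is the only place in the in-chroot %post that touches the two relocated binaries, and a chmod on a missing path is not checked, so the exact failure this commit fixes (both scripts absent on the running system) would still pass through silently. Follow the chmod with an explicit existence check, e.g. `for f in /usr/local/bin/veilor-installer /usr/local/bin/veilor-firstboot; do [ -x "$f" ] || echo "[ERR] $f missing"; done`, and a `[ -L /usr/local/sbin ] || echo "[WARN] /usr/local/sbin is not a symlink"` so the log states the post-scriptlet layout. Note also that this copy of the chmod has no `|| true` while the generated-template copy at line 441 does, so the two templates behave differently on a missing file.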

@ -3,7 +3,7 @@
# isn't copied into target system — see kickstart/install.ks). # isn't copied into target system — see kickstart/install.ks).
[Service] [Service]
ExecStart= ExecStart=
ExecStart=-/usr/local/sbin/veilor-installer ExecStart=-/usr/local/bin/veilor-installer
StandardInput=tty StandardInput=tty
StandardOutput=tty StandardOutput=tty
StandardError=tty StandardError=tty

@ -9,7 +9,7 @@ Conflicts=sddm.service
[Service] [Service]
Type=oneshot Type=oneshot
RemainAfterExit=no RemainAfterExit=no
ExecStart=/usr/local/sbin/veilor-firstboot ExecStart=/usr/local/bin/veilor-firstboot
StandardInput=tty StandardInput=tty
StandardOutput=tty StandardOutput=tty
StandardError=tty StandardError=tty

@ -418,7 +418,7 @@ cp -a "$SRC/scripts" "$DEST/usr/share/veilor-os/" || echo "[ERR] scripts cp fail
ls -la "$DEST/usr/share/veilor-os/" 2>&1 || echo "[ERR] dest dir missing post-cp" ls -la "$DEST/usr/share/veilor-os/" 2>&1 || echo "[ERR] dest dir missing post-cp"
# Force root ownership on everything we copied — `cp -a` preserves # Force root ownership on everything we copied — `cp -a` preserves
# CI runner uid (1001), which makes sudo refuse to read /etc/sudoers.d. # CI runner uid (1001), which makes sudo refuse to read /etc/sudoers.d.
chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" "$DEST/usr/local/sbin" 2>&1 || echo "[WARN] chown failed" chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" 2>&1 || echo "[WARN] chown failed"
set +x set +x
{ {
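Review bot: this `chown -R 0:0 ...` hunk at line 418 is the identical change to the one at line 182 of kickstart/veilor-os.ks, and the commit message lists the "generated install ks template inside veilor-installer" as a separate copy that had to be edited by hand. Two hand-maintained copies of the overlay-copy and chown logic is a maintenance risk: a future path or ownership change applied to one copy and not the other reproduces this class of silent breakage. Consider generating the %post --nochroot block from one shared snippet (or having both kickstarts source a single script under $REPO/scripts) so a path change is made once.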
@ -426,7 +426,7 @@ set +x
date date
echo "SRC=$SRC DEST=$DEST" echo "SRC=$SRC DEST=$DEST"
ls -la "$DEST/usr/share/veilor-os/" 2>&1 ls -la "$DEST/usr/share/veilor-os/" 2>&1
ls -la "$DEST/usr/local/sbin/" 2>&1 ls -la "$DEST/usr/local/bin/" 2>&1
} > "$DEST/var/log/veilor-nochroot.log" 2>&1 || true } > "$DEST/var/log/veilor-nochroot.log" 2>&1 || true
%end %end
@ -441,8 +441,8 @@ echo "════════════════════════
REPO=/usr/share/veilor-os REPO=/usr/share/veilor-os
chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh \ chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh \
/usr/local/bin/veilor-power /usr/local/sbin/veilor-firstboot \ /usr/local/bin/veilor-power /usr/local/bin/veilor-firstboot \
/usr/local/sbin/veilor-installer 2>/dev/null || true /usr/local/bin/veilor-installer 2>/dev/null || true
# /etc/machine-id reset on first boot # /etc/machine-id reset on first boot
> /etc/machine-id > /etc/machine-id
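Review bot: the chmod list here (`/usr/local/bin/veilor-power /usr/local/bin/veilor-firstboot /usr/local/bin/veilor-installer 2>/dev/null || true`) both hides missing files and differs from the base kickstart's list at line 205, which additionally marks veilor-update and veilor-doctor executable. If the installed system is meant to carry those two tools, they are left non-executable by this template; if not, a comment saying so would stop the two lists from drifting further. Either way the `|| true` means a missing veilor-firstboot only surfaces when veilor-firstboot.service fails at first boot; an explicit `[ -x /usr/local/bin/veilor-firstboot ] || echo "[ERR] ..."` after the chmod would make it visible in the install log.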

@ -3,7 +3,7 @@
# #
# Modules: # Modules:
# veilor-systemd — capabilities for systemd-modules-load (post-boot lock) # veilor-systemd — capabilities for systemd-modules-load (post-boot lock)
# veilor-firstboot — confine /usr/local/sbin/veilor-firstboot one-shot # veilor-firstboot — confine /usr/local/bin/veilor-firstboot one-shot
# #
# Usage: # Usage:
# sudo ./build-policy.sh # build + install all # sudo ./build-policy.sh # build + install all
@ -33,9 +33,9 @@ done
if printf '%s\n' "${MODULES[@]}" | grep -qx veilor-firstboot; then if printf '%s\n' "${MODULES[@]}" | grep -qx veilor-firstboot; then
if command -v restorecon >/dev/null 2>&1; then if command -v restorecon >/dev/null 2>&1; then
# Mark the binary + state file with the right types. # Mark the binary + state file with the right types.
semanage fcontext -a -t veilor_firstboot_exec_t '/usr/local/sbin/veilor-firstboot' 2>/dev/null || true semanage fcontext -a -t veilor_firstboot_exec_t '/usr/local/bin/veilor-firstboot' 2>/dev/null || true
semanage fcontext -a -t veilor_firstboot_state_t '/var/lib/veilor-firstboot\.done' 2>/dev/null || true semanage fcontext -a -t veilor_firstboot_state_t '/var/lib/veilor-firstboot\.done' 2>/dev/null || true
restorecon -v /usr/local/sbin/veilor-firstboot 2>/dev/null || true restorecon -v /usr/local/bin/veilor-firstboot 2>/dev/null || true
[[ -e /var/lib/veilor-firstboot.done ]] && restorecon -v /var/lib/veilor-firstboot.done 2>/dev/null || true [[ -e /var/lib/veilor-firstboot.done ]] && restorecon -v /var/lib/veilor-firstboot.done 2>/dev/null || true
fi fi
fi fi
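Review bot: `semanage fcontext -a -t veilor_firstboot_exec_t '/usr/local/bin/veilor-firstboot'` adds the new rule but nothing removes the old `/usr/local/sbin/veilor-firstboot` rule on hosts where an earlier build-policy.sh run already added it, and `-a` also fails (silently, given `2>/dev/null || true`) when the new rule is already present, so a rerun cannot distinguish "already there" from "semanage absent". Add `semanage fcontext -d '/usr/local/sbin/veilor-firstboot' 2>/dev/null || true` before the `-a`, and gate the block on `command -v semanage` as well as `restorecon`: on a host that has restorecon but not semanage, the binary quietly keeps its default label and never receives the veilor_firstboot_exec_t type the module's confinement depends on, with no error anywhere in the output.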