Bug
Resolution: Unresolved
Minor
rhel-9.5, rhel-10.0
Low
rhel-sst-security-crypto
ssg_security
Crypto24Q3, Crypto24Q4
Split out of RHELBU-2798
In a nutshell, because the goal for RHEL10 is to get away from fips-mode-setup, we need to support explicitly invoking `update-crypto-policies --set=FIPS`, as that's what we'll be guiding customers to do as part of a container build.
A few options:
- Add `update-crypto-policies --set=FIPS --ack-fips-karg-is-set` (bikeshed naming) where the admin just acks the need for a separate karg
- Teach `update-crypto-policies` to detect a bootc container and not emit the warning
Of these, I kind of like the former the most, as it works in other image build environments too.