build_library: Forbid SELinux policy packages in sysexts

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>

build_library/prod_image_util.sh

@@ -267,6 +267,7 @@ create_prod_sysexts() {
         --image_builddir="${BUILD_DIR}" \
         --install_root_basename="${name}-extra-sysext-rootfs" \
         ${mangle_script:+--manglefs_script=${mangle_script}} \
+        --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
         "${name}" "${pkg_array[@]}"
     delta_generator \
       -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
@@ -311,6 +312,7 @@ create_oem_sysexts() {
         --image_builddir="${BUILD_DIR}" \
         --metapkgs="${metapkg}" \
         --install_root_basename="${name}-oem-sysext-rootfs" \
+        --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
         --compression=none \
         ${mangle_script:+--manglefs_script="${mangle_script}"} \
         "${name}"

build_library/sysext_prod_builder

@@ -73,6 +73,7 @@ create_prod_sysext() {
             --generate_pkginfo \
             --compression=none \
             --install_root_basename="${name}-base-sysext-rootfs" \
+            --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
             "${build_sysext_opts[@]}" \
             "${name}" "${grp_pkg[@]}"