diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index b6d760fba2..d327a5096f 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -267,6 +267,7 @@ create_prod_sysexts() {
         --image_builddir="${BUILD_DIR}" \
         --install_root_basename="${name}-extra-sysext-rootfs" \
         ${mangle_script:+--manglefs_script=${mangle_script}} \
+        --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
         "${name}" "${pkg_array[@]}"
     delta_generator \
       -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
@@ -311,6 +312,7 @@ create_oem_sysexts() {
         --image_builddir="${BUILD_DIR}" \
         --metapkgs="${metapkg}" \
         --install_root_basename="${name}-oem-sysext-rootfs" \
+        --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
         --compression=none \
         ${mangle_script:+--manglefs_script="${mangle_script}"} \
         "${name}"
diff --git a/build_library/sysext_prod_builder b/build_library/sysext_prod_builder
index 8e57080630..73363ce5ba 100755
--- a/build_library/sysext_prod_builder
+++ b/build_library/sysext_prod_builder
@@ -73,6 +73,7 @@ create_prod_sysext() {
             --generate_pkginfo \
             --compression=none \
             --install_root_basename="${name}-base-sysext-rootfs" \
+            --forbidden_packages='sec-policy/selinux-.*;selinux policy packages must be in base image' \
             "${build_sysext_opts[@]}" \
             "${name}" "${grp_pkg[@]}"