/usr/local SIP restricted upon NetBoot with included package NBI creation

Originator: eholtam
Number: rdar://33967043
Date Originated: 8/18/17
Status: Resolved
Resolved: 17A352a
Product: 10.13
Product Version: 17A344b
Classification: Installation/Setup/Migration
Reproducible: Always
 
Description of the problem:
Creating a NetBoot image and including a pkg to install using System Image Utility on 17A344b results in an NBI dmg that has /usr/local/ restricted by SIP.
This directory is very common for third-party tools to install into. Having it restricted blocks any attempts at installing tools. In testing this seems to only happen when a pkg with a payload that ends up in /usr/local on the target volume is added to the SIU process to install into the DMG. A stock SIU run with just the beta6 installer does not have /usr/local/ restricted.

This issue is a show stopper for us rolling out High Sierra to 1,500 Macs in the company. It is essential we have access to install tools to /usr/local/.


Step-by-step reproduction
1) Download the full beta 6 High Sierra installer
2) Acquire a pkg that has a payload that installs to /usr/local. I used https://github.com/munki/munki/releases/download/v3.0.3/munkitools-3.0.3.3352.pkg
3) Launch SIU
4) Choose the Sierra installer as the Source
5) Choose to create a NetBoot Image
6) Agree to the terms
7) Create an admin
8) At the "Add Configuration Profiles, Packages, and Post-Install Scripts" section drop the munki installer downloaded in step 2 to the window.
9) Leave System Configuration, Directory Servers, Image Settings, Supported Computer Models, and Filter Clients by MAC Address settings default
10) Save the image to the Desktop
11) Once complete, find the Netboot.dmg and mount it
12) Using Terminal issue `ls -lO /Volumes/Netboot/usr/`

Repeat the steps above without including a package at step 8 to see that the NBI without an additional pkg does not have /usr/local/ restricted.


Expected results
The NBI would be created, and /usr/local/ would not be SIP protected.


Actual results
/usr/local/ on the output volume is SIP protected causing issues with installing 

On the NBI that had the package installed I see:

hs13:~ eholtam$ ls -lO /Volumes/NetBoot/usr/
total 0
drwxr-xr-x  975 eholtam  staff  restricted 33150 Aug 18 11:53 bin
drwxr-xr-x  291 eholtam  staff  restricted  9894 Aug 18 11:53 lib
drwxr-xr-x  233 eholtam  staff  restricted  7922 Aug 18 11:53 libexec
drwxr-xr-x    3 eholtam  staff  restricted   102 Aug 18 11:56 local
drwxr-xr-x  247 eholtam  staff  restricted  8398 Aug 18 11:58 sbin
drwxr-xr-x   46 eholtam  staff  restricted  1564 Aug 18 11:53 share
drwxr-xr-x    5 eholtam  staff  restricted   170 Aug 10 22:13 standalone

hs13:~ eholtam$ ls -l /Volumes/NetBoot/usr/local/
total 0
drwxr-xr-x  16 eholtam  staff  544 Aug 18 11:56 munki



On the NBI that did not have a pkg installed I see the following:

hs13:~ eholtam$ ls -lO /Volumes/NetBoot/usr/
total 0
drwxr-xr-x  975 eholtam  staff  restricted 33150 Aug 18 13:00 bin
drwxr-xr-x  291 eholtam  staff  restricted  9894 Aug 18 13:00 lib
drwxr-xr-x  233 eholtam  staff  restricted  7922 Aug 18 13:00 libexec
drwxr-xr-x    2 eholtam  staff  sunlnk        68 Aug  8 16:45 local
drwxr-xr-x  247 eholtam  staff  restricted  8398 Aug 18 13:05 sbin
drwxr-xr-x   46 eholtam  staff  restricted  1564 Aug 18 13:00 share
drwxr-xr-x    5 eholtam  staff  restricted   170 Aug 10 22:13 standalone

hs13:~ eholtam$ ls -l /Volumes/NetBoot/usr/local/
hs13:~ eholtam$
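The `restricted` entry in the flags column of `ls -lO` is the SIP file flag; a directory carrying it cannot be written to on a SIP-enabled system, which is why tools installing to /usr/local fail on the affected NBI. The script below is an added example, not part of the original report: it parses the two listings quoted above (copied here as constructed sample input) and reports whether `local` carries the `restricted` flag, so the same check can be scripted against a mounted NBI before it is deployed. The function names (`restricted_entries`, `usr_local_ok`, `check_mounted_nbi`) are hypothetical, and `ls -O` is the BSD/macOS flag column, which GNU ls does not have; the parsing itself runs under any POSIX sh.

```shell
#!/bin/sh
# Added example: parse `ls -lO` output and flag entries carrying the SIP
# "restricted" file flag, so an NBI can be checked before deployment.
# Function names are hypothetical; the two listings are copied from the report.

# Constructed sample (from the report): NBI built with the munki pkg included.
WITH_PKG='total 0
drwxr-xr-x  975 eholtam  staff  restricted 33150 Aug 18 11:53 bin
drwxr-xr-x  291 eholtam  staff  restricted  9894 Aug 18 11:53 lib
drwxr-xr-x  233 eholtam  staff  restricted  7922 Aug 18 11:53 libexec
drwxr-xr-x    3 eholtam  staff  restricted   102 Aug 18 11:56 local
drwxr-xr-x  247 eholtam  staff  restricted  8398 Aug 18 11:58 sbin
drwxr-xr-x   46 eholtam  staff  restricted  1564 Aug 18 11:53 share
drwxr-xr-x    5 eholtam  staff  restricted   170 Aug 10 22:13 standalone'

# Constructed sample (from the report): stock NBI with no extra pkg.
WITHOUT_PKG='total 0
drwxr-xr-x  975 eholtam  staff  restricted 33150 Aug 18 13:00 bin
drwxr-xr-x  291 eholtam  staff  restricted  9894 Aug 18 13:00 lib
drwxr-xr-x  233 eholtam  staff  restricted  7922 Aug 18 13:00 libexec
drwxr-xr-x    2 eholtam  staff  sunlnk        68 Aug  8 16:45 local
drwxr-xr-x  247 eholtam  staff  restricted  8398 Aug 18 13:05 sbin
drwxr-xr-x   46 eholtam  staff  restricted  1564 Aug 18 13:00 share
drwxr-xr-x    5 eholtam  staff  restricted   170 Aug 10 22:13 standalone'

# Print the name of every entry whose BSD flags field (column 5 of `ls -lO`,
# a comma-separated list, or "-" when no flags are set) contains "restricted".
# Assumes entry names contain no spaces, as in the listings above.
restricted_entries() {
    printf '%s\n' "$1" | awk 'NF >= 10 && $5 ~ /(^|,)restricted(,|$)/ { print $NF }'
}

# Succeed (exit 0) when "local" is NOT restricted in the listing, fail otherwise.
usr_local_ok() {
    for name in $(restricted_entries "$1"); do
        [ "$name" = "local" ] && return 1
    done
    return 0
}

# For a mounted NBI on macOS, e.g. `check_mounted_nbi /Volumes/NetBoot`.
# Requires BSD ls (-O prints file flags); not available in GNU ls.
check_mounted_nbi() {
    usr_local_ok "$(ls -lO "$1/usr")"
}

# Demo on the embedded samples; runs on any POSIX sh without macOS.
for label in "with pkg" "without pkg"; do
    if [ "$label" = "with pkg" ]; then listing=$WITH_PKG; else listing=$WITHOUT_PKG; fi
    if usr_local_ok "$listing"; then
        echo "$label: /usr/local is not SIP restricted"
    else
        echo "$label: /usr/local IS SIP restricted (do not deploy this NBI)"
    fi
done
```

On a real build, mount Netboot.dmg and run `check_mounted_nbi /Volumes/NetBoot`; a non-zero exit means the image reproduces the problem described above and third-party installs to /usr/local will fail on clients booted from it.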
