macOS 10.13 17A344b: /usr/local SIP restricted upon NetBoot with included package NBI creation

Originator: rtrouton
Number: rdar://33968982
Date Originated: 18-Aug-2017 04:32 PM
Status: Open
Resolved:
Product: macOS + SDK
Product Version: macOS 10.13 17A344b
Classification: Security
Reproducible: Always
 
Summary:
This is a duplicate of radar #33967043

Creating a NetBoot image with System Image Utility on 17A344b and including a pkg to install results in an NBI dmg that has /usr/local/ restricted by SIP.
This directory is very commonly used by third-party tools as an install location, so having it restricted blocks any attempt at installing those tools. In testing, this seems to happen only when a pkg whose payload ends up in /usr/local on the target volume is added to the SIU process to install into the DMG. A stock SIU run with just the beta 6 installer does not have /usr/local/ restricted.

This issue is a showstopper for us rolling out High Sierra to 1,500 Macs in the company. It is essential that we can install tools to /usr/local/.

Steps to Reproduce:
1) Download the full beta 6 High Sierra installer
2) Acquire a pkg that has a payload that installs to /usr/local. I used https://github.com/munki/munki/releases/download/v3.0.3/munkitools-3.0.3.3352.pkg
3) Launch SIU
4) Choose the Sierra installer as the Source
5) Choose to create a NetBoot Image
6) Agree to the terms
7) Create an admin
8) At the "Add Configuration Profiles, Packages, and Post-Install Scripts" section, drop the munki installer downloaded in step 2 onto the window.
9) Leave System Configuration, Directory Servers, Image Settings, Supported Computer Models, and Filter Clients by MAC Address settings default
10) Save the image to the Desktop
11) Once complete, find the Netboot.dmg and mount it
12) Using Terminal issue `ls -lO /Volumes/Netboot/usr/`

Repeat the steps above without including a package at step 8 to see that the NBI without an additional pkg does not have /usr/local/ restricted.
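As an added example that is not part of the original report, the shell check below automates the verification in step 12: it parses the file-flags column of `ls -ldO` for the mounted NBI's /usr/local and reports whether the SIP `restricted` flag is set. The mount point, the `hdiutil` invocation in the usage comment, and the sample `ls` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added check (not from the original report): test whether /usr/local inside
# a mounted NBI carries the SIP "restricted" file flag.
# BSD `ls -ldO` prints: mode links owner group flags size date... name,
# so the file flags are field 5; several flags are comma separated and
# "-" means no flags are set.

# is_sip_restricted LINE -> returns 0 if the flags field of one `ls -ldO`
# line contains "restricted", 1 otherwise.
is_sip_restricted() {
    printf '%s\n' "$1" | awk '{
        n = split($5, f, ",")
        for (i = 1; i <= n; i++) if (f[i] == "restricted") found = 1
    } END { if (found) exit 0; exit 1 }'
}

# check_nbi_usr_local MOUNTPOINT -> 0 when /usr/local is NOT restricted (the
# expected result), 1 when it is, 2 when the directory cannot be listed.
check_nbi_usr_local() {
    mnt="$1"
    line=$(ls -ldO "$mnt/usr/local" 2>/dev/null) || return 2
    if is_sip_restricted "$line"; then
        echo "FAIL: $mnt/usr/local is SIP restricted: $line"
        return 1
    fi
    echo "OK: $mnt/usr/local is not SIP restricted: $line"
}

# Constructed sample lines, shaped like macOS `ls -ldO` output, so the parser
# can be exercised on any box without mounting an NBI.
SAMPLE_RESTRICTED='drwxr-xr-x@  2 root  wheel  restricted  64 Aug 18 16:32 /Volumes/Netboot/usr/local'
SAMPLE_MULTI='drwxr-xr-x  2 root  wheel  restricted,hidden  64 Aug 18 16:32 /Volumes/Netboot/usr/local'
SAMPLE_CLEAN='drwxr-xr-x  2 root  wheel  -  64 Aug 18 16:32 /Volumes/Netboot/usr/local'

# Usage on macOS, with the mount point as the only argument, e.g. after
#   hdiutil attach -readonly -mountpoint /tmp/nbi /path/to/Netboot.dmg
if [ "$#" -gt 0 ]; then
    check_nbi_usr_local "$1"
    exit $?
fi
```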

Expected Results:
The NBI would be created, and /usr/local/ would not be SIP protected.

Actual Results:
/usr/local/ on the output volume is SIP protected, causing issues with installing

Version:
macOS 10.13 17A344b

Notes:
