Can't disable non-EtM MACs

Originally reported by @sej7278 in #38 (closed):

Its generally accepted that EtM is better than E&M, and whilst we prioritise EtM hmacs here, there is a missing else or indent I suppose, that would allow mac_map_etm without mac_map.

Steps to reproduce (doesn't have to be DEFAULT):

echo 'mac = -HMAC-SHA1 -HMAC-SHA2-256' > /etc/crypto-policies/policies/modules/HMAC.pod
update-crypto-policies --set DEFAULT:HMAC
sshd -T | grep hmac

Returns macs hmac-sha2-512-etm@openssh.com,hmac-sha2-512, whereas macs hmac-sha2-512-etm@openssh.com alone is a > perfectly valid configuration (and can be achieved manually by editing sshd_config).