Obsolete El Capitan System Integrity Protection (SIP) Instructions #45387
Comments
|
CC @DomT4 who would be interested here. |
|
As far as I know Apple didn't change this, but they may have snuck in the change in the way Apple is prone to. |
|
@DomT4 Let's investigate. Would be awesome if we can remove these scary warnings. |
|
This "serious bug" from a couple of weeks ago seems to state otherwise, and then some: |
|
@mikedld @DomT4 OK, I investigated further. I believe this is going to come down to the ontogeny of the particular system. The difference turns out to be in what I will call the "compatibility paths file." It is insufficient for /usr/local to be whitelisted only in /System/Library/Sanbox/rootless.conf. It must also be whitelisted in the compatibility paths file. Whether that should or should not be necessary (i.e., whether this should be considered a more general bug with the functioning of rootless.conf) is unclear, but that is the difference. A clean install of 10.11 (15A284) has /usr/local in the compatibility paths file (version 12 of the bundle according to its Info.plist), and still has /usr/local in this file after the upgrade to 10.11.1. By deliberately going in and removing /usr/local from the compatibility paths file, I can "infect" an otherwise healthy system with the "bug." A Developer Beta 8 VM that was upgraded stepwise from Developer Beta 1 (15A178w) -> Developer Beta 2 (15A204h) -> Developer Beta 3 (15A216g) -> Developer Beta 4 (15A226f) -> Developer Beta 5 (15A235d) -> Developer Beta 8 (15A279b) does not have /usr/local in Compatibility.bundle/Contents/Resources/paths (version 10 of the bundle according to its Info.plist) and exhibits the symptoms of the bug. One option would be to actually check for "/usr/local" in the compatibility paths file and only issue the "scary warnings" if it's missing, since that is not the normal state of affairs on a clean install. I have not checked a 10.10.5->10.11.0 or 10.10.5->10.11.1 upgrade path to see if they are affected. You can tell if you're affected by running If you don't see /usr/local, you should add it or wait for Apple to add it for you the next time they upgrade the whole Sandbox or at least the Compatibility.bundle within it. Or perhaps they will remove it from the compatibility paths file altogether if they decide to change how SIP handles non-existent directories whitelisted in rootless.conf but not in the compatibility paths. It is good news that version 12 of the bundle has /usr/local and version 10 does not in terms of the intent that it signals on Apple's part with respect to /usr/local. |
|
@ilovezfs wrong person highlight ;) Thanks for keeping me in the loop :)) |
|
@mikedld hehe Sorry about that. |
|
@MikeMcQuaid @DomT4 @cicuz The scary message can indeed go bye-bye or at least be revised. The mystery was solved by https://swscan.apple.com/content/catalogs/others/index-10.11-1.sucatalog http://swcdn.apple.com/content/downloads/53/38/031-40358/y7sn2l7yvfxb73myuiufqin8fp2sqyetvl/SystemIntegrityProtectionConfig.pkg installs com.apple.pkg.SystemIntegrityProtectionConfig.14U2076, which is Compatibility.bundle version 12. Neither version 10 nor 11 contained /usr/local in /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths whereas 12 does. So users whose /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths lacks /usr/local (or, equivalently, whose Compatibility.bundle version is less than 12) should be directed to install that package (or later). This probably happens automatically if you have "Install system data files and security updates" enabled in your App Store preferences. Here's the relevant catalog entry: |
|
Confirmed with a user who still had version Compatibility.bundle version 11. He had "Install system data files and security updates" unchecked. |
|
I'll reply here later. Travelling today; not ignoring you intentionally. Thanks for doing some research on the changes! Sent from my iPhone
|
|
@DomT4 Didn't imagine you were, and you're welcome! |
|
Yeh thanks for this @ilovezfs, we can definitely tweak some of the checks (perhaps inspect this actual file) |
|
One thing to note... Java now installs as an internet plugin and the java_home is INSIDE THE PLUGIN PACKAGE. If you have something that needs java (e.g. selenium), you're going to have to change the invocation from |
|
We work out the Java in a fairly special way rather than necessarily just poking at |
|
Selenium doesn't use this to determine the path to use in the launcher.
|
|
You mean the |
|
Yes, the plist. I installed Oracle's basic Java SE. Not sure about the SDK. |
|
Interesting. Guess I'll have to find some time to spin up yet another clean El Cap VM and see what's going on. |
|
Also, installing the SE edition JAVA_HOME was not set for the command line so your solution would not work unless i'm missing something, which I very well may be. |
|
Just an FYI: I have "Install system data files and security updates" enabled in my App Store preferences, but that update does not show up. My system's on 10.11.1 (15B42) |
|
@CamJN How about the remainder of the App Store preferences? Automatically check for updates and automatically download updates? Probably not needed, but worth noting their values. I'm not sure what schedule "Install system data files and security updates" runs on, or if it's a push-based model. Perhaps someone else knows off the top of their head. |
|
Everything is on, and I used softwareupdate on the cli to check manually. I also reset my update server just in case. That update just isn't showing up. |
|
"but that update does not show up" ... where are you looking? Did you check your packages database itself? I don't think this one would necessarily show in the App Store itself. 1445476605 is 1:16:45 am UTC | Thursday, October 22, 2015 |
|
running results in on 10.11.1 which never saw a dev build. Just used csrutil with the kext-dev, but that's it |
|
I'm back to wondering if there's an issue specific to machines that were/are configured to use the beta and/or dev program seeds. @CamJN was/is the machine ever set up that way? |
|
|
I run the betas. Have both: |
|
@CamJN Weird. "Everything is on, and I used softwareupdate on the cli to check manually. I also reset my update server just in case. That update just isn't showing up." I wonder if others who don't have the update are running their own update servers. |
|
I'm not running my own update server, however I reset the value just in case b/c I couldn't find a way to check what it was set to. |
|
@CamJN What's the output of |
So it looks like the install can fail and OS X won't retry it. That's not great... |
|
It looks like it tried twice. Once on 10/23 and once on 10/28. So maybe it tries every 5 days or something like that. The question is why did it fail with the same error both times: "The update has been deleted since being downloaded from the Apple Software Update server." It's possible more of /var/log/install.log from 10/28 could shed some light, if you don't already know what the reason could be. You should probably paste output into a gist or pastebin. |
|
https://gist.github.com/CamJN/ac9d784091adb9918a77#file-oct-28_install-log Looks like the download didn't finish and therefore got deleted. |
These seem to not apply for everyone on 10.11.0 any more (as explained in Homebrew/legacy-homebrew#45387).
These seem to not apply for everyone on 10.11.0 any more (as explained in Homebrew/legacy-homebrew#45387).
The Homebrew installer (https://raw.githubusercontent.com/Homebrew/install/master/install) currently does the following check:
While these directions may have been correct for some range of the El Capitan developer betas, they seem to be incorrect now.
I removed the /usr/local dir, upgraded 10.11.0 -> 10.11.1, and had no trouble running sudo mkdir /usr/local && sudo chflags norestricted /usr/local && sudo chown -R $(whoami):admin /usr/local
There was no need to disable SIP.
The text was updated successfully, but these errors were encountered: