Mac OS X 10.11 (15A263a): "csrutil status" returns "enabled (Custom Configuration)" when SIP is disabled

Originator:rtrouton
Number:rdar://22361698 Date Originated:20-Aug-2015 11:55 AM
Status:Closed (Duplicate) Resolved:
Product:OS X Product Version:Mac OS X 10.11 (15A263a)
Classification:UI/Usability Reproducible:Always
 
Summary:

When System Integrity Protection is disabled, running “/usr/bin/csrutil status” on the boot drive will give the following output:

------

computename:~ username$ csrutil status
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
	Apple Internal: disabled
	Kext Signing: disabled
	Filesystem Protections: disabled
	Debugging Restrictions: disabled
	DTrace Restrictions: disabled
	NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

------

Receiving “System Integrity Protection status: enabled (Custom Configuration)” is confusing. The "Custom Configuration" is that System Integrity Protection is disabled, but the status message may cause the reader to believe that System Integrity Protection’s protection is still enabled.


Steps to Reproduce:

1. Boot to Recovery HD
2. Open Terminal
3. Run the following command:

/usr/bin/csrutil disable

4. Boot to regular boot drive
5. Open Terminal
6. Run the following command:

/usr/bin/csrutil status

Expected Results:

Receive the following output:

System Integrity Protection status: disabled.

Actual Results:

Receive the following output:

System Integrity Protection status: enabled (Custom Configuration).

Regression:

1. Boot to Recovery HD
2. Open Terminal
3. Run the following command:

/usr/bin/csrutil disable

4. Receive the following output:

System Integrity Protection status: disabled.

Notes:

Both the Recovery HD and OS X boot volume were running OS X 10.11 (15A263a).

Comments

Closed as a duplicate of 22356187 (Open)

Engineering has determined that your bug report (22361698) is a duplicate of another issue (22356187) and will be closed.

The open or closed status of the original bug report your issue was duplicated to appears in the yellow "Duplicate of XXXXXXXX" section of the bug reporter user interface. This section appears near the top of the right column's bug detail view just under the bug number, title, state, product and rank.

An example of the duplicate section from the bug reporter user interface with your bug and the duplicate bug info is included below:

22361698 Mac OS X 10.11 (15A263a): "csrutil status" returns "enabled (Custom Configuration)" when SIP is disabled

State: Closed Product:

Rank: No Value

Duplicate of 22356187 (Open/Closed)

By rtrouton at Aug. 27, 2015, 5:53 p.m. (reply...)

Regression correction:

Regression:

  1. Boot to Recovery HD
  2. Open Terminal
  3. Run the following command:

/usr/bin/csrutil status

  1. Receive the following output:

System Integrity Protection status: disabled.

By rtrouton at Aug. 20, 2015, 3:58 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!