+</div>
+
+<div class="navbar">
+
+<h4 class="tight">Contents</h4>
+
+<ul>
+
+<li class="tight"><a href="#what_is">What Is SIP?</li>
+
+<li class="tight"><a href="#sip_enabled">Installing rEFInd with SIP Enabled</a>
+
+ <ul>
+
+ <li class="tight"><a href="#recovery">Using Recovery Mode</a></li>
+
+ <li class="tight"><a href="#disable">Disabling SIP</a>
+ <ul>
+
+ <li class="tight"><a href="#disable_in_osx">Disabling SIP with Recovery HD</a></li>
+
+ <li class="tight"><a href="#disable_in_refind">Disabling SIP with rEFInd</a></li>
+
+ </ul></li>
+
+ <li class="tight"><a href="#another">Using Another OS</a></li>
+
+ </ul></li>
+
+<li class="tight"><a href="#refind_manage">Using rEFInd to Manage SIP</a></li>
+
+<li class="tight"><a href="#conclusion">Conclusion</a></li>
+
+</ul>
+
+</div>
+
+<a name="what_is">
+<h2>What Is SIP?</h2>
+</a>
+
+<p>To understand SIP, you should first know that Unix-like systems, including OS X, have traditionally provided a model of security in which ordinary users can read and write their own files (word processor documents, their own digital photos, etc.), but cannot write to system files (programs, system configuration files, etc.)—and users cannot even read some system files. This system security model has worked well for decades on traditional Unix systems, which have been administered by computer professionals and used by individuals with less experience. For administrative tasks, the <tt>root</tt> account is used. On Macs, this access is generally granted by the <tt>sudo</tt> command or by various GUI tools. Most Macs, in contrast to traditional Unix mainframes and minicomputers from the 20th century, are single-user computers that are administered by their users. Such people often lack the knowledge of the professional system administrators who have traditionally managed Unix systems; but they must still perform system administration tasks such as installing new software and configuring network settings. OS X has always provided some measure of security by requiring users to enter their passwords before performing these dangerous tasks, and by providing GUI tools to help guide users through these tasks in a way that minimizes the risk of damage.</p>
+
+<p>Apple has apparently decided that these safeguards are no longer sufficient, at least for certain tasks, such as writing files to certain system directories and installing boot loaders. I won't try to speak for Apple or explain their motivations, but the result of Apple's decisions is SIP. With SIP active, as is the default, OS X 10.11 limits your ability to perform some of these administrative tasks. You can still install and remove most third-party programs, configure your network, and so on; but some critical directories can no longer be written, even as <tt>root</tt>, and some utilities cannot be used in certain ways, even as <tt>root</tt>. These restrictions impact rEFInd because one of the affected tools, a command called <tt>bless</tt>, is required to tell the Mac to boot rEFInd rather than to boot OS X directly.</p>
+
+<a name="sip_enabled">
+<h2>Installing rEFInd with SIP Enabled</h2>
+</a>
+
+<p>The end result of SIP is that rEFInd cannot be installed under OS X 10.11 in the way described on the <a href="installing.html">Installing rEFInd</a> page—at least, not without first booting into <a href="#recovery">Recovery mode,</a> in which SIP restrictions are ignored; or <a href="#disable">disabling SIP</a> (either temporarily or permanently). This page covers these two options in more detail, as well as a third: <a href="#another">Using another OS</a> to install rEFInd.</p>