That's marginally better. To clarify, "rootless=0" is being replaced by the CSR flags which allow more fine-grained control of what aspects of SIP are in place: http://www.idelta.info/archives/sip-rootless-internal-in-el-capitan/ I'm not clear why they're choosing 0x67, or what it will take to get kexts to be loaded from the EFI partition. My impression is that the system will ultimately need kexts installed to S/L/E under 0x67 then run normally under 0x1, but I'm curious to see what the reality is.
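As an added illustration (not part of the original post), the sketch below decodes the two masks mentioned above, 0x67 and 0x1, into the individual SIP protections they relax, and shows which ones differ. The bit names are taken from XNU's `bsd/sys/csr.h`; the `csr-active-config` NVRAM variable name and the sample `nvram`-style strings are assumptions constructed for the example.

```python
import struct

# Bit names from XNU's bsd/sys/csr.h; they do not appear in the post itself.
CSR_FLAGS = {
    0x01: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x02: "CSR_ALLOW_UNRESTRICTED_FS",
    0x04: "CSR_ALLOW_TASK_FOR_PID",
    0x08: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x10: "CSR_ALLOW_APPLE_INTERNAL",
    0x20: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x40: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x80: "CSR_ALLOW_DEVICE_CONFIGURATION",
}

def parse_nvram_value(text):
    """Turn `nvram` output for a 4-byte variable into an integer.

    nvram prints printable bytes literally and the rest as %XX, so 0x67
    appears as 'g%00%00%00' rather than '%67%00%00%00'.
    """
    raw = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2:
                raise ValueError("truncated %XX escape")
            raw.append(int(pair, 16))
            i += 3
        else:
            raw.append(ord(text[i]))
            i += 1
    if len(raw) != 4:
        raise ValueError("expected 4 bytes, got %d" % len(raw))
    return struct.unpack("<I", bytes(raw))[0]  # value is stored little-endian

def decode(mask):
    """List the protections a CSR mask relaxes, lowest bit first."""
    names = [name for bit, name in sorted(CSR_FLAGS.items()) if mask & bit]
    unknown = mask & ~sum(CSR_FLAGS)
    if unknown:
        names.append("UNKNOWN_BITS_0x%x" % unknown)
    return names

def relaxed_only_in(a, b):
    """Protections relaxed under mask a that mask b keeps enforced."""
    return decode(a & ~b)

if __name__ == "__main__":
    install, normal = parse_nvram_value("g%00%00%00"), parse_nvram_value("%01%00%00%00")
    print(hex(install), decode(install))
    print("re-enabled when dropping to", hex(normal), relaxed_only_in(install, normal))
```
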