How to recreate /usr/local with SIP/rootless mode on El Capitan?

With rootless mode enabled (a.k.a. System Integrity Protection) it turns out you can remove /usr/local but cannot recreate it:

$ sudo rm -rf /usr/local
$ sudo mkdir /usr/local
mkdir: /usr/local: Operation not permitted

How to (re)create /usr/local or any such folder?


/usr/local has been both re-creatable and writable on El Capitan since 2015-10-21 when Apple released /System/Library/Sandbox/Compatibility.bundle version 12 in software update 031-40358 patching 10.11 and 10.11.1, and installed as part of the 10.11.2 update, 10.11.2 combo update, and 10.11.2 clean installs. You do not need to do anything special unless you have not updated to the latest point release of El Capitan.

A patched system will have a Compatibility bundle version greater than or equal to 12 and will show:

iMac-TMP:~ joe$ grep /usr/local /System/Library/Sandbox/rootless.conf
*               /usr/local
iMac-TMP:~ joe$ grep /usr/local /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths
/usr/local
iMac-TMP:~ joe$ defaults read /System/Library/Sandbox/Compatibility.bundle/Contents/Info.plist CFBundleVersion
12.0
iMac-TMP:~ joe$

An unpatched system will have a Compatibility bundle version less than 12.0 and will not have the /usr/local entry in /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths.
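The three checks in the answer above (bundle version, the paths file, and the /usr/local entry), put together as a small script. This is an added example, not code from the original answer or from Apple: it assumes the file locations quoted in the answer, takes a root prefix so it can be run against a mounted volume or a test tree, and falls back to a plain-text XML scan of Info.plist when `defaults` is not available (the real bundle's plist may be binary, which only `defaults read` handles). The sample trees it can build are constructed for offline demonstration only.

```shell
#!/bin/sh
# Added example (not from the original answer): decide whether an El Capitan
# install carries the Compatibility.bundle fix that makes /usr/local re-creatable.
# ROOT is prepended to every path so the check works on "/" or on a mounted volume.

# Print the CFBundleVersion of the Compatibility bundle under ROOT.
# Uses `defaults read` when present (handles binary plists on macOS); otherwise
# scans an XML plist (assumption: key and value are on consecutive lines).
compat_bundle_version() {
    root="$1"
    plist="$root/System/Library/Sandbox/Compatibility.bundle/Contents/Info.plist"
    [ -f "$plist" ] || { echo 0; return 1; }
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$plist" CFBundleVersion 2>/dev/null && return 0
    fi
    sed -n '/<key>CFBundleVersion<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist"
}

# Return 0 if ROOT looks patched: bundle major version >= 12 AND /usr/local
# is listed in the bundle's "paths" resource. Return 1 otherwise.
usr_local_patched() {
    root="$1"
    paths="$root/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths"
    ver=$(compat_bundle_version "$root") || return 1
    major=${ver%%.*}                       # "12.0" -> "12"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -ge 12 ] || return 1
    grep -qx '/usr/local' "$paths" 2>/dev/null
}

# Human-readable report; always returns 0 so it is safe under `set -e`.
report_usr_local() {
    root="$1"
    ver=$(compat_bundle_version "$root") || ver="missing"
    if usr_local_patched "$root"; then
        echo "$root: Compatibility bundle $ver, /usr/local listed: patched"
    else
        echo "$root: Compatibility bundle $ver: NOT patched, /usr/local stays restricted"
    fi
    return 0
}

# Build a constructed sample tree (demonstration/testing only, not a real bundle).
# $1 = directory, $2 = version string, $3 = "yes" to list /usr/local in paths.
make_sample_tree() {
    dir="$1"; ver="$2"; listed="$3"
    contents="$dir/System/Library/Sandbox/Compatibility.bundle/Contents"
    mkdir -p "$contents/Resources"
    printf '<plist version="1.0"><dict>\n<key>CFBundleVersion</key>\n<string>%s</string>\n</dict></plist>\n' \
        "$ver" > "$contents/Info.plist"
    {
        echo '/usr/bin'
        if [ "$listed" = yes ]; then echo '/usr/local'; fi
    } > "$contents/Resources/paths"
}

# Usage: sh check_usr_local.sh /            (running system)
#        sh check_usr_local.sh "/Volumes/Macintosh HD"   (from Recovery)
if [ $# -gt 0 ]; then report_usr_local "$1"; fi
```

The report function deliberately never fails, so it can be dropped into a provisioning script; use `usr_local_patched` directly when you want the exit status.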


The simplest and most secure way is to:

  • reboot into recovery (CMD+R)
  • start Disk Utility
  • from the menu, select Macintosh HD and either Unlock (if encrypted) or Mount
  • once Macintosh HD is mounted, close Disk Utility
  • start a Terminal from the Disk Utility menu

Now run the following commands:

  mkdir "/Volumes/Macintosh HD/usr/local"
  chflags norestricted "/Volumes/Macintosh HD/usr/local"
  ls -lOd "/Volumes/Macintosh HD/usr/local"
  # expected output (the flags column shows "-", i.e. not restricted):
  # drwxr-xr-x  2 root  wheel  - 68 17 Mar 09:24 /Volumes/Macintosh HD/usr/local
  exit

Or, as one simple command:

  mkdir "/Volumes/Macintosh HD/usr/local"; chflags norestricted "/Volumes/Macintosh HD/usr/local"; ls -lOd "/Volumes/Macintosh HD/usr/local"; exit

Finally, quit Terminal and reboot into OS X.

References:

  • https://openradar.appspot.com/23093676
  • https://github.com/Homebrew/legacy-homebrew/issues/40837#issuecomment-120762533
  • What is the "rootless" feature in El Capitan, really?
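The recovery-terminal steps above as an idempotent script with a verification step, so you can tell from the exit status whether the new directory really lost the restricted flag. This is an added example, not code from the original answer or from Apple: it assumes the volume is mounted at the path you pass (e.g. "/Volumes/Macintosh HD"), that `chflags` and `ls -O` are the macOS BSD tools, and that `ls -lOd` prints the flags column fifth (as in the answer's output line). The flag-parsing helpers are portable and run against constructed `ls` lines.

```shell
#!/bin/sh
# Added example (not from the original answer): recreate VOL/usr/local without
# the SIP "restricted" flag and verify the result by reading back `ls -lOd`.

# Extract the flags column from one line of `ls -lOd` output. With BSD ls -O
# the columns are: mode links owner group flags size ... name; "-" means no flags.
ls_flags_field() {
    printf '%s\n' "$1" | awk '{print $5}'
}

# Return 0 if the flags column lists "restricted" (SIP-protected), else 1.
# Flags are comma-separated, e.g. "restricted" or "restricted,hidden".
flags_have_restricted() {
    case ",$1," in
        *,restricted,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Recreate $1/usr/local (no-op if it exists), clear the restricted flag, verify.
recreate_usr_local() {
    vol="$1"
    target="$vol/usr/local"
    if [ ! -d "$vol/usr" ]; then
        echo "no usr directory under $vol; is the volume mounted?" >&2
        return 1
    fi
    mkdir -p "$target"
    chflags norestricted "$target"
    line=$(ls -lOd "$target")
    flags=$(ls_flags_field "$line")
    if flags_have_restricted "$flags"; then
        echo "still restricted: $line" >&2
        return 1
    fi
    echo "ok: $line"
}

# Usage (from the Recovery terminal): sh recreate_usr_local.sh "/Volumes/Macintosh HD"
if [ $# -gt 0 ]; then recreate_usr_local "$1"; fi
```

Reading the flag back matters because `chflags norestricted` only succeeds outside SIP (Recovery); run on a booted system it fails with "Operation not permitted" and the directory stays restricted, which the verification catches.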