In the simplest of terms, if you have SIP enabled and caches are rebuilt problems can occur. If SIP remains disabled via Clover's config.plist there should be no issues.

However if SIP is enabled, workarounds may be needed for most post-installation user processes where the kext cache is rebuilt. Workarounds for injecting kexts into the protected kernel cache include booting into Single User mode and passing commands to the system via the command line.

Installing any system update will trigger a cache rebuild. In order to boot successfully after updating, the user must be running with SIP disabled prior to starting the update. This requires enabling SIP via Clover's config.plist and rebooting. Updating a system with SIP enabled will result in an unbootable system due to the lack of the essential FakeSMC.kext in the cache.

To do a system update on OS X El Capitan:

1. Disable SIP
2. Apply System Update (with reboot)
3. Enable SIP, reboot

To fix an unbootable system, or to boot a freshly updated system, one must disable SIP, then boot into Single User Mode in order to rebuild the cache. This is done in Clover by pressing spacebar to access boot menu, then selecting "Boot Mac OS X in single user verbose mode". Type the following commands in order once the command line appears in verbose mode.

To fix an unbootable system via Terminal:

1. fsck -fy
2. mount -uw /
3. touch /System/Library/Extensions && kextcache -u /
4. reboot

Often, the EFI partition is not available to disable SIP.

1. At BIOS, boot with OS X El Capitan Public Beta Installation USB Using Clover_v3259 or newer (SIP is disabled with Post #1 attached config.plists)
2. On restart, boot with OS X El Capitan Public Beta Installation USB Using Clover_v3259 or newer
3. Rebuild kernel cache in Terminal: touch /System/Library/Extensions && kextcache -u /
4. Remove USB
5. Restart and boot normally

Source: Explaining OS X El Capitan Security Changes - Workarounds and Current Information