4.9. What does it mean to "seal the kernel"?

At the end of the bootup process, you should seal the kernel. This sets the global capabilities on your system according to your /etc/lids/lids.cap file. File ACLs are enforced even before the kernel is sealed, however. To seal the kernel, put the following at the end of your rc.local (assuming SysV style init):
    /sbin/lidsadm -I
The "-I" option is only used to seal the kernel. After it's sealed, you must use the "-S" option to make changes to your system. WARNING: If you do not seal your kernel at boot time, you will not receive the full benefits of a LIDS-enhanced system.
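
An added example, not part of the LIDS FAQ or the LIDS project: a shell check that the seal command shown above is the last effective command in an rc.local-style script, so nothing runs after the seal and no earlier top-level "exit" skips it. The function name check_seal, the result strings and the comment/exit heuristics are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit an rc.local-style script for the LIDS seal command.
# SEAL_CMD is the command given in the FAQ text above.
SEAL_CMD="/sbin/lidsadm -I"

# check_seal FILE
#   Prints OK               if SEAL_CMD is the last effective command
#   Prints NOT_LAST         if it is missing or other commands follow it
#   Prints EXIT_BEFORE_SEAL if a top-level "exit" line precedes it
# Heuristic only: comments are stripped at line start or after whitespace,
# and an exit nested in a conditional block is still reported.
check_seal() {
    awk -v seal="$SEAL_CMD" '
        {
            sub(/^#.*$/, "")              # whole-line comment (and shebang)
            sub(/[ \t]+#.*$/, "")         # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "")   # surrounding whitespace
        }
        $0 == "" { next }
        { n++; cmd[n] = $0 }
        END {
            # A final "exit 0" after the seal is harmless; ignore it.
            if (n > 0 && cmd[n] == "exit 0") n--
            if (n == 0 || cmd[n] != seal) { print "NOT_LAST"; exit 1 }
            for (i = 1; i < n; i++)
                if (cmd[i] ~ /^exit( |$)/) { print "EXIT_BEFORE_SEAL"; exit 1 }
            print "OK"
        }' "$1"
}

# Stand-alone use: pass the path of the init script to audit.
if [ "$#" -gt 0 ]; then
    check_seal "$1"
fi
```

The function returns non-zero whenever the result is not OK, so it can gate a configuration-audit job.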