This question was answered in the WWDC Security Lab Session. The notes for that session that are relavent to your question are as follows:
Question: How is the management config for System Integrity Protection updated?
Updates to /System/Library/Sandbox/rootless.conf will likely be coming through Software Update
Which directories and files is System Integrity Protection protecting? Is there a way to get a listing from the command line?
/System/Library/Sandbox/rootless.conf is the SIP conf file, but changes to this conf file are not immediately picked up by SIP. /System/Library/Sandbox/rootless.conf itself is protected by SIP.
ls's -O flag (capital O) should show restricted files
ls -laO lists files and shows restrictions
Is it possible to add custom inclusions and exclusions to System Integrity Protection?
/System/Library/Sandbox/rootless.conf is Apple's, it should not altered by third-parties.Asterix-marked ( * ) listings in /System/Library/Sandbox/rootless.conf will indicate exclusions to the protection.
To expand on the given answer to your first question, changes to the rootless.conf file will only be picked up during the boot process, so you will need to restart for them to take effect.