To make my Debian Jessie system work with pax, I had to set pax flags for these three binaries:

    paxctl -c -m /usr/bin/gnome-shell
    paxctl -c -m /usr/bin/gnome-session
    paxctl -c -m /usr/bin/pulseaudio

If you don't want to modify the binary, you can also set the attributes in the file system:

    setfattr -n user.pax.flags -v m /usr/bin/gnome-shell
    setfattr -n user.pax.flags -v m /usr/bin/gnome-session
    setfattr -n user.pax.flags -v m /usr/bin/pulseaudio

You will need the `attr` package to run the above commands. See https://wiki.debian.org/grsecurity/setfattr for more information. It may make sense to add a suggestion on the grsec kernel package for attr.

The above allowed me to properly start GDM and to log in to my system. To use iceweasel and other utilities, I had to modify other things. I also was able to set `kernel.grsecurity.disable_priv_io=0` after running the setfattr commands above.

I additionally had to set the following to make these programs "work" with this kernel:

    setfattr -n user.pax.flags -v m /usr/bin/seahorse
    setfattr -n user.pax.flags -v m /usr/bin/iceweasel
    setfattr -n user.pax.flags -v m /usr/bin/chromium
    setfattr -n user.pax.flags -v m /usr/lib/chromium/chromium

For those who care, PulseAudio was also making some log entries about "denied resource overstep by requesting 25 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio". I reconfigured it with an edit to /etc/pulseaudio/daemon.conf to add 'high-priority = no' and the kernel stopped complaining.
I now only see two grsec denied messages on my Debian jessie system after boot:

    [    9.560994] grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:891] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/gdm3[gdm3:885] uid/euid:0/0 gid/egid:0/0
    [   12.091674] grsec: denied priority change of process (rtkit-daemon:1066) by /usr/lib/rtkit/rtkit-daemon[rtkit-daemon:1066] uid/euid:107/107 gid/egid:114/114, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0

After login, I see the following grsec messages:

    [  448.243314] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /run/user/1000/orcexec.pIjl0t by /usr/bin/pulseaudio[alsa-source-ALC:1617] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    [  448.243366] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /home/error/orcexec.iEBctM by /usr/bin/pulseaudio[alsa-source-ALC:1617] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    [  448.243405] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/orcexec.VrI4V4 by /usr/bin/pulseaudio[alsa-source-ALC:1617] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    [  448.999276] grsec: denied RWX mmap of <anonymous mapping> by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
    [  448.999349] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/ffixSCBQp by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
    [  448.999395] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /var/tmp/ffiQhZWhL by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
    [  448.999422] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /dev/shm/ffi5YViJ6 by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
    [  448.999457] grsec: more alerts, logging disabled for 10 seconds
    [  449.760884] EXT4-fs (sdb1): mounted filesystem with ordered data mode. Opts: (null)

To eliminate most of those issues, I ran:

    setfattr -n user.pax.flags -v m /usr/bin/seahorse
    setfattr -n user.pax.flags -v m /usr/bin/gjs-console
    setfattr -n user.pax.flags -v m /usr/bin/python

I was left with:

    [ 1802.373906] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /run/user/1000/orcexec.bCtW1V by /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    [ 1802.373967] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /home/error/orcexec.SzaIXb by /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    [ 1802.374015] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/orcexec.5bPuTr by /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0

I have no idea why PulseAudio is trying to exec anything, but audio works fine regardless, so I'm just going to ignore it.
After I was finished with my X session, I logged out and grsec emitted the following:

    [ 1275.111624] grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:1956] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/gdm3[gdm3:885] uid/euid:0/0 gid/egid:0/0

It might make sense to have a different bug where we track things that need to be done for user space. That said, this is now my main kernel. Hooray!

Here is my /etc/sysctl.d/grsec.conf file for the above observations:

    # Disable privileged io: iopl(2) and ioperm(2)
    # Warning: Xorg needs it to be 0
    kernel.grsecurity.disable_priv_io = 1

    # Chroot restrictions
    kernel.grsecurity.chroot_deny_shmat = 1
    kernel.grsecurity.chroot_deny_unix = 1
    kernel.grsecurity.chroot_deny_mount = 1
    kernel.grsecurity.chroot_deny_fchdir = 1
    kernel.grsecurity.chroot_deny_chroot = 1
    kernel.grsecurity.chroot_deny_pivot = 1
    kernel.grsecurity.chroot_enforce_chdir = 1
    kernel.grsecurity.chroot_deny_chmod = 1
    kernel.grsecurity.chroot_deny_mknod = 1
    kernel.grsecurity.chroot_restrict_nice = 1
    kernel.grsecurity.chroot_execlog = 1
    kernel.grsecurity.chroot_caps = 1
    kernel.grsecurity.chroot_deny_sysctl = 1
    kernel.grsecurity.chroot_findtask = 1

    # Trusted execution
    # Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
    # from untrusted directories
    kernel.grsecurity.tpe = 1
    kernel.grsecurity.tpe_gid = 64040
    kernel.grsecurity.tpe_invert = 1
    kernel.grsecurity.tpe_restrict_all = 1

    # Socket restrictions
    # If the setting is enabled and a user is added to the relevant group, she won't
    # be able to open this kind of socket
    kernel.grsecurity.socket_all = 1
    kernel.grsecurity.socket_all_gid = 64041
    kernel.grsecurity.socket_client = 1
    kernel.grsecurity.socket_client_gid = 64042
    kernel.grsecurity.socket_server = 1
    kernel.grsecurity.socket_server_gid = 64043

    # Auditing
    kernel.grsecurity.audit_mount = 1
    kernel.grsecurity.audit_chdir = 1
    kernel.grsecurity.dmesg = 1
    kernel.grsecurity.exec_logging = 1
    kernel.grsecurity.resource_logging = 1

    # Ptrace
    kernel.grsecurity.audit_ptrace = 1
    kernel.grsecurity.harden_ptrace = 1

    # Protect mounts
    kernel.grsecurity.romount_protect = 0

    # Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
    # folders)
    kernel.grsecurity.linking_restrictions = 1

    # Prevent writing to fifo not owned in world-writable +t folders
    kernel.grsecurity.fifo_restrictions = 1

    kernel.grsecurity.execve_limiting = 1
    kernel.grsecurity.ip_blackhole = 1
    kernel.grsecurity.lastack_retries = 4
    kernel.grsecurity.signal_logging = 1
    kernel.grsecurity.forkfail_logging = 1
    kernel.grsecurity.timechange_logging = 1

    # PAX
    kernel.pax.softmode = 0

    # Disable module loading
    # This is not a grsecurity setting anymore, but you might still want to disable module
    # loading so no code is inserted into the kernel
    #kernel.modules_disabled=0

    # Once you're satisfied with settings, set grsec_lock to 1 so no one can change
    # grsec sysctls on a running system
    kernel.grsecurity.grsec_lock = 1

    # vim: filetype=conf:

As a side note, I found that kernel.modules_disabled=1 caused me a bunch of problems. It might be interesting to ensure that this is called before GDM3 login but not beforehand...
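One property of the config above that is easy to break when editing it: sysctl applies a file top to bottom, and once kernel.grsecurity.grsec_lock is 1 the kernel refuses every further kernel.grsecurity.* write until reboot, so the lock has to stay the last grsecurity key (and any sysctl.d fragment that sorts after grsec.conf must not touch kernel.grsecurity.* either). The POSIX sh snippet below is an added example, not part of this report, that extracts the key=value settings from such a fragment and checks that ordering before the file is deployed. The sample is a constructed excerpt of the grsec.conf shown above; `sysctl_keys` and `check_lock_last` are names of my own.

```shell
#!/bin/sh
# Added example (not from the bug report): validate a grsec sysctl.d fragment.
# Constructed sample: an excerpt of the grsec.conf shown in the report.
SAMPLE_CONF='# Disable privileged io: iopl(2) and ioperm(2)
# Warning: Xorg needs it to be 0
kernel.grsecurity.disable_priv_io = 1
# Trusted execution
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 64040
#kernel.modules_disabled=0
# Once satisfied with the settings, lock them
kernel.grsecurity.grsec_lock = 1
# vim: filetype=conf:'

# sysctl_keys: print "key=value" for every active setting on stdin, in file
# order. Comment lines (including the commented-out modules_disabled) and
# blank lines are dropped; whitespace around "=" is normalised away.
sysctl_keys() {
    sed -E -n 's/^[[:space:]]*([A-Za-z0-9_.]+)[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1=\2/p'
}

# check_lock_last: exit 0 when grsec_lock=1 is absent or is the final
# kernel.grsecurity.* setting; exit 1 when any grsecurity key follows it,
# because that key would be rejected by the already-locked kernel.
check_lock_last() {
    sysctl_keys | awk -F= '
        $1 == "kernel.grsecurity.grsec_lock" && $2 == "1" { locked = 1; next }
        locked && $1 ~ /^kernel\.grsecurity\./ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | sysctl_keys
if printf '%s\n' "$SAMPLE_CONF" | check_lock_last; then
    echo "ok: grsec_lock is the last grsecurity key"
else
    echo "error: grsecurity keys follow grsec_lock and will be rejected"
fi
```

Run it as `check_lock_last < /etc/sysctl.d/grsec.conf` before rebooting; the same `sysctl_keys` output can be compared with `sysctl -a` to confirm what actually took effect.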