Notice: Undefined variable: name in /srv/http/vhosts/ on line 248

Package Details: linux-pax-flags 2.0.18-4

Git Clone URL: (read-only)
Package Base: linux-pax-flags
Description: Deactivates PaX flags for several binaries to work with PaX enabled kernels.
Upstream URL:
Keywords: grsecurity linux pax security
Licenses: GPL3
Submitter: phects
Maintainer: phects
Last Packager: phects
Votes: 18
Popularity: 0.000872
First Submitted: 2012-01-12 18:16
Last Updated: 2015-12-15 12:27

Latest Comments

« First ‹ Previous 1 2 3 4 5 6 7 8 9 10 ... Next › Last »

s4ndman commented on 2013-03-22 07:31

I agree with s1gma, i dont use sudo and had to manually modify the script to get it work.

Anonymous comment on 2013-03-22 06:40


Why use 'sudo' in linux-pax-flags, as it will anyway usually run as root (in the linux-grsec.install script) ?

Or, you could add 'sudo' as a dependency (as some of use do not have it installed), but it seems a little overkill.

Thanks for your package !

phects commented on 2013-03-19 10:33

That's good to hear! Do you use linux-pax-flags on another distribution? On Arch Linux at least polkitd needs flags set on a PaX kernel (which is not exactly ideal).

echoblack commented on 2013-03-19 10:19

The problem with Freemind "may" be a result of the disabling of JIT. "Just In time Compiling" with java. JIT makes java programs run much faster but is a very dangerous thing. There is no way to verify that the code is not modified before execution. However, I thought I read that what happens is the JIT simply dose not work and the java program is run by the JVM like normal i.e. it should not brake anything. BUT, maybe with that program it dose? Or maybe this has nothing to do with it. In any case you could disable it. I think it is in the "Miscellaneous Hardening" options.

As for the suspend... Strange, I use KDE and I have KDE set to do nothing. Then SystemD dose the suspend when I close my laptop lid (by default) and it works fine.

phects: Meh, I no longer have any issue with the ruby. Ruby as it turns out is only 3MB. The main thing was that I didn't want to install ruby on my servers, but it turns out that basically no server software needs any PaX flags anyway. Non that I have run at least.

Anonymous comment on 2013-03-10 02:28

Thanks for the answers,much appreciated

1)About Java, I do have jre7-openjdk. Tried re-installing pax flags but its the same. If I open Freemind in Terminal it says:
ERROR: Your Java VM is not a complete implementation,
to point to such a VM. See the manpage of freemind(1) for details.
Error occurred during initialization of VM

Doesn't happen on default kernel (arch)

2)System Monitor does work as you said
3)Another thing, Gradm, doesn't enable, it says:
Duplicate subject found for "/sbin/shutdown" in role shutdown, on line 287 of /etc/grsec/policy.
"/sbin/shutdown" references the same object as "/sbin/halt" specified on an earlier line.
The RBAC system will not load until this error is fixed.
4)Last thing...Can't hibernate/suspend in Xfce4, going by logout>suspend it's just grayed out. And mounting USB devices it won't let me either.

phects commented on 2013-03-09 09:36

More Answer,

gnome-system-monitor works well with PaX but collides with /proc and /sys access restriction of grsec. The "Resources" tab needs access to /proc/vmstat, which is granted only for users in the proc-trusted group. After adding your user to the group and relogin, the tab should work. Network statistics won't work without root privileges.

phects commented on 2013-03-09 09:26


it possibly does. linux-pax-flags takes care of PaX flags for java. Which VM are you using? I would recommend jdk7-openjdk. Flags for gnome-system-monitor aren't included, yet. I will look into it and include them, if neccessary.

Anonymous comment on 2013-03-09 05:34


If I can't open Freemind(mindmap program, runs on java) in a grsec,pax kernel, does that mean it's because some sort of pax flag?

Can't open gnome-system-monitor too.

duncant commented on 2013-02-28 04:33

Disregard that last comment, I see that it's already in the package. I need to learn to actually check things before commenting.

duncant commented on 2013-02-27 23:02

From the package android-sdk-platform-tools, /opt/android-sdk/platform-tools/adb needs MPROTECT off