> Just to clarify... *Java will run* with a grsecurity hardened kernel,
> with pax enabled. It just needs mprotect disabled for the specific programs
> that need it disabled. (and also many other things need this... python,
> kdeinit4, skype, kscreenlocker_greet, thunderbird, firefox,
> plugin-container, gdb, utox, grub-probe, etc. also firefox needs JIT
> disabled for optimal stability). For this you need some kernel features
> enabled; I recommend the one using xattrs because then the binaries don't
> need modifications (or backups, and modified binaries won't run properly in
> a non-grsec kernel, but they run fine with xattrs).
>
> Set the extended file system attribute with:
>
> setfattr -n user.pax.flags -v m /usr/lib*/jvm/java-*-openjdk-*/jre/bin/java
>
> (example path, may not be right for Debian openjdk)
>

cool, thanks! I think it would be important that packages that have an
issue running under grsec all do what they need to do on installation to
make sure the correct configs are in place to actually work under grsec.
This is often left out, making proper security expensive and difficult to
track down.