# enable java execution in pax?

## Vyeperman

I'm trying to execute a script/program that was completely written in java. After realizing the program wasn't running right I checked /var/log/messages and found something interesting.

```

Apr  2 13:05:07 Neji PAX: From 68.7.245.143: execution attempt in: /opt/sun-jdk-1.4.2.07/jre/lib/i386/client/libjvm.so, 23728000-23744000 003fd000

Apr  2 13:05:07 Neji PAX: terminating task: /opt/sun-jdk-1.4.2.07/bin/java(java):8764, uid/euid: 0/0, PC: 23732204, SP: 5ae2f604

Apr  2 13:05:07 Neji PAX: bytes at PC: 68 7f 02 00 00 d9 6c 24 00 58 c3 90 cc cc cc cc 00 80 01 00 

Apr  2 13:05:07 Neji PAX: bytes at SP: 23588347 23740d50 5ae2f62c 23584745 00000001 23740d50 00003000 0000e000 0000e000 00003000 5ae2f63c 2358731c 08067408 23740d50 5ae2f6f4 235cecd5 08067408 23740d50 234f38b4 5ae317d0 

```

I'm not to familiar with how to configure grsecurity in my kernel I had a little help from a friend getting it configured, but I would like to keep pax if possible, just enable java support. Can this be done?

----------

## Vyeperman

Ok I've learned that I need to use paxctl with java to get it to work but I'm not sure what option to use, my guess is it's one of the exec ones since it appears to be an exec issue.

```

usage: paxctl <options> <files>options:       

-p: disable PAGEEXEC        -P: enable PAGEEXEC        -e: disable EMUTRMAP          

-E: enable EMUTRMAP       -m: disable MPROTECT      -M: enable MPROTECT        

-r: disable RANDMMAP        -R: enable RANDMMAP      -x: disable RANDEXEC            

-X: enable RANDEXEC        -s: disable SEGMEXEC        -S: enable SEGMEXEC

```

----------

## mxc

Did you get this fixed in the end? If so what did you do?

thanks

----------

## dryadcito

You should use

chpax -pemrxs /opt/*-jdk-*/{jre,}/bin/*

See http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxjava

You also can emerge chpax and add chpax to the default runlevel. It will set the right flags for some other apps. like xmms and Xorg. It's configuration file is /etc/conf.d/chpax , but I think you won't need to edit it. 

If you emerge ( or re-emerge ) xmms, java or any other program needing special flags you must run manually "/etc/init.d/chpax start" because once it's been run it doesn't do anything ( there is no daemon ) or reboot.

----------

