I've followed the migration guide, https://wiki.gentoo.org/wiki/Project:Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX, on a few machines now without problem. But, I have a couple of routers that should experience a minimum of downtime. The guide has you reboot twice: once to enable XATTR_PAX in the kernel, and again to remove PT_PAX after running migrate-pax. I was wondering: is it safe to do both at once, assuming I can live without PaX for five minutes? That is, can I disable PT_PAX, enable XATTR_PAX, reboot, and run migrate-pax? Or might that cause problems? (Note: I can't run the elfix test suite anyway, since I have EMUTRAMP disabled.)
