Hi, I am new to here. This is my first question.
I am using debian 9 with mate desktop. I have enabled apparmor. Used backports to install prepatched grsec kernel. Now with carefull work I disabled mprotect for libreoffice and firefox to make them usable. But I need precise executable files for bleachbit, debian report bug, synaptic package manager to configure it for grsecurity and recommended paxctl flag.
I especially want help for recommended paxctl flag of most common apps and their path to execute them. Also want a default tight security settings for global defaults, enabling chroot and several features usable for security. Except RBAC because I am satisfied with apparmor.
Also I want to ensure tight kernel configuration like seccomp, namespaces and several kernel executable features(if these are compatible with pax then also I will use them). But how to configure it and compile install, reload it into grub and delete the optional kernel.
Oh yes, I also want to block root and run xorg rootless.
Here is my question. I am quite a newbie. So advance apology for any commited mistakes.

I haven't used GRSecurity since before the big announcement that Brad and his team were closing off the source. That being said, with all respect, I think your question is too broad:

1. Rootless Xorg would be more of a Debian security team issue if they chose to implement it, and not something you can tweak GRSec settings to bring about, although keeping "disable IOPL/IOPERM" unchecked should keep you in the Xorg money period.

2. Most flag configuration issues for day to day use (at least only in my own experience) are really going to be disabling MPROTECT.

3. What do you mean by "block root"? If you want to forego root login, how well that works out would instead be dependent on your distro. If you want to confine root's abilities like the SELinux sysadm_u user mapping might, that is more of a RBAC thing, sorry.