diff --git a/meta-citadel-distro/recipes-core/base-files/base-files_%.bbappend b/meta-citadel-distro/recipes-core/base-files/base-files_%.bbappend
index b509821..4da7a6f 100644
--- a/meta-citadel-distro/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-citadel-distro/recipes-core/base-files/base-files_%.bbappend
@@ -5,12 +5,19 @@ SRC_URI += "\
 file://locale.conf \
 file://environment.sh \
 file://fstab \
+ file://99-grsec-debootstrap.conf \
 "
 
 do_install_append () {
 install -m 0755 -d ${D}/storage
+ install -m 0755 -d ${D}/var/lib/machines
 install -m 0755 -d ${D}${sysconfdir}/profile.d
 install -m 0644 ${WORKDIR}/locale.conf ${D}${sysconfdir}/locale.conf
 install -m 0644 ${WORKDIR}/environment.sh ${D}${sysconfdir}/profile.d/environment.sh
 install -m 0644 ${WORKDIR}/fstab ${D}${sysconfdir}/fstab
+
+ # disable some pax and grsecurity features so that debootstrap will work
+ # this should be removed later
+ install -d ${D}${libdir}/sysctl.d
+ install -m 0644 ${WORKDIR}/99-grsec-debootstrap.conf ${D}${libdir}/sysctl.d/
 }
diff --git a/meta-citadel-distro/recipes-core/base-files/files/99-grsec-debootstrap.conf b/meta-citadel-distro/recipes-core/base-files/files/99-grsec-debootstrap.conf
new file mode 100644
index 0000000..8d5131e
--- /dev/null
+++ b/meta-citadel-distro/recipes-core/base-files/files/99-grsec-debootstrap.conf
@@ -0,0 +1,9 @@
+
+# disable some pax and grsecurity features so that debootstrap will work
+# this should be removed later
+
+kernel.grsecurity.chroot_caps = 0
+kernel.grsecurity.chroot_deny_chmod = 0
+kernel.grsecurity.chroot_deny_mknod = 0
+kernel.grsecurity.chroot_deny_mount = 0
+kernel.pax.softmode = 1
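Review bot: The two `install` lines added at the end of `do_install_append` in base-files_%.bbappend ship the grsecurity-relaxing drop-in in every image that pulls in base-files, with no build-time switch, so the "should be removed later" state is also what production images boot with. I would make those two lines conditional on a distro-level variable so the relaxed settings are opt-in, and extend the comment to say what has to be true before the file can be dropped. Separately, `${libdir}` follows baselib and can expand to /usr/lib64 on some builds, a directory systemd-sysctl (presumably what applies this file) does not read; `install -d ${D}${nonarch_libdir}/sysctl.d` together with the matching destination on the next line keeps the file under /usr/lib/sysctl.d regardless.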
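Review bot: `kernel.pax.softmode = 1` on the last line of 99-grsec-debootstrap.conf is not scoped to debootstrap: soft mode stops PaX from enforcing its protections by default for every process on the system, whereas the four `chroot_*` lines only relax restrictions that apply inside a chroot. If debootstrap fails only because of particular binaries, exempting those is a much smaller change than booting the whole image in soft mode. The header comment should also record which debootstrap step each setting unblocks, for example `# chroot_deny_mknod = 0: debootstrap creates device nodes in the target`, so that each line can be removed independently. Because the file is applied at boot and nothing in this commit restores the values afterwards, the relaxations hold for the whole uptime rather than just for the bootstrap run.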