secadm_vnode_check_exec calls pax_elf too early

I'm not completely sure that this is indeed a problem, but it seems to me that `secadm_vnode_check_exec` is called at a point when `execve` can still fail. `secadm_vnode_check_exec` applies the new policy to the current thread with `pax_elf`, and if `execve` fails, this affects the running process image, not the new process image, and an unexpected policy is applied to it.
