Are you able to specify which profile you want to use with pfexec for a given user who has been assigned multiple profiles?
One example for this use is so that we can execute a command as a different user within the same process. In exec_attr, you are able to specify the uid/gid that will be used to execute a particular command as in the following example entry:

    Name Service Security:suser:cmd:::/usr/sbin/rpc.nsid:uid=0;gid=0

The above profile will use the super user (uid=0) to execute the rpc.nsid command.
In user_attr, you can specify multiple profiles as below:

    testuser::::type=normal;profiles=Name Service Security,Object Access Management

Can you then specify directly to use the Object Access Management profile to pfexec?
From the [pfexec(1) man page][1]:
So if you put 'Object Access Management' before 'Name Service Security' it'll use that instead.
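
The ordering rule from the answer above, as an added example that is not part of the original posts: a simplified Python model of the first-match lookup over user_attr and exec_attr. The second rpc.nsid entry (uid=100) is constructed for illustration, and the model ignores wildcards, nested profiles in prof_attr, and policy.conf defaults.

```python
# Simplified model of pfexec's first-match profile lookup (added example).
# Sample data is constructed; the uid=100 rpc.nsid entry is hypothetical.
USER_ATTR = "testuser::::type=normal;profiles=Name Service Security,Object Access Management\n"
EXEC_ATTR = """\
Name Service Security:suser:cmd:::/usr/sbin/rpc.nsid:uid=0;gid=0
Object Access Management:suser:cmd:::/usr/sbin/rpc.nsid:uid=100;gid=100
Object Access Management:suser:cmd:::/usr/bin/chown:euid=0
"""


def parse_attrs(field):
    # Split "k=v;k=v" into a dict.
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)


def user_profiles(user_attr, user):
    # Profiles for `user`, in the order they are listed in user_attr.
    for line in user_attr.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _qual, _res1, _res2, attr = line.split(":", 4)
        if name == user:
            profs = parse_attrs(attr).get("profiles", "")
            return [p.strip() for p in profs.split(",") if p.strip()]
    return []


def exec_entries(exec_attr):
    # Yield (profile, command path, attrs) for every "cmd" entry.
    for line in exec_attr.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        prof, _policy, typ, _res1, _res2, path, attr = line.split(":", 6)
        if typ == "cmd":
            yield prof, path, parse_attrs(attr)


def resolve(user_attr, exec_attr, user, command):
    # Walk the user's profiles in order; the first one listing `command` wins.
    entries = list(exec_entries(exec_attr))
    for prof in user_profiles(user_attr, user):
        for e_prof, path, attrs in entries:
            if e_prof == prof and path == command:
                return prof, attrs
    return None


if __name__ == "__main__":
    print(resolve(USER_ATTR, EXEC_ATTR, "testuser", "/usr/sbin/rpc.nsid"))
```

Running the same lookup after swapping the two profile names in the user_attr line shows which uid/gid the command would pick up, which is worth checking whenever a profile is appended to or reordered in a user's entry.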