the rw requirement of urandom is probably coming from gnutls and not samba directly (the older Samba version of SLES doesn't use gnutls for crypto yet). For differences of other paths in the apparmor profile it looks a bit pointless to me to try to include all possible different possibe paths being used by different packagers upstream. The requirements here can change from version to version also. For SUSE specifically I would really appreciate if the apparmor profiles would consistently all be packaged along with the package packages that they are made for and not as part of the apparmore package itself. Currently some are still shipped from the apparmor package and some are shipped with the package they're made for. For the Samba package of SUSE I suggested moving the samba apparmore profile accordingly to Jim some days ago.