Can anyone explain this line in the log.smbd? Searching the internet for apparmor details gets so many hits I cannot find the information. This occurs when smbd is started.
kernel: [908896.070790] type=1400 audit(1442305563.416:371): apparmor="STATUS"
operation="profile_replace" profile="unconfined" name="/usr/sbin/nmbd"
pid=16870 comm="apparmor_parser"
I would beg to differ with Marks answer.
Any time I type sudo service mysql restart I see a similar message in syslog... time kernel:
audit: type=1400 apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=5014 comm="apparmor_parser"
If I then type sudo aa-status I see that mysql is in the list "nn processes are in enforce mode" 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.
So I think this rather confusing message is just apparmor saying... I just found a process matching profile="unconfined" and I am going to perform operation="profile_replace"
These messages also appear when the pc is rebooted, presumably for the same reason, apparmor loads first, then as other processes load it confines them.
It means the AppArmor profile affecting the program /usr/sbin/nmbd has been removed ("unconfined") using the apparmor_parser tool. This means that program will run unrestricted by AppArmor from now on (until it's confined again - perhaps that will happen at boot, depending on how your system is set up).
If you're asking why it happens, I don't know. Something is calling apparmor_parser -R, evidently, but why it would want to, or exactly how it gets called, I don't know.
/etc/apparmor.d - it MAY be called usr.sbin.nmbd) and either delete it or create a symlink to it from `/etc/apparmor.d/disable' - look in that folder for examples. Reboot and check it behaves as you wish.