Trusted Extensions software uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printed output. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.
The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Oracle Solaris printer administration procedures, then they assign labels to the print servers and printers.
Trusted Extensions software supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. To use the global zone's print server, a labeled zone must have a host name that is different from the global zone. One way to obtain a distinct host name is to assign an IP address to the labeled zone. The address would be distinct from the global zone's IP address.
Users and roles on a system that is configured with Trusted Extensions software create print jobs at the label of their session. The print jobs can print only on printers that recognize that label. The label must be in the printer's label range.
Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.
Printers that are configured with Trusted Extensions software print labels on the printer output. Printers that are managed by unlabeled print servers do not print labels on the printer output. Such printers have the same label as their unlabeled server. For example, an Oracle Solaris print server can be assigned an arbitrary label in the tnrhdb database of the LDAP naming service. Users can then print jobs at that arbitrary label on the Oracle Solaris printer. As with Trusted Extensions printers, those Oracle Solaris printers can only accept print jobs from users who are working at the label that has been assigned to the print server.
Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the label_encodings file and from the tsol_separator.ps file.
The security administrator can do the following to modify defaults that set labels and add handling instructions to printer output:
Localize or customize the text on the banner and trailer pages
Specify alternate labels to be printed on body pages or in the various fields of the banner and trailer pages
Change or omit any of the text or labels
The security administrator can also configure user accounts to use printers that do not print labels on the output. Users can also be authorized to selectively not print banners or labels on printer output.
By default, the “Protect As” classification is printed at the top and bottom of every body page. The “Protect As” classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.
For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.
Figure 15-1 Job's Label Printed at the Top and Bottom of a Body Page
The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. Note that the trailer page uses a different outer line.
The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization.
Figure 15-2 Typical Banner Page of a Labeled Print Job
Figure 15-3 Differences on a Trailer Page
Note - To localize or internationalize the printed output, see the comments in the tsol_separator.ps file.
Table 15-1 Configurable Values in the tsol_separator.ps File
Labeled printing in Trusted Extensions relies on features from Solaris printing. In the Oracle Solaris OS, printer model scripts handle banner page creation. To implement labeling, a printer model script first converts the print job to a PostScript file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.
Solaris printer model scripts can also translate PostScript into the native language of a printer. If a printer accepts PostScript input, then Oracle Solaris software sends the job to the printer. If a printer does not accept PostScript input, then the software converts the PostScript format to a raster image. The raster image is then converted to the appropriate printer format.
Because PostScript software is used to print label information, users cannot print PostScript files by default. This restriction prevents a knowledgeable PostScript programmer from creating a PostScript file that modifies the labels on the printer output.
The Security Administrator role can override this restriction by assigning the Print Postscript authorization to role accounts and to trustworthy users. The authorization is assigned only if the account can be trusted not to spoof the labels on printer output. Also, allowing a user to print PostScript files must be consistent with the site's security policy.
A printer model script enables a particular model of printer to provide banner and trailer pages. Trusted Extensions provides four scripts:
tsol_standard - For directly attached PostScript printers, for example, printers attached by a parallel port
tsol_netstandard - For network–accessible PostScript printers
tsol_standard_foomatic - For directly attached printers that do not print PostScript format
tsol_netstandard_foomatic - For network–accessible printers that do not print PostScript format
The foomatic scripts are used when a printer driver name begins with Foomatic. Foomatic drivers are PostScript Printer Drivers (PPD).
Note - When you add a printer to a labeled zone, “Use PPD” is specified by default in the Print Manager. A PPD is then used to translate banner and trailer pages into the language of the printer.
A conversion filter converts text files to PostScript format. The filter's programs are trusted programs that are run by the printer daemon. Files that are converted to PostScript format by any installed filter program can be trusted to have authentic labels and banner and trailer page text.
Oracle Solaris software provides most conversion filters that a site needs. A site's System Administrator role can install additional filters. These filters can then be trusted to have authentic labels, and banner and trailer pages. To add conversion filters, see Chapter 7, Customizing LP Printing Services and Printers (Tasks), in System Administration Guide: Printing.
Trusted Solaris 8 and Trusted Extensions systems that have compatible label_encodings files and that identify each other as using a CIPSO template can use each other for remote printing. The following table describes how to set up the systems to enable printing. By default, users cannot list or cancel print jobs on a remote print server of the other OS. Optionally, you can authorize users to do so.
The following user commands are extended to conform with Trusted Extensions security policy:
cancel – The caller must be equal to the label of the print job to cancel a job. By default, regular users can cancel only their own jobs.
lp – Trusted Extensions adds the -o nolabels option. Users must be authorized to print with no labels. Similarly, users must be authorized to use the -o nobanner option.
lpstat – The caller must be equal to the label of the print job to obtain the status of a job. By default, regular users can view only their own print jobs.
The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Oracle Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.
lpmove – The caller must be equal to the label of the print job to move a job. By default, regular users can move only their own print jobs.
lpadmin – In the global zone, this command works for all jobs. In a labeled zone, the caller must dominate the print job's label to view a job, and be equal to change a job.
Trusted Extensions adds printer model scripts to the -m option. Trusted Extensions adds the -o nolabels option.
lpsched – In the global zone, this command is always successful. As in the Oracle Solaris OS, use the svcadm command to enable, disable, start, or restart the print service. In a labeled zone, the caller must be equal to the label of the print service to change the print service. For details about the service management facility, see the smf(5), svcadm(1M), and svcs(1) man pages.
Trusted Extensions adds the solaris.label.print authorization to the Printer Management rights profile. The solaris.print.unlabeled authorization is required to print body pages without labels.