Solaris Trusted Extensions Administrator's Procedures

Chapter 21 Managing Labeled Printing (Tasks)

This chapter describes how to use Solaris Trusted Extensions software to configure labeled printing. It also describes how to configure print jobs without the labeling options.

Labels, Printers, and Printing

Trusted Extensions software uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printed output. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.

The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Solaris printer administration procedures, then they assign labels to the print servers and printers.

Trusted Extensions software supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. To use the global zone's print server, a labeled zone must have a host name that is different from the global zone. One way to obtain a distinct host name is to assign an IP address to the labeled zone. The address would be distinct from the global zone's IP address.

Restricting Access to Printers and Print Job Information in Trusted Extensions

Users and roles on a system that is configured with Trusted Extensions software create print jobs at the label of their session. The print jobs can print only on printers that recognize that label. The label must be in the printer's label range.

Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.

Printers that are configured with Trusted Extensions software print labels on the printer output. Printers that are managed by unlabeled print servers do not print labels on the printer output. Such printers have the same label as their unlabeled server. For example, a Solaris print server can be assigned an arbitrary label in the tnrhdb database of the LDAP naming service. Users can then print jobs at that arbitrary label on the Solaris printer. As with Trusted Extensions printers, those Solaris printers can only accept print jobs from users who are working at the label that has been assigned to the print server.

Labeled Printer Output

Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the label_encodings file and from the tsol_separator.ps file.

The security administrator can do the following to modify defaults that set labels and add handling instructions to printer output:

The security administrator can also configure user accounts to use printers that do not print labels on the output. Users can also be authorized to selectively not print banners or labels on printer output.

Labeled Body Pages

By default, the “Protect As” classification is printed at the top and bottom of every body page. The “Protect As” classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.

For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.

Figure 21–1 Job's Label Printed at the Top and Bottom of a Body Page

Illustration shows a sample banner page with the label
printed at the top and bottom of the page.

Labeled Banner and Trailer Pages

The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. Note that the trailer page uses a different outer line.

The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization.

Figure 21–2 Typical Banner Page of a Labeled Print Job

Illustration shows a banner page with job number, classifications,
and handling instructions.

Figure 21–3 Differences on a Trailer Page

Illustration shows that the trailer page reads JOB END,
while the banner page reads JOB START at the bottom of the page.

The following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/lp/postscript/tsol_separator.ps file.


Note –

To localize or internationalize the printed output, see the comments in the tsol_separator.ps file.


Table 21–1 Configurable Values in the tsol_separator.ps File

Output 

Default Value 

How Defined 

To Change 

PRINTER BANNERS

/Caveats Job_Caveats

/Caveats Job_Caveats

See Specifying Printer Banners in Solaris Trusted Extensions Label Administration.

CHANNELS

/Channels Job_Channels

/Channels Job_Channels

See Specifying Channels in Solaris Trusted Extensions Label Administration.

Label at the top of banner and trailer pages 

/HeadLabel Job_Protect def

See /PageLabel description.

The same as changing /PageLabel..

Also see Specifying the “Protect As” Classification in Solaris Trusted Extensions Label Administration.

Label at the top and bottom of body pages 

/PageLabel Job_Protect def

Compares the label of the job to the minimum protect as classification in the label_encodings file. Prints the more dominant classification.

Contains compartments if the print job's label has compartments. 

Change the /PageLabel definition to specify another value.

Or, type a string of your choosing. 

Or, print nothing at all. 

Text and label in the “Protect as” classification statement 

/Protect Job_Protect def

/Protect_Text1 () def

/Protect_Text2 () def

See /PageLabel description.

Text to appear above label. 

Text to appear below label. 

The same as changing /PageLabel.

Replace () in Protect_Text1 and Protect_Text2 with text string.

PostScript Printing of Security Information

Labeled printing in Trusted Extensions relies on features from Solaris printing. In the Solaris OS, printer model scripts handle banner page creation. To implement labeling, a printer model script first converts the print job to a PostScriptTM file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.

Solaris printer model scripts can also translate PostScript into the native language of a printer. If a printer accepts PostScript input, then Solaris software sends the job to the printer. If a printer does not accept PostScript input, then the software converts the PostScript format to a raster image. The raster image is then converted to the appropriate printer format.

Because PostScript software is used to print label information, users cannot print PostScript files by default. This restriction prevents a knowledgeable PostScript programmer from creating a PostScript file that modifies the labels on the printer output.

The Security Administrator role can override this restriction by assigning the Print Postscript authorization to role accounts and to trustworthy users. The authorization is assigned only if the account can be trusted not to spoof the labels on printer output. Also, allowing a user to print PostScript files must be consistent with the site's security policy.

Printer Model Scripts

A printer model script enables a particular model of printer to provide banner and trailer pages. Trusted Extensions provides four scripts:

The foomatic scripts are used when a printer driver name begins with Foomatic. Foomatic drivers are PostScript Printer Drivers (PPD). By default, “Use PPD” is specified in the Print Manager when you add a printer. A PPD is then used to translate banner and trailer pages into the language of the printer.

Additional Conversion Filters

A conversion filter converts text files to PostScript format. The filter's programs are trusted programs that are run by the printer daemon. Files that are converted to PostScript format by any installed filter program can be trusted to have authentic labels and banner and trailer page text.

Solaris software provides most conversion filters that a site needs. A site's System Administrator role can install additional filters. These filters can then be trusted to have authentic labels, and banner and trailer pages. To add conversion filters, see Chapter 9, Customizing LP Printing Services and Printers (Tasks), in System Administration Guide: Solaris Printing.

Interoperability of Trusted Extensions With Trusted Solaris 8 Printing

Trusted Solaris 8 and Trusted Extensions systems that have compatible label_encodings files and that identify each other as using a CIPSO template can use each other for remote printing. The following table describes how to set up the systems to enable printing. By default, users cannot list or cancel print jobs on a remote print server of the other OS. Optionally, you can authorize users to do so.

Originating System 

Print Server System 

Action 

Results 

Trusted Extensions 

Trusted Solaris 8 

Configure printing – In the Trusted Extensions tnrhdb, assign a template with the appropriate label range to the Trusted Solaris 8 print server. The label could be CIPSO or unlabeled.

Trusted Solaris 8 printer can print jobs from a Trusted Extensions system within the printer's label range. 

Trusted Extensions 

Trusted Solaris 8 

Authorize users – On the Trusted Extensions system, create a profile that adds the needed authorizations. Assign the profile to users. 

Trusted Extensions users can list or cancel print jobs that they send to a Trusted Solaris 8 printer. 

Users cannot view or remove jobs at a different label. 

Trusted Solaris 8 

Trusted Extensions 

Configure printing – In the Trusted Solaris 8 tnrhdb, assign a template with the appropriate label range to the Trusted Extensions print server. The label could be CIPSO or unlabeled.

Trusted Extensions printer can print jobs from a Trusted Solaris 8 system within the printer's label range. 

Trusted Solaris 8 

Trusted Extensions 

Authorize users – On the Trusted Solaris 8 system, create a profile that adds the needed authorizations. Assign the profile to users. 

Trusted Solaris 8 users can list or cancel print jobs that they send to a Trusted Extensions printer. 

Users cannot view or remove jobs at a different label. 

Trusted Extensions Print Interfaces (Reference)

The following user commands are extended to conform with Trusted Extensions security policy:

The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.

Trusted Extensions adds the solaris.label.print authorization to the Printer Management rights profile. The solaris.print.unlabeled authorization is required to print body pages without labels.

Managing Printing in Trusted Extensions (Task Map)

Trusted Extensions procedures for configuring printing are performed after completing Solaris printer setup. The following task map points to the major tasks that manage labeled printing.

Task 

Description 

For Instructions 

Configure printers for labeled output. 

Enables users to print to a Trusted Extensions printer. The print jobs are marked with labels. 

Configuring Labeled Printing (Task Map)

Remove visible labels from printer output. 

Enables users to print at a specific label to a Solaris printer. The print jobs are not marked with labels. 

Or, prevents labels from printing on a Trusted Extensions printer. 

Reducing Printing Restrictions in Trusted Extensions (Task Map)

Configuring Labeled Printing (Task Map)

The following task map describes common configuration procedures that are related to labeled printing.


Note –

Printer clients can only print jobs within the label range of the Trusted Extensions print server.


Task 

Description 

For Instructions 

Start the Print Manager. 

Uses a GUI to identify the printer to the network or to the local system. The system administrator starts the GUI in an administrative role workspace. 

Chapter 6, Setting Up and Administering Printers by Using LP Print Commands (Tasks), in System Administration Guide: Solaris Printing

Configure printing from the global zone. 

Creates a multilevel print server in the global zone. 

How to Configure a Multilevel Print Server and Its Printers

Configure printing from a labeled zone. 

Creates a single–label print server for a labeled zone. 

How to Configure a Zone for Single-Label Printing

Configure a multilevel print client. 

Connects a Trusted Extensions host to a printer. 

How to Enable a Trusted Extensions Client to Access a Printer

Restrict the label range of a printer. 

Limits a Trusted Extensions printer to a narrow label range. 

How to Configure a Restricted Label Range for a Printer

ProcedureHow to Configure a Multilevel Print Server and Its Printers

Printers that are managed by a Trusted Extensions print server print labels on body pages, banner pages, and trailer pages. Such printers can print jobs within the label range of the print server. Any Trusted Extensions host that can reach the print server can use the printers that are connected to that server.

Before You Begin

Determine the print server for your Trusted Extensions network. You must be in the System Administrator role in the global zone on this print server.

  1. Start the Solaris Management Console.

    For details, see How to Administer the Local System With the Solaris Management Console.

  2. Choose the Files toolbox.

    The title of the toolbox includes Scope=Files, Policy=TSOL.

  3. Enable multilevel printing by configuring the global zone with the print server port, 515/tcp.

    Create a multilevel port (MLP) for the print server by adding the port to the global zone.

    1. Navigate to the Trusted Network Zones tool.

    2. In the Multilevel Ports for Zone's IP Addresses, add 515/tcp.

    3. Click OK.

  4. Define the characteristics of the connected printers.

    1. Start the Print Manager.

    2. Define the make and model of a connected printer.

      In the Print Manager, you supply the values for the first two fields, then the Print Manager supplies the driver name.


      Printer Make   manufacturer
      Printer Model  manufacturer-part-number
      Printer Driver automatically filled in
      
  5. Assign a printer model script to each printer that is connected to the print server.

    The model script activates the banner and trailer pages for the specified printer.

    For your choice of scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. Use the following command:


    $ lpadmin -p printer -m model
    

    If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable for every printer, then your label configuration is done.

See Also

ProcedureHow to Configure a Zone for Single-Label Printing

Before You Begin

The zone must not be sharing an IP address with the global zone. You must be in the System Administrator role in the global zone.

  1. Add a workspace.

    For details, see How to Add a Workspace at a Particular Label in Solaris Trusted Extensions User’s Guide.

  2. Change the label of the new workspace to the label of the zone that will be the print server for that label.

    For details, see How to Change the Label of a Workspace in Solaris Trusted Extensions User’s Guide.

  3. Define the characteristics of the connected printers.

    1. At the label of zone, start the Print Manager.

      By default, the “Use PPD” checkbox is selected. The system finds the appropriate driver for the printer.

    2. (Optional) To specify a different printer driver, do the following:

      1. Remove the check from “Use PPD”.

      2. Define the make and model of the printer that uses a different driver.

        In the Print Manager, you supply the values for the first two fields, then the Print Manager supplies the driver name.


        Printer Make   manufacturer
        Printer Model  manufacturer-part-number
        Printer Driver automatically filled in
        
  4. Assign a printer model script to each printer that is connected to the zone.

    The model script activates the banner and trailer pages for the specified printer.

    For your choices of scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. Use the following command:


    $ lpadmin -p printer -m model
    

    The attached printers can print jobs only at the label of the zone.

See Also

ProcedureHow to Enable a Trusted Extensions Client to Access a Printer

Initially, only the zone in which a print server was configured can print to the printers of that print server. The system administrator must explicitly add access to those printers for other zones and systems. The possibilities are as follows:

Before You Begin

A print server has been configured with a label range or a single label, and the printers that are connected to it have been configured. For details, see the following:

You must be in the System Administrator role in the global zone, or be able to assume the role.

  1. Complete the procedures that enable your systems to access a printer.

    To use the Print Manager instead of the lpadmin command, see Example 21–1.

    • Configure the global zone on a system that is not a print server to use another system's global zone for printer access.

      1. On the system that does not have printer access, assume the System Administrator role.

      2. Add access to the printer that is connected to the Trusted Extensions print server.


        $ lpadmin -s printer
        
    • Configure a labeled zone to use its global zone for printer access.

      1. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Solaris Trusted Extensions User’s Guide.

      2. Add access to the printer.


        $ lpadmin -s printer
        
    • Configure a labeled zone to use another system's labeled zone for printer access.

      The labels of the zones must be identical.

      1. On the system that does not have printer access, assume the System Administrator role.

      2. Change the label of the role workspace to the label of the labeled zone.

      3. Add access to the printer that is connected to the print server of the remote labeled zone.


        lpadmin -s printer
        
    • Configure a labeled zone to use an unlabeled print server for printer access.

      The label of the zone must be identical to the label of the print server.

      1. On the system that does not have printer access, assume the System Administrator role.

      2. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Solaris Trusted Extensions User’s Guide.

      3. Add access to the printer that is connected to the arbitrarily labeled print server.


        $ lpadmin -s printer
        

Example 21–1 Using the Print Manager to Enable Printer Access

Rather than run the lpadmin command, choose the Add button from the Print Manager. The Print Manager must be started in the same zone at the same label as the lpadmin -s  printer command.


ProcedureHow to Configure a Restricted Label Range for a Printer

The default printer label range is ADMIN_LOW to ADMIN_HIGH. This procedure narrows the label range for a printer that is controlled by a Trusted Extensions print server.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Start the Device Manager.

    Choose the Allocate Device option from the Trusted Path menu.

  2. Click the Administration button to display the Device Administration dialog box.

  3. Type a name for the new printer.

    If the printer is attached to your system, find the name of the printer.

  4. Click the Configure button to display the Device Configuration dialog box.

  5. Change the printer's label range.

    1. Click the Min Label button to change the minimum label.

      Choose a label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.

    2. Click the Max Label button to change the maximum label.

  6. Save the changes.

    1. Click OK in the Configuration dialog box.

    2. Click OK in the Administration dialog box.

  7. Close the Device Manager.

Reducing Printing Restrictions in Trusted Extensions (Task Map)

The following tasks are optional. They reduce the printing security that Trusted Extensions provides by default when the software is installed.

Task 

Description 

For Instructions 

Configure a printer to not label output. 

Prevents security information from printing on body pages, and removes banner and trailer pages. 

How to Remove Labels From Printed Output

Configure printers at a single label without labeled output. 

Enables users to print at a specific label to a Solaris printer. The print jobs are not marked with labels. 

How to Assign a Label to an Unlabeled Print Server

Remove visible labeling of body pages. 

Modifies the tsol_separator.ps file to prevent labeled body pages on all print jobs that are sent from a Trusted Extensions host.

How to Remove Page Labels From All Print Jobs

Suppress banner and trailer pages. 

Authorizes specific users to print jobs without banner and trailer pages. 

How to Suppress Banner and Trailer Pages for Specific Users

Enable trusted users to print jobs without labels. 

Authorizes specific users or all users of a particular system to print jobs without labels. 

How to Enable Specific Users to Suppress Page Labels

Enable the printing of PostScript files. 

Authorizes specific users or all users of a particular system to print PostScript files. 

How to Enable Users to Print PostScript Files in Trusted Extensions

Assign printing authorizations. 

Enables users to bypass default printing restrictions. 

How to Create a Rights Profile for Convenient Authorizations

How to Modify policy.conf Defaults

ProcedureHow to Remove Labels From Printed Output

Printers that do not have a Trusted Extensions printer model script do not print labeled banner or trailer pages. The body pages also do not include labels.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. At the appropriate label, do one of the following:

    • From the print server, stop banner printing altogether.


      % lpadmin -p printer -o nobanner=never

      Body pages are still labeled.

    • Set the printer model script to a Solaris script.


      % lpadmin -p printer  \
      -m { standard | netstandard | standard_foomatic | netstandard_foomatic }

      No labels appear on printed output.

ProcedureHow to Assign a Label to an Unlabeled Print Server

A Solaris print server is an unlabeled print server that can be assigned a label for Trusted Extensions access to the printer at that label. Printers that are connected to an unlabeled print server can print jobs only at the label that has been assigned to the print server. Jobs print without labels or trailer pages and might print without banner pages. If a job prints with a banner page, the page does not contain any security information.

A Trusted Extensions system can be configured to submit jobs to a printer that is managed by an unlabeled print server. Users can print jobs on the unlabeled printer at the label that the security administrator assigns to the print server.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Open the Solaris Management Console in the appropriate scope.

    For details, see Initialize the Solaris Management Console Server in Trusted Extensions.

  2. Under System Configuration, navigate to the Computers and Networks tool.

    Provide a password when prompted.

  3. Assign an unlabeled template to the print server.

    For details, see How to Assign a Security Template to a Host or a Group of Hosts.

    Choose a label. Users who are working at that label can send print jobs to the Solaris printer at the label of the print server. Pages do not print with labels, and banner and trailer pages are also not part of the print job.


Example 21–2 Sending Public Print Jobs to an Unlabeled Printer

Files that are available to the general public are suitable for printing to an unlabeled printer. In this example, marketing writers need to produce documents that do not have labels printed on the top and bottom of the pages.

The security administrator assigns an unlabeled host type template to the Solaris print server. The template is described in Example 19–6. The arbitrary label of the template is PUBLIC. The printer pr-nolabel1 is connected to this print server. Print jobs from users in a PUBLIC zone print on the pr-nolabel1 printer with no labels. Depending on the settings for the printer, the jobs might or might not have banner pages. The banner pages do not contain security information.


ProcedureHow to Remove Page Labels From All Print Jobs

This procedure prevents all print jobs on a Trusted Extensions printer from including visible labels on the body pages of the print job.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Edit the /usr/lib/lp/postscript/tsol_separator.ps file.

    Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

  2. Find the definition of /PageLabel.

    Find the following lines:


    %% To eliminate page labels completely, change this line to
    %% set the page label to an empty string: /PageLabel () def
    /PageLabel Job_PageLabel def

    Note –

    The value Job_PageLabel might be different at your site.


  3. Replace the value of /PageLabel with a set of empty parentheses.


    /PageLabel () def

ProcedureHow to Enable Specific Users to Suppress Page Labels

This procedure enables an authorized user or role to print jobs on a Trusted Extensions printer without labels on the top and bottom of each body page. Page labels are suppressed for all labels at which the user can work.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Determine who is permitted to print jobs without page labels.

  2. Authorize those users and roles to print jobs without page labels.

    Assign a rights profile that includes the Print without Label authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations.

  3. Instruct the user or role to use the lp command to submit print jobs:


    % lp -o nolabels staff.mtg.notes
    

ProcedureHow to Suppress Banner and Trailer Pages for Specific Users

Before You Begin

The Always Print Banner checkbox in the Print Manager dialog box does not contain a checkmark.

Window part shows the Always Print Banner without a checkmark.

You must be in the Security Administrator role in the global zone.

  1. Create a rights profile that includes the Print without Banner authorization.

    Assign the profile to each user or role that is allowed to print without banner and trailer pages.

    For details, see How to Create a Rights Profile for Convenient Authorizations.

  2. Instruct the user or role to use the lp command to submit print jobs:


    % lp -o nobanner staff.mtg.notes
    

ProcedureHow to Enable Users to Print PostScript Files in Trusted Extensions

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Use one of the following three methods to enable users to print PostScript files:

    • To enable PostScript printing on a system, modify the /etc/default/print file.

      1. Create or modify the /etc/default/print file.

        Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

      2. Type the following entry:


        PRINT_POSTSCRIPT=1
      3. Save the file and close the editor.

    • To authorize all users to print PostScript files from a system, modify the /etc/security/policy.conf file.

      1. Modify the policy.conf file.

        Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

      2. Add the solaris.print.ps authorization.


        AUTHS_GRANTED=other-authorizations,solaris.print.ps
      3. Save the file and close the editor.

    • To enable a user or role to print PostScript files from any system, give just those users and roles the appropriate authorization.

      Assign a profile that includes the Print Postscript authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations.


Example 21–3 Enabling PostScript Printing From a Public System

In the following example, the security administrator has constrained a public kiosk to operate at the PUBLIC label. The system also has a few icons that open topics of interest. These topics can be printed.

The security administrator creates an /etc/default/print file on the system. The file has one entry to enable the printing of PostScript files. No user needs a Print Postscript authorization.


# vi /etc/default/print

# PRINT_POSTSCRIPT=0
PRINT_POSTSCRIPT=1