Trusted Solaris Administrator's Procedures

Chapter 11 Managing Printing

This chapter describes how to set up labeled printing in the Trusted Solaris environment. This chapter contains the following procedures:

Requirements Unique to Trusted Solaris Printers

Solaris print utilities and databases have been modified to meet Trusted Solaris requirements for:

The System Administrator role manages printers. The Security Administrator role manages printer security, including the handling of labeled output. The administrators follow basic printer administration procedures described in the Solaris System Administration Guide, Volume 2. See especially the sections "Print Management (Overview)" and "Setting Up Printers (Tasks)".

Configuring Printers in a Trusted Solaris Environment

The following table shows the tasks for configuring printers in a Trusted Solaris environment and the recommended roles and the tools that perform each task. The table provides links to procedures and other related documentation.

Table 11-1 Tasks for Configuring Printers

| Role | Rights Profile | Task | Tool | Notes |
|---|---|---|---|---|
| System Administrator | Device Management | Configures printers | Printer Administrator action | See "To Configure an Attached Printer", "To Configure a Network Printer for Labeled Output", and "To Add Access to a Remote Printer". See also "Starting Solaris Print Manager" and "Setting Up Printers (Tasks)" in the Solaris 8 System Administration Guide, Volume 2 and following for how to do the configuration. Note - Where the instructions tell you to become superuser, do the steps at ADMIN_LOW in the System Administrator role. |
| Security Administrator | Printer Security | Specifies a restricted label range for a printer (optional). The default is ADMIN_LOW to ADMIN_HIGH. | The Set Printer Label Range action or the add_allocatable(1M) command | See "To Configure a Restricted Label Range for a Printer". |

Printer clients can only submit print requests at labels that are allowed by the trusted network database entries for the printer client computer and printer server.

Allowing the Printing of PostScript Files

By default, users cannot print PostScript files. This restriction exists because a knowledgeable PostScript programmer could create a PostScript file that modifies the labels on the printer output.

If desired, the Security Administrator role can assign the Print PostScript authorization to trustworthy users and role accounts. The Security Administrator role should do so only if the account can be trusted not to spoof the labels on printer output and if permitting the printing of PostScript files is consistent with the site's security policy.

Adding Support for Additional File Types

A filter provided with the Trusted Solaris printing system converts text files to PostScript. Files converted to PostScript by any installed filter programs can be trusted to have authentic labels and banner and trailer page text because the filter's programs are trusted programs that are run by the printer daemon.

A site's System Administrator role can install additional filters, which then can be trusted to have authentic labels and banner and trailer pages. See the "Managing Character Sets, Filters, Forms, and Fonts (Tasks)" in System Administration Guide, Volume 2 for how to add filters.

Setting Up Printers That do not Support Security Features

PostScript printers are the only types of printers that support labels and other handling information on printer output and on mandatory banner and trailer pages. The following types of printers function correctly, but they do not support page labels or labeled banner and trailer pages.

If desired, the Trusted Solaris computer can be set up to send jobs to a printer connected to or managed by a computer (print server) that is not running Trusted Solaris software. Print servers connected to unlabeled servers can print jobs only at the single label that is specified for the print server in the trusted network databases on the Trusted Solaris computer. Jobs print without labels or trailer pages and without security information on banner pages.

Printing from unlabeled computers to a printer on a Trusted Solaris print server is supported.


Note -

A user submitting a job from a single-label computer to a Trusted Solaris print server cannot cancel that job and cannot remove the job from the print queue. When a user sends a job from a labeled computer, the trusted network provides the UID of the user sending the print request. For unlabeled computers, the UID of the sender of the job is not available, so the UID assigned to the print job does not match that of the submitting user.


Managing Network Printers

Network printers can print labels on body pages and banner and trailer pages if the printer is managed by a Trusted Solaris computer. See "To Configure a Network Printer for Labeled Output" for how to set this up.


Note -

A network printer can print jobs only at the single label specified in the template that is assigned to the network printer's IP address.


Controlling Whether Security Information is Printed on Print Jobs

The Security Administrator role can change the default for the printing of labels on body pages in the following ways:

By default, the Protect As classification is printed at the top and bottom of every body page. The "Protect As" classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification that is defined in the label_encodings file.

The label printed at the top and bottom of banner and trailer pages as shown in the following figure is specified by means of the /PageLabel definition.

Figure 11-1 Job's Label Printed on Body Pages


The /HeadLabel definition can be changed to put a different value or string at the top and bottom of the banner and trailer pages or to print nothing at all.

Print Job Information on Banner and Trailer Pages

The following figures show a default banner page and the differences in the default trailer page. The names of the various sections are shown because they are needed when configuring what appears.

All the text and the labels and warnings that appear on print jobs are site-configurable. The text can also be replaced with text in another language for localization.

Figure 11-2 Typical Print Job Banner Page


Figure 11-3 Differences on a Trailer Page


The following table shows aspects of trusted printing that the Security Administrator can change by assigning an authorization. For other printing-related authorizations see the Trusted Solaris Administration Overview.

Table 11-2 Modifiable Printing Features

| What Can Be Changed | Authorization Name | How to Change |
|---|---|---|
| Whether individual users can print jobs without labels on body pages | Print without Label | Assign a rights profile with the Print without Label authorization to the user. |
| Whether all users can print jobs without labels on body pages | Print without Label | Enter AUTHS_GRANTED=solaris.print.unlabeled in the policy.conf file. |
| Whether individual users can print jobs without banner or trailer pages | Print without Banner | Assign a rights profile with the Print without Banner authorization to the user. |
| Whether all users can print jobs without banner or trailer pages | Print without Banner | Enter AUTHS_GRANTED=solaris.print.nobanner in the policy.conf file. |

The Security Administrator role can do the following to modify defaults that set labels and handling caveats on printer output:


Note -

For how to do customizations or internationalization, see the comments in the tsol_separator.ps file.


Permitting Safe Jobs to Be Printed Without Labeled Pages

Certain users, such as technical writers, need to produce publicly-readable documents that do not have labels printed on the top and bottom of the pages. If a printer connected to a Solaris print server is available, the Security Administrator role can set up the users' environments so that the publicly-readable jobs go to the printer connected to the Solaris computer while jobs at all other labels go to Trusted Solaris computers. See "To Set Up Public Print Jobs from an Unlabeled Print Server". The procedure requires understanding of how to set up user accounts as described in Chapter 3, Managing User Accounts, and computer network entries as described in Chapter 8, Specifying Routing and Security for Remote Computers.

Managing Printing (Tasks)

To Set Up Printing to a Non-Trusted Solaris Server

Users send print jobs to the single-label printer at the same label assigned to the print server.

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Open the Solaris Management Console in the desired scope.

  3. Click Trusted Solaris Management Console, then Computers and Networks. Provide a password when prompted.

  4. Assign a template to the print server with the desired label.

    The template is assigned to the IP address of the unlabeled print server.

    See Chapter 8, Specifying Routing and Security for Remote Computers for how the Security Administrator assigns a single label to an unlabeled computer.

To Launch the Printer Administrator Action

  1. Assume the System Administrator role and go to an ADMIN_LOW workspace.

  2. In the System_Admin folder in the Application Manager, double-click the Printer Administrator action.

  3. Choose files to update local files or choose either NIS, NIS+(xfn) or NIS+ for a naming service.

To Configure an Attached Printer

  1. Connect the printer to a serial or parallel port on a print server using the appropriate cable, as described in the printer's installation guide.

  2. Assume the System Administrator role on the print server, and go to an ADMIN_LOW workspace.

  3. If the printer is connected to a serial port, make sure the correct baud rate is set, using the Serial Port tool from the Solaris Management Console Devices and Hardware manager.

    See the printer documentation for the correct baud rate. See also "Adjusting Printer Port Characteristics" in System Administration Guide, Volume 2.

  4. Bring up the Printer Administrator tool as described in "To Launch the Printer Administrator Action".

  5. Choose New Attached Printer from the Printer menu.

    If needed, follow the procedure "How to Add a New Attached Printer With Solaris Print Manager" in the "Setting Up Printers (Tasks)" in System Administration Guide, Volume 2.


    Caution -

    Do not change the Printer Type and File Contents settings from the default value of PostScript. If you do, printing will not work.


    If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable, you are done.

  6. To restrict the label range for the printer, go to "To Configure a Restricted Label Range for a Printer".

To Configure a Network Printer for Labeled Output

A network printer must be managed by a Trusted Solaris print server in order to print labeled output. A network printer prints only at the single label assigned to it in a Security Families template.

  1. Pick a printer name to be used as its host name, and assign the printer an IP address.

  2. Set up the printer as described in the printer's documentation.

  3. Assume the System Administrator role on the Trusted Solaris print server, and go to an ADMIN_LOW workspace.

  4. Add an entry for the printer using the Computers tool in the Solaris Management Console.

    The scope of the toolbox that you load determines whether the entry is made in the local hosts file, NIS map or NIS+ table.

    1. Double-click Trusted Solaris Configuration->Computers and Networks->Computers.

    2. Select Action->Add Computer.

    3. On the Add Computer dialog, type the printer name in the Name field, type the printer's IP address in the IP Address field, and click OK.

  5. Create a new unlabeled template, assigning it the ADMIN_HIGH label.

    1. Double-click Trusted Solaris Configuration->Computers and Networks->Security Families.

    2. In the Action menu, select Add->Template.

    3. On the New Template dialog->Basic Information tab

      1. Assign a Name.

      2. Select Unlabeled from the Host Type menu and specify the Minimum Label and the Maximum Label as ADMIN_HIGH.

      3. Assign a Label and a Clearance of ADMIN_HIGH, and click OK in the New Template dialog box.

  6. Assign the new template to the host name or IP address of the printer by double-clicking the icon for the new template.

  7. In the Action menu, select Add->Host.

  8. In the New Remote Host Entry dialog, enter the Host Name and IP address, then click OK.

  9. Configure the printer on the Trusted Solaris computer using the LP administration commands.

    Complete the setup of the Network printer on the Trusted Solaris computer by following the procedure "How To Add A Network Printer Using LP Commands" in the "Setting Up Printers (Tasks)" in System Administration Guide, Volume 2.

To Configure a Restricted Label Range for a Printer

Do this procedure only if you need to restrict the label range for a printer that is controlled by a Trusted Solaris print server. The default printer label range is ADMIN_LOW to ADMIN_HIGH.

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

    See "To Log In and Assume a Role", if needed.

  2. Bring up the Device Allocation Manager.

    Either select the Allocate Device option from the Trusted Path menu or launch the Device Allocation Manager action from the Tools subpanel on the Front Panel.

  3. Click the Device Administration button to display the Device Allocation: Administration dialog box.

  4. Select the name of the new printer.

  5. Click the Configure button to display the Device Allocation: Configuration dialog box, as shown in the following figure.

    [Figure: Device Allocation: Configuration dialog box]

  6. Change the label range as desired by clicking the Min Label and Max Label buttons and using the label builders that display to select the desired label.

  7. Click the OK button on the Configuration dialog box to save the label changes, click the OK button on the Administration dialog box to close it, and then close the Device Allocation Manager.

To Add Access to a Remote Printer


Note -

If either NIS+ or NIS was specified as the naming service when the print server was configured, this procedure is not needed on any NIS+ or NIS clients in the domain.


  1. On the local computer, access the Printer Administrator.

    See "To Launch the Printer Administrator Action", if needed.

  2. See "How to Add Printer Access With Solaris Print Manager" in "Setting Up Printers (Tasks)" in System Administration Guide, Volume 2.

To Enable Some Users to Print Without Banners and Trailer Pages


Caution -

If the Always Print Banner check box on the Printer Administrator dialog is checked, banner and trailer pages always print, even if the user has the solaris.print.nobanner authorization and uses the -o nobanner option to lp.


  1. Bring up the Printer Administrator on the print server.

    See "To Launch the Printer Administrator Action", if needed.

  2. Make sure that the Always Print Banner check box is not checked.

    [Figure: Always Print Banner check box on the Printer Administrator dialog]

  3. Exit the Printer Administrator.

  4. Make sure that the solaris.print.nobanner authorization is in one of the profiles assigned to each user or role that is allowed to print without banner and trailer pages.

    See "To Assign Printing-Related Authorization(s) to an Account", if needed.

  5. Instruct the user or role to submit jobs using the lp command with the option -o nobanner.


    trustworthy% lp -o nobanner staff.mtg.notes
    

To Assign Printing-Related Authorization(s) to an Account

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Bring up the User Accounts tool.

  3. Make sure that the desired print-related authorization is contained in one of the user's rights profiles.

To Suppress the Printing of Page Labels on All Print Jobs

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Use the Admin Editor action to edit the /usr/lib/lp/postscript/tsol_separator.ps file.

    See "To Edit a Local File", if needed.

  3. Find the following lines:


    %% To eliminate page labels completely, change this line to
    %% set the page label to an empty string: /PageLabel () def
    /PageLabel Job_SL_Internal def
               

    Note -

    The value of Job_PageLabel may have been changed at your site.


  4. Replace the value of /PageLabel with empty parentheses.


    /PageLabel () def
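
An added example (not part of the original guide or of Trusted Solaris): a read-only POSIX shell check for the two site-wide changes described in Table 11-2 and in the procedure above, namely AUTHS_GRANTED entries in policy.conf and an emptied /PageLabel in tsol_separator.ps. The function names, the site.example.auth entry and the sample file contents are constructed for illustration, and reporting wildcard grants such as solaris.print.* is an assumption about how a site might assign these authorizations.

```sh
#!/bin/sh
# Added example: report settings that weaken labeled printing site-wide.

# List AUTHS_GRANTED entries that let ALL users print without labels or
# banners. Commented-out lines are ignored; wildcard grants that would
# cover the two authorizations are reported as well (assumption).
global_print_auths() {
    sed -n 's/^[[:space:]]*AUTHS_GRANTED[[:space:]]*=[[:space:]]*//p' "$1" |
    tr ',' '\n' | tr -d ' \t' |
    while read -r auth; do
        case $auth in
            solaris.print.unlabeled|solaris.print.nobanner) echo "$auth" ;;
            'solaris.*'|'solaris.print.*') echo "$auth" ;;
        esac
    done
}

# Report the active /PageLabel definition in the separator file.
# The shipped comment itself contains "/PageLabel () def", so everything from
# "%" onward is stripped first (assumes no "%" inside a label string).
# The last definition wins in PostScript, hence tail -n 1.
page_label_state() {
    value=$(sed 's/%.*//' "$1" |
        sed -n 's|^[[:space:]]*/PageLabel[[:space:]]\{1,\}\(.*\)[[:space:]]\{1,\}def[[:space:]]*$|\1|p' |
        tail -n 1)
    case $(printf %s "$value" | tr -d ' \t') in
        '')   echo "missing" ;;
        '()') echo "suppressed" ;;
        *)    echo "labeled:$value" ;;
    esac
}

# Constructed sample inputs (not taken from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/policy.conf" <<'EOF'
# AUTHS_GRANTED=solaris.print.unlabeled
AUTHS_GRANTED=site.example.auth,solaris.print.nobanner
EOF
    cat > "$dir/tsol_separator.ps" <<'EOF'
%% To eliminate page labels completely, change this line to
%% set the page label to an empty string: /PageLabel () def
/PageLabel Job_SL_Internal def
EOF
    echo "granted to all users: $(global_print_auths "$dir/policy.conf")"
    echo "page labels: $(page_label_state "$dir/tsol_separator.ps")"
    rm -rf "$dir"
}
demo
```

On a live system, pass /etc/security/policy.conf and /usr/lib/lp/postscript/tsol_separator.ps to the two functions. Authorizations granted to individual accounts through rights profiles are not covered by this check.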

To Allow Some Users to Print Jobs Without Page Labels

  1. Make sure that the Print Without Label authorization is in one of the profiles assigned to each user or role that is allowed to print jobs without labels at the top and bottom of each page.

    See "To Assign Printing-Related Authorization(s) to an Account", if needed.

  2. Make sure that the user or role submits jobs using lp with the option -o nolabels.


    trustworthy% lp -o nolabels staff.mtg.notes
    

    Doing this procedure enables an authorized user or role to print jobs without labels when working at any label.

To Set Up Public Print Jobs from an Unlabeled Print Server

Files that are available to the general public may be printed on an unlabeled printer.

  1. In the tnrhdb/tnrhtp entries that define an unlabeled print server, assign to the print server the appropriate label.

    For example, a site may label files that are available to the general public as PUBLIC or UNCLASSIFIED.

  2. Do the following three steps for each user or role allowed to print publicly-readable files without page labels.

    1. Make sure that the public label is in each account's personal label range.

    2. Instruct each user to define the PRINTER variable in the appropriate shell initialization file in the user's publicly-labeled home directory SLD.

      1. Go to the publicly-labeled home directory SLD.

      2. Open the .login or .profile file (as appropriate) for editing.

      3. Define the PRINTER variable to be the name of the printer connected to the unlabeled print server.

        When a printer named nolabels is connected to a single-label print server whose label is PUBLIC, the .login or .profile file in the PUBLIC SLD directory would have the following environment variable defined.


        setenv PRINTER nolabels

      4. Write and quit the file.

    3. Have each affected account log out and log in again to put the changed printer definitions in effect.

    4. Have each affected account create and print jobs that need to be printed without labels from within the publicly-labeled SLD.