Oracle Solaris Trusted Extensions Administrator's Procedures

Chapter 15 Managing Labeled Printing (Tasks)

This chapter describes how to use Solaris Trusted Extensions software to configure labeled printing. It also describes how to configure print jobs without the labeling options.

Labels, Printers, and Printing

Trusted Extensions software uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printed output. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.

The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Solaris printer administration procedures, then they assign labels to the print servers and printers.

Trusted Extensions software supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. To use the global zone's print server, a labeled zone must have a host name that is different from the global zone. One way to obtain a distinct host name is to assign an IP address to the labeled zone. The address would be distinct from the global zone's IP address.

Restricting Access to Printers and Print Job Information in Trusted Extensions

Users and roles on a system that is configured with Trusted Extensions software create print jobs at the label of their session. The print jobs can print only on printers that recognize that label. The label must be in the printer's label range.

Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.

Printers that are configured with Trusted Extensions software print labels on the printer output. Printers that are managed by unlabeled print servers do not print labels on the printer output. Such printers have the same label as their unlabeled server. For example, a Solaris print server can be assigned an arbitrary label in the tnrhdb database of the LDAP naming service. Users can then print jobs at that arbitrary label on the Solaris printer. As with Trusted Extensions printers, those Solaris printers can only accept print jobs from users who are working at the label that has been assigned to the print server.

Labeled Printer Output

Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the label_encodings file and from the tsol_separator.ps file.

The security administrator can do the following to modify defaults that set labels and add handling instructions to printer output:

The security administrator can also configure user accounts to use printers that do not print labels on the output. Users can also be authorized to selectively not print banners or labels on printer output.

Labeled Body Pages

By default, the “Protect As” classification is printed at the top and bottom of every body page. The “Protect As” classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.

For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.
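The label comparisons described in the two sections above, as an added example that is not part of this guide or of the Trusted Extensions software: a small Python model of label dominance, the printer label range check, print job visibility, and the "Protect As" computation for body pages. The classification ordering and the labels are constructed stand-ins for what a real label_encodings file would define.

```python
"""Model of Trusted Extensions printing label checks (added example, not Oracle code)."""
from dataclasses import dataclass

# Constructed classification ordering: a higher value dominates a lower one.
# A real site reads this ordering from its label_encodings file.
CLASSIFICATIONS = {
    "ADMIN_LOW": 0,
    "PUBLIC": 1,
    "INTERNAL USE ONLY": 2,
    "CONFIDENTIAL": 3,
    "ADMIN_HIGH": 255,
}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self dominates other when its classification is at least as high and
        its compartments are a superset of other's. ADMIN_HIGH dominates every
        label and every label dominates ADMIN_LOW."""
        if self.classification == "ADMIN_HIGH" or other.classification == "ADMIN_LOW":
            return True
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.compartments >= other.compartments)

    def __str__(self) -> str:
        if self.compartments:
            return f"{self.classification} {' '.join(sorted(self.compartments))}"
        return self.classification


def job_accepted(job: Label, printer_min: Label, printer_max: Label) -> bool:
    """A printer accepts a job only when the job's label lies within the
    printer's label range: the job dominates the minimum and the maximum
    dominates the job."""
    return job.dominates(printer_min) and printer_max.dominates(job)


def job_visible(job: Label, viewer: Label, in_global_zone: bool) -> bool:
    """Users and roles see jobs at exactly their session label; a role in the
    global zone sees every job whose label the zone's label dominates."""
    if in_global_zone:
        return viewer.dominates(job)
    return job == viewer


def protect_as(job: Label, minimum_protect_as: str) -> Label:
    """Body-page label: the more dominant of the job's classification and the
    minimum protect as classification. The job's compartments are kept."""
    if CLASSIFICATIONS[minimum_protect_as] > CLASSIFICATIONS[job.classification]:
        return Label(minimum_protect_as, job.compartments)
    return Label(job.classification, job.compartments)


if __name__ == "__main__":
    internal = Label("INTERNAL USE ONLY")
    print("body page label:", protect_as(internal, "PUBLIC"))
    print("accepted on default range:",
          job_accepted(internal, Label("ADMIN_LOW"), Label("ADMIN_HIGH")))
```

With the constructed ordering, an Internal Use Only job printed at a site whose minimum protect as classification is Public carries the Internal Use Only label on its body pages, while a Public job at a site whose minimum is Internal Use Only is also marked Internal Use Only, which is the behaviour the table of tsol_separator.ps values describes for /PageLabel.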

Figure 15–1 Job's Label Printed at the Top and Bottom of a Body Page

Illustration shows a sample banner page with the label
printed at the top and bottom of the page.

Labeled Banner and Trailer Pages

The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. Note that the trailer page uses a different outer line.

The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization.

Figure 15–2 Typical Banner Page of a Labeled Print Job

Illustration shows a banner page with job number, classifications,
and handling instructions.

Figure 15–3 Differences on a Trailer Page

Illustration shows that the trailer page reads JOB END,
while the banner page reads JOB START at the bottom of the page.

The following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/lp/postscript/tsol_separator.ps file.


Note –

To localize or internationalize the printed output, see the comments in the tsol_separator.ps file.


Table 15–1 Configurable Values in the tsol_separator.ps File

Output: PRINTER BANNERS
  Default Value: /Caveats Job_Caveats
  How Defined: /Caveats Job_Caveats
  To Change: See Specifying Printer Banners in Oracle Solaris Trusted Extensions Label Administration.

Output: CHANNELS
  Default Value: /Channels Job_Channels
  How Defined: /Channels Job_Channels
  To Change: See Specifying Channels in Oracle Solaris Trusted Extensions Label Administration.

Output: Label at the top of banner and trailer pages
  Default Value: /HeadLabel Job_Protect def
  How Defined: See /PageLabel description.
  To Change: The same as changing /PageLabel. Also see Specifying the Protect As Classification in Oracle Solaris Trusted Extensions Label Administration.

Output: Label at the top and bottom of body pages
  Default Value: /PageLabel Job_Protect def
  How Defined: Compares the label of the job to the minimum protect as classification in the label_encodings file. Prints the more dominant classification. Contains compartments if the print job's label has compartments.
  To Change: Change the /PageLabel definition to specify another value. Or, type a string of your choosing. Or, print nothing at all.

Output: Text and label in the “Protect as” classification statement
  Default Value: /Protect Job_Protect def; /Protect_Text1 () def; /Protect_Text2 () def
  How Defined: /Protect: see /PageLabel description. /Protect_Text1: text to appear above the label. /Protect_Text2: text to appear below the label.
  To Change: /Protect: the same as changing /PageLabel. /Protect_Text1 and /Protect_Text2: replace () with a text string.

PostScript Printing of Security Information

Labeled printing in Trusted Extensions relies on features from Solaris printing. In the Solaris OS, printer model scripts handle banner page creation. To implement labeling, a printer model script first converts the print job to a PostScript file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.

Solaris printer model scripts can also translate PostScript into the native language of a printer. If a printer accepts PostScript input, then Solaris software sends the job to the printer. If a printer does not accept PostScript input, then the software converts the PostScript format to a raster image. The raster image is then converted to the appropriate printer format.

Because PostScript software is used to print label information, users cannot print PostScript files by default. This restriction prevents a knowledgeable PostScript programmer from creating a PostScript file that modifies the labels on the printer output.

The Security Administrator role can override this restriction by assigning the Print Postscript authorization to role accounts and to trustworthy users. The authorization is assigned only if the account can be trusted not to spoof the labels on printer output. Also, allowing a user to print PostScript files must be consistent with the site's security policy.

Printer Model Scripts

A printer model script enables a particular model of printer to provide banner and trailer pages. Trusted Extensions provides four scripts: tsol_standard, tsol_netstandard, tsol_standard_foomatic, and tsol_netstandard_foomatic.

The foomatic scripts are used when a printer driver name begins with Foomatic. Foomatic drivers are PostScript Printer Drivers (PPD).


Note –

When you add a printer to a labeled zone, “Use PPD” is specified by default in the Print Manager. A PPD is then used to translate banner and trailer pages into the language of the printer.


Additional Conversion Filters

A conversion filter converts text files to PostScript format. The filter's programs are trusted programs that are run by the printer daemon. Files that are converted to PostScript format by any installed filter program can be trusted to have authentic labels and banner and trailer page text.

Solaris software provides most conversion filters that a site needs. A site's System Administrator role can install additional filters. These filters can then be trusted to have authentic labels, and banner and trailer pages. To add conversion filters, see Chapter 7, Customizing LP Printing Services and Printers (Tasks), in System Administration Guide: Printing.

Interoperability of Trusted Extensions With Trusted Solaris 8 Printing

Trusted Solaris 8 and Trusted Extensions systems that have compatible label_encodings files and that identify each other as using a CIPSO template can use each other for remote printing. The following table describes how to set up the systems to enable printing. By default, users cannot list or cancel print jobs on a remote print server of the other OS. Optionally, you can authorize users to do so.

Originating System: Trusted Extensions
  Print Server System: Trusted Solaris 8
  Action: Configure printing – In the Trusted Extensions tnrhdb, assign a template with the appropriate label range to the Trusted Solaris 8 print server. The label could be CIPSO or unlabeled.
  Results: Trusted Solaris 8 printer can print jobs from a Trusted Extensions system within the printer's label range.

Originating System: Trusted Extensions
  Print Server System: Trusted Solaris 8
  Action: Authorize users – On the Trusted Extensions system, create a profile that adds the needed authorizations. Assign the profile to users.
  Results: Trusted Extensions users can list or cancel print jobs that they send to a Trusted Solaris 8 printer. Users cannot view or remove jobs at a different label.

Originating System: Trusted Solaris 8
  Print Server System: Trusted Extensions
  Action: Configure printing – In the Trusted Solaris 8 tnrhdb, assign a template with the appropriate label range to the Trusted Extensions print server. The label could be CIPSO or unlabeled.
  Results: Trusted Extensions printer can print jobs from a Trusted Solaris 8 system within the printer's label range.

Originating System: Trusted Solaris 8
  Print Server System: Trusted Extensions
  Action: Authorize users – On the Trusted Solaris 8 system, create a profile that adds the needed authorizations. Assign the profile to users.
  Results: Trusted Solaris 8 users can list or cancel print jobs that they send to a Trusted Extensions printer. Users cannot view or remove jobs at a different label.

Trusted Extensions Print Interfaces (Reference)

The following user commands are extended to conform with Trusted Extensions security policy:

The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.

Trusted Extensions adds the solaris.label.print authorization to the Printer Management rights profile. The solaris.print.unlabeled authorization is required to print body pages without labels.

Managing Printing in Trusted Extensions (Task Map)

Trusted Extensions procedures for configuring printing are performed after completing Solaris printer setup. The following task map points to the major tasks that manage labeled printing.

Task: Configure printers for labeled output.
  Description: Enables users to print to a Trusted Extensions printer. The print jobs are marked with labels.
  For Instructions: Configuring Labeled Printing (Task Map)

Task: Remove visible labels from printer output.
  Description: Enables users to print at a specific label to a Solaris printer. The print jobs are not marked with labels. Or, prevents labels from printing on a Trusted Extensions printer.
  For Instructions: Reducing Printing Restrictions in Trusted Extensions (Task Map)

Configuring Labeled Printing (Task Map)

The following task map describes common configuration procedures that are related to labeled printing.


Note –

Printer clients can only print jobs within the label range of the Trusted Extensions print server.


Task: Configure printing from the global zone.
  Description: Creates a multilevel print server in the global zone.
  For Instructions: How to Configure a Multilevel Print Server and Its Printers

Task: Configure printing for a network of systems.
  Description: Creates a multilevel print server in the global zone and enables labeled zones to use the printer.
  For Instructions: How to Configure a Network Printer for Sun Ray Clients

Task: Configure printing for unlabeled systems in the same subnet as labeled systems.
  Description: Enables unlabeled systems to use the network printer.
  For Instructions: How to Configure Cascade Printing on a Labeled System

Task: Configure printing from a labeled zone.
  Description: Creates a single-label print server for a labeled zone.
  For Instructions: How to Configure a Zone for Single-Label Printing

Task: Configure a multilevel print client.
  Description: Connects a Trusted Extensions host to a printer.
  For Instructions: How to Enable a Trusted Extensions Client to Access a Printer

Task: Restrict the label range of a printer.
  Description: Limits a Trusted Extensions printer to a narrow label range.
  For Instructions: How to Configure a Restricted Label Range for a Printer

Procedure: How to Configure a Multilevel Print Server and Its Printers

Printers that are managed by a Trusted Extensions print server print labels on body pages, banner pages, and trailer pages. Such printers can print jobs within the label range of the print server. Any Trusted Extensions host that can reach the print server can use the printers that are connected to that server.

Before You Begin

Determine the print server for your Trusted Extensions network. You must be in the System Administrator role in the global zone on this print server.

  1. Start the Solaris Management Console.

    For details, see How to Administer the Local System With the Solaris Management Console.

  2. Choose the Files toolbox.

    The title of the toolbox includes Scope=Files, Policy=TSOL.

  3. Enable multilevel printing by configuring the global zone with the print server port, 515/tcp.

    Create a multilevel port (MLP) for the print server by adding the port to the global zone.

    1. Navigate to the Trusted Network Zones tool.

    2. In the Multilevel Ports for Zone's IP Addresses, add 515/tcp.

    3. Click OK.

  4. Define the characteristics of every connected printer.

    Use the command line. The Print Manager GUI does not work in the global zone.


    # lpadmin -p printer-name -v /dev/null \
    -o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript
    # accept printer-name
    # enable printer-name
    
  5. Assign a printer model script to each printer that is connected to the print server.

    The model script activates the banner and trailer pages for the specified printer.

    For a description of the scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. On one line, use the following command:


    $ lpadmin -p printer \
     -m { tsol_standard | tsol_netstandard | 
          tsol_standard_foomatic | tsol_netstandard_foomatic }

    If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable for every printer, then your label configuration is done.

  6. In every labeled zone where printing is allowed, configure the printer.

    Use the all-zones IP address for the global zone as the print server.

    1. Log in as root to the zone console of the labeled zone.


      # zlogin -C labeled-zone
      
    2. Add the printer to the zone.


      # lpadmin -p printer-name -s all-zones-IP-address
      
    3. (Optional) Set the printer as the default.


      # lpadmin -d printer-name
      
  7. In every zone, test the printer.


    Note –

    Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.


    As root and as a regular user, perform the following steps:

    1. Print plain files from the command line.

    2. Print files from your applications, such as StarOffice, your browser, and your editor.

    3. Verify that banner pages, trailer pages, and security banners print correctly.

See Also

Procedure: How to Configure a Network Printer for Sun Ray Clients

This procedure configures a PostScript printer on a Sun Ray server that has a single all-zones interface. The printer is made available to all users of Sun Ray clients of this server. Initial configuration happens in the global zone. After the global zone is configured, each labeled zone is configured to use the printer.

Before You Begin

You must be logged in to a multilevel session in Trusted CDE.

  1. In the global zone, assign an IP address to the network printer.

    For instructions, see Chapter 5, Setting Up Printers by Using LP Print Commands (Tasks), in System Administration Guide: Printing.

  2. Start the Solaris Management Console.

  3. Assign the printer to the admin_low template.

    1. In the Computers and Networks tool, double-click Security Templates.

    2. Double-click admin_low.

    3. In the Hosts Assigned to Template tab, add the printer's IP address.

      For more information, read the online help in the left pane.

  4. Add the printer port to the shared interface of the global zone.

    1. In the Computers and Networks tool, double-click Trusted Network Zones.

    2. Double-click global.

    3. To the Multilevel Ports for Shared IP Addresses list, add port 515, protocol tcp.

  5. Verify that the Solaris Management Console assignments are in the kernel.


    # tninfo -h printer-IP-address
       IP address= printer-IP-address
       Template = admin_low

    # tninfo -m global
       private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;
    7007/tcp;7010/tcp;7014/tcp;7015/tcp;32771/tcp;32776/ip
       shared: 515/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp

    Note –

    The additional private and shared multilevel ports (MLPs) such as 6055 and 7007 support Sun Ray requirements.


  6. Ensure that printing services are enabled in the global zone.


    # svcadm enable print/server
    # svcadm enable rfc1179
    
  7. If your system was installed with netservices limited, enable the printer to reach the network.

    The rfc1179 service must listen on addresses other than localhost. The LP service listens only on a named pipe.


    # inetadm -m svc:/application/print/rfc1179:default bind_addr=''
    # svcadm refresh rfc1179
    

    Note –

    If you are running netservices open, the preceding command generates the following error: Error: "inetd" property group missing.


  8. Enable all users to print PostScript.

    In the Trusted Editor, create the /etc/default/print file and add this line:


    PRINT_POSTSCRIPT=1

    Applications such as StarOffice and gedit create PostScript output.

  9. Add all LP filters to the printing service.

    In the global zone, run this C-Shell script:


    csh
        cd /etc/lp/fd/
        foreach a (*.fd)
            lpfilter -f $a:r -F $a
        end
  10. Add a printer in the global zone.

    Use the command line. The Print Manager GUI does not work in the global zone.


    # lpadmin -p printer-name -v /dev/null -m tsol_netstandard \
    -o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript
    # accept printer-name
    # enable printer-name
    
  11. (Optional) Set the printer as the default.


    # lpadmin -d printer-name
    
  12. In every labeled zone, configure the printer.

    Use the all-zones IP address for the global zone as the print server. If your all-zones NIC is a virtual network interface (vni), use the IP address for the vni as the argument to the -s option.

    1. Log in as root to the zone console of the labeled zone.


      # zlogin -C labeled-zonename
      
    2. Add the printer to the zone.


      # lpadmin -p printer-name -s global-zone-shared-IP-address
      
    3. (Optional) Set the printer as the default.


      # lpadmin -d printer-name
      
  13. In every zone, test the printer.


    Note –

    Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.


    As root and as a regular user, perform the following steps:

    1. Print plain files from the command line.

    2. Print files from your applications, such as StarOffice, your browser, and your editor.

    3. Verify that banner pages, trailer pages, and security banners print correctly.


Example 15–1 Determining Printer Status for a Network Printer

In this example, the administrator verifies the network printer's status from the global zone and from a labeled zone.


global # lpstat -t
    scheduler is running
    system default destination: math-printer
    system for _default: trusted1 (as printer math-printer)
    device for math-printer: /dev/null
    character set
    default accepting requests since Feb 28 00:00 2008
    lex accepting requests since Feb 28 00:00 2008
    printer math-printer is idle. enabled since Feb 28 00:00 2008. available.

Solaris1# lpstat -t
   scheduler is not running
   system default destination: math-printer
   system for _default: 192.168.4.17 (as printer math-printer)
   system for math-printer: 192.168.4.17
   default accepting requests since Feb 28 00:00 2008
   math-printer accepting requests since Feb 28 00:00 2008
   printer _default is idle. enabled since Feb 28 00:00 2008. available.
   printer math-printer is idle. enabled since Feb 28 00:00 2008. available.
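A check that a practitioner would run after step 5 and after Example 15–1, as an added example that is not part of this guide or of the Solaris printing software: it parses tninfo and lpstat -t output and confirms the three conditions the procedure establishes, namely that the printer host is assigned the admin_low template, that 515/tcp is a shared multilevel port in the global zone, and that the printer is accepting requests and enabled. The sample output embedded below is constructed from the listings on this page; the printer address 192.168.4.6 is the one used later in the cascade printing example.

```python
"""Verify print-server conditions from tninfo and lpstat output (added example, not Oracle code)."""
import re

# Constructed sample of `tninfo -h printer-IP-address`.
TNINFO_HOST = """\
   IP address= 192.168.4.6
   Template = admin_low
"""

# Constructed sample of `tninfo -m global`; the private: list wraps onto a second line.
TNINFO_MLP = """\
   private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp;
7007/tcp;7010/tcp;7014/tcp;7015/tcp;32771/tcp;32776/ip
   shared: 515/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp
"""

# Constructed sample of `lpstat -t` as seen from a labeled zone.
LPSTAT = """\
scheduler is not running
system default destination: math-printer
system for _default: 192.168.4.17 (as printer math-printer)
system for math-printer: 192.168.4.17
default accepting requests since Feb 28 00:00 2008
math-printer accepting requests since Feb 28 00:00 2008
printer _default is idle. enabled since Feb 28 00:00 2008. available.
printer math-printer is idle. enabled since Feb 28 00:00 2008. available.
"""


def host_template(tninfo_h: str) -> str:
    """Return the security template name that tninfo -h reports for the host."""
    m = re.search(r"Template\s*=\s*(\S+)", tninfo_h)
    return m.group(1) if m else ""


def mlp_ports(tninfo_m: str) -> dict:
    """Parse the private: and shared: MLP lists from tninfo -m. A list may wrap
    onto the next line, so a line without a 'name:' prefix continues the
    previous list."""
    ports = {}
    current = None
    for line in tninfo_m.splitlines():
        line = line.strip()
        m = re.match(r"(private|shared):\s*(.*)", line)
        if m:
            current = m.group(1)
            ports[current] = []
            line = m.group(2)
        if current is None or not line:
            continue
        ports[current].extend(p for p in line.split(";") if p)
    return ports


def port_in_list(spec: str, entries: list) -> bool:
    """True if 'port/proto' is covered by an entry, including ranges such as 6000-6050/tcp."""
    port, proto = spec.split("/")
    port = int(port)
    for entry in entries:
        rng, entry_proto = entry.split("/")
        if entry_proto != proto:
            continue
        lo, _, hi = rng.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def printer_status(lpstat_t: str, printer: str) -> dict:
    """Report whether the named printer accepts requests, is enabled, and which
    system its jobs are sent to."""
    status = {"accepting": False, "enabled": False, "server": None}
    for line in lpstat_t.splitlines():
        line = line.strip()
        if line.startswith(f"{printer} accepting requests"):
            status["accepting"] = True
        elif line.startswith(f"printer {printer} ") and "enabled" in line:
            status["enabled"] = True
        elif line.startswith(f"system for {printer}:"):
            status["server"] = line.split(":", 1)[1].strip()
    return status


def print_server_ready(tninfo_h: str, tninfo_m: str, lpstat_t: str, printer: str) -> bool:
    """All three conditions from the procedure hold: printer host on admin_low,
    515/tcp in the global zone's shared MLP list, printer accepting and enabled."""
    ports = mlp_ports(tninfo_m)
    st = printer_status(lpstat_t, printer)
    return (host_template(tninfo_h) == "admin_low"
            and port_in_list("515/tcp", ports.get("shared", []))
            and st["accepting"] and st["enabled"])


if __name__ == "__main__":
    print("ready:", print_server_ready(TNINFO_HOST, TNINFO_MLP, LPSTAT, "math-printer"))
```

On a real system, feed the functions the captured output of the commands from the global zone and from each labeled zone; "scheduler is not running" in a labeled zone is expected, because the zone forwards jobs to the global zone's print server named on the "system for" line.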

Procedure: How to Configure Cascade Printing on a Labeled System

Cascade printing provides the ability to print from a Windows desktop session to a Trusted Extensions labeled zone interface, where the zone IP address of the physical interface acts as the print spooler. The multilevel port (MLP) listener that is on the zone IP address of the physical interface talks to the Trusted Extensions printing subsystem and prints the file with the appropriate labeled header and trailer sheets.

This procedure enables unlabeled systems that are in the same subnet as labeled systems to use the labeled network printer. The rfc1179 service handles cascade printing. You must perform this procedure in every labeled zone from which you permit cascade printing.

Before You Begin

You have completed How to Configure a Network Printer for Sun Ray Clients.

  1. Log in as root to the zone console of the labeled zone.


    # zlogin -C labeled-zonename
    
  2. Remove the rfc1179 service's dependency on the print/server service.


    labeled-zone # cat <<EOF | svccfg
          select application/print/rfc1179
          delpg lpsched
          end
       EOF
    

    labeled-zone # svcadm refresh application/print/rfc1179
    
  3. Ensure that the rfc1179 service is enabled.


    labeled-zone # svcadm enable rfc1179
    
  4. If the labeled zone was installed with netservices limited, enable the printer to reach the network.

    The rfc1179 service must listen on addresses other than localhost. The LP service listens only on a named pipe.


    # inetadm -m svc:/application/print/rfc1179:default bind_addr=''
    # svcadm refresh rfc1179
    

    Note –

    If you are running netservices open, the preceding command generates the following message: Error: "inetd" property group missing.


  5. Configure cascade printing from the labeled zone.


    labeled-zone # lpset -n system -a spooling-type=cascade printer-name
    

    This command updates the zone's /etc/printers.conf file.

  6. Test a Solaris system that is on the same subnet as this labeled zone.

    For example, test the Solaris1 system. This system is on the same subnet as the internal zone. The configuration parameters are the following:

    • math-printer IP address is 192.168.4.6

    • Solaris1 IP address is 192.168.4.12

    • internal zone IP address is 192.168.4.17


    Solaris1# uname -a
    SunOS Solaris1 Generic_120011-11 sun4u sparc SUNW,Sun-Blade-1000
    Solaris1# lpadmin -p math-printer -s 192.168.4.17
    Solaris1# lpadmin -d math-printer
    
    Solaris1# lpstat -t
       scheduler is not running
       system default destination: math-printer
       system for _default: 192.168.4.17 (as printer math-printer)
       system for math-printer: 192.168.4.17
       default accepting requests since Feb 28 00:00 2008
       math-printer accepting requests since Feb 28 00:00 2008
       printer _default is idle. enabled since Feb 28 00:00 2008. available.
       printer math-printer is idle. enabled since Feb 28 00:00 2008. available.
    • Test the lp command.


      Solaris1# lp /etc/hosts
         request id is math-printer-1 (1 file)
    • Test printing from applications such as StarOffice and the browser.

  7. Test a Windows 2003 server that is on the same subnet as this labeled zone.

    1. Set up the printer on the Windows server.

      Use the Start Menu->Settings->Printers & Faxes GUI.

      Specify the following printer configuration:

      • Add A Printer

      • Local Printer attached to this computer

      • Create a new port – Standard TCP/IP Port

      • Printer Name or IP Address – 192.168.4.17, that is, the IP address of the labeled zone

      • Port Name – Accept default

      • Additional Port Information Required – Accept default

        • Device Type = Custom

        • Settings – Protocol = LPR

        • LPR Settings – Queue Name = math-printer, that is, the UNIX Queue Name

        • LPR Byte Counting Enabled

      Finish the printer prompts by specifying the manufacturer, model, driver and other printer parameters.

  8. Test the printer by selecting the printer from an application.

    For example, test the winserver system that is on the same subnet as the internal zone. The configuration parameters are the following:

    • math-printer IP address is 192.168.4.6

    • winserver IP address is 192.168.4.200

    • internal zone IP address is 192.168.4.17


    winserver C:/> ipconfig
    Windows IP Configuration
       Ethernet adapter TP-NIC:
          Connection-specific DNS Suffix  . :
          IP Address. . . . . . . . . . . . : 192.168.4.200
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . : 192.168.4.17

Procedure: How to Configure a Zone for Single-Label Printing

Before You Begin

The zone must not be sharing an IP address with the global zone. You must be in the System Administrator role in the global zone.

  1. Add a workspace.

    For details, see How to Add a Workspace at a Particular Label in Oracle Solaris Trusted Extensions User’s Guide.

  2. Change the label of the new workspace to the label of the zone that will be the print server for that label.

    For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.

  3. Define the characteristics of the connected printers.

    1. At the label of zone, start the Print Manager.

      By default, the “Use PPD” checkbox is selected. The system finds the appropriate driver for the printer.

    2. (Optional) To specify a different printer driver, do the following:

      1. Remove the check from “Use PPD”.

      2. Define the make and model of the printer that uses a different driver.

        In the Print Manager, you supply the values for the first two fields, then the Print Manager supplies the driver name.


        Printer Make   manufacturer
        Printer Model  manufacturer-part-number
        Printer Driver automatically filled in
        
  4. Assign a printer model script to each printer that is connected to the zone.

    The model script activates the banner and trailer pages for the specified printer.

    For your choices of scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. Use the following command:


    $ lpadmin -p printer -m model
    

    The attached printers can print jobs only at the label of the zone.

  5. Test the printer.


    Note –

    Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.


    As root and as a regular user, perform the following steps:

    1. Print plain files from the command line.

    2. Print files from your applications, such as StarOffice, your browser, and your editor.

    3. Verify that banner pages, trailer pages, and security banners print correctly.

See Also

Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map)

Procedure: How to Enable a Trusted Extensions Client to Access a Printer

Initially, only the zone in which a print server was configured can print to the printers of that print server. The system administrator must explicitly add access to those printers for other zones and systems. The possibilities are as follows:

Before You Begin

A print server has been configured with a label range or a single label, and the printers that are connected to it have been configured. For details, see the following:

You must be in the System Administrator role in the global zone, or be able to assume the role.

  1. Complete the procedures that enable your systems to access a printer.

    • Configure the global zone on a system that is not a print server to use another system's global zone for printer access.

      1. On the system that does not have printer access, assume the System Administrator role.

      2. Add access to the printer that is connected to the Trusted Extensions print server.


        $ lpadmin -s printer
        
    • Configure a labeled zone to use its global zone for printer access.

      1. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.

      2. Add access to the printer.


        $ lpadmin -s printer
        
    • Configure a labeled zone to use another system's labeled zone for printer access.

      The labels of the zones must be identical.

      1. On the system that does not have printer access, assume the System Administrator role.

      2. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.

      3. Add access to the printer that is connected to the print server of the remote labeled zone.


        $ lpadmin -s printer
        
    • Configure a labeled zone to use an unlabeled print server for printer access.

      The label of the zone must be identical to the label of the print server.

      1. On the system that does not have printer access, assume the System Administrator role.

      2. Change the label of the role workspace to the label of the labeled zone.

        For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.

      3. Add access to the printer that is connected to the arbitrarily labeled print server.


        $ lpadmin -s printer
        
  2. Test the printers.

    Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.

    On every client, test that printing works for root and roles in the global zone and for root, roles, and regular users in labeled zones.

    1. Print plain files from the command line.

    2. Print files from your applications, such as StarOffice, your browser, and your editor.

    3. Verify that banner pages, trailer pages, and security banners print correctly.

Procedure: How to Configure a Restricted Label Range for a Printer

The default printer label range is ADMIN_LOW to ADMIN_HIGH. This procedure narrows the label range for a printer that is controlled by a Trusted Extensions print server.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Start the Device Allocation Manager.

    • Choose the Allocate Device option from the Trusted Path menu.

    • In Trusted CDE, launch the Device Allocation Manager action from the Tools subpanel on the Front Panel.

  2. Click the Device Administration button to display the Device Allocation: Administration dialog box.

  3. Type a name for the new printer.

    If the printer is attached to your system, find the name of the printer.

  4. Click the Configure button to display the Device Allocation: Configuration dialog box.

  5. Change the printer's label range.

    1. Click the Min Label button to change the minimum label.

      Choose a label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.

    2. Click the Max Label button to change the maximum label.

  6. Save the changes.

    1. Click OK in the Configuration dialog box.

    2. Click OK in the Administration dialog box.

  7. Close the Device Allocation Manager.

Reducing Printing Restrictions in Trusted Extensions (Task Map)

The following tasks are optional. They reduce the printing security that Trusted Extensions provides by default when the software is installed.

Task: Configure a printer to not label output.
Description: Prevents security information from printing on body pages, and removes banner and trailer pages.
For Instructions: How to Remove Labels From Printed Output

Task: Configure printers at a single label without labeled output.
Description: Enables users to print at a specific label to a Solaris printer. The print jobs are not marked with labels.
For Instructions: How to Assign a Label to an Unlabeled Print Server

Task: Remove visible labeling of body pages.
Description: Modifies the tsol_separator.ps file to prevent labeled body pages on all print jobs that are sent from a Trusted Extensions host.
For Instructions: How to Remove Page Labels From All Print Jobs

Task: Suppress banner and trailer pages.
Description: Authorizes specific users to print jobs without banner and trailer pages.
For Instructions: How to Suppress Banner and Trailer Pages for Specific Users

Task: Enable trusted users to print jobs without labels.
Description: Authorizes specific users or all users of a particular system to print jobs without labels.
For Instructions: How to Enable Specific Users to Suppress Page Labels

Task: Enable the printing of PostScript files.
Description: Authorizes specific users or all users of a particular system to print PostScript files.
For Instructions: How to Enable Users to Print PostScript Files in Trusted Extensions

Task: Assign printing authorizations.
Description: Enables users to bypass default printing restrictions.
For Instructions: How to Create a Rights Profile for Convenient Authorizations; How to Modify policy.conf Defaults

Procedure: How to Remove Labels From Printed Output

Printers that do not have a Trusted Extensions printer model script do not print labeled banner or trailer pages. The body pages also do not include labels.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. At the appropriate label, do one of the following:

    • From the print server, stop banner printing altogether.


      $ lpadmin -p printer -o nobanner=never

      Body pages are still labeled.

    • Set the printer model script to a Solaris script.


      $ lpadmin -p printer  \
      -m { standard | netstandard | standard_foomatic | netstandard_foomatic }

      No labels appear on printed output.

Procedure: How to Assign a Label to an Unlabeled Print Server

A Solaris print server is an unlabeled print server that can be assigned a label for Trusted Extensions access to the printer at that label. Printers that are connected to an unlabeled print server can print jobs only at the label that has been assigned to the print server. Jobs print without labels or trailer pages and might print without banner pages. If a job prints with a banner page, the page does not contain any security information.

A Trusted Extensions system can be configured to submit jobs to a printer that is managed by an unlabeled print server. Users can print jobs on the unlabeled printer at the label that the security administrator assigns to the print server.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Open the Solaris Management Console in the appropriate scope.

    For details, see Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.

  2. Under System Configuration, navigate to the Computers and Networks tool.

    Provide a password when prompted.

  3. Assign an unlabeled template to the print server.

    For details, see How to Assign a Security Template to a Host or a Group of Hosts.

    Choose a label. Users who are working at that label can send print jobs to the Solaris printer at the label of the print server. Pages do not print with labels, and banner and trailer pages are also not part of the print job.


Example 15–2 Sending Public Print Jobs to an Unlabeled Printer

Files that are available to the general public are suitable for printing to an unlabeled printer. In this example, marketing writers need to produce documents that do not have labels printed on the top and bottom of the pages.

The security administrator assigns an unlabeled host type template to the Solaris print server. The template is described in Example 13–6. The arbitrary label of the template is PUBLIC. The printer pr-nolabel1 is connected to this print server. Print jobs from users in a PUBLIC zone print on the pr-nolabel1 printer with no labels. Depending on the settings for the printer, the jobs might or might not have banner pages. The banner pages do not contain security information.


Procedure: How to Remove Page Labels From All Print Jobs

This procedure prevents all print jobs on a Trusted Extensions printer from including visible labels on the body pages of the print job.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Edit the /usr/lib/lp/postscript/tsol_separator.ps file.

    Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

  2. Find the definition of /PageLabel.

    Find the following lines:


    %% To eliminate page labels completely, change this line to
    %% set the page label to an empty string: /PageLabel () def
    /PageLabel Job_PageLabel def

    Note –

    The value Job_PageLabel might be different at your site.


  3. Replace the value of /PageLabel with a set of empty parentheses.


    /PageLabel () def

Procedure: How to Enable Specific Users to Suppress Page Labels

This procedure enables an authorized user or role to print jobs on a Trusted Extensions printer without labels on the top and bottom of each body page. Page labels are suppressed for all labels at which the user can work.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Determine who is permitted to print jobs without page labels.

  2. Authorize those users and roles to print jobs without page labels.

    Assign a rights profile that includes the Print without Label authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations.

  3. Instruct the user or role to use the lp command to submit print jobs:


    % lp -o nolabels staff.mtg.notes
    

Procedure: How to Suppress Banner and Trailer Pages for Specific Users

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Create a rights profile that includes the Print without Banner authorization.

    Assign the profile to each user or role that is allowed to print without banner and trailer pages.

    For details, see How to Create a Rights Profile for Convenient Authorizations.

  2. Instruct the user or role to use the lp command to submit print jobs:


    % lp -o nobanner staff.mtg.notes
    

Procedure: How to Enable Users to Print PostScript Files in Trusted Extensions

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Use one of the following three methods to enable users to print PostScript files:

    • To enable PostScript printing on a system, modify the /etc/default/print file.

      1. Create or modify the /etc/default/print file.

        Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

      2. Type the following entry:


        PRINT_POSTSCRIPT=1

      3. Save the file and close the editor.

    • To authorize all users to print PostScript files from a system, modify the /etc/security/policy.conf file.

      1. Modify the policy.conf file.

        Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

      2. Add the solaris.print.ps authorization.


        AUTHS_GRANTED=other-authorizations,solaris.print.ps

      3. Save the file and close the editor.

    • To enable a user or role to print PostScript files from any system, give just those users and roles the appropriate authorization.

      Assign a profile that includes the Print Postscript authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations.
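An added check, not part of the Oracle documentation, that audits the two settings these procedures change: the /PageLabel definition in a copy of tsol_separator.ps (see How to Remove Page Labels From All Print Jobs) and the PostScript-printing settings in copies of /etc/default/print and /etc/security/policy.conf. File paths are arguments and the sample files are constructed, so it runs without touching the real files or the trusted editor.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit printing-restriction settings against
# constructed copies of the files. Nothing under /etc is read or written.

# Current /PageLabel definition in a tsol_separator.ps copy: "suppressed" when
# it is "()", "undefined" when no definition is found, else the PostScript
# value. Comment lines (%) are skipped; the site value need not be Job_PageLabel.
pagelabel_setting() {
    value=$(grep -v '^[[:space:]]*%' "$1" |
        sed -n 's|^[[:space:]]*/PageLabel[[:space:]][[:space:]]*\(.*\)[[:space:]][[:space:]]*def[[:space:]]*$|\1|p' |
        tail -n 1)
    case "$value" in
        '()') echo suppressed ;;
        '')   echo undefined ;;
        *)    echo "$value" ;;
    esac
}

# How PostScript printing is allowed, from copies of /etc/default/print ($1)
# and /etc/security/policy.conf ($2): "system" when PRINT_POSTSCRIPT=1,
# "all-users" when solaris.print.ps is in AUTHS_GRANTED, otherwise only
# users or roles holding the Print Postscript authorization can print it.
postscript_mode() {
    if [ -f "$1" ] && grep -q '^PRINT_POSTSCRIPT=1[[:space:]]*$' "$1"; then
        echo system
    elif [ -f "$2" ] && sed -n 's/^AUTHS_GRANTED=//p' "$2" | tr ',' '\n' |
            grep -qFx solaris.print.ps; then
        echo all-users
    else
        echo authorized-users-only
    fi
}

# Constructed sample files (not real site files) written into directory $1.
make_samples() {
    printf '%s\n' '%% To eliminate page labels completely, change this line to' \
        '%% set the page label to an empty string: /PageLabel () def' \
        '/PageLabel Job_PageLabel def' > "$1/separator.ps"
    printf '%s\n' '# PRINT_POSTSCRIPT=0' 'PRINT_POSTSCRIPT=1' > "$1/print"
    printf '%s\n' 'AUTHS_GRANTED=other-authorizations,solaris.print.ps' > "$1/policy.conf"
}

dir=$(mktemp -d)
make_samples "$dir"
echo "page labels: $(pagelabel_setting "$dir/separator.ps")"
echo "postscript:  $(postscript_mode "$dir/print" "$dir/policy.conf")"
```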


Example 15–3 Enabling PostScript Printing From a Public System

In the following example, the security administrator has constrained a public kiosk to operate at the PUBLIC label. The system also has a few icons that open topics of interest. These topics can be printed.

The security administrator creates an /etc/default/print file on the system. The file has one entry to enable the printing of PostScript files. No user needs a Print Postscript authorization.


# vi /etc/default/print

# PRINT_POSTSCRIPT=0
PRINT_POSTSCRIPT=1