Trusted Extensions adds the following print authorizations to implement Trusted Extensions security policy. These authorizations are checked on the print server. Therefore, remote users, such as users in labeled zones, cannot pass the authorization check.
solaris.print.admin – Enables a role to administer printing
solaris.print.list – Enables a role to view print jobs that do not belong to the role
solaris.print.nobanner – Enables a role to print jobs without banner and trailer pages from the global zone
solaris.print.unlabeled – Enables a role to print jobs without page labels from the global zone
The following user commands are extended to conform with Trusted Extensions security policy:
cancel – The caller's label must be equal to the label of the print job to cancel a job. Regular users can cancel only their own jobs.
lp – The -o nolabel option, which prints body pages without labels, requires the solaris.print.unlabeled authorization. The -o job-sheets=none option, which prints the job without a banner or trailer page, requires the solaris.print.nobanner authorization.
lpstat – The caller's label must be equal to the label of the print job to obtain the status of a job. Regular users can view only their own print jobs.
The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Oracle Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.
lpmove – The caller's label must be equal to the label of the print job to move a job. By default, regular users can move only their own print jobs.
lpadmin – In the global zone, this command works for all jobs. In a labeled zone, the caller's label must dominate the print job's label to view a job, and must be equal to the print job's label to change a job.
lpsched – In the global zone, this command is always successful. As in the Oracle Solaris OS, use the svcadm command to enable, disable, start, or restart the print service. In a labeled zone, the caller's label must be equal to the label of the print service to change the print service. For details about the service management facility, see the smf(5), svcadm(1M), and svcs(1) man pages.
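The following audit helper is an added example, not part of the original documentation. It reports which of the label-removing and banner-removing lp options described above a role's authorization list permits. The role names and lists are constructed, and the input format (a comma-separated list, as auths(1) prints for one account, with trailing-wildcard entries such as solaris.print.*) is an assumption.

```shell
#!/bin/sh
# Added example. Input format is an assumption: one comma-separated
# authorization list per role, as auths(1) prints for one account.

# has_auth LIST WANTED: succeed if LIST grants WANTED, either by exact
# name or through a trailing-wildcard entry such as solaris.print.*
has_auth() {
    _rest=$1,
    _want=$2
    while [ -n "$_rest" ]; do
        _a=${_rest%%,*}          # next entry
        _rest=${_rest#*,}        # remainder of the list
        case $_a in
            "$_want") return 0 ;;
            *'.*')               # wildcard: compare the text before '*'
                _prefix=${_a%?}
                case $_want in "$_prefix"*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# weakening_options LIST: print the lp -o options from this page that
# drop page labels or banner/trailer pages and that LIST authorizes.
weakening_options() {
    _out=
    has_auth "$1" solaris.print.unlabeled && _out="$_out nolabel"
    has_auth "$1" solaris.print.nobanner && _out="$_out job-sheets=none"
    echo "${_out# }"
}

# audit_roles: read "role authlist" lines and report every role that
# can print without labels or without banner and trailer pages.
audit_roles() {
    while read -r _role _auths; do
        _opts=$(weakening_options "$_auths")
        [ -n "$_opts" ] && echo "$_role: permitted lp -o options: $_opts"
    done
    return 0
}

# Constructed sample data (hypothetical role names).
audit_roles <<'EOF'
role_a solaris.print.admin,solaris.print.unlabeled
role_b solaris.print.*
role_c solaris.print.list
EOF
```

Because the authorizations are checked on the print server, run the audit against the roles defined there.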