This chapter describes how to use Solaris Trusted Extensions software to configure labeled printing. It also describes how to configure print jobs without the labeling options.
Trusted Extensions software uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printed output. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.
The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Solaris printer administration procedures, then they assign labels to the print servers and printers.
Trusted Extensions software supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. To use the global zone's print server, a labeled zone must have a host name that is different from the global zone. One way to obtain a distinct host name is to assign an IP address to the labeled zone. The address would be distinct from the global zone's IP address.
Users and roles on a system that is configured with Trusted Extensions software create print jobs at the label of their session. The print jobs can print only on printers that recognize that label. The label must be in the printer's label range.
Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.
Printers that are configured with Trusted Extensions software print labels on the printer output. Printers that are managed by unlabeled print servers do not print labels on the printer output. Such printers have the same label as their unlabeled server. For example, a Solaris print server can be assigned an arbitrary label in the tnrhdb database of the LDAP naming service. Users can then print jobs at that arbitrary label on the Solaris printer. As with Trusted Extensions printers, those Solaris printers can only accept print jobs from users who are working at the label that has been assigned to the print server.
Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the label_encodings file and from the tsol_separator.ps file.
The security administrator can do the following to modify defaults that set labels and add handling instructions to printer output:
Localize or customize the text on the banner and trailer pages
Specify alternate labels to be printed on body pages or in the various fields of the banner and trailer pages
Change or omit any of the text or labels
The security administrator can also configure user accounts to use printers that do not print labels on the output. Users can also be authorized to selectively not print banners or labels on printer output.
By default, the “Protect As” classification is printed at the top and bottom of every body page. The “Protect As” classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.
For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.
The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. Note that the trailer page uses a different outer line.
The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization.
The following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/lp/postscript/tsol_separator.ps file.
To localize or internationalize the printed output, see the comments in the tsol_separator.ps file.
Output |
Default Value |
How Defined |
To Change |
---|---|---|---|
PRINTER BANNERS |
/Caveats Job_Caveats |
/Caveats Job_Caveats |
See Specifying Printer Banners in Oracle Solaris Trusted Extensions Label Administration. |
CHANNELS |
/Channels Job_Channels |
/Channels Job_Channels |
See Specifying Channels in Oracle Solaris Trusted Extensions Label Administration. |
Label at the top of banner and trailer pages |
/HeadLabel Job_Protect def |
See /PageLabel description. |
The same as changing /PageLabel.. Also see Specifying the Protect As Classification in Oracle Solaris Trusted Extensions Label Administration. |
Label at the top and bottom of body pages |
/PageLabel Job_Protect def |
Compares the label of the job to the minimum protect as classification in the label_encodings file. Prints the more dominant classification. Contains compartments if the print job's label has compartments. |
Change the /PageLabel definition to specify another value. Or, type a string of your choosing. Or, print nothing at all. |
Text and label in the “Protect as” classification statement |
/Protect Job_Protect def /Protect_Text1 () def /Protect_Text2 () def |
See /PageLabel description. Text to appear above label. Text to appear below label. |
The same as changing /PageLabel. Replace () in Protect_Text1 and Protect_Text2 with text string. |
Labeled printing in Trusted Extensions relies on features from Solaris printing. In the Solaris OS, printer model scripts handle banner page creation. To implement labeling, a printer model script first converts the print job to a PostScript file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.
Solaris printer model scripts can also translate PostScript into the native language of a printer. If a printer accepts PostScript input, then Solaris software sends the job to the printer. If a printer does not accept PostScript input, then the software converts the PostScript format to a raster image. The raster image is then converted to the appropriate printer format.
Because PostScript software is used to print label information, users cannot print PostScript files by default. This restriction prevents a knowledgeable PostScript programmer from creating a PostScript file that modifies the labels on the printer output.
The Security Administrator role can override this restriction by assigning the Print Postscript authorization to role accounts and to trustworthy users. The authorization is assigned only if the account can be trusted not to spoof the labels on printer output. Also, allowing a user to print PostScript files must be consistent with the site's security policy.
A printer model script enables a particular model of printer to provide banner and trailer pages. Trusted Extensions provides four scripts:
tsol_standard - For directly attached PostScript printers, for example, printers attached by a parallel port
tsol_netstandard - For network–accessible PostScript printers
tsol_standard_foomatic - For directly attached printers that do not print PostScript format
tsol_netstandard_foomatic - For network–accessible printers that do not print PostScript format
The foomatic scripts are used when a printer driver name begins with Foomatic. Foomatic drivers are PostScript Printer Drivers (PPD).
When you add a printer to a labeled zone, “Use PPD” is specified by default in the Print Manager. A PPD is then used to translate banner and trailer pages into the language of the printer.
A conversion filter converts text files to PostScript format. The filter's programs are trusted programs that are run by the printer daemon. Files that are converted to PostScript format by any installed filter program can be trusted to have authentic labels and banner and trailer page text.
Solaris software provides most conversion filters that a site needs. A site's System Administrator role can install additional filters. These filters can then be trusted to have authentic labels, and banner and trailer pages. To add conversion filters, see Chapter 7, Customizing LP Printing Services and Printers (Tasks), in System Administration Guide: Printing.
Trusted Solaris 8 and Trusted Extensions systems that have compatible label_encodings files and that identify each other as using a CIPSO template can use each other for remote printing. The following table describes how to set up the systems to enable printing. By default, users cannot list or cancel print jobs on a remote print server of the other OS. Optionally, you can authorize users to do so.
Originating System |
Print Server System |
Action |
Results |
---|---|---|---|
Trusted Extensions |
Trusted Solaris 8 |
Configure printing – In the Trusted Extensions tnrhdb, assign a template with the appropriate label range to the Trusted Solaris 8 print server. The label could be CIPSO or unlabeled. |
Trusted Solaris 8 printer can print jobs from a Trusted Extensions system within the printer's label range. |
Trusted Extensions |
Trusted Solaris 8 |
Authorize users – On the Trusted Extensions system, create a profile that adds the needed authorizations. Assign the profile to users. |
Trusted Extensions users can list or cancel print jobs that they send to a Trusted Solaris 8 printer. Users cannot view or remove jobs at a different label. |
Trusted Solaris 8 |
Trusted Extensions |
Configure printing – In the Trusted Solaris 8 tnrhdb, assign a template with the appropriate label range to the Trusted Extensions print server. The label could be CIPSO or unlabeled. |
Trusted Extensions printer can print jobs from a Trusted Solaris 8 system within the printer's label range. |
Trusted Solaris 8 |
Trusted Extensions |
Authorize users – On the Trusted Solaris 8 system, create a profile that adds the needed authorizations. Assign the profile to users. |
Trusted Solaris 8 users can list or cancel print jobs that they send to a Trusted Extensions printer. Users cannot view or remove jobs at a different label. |
The following user commands are extended to conform with Trusted Extensions security policy:
cancel – The caller must be equal to the label of the print job to cancel a job. By default, regular users can cancel only their own jobs.
lp – Trusted Extensions adds the -o nolabels option. Users must be authorized to print with no labels. Similarly, users must be authorized to use the -o nobanner option.
lpstat – The caller must be equal to the label of the print job to obtain the status of a job. By default, regular users can view only their own print jobs.
The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.
lpmove – The caller must be equal to the label of the print job to move a job. By default, regular users can move only their own print jobs.
lpadmin – In the global zone, this command works for all jobs. In a labeled zone, the caller must dominate the print job's label to view a job, and be equal to change a job.
Trusted Extensions adds printer model scripts to the -m option. Trusted Extensions adds the -o nolabels option.
lpsched – In the global zone, this command is always successful. As in the Solaris OS, use the svcadm command to enable, disable, start, or restart the print service. In a labeled zone, the caller must be equal to the label of the print service to change the print service. For details about the service management facility, see the smf(5), svcadm(1M), and svcs(1) man pages.
Trusted Extensions adds the solaris.label.print authorization to the Printer Management rights profile. The solaris.print.unlabeled authorization is required to print body pages without labels.
Trusted Extensions procedures for configuring printing are performed after completing Solaris printer setup. The following task map points to the major tasks that manage labeled printing.
Task |
Description |
For Instructions |
---|---|---|
Configure printers for labeled output. |
Enables users to print to a Trusted Extensions printer. The print jobs are marked with labels. | |
Remove visible labels from printer output. |
Enables users to print at a specific label to a Solaris printer. The print jobs are not marked with labels. Or, prevents labels from printing on a Trusted Extensions printer. |
Reducing Printing Restrictions in Trusted Extensions (Task Map) |
The following task map describes common configuration procedures that are related to labeled printing.
Printer clients can only print jobs within the label range of the Trusted Extensions print server.
Task |
Description |
For Instructions |
---|---|---|
Configure printing from the global zone. |
Creates a multilevel print server in the global zone. | |
Configure printing for a network of systems. |
Creates a multilevel print server in the global zone and enables labeled zones to use the printer. | |
Configure printing for unlabeled systems in the same subnet as labeled systems. |
Enable unlabeled systems to use the network printer. | |
Configure printing from a labeled zone. |
Creates a single–label print server for a labeled zone. | |
Configure a multilevel print client. |
Connects a Trusted Extensions host to a printer. |
How to Enable a Trusted Extensions Client to Access a Printer |
Restrict the label range of a printer. |
Limits a Trusted Extensions printer to a narrow label range. |
Printers that are managed by a Trusted Extensions print server print labels on body pages, banner pages, and trailer pages. Such printers can print jobs within the label range of the print server. Any Trusted Extensions host that can reach the print server can use the printers that are connected to that server.
Determine the print server for your Trusted Extensions network. You must be in the System Administrator role in the global zone on this print server.
Start the Solaris Management Console.
For details, see How to Administer the Local System With the Solaris Management Console.
Choose the Files toolbox.
The title of the toolbox includes Scope=Files, Policy=TSOL.
Enable multilevel printing by configuring the global zone with the print server port, 515/tcp.
Create a multilevel port (MLP) for the print server by adding the port to the global zone.
Define the characteristics of every connected printer.
Use the command line. The Print Manager GUI does not work in the global zone.
# lpadmin -p printer-name -v /dev/null \ -o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript # accept printer-name # enable printer-name |
Assign a printer model script to each printer that is connected to the print server.
The model script activates the banner and trailer pages for the specified printer.
For a description of the scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. On one line, use the following command:
$ lpadmin -p printer \ -m { tsol_standard | tsol_netstandard | tsol_standard_foomatic | tsol_netstandard_foomatic } |
If the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable for every printer, then your label configuration is done.
In every labeled zone where printing is allowed, configure the printer.
Use the all-zones IP address for the global zone as the print server.
In every zone, test the printer.
Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
As root and as a regular user, perform the following steps:
Limit printer label range – How to Configure a Restricted Label Range for a Printer
Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map)
Use this zone as a print server – How to Enable a Trusted Extensions Client to Access a Printer
This procedure configures a PostScript printer on a Sun Ray server that has a single all-zones interface. The printer is made available to all users of Sun Ray clients of this server. Initial configuration happens in the global zone. After the global zone is configured, each labeled zone is configured to use the printer.
You must be logged in to a multilevel session in Trusted CDE.
In the global zone, assign an IP address to the network printer.
For instructions, see Chapter 5, Setting Up Printers by Using LP Print Commands (Tasks), in System Administration Guide: Printing.
Start the Solaris Management Console.
For instructions, see Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
Select the Scope=Files, Policy=TSOL toolbox and log in.
Assign the printer to the admin_low template.
Add the printer port to the shared interface of the global zone.
Verify that the Solaris Management Console assignments are in the kernel.
# tninfo -h printer-IP-address IP address= printer-IP-address Template = admin_low |
# tninfo -m global private: 111/tcp;111/udp;513/tcp;515/tcp;631/tcp;2049/tcp;6000-6050/tcp; 7007/tcp;7010/tcp;7014/tcp;7015/tcp;32771/tcp;32776/ip shared: 515/tcp;6000-6050/tcp;7007/tcp;7010/tcp;7014/tcp;7015/tcp |
The additional private and shared multilevel ports (MLPs) such as 6055 and 7007 support Sun Ray requirements.
Ensure that printing services are enabled in the global zone.
# svcadm enable print/server # svcadm enable rfc1179 |
If your system was installed with netservices limited, enable the printer to reach the network.
The rfc1179 service must listen on addresses other than localhost. The LP service listens only on a named pipe.
# inetadm -m svc:/application/print/rfc1179:default bind_addr='' # svcadm refresh rfc1179 |
If you are running netservices open, the preceding command generates the following error: Error: "inetd" property group missing.
Enable all users to print PostScript.
In the Trusted Editor, create the /etc/default/print file and add this line:
PRINT_POSTSCRIPT=1 |
Applications such as StarOffice and gedit create PostScript output.
Add all LP filters to the printing service.
In the global zone, run this C-Shell script:
csh cd /etc/lp/fd/ foreach a (*.fd) lpfilter -f $a:r -F $a end |
Add a printer in the global zone.
Use the command line. The Print Manager GUI does not work in the global zone.
# lpadmin -p printer-name -v /dev/null -m tsol_netstandard \ -o protocol=tcp -o dest=printer-IP-address:9100 -T PS -I postscript # accept printer-name # enable printer-name |
(Optional) Set the printer as the default.
# lpadmin -d printer-name |
In every labeled zone, configure the printer.
Use the all-zones IP address for the global zone as the print server. If your all-zones NIC is a virtual network interface (vni), use the IP address for the vni as the argument to the -s option.
In every zone, test the printer.
Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
As root and as a regular user, perform the following steps:
In this example, the administrator verifies the network printer's status from the global zone and from a labeled zone.
global # lpstat -t scheduler is running system default destination: math-printer system for _default: trusted1 (as printer math-printer) device for math-printer: /dev/null character set default accepting requests since Feb 28 00:00 2008 lex accepting requests since Feb 28 00:00 2008 printer math-printer is idle. enabled since Feb 28 00:00 2008. available. |
Solaris1# lpstat -t scheduler is not running system default destination: math-printer system for _default: 192.168.4.17 (as printer math-printer) system for math-printer: 192.168.4.17 default accepting requests since Feb 28 00:00 2008 math-printer accepting requests since Feb 28 00:00 2008 printer _default is idle. enabled since Feb 28 00:00 2008. available. printer math-printer is idle. enabled since Feb 28 00:00 2008. available. |
Cascade printing provides the ability to print from a Windows desktop session to a Trusted Extensions labeled zone interface, where the zone IP address of the physical interface acts as the print spooler. The multilevel port (MLP) listener that is on the zone IP address of the physical interface talks to the Trusted Extensions printing subsystem and prints the file with the appropriate labeled header and trailer sheets.
This procedure enables unlabeled systems that are in the same subnet as labeled systems to use the labeled network printer. The rfc1179 service handles cascade printing. You must perform this procedure in every labeled zone from which you permit cascade printing.
You have completed How to Configure a Network Printer for Sun Ray Clients.
Log in as root to the zone console of the labeled zone.
# zlogin -C labeled-zonename |
Remove the rfc1179 service's dependency on the print/server service.
labeled-zone # cat <<EOF | svccfg select application/print/rfc1179 delpg lpsched end EOF |
labeled-zone # svcadm refresh application/print/rfc1179 |
Ensure that the rfc1179 service is enabled.
labeled-zone # svcadm enable rfc1179 |
If the labeled zone was installed with netservices limited, enable the printer to reach the network.
The rfc1179 service must listen on addresses other than localhost. The LP service listens only on a named pipe.
# inetadm -m svc:/application/print/rfc1179:default bind_addr='' # svcadm refresh rfc1179 |
If you are running netservices open, the preceding command generates the following message: Error: "inetd" property group missing.
Configure cascade printing from the labeled zone.
labeled-zone # lpset -n system -a spooling-type=cascade printer-name |
This command updates the zone's /etc/printers.conf file.
Test a Solaris system that is on the same subnet as this labeled zone.
For example, test the Solaris1 system. This system is on the same subnet as the internal zone. The configuration parameters are the following:
math-printer IP address is 192.168.4.6
Solaris1 IP address is 192.168.4.12
internal zone IP address is 192.168.4.17
Solaris1# uname -a SunOS Solaris1 Generic_120011-11 sun4u sparc SUNW,Sun-Blade-1000 Solaris1# lpadmin -p math-printer -s 192.168.4.17 Solaris1# lpadmin -d math-printer Solaris1# lpstat -t scheduler is not running system default destination: math-printer system for _default: 192.168.4.17 (as printer math-printer) system for math-printer: 192.168.4.17 default accepting requests since Feb 28 00:00 2008 math-printer accepting requests since Feb 28 00:00 2008 printer _default is idle. enabled since Feb 28 00:00 2008. available. printer math-printer is idle. enabled since Feb 28 00:00 2008. available. |
Test a Windows 2003 server that is on the same subnet as this labeled zone.
Set up the printer on the Windows server.
Use the Start Menu->Settings->Printers & Faxes GUI.
Specify the following printer configuration:
Add A Printer
Local Printer attached to this computer
Create a new port – Standard TCP/IP Port
Printer Name or IP Address – 192.168.4.17, that is, the IP address of the labeled zone
Port Name – Accept default
Additional Port Information Required – Accept default
Device Type = Custom
Settings – Protocol = LPR
LPR Settings – Queue Name = math-printer, that is, the UNIX Queue Name
LPR Byte Counting Enabled
Finish the printer prompts by specifying the manufacturer, model, driver and other printer parameters.
Test the printer by selecting the printer from an application.
For example, test the winserver system that is on the same subnet as the internal zone. The configuration parameters are the following:
math-printer IP address is 192.168.4.6
winserver IP address is 192.168.4.200
internal zone IP address is 192.168.4.17
winserver C:/> ipconfig Windows IP Configuration Ethernet adapter TP-NIC: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 192.168.4.200 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.4.17 |
The zone must not be sharing an IP address with the global zone. You must be in the System Administrator role in the global zone.
Add a workspace.
For details, see How to Add a Workspace at a Particular Label in Oracle Solaris Trusted Extensions User’s Guide.
Change the label of the new workspace to the label of the zone that will be the print server for that label.
For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.
Define the characteristics of the connected printers.
At the label of zone, start the Print Manager.
By default, the “Use PPD” checkbox is selected. The system finds the appropriate driver for the printer.
(Optional) To specify a different printer driver, do the following:
Remove the check from “Use PPD”.
Define the make and model of the printer that uses a different driver.
In the Print Manager, you supply the values for the first two fields, then the Print Manager supplies the driver name.
Printer Make manufacturer Printer Model manufacturer-part-number Printer Driver automatically filled in |
Assign a printer model script to each printer that is connected to the zone.
The model script activates the banner and trailer pages for the specified printer.
For your choices of scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. Use the following command:
$ lpadmin -p printer -m model |
The attached printers can print jobs only at the label of the zone.
Test the printer.
Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
As root and as a regular user, perform the following steps:
Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map)
Initially, only the zone in which a print server was configured can print to the printers of that print server. The system administrator must explicitly add access to those printers for other zones and systems. The possibilities are as follows:
For a global zone, add access to the printers that are connected to a global zone on a different system.
For a labeled zone, add access to the printers that are connected to the global zone of its system.
For a labeled zone, add access to a printer that a remote zone at the same label is configured for.
For a labeled zone, add access to the printers that are connected to a global zone on a different system.
A print server has been configured with a label range or a single label, and the printers that are connected to it have been configured. For details, see the following:
You must be in the System Administrator role in the global zone, or be able to assume the role.
Complete the procedures that enable your systems to access a printer.
Configure the global zone on a system that is not a print server to use another system's global zone for printer access.
Configure a labeled zone to use its global zone for printer access.
Change the label of the role workspace to the label of the labeled zone.
For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.
Add access to the printer.
$ lpadmin -s printer |
Configure a labeled zone to use another system's labeled zone for printer access.
The labels of the zones must be identical.
On the system that does not have printer access, assume the System Administrator role.
Change the label of the role workspace to the label of the labeled zone.
For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.
Add access to the printer that is connected to the print server of the remote labeled zone.
$ lpadmin -s printer |
Configure a labeled zone to use an unlabeled print server for printer access.
The label of the zone must be identical to the label of the print server.
On the system that does not have printer access, assume the System Administrator role.
Change the label of the role workspace to the label of the labeled zone.
For details, see How to Change the Label of a Workspace in Oracle Solaris Trusted Extensions User’s Guide.
Add access to the printer that is connected to the arbitrarily labeled print server.
$ lpadmin -s printer |
Test the printers.
Starting in the Solaris 10 7/10 release, files with an administrative label, either ADMIN_HIGH or ADMIN_LOW, print ADMIN_HIGH on the body of the printout. The banner and trailer pages are labeled with the highest label and compartments in the label_encodings file.
On every client, test that printing works for root and roles in the global zone and for root, roles, and regular users in labeled zones.
The default printer label range is ADMIN_LOW to ADMIN_HIGH. This procedure narrows the label range for a printer that is controlled by a Trusted Extensions print server.
You must be in the Security Administrator role in the global zone.
Start the Device Allocation Manager.
Click the Device Administration button to display the Device Allocation: Administration dialog box.
Type a name for the new printer.
If the printer is attached to your system, find the name of the printer.
Click the Configure button to display the Device Allocation: Configuration dialog box.
Change the printer's label range.
Click the Min Label button to change the minimum label.
Choose a label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.
Click the Max Label button to change the maximum label.
Save the changes.
Close the Device Allocation Manager.
The following tasks are optional. They reduce the printing security that Trusted Extensions provides by default when the software is installed.
Task |
Description |
For Instructions |
---|---|---|
Configure a printer to not label output. |
Prevents security information from printing on body pages, and removes banner and trailer pages. | |
Configure printers at a single label without labeled output. |
Enables users to print at a specific label to a Solaris printer. The print jobs are not marked with labels. | |
Remove visible labeling of body pages. |
Modifies the tsol_separator.ps file to prevent labeled body pages on all print jobs that are sent from a Trusted Extensions host. | |
Suppress banner and trailer pages. |
Authorizes specific users to print jobs without banner and trailer pages. | |
Enable trusted users to print jobs without labels. |
Authorizes specific users or all users of a particular system to print jobs without labels. | |
Enable the printing of PostScript files. |
Authorizes specific users or all users of a particular system to print PostScript files. |
How to Enable Users to Print PostScript Files in Trusted Extensions |
Assign printing authorizations. |
Enables users to bypass default printing restrictions. |
How to Create a Rights Profile for Convenient Authorizations |
Printers that do not have a Trusted Extensions printer model script do not print labeled banner or trailer pages. The body pages also do not include labels.
You must be in the Security Administrator role in the global zone.
At the appropriate label, do one of the following:
From the print server, stop banner printing altogether.
$ lpadmin -p printer -o nobanner=never |
Body pages are still labeled.
Set the printer model script to a Solaris script.
$ lpadmin -p printer \ -m { standard | netstandard | standard_foomatic | netstandard_foomatic } |
No labels appear on printed output.
A Solaris print server is an unlabeled print server that can be assigned a label for Trusted Extensions access to the printer at that label. Printers that are connected to an unlabeled print server can print jobs only at the label that has been assigned to the print server. Jobs print without labels or trailer pages and might print without banner pages. If a job prints with a banner page, the page does not contain any security information.
A Trusted Extensions system can be configured to submit jobs to a printer that is managed by an unlabeled print server. Users can print jobs on the unlabeled printer at the label that the security administrator assigns to the print server.
You must be in the Security Administrator role in the global zone.
Open the Solaris Management Console in the appropriate scope.
For details, see Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
Under System Configuration, navigate to the Computers and Networks tool.
Provide a password when prompted.
Assign an unlabeled template to the print server.
For details, see How to Assign a Security Template to a Host or a Group of Hosts.
Choose a label. Users who are working at that label can send print jobs to the Solaris printer at the label of the print server. Pages do not print with labels, and banner and trailer pages are also not part of the print job.
Files that are available to the general public are suitable for printing to an unlabeled printer. In this example, marketing writers need to produce documents that do not have labels printed on the top and bottom of the pages.
The security administrator assigns an unlabeled host type template to the Solaris print server. The template is described in Example 13–6. The arbitrary label of the template is PUBLIC. The printer pr-nolabel1 is connected to this print server. Print jobs from users in a PUBLIC zone print on the pr-nolabel1 printer with no labels. Depending on the settings for the printer, the jobs might or might not have banner pages. The banner pages do not contain security information.
This procedure prevents all print jobs on a Trusted Extensions printer from including visible labels on the body pages of the print job.
You must be in the Security Administrator role in the global zone.
Edit the /usr/lib/lp/postscript/tsol_separator.ps file.
Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.
Find the definition of /PageLabel.
Find the following lines:
%% To eliminate page labels completely, change this line to %% set the page label to an empty string: /PageLabel () def /PageLabel Job_PageLabel def |
The value Job_PageLabel might be different at your site.
Replace the value of /PageLabel with a set of empty parentheses.
/PageLabel () def |
This procedure enables an authorized user or role to print jobs on a Trusted Extensions printer without labels on the top and bottom of each body page. Page labels are suppressed for all labels at which the user can work.
You must be in the Security Administrator role in the global zone.
Determine who is permitted to print jobs without page labels.
Authorize those users and roles to print jobs without page labels.
Assign a rights profile that includes the Print without Label authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations.
Instruct the user or role to use the lp command to submit print jobs:
% lp -o nolabels staff.mtg.notes |
You must be in the Security Administrator role in the global zone.
Create a rights profile that includes the Print without Banner authorization.
Assign the profile to each user or role that is allowed to print without banner and trailer pages.
For details, see How to Create a Rights Profile for Convenient Authorizations.
Instruct the user or role to use the lp command to submit print jobs:
% lp -o nobanner staff.mtg.notes |
You must be in the Security Administrator role in the global zone.
Use one of the following three methods to enable users to print PostScript files:
To enable PostScript printing on a system, modify the /etc/default/print file.
Create or modify the /etc/default/print file.
Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.
Type the following entry:
PRINT_POSTSCRIPT=1 |
Save the file and close the editor.
To authorize all users to print PostScript files from a system, modify the /etc/security/policy.conf file.
Modify the policy.conf file.
Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.
Add the solaris.print.ps authorization.
AUTHS_GRANTED=other-authorizations,solaris.print.ps |
Save the file and close the editor.
To enable a user or role to print PostScript files from any system, give just those users and roles the appropriate authorization.
Assign a profile that includes the Print Postscript authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations.
In the following example, the security administrator has constrained a public kiosk to operate at the PUBLIC label. The system also has a few icons that open topics of interest. These topics can be printed.
The security administrator creates an /etc/default/print file on the system. The file has one entry to enable the printing of PostScript files. No user needs a Print Postscript authorization.
# vi /etc/default/print # PRINT_POSTSCRIPT=0 PRINT_POSTSCRIPT=1 |