JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

Labels, Printers, and Printing

Differences Between Trusted Extensions Printing in Oracle Solaris 10 and Oracle Solaris 11

Restricting Access to Printers and Print Job Information in Trusted Extensions

Labeled Printer Output

Labeled Banner and Trailer Pages

Labeled Body Pages Configuration File

PostScript Printing of Security Information

Trusted Extensions Print Interfaces (Reference)

Managing Printing in Trusted Extensions (Tasks)

Configuring Labeled Printing (Task Map)

How to Configure a Multilevel Print Server and Its Printers

How to Configure a Network Printer

How to Configure a Zone as a Single-Level Print Server

How to Enable a Trusted Extensions Client to Access a Printer

How to Configure a Restricted Label Range for a Printer

Reducing Printing Restrictions in Trusted Extensions (Task Map)

How to Remove Banner and Trailer Pages

How to Assign a Label to an Unlabeled Print Server

How to Enable Specific Users and Roles to Bypass Labeling Printed Output

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions



Labels, Printers, and Printing

Trusted Extensions uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printouts. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.

The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Oracle Solaris printer administration procedures. Configuration is required to apply labels, limit the label range of print jobs, configure labeled zones to print, and relax print restrictions.

Trusted Extensions supports both multilevel and single-level printing. By default, a print server that is configured in the global zone of a Trusted Extensions system can print the full range of labels, that is, the print server is multilevel. Any labeled zone or system that can reach that print server can print to the connected printer. A labeled zone can support single-level printing. The zone can connect to the printer by way of the global zone, or the zone can be configured as a print server. Any zone at that label that can reach the labeled zone, and hence its print server, can print to the connected printer. Single-level printing is also possible by using the print server on an unlabeled system that has been assigned an arbitrary label. These print jobs print without a label.

Differences Between Trusted Extensions Printing in Oracle Solaris 10 and Oracle Solaris 11

The default printing protocol for Oracle Solaris 10 is the LP print service. The default for Oracle Solaris 11 is the Common UNIX Printing System (CUPS). For a comprehensive guide to CUPs in Oracle Solaris, see Configuring and Managing Printing in Oracle Solaris 11.1. The following table lists salient differences between the CUPS and LP printing protocols.

Table 19-1 CUPS – LP Differences

Area of Difference
IANA port number
Sided printing
Cascade printing
Must share the printer on the print server
Must configure the route to the printer
Accessing network printers
Must be able to successfully ping the IP address of the printer and print server
Must configure the route to the printer
Remote print jobs
Cannot print without labels
Can print without labels
Adding a remote printer to a client
lpadmin -p printer-name -E \ 
-v ipp://print-server-IP-address/
lpadmin -p printer-name \
 -s server-name
Enabling and accepting the print server
lpadmin -E option
accept and enable commands
PostScript protection
Provided by default
Requires an authorization
Disabling banner and trailer pages
-o job-sheets=none option
-o nobanner option
lp -d printer file1 file2
One banner page and one trailer page per print job
A banner and a trailer page for each file in a print job
Label orientation on job pages
Always portrait
Always the orientation of the job
Print services

Restricting Access to Printers and Print Job Information in Trusted Extensions

Users and roles on a system that is configured with Trusted Extensions create print jobs at the label of their session. The print jobs are accepted only by print servers that recognize that label. The label must be in the label range of the print server.

Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.

Labeled Printer Output

Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the /etc/security/tsol/label_encodings file and from the /usr/lib/cups/filter/ file. Labels that are longer than 80 characters are printed truncated at the top and bottom of all pages. The truncation is indicated by an arrow (->). The header and footer labels are printed in portrait orientation even when the body pages are printed in landscape. For an example, see Figure 19-4.

The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization. The security administrator can configure the following:

Users who are directed to an unlabeled printer can print output with no labels. Users in a labeled zone with its own print server can print output with no labels if they are assigned the solaris.print.unlabeled authorization. Roles can be configured to print output with no labels to a local printer that is controlled by a Trusted Extensions print server. For assistance, see Reducing Printing Restrictions in Trusted Extensions (Task Map).

Labeled Banner and Trailer Pages

The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. For an explanation of the source of the text in these sections, see Chapter 4, Labeling Printer Output (Tasks), in Trusted Extensions Label Administration. Note that the trailer page uses a different outer line.

Figure 19-1 Typical Banner Page of a Labeled Print Job

image:Illustration shows a banner page with job number, classifications, and handling instructions.

Figure 19-2 Differences on a Trailer Page

image:Illustration shows that the trailer page reads JOB END, while the banner page reads JOB START at the bottom of the page.

Labeled Body Pages

By default, the “Protect as” classification is printed at the top and bottom of every body page. The “Protect as” classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.

For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.

Figure 19-3 Job's Label Printed at the Top and Bottom of a Body Page

image:Illustration shows a sample body page with the label printed at the top and bottom of the page.

When the body pages are printed in landscape mode, the label prints in portrait mode. The following figure illustrates a body page, printed in landscape mode, whose Protect As label extends past the page boundaries. The label is truncated to 80 characters.

Figure 19-4 Job's Label Prints in Portrait Mode When the Body Page Is Printed in Landscape Mode

image:Illustration shows a sample body page printed in landscape mode with the label printed in portrait mode. Configuration File

The following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/cups/filter/ file.

Table 19-2 Configurable Values in the File

Default Value
How Defined
To Change
/Caveats Job_Caveats
/Caveats Job_Caveats
/Channels Job_Channels
/Channels Job_Channels
Label at the top of banner and trailer pages
/HeadLabel Job_Protect def
See /PageLabel description.
Label at the top and bottom of body pages
/PageLabel Job_Protect def
Compares the label of the job to the minimum protect as classification in the label_encodings file. Prints the more dominant classification.

Contains compartments if the print job's label has compartments.

Change the /PageLabel definition to specify another value.

Or, type a string of your choosing.

Or, print nothing at all.

Text and label in the “Protect as” classification statement
/Protect Job_Protect def

/Protect_Text1 () def

/Protect_Text2 () def

See /PageLabel description.

Text to appear above label.

Text to appear below label.

The same as changing /PageLabel.

Replace () in Protect_Text1 and Protect_Text2 with text string.

PostScript Printing of Security Information

Labeled printing in Trusted Extensions relies on features from Oracle Solaris printing. As in the Oracle Solaris OS, the job-sheets option handles banner page creation. To implement labeling, a filter converts the print job to a PostScript file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.

Note - CUPS prevents any alteration of PostScript files. Therefore, a knowledgeable PostScript programmer cannot create a PostScript file that modifies the labels on the printout.

Trusted Extensions Print Interfaces (Reference)

Trusted Extensions adds the following print authorizations to implement Trusted Extensions security policy. These authorizations are checked on the print server. Therefore, remote users, such as users in labeled zones, cannot pass the authorization check.

The following user commands are extended to conform with Trusted Extensions security policy:

The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Oracle Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.