Labels, Printers, and Printing

Trusted Extensions uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printouts. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.

The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Oracle Solaris printer administration procedures. Configuration is required to apply labels, limit the label range of print jobs, configure labeled zones to print, and relax print restrictions.

Trusted Extensions supports both multilevel and single-level printing. By default, a print server that is configured in the global zone of a Trusted Extensions system can print the full range of labels, that is, the print server is multilevel. Any labeled zone or system that can reach that print server can print to the connected printer. A labeled zone can support single-level printing. The zone can connect to the printer by way of the global zone, or the zone can be configured as a print server. Any zone at that label that can reach the labeled zone, and hence its print server, can print to the connected printer. Single-level printing is also possible by using the print server on an unlabeled system that has been assigned an arbitrary label. These print jobs print without a label.

Differences Between Trusted Extensions Printing in Oracle Solaris 10 and Oracle Solaris 11

The default printing protocol for Oracle Solaris 10 is the LP print service. The default for Oracle Solaris 11 is the Common UNIX Printing System (CUPS). For a comprehensive guide to CUPs in Oracle Solaris, see Configuring and Managing Printing in Oracle Solaris 11.1. The following table lists salient differences between the CUPS and LP printing protocols.

Table 19-1 CUPS – LP Differences

Area of Difference	CUPS	LP
IANA port number	`631`	`515`
Sided printing	Single-sided	Double-sided
Cascade printing	Must share the printer on the print server	Must configure the route to the printer
Accessing network printers	Must be able to successfully `ping` the IP address of the printer and print server	Must configure the route to the printer
Remote print jobs	Cannot print without labels	Can print without labels
Adding a remote printer to a client	lpadmin -p `printer-name` -E \ -v ipp://`print-server-IP-address`/ printers/`printer-name-on-server`	lpadmin -p `printer-name` \ -s `server-name`
Enabling and accepting the print server	`lpadmin` `-E` option	`accept` and `enable` commands
PostScript protection	Provided by default	Requires an authorization
Disabling banner and trailer pages	`-o job-sheets=none` option	`-o nobanner` option
lp -d `printer` file1 file2	One banner page and one trailer page per print job	A banner and a trailer page for each file in a print job
Label orientation on job pages	Always portrait	Always the orientation of the job
Print services	svc:/application/cups/ scheduler .../in-lpd:default	svc:/application/print/ service-selector .../server .../rfc1179 .../ipp-listener svc:/network/device-discovery/ printers:snmp

Restricting Access to Printers and Print Job Information in Trusted Extensions

Users and roles on a system that is configured with Trusted Extensions create print jobs at the label of their session. The print jobs are accepted only by print servers that recognize that label. The label must be in the label range of the print server.

Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.

Labeled Printer Output

Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the /etc/security/tsol/label_encodings file and from the /usr/lib/cups/filter/tsol_separator.ps file. Labels that are longer than 80 characters are printed truncated at the top and bottom of all pages. The truncation is indicated by an arrow (->). The header and footer labels are printed in portrait orientation even when the body pages are printed in landscape. For an example, see Figure 19-4.

The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization. The security administrator can configure the following:

Localize or customize the text on the banner and trailer pages
Specify alternate labels to be printed on body pages or in the various fields of the banner and trailer pages
Change or omit any of the text or labels

Users who are directed to an unlabeled printer can print output with no labels. Users in a labeled zone with its own print server can print output with no labels if they are assigned the solaris.print.unlabeled authorization. Roles can be configured to print output with no labels to a local printer that is controlled by a Trusted Extensions print server. For assistance, see Reducing Printing Restrictions in Trusted Extensions (Task Map).

Labeled Banner and Trailer Pages

The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. For an explanation of the source of the text in these sections, see Chapter 4, Labeling Printer Output (Tasks), in Trusted Extensions Label Administration. Note that the trailer page uses a different outer line.

Figure 19-1 Typical Banner Page of a Labeled Print Job

image:Illustration shows a banner page with job number, classifications, and handling instructions.

Figure 19-2 Differences on a Trailer Page

image:Illustration shows that the trailer page reads JOB END, while the banner page reads JOB START at the bottom of the page.

Labeled Body Pages

By default, the “Protect as” classification is printed at the top and bottom of every body page. The “Protect as” classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.

For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.

Figure 19-3 Job's Label Printed at the Top and Bottom of a Body Page

image:Illustration shows a sample body page with the label printed at the top and bottom of the page.

When the body pages are printed in landscape mode, the label prints in portrait mode. The following figure illustrates a body page, printed in landscape mode, whose Protect As label extends past the page boundaries. The label is truncated to 80 characters.

Figure 19-4 Job's Label Prints in Portrait Mode When the Body Page Is Printed in Landscape Mode

image:Illustration shows a sample body page printed in landscape mode with the label printed in portrait mode.

`tsol_separator.ps` Configuration File

The following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/cups/filter/tsol_separator.ps file.

Table 19-2 Configurable Values in the tsol_separator.ps File

Output	Default Value	How Defined	To Change
`PRINTER BANNERS`	`/Caveats Job_Caveats`	`/Caveats Job_Caveats`	See Specifying Printer Banners in Trusted Extensions Label Administration.
`CHANNELS`	`/Channels Job_Channels`	`/Channels Job_Channels`	See Specifying Channels in Trusted Extensions Label Administration.
Label at the top of banner and trailer pages	`/HeadLabel Job_Protect def`	See `/PageLabel` description.	The same as changing `/PageLabel`. Also see Specifying the “Protect As” Classification in Trusted Extensions Label Administration.
Label at the top and bottom of body pages	`/PageLabel Job_Protect def`	Compares the label of the job to the `minimum protect as classification` in the `label_encodings` file. Prints the more dominant classification. Contains compartments if the print job's label has compartments.	Change the `/PageLabel` definition to specify another value. Or, type a string of your choosing. Or, print nothing at all.
Text and label in the “Protect as” classification statement	`/Protect Job_Protect def` `/Protect_Text1 () def` `/Protect_Text2 () def`	See `/PageLabel` description. Text to appear above label. Text to appear below label.	The same as changing `/PageLabel`. Replace `()` in `Protect_Text1` and `Protect_Text2` with text string.

PostScript Printing of Security Information

Labeled printing in Trusted Extensions relies on features from Oracle Solaris printing. As in the Oracle Solaris OS, the job-sheets option handles banner page creation. To implement labeling, a filter converts the print job to a PostScript file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.

Note - CUPS prevents any alteration of PostScript files. Therefore, a knowledgeable PostScript programmer cannot create a PostScript file that modifies the labels on the printout.

Trusted Extensions Print Interfaces (Reference)

Trusted Extensions adds the following print authorizations to implement Trusted Extensions security policy. These authorizations are checked on the print server. Therefore, remote users, such as users in labeled zones, cannot pass the authorization check.

solaris.print.admin – Enables a role to administer printing
solaris.print.list – Enables a role to view print jobs that do not belong to the role
solaris.print.nobanner – Enables a role to print jobs without banner and trailer pages from the global zone
solaris.print.unlabeled – Enables a role to print jobs without page labels from the global zone

The following user commands are extended to conform with Trusted Extensions security policy:

cancel – The caller must be equal to the label of the print job to cancel a job. Regular users can cancel only their own jobs.
lp – The -o nolabel option, which prints body pages without labels, requires the solaris.print.unlabeled authorization. The -o job-sheets=none option, which prints the job without a banner or trailer page, requires the solaris.print.nobanner authorization.
lpstat – The caller must be equal to the label of the print job to obtain the status of a job. Regular users can view only their own print jobs.

The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Oracle Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.

lpmove – The caller must be equal to the label of the print job to move a job. By default, regular users can move only their own print jobs.
lpadmin – In the global zone, this command works for all jobs. In a labeled zone, the caller must dominate the print job's label to view a job, and be equal to change a job.
lpsched – In the global zone, this command is always successful. As in the Oracle Solaris OS, use the svcadm command to enable, disable, start, or restart the print service. In a labeled zone, the caller must be equal to the label of the print service to change the print service. For details about the service management facility, see the smf(5), svcadm(1M), and svcs(1) man pages.

Skip Navigation Links
Exit Print View
	Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library