Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: November 2020

Labels, Printers, and Printing

Trusted Extensions uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printouts. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.

The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Oracle Solaris printer administration procedures. Configuration is required to apply labels, limit the label range of print jobs, configure labeled zones to print, and relax print restrictions.

Trusted Extensions supports both multilevel and single-level printing. By default, a print server that is configured in the global zone of a Trusted Extensions system can print the full range of labels, that is, the print server is multilevel. Any labeled zone or system that can reach that print server can print to the connected printer. A labeled zone can support single-level printing. The zone can connect to the printer by way of the global zone, or the zone can be configured as a print server. Any zone at that label that can reach the labeled zone, and hence its print server, can print to the connected printer. Single-level printing is also possible by using the print server on an unlabeled system that has been assigned an arbitrary label. These print jobs print without a label.

Differences Between Trusted Extensions Printing in Oracle Solaris 10 and Oracle Solaris 11.4

The default printing protocol for Oracle Solaris 10 is the LP print service. The default for Oracle Solaris 11.4 is the Common UNIX Printing System (CUPS). For a comprehensive guide to CUPs in Oracle Solaris, see Configuring and Managing Printing in Oracle Solaris 11.4. The following table lists salient differences between the CUPS and LP printing protocols.

Table 22  CUPS – LP Differences
Area of Difference
IANA port number
Sided printing
Cascade printing
Must share the printer on the print server
Must configure the route to the printer
Accessing network printers
Must be able to successfully ping the IP address of the printer and print server
Must configure the route to the printer
Remote print jobs
Cannot print without labels
Can print without labels
Adding a remote printer to a client
lpadmin -p printer-name -E \
-v ipp://print-server-IP-address/
lpadmin -p printer-name \
-s server-name
Enabling and accepting the print server
lpadmin –E option
accept and enable commands
PostScript protection
Provided by default
Requires an authorization
Enabling banner pages
–o job-sheets=labeled option
Provided by default
Disabling banner and trailer pages
–o job-sheets=none option
–o nobanner option
lp -d printer file1 file2
One banner page and one trailer page per print job
A banner and a trailer page for each file in a print job
Label orientation on job pages
Always portrait
Always the orientation of the job
Print services

Restricting Access to Printers and Print Job Information in Trusted Extensions

Users and roles on a system that is configured with Trusted Extensions create print jobs at the label of their session. The print jobs are accepted only by print servers that recognize that label. The label must be in the label range of the print server.

Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.

Labeled Printer Output

Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the /etc/security/tsol/label_encodings file and from the /usr/lib/cups/filter/tsol_separator.ps file. Labels that are longer than 80 characters are printed truncated at the top and bottom of all pages. The truncation is indicated by an arrow (->). The header and footer labels are printed in portrait orientation even when the body pages are printed in landscape. For an example, see Job's Label Prints in Portrait Mode When the Body Page Is Printed in Landscape Mode.

    The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization. The security administrator can configure the following:

  • Localize or customize the text on the banner and trailer pages

  • Specify alternate labels to be printed on body pages or in the various fields of the banner and trailer pages

  • Change or omit any of the text or labels

Users who are directed to an unlabeled printer can print output with no labels. Users in a labeled zone with its own print server can print output with no labels if they are assigned the solaris.print.unlabeled authorization. Roles can be configured to print output with no labels to a local printer that is controlled by a Trusted Extensions print server. For assistance, see Reducing Printing Restrictions in Trusted Extensions.

Labeled Banner and Trailer Pages

The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. For an explanation of the source of the text in these sections, see Chapter 4, Labeling Printer Output in Trusted Extensions Label Administration. Note that the trailer page uses a different outer line.

Figure 3  Typical Banner Page of a Labeled Print Job

image:Graphic shows a banner page with job number, classifications, and handling instructions.

Figure 4  Differences on a Trailer Page

image:Graphic shows that the trailer page reads JOB END, while the banner page reads JOB START at the bottom of the page.

Labeled Body Pages

By default, the "Protect as" classification is printed at the top and bottom of every body page. The "Protect as" classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.

For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.

Figure 5  Job's Label Printed at the Top and Bottom of a Body Page

image:Graphic shows a sample body page with the label printed at the top and bottom of the page.

When the body pages are printed in landscape mode, the label prints in portrait mode. The following figure illustrates a body page, printed in landscape mode, whose Protect As label extends past the page boundaries. The label is truncated to 80 characters.

Figure 6  Job's Label Prints in Portrait Mode When the Body Page Is Printed in Landscape Mode

image:Graphic shows a sample body page printed in landscape mode with the label printed in portrait mode.

tsol_separator.ps Configuration File

The following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/cups/filter/tsol_separator.ps file.

Table 23  Configurable Values in the tsol_separator.ps File
Default Value
How Defined
To Change
/Caveats Job_Caveats
/Caveats Job_Caveats
/Channels Job_Channels
/Channels Job_Channels
Label at the top of banner and trailer pages
/HeadLabel Job_Protect def
See /PageLabel description.
The same as changing /PageLabel.
Label at the top and bottom of body pages
/PageLabel Job_Protect def
Compares the label of the job to the minimum protect as classification in the label_encodings file. Prints the more dominant classification.
Contains compartments if the print job's label has compartments.
Change the /PageLabel definition to specify another value.
Or, type a string of your choosing.
Or, print nothing at all.
Text and label in the "Protect as" classification statement
/Protect Job_Protect def
/Protect_Text1 () def
/Protect_Text2 () def
See /PageLabel description.
Text to appear above label.
Text to appear below label.
The same as changing /PageLabel.
Replace () in Protect_Text1 and Protect_Text2 with text string.

PostScript Printing of Security Information

Labeled printing in Trusted Extensions relies on features from Oracle Solaris printing. As in the Oracle Solaris OS, the –job-sheets option handles banner page creation. To implement labeling, a filter converts the print job to a PostScript file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.

Note - CUPS prevents any alteration of PostScript files. Therefore, a knowledgeable PostScript programmer cannot create a PostScript file that modifies the labels on the printout.

Trusted Extensions Print Interfaces (Reference)

    Trusted Extensions adds the following print authorizations to implement Trusted Extensions security policy. These authorizations are checked on the print server. Therefore, remote users, such as users in labeled zones, cannot pass the authorization check.

  • solaris.print.admin – Enables a role to administer printing

  • solaris.print.list – Enables a role to view print jobs that do not belong to the role

  • solaris.print.nobanner – Enables a role to print jobs without banner and trailer pages from the global zone

  • solaris.print.unlabeled – Enables a role to print jobs without page labels from the global zone

    The following user commands are extended to conform with Trusted Extensions security policy:

  • cancel – The caller must be equal to the label of the print job to cancel a job. Regular users can cancel only their own jobs.

  • lp – The –o nolabel option, which prints body pages without labels, requires the solaris.print.unlabeled authorization. The –o job-sheets=none option, which prints the job without a banner or trailer page, requires the solaris.print.nobanner authorization.

  • lpstat – The caller must be equal to the label of the print job to obtain the status of a job. Regular users can view only their own print jobs.

    The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Oracle Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.

  • lpmove – The caller must be equal to the label of the print job to move a job. By default, regular users can move only their own print jobs.

  • lpadmin – In the global zone, this command works for all jobs. In a labeled zone, the caller must dominate the print job's label to view a job, and be equal to change a job.

  • lpsched – In the global zone, this command is always successful. As in the Oracle Solaris OS, use the svcadm command to enable, disable, start, or restart the print service. In a labeled zone, the caller must be equal to the label of the print service to change the print service. For details about the service management facility, see the smf(7), svcadm(8), and svcs(1) man pages.