Trusted Extensions uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printouts. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.
The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Oracle Solaris printer administration procedures. Configuration is required to apply labels, limit the label range of print jobs, configure labeled zones to print, and relax print restrictions.
Trusted Extensions supports both multilevel and single-level printing. By default, a print server that is configured in the global zone of a Trusted Extensions system can print the full range of labels, that is, the print server is multilevel. Any labeled zone or system that can reach that print server can print to the connected printer. A labeled zone can support single-level printing. The zone can connect to the printer by way of the global zone, or the zone can be configured as a print server. Any zone at that label that can reach the labeled zone, and hence its print server, can print to the connected printer. Single-level printing is also possible by using the print server on an unlabeled system that has been assigned an arbitrary label. These print jobs print without a label.
The default printing protocol for Oracle Solaris 10 is the LP print service. The default for Oracle Solaris 11.4 is the Common UNIX Printing System (CUPS). For a comprehensive guide to CUPs in Oracle Solaris, see Configuring and Managing Printing in Oracle Solaris 11.4. The following table lists salient differences between the CUPS and LP printing protocols.
Users and roles on a system that is configured with Trusted Extensions create print jobs at the label of their session. The print jobs are accepted only by print servers that recognize that label. The label must be in the label range of the print server.
Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.
Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the /etc/security/tsol/label_encodings file and from the /usr/lib/cups/filter/tsol_separator.ps file. Labels that are longer than 80 characters are printed truncated at the top and bottom of all pages. The truncation is indicated by an arrow (->). The header and footer labels are printed in portrait orientation even when the body pages are printed in landscape. For an example, see Job's Label Prints in Portrait Mode When the Body Page Is Printed in Landscape Mode.
The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization. The security administrator can configure the following:
Localize or customize the text on the banner and trailer pages
Specify alternate labels to be printed on body pages or in the various fields of the banner and trailer pages
Change or omit any of the text or labels
Users who are directed to an unlabeled printer can print output with no labels. Users in a labeled zone with its own print server can print output with no labels if they are assigned the solaris.print.unlabeled authorization. Roles can be configured to print output with no labels to a local printer that is controlled by a Trusted Extensions print server. For assistance, see Reducing Printing Restrictions in Trusted Extensions.
The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. For an explanation of the source of the text in these sections, see Chapter 4, Labeling Printer Output in Trusted Extensions Label Administration. Note that the trailer page uses a different outer line.
Figure 3 Typical Banner Page of a Labeled Print Job
Figure 4 Differences on a Trailer Page
By default, the "Protect as" classification is printed at the top and bottom of every body page. The "Protect as" classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.
For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.
Figure 5 Job's Label Printed at the Top and Bottom of a Body Page
When the body pages are printed in landscape mode, the label prints in portrait mode. The following figure illustrates a body page, printed in landscape mode, whose Protect As label extends past the page boundaries. The label is truncated to 80 characters.
Figure 6 Job's Label Prints in Portrait Mode When the Body Page Is Printed in Landscape Mode
The following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/cups/filter/tsol_separator.ps file.
Labeled printing in Trusted Extensions relies on features from Oracle Solaris printing. As in the Oracle Solaris OS, the –job-sheets option handles banner page creation. To implement labeling, a filter converts the print job to a PostScript file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.
Trusted Extensions adds the following print authorizations to implement Trusted Extensions security policy. These authorizations are checked on the print server. Therefore, remote users, such as users in labeled zones, cannot pass the authorization check.
solaris.print.admin – Enables a role to administer printing
solaris.print.list – Enables a role to view print jobs that do not belong to the role
solaris.print.nobanner – Enables a role to print jobs without banner and trailer pages from the global zone
solaris.print.unlabeled – Enables a role to print jobs without page labels from the global zone
The following user commands are extended to conform with Trusted Extensions security policy:
cancel – The caller must be equal to the label of the print job to cancel a job. Regular users can cancel only their own jobs.
lp – The –o nolabel option, which prints body pages without labels, requires the solaris.print.unlabeled authorization. The –o job-sheets=none option, which prints the job without a banner or trailer page, requires the solaris.print.nobanner authorization.
lpstat – The caller must be equal to the label of the print job to obtain the status of a job. Regular users can view only their own print jobs.
The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Oracle Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.
lpmove – The caller must be equal to the label of the print job to move a job. By default, regular users can move only their own print jobs.
lpadmin – In the global zone, this command works for all jobs. In a labeled zone, the caller must dominate the print job's label to view a job, and be equal to change a job.
lpsched – In the global zone, this command is always successful. As in the Oracle Solaris OS, use the svcadm command to enable, disable, start, or restart the print service. In a labeled zone, the caller must be equal to the label of the print service to change the print service. For details about the service management facility, see the smf(7), svcadm(8), and svcs(1) man pages.