Solaris Trusted Extensions Administrator's Procedures
Previous Next

Labels, Printers, and Printing

Trusted Extensions software uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printed output. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.

The system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Solaris printer administration procedures, then they assign labels to the print servers and printers.

Trusted Extensions software supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. To use the global zone's print server, a labeled zone must have a host name that is different from the global zone. One way to obtain a distinct host name is to assign an IP address to the labeled zone. The address would be distinct from the global zone's IP address.

Restricting Access to Printers and Print Job Information in Trusted Extensions

Users and roles on a system that is configured with Trusted Extensions software create print jobs at the label of their session. The print jobs can print only on printers that recognize that label. The label must be in the printer's label range.

Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.

Printers that are configured with Trusted Extensions software print labels on the printer output. Printers that are managed by unlabeled print servers do not print labels on the printer output. Such printers have the same label as their unlabeled server. For example, a Solaris print server can be assigned an arbitrary label in the tnrhdb database of the LDAP naming service. Users can then print jobs at that arbitrary label on the Solaris printer. As with Trusted Extensions printers, those Solaris printers can only accept print jobs from users who are working at the label that has been assigned to the print server.

Labeled Printer Output

Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the label_encodings file and from the tsol_separator.ps file.

The security administrator can do the following to modify defaults that set labels and add handling instructions to printer output:

  • Localize or customize the text on the banner and trailer pages

  • Specify alternate labels to be printed on body pages or in the various fields of the banner and trailer pages

  • Change or omit any of the text or labels

The security administrator can also configure user accounts to use printers that do not print labels on the output. Users can also be authorized to selectively not print banners or labels on printer output.

Labeled Body Pages

By default, the “Protect As” classification is printed at the top and bottom of every body page. The “Protect As” classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.

For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.

Figure 21-1 Job's Label Printed at the Top and Bottom of a Banner Page
Illustration shows a sample banner page with the label printed at the top and bottom of the page.
Labeled Banner and Trailer Pages

The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. Note that the trailer page uses a different outer line.

The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization.

Figure 21-2 Typical Banner Page of a Labeled Print Job
Illustration shows a banner page with job number, classifications, and handling instructions.
Figure 21-3 Differences on a Trailer Page
Illustration shows that the trailer page reads JOB END, while the banner page reads JOB START at the bottom of the page.

The following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/lp/postscript/tsol_separator.ps file.


Note - To localize or internationalize the printed output, see the comments in the tsol_separator.ps file.


Table 21-1 Configurable Values in the tsol_separator.ps File

Output

Default Value

How Defined

To Change

PRINTER BANNERS

/Caveats Job_Caveats

/Caveats Job_Caveats

See Specifying Printer Banners in Solaris Trusted Extensions Label Administration.

CHANNELS

/Channels Job_Channels

/Channels Job_Channels

See Specifying Channels in Solaris Trusted Extensions Label Administration.

Label at the top of banner and trailer pages

/HeadLabel Job_Protect def

See /PageLabel description.

The same as changing /PageLabel..

Also see Specifying the Protect As Classification in Solaris Trusted Extensions Label Administration.

Label at the top and bottom of body pages

/PageLabel Job_Protect def

Compares the label of the job to the minimum protect as classification in the label_encodings file. Prints the more dominant classification.

Contains compartments if the print job's label has compartments.

Change the /PageLabel definition to specify another value.

Or, type a string of your choosing.

Or, print nothing at all.

Text and label in the “Protect as” classification statement

/Protect Job_Protect def

/Protect_Text1 () def

/Protect_Text2 () def

See /PageLabel description.

Text to appear above label.

Text to appear below label.

The same as changing /PageLabel.

Replace () in Protect_Text1 and Protect_Text2 with text string.

PostScript Printing of Security Information

Labeled printing in Trusted Extensions relies on features from Solaris printing. In the Solaris OS, printer model scripts handle banner page creation. To implement labeling, a printer model script first converts the print job to a PostScriptTM file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.

Solaris printer model scripts can also translate PostScript into the native language of a printer. If a printer accepts PostScript input, then Solaris software sends the job to the printer. If a printer does not accept PostScript input, then the software converts the PostScript format to a raster image. The raster image is then converted to the appropriate printer format.

Because PostScript software is used to print label information, users cannot print PostScript files by default. This restriction prevents a knowledgeable PostScript programmer from creating a PostScript file that modifies the labels on the printer output.

The Security Administrator role can override this restriction by assigning the Print PostScript authorization to role accounts and to trustworthy users. The authorization is assigned only if the account can be trusted not to spoof the labels on printer output. Also, allowing a user to print PostScript files must be consistent with the site's security policy.

Printer Model Scripts

A printer model script enables a particular model of printer to provide banner and trailer pages. Trusted Extensions provides four scripts:

  • tsol_standard - For directly attached PostScript printers, for example, printers attached by a parallel port

  • tsol_netstandard - For network–accessible PostScript printers

  • tsol_standard_foomatic - For directly attached printers that do not print PostScript format

  • tsol_netstandard_foomatic - For network–accessible printers that do not print PostScript format

The foomatic scripts are used when a printer driver name begins with Foomatic. Foomatic drivers are PostScript Printer Drivers (PPD). By default, “Use PPD” is specified in the Print Manager when you add a printer. A PPD is then used to translate banner and trailer pages into the language of the printer.

Additional Conversion Filters

A conversion filter converts text files to PostScript format. The filter's programs are trusted programs that are run by the printer daemon. Files that are converted to PostScript format by any installed filter program can be trusted to have authentic labels and banner and trailer page text.

Solaris software provides most conversion filters that a site needs. A site's System Administrator role can install additional filters. These filters can then be trusted to have authentic labels, and banner and trailer pages. To add conversion filters, see Chapter 7, Customizing Printing Services and Printers (Tasks), in System Administration Guide: Solaris Printing.

Interoperability of Trusted Extensions With Trusted Solaris 8 Printing

Trusted Solaris 8 and Trusted Extensions systems that have compatible label_encodings files and that identify each other as using a CIPSO template can use each other for remote printing. The following table describes how to set up the systems to enable printing. By default, users cannot list or cancel print jobs on a remote print server of the other OS. Optionally, you can authorize users to do so.

Originating System

Print Server System

Action

Results

Trusted Extensions

Trusted Solaris 8

Configure printing – In the Trusted Extensions tnrhdb, assign a template with the appropriate label range to the Trusted Solaris 8 print server. The label could be CIPSO or unlabeled.

Trusted Solaris 8 printer can print jobs from a Trusted Extensions system within the printer's label range.

Trusted Extensions

Trusted Solaris 8

Authorize users – On the Trusted Extensions system, create a profile that adds the needed authorizations. Assign the profile to users.

Trusted Extensions users can list or cancel print jobs that they send to a Trusted Solaris 8 printer.

Users cannot view or remove jobs at a different label.

Trusted Solaris 8

Trusted Extensions

Configure printing – In the Trusted Solaris 8 tnrhdb, assign a template with the appropriate label range to the Trusted Extensions print server. The label could be CIPSO or unlabeled.

Trusted Extensions printer can print jobs from a Trusted Solaris 8 system within the printer's label range.

Trusted Solaris 8

Trusted Extensions

Authorize users – On the Trusted Solaris 8 system, create a profile that adds the needed authorizations. Assign the profile to users.

Trusted Solaris 8 users can list or cancel print jobs that they send to a Trusted Extensions printer.

Users cannot view or remove jobs at a different label.

Trusted Extensions Print Interfaces (Reference)

The following user commands are extended to conform with Trusted Extensions security policy:

  • cancel – The caller must be equal to the label of the print job to cancel a job. By default, regular users can cancel only their own jobs.

  • lp – Trusted Extensions adds the -o nolabels option. Users must be authorized to print with no labels. Similarly, users must be authorized to use the -o nobanner option.

  • lpstat – The caller must be equal to the label of the print job to obtain the status of a job. By default, regular users can view only their own print jobs.

The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.

  • lpmove – The caller must be equal to the label of the print job to move a job. By default, regular users can move only their own print jobs.

  • lpadmin – In the global zone, this command works for all jobs. In a labeled zone, the caller must dominate the print job's label to view a job, and be equal to change a job.

    Trusted Extensions adds printer model scripts to the -m option. Trusted Extensions adds the -o nolabels option.

  • lpsched – In the global zone, this command is always successful. As in the Solaris OS, use the svcadm command to enable, disable, start, or restart the print service. In a labeled zone, the caller must be equal to the label of the print service to change the print service. For details about the service management facility, see the smf(5), svcadm(1M), and svcs(1) man pages.

Trusted Extensions adds the solaris.label.print authorization to the Printer Management rights profile. The solaris.print.unlabeled authorization is required to print body pages without labels.

Previous Next