Reducing Printing Restrictions in Trusted Extensions (Task Map)

The following tasks are optional. They reduce the printing security that Trusted Extensions provides by default when the software is installed.

Task	Description	For Instructions
Configure a printer to not label output.	Prevents security information from printing on printouts from the global zone.	How to Remove Banner and Trailer Pages
Configure printers at a single label without labeled output.	Enables users to print at a specific label. The print jobs are not marked with labels.	How to Assign a Label to an Unlabeled Print Server
Remove visible labeling of body pages.	Prints to an unlabeled print server. Assigns print authorizations that suppress labeling.	How to Assign a Label to an Unlabeled Print Server How to Enable Specific Users and Roles to Bypass Labeling Printed Output
Suppress banner and trailer pages.	Removes banner and trailer pages, thus removing the additional security information on those pages.	How to Remove Banner and Trailer Pages
Assign print authorizations.	Authorizes specific users and roles to print jobs without labels.	How to Enable Specific Users and Roles to Bypass Labeling Printed Output

How to Remove Banner and Trailer Pages

Printers that have the job-sheets option set to none do not print banner or trailer pages.

Before You Begin

You must be in the Security Administrator role in the global zone.

At the appropriate label, configure the printer with no banner or trailer pages.
```
$ lpadmin -p print-server-IP-address -o job-sheets=none,none
```
Or, you can specify none once.
```
$ lpadmin -p print-server-IP-address -o job-sheets=none
```
The body pages are still labeled. To remove labels from body pages, see How to Enable Specific Users and Roles to Bypass Labeling Printed Output.

How to Assign a Label to an Unlabeled Print Server

An Oracle Solaris print server can be assigned a label by a Trusted Extensions system for access to a printer at that label. Jobs print at the assigned label without labels. If a job prints with a banner page, the page does not contain any security information.

A Trusted Extensions system can be configured to submit jobs to a printer that is managed by an unlabeled print server. Users can print jobs on the unlabeled printer at the assigned label.

Before You Begin

You must be in the Security Administrator role in the global zone.

Assign an unlabeled template to the print server.
For details, see How to Add a Host to a Security Template.
Users who are working at the label that is assigned to the print server in the unlabeled template can send print jobs to the Oracle Solaris printer at that label.
On the system that does not have printer access, assume the System Administrator role.
Change the label of the role workspace to the label of the labeled zone.
For details, see How to Change the Label of a Workspace in Trusted Extensions User’s Guide.

Add access to the printer that is connected to the arbitrarily labeled print server.

$ lpadmin -p printer-name -E \
-v ipp://print-server-IP-address/printers/printer-name-on-print-server

Example 19-1 Sending Public Print Jobs to an Unlabeled Printer

Files that are available to the general public are suitable for printing to an unlabeled printer. In this example, marketing writers need to produce documents that do not have labels printed on the top and bottom of the pages.

The security administrator assigns an unlabeled host type template to the Oracle Solaris print server. The template is described in How to Configure a Tunnel Across an Untrusted Network. The arbitrary label of the template is PUBLIC. The printer pr-nolabel1 is connected to this print server. Print jobs from users in a PUBLIC zone print on the pr-nolabel1 printer with no labels. Depending on the settings for the printer, the jobs might or might not have banner pages. The banner pages do not contain security information.

How to Enable Specific Users and Roles to Bypass Labeling Printed Output

To enable users and roles to print jobs without labels requires authorization by the Security Administrator and action on the part of the authorized user or role when submitting a print job.

Before You Begin

You must be in the Security Administrator role in the global zone.

Assign print authorizations to a user or role.
- To enable the user or role to remove labels from banner and trailer pages, assign the solaris.print.nobanner authorization.
```
$ usermod -A +solaris.print.nobanner username
```
```
$ rolemod -A +solaris.print.nobanner rolename
```
- To enable the user or role to remove labels from body pages, assign the solaris.print.unlabeled authorization.
```
$ usermod -A +solaris.print.unlabeled username
```
```
$ rolemod -A +solaris.print.unlabeled rolename
```
- To enable the user or role to remove all labels from printouts, assign both authorizations.
```
$ usermod -A +solaris.print.unlabeled,+solaris.print.nobanner username
```
```
$ rolemod -A +solaris.print.unlabeled,+solaris.print.nobanner rolename
```
Prepare to print unlabeled output.
Ensure that the printer is local.
For the user, that means that the user must be printing from a labeled zone that has a print server for that zone. A role can print from the global zone or a labeled zone.
To print unlabeled output, specify the options that remove the labels on the command line.
You must be authorized to print unlabeled output.
- To print without banners, use the job-sheets=none option.
```
$ lp -o job-sheets=none file
```
- To print without labels on body pages, use the nolabel option.
```
$ lp -o nolabels file
```
- To print without labels on the output, use both options.
```
$ lp -o job-sheets=none -o nolabels file
```

Skip Navigation Links
Exit Print View
	Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library