author Mike Sullivan <Mike.Sullivan@Oracle.COM>
Mon, 11 Mar 2013 10:38:09 -0700
changeset 2520 ceec631e74d1
parent 2389 7984e0fd8655
permissions -rw-r--r--
Close of build 10.

# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or
# See the License for the specific language governing permissions
# and limitations under the License.
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

The following steps should be followed for setting up the test environment
for Trusted Solaris:

1. Install trusted packages
	# pkg install system/trusted
	# pkg install system/trusted/trusted-global-zone
	# pkg install trusted-extensions

2. Enable labeld service
	# svcadm enable -s labeld

3. Verify that the service is enabled.
	# svcs -x labeld
	svc:/system/labeld:default (Trusted Extensions)
	 State: online since weekday month date hour:minute:second year
	   See: labeld(1M)
	Impact: None.

4. This step is required in case you want to install your own
   label_encodings file.

   To test labels greater than 80 characters, you will have to use
   large labels_encodings file.
   i)   Copy the label_encodings file to the disk.
   ii)  Check the syntax of the file and make it the active
        label_encodings file.
     a) Run the chk_encodings command.
	# /usr/sbin/chk_encodings /full-pathname-of-label-encodings-file
     b) Make the file the active label_encodings file.
	# cp /full-pathname-of-label-encodings-file \
	# cd /etc/security/tsol
	# cp label_encodings label_encodings.tx.orig
	# cp label_encodings
   Your label_encodings file must pass the Check Encodings test before
   you continue.

5. Reboot the system.

6. Once the system is up after reboot, create labeled zones.
   Labeled zones can be created using '/usr/sbin/txzonemgr' command.
   For details refer to 'txzonemgr(1M)' manpage.

   Documentation on 'Printing in Trusted extensions environment' can be found at:


All the following test cases should be run in Trusted Solaris environment.

1. Run printing test suite for CUPS.
   Details on printing test-suite can be found at:

2. Printing from labeled zones to network printer directly.
3. Printing from labeled zones to network printer via Global zone.
4. Printing from global zone to directly attached USB printer.
5. Printing from global zone to network printer.
6. Print in different orientations.  (Should be tested for both Image & Text files)
   The -o landscape option will rotate the page 90 degrees to print in landscape 
	lp -o landscape filename
	lpr -o landscape filename

   The -o orientation-requested=N option rotates the page depending on the value of N:

	-o orientation-requested=3 - portrait orientation (no rotation)
	-o orientation-requested=4 - landscape orientation (90 degrees)
	-o orientation-requested=5 - reverse landscape or seascape orientation (270 degrees)
	-o orientation-requested=6 - reverse portrait or upside-down orientation
				     (180 degrees)

   -o number-up=2
   -o number-up=6
   this should be landscape by default

   rest number-up should be portrait

   Mix -o number-up & orientation-requested.

7. Printing On Both Sides of the Paper

	-o sides=two-sided-short-edge
	-o sides=two-sided-long-edge
   These options will enable two-sided printing on the printer if the printer supports it.

   '-o sides=two-sided-short-edge' option is suitable for landscape pages,
   while '-o sides=two-sided-long-edge' option is suitable for portrait pages:

	lp -o sides=two-sided-short-edge filename
	lp -o sides=two-sided-long-edge filename
	lpr -o sides=two-sided-long-edge filename

   The default is to print single-sided:

	lp -o sides=one-sided filename
	lpr -o sides=one-sided filename

8. Labels greater than 80 characters. 
   Labels greater than 80 characters would be truncated at the right by '->'

9. Printing to a printer in same subnet.
   If the printer is in the same subnet, then add it using cups web interface
   at localhost:631

10. Printing to a printer in different subnet.
   You should be able to ping the printer ip address.

   Adding the printer:
	lpadmin -p printer_name -E -v socket://<ip-addr-of-printer> -m <model>

   You can find your printer model using
	lpinfo -m | grep -i <model name>

	model example: "foomatic-db-ppds/Ricoh/PS/Ricoh-Aficio_MP_5000_PS.ppd.gz"

	lpadmin -p printer -E -v socket:// -m foomatic-db-ppds/Ricoh/PS/Ricoh-Aficio_MP_5000_PS.ppd.gz

11. Printing without banner and trailer pages and also without page-labels.

	-o nolabels
   Does not print job labels

	-o job-sheets=none
	-o job-sheets=none, none
	-o job-sheets=none,<any-label>
   The above three work same. No banner and trailer pages get printed.

	-o job-sheets=<any-label>,none
	-o job-sheets=<any-label>,<any-label>
   The above two work same. Both banner and trailer pages get printed.

	-o job-sheets=none -o nolabels
   No banner and trailer page and no job-labels

12. Test following authorizations:

   Following command can be used to list the user authorizations:
	$ auths <user>

   For eg:
   Printing from a labeled zone as root.

	$ lp -d public -o job-sheets=none,none /etc/release
	request id is public-19 (1 file(s))

   This request is submitted to the server as 'remroot'. In this case both
   banner and trailer pages get printed, as 'remroot' does not have the
   solaris.print.nobanner authorization.

	# lp -d test /etc/release
	request id is test-313 (1 file(s))

	# lpstat test
	test-313                root              3072   Fri Mar 30 07:42:58 2012

	---> Login as 'remroot' <---
	# su - remroot
	Oracle Corporation      SunOS 5.11      11.0    November 2011

	---> 'remroot' doesn't have solaris.print.list authorization so it cannot list
              the jobs for printer test <---
	$ lpstat test

	$ lp -d test /etc/release
	request id is test-314 (1 file(s))

	---> For 'remroot', 'lpstat' lists only the jobs requested by 'remroot' <---
	$ lpstat test
	test-314                remroot           3072   Fri Mar 30 07:43:44 2012

	$ logout

	---> For 'root', 'lpstat' lists all the jobs <---
	# lpstat test
	test-313                root              3072   Fri Mar 30 07:42:58 2012
	test-314                remroot           3072   Fri Mar 30 07:43:44 2012

	---> Give remroot solaris.print.list authorization <---
	# usermod -A solaris.print.list remroot
	Found user in files repository.

	---> Login as 'remroot'
	[email protected]:/var/log/cups# su - remroot
	Oracle Corporation      SunOS 5.11      11.0    November 2011

	---> Now for 'root', 'lpstat' lists all the jobs <---
	-bash-4.1$ lpstat test
	test-313                root              3072   Fri Mar 30 07:42:58 2012
	test-314                remroot           3072   Fri Mar 30 07:43:44 2012

13. Printing to a printer which is outside the labeled range.
   E.g: Printing from a 'Public Zone' to a printer labeled 'Confidential'

	$ lp -d hp /etc/release
	lp: label violation.

14. Cascade printing
   Print from a system which is accessible from local zone, to a printer which
   is accessible to the GZ only.
   Print request goes from the system to LZ to GZ to Printer.

   Note: For cascading to work printer must be shared on both LZ and GZ.

   Printer can be shared from command line as:
	$ lpadmin -p <printer> -o printer-is-shared=true