[patch] CUPS 1.2 SELinux policy changes...
Joe Nall
joe at nall.com
Mon Nov 21 19:08:34 UTC 2005
On Nov 21, 2005, at 11:57 AM, Michael Sweet wrote:
> Chad Hanson wrote:
>> I am positive there are customer requirements for this. The
>> example could be
>> multiple classified networks, instead of unclass/class as well.
>> This can
>> provide printer reduction in these cases with a multilevel print
>> server.
>
> Again, in my experience (having managed many DoD and other gov't
> contracts), this type of configuration just isn't allowed. There
> is typically a single "system high" classification level and all
> print jobs are labeled as such. Users must then mark each page in
> a document with a lower classification by hand. The CUPS classified
> printing support is actually modeled on specific DoD requirements...
Michael, in a non LSPP system environment your summary is correct.
In an LSPP system, since the label is bound to the document (file)
with some assurance, you can print real labels on documents. We spool
multilevel print jobs from our Compartmented Mode Workstations (B1
era MLS) with print banners that reflect the document classification
- not the network system high. Banner pages and markings at the top
and bottom of each page. Accredited in 5 different countries and
multiple domains :)
DoD is not the only set of US rules (DCID 6/3 vs DoD 8500) and other
nations have their own rules. If possible, I would certainly like to
see real multilevel printer support. Anything less will be a step
backwards for our users.
joe
More information about the fedora-selinux-list
mailing list