tl;dr
Create the following file:
# /etc/tmpfiles.d/somegroup_journal.conf
#Type Path Mode User Group Age Argument
a+ /run/log/journal - - - - d:group:somegroup:r-x
a+ /run/log/journal - - - - group:somegroup:r-x
a+ /run/log/journal/%m - - - - d:group:somegroup:r-x
a+ /run/log/journal/%m - - - - group:somegroup:r-x
a+ /run/log/journal/%m/*.journal* - - - - d:group:somegroup:r--
a+ /run/log/journal/%m/*.journal* - - - - group:somegroup:r--
How to figure it out:
man systemd-journald.service(8) has the following:
Additional users and groups may be granted access to journal files via file system access control lists (ACL). Distributions and administrators may choose to grant read access to all members of the "wheel" and "adm" system groups with a command such as the following:
# setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
While this looks like exactly what is needed, the man page example touches /var/log/journal, but journalctl's own access check looks at /run/log/journal first, as the following source from journalctl.c shows:
        if (laccess("/run/log/journal", F_OK) >= 0)
                dir = "/run/log/journal";
        else
                dir = "/var/log/journal";

        /* If we are in any of the groups listed in the journal ACLs,
         * then all is good, too. Let's enumerate all groups from the
         * default ACL of the directory, which generally should allow
         * access to most journal files too. */
        r = acl_search_groups(dir, &g);
/run is mounted as tmpfs, so an ACL set there by hand is lost at reboot; the following command would only work until the next boot:
# setfacl -Rnm g:somegroup:rx,d:g:somegroup:rx /run/log/journal/
To make the ACL persist, it has to be re-applied at every boot by whatever sets up /run/log/journal. Browsing a few more sources turns up tmpfiles.d/systemd.conf.m4:
z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 systemd-journal - -
m4_ifdef(`HAVE_ACL',`
a+ /run/log/journal/%m - - - - d:group:adm:r-x
a+ /run/log/journal/%m - - - - group:adm:r-x
a+ /run/log/journal/%m/*.journal* - - - - d:group:adm:r--
')'m4_dnl
This shows that the ACL rules belong in tmpfiles.d, and that systemd itself already grants the adm group read access this way. The m4-expanded version of the above file is installed locally as /usr/lib/tmpfiles.d/systemd.conf. Combining that example with man tmpfiles.d(5) gives the details needed for a working solution: a+ appends entries to the existing ACL instead of replacing it, %m expands to the machine ID, and a d: entry sets a default ACL, which only exists on directories and is what journal files created later (for example on rotation) inherit. The explicit entry on *.journal* only covers files that already exist when systemd-tmpfiles runs; the matching d: entry on that file pattern below is harmless but does nothing, since a default ACL cannot be set on a regular file.
Create the following file:
# /etc/tmpfiles.d/somegroup_journal.conf
#Type Path Mode User Group Age Argument
a+ /run/log/journal - - - - d:group:somegroup:r-x
a+ /run/log/journal - - - - group:somegroup:r-x
a+ /run/log/journal/%m - - - - d:group:somegroup:r-x
a+ /run/log/journal/%m - - - - group:somegroup:r-x
a+ /run/log/journal/%m/*.journal* - - - - d:group:somegroup:r--
a+ /run/log/journal/%m/*.journal* - - - - group:somegroup:r--
A quick test plus reboot confirms that this works!
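As an added example, not code from the page or from systemd: the script below parses tmpfiles.d lines of the kind used above, expands %m, and rewrites each entry into the compact setfacl form quoted from systemd-journald.service(8), so the two ACL notations on this page can be compared and a live system checked against them with getfacl. It also reports d: entries aimed at a file pattern, which never take effect. The config text is the page's own, embedded as constructed input; the machine ID, the function names and the is_dir predicate are assumptions for illustration.

```python
"""Translate tmpfiles.d 'a+' ACL lines into the setfacl form shown in
systemd-journald.service(8). Added example, not part of systemd or the page."""
import re

# Constructed sample input: the page's /etc/tmpfiles.d/somegroup_journal.conf.
SAMPLE_CONF = """\
# /etc/tmpfiles.d/somegroup_journal.conf
#Type Path Mode User Group Age Argument
a+ /run/log/journal - - - - d:group:somegroup:r-x
a+ /run/log/journal - - - - group:somegroup:r-x
a+ /run/log/journal/%m - - - - d:group:somegroup:r-x
a+ /run/log/journal/%m - - - - group:somegroup:r-x
a+ /run/log/journal/%m/*.journal* - - - - d:group:somegroup:r--
a+ /run/log/journal/%m/*.journal* - - - - group:somegroup:r--
"""

# One ACL entry in setfacl syntax: optional default prefix, tag, qualifier,
# permissions. Both the long spelling (group:adm:r-x) and the short one
# (g:adm:rx) are accepted, as setfacl and systemd-tmpfiles accept both.
ACL_ENTRY = re.compile(
    r"^(?P<default>d:|default:)?"
    r"(?P<tag>u|user|g|group|o|other|m|mask):"
    r"(?P<name>[^:]*):"
    r"(?P<perms>[rwx-]{0,3})$"
)
SHORT_TAG = {"user": "u", "group": "g", "other": "o", "mask": "m"}


class AclRule:
    def __init__(self, path, default, tag, name, perms):
        self.path = path          # target path with %m already expanded
        self.default = default    # True for a default (d:) entry
        self.tag = tag            # u, g, o or m
        self.name = name          # user/group name, "" for other and mask
        self.perms = perms        # compact form, e.g. "rx"

    def spec(self):
        """The entry in the compact setfacl form used by the man page example."""
        return ("d:" if self.default else "") + f"{self.tag}:{self.name}:{self.perms}"


def parse_conf(text, machine_id):
    """Parse the a+ lines of a tmpfiles.d file into AclRule objects.

    machine_id is an assumption here; on a real host it is /etc/machine-id.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # Type Path Mode User Group Age Argument
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        typ, path, _mode, _user, _group, _age, arg = fields
        if typ != "a+":
            # Plain "a" replaces the existing ACL; only the append form the
            # page relies on is handled here.
            raise ValueError(f"line {lineno}: unsupported type {typ!r}")
        path = path.replace("%m", machine_id)
        if "%" in path:
            raise ValueError(f"line {lineno}: unhandled specifier in {path!r}")
        # The argument may hold several comma-separated entries, like setfacl -m.
        for entry in arg.split(","):
            m = ACL_ENTRY.match(entry)
            if not m:
                raise ValueError(f"line {lineno}: bad ACL entry {entry!r}")
            tag = SHORT_TAG.get(m["tag"], m["tag"])
            perms = m["perms"].replace("-", "")
            rules.append(AclRule(path, bool(m["default"]), tag, m["name"], perms))
    return rules


def setfacl_commands(rules):
    """One 'setfacl -m spec,spec path' per target path, the shape of the
    command quoted from systemd-journald.service(8)."""
    by_path = {}
    for r in rules:
        by_path.setdefault(r.path, []).append(r.spec())
    return [["setfacl", "-m", ",".join(specs), path] for path, specs in by_path.items()]


def useless_default_entries(rules, is_dir):
    """Default ACLs exist only on directories (setfacl refuses them on regular
    files), so a d: entry aimed at a file pattern never takes effect. is_dir is
    caller-supplied so this runs without touching /run."""
    return [r for r in rules if r.default and not is_dir(r.path)]


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF, "0123456789abcdef0123456789abcdef")  # assumed ID
    for cmd in setfacl_commands(rules):
        print(" ".join(cmd))
    for r in useless_default_entries(rules, lambda p: ".journal" not in p):
        print(f"no effect: {r.spec()} on {r.path}")
```

Running it prints one setfacl -m command per path. To check a live system rather than the file, apply it without rebooting with systemd-tmpfiles --create somegroup_journal.conf (the same thing systemd-tmpfiles-setup.service does at boot) and compare the output of getfacl /run/log/journal and getfacl /run/log/journal/$(cat /etc/machine-id) against the printed specs; a member of somegroup should then be able to run journalctl without the "not seeing messages from other users" hint.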