tmpfiles: use ACL magic on journal directories

README

@@ -178,14 +178,9 @@ USERS AND GROUPS:
         During runtime, the journal daemon requires the
         "systemd-journal" system group to exist. New journal files will
         be readable by this group (but not writable), which may be used
-        to grant specific users read access.
-
-        It is also recommended to grant read access to all journal
-        files to the system groups "wheel" and "adm" with a command
-        like the following in the post installation script of the
-        package:
-
-        # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+        to grant specific users read access. In addition, system
+        groups "wheel" and "adm" will be given read-only access to
+        journal files using systemd-tmpfiles.service.
 
         The journal gateway daemon requires the
         "systemd-journal-gateway" system user and group to

configure.ac

@@ -666,6 +666,7 @@ if test "x${have_acl}" != xno ; then
         if test "x$have_acl" = xyes ; then
                 ACL_LIBS="-lacl"
                 AC_DEFINE(HAVE_ACL, 1, [ACL available])
+                M4_DEFINES="$M4_DEFINES -DHAVE_ACL"
         else
                 have_acl=no
         fi

tmpfiles.d/systemd.conf.m4

@@ -26,9 +26,17 @@ d /run/log 0755 root root -
 
 z /run/log/journal 2755 root systemd-journal - -
 Z /run/log/journal/%m ~2750 root systemd-journal - -
+m4_ifdef(`HAVE_ACL',``
+a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
+A+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+'')m4_dnl
 
 z /var/log/journal 2755 root systemd-journal - -
 z /var/log/journal/%m 2755 root systemd-journal - -
+m4_ifdef(`HAVE_ACL',``
+a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
+A+ /var/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+'')m4_dnl
 
 d /var/lib/systemd 0755 root root -
 d /var/lib/systemd/coredump 0755 root root 3d