
nixos/systemd: set r-x group permissions on /var/log/journal #22503

Closed

Conversation

nlewo (Member) commented Feb 6, 2017

This allows services such as systemd-journal-gateway to access the
systemd journal.

Closes #22288

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@mention-bot commented

@nlewo, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @ericsagnes and @globin to be potential reviewers.

abbradar (Member) commented Feb 7, 2017

Notice the comment. I think it may be broken because we remove several dependencies of systemd-tmpfiles to fix something inside NixOps. See also #4825.

abbradar (Member) commented Feb 7, 2017

BTW,

drwxr-sr-x+ 1 root systemd-journal      64 Sep 11  2015 journal

So indeed, it seems that tmpfiles has failed to set permissions up correctly for you.

nlewo (Member, Author) commented Feb 7, 2017

@abbradar I think my problem is not related to the issue you mentioned. Even once systemd-tmpfiles has been executed, I still have the issue.

The problem comes from ACLs. getfacl /var/log/journal shows that the ACL for group is empty. Do you confirm this behavior?

In the following I just provide some elements, but I don't know yet where the problem comes from (our side or systemd side)!

more /etc/tmpfiles.d/* | grep "/var/log/journal " | cat -n
     1	z /var/log/journal 2755 root systemd-journal - -
     2	a+ /var/log/journal    - - - - d:group:adm:r-x,d:group:wheel:r-x
     3	a+ /var/log/journal    - - - - group:adm:r-x,group:wheel:r-x

It seems to me line 1 is executed after lines 2 and 3. In this case, the ACL for group is inherited from chmod permissions...

abbradar (Member) commented Feb 7, 2017

My ACL seems to be correct:

 ~  getfacl /var/log/journal 
getfacl: Removing leading '/' from absolute path names
# file: var/log/journal
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:wheel:r-x
group:adm:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:wheel:r-x
default:group:adm:r-x
default:mask::r-x
default:other::r-x

So systemd-tmpfiles failed to set ACL for you for some reason. Anyway, if even after rerun of systemd-tmpfiles you see no change it seems that the issue is unrelated.
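Added example (not part of this thread, nor NixOS or systemd code): a small Python checker that parses getfacl output like the dump above and reports whether adm and wheel actually get r-x once the ACL mask is applied. This is the check worth running before relying on group access for something like systemd-journal-gateway, because on Linux a chmod on a directory that carries an extended ACL rewrites the mask entry rather than the named group entries, so the named entries can look right while the effective permission is narrower. The three inputs are constructed: the first is the healthy dump from this comment, the other two are hypothetical failure shapes (named entries never applied, as reported earlier in the thread; and a mask narrowed by a later chmod). All function names are assumptions of this example.

```python
"""Audit a getfacl(1) dump: do the named groups really get r-x after masking?"""
import re

# Constructed sample: the healthy getfacl output pasted in this thread.
HEALTHY = """\
# file: var/log/journal
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:wheel:r-x
group:adm:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:wheel:r-x
default:group:adm:r-x
default:mask::r-x
default:other::r-x
"""

# Constructed failure case (hypothetical): the a+ entries were never applied,
# so only the classic owner/group/other bits exist.
MISSING = """\
# file: var/log/journal
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
other::r-x
"""

# Constructed failure case (hypothetical): entries exist, but a later chmod
# rewrote the mask, so the named groups lose the search (x) bit.
NARROW_MASK = """\
# file: var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r--
group:wheel:r-x
group:adm:r-x
mask::r--
other::---
"""

ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")


def parse_getfacl(text):
    """Return {'access': {(tag, qualifier): perms}, 'default': {...}}.
    getfacl's trailing '#effective:...' annotations are dropped; effective
    permissions are recomputed below from the mask."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        scope = "default" if m.group(1) else "access"
        acl[scope][(m.group(2), m.group(3))] = m.group(4)
    return acl


def _and_perms(a, b):
    """Bitwise AND of two 'rwx'-style strings."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def effective_group_perms(text, group, scope="access"):
    """Effective perms for a named group, or None if it has no entry.
    POSIX ACL rule: named user/group (and owning group) entries are limited
    by the mask entry when one is present."""
    entries = parse_getfacl(text)[scope]
    perms = entries.get(("group", group))
    if perms is None:
        return None
    mask = entries.get(("mask", ""))
    return _and_perms(perms, mask) if mask else perms


def audit_journal_acl(text, groups=("adm", "wheel"), need="r-x"):
    """Problems found, in both the access and the default (inherited) ACL.
    An empty list means every listed group can read and traverse the
    directory and will be able to do so for files created under it."""
    problems = []
    for scope in ("access", "default"):
        for g in groups:
            eff = effective_group_perms(text, g, scope)
            if eff is None:
                problems.append(f"{scope}: no ACL entry for group {g}")
            elif _and_perms(eff, need) != need:
                problems.append(f"{scope}: group {g} effective {eff}, need {need}")
    return problems


if __name__ == "__main__":
    for name, dump in (("healthy", HEALTHY), ("missing", MISSING), ("narrow", NARROW_MASK)):
        print(name, audit_journal_acl(dump) or "OK")
```

On a real system, feed it `getfacl /var/log/journal` output; any line in the report means a service running as a member of adm or wheel will be denied regardless of what the tmpfiles rules say.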

nlewo (Member, Author) commented Feb 7, 2017

I opened the issue systemd/systemd#5264 to see what the systemd guys think about my problem... FYI, there is also a more detailed description of this issue there.

Otherwise, Arch Linux does a chmod 2755 on /var/log/journal (see https://git.archlinux.org/svntogit/packages.git/tree/systemd/trunk/PKGBUILD#n192).
So, maybe we could do a chmod 750 to fix this issue? ;)

@abbradar did you try a fresh installation of systemd >= 231? Because I didn't have this problem with systemd 217.

This allows services such as systemd-journal-gateway to access the
systemd journal.

Closes NixOS#22288
nlewo (Member, Author) commented Feb 8, 2017

@abbradar A fix has been merged in systemd and will be available in systemd v233.

I then added a FIXME comment in our systemd module that says we could remove rights when we use systemd v233.

abbradar (Member) commented Feb 8, 2017

@nlewo Thank you very much for your investigation! Pushed that as 9d30099 (fixed comment indentation and clarified it a bit).

Hopefully when #4825 is fixed we can just have systemd-tmpfiles do the right thing without creating anything by ourselves.

@abbradar abbradar closed this Feb 8, 2017