Bug 1211499 - "wheel" can't read the system journal.
Status: CLOSED DUPLICATE of bug 1101226
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: systemd-maint
QA Contact: qe-baseos-daemons
Blocks: 1143927
Reported: 2015-04-14 07:27 UTC by Marius Vollmer
Modified: 2015-04-17 12:54 UTC (History)
Doc Type: Bug Fix
Last Closed: 2015-04-17 08:44:46 UTC

Description Marius Vollmer 2015-04-14 07:27:44 UTC
Description of problem:

Unlike on Fedora, members of the "wheel" group can't read the system journal directly.  They need to use sudo or pkexec.

Version-Release number of selected component (if applicable):

systemd-208-20.el7_1.2.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Log in as a user in the "wheel" group:
   [admin@localhost ~]$ id
   uid=1000(admin) gid=1000(admin) groups=1000(admin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

2. Try to read the system journal:
   [admin@localhost ~]$ journalctl --system
   No journal files were found.

Actual results:

No journal files are found.

Expected results:

The journal is shown, just as for root.

Additional info:

Members of the "wheel" group can directly read the system journal on Fedora.  I primarily file this bug to understand why RHEL is different, and to confirm that this is indeed on purpose.

Comment 2 Michal Sekletar 2015-04-14 08:17:00 UTC
IIRC this works with volatile journal data in /run, thus I assume you are interested in persistent journal setup.

The access list granting read access on /var/log/journal to members of the wheel group is adjusted at package install time. In RHEL there is no /var/log/journal by default, so after the user creates it, they have to set up the access list on the directory manually.

Comment 3 Marius Vollmer 2015-04-16 08:00:27 UTC
(In reply to Michal Sekletar from comment #2)
> IIRC this works with volatile journal data in /run, thus I assume you are
> interested in persistent journal setup.

No, "wheel" can not read the journal files in /run either.  The steps above were done without /var/log/journal, by accident.

I think this is good, actually, because it means that the straightforward way to enable persistent journals, a simple mkdir /var/log/journal, will give consistent results.

> Access list granting read access on /var/log/journal to members of wheel
> group is adjusted at package install time.

So the access rights might change when systemd is updated or reinstalled?

I did

 # mkdir /var/log/journal
 # reboot
 # yum reinstall systemd

and "wheel" still can't read the system journal.


Your reply now makes me think that the actual behaviour here is more by accident than by design, but I must be wrong, no?

Comment 4 Michal Sekletar 2015-04-17 08:44:46 UTC
Too many systemd versions to keep track of what's where. Anyway, I think I can close this as dupe of #1101226.

As for RHEL-7.2, we will rebase systemd to systemd-219. The package is already in the works and should be available for testing sometime next week. And there we have a tmpfiles.d snippet which takes care of setting appropriate ACLs on both /run/log/journal and /var/log/journal.

And btw, in case you guys are interested we can ping you when RHEL systemd-219 build is available, so you could give it a try and test it in Cockpit setup. Note that package will be quite different from the one in Fedora.

*** This bug has been marked as a duplicate of bug 1101226 ***
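
To check on a given host what the comments above are debating, the following added example (not part of the bug report or of systemd) classifies a group's effective read access from `getfacl` output, including the case where the ACL mask cancels a `group:wheel:r-x` entry. The function name and the sample ACL listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a group's read access
# from getfacl output, e.g.  getfacl /var/log/journal | group_read_status wheel
# Verdict per scope: read | masked (entry present, mask removes r) |
#                    denied (entry lacks r) | missing (no entry for the group)
group_read_status() {
    awk -v grp="$1" '
        function verdict(s) {
            if (!(s in perm))                   return "missing"
            if (perm[s] !~ /^r/)                return "denied"
            if ((s in mask) && mask[s] !~ /^r/) return "masked"
            return "read"
        }
        /^#/ || /^[ \t]*$/ { next }             # header comments, blank lines
        {
            sub(/[ \t]*#.*$/, "")               # strip "#effective:..." notes
            scope = "access"
            if (sub(/^default:/, "")) scope = "default"
            split($0, f, ":")                   # tag:qualifier:perms
            if (f[1] == "mask")                 mask[scope] = f[3]
            if (f[1] == "group" && f[2] == grp) perm[scope] = f[3]
        }
        END { printf "access=%s default=%s\n", verdict("access"), verdict("default") }
    '
}

# Constructed sample: directory made with a plain mkdir, no ACL entries at all.
sample_plain() { cat <<'EOF'
# file: var/log/journal
user::rwx
group::r-x
other::r-x
EOF
}

# Constructed sample: wheel entry present, but the access mask was cleared
# (a chmod g-rwx on a path that has an ACL changes the mask, not the entry).
sample_masked() { cat <<'EOF'
# file: var/log/journal
user::rwx
group::r-x            #effective:---
group:wheel:r-x       #effective:---
mask::---
other::---
default:group:wheel:r-x
default:mask::r-x
EOF
}
```

The `default` verdict matters for persistent journals: only a default ACL on the directory is inherited by journal files created later.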

Comment 5 Marius Vollmer 2015-04-17 12:54:42 UTC
(In reply to Michal Sekletar from comment #4)
> Too many systemd versions to keep track of what's where. Anyway, I think I
> can close this as dupe of #1101226.

Yes, thanks!
 
> As for RHEL-7.2, we will rebase systemd to systemd-219. The package is already
> in the works and should be available for testing sometime next week. And there
> we have a tmpfiles.d snippet which takes care of setting appropriate ACLs on
> both /run/log/journal and /var/log/journal.

Very good.
 
> And btw, in case you guys are interested we can ping you when RHEL
> systemd-219 build is available, so you could give it a try and test it in
> Cockpit setup. Note that package will be quite different from the one in
> Fedora.

Yes, please.
