Bug 1211499

Summary: "wheel" can't read the system journal.
Product: Red Hat Enterprise Linux 7
Reporter: Marius Vollmer <mvollmer>
Component: systemd
Assignee: systemd-maint
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.1
CC: msekleta, systemd-maint-list
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-04-17 08:44:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1143927

Description Marius Vollmer 2015-04-14 07:27:44 UTC
Description of problem:

Unlike on Fedora, members of the "wheel" group can't read the system journal directly.  They need to use sudo or pkexec.

Version-Release number of selected component (if applicable):

systemd-208-20.el7_1.2.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Log in as a user in the "wheel" group:
   [admin@localhost ~]$ id
   uid=1000(admin) gid=1000(admin) groups=1000(admin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

2. Try to read the system journal:
   [admin@localhost ~]$ journalctl --system
   No journal files were found.

Actual results:

No journal files are found.

Expected results:

The journal is shown, just as for root.

Additional info:

Members of the "wheel" group can directly read the system journal on Fedora.  I primarily file this bug to understand why RHEL is different, and to confirm that this is indeed on purpose.

Comment 2 Michal Sekletar 2015-04-14 08:17:00 UTC
IIRC this works with volatile journal data in /run, thus I assume you are interested in persistent journal setup.

The access list granting read access on /var/log/journal to members of the wheel group is adjusted at package install time. In RHEL there is no /var/log/journal by default, so after the user creates it, they have to set up the access list on the directory manually.

Comment 3 Marius Vollmer 2015-04-16 08:00:27 UTC
(In reply to Michal Sekletar from comment #2)
> IIRC this works with volatile journal data in /run, thus I assume you are
> interested in persistent journal setup.

No, "wheel" can not read the journal files in /run either.  The steps above were done without /var/log/journal, by accident.

I think this is good, actually, because it means that the straightforward way to enable persistent journals, a simple mkdir /var/log/journal, will give consistent results.

> Access list granting read access on /var/log/journal to members of wheel
> group is adjusted at package install time.

So the access rights might change when systemd is updated or reinstalled?

I did

 # mkdir /var/log/journal
 # reboot
 # yum reinstall systemd

and "wheel" still can't read the system journal.


Your reply now makes me think that the actual behaviour here is more by accident than by design, but I must be wrong, no?

Comment 4 Michal Sekletar 2015-04-17 08:44:46 UTC
Too many systemd versions to keep track of what's where. Anyway, I think I can close this as a dupe of #1101226.

As for RHEL-7.2, we will rebase systemd to systemd-219. The package is already in the works and should be available for testing sometime next week. And there we have a tmpfiles.d snippet which takes care of setting appropriate ACLs on both /run/log/journal and /var/log/journal.

And btw, in case you guys are interested, we can ping you when the RHEL systemd-219 build is available, so you could give it a try and test it in a Cockpit setup. Note that the package will be quite different from the one in Fedora.

*** This bug has been marked as a duplicate of bug 1101226 ***

Comment 5 Marius Vollmer 2015-04-17 12:54:42 UTC
(In reply to Michal Sekletar from comment #4)
> Too many systemd version to keep track of what's where. Anyway, I think I
> can close this as dupe of #1101226. 

Yes, thanks!
 
> As for RHEL-7.2, we will rebase systemd to systemd-219. Package is already
> in works and should be available for testing sometime next week. And there
> we have tmpfiles.d snippet which takes care of setting appropriate ACLs on
> both /run/log/journal and /var/log/journal.

Very good.
 
> And btw, in case you guys are interested we can ping you when RHEL
> systemd-219 build is available, so you could give it a try and test it in
> Cockpit setup. Note that package will be quite different from the one in
> Fedora.

Yes, please.
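
An added example, not part of the bug report or of systemd: a shell check for the ACL state discussed in comments 2 and 4. It classifies `getfacl` output for a journal directory by whether a group has an effective read/traverse entry and a default entry that newly created journal files inherit. The function names and the sample ACL listings are constructed for illustration.

```shell
# Added example: classify getfacl output for a journal directory.
# Live use as root: getfacl -p /var/log/journal | journal_acl_status wheel
# A typical fix: setfacl -Rnm g:wheel:rx,d:g:wheel:rx /var/log/journal
# acl_perms SCOPE GROUP: print GROUP's effective rwx triple from getfacl text on stdin.
# SCOPE is "access" (the directory itself) or "default" (what new files inherit).
acl_perms() {
    awk -v scope="$1" -v g="$2" '
        /^#/ || /^$/ { next }
        {
            line = $0
            is_def = sub(/^default:/, "", line)
            if ((scope == "default") != (is_def == 1)) next
            n = split(line, f, ":")
            if (f[1] != "group" || f[2] != g) next
            # getfacl appends "#effective:xyz" when the mask trims an entry
            perms = (n >= 4 && f[3] ~ /#effective/) ? f[4] : f[3]
            print substr(perms, 1, 3); exit
        }'
}

# journal_acl_status GROUP: prints "ok", "no-default" or "no-access".
journal_acl_status() {
    acl=$(cat)
    access=$(printf '%s\n' "$acl" | acl_perms access "$1")
    dflt=$(printf '%s\n' "$acl" | acl_perms default "$1")
    case "$access" in r?x) ;; *) echo "no-access"; return 0 ;; esac
    case "$dflt" in r?x) echo "ok" ;; *) echo "no-default" ;; esac
}

# Constructed samples (not captured from a real host).
BARE_MKDIR='user::rwx
group::r-x
other::r-x'
WITH_ACL='# file: /var/log/journal
user::rwx
group::r-x
group:wheel:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x'
MASKED='group:wheel:r-x    #effective:---
mask::---'
for s in "$BARE_MKDIR" "$WITH_ACL" "$MASKED"; do
    printf '%s\n' "$s" | journal_acl_status wheel
done
```

The same check applies to /run/log/journal for the volatile journal. A result of "no-default" means the directory is readable now but journal files created later will not inherit the group entry.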