Story
Resolution: Unresolved
Normal
rhel-9.0.0
Low
rhel-swm
New Test Coverage
Feature
Proposed
x86_64
What were you trying to do that didn't work?
I am trying to set an ACL for a user on the file /var/log/dnf.log. The log rotation of dnf.log is managed by /etc/dnf/dnf.conf, and there is no option to preserve the ACL for dnf.log in /etc/dnf/dnf.conf.
Test:
1. Added ACL to dnf.log:
# setfacl -Rm u:cribl:r-x,g:cribl:r-x /var/log/dnf.log
[root@localhost ~]# getfacl /var/log/dnf.log
getfacl: Removing leading '/' from absolute path names
# file: var/log/dnf.log
# owner: root
# group: root
user::rw-
user:cribl:r-x
group::r--
group:cribl:r-x
mask::r-x
other::r--
2. Installed a package to generate dnf logs, so that the file will be rotated.
3. File got rotated:
# ll /var/log/ | grep dnf
-rw-r--r--. 1 root root 2440 Oct 16 05:37 dnf.librepo.log
-rw-r--r--. 1 root root 44211 Oct 16 05:09 dnf.librepo.log.1
-rw-r-xr--. 1 root root 4023 Oct 16 05:38 dnf.log <--- New file does not have the ACL.
-rw-r-xr--+ 1 root root 10206 Oct 16 05:37 dnf.log.1
-rw-r--r--. 1 root root 122610 Oct 16 05:09 dnf.log.2
-rw-r--r--. 1 root root 5030 Oct 16 05:37 dnf.rpm.log
3. Stopped logrotation in dnf.conf file:
[root@localhost ~]# cat /etc/dnf/dnf.conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
log_rotate=0
log_size=0
4. Added logrotation configuration:
# cat /etc/logrotate.d/dnf
/var/log/hawkey.log
/var/log/dnf.log {
    missingok
    notifempty
    rotate 4
    weekly
    create
}
4. Again set acl:
[root@localhost ~]# setfacl -Rm u:cribl:r-x,g:cribl:r-x /var/log/dnf.log
[root@localhost ~]# getfacl /var/log/dnf.log
getfacl: Removing leading '/' from absolute path names
# file: var/log/dnf.log
# owner: root
# group: root
user::rw-
user:cribl:r-x
group::r-x
group:cribl:r-x
mask::r-x
other::r--
5. Logrotate forcefully:
# logrotate -f /etc/logrotate.d/dnf <--Logrotate forcefully
# ll /var/log/ | grep dnf
-rw-r--r--. 1 root root 2440 Oct 16 05:37 dnf.librepo.log
-rw-r--r--. 1 root root 44211 Oct 16 05:09 dnf.librepo.log.1
-rw-r-xr--+ 1 root root 0 Oct 16 05:41 dnf.log <---Newly generated file after rotation has the ACL
-rw-r-xr--+ 1 root root 4023 Oct 16 05:38 dnf.log.1
-rw-r-xr--+ 1 root root 10206 Oct 16 05:37 dnf.log.2
-rw-r--r--. 1 root root 122610 Oct 16 05:09 dnf.log.3
-rw-r--r--. 1 root root 5030 Oct 16 05:37 dnf.rpm.log
# getfacl /var/log/dnf.log
getfacl: Removing leading '/' from absolute path names
# file: var/log/dnf.log
# owner: root
# group: root
user::rw-
user:cribl:r-x
group::r-x
group:cribl:r-x
mask::r-x
other::r--
What is the impact of this issue to you?
Customer needs to give read and execute permission for the cribl user to all files under /var/log/ to make cribl compliant.
Please provide the package NVR for which the bug is seen:
dnf-data-4.7.0-20.el8.noarch
How reproducible is this bug?:
It is reproducible.
Is cloned by: RHEL-123670 [RHEL 10] Preserve acl of file /var/log/dnf.log across logrotation
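
A check for the ACL loss shown in the reproduction above, as an added example that is not part of the original report and is not dnf or logrotate code: it compares getfacl dumps of the rotated file and its successor and prints the named entries that disappeared. The function names and the sample dumps are constructed for illustration.

```shell
# Added example, not from the report: find named ACL entries that a log file
# lost across rotation by comparing two getfacl dumps.

# Read getfacl output on stdin; print only named entries ("user:cribl:r-x"),
# sorted. Comments, "#effective:" suffixes and base entries are dropped.
named_acl_entries() {
    sed -e 's/[[:space:]]*#.*$//' |
        grep -E '^(user|group):[^:]+:[rwx-]{3}$' | sort -u
}

# lost_acl_entries OLD_DUMP NEW_DUMP
# Print entries present in OLD_DUMP but absent from NEW_DUMP.
# Returns 0 when nothing was lost, 1 otherwise.
lost_acl_entries() {
    old=$(named_acl_entries < "$1")
    new=$(named_acl_entries < "$2")
    lost=$(printf '%s\n' "$old" | grep -Fxv -e "$new") || true
    [ -z "$lost" ] && return 0
    printf '%s\n' "$lost"
    return 1
}

# check_rotated_log LOG: compare LOG.1 (previous generation) with LOG on a
# live system; needs getfacl. Returns 2 if either file cannot be read.
check_rotated_log() {
    tmp=$(mktemp -d) || return 2
    rc=2
    getfacl -p "$1.1" > "$tmp/old" 2>/dev/null &&
        getfacl -p "$1" > "$tmp/new" 2>/dev/null &&
        { rc=0; lost_acl_entries "$tmp/old" "$tmp/new" || rc=$?; }
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample mirroring the report: dnf.log.1 still carries the cribl
# entries, the newly created dnf.log has none.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# file: var/log/dnf.log.1' user::rw- user:cribl:r-x \
        group::r-- group:cribl:r-x mask::r-x other::r-- > "$d/old"
    printf '%s\n' '# file: var/log/dnf.log' user::rw- group::r-- other::r-- > "$d/new"
    rc=0; lost_acl_entries "$d/old" "$d/new" || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_rotated_log "$1"; else demo || true; fi
```

Run with a log path such as /var/log/dnf.log after a rotation; with no argument it runs the constructed sample.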