centos7 – Why do custom rsyslog log file permissions come up as all question marks?

This is infuriating me. I have a basic rsyslog.d customization to write a dedicated log file for a service, but the file ownership is all ??? when I try to read it as a non-root user. I feel it’s a mystery worth asking SF.

Here’s my rsyslog.d:

$template BlackXmlTransfer,"/var/log/sphyrna/black-xml.log"
:programname, startswith, "black-xml." ?BlackXmlTransfer

I restart rsyslogd and try to check the log file. Permission denied as a user, but sudo is ok. Note the file permissions wouldn’t allow the user to read the file anyways.

$ ls -al /var/log/sphyrna
ls: cannot open directory /var/log/sphyrna: Permission denied

$ sudo ls -al /var/log/sphyrna
total 8
drwx------. 2 root root   27 Oct 30 16:37 .
drwxr-xr-x. 9 root root 4096 Oct 30 16:37 ..
-rwx------. 1 root root  267 Oct 30 16:37 black-xml.log

So I update my rsyslog.d with dir and file create modes:

$DirCreateMode 0744
$FileCreateMode 0744

I stop rsyslog, delete the log directory and files, start and no change in permissions:

$ sudo ls -al /var/log/sphyrna
total 8
drwx------. 2 root root   27 Oct 30 16:29 .
drwxr-xr-x. 9 root root 4096 Oct 30 16:29 ..
-rwx------. 1 root root  123 Oct 30 16:29 black-xml.log

After some digging, it seems that if UMask is set in the rsyslog.service it’ll override any file permission changes in the rsyslog.d file (correct me if I’m wrong, please!):

sudo vi /usr/lib/systemd/system/rsyslog.service

# Comment out UMask to start
#UMask 0066

Restart rsyslog. File permissions are different!

$ sudo ls -al /var/log/sphyrna
total 8
drwxr--r--. 2 root root   27 Oct 30 16:30 .
drwxr-xr-x. 9 root root 4096 Oct 30 16:30 ..
-rwxr--r--. 1 root root  265 Oct 30 16:30 black-xml.log

But not for a user. Anyone but root gets denied with question marks?!?

$ ls -al /var/log/sphyrna
ls: cannot access /var/log/sphyrna/.: Permission denied
ls: cannot access /var/log/sphyrna/..: Permission denied
ls: cannot access /var/log/sphyrna/black-xml.log: Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
-????????? ? ? ? ?            ? black-xml.log

What am I doing wrong? Is it an rsyslog write mode thing and the file (and directory?) is write locked? How am I supposed to cat the log file outside of sudo’ing every time?

Also I don’t think I should be removing the UMask from rsyslog.service. That was just an experiment. Any tips are 1000% welcome!
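
Added example, not part of the original post: the listings above are consistent with the requested create mode being masked by the process umask, and a directory that grants others `r` without `x` lets `ls` read entry names but not stat them, which is what yields the `?` columns. The sketch works purely on mode bits; the 0022 default umask and the 0755 comparison are assumptions not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pure mode-bit arithmetic,
# no filesystem access, so it behaves the same for root and non-root.

# effective_mode REQUESTED UMASK -> mode actually applied at creation (octal)
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# ls_string TYPE MODE -> ls-style string, e.g. "drwxr--r--" (TYPE is d or -)
ls_string() {
    m=$(( 0$2 )); out=$1
    for shift_by in 6 3 0; do
        bits=$(( (m >> shift_by) & 7 ))
        [ $(( bits & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( bits & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# other_dir_access MODE -> what a user who is neither owner nor group can do
#   r = read entry names (readdir), x = search: stat() or open entries inside
other_dir_access() {
    bits=$(( 0$1 & 7 ))
    r=$(( bits & 4 )); x=$(( bits & 1 ))
    if [ "$r" -ne 0 ] && [ "$x" -ne 0 ]; then echo "full-listing"
    elif [ "$r" -ne 0 ]; then echo "names-only"      # ls -l shows ????????? per entry
    elif [ "$x" -ne 0 ]; then echo "traverse-only"   # known paths reachable, no listing
    else echo "denied"                               # "cannot open directory"
    fi
}

# The post's cases: $DirCreateMode 0744 under UMask 0066, then under 0022
# (0022 is an assumption: systemd's default when the unit sets no UMask=).
for um in 0066 0022; do
    eff=$(effective_mode 0744 "$um")
    printf 'umask %s -> %s %s other: %s\n' "$um" "$eff" \
        "$(ls_string d "$eff")" "$(other_dir_access "$eff")"
done
# A hypothetical 0755 request under 0022, for comparison
cmp=$(effective_mode 0755 0022)
printf '0755/0022 -> %s other: %s\n' "$(ls_string d "$cmp")" "$(other_dir_access "$cmp")"
```
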