tmpfiles: set acls on system.journal explicitly https://github.com/systemd/systemd/issues/1397

tmpfiles: also set acls on /var/log/journal This way, directories created later for containers or for journald-remote, will be readable by adm & wheel groups by default, similarly to /var/log/journal/%m itself. https://github.com/systemd/systemd/issues/1971

tmpfiles: don't recursively descend into journal directories in /var Do so only in /run. We shouldn't alter ACLs for existing files in /var, but only for new files. If the admin made changes to the ACLs they shouls stay in place. We should still do recursive ACL changes for files in /run, since those are not persistent, and will hence lack ACLs on every boot. Also, /var/log/journal might be quit large, /run/log/journal is usually not, hence we should avoid the recursive descending on /var, but not on /run. Fixes #534

tmpfiles: use ACL magic on journal directories

build-sys: configure the list of system users, files and directories Choose which system users defined in sysusers.d/systemd.conf and files or directories in tmpfiles.d/systemd.conf, should be provided depending on comile-time configuration.