container-log-archive-charm does not set logdir permissions correctly

The c-l-a charm relies on the logdir having read permissions set on the others bit of a file. It seems the common approach is for non-subordinate charms to override the default vendor logrotate config to ensure the logfiles get rotated with the permissions that c-l-a expects (world-readable read). This leaves this bit of code in the c-l-a charm broken:

    # Ensure we can list log directories
    for logdir in logdirs:
        if not os.path.isdir(logdir):
            continue
        st = os.stat(logdir)
        os.chmod(logdir, st.st_mode | stat.S_IXOTH | stat.S_IROTH)

I think c-l-a should be solely responsible for setting up its permission requirements for the logdirs it cares about, non-subordinate charms shouldn't have to adjust logrotate config to comply. I propose we rewrite this block of code to use POSIX Access Control Lists instead. This would also provide the benefit that only the log-archive user is able to read logs as opposed to them being world readable. Perhaps something like:

    # Ensure we can list log directories
    archive_userinfo = conf.archive_userinfo()
    for logdir in logdirs:
        if not os.path.isdir(logdir):
            continue
        subprocess.check_call(["/usr/bin/setfacl", "-m", archive_userinfo + ":r-x", logdir])
        subprocess.check_call(["/usr/bin/setfacl", "-d", "-m", archive_userinfo + ":r--", logdir])