/var/log/foreman/production.log is world readable but /var/log/foreman/ isn't world executable I cannot read it. We should make these consistent.

I suggest making /var/log/foreman/production.log not world readable.

[vagrant@centos7-katello-3-3 ~]$ sudo ls ld /var/log/foreman/
drwxr-x--. 3 foreman foreman 4096 Apr 7 10:40 /var/log/foreman/
[vagrant@centos7-katello-3-3 ~]$ sudo ls l /var/log/foreman/production.log
-rw-r--r-. 1 foreman foreman 73200 Apr 10 08:15 /var/log/foreman/production.log
[vagrant@centos7-katello-3-3 ~]$ tail /var/log/foreman/production.log
tail: cannot open ‘/var/log/foreman/production.log’ for reading: Permission denied