Que tal usar uma máscara de direitos efetivos:
[test@abcdef ~]$ setfacl -m g::rwx test/
[test@abcdef ~]$ getfacl test/
# file: test/
# owner: test
# group: test
user::rwx
group::rwx
mask::rwx
other::---
[test@abcdef ~]$ setfacl -m m::rw test/
[test@abcdef ~]$ getfacl test/
# file: test/
# owner: test
# group: test
user::rwx
group::rwx #effective:rw-
mask::rw-
other::---