Thanks for the reply
I wasn't using keystores.
I worked with permissions some more - with no luck. I probably could have gotten it if I had a working stack to check against. But I didn't have one available.
I ended up using yum to remove kibana. then I manually deleted all the kibana folders that were still hanging around (/usr/share/kibana, /opt/kibana, /etc/kibana (after I saved a copy of kibana.yml). I made sure the uninstall had cleaned out the kibana user (it had).
Then I re-installed. Once I changed the permissions to 774 on the log file I'd set up at /var/log/kibana/kibana.log - systemctl was able to start the service.