diff --git a/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml b/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml
new file mode 100644
index 000000000..49a393ac2
--- /dev/null
+++ b/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml
@@ -0,0 +1,11 @@
+---
+fixes:
+ - |
+ A new rootwrap filter is now included to allow control of the systemd
+ dnsmasq service used by ironic-inspector. This fixes a permission issue
+ when systemctl commands are used as ``dnsmasq_start_command`` and
+ ``dnsmasq_stop_command`` in the configuration for the dnsmasq pxe filter.
+ See bug `2002818 `_.
+
+ .. Note:: The filter uses the systemd service name used by the RDO
+ distrubution (``openstack-ironic-inspector-dnsmasq.service``).
diff --git a/rootwrap.d/ironic-inspector-firewall.filters b/rootwrap.d/ironic-inspector-firewall.filters
deleted file mode 100644
index 893454f1a..000000000
--- a/rootwrap.d/ironic-inspector-firewall.filters
+++ /dev/null
@@ -1,6 +0,0 @@
-# ironic-inspector-rootwrap command filters for firewall manipulation
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# ironic_inspector/firewall.py
-iptables: CommandFilter, iptables, root
diff --git a/rootwrap.d/ironic-inspector.filters b/rootwrap.d/ironic-inspector.filters
new file mode 100644
index 000000000..352dd843a
--- /dev/null
+++ b/rootwrap.d/ironic-inspector.filters
@@ -0,0 +1,10 @@
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# ironic-inspector-rootwrap command filters for firewall manipulation
+# ironic_inspector/firewall.py
+iptables: CommandFilter, iptables, root
+
+# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service
+# ironic_inspector/pxe_filter/dnsmasq.py
+systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service
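Review bot: The `.*` in the new `systemctl` RegExpFilter (last line of rootwrap.d/ironic-inspector.filters) accepts any single argument in the verb position, so the service account may run every systemctl action as root against the dnsmasq unit, not only the start and stop that `dnsmasq_start_command` and `dnsmasq_stop_command` are described as needing. Restricting the pattern to the required verbs keeps the filter least-privilege: `systemctl: RegExpFilter, /bin/systemctl, root, systemctl, (start|stop), openstack-ironic-inspector-dnsmasq\.service` (add `restart` only if a deployment actually uses it). The escaped dot also keeps the unit-name pattern from matching an arbitrary character at that position. A one-line comment above the filter stating which verbs are intended would help later reviewers confirm the scope.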