diff --git a/releasenotes/notes/rootwrap-removal-68af457a0104a2ba.yaml b/releasenotes/notes/rootwrap-removal-68af457a0104a2ba.yaml
new file mode 100644
index 000000000..4b1db9bb0
--- /dev/null
+++ b/releasenotes/notes/rootwrap-removal-68af457a0104a2ba.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    The rootwrap rule to allow restarting the systemd service
+    openstack-ironic-inspector-dnsmasq.service has been removed. No known
+    tooling requires this rule since before Train. Any configuration tool which
+    is setting [dnsmasq_pxe_filter]dnsmasq_start_command also needs to be
+    writing an appropriate rootwrap.d file, as the inspector devstack plugin
+    does.
\ No newline at end of file
diff --git a/rootwrap.d/ironic-inspector.filters b/rootwrap.d/ironic-inspector.filters
index 4a38b515f..a36706cc6 100644
--- a/rootwrap.d/ironic-inspector.filters
+++ b/rootwrap.d/ironic-inspector.filters
@@ -5,7 +5,3 @@
 # ironic_inspector/pxe_filter/iptables.py
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
-
-# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service
-# ironic_inspector/pxe_filter/dnsmasq.py
-systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service