diff --git a/files/rootwrap.d/vpnaas.filters b/files/rootwrap.d/vpnaas.filters
index 4d72d7df..846ac2d1 100644
--- a/files/rootwrap.d/vpnaas.filters
+++ b/files/rootwrap.d/vpnaas.filters
@@ -1,7 +1,7 @@
 # neutron-rootwrap command filters for nodes on which neutron is
 # expected to control network
 #
-# This file should be owned by (and only-writeable by) the root user
+# This file should be owned by (and only-writable by) the root user
 
 # format seems to be
 # cmd-name: filter-name, raw-command, user, args
@@ -13,7 +13,8 @@ ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 ipsec: CommandFilter, ipsec, root
 rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
+rm_file: RegExpFilter, rm, root, rm, -f, .*/ipsec.secrets
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
-chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/(ipsec.secrets|ipsec/[0-9a-z-]+/log)
+chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/(ipsec.secrets|ipsec/[0-9a-z-]+/log)
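Review bot: The new `rm_file` filter in the second hunk allows a root `rm -f` on any path whose last component matches `ipsec.secrets`, because the pattern `.*/ipsec.secrets` does not constrain the directory and leaves the dot unescaped, so it matches any character. At minimum the line should read `rm_file: RegExpFilter, rm, root, rm, -f, .*/ipsec[.]secrets`. If the secrets file lives under the per-process tree that the `rm` line already anchors with `.*/ipsec/[0-9a-z-]+` (the layout is not visible in this hunk), reusing that anchor would keep the rule from reaching a system-wide `ipsec.secrets`. The widened `chown` pattern keeps the same leading `.*/` and unescaped dot, and `chown` follows symlinks by default, so a `log` entry in a directory the agent can write could redirect the ownership change. Passing `-h` from the caller and requiring it in the filter is worth considering.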