cannot restrict /var/lib/neutron permissions

Bug #1745443 reported by Stefan Nica
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Restricting access to the /var/lib/neutron path to the user neutron negatively affects the dnsmasq processes spawned by the neutron dhcp-agent, which execute as the dnsmasq user:

---------------------
2018-01-25T10:48:56.609668+00:00 d52-54-77-77-01-01 dnsmasq[25454]: started, version 2.78-security-prerelease cachesize 2000
2018-01-25T10:48:56.612892+00:00 d52-54-77-77-01-01 dnsmasq[25454]: compile time options: IPv6 GNU-getopt no-DBus i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
2018-01-25T10:48:56.613198+00:00 d52-54-77-77-01-01 dnsmasq-dhcp[25454]: DHCP, static leases only on 192.168.123.0, lease time 1d
2018-01-25T10:48:56.613521+00:00 d52-54-77-77-01-01 dnsmasq-dhcp[25454]: DHCP, sockets bound exclusively to interface tap775d1b31-34
2018-01-25T10:48:56.613735+00:00 d52-54-77-77-01-01 dnsmasq[25454]: using nameserver 192.168.251.1#53
2018-01-25T10:48:56.613946+00:00 d52-54-77-77-01-01 dnsmasq[25454]: failed to load names from /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/addn_hosts: Permission denied
2018-01-25T10:48:56.614153+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/host: Permission denied
2018-01-25T10:48:56.614354+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/opts: Permission denied
2018-01-25T10:48:56.622489+00:00 d52-54-77-77-01-01 haproxy[25455]: Proxy listener started.
2018-01-25T10:48:56.858479+00:00 d52-54-77-77-01-01 dnsmasq[25454]: failed to load names from /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/addn_hosts: Permission denied
2018-01-25T10:48:56.858834+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/host: Permission denied
2018-01-25T10:48:56.859148+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/opts: Permission denied
2018-01-25T10:48:56.916623+00:00 d52-54-77-77-01-01 dnsmasq[25454]: failed to load names from /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/addn_hosts: Permission denied
2018-01-25T10:48:56.916925+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/host: Permission denied
2018-01-25T10:48:56.917146+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/opts: Permission denied
---------------------

# ls -ald /var/lib/neutron
drwxr-x--- 7 neutron neutron 4096 Jan 25 11:55 /var/lib/neutron
---------------------

# ps -ef|grep dnsmasq
dnsmasq 13805 1 0 17:20 ? 00:00:00 dnsmasq --user=neutron --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/host --addn-hosts=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/opts --dhcp-leasefile=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tap775d1b31-34 --dhcp-range=set:tag0,192.168.123.0,static,255.255.255.0,86400s --dhcp-option-force=option:mtu,8858 --dhcp-lease-max=256 --conf-file= --server=192.168.251.1 --domain=openstack.local
---------------------

If the dnsmasq process is started as the neutron user using its '--user' option, the problem disappears.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

Can't you allow the 'dnsmasq' user to access /var/lib/neutron/dnsmasq?

Revision history for this message
Jacek Tomasiak (skazi) wrote :

Using `--group=neutron` instead of `--user=neutron` would be better. Group has only read access to the config files and afaik that's all dnsmasq needs here.

Revision history for this message
Brian Haley (brian-haley) wrote :

I know this is an old bug, but we've been working through the old ones.

I did have a question - I thought dnsmasq had to write leases to the filename given in the --dhcp-leasefile argument, which would then require write permission of this directory. Am I missing something?

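The failure in the report, the --group=neutron suggestion and the question about the lease file all come down to the same discretionary-access-control check: every directory on the path must grant search (x) to the identity dnsmasq runs as, and the leaf must grant the bits the operation needs. The script below is an added example (not neutron or dnsmasq code, and not posted by anyone in this thread) that models that check over a constructed in-memory tree mirroring the layout in the report. The numeric uids/gids are hypothetical; only their relationships matter. It does not model which files dnsmasq opens before or after it drops privileges, so the lease-file result is only what the permission bits alone allow.

```python
"""Model of the Unix DAC check behind this report: can the identity dnsmasq
runs as reach the files under a 0750 /var/lib/neutron?

Added example, not neutron or dnsmasq code.  The tree, uids and gids are
constructed to mirror the layout in the report; the numeric ids are
hypothetical and only their relationships matter.
"""
from dataclasses import dataclass

# Hypothetical ids for the two accounts named in the report.
NEUTRON_UID, NEUTRON_GID = 1001, 1001
DNSMASQ_UID, DNSMASQ_GID = 1002, 1002

# Network id and per-network directory taken from the dnsmasq command line.
NET = "c78e2e07-4223-4c00-a52c-ff9e2637e35e"
BASE = f"/var/lib/neutron/dhcp/{NET}"

BITS = {"r": 4, "w": 2, "x": 1}


@dataclass(frozen=True)
class Node:
    mode: int          # permission bits only, e.g. 0o750
    uid: int
    gid: int
    is_dir: bool = False


def build_tree(base_mode=0o750, file_mode=0o644):
    """Constructed filesystem image: /var/lib/neutron as in the report's
    `ls -ald`, plus the dhcp subtree and the four files dnsmasq is given."""
    tree = {
        "/": Node(0o755, 0, 0, True),
        "/var": Node(0o755, 0, 0, True),
        "/var/lib": Node(0o755, 0, 0, True),
        "/var/lib/neutron": Node(base_mode, NEUTRON_UID, NEUTRON_GID, True),
        "/var/lib/neutron/dhcp": Node(0o755, NEUTRON_UID, NEUTRON_GID, True),
        BASE: Node(0o755, NEUTRON_UID, NEUTRON_GID, True),
    }
    for name in ("host", "addn_hosts", "opts", "leases"):
        tree[f"{BASE}/{name}"] = Node(file_mode, NEUTRON_UID, NEUTRON_GID)
    return tree


def effective_bits(node, uid, gids):
    """Select the owner, group or other triplet the way the kernel does:
    the owner class applies if the uid matches, else group, else other."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_access(tree, path, uid, gids, want):
    """True if uid (with supplementary gids) has the `want` bits ('r', 'w',
    'x' or a combination) on path.  Every ancestor directory must grant
    search (x); that is exactly what a 0750 /var/lib/neutron withholds from
    any identity outside the neutron group.  uid 0 is treated as bypassing
    DAC, as root does on a stock system."""
    if uid == 0:
        return True
    parts = [p for p in path.strip("/").split("/") if p]
    for i in range(len(parts)):
        ancestor = "/" + "/".join(parts[:i])
        if not (effective_bits(tree[ancestor], uid, gids) & BITS["x"]):
            return False
    need = 0
    for ch in want:
        need |= BITS[ch]
    return (effective_bits(tree[path], uid, gids) & need) == need


def dnsmasq_report(tree, uid, gids):
    """Per file named on the report's dnsmasq command line: is it usable by
    the given identity?  The hostsfile, addn-hosts and optsfile are read
    (needs r); the leasefile is written (needs w).  When dnsmasq opens the
    leasefile relative to dropping privileges is not modelled here."""
    needs = {"host": "r", "addn_hosts": "r", "opts": "r", "leases": "w"}
    return {name: can_access(tree, f"{BASE}/{name}", uid, gids, want)
            for name, want in needs.items()}


if __name__ == "__main__":
    cases = {
        "as reported (dnsmasq user, own group)": (build_tree(), DNSMASQ_UID, {DNSMASQ_GID}),
        "--group=neutron": (build_tree(), DNSMASQ_UID, {DNSMASQ_GID, NEUTRON_GID}),
        "--user=neutron": (build_tree(), NEUTRON_UID, {NEUTRON_GID}),
        "0755 /var/lib/neutron, dnsmasq user": (build_tree(base_mode=0o755), DNSMASQ_UID, {DNSMASQ_GID}),
    }
    for label, (tree, uid, gids) in cases.items():
        print(f"{label:40} {dnsmasq_report(tree, uid, gids)}")
```

With the directory at 0750 and the dnsmasq identity outside the neutron group, the walk fails at /var/lib/neutron itself, so all four files are unreachable regardless of their own modes, which matches the three "Permission denied" lines in the log. Adding the neutron group (the --group=neutron idea) restores traversal and read access to 0644 files but not write access to a 0644 lease file; running as the neutron user grants everything, which is the behaviour the reporter observed with --user=neutron.
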