Once you get past that error, the dnsmasq process spawned by lxc-net will need to write its PID to /run/lxc/dnsmasq.pid so this also needs to be added to the policy.
Once you get past that error, the dnsmasq process spawned by lxc-net will need to write its PID to /run/lxc/ dnsmasq. pid so this also needs to be added to the policy.