I have a symlink /srv/web/fedoraproject.org that points to ~/work/fedora/git/fedora-web/fedoraproject.org/out, and I'm trying to share it via httpd. Here are the permissions and file contexts on the directories leading up to it:

drwxr-x--x ignacio ignacio root:object_r:user_home_dir_t       .
drwxrwxr-x ignacio ignacio user_u:object_r:user_home_t         work
drwxrwxr-x ignacio ignacio user_u:object_r:user_home_t         work/fedora
drwxrwxr-x ignacio ignacio user_u:object_r:user_home_t         work/fedora/git
drwxrwxr-x ignacio ignacio user_u:object_r:user_home_t         work/fedora/git/fedora-web
drwxrwxr-x ignacio ignacio user_u:object_r:user_home_t         work/fedora/git/fedora-web/fedoraproject.org
drwxrwxr-x ignacio ignacio system_u:object_r:httpd_sys_content_t work/fedora/git/fedora-web/fedoraproject.org/out/

The httpd_enable_homedirs boolean is on. I get the following denial (and *only* the following) in both permissive and enforcing mode:

Summary

SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files (work).

Detailed Description

SELinux has denied /usr/sbin/httpd access to potentially mislabeled file(s) (work). This means that SELinux will not allow /usr/sbin/httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access

If you want /usr/sbin/httpd to access this files, you need to relabel them using restorecon -v work. You might want to relabel the entire directory using restorecon -R -v .

Additional Information

Source Context        user_u:system_r:httpd_t
Target Context        user_u:object_r:user_home_t
Target Objects        work [ dir ]
Affected RPM Packages httpd-2.2.6-1.fc7 [application]
Policy RPM            selinux-policy-2.6.4-70.fc7
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           plugins.home_tmp_bad_labels
Host Name             ignacio.ignacio.lan
Platform              Linux ignacio.ignacio.lan 2.6.23.14-64.fc7 #1 SMP Sun Jan 20 23:54:08 EST 2008 i686 athlon
Alert Count           1
First Seen            Wed 27 Feb 2008 02:50:17 AM EST
Last Seen             Wed 27 Feb 2008 02:50:17 AM EST
Local ID              dfde3427-6f32-4258-a8e7-08cef6b6724e
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="httpd" dev=dm-1 egid=48 euid=48 exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name="work" pid=22840 scontext=user_u:system_r:httpd_t:s0 sgid=48 subj=user_u:system_r:httpd_t:s0 suid=48 tclass=dir tcontext=user_u:object_r:user_home_t:s0 tty=(none) uid=48

What I want to know is *why* httpd is only checking that *one* directory for access, instead of checking the entire chain.
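
Added example, not part of the original post: the Python below parses the raw AVC record quoted above and lists which directories in the posted chain carry the target type that the denial names. An AVC record identifies the access by source type, target type, class and permission and gives only the final path component in name=; the function names here are this example's own.

```python
import re

# Raw audit message copied from the post.
AVC = ('avc: denied { search } for comm="httpd" dev=dm-1 egid=48 euid=48 '
       'exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 '
       'name="work" pid=22840 scontext=user_u:system_r:httpd_t:s0 sgid=48 '
       'subj=user_u:system_r:httpd_t:s0 suid=48 tclass=dir '
       'tcontext=user_u:object_r:user_home_t:s0 tty=(none) uid=48')

# (path, context) pairs copied from the directory listing in the post.
CHAIN = [
    (".", "root:object_r:user_home_dir_t"),
    ("work", "user_u:object_r:user_home_t"),
    ("work/fedora", "user_u:object_r:user_home_t"),
    ("work/fedora/git", "user_u:object_r:user_home_t"),
    ("work/fedora/git/fedora-web", "user_u:object_r:user_home_t"),
    ("work/fedora/git/fedora-web/fedoraproject.org", "user_u:object_r:user_home_t"),
    ("work/fedora/git/fedora-web/fedoraproject.org/out/",
     "system_u:object_r:httpd_sys_content_t"),
]

def parse_avc(record):
    """Split an AVC record into its permission list and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", record)
    if not m:
        raise ValueError("not an AVC record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))
    fields = {key: value.strip('"') for key, value in pairs}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def selinux_type(context):
    """Return the type, the third field of user:role:type[:level]."""
    return context.split(":")[2]

def access_tuple(avc):
    """(source type, target type, class, permissions) named by the record."""
    return (selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]),
            avc["tclass"], tuple(avc["perms"]))

def components_matching(avc, chain):
    """Paths in the chain labeled with the denial's target type."""
    target = selinux_type(avc["tcontext"])
    return [path for path, ctx in chain if selinux_type(ctx) == target]

if __name__ == "__main__":
    avc = parse_avc(AVC)
    print("denied:", access_tuple(avc), "name =", avc["name"])
    for path in components_matching(avc, CHAIN):
        print("  same target type:", path)
```

Five of the seven listed directories share the user_home_t type that the single record reports for name="work".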