Description of problem:
I run cgit configured to serve up some users' git repos out of /home/*/public_git/. On F21 this was fine, but after upgrading to F23 with the same configuration, cgit now hits an AVC denial for search like this:

type=AVC msg=audit(1456917059.991:79808): avc: denied { search } for pid=4474 comm="cgit" name="dan" dev="dm-0" ino=13107202 scontext=system_u:system_r:git_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

The files in question are not mislabelled, and the labels make sense to me:

drwx--x--x. 34 dan users unconfined_u:object_r:user_home_dir_t:s0 12288 Mar 2 21:10 /home/dan
drwxr-xr-x. 3 dan users unconfined_u:object_r:git_user_content_t:s0 4096 Mar 2 20:54 /home/dan/public_git

cgit should indeed be prevented from *reading* inside my homedir, but it does need to be able to traverse it to get to ~/public_git.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-158.7.fc23.noarch
cgit-0.12-1.fc23.x86_64

How reproducible:
Relatively easily.

Steps to Reproduce:
1. dnf install cgit httpd, start httpd
2. Create ~/public_git and put a git repo there to be served up:
   mkdir /home/user/public_git
   restorecon /home/user/public_git
   git init --bare /home/user/public_git/testrepo
3. Configure cgit to serve it; append the following to /etc/cgitrc:
   repo.url=testrepo
   repo.path=/home/dan/public_git/testrepo
4. Visit http://localhost/cgit/testrepo/

Actual results:
500 Internal Server Error, and an AVC denial for search like the one pasted above.

Expected results:
Should successfully serve an HTML page showing the git repo contents (or "Repository seems to be empty" or whatever).

Additional info:
Seems like a policy regression, since the same setup was working without denials on F21.
Never mind, it seems there is an sebool for this: git_cgi_enable_homedirs. I'm guessing this is new or maybe wasn't enforced properly before, because I don't remember setting it previously. audit2allow -R didn't point it out to me which is why I didn't find it initially.