link source -> target doesn't work as I expect

Bug #1662803 reported by Seth Arnold
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

The following lines in my profile didn't allow a link operation to work as I expected:

link subset @{PROJECTS}/** -> @{PROJECTS}/**/deps/** ,
link subset @{PROJECTS}/** -> @{PROJECTS}/** ,
link @{PROJECTS}/** -> @{PROJECTS}/** ,

All three of these rules (tried one at a time) lead to the following DENIED messages:

type=AVC msg=audit(1486541632.347:41896): apparmor="DENIED" operation="link" info="target restricted" error=-13 profile="rust" name="/home/sarnold/projects/sarvm/target/debug/sarvm-ea4803ad22705e94" pid=3867 comm="cargo" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/sarnold/projects/sarvm/target/debug/deps/sarvm-ea4803ad22705e94"
type=SYSCALL msg=audit(1486541632.347:41896): arch=c000003e syscall=86 success=no exit=-13 a0=7feff8210000 a1=7feff8210050 a2=41 a3=7a4 items=0 ppid=3854 pid=3867 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts23 ses=4294967295 comm="cargo" exe="/home/sarnold/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo" key=(null)

Linux hunt 4.4.0-57-generic #78-Ubuntu SMP Fri Dec 9 23:50:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

#include <tunables/global>

@{PROJECTS}=@{HOME}/projects/

profile rust /home/sarnold/{.cargo,.rustup}/** {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /dev/tty rw,

  @{HOME}/.cargo/ rw,
  @{HOME}/.cargo/**/ rw,
  @{HOME}/.cargo/** rw,
  @{HOME}/.cargo/bin/* rmix,

  link subset @{HOME}/.cargo/** -> @{HOME}/.cargo/** ,

  @{HOME}/.rustup/ r,
  @{HOME}/.rustup/**/ r,
  @{HOME}/.rustup/** r,
  @{HOME}/.rustup/toolchains/*/bin/* rmix,

  /tmp/rustc.????????????/ rw,
  /tmp/rustc.????????????/** rw,

  @{PROJECTS}/**/ rw,
  @{PROJECTS}/** rwmix,

  link subset @{PROJECTS}/** -> @{PROJECTS}/**/deps/** ,

  @{HOME}/.gitconfig r,

  /usr/bin/hg Cx,

  profile /usr/bin/hg {
    #include <abstractions/base>
    /usr/bin/hg rmix,
    /usr/bin/python2.7 rmix,
    /usr/local/lib/python2.7/dist-packages/ r,
    /usr/local/lib/python2.7/dist-packages/** r,
    /etc/python2.7/sitecustomize.py r,
    /etc/mercurial/hgrc.d/ r,
    /etc/mercurial/hgrc.d/** r,
    /etc/mercurial/hgrc r,
  }

  /usr/bin/gcc-5 Cx,

  profile /usr/bin/gcc-5 {
    #include <abstractions/base>
    /usr/bin/gcc-5 rmix,
    /usr/lib/gcc/** rmix,
    /usr/bin/*-ld.bfd rmix,
    /tmp/????????.res rw,
    /tmp/????????.c rw,
    /tmp/????????.o rw,
    /tmp/????????.ld rw,
    /tmp/????????.le rw,
    @{PROJECTS}/**/ rw,
    @{PROJECTS}/** rw,
    @{HOME}/.rustup/toolchains/** r,

  }

}

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor 2.10.95-0ubuntu2.5
ProcVersionSignature: Ubuntu 4.4.0-57.78-generic 4.4.35
Uname: Linux 4.4.0-57-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Feb 8 00:20:46 2017
InstallationDate: Installed on 2012-10-18 (1574 days ago)
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1)
KernLog:
 Feb 7 21:32:35 hunt NetworkManager[1294]: <info> [1486531955.0418] device (wlan0): Activation: (wifi) access point 'CenturyLink3337' has security, but secrets are required.
 Feb 7 21:32:35 hunt NetworkManager[1294]: <info> [1486531955.0805] device (wlan0): Activation: (wifi) connection 'CenturyLink3337' has security, and secrets exist. No new secrets needed.
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.4.0-57-generic root=UUID=7b8c2e1b-d2e6-47d9-9030-c078e9701a1d ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to xenial on 2016-04-30 (284 days ago)
modified.conffile..etc.apparmor.d.abstractions.ubuntu-browsers.d.text-editors: [modified]
mtime.conffile..etc.apparmor.d.abstractions.ubuntu-browsers.d.text-editors: 2013-03-26T13:10:49
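
For triaging a denial like the one quoted in this report, the following added example (not part of the original report and not AppArmor project code) joins the AVC and SYSCALL records by audit event id and extracts the two paths that the link name and target sides of a link rule are checked against. The function names are hypothetical, the sample input is the two records copied from the report, and the syscall table covers x86_64 only.

```python
import re

# The two audit records quoted in the report above, copied as sample input.
SAMPLE = '''\
type=AVC msg=audit(1486541632.347:41896): apparmor="DENIED" operation="link" info="target restricted" error=-13 profile="rust" name="/home/sarnold/projects/sarvm/target/debug/sarvm-ea4803ad22705e94" pid=3867 comm="cargo" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/sarnold/projects/sarvm/target/debug/deps/sarvm-ea4803ad22705e94"
type=SYSCALL msg=audit(1486541632.347:41896): arch=c000003e syscall=86 success=no exit=-13 a0=7feff8210000 a1=7feff8210050 a2=41 a3=7a4 items=0 ppid=3854 pid=3867 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts23 ses=4294967295 comm="cargo" exe="/home/sarnold/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo" key=(null)
'''

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the kernel logs as "untrusted strings": quoted when plain, bare
# upper-case hex when the value holds spaces, quotes or control characters.
UNTRUSTED = {"name", "target", "comm", "exe"}
SYSCALLS_X86_64 = {86: "link", 265: "linkat"}  # valid for arch=c000003e only

def decode(key, raw):
    if raw.startswith('"'):
        return raw[1:-1]
    if key in UNTRUSTED and re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_record(line):
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return rtype, (ts, serial), {k: decode(k, v) for k, v in FIELD.findall(body)}

def link_denials(log_text):
    """Join AVC and SYSCALL records by audit event id; return link denials."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec[1], {})[rec[0]] = rec[2]
    found = []
    for recs in events.values():
        avc, sc = recs.get("AVC", {}), recs.get("SYSCALL", {})
        if avc.get("apparmor") != "DENIED" or avc.get("operation") != "link":
            continue
        nr = int(sc["syscall"]) if sc.get("syscall", "").isdigit() else None
        if sc.get("arch") == "c000003e":
            nr = SYSCALLS_X86_64.get(nr, nr)
        found.append({"profile": avc.get("profile"), "info": avc.get("info"),
                      "link_name": avc.get("name"),  # left side of "link A -> B"
                      "target": avc.get("target"),   # right side: existing file
                      "syscall": nr, "exe": sc.get("exe")})
    return found
```

Calling link_denials(SAMPLE) returns one entry whose link_name is the path under target/debug/ and whose target is the path under target/debug/deps/.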
