The Apache options should prevent anything from being executed (though any suggestions on improving this are welcomed).
I understand where this requirement is coming from. Many current web engines nowadays allow you to install "extensions" or "plugins" via web interface.
No, these are just image files, not code.
Regarding the rules you mentioned in your next message: I have similar rules for my image directory, but SELinux does not apply them to this file. Since the image is first uploaded to a temporary location, it has type httpd_tmp_t, and it is not relabeled according to my policy when it is moved into its final location.
-----Scott.