
5. Discussion of Overall Security

Having gained an understanding of some basic SELinux concepts, it is useful to step back and see what you have achieved so far, and examine some of the philosophy behind SELinux.

Running Apache HTTP as httpd_t ensures that even if the part of Apache HTTP that runs as root is compromised or misconfigured, it is isolated from the rest of the system and cannot delete or deface your website.

This mention of misconfiguration is useful to elaborate on. At a fundamental level, a hostile attacker trying to break into Apache HTTP is not very different from a webmaster misconfiguring it. Given Apache HTTP's extremely complex configuration file, all it takes is a one-line mistake such as the following to cause serious problems on your system:

PidFile /etc/passwd

There are plenty of other, easier-to-make mistakes in your Apache configuration.

SELinux lets you separate your security policy (Apache HTTP should never have direct access to /etc/passwd) from all the complexity in /etc/httpd/conf/httpd.conf. Having specific labels for your Web content and Apache HTTP also ensures that a compromised or misconfigured name server (named_t) cannot read the website at all (which is useful if some parts of the website are password-protected by Apache HTTP, for example).
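The following audit script is an added example, not part of the original guide or of SELinux. It keeps a write policy apart from httpd.conf in the same spirit and reports every directive that makes Apache HTTP write outside it, including the PidFile mistake shown above. The allowed directories, the default ServerRoot and the sample configuration are assumptions constructed for illustration; the directive names are real Apache directives.

```python
import posixpath
import shlex

# Real Apache directives whose argument is a file the parent httpd process writes.
WRITE_DIRECTIVES = {"pidfile", "errorlog", "customlog", "transferlog",
                    "lockfile", "scoreboardfile"}
# Assumption: the write policy for this host, kept apart from httpd.conf.
ALLOWED_WRITE_DIRS = ("/var/run", "/var/log/httpd")
# Assumption: ServerRoot used when the configuration does not set one.
DEFAULT_SERVER_ROOT = "/etc/httpd"

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
PidFile /etc/passwd
ErrorLog /var/log/httpd/error_log
CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/access_log 86400" combined
# PidFile /var/run/httpd.pid
LockFile ../../tmp/httpd.lock
ScoreBoardFile /var/run/httpd.scoreboard
"""

def audit_write_paths(conf_text, allowed=ALLOWED_WRITE_DIRS):
    """Return (line_no, directive, resolved_path) for each write target outside `allowed`."""
    server_root = DEFAULT_SERVER_ROOT
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the quoting httpd.conf uses
        name = tokens[0].lower()    # directive names are case-insensitive
        if name == "serverroot" and len(tokens) > 1:
            server_root = tokens[1]
        if name not in WRITE_DIRECTIVES or len(tokens) < 2:
            continue
        target = tokens[1]
        if target.startswith(("|", "syslog:")) or target == "syslog":
            continue  # piped logger or syslog target, not a file path
        # Relative paths start at ServerRoot; normpath folds ".." (lexical, no symlinks).
        path = posixpath.normpath(posixpath.join(server_root, target))
        if not any(path == d or path.startswith(d + "/") for d in allowed):
            findings.append((line_no, tokens[0], path))
    return findings

if __name__ == "__main__":
    for line_no, directive, path in audit_write_paths(SAMPLE_CONF):
        print(f"line {line_no}: {directive} writes to {path}, outside policy")
```

An audit like this only reports; SELinux enforces its policy in the kernel whether or not anyone checks the configuration.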

For a much more thorough discussion of the philosophy behind SELinux, refer to The Inevitability Of Failure (http://www.nsa.gov/selinux/papers/inevit-abs.cfm).

Last modified: 2005/03/30 17:47:23