The fundamental difference with the strict policy is that it restricts every process, including user logins, instead of just a few selected daemons. This has important ramifications for Apache HTTP, because ordinary users are often involved in providing and controlling Web content.

In the default strict policy, there are two user login types, user_t and staff_t. The strict Apache policy defines an additional set of types for each user login type, replacing _sys_ with _user_ and _staff_. For example, this gives httpd_user_script_ro_t and httpd_staff_script_exec_t. This provides for a stronger, mandatory separation between users, administrators, and the system. An ordinary user is prevented from reading system Web content directly, and a compromised or misconfigured system CGI script is prevented from reading a user's content.