
4. Adding Per-User Content

This section discusses per-user ~/public_html directories. You need to do three things:

  1. Edit /etc/httpd/conf/httpd.conf. Comment out the line UserDir disable and change the UserDir option to public_html.

  2. Execute service httpd reload.

  3. Start system-config-securitylevel. In the SELinux tab, open the Apache menu under Modify SELinux Policy. Switch the Boolean Allow httpd to read home directories back on. Alternatively, use setsebool httpd_enable_homedirs true from a terminal.

The rest of this process is from the perspective of a user who wants to maintain their own website.

[Note] Remember normal Linux permissions

Make sure that you have your home directory set up with the normal Linux permissions for this: in particular, you may need to run chmod a+x ~.

In your home directory, execute mkdir public_html. Examine the security context of the new directory:

ls -adZ public_html
drwxrwxr-x  walters  walters  user_u:object_r:user_home_t      public_html/

Note that it has the type user_home_t, because SELinux has a rule that new files created in a user's home directory (user_home_dir_t) get assigned the type user_home_t by default. A process running as httpd_t (i.e., Apache HTTP) can't read a file with this type. To change the file's type and allow Apache HTTP to read the file, execute: chcon -t httpd_sys_content_t public_html

[Note] Targeted versus strict

In the strict policy, normal users have to use the type httpd_user_content_t; the _sys_ means it is reserved for the system administrator by default. Using separate types like this allows stronger separation between the system and the user.

Now, create some content in your new public_html (perhaps index.php). Test that you can browse to http://localhost/~username/index.php, and see the expected data. Try relabeling the file back: chcon -t user_home_t index.php. When you reload the page, the Web server will not have permission to read it any more.

One key idea is that there are actually two independent layers of security involved: the normal Unix permissions, which you modify with chmod, and the SELinux file labels, which you modify with chcon. With SELinux, simply making a file world-readable with the Unix command chmod a+r filename will not, in general, allow any process to read the file. Each process must be explicitly authorized in the SELinux policy for access to a particular file type.
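The two-layer check described above, as an added example that is not part of the original guide: a shell function that reads ls -dZ lines in the column order shown earlier and reports which layer would stop Apache. It assumes Apache falls under the "other" permission bits and that only httpd_sys_content_t and httpd_user_content_t are readable by httpd_t; the name check_line and every sample line except the first are constructed here.

```shell
#!/bin/sh
# Types httpd_t may read. Assumption: only the two content types the page names.
HTTPD_TYPES="httpd_sys_content_t httpd_user_content_t"

# check_line "<ls -dZ line>"  ->  ok | dac | selinux | dac+selinux
# Expects the page's column order: mode owner group user:role:type name
check_line() {
    read -r mode owner group ctx name <<EOF
$1
EOF
    # Layer 1: Unix mode bits. Assumption: Apache is neither the owner nor in
    # the group, so only the "other" triplet (characters 8-10) applies.
    other=$(printf '%s\n' "$mode" | cut -c8-10)
    dac=deny
    case $mode in
        d*) case $other in ??[xt]) dac=ok ;; esac ;;   # directory: search bit
        *)  case $other in r??)    dac=ok ;; esac ;;   # file: read bit
    esac
    # Layer 2: SELinux type, the third colon-separated field of the context.
    type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    mac=deny
    for t in $HTTPD_TYPES; do
        if [ "$t" = "$type" ]; then mac=ok; fi
    done
    case $dac/$mac in
        ok/ok)   echo ok ;;
        deny/ok) echo dac ;;
        ok/deny) echo selinux ;;
        *)       echo dac+selinux ;;
    esac
}

# Constructed sample input; the first line is the listing shown on the page.
while IFS= read -r line; do
    printf '%-12s %s\n' "$(check_line "$line")" "$line"
done <<'EOF'
drwxrwxr-x  walters  walters  user_u:object_r:user_home_t      public_html/
drwxrwxr-x  walters  walters  user_u:object_r:httpd_sys_content_t  public_html/
-rw-------  walters  walters  user_u:object_r:httpd_sys_content_t  index.php
-rw-rw----  walters  walters  user_u:object_r:user_home_t      index.php
EOF
```

The checker covers only public_html and the files inside it; access to the home directory itself (user_home_dir_t) is governed by the httpd_enable_homedirs Boolean from step 3.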

Last modified: 2005/03/30 17:47:23