8

The apache module of SELinux has two similar boolean parameters: httpd_read_user_content and httpd_enable_homedirs.

The man page says the former allows httpd to read user content and the latter allows httpd to read home directories.

What is the difference between them?

Which parameter should I set true if I want to allow httpd to read files on /home/foo directory?

Tsutomu
  • 268
  • 3
  • 10

2 Answers

11

httpd_read_user_content allows any confined web server to read files in user home directories in /home.

httpd_enable_homedirs allows Apache to use its UserDir directive (i.e. URLs that look like http://www.example.com/~username/).

If you are just mapping domain names to users' directories, it should be sufficient to enable the first one, httpd_read_user_content, but if you want to use Apache user directories, you should enable both.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
3

After doing some research myself, I investigated the differences between them using sesearch command:

$ sesearch --allow -s httpd_t -b httpd_read_user_content
Found 5 semantic av rules:
   allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t user_home_t : file { ioctl read getattr lock open } ; 
   allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t home_root_t : dir { getattr search open } ; 
   allow httpd_t home_root_t : lnk_file { read getattr } ;
$ sesearch --allow -s httpd_t -b httpd_enable_homedirs
Found 15 semantic av rules:
   allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t user_home_dir_t : lnk_file { read getattr } ; 
   allow httpd_t autofs_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t cifs_t : file { ioctl read getattr lock open } ; 
   allow httpd_t cifs_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t cifs_t : lnk_file { read getattr } ; 
   allow httpd_t nfs_t : file { ioctl read getattr lock open } ; 
   allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t nfs_t : lnk_file { read getattr } ; 
   allow httpd_t user_home_t : file { ioctl read getattr lock open } ; 
   allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t user_home_type : dir { getattr search open } ; 
   allow httpd_t user_home_type : lnk_file { read getattr } ; 
   allow httpd_t home_root_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t home_root_t : lnk_file { read getattr } ; 

All rules of httpd_read_user_content are included in httpd_enable_homedirs. That is, the scope of the latter is wider than the former.

As Michael said correctly, we should enable only the first one if we just want to place the document root on the home directory of a user.

Tsutomu
  • 268
  • 3
  • 10
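The comparison in the answer above, done mechanically: an added example (not the answerer's or the SELinux project's code) that parses the two sesearch listings quoted above and reports, per target type and object class, which permissions httpd_enable_homedirs grants that httpd_read_user_content does not.

```python
# Added example: parse `sesearch --allow` output into (source, target, class)
# -> permission sets and diff the two booleans' rule sets.
import re
from typing import Dict, Set, Tuple
Key = Tuple[str, str, str]
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}")
# Rule listings copied from the answer above (sesearch -s httpd_t -b <boolean>).
READ_USER_CONTENT = """
allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ;
allow httpd_t home_root_t : dir { getattr search open } ;
allow httpd_t home_root_t : lnk_file { read getattr } ;
"""
ENABLE_HOMEDIRS = """
allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_dir_t : lnk_file { read getattr } ;
allow httpd_t autofs_t : dir { ioctl read getattr lock search open } ;
allow httpd_t cifs_t : file { ioctl read getattr lock open } ;
allow httpd_t cifs_t : dir { ioctl read getattr lock search open } ;
allow httpd_t cifs_t : lnk_file { read getattr } ;
allow httpd_t nfs_t : file { ioctl read getattr lock open } ;
allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ;
allow httpd_t nfs_t : lnk_file { read getattr } ;
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_type : dir { getattr search open } ;
allow httpd_t user_home_type : lnk_file { read getattr } ;
allow httpd_t home_root_t : dir { ioctl read getattr lock search open } ;
allow httpd_t home_root_t : lnk_file { read getattr } ;
"""

def parse_av_rules(text: str) -> Dict[Key, Set[str]]:
    """Map (source, target, class) to the union of permissions granted for it."""
    rules: Dict[Key, Set[str]] = {}
    for m in RULE_RE.finditer(text):
        src, tgt, cls, perms = m.groups()
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def extra_access(narrow: Dict[Key, Set[str]], wide: Dict[Key, Set[str]]) -> Dict[Key, Set[str]]:
    """Permissions `wide` grants that `narrow` does not, keyed by triple."""
    return {k: p - narrow.get(k, set()) for k, p in wide.items() if p - narrow.get(k, set())}

def is_subset(narrow: Dict[Key, Set[str]], wide: Dict[Key, Set[str]]) -> bool:
    """True when every permission in `narrow` is also granted by `wide`."""
    return all(p <= wide.get(k, set()) for k, p in narrow.items())
```

Running extra_access on the two listings shows the extra targets (autofs_t, cifs_t, nfs_t, user_home_type) and that home_root_t:dir gains ioctl, read and lock under httpd_enable_homedirs.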