This is the RC logic and usage of the new Apache module mod_rsbac for virtual servers (also works with directories).
The goal is to have completely separated virtual domains (or directories) without the overhead of forking new processes and/or executing a helper program like SuExec. As long as a worker process is serving one virtual server, it cannot access anything from another virtual server.
We have two basic roles, Master and Worker-Main, and one role per virtual server. The Master role has ASSIGN right to Worker-Main and all virtual domain roles. Worker-Main is compatible with all virtual domain roles. The data area of each virtual server has its own type, which can only be accessed by this virtual server's role and not by Worker-Main or Master.
Apache clears and sanitizes the request data between requests for different virtual servers or directories. We have to trust Apache to be perfect in this area; however, you can set the child processes to be used only once, so that a totally new child is started each time (but this is more SuExec-like and slower).
The Apache master process, which accepts connections, runs with role Master. This can e.g. be set as initial role on the httpd binary. The Worker-Main role is assigned to the Apache user (e.g. www-run). When a worker process gets forked from the master process, it calls setuid(www-run) and thus gets the Worker-Main role as current role. Whenever a new connection comes in, the Master process selects an idle worker process, assigns the Worker-Main role to it and hands over the connection.
Alternatively, the worker process can actively change from Master to Worker-Main, if set as compatible role. To work with this alternative you need to patch Apache with the corresponding RSBAC patch. In that case, all worker processes are created with the worker role, and reset to this worker role after serving each request.
The worker process reads the request, actively changes its current role to the correct virtual domain role and serves the requested pages. As it cannot change back to Worker-Main by itself, there is no way to access another virtual domain without the help of the master process.
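The role transitions described above can be checked in a small model. This is an added example, not code from mod_rsbac or RSBAC: the class and function names, the vhost_<name> roles and the data_<name> types are assumptions made for the illustration, and the model covers only role compatibility, the ASSIGN right and type access.

```python
# Simplified model of the RC setup described above; not RSBAC's API or code.
# Role and type names for the virtual servers are constructed for the example.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    compatible: set = field(default_factory=set)  # roles a process may switch to by itself
    may_assign: set = field(default_factory=set)  # roles it may set on another process
    fd_types: set = field(default_factory=set)    # data types it may access

def build_policy(vhosts):
    vroles = {f"vhost_{v}" for v in vhosts}
    roles = {
        "Master": Role("Master", may_assign=vroles | {"Worker-Main"}),
        "Worker-Main": Role("Worker-Main", compatible=set(vroles)),
    }
    for v in vhosts:
        # One role and one data type per virtual server; no compatible roles,
        # so a worker in this role cannot leave it on its own.
        roles[f"vhost_{v}"] = Role(f"vhost_{v}", fd_types={f"data_{v}"})
    return roles

class Process:
    def __init__(self, policy, role):
        self.policy, self.role = policy, role

    def change_role(self, new):
        """Active role change by the process itself: needs role compatibility."""
        if new not in self.policy[self.role].compatible:
            raise PermissionError(f"{self.role} -> {new}: not compatible")
        self.role = new

    def assign_role(self, target, new):
        """Set the role of another process: needs ASSIGN right on the new role."""
        if new not in self.policy[self.role].may_assign:
            raise PermissionError(f"{self.role} may not assign {new}")
        target.role = new

    def can_access(self, fd_type):
        return fd_type in self.policy[self.role].fd_types

def serve(master, worker, vhost):
    """One request: master resets the worker, worker enters the vhost role."""
    master.assign_role(worker, "Worker-Main")
    worker.change_role(f"vhost_{vhost}")
    return worker.can_access(f"data_{vhost}")
```

Calling serve() for one virtual server and then attempting change_role() to Worker-Main or to another virtual server's role from the same worker raises PermissionError, which is the isolation property the design relies on.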
Not directly related to mod_rsbac:
Each virtual server has its own upload user, which gets a separate role as def_role. All these users are in the same Linux group as the web server; this is important for PHP safe mode and write accesses to function properly.
Pages that must often be writable by the web server (e.g. for wikis) get the group write right. The virtual server role either needs write access to the virtual server data type, or another type per virtual server is introduced for web server write accesses. In the latter case, the upload user role must have ASSIGN right to both types so that it can choose between them.
Each virtual domain can have a directory for CGIs with a force_role setting for another role per virtual domain, so that CGIs have different access rights. Otherwise, CGIs are executed with the virtual domain role that calls the CGI.