I've seen Apache run inside a chroot jail, but that was always very hassle-prone, and ironically, when security updates came out, they weren't applied within the chroot jail, (eg, installed via yum) making it more likely to get compromised! Is there an easier/better way to do this? Can you mix/match chroot'ed websites with those that aren't, without running a wholy separate webserver daemon?
What other actions would the knowledgeable crowd here suggest?
SELinux and php in safe mode should take care of most of the problems. I'd recommend is going through the config and unloading the modules you don't need. I'd also recommend putting some time into mod_security. With a proper mod_security config and selinux, you can stop nearly everything thrown at the webserver. If someone manages to make it through an updated apache, selinux, php in safe mode, and mod_security.... they've EARNED that compromise. Beyond that, just the usual "keep your webapps updated" blah blah blah.
-- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety'' Benjamin Franklin 1775