I have 2 sites/apps on a server: a proprietary app, and Nextcloud. Nextcloud will be using the `files_external` storage plugin which allows for local mounts, but I do NOT want it to be able to browse and view the source of the proprietary app... thus `mod_selinux` and sedomain children.

I'm using `mod_selinux` to create domain children, and I'm assigning a child id to each of the sites and labelling their respective app and data directories accordingly in their vhost definitions...
httpd.conf

```apache
selinuxServerDomain *:s0-s0:c0.c100
```

proprietary.vhost.conf

```apache
selinuxDomainVal *:s0:c10
```

nextcloud.vhost.conf

```apache
selinuxDomainVal *:s0:c20
```
The app directory, where the code is located, has the following permissions and contexts applied...

```
drwxr-x---.  4 apache apache unconfined_u:object_r:httpd_sys_content_t:s0:c10 4096 Jan 17 17:02 proprietary_app_dir
drwxr-x---. 15 apache apache unconfined_u:object_r:httpd_sys_content_t:s0:c20 4096 Jan 20 08:09 nextcloud
```
The problem...

Everything is running, but the problem is, I can still browse the proprietary app folder using Nextcloud even though the proprietary app's directory has a domain context limited to `s0:c10`, and as far as the vhost is defined, Nextcloud should be running as `s0:c20`.
I know that SELinux is doing its job because I can't view folders like `/etc` even though other users have read permissions on it; I can only view folders with contexts of `httpd_sys_(rw_)content_t`, as it should be.

I would have expected that a child process of `c20` should not be able to read a folder asking for `c10`. So the only thing I can think of is that the spawned children of `httpd_t` (via `mod_selinux`) are not using the `selinuxDomainVal` contexts that I've defined in the vhost files.
I'm not sure what I've done wrong, have I misconfigured this somehow, or have I forgotten a step? Would appreciate any help you can offer.
Extra info...
- CentOS8
- Apache 2.4.37
- PHP 7.3 (via remi)
- PHP-FPM
- mod_selinux (repackaged RPM from fedora 31)
Nextcloud is PHP-based software, not sure how your proprietary one works (maybe also PHP?). The actual directory browsing in Nextcloud happens using PHP, in your case using PHP-FPM from what I get. I would assume that you're either using the same PHP-FPM pool for both VHosts or that the PHP-FPM SELinux context is the same across both pools. My assumption might even be wrong; you should also provide details here regarding your PHP configuration and what you did (or didn't do) regarding SELinux.
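One way to check the answer's hypothesis on the host, as an added example that is neither the asker's nor the answerer's code: it reads `ps -eo label,comm` style output (a constructed sample is embedded so it runs offline) and reports which MCS level each `httpd` and `php-fpm` process carries, so you can see whether the PHP-FPM workers that actually do the directory listing ever run with the vhost's category (`c20`) or only with the pool's own label.

```shell
# Constructed sample of `ps -eo label,comm` output, not captured from the asker's host:
# the httpd children carry the per-vhost categories, the php-fpm workers do not.
SAMPLE_PS='system_u:system_r:httpd_t:s0-s0:c0.c100 httpd
system_u:system_r:httpd_t:s0:c10 httpd
system_u:system_r:httpd_t:s0:c20 httpd
system_u:system_r:httpd_t:s0 php-fpm
system_u:system_r:httpd_t:s0 php-fpm'

# mcs_levels CMD: read ps output on stdin and print the distinct MCS level
# (everything after user:role:type) of each process whose command is CMD.
mcs_levels() {
  awk -v cmd="$1" '$2 == cmd { sub(/^[^:]*:[^:]*:[^:]*:/, "", $1); print $1 }' | sort -u
}

# has_category CMD CAT: succeed (exit 0) only if some CMD process carries the
# MCS category CAT (e.g. c20) explicitly. A pool worker that lacks the vhost's
# category is not the confined child the vhost configuration asked for.
has_category() {
  mcs_levels "$1" | grep -q ":$2\$"
}

# Live use on the host: ps -eo label,comm | has_category php-fpm c20 && echo confined
printf '%s\n' "$SAMPLE_PS" | mcs_levels php-fpm
printf '%s\n' "$SAMPLE_PS" | has_category httpd c20 && echo "an httpd child carries c20"
printf '%s\n' "$SAMPLE_PS" | has_category php-fpm c20 || echo "no php-fpm worker carries c20"
```

If the live output shows the `php-fpm` workers at a single level for both pools, the separation configured in the vhosts never reaches the process that serves Nextcloud's file listing.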