You should not use chroot with a hosting control panel unless the control panel support chroot.
For the security rule, if you want to block something like a URL "/blabla"
Just add a rule in modsec2.user.conf like
SecRule REQUEST_URI "/blabla"
then create a file to serve url "/blabla". remember, if file not found (404), LSWS will not go through the security rules.
then hit the URL, you will see 406 response, means that the request was blocked by security rule. check the audit_log, it should be logged.