Q.) How can you configure your VM to lock accounts after five failed login attempts, and to unlock after 15 minutes?
Q.) With SELinux, how can you confine users to prevent them from using the sudo and su commands?
Bonus Q.) How can you prevent those users from running programs in their home directory?
Q.) How will you patch 100 Linux servers in the given single maintenance window?
Level - L2 and above.
I'll be posting a series of Linux-related questions covering various skill levels. Feel free to share your insights and expertise. Your contributions will benefit learners at all stages, from those in current roles to those preparing for Linux interviews.
Question: How can you configure your VM to lock accounts after five failed login attempts, and to unlock after 15 minutes?
Here are the steps:
1) Edit the PAM configuration file for system-auth - use your favorite editor
# vi /etc/pam.d/system-auth
2) Locate the line that starts with auth [ default=1 ] pam_unix.so ... and add the following parameters at the end of the line:
auth [ default=1 ] pam_unix.so remember=5 faillock=5
3) Save and exit the file
4) Edit the PAM configuration file for password-auth:
# vi /etc/pam.d/password-auth
5) Locate the line that starts with auth [ default=1 ] pam_unix.so ... and add the following parameters at the end of the line:
auth [ default=1 ] pam_unix.so remember=5 faillock=5
6) Save and exit the file
The steps above will configure the Linux system to lock an account after 5 failed login attempts. Now, let's see the steps to auto unlock the account 15 minutes afterwards.
1) Edit the file /etc/pam.d/common-auth
2) Add the following line to the file:
auth required pam_tally2.so onerr=fail deny=5 unlock_time=900
3) Save and exit the file
4) Restart the sshd service - to apply the changes for the first 6 steps, as well as the changes for the last 3 steps.
A little explanation for some of the pieces in the line added to the common-auth file:
* auth required - Specifies that the pam_tally2 module is required for authentication
* onerr=fail - If an error occurs during authentication, the attempt is considered a failure
* deny=5 - The account will be locked after 5 failed attempts
* unlock_time=900 - The account will be unlocked after the lockout period of 900 seconds (15 minutes)
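As an added example (not part of the thread), a small POSIX sh audit that reads a PAM configuration file and checks whether its lockout line enforces at most 5 failures and at least a 900-second unlock. It recognises pam_tally2.so, the module used in the answer above, and pam_faillock.so, which replaces it on RHEL 8 and later; the sample config files are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PAM file for the lockout policy
# (deny after N failures, unlock after S seconds). Matches pam_tally2.so and
# its replacement pam_faillock.so on the "auth" line.

# Print the deny=/unlock_time= tokens of the first lockout line, one per line;
# prints nothing when the file has no lockout module configured.
lockout_params() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_(tally2|faillock)\.so' "$1" 2>/dev/null \
        | head -n 1 | tr '[:space:]' '\n' | grep -E '^(deny|unlock_time)='
}

# Return 0 if FILE enforces deny<=MAX_DENY and unlock_time>=MIN_UNLOCK seconds.
check_lockout_policy() {
    file=$1; max_deny=$2; min_unlock=$3
    params=$(lockout_params "$file")
    [ -n "$params" ] || return 1
    deny=$(printf '%s\n' "$params" | sed -n 's/^deny=//p' | head -n 1)
    unlock=$(printf '%s\n' "$params" | sed -n 's/^unlock_time=//p' | head -n 1)
    [ -n "$deny" ] && [ -n "$unlock" ] || return 1
    [ "$deny" -le "$max_deny" ] && [ "$unlock" -ge "$min_unlock" ]
}

# Constructed sample files (placeholders, not real system configs).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/common-auth.good" <<'EOF'
auth required pam_tally2.so onerr=fail deny=5 unlock_time=900
auth required pam_unix.so
EOF
cat > "$tmp/common-auth.weak" <<'EOF'
# allows too many failures and unlocks too quickly
auth required pam_faillock.so preauth silent deny=10 unlock_time=60
auth required pam_unix.so
EOF
cat > "$tmp/common-auth.none" <<'EOF'
auth required pam_unix.so
EOF

for f in good weak none; do
    if check_lockout_policy "$tmp/common-auth.$f" 5 900; then
        echo "common-auth.$f: lockout policy OK"
    else
        echo "common-auth.$f: lockout policy missing or too weak"
    fi
done
```

The check only inspects the file given to it, so run it against each file the thread edits (system-auth, password-auth and common-auth) to confirm the policy is present everywhere it is expected.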
Nice job explaining the configuration and the answer @Trevor !
Good explanation
How to prevent users from executing the su and sudo commands, by using SELinux to confine them?
To confine users in SELinux, and prevent them from using su and sudo, the user accounts need to be mapped to a specific confined SELinux user that limits the capabilities of the user account. The SELinux user "user_u" will provide this limitation (i.e. restriction).
To confine a Linux user account, use the -Z option with the useradd command to explicitly map the user account to the "user_u" SELinux user.
Note: Linux user accounts that are mapped to the SELinux user "user_u" can only perform actions allowed by the SELinux policy. The SELinux policy prevents direct execution of the sudo and su commands by Linux user accounts that are mapped to the SELinux user "user_u".
So, to achieve this restriction of su and sudo use, the following command should
be used when creating a Linux user account:
# useradd -Z user_u Linux-user-account
- This command will create a confined Linux user account
- Use of the su and sudo command will be prohibited
Bonus Q.) How can you prevent those users from running programs in their home directory?
Hello Chetan, on this bonus question, did you want that accomplished
using SELinux? I've got a couple of non-SELinux methods to make
that happen if SELinux is not a requirement.
Here's my best whack at that bonus question.
To confine Linux user accounts from executing applications in their home directory, the first step is to modify the SELinux user that the account is mapped to. This is achieved via the following commands:
- # semanage login -a -s user_u linux-user-account-name
- # semanage login -m -s user_u linux-user-account-name
Now, after this is done, there is an SELinux boolean that needs to be
set to off: user_exec_content
That boolean can be set to off using the following command:
# setsebool -P user_exec_content off
Note:
By default, all Linux user accounts are mapped to the default SELinux user unconfined_u, which provides privilege across the entire Linux system. To protect the Linux system from user accounts that have virtually no restriction (SELinux unconfined_u), we can change the default SELinux user from unconfined_u to user_u.
@Trevor you got it!
Red Hat Learning Community