I admit to a paranoid streak and have been confining my users with SELinux.
I confine almost all users as user_u:
/usr/sbin/semanage login -a -s user_u $user
Users who need admin access I confine as staff_u:
/usr/sbin/semanage login -a -s staff_u $user
There are 2 minor annoyances with this method.
First, I like regular users to be able to ping. This is enabled with a boolean:
setsebool -P selinuxuser_ping on
And second, although staff_u can use sudo, they are still restricted by SELinux. To allow unlimited access, add or edit /etc/sudoers.d/sudo to read:
%user ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
Replace “%user” with the user name you wish to allow unconfined root access. In sudoers a leading % denotes a group, so keep the % only when the entry names a group.
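To check which logins are still mapped to something other than user_u or staff_u after running the semanage commands above, the following added example (not part of the original post) filters the output of `semanage login -l`. The function name and the sample table are constructed for illustration; the __default__ row is the mapping applied to any login without an entry of its own.

```shell
#!/bin/sh
# Added example: list login mappings that are not confined as user_u or staff_u.
# Reads the output of `semanage login -l` on stdin and prints
# "login selinux_user" for every mapping outside the allowed set.
unconfined_logins() {
    awk '
        $1 == "Login" && $2 == "Name" { next }   # skip the header row
        NF < 2 { next }                          # skip blank lines
        $2 != "user_u" && $2 != "staff_u" { print $1, $2 }
    '
}

# Constructed sample in the column layout printed by `semanage login -l`.
SAMPLE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                user_u               s0                   *
bob                  staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Run the check against the sample.
printf '%s\n' "$SAMPLE" | unconfined_logins

# On a live system (as root): semanage login -l | unconfined_logins
```

An empty result means every listed mapping, including __default__, is user_u or staff_u.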