system-config-selinux allows shell code injection #458

Open
mgerstner opened this issue Dec 30, 2024 · 0 comments

The GUI code for system-config-selinux uses Python's subprocess.getstatusoutput() a lot to call utilities like semanage or semodule. getstatusoutput() passes the command line to the shell and is thus susceptible to injection of shell code. In various spots the GUI utility passes on strings unfiltered from text input fields to getstatusoutput(), which can result in unexpected errors or even damage to the system.

For a simple reproducer follow these steps:

  • Run system-config-selinux on an SELinux-enabled system.
  • In "File Labeling" click "+" to add an entry.
  • Put something like '; touch /tmp/evil_file; ls ' into the "File Specification" field.
  • /tmp/evil_file will be created by root when adding the entry.

system-config-selinux is typically run as root via Polkit (pkexec) and requires entering the administrator password. Thus I don't consider this a security issue. The code is still unclean in this area and I believe it should be fixed.

From a quick grep I see potentially problematic uses of getstatusoutput() with format specifiers in gui/loginsPage.py, gui/usersPage.py, gui/modulesPage.py, gui/booleansPage.py, gui/fcontextPage.py, gui/portsPage.py, gui/domainsPage.py and also in python/sepolicy/sepolicy/manpage.py and python/sepolicy/sepolicy/interface.py.
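The following is an added example (not code from the selinux project) showing the fix the report asks for: build an argument list for semanage and run it without a shell, so the "File Specification" string from the reproducer arrives as a single verbatim argument. The function names and the echo-back child process are assumptions used to make it run offline; the spec and type values are constructed from the reproducer above.

```python
import json
import shlex
import subprocess
import sys

# Vulnerable pattern as described in the report (shown for comparison, not run):
#   subprocess.getstatusoutput("semanage fcontext -a -t %s '%s'" % (ftype, spec))
# The shell parses that string, so a spec such as  '; touch /tmp/evil_file; ls '
# closes the quote and runs extra commands as root.


def fcontext_add_argv(spec, ftype, semanage="semanage"):
    """Build the argv for `semanage fcontext -a -t TYPE SPEC` (hypothetical helper).

    Each element is handed to the program as-is; no shell ever sees it, so
    ';', quotes and other metacharacters in spec carry no special meaning.
    """
    if not spec or "\0" in spec:
        raise ValueError("invalid file specification")
    return [semanage, "fcontext", "-a", "-t", ftype, spec]


def fcontext_add_shell_cmd(spec, ftype, semanage="semanage"):
    """If a shell command string is unavoidable, quote every token with shlex.quote."""
    return " ".join(shlex.quote(a) for a in fcontext_add_argv(spec, ftype, semanage))


def run_argv(argv):
    """Run argv with shell=False and return (status, output) like getstatusoutput()."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, (proc.stdout + proc.stderr).rstrip("\n")


# Constructed stand-in for semanage: a child Python that prints its argv as JSON,
# so the demo runs without SELinux tools and without root.
ECHO_ARGV = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]


def demo(spec="'; touch /tmp/evil_file; ls '", ftype="httpd_sys_content_t"):
    """Return the argument list exactly as the child process received it."""
    argv = fcontext_add_argv(spec, ftype)
    status, out = run_argv(ECHO_ARGV + argv[1:])  # argv[0] is the program name
    return status, json.loads(out)


if __name__ == "__main__":
    print(demo())  # the spec survives as one argument; no file is touched
```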
