There are at least two bugs involved here. One is the fact that you can breach into the setroubleshootd_t domain because of the shell parsing error. The second is a policy one: the setroubleshootd_t allows you to create a file with any attribute (here the suid bit), making it possible to elevate privileges.
The point Sebastian (stealth) is making is fairly balanced: SELinux is very useful, but it's not the catch-all solution to containing root exploits; it even has bugs in its implementations and policies, like all software.
Summary: SELinux executes untrusted input without sanitization
"The setroubleshootd daemon which runs as root, activated by its DBUS activation file when sedispatch was forwarding its AVC denial message, straight passes the pathname to a shell without further sanitization."
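Added example, not part of the thread and not setroubleshoot's own code: the class of bug the quoted summary describes, a pathname pasted into a shell command line, shown beside two hardened forms. The `printf` helper, the function names and the sample path are assumptions made for illustration.

```python
import shlex
import subprocess

# Constructed sample: a file name as it might arrive in a denial message.
# The $(...) part is harmless; it only makes shell evaluation visible.
UNTRUSTED_PATH = "/tmp/report$(printf EVALUATED).txt"


def lookup_unsafe(path):
    """'Before' form: the path is concatenated into a shell command line."""
    # printf stands in for whatever helper a daemon would run on the path.
    cmd = "printf '%s' " + path
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def lookup_argv(path):
    """Hardened form: no shell at all, the path is one argv element."""
    done = subprocess.run(["printf", "%s", path],
                          capture_output=True, text=True)
    return done.stdout


def lookup_quoted(path):
    """Fallback when a shell is unavoidable: quote the path for POSIX sh."""
    cmd = "printf '%s' " + shlex.quote(path)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    # The unsafe form shows the substitution was evaluated by the shell;
    # the other two return the file name byte for byte.
    for fn in (lookup_unsafe, lookup_argv, lookup_quoted):
        print(f"{fn.__name__:14} -> {fn(UNTRUSTED_PATH)!r}")
```

When the helper runs in a privileged domain, the argv form is the one to prefer: quoting only holds as long as every caller remembers to apply it.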