Fun with NULL pointers (how the 2.6.30 exploit works) (lwn.net)
35 points by madars on July 28, 2009 | 7 comments


I wonder if the NSA knew of this SELinux vulnerability, or am I just being paranoid?


It's actually not a vulnerability in isolation. The use of SELinux simply changes the address space policy from one in which the kernel enforces the zero page area to one in which the process can map stuff there (by default, unless the security module turns it off). By itself, that does nothing.

There were other holes that had to be there too: the handler code was incorrectly dereferencing a pointer before the check for null (that's a real bug), and the compiler was optimizing out the null pointer test in the same function (a really, really subtle interaction that no one expected) that would have detected the attack and returned an error instead.

It's a perfect storm of coincidence, basically. There's nothing the NSA could have done to predict this, and the SELinux part is only a small piece. And in any case, the security policy bug isn't even in the NSA's SELinux code at all; it's in the way the kernel sets defaults for its security policies for any security module. In principle, AppArmor would be vulnerable to the same issue (not sure if it is or not to this one specifically).
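
An added illustration, not part of the thread or of the kernel source: a user-space C model of the dereference-before-check ordering described in the comment above, next to the corrected ordering, plus a read of the `vm.mmap_min_addr` sysctl that governs whether page zero can be mapped. The struct, function and macro names are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_POLLERR 0x0008u   /* constructed stand-in for an error mask */

/* Hypothetical stand-ins for the driver's structures. */
struct model_sock { unsigned int ready_mask; };
struct model_dev  { struct model_sock *sk; };

/* Before the fix: dev is dereferenced first, so the compiler may assume
 * dev != NULL and delete the check below as dead code. Calling this with
 * NULL is undefined behaviour; if page zero is mappable, the load in the
 * kernel no longer faults and the deleted check cannot catch it. */
unsigned int poll_deref_then_check(struct model_dev *dev)
{
    struct model_sock *sk = dev->sk;   /* dereference happens here */
    if (!dev)                          /* too late: may be optimized away */
        return MODEL_POLLERR;
    return sk ? sk->ready_mask : MODEL_POLLERR;
}

/* After the fix: validate first, dereference second. */
unsigned int poll_check_then_deref(struct model_dev *dev)
{
    if (!dev)
        return MODEL_POLLERR;
    struct model_sock *sk = dev->sk;
    return sk ? sk->ready_mask : MODEL_POLLERR;
}

/* Lowest address user space may map, or -1 if the sysctl is unreadable.
 * A value of 0 means page zero can be mapped by a process. */
long read_mmap_min_addr(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    struct model_sock s = { 0x41u };   /* constructed sample values */
    struct model_dev  d = { &s };
    printf("valid=%#x null=%#x mmap_min_addr=%ld\n", poll_check_then_deref(&d),
           poll_check_then_deref(NULL), read_mmap_min_addr());
    return 0;
}
```

Building with GCC's `-fno-delete-null-pointer-checks` keeps the compiler from removing a late check like the one in `poll_deref_then_check`; reordering the check ahead of the dereference is still the actual fix.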


again?


I don't know, I'm seeing this for the first time.

But for some it might already be a timeless classic ;-)


It's new to me, but I'm not a systems/OS guy. I just appreciate the finer points of charming flaws.


Nope. This article is a week old.


It's a subscriber-only article at lwn.net, which means it isn't available to the public for a week. I saw it last week too, but HN can only link to it today.

FWIW: lwn.net is a great site, and very much worth the subscription cost. Better kernel articles than anywhere else, and a higher signal-to-noise ratio in the comments than anywhere else on the internet I'm aware of. Lots of famous geeks post there regularly.



