According to Hayden, the criterion is NOBUS - Nobody But US. He brought it up in a private off-the-record meeting, but he has since made the same statements in public and been published, so I will repeat them.
They are not going to sabotage something if they think there is a chance that they are going to be caught. Which would mean that SELinux is probably safe as it is open source. Any backdoors are going to be very subtle ones.
The further claim is that now the NSA is going to consider being caught to be much more likely as they have to consider the insider threat. So if they sabotaged SELinux or the like they would have to expect the attack would become public.
But as Bruce points out, there is another option: Don't depend on the NSA at all for COMSEC. Which is what we are now talking about and what we will be discussing in London next week.
One proposal I plan to make is that we go outside the W3C/IETF orbit and start a new group whose function will be to develop security profiles for network applications. So there would be a set of defined criteria (robust against confidentiality attacks, metadata, yadda yadda) and profiles that are designed to provide assurance that certain of those criteria are met.
There are technical constraints that mean that it is not possible to meet every criterion in one profile. A profile for locking down email can't protect against traffic analysis but a network backbone profile can. A network backbone profile can't provide end-to-end confidentiality assurances.
I don't want the profiles to be developed and agreed in IETF though; that would just mean the IETF writing a profile that required use of its dogfood. I want to see groups like OWASP and the Linux Plumbers and such getting involved.
So for email there would be a profile that says the SMTP/SUBMIT/POP3/IMAP server MUST offer transport layer security in a mechanism that is not subject to downgrade attack, passwords MUST be secure against MITM disclosure without relying on transport layer security to do this, etc. Then there would either be a standards-based profile that met those criteria or a defect report explaining why they are not met. And then the IETF would have to fix any defects.