When SELinux is disabled, and a user requests that it be set to either permissive or enforcing, a resulting Puppet error occurs because it attempts to run 'setenforce'.
Instead, this should check to see the state of SELinux on the system itself, and if a reboot is required to properly use the setenforce command, the reboot_notify type should be used instead of allowing a failed resource to execute.
This is especially important now that svckill warns by default. If you toggle enforcing -> permissive/disabled, named-chroot kicks off, but svckill won't kill the original named process. Having two nameservers that dish out potentially different information to the same clients is bad. By rebooting and running puppet, you ensure that these unintended consequences are avoided.