1. We should add a reboot notify when toggling selinux
Mode is not guaranteed to take full effect until after reboot
Strange things happen if you toggle without a reboot (nfs gets mad, stunnel falls over, contexts could be wrong, etc.)
2. We should touch autorelabel when going from a lower -> higher level of security (disabled -> permissive/enforcing, permissive -> enforcing)
This, when combined with the reboot notify, will ensure users have sane contexts.