--- policy/modules/services/postgresql.if 2009-05-08 12:32:51.000000000 +0900
+++ policy/modules/services/postgresql.if.2 2009-05-08 11:58:46.000000000 +0900
@@ -46,20 +46,21 @@
 #
 tunable_policy(`sepgsql_enable_users_ddl',`
- allow $2 user_sepgsql_table_t:db_table { create drop };
- allow $2 user_sepgsql_table_t:db_column { create drop };
+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
 allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
 ')
- allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete lock };
- allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
+ allow $2 user_sepgsql_table_t:db_table { setattr use select update insert delete lock };
+ allow $2 user_sepgsql_table_t:db_column { setattr use select update insert };
 allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
 type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
 allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
 type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
 type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
 allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
@@ -346,6 +347,7 @@
 allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
 allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
 allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
 ')
 allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
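Review bot: The new unconditional rules `allow $2 user_sepgsql_table_t:db_table { setattr use select update insert delete lock };` and `allow $2 user_sepgsql_table_t:db_column { setattr use select update insert };` drop `getattr` but keep `setattr`, even though `setattr` is exactly the permission this hunk moves into the `sepgsql_enable_users_ddl` block a few lines above, and the unpriv counterpart shown as context in the next hunk grants `{ getattr use select update insert delete lock }` unconditionally. The likely intent was the reverse: `allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };` and `allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };`. As written, a role domain keeps ALTER-type access (db_table/db_column setattr) on its own tables with the boolean off, while no rule left in the hunk grants it getattr, which presumably breaks ordinary metadata lookups on those tables — worth confirming against the SE-PostgreSQL permission checks. The enclosing template begins outside this hunk.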
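Review bot: The added `allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };` extends what `sepgsql_enable_users_ddl` unlocks from table/column DDL to defining and altering procedures, and nothing in this diff updates the boolean's description (its `gen_tunable` block is outside the patch). Defining procedures is a broader capability than table DDL, since it installs code the server will later execute, so an administrator who reads the boolean as a table-DDL switch would not expect it. Suggest amending the tunable summary to something like `Allow users to create, drop and alter tables, columns and procedures in their own schemas` and calling the change out in the commit message.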
@@ -356,7 +358,7 @@
 allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
 type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
 type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
 allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
--- policy/modules/services/postgresql.te 2009-05-08 12:38:30.000000000 +0900
+++ policy/modules/services/postgresql.te.2 2009-05-08 12:39:10.000000000 +0900
@@ -338,12 +338,6 @@
 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
 dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
-tunable_policy(`sepgsql_enable_users_ddl',`
- allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr };
- allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
- allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete };
-')
-
 ########################################
 #
 # Unconfined access to this module
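Review bot: Removing the `sepgsql_client_type` block means that, with `sepgsql_enable_users_ddl` on, create/drop/setattr on objects labeled the generic `sepgsql_table_t` and update/insert/delete on `sepgsql_sysobj_t` tuples are no longer granted to any client domain; only the per-role `user_`/`unpriv_` table types that the patched .if templates reach via `type_transition` keep DDL. That is a sensible tightening of the boolean's scope, but any `sepgsql_client_type` domain that does not go through those templates, and so still creates objects labeled `sepgsql_table_t`, will now get AVC denials on DDL that used to succeed. Suggest stating this in the commit message and leaving a comment at this spot, e.g. `# DDL under sepgsql_enable_users_ddl is granted only on the per-role table types set up in postgresql.if, never on generic sepgsql_table_t`, so the block is not re-added later as a "fix" for such denials. The `dontaudit` rule and the comment above it are unaffected.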