diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 4a1c4ef..646c251 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -47,18 +47,18 @@ interface(`postgresql_role',`
 
 	tunable_policy(`sepgsql_enable_users_ddl',`
 		allow $2 user_sepgsql_table_t:db_table { create drop };
-		type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
-
 		allow $2 user_sepgsql_table_t:db_column { create drop };
 
 		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-		type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
 	')
 
 	allow $2 user_sepgsql_table_t:db_table  { getattr setattr use select update insert delete lock };
 	allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
 	allow $2 user_sepgsql_table_t:db_tuple	{ use select update insert delete };
+	type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
+
 	allow $2 user_sepgsql_sysobj_t:db_tuple	{ use select };
+	type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
 
 	allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
 	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
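Review bot: The two relocated `type_transition` rules (for `db_table` and for `db_tuple` on `sepgsql_sysobj_table_type`) are now unconditional, while the matching `create drop` and `update insert delete` permissions stay inside `tunable_policy(`sepgsql_enable_users_ddl', ...)`, and nothing in the hunk explains the split. As written, a new table or catalog tuple is always labelled `user_sepgsql_table_t` / `user_sepgsql_sysobj_t`, so with the boolean off the operation is checked against that type and denied. That looks like the intended fail-closed behaviour, but a later cleanup could easily move the rules back into the tunable block. I would add a comment above the first moved rule, for example `# Default labeling is unconditional; only the DDL permissions are gated by sepgsql_enable_users_ddl.` The body of postgresql_role starts and ends outside this hunk.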
@@ -313,24 +313,55 @@ interface(`postgresql_stream_connect',`
 #
 interface(`postgresql_unpriv_client',`
 	gen_require(`
+		class db_database all_db_database_perms;
 		class db_table all_db_table_perms;
 		class db_procedure all_db_procedure_perms;
+		class db_column all_db_column_perms;
+		class db_tuple all_db_tuple_perms;
 		class db_blob all_db_blob_perms;
 
 		attribute sepgsql_client_type;
+		attribute sepgsql_database_type, sepgsql_sysobj_table_type;
 
-		type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t, sepgsql_blob_t;
 		type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+		type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
+		type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
 	')
 
+	########################################
+	#
+	# Declarations
+	#
+
 	typeattribute $1 sepgsql_client_type;
 
-	type_transition $1 sepgsql_db_t:db_table sepgsql_table_t;
-	type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_exec_t;
-	type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;
+	########################################
+	#
+	# Client local policy
+	#
 
 	type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
 	allow $1 sepgsql_trusted_proc_t:process transition;
+
+	tunable_policy(`sepgsql_enable_users_ddl',`
+		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+	')
+
+	allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+	allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
+	allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
+	type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;
+
+	allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+	type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+
+	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+	type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
+
+	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
 ')
 
 ########################################
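Review bot: `create drop setattr` on `unpriv_sepgsql_proc_exec_t:db_procedure` and on `unpriv_sepgsql_blob_t:db_blob` are granted unconditionally, whereas the same permissions on tables and columns just above are gated by `sepgsql_enable_users_ddl`. If the boolean is meant to cover all DDL issued by unprivileged clients, such a domain can still create and alter procedures with it switched off. Leaving `allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };` unconditional and moving `allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };` into the tunable block would align the two. postgresql_role grants the same set on `user_sepgsql_proc_exec_t` outside the tunable (visible in the first hunk), so this may be deliberate, in which case a short comment saying so would help. Separately, the newly required `class db_database` does not appear to be used by any rule in this interface.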
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 6e1d3ad..e922f6f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
 
-policy_module(postgresql, 1.8.4)
+policy_module(postgresql, 1.8.5)
 
 gen_require(`
 	class db_database all_db_database_perms;
@@ -97,6 +97,20 @@ domain_type(sepgsql_trusted_proc_t)
 postgresql_unconfined(sepgsql_trusted_proc_t)
 role system_r types sepgsql_trusted_proc_t;
 
+# Types for unprivileged client
+type unpriv_sepgsql_blob_t;
+postgresql_blob_object(unpriv_sepgsql_blob_t)
+
+type unpriv_sepgsql_proc_exec_t;
+postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
+
+type unpriv_sepgsql_sysobj_t;
+postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
+
+type unpriv_sepgsql_table_t;
+postgresql_table_object(unpriv_sepgsql_table_t)
+
+# Types for UBAC
 type user_sepgsql_blob_t;
 typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
 typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
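Review bot: The comment `# Types for unprivileged client` does not say that these four types are shared by every domain passed to postgresql_unpriv_client. That interface grants `$1` access to the fixed `unpriv_sepgsql_*_t` types, so type enforcement does not separate the database objects of two unrelated unprivileged client domains; any separation would have to come from elsewhere (for example the database's own ACLs). I would expand the comment to something like `# Default labels for objects created by any postgresql_unpriv_client() domain; shared by all such domains.` so that callers of the interface know what isolation they are getting.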