diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 646c251..7a5d677 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -46,21 +46,22 @@ interface(`postgresql_role',`
 	#
 
 	tunable_policy(`sepgsql_enable_users_ddl',`
-		allow $2 user_sepgsql_table_t:db_table { create drop };
-		allow $2 user_sepgsql_table_t:db_column { create drop };
+		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+		allow $2 user_sepgsql_table_t:db_column { create drop setattr };
 
 		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
 	')
 
-	allow $2 user_sepgsql_table_t:db_table  { getattr setattr use select update insert delete lock };
-	allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
+	allow $2 user_sepgsql_table_t:db_table  { getattr use select update insert delete lock };
+	allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
 	allow $2 user_sepgsql_table_t:db_tuple	{ use select update insert delete };
 	type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
 
 	allow $2 user_sepgsql_sysobj_t:db_tuple	{ use select };
 	type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
 
-	allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+	allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
 	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
 
 	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
@@ -347,6 +348,7 @@ interface(`postgresql_unpriv_client',`
 		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
 		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
 		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
 	')
 
 	allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
@@ -357,7 +359,7 @@ interface(`postgresql_unpriv_client',`
 	allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
 	type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
 
-	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
 	type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
 
 	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index e922f6f..2c32bdc 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
 
-policy_module(postgresql, 1.8.5)
+policy_module(postgresql, 1.8.6)
 
 gen_require(`
 	class db_database all_db_database_perms;
@@ -338,12 +338,6 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
 dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
 
-tunable_policy(`sepgsql_enable_users_ddl',`
-	allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr };
-	allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
-	allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete };
-')
-
 ########################################
 #
 # Unconfined access to this module