Move one block in postgresql.

policy/modules/services/postgresql.te

@@ -367,12 +367,6 @@ allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param se
 type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
 
 allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search };
-# Note that permission of creation/deletion are eventually controlled by
-# create or drop permission of individual objects within shared schemas.
-# So, it just allows to create/drop user specific types.
-tunable_policy(`sepgsql_enable_users_ddl',`
-	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
-')
 
 allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
 allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
@@ -426,6 +420,13 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
 dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
 
+# Note that permission of creation/deletion are eventually controlled by
+# create or drop permission of individual objects within shared schemas.
+# So, it just allows to create/drop user specific types.
+tunable_policy(`sepgsql_enable_users_ddl',`
+	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
+')
+
 ########################################
 #
 # Rules common to administrator clients