This report describes a formal security policy model for a secure relational database system.  This model is intended to meet the formal model requirement specified in the DoD Trusted COmputer System Evaluation Criteria.  The model is formulated in two layers, one corresponding to a reference monitor thta enforces mandatory security, and the second defining multilevel relations and formulazing policies for labeling new and derived data, data consistency, discretionary security, and transaction consistency.  The development of a formal security policy model is the second task of the SeaView Project to design a multilevel secure database system meeting the Criteria for Class A1.