Security policy model is the groundwork for secure or trusted system. Bell-LaPadula model with its good adaptability has comprehensive applications to multilevel security system, but it is short of the rules about integrity and consistency. Based on that model, an extended policy model is proposed, which is founded on the extended object hierarchy. By this way, the integrity becomes one of the inherence properties of the model. The object domains, extended security axioms and operation rules are also introduced or redefined. The proposed model more suits the requirements of multilevel security databases, and guarantees the consistency among policy model, system specification and other high-level security model. The extensions and enhancements, especially other properties besides security, are the necessary steps for transforming a policy model into a practical system.