In this paper, we propose a formal model for multilevel databases. This model aims at being a generic model, that is it can be interpreted for any kind of database (relational, object-oriented...). Our model has three layers. The first layer corresponds to a model for a non-protected database. The second layer corresponds to a model for a multilevel database. In this second layer, we propose a list of theorems that must be respected in order to build a secure multilevel database. We also propose a new solution to manage cover stories without using the ambiguous technique of polyinstantiation. The third layer corresponds to a model for a MultiView database, that is, a database that provides at each security level a consistent view of the multilevel database. Finally, as an illustration, we interpret our 3-layer model in the case of an object-oriented database.