Information access control programs are based on a security policy model. Flaws in them may come from a lack of precision or some incoherences in the policy model or from inconsistencies between the model and the code. In this paper, we build a full mechanized formalization of the well-known Bell and LaPadula policy model, checking all the steps of the proofs. Then, we derive automatically a program for the access controls considered in this model. Such a program implements a transition function which has been formally proved sound according to the three security properties involved in the Bell and La Padula model. All the work is done within Coq, a theorem prover based on a very strong type theory.