The evaluation of computer systems has been an important issue for many years, as evidenced by the introduction of industry evaluation guides such as the Rainbow Books and the more recent Common Criteria for IT Security Evaluation. As organizations depend on the Internet for their daily operations, the need for evaluation is even more apparent due to new security risks. It is not uncommon for large organizations to evaluate different systems, such as operating systems, to identify which would best fit their security policy. Each system would undoubtedly use different methods to represent access control policies. The security policy would therefore need to be translated into specific access control policies that each system understands, which is challenging when large and complex systems are involved. In this paper, we focus on the evaluation of operating systems. We describe Chameleos, a policy specification language that is designed to specify the access control policies of multiple operating systems. The strength of Chameleos is its flexibility to cater to many operating systems, while remaining sufficiently extensible to support the specific features of each system. We describe the design and architecture of Chameleos, and demonstrate that Chameleos can flexibly and effectively represent the access control policies of grsecurity and SELinux - two very different systems.