diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c --- a/sys/security/mac_veriexec/mac_veriexec.c +++ b/sys/security/mac_veriexec/mac_veriexec.c @@ -602,11 +602,11 @@ if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) return (0); - /* - * Check if it's a verified file - */ error = mac_veriexec_check_vp(cred, vp, VVERIFY); - if (error == 0) { /* file is verified */ + if (error == 0) { + /* + * The target is verified, so disallow replacement. + */ MAC_VERIEXEC_DBG(2, "(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid); @@ -643,11 +643,11 @@ if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) return (0); - /* - * Check if it's a verified file - */ error = mac_veriexec_check_vp(cred, vp, VVERIFY); - if (error == 0) { /* file is verified */ + if (error == 0) { + /* + * The target is verified, so disallow replacement. + */ MAC_VERIEXEC_DBG(2, "(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid); return (EAUTH); @@ -692,11 +692,11 @@ if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) return (0); - /* - * Check if it's a verified file - */ error = mac_veriexec_check_vp(cred, vp, VVERIFY); - if (error == 0) { /* file is verified */ + if (error == 0) { + /* + * The target is verified, so disallow replacement. + */ MAC_VERIEXEC_DBG(2, "(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid); return (EAUTH); @@ -727,13 +727,14 @@ return (0); /* - * Do not allow chmod (set-[gu]id) of verified file + * Prohibit chmod of verified set-[gu]id file. */ error = mac_veriexec_check_vp(cred, vp, VVERIFY); - if (error == EAUTH) /* it isn't verified */ + if (error == EAUTH) /* target not verified */ return (0); if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0) return (EAUTH); + return (0); }
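Review bot: The comment `The target is verified, so disallow replacement.` is pasted unchanged into the UNLINK, RENAME_FROM and RENAME_TO hunks, but only the RENAME_TO check guards an overwrite; the other two refuse removing the file and moving it away. If the intent is that unlinking or renaming a verified file is the first step of swapping it for an unverified one, the comment should say that, for example `The target is verified; removing it would allow it to be replaced.` in the unlink check and `The source is verified; do not let it be moved out of place.` in the rename-from check. The UNLINK hunk ends inside the `if` body, so the value returned there is not visible.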
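Review bot: The reworded comment in the last hunk (-727) reads as if chmod is refused on a verified file that is already set-[gu]id, but the check below it tests the requested `mode` for `S_ISUID|S_ISGID`, so what is refused is adding those bits to a verified file; `* Prohibit setting set-[gu]id bits on a verified file.` would match the code. The same comment is the place to record that every result of `mac_veriexec_check_vp()` other than 0 ends in `return (0)`: the `EAUTH` branch is redundant with the final return, and an unexpected error from the check permits the mode change. If that fail-open behaviour is intended it deserves a sentence; if not, the other error values should be returned to the caller. The function starts outside the hunk, so the earlier part of its body is not visible here.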