diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -105,6 +105,8 @@
 static int mac_veriexec_slot;
 
 static int mac_veriexec_block_unlink;
+SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, CTLFLAG_RDTUN,
+    &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
 
 MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data");
 
@@ -797,12 +799,6 @@
 	EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL,
 	    EVENTHANDLER_PRI_LAST);
 
-	/* Fetch tunable value in kernel env and define a corresponding read-only sysctl */
-	mac_veriexec_block_unlink = 0;
-	TUNABLE_INT_FETCH("security.mac.veriexec.block_unlink", &mac_veriexec_block_unlink);
-	SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink,
-	    CTLFLAG_RDTUN, &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
-
 	/* Check if unlink control is activated via tunable value */
 	if (!mac_veriexec_block_unlink)
 		mac_veriexec_ops.mpo_vnode_check_unlink = NULL;