After commit 272130 (https://lists.freebsd.org/pipermail/svn-src-head/2014-September/062990.html), mac_bsdextended allows renaming and moving, when it should not. Unfortunately, the change is rather old, so the same problem is in 10-STABLE already too.
Quick test (change "user" to your favorite login in you system):
# kldload mac_bsdextended
# ugidfw add subject uid user object type l mode rs
# su - user
$ ln -s src dst
$ rm -v dst
rm: dst: Permission denied # correct
$ mv -v dst dst2
dst -> dst2 # incorrect, it should be permission denied
You can look into sys/security/mac_bsdextended/ugidfw_vnode.c, functions ugidfw_vnode_check_rename_from() and ugidfw_vnode_check_unlink() - the codes are the same, but behavior is different. Before 272130, it really worked and mv was not possible, so probably change 272130 changed behavior, so that ugidfw_vnode_check_rename_from() is not called for rename operation anymore?
Over to committer of 272130.