diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 81043c6f1..1bd398cf5 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -165,9 +165,6 @@ retaining its user namespace membership by using a pair of calls to move to another user namespace and then return to its original user namespace. -Having a capability inside a user namespace -permits a process to perform operations (that require privilege) -only on resources governed by that namespace. The rules for determining whether or not a process has a capability in a particular user namespace are as follows: .IP 1. 3 @@ -208,6 +205,24 @@ has all capabilities in the namespace. By virtue of the previous rule, this means that the process has all capabilities in all further removed descendant user namespaces as well. +.PP +Having a capability inside a user namespace +permits a process to perform operations (that require privilege) +only on resources governed by that namespace. +In other words, having a capability in a user namespace permits a process +to perform privileged operations on resources that are governed by (nonuser) +namespaces associated with the user namespace (see the next subsection). +On the other hand, there are many privileged operations that affect +resources that are not associated with any namespace type, +for example, changing the system time (governed by +.BR CAP_SYS_TIME ), +loading a kernel module (governed by +.BR CAP_SYS_MODULE ), +and creating a device (governed by +.BR CAP_MKNOD ). +Only a process with privileges in the +.I initial +user namespace can perform such operations. .\" .\" ============================================================ .\"
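Review bot: In the first hunk (@@ -165,9 +165,6 @@), deleting the three "Having a capability inside a user namespace ..." lines leaves "The rules for determining whether or not a process has a capability ..." running straight on from the sentence about moving to another user namespace and back, inside the same paragraph. Since the removed sentence was what introduced the rules list, consider inserting a .PP before "The rules for determining" so the list keeps its own paragraph break; otherwise the hunk is a clean move with no text lost (the same three lines reappear in the second hunk).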
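Review bot: In the second hunk (@@ -208,6 +205,24 @@), the first two sentences of the new paragraph say the same thing twice: "permits a process to perform operations (that require privilege) only on resources governed by that namespace" and then "In other words, having a capability in a user namespace permits a process to perform privileged operations on resources that are governed by (nonuser) namespaces ...". Suggest collapsing them into one sentence and keeping only the more precise second formulation. Two smaller points on the same lines: "(nonuser)" reads better as "(non-user)", matching how other namespace types are hyphenated elsewhere in the page, and "see the next subsection" should name the subsection it points to, so the cross-reference survives if sections are later reordered. Finally, the closing "Only a process with privileges in the initial user namespace" is vaguer than the rest of the paragraph, which is about capabilities; "Only a process with the relevant capability in the initial user namespace" would say exactly what is checked.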