user_namespaces.7: Relocate text on capabilities of initial process in userns

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man7/user_namespaces.7

@@ -45,6 +45,17 @@ in other words,
 the process has full privileges for operations inside the user namespace,
 but is unprivileged for operations outside the namespace.
 
+The first process in a user namespace starts out with a complete set
+of capabilities with respect to the new user namespace.
+On the other hand,
+that process has no capabilities outside that user namespace,
+even if the new namespace is created by the root user.
+(However, a child process created by the root user
+will be able to access resources such as
+files that are owned by user ID 0,
+and will be able to do things such as sending signals
+to processes belonging to user ID 0.)
+
 User namespaces can be nested;
 that is, each user namespace\(emexcept the initial ("root")
 namespace\(emhas a parent user namespace,
@@ -99,18 +110,6 @@ in the user namespace that the kernel associated with the new namespace.
 .\" ============================================================
 .\"
 .SS Capabilities
-.PP
-The first process in a user namespace starts out with a complete set
-of capabilities with respect to the new user namespace.
-On the other hand,
-that process has no capabilities outside that user namespace,
-even if the new namespace is created by the root user.
-(However, a child process created by the root user
-will be able to access resources such as
-files that are owned by user ID 0,
-and will be able to do things such as sending signals
-to processes belonging to user ID 0.)
-
 A process may have a capability either
 because that capability is present in its effective capability set,
 or because it inherits the capability from a parent user namespace