Update how to setup a policy namespace for containers

how-to-setup-a-policy-namespace-for-containers.md

@@ -2,6 +2,11 @@
 
 bla bla bla, dependent on apparmor version and kernel version
 
+# Base Requirements
+
+* [A kernel that supports LSM stacking](how-to-setup-a-policy-namespace-for-containers#Stacking-Kernel-Requirements)
+* [Authority to create an apparmor policy namespace](how-to-setup-a-policy-namespace-for-containers#Authority-to-create-a-policy-namespace)
+
 # snappy
 
 Is not required for snappy. Snappy applications don't load their own policy, snapd does it for them.
@@ -19,11 +24,10 @@ need the display lsm set
 Lxd already supports creating apparmor child namespaces.
 Nesting requirement with user namespaces
 
-# Stacking Kernel Requirements
 
-Caveat: Audit subsystem is not namespaced
+# Authority to create a policy namespace
 
-## Authority to create a policy namespace
+Depends on apparmor and kernel versions
 
 * kernels up to ??? require capability MAC_ADMIN in the user namespace.
 
@@ -31,6 +35,12 @@ Caveat: Audit subsystem is not namespaced
 
 * kernels ??? add the ability for users to create/admin their own policy.
 
+
+# Stacking Kernel Requirements
+
+Caveat: Audit subsystem is not namespaced
+
+
 ## Nesting Requirement
 
 if apparmor policy namespaces are used in conjunction with user namespaces. There is a nesting limit.