path: root/man/systemd-analyze.xml
author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2022-02-22 22:55:42 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2022-02-23 08:56:03 +0100
commit: e6ce19516315138d983ed4b7776d9ebd2fb296d8 (patch)
tree: 51ddf0f6e00530b609517c4a0c0f7e53376a8ada /man/systemd-analyze.xml
parent: 8c4db5629c877425b2f46e414a94a8f24280a9d3 (diff)
download: systemd-e6ce19516315138d983ed4b7776d9ebd2fb296d8.tar.gz
man/systemd-analyze: split out example to a separate section
It turns out we can't have an Example nested in a list, and every combination of nesting I tried looked bad either in troff or in html. The whole example is moved to a separate section.
Diffstat (limited to 'man/systemd-analyze.xml')
-rw-r--r--  man/systemd-analyze.xml | 126
1 file changed, 65 insertions, 61 deletions
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index 8bc67a1ea8..7baa1794d7 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -1129,69 +1129,9 @@ $ systemd-analyze verify /tmp/source:alias.service
</tgroup>
</table>
- <example>
- <title>JSON Policy</title>
- <para>The JSON file passed as a path parameter to <option>--security-policy=</option>
- has a top-level JSON object, with keys being the assessment test identifiers mentioned
- above. The values in the file should be JSON objects with one or more of the
- following fields: description_na (string), description_good (string), description_bad
- (string), weight (unsigned integer), and range (unsigned integer). If any of these fields
- corresponding to a specific id of the unit file is missing from the JSON object, the
- default built-in field value corresponding to that same id is used for security analysis
- as default. The weight and range fields are used in determining the overall exposure level
- of the unit files: the value of each setting is assigned a badness score, which is multiplied
- by the policy weight and divided by the policy range to determine the overall exposure that
- the setting implies. The computed badness is summed across all settings in the unit file,
- normalized to the 1…100 range, and used to determine the overall exposure level of the unit.
- By allowing users to manipulate these fields, the 'security' verb gives them the option to
- decide for themself which ids are more important and hence should have a greater effect on
- the exposure level. A weight of <literal>0</literal> means the setting will not be
- checked.</para>
-
- <programlisting>
- {
- "PrivateDevices":
- {
- "description_good": "Service has no access to hardware devices",
- "description_bad": "Service potentially has access to hardware devices",
- "weight": 1000,
- "range": 1
- },
- "PrivateMounts":
- {
- "description_good": "Service cannot install system mounts",
- "description_bad": "Service may install system mounts",
- "weight": 1000,
- "range": 1
- },
- "PrivateNetwork":
- {
- "description_good": "Service has no access to the host's network",
- "description_bad": "Service has access to the host's network",
- "weight": 2500,
- "range": 1
- },
- "PrivateTmp":
- {
- "description_good": "Service has no access to other software's temporary files",
- "description_bad": "Service has access to other software's temporary files",
- "weight": 1000,
- "range": 1
- },
- "PrivateUsers":
- {
- "description_good": "Service does not have access to other users",
- "description_bad": "Service has access to other users",
- "weight": 1000,
- "range": 1
- }
- }
- </programlisting>
- </example>
- </listitem>
+ <para>See example "JSON Policy" below.</para></listitem>
</varlistentry>
-
<varlistentry>
<term><option>--json=<replaceable>MODE</replaceable></option></term>
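Review bot: the replacement `<para>See example "JSON Policy" below.</para>` is a plain-text cross reference that will silently go stale if the example is renamed or moved again; give the example an `id` attribute in the new Examples section and reference it with DocBook `<xref linkend="..."/>` so the build catches a broken link. Also, the blank line between the closing `</varlistentry>` and the following `<varlistentry>` is removed here while the rest of the list keeps one; keeping it would leave the spacing consistent.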
@@ -1262,6 +1202,70 @@ $ systemd-analyze verify /tmp/source:alias.service
<xi:include href="common-variables.xml" />
<refsect1>
+ <title>Examples</title>
+
+ <example>
+ <title>JSON Policy</title>
+
+ <para>The JSON file passed as a path parameter to <option>--security-policy=</option> has a top-level
+ JSON object, with keys being the assessment test identifiers mentioned above. The values in the file
+ should be JSON objects with one or more of the following fields: <option>description_na</option>
+ (string), <option>description_good</option> (string), <option>description_bad</option> (string),
+ <option>weight</option> (unsigned integer), and <option>range</option> (unsigned integer). If any of
+ these fields corresponding to a specific id of the unit file is missing from the JSON object, the
+ default built-in field value corresponding to that same id is used for security analysis as default.
+ The weight and range fields are used in determining the overall exposure level of the unit files: the
+ value of each setting is assigned a badness score, which is multiplied by the policy weight and divided
+ by the policy range to determine the overall exposure that the setting implies. The computed badness is
+ summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the
+ overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb
+ gives them the option to decide for themself which ids are more important and hence should have a
+ greater effect on the exposure level. A weight of <literal>0</literal> means the setting will not be
+ checked.</para>
+
+ <programlisting>
+{
+ "PrivateDevices":
+ {
+ "description_good": "Service has no access to hardware devices",
+ "description_bad": "Service potentially has access to hardware devices",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateMounts":
+ {
+ "description_good": "Service cannot install system mounts",
+ "description_bad": "Service may install system mounts",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateNetwork":
+ {
+ "description_good": "Service has no access to the host's network",
+ "description_bad": "Service has access to the host's network",
+ "weight": 2500,
+ "range": 1
+ },
+ "PrivateTmp":
+ {
+ "description_good": "Service has no access to other software's temporary files",
+ "description_bad": "Service has access to other software's temporary files",
+ "weight": 1000,
+ "range": 1
+ },
+ "PrivateUsers":
+ {
+ "description_good": "Service does not have access to other users",
+ "description_bad": "Service has access to other users",
+ "weight": 1000,
+ "range": 1
+ }
+}
+ </programlisting>
+ </example>
+ </refsect1>
+
+ <refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
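Review bot: since the paragraph is being moved anyway, this is the place to fix the wording it carries over: "decide for themself" should read "decide for themselves", and "the default built-in field value ... is used for security analysis as default" says "default" twice. Separately, the field names `description_na`, `description_good`, `description_bad`, `weight` and `range` are JSON keys, not command-line options, so `<literal>` (as already used for `<literal>0</literal>` in the same paragraph) fits better than `<option>`. The flush-left `<programlisting>` body is an improvement over the indented original, as leading whitespace is significant there.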