As /sbin/init call umount, and as allowing umount to unmount is the same as not protecting umount syscall, you can select the Unmounting capability is inherited option, and give the capability to unmount devices to /sbin/init. This capability will be inherited by umount only when it is executed by init.d/umountfs which is executed by rcS which is executed by /sbin/init which have the authorization.
So that, in standard case, if you have a monitored UPS, you might only need to give /sbin/init as "allowed prog" and to select the inheritage of the capability.
It is also possible to call shutdown with the -n option6.5, for it not to call the init process and to execute itself the umount -a command. In this case, the program that must be allowed to unmount must be /sbin/shutdown.
To feed the Allowed processes field, see 6.2.
Saying no increases security.