> IMO, there's a rather desperate need to be able to override the system-wide policy for individual processes, maybe via some sort of wrapper around one of the containerization technologies.
There's part of me that's almost surprised that there's not an SELinux Policy flag of some kind that would restrict or allow access of individual applications from using certain crypto bits. That seems like something that someone would have cooked up before, but perhaps it's just too intrusive into every other piece of software for even the SELinux team to want to futz with.
Alternatively, I wouldn't be surprised if at some point the industry doesn't unofficially opt for a legacy OpenSSL option which could be utilized by legacy code, but still allow all the modern code to use the new stuff. But of course if that did exist, tons of people would just refuse to update their code and deps because they have an option not to.