Where do qubes get their “tag” from?
E.g. in /etc/qubes/policy.d/80-whonix.policy there is a line
whonix.SdwdateStatus + @tag:anon-gateway @default deny notify=no
How can I find out which qubes are tagges with anon-gateway, and how did they get tagged?
Thank you in advance!
Can get/set tags using qvm-tags.
Ok. That is already interesting, but I did not set any tags with this command, yet, many qubes are tagged. Where did they get their tags from?
Probably from the developers making something (Salt?) automatically apply certain tags in certain circumstances. For example, my understanding is that the Whonix tags are the result of the Whonix devs using tags in order to enforce various things, e.g., ensuring that Whonix templates update always and only via a Whonix Gateway (e.g., sys-whonix).
Yes, now I only need to know where in the salt or templates those things are introduced! 
When new VM is created based on a template with
whonix-gwfeature set it gets:
anon-gatewaytag
Aha! Thank you!
(I will mark that as a solution, although there probably more ways this happens?)
Or maybe related follow-up question: Does it make sense to add the tag anon-vm to qubes that don’t have a whonix-ws as template, but use a whonix-gw as netvm?
If you add this tag then your VMs won’t be able to get time from your clockvm (source):
VMs to communicate with the default clockvm (by default
sys-net, adjustable via policy redirect as discussed below) to request thequbes.GetDateservice
The whonix-ws is using sdwdate to update and randomize clock instead. So if you add sdwdate to your qubes that don’t have a whonix-ws as template than it should work.
Also here’s more info on tags: