First of all, I love Whonix. Thank you for your efforts! I’ve had some odd occurrences with my sys-whonix (I’m on latest Qubes) that I’ll describe after my specific question.
When I check the apparmor status I get this: Is it expected to have this many profiles & processes in complain mode?
apparmor module is loaded.
44 profiles are loaded.
26 profiles are in enforce mode.
//*-browser/Browser/firefox
/usr/bin/hexchat
/usr/bin/man
/usr/bin/onioncircuits
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/sdwdate
/usr/bin/systemcheck
/usr/bin/timesanitycheck
/usr/bin/tor-circuit-established-check
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/bin/url_to_unixtime
/usr/lib/onion-grater
/usr/libexec/systemcheck/canary
/usr/sbin/haveged
apt-cacher-ng
bootclockrandomization
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
system_tor
18 profiles are in complain mode.
/usr/bin/irssi
/usr/bin/whonix_firewall
/usr/libexec/whonix-firewall/
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
identd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
6 processes have profiles defined.
3 processes are in enforce mode.
/usr/bin/python3.9 (843) /usr/lib/onion-grater
/usr/sbin/haveged (511)
/usr/bin/tor (846) system_tor
3 processes are in complain mode.
/usr/bin/bash (704) /usr/libexec/whonix-firewall/**
/usr/bin/bash (723) /usr/libexec/whonix-firewall/**
/usr/bin/inotifywait (724) /usr/libexec/whonix-firewall/**
0 processes are unconfined but have a profile defined.
When I run aa-unconfined I get:
815 /usr/bin/tinyproxy not confined
820 /usr/bin/tinyproxy not confined
821 /usr/bin/tinyproxy not confined
843 /usr/bin/python3.9 (/usr/bin/python3) confined by ‘/usr/lib/onion-grater (enforce)’
846 /usr/bin/tor confined by ‘system_tor (enforce)’
1210 /usr/bin/tinyproxy not confined
1279 /usr/bin/tinyproxy not confined
1337 /usr/bin/tinyproxy not confined
1391 /usr/bin/tinyproxy not confined
1409 /usr/bin/tinyproxy not confined
I understand the concept that complain mode is there so that profiles and processes can tell you they have violations without that necessarily killing them, and you can adjust and test from there, but is this expected?
To my nonspecific question:
When I launch my sys-whonix on startup and run a whonix DVM & my KeepassXC vault (on whonix) I’ve had sys-whonix crash randomly (yes, must be hacked then… ) and when it loads back up it no longer shows keepassxc in the list when I click on the whonix lock icon (offline vault, should it even be in there?). Sometimes a dispvm that is currently running will no longer appear despite it still running and saying it is on tor.
I also had an occurrence where in a DISPVM downloads were going to a mozilla folder, not .tb/tor-browser/… and when I ran ‘top’ I saw systemd-socket-. Does this strike you as just standard random bugs?
I’m sorry if this is long-winded or misguided, but I love Whonix and I tried to google key search terms to find out, but I’d love an explanation.
THANK YOU!!
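
Added example, not part of the original post and not Whonix project code: a small parser for the aa-status text layout quoted above that separates complain-mode profiles attached to a running process from those that are only loaded. The sample input is constructed and shortened, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the aa-status text quoted in the post.
SAMPLE = """\
apparmor module is loaded.
5 profiles are loaded.
2 profiles are in enforce mode.
/usr/sbin/haveged
system_tor
3 profiles are in complain mode.
/usr/libexec/whonix-firewall/**
/usr/sbin/dnsmasq
ping
4 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/haveged (511)
/usr/bin/tor (846) system_tor
2 processes are in complain mode.
/usr/bin/bash (704) /usr/libexec/whonix-firewall/**
/usr/bin/inotifywait (724) /usr/libexec/whonix-firewall/**
0 processes are unconfined but have a profile defined.
"""

HEADER = re.compile(r"^\d+ (profiles|processes) (?:are in (enforce|complain) mode|.*)\.$")
PROC = re.compile(r"^(\S+) \((\d+)\)\s*(.*)$")  # exe (pid) [profile]

def parse(text):
    """Group entries by (kind, mode); works with or without indentation."""
    status, section = {}, None
    for line in map(str.strip, text.splitlines()):
        head = HEADER.match(line)
        if head:  # count lines open a section; non-mode ones close it
            section = head.groups() if head.group(2) else None
        elif line and section:
            if section[0] == "profiles":
                status.setdefault(section, []).append(line)
            elif (proc := PROC.match(line)):
                exe, pid, profile = proc.groups()
                # Assumption: no trailing name (as on the haveged line) means
                # the profile is named after the executable path.
                status.setdefault(section, []).append((int(pid), exe, profile or exe))
    return status

def complain_in_use(status):
    """Complain-mode profiles attached to a running process -> list of PIDs."""
    used = {}
    for pid, _exe, profile in status.get(("processes", "complain"), []):
        used.setdefault(profile, []).append(pid)
    return used

def complain_idle(status):
    """Complain-mode profiles that are loaded but confine nothing right now."""
    used = complain_in_use(status)
    return [p for p in status.get(("profiles", "complain"), []) if p not in used]
```
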